mcp-tls-support

general-kroll-4-life · general-kroll-4-life · commit eb04f545a52d · 2025-10-22T19:10:13.000+11:00
Summary:

- Basic TLS support for MCP server and client.
- Added robot test `Concurrent psql and Reverse Proxy MCP HTTPS Server Query Tool`.
diff --git a/mcp_client/cmd/exec.go b/mcp_client/cmd/exec.go
@@ -42,9 +42,15 @@ var execCmd = &cobra.Command{
 	Long: `simple mcp client example
 `,
 	Run: func(cmd *cobra.Command, args []string) {
+		clientCfgMap := make(map[string]any)
+		jsonErr := json.Unmarshal([]byte(clientCfgJSON), &clientCfgMap)
+		if jsonErr != nil {
+			panic(fmt.Sprintf("error unmarshaling client cfg json: %v", jsonErr))
+		}
 		client, setupErr := mcp_server.NewMCPClient(
 			clientType,
 			url,
+			clientCfgMap,
 			nil,
 		)
 		if setupErr != nil {
@@ -64,9 +70,9 @@ var execCmd = &cobra.Command{
 			outputString = string(output)
 		default:
 			var args map[string]any
-			jsonErr := json.Unmarshal([]byte(actionArgs), &args)
-			if jsonErr != nil {
-				panic(fmt.Sprintf("error unmarshaling action args: %v", jsonErr))
+			jsonCfgErr := json.Unmarshal([]byte(actionArgs), &args)
+			if jsonCfgErr != nil {
+				panic(fmt.Sprintf("error unmarshaling action args: %v", jsonCfgErr))
 			}
 			rv, rvErr := client.CallToolText(actionName, args)
 			if rvErr != nil {
diff --git a/mcp_client/cmd/root.go b/mcp_client/cmd/root.go
@@ -24,8 +24,9 @@ import (
 )
 
 var (
-	clientType = "http"
-	url        = "127.0.0.1:9191"
+	clientType    = "http"
+	url           = "127.0.0.1:9191"
+	clientCfgJSON = "{}"
 )
 
 //nolint:revive,gochecknoglobals // explicit preferred
@@ -68,6 +69,7 @@ func init() {
 
 	rootCmd.PersistentFlags().StringVar(&clientType, "client-type", mcp_server.MCPClientTypeSTDIO, "MCP client type (http or stdio for now)")
 	rootCmd.PersistentFlags().StringVar(&url, "url", "http://127.0.0.1:9876", "MCP server URL.  Relevant for http and sse client types.")
+	rootCmd.PersistentFlags().StringVar(&clientCfgJSON, "client-cfg", "{}", "MCP client configuration as JSON string")
 
 	// Here you will define your flags and configuration settings.
 	// Cobra supports persistent flags, which, if defined here,
diff --git a/pkg/mcp_server/client.go b/pkg/mcp_server/client.go
@@ -4,8 +4,11 @@ package mcp_server //nolint:revive // fine for now
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
+	"os"
 
 	"github.com/modelcontextprotocol/go-sdk/mcp"
 	"github.com/sirupsen/logrus"
@@ -21,33 +24,68 @@ type MCPClient interface {
 	CallToolText(toolName string, args map[string]any) (string, error)
 }
 
-func NewMCPClient(clientType string, baseURL string, logger *logrus.Logger) (MCPClient, error) {
+func NewMCPClient(clientType string, baseURL string, clientCfgMap map[string]any, logger *logrus.Logger) (MCPClient, error) {
 	switch clientType {
 	case MCPClientTypeHTTP:
-		return newHTTPMCPClient(baseURL, logger)
+		return newHTTPMCPClient(baseURL, clientCfgMap, logger)
 	case MCPClientTypeSTDIO:
 		return newStdioMCPClient(logger)
 	default:
 		return nil, fmt.Errorf("unknown client type: %s", clientType)
 	}
 }
 
-func newHTTPMCPClient(baseURL string, logger *logrus.Logger) (MCPClient, error) {
+func getHTTPClient(clientCfgMap map[string]any) (*http.Client, error) {
+	if clientCfgMap != nil && clientCfgMap["ca_file"] != nil {
+		caFile, isString := clientCfgMap["ca_file"].(string)
+		if !isString {
+			return nil, fmt.Errorf("ca_file must be a string")
+		}
+		caCert, err := os.ReadFile(caFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read CA file: %w", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		// Create a TLS configuration
+		tlsConfig := &tls.Config{
+			RootCAs:    caCertPool,       // Trust custom CA certificates
+			MinVersion: tls.VersionTLS12, // Enforce minimum TLS version
+			// InsecureSkipVerify: false,            // Set to true to skip server certificate verification (NOT recommended for production)
+		}
+
+		// Create a custom HTTP transport
+		tr := &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+		return &http.Client{Transport: tr}, nil
+	}
+	return http.DefaultClient, nil
+}
+
+func newHTTPMCPClient(baseURL string, clientCfgMap map[string]any, logger *logrus.Logger) (MCPClient, error) {
 	if logger == nil {
 		logger = logrus.New()
 		logger.SetLevel(logrus.InfoLevel)
 	}
+	httpClient, httpClientErr := getHTTPClient(clientCfgMap)
+	if httpClientErr != nil {
+		return nil, fmt.Errorf("error creating HTTP client: %w", httpClientErr)
+	}
 	return &httpMCPClient{
 		baseURL:    baseURL,
-		httpClient: http.DefaultClient,
+		httpClient: httpClient,
 		logger:     logger,
+		clientCfg:  clientCfgMap,
 	}, nil
 }
 
 type httpMCPClient struct {
 	baseURL    string
 	httpClient *http.Client
 	logger     *logrus.Logger
+	clientCfg  map[string]any
 }
 
 func (c *httpMCPClient) connect() (*mcp.ClientSession, error) {
diff --git a/pkg/mcp_server/config.go b/pkg/mcp_server/config.go
@@ -59,7 +59,10 @@ type ServerConfig struct {
 	// Version is the server version advertised to clients.
 	Version string `json:"version" yaml:"version"`
 
-	ConnectionCfg map[string]any `json:"connection_cfg,omitempty" yaml:"connection_cfg,omitempty"`
+	TLSCertFile string `json:"tls_cert_file,omitempty" yaml:"tls_cert_file,omitempty"`
+	TLSKeyFile  string `json:"tls_key_file,omitempty" yaml:"tls_key_file,omitempty"`
+
+	TransportCfg map[string]any `json:"transport_cfg,omitempty" yaml:"transport_cfg,omitempty"`
 
 	// Description is a human-readable description of the server.
 	Description string `json:"description" yaml:"description"`
diff --git a/pkg/mcp_server/server.go b/pkg/mcp_server/server.go
@@ -43,8 +43,9 @@ type simpleMCPServer struct {
 	servers []io.Closer // Track all running servers for cleanup
 }
 
-func (s *simpleMCPServer) runHTTPServer(server *mcp.Server, address string) error {
+func (s *simpleMCPServer) runHTTPServer(server *mcp.Server, config *Config) error {
 	// Create the streamable HTTP handler.
+	address := config.GetServerAddress()
 	handler := mcp.NewStreamableHTTPHandler(func(req *http.Request) *mcp.Server {
 		return server
 	}, nil)
@@ -56,6 +57,15 @@ func (s *simpleMCPServer) runHTTPServer(server *mcp.Server, address string) erro
 
 	// Start the HTTP server with logging handler.
 	//nolint:gosec // TODO: find viable alternative to http.ListenAndServe
+	if config.Server.TLSCertFile != "" && config.Server.TLSKeyFile != "" {
+		s.logger.Infof("Starting HTTPS server on %s", address)
+		if err := http.ListenAndServeTLS(address, config.Server.TLSCertFile, config.Server.TLSKeyFile, handlerWithLogging); err != nil {
+			s.logger.Errorf("HTTPS Server failed: %v", err)
+			return err
+		}
+		return nil
+	}
+	//nolint:gosec // TODO: find viable alternative to http.ListenAndServe
 	if err := http.ListenAndServe(address, handlerWithLogging); err != nil {
 		s.logger.Errorf("Server failed: %v", err)
 		return err
@@ -478,9 +488,9 @@ func (s *simpleMCPServer) Start(ctx context.Context) error {
 func (s *simpleMCPServer) run(ctx context.Context) error {
 	switch s.config.GetServerTransport() {
 	case serverTransportHTTP:
-		return s.runHTTPServer(s.server, s.config.GetServerAddress())
+		return s.runHTTPServer(s.server, s.config)
 	case serverTransportSSE:
-		return fmt.Errorf("SSE transport not yet implemented")
+		return fmt.Errorf("SSE transport obsoleted; use streamable HTTP transport instead")
 	case serverTransportStdIO:
 		// Default to stdio transport
 		return s.server.Run(ctx, &mcp.StdioTransport{})
diff --git a/test/robot/functional/mcp.robot b/test/robot/functional/mcp.robot
@@ -39,6 +39,18 @@ Start MCP Servers
     ...                                   \-\-tls.allowInsecure
     ...                                   \-\-pgsrv.port
     ...                                   5445
+    Start Process                         ${STACKQL_EXE}
+    ...                                   srv
+    ...                                   \-\-mcp.server.type\=reverse_proxy
+    ...                                   \-\-mcp.config
+    ...                                   {"server": {"tls_cert_file": "test/server/mtls/credentials/pg_server_cert.pem", "tls_key_file": "test/server/mtls/credentials/pg_server_key.pem", "transport": "http", "address": "127.0.0.1:9004"}, "backend": {"dsn": "postgres:\/\/stackql:stackql@127.0.0.1:5446?default_query_exec_mode\=simple_protocol"} }
+    ...                                   \-\-registry
+    ...                                   ${REGISTRY_NO_VERIFY_CFG_JSON_STR}
+    ...                                   \-\-auth
+    ...                                   ${AUTH_CFG_STR}
+    ...                                   \-\-tls.allowInsecure
+    ...                                   \-\-pgsrv.port
+    ...                                   5446
     Sleep         5s
 
 *** Settings ***
@@ -198,3 +210,31 @@ Concurrent psql and Reverse Proxy MCP HTTP Server Query Tool
     ...                  stderr=${CURDIR}${/}tmp${/}Concurrent-psql-and-Reverse-Proxy-MCP-HTTP-Server-Query-Tool-psql-stderr.txt
     Should Contain       ${psql_client_result.stdout}       cloudkms.googleapis.com
     Should Be Equal As Integers    ${psql_client_result.rc}    0
+
+Concurrent psql and Reverse Proxy MCP HTTPS Server Query Tool
+    Pass Execution If    "%{IS_SKIP_MCP_TEST=false}" == "true"    Some platforms do not have the MCP client available
+    Sleep         5s
+    ${mcp_client_result}=    Run Process          ${STACKQL_MCP_CLIENT_EXE}
+    ...                  exec
+    ...                  \-\-client\-type\=http 
+    ...                  \-\-url\=https://127.0.0.1:9004
+    ...                  \-\-client\-cfg      { "ca_file": "test/server/mtls/credentials/pg_server_cert.pem" }
+    ...                  \-\-exec.action      query_v2
+    ...                  \-\-exec.args        {"sql": "SELECT assetType, count(*) as asset_count FROM google.cloudasset.assets WHERE parentType \= 'projects' and parent \= 'testing-project' GROUP BY assetType order by count(*) desc, assetType desc;"}
+    ...                  stdout=${CURDIR}${/}tmp${/}Concurrent-psql-and-Reverse-Proxy-MCP-HTTPS-Server-Query-Tool.txt
+    ...                  stderr=${CURDIR}${/}tmp${/}Concurrent-psql-and-Reverse-Proxy-MCP-HTTPS-Server-Query-Tool-stderr.txt
+    Should Contain       ${mcp_client_result.stdout}       cloudkms.googleapis.com
+    Should Be Equal As Integers    ${mcp_client_result.rc}    0
+    ${posixInput} =     Catenate
+    ...    "${PSQL_EXE}"    -d     postgres://stackql:stackql@127.0.0.1:5445   -c
+    ...    "SELECT assetType, count(*) as asset_count FROM google.cloudasset.assets WHERE parentType = 'projects' and parent = 'testing-project' GROUP BY assetType order by count(*) desc, assetType desc;"
+    ${windowsInput} =     Catenate
+    ...    &    ${posixInput}
+    ${input} =    Set Variable If    "${IS_WINDOWS}" == "1"    ${windowsInput}    ${posixInput}
+    ${shellExe} =    Set Variable If    "${IS_WINDOWS}" == "1"    powershell    sh
+    ${psql_client_result}=    Run Process
+    ...                  ${shellExe}     \-c    ${input}
+    ...                  stdout=${CURDIR}${/}tmp${/}Concurrent-psql-and-Reverse-Proxy-MCP-HTTPS-Server-Query-Tool-psql.txt
+    ...                  stderr=${CURDIR}${/}tmp${/}Concurrent-psql-and-Reverse-Proxy-MCP-HTTPS-Server-Query-Tool-psql-stderr.txt
+    Should Contain       ${psql_client_result.stdout}       cloudkms.googleapis.com
+    Should Be Equal As Integers    ${psql_client_result.rc}    0
