feat: https proxy handle self-signed certs (not added as root CA) (#7)

* fix(dev-deps): update http-proxy-agent and https-proxy-agent to v7, patch HttpsProxyAgent

Author: shazron

package.json

@@ -27,8 +27,8 @@
     "eslint-plugin-promise": "^6.1.1",
     "eslint-plugin-standard": "^4.0.0",
     "fetch-mock": "^9.0.0",
-    "http-proxy-agent": "^4.0.1",
-    "https-proxy-agent": "2.2.4",
+    "http-proxy-agent": "^7",
+    "https-proxy-agent": "^7",
     "jest": "^29",
     "jest-fetch-mock": "^3.0.1",
     "jest-html-reporter": "^3.4.1",

src/proxy.js

@@ -22,6 +22,7 @@ const os = require('os')
  * @typedef {object} HttpOptions the http proxy options
  * @property {number} port the port to use
  * @property {boolean} useBasicAuth use basic authorization
+ * @property {boolean} [selfSigned=false] use self-signed certs
  * @property {boolean} [username=admin] the username for basic authorization
  * @property {boolean} [password=secret] the password for basic authorization
  */
@@ -48,21 +49,27 @@ async function createHttpProxy (httpOptions = {}) {
 }
 
 /**
- * Generate certs for SSL, and add it to the root CAs temporarily.
- * This prevents any self-signed cert errors for tests when using the https proxy.
+ * Generate certs for SSL, and add it to the root CAs.
+ * If added to the root CAs, this prevents any self-signed cert errors for tests when using the https proxy.
  *
  * @private
+ * @param {object} options the options
+ * @param {boolean} options.addToRootCAs defaults to true to add the cert to the root CAs temporarily
  * @returns {object} the https object containing the cert and key
  */
-async function generateCertAndAddToRootCAs () {
+async function generateCert (options = {}) {
+  const { addToRootCAs = true } = options
+
   const https = await mockttp.generateCACertificate()
 
   const tmpFolder = await mkdtemp(path.join(os.tmpdir(), 'test-proxy-'))
   const certPath = path.join(tmpFolder, 'server.crt')
   await writeFile(certPath, https.cert)
 
-  const syswidecas = require('syswide-cas')
-  syswidecas.addCAs(certPath)
+  if (addToRootCAs) {
+    const syswidecas = require('syswide-cas')
+    syswidecas.addCAs(certPath)
+  }
 
   return https
 }
@@ -83,15 +90,15 @@ function setupServerRules (server, httpOptions) {
   const passThroughOptions = { ignoreHostHttpsErrors: ['localhost', '127.0.0.1'] }
 
   if (!useBasicAuth) {
-    server.anyRequest().thenPassThrough(passThroughOptions)
+    server.forAnyRequest().thenPassThrough(passThroughOptions)
   } else {
     const authorization = 'Basic ' + Buffer.from(`${username}:${password}`).toString('base64')
     // this rule makes the request pass through (authorization correct)
-    server.anyRequest()
+    server.forAnyRequest()
       .withHeaders({ 'Proxy-Authorization': authorization })
       .thenPassThrough(passThroughOptions)
     // this rule makes any other request fail
-    server.anyRequest().thenReply(403)
+    server.forAnyRequest().thenReply(403)
   }
 
   return server
@@ -110,8 +117,9 @@ function setupServerRules (server, httpOptions) {
  * @returns {Promise<mockttp.Mockttp>} the proxy server instance
  */
 async function createHttpsProxy (httpOptions = {}) {
-  const { port = 8081 } = httpOptions
-  const https = await generateCertAndAddToRootCAs()
+  const { port = 8081, selfSigned = false } = httpOptions
+
+  const https = await generateCert({ addToRootCAs: !selfSigned })
   const server = mockttp.getLocal({ https })
 
   setupServerRules(server, httpOptions)
@@ -123,6 +131,7 @@ async function createHttpsProxy (httpOptions = {}) {
 }
 
 module.exports = {
+  generateCert,
   createHttpProxy,
   createHttpsProxy
 }

test/proxy.test.js

@@ -10,12 +10,33 @@ governing permissions and limitations under the License.
 */
 
 const queryString = require('query-string')
-const { createHttpsProxy, createHttpProxy } = require('../src/proxy')
+const { createHttpsProxy, createHttpProxy, generateCert } = require('../src/proxy')
 const { createApiServer, HOSTNAME } = require('../src/api-server')
 const fetch = require('node-fetch')
-const HttpsProxyAgent = require('https-proxy-agent')
-const HttpProxyAgent = require('http-proxy-agent')
+const { HttpsProxyAgent } = require('https-proxy-agent')
+const { HttpProxyAgent } = require('http-proxy-agent')
 const url = require('url')
+const syswidecas = require('syswide-cas')
+
+jest.mock('syswide-cas')
+
+/**
+ * HttpsProxyAgent needs a patch for TLS connections.
+ * It doesn't pass in the original options during a SSL connect.
+ *
+ * See https://github.com/TooTallNate/proxy-agents/issues/89
+ * An alternative is to use https://github.com/delvedor/hpagent
+ */
+class PatchedHttpsProxyAgent extends HttpsProxyAgent {
+  constructor (proxyUrl, opts) {
+    super(proxyUrl, opts)
+    this.savedOpts = opts
+  }
+
+  async connect (req, opts) {
+    return super.connect(req, { ...this.savedOpts, ...opts })
+  }
+}
 
 /**
  * Converts a URL to a suitable object for http request options.
@@ -154,10 +175,11 @@ describe('https proxy', () => {
   const protocol = 'https'
   let proxyServer, apiServer
   const portNotInUse = 3009
+  const selfSigned = true
 
-  describe('no auth', () => {
+  describe('no auth (self-signed)', () => {
     beforeAll(async () => {
-      proxyServer = await createHttpsProxy()
+      proxyServer = await createHttpsProxy({ selfSigned })
       apiServer = await createApiServer({ port: 3001, useSsl: true })
     })
 
@@ -174,17 +196,25 @@ describe('https proxy', () => {
 
       const proxyUrl = proxyServer.url
       const proxyOpts = urlToHttpOptions(proxyUrl)
-      // the passing on of this property to the underlying implementation only works on https-proxy-agent@2.2.4
-      // this is only used for unit-tests and passed in the constructor
-      proxyOpts.rejectUnauthorized = false
-      proxyOpts.ALPNProtocols = ['http/1.1']
 
-      const response = await fetch(testUrl, {
-        agent: new HttpsProxyAgent(proxyOpts)
-      })
+      // IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = false
+        const response = await fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts)
+        })
 
-      const json = await response.json()
-      expect(json).toStrictEqual(queryObject)
+        const json = await response.json()
+        expect(json).toStrictEqual(queryObject)
+      }
+      // DO NOT IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = true
+        const proxyFetch = fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts)
+        })
+        await expect(proxyFetch).rejects.toThrow('self-signed certificate in certificate chain')
+      }
     })
 
     test('failure', async () => {
@@ -195,20 +225,31 @@ describe('https proxy', () => {
       const proxyOpts = urlToHttpOptions(proxyUrl)
       // the passing on of this property to the underlying implementation only works on https-proxy-agent@2.2.4
       // this is only used for unit-tests and passed in the constructor
-      proxyOpts.rejectUnauthorized = false
       proxyOpts.ALPNProtocols = ['http/1.1']
 
-      const response = await fetch(testUrl, {
-        agent: new HttpsProxyAgent(proxyOpts)
-      })
-      expect(response.ok).toEqual(false)
-      expect(response.status).toEqual(502)
+      // IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = false
+        const response = await fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts)
+        })
+        expect(response.ok).toEqual(false)
+        expect(response.status).toEqual(502)
+      }
+      // DO NOT IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = true
+        const proxyFetch = fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts)
+        })
+        await expect(proxyFetch).rejects.toThrow('self-signed certificate in certificate chain')
+      }
     })
   })
 
   describe('basic auth', () => {
     beforeAll(async () => {
-      proxyServer = await createHttpsProxy({ useBasicAuth: true })
+      proxyServer = await createHttpsProxy({ useBasicAuth: true, selfSigned })
       apiServer = await createApiServer({ port: 3001, useSsl: true })
     })
 
@@ -229,19 +270,27 @@ describe('https proxy', () => {
       const proxyUrl = proxyServer.url
       const proxyOpts = urlToHttpOptions(proxyUrl)
       proxyOpts.auth = `${username}:${password}`
-      // the passing on of this property to the underlying implementation only works on https-proxy-agent@2.2.4
-      // this is only used for unit-tests and passed in the constructor
-      proxyOpts.rejectUnauthorized = false
-      proxyOpts.ALPNProtocols = ['http/1.1']
-
       const testUrl = `${protocol}://${HOSTNAME}:${apiServerPort}/mirror?${queryString.stringify(queryObject)}`
-      const response = await fetch(testUrl, {
-        agent: new HttpsProxyAgent(proxyOpts),
-        headers
-      })
-      expect(response.ok).toEqual(true)
-      const json = await response.json()
-      expect(json).toStrictEqual(queryObject)
+
+      // IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = false
+        const response = await fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts),
+          headers
+        })
+        expect(response.ok).toEqual(true)
+        const json = await response.json()
+        expect(json).toStrictEqual(queryObject)
+      }
+      // DO NOT IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = true
+        const proxyFetch = fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts)
+        })
+        await expect(proxyFetch).rejects.toThrow('self-signed certificate in certificate chain')
+      }
     })
 
     test('failure', async () => {
@@ -256,18 +305,51 @@ describe('https proxy', () => {
       const proxyUrl = proxyServer.url
       const proxyOpts = urlToHttpOptions(proxyUrl)
       proxyOpts.auth = `${username}:${password}`
-      // the passing on of this property to the underlying implementation only works on https-proxy-agent@2.2.4
-      // this is only used for unit-tests and passed in the constructor
-      proxyOpts.rejectUnauthorized = false
-      proxyOpts.ALPNProtocols = ['http/1.1']
-
       const testUrl = `${protocol}://${HOSTNAME}:${apiServerPort}/mirror?${queryString.stringify(queryObject)}`
-      const response = await fetch(testUrl, {
-        agent: new HttpsProxyAgent(proxyOpts),
-        headers
-      })
-      expect(response.ok).toEqual(false)
-      expect(response.status).toEqual(403)
+
+      // IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = false
+        const response = await fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts),
+          headers
+        })
+        expect(response.ok).toEqual(false)
+        expect(response.status).toEqual(403)
+      }
+      // DO NOT IGNORE self-signed certs
+      {
+        proxyOpts.rejectUnauthorized = true
+        const proxyFetch = fetch(testUrl, {
+          agent: new PatchedHttpsProxyAgent(proxyUrl, proxyOpts)
+        })
+        await expect(proxyFetch).rejects.toThrow('self-signed certificate in certificate chain')
+      }
     })
   })
+
+  test('createHttpsProxy (default options)', async () => {
+    syswidecas.addCAs.mockRestore()
+
+    proxyServer = await createHttpsProxy()
+    await proxyServer.stop()
+
+    expect(syswidecas.addCAs).toHaveBeenCalled()
+  })
+})
+
+describe('generateCert', () => {
+  beforeEach(() => {
+    syswidecas.addCAs.mockRestore()
+  })
+
+  test('default (add root CAs)', async () => {
+    await generateCert()
+    expect(syswidecas.addCAs).toHaveBeenCalled()
+  })
+
+  test('do not add root CAs', async () => {
+    await generateCert({ addToRootCAs: false })
+    expect(syswidecas.addCAs).not.toHaveBeenCalled()
+  })
 })