@ibolton336

  • Fix: Binary Download Failures Behind Corporate Firewalls/Proxies

Problem

Users behind corporate firewalls with SSL-inspecting proxies were experiencing binary download failures during extension activation:

UNABLE_TO_VERIFY_LEAF_SIGNATURE
UND_ERR_ABORTED
407 Proxy Authentication Required

Root Causes

  1. No Proxy Support in Binary Downloads: The ensureKaiAnalyzerBinary() function in paths.ts was using plain fetch() without any proxy configuration, causing downloads to fail when users had HTTPS_PROXY environment variables set.

  2. Custom CA Certificates Not Respected: When enterprises use SSL-inspecting proxies, they issue their own certificates. The download code wasn't loading custom CA certificates specified via NODE_EXTRA_CA_CERTS.

  3. Proxy Authentication Ignored: Due to undici issue #1674, credentials in proxy URLs like http://username:password@proxy.company.com:8080 were being ignored, causing 407 Proxy Authentication Required errors.

Solution

1. Added Proxy Support to Binary Downloads (paths.ts)

  • Import and use getDispatcherWithCertBundle() and getFetchWithDispatcher() from utilities/tls.ts
  • Create a dispatcher that respects both HTTPS_PROXY environment variables and NODE_EXTRA_CA_CERTS
  • Apply the dispatcher to both SHA256 checksum and binary downloads

Before:

const response = await fetch(downloadUrl);

After:

const certBundlePath = process.env.NODE_EXTRA_CA_CERTS;
const dispatcher = await getDispatcherWithCertBundle(certBundlePath, false, false);
const fetchWithDispatcher = getFetchWithDispatcher(dispatcher);
const response = await fetchWithDispatcher(downloadUrl);

2. Added Proxy Authentication Support (utilities/tls.ts)

Implemented the workaround from undici issue #1674 to handle credentials in proxy URLs:

  • Parse proxy URL to extract username and password
  • Base64 encode credentials
  • Pass to ProxyAgent via the auth option

const parsedUrl = new URL(proxyUrl);
let auth: string | undefined;

if (parsedUrl.username || parsedUrl.password) {
  const credentials = `${parsedUrl.username}:${parsedUrl.password}`;
  auth = Buffer.from(credentials).toString('base64');
}

return new ProxyAgent({
  uri: proxyUrl,
  auth, // Proxy authentication now works!
  connect: {
    ca: allCerts,
    rejectUnauthorized: !insecure,
  },
});

Supported Proxy Configurations

This fix now supports:

Explicit Proxy (most common):

export HTTPS_PROXY=http://proxy.company.com:8080
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem

Proxy with Authentication:

export HTTPS_PROXY=http://username:password@proxy.company.com:8080
export NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem

Transparent Proxy (WireGuard/network-level):

export NODE_EXTRA_CA_CERTS=/path/to/proxy-ca.pem
# No HTTPS_PROXY needed - traffic routes through proxy at network level

Impact

This fix resolves download failures for users in:

  • Corporate environments with HTTP/HTTPS proxies
  • Networks with SSL-inspecting firewalls
  • Environments requiring custom CA certificates
  • Proxies requiring authentication

Related Issues

  • Fixes binary download failures with UNABLE_TO_VERIFY_LEAF_SIGNATURE
  • Fixes UND_ERR_ABORTED errors behind proxies

Files Changed

  • editor-extensions/vscode/src/paths.ts: Added proxy support to binary downloads
  • editor-extensions/vscode/src/utilities/tls.ts: Added proxy authentication support

Breaking Changes

None. This is a backward-compatible fix that adds support for proxy configurations without affecting existing functionality.
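
The credential-extraction step described under "Added Proxy Authentication Support", as an added TypeScript example that is not the extension's own code. It goes one step beyond the snippet in the description: the URL class leaves userinfo percent-encoded, so the example decodes it before base64-encoding, and it returns a credential-free URI for logs and error messages. The names proxyAuthFromUrl, ProxyAuth and safeDecode and the proxy.example.test URLs are constructed for illustration.

```typescript
// Added example: derive the base64 value for ProxyAgent's `auth` option
// from a proxy URL. All names here are hypothetical, not the extension's API.

interface ProxyAuth {
  uri: string;   // proxy URL with userinfo stripped, safe to log
  auth?: string; // base64("user:pass"), undefined when no credentials given
}

function safeDecode(value: string): string {
  try {
    return decodeURIComponent(value);
  } catch {
    // Malformed escape such as "%zz": fall back to the raw text.
    return value;
  }
}

function proxyAuthFromUrl(proxyUrl: string): ProxyAuth {
  const parsed = new URL(proxyUrl);
  let auth: string | undefined;

  if (parsed.username || parsed.password) {
    // URL keeps userinfo percent-encoded ("p%40ss"). Decode first, otherwise
    // the proxy receives the escaped text and answers 407 again.
    const user = safeDecode(parsed.username);
    const pass = safeDecode(parsed.password);
    auth = Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
  }

  // Strip userinfo so the URI can appear in logs without leaking the password.
  parsed.username = "";
  parsed.password = "";
  return { uri: parsed.toString(), auth };
}
```
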

@ibolton336 ibolton336 added the cherry-pick/release-0.2 For PRs that should be cherry-picked for v0.2 of the editor extension. label Nov 26, 2025
@ibolton336 ibolton336 requested a review from a team as a code owner November 26, 2025 22:14
@snyk-io

snyk-io bot commented Nov 26, 2025

Snyk checks have failed. 1 issues have been found so far.

Status | Scanner | Critical | High | Medium | Low | Total (1)
 | Open Source Security | 0 | 0 | 1 | 0 | 1 issues
 | Licenses | 0 | 0 | 0 | 0 | 0 issues


@ibolton336 ibolton336 removed the cherry-pick/release-0.2 For PRs that should be cherry-picked for v0.2 of the editor extension. label Nov 26, 2025
@djzager

djzager commented Dec 1, 2025

@ibolton336 Shouldn't this also be on main?

@ibolton336 ibolton336 changed the base branch from release-0.2 to main December 1, 2025 23:32
@ibolton336 ibolton336 requested a review from a team as a code owner December 1, 2025 23:32
@ibolton336 ibolton336 changed the base branch from main to release-0.2 December 1, 2025 23:32
@ibolton336

ibolton336 commented Dec 2, 2025

@ibolton336 Shouldn't this also be on main?

Opened https://github.com/konveyor/editor-extensions/pull/1060/files
