fix(compass,atlas-service): apply proxy to main thread HTTP calls COMPASS-8165

packages/atlas-service/package.json

@@ -79,17 +79,16 @@
     "@mongodb-js/compass-user-data": "^0.3.3",
     "@mongodb-js/compass-utils": "^0.6.9",
     "@mongodb-js/devtools-connect": "^3.2.5",
+    "@mongodb-js/devtools-proxy-support": "^0.3.5",
     "@mongodb-js/oidc-plugin": "^1.0.0",
     "hadron-app-registry": "^9.2.2",
     "compass-preferences-model": "^2.26.0",
     "electron": "^29.4.5",
     "hadron-ipc": "^3.2.20",
     "lodash": "^4.17.21",
-    "node-fetch": "^2.7.0",
     "react": "^17.0.2",
     "react-redux": "^8.1.3",
     "redux": "^4.2.1",
-    "redux-thunk": "^2.4.2",
-    "system-ca": "^2.0.0"
+    "redux-thunk": "^2.4.2"
   }
 }

packages/atlas-service/src/main.spec.ts

@@ -85,11 +85,12 @@ describe('CompassAuthServiceMain', function () {
       createHandle: sandbox.stub(),
     };
     CompassAuthService['fetch'] = mockFetch as any;
+    CompassAuthService['httpClient'] = { fetch: mockFetch } as any;
     CompassAuthService['createMongoDBOIDCPlugin'] = () => mockOidcPlugin;
 
     CompassAuthService['config'] = defaultConfig;
 
-    await CompassAuthService['setupPlugin']();
+    CompassAuthService['setupPlugin']();
     CompassAuthService['attachOidcPluginLoggerEvents']();
 
     preferences = await createSandboxFromDefaultPreferences();
@@ -289,27 +290,9 @@ describe('CompassAuthServiceMain', function () {
         CompassAuthService as any,
         'setupPlugin'
       );
-      await CompassAuthService.init(preferences);
+      await CompassAuthService.init(preferences, {} as any);
       expect(setupPluginSpy).to.have.been.calledOnce;
     });
-
-    it('should pass the system ca to the plugin as a custom http option', async function () {
-      const createOIDCPluginSpy = sandbox.spy(
-        CompassAuthService as any,
-        'createMongoDBOIDCPlugin'
-      );
-      await CompassAuthService.init(preferences);
-      expect(createOIDCPluginSpy).to.have.been.calledOnce;
-      try {
-        expect(
-          createOIDCPluginSpy.firstCall.args[0].customHttpOptions.ca
-        ).to.include('-----BEGIN CERTIFICATE-----');
-      } catch (e) {
-        throw new Error(
-          'Expected ca to be included in the customHttpOptions, but it was not.'
-        );
-      }
-    });
   });
 
   describe('with networkTraffic turned off', function () {
@@ -346,7 +329,7 @@ describe('CompassAuthServiceMain', function () {
       CompassAuthService['currentUser'] = {
         sub: '1234',
       } as any;
-      await CompassAuthService.init(preferences);
+      await CompassAuthService.init(preferences, {} as any);
       CompassAuthService['config'] = defaultConfig;
       expect(getListenerCount(logger)).to.eq(27);
       // We did all preparations, reset sinon history for easier assertions

packages/atlas-service/src/main.ts

@@ -11,11 +11,7 @@ import {
   hookLoggerToMongoLogWriter as oidcPluginHookLoggerToMongoLogWriter,
 } from '@mongodb-js/oidc-plugin';
 import { oidcServerRequestHandler } from '@mongodb-js/devtools-connect';
-import { systemCertsAsync } from 'system-ca';
-import type { Options as SystemCAOptions } from 'system-ca';
-import type { RequestInfo, RequestInit, Response } from 'node-fetch';
-import https from 'https';
-import nodeFetch from 'node-fetch';
+import type { Agent } from 'https';
 import type { IntrospectInfo, AtlasUserInfo, AtlasServiceConfig } from './util';
 import { throwIfAborted } from '@mongodb-js/compass-utils';
 import type { HadronIpcMain } from 'hadron-ipc';
@@ -27,6 +23,7 @@ import { OidcPluginLogger } from './oidc-plugin-logger';
 import { spawn } from 'child_process';
 import { getAtlasConfig } from './util';
 import { createIpcTrack } from '@mongodb-js/compass-telemetry';
+import type { RequestInit, Response } from '@mongodb-js/devtools-proxy-support';
 
 const { log } = createLogger('COMPASS-ATLAS-SERVICE');
 const track = createIpcTrack();
@@ -36,27 +33,25 @@ const redirectRequestHandler = oidcServerRequestHandler.bind(null, {
   productDocsLink: 'https://www.mongodb.com/docs/compass',
 });
 
-async function getSystemCA() {
-  // It is possible for OIDC login flow to fail if system CA certs are different from
-  // the ones packaged with the application. To avoid this, we include the system CA
-  // certs in the OIDC plugin options. See COMPASS-7950 for more details.
-  const systemCAOpts: SystemCAOptions = { includeNodeCertificates: true };
-  const ca = await systemCertsAsync(systemCAOpts);
-  return ca.join('\n');
-}
-
 const TOKEN_TYPE_TO_HINT = {
   accessToken: 'access_token',
   refreshToken: 'refresh_token',
 } as const;
 
+interface CompassAuthHTTPClient {
+  agent: Agent | undefined;
+  fetch: (url: string, init: RequestInit) => Promise<Response>;
+}
+
 export class CompassAuthService {
   private constructor() {
     // singleton
   }
 
   private static initPromise: Promise<void> | null = null;
 
+  private static httpClient: CompassAuthHTTPClient;
+
   private static oidcPluginLogger = new OidcPluginLogger();
 
   private static plugin: MongoDBOIDCPlugin | null = null;
@@ -66,7 +61,7 @@ export class CompassAuthService {
   private static signInPromise: Promise<AtlasUserInfo> | null = null;
 
   private static fetch = async (
-    url: RequestInfo,
+    url: string,
     init: RequestInit = {}
   ): Promise<Response> => {
     await this.initPromise;
@@ -79,15 +74,7 @@ export class CompassAuthService {
       { url }
     );
     try {
-      const res = await nodeFetch(url, {
-        // Tests use 'http'.
-        ...(url.toString().includes('https')
-          ? {
-              agent: new https.Agent({
-                ca: await getSystemCA(),
-              }),
-            }
-          : {}),
+      const res = await this.httpClient.fetch(url, {
         ...init,
         headers: {
           ...init.headers,
@@ -145,7 +132,7 @@ export class CompassAuthService {
 
   private static createMongoDBOIDCPlugin = createMongoDBOIDCPlugin;
 
-  private static async setupPlugin(serializedState?: string) {
+  private static setupPlugin(serializedState?: string) {
     this.plugin = this.createMongoDBOIDCPlugin({
       redirectServerRequestHandler: (data) => {
         if (data.result === 'redirecting') {
@@ -167,7 +154,7 @@ export class CompassAuthService {
       logger: this.oidcPluginLogger,
       serializedState,
       customHttpOptions: {
-        ca: await getSystemCA(),
+        agent: this.httpClient.agent,
       },
     });
     oidcPluginHookLoggerToMongoLogWriter(
@@ -177,7 +164,11 @@ export class CompassAuthService {
     );
   }
 
-  static init(preferences: PreferencesAccess): Promise<void> {
+  static init(
+    preferences: PreferencesAccess,
+    httpClient: CompassAuthHTTPClient
+  ): Promise<void> {
+    this.httpClient = httpClient;
     this.preferences = preferences;
     this.config = getAtlasConfig(preferences);
     return (this.initPromise ??= (async () => {
@@ -199,7 +190,7 @@ export class CompassAuthService {
         { config: this.config }
       );
       const serializedState = await this.secretStore.getState();
-      await this.setupPlugin(serializedState);
+      this.setupPlugin(serializedState);
     })());
   }
 
@@ -318,7 +309,7 @@ export class CompassAuthService {
     this.attachOidcPluginLoggerEvents();
     // Destroy old plugin and setup new one
     await this.plugin?.destroy();
-    await this.setupPlugin();
+    this.setupPlugin();
     // Revoke tokens. Revoking refresh token will also revoke associated access
     // tokens
     // https://developer.okta.com/docs/guides/revoke-tokens/main/#revoke-an-access-token-or-a-refresh-token

packages/compass-utils/src/cancellable-promise.ts

@@ -5,7 +5,10 @@ class AbortError extends Error {
   name = 'AbortError';
 }
 
-export const throwIfAborted = (signal?: AbortSignal) => {
+export const throwIfAborted = (signal?: {
+  aborted: boolean;
+  reason?: Error;
+}) => {
   if (signal?.aborted) {
     throw signal.reason ?? createCancelError();
   }

packages/compass/src/main/application.ts

@@ -28,7 +28,14 @@ import {
   getCompassMainConnectionStorage,
 } from '@mongodb-js/connection-storage/main';
 import { createIpcTrack } from '@mongodb-js/compass-telemetry';
+import type {
+  AgentWithInitialize,
+  RequestInit,
+  Response,
+} from '@mongodb-js/devtools-proxy-support';
 import {
+  createAgent,
+  createFetch,
   extractProxySecrets,
   translateToElectronProxyConfig,
 } from '@mongodb-js/devtools-proxy-support';
@@ -61,6 +68,12 @@ const hasConfig = (
   return !!Object.keys(globalPreferences[source]).length;
 };
 
+// The properties of this object are changed when proxy options change
+interface CompassProxyClient {
+  agent: AgentWithInitialize | undefined;
+  fetch: (url: string, fetchOptions?: RequestInit) => Promise<Response>;
+}
+
 class CompassApplication {
   private constructor() {
     // marking constructor as private to disallow usage
@@ -71,6 +84,7 @@ class CompassApplication {
   private static initPromise: Promise<void> | null = null;
   private static mode: CompassApplicationMode | null = null;
   public static preferences: PreferencesAccess;
+  public static httpClient: CompassProxyClient;
 
   private static async _init(
     mode: CompassApplicationMode,
@@ -168,7 +182,7 @@ class CompassApplication {
   }
 
   private static async setupCompassAuthService() {
-    await CompassAuthService.init(this.preferences);
+    await CompassAuthService.init(this.preferences, this.httpClient);
     this.addExitHandler(() => {
       return CompassAuthService.onExit();
     });
@@ -288,6 +302,15 @@ class CompassApplication {
         const proxyOptions = proxyPreferenceToProxyOptions(value);
         await app.whenReady();
         await target.setProxy(translateToElectronProxyConfig(proxyOptions));
+
+        const agent = createAgent(proxyOptions);
+        const fetch = createFetch(agent || {});
+        this.httpClient?.agent?.destroy();
+        this.httpClient = Object.assign(this.httpClient ?? {}, {
+          agent,
+          fetch,
+        });
+
         log.info(mongoLogId(1_001_000_327), logContext, 'Configured proxy', {
           options: extractProxySecrets(proxyOptions).proxyOptions,
         });