background: Support for system proxy configuration.
This adds support for using the system proxy configuration (by asking the
embedded Chrome to resolve the proxy configuration).  The idea to ask
Chrome was from the electron-proxy-agent package; however, it had
significant issues on supporting system CA certificates, and the result
ended up being a complete rewrite.

We need the wrapper classes for HttpsProxyAgent and SocksProxyAgent so that
we can pass the CA options down to the eventual tls.connect() call.  This
is due to TooTallNate/proxy-agents#89

Signed-off-by: Mark Yen <[email protected]>
mook-as committed Jul 28, 2021
1 parent 94360aa commit e5f93cf
Showing 5 changed files with 307 additions and 61 deletions.
54 changes: 2 additions & 52 deletions background.ts
Expand Up @@ -6,8 +6,6 @@ import { URL } from 'url';

import Electron from 'electron';
import _ from 'lodash';
import MacCA from 'mac-ca';
import WinCA from 'win-ca';

import mainEvents from '@/main/mainEvents';
import { setupKim } from '@/main/kim';
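Review bot: The `mac-ca` and `win-ca` imports are dropped from background.ts here, while package.json is listed with 4 additions and 0 deletions, so both packages remain declared dependencies. Please confirm they are still imported elsewhere (presumably by `@/main/networking`); if they are not, remove them from package.json in the same commit so unused certificate-store code does not ship with the app.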
Expand All @@ -18,6 +16,7 @@ import * as K8s from '@/k8s-engine/k8s';
import resources from '@/resources';
import Logging from '@/utils/logging';
import * as childProcess from '@/utils/childProcess';
import setupNetworking from '@/main/networking';
import setupUpdate from '@/main/update';

Electron.app.setName('Rancher Desktop');
Expand Down Expand Up @@ -55,10 +54,7 @@ Electron.app.whenReady().then(async() => {
} catch (err) {
console.log(`Can't get app version: ${ err }`);
}
if (os.platform().startsWith('win')) {
// Inject the Windows certs.
WinCA({ inject: '+' });
}
setupNetworking();
try {
tray = new Tray();
} catch (e) {
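Review bot: `setupNetworking()` sits between the two `try` blocks, so an exception thrown by it is not caught here and would reject the `whenReady()` handler before the tray is created. Either wrap it like its neighbours and log the failure, or document that it cannot throw. The call it replaces ran only when `os.platform().startsWith('win')`, so a short comment stating that the new call is meant to run on every platform would also help.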
Expand Down Expand Up @@ -212,52 +208,6 @@ Electron.ipcMain.handle('settings-write', (event, arg: Partial<settings.Settings
Electron.ipcMain.emit('k8s-restart-required');
});

// Set up certificate handling for system certificates on Windows and macOS
Electron.app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
if (error === 'net::ERR_CERT_INVALID') {
// If we're getting *this* particular error, it means it's an untrusted cert.
// Ask the system store.
console.log(`Attempting to check system certificates for ${ url } (${ certificate.subjectName }/${ certificate.fingerprint })`);
if (os.platform().startsWith('win')) {
const certs: string[] = [];

WinCA({
format: WinCA.der2.pem, ondata: certs, fallback: false
});
for (const cert of certs) {
// For now, just check that the PEM data matches exactly; this is
// probably a little more strict than necessary, but avoids issues like
// an attacker generating a cert with the same serial.
if (cert === certificate.data) {
console.log(`Accepting system certificate for ${ certificate.subjectName } (${ certificate.fingerprint })`);
// eslint-disable-next-line node/no-callback-literal
callback(true);

return;
}
}
} else if (os.platform() === 'darwin') {
for (const cert of MacCA.all(MacCA.der2.pem)) {
// For now, just check that the PEM data matches exactly; this is
// probably a little more strict than necessary, but avoids issues like
// an attacker generating a cert with the same serial.
if (cert === certificate.data) {
console.log(`Accepting system certificate for ${ certificate.subjectName } (${ certificate.fingerprint })`);
// eslint-disable-next-line node/no-callback-literal
callback(true);

return;
}
}
}
}

console.log(`Not handling certificate error ${ error } for ${ url }`);

// eslint-disable-next-line node/no-callback-literal
callback(false);
});

Electron.ipcMain.on('k8s-state', (event) => {
event.returnValue = k8smanager.state;
});
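Review bot: The removed `certificate-error` handler had three security-relevant properties that the replacement must keep: it acted only on `net::ERR_CERT_INVALID`, it accepted a certificate only when a system-store PEM matched `certificate.data` exactly, and it fell through to `callback(false)` for everything else. The replacement is not visible in this file, so please confirm that whatever now handles this event (presumably in `@/main/networking`) preserves the exact-match comparison and the default reject, and keeps the log lines naming the URL and fingerprint so that accepted system certificates stay auditable.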
137 changes: 128 additions & 9 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions package.json
Expand Up @@ -27,6 +27,7 @@
"main": "dist/app/background.js",
"dependencies": {
"@kubernetes/client-node": "^0.13.0",
"agent-base": "^6.0.2",
"bufferutil": "^4.0.3",
"cookie-universal-nuxt": "^2.0.17",
"core-js": "^3.8.1",
Expand All @@ -35,6 +36,8 @@
"dompurify": "^2.2.9",
"electron-updater": "^4.3.9",
"fs-extra": "^10.0.0",
"http-proxy-agent": "^4.0.1",
"https-proxy-agent": "^5.0.0",
"intl-messageformat": "^7.8.4",
"jquery": "^3.5.1",
"jsonpath": "^1.0.2",
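Review bot: The wrappers described in the commit message exist only to get the CA options down to `tls.connect()`, and they sit on top of `"https-proxy-agent": "^5.0.0"` here and `socks-proxy-agent` in the next hunk, so a later dependency bump that changes how those agents open their TLS connection could silently drop the system CAs. Please add a test asserting that the CA options reach the TLS connection through each wrapper, and put a code comment referencing TooTallNate/proxy-agents#89 next to the wrapper classes so they can be removed once upstream handles this.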
Expand All @@ -44,6 +47,7 @@
"node-fetch": "^2.6.1",
"sass": "^1.32.2",
"semver": "^7.3.5",
"socks-proxy-agent": "^6.0.0",
"sudo-prompt": "^9.2.1",
"utf-8-validate": "^5.0.4",
"vue": "^2.6.12",