background: Support for system proxy configuration.

This adds support for use the system proxy configuration (by asking the embedded Chrome to resolve the proxy configuration). The idea to ask Chrome was from the electron-proxy-agent package; however, it had significant issues on supporting system CA certificates, and the result ended up being a complete rewrite. We need the wrapper classes for HttpsProxyAgent and SocksProxyAgent so that we can pass the CA options down to the eventual tls.connect() call. This is due to TooTallNate/proxy-agents#89 Signed-off-by: Mark Yen <[email protected]>
rancher-sandbox · Aug 6, 2021 · 83d1a15 · 83d1a15
1 parent fbe2ff7
commit 83d1a15
Show file tree

Hide file tree

Showing 5 changed files with 326 additions and 80 deletions.
diff --git a/background.ts b/background.ts
@@ -6,8 +6,6 @@ import { URL } from 'url';
 
 import Electron from 'electron';
 import _ from 'lodash';
-import MacCA from 'mac-ca';
-import WinCA from 'win-ca';
 
 import mainEvents from '@/main/mainEvents';
 import { setupKim } from '@/main/kim';
@@ -18,6 +16,7 @@ import * as K8s from '@/k8s-engine/k8s';
 import resources from '@/resources';
 import Logging from '@/utils/logging';
 import * as childProcess from '@/utils/childProcess';
+import setupNetworking from '@/main/networking';
 import setupUpdate from '@/main/update';
 
 Electron.app.setName('Rancher Desktop');
@@ -53,10 +52,7 @@ Electron.app.whenReady().then(async() => {
   } catch (err) {
     console.log(`Can't get app version: ${ err }`);
   }
-  if (os.platform().startsWith('win')) {
-    // Inject the Windows certs.
-    WinCA({ inject: '+' });
-  }
+  setupNetworking();
   try {
     tray = new Tray();
   } catch (e) {
@@ -220,52 +216,6 @@ Electron.ipcMain.handle('settings-write', (event, arg: RecursivePartial<settings
   event.sender.sendToFrame(event.frameId, 'settings-update', cfg);
 });
 
-// Set up certificate handling for system certificates on Windows and macOS
-Electron.app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
-  if (error === 'net::ERR_CERT_INVALID') {
-    // If we're getting *this* particular error, it means it's an untrusted cert.
-    // Ask the system store.
-    console.log(`Attempting to check system certificates for ${ url } (${ certificate.subjectName }/${ certificate.fingerprint })`);
-    if (os.platform().startsWith('win')) {
-      const certs: string[] = [];
-
-      WinCA({
-        format: WinCA.der2.pem, ondata: certs, fallback: false
-      });
-      for (const cert of certs) {
-        // For now, just check that the PEM data matches exactly; this is
-        // probably a little more strict than necessary, but avoids issues like
-        // an attacker generating a cert with the same serial.
-        if (cert === certificate.data) {
-          console.log(`Accepting system certificate for ${ certificate.subjectName } (${ certificate.fingerprint })`);
-          // eslint-disable-next-line node/no-callback-literal
-          callback(true);
-
-          return;
-        }
-      }
-    } else if (os.platform() === 'darwin') {
-      for (const cert of MacCA.all(MacCA.der2.pem)) {
-        // For now, just check that the PEM data matches exactly; this is
-        // probably a little more strict than necessary, but avoids issues like
-        // an attacker generating a cert with the same serial.
-        if (cert === certificate.data) {
-          console.log(`Accepting system certificate for ${ certificate.subjectName } (${ certificate.fingerprint })`);
-          // eslint-disable-next-line node/no-callback-literal
-          callback(true);
-
-          return;
-        }
-      }
-    }
-  }
-
-  console.log(`Not handling certificate error ${ error } for ${ url }`);
-
-  // eslint-disable-next-line node/no-callback-literal
-  callback(false);
-});
-
 Electron.ipcMain.on('k8s-state', (event) => {
   event.returnValue = k8smanager.state;
 });