internal: (studio) do not retry on cert failures (#32631)

* fix: ensure that all calls to api.cypress.io and cloud.cypress.io properly set rejectUnauthorized

* fix: ensure that all calls to api.cypress.io and cloud.cypress.io properly set rejectUnauthorized

* Fix SSL certificate verification for cloud requests

Fixed SSL certificate verification for Cypress cloud requests.

* fix: ensure that all calls to api.cypress.io and cloud.cypress.io properly set rejectUnauthorized

* internal: (studio) do not retry on cert failures

* Update packages/server/test/unit/cloud/api/studio/post_studio_session_spec.ts

Co-authored-by: Matt Schile <[email protected]>

* Update packages/server/test/unit/cloud/api/studio/post_studio_session_spec.ts

Co-authored-by: Matt Schile <[email protected]>

* fix types

---------

Co-authored-by: Matt Schile <[email protected]>

Author: ryanthemanuel

packages/data-context/graphql/schemaTypes/index.ts

@@ -1,9 +1,9 @@
 /* eslint-disable padding-line-between-statements */
 // created by autobarrel, do not modify directly
 
-export * from './enumTypes'
-export * from './inputTypes'
-export * from './interfaceTypes'
-export * from './objectTypes'
-export * from './scalarTypes'
-export * from './unions'
+export * from './enumTypes/'
+export * from './inputTypes/'
+export * from './interfaceTypes/'
+export * from './objectTypes/'
+export * from './scalarTypes/'
+export * from './unions/'

packages/server/lib/cloud/api/index.ts

@@ -37,6 +37,7 @@ import type { CreateInstanceRequestBody, CreateInstanceResponse } from './create
 
 import { transformError } from './axios_middleware/transform_error'
 import { DecryptionError } from './cloud_request_errors'
+import { isNonRetriableCertErrorCode } from '../network/nonretriable_cert_error_codes'
 
 const THIRTY_SECONDS = humanInterval('30 seconds')
 const SIXTY_SECONDS = humanInterval('60 seconds')
@@ -169,7 +170,7 @@ const getCachedResponse = (params) => {
   return responseCache[params.url]
 }
 
-const retryWithBackoff = (fn) => {
+const retryWithBackoff = (fn, options: { displayRetryErrors?: boolean } = { displayRetryErrors: true }) => {
   if (process.env.DISABLE_API_RETRIES) {
     debug('api retries disabled')
 
@@ -192,13 +193,15 @@ const retryWithBackoff = (fn) => {
 
       const delayMs = delays[retryIndex]
 
-      errors.warning(
-        'CLOUD_API_RESPONSE_FAILED_RETRYING', {
-          delayMs,
-          tries: delays.length - retryIndex,
-          response: err,
-        },
-      )
+      if (options.displayRetryErrors) {
+        errors.warning(
+          'CLOUD_API_RESPONSE_FAILED_RETRYING', {
+            delayMs,
+            tries: delays.length - retryIndex,
+            response: err,
+          },
+        )
+      }
 
       retryIndex++
 
@@ -227,6 +230,10 @@ const isRetriableError = (err) => {
     return false
   }
 
+  if (err.cause?.code && isNonRetriableCertErrorCode(err.cause?.code)) {
+    return false
+  }
+
   return err instanceof Bluebird.TimeoutError ||
     (err.statusCode >= 500 && err.statusCode < 600) ||
     (err.statusCode == null)
@@ -674,7 +681,7 @@ export default {
     })
   },
 
-  async getCaptureProtocolScript (url: string) {
+  async getCaptureProtocolScript (url: string, options: { displayRetryErrors?: boolean } = { displayRetryErrors: true }) {
     // TODO(protocol): Ensure this is removed in production
     if (process.env.CYPRESS_LOCAL_PROTOCOL_PATH) {
       debugProtocol(`Loading protocol via script at local path %s`, process.env.CYPRESS_LOCAL_PROTOCOL_PATH)
@@ -694,7 +701,7 @@ export default {
         encrypt: 'signed',
         resolveWithFullResponse: true,
       })
-    })
+    }, options)
 
     const verified = enc.verifySignature(res.body, res.headers['x-cypress-signature'])
 

packages/server/lib/cloud/api/put_protocol_artifact.ts

@@ -3,7 +3,7 @@ import fs from 'fs'
 import Debug from 'debug'
 import { StreamActivityMonitor } from '../upload/stream_activity_monitor'
 import { asyncRetry, linearDelay } from '../../util/async_retry'
-import { putFetch, ParseKinds } from '../network/put_fetch'
+import { putFetch, ParseKinds } from '../network/fetch'
 import { isRetryableError } from '../network/is_retryable_error'
 const debug = Debug('cypress:server:cloud:api:protocol-artifact')
 

packages/server/lib/cloud/api/studio/get_studio_bundle.ts

@@ -6,6 +6,8 @@ import { strictAgent } from '@packages/network'
 import { PUBLIC_KEY_VERSION } from '../../constants'
 import { createWriteStream } from 'fs'
 import { verifySignatureFromFile } from '../../encryption'
+import { HttpError } from '../../network/http_error'
+import { SystemError } from '../../network/system_error'
 
 const pkg = require('@packages/root')
 const _delay = linearDelay(500)
@@ -37,7 +39,9 @@ export const getStudioBundle = async ({ studioUrl, bundlePath }: { studioUrl: st
       })
 
       if (!response.ok) {
-        throw new Error(`Failed to download studio bundle: ${response.statusText}`)
+        const err = await HttpError.fromResponse(response)
+
+        throw err
       }
 
       responseSignature = response.headers.get('x-cypress-signature')
@@ -71,6 +75,17 @@ export const getStudioBundle = async ({ studioUrl, bundlePath }: { studioUrl: st
         throw new Error('Studio bundle fetch timed out')
       }
 
+      if (HttpError.isHttpError(error)) {
+        throw error
+      }
+
+      if (error.errno || error.code) {
+        const sysError = new SystemError(error, studioUrl, error.code, error.errno)
+
+        sysError.stack = error.stack
+        throw sysError
+      }
+
       throw error
     }
   }, {

packages/server/lib/cloud/api/studio/post_studio_session.ts

@@ -1,8 +1,7 @@
 import { asyncRetry, linearDelay } from '../../../util/async_retry'
 import { isRetryableError } from '../../network/is_retryable_error'
-import fetch from 'cross-fetch'
 import os from 'os'
-import { strictAgent } from '@packages/network'
+import { ParseKinds, postFetch } from '../../network/fetch'
 
 const pkg = require('@packages/root')
 const routes = require('../../routes') as typeof import('../../routes')
@@ -15,28 +14,15 @@ const _delay = linearDelay(500)
 
 export const postStudioSession = async ({ projectId }: PostStudioSessionOptions) => {
   return await (asyncRetry(async () => {
-    const response = await fetch(routes.apiRoutes.studioSession(), {
-      // @ts-expect-error - this is supported
-      agent: strictAgent,
-      method: 'POST',
+    return postFetch<{ studioUrl: string, protocolUrl: string }>(routes.apiRoutes.studioSession(), {
+      parse: ParseKinds.JSON,
       headers: {
         'Content-Type': 'application/json',
         'x-os-name': os.platform(),
         'x-cypress-version': pkg.version,
       },
       body: JSON.stringify({ projectSlug: projectId, studioMountVersion: 1, protocolMountVersion: 2 }),
     })
-
-    if (!response.ok) {
-      throw new Error(`Failed to create studio session: ${response.statusText}`)
-    }
-
-    const data = await response.json()
-
-    return {
-      studioUrl: data.studioUrl,
-      protocolUrl: data.protocolUrl,
-    }
   }, {
     maxAttempts: 3,
     retryDelay: _delay,

packages/server/lib/cloud/api/studio/report_studio_error.ts

@@ -17,6 +17,8 @@ interface StudioError {
   name: string
   stack: string
   message: string
+  code?: string | number
+  errno?: string | number
   studioMethod: string
   studioMethodArgs?: string
 }
@@ -80,6 +82,8 @@ export function reportStudioError ({
         name: stripPath(errorObject.name ?? `Unknown name`),
         stack: stripPath(errorObject.stack ?? `Unknown stack`),
         message: stripPath(errorObject.message ?? `Unknown message`),
+        code: 'code' in errorObject ? errorObject.code as string | number : undefined,
+        errno: 'errno' in errorObject ? errorObject.errno as string | number : undefined,
         studioMethod,
         studioMethodArgs: studioMethodArgsString ? stripPath(studioMethodArgsString) : undefined,
       }],

packages/server/lib/cloud/network/put_fetch.ts renamed to packages/server/lib/cloud/network/fetch.ts

@@ -7,7 +7,9 @@ import Debug from 'debug'
 
 const debug = Debug('cypress-verbose:server:cloud:api:put')
 
-type PutInit = Omit<RequestInit, 'agent' | 'method'>
+type FetchInit = Omit<RequestInit, 'agent'>
+
+type MethodlessFetchInit = Omit<FetchInit, 'method'>
 
 export const ParseKinds = Object.freeze({
   JSON: 'json',
@@ -16,23 +18,46 @@ export const ParseKinds = Object.freeze({
 
 type ParseKind = typeof ParseKinds[keyof typeof ParseKinds]
 
-type PutOptions = PutInit & {
+type FetchOptions = FetchInit & {
   parse?: ParseKind
 }
 
-export async function putFetch<
+type MethodlessFetchOptions = MethodlessFetchInit & {
+  parse: ParseKind
+}
+
+export function putFetch<
+  TReturn,
+> (input: RequestInfo | URL, options: MethodlessFetchOptions): Promise<TReturn> {
+  return fetch(input, {
+    ...options,
+    method: 'PUT',
+  })
+}
+
+export function postFetch<
+  TReturn,
+> (input: RequestInfo | URL, options: MethodlessFetchOptions): Promise<TReturn> {
+  return fetch(input, {
+    ...options,
+    method: 'POST',
+  })
+}
+
+export async function fetch<
   TReturn,
-> (input: RequestInfo | URL, options: PutOptions = { parse: 'json' }): Promise<TReturn> {
+> (input: RequestInfo | URL, options: FetchOptions): Promise<TReturn> {
   const {
     parse,
+    method,
     ...init
   } = options
 
-  debug('Initiating PUT %s', input)
+  debug('Initiating %s %s', method, input)
   try {
     const response = await crossFetch(input, {
       ...(init || {}),
-      method: 'PUT',
+      method,
       // cross-fetch thinks this is in the browser, so declares
       // types based on that rather than on node-fetch which it
       // actually uses under the hood. node-fetch supports `agent`.
@@ -74,7 +99,7 @@ export async function putFetch<
       const url = typeof input === 'string' ? input :
         input instanceof URL ? input.href :
           input instanceof Request ? input.url : 'UNKNOWN_URL'
-      const sysError = new SystemError(err, url)
+      const sysError = new SystemError(err, url, err.code, err.errno)
 
       sysError.stack = err.stack
       throw sysError

packages/server/lib/cloud/network/is_retryable_error.ts

@@ -1,21 +1,26 @@
 import { SystemError } from './system_error'
 import { HttpError } from './http_error'
 import Debug from 'debug'
+import { isNonRetriableCertErrorCode } from './nonretriable_cert_error_codes'
 
 const debug = Debug('cypress-verbose:server:is-retryable-error')
 
-export const isRetryableError = (error: unknown) => {
+export const isRetryableError = (error: any) => {
   debug('is retryable error? system error: %s, httperror: %s, status: %d',
     error && SystemError.isSystemError(error as any),
     error && HttpError.isHttpError(error as any),
     (error as HttpError)?.status)
 
-  if (SystemError.isSystemError(error as any)) {
+  if (SystemError.isSystemError(error)) {
+    if (error.code && isNonRetriableCertErrorCode(error.code)) {
+      return false
+    }
+
     return true
   }
 
-  if (HttpError.isHttpError(error as any)) {
-    return [408, 429, 502, 503, 504].includes((error as HttpError).status)
+  if (HttpError.isHttpError(error)) {
+    return [408, 429, 502, 503, 504].includes(error.status)
   }
 
   return false

packages/server/lib/cloud/network/nonretriable_cert_error_codes.ts

@@ -0,0 +1,16 @@
+export const NON_RETRIABLE_CERT_ERROR_CODES = Object.freeze({
+  // The leaf certificate signature can’t be verified
+  UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+  // The certificate is a self-signed certificate and not in trusted root store
+  DEPTH_ZERO_SELF_SIGNED_CERT: 'DEPTH_ZERO_SELF_SIGNED_CERT',
+  // A self-signed certificate exists somewhere in the chain
+  SELF_SIGNED_CERT_IN_CHAIN: 'SELF_SIGNED_CERT_IN_CHAIN',
+  // The issuer certificate is not available locally
+  UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
+})
+
+type NonRetriableCertErrorCode = typeof NON_RETRIABLE_CERT_ERROR_CODES[keyof typeof NON_RETRIABLE_CERT_ERROR_CODES]
+
+export const isNonRetriableCertErrorCode = (errorCode: string | number): errorCode is NonRetriableCertErrorCode => {
+  return Object.values(NON_RETRIABLE_CERT_ERROR_CODES).includes(errorCode as NonRetriableCertErrorCode)
+}

packages/server/lib/cloud/network/system_error.ts

@@ -7,6 +7,8 @@ export class SystemError extends Error {
   constructor (
     public readonly originalError: Error,
     public readonly url: string,
+    public readonly code: string | number | undefined,
+    public readonly errno: string | number | undefined,
   ) {
     super(originalError.message)
   }