
Commit 8e850a9

committed
fix: respect NODE_TLS_REJECT_UNAUTHORIZED environment variable
1 parent af9c9f7 commit 8e850a9


4 files changed

+85
-3
lines changed


package-lock.json

Lines changed: 24 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

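--- a/package.json
+++ b/package.json
@@ -83,6 +83,7 @@
 "nock": "^14.0.5",
 "prettier": "^3.0.0",
 "pretty-quick": "^4.0.0",
+"selfsigned": "^3.0.1",
 "ts-mockito": "^2.3.1",
 "tsx": "^4.19.1",
 "typedoc": "^0.28.0",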

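--- a/src/config.ts
+++ b/src/config.ts
@@ -202,7 +202,9 @@ export class KubeConfig implements SecurityAuthentication {
 agentOptions.key = opts.key;
 agentOptions.pfx = opts.pfx;
 agentOptions.passphrase = opts.passphrase;
-agentOptions.rejectUnauthorized = opts.rejectUnauthorized;
+if (opts.rejectUnauthorized !== undefined) {
+agentOptions.rejectUnauthorized = opts.rejectUnauthorized;
+}
 // The ws docs say that it accepts anything that https.RequestOptions accepts,
 // but Typescript doesn't understand that idea (yet) probably could be fixed in
 // the typings, but for now just cast to any
@@ -259,7 +261,9 @@ export class KubeConfig implements SecurityAuthentication {
 agentOptions.key = httpsOptions.key;
 agentOptions.pfx = httpsOptions.pfx;
 agentOptions.passphrase = httpsOptions.passphrase;
-agentOptions.rejectUnauthorized = httpsOptions.rejectUnauthorized;
+if (httpsOptions.rejectUnauthorized !== undefined) {
+agentOptions.rejectUnauthorized = httpsOptions.rejectUnauthorized;
+}
 
 context.setAgent(this.createAgent(cluster, agentOptions));
 }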
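Review bot: With the new guards around both `rejectUnauthorized` assignments, an unset value now leaves certificate verification to Node's process-wide default, so `NODE_TLS_REJECT_UNAUTHORIZED=0` in the environment disables verification on agents that also carry the client `key`, `pfx` and `passphrase` set on the lines just above. That matches the commit title, but neither site says why the guard exists, and a later cleanup could fold it back into a plain assignment. I would add a comment above each guard, for example `// Leave unset when not configured so Node's default (which honours NODE_TLS_REJECT_UNAUTHORIZED) applies.` The identical guard in the second hunk (the `httpsOptions` one) could share a small private helper with the first. Both enclosing methods start and end outside the hunks, so where `opts` and `httpsOptions` get their values is not visible here.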

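--- a/src/config_test.ts
+++ b/src/config_test.ts
@@ -18,7 +18,7 @@ import { fileURLToPath } from 'node:url';
 import mockfs from 'mock-fs';
 
 import { Authenticator } from './auth.js';
-import { Headers } from 'node-fetch';
+import fetch, { Headers } from 'node-fetch';
 import { HttpMethod } from './index.js';
 import { assertRequestAgentsEqual, assertRequestOptionsEqual } from './test/match-buffer.js';
 import { CoreV1Api, RequestContext } from './api.js';
@@ -27,6 +27,8 @@ import { ActionOnInvalid, Cluster, newClusters, newContexts, newUsers, User } fr
 import { ExecAuth } from './exec_auth.js';
 import { HttpProxyAgent, HttpsProxyAgent } from 'hpagent';
 import { SocksProxyAgent } from 'socks-proxy-agent';
+import { AddressInfo } from 'node:net';
+import selfsigned from 'selfsigned';
 
 const kcFileName = 'testdata/kubeconfig.yaml';
 const kc2FileName = 'testdata/kubeconfig-2.yaml';
@@ -491,6 +493,28 @@ describe('KubeConfig', () => {
 
 strictEqual(rc.getAgent() instanceof https.Agent, true);
 });
+
+it('should apply NODE_TLS_REJECT_UNAUTHORIZED from environment to agent', async () => {
+const { server, host, port } = await createTestHttpsServer();
+const originalValue = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+after(() => {
+server.close();
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalValue;
+});
+
+const kc = new KubeConfig();
+const rc = new RequestContext(`https://${host}:${port}`, HttpMethod.GET);
+await kc.applySecurityAuthentication(rc);
+const res = await fetch(`https://${host}:${port}`, { agent: rc.getAgent() });
+strictEqual(res.status, 200);
+strictEqual(await res.text(), 'OK');
+
+const res2 = await fetch(`https://${host}:${port}`, await kc.applyToFetchOptions({}));
+strictEqual(res2.status, 200);
+strictEqual(await res2.text(), 'OK');
+delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+});
 });
 
 describe('loadClusterConfigObjects', () => {
@@ -1827,3 +1851,32 @@ describe('KubeConfig', () => {
 });
 });
 });
+
+// create a self-signed HTTPS test server
+async function createTestHttpsServer(): Promise<{
+server: https.Server;
+host: string;
+port: number;
+ca: string;
+}> {
+const host = 'localhost';
+const { private: key, cert } = selfsigned.generate([{ name: 'commonName', value: host }]);
+
+const server = https.createServer({ key, cert }, (_req, res) => {
+res.writeHead(200);
+res.end('OK');
+});
+
+const port = await new Promise<number>((resolve) => {
+server.listen(0, () => {
+resolve((server.address() as AddressInfo).port);
+});
+});
+
+return {
+server,
+host,
+port,
+ca: cert, // ca is the same as cert here
+};
+}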
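Review bot: The `after()` hook in the new test restores the variable with `process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalValue;`, and when the variable was not set beforehand Node stores the string `'undefined'` instead of removing it. The restore should be `if (originalValue === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED; else process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalValue;`. The trailing `delete` runs only when every assertion passes, so a failing assertion leaves verification disabled for whatever executes before the hook fires; wrapping the body in `try`/`finally` would remove the dependence on when `after()` runs. The test also covers only the permissive path. A companion case that leaves the variable unset and expects the `fetch` against the self-signed server to reject would pin that verification stays on by default, and the `ca` value returned by `createTestHttpsServer()` is currently unused and could back a case that trusts the certificate explicitly.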
