fix(oidc, atlas-service): use system ca certs in atlas reqs and OIDC COMPASS-7950 (#5925)

Author: Anemy

package-lock.json

@@ -88,6 +88,7 @@
     "react": "^17.0.2",
     "react-redux": "^8.1.3",
     "redux": "^4.2.1",
-    "redux-thunk": "^2.4.2"
+    "redux-thunk": "^2.4.2",
+    "system-ca": "^1.0.2"
   }
 }

packages/atlas-service/package.json

@@ -94,7 +94,7 @@ describe('CompassAuthServiceMain', function () {
 
     CompassAuthService['config'] = defaultConfig;
 
-    CompassAuthService['setupPlugin']();
+    await CompassAuthService['setupPlugin']();
     CompassAuthService['attachOidcPluginLoggerEvents']();
 
     preferences = await createSandboxFromDefaultPreferences();
@@ -298,6 +298,24 @@ describe('CompassAuthServiceMain', function () {
       await CompassAuthService.init(preferences);
       expect(setupPluginSpy).to.have.been.calledOnce;
     });
+
+    it('should pass the system ca to the plugin as a custom http option', async function () {
+      const createOIDCPluginSpy = sandbox.spy(
+        CompassAuthService as any,
+        'createMongoDBOIDCPlugin'
+      );
+      await CompassAuthService.init(preferences);
+      expect(createOIDCPluginSpy).to.have.been.calledOnce;
+      try {
+        expect(
+          createOIDCPluginSpy.firstCall.args[0].customHttpOptions.ca
+        ).to.include('-----BEGIN CERTIFICATE-----');
+      } catch (e) {
+        throw new Error(
+          'Expected ca to be included in the customHttpOptions, but it was not.'
+        );
+      }
+    });
   });
 
   describe('with networkTraffic turned off', function () {

packages/atlas-service/src/main.spec.ts

@@ -11,10 +11,10 @@ import {
   hookLoggerToMongoLogWriter as oidcPluginHookLoggerToMongoLogWriter,
 } from '@mongodb-js/oidc-plugin';
 import { oidcServerRequestHandler } from '@mongodb-js/devtools-connect';
-// TODO(https://github.com/node-fetch/node-fetch/issues/1652): Remove this when
-// node-fetch types match the built in AbortSignal from node.
-import type { AbortSignal as NodeFetchAbortSignal } from 'node-fetch/externals';
+import { systemCertsAsync } from 'system-ca';
+import type { Options as SystemCAOptions } from 'system-ca';
 import type { RequestInfo, RequestInit, Response } from 'node-fetch';
+import https from 'https';
 import nodeFetch from 'node-fetch';
 import type { IntrospectInfo, AtlasUserInfo, AtlasServiceConfig } from './util';
 import { throwIfAborted } from '@mongodb-js/compass-utils';
@@ -37,6 +37,15 @@ const redirectRequestHandler = oidcServerRequestHandler.bind(null, {
   productDocsLink: 'https://www.mongodb.com/docs/compass',
 });
 
+async function getSystemCA() {
+  // It is possible for OIDC login flow to fail if system CA certs are different from
+  // the ones packaged with the application. To avoid this, we include the system CA
+  // certs in the OIDC plugin options. See COMPASS-7950 for more details.
+  const systemCAOpts: SystemCAOptions = { includeNodeCertificates: true };
+  const ca = await systemCertsAsync(systemCAOpts);
+  return ca.join('\n');
+}
+
 const TOKEN_TYPE_TO_HINT = {
   accessToken: 'access_token',
   refreshToken: 'refresh_token',
@@ -63,7 +72,7 @@ export class CompassAuthService {
   ): Promise<Response> => {
     await this.initPromise;
     this.throwIfNetworkTrafficDisabled();
-    throwIfAborted(init.signal as AbortSignal);
+    throwIfAborted(init.signal ?? undefined);
     log.info(
       mongoLogId(1_001_000_299),
       'AtlasService',
@@ -72,6 +81,14 @@ export class CompassAuthService {
     );
     try {
       const res = await nodeFetch(url, {
+        // Tests use 'http'.
+        ...(url.toString().includes('https')
+          ? {
+              agent: new https.Agent({
+                ca: await getSystemCA(),
+              }),
+            }
+          : {}),
         ...init,
         headers: {
           ...init.headers,
@@ -129,7 +146,7 @@ export class CompassAuthService {
 
   private static createMongoDBOIDCPlugin = createMongoDBOIDCPlugin;
 
-  private static setupPlugin(serializedState?: string) {
+  private static async setupPlugin(serializedState?: string) {
     this.plugin = this.createMongoDBOIDCPlugin({
       redirectServerRequestHandler: (data) => {
         if (data.result === 'redirecting') {
@@ -150,6 +167,9 @@ export class CompassAuthService {
       allowedFlows: this.getAllowedAuthFlows.bind(this),
       logger: this.oidcPluginLogger,
       serializedState,
+      customHttpOptions: {
+        ca: await getSystemCA(),
+      },
     });
     oidcPluginHookLoggerToMongoLogWriter(
       this.oidcPluginLogger,
@@ -180,7 +200,7 @@ export class CompassAuthService {
         { config: this.config }
       );
       const serializedState = await this.secretStore.getState();
-      this.setupPlugin(serializedState);
+      await this.setupPlugin(serializedState);
     })());
   }
 
@@ -301,7 +321,7 @@ export class CompassAuthService {
     this.attachOidcPluginLoggerEvents();
     // Destroy old plugin and setup new one
     await this.plugin?.destroy();
-    this.setupPlugin();
+    await this.setupPlugin();
     // Revoke tokens. Revoking refresh token will also revoke associated access
     // tokens
     // https://developer.okta.com/docs/guides/revoke-tokens/main/#revoke-an-access-token-or-a-refresh-token
@@ -362,7 +382,7 @@ export class CompassAuthService {
             Authorization: `Bearer ${token ?? ''}`,
             Accept: 'application/json',
           },
-          signal: signal as NodeFetchAbortSignal | undefined,
+          signal: signal,
         }
       );
 
@@ -403,7 +423,7 @@ export class CompassAuthService {
         Accept: 'application/json',
         'Content-Type': 'application/x-www-form-urlencoded',
       },
-      signal: signal as NodeFetchAbortSignal | undefined,
+      signal: signal,
     });
 
     await throwIfNotOk(res);
@@ -438,7 +458,7 @@ export class CompassAuthService {
         Accept: 'application/json',
         'Content-Type': 'application/x-www-form-urlencoded',
       },
-      signal: signal as NodeFetchAbortSignal | undefined,
+      signal: signal,
     });
 
     await throwIfNotOk(res);