WIP

Author: addaleax

packages/devtools-proxy-support/src/agent.spec.ts

@@ -223,7 +223,7 @@ describe('createAgent', function () {
 
     it('fails to connect to an ssh proxy with unavailable tunneling', async function () {
       setup.authHandler = sinon.stub().returns(true);
-      setup.canTunnel = false;
+      setup.canTunnel = sinon.stub().returns(false);
 
       try {
         await get(

packages/devtools-proxy-support/src/proxy-options.ts

@@ -18,6 +18,7 @@ export interface DevtoolsProxyOptions {
   };
 
   // Not being honored by the translate-to-electron functionality
+  // TODO(COMPASS-8077): Integrate system CA here
   ca?: ConnectionOptions['ca'];
 
   // Mostly intended for testing, defaults to `process.env`.

packages/devtools-proxy-support/src/socks5.spec.ts

@@ -0,0 +1,100 @@
+import sinon from 'sinon';
+import { HTTPServerProxyTestSetup } from '../test/helpers';
+import type { Tunnel } from './socks5';
+import { setupSocks5Tunnel } from './socks5';
+import { expect } from 'chai';
+import { createFetch } from './fetch';
+
+describe('setupSocks5Tunnel', function () {
+  let setup: HTTPServerProxyTestSetup;
+  let tunnel: Tunnel | undefined;
+
+  beforeEach(async function () {
+    setup = new HTTPServerProxyTestSetup();
+    await setup.listen();
+    tunnel = undefined;
+  });
+
+  afterEach(async function () {
+    await setup.teardown();
+    await tunnel?.close();
+  });
+
+  it('can be used to create a Socks5 server that forwards requests to another proxy', async function () {
+    setup.authHandler = sinon.stub().returns(true);
+
+    tunnel = await setupSocks5Tunnel(
+      {
+        proxy: `http://foo:[email protected]:${setup.httpProxyPort}`,
+      },
+      {
+        proxyUsername: 'baz',
+        proxyPassword: 'quux',
+      }
+    );
+    if (!tunnel) {
+      // regular conditional instead of assertion so that TS can follow it
+      expect.fail('failed to create Socks5 tunnel');
+    }
+
+    const fetch = createFetch({
+      proxy: `socks5://baz:[email protected]:${tunnel.config.proxyPort}`,
+    });
+    const response = await fetch('http://example.com/hello');
+    expect(await response.text()).to.equal('OK /hello');
+
+    try {
+      await fetch('http://localhost:1/hello');
+      expect.fail('missed exception');
+    } catch (err) {
+      expect(err.message).to.include(
+        'request to http://localhost:1/hello failed'
+      );
+    }
+  });
+
+  it('rejects mismatching auth', async function () {
+    tunnel = await setupSocks5Tunnel(
+      {
+        useEnvironmentVariableProxies: true,
+        env: {},
+      },
+      {
+        proxyUsername: 'baz',
+        proxyPassword: 'quux',
+      }
+    );
+    if (!tunnel) {
+      // regular conditional instead of assertion so that TS can follow it
+      expect.fail('failed to create Socks5 tunnel');
+    }
+
+    const fetch = createFetch({
+      proxy: `socks5://baz:[email protected]:${tunnel.config.proxyPort}`,
+    });
+
+    try {
+      await fetch('http://localhost:1234/hello');
+      expect.fail('missed exception');
+    } catch (err) {
+      expect(err.message).to.include('Socks5 Authentication failed');
+    }
+  });
+
+  it('reports an error when it fails to listen', async function () {
+    try {
+      await setupSocks5Tunnel(
+        {
+          useEnvironmentVariableProxies: true,
+          env: {},
+        },
+        {
+          proxyHost: 'example.net',
+        }
+      );
+      expect.fail('missed exception');
+    } catch (err) {
+      expect(err.code).to.equal('EADDRNOTAVAIL');
+    }
+  });
+});

packages/devtools-proxy-support/src/socks5.ts

@@ -46,17 +46,19 @@ export interface Tunnel {
 }
 
 function createFakeHttpClientRequest(dstAddr: string, dstPort: number) {
-  return {
-    host: dstAddr,
+  const headers: Record<string, string> = {
+    host: `${isIPv6(dstAddr) ? `[${dstAddr}]` : dstAddr}:${dstPort}`,
+    upgrade: 'websocket', // hack to make proxy-agent prefer CONNECT over HTTP proxying
+  };
+  return Object.assign(new EventEmitter() as ClientRequest, {
+    host: headers.host,
     protocol: 'http',
     method: 'GET',
     path: '/',
-    getHeader(name) {
-      return name === 'host'
-        ? `${isIPv6(dstAddr) ? `[${dstAddr}]` : dstAddr}:${dstPort}`
-        : undefined;
+    getHeader(name: string) {
+      return headers[name];
     },
-  } as ClientRequest;
+  });
 }
 
 class Socks5Server extends EventEmitter implements Tunnel {
@@ -126,14 +128,14 @@ class Socks5Server extends EventEmitter implements Tunnel {
 
     const listeningPromise = this.serverListen(proxyPort, proxyHost);
     try {
-      await Promise.all([listeningPromise, this.ensureAgentInitialized()]);
+      await Promise.all([
+        listeningPromise,
+        once(this, 'listening'),
+        this.ensureAgentInitialized(),
+      ]);
       this.agentInitialized = true;
     } catch (err: unknown) {
-      try {
-        await listeningPromise;
-      } finally {
-        await this.close();
-      }
+      await this.close();
       throw err;
     }
   }
@@ -192,19 +194,36 @@ class Socks5Server extends EventEmitter implements Tunnel {
       this.closeOpenConnections(),
     ]);
 
-    if (maybeError) {
+    if (
+      maybeError &&
+      !('code' in maybeError && maybeError.code === 'ERR_SERVER_NOT_RUNNING')
+    ) {
       throw maybeError;
     }
   }
 
   private async forwardOut(dstAddr: string, dstPort: number): Promise<Duplex> {
-    const channel = await promisify(this.agent.createSocket.bind(this.agent))(
-      createFakeHttpClientRequest(dstAddr, dstPort),
-      {
-        host: dstAddr,
-        port: dstPort,
-      }
-    );
+    const channel = await new Promise<Duplex>((resolve, reject) => {
+      const req = createFakeHttpClientRequest(dstAddr, dstPort);
+      req.onSocket = (sock) => {
+        if (sock) resolve(sock);
+      };
+      this.agent.createSocket(
+        req,
+        {
+          host: dstAddr,
+          port: dstPort,
+        },
+        (err, sock) => {
+          // Ideally, we would always be using this callback for retrieving the `sock`
+          // instance. However, agent-base does not call the callback at all if
+          // the agent resolved to another agent (as is the case for e.g. `ProxyAgent`).
+          if (err) reject(err);
+          else if (sock) resolve(sock);
+        }
+      );
+    });
+
     if (!channel)
       throw new Error(`Could not create channel to ${dstAddr}:${dstPort}`);
     return channel;
@@ -231,15 +250,19 @@ class Socks5Server extends EventEmitter implements Tunnel {
 
       socket = accept(true);
       this.connections.add(socket);
-
-      socket.on('error', (err: ErrorWithOrigin) => {
+      const forwardingErrorHandler = (err: ErrorWithOrigin) => {
+        if (!socket?.writableEnded) socket?.end();
+        if (!channel?.writableEnded) channel?.end();
         err.origin ??= 'connection';
         this.logger.emit('socks5:forwarding-error', {
           ...logMetadata,
           error: String((err as Error).stack),
         });
         this.emit('forwardingError', err);
-      });
+      };
+
+      channel.on('error', forwardingErrorHandler);
+      socket.on('error', forwardingErrorHandler);
 
       socket.once('close', () => {
         this.logger.emit('socks5:forwarded-socket-closed', { ...logMetadata });
@@ -265,7 +288,7 @@ class Socks5Server extends EventEmitter implements Tunnel {
 export async function setupSocks5Tunnel(
   proxyOptions: DevtoolsProxyOptions | AgentWithInitialize,
   tunnelOptions?: Partial<TunnelOptions>,
-  target = 'mongodb://'
+  target?: string | undefined
 ): Promise<Tunnel | undefined> {
   const agent = useOrCreateAgent(proxyOptions, target);
   if (!agent) return undefined;

packages/devtools-proxy-support/src/ssh.spec.ts

@@ -0,0 +1,115 @@
+import { HTTPServerProxyTestSetup } from '../test/helpers';
+import { SSHAgent } from './ssh';
+import { createFetch } from './fetch';
+import { expect } from 'chai';
+import sinon from 'sinon';
+
+describe('SSHAgent', function () {
+  let setup: HTTPServerProxyTestSetup;
+  let agent: SSHAgent | undefined;
+
+  beforeEach(async function () {
+    setup = new HTTPServerProxyTestSetup();
+    await setup.listen();
+    agent = undefined;
+  });
+
+  afterEach(async function () {
+    await setup.teardown();
+    agent?.destroy();
+  });
+
+  it('allows establishing connections through an SSH server', async function () {
+    agent = new SSHAgent({
+      proxy: `ssh://[email protected]:${setup.sshProxyPort}/`,
+    });
+    const fetch = createFetch(agent);
+    const response = await fetch('http://example.com/hello');
+    expect(await response.text()).to.equal('OK /hello');
+  });
+
+  it('re-uses a single SSH connection if it can', async function () {
+    setup.authHandler = sinon.stub().returns(true);
+    agent = new SSHAgent({
+      proxy: `ssh://foo:[email protected]:${setup.sshProxyPort}/`,
+    });
+    const fetch = createFetch(agent);
+    await Promise.all([
+      fetch('http://example.com/hello'),
+      fetch('http://example.com/hello'),
+    ]);
+    expect(setup.authHandler).to.have.been.calledOnceWith('foo', 'bar');
+  });
+
+  it('allows explicitly initializing the connection', async function () {
+    setup.authHandler = sinon.stub().returns(true);
+    agent = new SSHAgent({
+      proxy: `ssh://foo:[email protected]:${setup.sshProxyPort}/`,
+    });
+    await agent.initialize();
+    await createFetch(agent)('http://example.com/hello');
+    expect(setup.authHandler).to.have.been.calledOnceWith('foo', 'bar');
+  });
+
+  it('automatically reconnects if a connection was broken', async function () {
+    setup.authHandler = sinon.stub().returns(true);
+    agent = new SSHAgent({
+      proxy: `ssh://foo:[email protected]:${setup.sshProxyPort}/`,
+    });
+    await agent.initialize();
+    const fetch = createFetch(agent);
+    await fetch('http://example.com/hello');
+    await agent.interruptForTesting();
+    await fetch('http://example.com/hello');
+    expect(setup.authHandler).to.have.been.calledTwice;
+  });
+
+  it('does not reconnect if the agent was intentionally closed', async function () {
+    setup.authHandler = sinon.stub().returns(true);
+    agent = new SSHAgent({
+      proxy: `ssh://foo:[email protected]:${setup.sshProxyPort}/`,
+    });
+    await agent.initialize();
+    const fetch = createFetch(agent);
+    await fetch('http://example.com/hello');
+    agent.destroy();
+    try {
+      await fetch('http://example.com/hello');
+      expect.fail('missed exception');
+    } catch (err) {
+      expect(err.message).to.include(
+        'request to http://example.com/hello failed, reason: Disconnected'
+      );
+    }
+    expect(setup.authHandler).to.have.been.calledOnce;
+  });
+
+  it('automatically retries the forwarding operation once (connection lost)', async function () {
+    setup.authHandler = sinon.stub().returns(true);
+    agent = new SSHAgent({
+      proxy: `ssh://foo:[email protected]:${setup.sshProxyPort}/`,
+    });
+    await agent.initialize();
+    await agent.interruptForTesting();
+    const fetch = createFetch(agent);
+    await fetch('http://example.com/hello');
+    expect(setup.authHandler).to.have.been.calledTwice;
+  });
+
+  it('automatically retries the forwarding operation once (tunnel failure)', async function () {
+    setup.authHandler = sinon.stub().returns(true);
+    setup.canTunnel = sinon
+      .stub()
+      .onFirstCall()
+      .returns(false)
+      .onSecondCall()
+      .returns(true);
+    agent = new SSHAgent({
+      proxy: `ssh://foo:[email protected]:${setup.sshProxyPort}/`,
+    });
+    const fetch = createFetch(agent);
+    await fetch('http://example.com/hello');
+    expect(setup.authHandler).to.have.been.calledTwice;
+    expect(setup.canTunnel).to.have.been.calledTwice;
+  });
+});

packages/devtools-proxy-support/src/ssh.ts

@@ -143,7 +143,9 @@ export class SSHAgent extends AgentBase implements AgentWithInitialize {
       }
       return sock;
     } catch (err: unknown) {
-      const retryableError = (err as Error).message === 'Not connected';
+      const retryableError = /Not connected|Channel open failure/.test(
+        (err as Error).message
+      );
       this.logger.emit('ssh:failed-forward', {
         host,
         error: String((err as Error).stack),
@@ -165,4 +167,9 @@ export class SSHAgent extends AgentBase implements AgentWithInitialize {
     this.closed = true;
     this.sshClient.end();
   }
+
+  async interruptForTesting(): Promise<void> {
+    this.sshClient.end();
+    await once(this.sshClient, 'close');
+  }
 }