feat(cli-repl): add experimental HTTP OIDC proxying capability MONGOSH-1779 (#1995)

addaleax · web-flow · commit fcc9bf481d9a · 2024-05-16T19:20:26.000+02:00
This is just an experiment, *not* a production-ready change with tests or
documentation, with the goal being to verify that an implementation of this
sort can satisfy specific customer needs.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/arg-parser/package.json b/packages/arg-parser/package.json
@@ -40,7 +40,7 @@
     "mongodb-connection-string-url": "^3.0.1"
   },
   "devDependencies": {
-    "@mongodb-js/devtools-connect": "^2.6.2",
+    "@mongodb-js/devtools-connect": "^2.6.3",
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
diff --git a/packages/cli-repl/package.json b/packages/cli-repl/package.json
@@ -87,6 +87,7 @@
     "mongodb-log-writer": "^1.4.2",
     "numeral": "^2.0.6",
     "pretty-repl": "^4.0.1",
+    "proxy-agent": "^6.4.0",
     "semver": "^7.5.4",
     "strip-ansi": "^6.0.0",
     "text-table": "^0.2.0",
diff --git a/packages/cli-repl/src/cli-repl.spec.ts b/packages/cli-repl/src/cli-repl.spec.ts
@@ -2447,7 +2447,10 @@ describe('CliRepl', function () {
       cliRepl = new CliRepl(cliReplOptions);
       await cliRepl.start('', {});
 
-      const o = await cliRepl.prepareOIDCOptions({} as any);
+      const o = await cliRepl.prepareOIDCOptions(
+        'mongodb://localhost/',
+        {} as any
+      );
       expect(o.oidc?.allowedFlows).to.deep.equal(['auth-code']);
       expect(o.oidc?.notifyDeviceFlow).to.be.a('function');
       expect(o.authMechanismProperties).to.deep.equal({});
@@ -2470,7 +2473,7 @@ describe('CliRepl', function () {
       let o: DevtoolsConnectOptions;
       process.env.MONGOSH_OIDC_PARENT_HANDLE = 'foo-bar';
       try {
-        o = await cliRepl.prepareOIDCOptions({} as any);
+        o = await cliRepl.prepareOIDCOptions('mongodb://localhost/', {} as any);
       } finally {
         delete process.env.MONGOSH_OIDC_PARENT_HANDLE;
       }
diff --git a/packages/cli-repl/src/cli-repl.ts b/packages/cli-repl/src/cli-repl.ts
@@ -360,7 +360,7 @@ export class CliRepl implements MongoshIOProvider {
       delete driverOptions.autoEncryption;
     }
 
-    driverOptions = await this.prepareOIDCOptions(driverOptions);
+    driverOptions = await this.prepareOIDCOptions(driverUri, driverOptions);
     markTime(TimingCategories.DriverSetup, 'prepared OIDC options');
 
     let initialServiceProvider;
@@ -1143,6 +1143,7 @@ export class CliRepl implements MongoshIOProvider {
 
   /** Adjust `driverOptionsIn` with OIDC-specific settings from this CLI instance. */
   async prepareOIDCOptions(
+    driverUri: string,
     driverOptionsIn: Readonly<DevtoolsConnectOptions>
   ): Promise<DevtoolsConnectOptions> {
     const driverOptions = {
@@ -1165,6 +1166,24 @@ export class CliRepl implements MongoshIOProvider {
           )}\nWaiting...\n`
       );
     };
+    if (process.env.MONGOSH_EXPERIMENTAL_OIDC_PROXY_SUPPORT) {
+      const ProxyAgent = (await import('proxy-agent')).ProxyAgent;
+      const tlsCAFile =
+        driverOptions.tlsCAFile ??
+        new ConnectionString(driverUri)
+          .typedSearchParams<DevtoolsConnectOptions>()
+          .get('tlsCAFile');
+      const ca = tlsCAFile ? await fs.readFile(tlsCAFile) : undefined;
+      driverOptions.oidc.customHttpOptions = (_url, opts) => {
+        if (ca && !opts.ca) {
+          opts = { ...opts, ca };
+        }
+        return {
+          ...opts,
+          agent: new ProxyAgent({ ...opts }),
+        };
+      };
+    }
 
     const [redirectURI, trustedEndpoints, browser] = await Promise.all([
       this.getConfig('oidcRedirectURI'),
diff --git a/packages/logging/package.json b/packages/logging/package.json
@@ -17,7 +17,7 @@
     "node": ">=14.15.1"
   },
   "dependencies": {
-    "@mongodb-js/devtools-connect": "^2.6.2",
+    "@mongodb-js/devtools-connect": "^2.6.3",
     "@mongosh/errors": "0.0.0-dev.0",
     "@mongosh/history": "0.0.0-dev.0",
     "@mongosh/types": "0.0.0-dev.0",
diff --git a/packages/service-provider-server/package.json b/packages/service-provider-server/package.json
@@ -47,7 +47,7 @@
     }
   },
   "dependencies": {
-    "@mongodb-js/devtools-connect": "^2.6.2",
+    "@mongodb-js/devtools-connect": "^2.6.3",
     "@mongodb-js/oidc-plugin": "^0.4.0",
     "@mongosh/errors": "0.0.0-dev.0",
     "@mongosh/service-provider-core": "0.0.0-dev.0",
diff --git a/packages/types/package.json b/packages/types/package.json
@@ -38,7 +38,7 @@
     "unitTestsOnly": true
   },
   "dependencies": {
-    "@mongodb-js/devtools-connect": "^2.6.2"
+    "@mongodb-js/devtools-connect": "^2.6.3"
   },
   "devDependencies": {
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@`
`47`	`47`	`}`
`48`	`48`	`},`
`49`	`49`	`"dependencies": {`
`50`		`- "@mongodb-js/devtools-connect": "^2.6.2",`
	`50`	`+ "@mongodb-js/devtools-connect": "^2.6.3",`
`51`	`51`	`"@mongodb-js/oidc-plugin": "^0.4.0",`
`52`	`52`	`"@mongosh/errors": "0.0.0-dev.0",`
`53`	`53`	`"@mongosh/service-provider-core": "0.0.0-dev.0",`