Adding HTTP(S) over HTTP(S) proxy support to add accounts. (#26137) (#26162)

lewis-sanchez · web-flow · commit 3e1c6f5aab39 · 2025-01-23T13:55:06.000-08:00
* Adjust axios proxy configuration

* Add logging around axios get request logic

* Minor clean up

* Fix conditional check

* Load environment proxy value

* Fix compilation error

* Review changes

* Add additional logging to tunnel logic with axios

* Remove unused import

* Set proxy false when proxy endpoint found

* Log when proxy endpoint is not found

* Improve log wording

* Prioritize workspace HTTP config before environment variables
diff --git a/extensions/azurecore/src/account-provider/auths/azureAuth.ts b/extensions/azurecore/src/account-provider/auths/azureAuth.ts
@@ -6,6 +6,9 @@
 import * as vscode from 'vscode';
 import * as azdata from 'azdata';
 import * as nls from 'vscode-nls';
+import * as tunnel from "tunnel";
+import * as http from "http";
+import * as https from "https";
 
 import {
 	AzureAccount,
@@ -26,13 +29,19 @@ import { errorToPromptFailedResult } from './networkUtils';
 import { MsalCachePluginProvider } from '../utils/msalCachePlugin';
 import { isErrorResponseBodyWithError } from '../../azureResource/utils';
 import axios, { AxiosResponse, AxiosRequestConfig } from 'axios';
+import { getProxyAgentOptions } from '../../proxy';
 const localize = nls.loadMessageBundle();
 
 export type GetTenantsResponseData = {
 	value: TenantResponse[];
 	error?: string;
 }
 
+interface ProxyAgent {
+	isHttps: boolean;
+	agent: http.Agent | https.Agent;
+}
+
 export abstract class AzureAuth implements vscode.Disposable {
 	protected readonly memdb = new MemoryDatabase<string>();
 	protected readonly loginEndpointUrl: string;
@@ -442,20 +451,138 @@ export abstract class AzureAuth implements vscode.Disposable {
 
 	//#region network functions
 
-	private async makeGetRequest<T>(url: string, token: string): Promise<AxiosResponse<T>> {
+	private async makeGetRequest<T>(requestUrl: string, token: string): Promise<AxiosResponse<T>> {
 		const config: AxiosRequestConfig = {
 			headers: {
 				'Content-Type': 'application/json',
-				'Authorization': `Bearer ${token}`
+				'Authorization': `Bearer ${token}`,
 			},
 			validateStatus: () => true // Never throw
 		};
 
-		const response: AxiosResponse = await axios.get<T>(url, config);
-		Logger.piiSanitized('GET request ', [{ name: 'response', objOrArray: response.data?.value as TenantResponse[] ?? response.data as GetTenantsResponseData }], [], url,);
+		const httpConfig = vscode.workspace.getConfiguration("http");
+		let proxy: string | undefined = httpConfig['proxy'] as string;
+		if (!proxy) {
+			Logger.verbose("Workspace HTTP config didn't contain a proxy endpoint. Checking environment variables.");
+
+			proxy = this.loadEnvironmentProxyValue();
+		}
+
+		if (proxy) {
+			Logger.verbose("Proxy endpoint found in environment variables or workspace configuration.");
+
+			// Turning off automatic proxy detection to avoid issues with tunneling agent by setting proxy to false.
+			// https://github.com/axios/axios/blob/bad6d8b97b52c0c15311c92dd596fc0bff122651/lib/adapters/http.js#L85
+			config.proxy = false;
+
+			const agent = this.createProxyAgent(requestUrl, proxy, httpConfig["proxyStrictSSL"]);
+			if (agent.isHttps) {
+				config.httpsAgent = agent.agent;
+			}
+			else {
+				config.httpAgent = agent.agent;
+			}
+
+			const HTTPS_PORT = 443;
+			const HTTP_PORT = 80;
+			const parsedRequestUrl = url.parse(requestUrl);
+			const port = parsedRequestUrl.protocol?.startsWith("https") ? HTTPS_PORT : HTTP_PORT;
+
+			// Request URL will include HTTPS port 443 ('https://management.azure.com:443/tenants?api-version=2019-11-01'), so
+			// that Axios doesn't try to reach this URL with HTTP port 80 on HTTP proxies, which result in an error. See https://github.com/axios/axios/issues/925
+			const requestUrlWithPort = `${parsedRequestUrl.protocol}//${parsedRequestUrl.hostname}:${port}${parsedRequestUrl.path}`;
+			const response: AxiosResponse = await axios.get<T>(requestUrlWithPort, config);
+			Logger.piiSanitized('GET request ', [{ name: 'response', objOrArray: response.data?.value as TenantResponse[] ?? response.data as GetTenantsResponseData }], [], requestUrl,);
+			return response;
+		}
+
+		Logger.verbose("No proxy endpoint was found in the HTTP_PROXY, HTTPS_PROXY environment variables or in the workspace HTTP configuration.");
+		const response: AxiosResponse = await axios.get<T>(requestUrl, config);
+		Logger.piiSanitized('GET request ', [{ name: 'response', objOrArray: response.data?.value as TenantResponse[] ?? response.data as GetTenantsResponseData }], [], requestUrl,);
 		return response;
 	}
 
+	private loadEnvironmentProxyValue(): string | undefined {
+		const HTTP_PROXY = "HTTP_PROXY";
+		const HTTPS_PROXY = "HTTPS_PROXY";
+
+		if (!process) {
+			Logger.verbose("No process object found, unable to read environment variables for proxy.");
+			return undefined;
+		}
+
+		if (process.env[HTTP_PROXY] || process.env[HTTP_PROXY.toLowerCase()]) {
+			Logger.verbose("Loading proxy value from HTTP_PROXY environment variable.");
+
+			return process.env[HTTP_PROXY] || process.env[HTTP_PROXY.toLowerCase()];
+		}
+		else if (process.env[HTTPS_PROXY] || process.env[HTTPS_PROXY.toLowerCase()]) {
+			Logger.verbose("Loading proxy value from HTTPS_PROXY environment variable.");
+
+			return process.env[HTTPS_PROXY] || process.env[HTTPS_PROXY.toLowerCase()];
+		}
+
+		Logger.verbose("No proxy value found in either HTTPS_PROXY or HTTP_PROXY environment variables.");
+
+		return undefined;
+	}
+
+	private createProxyAgent(requestUrl: string, proxy: string, proxyStrictSSL: boolean): ProxyAgent {
+		const agentOptions = getProxyAgentOptions(url.parse(requestUrl), proxy, proxyStrictSSL);
+		if (!agentOptions || !agentOptions.host || !agentOptions.port) {
+			Logger.verbose("Unable to read proxy agent options to create proxy agent.");
+			throw new Error("Unable to read proxy agent options to create proxy agent.");
+		}
+
+		let tunnelOptions: tunnel.HttpsOverHttpsOptions = {};
+		if (typeof agentOptions.auth === 'string' && agentOptions.auth) {
+			tunnelOptions = {
+				proxy: {
+					proxyAuth: agentOptions.auth,
+					host: agentOptions.host,
+					port: Number(agentOptions.port),
+				}
+			};
+		}
+		else {
+			tunnelOptions = {
+				proxy: {
+					host: agentOptions.host,
+					port: Number(agentOptions.port),
+
+				}
+			};
+		}
+
+		const isHttpsRequest = requestUrl.startsWith("https");
+		const isHttpsProxy = proxy.startsWith("https");
+		const proxyAgent = {
+			isHttps: isHttpsProxy,
+			agent: this.createTunnelingAgent(isHttpsRequest, isHttpsProxy, tunnelOptions),
+		} as ProxyAgent;
+
+		return proxyAgent;
+	}
+
+	private createTunnelingAgent(isHttpsRequest: boolean, isHttpsProxy: boolean, tunnelOptions: tunnel.HttpsOverHttpsOptions): http.Agent | https.Agent {
+		if (isHttpsRequest && isHttpsProxy) {
+			Logger.verbose("Creating https request over https proxy tunneling agent");
+			return tunnel.httpsOverHttps(tunnelOptions);
+		}
+		else if (isHttpsRequest && !isHttpsProxy) {
+			Logger.verbose("Creating https request over http proxy tunneling agent");
+			return tunnel.httpsOverHttp(tunnelOptions);
+		}
+		else if (!isHttpsRequest && isHttpsProxy) {
+			Logger.verbose("Creating http request over https proxy tunneling agent");
+			return tunnel.httpOverHttps(tunnelOptions);
+		}
+		else {
+			Logger.verbose("Creating http request over http proxy tunneling agent");
+			return tunnel.httpOverHttp(tunnelOptions);
+		}
+	}
+
 	//#endregion
 
 	//#region inconsequential
