☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The devDependency fetch-mock was updated from 9.3.1 to 9.4.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fetch-mock is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Context:
A customer has an existing proxy server running at http://proxy.company.com:7070. The proxy requires authentication. A technical proxy user with a password has been setup where the user name contains a special character.

Example:
Username: domain\user
Password: test

The customer expects to use this technical proxy user to authenticate all outgoing calls, e.g. curl, aio, ...

curl:
curl supports all of the following proxy configurations (unescaped, url-encoded uppercase, url-encoded lowercase):

HTTPS_PROXY='http://domain\user:[email protected]:7070' curl -v https://cloudmanager.adobe.io/api/programs

HTTPS_PROXY='http://domain%5Cuser:[email protected]:7070' curl -v https://cloudmanager.adobe.io/api/programs

HTTPS_PROXY='http://domain%5cuser:[email protected]:7070' curl -v https://cloudmanager.adobe.io/api/programs

All three calls will authenticate at the proxy server, will reach the service endpoint and return "Oauth token is missing."

It shall be noted that the curl debug output (headers) indicates that (in all three cases) the special character \ is not URL-encoded anymore before it gets Base64-encoded:

...
Proxy auth using Basic with user 'domain\user'
Proxy-Authorization: Basic ZG9tYWluXHVzZXI6dGVzdA== 
...

(which after base64-decode is domain\user:test)

Expected Behaviour

It is expected that aio with proxy support works similar to tools like curl, i.e. the same proxy + user can be used with curl and with aio. This is unfortunately not the case.

Actual Behaviour

When trying to use the same proxy with aio, all requests fail:

HTTPS_PROXY='http://domain\user:[email protected]:7070' aio login -d
=> errors out due to a Node-specific URL decomposition issue (treats 'domain\user' as a path, not as a user name)

HTTPS_PROXY='http://domain%5Cuser:[email protected]:7070' aio login -d
=> errors out with a proxy authentication error (HTTP 407)

HTTPS_PROXY='http://domain%5cuser:[email protected]:7070' aio login -d
=> errors out with a proxy authentication error (HTTP 407)

While the first case cannot be fixed (here), the second and third case should work. The reason why the proxy authentication fails is that the username and password URL-encoding is not reversed before the proxy URL is converted to proxyOpts and passed to the respective proxy agent.

Reproduce Scenario (including but not limited to)

Steps to Reproduce

Setup a local proxy server (e.g. using docker ubuntu-squid) and define a user: 'domain\user' with password 'test'
In the example above, it is listening on port 7070 using the http protocol.

Setup aio:

nvm use 16.16.0                               

aio config:set ims.contexts.aio-cli-plugin-cloudmanager ~/config.json --file --json
aio config:set ims.contexts.aio-cli-plugin-cloudmanager.private_key ~/private.key --file
aio config:set cloudmanager_orgid A1…@AdobeOrg
aio config:set cloudmanager_programid 12345

aio auth ctx -s aio-cli-plugin-cloudmanager

Then run the scripts above: (curl and aio login -d) with the proxy configured

Platform and Version

Mac on MacOS 13.1
aio v9.1.1 with aio-lib-core-networking v3.0.0

aio info:

System:
    OS: macOS 13.1
    CPU: (10) arm64 Apple M1 Max
    Memory: 564.42 MB / 32.00 GB
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 16.16.0 - ~/.nvm/versions/node/v16.16.0/bin/node
    Yarn: Not Found
    npm: 8.11.0 - ~/.nvm/versions/node/v16.16.0/bin/npm
  Virtualization:
    Docker: 20.10.21 - /usr/local/bin/docker
  npmGlobalPackages:
    @adobe/aio-cli: 9.1.1

  Proxies:
    http: (not set)
    https: http://domain%5cuser:[email protected]:7070 (scheme mismatch)
  CLI plugins:
    core:
      @adobe/aio-cli 9.1.1
      @adobe/aio-cli-plugin-app 10.0.3
      @adobe/aio-cli-plugin-app-templates 1.5.1
      @adobe/aio-cli-plugin-auth 3.0.1
      @adobe/aio-cli-plugin-certificate 1.0.1
      @adobe/aio-cli-plugin-config 4.0.1
      @adobe/aio-cli-plugin-console 4.0.1
      @adobe/aio-cli-plugin-events 2.0.2
      @adobe/aio-cli-plugin-info 3.0.1
      @adobe/aio-cli-plugin-runtime 6.0.1
      @adobe/aio-cli-plugin-telemetry 1.1.0
      @oclif/plugin-autocomplete 1.3.8
      @oclif/plugin-help 5.1.20
      @oclif/plugin-not-found 2.3.11
      @oclif/plugin-plugins 2.1.9
      @oclif/plugin-warn-if-update-available 2.0.17
    user:
      @adobe/aio-cli-plugin-aem-rde 0.0.1-alpha.6
      @adobe/aio-cli-plugin-cloudmanager 4.0.0
    link:

Sample Code that illustrates the problem

Logs taken while reproducing problem

curl can access the service endpoint:
HTTPS_PROXY='http://domain%5Cuser:[email protected]:7070' curl https://cloudmanager.adobe.io/api/programs {"error_code":"403010","message":"Oauth token is missing."}

aio can't:
HTTPS_PROXY='http://domain%5Cuser:[email protected]:7070' aio login -d › Error: Cannot get token for context 'aio-cli-plugin-cloudmanager': 407 › (Proxy Authentication Required)

This bases whether to use HTTP/HTTPS proxy based on what the proxy protocol is, however this logic is wrong, it should be based on what the end point protocol is:

As a result, using an http proxy and connecting to an https endpoint causes the logic to pick HttpProxyAgent which then returns an error from the server as we are trying to connect to it via non HTTPS methods

We are locked to [email protected] because that version supports rejectUnauthorized=false.
See issue that was closed: TooTallNate/proxy-agents#89

Consider moving to: https://github.com/delvedor/hpagent

☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The devDependency @adobe/eslint-config-aio-lib-config was updated from 1.1.0 to 1.2.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

@adobe/eslint-config-aio-lib-config is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Related: adobe/aio-cli#224

Description

1. client: Base it off the fetch API. Pay particular attention to the needs of of swagger-client custom userFetch property: https://github.com/swagger-api/swagger-js/blob/dc84649dd63b7a3a0733b24f828753b070ee2832/docs/usage/http-client.md#custom-fetch This will automatically use our http.agent Proxy below
2. proxy: for adobe/aio-cli#224 - this can be used for example in the openwhisk library, where we can't specify our own client, but we can set the proxy/http.agent https://github.com/apache/openwhisk-client-js#constructor-options

Further Steps

All our aio libs, instead of using node-fetch or the global fetch, should use this implementation instead, and third-party libraries like swagger-client and others should use this custom fetch override. Similarly for openwhisk and the custom proxy