From 2edafb12f57645301f54cf3ed81343f90674ea07 Mon Sep 17 00:00:00 2001 From: Vasilii Sorokin Date: Thu, 17 Apr 2025 14:16:37 +0300 Subject: [PATCH] call check server identity --- CHANGELOG.md | 3 +++ package-lock.json | 4 ++-- package.json | 2 +- src/index.ts | 3 +++ tests/test-client/src/direct.test.ts | 20 ++++++++++++++++++++ 5 files changed, 29 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 57cf272..75d1e2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # Change Log Notable changes will be documented here. +## [0.32.1] +- Call checkServerIdentity from original agent + ## [0.32.0] - Check both system certificates settings for `fetch` ([microsoft/vscode-proxy-agent#66](https://github.com/microsoft/vscode-proxy-agent/pull/66)) diff --git a/package-lock.json b/package-lock.json index d2ea474..5531f7e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@vscode/proxy-agent", - "version": "0.31.0", + "version": "0.32.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "@vscode/proxy-agent", - "version": "0.31.0", + "version": "0.32.0", "license": "MIT", "dependencies": { "@tootallnate/once": "^3.0.0", diff --git a/package.json b/package.json index 1309562..d84815c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@vscode/proxy-agent", - "version": "0.32.0", + "version": "0.32.1", "description": "NodeJS http(s) agent implementation for VS Code", "main": "out/index.js", "types": "out/index.d.ts", diff --git a/src/index.ts b/src/index.ts index 8f3af48..658f7f2 100644 --- a/src/index.ts +++ b/src/index.ts 
@@ -370,6 +370,8 @@ export function createHttpPatch(params: ProxyAgentParams, originals: typeof http
 // If Agent.options.ca is set to undefined, it overwrites RequestOptions.ca.
 const originalOptionsCa = isHttps ? (options as https.RequestOptions).ca : undefined;
 const originalAgentCa = isHttps && originalAgent instanceof originals.Agent && (originalAgent as https.Agent).options && 'ca' in (originalAgent as https.Agent).options && (originalAgent as https.Agent).options.ca;
+ const originalAgentCheckServerIdentity = isHttps && originalAgent instanceof originals.Agent && (originalAgent as https.Agent).options && 'checkServerIdentity' in (originalAgent as https.Agent).options && (originalAgent as https.Agent).options.checkServerIdentity;
+ const originalCheckServerIdentity = originalAgentCheckServerIdentity !== false ? originalAgentCheckServerIdentity : undefined;
 const originalCa = originalAgentCa !== false ? originalAgentCa : originalOptionsCa;
 const addCertificatesV1 = !optionsPatched && params.addCertificatesV1() && isHttps && !originalCa;
@@ -396,6 +398,7 @@ export function createHttpPatch(params: ProxyAgentParams, originals: typeof http
 originalAgent: (!useProxySettings || isLocalhost || config === 'fallback') ? originalAgent : undefined,
 lookupProxyAuthorization: params.lookupProxyAuthorization,
 // keepAlive: ((originalAgent || originals.globalAgent) as { keepAlive?: boolean }).keepAlive, // Skipping due to https://github.com/microsoft/vscode/issues/228872.
+ checkServerIdentity: (host, cert) => originalCheckServerIdentity?.(host, cert),
 _vscodeTestReplaceCaCerts: (options as SecureContextOptionsPatch)._vscodeTestReplaceCaCerts,
 }, opts => new Promise(resolve => addCertificatesToOptionsV1(params, params.addCertificatesV1(), opts, resolve)));
 agent.protocol = isHttps ? 'https:' : 'http:';
diff --git a/tests/test-client/src/direct.test.ts b/tests/test-client/src/direct.test.ts
index f460bc9..b2b8faa 100644
--- a/tests/test-client/src/direct.test.ts
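Review bot: `originalCheckServerIdentity` is read only from the original agent's options, so a `checkServerIdentity` passed in the request options is never consulted, whereas `ca` on the following line falls back to `originalOptionsCa`. The existing comment about `ca` suggests agent-level options win over request options, so a per-request pinning callback may be dropped silently once an agent-level value is set later in this function. Consider mirroring the `ca` handling: `const originalCheckServerIdentity = originalAgentCheckServerIdentity !== false ? originalAgentCheckServerIdentity : (isHttps ? (options as https.RequestOptions).checkServerIdentity : undefined);`. The enclosing function starts and ends outside the hunk, so how `options` is forwarded to the new agent should be confirmed.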
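Review bot: The wrapper `(host, cert) => originalCheckServerIdentity?.(host, cert)` is installed on every agent, and when the original agent supplies no callback it returns `undefined`, which Node's TLS layer reads as "identity verified". A caller-supplied `checkServerIdentity` replaces the default `tls.checkServerIdentity`, so if this option reaches the TLS connect call as written, hostname verification would be skipped for every HTTPS request that does not pin. Set the key only when there is a callback to forward, for example `...(originalCheckServerIdentity ? { checkServerIdentity: originalCheckServerIdentity } : {}),`, so the default check stays in force otherwise; omitting the key rather than passing `undefined` also avoids the overwrite problem the `ca` comment describes. The object literal and the enclosing function start outside the hunk, so the option's path to the socket is inferred here.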
+++ b/tests/test-client/src/direct.test.ts
@@ -320,4 +320,24 @@ describe('Direct client', function () {
 assert.strictEqual(res.status, 200);
 assert.strictEqual((await res.json()).status, 'OK HTTP2!');
 });
+ it('should call original checkServerIdentity function', async function() {
+ const { resolveProxyWithRequest: resolveProxy } = vpa.createProxyResolver(directProxyAgentParamsV1);
+ const patchedHttps: typeof https = {
+ ...https,
+ ...vpa.createHttpPatch(directProxyAgentParamsV1, https, resolveProxy),
+ } as any;
+ try {
+ const res = await testRequest(patchedHttps, {
+ hostname: 'test-https-server',
+ path: '/test-path',
+ ca,
+ agent: new https.Agent({
+ checkServerIdentity: () => new Error("Certificate pinning failed"),
+ }),
+ });
+ assert.fail('Expected to fail with ertificate pinning failed');
+ } catch (err: any) {
+ assert.strictEqual(err?.message, 'Certificate pinning failed');
+ }
+ })
 });
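Review bot: The added test exercises only the case where the caller supplies a failing `checkServerIdentity`; nothing asserts that a request without a custom callback still rejects a certificate whose name does not match the host. Because the patch installs a wrapper on every agent, a companion test for that default path would guard against hostname verification being weakened. Separately, `assert.fail(...)` sits inside the `try`, so its AssertionError is caught and surfaces only as a message mismatch; `await assert.rejects(testRequest(patchedHttps, { ... }), { message: 'Certificate pinning failed' })` states the expectation directly, drops the unused `res`, and removes the message containing the `ertificate` typo.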