call check server identity from original agent

CHANGELOG.md

@@ -1,6 +1,9 @@
 # Change Log
 Notable changes will be documented here.
 
+## [0.32.1]
+- Call checkServerIdentity from original agent
+
 ## [0.32.0]
 - Check both system certificates settings for `fetch` ([microsoft/vscode-proxy-agent#66](https://github.com/microsoft/vscode-proxy-agent/pull/66))
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vscode/proxy-agent",
-  "version": "0.32.0",
+  "version": "0.32.1",
   "description": "NodeJS http(s) agent implementation for VS Code",
   "main": "out/index.js",
   "types": "out/index.d.ts",

src/index.ts

@@ -370,6 +370,8 @@ export function createHttpPatch(params: ProxyAgentParams, originals: typeof http
 			// If Agent.options.ca is set to undefined, it overwrites RequestOptions.ca.
 			const originalOptionsCa = isHttps ? (options as https.RequestOptions).ca : undefined;
 			const originalAgentCa = isHttps && originalAgent instanceof originals.Agent && (originalAgent as https.Agent).options && 'ca' in (originalAgent as https.Agent).options && (originalAgent as https.Agent).options.ca;
+			const originalAgentCheckServerIdentity = isHttps && originalAgent instanceof originals.Agent && (originalAgent as https.Agent).options && 'checkServerIdentity' in (originalAgent as https.Agent).options && (originalAgent as https.Agent).options.checkServerIdentity;
+			const originalCheckServerIdentity = originalAgentCheckServerIdentity !== false ? originalAgentCheckServerIdentity : undefined;
 			const originalCa = originalAgentCa !== false ? originalAgentCa : originalOptionsCa;
 			const addCertificatesV1 = !optionsPatched && params.addCertificatesV1() && isHttps && !originalCa;
 
@@ -396,6 +398,7 @@ export function createHttpPatch(params: ProxyAgentParams, originals: typeof http
 					originalAgent: (!useProxySettings || isLocalhost || config === 'fallback') ? originalAgent : undefined,
 					lookupProxyAuthorization: params.lookupProxyAuthorization,
 					// keepAlive: ((originalAgent || originals.globalAgent) as { keepAlive?: boolean }).keepAlive, // Skipping due to https://github.com/microsoft/vscode/issues/228872.
+					checkServerIdentity: (host, cert) => originalCheckServerIdentity?.(host, cert),
 					_vscodeTestReplaceCaCerts: (options as SecureContextOptionsPatch)._vscodeTestReplaceCaCerts,
 				}, opts => new Promise<void>(resolve => addCertificatesToOptionsV1(params, params.addCertificatesV1(), opts, resolve)));
 				agent.protocol = isHttps ? 'https:' : 'http:';

tests/test-client/src/direct.test.ts

@@ -320,4 +320,24 @@ describe('Direct client', function () {
 		assert.strictEqual(res.status, 200);
 		assert.strictEqual((await res.json()).status, 'OK HTTP2!');
 	});
+	it('should call original checkServerIdentity function', async function() {
+		const { resolveProxyWithRequest: resolveProxy } = vpa.createProxyResolver(directProxyAgentParamsV1);
+		const patchedHttps: typeof https = {
+			...https,
+			...vpa.createHttpPatch(directProxyAgentParamsV1, https, resolveProxy),
+		} as any;
+		try {
+			const res = await testRequest(patchedHttps, {
+				hostname: 'test-https-server',
+				path: '/test-path',
+				ca,
+				agent:  new https.Agent({
+					checkServerIdentity: () => new Error("Certificate pinning failed"),
+				}),
+			});
+			assert.fail('Expected to fail with ertificate pinning failed');
+		} catch (err: any) {
+			assert.strictEqual(err?.message, 'Certificate pinning failed');
+		}
+	})
 });