Clean up MITM CA env wiring

2026-05-29 23:40:29 +00:00 · 2026-05-26 13:18:18 -07:00
parent 13e783f35b
commit 672045c2f0
3 changed files with 30 additions and 42 deletions
--- a/codex-rs/app-server/src/config/external_agent_config.rs
+++ b/codex-rs/app-server/src/config/external_agent_config.rs
@@ -1491,11 +1491,10 @@ fn json_object_to_env_toml_table(
    object: &serde_json::Map<String, JsonValue>,
 ) -> toml::map::Map<String, TomlValue> {
    let mut table = toml::map::Map::new();
-    for (key, value) in object
-        .iter()
-        .filter_map(|(key, value)| json_env_value_to_string(value).map(|value| (key, value)))
-    {
-        table.insert(key.clone(), TomlValue::String(value));
+    for (key, value) in object {
+        if let Some(value) = json_env_value_to_string(value) {
+            table.insert(key.clone(), TomlValue::String(value));
+        }
    }
    table
 }
--- a/codex-rs/network-proxy/src/certs.rs
+++ b/codex-rs/network-proxy/src/certs.rs
@@ -100,7 +100,9 @@ const MANAGED_MITM_CA_CERT: &str = "ca.pem";
 const MANAGED_MITM_CA_KEY: &str = "ca.key";
 const MANAGED_MITM_CA_TRUST_BUNDLE: &str = "ca-bundle.pem";

-const CUSTOM_CA_ENV_KEYS: &[&str] = &[
+// Best-effort compatibility set for common child toolchains that accept a CA bundle path.
+// This is intentionally curated rather than pretending to cover every TLS client.
+pub(crate) const CUSTOM_CA_ENV_KEYS: [&str; 10] = [
    "CODEX_CA_CERTIFICATE",
    "SSL_CERT_FILE",
    "REQUESTS_CA_BUNDLE",
@@ -163,7 +165,7 @@ fn build_managed_ca_trust_bundle(

    let mut custom_ca_paths = Vec::new();
    for key in CUSTOM_CA_ENV_KEYS {
-        let Some(path) = env.get(*key).filter(|path| !path.is_empty()) else {
+        let Some(path) = env.get(key).filter(|path| !path.is_empty()) else {
            continue;
        };
        let path = PathBuf::from(path);
--- a/codex-rs/network-proxy/src/proxy.rs
+++ b/codex-rs/network-proxy/src/proxy.rs
@@ -378,7 +378,7 @@ const ELECTRON_GET_USE_PROXY_ENV_KEY: &str = "ELECTRON_GET_USE_PROXY";
 const NODE_USE_ENV_PROXY_ENV_KEY: &str = "NODE_USE_ENV_PROXY";
 #[cfg(any(target_os = "macos", test))]
 const GIT_SSH_COMMAND_ENV_KEY: &str = "GIT_SSH_COMMAND";
-pub const PROXY_ENV_KEYS: &[&str] = &[
+const BASE_PROXY_ENV_KEYS: [&str; 35] = [
    PROXY_ACTIVE_ENV_KEY,
    ALLOW_LOCAL_BINDING_ENV_KEY,
    ELECTRON_GET_USE_PROXY_ENV_KEY,
@@ -414,17 +414,8 @@ pub const PROXY_ENV_KEYS: &[&str] = &[
    "all_proxy",
    "FTP_PROXY",
    "ftp_proxy",
-    "CODEX_CA_CERTIFICATE",
-    "SSL_CERT_FILE",
-    "REQUESTS_CA_BUNDLE",
-    "CURL_CA_BUNDLE",
-    "NODE_EXTRA_CA_CERTS",
-    "GIT_SSL_CAINFO",
-    "PIP_CERT",
-    "BUNDLE_SSL_CA_CERT",
-    "npm_config_cafile",
-    "NPM_CONFIG_CAFILE",
 ];
+pub const PROXY_ENV_KEYS: &[&str] = &concat_proxy_env_keys();

 #[cfg(target_os = "macos")]
 pub const PROXY_GIT_SSH_COMMAND_ENV_KEY: &str = GIT_SSH_COMMAND_ENV_KEY;
@@ -479,6 +470,24 @@ fn set_env_keys(env: &mut HashMap<String, String>, keys: &[&str], value: &str) {
    }
 }

+const fn concat_proxy_env_keys()
+-> [&'static str; BASE_PROXY_ENV_KEYS.len() + crate::certs::CUSTOM_CA_ENV_KEYS.len()] {
+    let mut keys = [""; BASE_PROXY_ENV_KEYS.len() + crate::certs::CUSTOM_CA_ENV_KEYS.len()];
+    let mut index = 0;
+    while index < BASE_PROXY_ENV_KEYS.len() {
+        keys[index] = BASE_PROXY_ENV_KEYS[index];
+        index += 1;
+    }
+
+    let mut custom_ca_index = 0;
+    while custom_ca_index < crate::certs::CUSTOM_CA_ENV_KEYS.len() {
+        keys[index + custom_ca_index] = crate::certs::CUSTOM_CA_ENV_KEYS[custom_ca_index];
+        custom_ca_index += 1;
+    }
+
+    keys
+}
+
 #[cfg(target_os = "macos")]
 fn codex_proxy_git_ssh_command(socks_addr: SocketAddr) -> String {
    format!("{CODEX_PROXY_GIT_SSH_COMMAND_PREFIX}{socks_addr}{CODEX_PROXY_GIT_SSH_COMMAND_SUFFIX}")
@@ -581,18 +590,7 @@ fn apply_proxy_env_overrides(
        let mitm_ca_trust_bundle_path = mitm_ca_trust_bundle_path.to_string_lossy();
        set_env_keys(
            env,
-            &[
-                "CODEX_CA_CERTIFICATE",
-                "SSL_CERT_FILE",
-                "REQUESTS_CA_BUNDLE",
-                "CURL_CA_BUNDLE",
-                "NODE_EXTRA_CA_CERTS",
-                "GIT_SSL_CAINFO",
-                "PIP_CERT",
-                "BUNDLE_SSL_CA_CERT",
-                "npm_config_cafile",
-                "NPM_CONFIG_CAFILE",
-            ],
+            &crate::certs::CUSTOM_CA_ENV_KEYS,
            &mitm_ca_trust_bundle_path,
        );
    }
@@ -1110,18 +1108,7 @@ mod tests {
            Some(mitm_ca_trust_bundle_path),
        );

-        for key in [
-            "CODEX_CA_CERTIFICATE",
-            "SSL_CERT_FILE",
-            "REQUESTS_CA_BUNDLE",
-            "CURL_CA_BUNDLE",
-            "NODE_EXTRA_CA_CERTS",
-            "GIT_SSL_CAINFO",
-            "PIP_CERT",
-            "BUNDLE_SSL_CA_CERT",
-            "npm_config_cafile",
-            "NPM_CONFIG_CAFILE",
-        ] {
+        for key in crate::certs::CUSTOM_CA_ENV_KEYS {
            assert_eq!(
                env.get(key),
                Some(&mitm_ca_trust_bundle_path.display().to_string())