clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-06-01 19:02:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Address MITM CA trust review feedback

Browse Source
This commit is contained in:
Winston Howes
2026-05-27 13:53:19 -07:00
parent 8566da5226
commit d149f354b3
9 changed files with 74 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
codex-rs/network-proxy/src/certs.rs
View File

@@ -168,27 +168,34 @@ fn build_managed_ca_trust_bundle(
push_certificate_pem(&mut trust_bundle, cert.as_ref());
}
let mut custom_ca_paths = Vec::new();
let mut custom_ca_path: Option<PathBuf> = None;
for key in CUSTOM_CA_ENV_KEYS {
let Some(path) = env.get(key).filter(|path| !path.is_empty()) else {
continue;
};
let path = resolve_ca_bundle_path(path, cwd);
if path == managed_ca_cert_path
|| path == trust_bundle_path
|| custom_ca_paths.contains(&path)
{
if path == managed_ca_cert_path || path == trust_bundle_path {
continue;
}
custom_ca_paths.push(path);
}
for path in custom_ca_paths {
if let Err(err) = append_pem_file(&mut trust_bundle, &path) {
warn!(
path = %path.display(),
"failed to append inherited custom CA bundle; continuing without it: {err}"
);
if let Some(existing_path) = custom_ca_path.as_ref() {
if existing_path != &path {
return Err(anyhow!(
"cannot merge distinct inherited CA bundles for managed MITM trust: {} and {}",
existing_path.display(),
path.display()
));
}
continue;
}
custom_ca_path = Some(path);
}
if let Some(path) = custom_ca_path
&& let Err(err) = append_pem_file(&mut trust_bundle, &path)
{
warn!(
path = %path.display(),
"failed to append inherited custom CA bundle; continuing without it: {err}"
);
}
append_pem_file(&mut trust_bundle, managed_ca_cert_path)?;
Ok(trust_bundle)
@@ -544,6 +551,42 @@ mod tests {
assert!(trust_bundle.contains("managed ca"));
}
#[test]
fn build_managed_ca_trust_bundle_rejects_distinct_inherited_bundles() {
let dir = tempdir().unwrap();
let managed_ca_cert_path = dir.path().join("ca.pem");
let trust_bundle_path = dir.path().join("ca-bundle.pem");
let requests_bundle_path = dir.path().join("requests.pem");
let curl_bundle_path = dir.path().join("curl.pem");
fs::write(&managed_ca_cert_path, "managed ca\n").unwrap();
fs::write(&requests_bundle_path, "requests ca\n").unwrap();
fs::write(&curl_bundle_path, "curl ca\n").unwrap();
let env = HashMap::from([
(
"REQUESTS_CA_BUNDLE".to_string(),
requests_bundle_path.display().to_string(),
),
(
"CURL_CA_BUNDLE".to_string(),
curl_bundle_path.display().to_string(),
),
]);
let err = build_managed_ca_trust_bundle(
&managed_ca_cert_path,
&trust_bundle_path,
&env,
dir.path(),
)
.unwrap_err();
assert!(
err.to_string()
.contains("cannot merge distinct inherited CA bundles for managed MITM trust"),
"unexpected error: {err:#}"
);
}
#[test]
fn build_managed_ca_trust_bundle_resolves_relative_inherited_bundle_against_cwd() {
let dir = tempdir().unwrap();

17
codex-rs/network-proxy/src/proxy.rs
View File

@@ -622,21 +622,8 @@ impl NetworkProxy {
self.runtime_settings().mitm_ca_trust_bundle_path
}
pub fn apply_to_env(&self, env: &mut HashMap<String, String>, cwd: &Path) {
pub fn apply_to_env(&self, env: &mut HashMap<String, String>) {
let runtime_settings = self.runtime_settings();
// Fold command-level CA overrides into our replacement bundle before overwriting them.
let mitm_ca_trust_bundle_path =
runtime_settings
.mitm_ca_trust_bundle_path
.as_ref()
.map(|fallback_path| {
crate::certs::managed_ca_trust_bundle_path(env, cwd).unwrap_or_else(|err| {
warn!(
"failed to refresh managed MITM CA trust bundle from child env; using startup bundle: {err}"
);
fallback_path.clone()
})
});
// Enforce proxying for child processes. We intentionally override existing values so
// command-level environment cannot bypass the managed proxy endpoint.
apply_proxy_env_overrides(
@@ -645,7 +632,7 @@ impl NetworkProxy {
self.socks_addr,
self.socks_enabled,
runtime_settings.allow_local_binding,
mitm_ca_trust_bundle_path.as_deref(),
runtime_settings.mitm_ca_trust_bundle_path.as_deref(),
);
}