59 changes: 59 additions & 0 deletions extensions/https_proxy.sh
@@ -0,0 +1,59 @@
#!/usr/bin/env bash

# squid must be configured to do ssl-bumping
# Also a self-signed cert with ca needs to be created
# the ca needs to be stored as "squid-self-signed.crt" in userpatches/

# to do
# check if https_proxy/HTTPS_PROXY are set and then if cert is available.

# HOST
# if a cert file is there copy into docker container or host machine and enable it
function post_family_config__prepare_host_for_https_proxy() {
if [ -f ${USERPATCHES_PATH}/squid-self-signed.crt ]; then
display_alert "Found cert file: ${USERPATCHES_PATH}/squid-self-signed.crt" "${EXTENSION}" "info"
run_host_command_logged mkdir -p /usr/share/ca-certificates/extra/
run_host_command_logged cp ${USERPATCHES_PATH}/squid-self-signed.crt /usr/share/ca-certificates/extra/squid-self-signed.crt
run_host_command_logged echo "extra/squid-self-signed.crt" >> /etc/ca-certificates.conf
run_host_command_logged update-ca-certificates
display_alert "Host/Docker prepared for https proxy" "${EXTENSION}" "info"
else
display_alert "Cert file not found" "${EXTENSION}" "error"
exit 1
fi
}
Comment on lines +12 to +24

🛠️ Refactor suggestion

Quote variables and ensure idempotent CA config on host
Unquoted ${USERPATCHES_PATH} can break on spaces; appending to /etc/ca-certificates.conf may duplicate entries on re-runs. Guard against duplicates and wrap paths in quotes.

 function post_family_config__prepare_host_for_https_proxy() {
-    if [ -f ${USERPATCHES_PATH}/squid-self-signed.crt ]; then
-        display_alert "Found cert file: ${USERPATCHES_PATH}/squid-self-signed.crt" "${EXTENSION}" "info"
-        run_host_command_logged mkdir -p /usr/share/ca-certificates/extra/
-        run_host_command_logged cp ${USERPATCHES_PATH}/squid-self-signed.crt /usr/share/ca-certificates/extra/squid-self-signed.crt
-        run_host_command_logged echo "extra/squid-self-signed.crt" >> /etc/ca-certificates.conf
-        run_host_command_logged update-ca-certificates
+    cert_host="${USERPATCHES_PATH}/squid-self-signed.crt"
+    if [[ -f "$cert_host" ]]; then
+        display_alert "Found cert file: $cert_host" "${EXTENSION}" "info"
+        run_host_command_logged mkdir -p "/usr/share/ca-certificates/extra/"
+        run_host_command_logged cp "$cert_host" "/usr/share/ca-certificates/extra/squid-self-signed.crt"
+        # Append only if not already present
+        if ! grep -Fxq "extra/squid-self-signed.crt" /etc/ca-certificates.conf; then
+            run_host_command_logged bash -c 'echo "extra/squid-self-signed.crt" >> /etc/ca-certificates.conf'
+        fi
+        run_host_command_logged update-ca-certificates
         display_alert "Host/Docker prepared for https proxy" "${EXTENSION}" "info"
     else
         display_alert "Cert file not found" "${EXTENSION}" "error"
         exit 1
     fi
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
function post_family_config__prepare_host_for_https_proxy() {
if [ -f ${USERPATCHES_PATH}/squid-self-signed.crt ]; then
display_alert "Found cert file: ${USERPATCHES_PATH}/squid-self-signed.crt" "${EXTENSION}" "info"
run_host_command_logged mkdir -p /usr/share/ca-certificates/extra/
run_host_command_logged cp ${USERPATCHES_PATH}/squid-self-signed.crt /usr/share/ca-certificates/extra/squid-self-signed.crt
run_host_command_logged echo "extra/squid-self-signed.crt" >> /etc/ca-certificates.conf
run_host_command_logged update-ca-certificates
display_alert "Host/Docker prepared for https proxy" "${EXTENSION}" "info"
else
display_alert "Cert file not found" "${EXTENSION}" "error"
exit 1
fi
}
function post_family_config__prepare_host_for_https_proxy() {
cert_host="${USERPATCHES_PATH}/squid-self-signed.crt"
if [[ -f "$cert_host" ]]; then
display_alert "Found cert file: $cert_host" "${EXTENSION}" "info"
run_host_command_logged mkdir -p "/usr/share/ca-certificates/extra/"
run_host_command_logged cp "$cert_host" "/usr/share/ca-certificates/extra/squid-self-signed.crt"
# Append only if not already present
if ! grep -Fxq "extra/squid-self-signed.crt" /etc/ca-certificates.conf; then
run_host_command_logged bash -c 'echo "extra/squid-self-signed.crt" >> /etc/ca-certificates.conf'
fi
run_host_command_logged update-ca-certificates
display_alert "Host/Docker prepared for https proxy" "${EXTENSION}" "info"
else
display_alert "Cert file not found" "${EXTENSION}" "error"
exit 1
fi
}
🤖 Prompt for AI Agents
In extensions/https_proxy.sh between lines 12 and 24, the variable
USERPATCHES_PATH is used without quotes, which can cause issues if the path
contains spaces. Also, appending the certificate path to
/etc/ca-certificates.conf without checking can lead to duplicate entries on
multiple runs. To fix this, wrap all instances of ${USERPATCHES_PATH} in double
quotes to handle spaces properly, and before appending the certificate path to
/etc/ca-certificates.conf, check if the entry already exists to avoid
duplicates.


# CHROOT
# Add cert into chroot before customization so customization won't fail on https downloads
function pre_customize_image__prepare_https_proxy_inside_chroot() {
display_alert "Found cert file" "${EXTENSION}" "info"
chroot_sdcard mkdir -p /usr/share/ca-certificates/extra/
run_host_command_logged cp ${USERPATCHES_PATH}/squid-self-signed.crt "${SDCARD}"/usr/share/ca-certificates/extra/squid-self-signed.crt
run_host_command_logged echo "extra/squid-self-signed.crt" >> "${SDCARD}"/etc/ca-certificates.conf
chroot_sdcard cat /etc/ca-certificates.conf
chroot_sdcard update-ca-certificates
}
Comment on lines +28 to +35

🛠️ Refactor suggestion

Unify chroot operations and properly quote paths
Mixing chroot_sdcard and run_host_command_logged for file edits complicates context. Use chroot_sdcard for all in-chroot manipulations, quote the chroot path, and remove the debugging cat call if not needed.

 function pre_customize_image__prepare_https_proxy_inside_chroot() {
-    display_alert "Found cert file" "${EXTENSION}" "info"
-    chroot_sdcard mkdir -p /usr/share/ca-certificates/extra/ 
-    run_host_command_logged cp ${USERPATCHES_PATH}/squid-self-signed.crt "${SDCARD}"/usr/share/ca-certificates/extra/squid-self-signed.crt
-    run_host_command_logged echo "extra/squid-self-signed.crt" >> "${SDCARD}"/etc/ca-certificates.conf
-    chroot_sdcard cat /etc/ca-certificates.conf
-    chroot_sdcard update-ca-certificates
+    display_alert "Preparing chroot for HTTPS proxy" "${EXTENSION}" "info"
+    # Ensure cert directory in chroot
+    chroot_sdcard mkdir -p /usr/share/ca-certificates/extra/
+    # Copy certificate into chroot
+    chroot_sdcard bash -c "cp /host${USERPATCHES_PATH}/squid-self-signed.crt /usr/share/ca-certificates/extra/"
+    # Append to ca-certificates.conf if missing
+    chroot_sdcard bash -c 'grep -Fxq "extra/squid-self-signed.crt" /etc/ca-certificates.conf || echo "extra/squid-self-signed.crt" >> /etc/ca-certificates.conf'
+    chroot_sdcard update-ca-certificates
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
function pre_customize_image__prepare_https_proxy_inside_chroot() {
display_alert "Found cert file" "${EXTENSION}" "info"
chroot_sdcard mkdir -p /usr/share/ca-certificates/extra/
run_host_command_logged cp ${USERPATCHES_PATH}/squid-self-signed.crt "${SDCARD}"/usr/share/ca-certificates/extra/squid-self-signed.crt
run_host_command_logged echo "extra/squid-self-signed.crt" >> "${SDCARD}"/etc/ca-certificates.conf
chroot_sdcard cat /etc/ca-certificates.conf
chroot_sdcard update-ca-certificates
}
function pre_customize_image__prepare_https_proxy_inside_chroot() {
display_alert "Preparing chroot for HTTPS proxy" "${EXTENSION}" "info"
# Ensure cert directory in chroot
chroot_sdcard mkdir -p /usr/share/ca-certificates/extra/
# Copy certificate into chroot
chroot_sdcard bash -c "cp /host${USERPATCHES_PATH}/squid-self-signed.crt /usr/share/ca-certificates/extra/"
# Append to ca-certificates.conf if missing
chroot_sdcard bash -c 'grep -Fxq "extra/squid-self-signed.crt" /etc/ca-certificates.conf || echo "extra/squid-self-signed.crt" >> /etc/ca-certificates.conf'
chroot_sdcard update-ca-certificates
}
🤖 Prompt for AI Agents
In extensions/https_proxy.sh around lines 28 to 35, unify all in-chroot file
operations by replacing run_host_command_logged calls with chroot_sdcard to
maintain consistent context. Properly quote all path variables used inside
chroot_sdcard to handle spaces or special characters safely. Also, remove the
chroot_sdcard cat command used for debugging if it is not necessary for the
final script.


# CHROOT
# Remove cert after "apt_lists_copy_from_host_to_image_and_update" has been executed
function pre_umount_final_image__unprepare_https_proxy_inside_chroot() {
chroot_sdcard rm /usr/share/ca-certificates/extra/squid-self-signed.crt
run_host_command_logged sed -i "'/extra\/squid-self-signed.crt/d'" "${SDCARD}/etc/ca-certificates.conf"
chroot_sdcard update-ca-certificates
}
Comment on lines +39 to +43

⚠️ Potential issue

Fix sed quoting and guard certificate removal inside chroot
The sed -i expression is currently quoted incorrectly and may not run. Remove the file only if it exists and correctly strip the entry.

 function pre_umount_final_image__unprepare_https_proxy_inside_chroot() {
-    chroot_sdcard rm /usr/share/ca-certificates/extra/squid-self-signed.crt
-    run_host_command_logged sed -i "'/extra\/squid-self-signed.crt/d'" "${SDCARD}/etc/ca-certificates.conf"
-    chroot_sdcard update-ca-certificates
+    # Remove certificate file if present
+    chroot_sdcard bash -c '[[ -f /usr/share/ca-certificates/extra/squid-self-signed.crt ]] && rm /usr/share/ca-certificates/extra/squid-self-signed.crt'
+    # Remove entry from conf
+    chroot_sdcard sed -i '/extra\/squid-self-signed.crt/d' /etc/ca-certificates.conf
+    chroot_sdcard update-ca-certificates
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
function pre_umount_final_image__unprepare_https_proxy_inside_chroot() {
chroot_sdcard rm /usr/share/ca-certificates/extra/squid-self-signed.crt
run_host_command_logged sed -i "'/extra\/squid-self-signed.crt/d'" "${SDCARD}/etc/ca-certificates.conf"
chroot_sdcard update-ca-certificates
}
function pre_umount_final_image__unprepare_https_proxy_inside_chroot() {
# Remove certificate file if present
chroot_sdcard bash -c '[[ -f /usr/share/ca-certificates/extra/squid-self-signed.crt ]] && rm /usr/share/ca-certificates/extra/squid-self-signed.crt'
# Remove entry from conf
chroot_sdcard sed -i '/extra\/squid-self-signed.crt/d' /etc/ca-certificates.conf
chroot_sdcard update-ca-certificates
}
🤖 Prompt for AI Agents
In extensions/https_proxy.sh around lines 39 to 43, fix the sed command by
correcting its quoting so the expression runs properly. Also, add a check to
remove the certificate file inside the chroot only if it exists, and ensure the
sed command correctly removes the certificate entry from the configuration file.


# HOST
# remove
#function post_umount_final_image__unprepare_host_for_https_proxy() {
# if [ -f /usr/share/ca-certificates/extra/squid-self-signed.crt ]; then
# display_alert "Found cert file: /usr/share/ca-certificates/extra/squid-self-signed.crt. Removing..." "${EXTENSION}" "info"
# run_host_command_logged rm /usr/share/ca-certificates/extra/squid-self-signed.crt
# run_host_command_logged sed -i "'/extra\/squid-self-signed.crt/d'" /etc/ca-certificates.conf
# run_host_command_logged update-ca-certificates
# display_alert "Host unprepared for https proxy" "${EXTENSION}" "info"
# else
# display_alert "Cert file not found" "${EXTENSION}" "error"
# exit 1
# fi
#}
# removing cert casuses log upload to fail
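Review bot: The host hook `post_family_config__prepare_host_for_https_proxy` adds the squid ssl-bump CA to the build host's system trust store, and the only code that would remove it again (`post_umount_final_image__unprepare_host_for_https_proxy`, at the end of the file) is commented out, so the host keeps trusting the interception CA after every build. Any holder of that CA's private key is then trusted for all TLS traffic on the host, not just traffic through the build proxy. The hook also runs whenever the cert file exists, even with no proxy configured; the file's own to-do asks for a guard, which could be the hook's first line: `[[ -n "${https_proxy:-}${HTTPS_PROXY:-}" ]] || return 0`. If host cleanup has to stay disabled because of the log upload, say so above the commented-out function, for example `# NOTE: the CA stays trusted on the build host after the run; remove it by hand or build in a disposable container`. Where the log upload runs relative to these hooks is not visible here, so a later hook that restores the trust store may still be possible.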