infrahub-sdk 0.0.7 → 0.0.8

package/README.md

@@ -39,11 +39,25 @@ const usersData = await client.executeGraphQL(listDevices);
 
 ## TLS/SSL Configuration
 
-When connecting to Infrahub instances with custom or self-signed certificates, you can configure TLS options:
+When connecting to Infrahub instances with custom, self-signed, or expired certificates, you can configure TLS options:
+
+### Handling Certificate Errors
+
+If you encounter certificate errors such as:
+- `certificate has expired`
+- `self-signed certificate`
+- `unable to verify the first certificate`
+- `UNABLE_TO_VERIFY_LEAF_SIGNATURE`
+
+You can resolve these by configuring the TLS options as shown below.
 
 ### Disable Certificate Verification (for development/testing)
 
+This is the recommended approach for handling expired certificates in development/testing environments:
+
 ```typescript
+import { InfrahubClient, InfrahubClientOptions } from 'infrahub-sdk';
+
 const options: InfrahubClientOptions = {
   address: "https://infrahub.example.com",
   token: "your-api-token",
@@ -55,7 +69,22 @@ const options: InfrahubClientOptions = {
 const client = new InfrahubClient(options);
 ```
 
-**Warning**: Disabling certificate verification is not recommended for production environments as it makes your connection vulnerable to man-in-the-middle attacks.
+**Important Notes:**
+- Setting `rejectUnauthorized: false` disables ALL certificate validation
+- This bypasses checks for expired, self-signed, and invalid certificates
+- **Warning**: Never use this in production environments as it makes your connection vulnerable to man-in-the-middle attacks
+- Only use this for development, testing, or when connecting to trusted internal servers
+
+**Example:** See [examples/expired-certificate-example.ts](examples/expired-certificate-example.ts) for a complete working example.
+
+### Troubleshooting
+
+If you're still experiencing certificate errors after setting `rejectUnauthorized: false`:
+
+1. **Verify the configuration is being applied**: Make sure you're creating the client with the TLS options
+2. **Check for multiple client instances**: Ensure all instances use the same TLS configuration
+3. **Network/Proxy Issues**: If you're behind a proxy, you may need additional configuration
+4. **Node.js Version**: Ensure you're using Node.js 14 or later
 
 ### Use Custom CA Certificate
 

package/dist/index.d.ts

@@ -17,10 +17,14 @@ export interface TLSConfig {
     /**
      * If true, the server certificate is verified against the list of supplied CAs.
      * Set to false to disable certificate verification (not recommended for production).
+     *
+     * Note: Setting this to false will bypass all certificate validation, including
+     * expired certificates, self-signed certificates, and hostname mismatches.
      */
     rejectUnauthorized?: boolean;
     /**
      * Optional CA certificates to trust. Can be a string or Buffer containing the certificate(s).
+     * Use this when connecting to servers with custom or self-signed certificates.
      */
     ca?: string | Buffer | Array<string | Buffer>;
     /**
@@ -38,7 +42,15 @@ export interface InfrahubClientOptions {
     branch?: string;
     /**
      * TLS/SSL configuration options for HTTPS connections.
-     * Use this to handle custom certificates or disable certificate verification.
+     * Use this to handle custom certificates, expired certificates, or disable certificate verification.
+     *
+     * @example
+     * // Disable certificate verification (development only)
+     * { tls: { rejectUnauthorized: false } }
+     *
+     * @example
+     * // Use custom CA certificate
+     * { tls: { ca: fs.readFileSync('/path/to/ca.pem') } }
      */
     tls?: TLSConfig;
 }

package/dist/index.js

@@ -37,14 +37,26 @@ class InfrahubClient {
         // Create custom fetch with TLS options if provided
         let customFetch = node_fetch_1.default;
         if (options.tls) {
-            const httpsAgent = new https_1.default.Agent({
-                rejectUnauthorized: options.tls.rejectUnauthorized,
-                ca: options.tls.ca,
-                cert: options.tls.cert,
-                key: options.tls.key
-            });
+            // Build agent options, ensuring rejectUnauthorized is explicitly set if provided
+            const agentOptions = {};
+            if (options.tls.rejectUnauthorized !== undefined) {
+                agentOptions.rejectUnauthorized = options.tls.rejectUnauthorized;
+            }
+            if (options.tls.ca !== undefined) {
+                agentOptions.ca = options.tls.ca;
+            }
+            if (options.tls.cert !== undefined) {
+                agentOptions.cert = options.tls.cert;
+            }
+            if (options.tls.key !== undefined) {
+                agentOptions.key = options.tls.key;
+            }
+            const httpsAgent = new https_1.default.Agent(agentOptions);
             customFetch = ((url, opts = {}) => {
-                return (0, node_fetch_1.default)(url, { ...opts, agent: httpsAgent });
+                // Ensure agent is passed for HTTPS URLs
+                // node-fetch v2 requires the agent to be explicitly set
+                const fetchOptions = { ...opts, agent: httpsAgent };
+                return (0, node_fetch_1.default)(url, fetchOptions);
             });
         }
         // Initialize the openapi-fetch client with TLS configuration
@@ -128,6 +140,45 @@ class InfrahubClient {
             return await this.graphqlClient.request(query, variables);
         }
         catch (error) {
+            // Check if this is a certificate error and provide helpful guidance
+            if (error instanceof Error) {
+                const errorMessage = error.message.toLowerCase();
+                const isCertError = errorMessage.includes('certificate') ||
+                    errorMessage.includes('cert') ||
+                    errorMessage.includes('ssl') ||
+                    errorMessage.includes('tls');
+                const isExpired = errorMessage.includes('expired');
+                const isSelfSigned = errorMessage.includes('self-signed') || errorMessage.includes('self signed');
+                const isUnauthorized = errorMessage.includes('unauthorized');
+                if (isCertError && (isExpired || isSelfSigned || isUnauthorized)) {
+                    const helpMessage = [
+                        '',
+                        'Certificate validation failed. To resolve this issue, you can configure TLS options:',
+                        '',
+                        '1. Disable certificate verification (for development/testing only):',
+                        '   const client = new InfrahubClient({',
+                        '     address: "your-address",',
+                        '     token: "your-token",',
+                        '     tls: { rejectUnauthorized: false }',
+                        '   });',
+                        '',
+                        '2. Or provide a custom CA certificate (requires: import fs from "fs"):',
+                        '   const client = new InfrahubClient({',
+                        '     address: "your-address",',
+                        '     token: "your-token",',
+                        '     tls: { ca: fs.readFileSync("/path/to/ca-cert.pem") }',
+                        '   });',
+                        '',
+                        'See the README.md for more TLS configuration options.',
+                        ''
+                    ].join('\n');
+                    console.error(helpMessage);
+                    // Create a new error with helpful message appended
+                    const enhancedError = new Error(`${error.message}\n${helpMessage}`);
+                    enhancedError.stack = error.stack;
+                    throw enhancedError;
+                }
+            }
             console.error('Error executing GraphQL query:', error);
             throw error;
         }

package/dist/index.test.js

@@ -38,6 +38,50 @@ const globals_1 = require("@jest/globals");
         await (0, globals_1.expect)(client.executeGraphQL('{ test }')).rejects.toThrow('GraphQL error');
         consoleErrorSpy.mockRestore();
     });
+    (0, globals_1.it)('should provide helpful error message for certificate errors', async () => {
+        const mockRequest = globals_1.jest
+            .fn()
+            .mockImplementation(() => Promise.reject(new Error('request failed, reason: certificate has expired')));
+        client.graphqlClient.request = mockRequest;
+        const consoleErrorSpy = globals_1.jest
+            .spyOn(console, 'error')
+            .mockImplementation(() => { });
+        try {
+            await client.executeGraphQL('{ test }');
+            (0, globals_1.expect)(true).toBe(false); // Should not reach here
+        }
+        catch (error) {
+            (0, globals_1.expect)(error).toBeInstanceOf(Error);
+            if (error instanceof Error) {
+                (0, globals_1.expect)(error.message).toContain('certificate has expired');
+                (0, globals_1.expect)(error.message).toContain('Certificate validation failed');
+                (0, globals_1.expect)(error.message).toContain('rejectUnauthorized: false');
+            }
+        }
+        consoleErrorSpy.mockRestore();
+    });
+    (0, globals_1.it)('should provide helpful error message for self-signed certificate errors', async () => {
+        const mockRequest = globals_1.jest
+            .fn()
+            .mockImplementation(() => Promise.reject(new Error('request failed, reason: self-signed certificate')));
+        client.graphqlClient.request = mockRequest;
+        const consoleErrorSpy = globals_1.jest
+            .spyOn(console, 'error')
+            .mockImplementation(() => { });
+        try {
+            await client.executeGraphQL('{ test }');
+            (0, globals_1.expect)(true).toBe(false); // Should not reach here
+        }
+        catch (error) {
+            (0, globals_1.expect)(error).toBeInstanceOf(Error);
+            if (error instanceof Error) {
+                (0, globals_1.expect)(error.message).toContain('self-signed certificate');
+                (0, globals_1.expect)(error.message).toContain('Certificate validation failed');
+                (0, globals_1.expect)(error.message).toContain('tls: { rejectUnauthorized: false }');
+            }
+        }
+        consoleErrorSpy.mockRestore();
+    });
     (0, globals_1.it)('should initialize rest client with baseUrl', () => {
         (0, globals_1.expect)(client.rest).toBeDefined();
     });
@@ -72,6 +116,22 @@ const globals_1 = require("@jest/globals");
             (0, globals_1.expect)(tlsClient).toBeDefined();
             (0, globals_1.expect)(tlsClient.graphqlClient).toBeInstanceOf(graphql_request_1.GraphQLClient);
         });
+        (0, globals_1.it)('should create agent with rejectUnauthorized: false when explicitly set', () => {
+            const https = require('https');
+            const createAgentSpy = globals_1.jest.spyOn(https, 'Agent');
+            const options = {
+                address: baseURL,
+                token: token,
+                tls: {
+                    rejectUnauthorized: false
+                }
+            };
+            const tlsClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(createAgentSpy).toHaveBeenCalled();
+            const agentOptions = createAgentSpy.mock.calls[createAgentSpy.mock.calls.length - 1][0];
+            (0, globals_1.expect)(agentOptions.rejectUnauthorized).toBe(false);
+            createAgentSpy.mockRestore();
+        });
         (0, globals_1.it)('should accept TLS configuration with custom CA certificate', () => {
             const options = {
                 address: baseURL,

package/examples/expired-certificate-example.ts

@@ -0,0 +1,36 @@
+// Example: Connecting to Infrahub with an expired or self-signed certificate
+import { InfrahubClient, InfrahubClientOptions } from 'infrahub-sdk';
+import fs from 'fs';
+
+// Option 1: Disable certificate verification (for development/testing only)
+// This will bypass ALL certificate validation including expired certificates
+const clientWithoutVerification = new InfrahubClient({
+  address: 'https://your-infrahub-server.com',
+  token: 'your-api-token',
+  tls: {
+    rejectUnauthorized: false
+  }
+});
+
+// Test the connection
+async function testConnection() {
+  try {
+    const version = await clientWithoutVerification.getVersion();
+    console.log('Successfully connected! Infrahub version:', version);
+  } catch (error) {
+    console.error('Connection failed:', error);
+  }
+}
+
+testConnection();
+
+// Option 2: Use a custom CA certificate (production-friendly approach)
+// Uncomment the following to use a custom CA certificate instead:
+//
+// const clientWithCustomCA = new InfrahubClient({
+//   address: 'https://your-infrahub-server.com',
+//   token: 'your-api-token',
+//   tls: {
+//     ca: fs.readFileSync('/path/to/your/ca-certificate.pem')
+//   }
+// });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "infrahub-sdk",
-  "version": "0.0.7",
+  "version": "0.0.8",
   "description": "A client SDK for the Infrahub API.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/index.test.ts

@@ -45,6 +45,58 @@ describe('InfrahubClient', () => {
     consoleErrorSpy.mockRestore();
   });
 
+  it('should provide helpful error message for certificate errors', async () => {
+    const mockRequest = jest
+      .fn()
+      .mockImplementation(() => 
+        Promise.reject(new Error('request failed, reason: certificate has expired'))
+      );
+    (client as any).graphqlClient.request = mockRequest;
+    const consoleErrorSpy = jest
+      .spyOn(console, 'error')
+      .mockImplementation(() => {});
+    
+    try {
+      await client.executeGraphQL('{ test }');
+      expect(true).toBe(false); // Should not reach here
+    } catch (error) {
+      expect(error).toBeInstanceOf(Error);
+      if (error instanceof Error) {
+        expect(error.message).toContain('certificate has expired');
+        expect(error.message).toContain('Certificate validation failed');
+        expect(error.message).toContain('rejectUnauthorized: false');
+      }
+    }
+    
+    consoleErrorSpy.mockRestore();
+  });
+
+  it('should provide helpful error message for self-signed certificate errors', async () => {
+    const mockRequest = jest
+      .fn()
+      .mockImplementation(() => 
+        Promise.reject(new Error('request failed, reason: self-signed certificate'))
+      );
+    (client as any).graphqlClient.request = mockRequest;
+    const consoleErrorSpy = jest
+      .spyOn(console, 'error')
+      .mockImplementation(() => {});
+    
+    try {
+      await client.executeGraphQL('{ test }');
+      expect(true).toBe(false); // Should not reach here
+    } catch (error) {
+      expect(error).toBeInstanceOf(Error);
+      if (error instanceof Error) {
+        expect(error.message).toContain('self-signed certificate');
+        expect(error.message).toContain('Certificate validation failed');
+        expect(error.message).toContain('tls: { rejectUnauthorized: false }');
+      }
+    }
+    
+    consoleErrorSpy.mockRestore();
+  });
+
   it('should initialize rest client with baseUrl', () => {
     expect((client as any).rest).toBeDefined();
   });
@@ -86,6 +138,27 @@ describe('InfrahubClient', () => {
       expect((tlsClient as any).graphqlClient).toBeInstanceOf(GraphQLClient);
     });
 
+    it('should create agent with rejectUnauthorized: false when explicitly set', () => {
+      const https = require('https');
+      const createAgentSpy = jest.spyOn(https, 'Agent');
+      
+      const options: InfrahubClientOptions = {
+        address: baseURL,
+        token: token,
+        tls: {
+          rejectUnauthorized: false
+        }
+      };
+      
+      const tlsClient = new InfrahubClient(options);
+      
+      expect(createAgentSpy).toHaveBeenCalled();
+      const agentOptions = createAgentSpy.mock.calls[createAgentSpy.mock.calls.length - 1][0] as any;
+      expect(agentOptions.rejectUnauthorized).toBe(false);
+      
+      createAgentSpy.mockRestore();
+    });
+
     it('should accept TLS configuration with custom CA certificate', () => {
       const options: InfrahubClientOptions = {
         address: baseURL,

package/src/index.ts

@@ -27,10 +27,14 @@ export interface TLSConfig {
   /**
    * If true, the server certificate is verified against the list of supplied CAs.
    * Set to false to disable certificate verification (not recommended for production).
+   * 
+   * Note: Setting this to false will bypass all certificate validation, including
+   * expired certificates, self-signed certificates, and hostname mismatches.
    */
   rejectUnauthorized?: boolean;
   /**
    * Optional CA certificates to trust. Can be a string or Buffer containing the certificate(s).
+   * Use this when connecting to servers with custom or self-signed certificates.
    */
   ca?: string | Buffer | Array<string | Buffer>;
   /**
@@ -49,7 +53,15 @@ export interface InfrahubClientOptions {
   branch?: string;
   /**
    * TLS/SSL configuration options for HTTPS connections.
-   * Use this to handle custom certificates or disable certificate verification.
+   * Use this to handle custom certificates, expired certificates, or disable certificate verification.
+   * 
+   * @example
+   * // Disable certificate verification (development only)
+   * { tls: { rejectUnauthorized: false } }
+   * 
+   * @example
+   * // Use custom CA certificate
+   * { tls: { ca: fs.readFileSync('/path/to/ca.pem') } }
    */
   tls?: TLSConfig;
 }
@@ -73,17 +85,32 @@ export class InfrahubClient {
     // Create custom fetch with TLS options if provided
     let customFetch: typeof fetch = fetch;
     if (options.tls) {
-      const httpsAgent = new https.Agent({
-        rejectUnauthorized: options.tls.rejectUnauthorized,
-        ca: options.tls.ca,
-        cert: options.tls.cert,
-        key: options.tls.key
-      });
+      // Build agent options, ensuring rejectUnauthorized is explicitly set if provided
+      const agentOptions: https.AgentOptions = {};
+      
+      if (options.tls.rejectUnauthorized !== undefined) {
+        agentOptions.rejectUnauthorized = options.tls.rejectUnauthorized;
+      }
+      if (options.tls.ca !== undefined) {
+        agentOptions.ca = options.tls.ca;
+      }
+      if (options.tls.cert !== undefined) {
+        agentOptions.cert = options.tls.cert;
+      }
+      if (options.tls.key !== undefined) {
+        agentOptions.key = options.tls.key;
+      }
+
+      const httpsAgent = new https.Agent(agentOptions);
+      
       customFetch = ((
         url: Parameters<typeof fetch>[0],
         opts: Parameters<typeof fetch>[1] = {}
       ) => {
-        return fetch(url, { ...opts, agent: httpsAgent });
+        // Ensure agent is passed for HTTPS URLs
+        // node-fetch v2 requires the agent to be explicitly set
+        const fetchOptions = { ...opts, agent: httpsAgent };
+        return fetch(url, fetchOptions);
       }) as typeof fetch;
     }
 
@@ -194,6 +221,50 @@ export class InfrahubClient {
       });
       return await (this.graphqlClient.request as any)(query, variables);
     } catch (error) {
+      // Check if this is a certificate error and provide helpful guidance
+      if (error instanceof Error) {
+        const errorMessage = error.message.toLowerCase();
+        const isCertError =
+          errorMessage.includes('certificate') ||
+          errorMessage.includes('cert') ||
+          errorMessage.includes('ssl') ||
+          errorMessage.includes('tls');
+        const isExpired = errorMessage.includes('expired');
+        const isSelfSigned = errorMessage.includes('self-signed') || errorMessage.includes('self signed');
+        const isUnauthorized = errorMessage.includes('unauthorized');
+
+        if (isCertError && (isExpired || isSelfSigned || isUnauthorized)) {
+          const helpMessage = [
+            '',
+            'Certificate validation failed. To resolve this issue, you can configure TLS options:',
+            '',
+            '1. Disable certificate verification (for development/testing only):',
+            '   const client = new InfrahubClient({',
+            '     address: "your-address",',
+            '     token: "your-token",',
+            '     tls: { rejectUnauthorized: false }',
+            '   });',
+            '',
+            '2. Or provide a custom CA certificate (requires: import fs from "fs"):',
+            '   const client = new InfrahubClient({',
+            '     address: "your-address",',
+            '     token: "your-token",',
+            '     tls: { ca: fs.readFileSync("/path/to/ca-cert.pem") }',
+            '   });',
+            '',
+            'See the README.md for more TLS configuration options.',
+            ''
+          ].join('\n');
+
+          console.error(helpMessage);
+          
+          // Create a new error with helpful message appended
+          const enhancedError = new Error(`${error.message}\n${helpMessage}`);
+          enhancedError.stack = error.stack;
+          throw enhancedError;
+        }
+      }
+      
       console.error('Error executing GraphQL query:', error);
       throw error;
     }