infrahub-sdk 0.0.7 → 0.0.9

package/README.md

@@ -39,11 +39,25 @@ const usersData = await client.executeGraphQL(listDevices);
 
 ## TLS/SSL Configuration
 
-When connecting to Infrahub instances with custom or self-signed certificates, you can configure TLS options:
+When connecting to Infrahub instances with custom, self-signed, or expired certificates, you can configure TLS options:
+
+### Handling Certificate Errors
+
+If you encounter certificate errors such as:
+- `certificate has expired`
+- `self-signed certificate`
+- `unable to verify the first certificate`
+- `UNABLE_TO_VERIFY_LEAF_SIGNATURE`
+
+You can resolve these by configuring the TLS options as shown below.
 
 ### Disable Certificate Verification (for development/testing)
 
+This is the recommended approach for handling expired certificates in development/testing environments:
+
 ```typescript
+import { InfrahubClient, InfrahubClientOptions } from 'infrahub-sdk';
+
 const options: InfrahubClientOptions = {
   address: "https://infrahub.example.com",
   token: "your-api-token",
@@ -55,7 +69,22 @@ const options: InfrahubClientOptions = {
 const client = new InfrahubClient(options);
 ```
 
-**Warning**: Disabling certificate verification is not recommended for production environments as it makes your connection vulnerable to man-in-the-middle attacks.
+**Important Notes:**
+- Setting `rejectUnauthorized: false` disables ALL certificate validation
+- This bypasses checks for expired, self-signed, and invalid certificates
+- **Warning**: Never use this in production environments as it makes your connection vulnerable to man-in-the-middle attacks
+- Only use this for development, testing, or when connecting to trusted internal servers
+
+**Example:** See [examples/expired-certificate-example.ts](examples/expired-certificate-example.ts) for a complete working example.
+
+### Troubleshooting
+
+If you're still experiencing certificate errors after setting `rejectUnauthorized: false`:
+
+1. **Verify the configuration is being applied**: Make sure you're creating the client with the TLS options
+2. **Check for multiple client instances**: Ensure all instances use the same TLS configuration
+3. **Network/Proxy Issues**: If you're behind a proxy, you may need additional configuration
+4. **Node.js Version**: Ensure you're using Node.js 14 or later
 
 ### Use Custom CA Certificate
 

package/dist/index.d.ts

@@ -17,10 +17,14 @@ export interface TLSConfig {
     /**
      * If true, the server certificate is verified against the list of supplied CAs.
      * Set to false to disable certificate verification (not recommended for production).
+     *
+     * Note: Setting this to false will bypass all certificate validation, including
+     * expired certificates, self-signed certificates, and hostname mismatches.
      */
     rejectUnauthorized?: boolean;
     /**
      * Optional CA certificates to trust. Can be a string or Buffer containing the certificate(s).
+     * Use this when connecting to servers with custom or self-signed certificates.
      */
     ca?: string | Buffer | Array<string | Buffer>;
     /**
@@ -38,7 +42,15 @@ export interface InfrahubClientOptions {
     branch?: string;
     /**
      * TLS/SSL configuration options for HTTPS connections.
-     * Use this to handle custom certificates or disable certificate verification.
+     * Use this to handle custom certificates, expired certificates, or disable certificate verification.
+     *
+     * @example
+     * // Disable certificate verification (development only)
+     * { tls: { rejectUnauthorized: false } }
+     *
+     * @example
+     * // Use custom CA certificate
+     * { tls: { ca: fs.readFileSync('/path/to/ca.pem') } }
      */
     tls?: TLSConfig;
 }

package/dist/index.js

@@ -35,18 +35,52 @@ class InfrahubClient {
         this.defaultBranch = options.branch || DEFAULT_BRANCH_NAME;
         this.branch = new branch_1.InfrahubBranchManager(this);
         // Create custom fetch with TLS options if provided
-        let customFetch = node_fetch_1.default;
+        // Also handle Request objects properly for node-fetch v2 compatibility
+        let httpsAgent;
         if (options.tls) {
-            const httpsAgent = new https_1.default.Agent({
-                rejectUnauthorized: options.tls.rejectUnauthorized,
-                ca: options.tls.ca,
-                cert: options.tls.cert,
-                key: options.tls.key
-            });
-            customFetch = ((url, opts = {}) => {
-                return (0, node_fetch_1.default)(url, { ...opts, agent: httpsAgent });
-            });
+            // Build agent options, ensuring rejectUnauthorized is explicitly set if provided
+            const agentOptions = {};
+            if (options.tls.rejectUnauthorized !== undefined) {
+                agentOptions.rejectUnauthorized = options.tls.rejectUnauthorized;
+            }
+            if (options.tls.ca !== undefined) {
+                agentOptions.ca = options.tls.ca;
+            }
+            if (options.tls.cert !== undefined) {
+                agentOptions.cert = options.tls.cert;
+            }
+            if (options.tls.key !== undefined) {
+                agentOptions.key = options.tls.key;
+            }
+            httpsAgent = new https_1.default.Agent(agentOptions);
         }
+        // Wrap fetch to handle Request objects from openapi-fetch
+        // node-fetch v2 doesn't properly extract URL from Request objects
+        const customFetch = ((input, init) => {
+            let url;
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            let options = init || {};
+            // Handle Request objects by extracting URL and merging options
+            if (input && typeof input === 'object' && 'url' in input) {
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                const req = input;
+                url = req.url;
+                options = {
+                    method: req.method,
+                    headers: req.headers,
+                    body: req.body,
+                    ...init
+                };
+            }
+            else {
+                url = input;
+            }
+            // Add HTTPS agent if configured
+            if (httpsAgent) {
+                options = { ...options, agent: httpsAgent };
+            }
+            return (0, node_fetch_1.default)(url, options);
+        });
         // Initialize the openapi-fetch client with TLS configuration
         this.rest = (0, openapi_fetch_1.default)({
             baseUrl: this.baseUrl,
@@ -128,6 +162,45 @@ class InfrahubClient {
             return await this.graphqlClient.request(query, variables);
         }
         catch (error) {
+            // Check if this is a certificate error and provide helpful guidance
+            if (error instanceof Error) {
+                const errorMessage = error.message.toLowerCase();
+                const isCertError = errorMessage.includes('certificate') ||
+                    errorMessage.includes('cert') ||
+                    errorMessage.includes('ssl') ||
+                    errorMessage.includes('tls');
+                const isExpired = errorMessage.includes('expired');
+                const isSelfSigned = errorMessage.includes('self-signed') || errorMessage.includes('self signed');
+                const isUnauthorized = errorMessage.includes('unauthorized');
+                if (isCertError && (isExpired || isSelfSigned || isUnauthorized)) {
+                    const helpMessage = [
+                        '',
+                        'Certificate validation failed. To resolve this issue, you can configure TLS options:',
+                        '',
+                        '1. Disable certificate verification (for development/testing only):',
+                        '   const client = new InfrahubClient({',
+                        '     address: "your-address",',
+                        '     token: "your-token",',
+                        '     tls: { rejectUnauthorized: false }',
+                        '   });',
+                        '',
+                        '2. Or provide a custom CA certificate (requires: import fs from "fs"):',
+                        '   const client = new InfrahubClient({',
+                        '     address: "your-address",',
+                        '     token: "your-token",',
+                        '     tls: { ca: fs.readFileSync("/path/to/ca-cert.pem") }',
+                        '   });',
+                        '',
+                        'See the README.md for more TLS configuration options.',
+                        ''
+                    ].join('\n');
+                    console.error(helpMessage);
+                    // Create a new error with helpful message appended
+                    const enhancedError = new Error(`${error.message}\n${helpMessage}`);
+                    enhancedError.stack = error.stack;
+                    throw enhancedError;
+                }
+            }
             console.error('Error executing GraphQL query:', error);
             throw error;
         }

package/dist/index.test.js

@@ -38,6 +38,50 @@ const globals_1 = require("@jest/globals");
         await (0, globals_1.expect)(client.executeGraphQL('{ test }')).rejects.toThrow('GraphQL error');
         consoleErrorSpy.mockRestore();
     });
+    (0, globals_1.it)('should provide helpful error message for certificate errors', async () => {
+        const mockRequest = globals_1.jest
+            .fn()
+            .mockImplementation(() => Promise.reject(new Error('request failed, reason: certificate has expired')));
+        client.graphqlClient.request = mockRequest;
+        const consoleErrorSpy = globals_1.jest
+            .spyOn(console, 'error')
+            .mockImplementation(() => { });
+        try {
+            await client.executeGraphQL('{ test }');
+            (0, globals_1.expect)(true).toBe(false); // Should not reach here
+        }
+        catch (error) {
+            (0, globals_1.expect)(error).toBeInstanceOf(Error);
+            if (error instanceof Error) {
+                (0, globals_1.expect)(error.message).toContain('certificate has expired');
+                (0, globals_1.expect)(error.message).toContain('Certificate validation failed');
+                (0, globals_1.expect)(error.message).toContain('rejectUnauthorized: false');
+            }
+        }
+        consoleErrorSpy.mockRestore();
+    });
+    (0, globals_1.it)('should provide helpful error message for self-signed certificate errors', async () => {
+        const mockRequest = globals_1.jest
+            .fn()
+            .mockImplementation(() => Promise.reject(new Error('request failed, reason: self-signed certificate')));
+        client.graphqlClient.request = mockRequest;
+        const consoleErrorSpy = globals_1.jest
+            .spyOn(console, 'error')
+            .mockImplementation(() => { });
+        try {
+            await client.executeGraphQL('{ test }');
+            (0, globals_1.expect)(true).toBe(false); // Should not reach here
+        }
+        catch (error) {
+            (0, globals_1.expect)(error).toBeInstanceOf(Error);
+            if (error instanceof Error) {
+                (0, globals_1.expect)(error.message).toContain('self-signed certificate');
+                (0, globals_1.expect)(error.message).toContain('Certificate validation failed');
+                (0, globals_1.expect)(error.message).toContain('tls: { rejectUnauthorized: false }');
+            }
+        }
+        consoleErrorSpy.mockRestore();
+    });
     (0, globals_1.it)('should initialize rest client with baseUrl', () => {
         (0, globals_1.expect)(client.rest).toBeDefined();
     });
@@ -72,6 +116,22 @@ const globals_1 = require("@jest/globals");
             (0, globals_1.expect)(tlsClient).toBeDefined();
             (0, globals_1.expect)(tlsClient.graphqlClient).toBeInstanceOf(graphql_request_1.GraphQLClient);
         });
+        (0, globals_1.it)('should create agent with rejectUnauthorized: false when explicitly set', () => {
+            const https = require('https');
+            const createAgentSpy = globals_1.jest.spyOn(https, 'Agent');
+            const options = {
+                address: baseURL,
+                token: token,
+                tls: {
+                    rejectUnauthorized: false
+                }
+            };
+            const tlsClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(createAgentSpy).toHaveBeenCalled();
+            const agentOptions = createAgentSpy.mock.calls[createAgentSpy.mock.calls.length - 1][0];
+            (0, globals_1.expect)(agentOptions.rejectUnauthorized).toBe(false);
+            createAgentSpy.mockRestore();
+        });
         (0, globals_1.it)('should accept TLS configuration with custom CA certificate', () => {
             const options = {
                 address: baseURL,

package/dist/integration.test.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Integration tests for the Infrahub SDK
+ *
+ * These tests require a running Infrahub server at http://localhost:8000
+ *
+ * Run with: npx jest --testPathPattern=integration --resetModules
+ * Or run directly: npx ts-node src/integration.test.ts
+ */
+export {};

package/dist/integration.test.js

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * Integration tests for the Infrahub SDK
+ *
+ * These tests require a running Infrahub server at http://localhost:8000
+ *
+ * Run with: npx jest --testPathPattern=integration --resetModules
+ * Or run directly: npx ts-node src/integration.test.ts
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const index_1 = require("./index");
+const globals_1 = require("@jest/globals");
+const INFRAHUB_URL = process.env.INFRAHUB_URL || 'http://localhost:8000';
+const INFRAHUB_TOKEN = process.env.INFRAHUB_TOKEN || '';
+(0, globals_1.describe)('Integration Tests - Schema Loading', () => {
+    let client;
+    (0, globals_1.beforeAll)(() => {
+        const options = {
+            address: INFRAHUB_URL,
+            token: INFRAHUB_TOKEN
+        };
+        client = new index_1.InfrahubClient(options);
+    });
+    (0, globals_1.it)('should load schema from the server', async () => {
+        const result = await client.rest.GET('/api/schema');
+        (0, globals_1.expect)(result.error).toBeUndefined();
+        (0, globals_1.expect)(result.response?.status).toBe(200);
+        (0, globals_1.expect)(result.data).toBeDefined();
+        // Schema should have nodes and/or generics arrays
+        if (result.data) {
+            (0, globals_1.expect)(typeof result.data).toBe('object');
+        }
+    });
+    (0, globals_1.it)('should load schema summary from the server', async () => {
+        const result = await client.rest.GET('/api/schema/summary');
+        (0, globals_1.expect)(result.error).toBeUndefined();
+        (0, globals_1.expect)(result.response?.status).toBe(200);
+        (0, globals_1.expect)(result.data).toBeDefined();
+    });
+    (0, globals_1.it)('should get server info', async () => {
+        const result = await client.rest.GET('/api/info');
+        (0, globals_1.expect)(result.error).toBeUndefined();
+        (0, globals_1.expect)(result.response?.status).toBe(200);
+        (0, globals_1.expect)(result.data).toBeDefined();
+    });
+    (0, globals_1.it)('should get server config', async () => {
+        const result = await client.rest.GET('/api/config');
+        (0, globals_1.expect)(result.error).toBeUndefined();
+        (0, globals_1.expect)(result.response?.status).toBe(200);
+        (0, globals_1.expect)(result.data).toBeDefined();
+    });
+});

package/dist/rest.test.d.ts

@@ -0,0 +1 @@
+export {};