feat: allow scoped client certificates

network/agent/agent.spec.ts

@@ -7,8 +7,9 @@ jest.mock('agentkeepalive', () => {
 })
 jest.mock('https-proxy-agent', () => mockHttpAgent('https-proxy'))
 
-function mockHttpAgent (type: string) {
-  return function Agent (opts: any) { // eslint-disable-line @typescript-eslint/no-explicit-any
+function mockHttpAgent(type: string) {
+  return function Agent(opts: any) {
+    // eslint-disable-line @typescript-eslint/no-explicit-any
     return {
       ...opts,
       __type: type,
@@ -89,3 +90,45 @@ test("don't use a proxy when the URL is in noProxy", () => {
   })
 })
 
+test('should return the correct client certificates', () => {
+  const agent = getAgent('https://foo.com/bar', {
+    clientCertificates: {
+      '//foo.com/': {
+        ca: 'ca',
+        cert: 'cert',
+        key: 'key',
+      },
+    },
+  })
+
+  expect(agent).toEqual({
+    ca: 'ca',
+    cert: 'cert',
+    key: 'key',
+    localAddress: undefined,
+    maxSockets: 50,
+    rejectUnauthorized: undefined,
+    timeout: 0,
+    __type: 'https',
+  })
+})
+
+test('should not return client certificates for a different host', () => {
+  const agent = getAgent('https://foo.com/bar', {
+    clientCertificates: {
+      '//bar.com/': {
+        ca: 'ca',
+        cert: 'cert',
+        key: 'key',
+      },
+    },
+  })
+
+  expect(agent).toEqual({
+    localAddress: undefined,
+    maxSockets: 50,
+    rejectUnauthorized: undefined,
+    timeout: 0,
+    __type: 'https',
+  })
+})

network/agent/agent.ts

@@ -1,6 +1,7 @@
 import { URL } from 'url'
 import HttpAgent from 'agentkeepalive'
 import LRU from 'lru-cache'
+import nerfDart from 'nerf-dart'
 import { getProxyAgent, ProxyAgentOptions } from '@pnpm/network.proxy-agent'
 
 const HttpsAgent = HttpAgent.HttpsAgent
@@ -23,16 +24,27 @@ export function getAgent (uri: string, opts: AgentOptions) {
 
 function getNonProxyAgent (uri: string, opts: AgentOptions) {
   const parsedUri = new URL(uri)
+  const host = nerfDart(uri)
   const isHttps = parsedUri.protocol === 'https:'
 
+  const clientCertificates = opts.clientCertificates?.[host] ?? null
+
   /* eslint-disable @typescript-eslint/prefer-nullish-coalescing */
   const key = [
     `https:${isHttps.toString()}`,
     `local-address:${opts.localAddress ?? '>no-local-address<'}`,
-    `strict-ssl:${isHttps ? Boolean(opts.strictSsl).toString() : '>no-strict-ssl<'}`,
-    `ca:${(isHttps && opts.ca?.toString()) || '>no-ca<'}`,
-    `cert:${(isHttps && opts.cert?.toString()) || '>no-cert<'}`,
-    `key:${(isHttps && opts.key) || '>no-key<'}`,
+    `strict-ssl:${
+      isHttps ? Boolean(opts.strictSsl).toString() : '>no-strict-ssl<'
+    }`,
+    `ca:${
+      (isHttps && clientCertificates?.ca) || opts.ca?.toString() || '>no-ca<'
+    }`,
+    `cert:${
+      (isHttps && clientCertificates?.cert) ||
+      opts.cert?.toString() ||
+      '>no-cert<'
+    }`,
+    `key:${(isHttps && clientCertificates?.key) || opts.key || '>no-key<'}`,
   ].join(':')
   /* eslint-enable @typescript-eslint/prefer-nullish-coalescing */
 
@@ -45,7 +57,10 @@ function getNonProxyAgent (uri: string, opts: AgentOptions) {
   // opts.timeout is a non-zero value, set it to timeout + 1, to ensure that
   // the node-fetch-npm timeout will always fire first, giving us more
   // consistent errors.
-  const agentTimeout = typeof opts.timeout !== 'number' || opts.timeout === 0 ? 0 : opts.timeout + 1
+  const agentTimeout =
+    typeof opts.timeout !== 'number' || opts.timeout === 0
+      ? 0
+      : opts.timeout + 1
 
   // NOTE: localAddress is passed to the agent here even though it is an
   // undocumented option of the agent's constructor.
@@ -55,29 +70,35 @@ function getNonProxyAgent (uri: string, opts: AgentOptions) {
   // https://github.com/nodejs/node/blob/350a95b89faab526de852d417bbb8a3ac823c325/lib/_http_agent.js#L254
   const agent = isHttps
     ? new HttpsAgent({
-      ca: opts.ca,
-      cert: opts.cert,
-      key: opts.key,
-      localAddress: opts.localAddress,
-      maxSockets: opts.maxSockets ?? DEFAULT_MAX_SOCKETS,
-      rejectUnauthorized: opts.strictSsl,
-      timeout: agentTimeout,
-    } as any) // eslint-disable-line @typescript-eslint/no-explicit-any
+        ca: clientCertificates?.ca || opts.ca,
+        cert: clientCertificates?.cert || opts.cert,
+        key: clientCertificates?.key || opts.key,
+        localAddress: opts.localAddress,
+        maxSockets: opts.maxSockets ?? DEFAULT_MAX_SOCKETS,
+        rejectUnauthorized: opts.strictSsl,
+        timeout: agentTimeout,
+      } as any) // eslint-disable-line @typescript-eslint/no-explicit-any
     : new HttpAgent({
-      localAddress: opts.localAddress,
-      maxSockets: opts.maxSockets ?? DEFAULT_MAX_SOCKETS,
-      timeout: agentTimeout,
-    } as any) // eslint-disable-line @typescript-eslint/no-explicit-any
+        localAddress: opts.localAddress,
+        maxSockets: opts.maxSockets ?? DEFAULT_MAX_SOCKETS,
+        timeout: agentTimeout,
+      } as any) // eslint-disable-line @typescript-eslint/no-explicit-any
   AGENT_CACHE.set(key, agent)
   return agent
 }
 
 function checkNoProxy (uri: string, opts: { noProxy?: boolean | string }) {
-  const host = new URL(uri).hostname.split('.').filter(x => x).reverse()
+  const host = new URL(uri).hostname
+    .split('.')
+    .filter(x => x)
+    .reverse()
   if (typeof opts.noProxy === 'string') {
     const noproxyArr = opts.noProxy.split(/\s*,\s*/g)
     return noproxyArr.some(no => {
-      const noParts = no.split('.').filter(x => x).reverse()
+      const noParts = no
+        .split('.')
+        .filter(x => x)
+        .reverse()
       if (noParts.length === 0) {
         return false
       }

network/proxy-agent/proxy-agent.ts

@@ -19,6 +19,13 @@ export interface ProxyAgentOptions {
   noProxy?: boolean | string
   strictSsl?: boolean
   timeout?: number
+  clientCertificates?: {
+    [registryUrl: string]: {
+      cert: string
+      key: string
+      ca?: string
+    }
+  }
 }
 
 export function getProxyAgent (uri: string, opts: ProxyAgentOptions) {
@@ -32,7 +39,9 @@ export function getProxyAgent (uri: string, opts: ProxyAgentOptions) {
     `https:${isHttps.toString()}`,
     `proxy:${pxuri.protocol}//${pxuri.username}:${pxuri.password}@${pxuri.host}:${pxuri.port}`,
     `local-address:${opts.localAddress ?? '>no-local-address<'}`,
-    `strict-ssl:${isHttps ? Boolean(opts.strictSsl).toString() : '>no-strict-ssl<'}`,
+    `strict-ssl:${
+      isHttps ? Boolean(opts.strictSsl).toString() : '>no-strict-ssl<'
+    }`,
     `ca:${(isHttps && opts.ca?.toString()) || '>no-ca<'}`,
     `cert:${(isHttps && opts.cert?.toString()) || '>no-cert<'}`,
     `key:${(isHttps && opts.key) || '>no-key<'}`,
@@ -58,14 +67,14 @@ function getProxyUri (
 
   let proxy: string | undefined
   switch (protocol) {
-  case 'http:': {
-    proxy = opts.httpProxy
-    break
-  }
-  case 'https:': {
-    proxy = opts.httpsProxy
-    break
-  }
+    case 'http:': {
+      proxy = opts.httpProxy
+      break
+    }
+    case 'https:': {
+      proxy = opts.httpsProxy
+      break
+    }
   }
 
   if (!proxy) {
@@ -114,7 +123,10 @@ function getProxy (
     port: proxyUrl.port,
     protocol: proxyUrl.protocol,
     rejectUnauthorized: opts.strictSsl,
-    timeout: typeof opts.timeout !== 'number' || opts.timeout === 0 ? 0 : opts.timeout + 1,
+    timeout:
+      typeof opts.timeout !== 'number' || opts.timeout === 0
+        ? 0
+        : opts.timeout + 1,
   }
 
   if (proxyUrl.protocol === 'http:' || proxyUrl.protocol === 'https:') {
@@ -130,7 +142,7 @@ function getProxy (
   return undefined
 }
 
-function getAuth (user: { username?: string, password?: string }) {
+function getAuth (user: { username?: string; password?: string }) {
   if (!user.username) {
     return undefined
   }

workspace.jsonc

@@ -58,6 +58,7 @@
         "http-proxy-agent": "5.0.0",
         "https-proxy-agent": "5.0.1",
         "lru-cache": "7.10.1",
+        "nerf-dart": "^1.0.0",
         "node-fetch": "^2.6.7",
         "proxy": "1.0.2",
         "safe-execa": "0.1.1",