feat: add tls options support

arturfromtabnine · arturfromtabnine · commit a316b22ac064 · 2025-09-02T12:13:41.000+02:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -53,6 +53,7 @@
     "hono": "^4.6.10",
     "jose": "^6.0.11",
     "patch-package": "^8.0.0",
+    "undici": "^7.12.0",
     "ws": "^8.18.0",
     "zod": "^3.22.4"
   },
diff --git a/src/handlers/handlerUtils.ts b/src/handlers/handlerUtils.ts
@@ -1,4 +1,5 @@
 import { Context } from 'hono';
+import { Agent } from 'undici/types';
 import {
   AZURE_OPEN_AI,
   BEDROCK,
@@ -27,6 +28,7 @@ import { ConditionalRouter } from '../services/conditionalRouter';
 import { RouterError } from '../errors/RouterError';
 import { GatewayError } from '../errors/GatewayError';
 import { HookType } from '../middlewares/hooks/types';
+import { getCustomHttpsAgent } from '../utils/fetch';
 
 // Services
 import { CacheResponseObject, CacheService } from './services/cacheService';
@@ -177,12 +179,22 @@ export async function constructRequest(
     providerMappedHeaders
   );
 
-  const fetchOptions: RequestInit = {
+  const fetchOptions: RequestInit & { dispatcher?: Agent } = {
     method: requestContext.method,
     headers,
     ...(requestContext.endpoint === 'uploadFile' && { duplex: 'half' }),
   };
 
+  const { tlsOptions } = requestContext.providerOption;
+  if (tlsOptions?.ca || tlsOptions?.rejectUnauthorized === false) {
+    // SECURITY NOTE: The following allows to disable TLS certificate validation
+
+    fetchOptions.dispatcher = getCustomHttpsAgent({
+      rejectUnauthorized: tlsOptions?.rejectUnauthorized,
+      ca: tlsOptions?.ca,
+    });
+  }
+
   const body = constructRequestBody(requestContext, providerMappedHeaders);
   if (body) {
     fetchOptions.body = body;
@@ -950,6 +962,15 @@ export function constructConfigFromRequestHeaders(
     anthropicVersion: requestHeaders[`x-${POWERED_BY}-anthropic-version`],
   };
 
+  let tlsOptions = undefined;
+  if (requestHeaders['x-portkey-tls-options']) {
+    try {
+      tlsOptions = JSON.parse(requestHeaders['x-portkey-tls-options']);
+    } catch (e) {
+      console.warn('Failed to parse x-portkey-tls-options:', e);
+    }
+  }
+
   const vertexServiceAccountJson =
     requestHeaders[`x-${POWERED_BY}-vertex-service-account-json`];
 
@@ -1120,6 +1141,7 @@ export function constructConfigFromRequestHeaders(
     ...(requestHeaders[`x-${POWERED_BY}-provider`] === FIREWORKS_AI &&
       fireworksConfig),
     ...(requestHeaders[`x-${POWERED_BY}-provider`] === CORTEX && cortexConfig),
+    tlsOptions,
   };
 }
 
diff --git a/src/types/requestBody.ts b/src/types/requestBody.ts
@@ -157,6 +157,18 @@ export interface Options {
 
   /** Cortex specific fields */
   snowflakeAccount?: string;
+
+  /**
+   * TLS options for outgoing requests. Example:
+   * {
+   *   ca?: string; // CA certificate(s) in PEM format
+   *   rejectUnauthorized?: boolean;
+   * }
+   */
+  tlsOptions?: {
+    ca?: string;
+    rejectUnauthorized?: boolean;
+  };
 }
 
 /**
diff --git a/src/utils/fetch.ts b/src/utils/fetch.ts
@@ -0,0 +1,27 @@
+import { Agent } from 'undici';
+
+/**
+ * Creates a custom HTTPS agent with SSL configuration options
+ *
+ * @param options - Configuration options for the HTTPS agent
+ * @param options.rejectUnauthorized - Whether to reject unauthorized certificates (default: true)
+ * @param options.ca - Custom CA certificate (optional)
+ * @returns HTTPS Agent instance
+ */
+export function getCustomHttpsAgent(
+  options: {
+    rejectUnauthorized?: boolean;
+    ca?: string | Buffer;
+    cert?: string | Buffer;
+    key?: string | Buffer;
+  } = {}
+): Agent {
+  const { rejectUnauthorized = true, ca } = options || {};
+
+  return new Agent({
+    connect: {
+      rejectUnauthorized,
+      ...(ca && { ca }),
+    },
+  });
+}
diff --git a/tests/unit/src/utils/fetch.test.ts b/tests/unit/src/utils/fetch.test.ts
@@ -0,0 +1,84 @@
+import { Agent } from 'undici';
+import { getCustomHttpsAgent } from '../../../../src/utils/fetch';
+
+const mockCa =
+  '-----BEGIN CERTIFICATE-----\nMOCK_CA_CERT\n-----END CERTIFICATE-----';
+
+function getSymbolValue<T extends object>(
+  obj: T,
+  description: string
+): unknown {
+  const symbol = Object.getOwnPropertySymbols(obj).find(
+    (s) => s.description === description
+  );
+  return symbol ? (obj as any)[symbol] : undefined;
+}
+
+describe('getCustomHttpsAgent', () => {
+  describe('default behavior', () => {
+    it('should create an Agent with rejectUnauthorized true by default', () => {
+      const agent = getCustomHttpsAgent();
+      const optionsValue = getSymbolValue(agent, 'options');
+
+      expect(agent).toBeInstanceOf(Agent);
+      expect(optionsValue).toEqual({
+        connect: { rejectUnauthorized: true },
+      });
+    });
+  });
+
+  describe('with custom options', () => {
+    it('should create an Agent with custom rejectUnauthorized option', () => {
+      const agent = getCustomHttpsAgent({ rejectUnauthorized: false });
+      const optionsValue = getSymbolValue(agent, 'options');
+
+      expect(agent).toBeInstanceOf(Agent);
+      expect(optionsValue).toEqual({
+        connect: { rejectUnauthorized: false },
+      });
+    });
+
+    it('should create an Agent with custom CA certificate', () => {
+      const agent = getCustomHttpsAgent({ ca: mockCa });
+      const optionsValue = getSymbolValue(agent, 'options');
+
+      expect(agent).toBeInstanceOf(Agent);
+      expect(optionsValue).toEqual({
+        connect: { ca: mockCa, rejectUnauthorized: true },
+      });
+    });
+  });
+
+  describe('with Buffer inputs', () => {
+    it('should create an Agent with Buffer CA certificate', () => {
+      const mockCaBuffer = Buffer.from(mockCa);
+      const agent = getCustomHttpsAgent({ ca: mockCaBuffer });
+      const optionsValue = getSymbolValue(agent, 'options');
+
+      expect(agent).toBeInstanceOf(Agent);
+      expect(optionsValue).toEqual({
+        connect: { ca: mockCaBuffer, rejectUnauthorized: true },
+      });
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should accept optional options parameter', () => {
+      // Test that the function can be called without parameters
+      const agent1 = getCustomHttpsAgent();
+      expect(agent1).toBeInstanceOf(Agent);
+
+      // Test that the function can be called with empty options
+      const agent2 = getCustomHttpsAgent({});
+      expect(agent2).toBeInstanceOf(Agent);
+
+      // Test that the function can be called with partial options
+      const agent3 = getCustomHttpsAgent({ rejectUnauthorized: false });
+      expect(agent3).toBeInstanceOf(Agent);
+
+      // Test that the function can be called with null options
+      const agent4 = getCustomHttpsAgent(null as any);
+      expect(agent4).toBeInstanceOf(Agent);
+    });
+  });
+});
