Automatically set Git proxy environment variables from system configuration

[niik]

See #9126 #9127, and #9139 for the work leading up to this PR.

Description

This is the final piece for supporting automatic Git proxy configuration for (non-authenticating proxies).

When GitHub Desktop is about to perform a network operation (such as push, pull, fetch etc) we're now going to automatically add a https_proxy or http_proxy environment variable with the proxy url that we've retrieved and reformatted for cURL use.

We first inspect the environment to see if the user has manually configured any of the relevant proxy environment variables. If they haven't we'll set them ourselves.

Why env vars and not Git configuration variables?

We have two options when it comes to providing Git with per-invocation configuration. Either we set an environment variable that Git understands or we pass a Git configuration key and value using the git -c parameter.

Using the git -c http.proxy=foo approach would override any http.proxy setting the user might have configured in their global (and/or repo level) git config. More importantly though the -c approach wouldn't be inherited by subcommands executed by Git such as Git LFS.

What about proxies requiring authentication

That'd be the next logical step. While the non-Git bits of GitHub Desktop supports non-authenticating proxies today it doesn't support authenticating proxies meaning that users wouldn't be able to sign in to their accounts or access the GitHub API. We need to start at that end and implement the login event, provide Electron with credentials (taken from keychain/credential manager by default and prompted if no such credentials could be found).

The current workaround of manually configuring Git proxy details described in #2789 (comment) would work for the Git bits but would do nothing to fix the API portion.

Testing

I don't have a definitive guide here but this is what I've been doing.

Install Fiddler Everywhere and turn on capturing. Fiddler will automatically configure the system proxy settings to point to its own proxy port.

Optionally enable HTTPS-decryption if you'd like to inspect to the requests.

Do a fetch in GitHub Desktop. You should see a request being made from Git

If you just want to verify that GitHub Desktop is setting the environment variables correctly you may also specify an invalid proxy url in your system configuration and verify that the fetch doesn't go through.

If you want to verify that Electron is receiving the proxy configuration from the operating system you can copy and paste the following command into the DevTools console

require('electron').remote.session.defaultSession.resolveProxy('https://github.com').then(console.log)

HELP I'm getting an error saying "The revocation function was unable to check revocation for the certificate."

Look at that, you're testing on Windows. Good on ya! See https://github.com/desktop/desktop/blob/development/docs/known-issues.md#certificate-revocation-check-fails---3326. Man-in-the-middle intercepting SSL proxy (such as fiddler or corporate proxies that decrypts https shudders) usually don't implement the necessary logic to support certificate revocation checks. You can set http.schannelCheckRevoke to false in order to test this but this is obviously something we're going to want to have a better solution for. That will be my next step and I'm hoping to have a PR to show in the beginning of next week.

[tierninho]

@niik I have set up Fiddler on OSX, the traffic is being captured, the Network settings were auto-updated, the git config --global http.proxy http://proxyuser:proxypwd@proxy.server.com:8080 is set with the proper credentials and server url from the Network settings, but I am failing to get past "The revocation function was unable to check revocation for the certificate" errors on Desktop. I tried the Windows suggestion $ git config --global http.schannelCheckRevoke false but no luck. Any ideas?

[niik]

the git config --global http.proxy http://proxyuser:proxypwd@proxy.server.com:8080 is set with the proper credentials and server url from the Network settings

You shouldn't have to set that variable at all, please unset it using git config --global --unset http.proxy. The goal of this PR is to remove the need to manually configure proxies. Sorry if I didn't make that clear in the PR description.

I am failing to get past "The revocation function was unable to check revocation for the certificate" errors on Desktop. I tried the Windows suggestion $ git config --global http.schannelCheckRevoke false but no luck. Any ideas?

Wait, are you saying you're seeing the "The revocation function was unable to check revocation for the certificate" error on macOS? That shouldn't be possible. Could you provide a screenshot of the error?

Could you also please provide the output of running git config -l?

[tierninho]

I removed the git config settings and here is the output of git config -l:

core.excludesfile=~/.gitignore
core.legacyheaders=false
core.quotepath=false
mergetool.keepbackup=true
push.default=simple
color.ui=auto
color.interactive=auto
repack.usedeltabaseoffset=true
alias.s=status
alias.a=!git add . && git status
alias.au=!git add -u . && git status
alias.aa=!git add . && git add -u . && git status
alias.c=commit
alias.cm=commit -m
alias.ca=commit --amend
alias.ac=!git add . && git commit
alias.acm=!git add . && git commit -m
alias.l=log --graph --all --pretty=format:'%C(yellow)%h%C(cyan)%d%Creset %s %C(white)- %an, %ar%Creset'
alias.ll=log --stat --abbrev-commit
alias.lg=log --color --graph --pretty=format:'%C(bold white)%h%Creset -%C(bold green)%d%Creset %s %C(bold green)(%cr)%Creset %C(bold blue)<%an>%Creset' --abbrev-commit --date=relative
alias.llg=log --color --graph --pretty=format:'%C(bold white)%H %d%Creset%n%s%n%+b%C(bold blue)%an <%ae>%Creset %C(bold green)%cr (%ci)' --abbrev-commit
alias.d=diff
alias.master=checkout master
alias.spull=svn rebase
alias.spush=svn dcommit
alias.alias=!git config --list | grep 'alias\.' | sed 's/alias\.\([^=]*\)=\(.*\)/\1\     => \2/' | sort
include.path=~/.gitcinclude
include.path=.githubconfig
include.path=.gitcredential
diff.exif.textconv=exif
credential.helper=osxkeychain
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
user.name=TL
user.email=tierninho@github.com
commit.gpgsign=false
commit.template=/Users/tierninho/.stCommitMsg
pull.rebase=true
core.excludesfile=/Users/tierninho/.gitignore_global
difftool.sourcetree.cmd=opendiff "$LOCAL" "$REMOTE"
difftool.sourcetree.path=
mergetool.sourcetree.cmd=/Users/tierninho/Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh "$LOCAL" "$REMOTE" -ancestor "$BASE" -merge "$MERGED"
mergetool.sourcetree.trustexitcode=true
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
core.ignorecase=true
core.precomposeunicode=true
remote.origin.url=https://github.com/tierninho/desktop-tutorial.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.master.remote=origin
branch.master.merge=refs/heads/master
branch.sdfsdfsdf.remote=origin
branch.sdfsdfsdf.merge=refs/heads/sdfsdfsdf

This is the error I am seeing:

Note: Fiddler renders my wifi useless as it changes my proxy settings. Not sure if this is part of the problem.

Steps I took to setup:

• Spin up this PR in OSX
• Start Fidler, enter master pw to change Network settings
• Open Desktop, attempt to fetch

[niik]

This is the error I am seeing:

So this error is not the same as what I was talking about above, i.e. "The revocation function was unable to check revocation for the certificate". The reason you're seeing this error is because you haven't trusted the fiddler root certificate yet, see https://docs.telerik.com/fiddler-everywhere/user-guide/settings/https/https-decryption and https://docs.telerik.com/fiddler-everywhere/knowledge-base/how-to-install-fiddler-root-certificate-on-mac-os.

Note: Fiddler renders my wifi useless as it changes my proxy settings. Not sure if this is part of the problem.

This will also be solved once you trust the certificate.

[tierninho]

Perfect, thanks! The requests are coming through now on OSX upon fetching:

GET https://github.com/tierninho/Blah/info/refs?service=git-upload-pack HTTP/1.1
Host: github.com
User-Agent: git/2.23.1
Accept: */*

• Verify that changing the URL in the Proxy setting in Network Preferences blocks traffic in Fiddler, and fails (times out) in Desktop.
  

• Verify Electron is picking up proxy URL
  

Will test Windows once the revocation function PR is implemented.

[outofambit]

one question for @niik but looks good!

[outofambit]

re-approved