chore(cli-integ): new test case for proxied requests (#32254)

This important scenario was missing from the integ test suite.

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

Author: otaviomacedo

packages/@aws-cdk-testing/cli-integ/package.json

@@ -59,6 +59,7 @@
     "jest": "^29.7.0",
     "jest-junit": "^14.0.1",
     "make-runnable": "^1.4.1",
+    "mockttp": "^3.15.4",
     "npm": "^8.19.4",
     "p-queue": "^6.6.2",
     "semver": "^7.6.3",

packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts

@@ -1,4 +1,4 @@
-import { promises as fs, existsSync } from 'fs';
+import { existsSync, promises as fs } from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import {
@@ -22,21 +22,22 @@ import { InvokeCommand } from '@aws-sdk/client-lambda';
 import { PutObjectLockConfigurationCommand } from '@aws-sdk/client-s3';
 import { CreateTopicCommand, DeleteTopicCommand } from '@aws-sdk/client-sns';
 import { AssumeRoleCommand, GetCallerIdentityCommand } from '@aws-sdk/client-sts';
+import * as mockttp from 'mockttp';
 import {
-  integTest,
   cloneDirectory,
-  shell,
-  withDefaultFixture,
-  retry,
-  sleep,
+  integTest,
   randomInteger,
-  withSamIntegrationFixture,
+  randomString,
   RESOURCES_DIR,
+  retry,
+  shell,
+  sleep,
   withCDKMigrateFixture,
+  withDefaultFixture,
   withExtendedTimeoutFixture,
-  randomString,
-  withSpecificFixture,
   withoutBootstrap,
+  withSamIntegrationFixture,
+  withSpecificFixture,
 } from '../../lib';
 
 jest.setTimeout(2 * 60 * 60_000); // Includes the time to acquire locks, worst-case single-threaded runtime
@@ -2809,3 +2810,46 @@ integTest('cdk notices are displayed correctly', withDefaultFixture(async (fixtu
   expect(output).toContain(`AffectedEnvironments:<aws://${await fixture.aws.account()}/${fixture.aws.region}>`);
 
 }));
+
+integTest('requests go through a proxy when configured',
+  withDefaultFixture(async (fixture) => {
+    // Set up key and certificate
+    const { key, cert } = await mockttp.generateCACertificate();
+    const certDir = await fs.mkdtemp(path.join(os.tmpdir(), 'cdk-'));
+    const certPath = path.join(certDir, 'cert.pem');
+    const keyPath = path.join(certDir, 'key.pem');
+    await fs.writeFile(keyPath, key);
+    await fs.writeFile(certPath, cert);
+
+    const proxyServer = mockttp.getLocal({
+      https: { keyPath, certPath },
+    });
+
+    // We don't need to modify any request, so the proxy
+    // passes through all requests to the host.
+    const endpoint = await proxyServer
+      .forAnyRequest()
+      .thenPassThrough();
+
+    proxyServer.enableDebug();
+    await proxyServer.start();
+
+    // The proxy is now ready to intercept requests
+
+    try {
+      await fixture.cdkDeploy('test-2', {
+        captureStderr: true,
+        options: [
+          '--proxy', proxyServer.url,
+          '--ca-bundle-path', certPath,
+        ],
+      });
+    } finally {
+      await fs.rm(certDir, { recursive: true, force: true });
+    }
+
+    // Checking that there was some interaction with the proxy
+    const requests = await endpoint.getSeenRequests();
+    expect(requests.length).toBeGreaterThan(0);
+  }),
+);

packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

@@ -179,7 +179,7 @@ function getRegionFromIniFile(profile: string, data?: any) {
 function tryGetCACert(bundlePath?: string) {
   const path = bundlePath || caBundlePathFromEnvironment();
   if (path) {
-    debug('Using CA bundle path: %s', bundlePath);
+    debug('Using CA bundle path: %s', path);
     return readIfPossible(path);
   }
   return undefined;