more TLS tests around merging vs not merging the default options

Tom Maher · Tom Maher · commit c5f212605f0c · 2016-08-22T23:45:51.000-07:00
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
@@ -42,7 +42,18 @@ def test_bind_tls_with_cafile
            @ldap.get_operation_result.inspect
   end
 
-  def test_bind_tls_with_verify_none
+  def test_bind_tls_with_bad_hostname_verify_none_no_ca_passes
+    @ldap.host = '127.0.0.1'
+    @ldap.port = 9389 unless ENV['TRAVIS'] == 'true'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_verify_none_no_ca_opt_merge_passes
     @ldap.host = '127.0.0.1'
     @ldap.port = 9389 unless ENV['TRAVIS'] == 'true'
     @ldap.encryption(
@@ -53,13 +64,13 @@ def test_bind_tls_with_verify_none
            @ldap.get_operation_result.inspect
   end
 
-  def test_bind_tls_with_bad_hostname
+  def test_bind_tls_with_bad_hostname_verify_peer_ca_fails
     @ldap.host = '127.0.0.1'
     @ldap.port = 9389 unless ENV['TRAVIS'] == 'true'
     @ldap.encryption(
       method:      :start_tls,
-      tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
-                                  ca_file:     CA_FILE),
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                     ca_file:     CA_FILE },
     )
     error = assert_raise Net::LDAP::Error,
                          Net::LDAP::ConnectionRefusedError do
@@ -71,7 +82,24 @@ def test_bind_tls_with_bad_hostname
     )
   end
 
-  def test_bind_tls_with_valid_hostname
+  def test_bind_tls_with_bad_hostname_ca_default_opt_merge_fails
+    @ldap.host = '127.0.0.1'
+    @ldap.port = 9389 unless ENV['TRAVIS'] == 'true'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(ca_file: CA_FILE),
+    )
+    error = assert_raise Net::LDAP::Error,
+                         Net::LDAP::ConnectionRefusedError do
+      @ldap.bind BIND_CREDS
+    end
+    assert_equal(
+      "hostname \"#{@ldap.host}\" does not match the server certificate",
+      error.message,
+    )
+  end
+
+  def test_bind_tls_with_valid_hostname_default_opts_passes
     @ldap.host = 'localhost'
     @ldap.port = 9389 unless ENV['TRAVIS'] == 'true'
     @ldap.encryption(
@@ -83,6 +111,18 @@ def test_bind_tls_with_valid_hostname
            @ldap.get_operation_result.inspect
   end
 
+  def test_bind_tls_with_valid_hostname_just_verify_peer_ca_passes
+    @ldap.host = 'localhost'
+    @ldap.port = 9389 unless ENV['TRAVIS'] == 'true'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+                     ca_file:     CA_FILE },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
   # The following depend on /etc/hosts hacking.
   # We can do that on CI, but it's less than cool on people's dev boxes
   def test_bind_tls_with_multiple_hosts
@@ -137,7 +177,7 @@ def test_bind_tls_with_multiple_bogus_hosts_ca_check_only
     @ldap.hosts = [['127.0.0.1', 389], ['bogus.example.com', 389]]
     @ldap.encryption(
       method: :start_tls,
-      tls_options: TLS_OPTS.merge(ca_file: CA_FILE),
+      tls_options: { ca_file: CA_FILE },
     )
     assert @ldap.bind(BIND_CREDS),
            @ldap.get_operation_result.inspect
