Enable TLS validation

jonabc · jonabc · commit c80076631320 · 2017-06-01T17:53:09.000-07:00
enable by setting `validate_encryption: true` on initialization options
diff --git a/lib/github/ldap.rb b/lib/github/ldap.rb
@@ -65,6 +65,7 @@ class Ldap
     #   which to attempt opening connections (default [[host, port]]). Overrides
     #   host and port if set.
     # encryption: optional string. `ssl` or `tls`. nil by default
+    # validate_encryption: optional boolean. nil by default
     # admin_user: optional string ldap administrator user dn for authentication
     # admin_password: optional string ldap administrator user password
     #
@@ -99,7 +100,7 @@ def initialize(options = {})
         @connection.authenticate(options[:admin_user], options[:admin_password])
       end
 
-      if encryption = check_encryption(options[:encryption])
+      if encryption = check_encryption(options[:encryption], options[:validate_encryption])
         @connection.encryption(encryption)
       end
 
@@ -236,16 +237,18 @@ def capabilities
     # Internal - Determine whether to use encryption or not.
     #
     # encryption: is the encryption method, either 'ssl', 'tls', 'simple_tls' or 'start_tls'.
+    # validate: is true to enable certificate validation
     #
     # Returns the real encryption type.
-    def check_encryption(encryption)
+    def check_encryption(encryption, validate = false)
       return unless encryption
 
+      tls_options = validate == true ? OpenSSL::SSL::VERIFY_PEER : {}
       case encryption.downcase.to_sym
       when :ssl, :simple_tls
-        :simple_tls
+        { method: :simple_tls, tls_options: tls_options }
       when :tls, :start_tls
-        :start_tls
+        { method: :start_tls, tls_options: tls_options }
       end
     end
 
diff --git a/test/ldap_test.rb b/test/ldap_test.rb
@@ -25,15 +25,30 @@ def test_connection_with_list_of_hosts_with_first_invalid
   end
 
   def test_simple_tls
-    assert_equal :simple_tls, @ldap.check_encryption(:ssl)
-    assert_equal :simple_tls, @ldap.check_encryption('SSL')
-    assert_equal :simple_tls, @ldap.check_encryption(:simple_tls)
+    expected = { method: :simple_tls, tls_options: {} }
+    assert_equal expected, @ldap.check_encryption(:ssl)
+    assert_equal expected, @ldap.check_encryption('SSL')
+    assert_equal expected, @ldap.check_encryption(:simple_tls)
   end
 
   def test_start_tls
-    assert_equal :start_tls, @ldap.check_encryption(:tls)
-    assert_equal :start_tls, @ldap.check_encryption('TLS')
-    assert_equal :start_tls, @ldap.check_encryption(:start_tls)
+    expected = { method: :start_tls, tls_options: {} }
+    assert_equal expected, @ldap.check_encryption(:tls)
+    assert_equal expected, @ldap.check_encryption('TLS')
+    assert_equal expected, @ldap.check_encryption(:start_tls)
+  end
+
+  def test_tls_validation
+    assert_equal({ method: :start_tls, tls_options: OpenSSL::SSL::VERIFY_PEER },
+                 @ldap.check_encryption(:tls, true))
+    assert_equal({ method: :start_tls, tls_options: {} },
+                 @ldap.check_encryption(:tls, false))
+    assert_equal({ method: :start_tls, tls_options: {} },
+                 @ldap.check_encryption(:tls, nil))
+    assert_equal({ method: :start_tls, tls_options: {} },
+                 @ldap.check_encryption(:tls, 'true'))
+    assert_equal({ method: :start_tls, tls_options: {} },
+                 @ldap.check_encryption(:tls))
   end
 
   def test_search_delegator
