From 79aefff9c140087626701b385fc8e1ea3e0fcbee Mon Sep 17 00:00:00 2001
From: Matt Todd
Date: Sun, 30 Nov 2014 16:49:11 -0800
Subject: [PATCH 1/3] Skip cert verification for test

cc @jch as I'm unsure if we want to go this route or make the cert verifiable instead
---
 test/integration/test_bind.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index c322f401..33169330 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
@@ -21,7 +21,8 @@ def test_bind_fail
 end
 def test_bind_tls
- @ldap.encryption(method: :start_tls, tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS)
+ tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:verify_mode => OpenSSL::SSL::VERIFY_NONE)
+ @ldap.encryption(method: :start_tls, tls_options: tls_options)
 assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
 end
 end

From f3d41b5e576c209844b1c339566e71b41e3ae179 Mon Sep 17 00:00:00 2001
From: Matt Todd
Date: Sun, 30 Nov 2014 17:06:17 -0800
Subject: [PATCH 2/3] Cache cacert.pem for local testing, wire up override, VM-aware path

---
 test/fixtures/cacert.pem | 20 ++++++++++++++++++++
 test/integration/test_bind.rb | 2 +-
 test/test_helper.rb | 12 ++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 test/fixtures/cacert.pem

diff --git a/test/fixtures/cacert.pem b/test/fixtures/cacert.pem
new file mode 100644
index 00000000..f8b134e1
--- /dev/null
+++ b/test/fixtures/cacert.pem
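Review bot: `test_bind_tls` now passes against any server certificate, because merging `:verify_mode => OpenSSL::SSL::VERIFY_NONE` over DEFAULT_PARAMS replaces its default VERIFY_PEER, so the assertion only shows that STARTTLS negotiates and the simple bind succeeds, not that the peer is trusted. The same applies to `test_bind_tls_with_verify_none` added in PATCH 3/3, which keeps this variant alongside the CA-file test. Until that later patch renames it, the name `test_bind_tls` overstates what is covered; a comment such as `# verification disabled: exercises STARTTLS negotiation only, not certificate trust` on the `tls_options` line would make that explicit. To actually differentiate the two modes, a third case that keeps DEFAULT_PARAMS without `:ca_file` and expects the bind to fail would demonstrate that verification is enforced; whether that failure surfaces as a false return or as a raised error is not visible here and would need confirming before writing the assertion. The enclosing test class starts outside the hunk.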
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRzCCAf+gAwIBAgIEVHpbmjANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhy
+dWJ5bGRhcDAeFw0xNDExMjkyMzQ5NDZaFw0xNTExMjkyMzQ5NDZaMBMxETAPBgNV
+BAMTCHJ1YnlsZGFwMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEA4pKe
+cDCNuL53fkpO/WSAS+gmMTsOs+oOK71kZlk2QT/MBz8TxC6m358qCADjnXcMVVxa
+ySQbQlVKZMkIvLNciZbiLDgC5II0NbHACNa8rqenoKRjS4J9W3OhA8EmnXn/Me+8
+uMCI9tfnKNRZYdkQZlra4I+Idn+xYfl/5q5b/7ZjPS2zY/585hFEYE+5vfOZVBSU
+3HMNSeuJvTehLv7dD7aQfXNM4cRgHXequkJQ/HLLFAO4AgJ+LJrFWpj7GWz3crgr
+9G5px4T78wJH3NQiOsG6UBXPw8c4T+Z6GAWX2l1zs1gZsaiCVbAraqK3404lL7yp
+ThbsW3ifzgNPhmjScXBLdbEDrrAKosW7kkTOGzxiMCBmNlj2SKhcztoduAtfF1f
+Fs2Jk8MRTHwO8ThD7wIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB
+/wQFAwMHBAAwHQYDVR0OBBYEFJDm67ekyFu4/Z7VcO6Vk/5pinGcMA0GCSqGSIb3
+DQEBCwUAA4IBMQDHeEPzfYRtjynpUKyrtxx/6ZVOfCLuz4eHkBZggz/pJacDCv/a
+I//W03XCk8RWq/fWVVUzvxXgPwnYcw992PLM7XW81zp6ruRUDWooYnjHZZz3bRhe
+kC4QvM2mZhcsMVmhmWWKZn81qXgVdUY1XNRhk87cuXjF/UTpEieFvWAsCUkFZkqB
+AmySCuI/FuPaauT1YAltkIlYAEIGNJGZDMf2BTVUQpXhTXeS9/AZWLNDBwiq+fwo
+YYnsr9MnBXCEmg1gVSR/Ay2AZmbYfiYtb5kU8uq2lSWAUb4LX6HZl82wo3OilrJ2
+WXl6Qf+Fcy4qqkRt4AKHjtzizpEDCOVYuuG0Zoy+QnxNXRsEzpb8ymnJFrcgYfk/
+6Lv2gWAFl5FqCZp7gBWg55eL2coT4C+mbNTF
+-----END CERTIFICATE-----
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index 33169330..dd4683fc 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
@@ -21,7 +21,7 @@ def test_bind_fail
 end
 def test_bind_tls
- tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:verify_mode => OpenSSL::SSL::VERIFY_NONE)
+ tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:ca_file => CA_FILE)
 @ldap.encryption(method: :start_tls, tls_options: tls_options)
 assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
 end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index f208977d..640b0e23 100644
--- a/test/test_helper.rb
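Review bot: The merged option in `test_bind_tls` is written as `:ca_file => CA_FILE` while the calls on the next lines of the same method use the `method: :start_tls` shorthand; `DEFAULT_PARAMS.merge(ca_file: CA_FILE)` keeps one hash style within the hunk. Because DEFAULT_PARAMS (which sets verify_mode to VERIFY_PEER) is kept and only the CA file is added, this is the variant that actually checks that the server certificate chains to CA_FILE, which is worth stating on the `tls_options` line, e.g. `# VERIFY_PEER from DEFAULT_PARAMS stays in effect; trust is anchored at CA_FILE`. CA_FILE itself is defined in test/test_helper.rb, outside this hunk.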
+++ b/test/test_helper.rb
@@ -6,6 +6,18 @@
 # Whether integration tests should be run.
 INTEGRATION = ENV.fetch("INTEGRATION", "skip") != "skip"
+# The CA file to verify certs against for tests.
+# Override with CA_FILE env variable; otherwise checks for the VM-specific path
+# and falls back to the test/fixtures/cacert.pem for local testing.
+CA_FILE =
+ ENV.fetch("CA_FILE") do
+ if File.exist?("/etc/ssl/certs/cacert.pem")
+ "/etc/ssl/certs/cacert.pem"
+ else
+ File.expand_path("fixtures/cacert.pem", File.dirname(__FILE__))
+ end
+ end
+
 if RUBY_VERSION < "2.0"
 class String
 def b

From 23ee34f668304bc31967536352d691af6c03a591 Mon Sep 17 00:00:00 2001
From: Matt Todd
Date: Tue, 9 Dec 2014 16:38:18 -0800
Subject: [PATCH 3/3] Add verify none test, differentiate

---
 test/integration/test_bind.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index dd4683fc..bea6b034 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
@@ -20,9 +20,15 @@ def test_bind_fail
 refute @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "not my password"), @ldap.get_operation_result.inspect
 end
- def test_bind_tls
+ def test_bind_tls_with_cafile
 tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:ca_file => CA_FILE)
 @ldap.encryption(method: :start_tls, tls_options: tls_options)
 assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
 end
+
+ def test_bind_tls_with_verify_none
+ tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(:verify_mode => OpenSSL::SSL::VERIFY_NONE)
+ @ldap.encryption(method: :start_tls, tls_options: tls_options)
+ assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+ end
 end
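Review bot: The CA_FILE fallback in test/test_helper.rb selects `/etc/ssl/certs/cacert.pem` purely because the file exists, so on a developer host where that path holds a general bundle rather than the test CA, the CA-file bind test fails with a verification error that reads like a server problem instead of a path mix-up. The comment block above `CA_FILE =` should say what that path is expected to contain, e.g. `# /etc/ssl/certs/cacert.pem is the test CA installed on the integration VM, not a system bundle`, and a `File.exist?` check with a clear message after CA_FILE is resolved would turn a wrong CA_FILE override into an immediate, readable failure. The fixture added in the same patch appears to have a one-year validity window — the UTCTime fields in its second base64 line decode to notBefore 2014-11-29 and notAfter 2015-11-29, which is worth confirming with `openssl x509 -noout -dates` — so the fallback path stops working after that date; recording the expiry and the regeneration step next to CA_FILE would save the next person the diagnosis.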
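Review bot: In test/integration/test_bind.rb the `@ldap.encryption(...)` call and the long `assert @ldap.bind(...)` line are now repeated verbatim across `test_bind_tls_with_cafile` and `test_bind_tls_with_verify_none`, differing only in the option merged into DEFAULT_PARAMS. A small helper that takes the extra TLS options, performs the merge and the encryption call, and returns the bind result would reduce each test to a one-line statement of which mode it exercises; a positional hash rather than keyword splat keeps it compatible with the pre-2.0 Ruby the helper file still guards for. The `_with_verify_none` test also carries no comment saying why a non-verifying mode deserves a passing test; one line stating that it only checks the option is honoured and that STARTTLS still negotiates would stop a later reader from treating it as coverage of certificate trust. The enclosing test class begins outside the hunk.
```ruby
  def bind_with_tls(extra)
    tls_options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(extra)
    @ldap.encryption(method: :start_tls, tls_options: tls_options)
    @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1")
  end

  def test_bind_tls_with_cafile
    assert bind_with_tls(ca_file: CA_FILE), @ldap.get_operation_result.inspect
  end

  def test_bind_tls_with_verify_none
    # Verification is off here: this only checks the option is honoured and STARTTLS negotiates,
    # not that the server certificate is trusted.
    assert bind_with_tls(verify_mode: OpenSSL::SSL::VERIFY_NONE), @ldap.get_operation_result.inspect
  end
```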