  # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

  require 'rails_helper'

  # Pins how storing the `auth_saml_credentials` setting reacts to the outcome of
  # the request that UserAgent.get reports for the IdP SSO target URL:
  #   * certificate/TLS failure -> setting rejected
  #   * host unreachable        -> setting rejected (different message)
  #   * plain HTTP error        -> setting accepted
  #   * ssl_verify switched off -> setting accepted
  RSpec.describe Setting::Validation::Saml::TLS do
    let(:credentials_key) { 'auth_saml_credentials' }

    # Stores `value` under the SAML credentials setting; every example goes
    # through Setting.set so that validation runs on save.
    def store_credentials(value)
      Setting.set(credentials_key, value)
    end

    # Replaces UserAgent.get with a stub that reports an unsuccessful result
    # carrying `error`, so the example does not depend on a live request.
    def stub_failed_request(error)
      failure = UserAgent::Result.new(success: false, error: error)
      allow(UserAgent).to receive(:get).and_return(failure)
    end

    # Neither of the next two values contains an IdP URL; saving them must not
    # be blocked.
    context 'with blank settings' do
      it 'does not raise an error' do
        expect { store_credentials({}) }.not_to raise_error
      end
    end

    context 'when changing only display_name' do
      it 'does not raise an error' do
        expect { store_credentials({ display_name: 'Keycloak' }) }.not_to raise_error
      end
    end

    context 'with self-signed certificate' do
      # The SSO target URL points at a public test host which, per this context's
      # name, presents a self-signed certificate. `idp_cert` is a placeholder,
      # not a real certificate.
      let(:saml_credentials) do
        {
          idp_sso_target_url:     'https://self-signed.badssl.com/',
          idp_slo_service_url:    'https://example.com',
          name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
          idp_cert:               '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----',
          ssl_verify:             verify_tls,
        }
      end

      context 'when ssl verify is disabled' do
        let(:verify_tls) { false }

        # With verification off, the setting is accepted even though the target
        # presents a certificate that would not verify: this validation gives no
        # warning about the IdP endpoint in that configuration.
        # NOTE(review): no UserAgent stub is installed here; presumably the
        # validator skips the request when ssl_verify is false - confirm,
        # otherwise this example reaches the network.
        it 'does not raise an error' do
          expect { store_credentials(saml_credentials) }.not_to raise_error
        end
      end

      context 'when ssl verify is enabled' do
        let(:verify_tls) { true }

        context 'with a SSL error' do
          it 'raises an error' do
            # Only stubbed when ENV['CI'] is set. Elsewhere nothing is stubbed,
            # so the example presumably performs a live request to the
            # self-signed host and needs outbound network access to pass.
            stub_failed_request('#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=') if ENV['CI'].present?

            expect { store_credentials(saml_credentials) }
              .to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The verification of the TLS connection to the IDP SSO target URL failed. Please check the SAML IDP certificate.')
          end
        end

        context 'with a HTTP error' do
          # An HTTP-level error (here a 404) is not treated as a TLS problem,
          # so the setting is still accepted.
          it 'raises no error' do
            stub_failed_request('Client Error: #<Net::HTTPNotFound')

            expect { store_credentials(saml_credentials) }.not_to raise_error
          end
        end

        context 'with a connection error' do
          # An unreachable host rejects the setting instead of letting an
          # unverified endpoint through; the message differs from the
          # certificate failure so the two causes can be told apart.
          it 'raises an error' do
            stub_failed_request('#<Errno::EHOSTUNREACH')

            expect { store_credentials(saml_credentials) }
              .to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The verification of the TLS connection to the IDP SSO target URL is not possible. Please check the connection.')
          end
        end
      end
    end
  end