Handle verify hostname ssl option (#1428)

lostisland · Jun 30, 2022 · d420a12 · d420a12
1 parent fcb2003
commit d420a12
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 3 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -119,7 +119,7 @@ Performance/StringInclude: # (new in 1.7)
 Performance/Sum: # (new in 1.8)
   Enabled: true
 
-Gemspec/DateAssignment: # (new in 1.10)
+Gemspec/DeprecatedAttributeAssignment:
   Enabled: true
 Layout/LineEndStringConcatenationIndentation: # (new in 1.18)
   Enabled: true

diff --git a/lib/faraday/options/ssl_options.rb b/lib/faraday/options/ssl_options.rb
@@ -6,6 +6,10 @@ module Faraday
   # @!attribute verify
   #   @return [Boolean] whether to verify SSL certificates or not
   #
+  # @!attribute verify_hostname
+  #   @return [Boolean] whether to enable hostname verification on server certificates
+  #           during the handshake or not (see https://github.com/ruby/openssl/pull/60)
+  #
   # @!attribute ca_file
   #   @return [String] CA file
   #
@@ -41,7 +45,8 @@ module Faraday
   #
   # @!attribute max_version
   #   @return [String, Symbol] maximum SSL version (see https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-max_version-3D)
-  class SSLOptions < Options.new(:verify, :ca_file, :ca_path, :verify_mode,
+  class SSLOptions < Options.new(:verify, :verify_hostname,
+                                 :ca_file, :ca_path, :verify_mode,
                                  :cert_store, :client_cert, :client_key,
                                  :certificate, :private_key, :verify_depth,
                                  :version, :min_version, :max_version)
@@ -55,5 +60,10 @@ def verify?
     def disable?
       !verify?
     end
+
+    # @return [Boolean] true if should verify_hostname
+    def verify_hostname?
+      verify_hostname != false
+    end
   end
 end
diff --git a/spec/faraday/connection_spec.rb b/spec/faraday/connection_spec.rb
@@ -131,6 +131,12 @@ def decode(params)
       it { expect(subject.ssl.verify?).to be_falsey }
     end
 
+    context 'with verify_hostname false' do
+      let(:options) { { ssl: { verify_hostname: false } } }
+
+      it { expect(subject.ssl.verify_hostname?).to be_falsey }
+    end
+
     context 'with empty block' do
       let(:conn) { Faraday::Connection.new {} }
 

diff --git a/spec/faraday/options/env_spec.rb b/spec/faraday/options/env_spec.rb
@@ -27,6 +27,12 @@
     expect(ssl.fetch(:verify, true)).to be_falsey
   end
 
+  it 'handle verify_hostname when fetching' do
+    ssl = Faraday::SSLOptions.new
+    ssl.verify_hostname = true
+    expect(ssl.fetch(:verify_hostname, false)).to be_truthy
+  end
+
   it 'retains custom members' do
     env[:foo] = 'custom 1'
     env[:bar] = :custom2

diff --git a/spec/faraday/request_spec.rb b/spec/faraday/request_spec.rb
@@ -14,6 +14,7 @@
   context 'when nothing particular is configured' do
     it { expect(subject.http_method).to eq(:get) }
     it { expect(subject.to_env(conn).ssl.verify).to be_falsey }
+    it { expect(subject.to_env(conn).ssl.verify_hostname).to be_falsey }
   end
 
   context 'when HTTP method is post' do

diff --git a/spec/faraday/utils_spec.rb b/spec/faraday/utils_spec.rb
@@ -102,7 +102,8 @@
           verify_depth: nil,
           version: '2',
           min_version: nil,
-          max_version: nil
+          max_version: nil,
+          verify_hostname: nil
         }
       end
 

diff --git a/spec/support/shared_examples/adapter.rb b/spec/support/shared_examples/adapter.rb
@@ -38,6 +38,7 @@
   let(:conn) do
     conn_options[:ssl] ||= {}
     conn_options[:ssl][:ca_file] ||= ENV['SSL_FILE']
+    conn_options[:ssl][:verify_hostname] ||= ENV['SSL_VERIFY_HOSTNAME'] == 'yes'
 
     Faraday.new(remote, conn_options) do |conn|
       conn.request :url_encoded