Fixes #5106 - SSL verification with SAML fails with valid Let's Encry…

…pt certificates
zammad · May 17, 2024 · e8508ec · e8508ec
1 parent 4b860eb
commit e8508ec
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 6 deletions.
diff --git a/app/models/setting/validation/saml/tls.rb b/app/models/setting/validation/saml/tls.rb
@@ -29,9 +29,14 @@ def check_tls_verification
     )
 
     return nil if resp.error.nil?
+    return nil if resp.error.starts_with?('#<Net::HTTP')
 
     Rails.logger.error("SAML: TLS verification failed for '#{url}': #{resp.error}")
 
-    __('The verification of the TLS connection failed. Please check the IDP certificate.')
+    if resp.error.starts_with?('#<OpenSSL::SSL::SSLError')
+      __('The verification of the TLS connection failed. Please check the SAML IDP certificate.')
+    else
+      __('The verification of the TLS connection is not possible. Please check the SAML IDP connection.')
+    end
   end
 end
diff --git a/i18n/zammad.pot b/i18n/zammad.pot
@@ -12921,7 +12921,11 @@ msgid "The verification email could not be resent."
 msgstr ""
 
 #: app/models/setting/validation/saml/tls.rb
-msgid "The verification of the TLS connection failed. Please check the IDP certificate."
+msgid "The verification of the TLS connection failed. Please check the SAML IDP certificate."
+msgstr ""
+
+#: app/models/setting/validation/saml/tls.rb
+msgid "The verification of the TLS connection is not possible. Please check the SAML IDP connection."
 msgstr ""
 
 #: app/assets/javascripts/app/controllers/customer_ticket_create/sidebar_customer_default.coffee

diff --git a/spec/models/setting/validation/saml/tls_spec.rb b/spec/models/setting/validation/saml/tls_spec.rb
@@ -40,13 +40,33 @@
     context 'when ssl verify is enabled' do
       let(:ssl_verify) { true }
 
-      it 'raises an error' do
-        if ENV['CI'].present?
-          result = UserAgent::Result.new(success: false, error: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=')
+      context 'with a SSL error' do
+        it 'raises an error' do
+          if ENV['CI'].present?
+            result = UserAgent::Result.new(success: false, error: '#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=')
+            allow(UserAgent).to receive(:get).and_return(result)
+          end
+
+          expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The verification of the TLS connection failed. Please check the SAML IDP certificate.')
+        end
+      end
+
+      context 'with a HTTP error' do
+        it 'raises no error' do
+          result = UserAgent::Result.new(success: false, error: '#<Net::HTTPNotFound')
           allow(UserAgent).to receive(:get).and_return(result)
+
+          expect { Setting.set(setting_name, setting_value) }.not_to raise_error
         end
+      end
+
+      context 'with a connection error' do
+        it 'raises an error' do
+          result = UserAgent::Result.new(success: false, error: '#<Errno::EHOSTUNREACH')
+          allow(UserAgent).to receive(:get).and_return(result)
 
-        expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The verification of the TLS connection failed. Please check the IDP certificate.')
+          expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The verification of the TLS connection is not possible. Please check the SAML IDP connection.')
+        end
       end
     end
   end