mirror of https://github.com/jnunemaker/httparty synced 2023-03-27 23:23:07 -04:00

Merge pull request #441 from IcaliaLabs/master

Solves #266 - Honors the verify option to avoid overrides
John Nunemaker 2015-11-20 08:11:06 -05:00
commit 32bfb59f6b
2 changed files with 27 additions and 4 deletions


@ -53,6 +53,11 @@ module HTTParty
# Private: Regex used to strip brackets from IPv6 URIs.
StripIpv6BracketsRegex = /\A\[(.*)\]\z/
OPTION_DEFAULTS = {
verify: true,
verify_peer: true
}
# Public
def self.call(uri, options)
new(uri, options).connection
@ -65,7 +70,7 @@ module HTTParty
raise ArgumentError, "uri must be a #{uri_adapter}, not a #{uri.class}" unless uri.is_a? uri_adapter
@uri = uri
@options = options
@options = OPTION_DEFAULTS.merge(options)
end
def connection
@ -138,6 +143,10 @@ module HTTParty
uri.port == 443 || uri.scheme == 'https'
end
def verify_ssl_certificate?
!(options[:verify] == false || options[:verify_peer] == false)
end
def attach_ssl_certificates(http, options)
if http.use_ssl?
if options.fetch(:verify, true)
@ -158,7 +167,7 @@ module HTTParty
if options[:pem]
http.cert = OpenSSL::X509::Certificate.new(options[:pem])
http.key = OpenSSL::PKey::RSA.new(options[:pem], options[:pem_password])
http.verify_mode = options[:verify_peer] == false ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
http.verify_mode = verify_ssl_certificate? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
end
# PKCS12 client certificate authentication
@ -166,7 +175,7 @@ module HTTParty
p12 = OpenSSL::PKCS12.new(options[:p12], options[:p12_password])
http.cert = p12.certificate
http.key = p12.key
http.verify_mode = options[:verify_peer] == false ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
http.verify_mode = verify_ssl_certificate? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
end
# SSL certificate authority file and/or directory
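Review bot: The check `if options.fetch(:verify, true)` in the third hunk still decides on its own instead of calling the new `verify_ssl_certificate?`, so the adapter now has two different rules for when peer verification is on. The helper turns verification off only for an explicit `false` in `:verify` or `:verify_peer`, while the `fetch` line is a truthiness test on `:verify` alone: a caller-supplied `verify: nil` is falsy there, and in the visible lines `verify_peer: false` takes effect only when a `:pem` or `:p12` block later overwrites `verify_mode`. I would change that line to `if verify_ssl_certificate?` so every path applies the same rule and verification is dropped only on an explicit opt-out. The helper reads the instance's `options` while `attach_ssl_certificates` receives `options` as a parameter; they are presumably the same hash, but that should be confirmed. The body of `attach_ssl_certificates` continues outside the visible hunks.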


@ -27,7 +27,7 @@ RSpec.describe HTTParty::ConnectionAdapter do
it "sets the options" do
options = {foo: :bar}
adapter = HTTParty::ConnectionAdapter.new(uri, options)
expect(adapter.options).to be options
expect(adapter.options.keys).to include(:verify, :verify_peer, :foo)
end
end
@ -372,6 +372,13 @@ RSpec.describe HTTParty::ConnectionAdapter do
expect(subject.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
end
context "when options include verify=false" do
let(:options) { {pem: pem, pem_password: "password", verify: false} }
it "should not verify the certificate" do
expect(subject.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
end
end
context "when options include verify_peer=false" do
let(:options) { {pem: pem, pem_password: "password", verify_peer: false} }
@ -423,6 +430,13 @@ RSpec.describe HTTParty::ConnectionAdapter do
expect(subject.verify_mode).to eq(OpenSSL::SSL::VERIFY_PEER)
end
context "when options include verify=false" do
let(:options) { {p12: p12, p12_password: "password", verify: false} }
it "should not verify the certificate" do
expect(subject.verify_mode).to eq(OpenSSL::SSL::VERIFY_NONE)
end
end
context "when options include verify_peer=false" do
let(:options) { {p12: p12, p12_password: "password", verify_peer: false} }
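Review bot: The rewritten assertion in the first hunk, `expect(adapter.options.keys).to include(:verify, :verify_peer, :foo)`, checks only that the keys exist, so this example alone would still pass if the defaults carried the wrong values or overwrote what the caller passed. I would pin the values as well, for example `expect(adapter.options).to include(verify: true, verify_peer: true, foo: :bar)`, and add an example asserting that `HTTParty::ConnectionAdapter.new(uri, verify: false).options[:verify]` is `false`. The two new `verify: false` contexts exercise only the `:pem` and `:p12` paths; whether the path without a client certificate has an equivalent example cannot be seen from these hunks.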