* Add test for use_ssl + use_starttls combo

Author: lukebakken

deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl

@@ -80,6 +80,11 @@ accept_content(ReqData0, Context) ->
                                     Reason = unicode_format(E),
                                     rabbit_mgmt_util:unprocessable_entity(Reason, ReqData1, Context)
                             end;
+                        {error, tls_already_started} ->
+                            rabbit_mgmt_util:unprocessable_entity("TLS configuration error: "
+                                                                  "cannot use StartTLS on an SSL connection "
+                                                                  "(use_ssl and use_starttls cannot both be true)",
+                                                                  ReqData1, Context);
                         Error ->
                             Reason = unicode_format(Error),
                             rabbit_mgmt_util:unprocessable_entity(Reason, ReqData1, Context)

deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl

@@ -502,6 +502,27 @@ validate_ldap_configuration_via_api(Config) ->
     ?assertEqual(<<"unprocessable_entity">>, maps:get(<<"error">>, LongPasswordJson)),
     ?assertEqual(<<"invalid LDAP credentials: authentication failure">>,
                  maps:get(<<"reason">>, LongPasswordJson)),
+
+    %% SSL/TLS Edge Cases
+    %% Both use_ssl and use_starttls set to true - TLS configuration error
+    {ok, {{_, 422, _}, _Headers5, BothTlsBody}} =
+        rabbit_mgmt_test_util:req(Config, 0, put, "/ldap/validate/simple-bind",
+                                  [rabbit_mgmt_test_util:auth_header("guest", "guest")],
+                                  rabbit_mgmt_test_util:format_for_upload(#{
+                                      'user_dn' => AliceUserDN,
+                                      'password' => Password,
+                                      'servers' => ["localhost"],
+                                      'port' => LdapTlsPort,
+                                      'use_ssl' => true,
+                                      'use_starttls' => true,
+                                      'ssl_options' => #{
+                                          'cacertfile' => CaCertfile
+                                      }
+                                  })),
+    BothTlsJson = rabbit_json:decode(BothTlsBody),
+    ?assertEqual(<<"unprocessable_entity">>, maps:get(<<"error">>, BothTlsJson)),
+    ?assertEqual(<<"TLS configuration error: cannot use StartTLS on an SSL connection (use_ssl and use_starttls cannot both be true)">>,
+                 maps:get(<<"reason">>, BothTlsJson)),
     http_put(Config, "/ldap/validate/simple-bind",
         #{
             'user_dn' => AliceUserDN,