* Continue adding /api/ldap/validate/simple-bind tests

lukebakken · lukebakken · commit addd62e6e01b · 2025-09-22T14:28:11.000-07:00
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl
@@ -126,6 +126,12 @@ maybe_add_ssl_options(Options0, true, BodyMap) ->
 
 tls_options(BodyMap) when is_map_key(ssl_options, BodyMap) ->
     SslOptionsMap = maps:get(ssl_options, BodyMap),
+    case is_map(SslOptionsMap) of
+        false ->
+            throw({bad_request, "ssl_options must be a map/object"});
+        true ->
+            ok
+    end,
     CaCertfile = maps:get(<<"cacertfile">>, SslOptionsMap, undefined),
     CaCertPemData = maps:get(<<"cacert_pem_data">>, SslOptionsMap, undefined),
     TlsOpts0 = case {CaCertfile, CaCertPemData} of
@@ -146,12 +152,20 @@ tls_options(BodyMap) when is_map_key(ssl_options, BodyMap) ->
             TlsOpts1;
         CaCertPems when is_list(CaCertPems) ->
             F0 = fun (P) ->
-                case public_key:pem_decode(P) of
-                    [{'Certificate', CaCertDerEncoded, not_encrypted}] ->
-                        {true, CaCertDerEncoded};
-                    _Unexpected ->
-                        throw({bad_request, "unexpected cacert_pem_data passed to "
-                                            "/ldap/validate/simple-bind ssl_options.cacerts"})
+                try
+                    case public_key:pem_decode(P) of
+                        [{'Certificate', CaCertDerEncoded, not_encrypted}] ->
+                            {true, CaCertDerEncoded};
+                        [] ->
+                            throw({bad_request, "invalid PEM data in cacert_pem_data: "
+                                                "no valid certificates found"});
+                        _Unexpected ->
+                            throw({bad_request, "unexpected cacert_pem_data passed to "
+                                                "/ldap/validate/simple-bind ssl_options.cacerts"})
+                    end
+                catch
+                    error:Reason ->
+                        throw({bad_request, unicode_format("invalid PEM data in cacert_pem_data: ~tp", [Reason])})
                 end
             end,
             CaCertsDerEncoded = lists:filtermap(F0, CaCertPems),
@@ -163,8 +177,14 @@ tls_options(BodyMap) when is_map_key(ssl_options, BodyMap) ->
         undefined ->
             TlsOpts2;
         Verify ->
-            VerifyStr = unicode:characters_to_list(Verify),
-            [{verify, list_to_existing_atom(VerifyStr)} | TlsOpts2]
+            try
+                VerifyStr = unicode:characters_to_list(Verify),
+                [{verify, list_to_existing_atom(VerifyStr)} | TlsOpts2]
+            catch
+                error:badarg ->
+                    throw({bad_request, "invalid verify option passed to "
+                                        "/ldap/validate/simple-bind ssl_options.verify"})
+            end
     end,
     TlsOpts4 = case maps:get(<<"server_name_indication">>, SslOptionsMap, disable) of
         disable ->
diff --git a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl
@@ -523,6 +523,71 @@ validate_ldap_configuration_via_api(Config) ->
     ?assertEqual(<<"unprocessable_entity">>, maps:get(<<"error">>, BothTlsJson)),
     ?assertEqual(<<"TLS configuration error: cannot use StartTLS on an SSL connection (use_ssl and use_starttls cannot both be true)">>,
                  maps:get(<<"reason">>, BothTlsJson)),
+
+    %% Invalid certificate file path
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapTlsPort,
+            'use_ssl' => true,
+            'ssl_options' => #{
+                'cacertfile' => "/nonexistent/path/cert.pem"
+            }
+        }, ?BAD_REQUEST),
+
+    %% Invalid PEM data - should now return 400 Bad Request
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapTlsPort,
+            'use_ssl' => true,
+            'ssl_options' => #{
+                'cacert_pem_data' => ["not-valid-pem-data"]
+            }
+        }, ?BAD_REQUEST),
+
+    %% Invalid SSL options structure - not a map
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapTlsPort,
+            'use_ssl' => true,
+            'ssl_options' => "not_a_map"
+        }, ?BAD_REQUEST),
+
+    %% Invalid TLS versions
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapTlsPort,
+            'use_ssl' => true,
+            'ssl_options' => #{
+                'versions' => ["invalid_version", "tlsv1.2"],
+                'cacertfile' => CaCertfile
+            }
+        }, ?BAD_REQUEST),
+
+    %% Invalid verify option
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapTlsPort,
+            'use_ssl' => true,
+            'ssl_options' => #{
+                'verify' => "invalid_verify_option",
+                'cacertfile' => CaCertfile
+            }
+        }, ?BAD_REQUEST),
     http_put(Config, "/ldap/validate/simple-bind",
         #{
             'user_dn' => AliceUserDN,
