From d420a12a571fc0f302e79ae5133611c23785e55c Mon Sep 17 00:00:00 2001 From: Konstantin S Kazarin Date: Fri, 1 Jul 2022 03:26:16 +0600 Subject: [PATCH] Handle verify hostname ssl option (#1428) --- .rubocop.yml | 2 +- lib/faraday/options/ssl_options.rb | 12 +++++++++++- spec/faraday/connection_spec.rb | 6 ++++++ spec/faraday/options/env_spec.rb | 6 ++++++ spec/faraday/request_spec.rb | 1 + spec/faraday/utils_spec.rb | 3 ++- spec/support/shared_examples/adapter.rb | 1 + 7 files changed, 28 insertions(+), 3 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index d2b06284..b285bdc9 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -119,7 +119,7 @@ Performance/StringInclude: # (new in 1.7) Performance/Sum: # (new in 1.8) Enabled: true -Gemspec/DateAssignment: # (new in 1.10) +Gemspec/DeprecatedAttributeAssignment: Enabled: true Layout/LineEndStringConcatenationIndentation: # (new in 1.18) Enabled: true diff --git a/lib/faraday/options/ssl_options.rb b/lib/faraday/options/ssl_options.rb index 1fa5811a..7abb6b1e 100644 --- a/lib/faraday/options/ssl_options.rb +++ b/lib/faraday/options/ssl_options.rb @@ -6,6 +6,10 @@ module Faraday # @!attribute verify # @return [Boolean] whether to verify SSL certificates or not # + # @!attribute verify_hostname + # @return [Boolean] whether to enable hostname verification on server certificates + # during the handshake or not (see https://github.com/ruby/openssl/pull/60) + # # @!attribute ca_file # @return [String] CA file # @@ -41,7 +45,8 @@ module Faraday # # @!attribute max_version # @return [String, Symbol] maximum SSL version (see https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-max_version-3D) - class SSLOptions < Options.new(:verify, :ca_file, :ca_path, :verify_mode, + class SSLOptions < Options.new(:verify, :verify_hostname, + :ca_file, :ca_path, :verify_mode, :cert_store, :client_cert, :client_key, :certificate, :private_key, :verify_depth, :version, :min_version, :max_version) 
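Review bot: The new `verify_hostname` attribute doc in lib/faraday/options/ssl_options.rb does not say what an unset value means, and the `# @return [Boolean] true if should verify_hostname` comment in the later hunk of this file has the same gap. Since `verify_hostname?` is `verify_hostname != false`, nil counts as enabled, and that default is the security-relevant part a reader needs. I would extend the attribute doc with a line such as `#   Unset (nil) is treated as enabled; only an explicit false turns the check off.` and one sentence noting that with the check off, a certificate issued for a different host name is accepted. How the option interacts with `verify: false` is not visible in the diff and deserves a line as well.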
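Review bot: `:verify_hostname` is inserted as the second member of `Options.new(...)` rather than appended, which shifts every later member by one position. If `Options` is Struct-based, as the member-list form suggests, a caller that builds `SSLOptions` positionally would now get its CA file assigned to `verify_hostname` and its CA path assigned to `ca_file`, silently changing the trust configuration. Appending keeps existing positions stable: end the list with `:version, :min_version, :max_version, :verify_hostname)`. The class body continues outside this hunk.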
@@ -55,5 +60,10 @@ module Faraday def disable? !verify? end + + # @return [Boolean] true if should verify_hostname + def verify_hostname? + verify_hostname != false + end end end diff --git a/spec/faraday/connection_spec.rb b/spec/faraday/connection_spec.rb index a44f799e..e53d095d 100644 --- a/spec/faraday/connection_spec.rb +++ b/spec/faraday/connection_spec.rb @@ -131,6 +131,12 @@ RSpec.describe Faraday::Connection do it { expect(subject.ssl.verify?).to be_falsey } end + context 'with verify_hostname false' do + let(:options) { { ssl: { verify_hostname: false } } } + + it { expect(subject.ssl.verify_hostname?).to be_falsey } + end + context 'with empty block' do let(:conn) { Faraday::Connection.new {} } diff --git a/spec/faraday/options/env_spec.rb b/spec/faraday/options/env_spec.rb index 194cbdc6..006bd5fb 100644 --- a/spec/faraday/options/env_spec.rb +++ b/spec/faraday/options/env_spec.rb @@ -27,6 +27,12 @@ RSpec.describe Faraday::Env do expect(ssl.fetch(:verify, true)).to be_falsey end + it 'handle verify_hostname when fetching' do + ssl = Faraday::SSLOptions.new + ssl.verify_hostname = true + expect(ssl.fetch(:verify_hostname, false)).to be_truthy + end + it 'retains custom members' do env[:foo] = 'custom 1' env[:bar] = :custom2 diff --git a/spec/faraday/request_spec.rb b/spec/faraday/request_spec.rb index 6a3d7963..fbf85b56 100644 --- a/spec/faraday/request_spec.rb +++ b/spec/faraday/request_spec.rb @@ -14,6 +14,7 @@ RSpec.describe Faraday::Request do context 'when nothing particular is configured' do it { expect(subject.http_method).to eq(:get) } it { expect(subject.to_env(conn).ssl.verify).to be_falsey } + it { expect(subject.to_env(conn).ssl.verify_hostname).to be_falsey } end context 'when HTTP method is post' do diff --git a/spec/faraday/utils_spec.rb b/spec/faraday/utils_spec.rb index 984ec589..bf7499eb 100644 --- a/spec/faraday/utils_spec.rb +++ b/spec/faraday/utils_spec.rb 
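Review bot: In spec/faraday/request_spec.rb the added `it { expect(subject.to_env(conn).ssl.verify_hostname).to be_falsey }` pins the raw member, which is nil when nothing is configured, so the example reads as if hostname verification were off by default. The value a consumer should act on is the predicate, which treats nil as enabled. I would assert that instead, `it { expect(subject.to_env(conn).ssl.verify_hostname?).to be_truthy }`, so a later change that flips the default fails a test. The other specs in this commit cover only the explicit `false` and `true` settings.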
@@ -102,7 +102,8 @@ RSpec.describe Faraday::Utils do verify_depth: nil, version: '2', min_version: nil, - max_version: nil + max_version: nil, + verify_hostname: nil } end diff --git a/spec/support/shared_examples/adapter.rb b/spec/support/shared_examples/adapter.rb index 6487367d..4cf09a23 100644 --- a/spec/support/shared_examples/adapter.rb +++ b/spec/support/shared_examples/adapter.rb @@ -38,6 +38,7 @@ shared_examples 'adapter examples' do |**options| let(:conn) do conn_options[:ssl] ||= {} conn_options[:ssl][:ca_file] ||= ENV['SSL_FILE'] + conn_options[:ssl][:verify_hostname] ||= ENV['SSL_VERIFY_HOSTNAME'] == 'yes' Faraday.new(remote, conn_options) do |conn| conn.request :url_encoded
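Review bot: In spec/support/shared_examples/adapter.rb the added line turns hostname verification off whenever `SSL_VERIFY_HOSTNAME` is not exactly `yes`, because the comparison yields `false` rather than nil and `verify_hostname?` treats only `false` as disabled. `||=` also overwrites an explicit `verify_hostname: false` passed in `conn_options` when the variable is `yes`. The shared adapter examples would then run without the hostname check by default, so a regression in that path goes unnoticed. Consider leaving the option unset unless the variable is present, e.g. `conn_options[:ssl][:verify_hostname] = ENV['SSL_VERIFY_HOSTNAME'] == 'yes' if ENV.key?('SSL_VERIFY_HOSTNAME') && !conn_options[:ssl].key?(:verify_hostname)`. The `let(:conn)` block continues outside the hunk.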