From 2a050b7e951d0698f4bd980bc08c902f62867354 Mon Sep 17 00:00:00 2001
From: mkdev11 <jaysmth689@gmail.com>
Date: Tue, 6 Jan 2026 10:51:51 +0200
Subject: [PATCH] test: add test cases for TLS alert checking functionality

- Test rejection when expecting TLS alert but connection succeeds
- Test UP status when expected TLS alert is received
- Test rejection when different TLS alert is received than expected
---
 test/backend-test/monitors/test-tcp.js | 72 ++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/test/backend-test/monitors/test-tcp.js b/test/backend-test/monitors/test-tcp.js
index c1bc1bd1b..25265013c 100644
--- a/test/backend-test/monitors/test-tcp.js
+++ b/test/backend-test/monitors/test-tcp.js
@@ -220,4 +220,76 @@ describe("TCP Monitor", () => {
         }, heartbeat);
         assert.strictEqual(heartbeat.status, UP);
     });
+
+    // TLS Alert checking tests
+    test("check() rejects when expecting TLS alert but connection succeeds", async () => {
+        const tcpMonitor = new TCPMonitorType();
+
+        const monitor = {
+            hostname: "google.com",
+            port: 443,
+            expected_tls_alert: "certificate_required",
+            timeout: 10,
+            isEnabledExpiryNotification: () => false,
+            getIgnoreTls: () => false,
+        };
+
+        const heartbeat = {
+            msg: "",
+            status: PENDING,
+        };
+
+        await assert.rejects(
+            tcpMonitor.check(monitor, heartbeat, {}),
+            /Expected TLS alert 'certificate_required' but connection succeeded/
+        );
+    });
+
+    test("check() sets status to UP when expected TLS alert is received", async () => {
+        const tcpMonitor = new TCPMonitorType();
+
+        // client.badssl.com:443 requires client certificate and returns certificate_required alert
+        const monitor = {
+            hostname: "client.badssl.com",
+            port: 443,
+            expected_tls_alert: "handshake_failure",
+            timeout: 10,
+            isEnabledExpiryNotification: () => false,
+            getIgnoreTls: () => true,
+        };
+
+        const heartbeat = {
+            msg: "",
+            status: PENDING,
+        };
+
+        await tcpMonitor.check(monitor, heartbeat, {});
+
+        assert.strictEqual(heartbeat.status, UP);
+        assert.ok(heartbeat.msg.includes("TLS alert received as expected"));
+    });
+
+    test("check() rejects when different TLS alert is received than expected", async () => {
+        const tcpMonitor = new TCPMonitorType();
+
+        // client.badssl.com returns handshake_failure, but we expect certificate_required
+        const monitor = {
+            hostname: "client.badssl.com",
+            port: 443,
+            expected_tls_alert: "certificate_required",
+            timeout: 10,
+            isEnabledExpiryNotification: () => false,
+            getIgnoreTls: () => true,
+        };
+
+        const heartbeat = {
+            msg: "",
+            status: PENDING,
+        };
+
+        await assert.rejects(
+            tcpMonitor.check(monitor, heartbeat, {}),
+            /Expected TLS alert 'certificate_required' but received/
+        );
+    });
 });