branko
MAR-242: Enable HTTP file upload (XEP-0363) for XMPP server deployments.
import os

import defusedxml.ElementTree as ElementTree

import pytest

import testinfra.utils.ansible_runner


# Hosts under test come from the inventory Molecule generated for this run,
# restricted to the group that this scenario exercises.
_inventory_path = os.environ['MOLECULE_INVENTORY_FILE']
_ansible_runner = testinfra.utils.ansible_runner.AnsibleRunner(_inventory_path)
testinfra_hosts = _ansible_runner.get_hosts('parameters-mandatory')


def test_prosody_configuration_file_content(host):
    """
    Tests if Prosody configuration file has correct content.

    Verifies the admin list, the TLS key/certificate paths (derived from
    the machine hostname), the LDAP authentication settings, the archive
    retention setting, and the VirtualHost/Component layout (MUC, proxy65
    and HTTP file share) written by the role for the mandatory-parameter
    scenario.
    """

    hostname = host.run('hostname').stdout.strip()

    # Single-line settings expected verbatim in the generated configuration.
    expected_settings = [
        "admins = { \"john.doe@domain1\",  }",
        "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname,
        "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname,
        "ldap_server = \"ldap-server\"",
        "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"",
        "ldap_password = \"prosodypassword\"",
        "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"",
        "ldap_base = \"ou=people,dc=local\"",
        "archive_expires_after = \"never\"",
    ]

    # The virtual host and its components must appear as one contiguous
    # block, in this order, so the whole snippet is matched at once.
    expected_components = """VirtualHost "domain1"
Component "conference.domain1" "muc"
  restrict_room_creation = "local"
Component "proxy.domain1" "proxy65"
  proxy65_acl = { "domain1" }
Component "upload.domain1" "http_file_share"
  http_file_share_access = { "domain1" }"""

    # The file is read with elevated privileges; it carries the LDAP bind
    # password, so presumably it is not readable by the unprivileged user.
    with host.sudo():
        content = host.file('/etc/prosody/prosody.cfg.lua').content_string

    for setting in expected_settings:
        assert setting in content

    assert expected_components in content


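def test_xmpp_server_uses_correct_dh_parameters(host):
    """
    Tests if the XMPP server uses the generated Diffie-Hellman parameters.

    Forces a DHE-RSA key exchange over STARTTLS on the C2S port and compares
    the DH parameters block the server sends with the PEM file generated for
    this host; a server using any other group fails the comparison.
    """

    fqdn = host.run('hostname -f').stdout.strip()

    # Use first defined domain for testing.
    domain = host.ansible.get_variables()['xmpp_domains'][0]

    # The generated parameters live under /etc/ssl/private, so reading them
    # requires elevated privileges.
    with host.sudo():
        expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip()

    # CA verification is deliberately skipped: this test checks only which DH
    # group is negotiated, not the server identity. The priority string pins
    # the key exchange to DHE-RSA so the server has to send its parameters.
    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 "
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose %s", domain)

    output = connection.stdout
    begin_marker = "-----BEGIN DH PARAMETERS-----"
    end_marker = "-----END DH PARAMETERS-----"

    # Fail with a readable message when the handshake did not print a DH
    # block at all; otherwise str.find() returns -1 and the slice below
    # silently produces garbage that only fails the final comparison.
    begin = output.find(begin_marker)
    assert begin != -1, "No DH parameters block in gnutls-cli output:\n%s" % output
    end = output.find(end_marker, begin)
    assert end != -1, "Unterminated DH parameters block in gnutls-cli output:\n%s" % output

    used_dhparam = output[begin:end + len(end_marker)]

    assert used_dhparam == expected_dhparam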


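def _enumerate_tls_support(host, port):
    """
    Runs nmap's ssl-enum-ciphers script against ``domain1`` on ``port``.

    Returns a tuple ``(tls_versions, tls_ciphers)``: the sorted list of TLS
    version names and the sorted list of distinct cipher suite names that
    nmap reported.
    """

    # NOTE(review): the report is written to a fixed, predictable path in
    # /tmp. Fine on a disposable molecule host; on a shared machine a file or
    # symlink planted at that path beforehand would be a concern.
    # The port is substituted into the command template by testinfra.
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))
    assert nmap.rc == 0
    report_content = host.file('/tmp/report.xml').content_string

    # defusedxml rejects entity-expansion constructs, so a malformed or
    # hostile report cannot blow up the parser.
    report_root = ElementTree.fromstring(report_content)

    tls_versions = sorted(
        table.attrib['key']
        for table in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table")
    )

    # The same cipher is listed once per TLS version it is offered under;
    # collapse the duplicates before comparing.
    tls_ciphers = sorted({
        elem.text
        for elem in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']")
    })

    return tls_versions, tls_ciphers


@pytest.mark.parametrize("port", [
    5222,
    5223
])
def test_xmpp_c2s_tls_version_and_ciphers(host, port):
    """
    Tests if the correct TLS version and ciphers have been enabled for
    XMPP C2S ports.

    Only TLS 1.2/1.3 with AEAD, forward-secret suites are expected; any
    additional version or cipher reported by nmap fails the test.
    """

    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
    expected_tls_ciphers = [
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    ]

    # Run the nmap scanner against the server, and fetch the results.
    tls_versions, tls_ciphers = _enumerate_tls_support(host, port)

    assert tls_versions == expected_tls_versions
    assert tls_ciphers == expected_tls_ciphers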


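def test_xmpp_s2s_tls_version_and_ciphers(host):
    """
    Tests if the correct TLS version and ciphers have been enabled for
    XMPP S2S port.

    Only TLS 1.2/1.3 with AEAD, forward-secret suites are expected; any
    additional version or cipher reported by nmap fails the test.
    """

    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
    # Seems like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is off by default.
    expected_tls_ciphers = [
        "TLS_AKE_WITH_AES_128_GCM_SHA256",
        "TLS_AKE_WITH_AES_256_GCM_SHA384",
        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    ]

    # Run the nmap scanner against the server, and fetch the results.
    # NOTE(review): the report goes to a fixed, predictable path in /tmp;
    # acceptable on a disposable molecule host, a concern on a shared one.
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 5269 domain1 -oX /tmp/report.xml")
    assert nmap.rc == 0
    report_content = host.file('/tmp/report.xml').content_string

    # defusedxml rejects entity-expansion constructs, so a malformed or
    # hostile report cannot blow up the parser.
    report_root = ElementTree.fromstring(report_content)

    tls_versions = sorted(
        table.attrib['key']
        for table in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table")
    )

    # The same cipher is listed once per TLS version it is offered under;
    # collapse the duplicates before comparing.
    tls_ciphers = sorted({
        elem.text
        for elem in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']")
    })

    assert tls_versions == expected_tls_versions
    assert tls_ciphers == expected_tls_ciphers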