Files
@ 36cc127035aa
Branch filter:
Location: majic-ansible-roles/roles/web_server/molecule/default/tests/test_optional.py - annotation
36cc127035aa
2.7 KiB
text/x-python
MAR-158: Update default TLS cipher configuration in the web_server role:
- Updated the default value for parameter web_server_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled
ciphers.
- Updated role reference documentation.
- Updated the default value for parameter web_server_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled
ciphers.
- Updated role reference documentation.
a5f4c1ec6853 a5f4c1ec6853 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 d62b3adec462 351cd42e5f56 351cd42e5f56 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c eee778bc2d7c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 351cd42e5f56 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 351cd42e5f56 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 23a5f9ba293c 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 | import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
def test_tls_version(host):
"""
Tests if only the configured TLS protocol versions are allowed by
the server.
"""
old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_1 -no_tls1_2 -connect parameters-optional:443")
tls1_1_enabled = host.run("echo 'Q' | openssl s_client -tls1_1 -connect parameters-optional:443")
tls1_2_enabled = host.run("echo 'Q' | openssl s_client -tls1_2 -connect parameters-optional:443")
# Avoid false negatives by ensuring the client had actually
# established the TCP connection.
assert "CONNECTED" in old_tls_versions_disabled.stdout
assert old_tls_versions_disabled.rc != 0
# Avoid false negatives by ensuring the client had actually
# established the TCP connection.
assert "CONNECTED" in tls1_1_enabled.stdout
assert tls1_1_enabled.rc == 0
# Avoid false negatives by ensuring the client had actually
# established the TCP connection.
assert "CONNECTED" in tls1_2_enabled.stdout
assert tls1_2_enabled.rc == 0
def test_tls_ciphers(host):
"""
Tests available TLS ciphers on the server.
"""
cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:443")
assert cipher.rc == 0
assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:443")
assert cipher.rc == 0
assert "ECDHE-RSA-AES128-SHA" in cipher.stdout
def test_https_enforcement(host):
"""
Tests if HTTPS is (not) being enforced.
"""
https_enforcement = host.run('curl -I http://parameters-optional/')
assert https_enforcement.rc == 0
assert 'HTTP/1.1 200 OK' in https_enforcement.stdout
assert 'HTTP/1.1 301 Moved Permanently' not in https_enforcement.stdout
assert 'Location: https://parameters-optional/' not in https_enforcement.stdout
https_enforcement = host.run('curl -I https://parameters-optional/')
assert https_enforcement.rc == 0
assert 'Strict-Transport-Security' not in https_enforcement.stdout
def test_default_vhost_index_page(host):
"""
Tests content of default vhost index page.
"""
page = host.run('curl https://parameters-optional/')
assert page.rc == 0
assert "<title>Optional Welcome</title>" in page.stdout
assert "<h1>Optional Welcome</h1>" in page.stdout
assert "<p>Welcome to parameters-optional, default virtual host.</p>" in page.stdout
|