Files
@ 814be5def61d
Branch filter:
Location: majic-ansible-roles/roles/xmpp_server/molecule/default/tests/test_client.py - annotation
814be5def61d
3.3 KiB
text/x-python
MAR-189: Added support for Debian 11 Bullseye to xmpp_server role:
- Roll-out LDAP client configuration since Bullseye does not come with
a stock one at /etc/ldap/ldap.conf that sets the trust anchor
correctly for validating LDAP server certificates.
- Drop the backports pinning in case of Bullseye (for now let's try to
keep the Buster and Bullseye at same versions for simplicity).
- Drop installation of Python apt bindings (no longer used).
- Tests for Buster and Bullseye need to be split-up a bit due to some
differences around backports etc.
- Roll-out LDAP client configuration since Bullseye does not come with
a stock one at /etc/ldap/ldap.conf that sets the trust anchor
correctly for validating LDAP server certificates.
- Drop the backports pinning in case of Bullseye (for now let's try to
keep the Buster and Bullseye at same versions for simplicity).
- Drop installation of Python apt bindings (no longer used).
- Tests for Buster and Bullseye need to be split-up a bit due to some
differences around backports etc.
2ada86e90026 2ada86e90026 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 d62b3adec462 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 36d96a3fc472 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 e970d4afbea4 f8f8d51c3fd5 f8f8d51c3fd5 e970d4afbea4 e970d4afbea4 | import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('clients')
def test_connectivity(host):
"""
Tests connectivity to the XMPP server (ports that should be reachable).
"""
with host.sudo():
for server in ["parameters-mandatory",
"parameters-optional"]:
# c2s plaintext, c2s TLS, file proxy, s2s.
for port in [5222, 5223, 5000, 5269]:
ping = host.run('hping3 -S -p %s -c 1 %s', str(port), server)
assert ping.rc == 0
@pytest.mark.parametrize("username, password, domain", [
["john.doe", "johnpassword", "domain1"],
["jane.doe", "janepassword", "domain2"],
])
def test_tls(host, username, password, domain):
"""
Tests if TLS works as expected.
"""
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-t -u {username} -p {password} -j {domain}:5222 {username}@{domain}")
assert send.rc == 0
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-e -u {username} -p {password} -j {domain}:5223 {username}@{domain}")
assert send.rc == 0
@pytest.mark.parametrize("username, password, domain", [
["john.doe", "johnpassword", "domain1"],
["jane.doe", "janepassword", "domain2"],
])
def test_authentication_requires_tls(host, username, password, domain):
"""
Tests if authentication must be done over TLS.
"""
command = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-u {username} -p {password} -j {domain}:5222 {username}@{domain} -d")
assert "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>" in command.stderr
@pytest.mark.parametrize("username, password, domain", [
["john.doe", "johnpassword", "domain1"],
["jane.doe", "janepassword", "domain2"],
["mick.doe", "mickpassword", "domain3"],
])
def test_authentication(host, username, password, domain):
"""
Tests if authentication works correctly.
"""
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-t -u {username} -p {password} -j {domain}:5222 {username}@{domain}")
assert send.rc == 0
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-e -u {username} -p {password} -j {domain}:5223 {username}@{domain}")
assert send.rc == 0
@pytest.mark.parametrize("target_username, target_domain", [
["john.doe", "domain1"],
["jane.doe", "domain2"],
])
def test_unauthorized_users_rejected(host, target_username, target_domain):
"""
Tests if unauthorized users (present in LDAP, but not member of correct
group) are rejected from accessing the XMPP server.
"""
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-t -u noxmpp -p noxmpppassword -j {target_domain}:5222 {target_username}@{target_domain}")
assert send.rc != 0
assert "Error 'AuthSend': error: not-authorized[?]" in send.stderr
|