Files
@ 8d272d91d3d2
Branch filter:
Location: majic-ansible-roles/roles/xmpp_server/molecule/default/tests/test_mandatory.py - annotation
8d272d91d3d2
3.0 KiB
text/x-python
MAR-165: Deploy Diffie-Helman parameters for LDAP server in the ldap_server role:
- Not relevant for Debian Strech because of a bug in the OpenLDAP
version it ships with.
- This should allow use of DHE ciphers with LDAP server.
- Generated DH parameters only help pick one of the parameters from
RFC-7919 (based on the size of generated ones).
- Make the cipher test lists distro-specific due to differences
between supported algorithms in respective GnuTLS versions.
- Not relevant for Debian Strech because of a bug in the OpenLDAP
version it ships with.
- This should allow use of DHE ciphers with LDAP server.
- Generated DH parameters only help pick one of the parameters from
RFC-7919 (based on the size of generated ones).
- Make the cipher test lists distro-specific due to differences
between supported algorithms in respective GnuTLS versions.
2ada86e90026 2ada86e90026 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 da031f975c67 da031f975c67 da031f975c67 da031f975c67 d62b3adec462 da031f975c67 da031f975c67 e970d4afbea4 da031f975c67 da031f975c67 da031f975c67 da031f975c67 54275c753ea1 e970d4afbea4 e970d4afbea4 da031f975c67 e970d4afbea4 da031f975c67 d752715bb533 eb6d9c7d6651 eb6d9c7d6651 d752715bb533 d752715bb533 d752715bb533 d752715bb533 d752715bb533 c95f61f32b67 da031f975c67 da031f975c67 da031f975c67 da031f975c67 da031f975c67 d752715bb533 cc7de990e9e4 cc7de990e9e4 cc7de990e9e4 cc7de990e9e4 cc7de990e9e4 cc7de990e9e4 cc7de990e9e4 114f02e67a4d c92d79571cf9 c92d79571cf9 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 52c4a4001c46 | import os
import defusedxml.ElementTree as ElementTree
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
def test_prosody_configuration_file_content(host):
"""
Tests if Prosody configuration file has correct content.
"""
hostname = host.run('hostname').stdout.strip()
with host.sudo():
config = host.file('/etc/prosody/prosody.cfg.lua')
assert "admins = { \"john.doe@domain1\", }" in config.content_string
assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string
assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string
assert "ldap_server = \"ldap-server\"" in config.content_string
assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string
assert "ldap_password = \"prosodypassword\"" in config.content_string
assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string
assert "ldap_base = \"ou=people,dc=local\"" in config.content_string
assert "archive_expires_after = \"never\"" in config.content_string
assert """VirtualHost "domain1"
Component "conference.domain1" "muc"
restrict_room_creation = "local"
Component "proxy.domain1" "proxy65"
proxy65_acl = { "domain1" }""" in config.content_string
def test_correct_prosody_package_installed(host):
"""
Tests if correct Prosody package has been installed.
"""
assert host.package('prosody-0.11').is_installed
@pytest.mark.parametrize("port", [
5222,
5223
])
def test_xmpp_c2s_tls_version_and_ciphers(host, port):
"""
Tests if the correct TLS version and ciphers have been enabled for
XMPP C2S ports.
"""
expected_tls_versions = ["TLSv1.2"]
expected_tls_ciphers = [
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
# Run the nmap scanner against the server, and fetch the results.
nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))
assert nmap.rc == 0
report_content = host.file('/tmp/report.xml').content_string
report_root = ElementTree.fromstring(report_content)
tls_versions = []
tls_ciphers = set()
for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
tls_versions.append(child.attrib['key'])
for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
tls_ciphers.add(child.text)
tls_versions.sort()
tls_ciphers = sorted(list(tls_ciphers))
assert tls_versions == expected_tls_versions
assert tls_ciphers == expected_tls_ciphers
|