Files
@ a451a3cf2b41
Branch filter:
Location: majic-ansible-roles/roles/web_server/molecule/default/tests/test_optional.py - annotation
a451a3cf2b41
2.6 KiB
text/x-python
MAR-167: Added simple test for validating the output from the pip_check_requirements_upgrades.sh script.
a5f4c1ec6853 a5f4c1ec6853 f7c1f4c841f8 83a557f70dfb 351cd42e5f56 351cd42e5f56 351cd42e5f56 d62b3adec462 351cd42e5f56 351cd42e5f56 f7c1f4c841f8 23a5f9ba293c f7c1f4c841f8 23a5f9ba293c 23a5f9ba293c f7c1f4c841f8 23a5f9ba293c f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 83a557f70dfb f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 f7c1f4c841f8 83a557f70dfb f7c1f4c841f8 83a557f70dfb f7c1f4c841f8 f7c1f4c841f8 83a557f70dfb f7c1f4c841f8 f7c1f4c841f8 83a557f70dfb f7c1f4c841f8 f7c1f4c841f8 83a557f70dfb f7c1f4c841f8 f7c1f4c841f8 351cd42e5f56 f7c1f4c841f8 f7c1f4c841f8 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 eee778bc2d7c 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 351cd42e5f56 | import os
import defusedxml.ElementTree as ElementTree
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
def test_tls_version_and_ciphers(host):
"""
Tests if the correct TLS version and ciphers have been enabled.
"""
expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
expected_tls_ciphers = [
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
# Run the nmap scanner against the LDAP server, and fetch the
# results.
nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 443 localhost -oX /tmp/report.xml")
assert nmap.rc == 0
report_content = host.file('/tmp/report.xml').content_string
report_root = ElementTree.fromstring(report_content)
tls_versions = []
tls_ciphers = set()
for child in report_root.findall("./host/ports/port/script/table"):
tls_versions.append(child.attrib['key'])
for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
tls_ciphers.add(child.text)
tls_versions.sort()
tls_ciphers = sorted(list(tls_ciphers))
assert tls_versions == expected_tls_versions
assert tls_ciphers == expected_tls_ciphers
def test_https_enforcement(host):
"""
Tests if HTTPS is (not) being enforced.
"""
https_enforcement = host.run('curl -I http://parameters-optional/')
assert https_enforcement.rc == 0
assert 'HTTP/1.1 200 OK' in https_enforcement.stdout
assert 'HTTP/1.1 301 Moved Permanently' not in https_enforcement.stdout
assert 'Location: https://parameters-optional/' not in https_enforcement.stdout
https_enforcement = host.run('curl -I https://parameters-optional/')
assert https_enforcement.rc == 0
assert 'Strict-Transport-Security' not in https_enforcement.stdout
def test_default_vhost_index_page(host):
"""
Tests content of default vhost index page.
"""
page = host.run('curl https://parameters-optional/')
assert page.rc == 0
assert "<title>Optional Welcome</title>" in page.stdout
assert "<h1>Optional Welcome</h1>" in page.stdout
assert "<p>Welcome to parameters-optional, default virtual host.</p>" in page.stdout
|