diff --git a/roles/web_server/meta/main.yml b/roles/web_server/meta/main.yml index a8a7bb38f612001e78287e5cb3a9c67ab7134faa..e53b9cc9399b1d218dc1a06d3fa5ba178c25c61c 100644 --- a/roles/web_server/meta/main.yml +++ b/roles/web_server/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - - common \ No newline at end of file + - common diff --git a/roles/web_server/molecule.yml b/roles/web_server/molecule.yml deleted file mode 100644 index ff9028dff8409caa0eda4a8e3126862f540fff97..0000000000000000000000000000000000000000 --- a/roles/web_server/molecule.yml +++ /dev/null @@ -1,51 +0,0 @@ ---- - -ansible: - ansiblecfg_ssh_connection: - pipelining: True - -dependency: {} - -driver: - name: vagrant - -vagrant: - - platforms: - - name: debian-jessie64 - box: debian/contrib-jessie64 - - providers: - - name: virtualbox - type: virtualbox - options: - memory: 512 - cpus: 1 - - instances: - - - name: client1 - groups: - - client - interfaces: - - network_name: private_network - type: static - ip: 10.31.127.20 - auto_config: yes - - - name: parameters-mandatory - interfaces: - - network_name: private_network - type: static - ip: 10.31.127.30 - auto_config: yes - - - name: parameters-optional - interfaces: - - network_name: private_network - type: static - ip: 10.31.127.31 - auto_config: yes - -verifier: - name: testinfra diff --git a/roles/web_server/molecule/default/create.yml b/roles/web_server/molecule/default/create.yml new file mode 100644 index 0000000000000000000000000000000000000000..f8eb37cd4df02c540216c02791d0c50870986202 --- /dev/null +++ b/roles/web_server/molecule/default/create.yml 
@@ -0,0 +1,56 @@
+---
+- name: Create
+ hosts: localhost
+ connection: local
+ gather_facts: False
+ no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+ vars:
+ molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+ molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}"
+ molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"
+ tasks:
+ - name: Create molecule instance(s)
+ molecule_vagrant:
+ instance_name: "{{ item.name }}"
+ instance_interfaces: "{{ item.interfaces | default(omit) }}"
+ instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}"
+
+ platform_box: "{{ item.box }}"
+ platform_box_version: "{{ item.box_version | default(omit) }}"
+ platform_box_url: "{{ item.box_url | default(omit) }}"
+
+ provider_name: "{{ molecule_yml.driver.provider.name }}"
+ provider_memory: "{{ item.memory | default(omit) }}"
+ provider_cpus: "{{ item.cpus | default(omit) }}"
+ provider_raw_config_args: "{{ item.raw_config_args | default(omit) }}"
+
+ state: up
+ register: server
+ with_items: "{{ molecule_yml.platforms }}"
+
+ # Mandatory configuration for Molecule to function.
+
+ - name: Populate instance config dict
+ set_fact:
+ instance_conf_dict: {
+ 'instance': "{{ item.Host }}",
+ 'address': "{{ item.HostName }}",
+ 'user': "{{ item.User }}",
+ 'port': "{{ item.Port }}",
+ 'identity_file': "{{ item.IdentityFile }}", }
+ with_items: "{{ server.results }}"
+ register: instance_config_dict
+ when: server.changed | bool
+
+ - name: Convert instance config dict to a list
+ set_fact:
+ instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
+ when: server.changed | bool
+
+ - name: Dump instance config
+ copy:
+ # NOTE(retr0h): Workaround for Ansible 2.2.
+ # https://github.com/ansible/ansible/issues/20885
+ content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"
+ dest: "{{ molecule_instance_config }}"
+ when: server.changed | bool
diff --git a/roles/web_server/molecule/default/destroy.yml b/roles/web_server/molecule/default/destroy.yml new file mode 100644
index 0000000000000000000000000000000000000000..3972a2df8fafe515b30a74f951499b83aae8449c
--- /dev/null
+++ b/roles/web_server/molecule/default/destroy.yml
@@ -0,0 +1,36 @@
+---
+
+- name: Destroy
+ hosts: localhost
+ connection: local
+ gather_facts: False
+ no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"
+ vars:
+ molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"
+ molecule_instance_config: "{{ lookup('env',' MOLECULE_INSTANCE_CONFIG') }}"
+ molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"
+ tasks:
+ - name: Destroy molecule instance(s)
+ molecule_vagrant:
+ instance_name: "{{ item.name }}"
+ platform_box: "{{ item.box }}"
+ provider_name: "{{ molecule_yml.driver.provider.name }}"
+ force_stop: "{{ item.force_stop | default(True) }}"
+
+ state: destroy
+ register: server
+ with_items: "{{ molecule_yml.platforms }}"
+
+ # Mandatory configuration for Molecule to function.
+
+ - name: Populate instance config
+ set_fact:
+ instance_conf: {}
+
+ - name: Dump instance config
+ copy:
+ # NOTE(retr0h): Workaround for Ansible 2.2.
+ # https://github.com/ansible/ansible/issues/20885
+ content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"
+ dest: "{{ molecule_instance_config }}"
+ when: server.changed | bool
diff --git a/roles/web_server/molecule/default/molecule.yml b/roles/web_server/molecule/default/molecule.yml new file mode 100644
index 0000000000000000000000000000000000000000..a03bf9b5d50afe3df0887c6518430af93fec268c
--- /dev/null
+++ b/roles/web_server/molecule/default/molecule.yml
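Review bot: The `Dump instance config` task that closes create.yml writes the instance's SSH user, port and identity-file path to `{{ molecule_instance_config }}` without a `mode`, so the file's permissions are left to the umask of whoever runs Molecule. Adding `mode: "0600"` next to `dest:` keeps that connection data readable only by the invoking user. Separately, `no_log` is switched off whenever `MOLECULE_DEBUG` holds a true value, so the same fields then appear in task output; a one-line comment above `no_log:` saying so would help anyone enabling debug on a shared CI runner.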
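Review bot: The env lookup for `molecule_instance_config` in destroy.yml has a stray space inside the variable name, `lookup('env',' MOLECULE_INSTANCE_CONFIG')`, which the same line in create.yml does not have. The lookup will most likely return an empty string, leaving `dest:` of the final `copy` task empty, so the instance config written by create.yml (SSH user, port, identity-file path) is not reset after a destroy. The line should read `molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}"`.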
@@ -0,0 +1,65 @@
+---
+
+dependency: {}
+
+driver:
+ name: vagrant
+ provider:
+ name: virtualbox
+
+lint:
+ name: yamllint
+
+platforms:
+
+ - name: client1
+ groups:
+ - client
+ box: debian/contrib-jessie64
+ memory: 256
+ cpus: 1
+ interfaces:
+ - auto_config: true
+ ip: 10.31.127.20
+ network_name: private_network
+ type: static
+
+ - name: parameters-mandatory-jessie64
+ groups:
+ - parameters-mandatory
+ box: debian/contrib-jessie64
+ memory: 512
+ cpus: 1
+ interfaces:
+ - auto_config: true
+ ip: 10.31.127.30
+ network_name: private_network
+ type: static
+
+ - name: parameters-optional-jessie64
+ groups:
+ - parameters-optional
+ box: debian/contrib-jessie64
+ memory: 512
+ cpus: 1
+ interfaces:
+ - auto_config: true
+ ip: 10.31.127.31
+ network_name: private_network
+ type: static
+
+provisioner:
+ name: ansible
+ config_options:
+ ssh_connection:
+ pipelining: "True"
+ lint:
+ name: ansible-lint
+
+scenario:
+ name: default
+
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/roles/web_server/molecule/default/playbook.yml b/roles/web_server/molecule/default/playbook.yml new file mode 100644
index 0000000000000000000000000000000000000000..695883381b309e175259d34c11395fb49af417a8
--- /dev/null
+++ b/roles/web_server/molecule/default/playbook.yml
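Review bot: All three platforms pull `box: debian/contrib-jessie64` with no version, so every run tests against whatever image the box catalogue currently serves under that name. create.yml in this commit already forwards `platform_box_version: "{{ item.box_version | default(omit) }}"`, so adding `box_version: "<PINNED_BOX_VERSION>"` (placeholder, pick the version actually validated) to each platform entry makes the test image reproducible and turns an upstream box change into a reviewable diff. A short comment above `platforms:` recording why the version is pinned would keep it from being dropped later.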
@@ -0,0 +1,32 @@
+---
+
+- hosts: parameters-mandatory
+ become: yes
+ roles:
+ - role: web_server
+
+ # common
+ ca_certificates:
+ testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
+
+ # Common parameters (general, not role).
+ tls_certificate_dir: tests/data/x509/
+ tls_private_key_dir: tests/data/x509/
+
+- hosts: parameters-optional
+ become: yes
+ roles:
+ - role: web_server
+ default_enforce_https: no
+ default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_https.cert.pem') }}"
+ default_https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_https.key.pem') }}"
+ web_default_title: "Optional Welcome"
+ web_default_message: "Welcome to parameters-optional, default virtual host."
+ web_server_tls_protocols:
+ - TLSv1.1
+ - TLSv1.2
+ web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"
+
+ # common
+ ca_certificates:
+ testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
diff --git a/roles/web_server/molecule/default/prepare.yml b/roles/web_server/molecule/default/prepare.yml new file mode 100644
index 0000000000000000000000000000000000000000..3f13685a2cafc390d2cf277574486083eb3471fb
--- /dev/null
+++ b/roles/web_server/molecule/default/prepare.yml
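Review bot: The `parameters-optional` play enables `TLSv1.1`, a cipher string that ends in the CBC/SHA-1 suite `ECDHE-RSA-AES128-SHA`, and `default_enforce_https: no`, and nothing in the file says these are test-only values. test_mandatory.py in this same commit asserts that the default configuration refuses a handshake without TLSv1.2 and refuses that exact cipher, so the settings here appear to be deliberately weaker than the role defaults in order to prove the parameters are honoured. A comment above `web_server_tls_protocols:` such as `# Test-only override to exercise the parameters; weaker than the role defaults, not a recommended setting.` would stop the play being copied as an example.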
@@ -0,0 +1,71 @@
+---
+
+- name: Prepare
+ hosts: all
+ gather_facts: False
+ tasks:
+ - name: Install python for Ansible
+ raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
+ become: True
+ changed_when: False
+
+- hosts: all
+ become: yes
+ tasks:
+
+ - name: Update all caches to avoid errors due to missing remote archives
+ apt:
+ update_cache: yes
+ changed_when: False
+
+- hosts: all
+ become: yes
+ tasks:
+
+ - name: Set-up the hosts file
+ lineinfile:
+ path: /etc/hosts
+ regexp: "^{{ item.key }}"
+ line: "{{ item.key }} {{ item.value }}"
+ owner: root
+ group: root
+ mode: 0644
+ state: present
+ with_dict:
+ 10.31.127.20: "client1"
+ 10.31.127.30: "parameters-mandatory parameters-mandatory-jessie64"
+ 10.31.127.31: "parameters-optional parameters-optional-jessie64"
+
+ - name: Install curl for testing redirects and webpage content
+ apt:
+ name: curl
+ state: installed
+
+- hosts: client1
+ become: yes
+ tasks:
+
+ - name: Install tool for testing TCP connectivity
+ apt:
+ name: hping3
+ state: installed
+
+ - name: Install console-based web browser for interactive testing
+ apt:
+ name: lynx
+ state: installed
+
+ - name: Deploy CA certificate
+ copy:
+ src: tests/data/x509/ca.cert.pem
+ dest: /usr/local/share/ca-certificates/testca.crt
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - Update CA certificate cache
+
+ handlers:
+
+ - name: Update CA certificate cache
+ command: /usr/sbin/update-ca-certificates --fresh
diff --git a/roles/web_server/tests/data/x509/ca.cert.pem b/roles/web_server/molecule/default/tests/data/x509/ca.cert.pem similarity index 100% rename from roles/web_server/tests/data/x509/ca.cert.pem rename to roles/web_server/molecule/default/tests/data/x509/ca.cert.pem
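Review bot: In `Set-up the hosts file`, `regexp: "^{{ item.key }}"` is a bare prefix with unescaped dots, so the pattern for `10.31.127.20` also matches an existing line for an address such as `10.31.127.200`, and `lineinfile` would rewrite that entry instead of adding a new one. `regexp: "^{{ item.key | regex_escape }}\\s"` restricts the match to the exact address followed by whitespace. Both `mode: 0644` values in this file are also better written as `mode: "0644"`, so the resulting permissions do not depend on how the YAML loader reads a leading-zero integer.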
diff --git a/roles/web_server/tests/data/x509/ca.key.pem b/roles/web_server/molecule/default/tests/data/x509/ca.key.pem similarity index 100% rename from roles/web_server/tests/data/x509/ca.key.pem rename to roles/web_server/molecule/default/tests/data/x509/ca.key.pem
diff --git a/roles/web_server/tests/data/x509/parameters-mandatory_https.key b/roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64_https.key similarity index 100% rename from roles/web_server/tests/data/x509/parameters-mandatory_https.key rename to roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64_https.key
diff --git a/roles/web_server/tests/data/x509/parameters-mandatory_https.pem b/roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64_https.pem similarity index 100% rename from roles/web_server/tests/data/x509/parameters-mandatory_https.pem rename to roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64_https.pem
diff --git a/roles/web_server/tests/data/x509/parameters-optional_https.cert.pem b/roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.cert.pem similarity index 100% rename from roles/web_server/tests/data/x509/parameters-optional_https.cert.pem rename to roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.cert.pem
diff --git a/roles/web_server/tests/data/x509/parameters-optional_https.key.pem b/roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.key.pem similarity index 100% rename from roles/web_server/tests/data/x509/parameters-optional_https.key.pem rename to roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.key.pem
diff --git a/roles/web_server/molecule/default/tests/test_client.py b/roles/web_server/molecule/default/tests/test_client.py new file mode 100644
index 0000000000000000000000000000000000000000..0cd38d093cbedc00f5d43748e1551519ac43536f
--- /dev/null
+++ b/roles/web_server/molecule/default/tests/test_client.py
@@ -0,0 +1,21 @@
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '.molecule/ansible_inventory.yml').get_hosts('client1')
+
+
+def test_connectivity(host):
+ """
+ Tests connectivity to the web server (ports that should be reachable).
+ """
+
+ with host.sudo():
+
+ for server in ["parameters-mandatory-jessie64",
+ "parameters-optional-jessie64"]:
+ # HTTP, HTTPS.
+ for port in [80, 443]:
+
+ ping = host.run('hping3 -S -p %d -c 1 %s' % (port, server))
+ assert ping.rc == 0
diff --git a/roles/web_server/tests/test_default.py b/roles/web_server/molecule/default/tests/test_default.py similarity index 61% rename from roles/web_server/tests/test_default.py rename to roles/web_server/molecule/default/tests/test_default.py
index 0c4501d1051b252353cd75481d4603803db2b713..f9315ba3988e2d85a5b00323c73e130799447e5c 100644
--- a/roles/web_server/tests/test_default.py
+++ b/roles/web_server/molecule/default/tests/test_default.py
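Review bot: `test_connectivity` asserts only `ping.rc == 0` for the `hping3 -S` probe, and it is not clear from here that the exit status separates a SYN/ACK from an RST reply, so a closed but unfiltered port might still pass. Also asserting on the reply itself, e.g. `assert 'flags=SA' in ping.stdout`, would pin the port as actually accepting connections. The docstring speaks of ports that should be reachable; there is no matching check that some other port is refused, which is the half of a firewall test that catches an over-permissive rule.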
@@ -2,44 +2,44 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory').get_hosts(['parameters-mandatory', 'parameters-optional']) + '.molecule/ansible_inventory.yml').get_hosts(['parameters-mandatory', 'parameters-optional']) -def test_installed_packages(Package): +def test_installed_packages(host): """ Tests if the required packages have been installed. """ - assert Package('nginx').is_installed - assert Package('virtualenv').is_installed - assert Package('virtualenvwrapper').is_installed - assert Package('php5-fpm').is_installed + assert host.package('nginx').is_installed + assert host.package('virtualenv').is_installed + assert host.package('virtualenvwrapper').is_installed + assert host.package('php5-fpm').is_installed -def test_nginx_user(User): +def test_nginx_user(host): """ Tests if Nginx user has been set-up correctly to traverse TLS directories. """ - assert 'ssl-cert' in User('www-data').groups + assert 'ssl-cert' in host.user('www-data').groups -def test_default_tls_configuration_removed(File): +def test_default_tls_configuration_removed(host): """ Tests if TLS configuration has been removed from the main (default) configuration file. """ - assert 'ssl_protocols' not in File('/etc/nginx/nginx.conf').content + assert 'ssl_protocols' not in host.file('/etc/nginx/nginx.conf').content -def test_nginx_configuration_verification_script(File): +def test_nginx_configuration_verification_script(host): """ Tests if script used for verifying Nginx configuration is deployed correctly. """ - script = File('/usr/local/bin/nginx_verify_site.sh') + script = host.file('/usr/local/bin/nginx_verify_site.sh') assert script.is_file assert script.user == 'root' 
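Review bot: `assert 'ssl_protocols' not in host.file('/etc/nginx/nginx.conf').content` compares a `str` against `content`, which testinfra exposes as bytes; under Python 3 that raises `TypeError` instead of evaluating the check. `content_string` is the text accessor, so the line would become `assert 'ssl_protocols' not in host.file('/etc/nginx/nginx.conf').content_string`. The same pattern appears in the `config.content` assertions of `test_socket_directories` in a later hunk and in the `tls_file.content` / `config.content` comparisons in test_mandatory.py. If the suite only ever runs under Python 2 this is harmless today, but it is worth fixing while every call site is being touched for the `host` fixture.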
@@ -47,12 +47,12 @@ def test_nginx_configuration_verification_script(File): assert script.mode == 0o755 -def test_tls_configuration_file(File): +def test_tls_configuration_file(host): """ Tests permissions of TLS configuration file. """ - config = File('/etc/nginx/conf.d/tls.conf') + config = host.file('/etc/nginx/conf.d/tls.conf') assert config.is_file assert config.user == 'root' @@ -60,12 +60,12 @@ def test_tls_configuration_file(File): assert config.mode == 0o644 -def test_default_vhost_file(File): +def test_default_vhost_file(host): """ Tests permissions of default vhost configuration file. """ - config = File('/etc/nginx/sites-available/default') + config = host.file('/etc/nginx/sites-available/default') assert config.is_file assert config.user == 'root' @@ -73,25 +73,25 @@ def test_default_vhost_file(File): assert config.mode == 0o640 -def test_default_website_enabled(File): +def test_default_website_enabled(host): """ Tests if default website has been enabled. """ - config = File('/etc/nginx/sites-enabled/default') + config = host.file('/etc/nginx/sites-enabled/default') assert config.is_symlink assert config.linked_to == '/etc/nginx/sites-available/default' -def test_firewall_configuration_file(File, Sudo): +def test_firewall_configuration_file(host): """ Tests if firewall configuration file has been deployed correctly. """ - with Sudo(): + with host.sudo(): - config = File('/etc/ferm/conf.d/30-web.conf') + config = host.file('/etc/ferm/conf.d/30-web.conf') assert config.is_file assert config.user == 'root' 
@@ -99,21 +99,21 @@ def test_firewall_configuration_file(File, Sudo): assert config.mode == 0o640 -def test_default_debian_index_removed(File, Sudo): +def test_default_debian_index_removed(host): """ Tests if default HTML pages provided by debian are removed. """ - with Sudo(): - assert not File('/var/www/html').exists + with host.sudo(): + assert not host.file('/var/www/html').exists -def test_default_vhost_root_directory(File, Sudo): +def test_default_vhost_root_directory(host): """ Tests if the default vhost root directory exists. """ - directory = File('/var/www/default') + directory = host.file('/var/www/default') assert directory.is_directory assert directory.user == 'root' @@ -121,14 +121,14 @@ def test_default_vhost_root_directory(File, Sudo): assert directory.mode == 0o750 -def test_default_vhost_index_page_file(File, Sudo): +def test_default_vhost_index_page_file(host): """ Tests permissions of default vhost index page. """ - with Sudo(): + with host.sudo(): - page = File('/var/www/default/index.html') + page = host.file('/var/www/default/index.html') assert page.is_file assert page.user == 'root' 
@@ -136,55 +136,55 @@ def test_default_vhost_index_page_file(File, Sudo): assert page.mode == 0o640 -def test_services(Service): +def test_services(host): """ Tests if services are enabled at boot and running. """ - service = Service('nginx') + service = host.service('nginx') assert service.is_enabled assert service.is_running - service = Service('php5-fpm') + service = host.service('php5-fpm') assert service.is_enabled assert service.is_running -def test_sockets(Socket): +def test_sockets(host): """ Tests if web server is listening on correct ports. """ - assert Socket("tcp://80").is_listening - assert Socket("tcp://443").is_listening + assert host.socket("tcp://80").is_listening + assert host.socket("tcp://443").is_listening -def test_socket_directories(File, Sudo): +def test_socket_directories(host): """ Tests if directories containing sockets for WSGI and PHP apps are created correctly. """ - directory = File('/run/wsgi') + directory = host.file('/run/wsgi') assert directory.is_directory assert directory.user == 'root' assert directory.group == 'www-data' assert directory.mode == 0o750 - directory = File('/run/php5-fpm') + directory = host.file('/run/php5-fpm') assert directory.is_directory assert directory.user == 'root' assert directory.group == 'www-data' assert directory.mode == 0o750 - config = File('/etc/tmpfiles.d/wsgi.conf') + config = host.file('/etc/tmpfiles.d/wsgi.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 assert 'd /run/wsgi/ 0750 root www-data - -' in config.content - config = File('/etc/tmpfiles.d/php5-fpm.conf') + config = host.file('/etc/tmpfiles.d/php5-fpm.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' 
@@ -192,45 +192,45 @@ def test_socket_directories(File, Sudo): assert 'd /run/php5-fpm/ 0750 root www-data - -' in config.content -def test_php5_fpm_service_overrides(File): +def test_php5_fpm_service_overrides(host): """ Tests if overrides for php5-fpm service are deployed correctly. """ - directory = File('/etc/systemd/system/php5-fpm.service.d') + directory = host.file('/etc/systemd/system/php5-fpm.service.d') assert directory.is_directory assert directory.user == 'root' assert directory.group == 'root' assert directory.mode == 0o755 - config = File('/etc/systemd/system/php5-fpm.service.d/umask.conf') + config = host.file('/etc/systemd/system/php5-fpm.service.d/umask.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 -def test_php_timezone_configuration(Command, File): +def test_php_timezone_configuration(host): """ Tests if PHP timezone configuration has been set correctly. """ - config = File('/etc/php5/cli/conf.d/30-timezone.ini') + config = host.file('/etc/php5/cli/conf.d/30-timezone.ini') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 - config = File('/etc/php5/fpm/conf.d/30-timezone.ini') + config = host.file('/etc/php5/fpm/conf.d/30-timezone.ini') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 - timezone = Command("php --php-ini /etc/php5/cli/php.ini -r 'echo ini_get(\"date.timezone\");'") + timezone = host.run("php --php-ini /etc/php5/cli/php.ini -r 'echo ini_get(\"date.timezone\");'") assert timezone.rc == 0 assert timezone.stdout == "GMT+0" - timezone = Command("php --php-ini /etc/php5/fpm/php.ini -r 'echo ini_get(\"date.timezone\");'") + timezone = host.run("php --php-ini /etc/php5/fpm/php.ini -r 'echo ini_get(\"date.timezone\");'") assert timezone.rc == 0 assert timezone.stdout == "GMT+0" 
diff --git a/roles/web_server/tests/test_mandatory.py b/roles/web_server/molecule/default/tests/test_mandatory.py similarity index 55% rename from roles/web_server/tests/test_mandatory.py rename to roles/web_server/molecule/default/tests/test_mandatory.py index 2718254ed4094a58da568f2883994d1691c734b7..1a17603ee4e412e874a28f7542ef636340f98868 100644 --- a/roles/web_server/tests/test_mandatory.py +++ b/roles/web_server/molecule/default/tests/test_mandatory.py 
@@ -2,89 +2,93 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory').get_hosts('parameters-mandatory') + '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory') -def test_nginx_tls_files(File, Sudo): +def test_nginx_tls_files(host): """ Tests if TLS private key and certificate have been deployed correctly. """ - with Sudo(): + hostname = host.run('hostname').stdout - tls_file = File('/etc/ssl/private/parameters-mandatory_https.key') + with host.sudo(): + + tls_file = host.file('/etc/ssl/private/%s_https.key' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 - assert tls_file.content == open("tests/data/x509/parameters-mandatory_https.key", "r").read().rstrip() + assert tls_file.content == open("tests/data/x509/%s_https.key" % hostname, "r").read().rstrip() - tls_file = File('/etc/ssl/certs/parameters-mandatory_https.pem') + tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 - assert tls_file.content == open("tests/data/x509/parameters-mandatory_https.pem", "r").read().rstrip() + assert tls_file.content == open("tests/data/x509/%s_https.pem" % hostname, "r").read().rstrip() -def test_certificate_validity_check_configuration(File): +def test_certificate_validity_check_configuration(host): """ Tests if certificate validity check configuration file has been deployed correctly. 
""" - config = File('/etc/check_certificate/parameters-mandatory_https.conf') + hostname = host.run('hostname').stdout + + config = host.file('/etc/check_certificate/%s_https.conf' % hostname) assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 - assert config.content == "/etc/ssl/certs/parameters-mandatory_https.pem" + assert config.content == "/etc/ssl/certs/%s_https.pem" % hostname -def test_tls_configuration(Command): +def test_tls_configuration(host): """ Tests if the TLS has been configured correctly and works. """ - tls = Command('wget -q -O - https://parameters-mandatory/') + tls = host.run('wget -q -O - https://parameters-mandatory/') assert tls.rc == 0 - old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443") + old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443") assert old_tls_versions_disabled.rc != 0 assert "CONNECTED" in old_tls_versions_disabled.stdout - cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443") + cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443") assert cipher.rc == 0 assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout - cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443") + cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443") assert cipher.rc != 0 assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout -def test_https_enforcement(Command): +def test_https_enforcement(host): """ Tests if HTTPS is being enforced. 
""" - https_enforcement = Command('curl -I http://parameters-mandatory/') + https_enforcement = host.run('curl -I http://parameters-mandatory/') assert https_enforcement.rc == 0 assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout - https_enforcement = Command('curl -I https://parameters-mandatory/') + https_enforcement = host.run('curl -I https://parameters-mandatory/') assert https_enforcement.rc == 0 assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout -def test_default_vhost_index_page(Command): +def test_default_vhost_index_page(host): """ Tests content of default vhost index page. """ - page = Command('curl https://parameters-mandatory/') + page = host.run('curl https://parameters-mandatory/') assert page.rc == 0 assert "