diff --git a/roles/xmpp_server/files/prosody_ldaprc b/roles/xmpp_server/files/prosody_ldaprc
new file mode 100644
index 0000000000000000000000000000000000000000..14edf5a233428d41750a3f2c65c0e1b1b48effc2
--- /dev/null
+++ b/roles/xmpp_server/files/prosody_ldaprc
@@ -0,0 +1,2 @@
+# Use system-wide trust anchor.
+TLS_CACERT /etc/ssl/certs/ca-certificates.crt
diff --git a/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml b/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
index 5bcd2a356a0a90fe4eb3a333fc6f9fc5a66917ce..278d65ae58e744af50a68f00d56fcae0b1f09eb9 100644
--- a/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
+++ b/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
@@ -42,3 +42,6 @@ backup_clients:
 - server: parameters-optional-buster
 ip: 192.168.56.32
 public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
+ - server: parameters-optional-bullseye
+ ip: 192.168.56.42
+ public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
diff --git a/roles/xmpp_server/molecule/default/molecule.yml b/roles/xmpp_server/molecule/default/molecule.yml
index 101c39707f8b05792e53b2d4851181233f95e610..27c3b3d285922d19a6237bed9b8add0436b65e5a 100644
--- a/roles/xmpp_server/molecule/default/molecule.yml
+++ b/roles/xmpp_server/molecule/default/molecule.yml
@@ -15,7 +15,7 @@ lint:
 platforms:
 - name: ldap-server
- box: debian/contrib-buster64
+ box: debian/bullseye64
 memory: 512
 cpus: 1
 interfaces:
@@ -37,7 +37,20 @@ platforms:
 network_name: private_network
 type: static
- - name: parameters-mandatory-buster64
+ - name: client-bullseye
+ groups:
+ - clients
+ - bullseye
+ box: debian/bullseye64
+ memory: 256
+ cpus: 1
+ interfaces:
+ - auto_config: true
+ ip: 192.168.56.22
+ network_name: private_network
+ type: static
+
+ - name: parameters-mandatory-buster
 groups:
 - parameters-mandatory
 - buster
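Review bot: The new ldaprc pins the trust anchor but is silent on whether the LDAP server certificate is actually required to verify, so that still depends on the `TLS_REQCERT` value libldap ends up with (the ldap.conf(5) default is `demand`, as far as I recall, but a system-wide `/etc/ldap/ldap.conf` can lower it to `allow` or `never`, in which case the CA bundle here is never consulted). Making the intent explicit costs one line, `TLS_REQCERT demand`, and it is what the task name in tasks/main.yml ("for validating LDAP server certificate") promises. The header comment could also say which process consumes the file, e.g. `# libldap settings for the prosody service account (read from $HOME/.ldaprc).`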
@@ -50,7 +63,7 @@ platforms:
 network_name: private_network
 type: static
- - name: parameters-optional-buster64
+ - name: parameters-optional-buster
 groups:
 - parameters-optional
 - buster
@@ -63,6 +76,32 @@ platforms:
 network_name: private_network
 type: static
+ - name: parameters-mandatory-bullseye
+ groups:
+ - parameters-mandatory
+ - bullseye
+ box: debian/bullseye64
+ memory: 512
+ cpus: 1
+ interfaces:
+ - auto_config: true
+ ip: 192.168.56.41
+ network_name: private_network
+ type: static
+
+ - name: parameters-optional-bullseye
+ groups:
+ - parameters-optional
+ - bullseye
+ box: debian/bullseye64
+ memory: 512
+ cpus: 1
+ interfaces:
+ - auto_config: true
+ ip: 192.168.56.42
+ network_name: private_network
+ type: static
+
 provisioner:
 name: ansible
 playbooks:
diff --git a/roles/xmpp_server/molecule/default/prepare.yml b/roles/xmpp_server/molecule/default/prepare.yml
index 6d4e6d58b234b6eabd522d16d02a99106ff4ac24..07ddb70c3d7a1740b2bc6da05157d14f092740c6 100644
--- a/roles/xmpp_server/molecule/default/prepare.yml
+++ b/roles/xmpp_server/molecule/default/prepare.yml
@@ -22,13 +22,30 @@
 - name: ldap-server_ldap
 fqdn:
 - ldap-server
- - name: parameters-mandatory-buster64_xmpp
+
+ - name: parameters-mandatory-buster_xmpp
 fqdn:
 - parameters-mandatory
 - domain1
 - proxy.domain1
 - conference.domain1
- - name: parameters-optional-buster64_xmpp
+ - name: parameters-optional-buster_xmpp
+ fqdn:
+ - parameters-optional
+ - domain2
+ - proxy.domain2
+ - conference.domain2
+ - domain3
+ - proxy.domain3
+ - conference.domain3
+
+ - name: parameters-mandatory-bullseye_xmpp
+ fqdn:
+ - parameters-mandatory
+ - domain1
+ - proxy.domain1
+ - conference.domain1
+ - name: parameters-optional-bullseye_xmpp
 fqdn:
 - parameters-optional
 - domain2
@@ -75,6 +92,16 @@
 regexp: "host\\.name\\)"
 replace: "host.targetname)"
+ - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter
+ lineinfile:
+ path: "/etc/ssl/openssl.cnf"
+ regexp: "^MinProtocol ="
+ line: "MinProtocol = TLSv1.0"
+ owner: root
+ group: root
+ mode: 0644
+ state: present
+
 - hosts: buster
 become: true
 tasks:
@@ -94,15 +121,24 @@
 192.168.56.31: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 192.168.56.32: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
- - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter
+- hosts: bullseye
+ become: true
+ tasks:
+
+ - name: Set-up the hosts file
 lineinfile:
- path: "/etc/ssl/openssl.cnf"
- regexp: "^MinProtocol ="
- line: "MinProtocol = TLSv1.0"
+ path: /etc/hosts
+ regexp: "^{{ item.key }}"
+ line: "{{ item.key }} {{ item.value }}"
 owner: root
 group: root
 mode: 0644
 state: present
+ with_dict:
+ 192.168.56.11: "ldap-server backup-server"
+ 192.168.56.22: "client-bullseye"
+ 192.168.56.41: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
+ 192.168.56.42: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 - hosts: clients
 become: true
diff --git a/roles/xmpp_server/molecule/default/tests/test_default.py b/roles/xmpp_server/molecule/default/tests/test_default.py
index 69e5ce1252871a2cbcc8654a3e7bae65c56df400..e0a567a9bf3262985e13a1810a19423ff978604e 100644
--- a/roles/xmpp_server/molecule/default/tests/test_default.py
+++ b/roles/xmpp_server/molecule/default/tests/test_default.py
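Review bot: The moved `lineinfile` task that writes `MinProtocol = TLSv1.0` only edits an existing `^MinProtocol =` line; when the regexp matches nothing, `lineinfile` appends the line at the end of `/etc/ssl/openssl.cnf`, which puts it under whatever section happens to be last instead of `[system_default_sect]`, and the test for `xmpp_server_tls_protocol` would then run against an unchanged policy without any task failing. Adding `insertafter: '^\[system_default_sect\]'` keeps the fallback placement inside the right section. The play this task belongs to starts before the hunk, so which hosts now get the relaxed minimum is not visible here; a comment such as `# Test preparation only: lowers the OpenSSL floor so the TLSv1.0 variant of xmpp_server_tls_protocol can be exercised.` would make that scope explicit.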
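Review bot: The new `bullseye` play is a copy of the `buster` play with only the `with_dict` mapping changed, so the hosts-file mapping now lives in two places and will drift (the bullseye map carries a `client-bullseye` entry; whether the buster map has a counterpart is outside the hunk). One play over `hosts: buster:bullseye` with the dict taken from group variables, or a single dict selected on `ansible_distribution_release`, would keep one source of truth for the molecule addresses. The buster play starts before the hunk.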
@@ -13,7 +13,6 @@ def test_installed_packages(host):
 installed.
 """
- assert host.package('python-apt').is_installed
 assert host.package('lua-ldap').is_installed
 assert host.package('prosody-modules').is_installed
 assert host.package('prosody').is_installed
@@ -288,25 +287,20 @@ def test_backports_repository(host):
 assert repository.content_string.rstrip() == expected_content
-def test_backports_prosody_pinning(host):
+def test_ldap_client_configuration(host):
 """
- Tests if the backports pin for Prosody has been deployed correctly.
+ Tests if LDAP client configuration is correctly deployed with the
+ necessary trust anchor configuration.
 """
- pin = host.file("/etc/apt/preferences.d/prosody")
-
- assert pin.is_file
- assert pin.user == "root"
- assert pin.group == "root"
- assert pin.mode == 0o644
-
- prosody_package = host.package("prosody")
- prosody_modules_package = host.package("prosody-modules")
- lua_ldap_package = host.package("lua-sec")
+ with host.sudo():
+ ldaprc = host.file("/var/lib/prosody/.ldaprc")
- assert "bpo" in prosody_package.version
- assert "bpo" in prosody_modules_package.version
- assert "bpo" in lua_ldap_package.version
+ assert ldaprc.is_file
+ assert ldaprc.user == "root"
+ assert ldaprc.group == "prosody"
+ assert ldaprc.mode == 0o640
+ assert "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" in ldaprc.content_string
 # @TODO: Tests which were not implemented due to lack of out-of-box tools:
diff --git a/roles/xmpp_server/molecule/default/tests/test_default_bullseye.py b/roles/xmpp_server/molecule/default/tests/test_default_bullseye.py
new file mode 100644
index 0000000000000000000000000000000000000000..43f1e49d43b0dbee6ac6edd481ad55fc383f5343
--- /dev/null
+++ b/roles/xmpp_server/molecule/default/tests/test_default_bullseye.py
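Review bot: The content check in `test_ldap_client_configuration` is a substring match, so a commented-out `# TLS_CACERT /etc/ssl/certs/ca-certificates.crt` line or a longer path with that prefix would pass it as well. Matching whole stripped lines keeps the assertion one line and checks the directive is live: `assert "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" in [l.strip() for l in ldaprc.content_string.splitlines()]`. The `with host.sudo():` wrapper is needed because the file is deployed `0640` `root:prosody`; a short comment on that line, `# file is 0640 root:prosody, unreadable to the test user`, would save the next reader a question.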
@@ -0,0 +1,25 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-bullseye')
+
+
+def test_backports_prosody_pinning_absent(host):
+ """
+ Tests if the Prosody backports pinning is absent.
+ """
+
+ pin = host.file("/etc/apt/preferences.d/prosody")
+
+ assert not pin.exists
+
+ prosody_package = host.package("prosody")
+ prosody_modules_package = host.package("prosody-modules")
+ lua_ldap_package = host.package("lua-sec")
+
+ assert "bpo" not in prosody_package.version
+ assert "bpo" not in prosody_modules_package.version
+ assert "bpo" not in lua_ldap_package.version
diff --git a/roles/xmpp_server/molecule/default/tests/test_default_buster.py b/roles/xmpp_server/molecule/default/tests/test_default_buster.py
new file mode 100644
index 0000000000000000000000000000000000000000..1bdc60375e2006ae7e22b5202c37d7e7fe10088c
--- /dev/null
+++ b/roles/xmpp_server/molecule/default/tests/test_default_buster.py
@@ -0,0 +1,28 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-buster')
+
+
+def test_backports_prosody_pinning(host):
+ """
+ Tests if the backports pin for Prosody has been deployed correctly.
+ """
+
+ pin = host.file("/etc/apt/preferences.d/prosody")
+
+ assert pin.is_file
+ assert pin.user == "root"
+ assert pin.group == "root"
+ assert pin.mode == 0o644
+
+ prosody_package = host.package("prosody")
+ prosody_modules_package = host.package("prosody-modules")
+ lua_ldap_package = host.package("lua-sec")
+
+ assert "bpo" in prosody_package.version
+ assert "bpo" in prosody_modules_package.version
+ assert "bpo" in lua_ldap_package.version
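Review bot: `lua_ldap_package = host.package("lua-sec")` names the variable after one package and queries another, so the following `assert "bpo" not in lua_ldap_package.version` reads as a check on lua-ldap when it is actually about lua-sec; the same line appears in the new `test_default_buster.py`. Renaming it `lua_sec_package` in both files (it was carried over from the old `test_backports_prosody_pinning` in test_default.py) makes the assertions say what they test. The docstring could also state the expected outcome, e.g. `Tests that no backports pin exists and that Prosody, prosody-modules and lua-sec are installed from the main bullseye suite.`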
diff --git a/roles/xmpp_server/tasks/main.yml b/roles/xmpp_server/tasks/main.yml
index 63b229010ba263360df11e837bad65590374b289..0055de61e94d3c451b32d5c409addefa54b25d98 100644
--- a/roles/xmpp_server/tasks/main.yml
+++ b/roles/xmpp_server/tasks/main.yml
@@ -1,13 +1,5 @@
 ---
-# Ansible pre-requisites
-# ======================
-
-- name: Install Python apt bindings
- apt:
- name: python-apt
-
 # Main implementation
 # ===================
@@ -30,13 +22,20 @@
 update_cache: true
 when: backports_repository_configuration.changed
-- name: Configure package pins to backports for Prosody
+- name: Configure package pins to backports for Prosody on Debian 10 Buster
 template:
 src: prosody_backports_pin.j2
 dest: /etc/apt/preferences.d/prosody
 owner: root
 group: root
 mode: 0644
+ when: ansible_distribution_release == 'buster'
+
+- name: Drop package pins to backports for Prosody on Debian 11 Bullseye
+ file:
+ path: /etc/apt/preferences.d/prosody
+ state: absent
+ when: ansible_distribution_release == 'bullseye'
 - name: Install additional Prosody dependencies
 apt:
@@ -114,6 +113,16 @@
 group: root
 mode: 0644
+- name: Deploy LDAP client configuration (for validating LDAP server certificate)
+ copy:
+ src: prosody_ldaprc
+ dest: "/var/lib/prosody/.ldaprc"
+ owner: root
+ group: prosody
+ mode: 0640
+ notify:
+ - Restart Prosody
+
 - name: Deploy Prosody configuration file
 template:
 src: "prosody.cfg.lua.j2"
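Review bot: The two `when:` guards on the pin tasks cover only `buster` and `bullseye`, so on any other release a `/etc/apt/preferences.d/prosody` left behind by an earlier buster run is neither refreshed nor removed and keeps steering apt towards backports silently. Guarding the removal with `when: ansible_distribution_release != 'buster'` makes "no pin" the default path, which is also what `test_backports_prosody_pinning_absent` in the new test file expects. The task name would then read `- name: Drop package pins to backports for Prosody on releases other than Debian 10 Buster`.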
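Review bot: Deploying the client configuration as `/var/lib/prosody/.ldaprc` relies on libldap inside the Prosody process looking for `.ldaprc` in that directory, which it does via the home directory (or the path in `LDAPRC`); if the service runs with a different `HOME`, the file is deployed and passes `test_ldap_client_configuration` yet is never read, and the LDAP connection is validated only by whatever `/etc/ldap/ldap.conf` says. Worth confirming against the prosody user's passwd entry and the service unit, and recording the assumption on the task: `# libldap reads $HOME/.ldaprc; the prosody account's home must be /var/lib/prosody.` The `Restart Prosody` handler the task notifies is defined outside this diff.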