diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index ec2a72b76c43a9e4079b40dbc54e8840388e997a..038e1cb022845de5eb96ea6d0f316685b5c8a39e 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml @@ -33,4 +33,4 @@ ldap_permissions: by users read by * none -ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" \ No newline at end of file +ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" diff --git a/roles/ldap_server/molecule.yml b/roles/ldap_server/molecule.yml deleted file mode 100644 index d7a33ecc898f6984175572cc7e60520a77cd9150..0000000000000000000000000000000000000000 --- a/roles/ldap_server/molecule.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- - -ansible: - ansiblecfg_ssh_connection: - pipelining: True - -dependency: {} - -driver: - name: vagrant - -vagrant: - - platforms: - - name: debian-jessie64 - box: debian/contrib-jessie64 - - providers: - - name: virtualbox - type: virtualbox - options: - memory: 512 - cpus: 1 - - instances: - - name: parameters-mandatory.local - interfaces: - - network_name: private_network - type: static - ip: 10.31.127.10 - auto_config: yes - - - name: parameters-optional - interfaces: - - network_name: private_network - type: static - ip: 10.31.127.11 - auto_config: yes - - - name: client - interfaces: - - network_name: private_network - type: static - ip: 10.31.127.12 - auto_config: yes - -verifier: - name: testinfra diff --git a/roles/ldap_server/molecule/default/create.yml b/roles/ldap_server/molecule/default/create.yml new file mode 100644 index 0000000000000000000000000000000000000000..f8eb37cd4df02c540216c02791d0c50870986202 
--- /dev/null +++ b/roles/ldap_server/molecule/default/create.yml 
@@ -0,0 +1,56 @@ +--- +- name: Create + hosts: localhost + connection: local + gather_facts: False + no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" + vars: + molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" + molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}" + molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}" + tasks: + - name: Create molecule instance(s) + molecule_vagrant: + instance_name: "{{ item.name }}" + instance_interfaces: "{{ item.interfaces | default(omit) }}" + instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}" + + platform_box: "{{ item.box }}" + platform_box_version: "{{ item.box_version | default(omit) }}" + platform_box_url: "{{ item.box_url | default(omit) }}" + + provider_name: "{{ molecule_yml.driver.provider.name }}" + provider_memory: "{{ item.memory | default(omit) }}" + provider_cpus: "{{ item.cpus | default(omit) }}" + provider_raw_config_args: "{{ item.raw_config_args | default(omit) }}" + + state: up + register: server + with_items: "{{ molecule_yml.platforms }}" + + # Mandatory configuration for Molecule to function. + + - name: Populate instance config dict + set_fact: + instance_conf_dict: { + 'instance': "{{ item.Host }}", + 'address': "{{ item.HostName }}", + 'user': "{{ item.User }}", + 'port': "{{ item.Port }}", + 'identity_file': "{{ item.IdentityFile }}", } + with_items: "{{ server.results }}" + register: instance_config_dict + when: server.changed | bool + + - name: Convert instance config dict to a list + set_fact: + instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}" + when: server.changed | bool + + - name: Dump instance config + copy: + # NOTE(retr0h): Workaround for Ansible 2.2. 
+ # https://github.com/ansible/ansible/issues/20885 + content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}" + dest: "{{ molecule_instance_config }}" + when: server.changed | bool diff --git a/roles/ldap_server/molecule/default/destroy.yml b/roles/ldap_server/molecule/default/destroy.yml new file mode 100644 index 0000000000000000000000000000000000000000..3972a2df8fafe515b30a74f951499b83aae8449c --- /dev/null +++ b/roles/ldap_server/molecule/default/destroy.yml @@ -0,0 +1,36 @@ +--- + +- name: Destroy + hosts: localhost + connection: local + gather_facts: False + no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" + vars: + molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" + molecule_instance_config: "{{ lookup('env',' MOLECULE_INSTANCE_CONFIG') }}" + molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}" + tasks: + - name: Destroy molecule instance(s) + molecule_vagrant: + instance_name: "{{ item.name }}" + platform_box: "{{ item.box }}" + provider_name: "{{ molecule_yml.driver.provider.name }}" + force_stop: "{{ item.force_stop | default(True) }}" + + state: destroy + register: server + with_items: "{{ molecule_yml.platforms }}" + + # Mandatory configuration for Molecule to function. + + - name: Populate instance config + set_fact: + instance_conf: {} + + - name: Dump instance config + copy: + # NOTE(retr0h): Workaround for Ansible 2.2. + # https://github.com/ansible/ansible/issues/20885 + content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}" + dest: "{{ molecule_instance_config }}" + when: server.changed | bool diff --git a/roles/ldap_server/molecule/default/molecule.yml b/roles/ldap_server/molecule/default/molecule.yml new file mode 100644 index 0000000000000000000000000000000000000000..f1ef8b50cc92847a2f7deea1787bb98cde3f5b8d --- /dev/null +++ b/roles/ldap_server/molecule/default/molecule.yml 
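Review bot: `lookup('env',' MOLECULE_INSTANCE_CONFIG')` in the vars of destroy.yml has a leading space inside the variable name, so the lookup yields an empty string and the `Dump instance config` task at the end of the play is handed an empty `dest`; create.yml spells the same lookup correctly. Because the play runs with `no_log` unless MOLECULE_DEBUG is set, the resulting error will be masked, which makes the typo hard to diagnose from a failing `molecule destroy`. Change the line to `molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}"`.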
@@ -0,0 +1,63 @@ +--- + +dependency: {} + +driver: + name: vagrant + provider: + name: virtualbox + +lint: + name: yamllint + +platforms: + + - name: client + box: debian/contrib-jessie64 + memory: 512 + cpus: 1 + interfaces: + - auto_config: true + ip: 10.31.127.10 + network_name: private_network + type: static + + - name: parameters-mandatory-jessie64.local + groups: + - parameters-mandatory + box: debian/contrib-jessie64 + memory: 256 + cpus: 1 + interfaces: + - auto_config: true + ip: 10.31.127.20 + network_name: private_network + type: static + + - name: parameters-optional-jessie64 + groups: + - parameters-optional + box: debian/contrib-jessie64 + memory: 256 + cpus: 1 + interfaces: + - auto_config: true + ip: 10.31.127.21 + network_name: private_network + type: static + +provisioner: + name: ansible + config_options: + ssh_connection: + pipelining: "True" + lint: + name: ansible-lint + +scenario: + name: default + +verifier: + name: testinfra + lint: + name: flake8 diff --git a/roles/ldap_server/playbook.yml b/roles/ldap_server/molecule/default/playbook.yml similarity index 86% rename from roles/ldap_server/playbook.yml rename to roles/ldap_server/molecule/default/playbook.yml index c8cd1a9ffb844e0964c79873032361e1e08066ab..0580673e76cdf8987c99773861711f7b1271402c 100644 --- a/roles/ldap_server/playbook.yml +++ b/roles/ldap_server/molecule/default/playbook.yml @@ -1,14 +1,7 @@ --- -- hosts: all - tasks: - - - name: Update all caches to avoid errors due to missing remote archives - apt: - update_cache: yes - changed_when: False - -- hosts: parameters-mandatory.local +- hosts: parameters-mandatory + become: yes roles: - role: ldap_server ldap_admin_password: adminpassword @@ -27,6 +20,7 @@ tls_certificate_dir: tests/data/x509/ - hosts: parameters-optional + become: yes roles: - role: backup_server backup_host_ssh_private_keys: 
@@ -35,11 +29,12 @@ ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" backup_clients: - - server: parameters-optional + - server: localhost ip: 127.0.0.1 public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" - hosts: parameters-optional + become: yes roles: - role: ldap_server ldap_admin_password: adminpassword @@ -108,6 +103,7 @@ # backup_client enable_backup: yes + backup_client_username: "bak-localhost" backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}" backup_server: localhost backup_server_host_ssh_public_keys: @@ -116,22 +112,3 @@ - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}" - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}" backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}" - -- hosts: all - tasks: - - - name: Deploy CA certificate - copy: - src: tests/data/x509/ca.cert.pem - dest: /etc/ssl/certs/testca.cert.pem - owner: root - group: root - mode: 0644 - -- hosts: client - tasks: - - - name: Install tool for teting TCP connectivity - apt: - name: hping3 - state: installed diff --git a/roles/ldap_server/molecule/default/prepare.yml b/roles/ldap_server/molecule/default/prepare.yml new file mode 100644 index 0000000000000000000000000000000000000000..53a41ad097f7ba71e05380e927379daa31c17ecb --- /dev/null +++ b/roles/ldap_server/molecule/default/prepare.yml 
@@ -0,0 +1,68 @@ +--- + +- name: Prepare + hosts: all + gather_facts: False + tasks: + - name: Install python for Ansible + raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal) + become: True + changed_when: False + +- hosts: all + become: yes + tasks: + + - name: Update all caches to avoid errors due to missing remote archives + apt: + update_cache: yes + changed_when: False + + - name: Deploy CA certificate + copy: + src: tests/data/x509/ca.cert.pem + dest: /etc/ssl/certs/testca.cert.pem + owner: root + group: root + mode: 0644 + +- hosts: client + become: yes + tasks: + + - name: Install tool for teting TCP connectivity + apt: + name: hping3 + state: installed + +- hosts: parameters-optional + become: yes + tasks: + + - name: Set-up the hosts file + lineinfile: + path: /etc/hosts + regexp: "^{{ item.key }}" + line: "{{ item.key }} {{ item.value }}" + owner: root + group: root + mode: 0644 + state: present + with_dict: + 127.0.2.1: parameters-optional + +- hosts: parameters-mandatory + become: yes + tasks: + + - name: Set-up the hosts file + lineinfile: + path: /etc/hosts + regexp: "^{{ item.key }}" + line: "{{ item.key }} {{ item.value }}" + owner: root + group: root + mode: 0644 + state: present + with_dict: + 127.0.2.1: parameters-mandatory.local diff --git a/roles/ldap_server/tests/data/gnupg/parameters-optional.asc b/roles/ldap_server/molecule/default/tests/data/gnupg/parameters-optional.asc similarity index 100% rename from roles/ldap_server/tests/data/gnupg/parameters-optional.asc rename to roles/ldap_server/molecule/default/tests/data/gnupg/parameters-optional.asc diff --git a/roles/ldap_server/tests/data/ssh/parameters-optional b/roles/ldap_server/molecule/default/tests/data/ssh/parameters-optional similarity index 100% rename from roles/ldap_server/tests/data/ssh/parameters-optional rename to roles/ldap_server/molecule/default/tests/data/ssh/parameters-optional 
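Review bot: The two `Set-up the hosts file` tasks at the end of prepare.yml use `regexp: "^{{ item.key }}"` with an IP address as the key, so the dots act as wildcards and nothing terminates the match — `^127.0.2.1` would also match an existing `127.0.2.10 …` entry and replace it instead of adding a new line. Anchoring on the literal address, `regexp: '^{{ item.key | regex_escape }}\s'`, keeps the task idempotent without touching unrelated entries. Two smaller points in the same file: the hping3 task name reads "teting" rather than "testing", and `state: installed` on that apt task is, as far as I recall, a deprecated alias for `state: present` that newer Ansible releases no longer accept.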
diff --git a/roles/ldap_server/tests/data/ssh/parameters-optional.pub b/roles/ldap_server/molecule/default/tests/data/ssh/parameters-optional.pub similarity index 100% rename from roles/ldap_server/tests/data/ssh/parameters-optional.pub rename to roles/ldap_server/molecule/default/tests/data/ssh/parameters-optional.pub diff --git a/roles/ldap_server/tests/data/ssh/server_dsa b/roles/ldap_server/molecule/default/tests/data/ssh/server_dsa similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_dsa rename to roles/ldap_server/molecule/default/tests/data/ssh/server_dsa diff --git a/roles/ldap_server/tests/data/ssh/server_dsa.pub b/roles/ldap_server/molecule/default/tests/data/ssh/server_dsa.pub similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_dsa.pub rename to roles/ldap_server/molecule/default/tests/data/ssh/server_dsa.pub diff --git a/roles/ldap_server/tests/data/ssh/server_ecdsa b/roles/ldap_server/molecule/default/tests/data/ssh/server_ecdsa similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_ecdsa rename to roles/ldap_server/molecule/default/tests/data/ssh/server_ecdsa diff --git a/roles/ldap_server/tests/data/ssh/server_ecdsa.pub b/roles/ldap_server/molecule/default/tests/data/ssh/server_ecdsa.pub similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_ecdsa.pub rename to roles/ldap_server/molecule/default/tests/data/ssh/server_ecdsa.pub diff --git a/roles/ldap_server/tests/data/ssh/server_ed25519 b/roles/ldap_server/molecule/default/tests/data/ssh/server_ed25519 similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_ed25519 rename to roles/ldap_server/molecule/default/tests/data/ssh/server_ed25519 
diff --git a/roles/ldap_server/tests/data/ssh/server_ed25519.pub b/roles/ldap_server/molecule/default/tests/data/ssh/server_ed25519.pub similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_ed25519.pub rename to roles/ldap_server/molecule/default/tests/data/ssh/server_ed25519.pub diff --git a/roles/ldap_server/tests/data/ssh/server_rsa b/roles/ldap_server/molecule/default/tests/data/ssh/server_rsa similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_rsa rename to roles/ldap_server/molecule/default/tests/data/ssh/server_rsa diff --git a/roles/ldap_server/tests/data/ssh/server_rsa.pub b/roles/ldap_server/molecule/default/tests/data/ssh/server_rsa.pub similarity index 100% rename from roles/ldap_server/tests/data/ssh/server_rsa.pub rename to roles/ldap_server/molecule/default/tests/data/ssh/server_rsa.pub diff --git a/roles/ldap_server/tests/data/x509/ca.cert.pem b/roles/ldap_server/molecule/default/tests/data/x509/ca.cert.pem similarity index 100% rename from roles/ldap_server/tests/data/x509/ca.cert.pem rename to roles/ldap_server/molecule/default/tests/data/x509/ca.cert.pem diff --git a/roles/ldap_server/tests/data/x509/ca.key.pem b/roles/ldap_server/molecule/default/tests/data/x509/ca.key.pem similarity index 100% rename from roles/ldap_server/tests/data/x509/ca.key.pem rename to roles/ldap_server/molecule/default/tests/data/x509/ca.key.pem diff --git a/roles/ldap_server/tests/data/x509/parameters-mandatory.local_ldap.key b/roles/ldap_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64.local_ldap.key similarity index 100% rename from roles/ldap_server/tests/data/x509/parameters-mandatory.local_ldap.key rename to roles/ldap_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64.local_ldap.key 
diff --git a/roles/ldap_server/tests/data/x509/parameters-mandatory.local_ldap.pem b/roles/ldap_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64.local_ldap.pem similarity index 100% rename from roles/ldap_server/tests/data/x509/parameters-mandatory.local_ldap.pem rename to roles/ldap_server/molecule/default/tests/data/x509/parameters-mandatory-jessie64.local_ldap.pem diff --git a/roles/ldap_server/tests/data/x509/parameters-optional.cert.pem b/roles/ldap_server/molecule/default/tests/data/x509/parameters-optional.cert.pem similarity index 100% rename from roles/ldap_server/tests/data/x509/parameters-optional.cert.pem rename to roles/ldap_server/molecule/default/tests/data/x509/parameters-optional.cert.pem diff --git a/roles/ldap_server/tests/data/x509/parameters-optional.key.pem b/roles/ldap_server/molecule/default/tests/data/x509/parameters-optional.key.pem similarity index 100% rename from roles/ldap_server/tests/data/x509/parameters-optional.key.pem rename to roles/ldap_server/molecule/default/tests/data/x509/parameters-optional.key.pem diff --git a/roles/ldap_server/tests/test_backup.py b/roles/ldap_server/molecule/default/tests/test_backup.py similarity index 62% rename from roles/ldap_server/tests/test_backup.py rename to roles/ldap_server/molecule/default/tests/test_backup.py index 5bc631b3deeca2cb9ed3efebd757f1f74628d46b..9dbbe9cb39d72c7a2e481113ec4dc08c63ec77b9 100644 --- a/roles/ldap_server/tests/test_backup.py +++ b/roles/ldap_server/molecule/default/tests/test_backup.py 
@@ -1,18 +1,18 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory').get_hosts('parameters-optional') + '.molecule/ansible_inventory.yml').get_hosts('parameters-optional') -def test_database_dump_directory(File, Sudo): +def test_database_dump_directory(host): """ Tests configuration of the directory where database dumps are stored prior to running backup. """ - with Sudo(): + with host.sudo(): - directory = File('/srv/backup') + directory = host.file('/srv/backup') assert directory.is_directory assert directory.user == 'root' @@ -20,14 +20,14 @@ def test_database_dump_directory(File, Sudo): assert directory.mode == 0o700 -def test_database_dump_script(File, Sudo): +def test_database_dump_script(host): """ Tests if database dump script is deployed correctly. """ - with Sudo(): + with host.sudo(): - script = File('/etc/duply/main/pre.d/ldapdump.sh') + script = host.file('/etc/duply/main/pre.d/ldapdump.sh') assert script.is_file assert script.user == 'root' 
@@ -35,27 +35,27 @@ def test_database_dump_script(File, Sudo): assert script.mode == 0o700 -def test_backup(Command, File, Sudo): +def test_backup(host): """ Tests if LDAP directory is correctly backed-up. """ - with Sudo(): + with host.sudo(): # Remove restore directory in order to make sure restore has worked # correctly. - Command("rm -rf /root/restore") + host.run("rm -rf /root/restore") - backup_run = Command('duply main backup') + backup_run = host.run('duply main backup') assert backup_run.rc == 0 - database_dump = File('/srv/backup/slapd.bak') + database_dump = host.file('/srv/backup/slapd.bak') assert database_dump.is_file assert 'dn: dc=local' in database_dump.content - restore_run = Command('duply main restore /root/restore') + restore_run = host.run('duply main restore /root/restore') assert restore_run.rc == 0 - restored_database_dump = File('/root/restore/srv/backup/slapd.bak') + restored_database_dump = host.file('/root/restore/srv/backup/slapd.bak') assert restored_database_dump.is_file assert restored_database_dump.content == database_dump.content diff --git a/roles/ldap_server/molecule/default/tests/test_client.py b/roles/ldap_server/molecule/default/tests/test_client.py new file mode 100644 index 0000000000000000000000000000000000000000..6216013577789e1275c828e86e3faa2844c5826c --- /dev/null +++ b/roles/ldap_server/molecule/default/tests/test_client.py @@ -0,0 +1,21 @@ +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + '.molecule/ansible_inventory.yml').get_hosts('client') + + +def test_connectivity(host): + + with host.sudo(): + + ping = host.run('hping3 -S -p 389 -c 1 10.31.127.20') + assert ping.rc == 0 + + ping = host.run('hping3 -S -p 636 -c 1 10.31.127.20') + assert ping.rc == 0 + + ping = host.run('hping3 -S -p 389 -c 1 10.31.127.21') + assert ping.rc == 0 + + ping = host.run('hping3 -S -p 636 -c 1 10.31.127.21') + assert ping.rc == 0 
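Review bot: In the new test_client.py, `assert ping.rc == 0` after each `hping3 -S` probe does not establish that 389/636 are open: if I recall hping3's exit status correctly it returns 0 whenever any reply arrives, and a closed port answers a SYN with RST, so the assertion only proves the firewall did not drop the packet. If the intent is to verify the LDAP ports are reachable, also assert the SYN-ACK in the output, e.g. `assert 'flags=SA' in ping.stdout`. The four near-identical blocks also hard-code the 10.31.127.20/.21 addresses that molecule.yml assigns, and test_connectivity is the only test in this change without a docstring; a loop over (address, port) pairs with a one-line docstring keeps the targets in one place.
```python
def test_connectivity(host):
    """
    Tests that the LDAP and LDAPS ports on both servers accept connections.
    """

    with host.sudo():

        for address in ('10.31.127.20', '10.31.127.21'):
            for port in (389, 636):
                ping = host.run('hping3 -S -p %d -c 1 %s' % (port, address))
                assert ping.rc == 0
                assert 'flags=SA' in ping.stdout
```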
diff --git a/roles/ldap_server/tests/test_default.py b/roles/ldap_server/molecule/default/tests/test_default.py similarity index 57% rename from roles/ldap_server/tests/test_default.py rename to roles/ldap_server/molecule/default/tests/test_default.py index 59b77aa308ff0c562b6acefc1d8a10c7e942184c..a102032891a7b02356e1d62e07e9e255bc49173d 100644 --- a/roles/ldap_server/tests/test_default.py +++ b/roles/ldap_server/molecule/default/tests/test_default.py 
@@ -1,121 +1,121 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory').get_hosts('all') + '.molecule/ansible_inventory.yml').get_hosts('all') testinfra_hosts.remove("client") -def test_installed_packages(Package): +def test_installed_packages(host): """ Tests if all the necessary packages have been installed. """ - assert Package('slapd').is_installed - assert Package('python-ldap').is_installed + assert host.package('slapd').is_installed + assert host.package('python-ldap').is_installed -def test_ldap_user_group(User): +def test_ldap_user_group(host): """ Tests if LDAP server user is part of group that allows it to traverse TLS private keys directory. """ - assert "ssl-cert" in User('openldap').groups + assert "ssl-cert" in host.user('openldap').groups -def test_ldap_server_service_sockets_and_ports(Socket): +def test_ldap_server_service_sockets_and_ports(host): """ Tests if LDAP server has been configured to listen on correct sockets. """ - assert Socket('tcp://389').is_listening - assert Socket('tcp://636').is_listening - assert Socket('unix:///var/run/slapd/ldapi').is_listening + assert host.socket('tcp://389').is_listening + assert host.socket('tcp://636').is_listening + assert host.socket('unix:///var/run/slapd/ldapi').is_listening -def test_ldap_server_service(Service): +def test_ldap_server_service(host): """ Tests if the LDAP service is enabled and running. """ - service = Service('slapd') + service = host.service('slapd') assert service.is_enabled assert service.is_running -def test_syslog_configuration(File, Sudo): +def test_syslog_configuration(host): """ Tests if syslog configuration file has been deployed, and log file was created correctly (and is being logged to). 
""" - config = File('/etc/rsyslog.d/slapd.conf') + config = host.file('/etc/rsyslog.d/slapd.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 - with Sudo(): - log = File('/var/log/slapd.log') + with host.sudo(): + log = host.file('/var/log/slapd.log') assert log.is_file assert 'slapd' in log.content -def test_log_rotation_configuration(File, Command, Sudo): +def test_log_rotation_configuration(host): """ Tests if log rotation configuration file has been deployed correctly and has valid syntax. """ - config = File('/etc/logrotate.d/slapd') + config = host.file('/etc/logrotate.d/slapd') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 - with Sudo(): + with host.sudo(): - assert Command('logrotate /etc/logrotate.d/slapd').rc == 0 + assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0 -def test_misc_schema_presence(Command, Sudo): +def test_misc_schema_presence(host): """ Tests if the misc LDAP schema has been imported. """ - with Sudo(): + with host.sudo(): - misc_schema = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn') + misc_schema = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn') assert misc_schema.rc == 0 assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout -def test_memberof_module(Command, Sudo): +def test_memberof_module(host): """ Tests if the memberof overlay has been enabled for the main database. 
""" - with Sudo(): - memberof = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn') + with host.sudo(): + memberof = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn') assert memberof.rc == 0 assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout -def test_basic_directory_structure(Command, Sudo): +def test_basic_directory_structure(host): """ Tests if the base LDAP directory structure has been set-up correctly. """ - with Sudo(): + with host.sudo(): ous = ["people", "groups", "services"] for ou in ous: - entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=%s,dc=local' % ou) + entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=%s,dc=local' % ou) assert entry.rc == 0 assert entry.stdout == """dn: ou=%(ou)s,dc=local 
@@ -123,40 +123,40 @@ objectClass: organizationalUnit ou: %(ou)s""" % {'ou': ou} -def test_mail_service_entries(Command, Sudo): +def test_mail_service_entries(host): """ Tests if the mail service entries have been set-up correctly. """ - with Sudo(): + with host.sudo(): - entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=mail,ou=services,dc=local') + entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=mail,ou=services,dc=local') assert entry.rc == 0 assert entry.stdout == """dn: ou=mail,ou=services,dc=local objectClass: organizationalUnit ou: mail""" - entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=domains,ou=mail,ou=services,dc=local') + entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=domains,ou=mail,ou=services,dc=local') assert entry.rc == 0 assert entry.stdout == """dn: ou=domains,ou=mail,ou=services,dc=local objectClass: organizationalUnit ou: domains""" - entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=aliases,ou=mail,ou=services,dc=local') + entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=aliases,ou=mail,ou=services,dc=local') assert entry.rc == 0 assert entry.stdout == """dn: ou=aliases,ou=mail,ou=services,dc=local objectClass: organizationalUnit ou: aliases""" -def test_firewall_configuration_file(File, Sudo): +def test_firewall_configuration_file(host): """ Tests if firewall configuration file has been deployed correctly. """ - with Sudo(): + with host.sudo(): - config = File('/etc/ferm/conf.d/10-ldap.conf') + config = host.file('/etc/ferm/conf.d/10-ldap.conf') assert config.is_file assert config.user == 'root' 
@@ -164,22 +164,22 @@ def test_firewall_configuration_file(File, Sudo): assert config.mode == 0o640 -def test_admin_password(Command): +def test_admin_password(host): """ Tests if administrator password has been set correctly. """ - login = Command("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local") + login = host.run("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local") assert login.rc == 0 assert login.stdout == "dn:cn=admin,dc=local" -def test_temporary_admin_password_file_not_present(File, Sudo): +def test_temporary_admin_password_file_not_present(host): """ Tests if the file that temporarily contains the LDAP adminstrator password has been removed. """ - with Sudo(): - assert not File('/root/.ldap_admin_password').exists + with host.sudo(): + assert not host.file('/root/.ldap_admin_password').exists diff --git a/roles/ldap_server/tests/test_mandatory.py b/roles/ldap_server/molecule/default/tests/test_mandatory.py similarity index 51% rename from roles/ldap_server/tests/test_mandatory.py rename to roles/ldap_server/molecule/default/tests/test_mandatory.py index f5b22ec09cf636adf496e862ec65672d94118687..bd71bf392ec74321c075713d883a6973caf0c46c 100644 --- a/roles/ldap_server/tests/test_mandatory.py +++ b/roles/ldap_server/molecule/default/tests/test_mandatory.py 
@@ -1,129 +1,135 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory').get_hosts('parameters-mandatory.local') + '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory') -def test_base_entry(Command, Sudo): +def test_base_entry(host): """ Tests if the base entry has been created correctly. """ - with Sudo(): + with host.sudo(): - base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base") + base_dn = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base") assert base_dn.rc == 0 assert "dc: local" in base_dn.stdout.split("\n") assert "o: Private" in base_dn.stdout.split("\n") -def test_log_level(Command, Sudo): +def test_log_level(host): """ Tests if the logging level has been set correctly. """ - with Sudo(): + with host.sudo(): - log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel') + log_level = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel') assert log_level.rc == 0 assert 'olcLogLevel: 256' in log_level.stdout -def test_ldap_tls_private_key_file(File, Sudo): +def test_ldap_tls_private_key_file(host): """ Tests if the TLS private key has been deployed correctly. 
""" - with Sudo(): + with host.sudo(): - key = File('/etc/ssl/private/parameters-mandatory.local_ldap.key') + inventory_hostname = "parameters-mandatory-jessie64.local" + + key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname) assert key.is_file assert key.user == 'root' assert key.group == 'openldap' assert key.mode == 0o640 - assert key.content == open('tests/data/x509/parameters-mandatory.local_ldap.key').read().rstrip() + assert key.content == open('tests/data/x509/%s_ldap.key' % inventory_hostname).read().rstrip() -def test_ldap_tls_certificate_file(File, Sudo): +def test_ldap_tls_certificate_file(host): """ Tests if the TLS certificate has been deployed correctly. """ - with Sudo(): + with host.sudo(): + + inventory_hostname = "parameters-mandatory-jessie64.local" - cert = File('/etc/ssl/certs/parameters-mandatory.local_ldap.pem') + cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname) assert cert.is_file assert cert.user == 'root' assert cert.group == 'root' assert cert.mode == 0o644 - assert cert.content == open('tests/data/x509/parameters-mandatory.local_ldap.pem').read().rstrip() + assert cert.content == open('tests/data/x509/%s_ldap.pem' % inventory_hostname).read().rstrip() -def test_certificate_validity_check_configuration(File): +def test_certificate_validity_check_configuration(host): """ Tests if certificate validity check configuration file has been deployed correctly. 
""" - config = File('/etc/check_certificate/parameters-mandatory.local_ldap.conf') + inventory_hostname = "parameters-mandatory-jessie64.local" + + config = host.file('/etc/check_certificate/%s_ldap.conf' % inventory_hostname) assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 - assert config.content == "/etc/ssl/certs/parameters-mandatory.local_ldap.pem" + assert config.content == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname -def test_tls_configuration(Command): +def test_tls_configuration(host): """ Tests if the TLS has been configured correctly and works. """ - starttls = Command('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/') + starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/') assert starttls.rc == 0 assert starttls.stdout == 'anonymous' - tls = Command('ldapwhoami -x -H ldaps://parameters-mandatory.local/') + tls = host.run('ldapwhoami -x -H ldaps://parameters-mandatory.local/') assert tls.rc == 0 assert tls.stdout == 'anonymous' - old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:636") + old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory.local:636") assert old_tls_versions_disabled.rc != 0 assert "CONNECTED" in old_tls_versions_disabled.stdout - cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:636") + cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory.local:636") assert cipher.rc == 0 assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout - cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:636") + cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory.local:636") assert cipher.rc != 0 assert "CONNECTED" in cipher.stdout assert 
"ECDHE-RSA-AES128-SHA" not in cipher.stdout -def test_ssf_configuration(Command, Sudo): +def test_ssf_configuration(host): """ Tests if the SSF olcSecurity configuration has been set-up correctly. """ - with Sudo(): - ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity') + with host.sudo(): + ssf = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity') assert ssf.rc == 0 assert "olcSecurity: ssf=128" in ssf.stdout -def test_permissions(Command, Sudo): +def test_permissions(host): """ Tests if LDAP directory permissions have been set-up correctly. """ - with Sudo(): - permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess") + with host.sudo(): + permissions = host.run("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess") expected_permissions = """olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn="cn=admin,dc=local" manage by * break olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none 
@@ -134,27 +140,27 @@ olcAccess: {3}to * by self write by dn="cn=admin,dc=local" write by users read b assert expected_permissions in permissions.stdout -def test_services_login_entries(Command, Sudo): +def test_services_login_entries(host): """ Tests if the service/consumer login entries have been set correctly. """ - with Sudo(): + with host.sudo(): - entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'") + entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'") assert entries.rc == 0 assert entries.stdout == "" -def test_group_entries(Command, Sudo): +def test_group_entries(host): """ Tests that no group entries have been created out-of-the-box. """ - with Sudo(): + with host.sudo(): - entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'") + entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'") assert entries.rc == 0 assert entries.stdout == ""
diff --git a/roles/ldap_server/tests/test_optional.py b/roles/ldap_server/molecule/default/tests/test_optional.py
similarity index 60%
rename from roles/ldap_server/tests/test_optional.py
rename to roles/ldap_server/molecule/default/tests/test_optional.py
index 9b2332e7b9b8243e82e7fc3e8dac8fb22efd463d..e4bcb84e58b12c5bc2a142acdcc8a9f6fe69f5a8 100644
--- a/roles/ldap_server/tests/test_optional.py
+++ b/roles/ldap_server/molecule/default/tests/test_optional.py
@@ -1,44 +1,46 @@ import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory').get_hosts('parameters-optional') + '.molecule/ansible_inventory.yml').get_hosts('parameters-optional') -def test_base_entry(Command, Sudo): +def test_base_entry(host): """ Tests if the base entry has been created correctly. """ - with Sudo(): + with host.sudo(): - base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base") + base_dn = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base") assert base_dn.rc == 0 assert "dc: local" in base_dn.stdout.split("\n") assert "o: Example" in base_dn.stdout.split("\n") -def test_log_level(Command, Sudo): +def test_log_level(host): """ Tests if the logging level has been set correctly. """ - with Sudo(): + with host.sudo(): - log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel') + log_level = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel') assert log_level.rc == 0 assert 'olcLogLevel: 0' in log_level.stdout -def test_ldap_tls_private_key_file(File, Sudo): +def test_ldap_tls_private_key_file(host): """ Tests if the TLS private key has been deployed correctly. """ - with Sudo(): + with host.sudo(): - key = File('/etc/ssl/private/parameters-optional_ldap.key') + inventory_hostname = "parameters-optional-jessie64" + + key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname) assert key.is_file assert key.user == 'root' 
@@ -47,14 +49,16 @@ def test_ldap_tls_private_key_file(File, Sudo): assert key.content == open('tests/data/x509/parameters-optional.key.pem').read().rstrip() -def test_ldap_tls_certificate_file(File, Sudo): +def test_ldap_tls_certificate_file(host): """ Tests if the TLS certificate has been deployed correctly. """ - with Sudo(): + with host.sudo(): + + inventory_hostname = "parameters-optional-jessie64" - cert = File('/etc/ssl/certs/parameters-optional_ldap.pem') + cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname) assert cert.is_file assert cert.user == 'root' 
@@ -63,66 +67,68 @@ def test_ldap_tls_certificate_file(File, Sudo): assert cert.content == open('tests/data/x509/parameters-optional.cert.pem').read().rstrip() -def test_certificate_validity_check_configuration(File): +def test_certificate_validity_check_configuration(host): """ Tests if certificate validity check configuration file has been deployed correctly. """ - config = File('/etc/check_certificate/parameters-optional_ldap.conf') + inventory_hostname = "parameters-optional-jessie64" + + config = host.file('/etc/check_certificate/%s_ldap.conf' % inventory_hostname) assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 - assert config.content == "/etc/ssl/certs/parameters-optional_ldap.pem" + assert config.content == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname -def test_tls_configuration(Command): +def test_tls_configuration(host): """ Tests if the TLS has been configured correctly and works. """ - ldap_starttls = Command('ldapwhoami -Z -x -H ldap://parameters-optional/') + ldap_starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-optional/') assert ldap_starttls.rc == 0 assert ldap_starttls.stdout == 'anonymous' - ldap_tls = Command('ldapwhoami -x -H ldaps://parameters-optional/') + ldap_tls = host.run('ldapwhoami -x -H ldaps://parameters-optional/') assert ldap_tls.rc == 0 assert ldap_tls.stdout == 'anonymous' - old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:636") + old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:636") assert old_tls_versions_disabled.rc == 0 assert "CONNECTED" in old_tls_versions_disabled.stdout - cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:636") + cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:636") assert cipher.rc == 0 assert 
"ECDHE-RSA-AES128-SHA256" in cipher.stdout - cipher = Command("echo 'Q' | openssl s_client -tls1_1 -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:636") + cipher = host.run("echo 'Q' | openssl s_client -tls1_1 -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:636") assert cipher.rc == 0 assert "ECDHE-RSA-AES128-SHA" in cipher.stdout -def test_ssf_configuration(Command, Sudo): +def test_ssf_configuration(host): """ Tests if the SSF olcSecurity configuration has been set-up correctly. """ - with Sudo(): - ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity') + with host.sudo(): + ssf = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity') assert ssf.rc == 0 assert "olcSecurity: ssf=0" in ssf.stdout -def test_permissions(Command, Sudo): +def test_permissions(host): """ Tests if LDAP directory permissions have been set-up correctly. """ - with Sudo(): - permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess") + with host.sudo(): + permissions = host.run("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess") expected_permissions = "olcAccess: {0}to * " \ "by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage " \ 
@@ -133,14 +139,14 @@ def test_permissions(Command, Sudo): assert expected_permissions in permissions.stdout -def test_services_login_entries(Command, Sudo): +def test_services_login_entries(host): """ Tests if the service/consumer login entries have been set correctly. """ - with Sudo(): + with host.sudo(): - entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'") + entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'") assert entries.rc == 0 assert entries.stdout == """dn: cn=consumer1,ou=services,dc=local @@ -156,14 +162,14 @@ userPassword:: Y29uc3VtZXIycGFzc3dvcmQ= cn: consumer2""" -def test_group_entries(Command, Sudo): +def test_group_entries(host): """ Tests that no group entries have been created out-of-the-box. """ - with Sudo(): + with host.sudo(): - entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'") + entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'") assert entries.rc == 0 assert entries.stdout == """dn: cn=group1,ou=groups,dc=local @@ -177,14 +183,14 @@ uniqueMember: cn=NONE cn: group2""" -def test_user_supplied_entries(Command, Sudo): +def test_user_supplied_entries(host): """ Tests if user-supplied entries are created correctly. """ - with Sudo(): + with host.sudo(): - john_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=john,dc=local") + john_doe = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=john,dc=local") assert john_doe.rc == 0 assert sorted(john_doe.stdout.split("\n")) == sorted("""dn: uid=john,dc=local objectClass: inetOrgPerson 
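Review bot: In test_tls_configuration the variable `old_tls_versions_disabled` is asserted with `rc == 0`, so on the parameters-optional host the name states the opposite of what the assertion checks — a handshake with TLS 1.2 excluded succeeds, presumably because this scenario deliberately accepts older protocol versions. Renaming it, e.g. `old_tls_versions_enabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:636")`, with a comment `# Optional-parameters scenario: pre-TLS1.2 clients are expected to connect; the mandatory scenario asserts the reverse.` would make the intent explicit, and the `-tls1_1 -cipher ECDHE-RSA-AES128-SHA` probe a few lines later is the same case. The `"CONNECTED"` substring only shows the TCP connection was made, so the protocol-version claim rests on the exit code alone; asserting on the `Protocol  :` line that s_client prints would pin down which version was actually negotiated. The literal `inventory_hostname = "parameters-optional-jessie64"` is repeated in test_ldap_tls_private_key_file, test_ldap_tls_certificate_file and test_certificate_validity_check_configuration; a module-level constant beside `testinfra_hosts` would keep the three copies from drifting apart.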
@@ -194,7 +200,7 @@ cn: John Doe sn: Doe uid: john""".split("\n")) - jane_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=jane,dc=local") + jane_doe = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=jane,dc=local") assert jane_doe.rc == 0 assert sorted(jane_doe.stdout.split("\n")) == sorted("""dn: uid=jane,dc=local objectClass: inetOrgPerson
diff --git a/roles/ldap_server/tests/test_client.py b/roles/ldap_server/tests/test_client.py
deleted file mode 100644
index bb7d08227076d0491fdadd50e7a3a9cb0d856d24..0000000000000000000000000000000000000000
--- a/roles/ldap_server/tests/test_client.py
+++ /dev/null
@@ -1,21 +0,0 @@
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- '.molecule/ansible_inventory').get_hosts('client')
-
-
-def test_connectivity(Command, Sudo):
-
- with Sudo():
-
- ping = Command('hping3 -S -p 389 -c 1 10.31.127.10')
- assert ping.rc == 0
-
- ping = Command('hping3 -S -p 636 -c 1 10.31.127.10')
- assert ping.rc == 0
-
- ping = Command('hping3 -S -p 389 -c 1 10.31.127.11')
- assert ping.rc == 0
-
- ping = Command('hping3 -S -p 636 -c 1 10.31.127.11')
- assert ping.rc == 0