From 28de9251c7aa5ff8fcb579c151f88f9c721031f2 2024-08-30 23:29:36
From: Branko Majic
Date: 2024-08-30 23:29:36
Subject: [PATCH] MAR-239: Dropped support for Debian 11 Bullseye from the xmpp_server role.
---
diff --git a/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml b/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
index 26869dfbbed00d79229ea49313ba8c8a60554edc..69d416aa51be4f56cf33fa2b3951061f449fc93a 100644
--- a/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
+++ b/roles/xmpp_server/molecule/default/host_vars/ldap-server.yml
@@ -39,9 +39,6 @@ backup_host_ssh_private_keys:
 ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 backup_clients:
- - server: parameters-optional-bullseye
- ip: 192.168.56.52
- public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 - server: parameters-optional-bookworm
 ip: 192.168.56.32
 public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
diff --git a/roles/xmpp_server/molecule/default/molecule.yml b/roles/xmpp_server/molecule/default/molecule.yml
index 058d724fa79b3d451f36d54f211fe8beaf44eea2..b79d7b3d5b8e4c0025ca5140173f81c878265002 100644
--- a/roles/xmpp_server/molecule/default/molecule.yml
+++ b/roles/xmpp_server/molecule/default/molecule.yml
@@ -31,59 +31,6 @@ platforms:
 type: static
- # Debian 11 Bullseye
- # ================
-
- - name: client-bullseye
- groups:
- - clients
- - bullseye
- # Use Bookworm client box for testing Bullseye servers to avoid
- # duplication of test code in test_client.py due to missing
- # functional build of go-sendxmpp for the Bullseye release (glibc
- # mismatch in prebuilt package).
- box: debian/bookworm64
- memory: 256
- cpus: 1
- provider_raw_config_args:
- - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
- interfaces:
- - auto_config: true
- ip: 192.168.56.41
- network_name: private_network
- type: static
- - name: parameters-mandatory-bullseye
- groups:
- - parameters-mandatory
- - bullseye
- box: debian/bullseye64
- memory: 512
- cpus: 1
- provider_raw_config_args:
- - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
- interfaces:
- - auto_config: true
- ip: 192.168.56.51
- network_name: private_network
- type: static
- - name: parameters-optional-bullseye
- groups:
- - parameters-optional
- - bullseye
- box: debian/bullseye64
- memory: 512
- cpus: 1
- provider_raw_config_args:
- - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
- interfaces:
- - auto_config: true
- ip: 192.168.56.52
- network_name: private_network
- type: static
- - # Debian 11 Bookworm - # ==================
diff --git a/roles/xmpp_server/molecule/default/prepare.yml b/roles/xmpp_server/molecule/default/prepare.yml
index 62187af3f9d3e10025beb642832b9b024a2bb50f..1111e787c5fe75f0d7b8106cfc3cc64de42e3989 100644
--- a/roles/xmpp_server/molecule/default/prepare.yml
+++ b/roles/xmpp_server/molecule/default/prepare.yml
@@ -23,21 +23,6 @@
 fqdn:
 - ldap-server
- - name: parameters-mandatory-bullseye_xmpp
- fqdn:
- - parameters-mandatory
- - domain1
- - proxy.domain1
- - conference.domain1
- - name: parameters-optional-bullseye_xmpp
- fqdn:
- - parameters-optional
- - domain2
- - proxy.domain2
- - conference.domain2
- - domain3
- - proxy.domain3
- - conference.domain3
 - name: parameters-mandatory-bookworm_xmpp
 fqdn:
 - parameters-mandatory
@@ -91,35 +76,6 @@
 regexp: "host\\.name\\)"
 replace: "host.targetname)"
-- hosts: bullseye
- become: true
- tasks:
-
- - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter
- lineinfile:
- path: "/etc/ssl/openssl.cnf"
- regexp: "^MinProtocol ="
- line: "MinProtocol = TLSv1.0"
- owner: root
- group: root
- mode: 0644
- state: present
-
- - name: Set-up the hosts file
- lineinfile:
- path: /etc/hosts
- regexp: "^{{ item.key }}"
- line: "{{ item.key }} {{ item.value }}"
- owner: root
- group: root
- mode: 0644
- state: present
- with_dict:
- 192.168.56.11: "ldap-server backup-server"
- 192.168.56.41: "client-bullseye"
- 192.168.56.51: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
- 192.168.56.52: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 - hosts: bookworm
 become: true
 tasks:
@@ -311,7 +267,7 @@
 name: "{{ sendxmpp_package }}"
 state: present
 vars:
- sendxmpp_package: "{% if ansible_distribution_release == 'bullseye' %}sendxmpp{% else %}go-sendxmpp{% endif %}"
+ sendxmpp_package: "go-sendxmpp"
 - name: Deploy small Lua script for listing the enabled modules in Prosody
 copy:
diff --git a/roles/xmpp_server/molecule/default/tests/test_backup.py b/roles/xmpp_server/molecule/default/tests/test_backup.py
index 26c0d091e7ad44f067c8e83ff944fa60facdea9d..e43a6822dc43b9e7125b69cc3ba5271304669ae2 100644
--- a/roles/xmpp_server/molecule/default/tests/test_backup.py
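Review bot: With the release switch gone, `sendxmpp_package: "go-sendxmpp"` under `vars:` only aliases a constant, so the `{{ sendxmpp_package }}` lookup on the `name:` line above it no longer earns its keep; `name: go-sendxmpp` with the `vars:` block dropped says the same thing directly. This is a style point only, there is no behaviour change either way. The enclosing apt task starts before the hunk.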
+++ b/roles/xmpp_server/molecule/default/tests/test_backup.py
@@ -13,21 +13,14 @@ def test_backup(host):
 Tests if Prosody data directory is correctly backed-up. """
- distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
-
 # Deliver a couple of messages in order to make sure the directory structure
 # is created.
 message = str(uuid.uuid1())
- if distribution_release == "bullseye":
- send = host.run("echo '%s' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt " "-t -u jane.doe -p janepassword -j domain2:5222 mick.doe@domain3", message)
- assert send.rc == 0
- else:
- send = host.run("echo '%s' | go-sendxmpp --debug " "--username jane.doe@domain2 --password janepassword --jserver domain3:5222 " "mick.doe@domain3", message)
- assert send.rc == 0
+ send = host.run("echo '%s' | go-sendxmpp --debug " "--username jane.doe@domain2 --password janepassword --jserver domain3:5222 " "mick.doe@domain3", message)
+ assert send.rc == 0
 with host.sudo():
diff --git a/roles/xmpp_server/molecule/default/tests/test_default_bullseye.py b/roles/xmpp_server/molecule/default/tests/test_default_bullseye.py
deleted file mode 100644
index 43f1e49d43b0dbee6ac6edd481ad55fc383f5343..0000000000000000000000000000000000000000
--- a/roles/xmpp_server/molecule/default/tests/test_default_bullseye.py
+++ /dev/null
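Review bot: The `go-sendxmpp` invocation that now runs unconditionally passes no CA bundle, so the TLS verification this test exercises depends entirely on the test CA already being in the client's system trust store, and nothing in the hunk shows that; the removed `sendxmpp` path pinned `--tls-ca-path /usr/local/share/ca-certificates/testca.crt` explicitly, and that path suggests `update-ca-certificates` is run somewhere in prepare.yml, but I cannot see it here. Worth confirming that go-sendxmpp really verifies the server certificate against the test CA rather than tolerating an untrusted one, and recording the dependency above the call: `# The test CA is installed system-wide by prepare.yml, so go-sendxmpp needs no explicit CA path.` The `--password` on the command line and the `--debug` session dump are fixture credentials in a throwaway VM, acceptable here but not a pattern to copy into anything operational. `test_backup` continues below the hunk.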
@@ -1,25 +0,0 @@
-import os
-
-import testinfra.utils.ansible_runner
-
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-bullseye')
-
-
-def test_backports_prosody_pinning_absent(host):
- """
- Tests if the Prosody backports pinning is absent.
- """
-
- pin = host.file("/etc/apt/preferences.d/prosody")
-
- assert not pin.exists
-
- prosody_package = host.package("prosody")
- prosody_modules_package = host.package("prosody-modules")
- lua_ldap_package = host.package("lua-sec")
-
- assert "bpo" not in prosody_package.version
- assert "bpo" not in prosody_modules_package.version
- assert "bpo" not in lua_ldap_package.version
diff --git a/roles/xmpp_server/molecule/default/tests/test_mandatory.py b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
index 46bafe8176aa88321de5c52c1c08772becebcdd5..839cc95527f9a1219623b9ff7efb9b066e1629ba 100644
--- a/roles/xmpp_server/molecule/default/tests/test_mandatory.py
+++ b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
@@ -49,31 +49,18 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 XMPP C2S ports. """
- distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
-
- if distribution_release == "bullseye":
- expected_tls_versions = ["TLSv1.2"]
- expected_tls_ciphers = [
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- ]
- else:
- expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
- expected_tls_ciphers = [
- "TLS_AKE_WITH_AES_128_GCM_SHA256",
- "TLS_AKE_WITH_AES_256_GCM_SHA384",
- "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- ]
+ expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
+ expected_tls_ciphers = [
+ "TLS_AKE_WITH_AES_128_GCM_SHA256",
+ "TLS_AKE_WITH_AES_256_GCM_SHA384",
+ "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ ]
 # Run the nmap scanner against the server, and fetch the results.
 nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))
diff --git a/roles/xmpp_server/molecule/default/tests/test_optional.py b/roles/xmpp_server/molecule/default/tests/test_optional.py
index 39ab5b8fa1beae0e9b413cad52e2f1facecfbf98..f1ea126df3ecba81a8fcfd48330051c02a7d7564 100644
--- a/roles/xmpp_server/molecule/default/tests/test_optional.py
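Review bot: The `TLS_AKE_WITH_*` entries in `expected_tls_ciphers` are nmap's ssl-enum-ciphers spelling of the TLS 1.3 suites rather than a separate key-exchange family, and with the Bullseye branch gone there is no longer anything nearby hinting at that, so a reader is likely to take them for misspelt RSA suites or "tidy" them away; a comment above the list such as `# TLS_AKE_WITH_* is how nmap's ssl-enum-ciphers reports the TLS 1.3 suites` would prevent that. The values themselves look right for the mandatory instance: only TLS 1.2/1.3, AEAD-only, forward-secret ECDHE/DHE, so no change there. How the expected lists are compared against the nmap XML, and the rest of `test_xmpp_c2s_tls_version_and_ciphers`, are below the hunk.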
+++ b/roles/xmpp_server/molecule/default/tests/test_optional.py 
@@ -55,37 +55,21 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port):
 XMPP C2S ports. """
- distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
-
- if distribution_release == "bullseye":
- expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
- expected_tls_ciphers = [
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- ]
- else:
- expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
- expected_tls_ciphers = [
- "TLS_AKE_WITH_AES_128_GCM_SHA256",
- "TLS_AKE_WITH_AES_256_GCM_SHA384",
- "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- ]
+ expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
+ expected_tls_ciphers = [
+ "TLS_AKE_WITH_AES_128_GCM_SHA256",
+ "TLS_AKE_WITH_AES_256_GCM_SHA384",
+ "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ ]
 # Run the nmap scanner against the server, and fetch the results.
 nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))
diff --git a/roles/xmpp_server/tasks/main.yml b/roles/xmpp_server/tasks/main.yml
index a41e15e68dd1321b18d9dae1931467bf7fd5e847..76f4580ade12c5e23831236c2a97af0c56c13d5e 100644
--- a/roles/xmpp_server/tasks/main.yml
+++ b/roles/xmpp_server/tasks/main.yml
@@ -22,12 +22,6 @@
 update_cache: true
 when: backports_repository_configuration.changed
-- name: Drop package pins to backports for Prosody on Debian 11 Bullseye
- file:
- path: /etc/apt/preferences.d/prosody
- state: absent
- when: ansible_distribution_release == 'bullseye'
-
 - name: Install additional Prosody dependencies
 apt:
 name:
diff --git a/roles/xmpp_server/templates/prosody.cfg.lua.j2 b/roles/xmpp_server/templates/prosody.cfg.lua.j2
index 86bbcd26e2cf35923ff57cfe3a87e5a243a365fc..110a533ff1296277da43a095996070ec654c05b7 100644
--- a/roles/xmpp_server/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp_server/templates/prosody.cfg.lua.j2
@@ -55,12 +55,6 @@ c2s_ssl = {
 -- Configure TLS protocol and ciphers for client-to-server
 -- connections (direct TLS).
-{% if ansible_distribution_release == "bullseye" %}
-legacy_ssl_ssl = {
- protocol = "{{ xmpp_server_tls_protocol }}";
- ciphers = "{{ xmpp_server_tls_ciphers }}";
-}
-{% else %}
 c2s_direct_tls_ssl = {
 protocol = "{{ xmpp_server_tls_protocol }}";
 ciphers = "{{ xmpp_server_tls_ciphers }}";
@@ -72,14 +66,9 @@ c2s_direct_tls_ssl = {
 -- in within this configuration context as well to fix the issue.
 dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
 }
-{% endif %}
 -- Ports on which to have direct TLS/SSL.
-{% if ansible_distribution_release == "bullseye" %}
-legacy_ssl_ports = { 5223 }
-{% else %}
 c2s_direct_tls_ports = { 5223 }
-{% endif %}
 -- Force clients to use encrypted connection.
 c2s_require_encryption = true
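Review bot: `expected_tls_versions` now unconditionally lists `"TLSv1.0"` and `"TLSv1.1"` and `expected_tls_ciphers` keeps the CBC suites, so this test only passes when the `parameters-optional` instance is deliberately configured with a legacy policy and the OpenSSL protocol floor on the test host has been lowered for it — the removed bullseye play in prepare.yml did exactly that with `MinProtocol = TLSv1.0`, while the bookworm play that remains is outside this diff, so I cannot see whether it still does. Without a comment the next reader will reasonably read this as the role shipping a weak default and "fix" it; something like `# parameters-optional intentionally sets a permissive xmpp_server_tls_protocol/xmpp_server_tls_ciphers; this checks that the parameters are honoured, not that the defaults are strong.` above the lists states the intent. The comparison against the nmap output and the rest of `test_xmpp_c2s_tls_version_and_ciphers` are below the hunk.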
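Review bot: `protocol = "{{ xmpp_server_tls_protocol }}";` and `ciphers = "{{ xmpp_server_tls_ciphers }}";` in the `c2s_direct_tls_ssl` block splice role variables into Lua string literals with no escaping, so a value containing `"`, `\` or a newline would break the rendered prosody.cfg.lua or let arbitrary Lua into it. These are operator-supplied role variables, not user input, so this is hardening rather than an exploitable hole; the cheap fix is an `assert` task in tasks/main.yml that fails before templating unless both values match the character set OpenSSL cipher strings and LuaSec protocol names actually use, e.g. `that: xmpp_server_tls_ciphers is match('^[A-Za-z0-9:!+@=_-]+$')` and the same for the protocol. The hunk header points at an enclosing `c2s_ssl` block, which presumably interpolates the same two variables, so one check would cover both. The `c2s_direct_tls_ssl` table continues into the next hunk.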