From 5dab5854fcc856568104de71ba45f8ed4b7964af 2020-07-29 14:21:06
From: Branko Majic
Date: 2020-07-29 14:21:06
Subject: [PATCH] MAR-162: Make the xmpp_tls_certificate and xmpp_tls_key parameters mandatory in xmpp_server role:
- Dropped the defaults from wsgi_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
- Deduplicated tests for the TLS files.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 04e053e326577c50fac9e2b748567ff7d1e611e4..d21654ce69aceb50764000c4fc5f024619ef10bd 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -938,11 +938,11 @@ Parameters
 to switch to a different nightly builds. It should be noted that only the default version is getting properly tested.
-**xmpp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_xmpp.pem') }}``)
+**xmpp_tls_certificate** (string, mandatory)
 X.509 certificate used for TLS for XMPP service. The file will be stored in directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``.
-**xmpp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_xmpp.key') }}``)
+**xmpp_tls_key** (string, mandatory)
 Private key used for TLS for XMPP service. The file will be stored in directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``.
diff --git a/docs/usage.rst b/docs/usage.rst
index f55fda988a2835c0b588c90c29ea682c09c129ba..7fbc540568b06dc1977cab73ea2bcbb6911318dc 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -1057,6 +1057,10 @@ role.
 :file:`~/mysite/group_vars/communications.yml` ::
+ # Set the TLS private key and certificate.
+ xmpp_server_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_xmpp.pem') }}"
+ xmpp_server_tls_key: "{{ lookup('file', 'tls/comms.example.com_xmpp.key') }}"
+
 # Set one of the users to also be an XMPP administrator.
 xmpp_administrators:
 - john.doe@example.com
diff --git a/roles/xmpp_server/defaults/main.yml b/roles/xmpp_server/defaults/main.yml
index f90e98953ead7924e5c8ca91358814e5b6ea8428..3521fcc4d3dc666289d9432b2d9ee9084f0d64b1 100644
--- a/roles/xmpp_server/defaults/main.yml
+++ b/roles/xmpp_server/defaults/main.yml
@@ -4,5 +4,3 @@ enable_backup: false
 xmpp_domains:
 - "{{ ansible_domain }}"
 xmpp_prosody_package: "prosody-0.10"
-xmpp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_xmpp.pem') }}"
-xmpp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_xmpp.key') }}"
diff --git a/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml b/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml
index 57596b9126bf453d96371c90e76de9e15a9b4628..2be4418cc81730b58d194afe184d881895d2a4fb 100644
--- a/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml
+++ b/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml
@@ -5,10 +5,8 @@ xmpp_administrators:
 xmpp_ldap_base_dn: dc=local
 xmpp_ldap_password: prosodypassword
 xmpp_ldap_server: ldap-server
-
-# Common parameters (general, not role).
-tls_certificate_dir: tests/data/x509/
-tls_private_key_dir: tests/data/x509/
+xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.cert.pem') }}"
+xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.key.pem') }}"
 # common
 ca_certificates:
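Review bot: The variable names that this commit's docs/usage.rst hunk tells users to set, `xmpp_server_tls_certificate` and `xmpp_server_tls_key`, do not match the parameters whose defaults are dropped here, `xmpp_tls_certificate` and `xmpp_tls_key` (the names docs/rolereference.rst documents and the molecule group_vars use), so a user following the usage page would now hit an undefined-variable failure at whatever task first consumes the key. The usage example should read `xmpp_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_xmpp.pem') }}"` and `xmpp_tls_key: "{{ lookup('file', 'tls/comms.example.com_xmpp.key') }}"`. Nothing in this diff shows the role validating the two variables up front; an `assert` task at the start of the role's task list with `that: [xmpp_tls_certificate is defined, xmpp_tls_key is defined]` would fail the play before any service changes are made rather than mid-way through. The commit message's first bullet names `wsgi_server`, but the defaults removed here are in `roles/xmpp_server`.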
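Review bot: The new `xmpp_tls_certificate` and `xmpp_tls_key` values nest `{{ inventory_hostname }}` inside the outer `{{ lookup(...) }}` expression, which appears to rely on the file lookup re-templating its term string rather than on Jinja itself; the concatenation form the removed default in defaults/main.yml used is the unambiguous way to build the path: `xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/' + inventory_hostname + '_xmpp.cert.pem') }}"` and likewise for the key. The same applies to the parameters-optional.yml hunk. Note also that docs/rolereference.rst says the deployed files are named after `ansible_fqdn` while these fixtures are selected by `inventory_hostname`; presumably the molecule inventory names equal the guests' FQDNs, otherwise the fixture and the file test_default.py checks would diverge, so a comment stating that assumption next to these two lines would help.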
diff --git a/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml b/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
index 5b6770eeadc3e9454db6dc1e358870020abd5d27..e22e5353dc8db1adba44bf7d3e05dc85358534f1 100644
--- a/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
@@ -10,12 +10,8 @@ xmpp_ldap_base_dn: dc=local
 xmpp_ldap_password: prosodypassword
 xmpp_ldap_server: ldap-server
 xmpp_prosody_package: prosody-0.9
-xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_xmpp.cert.pem') }}"
-xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_xmpp.key.pem') }}"
-
-# Common parameters (general, not role).
-tls_certificate_dir: tests/data/x509/
-tls_private_key_dir: tests/data/x509/
+xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.cert.pem') }}"
+xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.key.pem') }}"
 # common
 ca_certificates:
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.pem b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.cert.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.pem
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.cert.pem
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key.pem
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.cert.pem b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.cert.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.cert.pem
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.cert.pem
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.key.pem b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.key.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.key.pem
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.key.pem
diff --git a/roles/xmpp_server/molecule/default/tests/test_default.py b/roles/xmpp_server/molecule/default/tests/test_default.py
index 141d92148069d7f79942ec9b306c689995ccf0bf..1049cde7880b741954a34557029785294ea9671f 100644
--- a/roles/xmpp_server/molecule/default/tests/test_default.py
+++ b/roles/xmpp_server/molecule/default/tests/test_default.py
@@ -145,6 +145,31 @@ def test_xmpp_server_dh_parameters_file(host):
 assert "DH Parameters: (2048 bit)" in dhparam_info.stdout
+def test_prosody_tls_files(host):
+ """
+ Tests if Prosody TLS private key and certificage have been deployed
+ correctly.
+ """
+
+ hostname = host.run('hostname -f').stdout.strip()
+
+ with host.sudo():
+
+ tls_file = host.file('/etc/ssl/private/%s_xmpp.key' % hostname)
+ assert tls_file.is_file
+ assert tls_file.user == 'root'
+ assert tls_file.group == 'prosody'
+ assert tls_file.mode == 0o640
+ assert tls_file.content_string == open("tests/data/x509/%s_xmpp.key.pem" % hostname, "r").read().rstrip()
+
+ tls_file = host.file('/etc/ssl/certs/%s_xmpp.pem' % hostname)
+ assert tls_file.is_file
+ assert tls_file.user == 'root'
+ assert tls_file.group == 'root'
+ assert tls_file.mode == 0o644
+ assert tls_file.content_string == open("tests/data/x509/%s_xmpp.cert.pem" % hostname, "r").read().rstrip()
+
+
 # @TODO: Tests which were not implemented due to lack of out-of-box tools:
 #
 # - Proxy capability.
diff --git a/roles/xmpp_server/molecule/default/tests/test_mandatory.py b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
index a2cb2d67c3232809c5297cfdd4e118976465e4dc..f8dc8919497d8efb9fa146d9fe8d31e48053d949 100644
--- a/roles/xmpp_server/molecule/default/tests/test_mandatory.py
+++ b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
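Review bot: The two expected-content reads in test_prosody_tls_files (`open(...).read().rstrip()` on both `assert tls_file.content_string ==` lines) never close the fixture file, so the handle lingers until garbage collection and pytest reports a ResourceWarning; read each fixture under a context manager, e.g. `with open("tests/data/x509/%s_xmpp.key.pem" % hostname, "r") as f:` / `expected_key = f.read().rstrip()` and then `assert tls_file.content_string == expected_key`, and the same for the certificate. The test keys both the deployed path and the fixture path on `hostname -f`, while the group_vars in this commit select the fixture by `inventory_hostname` and docs/rolereference.rst says the deployed name comes from `ansible_fqdn`; that presumably only lines up when the molecule inventory names are the guests' FQDNs, so a comment such as `# Fixtures are named after the FQDN; inventory_hostname must equal the output of hostname -f.` would record the assumption. The ownership and mode checks on the private key (root:prosody, 0o640) are the right thing to pin and should stay as they are. The docstring's `certificage` should read `certificate`.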
@@ -7,31 +7,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
-def test_prosody_tls_files(host):
- """
- Tests if Prosody TLS private key and certificage have been deployed
- correctly.
- """
-
- hostname = host.run('hostname').stdout.strip()
-
- with host.sudo():
-
- tls_file = host.file('/etc/ssl/private/%s.domain1_xmpp.key' % hostname)
- assert tls_file.is_file
- assert tls_file.user == 'root'
- assert tls_file.group == 'prosody'
- assert tls_file.mode == 0o640
- assert tls_file.content_string == open("tests/data/x509/%s.domain1_xmpp.key" % hostname, "r").read().rstrip()
-
- tls_file = host.file('/etc/ssl/certs/%s.domain1_xmpp.pem' % hostname)
- assert tls_file.is_file
- assert tls_file.user == 'root'
- assert tls_file.group == 'root'
- assert tls_file.mode == 0o644
- assert tls_file.content_string == open("tests/data/x509/%s.domain1_xmpp.pem" % hostname, "r").read().rstrip()
-
-
 def test_certificate_validity_check_configuration(host):
 """
 Tests if certificate validity check configuration file has been deployed
diff --git a/roles/xmpp_server/molecule/default/tests/test_optional.py b/roles/xmpp_server/molecule/default/tests/test_optional.py
index 195126335bb21c5b5085a9528d3f59a53d68322d..2c342a76115510e8903f5342d699aedc32b66ec7 100644
--- a/roles/xmpp_server/molecule/default/tests/test_optional.py
+++ b/roles/xmpp_server/molecule/default/tests/test_optional.py
@@ -7,31 +7,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
-def test_prosody_tls_files(host):
- """
- Tests if Prosody TLS private key and certificage have been deployed
- correctly.
- """
-
- hostname = host.run('hostname').stdout.strip()
-
- with host.sudo():
-
- tls_file = host.file('/etc/ssl/private/%s_xmpp.key' % hostname)
- assert tls_file.is_file
- assert tls_file.user == 'root'
- assert tls_file.group == 'prosody'
- assert tls_file.mode == 0o640
- assert tls_file.content_string == open("tests/data/x509/parameters-optional_xmpp.key.pem", "r").read().rstrip()
-
- tls_file = host.file('/etc/ssl/certs/%s_xmpp.pem' % hostname)
- assert tls_file.is_file
- assert tls_file.user == 'root'
- assert tls_file.group == 'root'
- assert tls_file.mode == 0o644
- assert tls_file.content_string == open("tests/data/x509/parameters-optional_xmpp.cert.pem", "r").read().rstrip()
-
-
 def test_certificate_validity_check_configuration(host):
 """
 Tests if certificate validity check configuration file has been deployed