From 5dab5854fcc856568104de71ba45f8ed4b7964af 2020-07-29 14:21:06
From: Branko Majic <branko@majic.rs>
Date: 2020-07-29 14:21:06
Subject: [PATCH] MAR-162: Make the xmpp_tls_certificate and xmpp_tls_key parameters mandatory in xmpp_server role:

- Dropped the defaults from wsgi_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
- Deduplicated tests for the TLS files.

---

diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 04e053e326577c50fac9e2b748567ff7d1e611e4..d21654ce69aceb50764000c4fc5f024619ef10bd 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -938,11 +938,11 @@ Parameters
   to switch to a different nightly builds. It should be noted that
   only the default version is getting properly tested.
 
-**xmpp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_xmpp.pem') }}``)
+**xmpp_tls_certificate** (string, mandatory)
   X.509 certificate used for TLS for XMPP service. The file will be stored in
   directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``.
 
-**xmpp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_xmpp.key') }}``)
+**xmpp_tls_key** (string, mandatory)
   Private key used for TLS for XMPP service. The file will be stored in
   directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``.
 
diff --git a/docs/usage.rst b/docs/usage.rst
index f55fda988a2835c0b588c90c29ea682c09c129ba..7fbc540568b06dc1977cab73ea2bcbb6911318dc 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -1057,6 +1057,10 @@ role.
    :file:`~/mysite/group_vars/communications.yml`
    ::
 
+      # Set the TLS private key and certificate.
+      xmpp_server_tls_certificate: "{{ lookup('file', 'tls/comms.example.com_xmpp.pem') }}"
+      xmpp_server_tls_key: "{{ lookup('file', 'tls/comms.example.com_xmpp.key') }}"
+
       # Set one of the users to also be an XMPP administrator.
       xmpp_administrators:
         - john.doe@example.com
diff --git a/roles/xmpp_server/defaults/main.yml b/roles/xmpp_server/defaults/main.yml
index f90e98953ead7924e5c8ca91358814e5b6ea8428..3521fcc4d3dc666289d9432b2d9ee9084f0d64b1 100644
--- a/roles/xmpp_server/defaults/main.yml
+++ b/roles/xmpp_server/defaults/main.yml
@@ -4,5 +4,3 @@ enable_backup: false
 xmpp_domains:
   - "{{ ansible_domain }}"
 xmpp_prosody_package: "prosody-0.10"
-xmpp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_xmpp.pem') }}"
-xmpp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_xmpp.key') }}"
diff --git a/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml b/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml
index 57596b9126bf453d96371c90e76de9e15a9b4628..2be4418cc81730b58d194afe184d881895d2a4fb 100644
--- a/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml
+++ b/roles/xmpp_server/molecule/default/group_vars/parameters-mandatory.yml
@@ -5,10 +5,8 @@ xmpp_administrators:
 xmpp_ldap_base_dn: dc=local
 xmpp_ldap_password: prosodypassword
 xmpp_ldap_server: ldap-server
-
-# Common parameters (general, not role).
-tls_certificate_dir: tests/data/x509/
-tls_private_key_dir: tests/data/x509/
+xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.cert.pem') }}"
+xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.key.pem') }}"
 
 # common
 ca_certificates:
diff --git a/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml b/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
index 5b6770eeadc3e9454db6dc1e358870020abd5d27..e22e5353dc8db1adba44bf7d3e05dc85358534f1 100644
--- a/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/xmpp_server/molecule/default/group_vars/parameters-optional.yml
@@ -10,12 +10,8 @@ xmpp_ldap_base_dn: dc=local
 xmpp_ldap_password: prosodypassword
 xmpp_ldap_server: ldap-server
 xmpp_prosody_package: prosody-0.9
-xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_xmpp.cert.pem') }}"
-xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_xmpp.key.pem') }}"
-
-# Common parameters (general, not role).
-tls_certificate_dir: tests/data/x509/
-tls_private_key_dir: tests/data/x509/
+xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.cert.pem') }}"
+xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_xmpp.key.pem') }}"
 
 # common
 ca_certificates:
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.pem b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.cert.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.pem
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.cert.pem
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.domain1_xmpp.key.pem
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.cert.pem b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.cert.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.cert.pem
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.cert.pem
diff --git a/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.key.pem b/roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.key.pem
similarity index 100%
rename from roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional_xmpp.key.pem
rename to roles/xmpp_server/molecule/default/tests/data/x509/parameters-optional-stretch64_xmpp.key.pem
diff --git a/roles/xmpp_server/molecule/default/tests/test_default.py b/roles/xmpp_server/molecule/default/tests/test_default.py
index 141d92148069d7f79942ec9b306c689995ccf0bf..1049cde7880b741954a34557029785294ea9671f 100644
--- a/roles/xmpp_server/molecule/default/tests/test_default.py
+++ b/roles/xmpp_server/molecule/default/tests/test_default.py
@@ -145,6 +145,31 @@ def test_xmpp_server_dh_parameters_file(host):
         assert "DH Parameters: (2048 bit)" in dhparam_info.stdout
 
 
+def test_prosody_tls_files(host):
+    """
+    Tests if Prosody TLS private key and certificage have been deployed
+    correctly.
+    """
+
+    hostname = host.run('hostname -f').stdout.strip()
+
+    with host.sudo():
+
+        tls_file = host.file('/etc/ssl/private/%s_xmpp.key' % hostname)
+        assert tls_file.is_file
+        assert tls_file.user == 'root'
+        assert tls_file.group == 'prosody'
+        assert tls_file.mode == 0o640
+        assert tls_file.content_string == open("tests/data/x509/%s_xmpp.key.pem" % hostname, "r").read().rstrip()
+
+        tls_file = host.file('/etc/ssl/certs/%s_xmpp.pem' % hostname)
+        assert tls_file.is_file
+        assert tls_file.user == 'root'
+        assert tls_file.group == 'root'
+        assert tls_file.mode == 0o644
+        assert tls_file.content_string == open("tests/data/x509/%s_xmpp.cert.pem" % hostname, "r").read().rstrip()
+
+
 # @TODO: Tests which were not implemented due to lack of out-of-box tools:
 #
 # - Proxy capability.
diff --git a/roles/xmpp_server/molecule/default/tests/test_mandatory.py b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
index a2cb2d67c3232809c5297cfdd4e118976465e4dc..f8dc8919497d8efb9fa146d9fe8d31e48053d949 100644
--- a/roles/xmpp_server/molecule/default/tests/test_mandatory.py
+++ b/roles/xmpp_server/molecule/default/tests/test_mandatory.py
@@ -7,31 +7,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
 
 
-def test_prosody_tls_files(host):
-    """
-    Tests if Prosody TLS private key and certificage have been deployed
-    correctly.
-    """
-
-    hostname = host.run('hostname').stdout.strip()
-
-    with host.sudo():
-
-        tls_file = host.file('/etc/ssl/private/%s.domain1_xmpp.key' % hostname)
-        assert tls_file.is_file
-        assert tls_file.user == 'root'
-        assert tls_file.group == 'prosody'
-        assert tls_file.mode == 0o640
-        assert tls_file.content_string == open("tests/data/x509/%s.domain1_xmpp.key" % hostname, "r").read().rstrip()
-
-        tls_file = host.file('/etc/ssl/certs/%s.domain1_xmpp.pem' % hostname)
-        assert tls_file.is_file
-        assert tls_file.user == 'root'
-        assert tls_file.group == 'root'
-        assert tls_file.mode == 0o644
-        assert tls_file.content_string == open("tests/data/x509/%s.domain1_xmpp.pem" % hostname, "r").read().rstrip()
-
-
 def test_certificate_validity_check_configuration(host):
     """
     Tests if certificate validity check configuration file has been deployed
diff --git a/roles/xmpp_server/molecule/default/tests/test_optional.py b/roles/xmpp_server/molecule/default/tests/test_optional.py
index 195126335bb21c5b5085a9528d3f59a53d68322d..2c342a76115510e8903f5342d699aedc32b66ec7 100644
--- a/roles/xmpp_server/molecule/default/tests/test_optional.py
+++ b/roles/xmpp_server/molecule/default/tests/test_optional.py
@@ -7,31 +7,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
 
 
-def test_prosody_tls_files(host):
-    """
-    Tests if Prosody TLS private key and certificage have been deployed
-    correctly.
-    """
-
-    hostname = host.run('hostname').stdout.strip()
-
-    with host.sudo():
-
-        tls_file = host.file('/etc/ssl/private/%s_xmpp.key' % hostname)
-        assert tls_file.is_file
-        assert tls_file.user == 'root'
-        assert tls_file.group == 'prosody'
-        assert tls_file.mode == 0o640
-        assert tls_file.content_string == open("tests/data/x509/parameters-optional_xmpp.key.pem", "r").read().rstrip()
-
-        tls_file = host.file('/etc/ssl/certs/%s_xmpp.pem' % hostname)
-        assert tls_file.is_file
-        assert tls_file.user == 'root'
-        assert tls_file.group == 'root'
-        assert tls_file.mode == 0o644
-        assert tls_file.content_string == open("tests/data/x509/parameters-optional_xmpp.cert.pem", "r").read().rstrip()
-
-
 def test_certificate_validity_check_configuration(host):
     """
     Tests if certificate validity check configuration file has been deployed