From be01ee86b9ddea7fa2d677682cac4dd520de72c6 2020-08-25 17:55:08 From: Branko Majic Date: 2020-08-25 17:55:08 Subject: [PATCH] MAR-162: Make the smtp_relay_truststore parameter mandatory in mail_forwarder role: - Dropped the defaults from mail_forwarder role. - Updated group variables in role tests. - Updated role reference documentation. - Updated usage instructions to include the mandatory parameter. - Deduplicated tests for the TLS files.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index d21654ce69aceb50764000c4fc5f024619ef10bd..084e3702c648edb0dc68c4c85debd8487df4b639 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1309,7 +1309,7 @@ Parameters
 **smtp_relay_host_port** (integer, optional, ``None``)
 Port to use when connecting to the SMTP relay host.
-**smtp_relay_truststore** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}``)
+**smtp_relay_truststore** (string, mandatory)
 X.509 certificate chain used for issuing certificate for the SMTP relay service. The file will be stored in location ``/etc/ssl/certs/smtp_relay_truststore.pem``
diff --git a/docs/usage.rst b/docs/usage.rst
index 7fbc540568b06dc1977cab73ea2bcbb6911318dc..3defa3f95c1835a717807585e4202a293863430c 100644
--- a/docs/usage.rst
+++ b/docs/usage.rst
@@ -982,7 +982,11 @@ external addresses on those two servers goes through our anti-virus scanner.
 :file:`~/mysite/group_vars/all.yml`
 ::
- # First, let's make sure any mails directed to localhost root account get
+ # Define what X.509 certificates should be used for validating
+ # the certificate of server we are relaying the mails through.
+ smtp_relay_truststore: "{{ lookup('file', '~/mysite/tls/truststore.pem') }}"
+
+ # Make sure any mails directed to localhost root account get
 # forwarded to one of our mail users as well.
 local_mail_aliases:
 root: root john.doe@example.com 
diff --git a/roles/mail_forwarder/defaults/main.yml b/roles/mail_forwarder/defaults/main.yml
index 9c75026da95130464a22ecd45debea346b2ad525..7e9d19e3ca190b420a4751bd956077d0700dfca5 100644
--- a/roles/mail_forwarder/defaults/main.yml
+++ b/roles/mail_forwarder/defaults/main.yml
@@ -3,6 +3,5 @@
 local_mail_aliases: {}
 smtp_from_relay_allowed: true
 smtp_relay_host: ""
-smtp_relay_truststore: "{{ lookup('file', tls_certificate_dir + '/truststore.pem') }}"
 smtp_relay_host_port: null
 mail_message_size_limit: 10240000
diff --git a/roles/mail_forwarder/molecule/default/group_vars/parameters-mandatory.yml b/roles/mail_forwarder/molecule/default/group_vars/parameters-mandatory.yml
index 9dca40540130109a6cb72761f1249bb3c194113a..3c8b82e3aaca6c6c32013e7e3846dce74d5bd3cb 100644
--- a/roles/mail_forwarder/molecule/default/group_vars/parameters-mandatory.yml
+++ b/roles/mail_forwarder/molecule/default/group_vars/parameters-mandatory.yml
@@ -1,4 +1,3 @@
 ---
-# Global common parameters.
-tls_certificate_dir: tests/data/x509/
+smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"
diff --git a/roles/mail_forwarder/molecule/default/tests/test_default.py b/roles/mail_forwarder/molecule/default/tests/test_default.py
index 2c9c90d342a4f07e134d35456654127207d1b5be..f5698a7e0ea450751f521e15f200c2bc7425f2e2 100644
--- a/roles/mail_forwarder/molecule/default/tests/test_default.py
+++ b/roles/mail_forwarder/molecule/default/tests/test_default.py
@@ -27,7 +27,7 @@ def test_removed_packages(host):
 def test_smtp_relay_truststore_file(host):
 """
- Tests if SMTP relay truststore has correct permissions
+ Tests if SMTP relay truststore has correct permissions and content.
 """
 truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')
@@ -36,6 +36,7 @@ def test_smtp_relay_truststore_file(host):
 assert truststore.user == 'root'
 assert truststore.group == 'root'
 assert truststore.mode == 0o644
+ assert truststore.content_string == open("tests/data/x509/truststore.pem", "r").read().rstrip()
 def test_smtp_mailname(host):
diff --git a/roles/mail_forwarder/molecule/default/tests/test_mandatory.py b/roles/mail_forwarder/molecule/default/tests/test_mandatory.py
index 77987ffa153ca7271cb361eb612a59ed71c5e39f..f35897bebc768f888a0479ab80c47633b91a85b4 100644
--- a/roles/mail_forwarder/molecule/default/tests/test_mandatory.py
+++ b/roles/mail_forwarder/molecule/default/tests/test_mandatory.py
@@ -9,16 +9,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
-def test_smtp_relay_truststore_file(host):
- """
- Tests if SMTP relay truststore has correct content.
- """
- truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')
- assert truststore.content_string == open("tests/data/x509/truststore.pem", "r").read().rstrip()
-
-
 def test_smtp_mailname(host):
 """
 Tests if SMTP mailname configuration file has correct content.
diff --git a/roles/mail_forwarder/molecule/default/tests/test_optional.py b/roles/mail_forwarder/molecule/default/tests/test_optional.py
index ea1441c69781911a5a1cfa627dd1aba3629d4f20..389efe7e15bc6b3e67bfa718cbd3b3f776e5e193 100644
--- a/roles/mail_forwarder/molecule/default/tests/test_optional.py
+++ b/roles/mail_forwarder/molecule/default/tests/test_optional.py
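Review bot: The assertion added after `assert truststore.mode == 0o644` pins the deployed file to tests/data/x509/truststore.pem, yet the only group_vars touched by this patch (parameters-mandatory.yml) now hands the role tests/data/x509/ca.cert.pem, and the per-scenario tests deleted from test_mandatory.py and test_optional.py compared the mandatory group against truststore.pem and the optional group against ca.cert.pem. Unless those two fixture files have identical content, or whichever host set test_default.py targets (not in the hunk) excludes the mandatory group, the deduplicated check will fail for that scenario, so it is worth confirming which fixture each group deploys before merging. Separately, `open("tests/data/x509/truststore.pem", "r").read()` never closes the handle, which pytest surfaces as a ResourceWarning; `with open("tests/data/x509/truststore.pem", "r") as expected:` followed by `assert truststore.content_string == expected.read().rstrip()` keeps the same comparison. test_smtp_relay_truststore_file starts before this hunk.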
@@ -9,16 +9,6 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
-def test_smtp_relay_truststore_file(host):
- """
- Tests if SMTP relay truststore has correct content.
- """
- truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')
- assert truststore.content_string == open("tests/data/x509/ca.cert.pem", "r").read().rstrip()
-
-
 def test_smtp_mailname(host):
 """
 Tests if SMTP mailname has been configured correctly.