Changeset - 23a5f9ba293c
Branko Majic (branko) - 4 years ago 2020-09-15 21:15:26
branko@majic.rs
MAR-158: Split up the TLS tests for the web_server role:

- Better separation for testing individual properties of TLS
configuration (whether it's enabled, what protocols are enabled, and
finally enabled ciphers).
2 files changed with 49 insertions and 9 deletions:
roles/web_server/molecule/default/tests/test_mandatory.py
 
@@ -23,17 +23,33 @@ def test_certificate_validity_check_configuration(host):
 
    assert config.content_string == "/etc/ssl/certs/%s_https.pem" % hostname
 

	
 

	
 
def test_tls_configuration(host):
 
def test_tls_enabled(host):
 
    """
 
    Tests if the TLS has been configured correctly and works.
 
    Tests if TLS has been enabled.
 
    """
 

	
 
    tls = host.run('wget -q -O - https://parameters-mandatory/')
 
    assert tls.rc == 0
 

	
 

	
 
def test_tls_version(host):
 
    """
 
    Tests if only the configured TLS protocol versions are allowed by
 
    the server.
 
    """
 

	
 
    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443")
 
    assert old_tls_versions_disabled.rc != 0
 

	
 
    # Avoid false negatives by ensuring the client had actually
 
    # established the TCP connection.
 
    assert "CONNECTED" in old_tls_versions_disabled.stdout
 
    assert old_tls_versions_disabled.rc != 0
 

	
 

	
 
def test_tls_ciphers(host):
 
    """
 
    Tests available TLS ciphers on the server.
 
    """
 

	
 
    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443")
 
    assert cipher.rc == 0
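Review bot: The negative probe in test_tls_version, `openssl s_client -no_tls1_2 -connect parameters-mandatory:443`, leaves TLS 1.3 enabled, so on a test host whose OpenSSL speaks 1.3 the handshake can still succeed and the `rc != 0` assertion fails even though TLS 1.0/1.1 are correctly rejected; conversely, when the server does not offer 1.3 the test silently also pins "TLS 1.3 off", which the docstring never states. Add the flag so only the versions under test are offered: `old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -no_tls1_3 -connect parameters-mandatory:443")`; an OpenSSL too old to know `-no_tls1_3` exits before printing CONNECTED, which the existing `"CONNECTED" in old_tls_versions_disabled.stdout` check already catches. Alternatively probe `-tls1` and `-tls1_1` one at a time so a failure names the version that was wrongly accepted. The `rc != 0` assertion appears both before and after the CONNECTED check (the page does not show which line is old and which is new); keep only the one after it, since a failed TCP connection should surface as a connection failure rather than as "old versions disabled".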
roles/web_server/molecule/default/tests/test_optional.py
 
@@ -23,21 +23,45 @@ def test_certificate_validity_check_configuration(host):
 
    assert config.content_string == "/etc/ssl/certs/%s_https.pem" % hostname
 

	
 

	
 
def test_tls_configuration(host):
 
def test_tls_enabled(host):
 
    """
 
    Tests if the TLS has been configured correctly and works.
 
    Tests if TLS has been enabled.
 
    """
 

	
 
    tls = host.run('wget -q -O - https://parameters-optional/')
 
    assert tls.rc == 0
 

	
 

	
 
def test_tls_version(host):
 
    """
 
    Tests if only the configured TLS protocol versions are allowed by
 
    the server.
 
    """
 

	
 
    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_1 -no_tls1_2 -connect parameters-optional:443")
 
    assert old_tls_versions_disabled.rc != 0
 
    tls1_1_enabled = host.run("echo 'Q' | openssl s_client -tls1_1 -connect parameters-optional:443")
 
    tls1_2_enabled = host.run("echo 'Q' | openssl s_client -tls1_2 -connect parameters-optional:443")
 

	
 
    # Avoid false negatives by ensuring the client had actually
 
    # established the TCP connection.
 
    assert "CONNECTED" in old_tls_versions_disabled.stdout
 
    assert old_tls_versions_disabled.rc != 0
 

	
 
    # Avoid false negatives by ensuring the client had actually
 
    # established the TCP connection.
 
    assert "CONNECTED" in tls1_1_enabled.stdout
 
    assert tls1_1_enabled.rc == 0
 

	
 
    # Avoid false negatives by ensuring the client had actually
 
    # established the TCP connection.
 
    assert "CONNECTED" in tls1_2_enabled.stdout
 
    assert tls1_2_enabled.rc == 0
 

	
 
    newer_tls_versions_enabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:443")
 
    assert newer_tls_versions_enabled.rc == 0
 
    assert "CONNECTED" in newer_tls_versions_enabled.stdout
 

	
 
def test_tls_ciphers(host):
 
    """
 
    Tests available TLS ciphers on the server.
 
    """
 

	
 
    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:443")
 
    assert cipher.rc == 0
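Review bot: test_tls_ciphers only proves that one suite, ECDHE-RSA-AES128-SHA256, is accepted; nothing asserts that a suite the role is meant to exclude is refused, so a server that accepts every cipher passes this test. Pair it with a negative probe of the same shape as test_tls_version, e.g. `weak = host.run("echo 'Q' | openssl s_client -cipher AES128-SHA -connect parameters-optional:443")`, `assert "CONNECTED" in weak.stdout`, `assert weak.rc != 0`, choosing a suite the role's cipher list actually excludes (the role configuration is not visible here). Note also that `-cipher` governs only TLS 1.2-and-lower suites: if client and server can negotiate TLS 1.3 the handshake uses the separate `-ciphersuites` list and a `-cipher` probe passes regardless of the suite named, so pin the version with `-tls1_2` on these probes. The same TLS 1.3 caveat applies to the `-no_tls1_1 -no_tls1_2` probe in test_tls_version, which needs `-no_tls1_3` to offer only the versions it claims to test. The three identical "Avoid false negatives" comments in test_tls_version could be reduced to one above the first CONNECTED check.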