majic-ansible-roles Changeset

Changeset - 3dd7f39302f8

Parent rev.

Child rev.

[Not reviewed]

0 4 11

Branko Majic (branko) - 7 years ago 2017-07-13 14:34:18
branko@majic.rs

MAR-29: Implemented tests for php_website role:

- Install some additional tools for testing everything.
- Updated test playbook to change allowed extensions for running PHP scripts on
parameters-optional.
- Updated error page to use correct extension for parameters-optional test
instance.
- Expanded rewrite configuration slightly for parameters-optional.
- Install libmariadb-client-lgpl-dev-compat to test mysql_config symlink
creation.
- Deploy a number of PHP pages used for testing if pages are served correctly.
- Set file permissions on deployed PHP FPM pool configuraiton files.
- Use expanded syntax when deploying TLS keys/certificates in order to avoid
issues with TAB mangling.
- Fixed set-up of Strict-Transport-Security header when HTTPS enforcement is
disabled.
- Added a number of PHP and static test pages.
- Wrote tests covering full functionality of the role.

15 files changed with 663 insertions and 17 deletions:

roles/php_website/playbook.yml

roles/php_website/tasks/main.yml

roles/php_website/templates/nginx_site.j2

roles/php_website/tests/data/php/mandatory/index.php

roles/php_website/tests/data/php/mandatory/index.php3

roles/php_website/tests/data/php/optional/404.myphp

roles/php_website/tests/data/php/optional/info.myphp

roles/php_website/tests/data/php/optional/myindex.myphp

roles/php_website/tests/data/php/optional/myindex.php

roles/php_website/tests/data/php/optional/path.myphp

roles/php_website/tests/data/php/optional/rewrite.myphp

roles/php_website/tests/data/php/optional/secretfile.txt

roles/php_website/tests/test_default.py

roles/php_website/tests/test_parameters_mandatory.py

228

roles/php_website/tests/test_parameters_optional.py

313

0 comments (0 inline, 0 general)

roles/php_website/playbook.yml

➞

Show inline comments

@@ @@ -17,6 +17,16 @@ @@
         name: curl
         state: installed
     - name: Install swaks for testing mail forwarding
       apt:
         name: swaks
         state: installed
     - name: Install Postfix for testing mail forwarding (Exim4 not covered)
       apt:
         name: postfix
         state: installed
     - name: Set-up group for an additional user
       group:
         name: user
@@ @@ -49,9 +59,10 @@ @@
     - role: php_website
       additional_fpm_config:
         "env[PATH]": "\"/usr/local/bin:/usr/bin:/bin\""
         "security.limit_extensions": ".php .myphp"
       additional_nginx_config:
         - comment: Custom missing page.
-          value: error_page 404 /404.php;
+          value: error_page 404 /404.myphp;
       admin_uid: 5000
       deny_files_regex:
         - '^/secretfile.txt'
@@ @@ -66,11 +77,61 @@ @@
       https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.local_https.key.pem') }}"
       php_file_regex: "\\.myphp$"
       php_rewrite_urls:
         - ^(.*)$ /index.php?url=$1 last
         - ^/rewrite1/(.*)$ /rewrite.myphp?url=$1 last
         - ^/rewrite2/(.*)$ /rewrite.myphp?url=$1 last
       rewrites:
         - '^/rewrite_to_index/(.*) /myindex.php last'
         - '^/rewrite_to_index1/(.*) /myindex.php last'
         - '^/rewrite_to_index2/(.*) /myindex.php last'
       packages:
         - php5-ldap
         - php5-json
         - libmariadb-client-lgpl-dev-compat
       uid: 5001
       website_mail_recipients: user
 - hosts: all
   tasks:
     # parameters-mandatory application
     - name: Set-up directory where PHP files are hosted at
       file:
         path: /var/www/parameters-mandatory/htdocs
         state: directory
         owner: admin-parameters-mandatory
         group: web-parameters-mandatory
         mode: 0750
     - name: Deploy a couple of PHP pages for testing purposes
       copy:
         src: "tests/data/php/mandatory/{{ item }}"
         dest: "/var/www/parameters-mandatory/htdocs/{{ item }}"
         owner: admin-parameters-mandatory
         group: web-parameters-mandatory
         mode: 0640
       with_items:
         - index.php
         - index.php3
     # parameters-optional application
     - name: Set-up directory where PHP files are hosted at
       file:
         path: /var/www/parameters-optional.local/htdocs
         state: directory
         owner: admin-parameters-optional_local
         group: web-parameters-optional_local
         mode: 0750
     - name: Deploy a couple of PHP pages for testing purposes
       copy:
         src: "tests/data/php/optional/{{ item }}"
         dest: "/var/www/parameters-optional.local/htdocs/{{ item }}"
         owner: admin-parameters-optional_local
         group: web-parameters-optional_local
         mode: 0640
       with_items:
         - myindex.php
         - myindex.myphp
         - path.myphp
         - secretfile.txt
         - info.myphp
         - 404.myphp
         - rewrite.myphp

roles/php_website/tasks/main.yml

➞

Show inline comments

@@ @@ -41,19 +41,33 @@ @@
   when: "'libmariadb-client-lgpl-dev-compat' in packages"
 - name: Deploy PHP FPM configuration file for website
   template: src="fpm_site.conf.j2" dest="/etc/php5/fpm/pool.d/{{ fqdn }}.conf" validate="php5-fpm -t -y %s"
   template:
     src: "fpm_site.conf.j2"
     dest: "/etc/php5/fpm/pool.d/{{ fqdn }}.conf"
     validate: "php5-fpm -t -y %s"
     owner: root
     group: root
     mode: 0640
   notify:
     - Restart php5-fpm
 - name: Deploy nginx TLS private key for website
   copy: dest="/etc/ssl/private/{{ fqdn }}_https.key" content="{{ https_tls_key }}"
         mode=0640 owner=root group=root
   copy:
     dest: "/etc/ssl/private/{{ fqdn }}_https.key"
     content: "{{ https_tls_key }}"
     mode: 0640
     owner: root
     group: root
   notify:
     - Restart nginx
 - name: Deploy nginx TLS certificate for website
   copy: dest="/etc/ssl/certs/{{ fqdn }}_https.pem" content="{{ https_tls_certificate }}"
         mode=0644 owner=root group=root
   copy:
     dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
     content: "{{ https_tls_certificate }}"
     mode: 0644
     owner: root
     group: root
   notify:
     - Restart nginx

roles/php_website/templates/nginx_site.j2

➞

Show inline comments

@@ @@ -26,7 +26,7 @@ server { @@
     ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
     ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;
-{% if default_enforce_https -%}
+{% if enforce_https -%}
     # Set-up HSTS header for preventing downgrades for users that visited the
     # site via HTTPS at least once.
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

roles/php_website/tests/data/php/mandatory/index.php

➞

Show inline comments

@@ new file 100644 @@
 <?php
 echo "This is the index page for parameters-mandatory.";
 ?>
@@ \ No newline at end of file @@

roles/php_website/tests/data/php/mandatory/index.php3

➞

Show inline comments

		new file 100644
		This it just plaintext file.
		\ No newline at end of file

roles/php_website/tests/data/php/optional/404.myphp

➞

Show inline comments

@@ new file 100644 @@
 <?php
 echo "This is custom error page.";
 ?>
@@ \ No newline at end of file @@

roles/php_website/tests/data/php/optional/info.myphp

➞

Show inline comments

@@ new file 100644 @@
 <?php
 phpinfo();
 ?>
@@ \ No newline at end of file @@

roles/php_website/tests/data/php/optional/myindex.myphp

➞

Show inline comments

@@ new file 100644 @@
 <?php
 phpinfo();
 ?>
@@ \ No newline at end of file @@

roles/php_website/tests/data/php/optional/myindex.php

➞

Show inline comments

@@ new file 100644 @@
 <?php
 echo "I will not get run.";
 ?>
@@ \ No newline at end of file @@

roles/php_website/tests/data/php/optional/path.myphp

➞

Show inline comments

@@ new file 100644 @@
 <?php
 echo getenv("PATH");
 ?>
@@ \ No newline at end of file @@

roles/php_website/tests/data/php/optional/rewrite.myphp

➞

Show inline comments

@@ new file 100644 @@
 <?php
 echo $_SERVER['REQUEST_URI'];
 ?>
@@ \ No newline at end of file @@

roles/php_website/tests/data/php/optional/secretfile.txt

➞

Show inline comments

		new file 100644
		This is a secret file.

roles/php_website/tests/test_default.py

➞

Show inline comments

 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     '.molecule/ansible_inventory').get_hosts('all')
 def test_hosts_file(File):
     f = File('/etc/hosts')
     assert f.exists
     assert f.user == 'root'
     assert f.group == 'root'

roles/php_website/tests/test_parameters_mandatory.py

➞

Show inline comments

@@ new file 100644 @@
 import re
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     '.molecule/ansible_inventory').get_hosts('all')
 def test_website_group(Group):
     """
     Tests if website group has been created correctly.
     """
     group = Group('web-parameters-mandatory')
     assert group.exists
     assert group.gid == 1003
 def test_website_admin_user(User):
     """
     Tests if website administrator user has been created correctly.
     """
     user = User('admin-parameters-mandatory')
     assert user.exists
     assert user.uid == 1003
     assert user.group == 'web-parameters-mandatory'
     assert user.groups == ['web-parameters-mandatory']
     assert user.shell == '/bin/bash'
     assert user.home == '/var/www/parameters-mandatory'
 def test_website_admin_home(File, Sudo):
     """
     Tests if permissions on website admin home directory are correct.
     """
     home = File('/var/www/parameters-mandatory')
     assert home.is_directory
     assert home.user == 'admin-parameters-mandatory'
     assert home.group == 'web-parameters-mandatory'
     assert home.mode == 0o750
 def test_home_profile_directory(File, Sudo):
     """
     Tests if profile directory has been set-up correctly for the website
     administrator/application user.
     """
     with Sudo():
         directory = File('/var/www/parameters-mandatory')
         assert directory.is_directory
         assert directory.user == 'admin-parameters-mandatory'
         assert directory.group == 'web-parameters-mandatory'
         assert directory.mode == 0o750
 def test_website_application_user(Command, Sudo, User):
     """
     Tests if website application user has been created correctly.
     """
     user = User('web-parameters-mandatory')
     assert user.exists
     assert user.uid == 999
     assert user.group == 'web-parameters-mandatory'
     assert user.groups == ['web-parameters-mandatory']
     assert user.shell == '/bin/sh'
     assert user.home == '/var/www/parameters-mandatory'
     with Sudo():
         umask = Command("su -l web-parameters-mandatory -c 'bash -c umask'")
         assert umask.stdout == '0007'
 def test_nginx_user(User):
     """
     Tests if web server user has been added to website group.
     """
     user = User('www-data')
     assert 'web-parameters-mandatory' in user.groups
 def test_forward_file(File, Sudo):
     """
     Tests if the forward file has correct permissions and content.
     """
     with Sudo():
         config = File('/var/www/parameters-mandatory/.forward')
         assert config.is_file
         assert config.user == 'root'
         assert config.group == 'web-parameters-mandatory'
         assert config.mode == 0o640
         assert config.content == "root"
 def test_mail_forwarding(Command, File, Sudo):
     """
     Tests if mail forwarding works as expected.
     """
     send = Command('swaks --suppress-data --to web-parameters-mandatory@localhost')
     assert send.rc == 0
     message_id = re.search('Ok: queued as (.*)', send.stdout).group(1)
     with Sudo():
         mail_log = File('/var/log/mail.log')
         # First extract message ID of forwarded mail.
         pattern = "%s: to=<web-parameters-mandatory@localhost>.*status=sent \(forwarded as ([^)]*)\)" % message_id
         message_id = re.search(pattern, mail_log.content).group(1)
         # Now try to determine where the forward ended-up at.
         pattern = "%s: to=<vagrant@php-website>, orig_to=<web-parameters-mandatory@localhost>.*status=sent" % message_id
         assert re.search(pattern, mail_log.content) is not None
 def test_php5_fpm_configuration_file(File, Sudo):
     """
     Tests if PHP FPM configuration file has been correctly deployed.
     """
     with Sudo():
         config = File('/etc/php5/fpm/pool.d/parameters-mandatory.conf')
         assert config.is_file
         assert config.user == 'root'
         assert config.group == 'root'
         assert config.mode == 0o640
 def test_nginx_tls_files(File, Sudo):
     """
     Tests if TLS private key and certificate have been deployed correctly.
     """
     with Sudo():
         tls_file = File('/etc/ssl/private/parameters-mandatory_https.key')
         assert tls_file.is_file
         assert tls_file.user == 'root'
         assert tls_file.group == 'root'
         assert tls_file.mode == 0o640
         assert tls_file.content == open("tests/data/x509/parameters-mandatory_https.key", "r").read().rstrip()
         tls_file = File('/etc/ssl/certs/parameters-mandatory_https.pem')
         assert tls_file.is_file
         assert tls_file.user == 'root'
         assert tls_file.group == 'root'
         assert tls_file.mode == 0o644
         assert tls_file.content == open("tests/data/x509/parameters-mandatory_https.pem", "r").read().rstrip()
 def test_certificate_validity_check_configuration(File):
     """
     Tests if certificate validity check configuration file has been deployed
     correctly.
     """
     config = File('/etc/check_certificate/parameters-mandatory_https.conf')
     assert config.is_file
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o644
     assert config.content == "/etc/ssl/certs/parameters-mandatory_https.pem"
 def test_vhost_file(File):
     """
     Tests permissions of vhost configuration file.
     """
     config = File('/etc/nginx/sites-available/parameters-mandatory')
     assert config.is_file
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o640
 def test_default_website_enabled(File):
     """
     Tests if website has been enabled.
     """
     config = File('/etc/nginx/sites-enabled/parameters-mandatory')
     assert config.is_symlink
     assert config.linked_to == '/etc/nginx/sites-available/parameters-mandatory'
 def test_https_enforcement(Command):
     """
     Tests if HTTPS is being enforced.
     """
     https_enforcement = Command('curl -I http://parameters-mandatory/')
     assert https_enforcement.rc == 0
     assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
     assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout
     https_enforcement = Command('curl -I https://parameters-mandatory/')
     assert https_enforcement.rc == 0
     assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout
 def test_index_page(Command):
     """
     Tests if index page is served correctly.
     """
     page = Command('curl https://parameters-mandatory/')
     assert page.rc == 0
     assert page.stdout == "This is the index page for parameters-mandatory."

roles/php_website/tests/test_parameters_optional.py

➞

Show inline comments

@@ new file 100644 @@
 import re
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     '.molecule/ansible_inventory').get_hosts('all')
 def test_website_group(Group):
     """
     Tests if website group has been created correctly.
     """
     group = Group('web-parameters-optional_local')
     assert group.exists
     assert group.gid == 5001
 def test_website_admin_user(User):
     """
     Tests if website administrator user has been created correctly.
     """
     user = User('admin-parameters-optional_local')
     assert user.exists
     assert user.uid == 5000
     assert user.group == 'web-parameters-optional_local'
     assert user.groups == ['web-parameters-optional_local']
     assert user.shell == '/bin/bash'
     assert user.home == '/var/www/parameters-optional.local'
 def test_website_admin_home(File, Sudo):
     """
     Tests if permissions on website admin home directory are correct.
     """
     home = File('/var/www/parameters-optional.local')
     assert home.is_directory
     assert home.user == 'admin-parameters-optional_local'
     assert home.group == 'web-parameters-optional_local'
     assert home.mode == 0o750
 def test_home_profile_directory(File, Sudo):
     """
     Tests if profile directory has been set-up correctly for the website
     administrator/application user.
     """
     with Sudo():
         directory = File('/var/www/parameters-optional.local')
         assert directory.is_directory
         assert directory.user == 'admin-parameters-optional_local'
         assert directory.group == 'web-parameters-optional_local'
         assert directory.mode == 0o750
 def test_website_application_user(Command, Sudo, User):
     """
     Tests if website application user has been created correctly.
     """
     user = User('web-parameters-optional_local')
     assert user.exists
     assert user.uid == 5001
     assert user.group == 'web-parameters-optional_local'
     assert user.groups == ['web-parameters-optional_local']
     assert user.shell == '/bin/sh'
     assert user.home == '/var/www/parameters-optional.local'
     with Sudo():
         umask = Command("su -l web-parameters-optional_local -c 'bash -c umask'")
         assert umask.stdout == '0007'
 def test_nginx_user(User):
     """
     Tests if web server user has been added to website group.
     """
     user = User('www-data')
     assert 'web-parameters-optional_local' in user.groups
 def test_forward_file(File, Sudo):
     """
     Tests if the forward file has correct permissions and content.
     """
     with Sudo():
         config = File('/var/www/parameters-optional.local/.forward')
         assert config.is_file
         assert config.user == 'root'
         assert config.group == 'web-parameters-optional_local'
         assert config.mode == 0o640
         assert config.content == "user"
 def test_mail_forwarding(Command, File, Sudo):
     """
     Tests if mail forwarding works as expected.
     """
     send = Command('swaks --suppress-data --to web-parameters-optional_local@localhost')
     assert send.rc == 0
     message_id = re.search('Ok: queued as (.*)', send.stdout).group(1)
     with Sudo():
         mail_log = File('/var/log/mail.log')
         # First extract message ID of forwarded mail.
         pattern = "%s: to=<web-parameters-optional_local@localhost>.*status=sent \(forwarded as ([^)]*)\)" % message_id
         message_id = re.search(pattern, mail_log.content).group(1)
         # Now try to determine where the forward ended-up at.
         pattern = "%s: to=<user@php-website>, orig_to=<web-parameters-optional_local@localhost>.*status=sent" % message_id
         assert re.search(pattern, mail_log.content) is not None
 def test_installed_packages(Package):
     """
     Tests if additional packages are installed.
     """
     assert Package('php5-ldap').is_installed
     assert Package('php5-json').is_installed
     assert Package('libmariadb-client-lgpl-dev-compat').is_installed
 def test_mariadb_compat_symlink(File):
     """
     Tests if compatibility symlink is set-up for mysql_config binary if
     libmariadb-client-lgpl-dev-compat is installed.
     """
     link = File('/usr/bin/mysql_config')
     assert link.is_symlink
     assert link.linked_to == "/usr/bin/mariadb_config"
 def test_nginx_tls_files(File, Sudo):
     """
     Tests if TLS private key and certificate have been deployed correctly.
     """
     with Sudo():
         tls_file = File('/etc/ssl/private/parameters-optional.local_https.key')
         assert tls_file.is_file
         assert tls_file.user == 'root'
         assert tls_file.group == 'root'
         assert tls_file.mode == 0o640
         assert tls_file.content == open("tests/data/x509/parameters-optional.local_https.key.pem", "r").read().rstrip()
         tls_file = File('/etc/ssl/certs/parameters-optional.local_https.pem')
         assert tls_file.is_file
         assert tls_file.user == 'root'
         assert tls_file.group == 'root'
         assert tls_file.mode == 0o644
         assert tls_file.content == open("tests/data/x509/parameters-optional.local_https.cert.pem", "r").read().rstrip()
 def test_certificate_validity_check_configuration(File):
     """
     Tests if certificate validity check configuration file has been deployed
     correctly.
     """
     config = File('/etc/check_certificate/parameters-optional.local_https.conf')
     assert config.is_file
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o644
     assert config.content == "/etc/ssl/certs/parameters-optional.local_https.pem"
 def test_vhost_file(File):
     """
     Tests permissions of vhost configuration file.
     """
     config = File('/etc/nginx/sites-available/parameters-optional.local')
     assert config.is_file
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o640
 def test_default_website_enabled(File):
     """
     Tests if website has been enabled.
     """
     config = File('/etc/nginx/sites-enabled/parameters-optional.local')
     assert config.is_symlink
     assert config.linked_to == '/etc/nginx/sites-available/parameters-optional.local'
 def test_https_enforcement(Command):
     """
     Tests if HTTPS is (not) being enforced.
     """
     https_enforcement = Command('curl -I http://parameters-optional.local/')
     assert https_enforcement.rc == 0
     assert 'HTTP/1.1 200 OK' in https_enforcement.stdout
     assert 'HTTP/1.1 301 Moved Permanently' not in https_enforcement.stdout
     assert 'Location: https://parameters-optional/' not in https_enforcement.stdout
     https_enforcement = Command('curl -I https://parameters-optional.local/')
     assert https_enforcement.rc == 0
     assert 'Strict-Transport-Security' not in https_enforcement.stdout
 def test_index_page(Command):
     """
     Tests if index page is served correctly (should be php file served statically).
     """
     page = Command('curl https://parameters-optional.local/')
     assert page.rc == 0
     assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip()
 def test_additional_fpm_config(Command):
     """
     Tests if additional FPM configuration is processed correctly.
     """
     page = Command('curl https://parameters-optional.local/path.myphp')
     assert page.rc == 0
     assert page.stdout == "/usr/local/bin:/usr/bin:/bin"
 def test_additional_nginx_config(Command):
     """
     Tests if additional Nginx configuration has been applied (custom 404 page).
     """
     page = Command('curl https://parameters-optional.local/non-existing-page')
     assert page.rc == 0
     assert page.stdout == "This is custom error page."
 def test_deny_files_regex(Command):
     """
     Tests if regex used for denying access is applied correctly.
     """
     page = Command('curl -I https://parameters-optional.local/secretfile.txt')
     assert page.rc == 0
     assert "HTTP/1.1 403 Forbidden" in page.stdout
 def test_environment_indicator(Command):
     """
     Tests if environment indicator is applied correctly.
     """
     page = Command('curl https://parameters-optional.local/info.myphp')
     assert page.rc == 0
     assert "<div id='website-environment' style='background-color: #ff0000; width: 100%; text-align: center; position: fixed; bottom: 5px; color: #00ff00; " \
         "font-weight: bold; z-index: 999999;'>parameters-optional</div></body>" in page.stdout
 def test_php_rewrire_urls(Command):
     """
     Tests if PHP rewrite URLs are processed correctly.
     """
     page = Command('curl https://parameters-optional.local/rewrite1/this/is/some/path')
     assert page.rc == 0
     assert page.stdout == "/rewrite1/this/is/some/path"
     page = Command('curl https://parameters-optional.local/rewrite2/this/is/some/other/path')
     assert page.rc == 0
     assert page.stdout == "/rewrite2/this/is/some/other/path"
 def test_regular_rewrites(Command):
     """
     Tests if regular rewrites are working as expected.
     """
     page = Command('curl https://parameters-optional.local/rewrite_to_index1/some/path')
     assert page.rc == 0
     assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip()
     page = Command('curl https://parameters-optional.local/rewrite_to_index2/some/path')
     assert page.rc == 0
     assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip()

0 comments (0 inline, 0 general)