Changeset - 770551dc8c6f
Branko Majic (branko) - 4 years ago 2020-01-08 20:13:36
branko@majic.rs
MAR-148: Improve the SSH connectivity tests in backup_server role to be more reliable:

- Introduce a session-level fixture for setting permissions for client
SSH private keys (fixes errors related to SSH requesting tighter
permissions).
- Add assertions for the tests that verify the backup clients cannot
connect to the regular SSH server in case the SSH private keys do
not have correct permissions (just in case).
2 files changed with 47 insertions and 0 deletions:
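--- /dev/null
+++ b/roles/backup_server/molecule/default/tests/conftest.py
@@ -0,0 +1,41 @@
+import os
+
+import pytest
+
+
+@pytest.fixture(scope='session')
+def prepare_ssh_client_private_key_permissions():
+    """
+    Helper fixture used to fix the file permissions of client private
+    keys that are used directly from the local machine to test
+    connectivity towards the server.
+
+    Permissions are set-up in such a way that the ssh tool does not
+    report any errors (e.g. setting the mode to 0600).
+
+    The fixture will restore old permissions once the tests have been
+    completed.
+
+    The fixture is used with the session scope.
+
+    The following private keys will be processed:
+
+    - tests/data/ssh/client1
+    - tests/data/ssh/client2
+    """
+
+    private_keys = [
+        "tests/data/ssh/client1",
+        "tests/data/ssh/client2"
+    ]
+
+    private_key_old_permissions = {}
+
+    for private_key in private_keys:
+        private_key_old_permissions[private_key] = os.stat(private_key).st_mode
+        os.chmod(private_key, 0o600)
+
+    yield
+
+    for private_key in private_keys:
+        os.chmod(private_key, private_key_old_permissions[private_key])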
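Review bot: The restore loop after `yield` does not run when setup itself fails: if `os.stat` or `os.chmod` raises for `tests/data/ssh/client2`, pytest skips the teardown half of the fixture and `client1` is left at 0600 rather than its original mode. Wrapping the setup loop and the `yield` in `try`/`finally`, and restoring only the keys whose mode was actually recorded, keeps the working tree consistent in that case. The key paths are relative, so the fixture presumably depends on pytest being started from the scenario directory; a comment stating that assumption would help.

```python
    private_key_old_permissions = {}

    try:
        for private_key in private_keys:
            private_key_old_permissions[private_key] = os.stat(private_key).st_mode
            os.chmod(private_key, 0o600)

        yield
    finally:
        # Restore only the keys whose original mode was recorded, so a
        # failure half-way through setup is still cleaned up.
        for private_key, old_mode in private_key_old_permissions.items():
            os.chmod(private_key, old_mode)
```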
roles/backup_server/molecule/default/tests/test_parameters_optional.py
 
import os
 

	
 
import pytest
 
import testinfra.utils.ansible_runner
 

	
 

	
 
@@ -138,6 +139,7 @@ def test_firewall_configuration(host):
 
        assert 'saddr ( 10.31.127.1 10.31.127.3) @subchain "backup_in" {' in firewall_config.content
 

	
 

	
 
@pytest.mark.usefixtures("prepare_ssh_client_private_key_permissions")
 
def test_regular_ssh_server_inaccessible(host):
 
    """
 
    Tests if the default SSH server is inaccessible for the backup client system
 
@@ -157,6 +159,7 @@ def test_regular_ssh_server_inaccessible(host):
 
                              "bak-client1_backup@%s "
 
                              "/bin/echo sshtest" % remote_ip)
 
    assert login_attempt.rc != 0
 
    assert "bad permissions" not in login_attempt.stderr  # Avoid passing test due to client private key having wrong permissions.
 
    assert "Permission denied (publickey)" in login_attempt.stderr
 

	
 
    login_attempt = local.run("ssh "
 
@@ -167,9 +170,11 @@ def test_regular_ssh_server_inaccessible(host):
 
                              "bak-client2-backup@%s "
 
                              "/bin/echo sshtest" % remote_ip)
 
    assert login_attempt.rc != 0
 
    assert "bad permissions" not in login_attempt.stderr  # Avoid passing test due to client private key having wrong permissions.
 
    assert "Permission denied (publickey)" in login_attempt.stderr
 

	
 

	
 
@pytest.mark.usefixtures("prepare_ssh_client_private_key_permissions")
 
def test_backup_ssh_service_connectivity(host):
 
    """
 
    Tests if SFTP (only) is availavble to system users used by backup clients.
 
@@ -201,6 +206,7 @@ def test_backup_ssh_service_connectivity(host):
 
    assert "This service allows sftp connections only." in login_attempt.stdout
 

	
 

	
 
@pytest.mark.usefixtures("prepare_ssh_client_private_key_permissions")
 
def test_backup_ssh_service_key_fingerprints(host):
 
    """
 
    Tests fingerprints of backup SSH server in order to ensure correct keys are
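Review bot: The new `"bad permissions" not in login_attempt.stderr` assertions (after both the bak-client1 and bak-client2 attempts) rule out only one way for the client key to go unused; ssh can also end in "Permission denied (publickey)" when the identity file is missing or unreadable, so this access-control test can still pass without the key ever being offered. The ssh command line is outside these hunks, so the key path is not visible here, but asserting before each attempt that the identity file exists, for instance `assert os.path.isfile(<client key path>)`, would close that gap. The trailing comment also pushes both lines well past the usual line-length limit; moving it to its own line above the assertion would read better. test_regular_ssh_server_inaccessible starts and ends outside the hunks shown.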