# Use system-wide trust anchor.

TLS_CACERT /etc/ssl/certs/ca-certificates.crt

  - server: parameters-optional-bullseye

    ip: 192.168.56.42

    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

    box: debian/bullseye64

  - name: client-bullseye

    groups:

      - clients

      - bullseye

    box: debian/bullseye64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 192.168.56.22

        network_name: private_network

        type: static

  - name: parameters-mandatory-buster

  - name: parameters-optional-buster

  - name: parameters-mandatory-bullseye

    groups:

      - parameters-mandatory

      - bullseye

    box: debian/bullseye64

    memory: 512

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 192.168.56.41

        network_name: private_network

        type: static

  - name: parameters-optional-bullseye

    groups:

      - parameters-optional

      - bullseye

    box: debian/bullseye64

    memory: 512

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 192.168.56.42

        network_name: private_network

        type: static

        - name: parameters-mandatory-buster_xmpp

        - name: parameters-optional-buster_xmpp

          fqdn:

            - parameters-optional

            - domain2

            - proxy.domain2

            - conference.domain2

            - domain3

            - proxy.domain3

            - conference.domain3

        - name: parameters-mandatory-bullseye_xmpp

          fqdn:

            - parameters-mandatory

            - domain1

            - proxy.domain1

            - conference.domain1

        - name: parameters-optional-bullseye_xmpp

    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter

      lineinfile:

        path: "/etc/ssl/openssl.cnf"

        regexp: "^MinProtocol ="

        line: "MinProtocol = TLSv1.0"

        owner: root

        group: root

        mode: 0644

        state: present

- hosts: bullseye

  become: true

  tasks:

    - name: Set-up the hosts file

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

      with_dict:

        192.168.56.11: "ldap-server backup-server"

        192.168.56.22: "client-bullseye"

        192.168.56.41: "parameters-mandatory domain1 proxy.domain1 conference.domain1"

        192.168.56.42: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"

def test_ldap_client_configuration(host):

    Tests if LDAP client configuration is correctly deployed with the

    necessary trust anchor configuration.

    with host.sudo():

        ldaprc = host.file("/var/lib/prosody/.ldaprc")

        assert ldaprc.is_file

        assert ldaprc.user == "root"

        assert ldaprc.group == "prosody"

        assert ldaprc.mode == 0o640

        assert "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" in ldaprc.content_string

import os

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-bullseye')

def test_backports_prosody_pinning_absent(host):

    """

    Tests if the Prosody backports pinning is absent.

    """

    pin = host.file("/etc/apt/preferences.d/prosody")

    assert not pin.exists

    prosody_package = host.package("prosody")

    prosody_modules_package = host.package("prosody-modules")

    lua_ldap_package = host.package("lua-sec")

    assert "bpo" not in prosody_package.version

    assert "bpo" not in prosody_modules_package.version

    assert "bpo" not in lua_ldap_package.version

import os

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-buster')

def test_backports_prosody_pinning(host):

    """

    Tests if the backports pin for Prosody has been deployed correctly.

    """

    pin = host.file("/etc/apt/preferences.d/prosody")

    assert pin.is_file

    assert pin.user == "root"

    assert pin.group == "root"

    assert pin.mode == 0o644

    prosody_package = host.package("prosody")

    prosody_modules_package = host.package("prosody-modules")

    lua_ldap_package = host.package("lua-sec")

    assert "bpo" in prosody_package.version

    assert "bpo" in prosody_modules_package.version

    assert "bpo" in lua_ldap_package.version

- name: Configure package pins to backports for Prosody on Debian 10 Buster

  when: ansible_distribution_release == 'buster'

- name: Drop package pins to backports for Prosody on Debian 11 Bullseye

  file:

    path: /etc/apt/preferences.d/prosody

    state: absent

  when: ansible_distribution_release == 'bullseye'

- name: Deploy LDAP client configuration (for validating LDAP server certificate)

  copy:

    src: prosody_ldaprc

    dest: "/var/lib/prosody/.ldaprc"

    owner: root

    group: prosody

    mode: 0640

  notify:

    - Restart Prosody