majic-ansible-roles Changeset

Changeset - 83a557f70dfb

Parent rev.

Child rev.

[Not reviewed]

0 2 1

Branko Majic (branko) - 4 years ago 2020-09-22 16:19:21
branko@majic.rs

MAR-158: Extended TLS cipher tests for web_server role for optional parameters:

- Extend the existing tests to cover both enabled and disabled
ciphers.
- Deduplicate list of all available ciphers for both testing of
mandatory and optional parameters.

3 files changed with 101 insertions and 67 deletions:

roles/web_server/molecule/default/tests/test_mandatory.py

roles/web_server/molecule/default/tests/test_optional.py

roles/web_server/molecule/default/tests/tls_ciphers.py

0 comments (0 inline, 0 general)

roles/web_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

@@ @@ -4,6 +4,8 @@ import pytest @@
 import testinfra.utils.ansible_runner
 from tls_ciphers import ALL_CIPHERS
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
@@ @@ -23,66 +25,6 @@ def test_tls_version(host): @@
     assert old_tls_versions_disabled.rc != 0
 ALL_CIPHERS = [
     "AES128-GCM-SHA256",
     "AES128-SHA",
     "AES128-SHA256",
     "AES256-GCM-SHA384",
     "AES256-SHA",
     "AES256-SHA256",
     "DHE-PSK-AES128-CBC-SHA",
     "DHE-PSK-AES128-CBC-SHA256",
     "DHE-PSK-AES128-GCM-SHA256",
     "DHE-PSK-AES256-CBC-SHA",
     "DHE-PSK-AES256-CBC-SHA384",
     "DHE-PSK-AES256-GCM-SHA384",
     "DHE-PSK-CHACHA20-POLY1305",
     "DHE-RSA-AES128-GCM-SHA256",
     "DHE-RSA-AES128-SHA",
     "DHE-RSA-AES128-SHA256",
     "DHE-RSA-AES256-GCM-SHA384",
     "DHE-RSA-AES256-SHA",
     "DHE-RSA-AES256-SHA256",
     "DHE-RSA-CHACHA20-POLY1305",
     "ECDHE-ECDSA-AES128-GCM-SHA256",
     "ECDHE-ECDSA-AES128-SHA",
     "ECDHE-ECDSA-AES128-SHA256",
     "ECDHE-ECDSA-AES256-GCM-SHA384",
     "ECDHE-ECDSA-AES256-SHA",
     "ECDHE-ECDSA-AES256-SHA384",
     "ECDHE-ECDSA-CHACHA20-POLY1305",
     "ECDHE-PSK-AES128-CBC-SHA",
     "ECDHE-PSK-AES128-CBC-SHA256",
     "ECDHE-PSK-AES256-CBC-SHA",
     "ECDHE-PSK-AES256-CBC-SHA384",
     "ECDHE-PSK-CHACHA20-POLY1305",
     "ECDHE-RSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES128-SHA",
     "ECDHE-RSA-AES128-SHA256",
     "ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-RSA-AES256-SHA",
     "ECDHE-RSA-AES256-SHA384",
     "ECDHE-RSA-CHACHA20-POLY1305",
     "PSK-AES128-CBC-SHA",
     "PSK-AES128-CBC-SHA256",
     "PSK-AES128-GCM-SHA256",
     "PSK-AES256-CBC-SHA",
     "PSK-AES256-CBC-SHA384",
     "PSK-AES256-GCM-SHA384",
     "PSK-CHACHA20-POLY1305",
     "RSA-PSK-AES128-CBC-SHA",
     "RSA-PSK-AES128-CBC-SHA256",
     "RSA-PSK-AES128-GCM-SHA256",
     "RSA-PSK-AES256-CBC-SHA",
     "RSA-PSK-AES256-CBC-SHA384",
     "RSA-PSK-AES256-GCM-SHA384",
     "RSA-PSK-CHACHA20-POLY1305",
     "SRP-AES-128-CBC-SHA",
     "SRP-AES-256-CBC-SHA",
     "SRP-RSA-AES-128-CBC-SHA",
     "SRP-RSA-AES-256-CBC-SHA",
+]
 ENABLED_CIPHERS = [
     "DHE-RSA-AES128-GCM-SHA256",
     "DHE-RSA-AES256-GCM-SHA384",

roles/web_server/molecule/default/tests/test_optional.py

➞

Show inline comments

 import os
 import pytest
 import testinfra.utils.ansible_runner
 from tls_ciphers import ALL_CIPHERS
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
@@ @@ -33,18 +37,47 @@ def test_tls_version(host): @@
     assert tls1_2_enabled.rc == 0
 def test_tls_ciphers(host):
 ENABLED_CIPHERS = [
     "DHE-RSA-AES128-GCM-SHA256",
     "DHE-RSA-AES128-SHA256",
     "DHE-RSA-AES256-GCM-SHA384",
     "DHE-RSA-AES256-SHA256",
     "ECDHE-RSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES128-SHA",
     "ECDHE-RSA-AES128-SHA256",
     "ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-RSA-AES256-SHA384",
+]
 DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))
 @pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
 def test_enabled_tls_ciphers(host, cipher):
     """
     Tests available TLS ciphers on the server.
     """
     hostname = host.run('hostname').stdout.strip()
     fqdn = hostname[:hostname.rfind('-')]
     client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
     assert client.rc == 0
     assert cipher in client.stdout
 @pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
 def test_disabled_tls_ciphers(host, cipher):
     """
     Tests available TLS ciphers on the server.
     """
     cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:443")
     assert cipher.rc == 0
     assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
     hostname = host.run('hostname').stdout.strip()
     fqdn = hostname[:hostname.rfind('-')]
     cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:443")
     assert cipher.rc == 0
     assert "ECDHE-RSA-AES128-SHA" in cipher.stdout
     client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
     assert client.rc != 0
     assert cipher not in client.stdout
 def test_https_enforcement(host):

roles/web_server/molecule/default/tests/tls_ciphers.py

➞

Show inline comments

@@ new file 100644 @@
 ALL_CIPHERS = [
     "AES128-GCM-SHA256",
     "AES128-SHA",
     "AES128-SHA256",
     "AES256-GCM-SHA384",
     "AES256-SHA",
     "AES256-SHA256",
     "DHE-PSK-AES128-CBC-SHA",
     "DHE-PSK-AES128-CBC-SHA256",
     "DHE-PSK-AES128-GCM-SHA256",
     "DHE-PSK-AES256-CBC-SHA",
     "DHE-PSK-AES256-CBC-SHA384",
     "DHE-PSK-AES256-GCM-SHA384",
     "DHE-PSK-CHACHA20-POLY1305",
     "DHE-RSA-AES128-GCM-SHA256",
     "DHE-RSA-AES128-SHA",
     "DHE-RSA-AES128-SHA256",
     "DHE-RSA-AES256-GCM-SHA384",
     "DHE-RSA-AES256-SHA",
     "DHE-RSA-AES256-SHA256",
     "DHE-RSA-CHACHA20-POLY1305",
     "ECDHE-ECDSA-AES128-GCM-SHA256",
     "ECDHE-ECDSA-AES128-SHA",
     "ECDHE-ECDSA-AES128-SHA256",
     "ECDHE-ECDSA-AES256-GCM-SHA384",
     "ECDHE-ECDSA-AES256-SHA",
     "ECDHE-ECDSA-AES256-SHA384",
     "ECDHE-ECDSA-CHACHA20-POLY1305",
     "ECDHE-PSK-AES128-CBC-SHA",
     "ECDHE-PSK-AES128-CBC-SHA256",
     "ECDHE-PSK-AES256-CBC-SHA",
     "ECDHE-PSK-AES256-CBC-SHA384",
     "ECDHE-PSK-CHACHA20-POLY1305",
     "ECDHE-RSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES128-SHA",
     "ECDHE-RSA-AES128-SHA256",
     "ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-RSA-AES256-SHA",
     "ECDHE-RSA-AES256-SHA384",
     "ECDHE-RSA-CHACHA20-POLY1305",
     "PSK-AES128-CBC-SHA",
     "PSK-AES128-CBC-SHA256",
     "PSK-AES128-GCM-SHA256",
     "PSK-AES256-CBC-SHA",
     "PSK-AES256-CBC-SHA384",
     "PSK-AES256-GCM-SHA384",
     "PSK-CHACHA20-POLY1305",
     "RSA-PSK-AES128-CBC-SHA",
     "RSA-PSK-AES128-CBC-SHA256",
     "RSA-PSK-AES128-GCM-SHA256",
     "RSA-PSK-AES256-CBC-SHA",
     "RSA-PSK-AES256-CBC-SHA384",
     "RSA-PSK-AES256-GCM-SHA384",
     "RSA-PSK-CHACHA20-POLY1305",
     "SRP-AES-128-CBC-SHA",
     "SRP-AES-256-CBC-SHA",
     "SRP-RSA-AES-128-CBC-SHA",
     "SRP-RSA-AES-256-CBC-SHA",
+]

0 comments (0 inline, 0 general)