majic-ansible-roles Changeset

Changeset - 895e9bd5a83b

Parent rev.

Child rev.

[Not reviewed]

0 6 2

Branko Majic (branko) - 9 months ago 2023-08-14 00:30:27
branko@majic.rs

MAR-181: Add VM for testing deprecations in xmpp_server role.

8 files changed with 161 insertions and 9 deletions:

roles/xmpp_server/molecule/default/group_vars/deprecated.yml

roles/xmpp_server/molecule/default/molecule.yml

roles/xmpp_server/molecule/default/playbook.yml

roles/xmpp_server/molecule/default/prepare.yml

roles/xmpp_server/molecule/default/tests/test_client.py

roles/xmpp_server/molecule/default/tests/test_default.py

roles/xmpp_server/molecule/default/tests/test_default_buster.py

roles/xmpp_server/molecule/default/tests/test_deprecated.py

0 comments (0 inline, 0 general)

roles/xmpp_server/molecule/default/group_vars/deprecated.yml

➞

Show inline comments

@@ new file 100644 @@
 ---
 xmpp_administrators:
   - eve.doe@domain4
 xmpp_domains:
   - domain4
 xmpp_ldap_base_dn: dc=local
 xmpp_ldap_password: prosodypassword
 xmpp_ldap_server: ldap-server
 xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.cert.pem') }}"
 xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.key.pem') }}"
 # common
 ca_certificates:
   testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

roles/xmpp_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -63,6 +63,19 @@ platforms: @@
         network_name: private_network
         type: static
   - name: deprecated-buster64
     groups:
       - deprecated
       - buster
     box: debian/contrib-buster64
     memory: 512
     cpus: 1
     interfaces:
       - auto_config: true
         ip: 192.168.56.32
         network_name: private_network
         type: static
 provisioner:
   name: ansible
   playbooks:

roles/xmpp_server/molecule/default/playbook.yml

➞

Show inline comments

 ---
 - hosts: parameters-mandatory,parameters-optional
+- hosts: parameters-mandatory,parameters-optional,deprecated
   become: true
   roles:
     - xmpp_server

roles/xmpp_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -37,6 +37,12 @@ @@
             - domain3
             - proxy.domain3
             - conference.domain3
         - name: deprecated-buster64_xmpp
           fqdn:
             - deprecated
             - domain4
             - proxy.domain4
             - conference.domain4
     - name: Set-up link to generated X.509 material
       file:
@@ @@ -93,6 +99,7 @@ @@
 .168.56.20: "client-buster"
 .168.56.30: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 .168.56.31: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 .168.56.32: "deprecated domain4 proxy.domain4 conference.domain4"
     - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter
       lineinfile:
@@ @@ -104,15 +111,11 @@ @@
         mode: 0644
         state: present
     # @WORKAROUND: BEGIN - Prosody repository override
     # @WORKAROUND: Prosody repository override
+    #
     # Prosody project has killed off Debian Buster repositories. Trick
     # the system to install packages from custom repository location
     # instead.
     # Prosody project has killed off Debian Buster repositories. The
     # custom repository used to install the packages has been signed
     # by different key.
     - name: Override server IP for Prosody repository via hosts file
       lineinfile:
         path: /etc/hosts
@@ @@ -122,12 +125,15 @@ @@
         group: root
         mode: 0644
         state: present
       tags:
         - workaround:prosody_repository_override
     - name: Add workaround Prosody repository signing key
       apt_key:
         data: "{{ lookup('file', 'workaround_prosody_repository_signing_key.asc') }}"
         state: present
     # @WORKAROUND: END - Prosody repository override
       tags:
         - workaround:prosody_repository_override
 - hosts: clients
   become: true
@@ @@ -197,6 +203,11 @@ @@
           server: domain1
           security: tls
           nickname: noxmpp
         - jid: eve.doe@domain4
           password: evepassword
           server: domain4
           security: tls
           nickname: eve.doe
   handlers:
@@ @@ -263,6 +274,17 @@ @@
             sn: XMPP
             mail: noxmpp@domain1
         - dn: uid=eve,ou=people,dc=local
           objectClass:
             - inetOrgPerson
             - simpleSecurityObject
           attributes:
             userPassword: evepassword
             uid: eve
             cn: Eve Doe
             sn: Doe
             mail: eve.doe@domain4
     - name: Add test accounts to correct group
       ldap_attr:
         dn: "cn=xmpp,ou=groups,dc=local"
@@ @@ -272,8 +294,9 @@ @@
           - uid=john,ou=people,dc=local
           - uid=jane,ou=people,dc=local
           - uid=mick,ou=people,dc=local
           - uid=eve,ou=people,dc=local
 - hosts: parameters-mandatory,parameters-optional
+- hosts: parameters-mandatory,parameters-optional,deprecated
   become: true
   tasks:

roles/xmpp_server/molecule/default/tests/test_client.py

➞

Show inline comments

@@ @@ -28,6 +28,7 @@ def test_connectivity(host): @@
 @pytest.mark.parametrize("username, password, domain", [
     ["john.doe", "johnpassword", "domain1"],
     ["jane.doe", "janepassword", "domain2"],
     ["eve.doe", "evepassword", "domain4"],
 ])
 def test_tls(host, username, password, domain):
     """
@@ @@ -46,6 +47,7 @@ def test_tls(host, username, password, domain): @@
 @pytest.mark.parametrize("username, password, domain", [
     ["john.doe", "johnpassword", "domain1"],
     ["jane.doe", "janepassword", "domain2"],
     ["eve.doe", "evepassword", "domain4"],
 ])
 def test_authentication_requires_tls(host, username, password, domain):
     """
     ["john.doe", "johnpassword", "domain1"],
     ["jane.doe", "janepassword", "domain2"],
     ["mick.doe", "mickpassword", "domain3"],
     ["eve.doe", "evepassword", "domain4"],
 ])
 def test_authentication(host, username, password, domain):
     """
@@ @@ -79,6 +82,7 @@ def test_authentication(host, username, password, domain): @@
 @pytest.mark.parametrize("target_username, target_domain", [
     ["john.doe", "domain1"],
     ["jane.doe", "domain2"],
     ["eve.doe", "domain4"],
 ])
 def test_unauthorized_users_rejected(host, target_username, target_domain):
     """

roles/xmpp_server/molecule/default/tests/test_default.py

➞

Show inline comments

@@ @@ -6,6 +6,9 @@ import testinfra.utils.ansible_runner @@
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*')
 testinfra_hosts += testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('deprecated')
 def test_supporting_packages_installed(host):
     """

roles/xmpp_server/molecule/default/tests/test_default_buster.py

➞

Show inline comments

@@ @@ -6,6 +6,9 @@ import testinfra.utils.ansible_runner @@
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-buster64')
 testinfra_hosts += testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('deprecated-buster64')
 def test_lua_ldap_pin_and_version(host):
     """

roles/xmpp_server/molecule/default/tests/test_deprecated.py

➞

Show inline comments

@@ new file 100644 @@
 import os
 import defusedxml.ElementTree as ElementTree
 import pytest
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('deprecated')
 def test_prosody_configuration_file_content(host):
     """
     Tests if Prosody configuration file has correct content.
     """
     hostname = host.run('hostname').stdout.strip()
     with host.sudo():
         config = host.file('/etc/prosody/prosody.cfg.lua')
         assert "admins = { \"eve.doe@domain4\",  }" in config.content_string
         assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string
         assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string
         assert "ldap_server = \"ldap-server\"" in config.content_string
         assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string
         assert "ldap_password = \"prosodypassword\"" in config.content_string
         assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string
         assert "ldap_base = \"ou=people,dc=local\"" in config.content_string
         assert "archive_expires_after = \"never\"" in config.content_string
         assert """VirtualHost "domain4"
 Component "conference.domain4" "muc"
   restrict_room_creation = "local"
 Component "proxy.domain4" "proxy65"
   proxy65_acl = { "domain4" }""" in config.content_string
 def test_correct_prosody_package_installed(host):
     """
     Tests if correct Prosody package has been installed.
     """
     assert host.package('prosody-0.11').is_installed
 @pytest.mark.parametrize("port", [
 ,
 ])
 def test_xmpp_c2s_tls_version_and_ciphers(host, port):
     """
     Tests if the correct TLS version and ciphers have been enabled for
     XMPP C2S ports.
     """
     expected_tls_versions = ["TLSv1.2"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain4 -oX /tmp/report.xml", str(port))
     assert nmap.rc == 0
     report_content = host.file('/tmp/report.xml').content_string
     report_root = ElementTree.fromstring(report_content)
     tls_versions = []
     tls_ciphers = set()
     for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"):
         tls_versions.append(child.attrib['key'])
     for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
         tls_ciphers.add(child.text)
     tls_versions.sort()
     tls_ciphers = sorted(list(tls_ciphers))
     assert tls_versions == expected_tls_versions
     assert tls_ciphers == expected_tls_ciphers

0 comments (0 inline, 0 general)