Changeset - bba096126140
roles/ldap_server/molecule/default/cleanup.yml
 
new file 100644
 
---
 

	
 
- name: Clean-up fixtures
 
  hosts: localhost
 
  connection: local
 
  gather_facts: false
 
  tasks:
 

	
 
    - name: Remove X.509 material
 
      file:
 
        path: "{{ item }}"
 
        state: absent
 
      with_items:
 
        - "tests/data/x509"
 
        - "tests/data/.gimmecert"
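Review bot: The `Remove X.509 material` task uses the legacy `with_items` form while the rest of this scenario already relies on Ansible 2.6+ features (`argv` in prepare.yml), so `loop:` would be the consistent choice: `loop:` followed by the same two entries. Both paths are resolved against the working directory of the ansible-playbook process rather than the playbook file, which only works because prepare.yml uses the same `tests/data/` convention; a one-line comment such as `# Paths are relative to the scenario directory, matching prepare.yml` would save the next reader from checking. The order is fine: `tests/data/x509` is the symlink created in prepare.yml and `state: absent` removes the link itself, not the `.gimmecert` target it points to.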
roles/ldap_server/molecule/default/group_vars/parameters-mandatory.yml
 
---
 

	
 
ldap_admin_password: adminpassword
 

	
 
ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_ldap.cert.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_ldap.key.pem') }}"
 
ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_ldap.cert.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_ldap.key.pem') }}"
 

	
 
# ldap_client
 
ldap_client_config:
 
  - comment: CA truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/testca.cert.pem
 
  - comment: Ensure TLS is enforced
 
    option: TLS_REQCERT
 
    value: demand
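Review bot: The new `ldap_server_tls_certificate` and `ldap_server_tls_key` values nest `{{ inventory_hostname }}` inside the string that is itself an argument of a `{{ lookup(...) }}` expression; nested moustaches are not valid Jinja and Ansible warns about them, with behaviour that has changed across versions. Build the path by concatenation instead: `ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/' ~ inventory_hostname ~ '_ldap.cert.pem') }}"` and the equivalent for `ldap_server_tls_key`. The same pattern appears in group_vars/parameters-optional.yml. Because the `file` lookup loads the private key's contents into a host variable, any `debug: var=hostvars` in this scenario would print it; acceptable for a generated test fixture, but worth a comment such as `# Key material is loaded into vars; do not dump hostvars in this scenario`.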
roles/ldap_server/molecule/default/group_vars/parameters-optional.yml
 
---
 

	
 
ldap_admin_password: adminpassword
 

	
 
ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_ldap.cert.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_ldap.key.pem') }}"
 
ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_ldap.cert.pem') }}"
 
ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_ldap.key.pem') }}"
 

	
 
ldap_entries:
 
  - dn: uid=john,dc=local
 
    attributes:
 
      objectClass:
 
        - inetOrgPerson
 
        - simpleSecurityObject
 
      userPassword: johnpassword
 
      uid: john
 
      cn: John Doe
 
      sn: Doe
 
  - dn: uid=jane,dc=local
roles/ldap_server/molecule/default/molecule.yml
 
@@ -42,24 +42,26 @@ platforms:
 
      - backup-server
 
    box: debian/contrib-stretch64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.23
 
        network_name: private_network
 
        type: static
 

	
 
provisioner:
 
  name: ansible
 
  playbooks:
 
    cleanup: cleanup.yml
 
  config_options:
 
    defaults:
 
      force_valid_group_names: "ignore"
 
      interpreter_python: "/usr/bin/python3"
 
    ssh_connection:
 
      pipelining: "True"
 
  lint:
 
    name: ansible-lint
 

	
 
scenario:
 
  name: default
 

	
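Review bot: `playbooks.cleanup: cleanup.yml` only has an effect if the scenario's test sequence contains the `cleanup` step, and the `scenario:` block below relies on the default sequence, so whether the new playbook ever runs depends on the Molecule version pinned for this role (the step was added partway through the 2.x line; confirm against the pinned version). If an older release is in use, add an explicit `test_sequence:` under `scenario:` with `cleanup` listed before each `destroy`. A comment on the new key, e.g. `# Runs before destroy; removes the gimmecert fixtures created in prepare.yml`, would also document why a cleanup playbook exists for a scenario that otherwise only touches the managed hosts.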
roles/ldap_server/molecule/default/prepare.yml
 
---
 

	
 
- name: Set-up fixtures
 
  hosts: localhost
 
  connection: local
 
  gather_facts: false
 
  tasks:
 

	
 
    - name: Initialise CA hierarchy
 
      command: "gimmecert init"
 
      args:
 
        creates: "tests/data/.gimmecert/ca/level1.cert.pem"
 
        chdir: "tests/data/"
 

	
 
    - name: Generate server private keys and certificates
 
      command:
 
      args:
 
        chdir: "tests/data/"
 
        creates: "tests/data/.gimmecert/server/{{ item.name }}.cert.pem"
 
        argv:
 
          - "gimmecert"
 
          - "server"
 
          - "{{ item.name }}"
 
          - "{{ item.fqdn }}"
 
      with_items:
 
        - name: parameters-mandatory-stretch64.local_ldap
 
          fqdn: parameters-mandatory.local
 
        - name: parameters-optional-stretch64_ldap
 
          fqdn: parameters-optional
 

	
 
    - name: Set-up link to generated X.509 material
 
      file:
 
        src: ".gimmecert"
 
        dest: "tests/data/x509"
 
        state: link
 

	
 
- name: Prepare
 
  hosts: all
 
  gather_facts: false
 
  tasks:
 
    - name: Install python for Ansible
 
      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
 
      become: true
 
      changed_when: false
 

	
 
- hosts: all
 
  become: true
 
  tasks:
 

	
 
    - name: Update all caches to avoid errors due to missing remote archives
 
      apt:
 
        update_cache: true
 
      changed_when: false
 

	
 
    - name: Deploy CA certificate
 
      copy:
 
        src: tests/data/x509/ca.cert.pem
 
        src: tests/data/x509/ca/level1.cert.pem
 
        dest: /etc/ssl/certs/testca.cert.pem
 
        owner: root
 
        group: root
 
        mode: 0644
 

	
 
- hosts: client
 
  become: true
 
  tasks:
 

	
 
    - name: Install tool for teting TCP connectivity
 
      apt:
 
        name: hping3
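Review bot: The `creates:` guards on `Initialise CA hierarchy` and `Generate server private keys and certificates` are combined with `chdir: "tests/data/"`, and as far as I recall the command module changes directory before evaluating `creates`, so the guard is checked as `tests/data/tests/data/.gimmecert/...`, which never exists and the gimmecert commands re-run on every prepare. Make the guards relative to the `chdir`: `creates: ".gimmecert/ca/level1.cert.pem"` and `creates: ".gimmecert/server/{{ item.name }}.cert.pem"`. The bare `command:` with parameters under `args:` works but reads oddly; the parameters (`argv`, `chdir`, `creates`) can sit directly under `command:`. Since this change replaces committed keys with keys generated at prepare time, it is worth confirming that `tests/data/.gimmecert/` and the `tests/data/x509` link are excluded from version control, otherwise the material just deleted from the tree is recreated in it.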
roles/ldap_server/molecule/default/tests/data/x509/ca.cert.pem
 
deleted file
roles/ldap_server/molecule/default/tests/data/x509/ca.key.pem
 
deleted file
roles/ldap_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.local_ldap.cert.pem
 
deleted file
roles/ldap_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64.local_ldap.key.pem
 
deleted file
roles/ldap_server/molecule/default/tests/data/x509/parameters-optional-stretch64_ldap.cert.pem
 
deleted file
roles/ldap_server/molecule/default/tests/data/x509/parameters-optional-stretch64_ldap.key.pem
 
deleted file
roles/ldap_server/molecule/default/tests/test_default.py
 
@@ -202,31 +202,31 @@ def test_ldap_tls_private_key_file(host):
 
    """
 

	
 
    with host.sudo():
 

	
 
        inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
        key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname)
 

	
 
        assert key.is_file
 
        assert key.user == 'root'
 
        assert key.group == 'openldap'
 
        assert key.mode == 0o640
 
        assert key.content_string == open('tests/data/x509/%s_ldap.key.pem' % inventory_hostname).read()
 
        assert key.content_string == open('tests/data/x509/server/%s_ldap.key.pem' % inventory_hostname).read()
 

	
 

	
 
def test_ldap_tls_certificate_file(host):
 
    """
 
    Tests if the TLS certificate has been deployed correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
        cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname)
 

	
 
        assert cert.is_file
 
        assert cert.user == 'root'
 
        assert cert.group == 'root'
 
        assert cert.mode == 0o644
 
        assert cert.content_string == open('tests/data/x509/%s_ldap.cert.pem' % inventory_hostname).read()
 
        assert cert.content_string == open('tests/data/x509/server/%s_ldap.cert.pem' % inventory_hostname).read()
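Review bot: The rewritten assertions in both tests still call `open(...).read()` without closing the fixture file, which leaks a handle and raises ResourceWarning when pytest runs with warnings as errors. Read the expected content with a context manager or pathlib instead, e.g. `assert key.content_string == pathlib.Path('tests/data/x509/server/%s_ldap.key.pem' % inventory_hostname).read_text()` (and the same for the certificate), adding `import pathlib` at the top of the module. The body of test_ldap_tls_private_key_file starts before this hunk, and test_ldap_tls_certificate_file may continue after its last line.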