Changeset - bc7eef6554a9
0 4 0
Branko Majic (branko) - 6 years ago 2020-01-06 21:53:55
branko@majic.rs
MAR-148: Fixed the tests for ldap_server role (newline fixes, and fix for Testinfra's get_hosts call).
4 files changed with 30 insertions and 18 deletions:
roles/ldap_server/molecule/default/tests/test_client.py
 
import os
 

	
 
import pytest
 

	
 
import testinfra.utils.ansible_runner
 

	
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('client')
 

	
 

	
 
@pytest.mark.parametrize('server', testinfra.utils.ansible_runner.AnsibleRunner(
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts(['parameters-mandatory', 'parameters-optional'])
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*')
 
)
 
def test_connectivity(host, server):
 

	
 
    with host.sudo():
 

	
 
        ping = host.run('hping3 -S -p 389 -c 1 %s', server)
 
        assert ping.rc == 0
 

	
 
        ping = host.run('hping3 -S -p 636 -c 1 %s', server)
 
        assert ping.rc == 0
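Review bot: test_connectivity carries no docstring, while every test in the sibling files of this role states its intent; add `"""Tests that the client can reach each LDAP server on the LDAP (389) and LDAPS (636) ports."""` directly under the signature. The parametrize source now selects servers with the `parameters-*` host pattern instead of the explicit two-host list, so any later inventory host whose name starts with that prefix will silently join this test; if that is deliberate, a one-line comment saying the pattern is meant to track `testinfra_hosts` in test_default.py would help the next reader. The hping3 checks only prove that a SYN on each port is answered; they say nothing about what the client can negotiate on those ports, which the per-profile files cover.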
roles/ldap_server/molecule/default/tests/test_default.py
 
import os
 

	
 
import testinfra.utils.ansible_runner
 

	
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*')
 

	
 

	
 
def test_installed_packages(host):
 
    """
 
    Tests if all the necessary packages have been installed.
 
    """
 

	
 
    assert host.package('slapd').is_installed
 
    assert host.package('python-ldap').is_installed
 

	
 

	
 
def test_ldap_user_group(host):
 
    """
 
    Tests if LDAP server user is part of group that allows it to traverse TLS
 
    private keys directory.
 
    """
 

	
 
    assert "ssl-cert" in host.user('openldap').groups
 

	
 

	
 
def test_ldap_server_service_sockets_and_ports(host):
 
    """
 
    Tests if LDAP server has been configured to listen on correct sockets.
 
    """
 

	
 
    assert host.socket('tcp://389').is_listening
 
    assert host.socket('tcp://636').is_listening
 
    assert host.socket('unix:///var/run/slapd/ldapi').is_listening
 

	
 

	
 
def test_ldap_server_service(host):
 
    """
 
    Tests if the LDAP service is enabled and running.
 
    """
 

	
 
    service = host.service('slapd')
 

	
 
    assert service.is_enabled
 
    assert service.is_running
 

	
 

	
 
def test_syslog_configuration(host):
 
    """
 
    Tests if syslog configuration file has been deployed, and log file was
 
    created correctly (and is being logged to).
 
    """
 

	
 
    config = host.file('/etc/rsyslog.d/slapd.conf')
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 

	
 
    with host.sudo():
 
        log = host.file('/var/log/slapd.log')
 
        assert log.is_file
 
        assert 'slapd' in log.content
 

	
 

	
 
def test_log_rotation_configuration(host):
 
    """
 
    Tests if log rotation configuration file has been deployed correctly and has
 
    valid syntax.
 
    """
 

	
 
    config = host.file('/etc/logrotate.d/slapd')
 

	
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 

	
 
    with host.sudo():
 

	
 
        assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0
 

	
 

	
 
def test_misc_schema_presence(host):
 
    """
 
    Tests if the misc LDAP schema has been imported.
 
    """
 

	
 
    with host.sudo():
 

	
 
        misc_schema = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
 
        assert misc_schema.rc == 0
 
        assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout
 

	
 

	
 
def test_memberof_module(host):
 
    """
 
    Tests if the memberof overlay has been enabled for the main database.
 
    """
 

	
 
    with host.sudo():
 
        memberof = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
 

	
 
        assert memberof.rc == 0
 
        assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout
 

	
 

	
 
def test_basic_directory_structure(host):
 
    """
 
    Tests if the base LDAP directory structure has been set-up correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        ous = ["people", "groups", "services"]
 

	
 
        for ou in ous:
 

	
 
            entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=%s,dc=local' % ou)
 

	
 
            assert entry.rc == 0
 
            assert entry.stdout == """dn: ou=%(ou)s,dc=local
 
objectClass: organizationalUnit
 
ou: %(ou)s""" % {'ou': ou}
 
ou: %(ou)s
 

	
 
""" % {'ou': ou}
 

	
 

	
 
def test_mail_service_entries(host):
 
    """
 
    Tests if the mail service entries have been set-up correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=mail,ou=services,dc=local')
 
        assert entry.rc == 0
 
        assert entry.stdout == """dn: ou=mail,ou=services,dc=local
 
objectClass: organizationalUnit
 
ou: mail"""
 
ou: mail
 

	
 
"""
 

	
 
        entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=domains,ou=mail,ou=services,dc=local')
 
        assert entry.rc == 0
 
        assert entry.stdout == """dn: ou=domains,ou=mail,ou=services,dc=local
 
objectClass: organizationalUnit
 
ou: domains"""
 
ou: domains
 

	
 
"""
 

	
 
        entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=aliases,ou=mail,ou=services,dc=local')
 
        assert entry.rc == 0
 
        assert entry.stdout == """dn: ou=aliases,ou=mail,ou=services,dc=local
 
objectClass: organizationalUnit
 
ou: aliases"""
 
ou: aliases
 

	
 
"""
 

	
 

	
 
def test_firewall_configuration_file(host):
 
    """
 
    Tests if firewall configuration file has been deployed correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        config = host.file('/etc/ferm/conf.d/10-ldap.conf')
 

	
 
        assert config.is_file
 
        assert config.user == 'root'
 
        assert config.group == 'root'
 
        assert config.mode == 0o640
 

	
 

	
 
def test_admin_password(host):
 
    """
 
    Tests if administrator password has been set correctly.
 
    """
 

	
 
    login = host.run("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local")
 

	
 
    assert login.rc == 0
 
    assert login.stdout == "dn:cn=admin,dc=local"
 
    assert login.stdout == "dn:cn=admin,dc=local\n"
 

	
 

	
 
def test_temporary_admin_password_file_not_present(host):
 
    """
 
    Tests if the file that temporarily contains the LDAP adminstrator password
 
    has been removed.
 
    """
 

	
 
    with host.sudo():
 
        assert not host.file('/root/.ldap_admin_password').exists
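Review bot: The rewritten expectations in test_basic_directory_structure and test_mail_service_entries compare the whole ldapsearch stdout byte-for-byte, including the trailing blank line that `-LLL` prints after each entry, so these tests now depend on exact LDIF attribute order and line layout rather than on the entry's contents. test_user_supplied_entries in test_optional.py already uses the more tolerant `sorted(out.stdout.strip().split("\n")) == sorted(expected.split("\n"))` form; using the same form here, and `login.stdout.strip() == "dn:cn=admin,dc=local"` in test_admin_password, keeps the four files consistent and stops pinning the newline. The old and new versions of these lines appear without markers on this page, so which one is current is inferred from the commit title's "newline fixes".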
roles/ldap_server/molecule/default/tests/test_mandatory.py
 
import os
 

	
 
import testinfra.utils.ansible_runner
 

	
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
 

	
 

	
 
def test_base_entry(host):
 
    """
 
    Tests if the base entry has been created correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        base_dn = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")
 

	
 
        assert base_dn.rc == 0
 
        assert "dc: local" in base_dn.stdout.split("\n")
 
        assert "o: Private" in base_dn.stdout.split("\n")
 

	
 

	
 
def test_log_level(host):
 
    """
 
    Tests if the logging level has been set correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        log_level = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')
 

	
 
        assert log_level.rc == 0
 
        assert 'olcLogLevel: 256' in log_level.stdout
 

	
 

	
 
def test_ldap_tls_private_key_file(host):
 
    """
 
    Tests if the TLS private key has been deployed correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
        key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname)
 

	
 
        assert key.is_file
 
        assert key.user == 'root'
 
        assert key.group == 'openldap'
 
        assert key.mode == 0o640
 
        assert key.content == open('tests/data/x509/%s_ldap.key' % inventory_hostname).read().rstrip()
 
        assert key.content == open('tests/data/x509/%s_ldap.key' % inventory_hostname).read()
 

	
 

	
 
def test_ldap_tls_certificate_file(host):
 
    """
 
    Tests if the TLS certificate has been deployed correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
        cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname)
 

	
 
        assert cert.is_file
 
        assert cert.user == 'root'
 
        assert cert.group == 'root'
 
        assert cert.mode == 0o644
 
        assert cert.content == open('tests/data/x509/%s_ldap.pem' % inventory_hostname).read().rstrip()
 
        assert cert.content == open('tests/data/x509/%s_ldap.pem' % inventory_hostname).read()
 

	
 

	
 
def test_certificate_validity_check_configuration(host):
 
    """
 
    Tests if certificate validity check configuration file has been deployed
 
    correctly.
 
    """
 

	
 
    inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
    config = host.file('/etc/check_certificate/%s_ldap.conf' % inventory_hostname)
 

	
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 
    assert config.content == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname
 

	
 

	
 
def test_tls_configuration(host):
 
    """
 
    Tests if the TLS has been configured correctly and works.
 
    """
 

	
 
    starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/')
 
    assert starttls.rc == 0
 
    assert starttls.stdout == 'anonymous'
 
    assert starttls.stdout == 'anonymous\n'
 

	
 
    tls = host.run('ldapwhoami -x -H ldaps://parameters-mandatory.local/')
 
    assert tls.rc == 0
 
    assert tls.stdout == 'anonymous'
 
    assert tls.stdout == 'anonymous\n'
 

	
 
    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory.local:636")
 
    assert old_tls_versions_disabled.rc != 0
 
    assert "CONNECTED" in old_tls_versions_disabled.stdout
 

	
 
    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory.local:636")
 
    assert cipher.rc == 0
 
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
 

	
 
    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory.local:636")
 
    assert cipher.rc != 0
 
    assert "CONNECTED" in cipher.stdout
 
    assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout
 

	
 

	
 
def test_ssf_configuration(host):
 
    """
 
    Tests if the SSF olcSecurity configuration has been set-up correctly.
 
    """
 

	
 
    with host.sudo():
 
        ssf = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')
 

	
 
        assert ssf.rc == 0
 
        assert "olcSecurity: ssf=128" in ssf.stdout
 

	
 

	
 
def test_permissions(host):
 
    """
 
    Tests if LDAP directory permissions have been set-up correctly.
 
    """
 

	
 
    with host.sudo():
 
        permissions = host.run("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")
 

	
 
        expected_permissions = """olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn="cn=admin,dc=local" manage by * break
 
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
 
olcAccess: {2}to dn.base="" by * read
 
olcAccess: {3}to * by self write by dn="cn=admin,dc=local" write by users read by * none"""
 

	
 
        assert permissions.rc == 0
 
        assert expected_permissions in permissions.stdout
 

	
 

	
 
def test_services_login_entries(host):
 
    """
 
    Tests if the service/consumer login entries have been set correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == ""
 

	
 

	
 
def test_group_entries(host):
 
    """
 
    Tests that no group entries have been created out-of-the-box.
 
    """
 

	
 
    with host.sudo():
 

	
 
        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == ""
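Review bot: The fixture reads changed in test_ldap_tls_private_key_file and test_ldap_tls_certificate_file call `open(...).read()` without closing the file, so each run leaks a handle (pytest reports it as a ResourceWarning); `with open('tests/data/x509/%s_ldap.key' % inventory_hostname) as f:` followed by `assert key.content == f.read()` closes it deterministically, and the same applies to the corresponding lines in test_optional.py. Depending on the testinfra version, `File.content` returns bytes while a text-mode `open()` returns str, so the exact comparison introduced here may never be true under Python 3; `content_string`, or opening the fixture in `'rb'` mode, makes the two sides the same type. In test_tls_configuration the negative check relies on `-no_tls1_2` failing, which only holds while neither side offers TLS 1.3; test_optional.py pins the legacy protocol explicitly with `-tls1_1`, and the same flag here would make the "old versions disabled" claim precise.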
roles/ldap_server/molecule/default/tests/test_optional.py
 
import os
 

	
 
import testinfra.utils.ansible_runner
 

	
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
 

	
 

	
 
def test_base_entry(host):
 
    """
 
    Tests if the base entry has been created correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        base_dn = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")
 

	
 
        assert base_dn.rc == 0
 
        assert "dc: local" in base_dn.stdout.split("\n")
 
        assert "o: Example" in base_dn.stdout.split("\n")
 

	
 

	
 
def test_log_level(host):
 
    """
 
    Tests if the logging level has been set correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        log_level = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')
 

	
 
        assert log_level.rc == 0
 
        assert 'olcLogLevel: 0' in log_level.stdout
 

	
 

	
 
def test_ldap_tls_private_key_file(host):
 
    """
 
    Tests if the TLS private key has been deployed correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
        key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname)
 

	
 
        assert key.is_file
 
        assert key.user == 'root'
 
        assert key.group == 'openldap'
 
        assert key.mode == 0o640
 
        assert key.content == open('tests/data/x509/parameters-optional.key.pem').read().rstrip()
 
        assert key.content == open('tests/data/x509/parameters-optional.key.pem').read()
 

	
 

	
 
def test_ldap_tls_certificate_file(host):
 
    """
 
    Tests if the TLS certificate has been deployed correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
        cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname)
 

	
 
        assert cert.is_file
 
        assert cert.user == 'root'
 
        assert cert.group == 'root'
 
        assert cert.mode == 0o644
 
        assert cert.content == open('tests/data/x509/parameters-optional.cert.pem').read().rstrip()
 
        assert cert.content == open('tests/data/x509/parameters-optional.cert.pem').read()
 

	
 

	
 
def test_certificate_validity_check_configuration(host):
 
    """
 
    Tests if certificate validity check configuration file has been deployed
 
    correctly.
 
    """
 

	
 
    inventory_hostname = host.ansible.get_variables()['inventory_hostname']
 

	
 
    config = host.file('/etc/check_certificate/%s_ldap.conf' % inventory_hostname)
 

	
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 
    assert config.content == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname
 

	
 

	
 
def test_tls_configuration(host):
 
    """
 
    Tests if the TLS has been configured correctly and works.
 
    """
 

	
 
    ldap_starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-optional/')
 
    assert ldap_starttls.rc == 0
 
    assert ldap_starttls.stdout == 'anonymous'
 
    assert ldap_starttls.stdout == 'anonymous\n'
 

	
 
    ldap_tls = host.run('ldapwhoami -x -H ldaps://parameters-optional/')
 
    assert ldap_tls.rc == 0
 
    assert ldap_tls.stdout == 'anonymous'
 
    assert ldap_tls.stdout == 'anonymous\n'
 

	
 
    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:636")
 
    assert old_tls_versions_disabled.rc == 0
 
    assert "CONNECTED" in old_tls_versions_disabled.stdout
 

	
 
    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:636")
 
    assert cipher.rc == 0
 
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
 

	
 
    cipher = host.run("echo 'Q' | openssl s_client -tls1_1 -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:636")
 
    assert cipher.rc == 0
 
    assert "ECDHE-RSA-AES128-SHA" in cipher.stdout
 

	
 

	
 
def test_ssf_configuration(host):
 
    """
 
    Tests if the SSF olcSecurity configuration has been set-up correctly.
 
    """
 

	
 
    with host.sudo():
 
        ssf = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')
 

	
 
        assert ssf.rc == 0
 
        assert "olcSecurity: ssf=0" in ssf.stdout
 

	
 

	
 
def test_permissions(host):
 
    """
 
    Tests if LDAP directory permissions have been set-up correctly.
 
    """
 

	
 
    with host.sudo():
 
        permissions = host.run("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")
 

	
 
        expected_permissions = "olcAccess: {0}to * " \
 
                               "by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage " \
 
                               "by self write by * read by dn=\"cn=admin,dc=local\" write " \
 
                               "by * none"
 

	
 
        assert permissions.rc == 0
 
        assert expected_permissions in permissions.stdout
 

	
 

	
 
def test_services_login_entries(host):
 
    """
 
    Tests if the service/consumer login entries have been set correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == """dn: cn=consumer1,ou=services,dc=local
 
objectClass: applicationProcess
 
objectClass: simpleSecurityObject
 
userPassword:: Y29uc3VtZXIxcGFzc3dvcmQ=
 
cn: consumer1
 

	
 
dn: cn=consumer2,ou=services,dc=local
 
objectClass: applicationProcess
 
objectClass: simpleSecurityObject
 
userPassword:: Y29uc3VtZXIycGFzc3dvcmQ=
 
cn: consumer2"""
 
cn: consumer2
 

	
 
"""
 

	
 

	
 
def test_group_entries(host):
 
    """
 
    Tests that no group entries have been created out-of-the-box.
 
    """
 

	
 
    with host.sudo():
 

	
 
        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == """dn: cn=group1,ou=groups,dc=local
 
objectClass: groupOfUniqueNames
 
uniqueMember: cn=NONE
 
cn: group1
 

	
 
dn: cn=group2,ou=groups,dc=local
 
objectClass: groupOfUniqueNames
 
uniqueMember: cn=NONE
 
cn: group2"""
 
cn: group2
 

	
 
"""
 

	
 

	
 
def test_user_supplied_entries(host):
 
    """
 
    Tests if user-supplied entries are created correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        john_doe = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=john,dc=local")
 
        assert john_doe.rc == 0
 
        assert sorted(john_doe.stdout.split("\n")) == sorted("""dn: uid=john,dc=local
 
        assert sorted(john_doe.stdout.strip().split("\n")) == sorted("""dn: uid=john,dc=local
 
objectClass: inetOrgPerson
 
objectClass: simpleSecurityObject
 
userPassword:: am9obnBhc3N3b3Jk
 
cn: John Doe
 
sn: Doe
 
uid: john""".split("\n"))
 

	
 
        jane_doe = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=jane,dc=local")
 
        assert jane_doe.rc == 0
 
        assert sorted(jane_doe.stdout.split("\n")) == sorted("""dn: uid=jane,dc=local
 
        assert sorted(jane_doe.stdout.strip().split("\n")) == sorted("""dn: uid=jane,dc=local
 
objectClass: inetOrgPerson
 
objectClass: simpleSecurityObject
 
userPassword:: amFuZXBhc3N3b3Jk
 
cn: Jane Doe
 
sn: Doe
 
uid: jane""".split("\n"))
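Review bot: test_services_login_entries and test_group_entries now compare the full ldapsearch output including the trailing blank line, while test_user_supplied_entries in the same file switched to `sorted(x.stdout.strip().split("\n"))`; the service-entry and group-entry tests would be less brittle with the same strip-and-sort form, since they otherwise fail on any change in LDIF attribute ordering. In test_tls_configuration the variable `old_tls_versions_disabled` is asserted to succeed with `rc == 0`, which is the intended behaviour for the optional profile but contradicts the name; `old_tls_versions_allowed` would state what is actually verified. The expected `userPassword::` values in test_services_login_entries and test_user_supplied_entries are base64 of the cleartext test passwords, so these assertions lock in unhashed credential storage for the directory; if the role is meant to hash on write, the assertion should accept a hashed value rather than the cleartext, and a comment recording which of the two is intended would make that decision visible.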