majic-ansible-roles Changeset

Changeset - c1abe824342c

Parent rev.

Child rev.

[Not reviewed]

0 8 0

Branko Majic (branko) - 13 months ago 2024-03-02 22:30:40
branko@majic.rs

MAR-192: Added support for Debian 12 Bookworm to xmpp_server role:

- Some of the tests are still failing, namely the ones centered around
the sendxmpp tool (which seems completely broken at this point in
Debian 12 Bookworm)

8 files changed with 182 insertions and 24 deletions:

docs/rolereference.rst

roles/xmpp_server/meta/main.yml

roles/xmpp_server/molecule/default/host_vars/ldap-server.yml

roles/xmpp_server/molecule/default/molecule.yml

roles/xmpp_server/molecule/default/prepare.yml

roles/xmpp_server/molecule/default/tests/test_mandatory.py

roles/xmpp_server/molecule/default/tests/test_optional.py

roles/xmpp_server/templates/prosody.cfg.lua.j2

0 comments (0 inline, 0 general) First comment

docs/rolereference.rst

➞

Show inline comments

@@ @@ -1003,6 +1003,7 @@ Distribution compatibility @@
 Role is compatible with the following distributions:
 - Debian 11 (Bullseye)
 - Debian 12 (Bookworm)
 Examples

roles/xmpp_server/meta/main.yml

➞

Show inline comments

@@ @@ -17,3 +17,4 @@ galaxy_info: @@
     - name: Debian
       versions:
         - 11
         - 12

roles/xmpp_server/molecule/default/host_vars/ldap-server.yml

➞

Show inline comments

@@ @@ -42,3 +42,6 @@ backup_clients: @@
   - server: parameters-optional-bullseye
     ip: 192.168.56.52
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
   - server: parameters-optional-bookworm
     ip: 192.168.56.32
     public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

roles/xmpp_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -19,7 +19,7 @@ platforms: @@
   # =======
   - name: ldap-server
-    box: debian/bullseye64
+    box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
@@ @@ -79,6 +79,56 @@ platforms: @@
         network_name: private_network
         type: static
   # Debian 11 Bookworm
   # ==================
   - name: client-bookworm
     groups:
       - clients
       - bookworm
     box: debian/bookworm64
     memory: 256
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.21
         network_name: private_network
         type: static
   - name: parameters-mandatory-bookworm
     groups:
       - parameters-mandatory
       - bookworm
     box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.31
         network_name: private_network
         type: static
   - name: parameters-optional-bookworm
     groups:
       - parameters-optional
       - bookworm
     box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.32
         network_name: private_network
         type: static
 provisioner:
   name: ansible
   playbooks:

roles/xmpp_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -38,6 +38,21 @@ @@
             - domain3
             - proxy.domain3
             - conference.domain3
         - name: parameters-mandatory-bookworm_xmpp
           fqdn:
             - parameters-mandatory
             - domain1
             - proxy.domain1
             - conference.domain1
         - name: parameters-optional-bookworm_xmpp
           fqdn:
             - parameters-optional
             - domain2
             - proxy.domain2
             - conference.domain2
             - domain3
             - proxy.domain3
             - conference.domain3
     - name: Set-up link to generated X.509 material
       file:
@@ @@ -105,6 +120,43 @@ @@
 .168.56.51: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 .168.56.52: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 - hosts: bookworm
   become: true
   tasks:
     - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
       blockinfile:
         path: "/etc/ssl/openssl.cnf"
         block: |
           [openssl_init]
           ssl_conf = ssl_sect
           [ssl_sect]
           system_default = system_default_sect
           [system_default_sect]
           MinProtocol = TLSv1.1
           CipherString = DEFAULT@SECLEVEL=0
         owner: root
         group: root
         mode: 0644
         state: present
     - name: Set-up the hosts file
       lineinfile:
         path: /etc/hosts
         regexp: "^{{ item.key }}"
         line: "{{ item.key }} {{ item.value }}"
         owner: root
         group: root
         mode: 0644
         state: present
       with_dict:
 .168.56.11: "ldap-server backup-server"
 .168.56.21: "client-bookworm"
 .168.56.31: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
 .168.56.32: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
 - hosts: clients
   become: true
   tasks:

roles/xmpp_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

@@ @@ -49,16 +49,31 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port): @@
     XMPP C2S ports.
     """
     expected_tls_versions = ["TLSv1.2"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    ]
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
     else:
         expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
         expected_tls_ciphers = [
             "TLS_AKE_WITH_AES_128_GCM_SHA256",
             "TLS_AKE_WITH_AES_256_GCM_SHA384",
             "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))

roles/xmpp_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -55,19 +55,37 @@ def test_xmpp_c2s_tls_version_and_ciphers(host, port): @@
     XMPP C2S ports.
     """
     expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    ]
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     if distribution_release == "bullseye":
         expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
         expected_tls_ciphers = [
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
     else:
         expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
         expected_tls_ciphers = [
             "TLS_AKE_WITH_AES_128_GCM_SHA256",
             "TLS_AKE_WITH_AES_256_GCM_SHA384",
             "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
     # Run the nmap scanner against the server, and fetch the results.
     nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port))

roles/xmpp_server/templates/prosody.cfg.lua.j2

➞

Show inline comments

@@ @@ -55,13 +55,31 @@ c2s_ssl = { @@
 -- Configure TLS protocol and ciphers for client-to-server
 -- connections (direct TLS).
 {% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ssl = {
   protocol = "{{ xmpp_server_tls_protocol }}";
   ciphers = "{{ xmpp_server_tls_ciphers }}";
+}
 {% else %}
 c2s_direct_tls_ssl = {
   protocol = "{{ xmpp_server_tls_protocol }}";
   ciphers = "{{ xmpp_server_tls_ciphers }}";
   -- @WORKAROUND: No DHE ciphers because dhparam is getting reset
   --
   --    There is a bug in Prosody 0.12.3 resulting in dhparam value
   --    from from global config getting ignored when domain SNI
   --    context is initalised on TCP port 5223. Define the parameter
   --    in within this configuration context as well to fix the issue.
   dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
+}
 {% endif %}
 -- Ports on which to have direct TLS/SSL.
 {% if ansible_distribution_release == "bullseye" %}
 legacy_ssl_ports = { 5223 }
 {% else %}
 c2s_direct_tls_ports = { 5223 }
 {% endif %}
 -- Force clients to use encrypted connection.
 c2s_require_encryption = true

0 comments (0 inline, 0 general) First comment