majic-ansible-roles Changeset

Changeset - e081fd2bc85c

Parent rev.

Child rev.

[Not reviewed]

0 6 0

Branko Majic (branko) - 20 months ago 2023-08-10 00:02:18
branko@majic.rs

MAR-181: Drop support for Debian 9 Stretch from ldap_server role:

- Switch to using IPs from VirtualBox default allowed host-only
network subnets.
- Drop the workaround for unsupported TLS ciphers on Debian Stretch.

6 files changed with 29 insertions and 92 deletions:

docs/rolereference.rst

roles/ldap_server/meta/main.yml

roles/ldap_server/molecule/default/molecule.yml

roles/ldap_server/molecule/default/prepare.yml

roles/ldap_server/molecule/default/tests/test_mandatory.py

roles/ldap_server/molecule/default/tests/test_optional.py

0 comments (0 inline, 0 general) First comment

docs/rolereference.rst

➞

Show inline comments

@@ @@ -782,7 +782,6 @@ Distribution compatibility @@
 Role is compatible with the following distributions:
 - Debian 9 (Stretch)
 - Debian 10 (Buster)

roles/ldap_server/meta/main.yml

➞

Show inline comments

@@ @@ -17,5 +17,4 @@ galaxy_info: @@
   platforms:
     - name: Debian
       versions:
         - 9
         - 10

roles/ldap_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -20,32 +20,7 @@ platforms: @@
     cpus: 1
     interfaces:
       - auto_config: true
         ip: 10.31.127.10
         network_name: private_network
         type: static
   - name: parameters-mandatory-stretch64
     groups:
       - parameters-mandatory
     box: debian/contrib-stretch64
     memory: 256
     cpus: 1
     interfaces:
       - auto_config: true
         ip: 10.31.127.22
         network_name: private_network
         type: static
   - name: parameters-optional-stretch64
     groups:
       - parameters-optional
       - backup-server
     box: debian/contrib-stretch64
     memory: 256
     cpus: 1
     interfaces:
       - auto_config: true
         ip: 10.31.127.23
         ip: 192.168.56.10
         network_name: private_network
         type: static
@@ @@ -57,7 +32,7 @@ platforms: @@
     cpus: 1
     interfaces:
       - auto_config: true
-        ip: 10.31.127.12
+        ip: 192.168.56.12
         network_name: private_network
         type: static
@@ @@ -70,7 +45,7 @@ platforms: @@
     cpus: 1
     interfaces:
       - auto_config: true
-        ip: 10.31.127.13
+        ip: 192.168.56.13
         network_name: private_network
         type: static

roles/ldap_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -23,10 +23,6 @@ @@
           - "{{ item.name }}"
           - "{{ item.fqdn }}"
       with_items:
         - name: parameters-mandatory-stretch64_ldap
           fqdn: parameters-mandatory
         - name: parameters-optional-stretch64_ldap
           fqdn: parameters-optional
         - name: parameters-mandatory-buster64_ldap
           fqdn: parameters-mandatory
         - name: parameters-optional-buster64_ldap
@@ @@ -83,10 +79,8 @@ @@
         mode: 0644
         state: present
       with_dict:
 .31.127.22: parameters-mandatory-stretch64
 .31.127.23: parameters-optional-stretch64
 .31.127.12: parameters-mandatory-buster64
 .31.127.13: parameters-optional-buster64
 .168.56.12: parameters-mandatory-buster64
 .168.56.13: parameters-optional-buster64
 - hosts: parameters-optional
   become: true

roles/ldap_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

@@ @@ -75,27 +75,14 @@ def test_tls_version_and_ciphers(host): @@
     expected_tls_versions = ["TLSv1.2"]
     # @TODO: Under Debian Stretch, the DHE ciphers are not usable due
     # to a bug present in OpenLDAP 2.4.44. See
     # https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
     # for details.
     expected_tls_ciphers = {
         "stretch": [
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         ],
         "buster": [
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        ]
+    }
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+    ]
     # Run the nmap scanner against the LDAP server, and fetch the
     # results.
@@ @@ -118,7 +105,7 @@ def test_tls_version_and_ciphers(host): @@
     tls_ciphers = sorted(list(tls_ciphers))
     assert tls_versions == expected_tls_versions
-    assert tls_ciphers == expected_tls_ciphers[distribution_release]
     assert tls_ciphers == expected_tls_ciphers
 def test_ssf_configuration(host):

roles/ldap_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -77,37 +77,20 @@ def test_tls_version_and_ciphers(host): @@
     expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
     # @TODO: Under Debian Stretch, the DHE ciphers are not usable due
     # to a bug present in OpenLDAP 2.4.44. See
     # https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
     # for details. It should be possible to fix this problem once
     # switch to buster is mad.e
     expected_tls_ciphers = {
         "stretch": [
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
         ],
         "buster": [
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
             "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
             "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        ]
+    }
     distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
     expected_tls_ciphers = [
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
         "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
         "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    ]
     # Run the nmap scanner against the LDAP server, and fetch the
     # results.
@@ @@ -130,7 +113,7 @@ def test_tls_version_and_ciphers(host): @@
     tls_ciphers = sorted(list(tls_ciphers))
     assert tls_versions == expected_tls_versions
-    assert tls_ciphers == expected_tls_ciphers[distribution_release]
     assert tls_ciphers == expected_tls_ciphers
 def test_ssf_configuration(host):

0 comments (0 inline, 0 general) First comment