Changeset - e081fd2bc85c
Branko Majic (branko) - 2 years ago 2023-08-10 00:02:18
branko@majic.rs
MAR-181: Drop support for Debian 9 Stretch from ldap_server role:

- Switch to using IPs from VirtualBox default allowed host-only
network subnets.
- Drop the workaround for unsupported TLS ciphers on Debian Stretch.
6 files changed with 29 insertions and 92 deletions:
docs/rolereference.rst
 
@@ -779,13 +779,12 @@ Parameters
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 9 (Stretch)
 
- Debian 10 (Buster)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
roles/ldap_server/meta/main.yml
 
@@ -14,8 +14,7 @@ galaxy_info:
 
  description: Sets-up an OpenLDAP server
 
  license: BSD
 
  min_ansible_version: 2.9
 
  platforms:
 
    - name: Debian
 
      versions:
 
        - 9
 
        - 10
roles/ldap_server/molecule/default/molecule.yml
 
@@ -17,63 +17,38 @@ platforms:
 
  - name: client
 
    box: debian/contrib-buster64
 
    memory: 512
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.10
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-stretch64
 
    groups:
 
      - parameters-mandatory
 
    box: debian/contrib-stretch64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.22
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-stretch64
 
    groups:
 
      - parameters-optional
 
      - backup-server
 
    box: debian/contrib-stretch64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.23
 
        ip: 192.168.56.10
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-buster64
 
    groups:
 
      - parameters-mandatory
 
    box: debian/contrib-buster64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.12
 
        ip: 192.168.56.12
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-buster64
 
    groups:
 
      - parameters-optional
 
      - backup-server
 
    box: debian/contrib-buster64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.13
 
        ip: 192.168.56.13
 
        network_name: private_network
 
        type: static
 

	
 
provisioner:
 
  name: ansible
 
  playbooks:
roles/ldap_server/molecule/default/prepare.yml
 
@@ -20,16 +20,12 @@
 
        argv:
 
          - "gimmecert"
 
          - "server"
 
          - "{{ item.name }}"
 
          - "{{ item.fqdn }}"
 
      with_items:
 
        - name: parameters-mandatory-stretch64_ldap
 
          fqdn: parameters-mandatory
 
        - name: parameters-optional-stretch64_ldap
 
          fqdn: parameters-optional
 
        - name: parameters-mandatory-buster64_ldap
 
          fqdn: parameters-mandatory
 
        - name: parameters-optional-buster64_ldap
 
          fqdn: parameters-optional
 

	
 
    - name: Set-up link to generated X.509 material
 
@@ -80,16 +76,14 @@
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 
      with_dict:
 
        10.31.127.22: parameters-mandatory-stretch64
 
        10.31.127.23: parameters-optional-stretch64
 
        10.31.127.12: parameters-mandatory-buster64
 
        10.31.127.13: parameters-optional-buster64
 
        192.168.56.12: parameters-mandatory-buster64
 
        192.168.56.13: parameters-optional-buster64
 

	
 
- hosts: parameters-optional
 
  become: true
 
  tasks:
 

	
 
    - name: Set-up the hosts file
roles/ldap_server/molecule/default/tests/test_mandatory.py
 
@@ -72,33 +72,20 @@ def test_tls_version_and_ciphers(host):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.2"]
 

	
 
    # @TODO: Under Debian Stretch, the DHE ciphers are not usable due
 
    # to a bug present in OpenLDAP 2.4.44. See
 
    # https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
 
    # for details.
 
    expected_tls_ciphers = {
 
        "stretch": [
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        ],
 
        "buster": [
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        ]
 
    }
 

	
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
    ]
 

	
 
    # Run the nmap scanner against the LDAP server, and fetch the
 
    # results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 636 localhost -oX /tmp/report.xml")
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
 
@@ -115,13 +102,13 @@ def test_tls_version_and_ciphers(host):
 
        tls_ciphers.add(child.text)
 

	
 
    tls_versions.sort()
 
    tls_ciphers = sorted(list(tls_ciphers))
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers[distribution_release]
 
    assert tls_ciphers == expected_tls_ciphers
 

	
 

	
 
def test_ssf_configuration(host):
 
    """
 
    Tests if the SSF olcSecurity configuration has been set-up correctly.
 
    """
roles/ldap_server/molecule/default/tests/test_optional.py
 
@@ -74,43 +74,26 @@ def test_tls_version_and_ciphers(host):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
 

	
 
    # @TODO: Under Debian Stretch, the DHE ciphers are not usable due
 
    # to a bug present in OpenLDAP 2.4.44. See
 
    # https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
 
    # for details. It should be possible to fix this problem once
 
    # switch to buster is mad.e
 
    expected_tls_ciphers = {
 
        "stretch": [
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        ],
 
        "buster": [
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        ]
 
    }
 

	
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
    ]
 

	
 
    # Run the nmap scanner against the LDAP server, and fetch the
 
    # results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 636 localhost -oX /tmp/report.xml")
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
 
@@ -127,13 +110,13 @@ def test_tls_version_and_ciphers(host):
 
        tls_ciphers.add(child.text)
 

	
 
    tls_versions.sort()
 
    tls_ciphers = sorted(list(tls_ciphers))
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers[distribution_release]
 
    assert tls_ciphers == expected_tls_ciphers
 

	
 

	
 
def test_ssf_configuration(host):
 
    """
 
    Tests if the SSF olcSecurity configuration has been set-up correctly.
 
    """