Changeset - ea69b2719d8e
0 4 2
Branko Majic (branko) - 7 years ago 2017-06-07 16:22:19
branko@majic.rs
MAR-22: Implemented tests for the common role:

- Added missing documentation for pipreqcheck_uid and pipreqcheck_gid
parameters.
- Use static-hashed passwords for reproducibility during testing in test
playbook.
- Install Emacs and libmariadb-client-lgpl-dev-compat via test playbook on one
of the testing instances in order to test related tasks.
- Fixed parameter for connection limitting in test playbook.
- Added explicit parameters to test playbook for pipreqcheck_gid and
pipreqcheck_uid.
- Fixed deployment of ferm configuration file ot include setting user/group and
mode.
- Added tests covering common deployment, deployment when only mandatory
parameters are provided, and deployment when optional parameters are set as
well.
6 files changed with 703 insertions and 9 deletions:
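--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -400,6 +400,14 @@ Parameters
   higher than ``incoming_connection_limit``), even if it would go above the
   specified connection limit.
 
+**pipreqcheck_uid** (integer, optional, ``whatever OS picks``)
+  UID for user running the pip requirements upgrade checks. User is created with
+  name ``pipreqcheck``.
+
+**pipreqcheck_gid** (integer, optional, ``whatever OS picks``)
+  GID for user running the pip requirements upgrade checks. Group is created
+  with name ``pipreqcheck``.
+
 **prompt_colour** (string, optional, ``none``)
   Colour for showing the Bash prompt. Supported values are:
 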
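--- a/roles/common/playbook.yml
+++ b/roles/common/playbook.yml
@@ -62,14 +62,16 @@
           authorized_keys:
             - "{{ lookup('file', 'tests/data/ssh/clientkey1.pub') }}"
             - "{{ lookup('file', 'tests/data/ssh/clientkey2.pub') }}"
-          password: "{{ 'user2' | password_hash('sha512') }}"
+          # Password is 'user2'.
+          password: "$6$wdXOQiMe09ugh0$VRIph2XA2QQyEYlAlH7zT4TPACDUalf/4FKpqG9JRHfKxANTcTug2ANCt450htcs0LikJfHLWofLP54jraFU61"
         - name: user3
           uid: 2002
           additional_groups:
             - group3
           authorized_keys:
             - "{{ lookup('file', 'tests/data/ssh/clientkey3.pub') }}"
-          password: "{{ 'user3' | password_hash('sha512') }}"
+          # Password is 'user3'.
+          password: "$6$nmx.21uLqT$9LrUqNUgUwIM.l0KFKgr2.kDEwe2lo7IbBIhnG70AGW7GTFdWBUFnGAxH15YxikTXhDJD/uxd.NNgojEOjRvx1"
       os_groups:
         - name: group1
         - name: group2
@@ -79,6 +81,8 @@
       common_packages:
         - units
         - gnutls-bin
+        - libmariadb-client-lgpl-dev-compat
+        - emacs24-nox
       ca_certificates:
         cacert1: "{{ lookup('file', 'tests/data/x509/ca1.cert.pem') }}"
         cacert2: "{{ lookup('file', 'tests/data/x509/ca2.cert.pem') }}"
@@ -86,7 +90,9 @@
         - /home/user1
         - /home/user2
       incoming_connection_limit: 5/second
-      incoming_connection_limit_burst: 5/second
+      incoming_connection_limit_burst: 5
+      pipreqcheck_uid: 2500
+      pipreqcheck_gid: 2500
       prompt_colour: cyan
       prompt_id: test
       # From backup_client role meta dependency.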
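Review bot: The two static `$6$` hashes are now committed together with comments giving their plaintext (`user2`, `user3`) and are asserted verbatim in test_parameters_optional.py, so the play should say explicitly that they are fixed fixtures for disposable test instances and must never be copied into a real inventory. A comment such as `# Static, pre-computed hashes so test runs are reproducible (password_hash would salt anew each run); test-only credentials, plaintext noted below.` above the first `password:` line would do, and it also stops someone later "fixing" them back to `password_hash`, which would reintroduce the per-run churn this change removes. With `PasswordAuthentication no` enforced by the role (test_default.py asserts it), these passwords presumably only matter for console login and sudo, which is worth stating in the same comment. The `os_users` list this hunk edits starts above the hunk.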
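--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -122,7 +122,7 @@
   file: dest="/etc/ferm/conf.d/" mode=0750 state=directory owner=root group=root
 
 - name: Deploy main ferm configuration file
-  copy: src=ferm.conf dest=/etc/ferm/ferm.conf owner=root group=root mode=0640
+  copy: src=ferm.conf dest=/etc/ferm/ferm.conf owner=root group=root mode=0640
   notify:
     - Restart ferm
 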
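Review bot: The `copy` task now installs `ferm.conf` as root:root 0640, but a syntactically broken file still reaches the `Restart ferm` handler before anything parses it; `copy` supports `validate: 'ferm --noexec %s'` (ferm's parse-without-applying mode), so the handler is only notified with a file ferm can actually load and the firewall service is not restarted into a failure. Validation of the temporary file still follows the absolute `@include '/etc/ferm/conf.d/';` directive, which is fine here because the task just above creates that directory, though on a first run it may still be empty at that point. The task list continues outside this hunk.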
roles/common/tests/test_default.py
 
import testinfra.utils.ansible_runner
 

	
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    '.molecule/ansible_inventory').get_hosts('all')
 
testinfra_hosts.remove("helper")
 

	
 

	
 
def test_pam_umask(File):
 
    """
 
    Tests configuration of PAM umask module.
 
    """
 

	
 
    pam_auth_update_config = File('/usr/share/pam-configs/umask')
 
    assert pam_auth_update_config.exists
 
    assert pam_auth_update_config.user == 'root'
 
    assert pam_auth_update_config.group == 'root'
 
    assert pam_auth_update_config.mode == 0o644
 

	
 
    assert File('/etc/pam.d/common-session').contains('session[[:blank:]]\+required[[:blank:]]\+pam_umask.so')
 
    assert File('/etc/pam.d/common-session-noninteractive').contains('session[[:blank:]]\+required[[:blank:]]\+pam_umask.so')
 

	
 

	
 
def test_login_umask(File):
 
    """
 
    Tests set-up of default UMASK via /etc/login.defs.
 
    """
 

	
 
    assert File('/etc/login.defs').contains('UMASK[[:blank:]]\+027')
 

	
 

	
 
def test_adduser_umask(File):
 
    """
 
    Tests UMASK configuration used for creating user home directory.
 
    """
 

	
 
    assert File('/etc/adduser.conf').contains('DIR_MODE=0750')
 

	
 

	
 
def test_bash_prompt(File):
 
    """
 
    Tests file permissions on custom bash prompt configuration.
 
    """
 

	
 
    bash_prompt = File('/etc/profile.d/bash_prompt.sh')
 

	
 
    assert bash_prompt.exists
 
    assert bash_prompt.user == 'root'
 
    assert bash_prompt.group == 'root'
 
    assert bash_prompt.mode == 0o644
 

	
 

	
 
def test_home_profile_d(File):
 
    """
 
    Tests deployment of special profile file used for enabling profile.d-like
 
    capability in user's home directory.
 
    """
 

	
 
    home_profile_d = File('/etc/profile.d/z99-user_profile_d.sh')
 

	
 
    assert home_profile_d.is_file
 
    assert home_profile_d.user == 'root'
 
    assert home_profile_d.group == 'root'
 
    assert home_profile_d.mode == 0o644
 

	
 

	
 
def test_home_skeleton_bashrc(File):
 
    """
 
    Tests deployment of home directory skeleton bashrc.
 
    """
 

	
 
    bashrc = File('/etc/skel/.bashrc')
 

	
 
    assert bashrc.is_file
 
    assert bashrc.user == 'root'
 
    assert bashrc.group == 'root'
 
    assert bashrc.mode == 0o644
 
    assert bashrc.sha256sum == '4f946fb387a413c8d7633787d8e8a7785c256d77f7c6a692822ffdb439c78277'
 

	
 

	
 
def test_default_bashrc(File):
 
    """
 
    Tests deployment of default bashrc file.
 
    """
 

	
 
    bashrc = File('/etc/bash.bashrc')
 

	
 
    assert bashrc.is_file
 
    assert bashrc.user == 'root'
 
    assert bashrc.group == 'root'
 
    assert bashrc.mode == 0o644
 

	
 

	
 
def test_root_bashrc(File, Sudo):
 
    """
 
    Tests overwriting of root's bashrc configuration with default one.
 
    """
 

	
 
    with Sudo():
 
        bashrc = File('/root/.bashrc')
 

	
 
        assert bashrc.is_file
 
        assert bashrc.user == 'root'
 
        assert bashrc.group == 'root'
 
        assert bashrc.mode == 0o640
 
        assert bashrc.sha256sum == '4f946fb387a413c8d7633787d8e8a7785c256d77f7c6a692822ffdb439c78277'
 

	
 

	
 
def test_installed_packages(Package):
 
    """
 
    Tests installation of required packages.
 
    """
 

	
 
    assert Package('sudo').is_installed
 
    assert Package('ssl-cert').is_installed
 
    assert Package('rcconf').is_installed
 
    assert Package('ferm').is_installed
 
    assert Package('apticron').is_installed
 
    assert Package('virtualenv').is_installed
 

	
 

	
 
def test_root_remote_login_disabled(File):
 
    """
 
    Tests if SSH server has been configured to prevent remote root logins.
 
    """
 

	
 
    assert 'PermitRootLogin no' in File('/etc/ssh/sshd_config').content
 

	
 

	
 
def test_remote_login_via_password_disabled(File):
 
    """
 
    Tests if SSH server has been configured to disable password-based
 
    authentication.
 
    """
 

	
 
    assert 'PasswordAuthentication no' in File('/etc/ssh/sshd_config').content
 

	
 

	
 
def test_ferm_service_configuration(File):
 

	
 
    ferm_service_config = File('/etc/default/ferm')
 

	
 
    assert ferm_service_config.is_file
 
    assert ferm_service_config.user == 'root'
 
    assert ferm_service_config.group == 'root'
 
    assert ferm_service_config.mode == 0o644
 
    assert 'FAST=yes' in ferm_service_config.content
 
    assert 'CACHE=no' in ferm_service_config.content
 
    assert 'ENABLED="yes"' in ferm_service_config.content
 

	
 

	
 
def test_ferm_configuration_directory(File, Sudo):
 
    """
 
    Tests creation of ferm configuration directory.
 
    """
 

	
 
    with Sudo():
 
        ferm_dir = File('/etc/ferm/conf.d')
 

	
 
        assert ferm_dir.is_directory
 
        assert ferm_dir.user == 'root'
 
        assert ferm_dir.group == 'root'
 
        assert ferm_dir.mode == 0o750
 

	
 

	
 
def test_ferm_configuration(File, Sudo):
 
    """
 
    Tests deployment of basic ferm configuration files.
 
    """
 

	
 
    with Sudo():
 

	
 
        ferm_configuration = File('/etc/ferm/ferm.conf')
 
        assert ferm_configuration.is_file
 
        assert ferm_configuration.user == 'root'
 
        assert ferm_configuration.group == 'root'
 
        assert ferm_configuration.mode == 0o640
 
        assert "@include '/etc/ferm/conf.d/';" in ferm_configuration.content
 

	
 
        ferm_base = File('/etc/ferm/conf.d/00-base.conf')
 
        assert ferm_base.is_file
 
        assert ferm_base.user == 'root'
 
        assert ferm_base.group == 'root'
 
        assert ferm_base.mode == 0o640
 

	
 

	
 
def test_ferm_service(Service):
 
    """
 
    Tests if ferm is started and enabled to start automatically on boot.
 
    """
 

	
 
    ferm = Service('ferm')
 

	
 
    assert ferm.is_running
 
    assert ferm.is_enabled
 

	
 

	
 
def test_check_certificate_script(File):
 

	
 
    check_certificate = File('/usr/local/bin/check_certificate.sh')
 

	
 
    assert check_certificate.is_file
 
    assert check_certificate.user == 'root'
 
    assert check_certificate.group == 'root'
 
    assert check_certificate.mode == 0o755
 

	
 

	
 
def test_check_certificate_directory(File):
 

	
 
    check_certificate_dir = File('/etc/check_certificate')
 

	
 
    assert check_certificate_dir.is_directory
 
    assert check_certificate_dir.user == 'root'
 
    assert check_certificate_dir.group == 'root'
 
    assert check_certificate_dir.mode == 0o755
 

	
 

	
 
def test_check_certificate_crontab(File):
 
    """
 
    Tests deployment of cron job for checking certificates.
 
    """
 

	
 
    check_certificate_crontab = File('/etc/cron.d/check_certificate')
 

	
 
    assert check_certificate_crontab.is_file
 
    assert check_certificate_crontab.user == 'root'
 
    assert check_certificate_crontab.group == 'root'
 
    assert check_certificate_crontab.mode == 0o644
 
    assert "0 0 * * * nobody /usr/local/bin/check_certificate.sh expiration" in check_certificate_crontab.content
 

	
 

	
 
def test_pipreqcheck_virtualenv(File, Sudo):
 
    """
 
    Tests creation of Python virtual environment used for performing pip
 
    requirements upgrade checks.
 
    """
 

	
 
    with Sudo():
 
        virtualenv_activate = File('/var/lib/pipreqcheck/virtualenv/bin/activate')
 

	
 
        assert virtualenv_activate.is_file
 
        assert virtualenv_activate.user == 'pipreqcheck'
 
        assert virtualenv_activate.group == 'pipreqcheck'
 
        assert virtualenv_activate.mode == 0o644
 

	
 

	
 
def test_pipreqcheck_directories(File, Sudo):
 
    """
 
    Tests creation of directories used for storing configuration used by script
 
    that performs pip requirements upgrade checks.
 
    """
 

	
 
    with Sudo():
 
        pipreqcheck_config_directory = File('/etc/pip_check_requirements_upgrades')
 
        assert pipreqcheck_config_directory.is_directory
 
        assert pipreqcheck_config_directory.user == 'root'
 
        assert pipreqcheck_config_directory.group == 'pipreqcheck'
 
        assert pipreqcheck_config_directory.mode == 0o750
 

	
 
        pipreqcheck_config_directory_pipreqcheck = File('/etc/pip_check_requirements_upgrades/pipreqcheck')
 
        assert pipreqcheck_config_directory_pipreqcheck.is_directory
 
        assert pipreqcheck_config_directory_pipreqcheck.user == 'root'
 
        assert pipreqcheck_config_directory_pipreqcheck.group == 'pipreqcheck'
 
        assert pipreqcheck_config_directory_pipreqcheck.mode == 0o750
 

	
 

	
 
def test_pipreqcheck_requirements(File, Sudo):
 
    """
 
    Tests deployment of requirements input and text file used for virtual
 
    environment utilised by script that perform pip requirements upgrade checks.
 
    """
 

	
 
    with Sudo():
 
        requirements_in = File('/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in')
 
        assert requirements_in.is_file
 
        assert requirements_in.user == 'root'
 
        assert requirements_in.group == 'pipreqcheck'
 
        assert requirements_in.mode == 0o640
 

	
 
        requirements_txt = File('/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt')
 
        requirements_txt.is_file
 
        assert requirements_txt.user == 'root'
 
        assert requirements_txt.group == 'pipreqcheck'
 
        assert requirements_txt.mode == 0o640
 

	
 

	
 
def test_pipreqcheck_packages(PipPackage, Sudo):
 
    """
 
    Tests if Python virtual environment used for running the pip requirements
 
    upgrade checks has correct version of pip installed.
 
    """
 

	
 
    with Sudo():
 
        packages = PipPackage.get_packages(pip_path='/var/lib/pipreqcheck/virtualenv/bin/pip')
 

	
 
        assert packages['pip']['version'].rsplit('.', 1)[0] == '9.0'
 
        assert 'pip-tools' in packages
 

	
 

	
 
def test_pipreqcheck_script(File):
 
    """
 
    Tests script used for performing pip requirements upgrade checks.
 
    """
 

	
 
    pipreqcheck_script = File('/usr/local/bin/pip_check_requirements_upgrades.sh')
 

	
 
    assert pipreqcheck_script.is_file
 
    assert pipreqcheck_script.user == 'root'
 
    assert pipreqcheck_script.group == 'root'
 
    assert pipreqcheck_script.mode == 0o755
 

	
 

	
 
def test_pipreqcheck_crontab(File):
 
    """
 
    Tests if crontab entry is set-up correctly for running the pip requirements
 
    upgrade checks.
 
    """
 

	
 
def test_hosts_file(File):
 
    f = File('/etc/hosts')
 
    crontab = File('/etc/cron.d/check_pip_requirements')
 

	
 
    assert f.exists
 
    assert f.user == 'root'
 
    assert f.group == 'root'
 
    assert crontab.is_file
 
    assert crontab.user == 'root'
 
    assert crontab.group == 'root'
 
    assert crontab.mode == 0o644
 
    assert "MAILTO=root" in crontab.content
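Review bot: `test_root_remote_login_disabled` and `test_remote_login_via_password_disabled` use a plain substring test on `sshd_config`, so a commented-out `#PermitRootLogin no` satisfies them, and neither notices an earlier conflicting `PermitRootLogin yes`, which sshd honours under its first-match rule. Use the line-anchored regex form this file already uses for PAM and login.defs, e.g. `assert File('/etc/ssh/sshd_config').contains('^PermitRootLogin[[:blank:]]\+no$')` and `assert File('/etc/ssh/sshd_config').contains('^PasswordAuthentication[[:blank:]]\+no$')`; the live `auth_none` probe in the per-host test files then covers the effective server behaviour. In `test_pipreqcheck_requirements` the line `requirements_txt.is_file` is missing its `assert`, so that check can never fail. `test_pipreqcheck_crontab` pins only `MAILTO=root`; asserting the schedule line and the account the job runs as (presumably `pipreqcheck`, given the dedicated user), as `test_check_certificate_crontab` does, would catch the job being scheduled as root by mistake.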
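--- /dev/null
+++ b/roles/common/tests/test_parameters_mandatory.py
@@ -0,0 +1,114 @@
+import socket
+
+import paramiko
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    '.molecule/ansible_inventory').get_hosts('parameters-mandatory')
+
+
+def test_apt_proxy(File):
+    """
+    Tests if proxy configuration for apt is missing.
+    """
+
+    assert not File('/etc/apt/apt.conf.d/00proxy').exists
+
+
+def test_bash_prompt_content(File):
+    """
+    Tests if bash prompt configuration file has not colouring and ID information
+    contained within.
+    """
+
+    bash_prompt = File('/etc/profile.d/bash_prompt.sh')
+
+    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\[\\033[0m\\]\\u@\\h:\\w\\$ \\[\\033[0m\\]'" in bash_prompt.content
+    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '" in bash_prompt.content
+
+
+def test_ssh_login_mechanisms():
+    """
+    Tests available SSH login mechanisms (should be just public key).
+    """
+
+    sock = socket.socket()
+    sock.connect(('10.31.127.3', 22))
+
+    transport = paramiko.transport.Transport(sock)
+    transport.connect()
+
+    try:
+        transport.auth_none('')
+    except paramiko.transport.BadAuthenticationType, err:
+        assert err.allowed_types == ['publickey']
+
+
+def test_mariadb_mysql_config_symlink(File, Sudo):
+    """
+    Tests if symbolic link has been set-up for mariadb_config binary to be
+    accessible as mysql_config as well. (should not be present with just
+    mandatory options set).
+    """
+
+    mysql_config = File('/usr/bin/mysql_config')
+
+    assert not mysql_config.exists
+
+
+def test_emacs_electric_indent_mode(File):
+    """
+    Tests if Emacs electric indent mode has been disabled via custom
+    configuration file. With just mandatory options set, the file should not be
+    present.
+    """
+
+    emacs_config = File('/etc/emacs/site-start.d/01disable-electric-indent-mode')
+
+    assert not emacs_config.exists
+
+
+def test_ferm_base_rules(Command, File, Sudo):
+    """
+    Test if base ferm configuration has been deployed correctly (content-wise).
+    """
+
+    with Sudo():
+        ferm_base = File('/etc/ferm/conf.d/00-base.conf')
+
+        assert "mod hashlimit hashlimit 3/second hashlimit-burst 9" in ferm_base.content
+
+        iptables = Command('iptables-save')
+
+        assert iptables.rc == 0
+        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
+        assert "-A flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
+
+        ip6tables = Command('ip6tables-save')
+        assert ip6tables.rc == 0
+        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
+        assert "-A flood -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in ip6tables.stdout
+
+
+def test_pipreqcheck_virtualenv_user(Group, User):
+    """
+    Tests if user/group for running the pip requirements upgrade checks have
+    been created correctly.
+    """
+
+    group = Group('pipreqcheck')
+    assert group.exists
+    assert group.gid == 1001
+
+    user = User('pipreqcheck')
+    assert user.exists
+    assert user.home == '/var/lib/pipreqcheck'
+    assert user.uid == 1001
+    assert user.group == 'pipreqcheck'
+    assert user.groups == ['pipreqcheck']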
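Review bot: `test_ssh_login_mechanisms` passes silently if the server accepts `none` authentication, because its only assertion lives inside the `except` branch and a successful `auth_none('')` raises nothing; add `else:` / `raise AssertionError("sshd accepted 'none' authentication")` after the `except` block so a misconfigured sshd is actually caught. `test_emacs_electric_indent_mode` asserts the absence of `/etc/emacs/site-start.d/01disable-electric-indent-mode`, whereas the file the optional-parameters test expects the role to deploy carries an `.el` suffix, so this negative check passes vacuously and the path should be `'/etc/emacs/site-start.d/01disable-electric-indent-mode.el'`. In `test_ferm_base_rules` the first assertion after `ip6tables = Command('ip6tables-save')` re-checks the IPv4 ICMP rule against `iptables.stdout`, duplicating the earlier assertion; presumably the TCP SYN rule against `ip6tables.stdout` was intended. The `except X, err` form is Python 2 only, which is fine only while the test runner is pinned to Python 2.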
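--- /dev/null
+++ b/roles/common/tests/test_parameters_optional.py
@@ -0,0 +1,253 @@
+import os
+import socket
+
+import paramiko
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    '.molecule/ansible_inventory').get_hosts('parameters-optional')
+
+
+def test_apt_proxy(File):
+    """
+    Tests if proxy configuration for apt has been deployed correctly.
+    """
+
+    proxy_config = File('/etc/apt/apt.conf.d/00proxy')
+
+    assert proxy_config.exists
+    assert proxy_config.user == 'root'
+    assert proxy_config.group == 'root'
+    assert proxy_config.mode == 0o644
+
+
+def test_bash_prompt_content(File):
+    """
+    Tests that custom bash prompt has been configured correctly with specified
+    colour and prompt.
+    """
+
+    config = File('/etc/profile.d/bash_prompt.sh')
+
+    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\[\\033[0;36m\\]\\u@\\h[test]:\\w\\$ \\[\\033[0m\\]'" in config.content
+    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\u@\\h[test]:\\w\\$ '" in config.content
+
+
+def test_common_installed_packages_common(Package):
+    """
+    Tests that user-provided common packages have been installed.
+    """
+
+    assert Package('units').is_installed
+    assert Package('gnutls-bin').is_installed
+    assert Package('libmariadb-client-lgpl-dev-compat').is_installed
+
+
+def test_ssh_login_mechanisms():
+    """
+    Tests available SSH login mechanisms (should be just public key).
+    """
+
+    sock = socket.socket()
+    sock.connect(('10.31.127.4', 22))
+
+    transport = paramiko.transport.Transport(sock)
+    transport.connect()
+
+    try:
+        transport.auth_none('')
+    except paramiko.transport.BadAuthenticationType, err:
+        assert err.allowed_types == ['publickey']
+
+
+def test_mariadb_mysql_config_symlink(File):
+    """
+    Tests if symbolic link has been set-up for mariadb_config binary to be
+    accessible as mysql_config as well.
+    """
+
+    mysql_config = File('/usr/bin/mysql_config')
+
+    assert mysql_config.is_symlink
+    assert mysql_config.linked_to == '/usr/bin/mariadb_config'
+
+
+def test_emacs_electric_indent_mode(File):
+    """
+    Tests if Emacs electric indent mode has been disabled via custom
+    configuration file.
+    """
+
+    emacs_config = File('/etc/emacs/site-start.d/01disable-electric-indent-mode.el')
+
+    assert emacs_config.is_file
+    assert emacs_config.user == 'root'
+    assert emacs_config.group == 'root'
+    assert emacs_config.mode == 0o644
+    assert "(electric-indent-mode -1)" in emacs_config.content
+
+
+def test_os_groups(Group):
+    """
+    Tests if user-supplied system groups have been created correctly.
+    """
+
+    group1 = Group('group1')
+    assert group1.gid == 1001
+
+    group2 = Group('group2')
+    assert group2.gid == 3001
+
+    group3 = Group('group3')
+    assert group3.gid == 3002
+
+    user1_group = Group('user1')
+    assert user1_group.gid == 3003
+
+    user2_group = Group('user2')
+    assert user2_group.gid == 2001
+
+    user3_group = Group('user3')
+    assert user3_group.gid == 2002
+
+
+def test_os_users(File, Sudo, User):
+    """
+    Tests if user-supplied system users have been created correctly.
+    """
+
+    with Sudo():
+        user1 = User('user1')
+        assert user1.uid == 1001
+        assert user1.group == 'user1'
+        assert user1.groups == ['user1']
+        assert user1.shell == '/bin/bash'
+        assert user1.password == '!'
+
+        user1_authorized_keys = File(os.path.join(user1.home, '.ssh', 'authorized_keys'))
+        assert not user1_authorized_keys.exists
+
+        user2 = User('user2')
+        assert user2.uid == 2001
+        assert user2.group == 'user2'
+        assert sorted(user2.groups) == sorted(['group1', 'group2', 'user2'])
+        assert user2.shell == '/bin/bash'
+        assert user2.password == '$6$wdXOQiMe09ugh0$VRIph2XA2QQyEYlAlH7zT4TPACDUalf/4FKpqG9JRHfKxANTcTug2ANCt450htcs0LikJfHLWofLP54jraFU61'
+
+        user2_authorized_keys = File(os.path.join(user2.home, '.ssh', 'authorized_keys'))
+        assert open('tests/data/ssh/clientkey1.pub', 'r').read().strip() in user2_authorized_keys.content
+        assert open('tests/data/ssh/clientkey2.pub', 'r').read().strip() in user2_authorized_keys.content
+
+        user3 = User('user3')
+        assert user3.uid == 2002
+        assert user3.group == 'user3'
+        assert sorted(user3.groups) == sorted(['group3', 'user3'])
+        assert user3.shell == '/bin/bash'
+        assert user3.password == '$6$nmx.21uLqT$9LrUqNUgUwIM.l0KFKgr2.kDEwe2lo7IbBIhnG70AGW7GTFdWBUFnGAxH15YxikTXhDJD/uxd.NNgojEOjRvx1'
+
+        user3_authorized_keys = File(os.path.join(user3.home, '.ssh', 'authorized_keys'))
+        assert open('tests/data/ssh/clientkey3.pub', 'r').read().strip() in user3_authorized_keys.content
+
+
+def test_authorized_keys_login():
+    """
+    Tests if authorized SSH keys for user-provided system users have been set-up
+    correctly.
+    """
+
+    client = paramiko.client.SSHClient()
+    client.set_missing_host_key_policy(paramiko.client.WarningPolicy())
+
+    # No exception will be raised if connection is successful.
+    client.connect("10.31.127.4", username="user2", allow_agent=False, look_for_keys=False, key_filename='tests/data/ssh/clientkey1')
+    client.connect("10.31.127.4", username="user2", allow_agent=False, look_for_keys=False, key_filename='tests/data/ssh/clientkey2')
+    client.connect("10.31.127.4", username="user3", allow_agent=False, look_for_keys=False, key_filename='tests/data/ssh/clientkey3')
+
+
+def test_ca_certificates(File):
+    """
+    Tests if CA certificates have been correctly deployed to the system.
+    """
+
+    ca1_cert = File('/usr/local/share/ca-certificates/cacert1.crt')
+    assert ca1_cert.is_file
+    assert ca1_cert.user == 'root'
+    assert ca1_cert.group == 'root'
+    assert ca1_cert.mode == 0o644
+
+    ca1_cert_symlink = File('/etc/ssl/certs/cacert1.pem')
+    assert ca1_cert_symlink.is_symlink
+    assert ca1_cert_symlink.linked_to == '/usr/local/share/ca-certificates/cacert1.crt'
+
+    ca1_cert_hash_1 = File('/etc/ssl/certs/3ce70b58.1')
+    assert ca1_cert_hash_1.is_symlink
+    assert ca1_cert_hash_1.linked_to == '/usr/local/share/ca-certificates/cacert1.crt'
+
+    ca1_cert_hash_2 = File('/etc/ssl/certs/49f72a44.1')
+    assert ca1_cert_hash_2.is_symlink
+    assert ca1_cert_hash_2.linked_to == '/usr/local/share/ca-certificates/cacert1.crt'
+
+    ca2_cert = File('/usr/local/share/ca-certificates/cacert2.crt')
+    assert ca2_cert.is_file
+    assert ca2_cert.user == 'root'
+    assert ca2_cert.group == 'root'
+    assert ca2_cert.mode == 0o644
+
+    ca2_cert_symlink = File('/etc/ssl/certs/cacert2.pem')
+    assert ca2_cert_symlink.is_symlink
+    assert ca2_cert_symlink.linked_to == '/usr/local/share/ca-certificates/cacert2.crt'
+
+    ca2_cert_hash_1 = File('/etc/ssl/certs/3ce70b58.0')
+    assert ca2_cert_hash_1.is_symlink
+    assert ca2_cert_hash_1.linked_to == '/usr/local/share/ca-certificates/cacert2.crt'
+
+    ca2_cert_hash_2 = File('/etc/ssl/certs/49f72a44.0')
+    assert ca2_cert_hash_2.is_symlink
+    assert ca2_cert_hash_2.linked_to == '/usr/local/share/ca-certificates/cacert2.crt'
+
+
+def test_ferm_base_rules(Command, File, Sudo):
+    """
+    Tests if base ferm configuration has been deployed correctly with proper
+    user-provided rate-limiting.
+    """
+
+    with Sudo():
+        ferm_base = File('/etc/ferm/conf.d/00-base.conf')
+
+        assert "mod hashlimit hashlimit 5/second hashlimit-burst 5" in ferm_base.content
+
+        iptables = Command('iptables-save')
+
+        assert iptables.rc == 0
+        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
+        assert "-A flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
+
+        ip6tables = Command('ip6tables-save')
+        assert ip6tables.rc == 0
+        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
+        assert "-A flood -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 5 " \
+            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in ip6tables.stdout
+
+
+def test_pipreqcheck_virtualenv_user(Group, User):
+    """
+    Tests if group and user for running pip requirements upgrade checks have
+    been created correctly with user-provided uid/gid.
+    """
+
+    group = Group('pipreqcheck')
+    assert group.exists
+    assert group.gid == 2500
+
+    user = User('pipreqcheck')
+    assert user.exists
+    assert user.home == '/var/lib/pipreqcheck'
+    assert user.uid == 2500
+    assert user.group == 'pipreqcheck'
+    assert user.groups == ['pipreqcheck']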
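Review bot: `test_authorized_keys_login` only proves that the provisioned keys are accepted; nothing checks that a key is rejected for an account it was not provisioned for, so a role bug that installed every key into every account (or left `user1`, whose password is asserted locked and whose `authorized_keys` is asserted absent, reachable) would not be caught. Add a negative case with `import pytest`, e.g. `with pytest.raises(paramiko.AuthenticationException):` / `client.connect("10.31.127.4", username="user2", allow_agent=False, look_for_keys=False, key_filename='tests/data/ssh/clientkey3')`, and call `client.close()` between the successive connects, since each `connect` on the same `SSHClient` opens a fresh transport. `test_ssh_login_mechanisms` has the same gap as its sibling in test_parameters_mandatory.py: if `auth_none('')` succeeds no exception is raised and the test passes, so an `else:` branch that fails the test is needed. The IPv6 block in `test_ferm_base_rules` re-asserts the IPv4 ICMP rule against `iptables.stdout`; presumably the TCP SYN rule against `ip6tables.stdout` was intended. `WarningPolicy` means no host-key pinning for the test client, which is acceptable on the private test network but deserves a one-line comment saying so.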