ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"

---

- name: Create

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Create molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        instance_interfaces: "{{ item.interfaces | default(omit) }}"

        instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}"

        platform_box: "{{ item.box }}"

        platform_box_version: "{{ item.box_version | default(omit) }}"

        platform_box_url: "{{ item.box_url | default(omit) }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        provider_memory: "{{ item.memory | default(omit) }}"

        provider_cpus: "{{ item.cpus | default(omit) }}"

        provider_raw_config_args: "{{ item.raw_config_args | default(omit) }}"

        state: up

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config dict

      set_fact:

        instance_conf_dict: {

          'instance': "{{ item.Host }}",

          'address': "{{ item.HostName }}",

          'user': "{{ item.User }}",

          'port': "{{ item.Port }}",

          'identity_file': "{{ item.IdentityFile }}", }

      with_items: "{{ server.results }}"

      register: instance_config_dict

      when: server.changed | bool

    - name: Convert instance config dict to a list

      set_fact:

        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"

      when: server.changed | bool

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

- name: Destroy

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env',' MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Destroy molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        platform_box: "{{ item.box }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        force_stop: "{{ item.force_stop | default(True) }}"

        state: destroy

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config

      set_fact:

        instance_conf: {}

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

dependency: {}

driver:

  name: vagrant

  provider:

    name: virtualbox

lint:

  name: yamllint

platforms:

  - name: client

    box: debian/contrib-jessie64

    memory: 512

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.10

        network_name: private_network

        type: static

  - name: parameters-mandatory-jessie64.local

    groups:

      - parameters-mandatory

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.20

        network_name: private_network

        type: static

  - name: parameters-optional-jessie64

    groups:

      - parameters-optional

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.21

        network_name: private_network

        type: static

provisioner:

  name: ansible

  config_options:

    ssh_connection:

      pipelining: "True"

  lint:

    name: ansible-lint

scenario:

  name: default

verifier:

  name: testinfra

  lint:

    name: flake8

- hosts: parameters-mandatory

  become: yes

  become: yes

        - server: localhost

  become: yes

      backup_client_username: "bak-localhost"

---

- name: Prepare

  hosts: all

  gather_facts: False

  tasks:

    - name: Install python for Ansible

      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)

      become: True

      changed_when: False

- hosts: all

  become: yes

  tasks:

    - name: Update all caches to avoid errors due to missing remote archives

      apt:

        update_cache: yes

      changed_when: False

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca.cert.pem

        dest: /etc/ssl/certs/testca.cert.pem

        owner: root

        group: root

        mode: 0644

- hosts: client

  become: yes

  tasks:

    - name: Install tool for teting TCP connectivity

      apt:

        name: hping3

        state: installed

- hosts: parameters-optional

  become: yes

  tasks:

    - name: Set-up the hosts file

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        127.0.2.1: parameters-optional

- hosts: parameters-mandatory

  become: yes

  tasks:

    - name: Set-up the hosts file

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        127.0.2.1: parameters-mandatory.local

    '.molecule/ansible_inventory.yml').get_hosts('parameters-optional')

def test_database_dump_directory(host):

    with host.sudo():

        directory = host.file('/srv/backup')

def test_database_dump_script(host):

    with host.sudo():

        script = host.file('/etc/duply/main/pre.d/ldapdump.sh')

def test_backup(host):

    with host.sudo():

        host.run("rm -rf /root/restore")

        backup_run = host.run('duply main backup')

        database_dump = host.file('/srv/backup/slapd.bak')

        restore_run = host.run('duply main restore /root/restore')

        restored_database_dump = host.file('/root/restore/srv/backup/slapd.bak')

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    '.molecule/ansible_inventory.yml').get_hosts('client')

def test_connectivity(host):

    with host.sudo():

        ping = host.run('hping3 -S -p 389 -c 1 10.31.127.20')

        assert ping.rc == 0

        ping = host.run('hping3 -S -p 636 -c 1 10.31.127.20')

        assert ping.rc == 0

        ping = host.run('hping3 -S -p 389 -c 1 10.31.127.21')

        assert ping.rc == 0

        ping = host.run('hping3 -S -p 636 -c 1 10.31.127.21')

        assert ping.rc == 0

    '.molecule/ansible_inventory.yml').get_hosts('all')

def test_installed_packages(host):

    assert host.package('slapd').is_installed

    assert host.package('python-ldap').is_installed

def test_ldap_user_group(host):

    assert "ssl-cert" in host.user('openldap').groups

def test_ldap_server_service_sockets_and_ports(host):

    assert host.socket('tcp://389').is_listening

    assert host.socket('tcp://636').is_listening

    assert host.socket('unix:///var/run/slapd/ldapi').is_listening

def test_ldap_server_service(host):

    service = host.service('slapd')

def test_syslog_configuration(host):

    config = host.file('/etc/rsyslog.d/slapd.conf')

    with host.sudo():

        log = host.file('/var/log/slapd.log')

def test_log_rotation_configuration(host):

    config = host.file('/etc/logrotate.d/slapd')

    with host.sudo():

        assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0

def test_misc_schema_presence(host):

    with host.sudo():

        misc_schema = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')

def test_memberof_module(host):

    with host.sudo():

        memberof = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')

def test_basic_directory_structure(host):

    with host.sudo():

            entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=%s,dc=local' % ou)

def test_mail_service_entries(host):

    with host.sudo():

        entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=mail,ou=services,dc=local')

        entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=domains,ou=mail,ou=services,dc=local')

        entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=aliases,ou=mail,ou=services,dc=local')

def test_firewall_configuration_file(host):

    with host.sudo():

        config = host.file('/etc/ferm/conf.d/10-ldap.conf')

def test_admin_password(host):

    login = host.run("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local")

def test_temporary_admin_password_file_not_present(host):

    with host.sudo():

        assert not host.file('/root/.ldap_admin_password').exists

    '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory')

def test_base_entry(host):

    with host.sudo():

        base_dn = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")

def test_log_level(host):

    with host.sudo():

        log_level = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')

def test_ldap_tls_private_key_file(host):

    with host.sudo():

        inventory_hostname = "parameters-mandatory-jessie64.local"

        key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname)

        assert key.content == open('tests/data/x509/%s_ldap.key' % inventory_hostname).read().rstrip()

def test_ldap_tls_certificate_file(host):

    with host.sudo():

        inventory_hostname = "parameters-mandatory-jessie64.local"

        cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname)

        assert cert.content == open('tests/data/x509/%s_ldap.pem' % inventory_hostname).read().rstrip()

def test_certificate_validity_check_configuration(host):

    inventory_hostname = "parameters-mandatory-jessie64.local"

    config = host.file('/etc/check_certificate/%s_ldap.conf' % inventory_hostname)

    assert config.content == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname

def test_tls_configuration(host):

    starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/')