- common

---

- name: Create

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Create molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        instance_interfaces: "{{ item.interfaces | default(omit) }}"

        instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}"

        platform_box: "{{ item.box }}"

        platform_box_version: "{{ item.box_version | default(omit) }}"

        platform_box_url: "{{ item.box_url | default(omit) }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        provider_memory: "{{ item.memory | default(omit) }}"

        provider_cpus: "{{ item.cpus | default(omit) }}"

        provider_raw_config_args: "{{ item.raw_config_args | default(omit) }}"

        state: up

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config dict

      set_fact:

        instance_conf_dict: {

          'instance': "{{ item.Host }}",

          'address': "{{ item.HostName }}",

          'user': "{{ item.User }}",

          'port': "{{ item.Port }}",

          'identity_file': "{{ item.IdentityFile }}", }

      with_items: "{{ server.results }}"

      register: instance_config_dict

      when: server.changed | bool

    - name: Convert instance config dict to a list

      set_fact:

        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"

      when: server.changed | bool

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

- name: Destroy

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env',' MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Destroy molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        platform_box: "{{ item.box }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        force_stop: "{{ item.force_stop | default(True) }}"

        state: destroy

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config

      set_fact:

        instance_conf: {}

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

dependency: {}

driver:

  name: vagrant

  provider:

    name: virtualbox

lint:

  name: yamllint

platforms:

  - name: client1

    groups:

      - client

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.20

        network_name: private_network

        type: static

  - name: parameters-mandatory-jessie64

    groups:

      - parameters-mandatory

    box: debian/contrib-jessie64

    memory: 512

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.30

        network_name: private_network

        type: static

  - name: parameters-optional-jessie64

    groups:

      - parameters-optional

    box: debian/contrib-jessie64

    memory: 512

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.31

        network_name: private_network

        type: static

provisioner:

  name: ansible

  config_options:

    ssh_connection:

      pipelining: "True"

  lint:

    name: ansible-lint

scenario:

  name: default

verifier:

  name: testinfra

  lint:

    name: flake8

---

- hosts: parameters-mandatory

  become: yes

  roles:

    - role: web_server

      # common

      ca_certificates:

        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

      # Common parameters (general, not role).

      tls_certificate_dir: tests/data/x509/

      tls_private_key_dir: tests/data/x509/

- hosts: parameters-optional

  become: yes

  roles:

    - role: web_server

      default_enforce_https: no

      default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_https.cert.pem') }}"

      default_https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_https.key.pem') }}"

      web_default_title: "Optional Welcome"

      web_default_message: "Welcome to parameters-optional, default virtual host."

      web_server_tls_protocols:

        - TLSv1.1

        - TLSv1.2

      web_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"

      # common

      ca_certificates:

        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

---

- name: Prepare

  hosts: all

  gather_facts: False

  tasks:

    - name: Install python for Ansible

      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)

      become: True

      changed_when: False

- hosts: all

  become: yes

  tasks:

    - name: Update all caches to avoid errors due to missing remote archives

      apt:

        update_cache: yes

      changed_when: False

- hosts: all

  become: yes

  tasks:

    - name: Set-up the hosts file

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        10.31.127.20: "client1"

        10.31.127.30: "parameters-mandatory parameters-mandatory-jessie64"

        10.31.127.31: "parameters-optional parameters-optional-jessie64"

    - name: Install curl for testing redirects and webpage content

      apt:

        name: curl

        state: installed

- hosts: client1

  become: yes

  tasks:

    - name: Install tool for testing TCP connectivity

      apt:

        name: hping3

        state: installed

    - name: Install console-based web browser for interactive testing

      apt:

        name: lynx

        state: installed

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

        group: root

        mode: 0644

      notify:

        - Update CA certificate cache

  handlers:

    - name: Update CA certificate cache

      command: /usr/sbin/update-ca-certificates --fresh

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    '.molecule/ansible_inventory.yml').get_hosts('client1')

def test_connectivity(host):

    """

    Tests connectivity to the web server (ports that should be reachable).

    """

    with host.sudo():

        for server in ["parameters-mandatory-jessie64",

                       "parameters-optional-jessie64"]:

            # HTTP, HTTPS.

            for port in [80, 443]:

                ping = host.run('hping3 -S -p %d -c 1 %s' % (port, server))

                assert ping.rc == 0

    '.molecule/ansible_inventory.yml').get_hosts(['parameters-mandatory', 'parameters-optional'])

def test_installed_packages(host):

    assert host.package('nginx').is_installed

    assert host.package('virtualenv').is_installed

    assert host.package('virtualenvwrapper').is_installed

    assert host.package('php5-fpm').is_installed

def test_nginx_user(host):

    assert 'ssl-cert' in host.user('www-data').groups

def test_default_tls_configuration_removed(host):

    assert 'ssl_protocols' not in host.file('/etc/nginx/nginx.conf').content

def test_nginx_configuration_verification_script(host):

    script = host.file('/usr/local/bin/nginx_verify_site.sh')

def test_tls_configuration_file(host):

    config = host.file('/etc/nginx/conf.d/tls.conf')

def test_default_vhost_file(host):

    config = host.file('/etc/nginx/sites-available/default')

def test_default_website_enabled(host):

    config = host.file('/etc/nginx/sites-enabled/default')

def test_firewall_configuration_file(host):

    with host.sudo():

        config = host.file('/etc/ferm/conf.d/30-web.conf')

def test_default_debian_index_removed(host):

    with host.sudo():

        assert not host.file('/var/www/html').exists

def test_default_vhost_root_directory(host):

    directory = host.file('/var/www/default')

def test_default_vhost_index_page_file(host):

    with host.sudo():

        page = host.file('/var/www/default/index.html')

def test_services(host):

    service = host.service('nginx')

    service = host.service('php5-fpm')

def test_sockets(host):

    assert host.socket("tcp://80").is_listening

    assert host.socket("tcp://443").is_listening

def test_socket_directories(host):

    directory = host.file('/run/wsgi')

    directory = host.file('/run/php5-fpm')

    config = host.file('/etc/tmpfiles.d/wsgi.conf')

    config = host.file('/etc/tmpfiles.d/php5-fpm.conf')

def test_php5_fpm_service_overrides(host):

    directory = host.file('/etc/systemd/system/php5-fpm.service.d')

    config = host.file('/etc/systemd/system/php5-fpm.service.d/umask.conf')

def test_php_timezone_configuration(host):

    config = host.file('/etc/php5/cli/conf.d/30-timezone.ini')

    config = host.file('/etc/php5/fpm/conf.d/30-timezone.ini')

    timezone = host.run("php --php-ini /etc/php5/cli/php.ini -r 'echo ini_get(\"date.timezone\");'")

    timezone = host.run("php --php-ini /etc/php5/fpm/php.ini -r 'echo ini_get(\"date.timezone\");'")

    '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory')

def test_nginx_tls_files(host):

    hostname = host.run('hostname').stdout

    with host.sudo():

        tls_file = host.file('/etc/ssl/private/%s_https.key' % hostname)

        assert tls_file.content == open("tests/data/x509/%s_https.key" % hostname, "r").read().rstrip()

        tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname)

        assert tls_file.content == open("tests/data/x509/%s_https.pem" % hostname, "r").read().rstrip()

def test_certificate_validity_check_configuration(host):

    hostname = host.run('hostname').stdout

    config = host.file('/etc/check_certificate/%s_https.conf' % hostname)

    assert config.content == "/etc/ssl/certs/%s_https.pem" % hostname

def test_tls_configuration(host):

    tls = host.run('wget -q -O - https://parameters-mandatory/')

    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443")

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443")

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443")

def test_https_enforcement(host):

    https_enforcement = host.run('curl -I http://parameters-mandatory/')

    https_enforcement = host.run('curl -I https://parameters-mandatory/')

def test_default_vhost_index_page(host):

    page = host.run('curl https://parameters-mandatory/')

    '.molecule/ansible_inventory.yml').get_hosts('parameters-optional')

def test_nginx_tls_files(host):

    hostname = host.run('hostname').stdout

    with host.sudo():

        tls_file = host.file('/etc/ssl/private/%s_https.key' % hostname)

        tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname)

def test_certificate_validity_check_configuration(host):

    hostname = host.run('hostname').stdout

    config = host.file('/etc/check_certificate/%s_https.conf' % hostname)

    assert config.content == "/etc/ssl/certs/%s_https.pem" % hostname

def test_tls_configuration(host):

    tls = host.run('wget -q -O - https://parameters-optional/')

    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_1 -no_tls1_2 -connect parameters-optional:443")

    newer_tls_versions_enabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:443")

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:443")

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:443")

def test_https_enforcement(host):

    https_enforcement = host.run('curl -I http://parameters-optional/')