to *

      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage

      by * break

    - >

      to attrs=userPassword,shadowLastChange

      by self write

      by anonymous auth

      by dn="cn=admin,BASEDN" write

      by * none

    - >

      to dn.base=""

      by * read

    - >

      to *

      by self write

      by dn="cn=admin,BASEDN" write

      by * none

**ldap_server_consumers** (list, optional, ``[]``)

  List of items describing additional login entries that should be created for

  services that want to be able to log-in into the LDAP server and consume the

  data present within. Each item should be a dictionary, with the following keys

  avaialable:

  - **name** (name of the service, mandatory, this will be used to construct the

    login entry DN in format of ``cn=NAME,ou=services,BASE_DN``)

  - **password** (password for the login entry, mandatory)

  - **state** (state of the service, optional, defaults to ``present``, this

    should be ``present`` or ``absent``, allowing for removal of old services)

**ldap_server_groups** (list, optional, ``[]``)

  List of groups that should be created in the LDAP directory. Each item should

  be a dictionary containing the following keys:

  - **name** (name of the group, mandatory, this will be used to construct the

    group DN in format of ``cn=NAME,ou=groups,BASE_DN``)

  - **state** (state of the group, optional, defaults to ``present``, this

    should be ``present`` or ``absent``, allowing for removal of old groups)

**ldap_server_domain** (string, mandatory)

  Domain that should be used for constructing the base DN of default user LDAP

  database. This should be a sub-domain dedicated to organisation. The base DN

  will be constructed by putting all elements of the sub-domain as ``dc``

  entries (as per standard Debian convention). E.g. ``example.com`` would get

  transformed into ``dc=example,dc=com``.

**ldap_server_organization** (string, optional, ``Private``)

  Organization that should be specified in the base DN entry.

**ldap_server_log_level** (string, optional, ``256``)

  Log level to use for the server. This should be compatible with OpenLDAP

  configuration option ``olcLogLevel``. See `OpenLDAP Administrator's Guide

  <http://www.openldap.org/doc/admin24/slapdconf2.html#cn=config>` for value

  description and syntax.

**ldap_server_tls_certificate** (string, mandatory)

  X.509 certificate used for TLS for LDAP service. The file will be stored in

  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_ldap.pem``.

**ldap_server_tls_key** (string, mandatory)

  Private key used for TLS for LDAP service. The file will be stored in

  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_ldap.key``.

**ldap_server_ssf** (number, optional, ``128``)

  Minimum *Security Strength Factor* to require from all incoming

  connections. This applies for both remote and local connections.

**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+SHA512:+AEAD:+AES-128-GCM:+AES-256-GCM:+CHACHA20-POLY1305:+CURVE-ALL``)

  .. warning::

     Under Debian Bullseye and upwards, slapd does not use the DH

     parameters generated by the role, but instead uses them to pick

     one of the recommended DH parameters from `RFC-7919

     <https://www.ietf.org/rfc/rfc7919.txt>`_. This is based on the

     size of role-generated parameters.

  TLS ciphers to enable on the LDAP server. This should be a

  GnuTLS-compatible cipher specification that should also include what

  TLS protocol versions should be used. Value should be compatible

  with OpenLDAP server option ``olcTLSCipherSuite``. Default value

  allows TLSv1.2/TLSv1.3 with strong PFS ciphers and RSA private keys.

Distribution compatibility

~~~~~~~~~~~~~~~~~~~~~~~~~~

Role is compatible with the following distributions:

- Debian 12 (Bookworm)

Examples

~~~~~~~~

Here is an example configuration for setting-up LDAP server:

.. code-block:: yaml

  ---

  ldap_server_domain: "example.com"

  ldap_server_organization: "Example Corporation"

  ldap_server_log_level: 256

  ldap_server_tls_certificate: "{{ lookup('file', '~/tls/ldap.example.com_ldap.pem') }}"

  ldap_server_tls_key: "{{ lookup('file', '~/tls/ldap.example.com_ldap.key') }}"

  ldap_server_ssf: 128

  ldap_permissions:

    - >

      to *

      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage

      by * break

    - >

      to attrs=userPassword,shadowLastChange

      by self write

      by anonymous auth

      by dn="cn=admin,dc=example,dc=com" write

      by * none

    - >

      to dn.base=""

      by * read

    - >

      to *

      by self write

      by dn="cn=admin,dc=example,dc=com" write

      by users read

      by * none

  ldap_entries:

    - dn: ou=people,dc=example,dc=com

      attributes:

        objectClass: organizationalUnit

        ou: people

    - dn: ou=groups,dc=example,dc=com

      attributes:

        objectClass: organizationalUnit

        ou: groups

    - dn: uid=john,dc=example,dc=com

      attributes:

        objectClass:

          - inetOrgPerson

          - simpleSecurityObject

        userPassword: somepassword

        uid: john

        cn: John Doe

        sn: Doe

XMPP Server

-----------

The ``xmpp_server`` role can be used for setting-up Prosody, an XMPP server, on

destination machine.

The role implements the following:

* Deploys XMPP TLS private key and certificate.

  .. warning::

     The issued certificate must have multiple FQDNs listed as subject

     alternative names (DNS names) for each configured domain:

     - domain itself

     - ``conference.DOMAIN``

     - ``proxy.DOMAIN``

     A daily cron job is run to validate that all certificates have

     been configured and issued correctly.

* Installs Prosody.

* Configures Prosody.

* Configures firewall to allow incoming connections to the XMPP server.

Prosody is configured as follows:

* Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,

  version, uptime, time, ping, pep, register, admin_adhoc, announce,

  legacyauth, carbons, mam.

* Self-registration is not allowed.

* TLS is configured. Legacy TLS is available on port 5223.

* Client-to-server communication requires encryption (TLS).

* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for

  incoming connections.

* Configures TLS versions and ciphers supported by Prosody (for

  *c2s*/client connections only).

* Authentication is done via LDAP. For setting the LDAP TLS truststore, see

  :ref:`LDAP Client <ldap_client>`.

* Internal storage is used.

* For each domain specified, a dedicated conference/multi-user chat (MUC)

  service is set-up, with FQDN set to ``conference.DOMAIN``.

* For each domain specified, a dedicated file proxy service will be set-up, with

  FQDN set to ``proxy.DOMAIN``.

Prosody expects a specific directory structure in LDAP when doing look-ups:

* Prosody will log-in to LDAP as user

  ``cn=prosody,ou=services,XMPP_LDAP_BASE_DN``.

* User entries are read from sub-tree (first-level only)

  ``ou=people,XMPP_LDAP_BASE_DN``. Query filter used for finding users is

  ``(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,XMPP_LDAP_BASE_DN))``. This

  allows group-based granting of XMPP service to users.

LDIF Templates

~~~~~~~~~~~~~~

For adding user to a group, use::

  dn: cn=xmpp,ou=groups,BASE_DN

  changetype: modify

  add: uniqueMember

  uniqueMember: uid=USERNAME,ou=people,BASE_DN

Role dependencies

~~~~~~~~~~~~~~~~~

Depends on the following roles:

* **common**

* **backup_client**

Backups

~~~~~~~

If the backup for this role has been enabled, the following paths are backed-up:

**/var/lib/prosody/**

  Roster information, as well as undelivered (offline) messages for all XMPP

  users. Keep in mind that list of available users and their credentials are

  stored in the LDAP directory (which is backed-up via LDAP server role).

Parameters

~~~~~~~~~~

**xmpp_administrators** (list, mandatory)

  List of Prosody users that should be granted administrator privileges over

  Prosody. Each item is a string with value equal to XMPP user ID

  (i.e. ``john.doe@example.com``).

**xmpp_domains** (list, mandatory)

  List of domains that are served by this Prosody instance. Each item is a

  string specifying a domain.

**xmpp_ldap_base_dn** (string, mandatory)

  Base DN on the LDAP server. A specific directory structure is expected under

  this entry (as explained above) in order to locate the available domains,

  users, aliases etc.

**xmpp_ldap_password** (string, mandatory)

  Password used for authenticating to the LDAP server.

**xmpp_ldap_server** (string, mandatory)

  Fully qualified domain name, hostname, or IP address of the LDAP server used

  for user authentication and listing.

**xmpp_server_archive_expiration** (string, optional, ``never``)

  Expiration period for messages stored server-side using `XEP-0313:

  Message Archive Management

  <https://xmpp.org/extensions/xep-0313.html>`_. The value should be

  compatible with `Prosody mod_mam

  <https://prosody.im/doc/modules/mod_mam>`_ configuration option

  ``archive_expires_after``.

**xmpp_server_tls_ciphers** (string, optional,  ``DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!aNULL:!MD5:!EXPORT``)

  TLS ciphers to enable on the XMPP server. This should be an

  OpenSSL-compatible cipher specification. Value should be compatible

  with Prosody's option ``ciphers`` normally defined within the

  ``ssl`` section of configuration file (see `official documentation

  <https://prosody.im/doc/advanced_ssl_config#ciphers>`_ for details).

  Default value enables TLSv1.2-compatible strong PFS ciphers and RSA

  private keys. TLSv1.3-specific ciphers (``TLS_*``)

  are not configurable due to OpenSSL TLS context initialisation

  specifics/implementation details. They are included here for

  documentation/reference purposes only.

  .. warning::

     If the mail server minimum TLS version is set to TLSv1.3, it is

     still necessary to include at least one TLSv1.2-compatible cipher

     in the list in order to ensure TLSv1.3 initialisation. This is

     due to specifics of OpenSSL context initialisation/internals.

  The server-to-server communications are not affected by this

  configuration in order to ensure the widest possible compatibility

  with 3rd-party servers.

**xmpp_server_tls_protocol** (string, optional, ``tlsv1_2+``)

  TLS protocol versions the XMPP server should enable for client

  connections. The value specified should be compatible with Prosody's

  ``protocol`` option normally defined within the ``ssl`` section of

  configuration file (see `official documentation

  <https://prosody.im/doc/advanced_ssl_config#protocol>`__ for

  details). Older versions of TLS protocol (TLSv1.1 and lower) are not

  fully supported by the role, and additional configuration is

  required on the server that weakens the OpenSSL security policies in

  order to enable them.

  The server-to-server communications are not affected by this

  configuration in order to ensure the widest possible compatibility

  with 3rd-party servers.

**xmpp_tls_certificate** (string, mandatory)

  X.509 certificate used for TLS for XMPP service. The file will be stored in

  directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``.

**xmpp_tls_key** (string, mandatory)

  Private key used for TLS for XMPP service. The file will be stored in

  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``.

Distribution compatibility

~~~~~~~~~~~~~~~~~~~~~~~~~~

Role is compatible with the following distributions:

- Debian 12 (Bookworm)

Examples

~~~~~~~~

Here is an example configuration for setting-up XMPP server using Prosody:

.. code-block:: yaml

  ---

  xmpp_administrators:

    - john.doe@example.com

  xmpp_domains:

    - example.com

  xmpp_ldap_base_dn: dc=example,dc=com

  xmpp_ldap_password: xmpp

  xmpp_ldap_server: ldap.example.com

  # These are default key and certificate that generated during Prosody

  # installation. Possibly you want to deploy your own.

  xmpp_tls_key: "{{ lookup('file', '/etc/prosody/certs/localhost.key') }}"

  xmpp_tls_certificate: "{{ lookup('file', '/etc/prosody/certs/localhost.crt') }}"

Mail Server

-----------

.. warning::

   It may happen that the ``clamav-freshclam`` service hasn't finished

   downloading the virus database before the ``clamav-daemon`` and

   ``clamav-milter`` services are enabled during the initial run. If mail server

   is not operational, you may need to wait for a little while for download to

   finish, and then restart the ``clamav-daemon`` and ``clamav-milter``

   services.

The ``mail_server`` role can be used for setting-up a complete mail server

solution, which includes both SMTP and IMAP service, on destination machine.

Postfix is used SMTP, while Dovecot is used for IMAP.

The role implements the following:

* Installs rsync.

* Deploys IMAP/SMTP TLS private keys and certificates.

* Installs and configures Dovecot, Postfix, ClamAV, and ClamAV Milter.

* Purges Exim4 configuration (just in case).

* Sets-up aliases for the local recipients.

* Installs SWAKS (utility for testing SMTP servers).

* Sets-up the necessary directories and files under Postfix chroot.

* Configures firewall to allow incoming connections to the mail server. This

  includes set-up of redirection from TCP port 26 to TCP port 587 (alternate

  submission port), as well as redirection from TCP port 27 to TCP port 25

  (alternate SMTP port), useful as workaround for ISP/hotel blocks.

Deployed services are configured as follows:

* Both Postfix and Dovecot look-up available domains, users, and aliases in

  LDAP.

* Incoming and outgoing mail is scanned with ClamAV (via ClamAV

  Milter). Infected mails are rejected.

* Mail is stored in directory ``/var/MAIL_USER/DOMAIN/USER``, using ``Maildir``

  format.

* TLS is required for user log-ins for both SMTP and IMAP.

* Uses 2048-bit Diffie-Hellman parameters for relevant TLS ciphers for

  incoming connections.

* For user submission (SMTP), users must connect and authenticate over TCP

  port 587.

* Configures TLS versions and ciphers supported by Dovecot.

* Configures TLS versions and ciphers supported by Postfix on submission port

  (587). TLS configuration on port 25 is kept intact in order to maintain maximum

  interoperability with other servers.

* RBL's are used for combating spam (if any is specified in configuration, see

  below).

* Postfix is configured to deliver undeliverable bounces to postmaster. This

  helps with detecting misconfigured applications and servers.

* Postfix is configured to prevent forging of sender addresses for

  logged-in users. Logged-in users can use either their own e-mail as

  sender, or one of the aliases associated with their e-mail.

Both Postfix and Dovecot expect a specific directory structure in LDAP when

doing look-ups:

* Postfix will log-in to LDAP as user

  ``cn=postfix,ou=services,MAIL_LDAP_BASE_DN``.

* Dovecot will log-in to LDAP as user

  ``cn=dovecot,ou=services,MAIL_LDAP_BASE_DN``.

* Domain entries need to be available as

  ``dc=DOMAIN,ou=domains,ou=mail,ou=services,MAIL_LDAP_BASE_DN``.

* Alias entries need to be available as

  ``cn=ALIAS,ou=aliases,ou=mail,ou=services,MAIL_LDAP_BASE_DN``.

* User entries are read from sub-tree (first-level only)

  ``ou=people,MAIL_LDAP_BASE_DN``. Query filter used for finding users is

  ``(&(mail=%s)(memberOf=cn=mail,ou=groups,MAIL_LDAP_BASE_DN))``. This allows

  group-based granting of mail services to users.

LDIF Templates

~~~~~~~~~~~~~~

For adding domains, use::

  dn: dc=DOMAIN,ou=domains,ou=mail,ou=services,BASE_DN

  objectClass: dNSDomain

  dc: DOMAIN

For adding aliases, use::

  dn: cn=ALIAS,ou=aliases,ou=mail,ou=services,BASE_DN

  objectClass: nisMailAlias

  cn: ALIAS

  rfc822MailMember: REALEMAIL

For adding user to a group, use::

  dn: cn=mail,ou=groups,BASE_DN

  changetype: modify

  add: uniqueMember

  uniqueMember: uid=USERNAME,ou=people,BASE_DN

Role dependencies

~~~~~~~~~~~~~~~~~

Depends on the following roles:

* **common**

* **backup_client**

Backups

~~~~~~~

---

enable_backup: false

xmpp_server_archive_expiration: "never"

xmpp_server_tls_protocol: "tlsv1_2+"

# TLS_* ciphers are mandated by the TLSv1.3-related standards and

# cannot be disabled when TLSv1.3 is enabled on the server.

xmpp_server_tls_ciphers: "\

DHE-RSA-AES128-GCM-SHA256:\

DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-CHACHA20-POLY1305:\

ECDHE-RSA-AES128-GCM-SHA256:\

ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-CHACHA20-POLY1305:\

TLS_AES_128_GCM_SHA256:\

TLS_AES_256_GCM_SHA384:\

TLS_CHACHA20_POLY1305_SHA256:\

!aNULL:!MD5:!EXPORT"

---

xmpp_administrators:

  - jane.doe@domain2

  - mick.doe@domain3

xmpp_domains:

  - domain2

  - domain3

xmpp_ldap_base_dn: dc=local

xmpp_ldap_password: prosodypassword

xmpp_ldap_server: ldap-server

xmpp_server_archive_expiration: "1w"

xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_xmpp.cert.pem') }}"

xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ ansible_fqdn }}_xmpp.key.pem') }}"

xmpp_server_tls_protocol: "tlsv1_3+"

# At least one non-TLSv1.3 cipher has to be included in order to

# ensure TLSv1.3 gets initialised. TLSv1.3 ciphers (TLS_*) are not

# configurable and listed for documentation/reference purposes.

xmpp_server_tls_ciphers: "\

ECDHE-RSA-CHACHA20-POLY1305:\

TLS_AES_128_GCM_SHA256:\

TLS_AES_256_GCM_SHA384:\

TLS_CHACHA20_POLY1305_SHA256:\

!aNULL:!MD5:!EXPORT"

# common

ca_certificates:

  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

# backup_client

enable_backup: true

backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release }}"

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: backup-server

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional') }}"

import os

import uuid

import pytest

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('clients')

@pytest.mark.parametrize('server', ['parameters-mandatory', 'parameters-optional'])

@pytest.mark.parametrize('port', [5222, 5223, 5000, 5269, 5281])

@pytest.mark.parametrize('ip_protocol', [4, 6])

def test_connectivity(host, server, port, ip_protocol):

    """

    Tests connectivity to the XMPP server (ports that should be reachable).

    """

    with host.sudo():

        scan = host.run('nmap -%s -p %s -oG - %s', str(ip_protocol), str(port), server)

        assert scan.rc == 0

        assert "Ports: %d/open/tcp//" % port in scan.stdout

@pytest.mark.parametrize("username, password, domain", [

    ["john.doe", "johnpassword", "domain1"],

    ["jane.doe", "janepassword", "domain2"],

])

def test_tls(host, username, password, domain):

    """

    Tests if TLS works as expected.

    """

    send = host.run(f"echo 'Hello' | go-sendxmpp --debug "

                    f"--username {username}@{domain} --password {password} --jserver {domain}:5222 "

                    f"{username}@{domain}")

    assert send.rc == 0

    assert "<body>Hello</body>" in send.stderr

    send = host.run(f"echo 'Hello' | go-sendxmpp --debug --tls "

                    f"--username {username}@{domain} --password {password} --jserver {domain}:5223 "

                    f"{username}@{domain}")

    assert send.rc == 0

    assert "<body>Hello</body>" in send.stderr

@pytest.mark.parametrize("username, password, domain", [

    ["john.doe", "johnpassword", "domain1"],

    ["jane.doe", "janepassword", "domain2"],

])

def test_authentication_requires_tls(host, username, password, domain):

    """

    Tests if STARTTLS is required.

    """

    send = host.run(f"echo 'Hello' | go-sendxmpp --debug "

                    f"--username {username}@{domain} --password {password} --jserver {domain}:5222 "

                    f"{username}@{domain}")

    assert send.rc == 0

    assert "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>" in send.stderr

@pytest.mark.parametrize("username, password, domain", [

    ["john.doe", "johnpassword", "domain1"],

    ["jane.doe", "janepassword", "domain2"],

    ["mick.doe", "mickpassword", "domain3"],

])

def test_authentication(host, username, password, domain):

    """

    Tests if authentication works correctly.

    """

    send = host.run(f"echo 'Hello' | go-sendxmpp --debug "

                    f"--username {username}@{domain} --password {password} --jserver {domain}:5222 "

                    f"{username}@{domain}")

    assert send.rc == 0

    send = host.run(f"echo 'Hello' | go-sendxmpp --debug --tls "

                    f"--username {username}@{domain} --password {password} --jserver {domain}:5223 "

                    f"{username}@{domain}")

    assert send.rc == 0

@pytest.mark.parametrize("target_username, target_domain", [

    ["john.doe", "domain1"],

    ["jane.doe", "domain2"],

])

def test_unauthorized_users_rejected(host, target_username, target_domain):

    """

    Tests if unauthorized users (present in LDAP, but not member of correct

    group) are rejected from accessing the XMPP server.

    """

    send = host.run(f"echo 'Hello' | go-sendxmpp --debug "

                    f"--username noxmpp@{target_domain} --password noxmpppassword --jserver {target_domain}:5222 "

                    f"{target_username}@{target_domain}")

    assert send.rc != 0

    assert "Unable to authorize you with the authentication credentials you've sent" in send.stderr

@pytest.mark.parametrize("username, password, domain, server", [

    ["john.doe", "johnpassword", "domain1", "parameters-mandatory"],

    ["jane.doe", "janepassword", "domain2", "parameters-optional"],

    ["mick.doe", "mickpassword", "domain3", "parameters-optional"],

])

@pytest.mark.usefixtures("server_clean_domain_uploads")

def test_http_file_upload(host, server_host, username, password, domain):

    """

    Tests if http file upload works correctly.

    """

    upload_directory_path = f"/var/lib/prosody/upload%2e{domain}/http_file_share"

    # Prepare file for transfer.

    expected_content = str(uuid.uuid4())

    create_sample_file = host.run("echo -n %s > /tmp/http_file_upload_sample.txt", expected_content)

    assert create_sample_file.rc == 0

    # Upload the file.

    send = host.run(f"go-sendxmpp --debug --username {username}@{domain} --password {password} --jserver {domain}:5222 "

                    f"--http-upload /tmp/http_file_upload_sample.txt "

                    f"{username}@{domain}")

    assert send.rc == 0

    assert "No http upload component found." not in send.stderr

    # Verify content on server.

    with server_host.sudo():

        upload_directory = server_host.file(upload_directory_path)

        assert upload_directory.is_directory

        assert upload_directory.user == "prosody"

        assert upload_directory.group == "prosody"

        assert upload_directory.mode == 0o750

        assert len(upload_directory.listdir()) == 1

        uploaded_file_name = upload_directory.listdir()[0]

        uploaded_file = server_host.file(os.path.join(upload_directory_path, uploaded_file_name))

        assert uploaded_file.is_file

        assert uploaded_file.user == "prosody"

        assert uploaded_file.group == "prosody"

        assert uploaded_file.mode == 0o640

        assert uploaded_file.content_string == expected_content

])

@pytest.mark.usefixtures("server_clean_domain_uploads")

    """

    Tests the maximum file size for files uploaded via XEP-0363.

    """

    # Test exact size limit.

    create_sample_file = host.run("dd if=/dev/zero of=/tmp/http_file_upload_sample.txt bs=%sB count=1", str(file_size_limit))

    assert create_sample_file.rc == 0

    send = host.run(f"go-sendxmpp --debug --username {username}@{domain} --password {password} --jserver {domain}:5222 "

                    f"--http-upload /tmp/http_file_upload_sample.txt "

                    f"{username}@{domain}")

    assert "file-too-large" not in send.stderr

    # Test exceeded size limit.

    create_sample_file = host.run("dd if=/dev/zero of=/tmp/http_file_upload_sample.txt bs=%sB count=1", str(file_size_limit + 1))

    assert create_sample_file.rc == 0

    send = host.run(f"go-sendxmpp --debug --username {username}@{domain} --password {password} --jserver {domain}:5222 "

                    f"--http-upload /tmp/http_file_upload_sample.txt "

                    f"{username}@{domain}")

    assert "file-too-large" in send.stderr

])

@pytest.mark.usefixtures("server_clean_domain_uploads")

    """

    Tests the user's daily quota for files uploaded via XEP-0363.

    """

        send = host.run(f"go-sendxmpp --debug --username {username}@{domain} --password {password} --jserver {domain}:5222 "

                        f"--http-upload /tmp/http_file_upload_sample.txt "

                        f"{username}@{domain}")

        assert send.rc == 0

    # Test exceeded daily quota.

    create_sample_file = host.run("dd if=/dev/zero of=/tmp/http_file_upload_sample.txt bs=1B count=1")

    assert create_sample_file.rc == 0

    send = host.run(f"go-sendxmpp --debug --username {username}@{domain} --password {password} --jserver {domain}:5222 "

                    f"--http-upload /tmp/http_file_upload_sample.txt "

                    f"{username}@{domain}")

    assert "Daily quota reached" in send.stderr

import os

import defusedxml.ElementTree as ElementTree

import pytest

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')

def test_prosody_configuration_file_content(host):

    """

    Tests if Prosody configuration file has correct content.

    """

    hostname = host.run('hostname').stdout.strip()

    with host.sudo():

        config = host.file('/etc/prosody/prosody.cfg.lua')

        assert "admins = { \"john.doe@domain1\",  }" in config.content_string

        assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string

        assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string

        assert "ldap_server = \"ldap-server\"" in config.content_string

        assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string

        assert "ldap_password = \"prosodypassword\"" in config.content_string

        assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string

        assert "ldap_base = \"ou=people,dc=local\"" in config.content_string

        assert "archive_expires_after = \"never\"" in config.content_string

        assert """VirtualHost "domain1"

Component "conference.domain1" "muc"

  restrict_room_creation = "local"

Component "proxy.domain1" "proxy65"

  proxy65_acl = { "domain1" }

Component "upload.domain1" "http_file_share"

def test_xmpp_server_uses_correct_dh_parameters(host):

    """

    Tests if the HTTP server uses the generated Diffie-Hellman parameter.

    """

    fqdn = host.run('hostname -f').stdout.strip()

    # Use first defined domain for testing.

    domain = host.ansible.get_variables()['xmpp_domains'][0]

    with host.sudo():

        expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip()

    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 "

                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose %s", domain)

    output = connection.stdout

    begin_marker = "-----BEGIN DH PARAMETERS-----"

    end_marker = "-----END DH PARAMETERS-----"

    used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]

    assert used_dhparam == expected_dhparam

@pytest.mark.parametrize("port", [

    5222,

    5223

])

def test_xmpp_c2s_tls_version_and_ciphers(host, port):

    """

    Tests if the correct TLS version and ciphers have been enabled for

    XMPP C2S ports.

    """

    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]

    expected_tls_ciphers = [

        "TLS_AKE_WITH_AES_128_GCM_SHA256",

        "TLS_AKE_WITH_AES_256_GCM_SHA384",

        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",

        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

    ]

    # Run the nmap scanner against the server, and fetch the results.

    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port))

    assert nmap.rc == 0

    report_content = host.file('/tmp/report.xml').content_string