- common

---

- name: Create

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Create molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        instance_interfaces: "{{ item.interfaces | default(omit) }}"

        instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}"

        platform_box: "{{ item.box }}"

        platform_box_version: "{{ item.box_version | default(omit) }}"

        platform_box_url: "{{ item.box_url | default(omit) }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        provider_memory: "{{ item.memory | default(omit) }}"

        provider_cpus: "{{ item.cpus | default(omit) }}"

        provider_raw_config_args: "{{ item.raw_config_args | default(omit) }}"

        state: up

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config dict

      set_fact:

        instance_conf_dict: {

          'instance': "{{ item.Host }}",

          'address': "{{ item.HostName }}",

          'user': "{{ item.User }}",

          'port': "{{ item.Port }}",

          'identity_file': "{{ item.IdentityFile }}", }

      with_items: "{{ server.results }}"

      register: instance_config_dict

      when: server.changed | bool

    - name: Convert instance config dict to a list

      set_fact:

        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"

      when: server.changed | bool

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

- name: Destroy

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env',' MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Destroy molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        platform_box: "{{ item.box }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        force_stop: "{{ item.force_stop | default(True) }}"

        state: destroy

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config

      set_fact:

        instance_conf: {}

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

dependency: {}

driver:

  name: vagrant

  provider:

    name: virtualbox

lint:

  name: yamllint

platforms:

  - name: mail-server

    groups:

      - mail-servers

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.10

        network_name: private_network

        type: static

  - name: client1

    groups:

      - clients

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.11

        network_name: private_network

        type: static

  - name: parameters-mandatory-jessie64

    groups:

      - parameters-mandatory

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.20

        network_name: private_network

        type: static

  - name: parameters-optional-jessie64

    groups:

      - parameters-optional

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.21

        network_name: private_network

        type: static

  - name: parameters-no-incoming-jessie64

    groups:

      - parameters-no-incoming

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.22

        network_name: private_network

        type: static

  - name: parameters-mandatory-stretch64

    groups:

      - parameters-mandatory

    box: debian/contrib-stretch64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.30

        network_name: private_network

        type: static

  - name: parameters-optional-stretch64

    groups:

      - parameters-optional

    box: debian/contrib-stretch64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.31

        network_name: private_network

        type: static

  - name: parameters-no-incoming-stretch64

    groups:

      - parameters-no-incoming

    box: debian/contrib-stretch64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.32

        network_name: private_network

        type: static

provisioner:

  name: ansible

  config_options:

    ssh_connection:

      pipelining: "True"

  lint:

    name: ansible-lint

scenario:

  name: default

verifier:

  name: testinfra

  lint:

    name: flake8

---

- hosts: parameters-mandatory

  become: yes

  roles:

    - role: mail_forwarder

      # Global common parameters.

      tls_certificate_dir: tests/data/x509/

- hosts: parameters-optional

  become: yes

  roles:

    - role: mail_forwarder

      local_mail_aliases:

        root: "root testuser"

      smtp_from_relay_allowed: True

      smtp_relay_host: mail-server

      smtp_relay_host_port: 27

      smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

      # common

      ca_certificates:

        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

- hosts: parameters-no-incoming

  become: yes

  roles:

    - role: mail_forwarder

      smtp_relay_host: mail-server

      smtp_from_relay_allowed: False

      smtp_relay_truststore: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

      # common

      ca_certificates:

        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

- name: Prepare

  hosts: all

  gather_facts: False

  tasks:

    - name: Install python for Ansible

      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)

      become: True

      changed_when: False

  become: yes

  become: yes

    - name: Set-up the hosts file

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        owner: root

        group: root

        mode: 0644

        state: present

        10.31.127.11: "client1"

        10.31.127.20: "parameters-mandatory-jessie64"

        10.31.127.21: "parameters-optional-jessie64"

        10.31.127.22: "parameters-no-incoming-jessie64"

        10.31.127.30: "parameters-mandatory-stretch64"

        10.31.127.31: "parameters-optional-stretch64"

        10.31.127.32: "parameters-no-incoming-stretch64"

- hosts: clients

  become: yes

- hosts: mail-servers

  become: yes

  become: yes

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    '.molecule/ansible_inventory.yml').get_hosts('client1')

def test_connectivity_from_client(host):

    """

    Tests connectivity towards mail forwarder servers from client

    (non-relay). Connectivity should fail for both.

    """

    with host.sudo():

        ping = host.run('hping3 -S -p 25 -c 1 parameters-mandatory-jessie64')

        assert ping.rc != 0

        assert "100% packet loss" in ping.stderr

        ping = host.run('hping3 -S -p 25 -c 1 parameters-optional-jessie64')

        assert ping.rc != 0

        assert "100% packet loss" in ping.stderr

        ping = host.run('hping3 -S -p 25 -c 1 parameters-no-incoming-jessie64')

        assert "100% packet loss" in ping.stderr

        assert ping.rc != 0

        ping = host.run('hping3 -S -p 25 -c 1 parameters-mandatory-stretch64')

        assert ping.rc != 0

        assert "100% packet loss" in ping.stderr

        ping = host.run('hping3 -S -p 25 -c 1 parameters-optional-stretch64')

        assert ping.rc != 0

        assert "100% packet loss" in ping.stderr

        ping = host.run('hping3 -S -p 25 -c 1 parameters-no-incoming-stretch64')

        assert "100% packet loss" in ping.stderr

        assert ping.rc != 0

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    '.molecule/ansible_inventory.yml').get_hosts('mail-server')

def test_connectivity_from_relay(host):

    """

    Tests connectivity towards mail forwarder servers from relay. Connection

    towards parameters-mandatory should fail.

    """

    with host.sudo():

        ping = host.run('hping3 -S -p 25 -c 1 parameters-mandatory-jessie64')

        assert ping.rc != 0

        assert "100% packet loss" in ping.stderr

        ping = host.run('hping3 -S -p 25 -c 1 parameters-optional-jessie64')

        assert ping.rc == 0

        ping = host.run('hping3 -S -p 25 -c 1 parameters-no-incoming-jessie64')

        assert "100% packet loss" in ping.stderr

        assert ping.rc != 0

        ping = host.run('hping3 -S -p 25 -c 1 parameters-mandatory-stretch64')

        assert ping.rc != 0

        assert "100% packet loss" in ping.stderr

        ping = host.run('hping3 -S -p 25 -c 1 parameters-optional-stretch64')

        assert ping.rc == 0

        ping = host.run('hping3 -S -p 25 -c 1 parameters-no-incoming-stretch64')

        assert "100% packet loss" in ping.stderr

        assert ping.rc != 0

def test_mail_reception_from_relay(host):

    """

    Tests if mails can be sent from relay to servers configured to use the

    relay.

    """

    send = host.run('swaks --suppress-data --to root@parameters-optional-jessie64 --server parameters-optional-jessie64')

    assert send.rc == 0

    send = host.run('swaks --suppress-data --to root@parameters-optional-stretch64 --server parameters-optional-stretch64')

    assert send.rc == 0

def test_open_relay(host):

    """

    Tests if mail forwarder behaves as open relay.

    """

    no_recipients_accepted = 24

    send = host.run('swaks --suppress-data --to root@client1 --server parameters-optional-jessie64')

    assert send.rc == no_recipients_accepted

    assert "Relay access denied" in send.stdout

    send = host.run('swaks --suppress-data --to root@client1 --server parameters-optional-stretch64')

    assert send.rc == no_recipients_accepted

    assert "Relay access denied" in send.stdout

    '.molecule/ansible_inventory.yml').get_hosts(['parameters-mandatory', 'parameters-optional', 'parameters-no-incoming'])

def test_installed_packages(host):

    assert host.package('postfix').is_installed

    assert host.package('procmail').is_installed

    assert host.package('swaks').is_installed

def test_removed_packages(host):

    assert not host.package('exim4').is_installed

def test_smtp_relay_truststore_file(host):

    truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')

def test_smtp_mailname(host):

    mailname = host.file('/etc/mailname')

def test_postfix_main_cf_file(host):

    config = host.file('/etc/postfix/main.cf')

def test_services(host):

    service = host.service('postfix')

def test_firewall_configuration_file(host):

    with host.sudo():

        config = host.file('/etc/ferm/conf.d/20-mail.conf')

    '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory')

def test_smtp_relay_truststore_file(host):

    truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')

def test_smtp_mailname(host):

    hostname = host.run('hostname').stdout

    mailname = host.file('/etc/mailname')

    assert mailname.content == hostname

def test_postfix_main_cf_file_content(host):

    hostname = host.run('hostname').stdout

    config = host.file('/etc/postfix/main.cf')

    assert "myhostname = %s" % hostname in config_lines

    assert "mydestination = %s, %s, localhost.localdomain, localhost" % (hostname, hostname) in config_lines

def test_direct_mail_sending(host):

    send = host.run('swaks --suppress-data --to root@domain1 --server localhost')

    with host.sudo():

        mail_log = host.file('/var/log/mail.log')

    '.molecule/ansible_inventory.yml').get_hosts('parameters-optional')

def test_smtp_relay_truststore_file(host):

    truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')

def test_smtp_mailname(host):

    hostname = host.run('hostname').stdout

    mailname = host.file('/etc/mailname')

    assert mailname.content == "%s" % hostname

def test_postfix_main_cf_file_content(host):

    hostname = host.run('hostname').stdout

    config = host.file('/etc/postfix/main.cf')

    assert "myhostname = %s" % hostname in config_lines

    assert "mydestination = %s, %s, localhost.localdomain, localhost" % (hostname, hostname) in config_lines

def test_local_aliases(host):

    hostname = host.run('hostname').stdout

    send = host.run('swaks --suppress-data --to root@localhost')

    with host.sudo():

        mail_log = host.file('/var/log/mail.log')

        pattern1 = "%s: to=<root@%s>, orig_to=<root@localhost>.*status=sent" % (message_id, hostname)

        pattern2 = "%s: to=<testuser@%s>, orig_to=<root@localhost>.*status=sent" % (message_id, hostname)

def test_relay_mail_sending(host):

    send = host.run('swaks --suppress-data --to root@domain1 --server localhost')

    with host.sudo():

        mail_log = host.file('/var/log/mail.log')

def test_tls_enforced_towards_relay_mail_server(host):

    with host.sudo():

        command = host.run("sed -i -e s#relayhost\\ =\\ mail-server#relayhost\\ =\\ domain1# /etc/postfix/main.cf")

        command = host.run("service postfix restart")

        send = host.run('swaks --suppress-data --to root@domain1 --server localhost')

        command = host.run("sed -i -e s#relayhost\\ =\\ domain1#relayhost\\ =\\ mail-server# /etc/postfix/main.cf")

        command = host.run("service postfix restart")