majic-ansible-roles File Diff

File diff 315128d98063 → 36cc127035aa

roles/web_server/molecule/default/tests/test_mandatory.py

➞

Show inline comments

 import os
 import pytest
 import testinfra.utils.ansible_runner
@@ @@ -21,18 +23,104 @@ def test_tls_version(host): @@
     assert old_tls_versions_disabled.rc != 0
 def test_tls_ciphers(host):
 ALL_CIPHERS = [
     "AES128-GCM-SHA256",
     "AES128-SHA",
     "AES128-SHA256",
     "AES256-GCM-SHA384",
     "AES256-SHA",
     "AES256-SHA256",
     "DHE-PSK-AES128-CBC-SHA",
     "DHE-PSK-AES128-CBC-SHA256",
     "DHE-PSK-AES128-GCM-SHA256",
     "DHE-PSK-AES256-CBC-SHA",
     "DHE-PSK-AES256-CBC-SHA384",
     "DHE-PSK-AES256-GCM-SHA384",
     "DHE-PSK-CHACHA20-POLY1305",
     "DHE-RSA-AES128-GCM-SHA256",
     "DHE-RSA-AES128-SHA",
     "DHE-RSA-AES128-SHA256",
     "DHE-RSA-AES256-GCM-SHA384",
     "DHE-RSA-AES256-SHA",
     "DHE-RSA-AES256-SHA256",
     "DHE-RSA-CHACHA20-POLY1305",
     "ECDHE-ECDSA-AES128-GCM-SHA256",
     "ECDHE-ECDSA-AES128-SHA",
     "ECDHE-ECDSA-AES128-SHA256",
     "ECDHE-ECDSA-AES256-GCM-SHA384",
     "ECDHE-ECDSA-AES256-SHA",
     "ECDHE-ECDSA-AES256-SHA384",
     "ECDHE-ECDSA-CHACHA20-POLY1305",
     "ECDHE-PSK-AES128-CBC-SHA",
     "ECDHE-PSK-AES128-CBC-SHA256",
     "ECDHE-PSK-AES256-CBC-SHA",
     "ECDHE-PSK-AES256-CBC-SHA384",
     "ECDHE-PSK-CHACHA20-POLY1305",
     "ECDHE-RSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES128-SHA",
     "ECDHE-RSA-AES128-SHA256",
     "ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-RSA-AES256-SHA",
     "ECDHE-RSA-AES256-SHA384",
     "ECDHE-RSA-CHACHA20-POLY1305",
     "PSK-AES128-CBC-SHA",
     "PSK-AES128-CBC-SHA256",
     "PSK-AES128-GCM-SHA256",
     "PSK-AES256-CBC-SHA",
     "PSK-AES256-CBC-SHA384",
     "PSK-AES256-GCM-SHA384",
     "PSK-CHACHA20-POLY1305",
     "RSA-PSK-AES128-CBC-SHA",
     "RSA-PSK-AES128-CBC-SHA256",
     "RSA-PSK-AES128-GCM-SHA256",
     "RSA-PSK-AES256-CBC-SHA",
     "RSA-PSK-AES256-CBC-SHA384",
     "RSA-PSK-AES256-GCM-SHA384",
     "RSA-PSK-CHACHA20-POLY1305",
     "SRP-AES-128-CBC-SHA",
     "SRP-AES-256-CBC-SHA",
     "SRP-RSA-AES-128-CBC-SHA",
     "SRP-RSA-AES-256-CBC-SHA",
+]
 ENABLED_CIPHERS = [
     "DHE-RSA-AES128-GCM-SHA256",
     "DHE-RSA-AES256-GCM-SHA384",
     "DHE-RSA-CHACHA20-POLY1305",
     "ECDHE-RSA-AES128-GCM-SHA256",
     "ECDHE-RSA-AES256-GCM-SHA384",
     "ECDHE-RSA-CHACHA20-POLY1305",
+]
 DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))
 @pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
 def test_enabled_tls_ciphers(host, cipher):
     """
     Tests available TLS ciphers on the server.
     """
     hostname = host.run('hostname').stdout.strip()
     fqdn = hostname[:hostname.rfind('-')]
     client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
     assert client.rc == 0
     assert cipher in client.stdout
 @pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
 def test_disabled_tls_ciphers(host, cipher):
     """
     Tests available TLS ciphers on the server.
     """
     cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443")
     assert cipher.rc == 0
     assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
     hostname = host.run('hostname').stdout.strip()
     fqdn = hostname[:hostname.rfind('-')]
     cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443")
     assert cipher.rc != 0
     assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout
     client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
     assert client.rc != 0
     assert cipher not in client.stdout
 def test_https_enforcement(host):