Files
@ 2381ba93d089
Branch filter:
Location: majic-ansible-roles/roles/web_server/molecule/default/tests/test_optional.py
2381ba93d089
3.5 KiB
text/x-python
MAR-148: Better workaround for https://github.com/ansible/ansible/issues/64560 (override the module_utils/mysql.py instead of the module itself).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 | import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')
def test_nginx_tls_files(host):
"""
Tests if TLS private key and certificate have been deployed correctly.
"""
hostname = host.run('hostname').stdout.strip()
with host.sudo():
tls_file = host.file('/etc/ssl/private/%s_https.key' % hostname)
assert tls_file.is_file
assert tls_file.user == 'root'
assert tls_file.group == 'root'
assert tls_file.mode == 0o640
assert tls_file.content == open("tests/data/x509/parameters-optional_https.key.pem", "r").read().rstrip()
tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname)
assert tls_file.is_file
assert tls_file.user == 'root'
assert tls_file.group == 'root'
assert tls_file.mode == 0o644
assert tls_file.content == open("tests/data/x509/parameters-optional_https.cert.pem", "r").read().rstrip()
def test_certificate_validity_check_configuration(host):
"""
Tests if certificate validity check configuration file has been deployed
correctly.
"""
hostname = host.run('hostname').stdout.strip()
config = host.file('/etc/check_certificate/%s_https.conf' % hostname)
assert config.is_file
assert config.user == 'root'
assert config.group == 'root'
assert config.mode == 0o644
assert config.content == "/etc/ssl/certs/%s_https.pem" % hostname
def test_tls_configuration(host):
"""
Tests if the TLS has been configured correctly and works.
"""
tls = host.run('wget -q -O - https://parameters-optional/')
assert tls.rc == 0
old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_1 -no_tls1_2 -connect parameters-optional:443")
assert old_tls_versions_disabled.rc != 0
assert "CONNECTED" in old_tls_versions_disabled.stdout
newer_tls_versions_enabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:443")
assert newer_tls_versions_enabled.rc == 0
assert "CONNECTED" in newer_tls_versions_enabled.stdout
cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:443")
assert cipher.rc == 0
assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:443")
assert cipher.rc == 0
assert "ECDHE-RSA-AES128-SHA" in cipher.stdout
def test_https_enforcement(host):
"""
Tests if HTTPS is (not) being enforced.
"""
https_enforcement = host.run('curl -I http://parameters-optional/')
assert https_enforcement.rc == 0
assert 'HTTP/1.1 200 OK' in https_enforcement.stdout
assert 'HTTP/1.1 301 Moved Permanently' not in https_enforcement.stdout
assert 'Location: https://parameters-optional/' not in https_enforcement.stdout
https_enforcement = host.run('curl -I https://parameters-optional/')
assert https_enforcement.rc == 0
assert 'Strict-Transport-Security' not in https_enforcement.stdout
def test_default_vhost_index_page(host):
"""
Tests content of default vhost index page.
"""
page = host.run('curl https://parameters-optional/')
assert page.rc == 0
assert "<title>Optional Welcome</title>" in page.stdout
assert "<h1>Optional Welcome</h1>" in page.stdout
assert "<p>Welcome to parameters-optional, default virtual host.</p>" in page.stdout
|