Files @ 36cc127035aa
Branch filter:

Location: majic-ansible-roles/roles/web_server/molecule/default/tests/test_mandatory.py

36cc127035aa 4.4 KiB text/x-python Show Annotation Show as Raw Download as Raw
branko
MAR-158: Update default TLS cipher configuration in the web_server role:

- Updated the default value for parameter web_server_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled
ciphers.
- Updated role reference documentation.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
import os

import pytest

import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')


def test_tls_version(host):
    """
    Tests if only the configured TLS protocol versions are allowed by
    the server.
    """

    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443")

    # Avoid false negatives by ensuring the client had actually
    # established the TCP connection.
    assert "CONNECTED" in old_tls_versions_disabled.stdout
    assert old_tls_versions_disabled.rc != 0


ALL_CIPHERS = [
    "AES128-GCM-SHA256",
    "AES128-SHA",
    "AES128-SHA256",
    "AES256-GCM-SHA384",
    "AES256-SHA",
    "AES256-SHA256",
    "DHE-PSK-AES128-CBC-SHA",
    "DHE-PSK-AES128-CBC-SHA256",
    "DHE-PSK-AES128-GCM-SHA256",
    "DHE-PSK-AES256-CBC-SHA",
    "DHE-PSK-AES256-CBC-SHA384",
    "DHE-PSK-AES256-GCM-SHA384",
    "DHE-PSK-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES256-SHA256",
    "DHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-PSK-AES128-CBC-SHA",
    "ECDHE-PSK-AES128-CBC-SHA256",
    "ECDHE-PSK-AES256-CBC-SHA",
    "ECDHE-PSK-AES256-CBC-SHA384",
    "ECDHE-PSK-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "PSK-AES128-CBC-SHA",
    "PSK-AES128-CBC-SHA256",
    "PSK-AES128-GCM-SHA256",
    "PSK-AES256-CBC-SHA",
    "PSK-AES256-CBC-SHA384",
    "PSK-AES256-GCM-SHA384",
    "PSK-CHACHA20-POLY1305",
    "RSA-PSK-AES128-CBC-SHA",
    "RSA-PSK-AES128-CBC-SHA256",
    "RSA-PSK-AES128-GCM-SHA256",
    "RSA-PSK-AES256-CBC-SHA",
    "RSA-PSK-AES256-CBC-SHA384",
    "RSA-PSK-AES256-GCM-SHA384",
    "RSA-PSK-CHACHA20-POLY1305",
    "SRP-AES-128-CBC-SHA",
    "SRP-AES-256-CBC-SHA",
    "SRP-RSA-AES-128-CBC-SHA",
    "SRP-RSA-AES-256-CBC-SHA",
]

ENABLED_CIPHERS = [
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))


@pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
def test_enabled_tls_ciphers(host, cipher):
    """
    Tests available TLS ciphers on the server.
    """

    hostname = host.run('hostname').stdout.strip()
    fqdn = hostname[:hostname.rfind('-')]

    client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
    assert client.rc == 0
    assert cipher in client.stdout


@pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
def test_disabled_tls_ciphers(host, cipher):
    """
    Tests available TLS ciphers on the server.
    """

    hostname = host.run('hostname').stdout.strip()
    fqdn = hostname[:hostname.rfind('-')]

    client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
    assert client.rc != 0
    assert cipher not in client.stdout


def test_https_enforcement(host):
    """
    Tests if HTTPS is being enforced.
    """

    https_enforcement = host.run('curl -I http://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
    assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout

    https_enforcement = host.run('curl -I https://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout


def test_default_vhost_index_page(host):
    """
    Tests content of default vhost index page.
    """

    page = host.run('curl https://parameters-mandatory/')

    assert page.rc == 0
    assert "<title>Welcome</title>" in page.stdout
    assert "<h1>Welcome</h1>" in page.stdout
    assert "<p>You are attempting to access the web server using a wrong name or an IP address. Please check your URL.</p>" in page.stdout
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.