Files
@ 36cc127035aa
Branch filter:
Location: majic-ansible-roles/roles/web_server/molecule/default/tests/test_mandatory.py
36cc127035aa
4.4 KiB
text/x-python
MAR-158: Update default TLS cipher configuration in the web_server role:
- Updated the default value for parameter web_server_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled
ciphers.
- Updated role reference documentation.
- Updated the default value for parameter web_server_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled
ciphers.
- Updated role reference documentation.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 | import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')
def test_tls_version(host):
"""
Tests if only the configured TLS protocol versions are allowed by
the server.
"""
old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443")
# Avoid false negatives by ensuring the client had actually
# established the TCP connection.
assert "CONNECTED" in old_tls_versions_disabled.stdout
assert old_tls_versions_disabled.rc != 0
ALL_CIPHERS = [
"AES128-GCM-SHA256",
"AES128-SHA",
"AES128-SHA256",
"AES256-GCM-SHA384",
"AES256-SHA",
"AES256-SHA256",
"DHE-PSK-AES128-CBC-SHA",
"DHE-PSK-AES128-CBC-SHA256",
"DHE-PSK-AES128-GCM-SHA256",
"DHE-PSK-AES256-CBC-SHA",
"DHE-PSK-AES256-CBC-SHA384",
"DHE-PSK-AES256-GCM-SHA384",
"DHE-PSK-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES128-SHA",
"DHE-RSA-AES128-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-AES256-SHA",
"DHE-RSA-AES256-SHA256",
"DHE-RSA-CHACHA20-POLY1305",
"ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-ECDSA-AES128-SHA",
"ECDHE-ECDSA-AES128-SHA256",
"ECDHE-ECDSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA",
"ECDHE-ECDSA-AES256-SHA384",
"ECDHE-ECDSA-CHACHA20-POLY1305",
"ECDHE-PSK-AES128-CBC-SHA",
"ECDHE-PSK-AES128-CBC-SHA256",
"ECDHE-PSK-AES256-CBC-SHA",
"ECDHE-PSK-AES256-CBC-SHA384",
"ECDHE-PSK-CHACHA20-POLY1305",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA256",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-RSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA384",
"ECDHE-RSA-CHACHA20-POLY1305",
"PSK-AES128-CBC-SHA",
"PSK-AES128-CBC-SHA256",
"PSK-AES128-GCM-SHA256",
"PSK-AES256-CBC-SHA",
"PSK-AES256-CBC-SHA384",
"PSK-AES256-GCM-SHA384",
"PSK-CHACHA20-POLY1305",
"RSA-PSK-AES128-CBC-SHA",
"RSA-PSK-AES128-CBC-SHA256",
"RSA-PSK-AES128-GCM-SHA256",
"RSA-PSK-AES256-CBC-SHA",
"RSA-PSK-AES256-CBC-SHA384",
"RSA-PSK-AES256-GCM-SHA384",
"RSA-PSK-CHACHA20-POLY1305",
"SRP-AES-128-CBC-SHA",
"SRP-AES-256-CBC-SHA",
"SRP-RSA-AES-128-CBC-SHA",
"SRP-RSA-AES-256-CBC-SHA",
]
ENABLED_CIPHERS = [
"DHE-RSA-AES128-GCM-SHA256",
"DHE-RSA-AES256-GCM-SHA384",
"DHE-RSA-CHACHA20-POLY1305",
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-RSA-CHACHA20-POLY1305",
]
DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))
@pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
def test_enabled_tls_ciphers(host, cipher):
"""
Tests available TLS ciphers on the server.
"""
hostname = host.run('hostname').stdout.strip()
fqdn = hostname[:hostname.rfind('-')]
client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
assert client.rc == 0
assert cipher in client.stdout
@pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
def test_disabled_tls_ciphers(host, cipher):
"""
Tests available TLS ciphers on the server.
"""
hostname = host.run('hostname').stdout.strip()
fqdn = hostname[:hostname.rfind('-')]
client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
assert client.rc != 0
assert cipher not in client.stdout
def test_https_enforcement(host):
"""
Tests if HTTPS is being enforced.
"""
https_enforcement = host.run('curl -I http://parameters-mandatory/')
assert https_enforcement.rc == 0
assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout
https_enforcement = host.run('curl -I https://parameters-mandatory/')
assert https_enforcement.rc == 0
assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout
def test_default_vhost_index_page(host):
"""
Tests content of default vhost index page.
"""
page = host.run('curl https://parameters-mandatory/')
assert page.rc == 0
assert "<title>Welcome</title>" in page.stdout
assert "<h1>Welcome</h1>" in page.stdout
assert "<p>You are attempting to access the web server using a wrong name or an IP address. Please check your URL.</p>" in page.stdout
|