Files @ 3dd7f39302f8
Branch filter:

Location: majic-ansible-roles/roles/web_server/tests/test_mandatory.py

branko
MAR-29: Implemented tests for php_website role:

- Install some additional tools for testing everything.
- Updated test playbook to change allowed extensions for running PHP scripts on
parameters-optional.
- Updated error page to use correct extension for parameters-optional test
instance.
- Expanded rewrite configuration slightly for parameters-optional.
- Install libmariadb-client-lgpl-dev-compat to test mysql_config symlink
creation.
- Deploy a number of PHP pages used for testing if pages are served correctly.
- Set file permissions on deployed PHP FPM pool configuraiton files.
- Use expanded syntax when deploying TLS keys/certificates in order to avoid
issues with TAB mangling.
- Fixed set-up of Strict-Transport-Security header when HTTPS enforcement is
disabled.
- Added a number of PHP and static test pages.
- Wrote tests covering full functionality of the role.
import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    '.molecule/ansible_inventory').get_hosts('parameters-mandatory')


def test_nginx_tls_files(File, Sudo):
    """
    Tests if TLS private key and certificate have been deployed correctly.
    """

    with Sudo():

        tls_file = File('/etc/ssl/private/parameters-mandatory_https.key')
        assert tls_file.is_file
        assert tls_file.user == 'root'
        assert tls_file.group == 'root'
        assert tls_file.mode == 0o640
        assert tls_file.content == open("tests/data/x509/parameters-mandatory_https.key", "r").read().rstrip()

        tls_file = File('/etc/ssl/certs/parameters-mandatory_https.pem')
        assert tls_file.is_file
        assert tls_file.user == 'root'
        assert tls_file.group == 'root'
        assert tls_file.mode == 0o644
        assert tls_file.content == open("tests/data/x509/parameters-mandatory_https.pem", "r").read().rstrip()


def test_certificate_validity_check_configuration(File):
    """
    Tests if certificate validity check configuration file has been deployed
    correctly.
    """

    config = File('/etc/check_certificate/parameters-mandatory_https.conf')
    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644
    assert config.content == "/etc/ssl/certs/parameters-mandatory_https.pem"


def test_tls_configuration(Command):
    """
    Tests if the TLS has been configured correctly and works.
    """

    tls = Command('wget -q -O - https://parameters-mandatory/')
    assert tls.rc == 0

    old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443")
    assert old_tls_versions_disabled.rc != 0
    assert "CONNECTED" in old_tls_versions_disabled.stdout

    cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443")
    assert cipher.rc == 0
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout

    cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443")
    assert cipher.rc != 0
    assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout


def test_https_enforcement(Command):
    """
    Tests if HTTPS is being enforced.
    """

    https_enforcement = Command('curl -I http://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
    assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout

    https_enforcement = Command('curl -I https://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout


def test_default_vhost_index_page(Command):
    """
    Tests content of default vhost index page.
    """

    page = Command('curl https://parameters-mandatory/')

    assert page.rc == 0
    assert "<title>Welcome</title>" in page.stdout
    assert "<h1>Welcome</h1>" in page.stdout
    assert "<p>You are attempting to access the web server using a wrong name or an IP address. Please check your URL.</p>" in page.stdout