Files @ 4f29bd1aa05b
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/molecule/default/tests/

MAR-181: Drop support for Debian 9 Stretch from the xmpp_server role:

- Switch to using IPs from VirtualBox default allowed host-only
network subnets.
- Drop Stretch-specific workarounds, code, and tests.
import os

import testinfra.utils.ansible_runner

from helpers import parse_ldif

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

def test_installed_packages(host):
    Tests if all the necessary packages have been installed.

    assert host.package('slapd').is_installed
    assert host.package('python3-pyldap').is_installed

def test_ldap_user_group(host):
    Tests if LDAP server user is part of group that allows it to traverse TLS
    private keys directory.

    assert "ssl-cert" in host.user('openldap').groups

def test_ldap_server_service_sockets_and_ports(host):
    Tests if LDAP server has been configured to listen on correct sockets.

    assert host.socket('tcp://389').is_listening
    assert host.socket('tcp://636').is_listening
    assert host.socket('unix:///var/run/slapd/ldapi').is_listening

def test_ldap_server_service(host):
    Tests if the LDAP service is enabled and running.

    service = host.service('slapd')

    assert service.is_enabled
    assert service.is_running

def test_syslog_configuration(host):
    Tests if syslog configuration file has been deployed, and log file was
    created correctly (and is being logged to).

    config = host.file('/etc/rsyslog.d/slapd.conf')
    assert config.is_file
    assert config.user == 'root'
    assert == 'root'
    assert config.mode == 0o644

    with host.sudo():
        log = host.file('/var/log/slapd.log')
        assert log.is_file
        assert 'slapd' in log.content_string

def test_log_rotation_configuration(host):
    Tests if log rotation configuration file has been deployed correctly and has
    valid syntax.

    config = host.file('/etc/logrotate.d/slapd')

    assert config.is_file
    assert config.user == 'root'
    assert == 'root'
    assert config.mode == 0o644

    with host.sudo():

        assert'logrotate /etc/logrotate.d/slapd').rc == 0

def test_misc_schema_presence(host):
    Tests if the misc LDAP schema has been imported.

    with host.sudo():

        misc_schema ='ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
        assert misc_schema.rc == 0
        assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout

def test_memberof_module(host):
    Tests if the memberof overlay has been enabled for the main database.

    with host.sudo():
        memberof ='ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')

        assert memberof.rc == 0
        assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout

def test_basic_directory_structure(host):
    Tests if the base LDAP directory structure has been set-up correctly.

    expected_entries = parse_ldif("""
dn: ou=people,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=local
objectClass: organizationalUnit
ou: groups

dn: ou=services,dc=local
objectClass: organizationalUnit
ou: services

    entry ="ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local "

    assert entry.rc == 0
    assert parse_ldif(entry.stdout) == expected_entries

def test_mail_service_entries(host):
    Tests if the mail service entries have been set-up correctly.

    with host.sudo():

        expected_entries = parse_ldif("""
dn: ou=mail,ou=services,dc=local
objectClass: organizationalUnit
ou: mail

dn: ou=aliases,ou=mail,ou=services,dc=local
objectClass: organizationalUnit
ou: aliases

dn: ou=domains,ou=mail,ou=services,dc=local
objectClass: organizationalUnit
ou: domains

        entry ='ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b ou=mail,ou=services,dc=local')
        assert entry.rc == 0
        assert parse_ldif(entry.stdout) == expected_entries

def test_firewall_configuration_file(host):
    Tests if firewall configuration file has been deployed correctly.

    with host.sudo():

        config = host.file('/etc/ferm/conf.d/10-ldap.conf')

        assert config.is_file
        assert config.user == 'root'
        assert == 'root'
        assert config.mode == 0o640

def test_admin_password(host):
    Tests if administrator password has been set correctly.

    login ="ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local")

    assert login.rc == 0
    assert login.stdout == "dn:cn=admin,dc=local\n"

def test_temporary_admin_password_file_not_present(host):
    Tests if the file that temporarily contains the LDAP adminstrator password
    has been removed.

    with host.sudo():
        assert not host.file('/root/.ldap_admin_password').exists

def test_ldap_tls_private_key_file(host):
    Tests if the TLS private key has been deployed correctly.

    with host.sudo():

        inventory_hostname = host.ansible.get_variables()['inventory_hostname']

        key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname)

        assert key.is_file
        assert key.user == 'root'
        assert == 'openldap'
        assert key.mode == 0o640
        assert key.content_string == open('tests/data/x509/server/%s_ldap.key.pem' % inventory_hostname).read()

def test_ldap_tls_certificate_file(host):
    Tests if the TLS certificate has been deployed correctly.

    with host.sudo():

        inventory_hostname = host.ansible.get_variables()['inventory_hostname']

        cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname)

        assert cert.is_file
        assert cert.user == 'root'
        assert == 'root'
        assert cert.mode == 0o644
        assert cert.content_string == open('tests/data/x509/server/%s_ldap.cert.pem' % inventory_hostname).read()

def test_ldap_server_dh_parameter_file(host):
    Tests if the Diffie-Hellman parameter file has been generated

    hostname ='hostname').stdout.strip()
    dhparam_file_path = '/etc/ssl/private/%s_ldap.dh.pem' % hostname

    with host.sudo():
        dhparam_file = host.file(dhparam_file_path)
        assert dhparam_file.is_file
        assert dhparam_file.user == 'root'
        assert == 'openldap'
        assert dhparam_file.mode == 0o640

        dhparam_info ="openssl dhparam -noout -text -in %s", dhparam_file_path)

        assert "DH Parameters: (2048 bit)" in dhparam_info.stdout