Files @ 5ee6fc8d3513
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/molecule/default/tests/test_optional.py

branko
MAR-218: Force handler execution during testing for consistency:

- Otherwise it can easily happen that some handlers never run, leaving
the machine in inconsistent state until they are run by hand.
import os

import defusedxml.ElementTree as ElementTree

import testinfra.utils.ansible_runner

from helpers import parse_ldif


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional')


def test_base_entry(host):
    """
    Tests if the base entry has been created correctly.
    """

    with host.sudo():

        base_dn = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")

        assert base_dn.rc == 0
        assert "dc: local" in base_dn.stdout.split("\n")
        assert "o: Example" in base_dn.stdout.split("\n")


def test_log_level(host):
    """
    Tests if the logging level has been set correctly.
    """

    with host.sudo():

        log_level = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')

        assert log_level.rc == 0
        assert 'olcLogLevel: 0' in log_level.stdout


def test_certificate_validity_check_configuration(host):
    """
    Tests if certificate validity check configuration file has been deployed
    correctly.
    """

    inventory_hostname = host.ansible.get_variables()['inventory_hostname']

    config = host.file('/etc/check_certificate/%s_ldap.conf' % inventory_hostname)

    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644
    assert config.content_string == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname


def test_tls_connectivity(host):
    """
    Tests if it is possible to connect to the LDAP server using
    STARTTLS/TLS.
    """

    starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-optional/')
    assert starttls.rc == 0
    assert starttls.stdout == 'anonymous\n'

    tls = host.run('ldapwhoami -x -H ldaps://parameters-optional/')
    assert tls.rc == 0
    assert tls.stdout == 'anonymous\n'


def test_tls_version_and_ciphers(host):
    """
    Tests if the correct TLS version and ciphers have been enabled.
    """

    expected_tls_versions = ["TLSv1.1", "TLSv1.2"]

    expected_tls_ciphers = [
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    ]

    # Run the nmap scanner against the LDAP server, and fetch the
    # results.
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 636 localhost -oX /tmp/report.xml")
    assert nmap.rc == 0
    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []
    tls_ciphers = set()

    for child in report_root.findall("./host/ports/port/script/table"):
        tls_versions.append(child.attrib['key'])

    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
        tls_ciphers.add(child.text)

    tls_versions.sort()
    tls_ciphers = sorted(list(tls_ciphers))

    assert tls_versions == expected_tls_versions
    assert tls_ciphers == expected_tls_ciphers


def test_ssf_configuration(host):
    """
    Tests if the SSF olcSecurity configuration has been set-up correctly.
    """

    with host.sudo():
        ssf = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')

        assert ssf.rc == 0
        assert "olcSecurity: ssf=0" in ssf.stdout


def test_permissions(host):
    """
    Tests if LDAP directory permissions have been set-up correctly.
    """

    with host.sudo():
        permissions = host.run("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")

        expected_permissions = "olcAccess: {0}to * " \
                               "by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage " \
                               "by self write by * read by dn=\"cn=admin,dc=local\" write " \
                               "by * none"

        assert permissions.rc == 0
        assert expected_permissions in permissions.stdout


def test_services_login_entries(host):
    """
    Tests if the service/consumer login entries have been set correctly.
    """

    with host.sudo():

        expected_entries = parse_ldif("""
dn: cn=consumer1,ou=services,dc=local
objectClass: applicationProcess
objectClass: simpleSecurityObject
userPassword:: Y29uc3VtZXIxcGFzc3dvcmQ=
cn: consumer1

dn: cn=consumer2,ou=services,dc=local
objectClass: applicationProcess
objectClass: simpleSecurityObject
userPassword:: Y29uc3VtZXIycGFzc3dvcmQ=
cn: consumer2
""")

        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")

        assert entries.rc == 0
        assert parse_ldif(entries.stdout) == expected_entries


def test_group_entries(host):
    """
    Tests that no group entries have been created out-of-the-box.
    """

    with host.sudo():

        expected_entries = parse_ldif("""
dn: cn=group1,ou=groups,dc=local
objectClass: groupOfUniqueNames
uniqueMember: cn=NONE
cn: group1

dn: cn=group2,ou=groups,dc=local
objectClass: groupOfUniqueNames
uniqueMember: cn=NONE
cn: group2
""")

        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")

        assert entries.rc == 0
        assert parse_ldif(entries.stdout) == expected_entries


def test_user_supplied_entries(host):
    """
    Tests if user-supplied entries are created correctly.
    """

    with host.sudo():

        expected_entries = parse_ldif("""
dn: uid=john,dc=local
objectClass: inetOrgPerson
objectClass: simpleSecurityObject
userPassword:: am9obnBhc3N3b3Jk
cn: John Doe
sn: Doe
uid: john

dn: uid=jane,dc=local
objectClass: inetOrgPerson
objectClass: simpleSecurityObject
userPassword:: amFuZXBhc3N3b3Jk
cn: Jane Doe
sn: Doe
uid: jane""")

        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local '(|(entrydn=uid=john,dc=local)(entrydn=uid=jane,dc=local))'")

        assert entries.rc == 0
        assert parse_ldif(entries.stdout) == expected_entries