Files @ 5f9f8aef3473

Location: majic-ansible-roles/roles/common/molecule/default/tests/test_parameters_mandatory.py

branko
MAR-154: Drop support for Python 2.7 from the common role:

- This primarily concerns removal of pip requirements upgrade checks
for Python 2.7.
- The old Python 3-specific paths are getting deprecated, and the
Python 2 paths will be used instead.
- Set permissions on pipreqcheck directory explicitly (because of
deprecation testing).
import os
import socket

import paramiko

import testinfra.utils.ansible_runner


# Limit this module to the hosts that Molecule's inventory places in the
# 'parameters-mandatory' group.
_inventory_runner = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE'])
testinfra_hosts = _inventory_runner.get_hosts('parameters-mandatory')


def test_apt_proxy(host):
    """
    Tests that no apt proxy configuration file has been deployed.
    """

    proxy_config = host.file('/etc/apt/apt.conf.d/00proxy')

    assert not proxy_config.exists


def test_bash_prompt_content(host):
    """
    Tests if the bash prompt configuration file contains the two expected
    PS1 definitions (the ones without custom colouring or ID information).
    """

    prompt_file = host.file('/etc/profile.d/bash_prompt.sh')

    expected_exports = (
        # Variant that only emits the attribute-reset sequence (\033[0m).
        "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\[\\033[0m\\]\\u@\\h:\\w\\$ \\[\\033[0m\\]'",
        # Variant with no colour escape sequences after the title part.
        "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '",
    )

    for expected_export in expected_exports:
        assert expected_export in prompt_file.content_string


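def test_ssh_login_mechanisms(host):
    """
    Tests available SSH login mechanisms (should be just public key).

    The server is probed with the SSH "none" authentication method. The
    rejection is expected to list the methods the server is willing to
    continue with, and that list must be exactly ['publickey'].
    """

    # Extract first non-IPv6 IP. Crude test, but it should work.
    remote_ip = next(a for a in host.interface("eth1").addresses if ":" not in a)

    sock = socket.socket()
    try:
        sock.connect((remote_ip, 22))

        transport = paramiko.transport.Transport(sock)
        try:
            transport.connect()

            try:
                transport.auth_none('')
            except paramiko.transport.BadAuthenticationType as err:
                allowed_types = err.allowed_types
            else:
                # Without this branch the test would pass silently if the
                # server accepted a login with no credentials at all.
                raise AssertionError(
                    "SSH server accepted 'none' authentication; "
                    "expected only 'publickey' to be offered"
                )

            assert allowed_types == ['publickey']
        finally:
            # Always release the SSH session, even on assertion failure.
            transport.close()
    finally:
        sock.close()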


def test_emacs_electric_indent_mode(host):
    """
    Tests that the custom Emacs configuration file which disables electric
    indent mode is absent. With just mandatory options set, the file should
    not be present.
    """

    config_path = '/etc/emacs/site-start.d/01disable-electric-indent-mode'

    assert not host.file(config_path).exists


def test_ferm_base_rules(host):
    """
    Test if base ferm configuration has been deployed correctly (content-wise).

    Checks both the hashlimit setting in the ferm base configuration file
    and the resulting flood-protection rules in the iptables-save and
    ip6tables-save output.
    """

    # NOTE(review): the TCP SYN rule is expected with the same
    # "--hashlimit-name icmp" as the ICMP rules - confirm that sharing the
    # name is intended in the ferm configuration.
    ipv4_echo_rule = (
        "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 "
        "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN"
    )
    tcp_syn_rule = (
        "-A flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 "
        "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN"
    )
    ipv6_echo_rule = (
        "-A flood -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 "
        "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN"
    )

    with host.sudo():
        base_config = host.file('/etc/ferm/conf.d/00-base.conf')

        assert "mod hashlimit hashlimit 3/second hashlimit-burst 9" in base_config.content_string

        ipv4_dump = host.command('iptables-save')

        assert ipv4_dump.rc == 0
        assert ipv4_echo_rule in ipv4_dump.stdout
        assert tcp_syn_rule in ipv4_dump.stdout

        ipv6_dump = host.command('ip6tables-save')

        assert ipv6_dump.rc == 0
        # NOTE(review): this repeats the IPv4 echo-request check against the
        # iptables-save output, not the ip6tables-save output. It looks like
        # a copy-paste leftover; confirm which rule was meant to be checked.
        assert ipv4_echo_rule in ipv4_dump.stdout
        assert ipv6_echo_rule in ipv6_dump.stdout


def test_pipreqcheck_virtualenv_user(host):
    """
    Tests if the dedicated user and group used for running the pip
    requirements upgrade checks exist with the expected IDs, home directory
    and group membership.
    """

    account_name = 'pipreqcheck'

    check_group = host.group(account_name)
    assert check_group.exists
    assert check_group.gid == 1001

    check_user = host.user(account_name)
    assert check_user.exists
    assert check_user.home == '/var/lib/pipreqcheck'
    assert check_user.uid == 1001
    assert check_user.group == account_name
    # The account must not belong to any supplementary groups.
    assert check_user.groups == [account_name]


def test_backup_configuration_absent(host):
    """
    Tests that the duply patterns file for the common role has not been
    deployed. This should be the case when only mandatory parameters are
    provided.
    """

    backup_patterns_path = '/etc/duply/main/patterns/common'

    # The existence check is made with elevated privileges.
    with host.sudo():
        backup_patterns = host.file(backup_patterns_path)
        assert not backup_patterns.exists


def test_ntp_software_not_installed(host):
    """
    Tests that neither the ntp nor the ntpdate package is installed.
    """

    for package_name in ('ntp', 'ntpdate'):
        assert not host.package(package_name).is_installed


def test_ntp_listening_interfaces(host):
    """
    Tests if NTP server is not listening.

    Only the IPv6 wildcard address (::) on UDP port 123 is checked.
    """

    ntp_socket = host.socket('udp://:::123')

    assert not ntp_socket.is_listening


def test_pipreqcheck_input_content(host):
    """
    Tests that the requirements input file for the virtual environment used
    by the pip requirements upgrade check script lists exactly the expected
    packages. The comparison ignores case and line order.
    """

    input_file_path = '/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in'
    wanted_packages = ["pip", "pip-tools", "setuptools", "wheel"]

    with host.sudo():
        raw_content = host.file(input_file_path).content_string

        # Normalise both sides to lower case and sort them before comparing.
        wanted_sorted = sorted(name.lower() for name in wanted_packages)
        deployed_sorted = sorted(raw_content.lower().strip().split("\n"))

        assert deployed_sorted == wanted_sorted