Files @ 8a6ebeaabb26
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/tests/test_mandatory.py

branko
MAR-125: Eliminated a couple of warnings:

- Use the file module when cleaning-up the /etc/duply/main/gnupg directory.
- Mark the bind_password in m_ldap_entry and m_ldap_permissions as no_log
parameters.
import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    '.molecule/ansible_inventory').get_hosts('parameters-mandatory.local')


def test_base_entry(Command, Sudo):
    """
    Tests if the base entry has been created correctly.
    """

    with Sudo():

        base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")

        assert base_dn.rc == 0
        assert "dc: local" in base_dn.stdout.split("\n")
        assert "o: Private" in base_dn.stdout.split("\n")


def test_log_level(Command, Sudo):
    """
    Tests if the logging level has been set correctly.
    """

    with Sudo():

        log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')

        assert log_level.rc == 0
        assert 'olcLogLevel: 256' in log_level.stdout


def test_ldap_tls_private_key_file(File, Sudo):
    """
    Tests if the TLS private key has been deployed correctly.
    """

    with Sudo():

        key = File('/etc/ssl/private/parameters-mandatory.local_ldap.key')

        assert key.is_file
        assert key.user == 'root'
        assert key.group == 'openldap'
        assert key.mode == 0o640
        assert key.content == open('tests/data/x509/parameters-mandatory.local_ldap.key').read().rstrip()


def test_ldap_tls_certificate_file(File, Sudo):
    """
    Tests if the TLS certificate has been deployed correctly.
    """

    with Sudo():

        cert = File('/etc/ssl/certs/parameters-mandatory.local_ldap.pem')

        assert cert.is_file
        assert cert.user == 'root'
        assert cert.group == 'root'
        assert cert.mode == 0o644
        assert cert.content == open('tests/data/x509/parameters-mandatory.local_ldap.pem').read().rstrip()


def test_certificate_validity_check_configuration(File):
    """
    Tests if certificate validity check configuration file has been deployed
    correctly.
    """

    config = File('/etc/check_certificate/parameters-mandatory.local_ldap.conf')

    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644
    assert config.content == "/etc/ssl/certs/parameters-mandatory.local_ldap.pem"


def test_tls_configuration(Command):
    """
    Tests if the TLS has been configured correctly and works.
    """

    starttls = Command('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/')
    assert starttls.rc == 0
    assert starttls.stdout == 'anonymous'

    tls = Command('ldapwhoami -x -H ldaps://parameters-mandatory.local/')
    assert tls.rc == 0
    assert tls.stdout == 'anonymous'

    old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:636")
    assert old_tls_versions_disabled.rc != 0
    assert "CONNECTED" in old_tls_versions_disabled.stdout

    cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:636")
    assert cipher.rc == 0
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout

    cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:636")
    assert cipher.rc != 0
    assert "CONNECTED" in cipher.stdout
    assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout


def test_ssf_configuration(Command, Sudo):
    """
    Tests if the SSF olcSecurity configuration has been set-up correctly.
    """

    with Sudo():
        ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')

        assert ssf.rc == 0
        assert "olcSecurity: ssf=128" in ssf.stdout


def test_permissions(Command, Sudo):
    """
    Tests if LDAP directory permissions have been set-up correctly.
    """

    with Sudo():
        permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")

        expected_permissions = """olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn="cn=admin,dc=local" manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=local" write by users read by * none"""

        assert permissions.rc == 0
        assert expected_permissions in permissions.stdout


def test_services_login_entries(Command, Sudo):
    """
    Tests if the service/consumer login entries have been set correctly.
    """

    with Sudo():

        entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")

        assert entries.rc == 0
        assert entries.stdout == ""


def test_group_entries(Command, Sudo):
    """
    Tests that no group entries have been created out-of-the-box.
    """

    with Sudo():

        entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")

        assert entries.rc == 0
        assert entries.stdout == ""