Files @ be01ee86b9dd
Branch filter:

Location: majic-ansible-roles/roles/mail_forwarder/molecule/default/tests/test_default.py

branko
MAR-162: Make the smtp_relay_truststore parameter mandatory in mail_forwarder role:

- Dropped the defaults from mail_forwarder role.
- Updated group variables in role tests.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameter.
- Deduplicated tests for the TLS files.
import os

import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*')


def test_installed_packages(host):
    """
    Tests if the necessary packages have been installed.
    """

    assert host.package('postfix').is_installed
    assert host.package('procmail').is_installed
    assert host.package('swaks').is_installed


def test_removed_packages(host):
    """
    Tests if certain packages have been removed from the system.
    """

    assert not host.package('exim4').is_installed


def test_smtp_relay_truststore_file(host):
    """
    Tests if SMTP relay truststore has correct permissions and content.
    """

    truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')

    assert truststore.is_file
    assert truststore.user == 'root'
    assert truststore.group == 'root'
    assert truststore.mode == 0o644
    assert truststore.content_string == open("tests/data/x509/truststore.pem", "r").read().rstrip()


def test_smtp_mailname(host):
    """
    Tests if SMTP mailname configuration file has correct permissions.
    """

    mailname = host.file('/etc/mailname')

    assert mailname.is_file
    assert mailname.user == 'root'
    assert mailname.group == 'root'
    assert mailname.mode == 0o644


def test_postfix_main_cf_file(host):
    """
    Tests Postfix main configuration file permissions.
    """

    config = host.file('/etc/postfix/main.cf')
    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644


def test_services(host):
    """
    Tests if all the necessary services are enabled and running.
    """

    service = host.service('postfix')
    assert service.is_running
    assert service.is_enabled


def test_firewall_configuration_file(host):
    """
    Tests if firewall configuration file has correct permissions.
    """

    with host.sudo():
        config = host.file('/etc/ferm/conf.d/20-mail.conf')
        assert config.is_file
        assert config.user == 'root'
        assert config.group == 'root'
        assert config.mode == 0o640


def test_smtp_server_dh_parameter_file(host):
    """
    Tests if the Diffie-Hellman parameter file has been generated
    correctly.
    """

    hostname = host.run('hostname').stdout.strip()
    dhparam_file_path = '/etc/ssl/private/%s_smtp.dh.pem' % hostname

    with host.sudo():
        dhparam_file = host.file(dhparam_file_path)
        assert dhparam_file.is_file
        assert dhparam_file.user == 'root'
        assert dhparam_file.group == 'root'
        assert dhparam_file.mode == 0o640

        dhparam_info = host.run("openssl dhparam -noout -text -in %s", dhparam_file_path)

        assert "DH Parameters: (2048 bit)" in dhparam_info.stdout


def test_smtp_server_uses_correct_dh_parameters(host):
    """
    Tests if the SMTP server uses the generated Diffie-Hellman parameter.
    """

    hostname = host.run('hostname').stdout.strip()

    with host.sudo():
        expected_dhparam = host.file('/etc/ssl/private/%s_smtp.dh.pem' % hostname).content_string.rstrip()

    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=smtp --port 25 "
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")

    output = connection.stdout
    begin_marker = "-----BEGIN DH PARAMETERS-----"
    end_marker = "-----END DH PARAMETERS-----"
    used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]

    assert used_dhparam == expected_dhparam