Location: majic-ansible-roles/roles/mail_forwarder/molecule/default/tests/test_default.py
be01ee86b9dd
MAR-162: Make the smtp_relay_truststore parameter mandatory in mail_forwarder role:
- Dropped the defaults from mail_forwarder role.
- Updated group variables in role tests.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameter.
- Deduplicated tests for the TLS files.
import os
import testinfra.utils.ansible_runner
# Limit this test module to the hosts from the Molecule inventory
# whose names match 'parameters-*'.
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']
).get_hosts('parameters-*')
def test_installed_packages(host):
    """
    Tests if every package the mail forwarder depends on is installed.
    """

    # Checked in the same order as before; the first missing package
    # fails the test.
    for package_name in ('postfix', 'procmail', 'swaks'):
        assert host.package(package_name).is_installed
def test_removed_packages(host):
    """
    Tests if packages that must not be present have been removed.
    """

    # exim4 must be absent from a host where Postfix is the MTA under test.
    exim = host.package('exim4')

    assert not exim.is_installed
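def test_smtp_relay_truststore_file(host):
    """
    Tests if SMTP relay truststore has correct permissions and content.

    The deployed file must be owned by root with mode 0644 and must
    match the reference truststore shipped with the tests, so that a
    truststore other than the configured one is detected.
    """

    truststore = host.file('/etc/ssl/certs/smtp_relay_truststore.pem')

    # Read the reference file through a context manager so that the
    # handle is closed deterministically instead of being leaked.
    with open("tests/data/x509/truststore.pem", "r") as reference_file:
        expected_content = reference_file.read().rstrip()

    assert truststore.is_file
    assert truststore.user == 'root'
    assert truststore.group == 'root'
    assert truststore.mode == 0o644
    assert truststore.content_string == expected_content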
def test_smtp_mailname(host):
    """
    Tests if the SMTP mailname file exists and is owned by root with
    mode 0644.
    """

    mailname_file = host.file('/etc/mailname')

    assert mailname_file.is_file
    assert mailname_file.user == 'root'
    assert mailname_file.group == 'root'
    assert mailname_file.mode == 0o644
def test_postfix_main_cf_file(host):
    """
    Tests if the Postfix main configuration file exists and is owned
    by root with mode 0644.
    """

    main_cf = host.file('/etc/postfix/main.cf')

    assert main_cf.is_file
    assert main_cf.user == 'root'
    assert main_cf.group == 'root'
    assert main_cf.mode == 0o644
def test_services(host):
    """
    Tests if the Postfix service is both running and enabled.
    """

    postfix = host.service('postfix')

    assert postfix.is_running
    assert postfix.is_enabled
def test_firewall_configuration_file(host):
    """
    Tests if the mail firewall configuration file exists and is owned
    by root with mode 0640.
    """

    # The file is inspected with elevated privileges. Mode 0640 keeps
    # the firewall rules from being world-readable.
    with host.sudo():
        ferm_rules = host.file('/etc/ferm/conf.d/20-mail.conf')

        assert ferm_rules.is_file
        assert ferm_rules.user == 'root'
        assert ferm_rules.group == 'root'
        assert ferm_rules.mode == 0o640
def test_smtp_server_dh_parameter_file(host):
    """
    Tests if the per-host Diffie-Hellman parameter file exists, is
    owned by root with mode 0640, and holds 2048-bit parameters.
    """

    machine_name = host.run('hostname').stdout.strip()
    dhparam_file_path = '/etc/ssl/private/%s_smtp.dh.pem' % machine_name

    # The file is expected to have mode 0640 and root ownership, so it
    # is inspected and parsed with elevated privileges.
    with host.sudo():
        dh_file = host.file(dhparam_file_path)

        assert dh_file.is_file
        assert dh_file.user == 'root'
        assert dh_file.group == 'root'
        assert dh_file.mode == 0o640

        # The path is handed over as a separate argument, so testinfra
        # shell-quotes it before substituting it into the command.
        openssl_result = host.run("openssl dhparam -noout -text -in %s", dhparam_file_path)

        assert "DH Parameters: (2048 bit)" in openssl_result.stdout
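def test_smtp_server_uses_correct_dh_parameters(host):
    """
    Tests if the SMTP server uses the generated Diffie-Hellman parameter.

    A STARTTLS handshake restricted to TLS 1.2 with DHE-RSA key
    exchange is made against the local SMTP port. The DH parameters
    found in the client output are compared with the content of the
    generated parameter file. The test fails explicitly if the client
    output holds no DH parameter block, rather than comparing a
    meaningless slice.
    """

    hostname = host.run('hostname').stdout.strip()

    # Only the read of the parameter file under /etc/ssl/private is
    # done with elevated privileges.
    with host.sudo():
        expected_dhparam = host.file('/etc/ssl/private/%s_smtp.dh.pem' % hostname).content_string.rstrip()

    # Certificate verification is switched off because this test only
    # looks at the DH parameters offered by the server on localhost.
    # It makes no statement about the server certificate.
    connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=smtp --port 25 "
                          "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")

    output = connection.stdout
    begin_marker = "-----BEGIN DH PARAMETERS-----"
    end_marker = "-----END DH PARAMETERS-----"

    # str.find() returns -1 for a missing marker, which would turn the
    # slice below into an arbitrary (possibly empty) string. An empty
    # slice compared with an empty parameter file would pass without
    # checking anything, so require both markers first.
    assert begin_marker in output
    assert end_marker in output

    used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]

    assert used_dhparam == expected_dhparam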