
Location: majic-ansible-roles/roles/xmpp_server/molecule/default/tests/test_optional.py

branko
MAR-192: Added support for Debian 12 Bookworm to xmpp_server role:

- Some of the tests are still failing, namely the ones centered around
the sendxmpp tool (which seems completely broken at this point in
Debian 12 Bookworm)
import os

import defusedxml.ElementTree as ElementTree

import pytest

import testinfra.utils.ansible_runner


# Molecule hands the generated inventory to the test run through the
# environment; the 'parameters-optional' group selects the scenario hosts
# these tests are meant to run against.
_inventory_file = os.environ['MOLECULE_INVENTORY_FILE']
_runner = testinfra.utils.ansible_runner.AnsibleRunner(_inventory_file)
testinfra_hosts = _runner.get_hosts('parameters-optional')


def _expected_virtual_host_block(domain):
    """
    Return the Prosody configuration fragment expected for a single
    virtual host *domain* (MUC and proxy65 components included).
    """

    return (
        'VirtualHost "%s"\n'
        'Component "conference.%s" "muc"\n'
        '  restrict_room_creation = "local"\n'
        'Component "proxy.%s" "proxy65"\n'
        '  proxy65_acl = { "%s" }'
    ) % (domain, domain, domain, domain)


def test_prosody_configuration_file_content(host):
    """
    Tests if Prosody configuration file has correct content.

    Checks admin list, TLS key/certificate paths (derived from the
    host's name), LDAP authentication settings, archive retention and
    the per-domain virtual host/component definitions.
    """

    hostname = host.run('hostname').stdout.strip()

    expected_fragments = [
        'admins = { "jane.doe@domain2", "mick.doe@domain3",  }',
        'key = "/etc/ssl/private/%s_xmpp.key";' % hostname,
        'certificate = "/etc/ssl/certs/%s_xmpp.pem";' % hostname,
        'ldap_server = "ldap-server"',
        'ldap_rootdn = "cn=prosody,ou=services,dc=local"',
        'ldap_password = "prosodypassword"',
        'ldap_filter = "(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))"',
        'ldap_base = "ou=people,dc=local"',
        'archive_expires_after = "1w"',
        _expected_virtual_host_block("domain2"),
        _expected_virtual_host_block("domain3"),
    ]

    # The configuration file is only readable by root, hence the sudo.
    with host.sudo():
        content = host.file('/etc/prosody/prosody.cfg.lua').content_string

    for fragment in expected_fragments:
        assert fragment in content


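# TLS versions and cipher suites expected on the C2S ports, per Debian
# release. Both lists must be kept sorted, since the parsed results are
# sorted before comparison.
_BULLSEYE_TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
_BULLSEYE_TLS_CIPHERS = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Expectations for Debian 12 Bookworm (and, by fall-through, any other
# release that is not Bullseye). The TLS_AKE_* names are how nmap's
# ssl-enum-ciphers script reports TLSv1.3 suites.
# NOTE(review): both profiles still expect TLSv1.0 and TLSv1.1 to be
# offered; this mirrors the role's current configuration rather than a
# hardening target - confirm that it is intended.
_BOOKWORM_TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_BOOKWORM_TLS_CIPHERS = [
    "TLS_AKE_WITH_AES_128_GCM_SHA256",
    "TLS_AKE_WITH_AES_256_GCM_SHA384",
    "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def _expected_tls_profile(distribution_release):
    """
    Return the (versions, ciphers) lists expected for a Debian release.

    Only Bullseye has a dedicated profile; every other release name is
    compared against the Bookworm expectations.
    """

    if distribution_release == "bullseye":
        return _BULLSEYE_TLS_VERSIONS, _BULLSEYE_TLS_CIPHERS

    return _BOOKWORM_TLS_VERSIONS, _BOOKWORM_TLS_CIPHERS


def _parse_ssl_enum_ciphers_report(report_xml):
    """
    Extract TLS versions and cipher suite names from an nmap XML report.

    Returns a tuple of two sorted lists: the TLS protocol versions the
    ssl-enum-ciphers script found enabled, and the deduplicated cipher
    suite names across all of those versions.
    """

    report_root = ElementTree.fromstring(report_xml)

    # Each protocol version appears as a <table key="TLSv1.x"> directly
    # under the ssl-enum-ciphers <script> element.
    tls_versions = sorted(
        table.attrib['key']
        for table in report_root.findall(
            "./host/ports/port/script[@id='ssl-enum-ciphers']/table"
        )
    )

    # Cipher names are nested deeper and repeat across versions, so
    # collect them into a set before sorting.
    tls_ciphers = sorted({
        elem.text
        for elem in report_root.findall(
            ".//table[@key='ciphers']/table/elem[@key='name']"
        )
    })

    return tls_versions, tls_ciphers


@pytest.mark.parametrize("port", [
    5222,
    5223
])
def test_xmpp_c2s_tls_version_and_ciphers(host, port):
    """
    Tests if the correct TLS version and ciphers have been enabled for
    XMPP C2S ports.

    The expected set depends on the Debian release of the target host
    (see _expected_tls_profile). The check runs nmap's ssl-enum-ciphers
    script against "domain2" on the given port and compares the parsed
    XML report with the expectations.
    """

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
    expected_tls_versions, expected_tls_ciphers = _expected_tls_profile(distribution_release)

    # Have nmap emit the XML report on stdout ("-oX -") instead of a
    # fixed /tmp path: this avoids a predictable shared-directory file
    # and rules out accidentally parsing a stale report left over from a
    # previous parametrized run. host.run() quotes the port argument.
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX -", str(port))
    assert nmap.rc == 0, nmap.stderr

    tls_versions, tls_ciphers = _parse_ssl_enum_ciphers_report(nmap.stdout)

    assert tls_versions == expected_tls_versions
    assert tls_ciphers == expected_tls_ciphers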