import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('clients')
def test_connectivity(host):
"""
Tests connectivity to the XMPP server (ports that should be reachable).
"""
with host.sudo():
for server in ["parameters-mandatory",
"parameters-optional"]:
# c2s plaintext, c2s TLS, file proxy, s2s.
for port in [5222, 5223, 5000, 5269]:
ping = host.run('hping3 -S -p %s -c 1 %s', str(port), server)
assert ping.rc == 0
@pytest.mark.parametrize("username, password, domain", [
["john.doe", "johnpassword", "domain1"],
["jane.doe", "janepassword", "domain2"],
])
def test_tls(host, username, password, domain):
"""
Tests if TLS works as expected.
"""
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-t -u {username} -p {password} -j {domain}:5222 {username}@{domain}")
assert send.rc == 0
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-e -u {username} -p {password} -j {domain}:5223 {username}@{domain}")
assert send.rc == 0
@pytest.mark.parametrize("username, password, domain", [
["john.doe", "johnpassword", "domain1"],
["jane.doe", "janepassword", "domain2"],
])
def test_authentication_requires_tls(host, username, password, domain):
"""
Tests if authentication must be done over TLS.
"""
command = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-u {username} -p {password} -j {domain}:5222 {username}@{domain} -d")
assert "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>" in command.stderr
@pytest.mark.parametrize("username, password, domain", [
["john.doe", "johnpassword", "domain1"],
["jane.doe", "janepassword", "domain2"],
["mick.doe", "mickpassword", "domain3"],
])
def test_authentication(host, username, password, domain):
"""
Tests if authentication works correctly.
"""
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-t -u {username} -p {password} -j {domain}:5222 {username}@{domain}")
assert send.rc == 0
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-e -u {username} -p {password} -j {domain}:5223 {username}@{domain}")
assert send.rc == 0
@pytest.mark.parametrize("target_username, target_domain", [
["john.doe", "domain1"],
["jane.doe", "domain2"],
])
def test_unauthorized_users_rejected(host, target_username, target_domain):
"""
Tests if unauthorized users (present in LDAP, but not member of correct
group) are rejected from accessing the XMPP server.
"""
send = host.run(f"echo 'Hello' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "
f"-t -u noxmpp -p noxmpppassword -j {target_domain}:5222 {target_username}@{target_domain}")
assert send.rc != 0
assert "Error 'AuthSend': error: not-authorized[?]" in send.stderr