Files @ eb03c3b4f367
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/molecule/default/tests/test_default.py

branko
MAR-162: Deduplicate TLS private key/certificate tests for LDAP server role:

- Rename the key/certificate files to match the Ansible inventory
name.
- Move the tests into test_default.py.
- Change the key/certificate extensions to be more descriptie.
import os

import testinfra.utils.ansible_runner

from helpers import parse_ldif


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*')


def test_installed_packages(host):
    """
    Tests if all the necessary packages have been installed.
    """

    assert host.package('slapd').is_installed
    assert host.package('python3-pyldap').is_installed


def test_ldap_user_group(host):
    """
    Tests if LDAP server user is part of group that allows it to traverse TLS
    private keys directory.
    """

    assert "ssl-cert" in host.user('openldap').groups


def test_ldap_server_service_sockets_and_ports(host):
    """
    Tests if LDAP server has been configured to listen on correct sockets.
    """

    assert host.socket('tcp://389').is_listening
    assert host.socket('tcp://636').is_listening
    assert host.socket('unix:///var/run/slapd/ldapi').is_listening


def test_ldap_server_service(host):
    """
    Tests if the LDAP service is enabled and running.
    """

    service = host.service('slapd')

    assert service.is_enabled
    assert service.is_running


def test_syslog_configuration(host):
    """
    Tests if syslog configuration file has been deployed, and log file was
    created correctly (and is being logged to).
    """

    config = host.file('/etc/rsyslog.d/slapd.conf')
    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644

    with host.sudo():
        log = host.file('/var/log/slapd.log')
        assert log.is_file
        assert 'slapd' in log.content_string


def test_log_rotation_configuration(host):
    """
    Tests if log rotation configuration file has been deployed correctly and has
    valid syntax.
    """

    config = host.file('/etc/logrotate.d/slapd')

    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644

    with host.sudo():

        assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0


def test_misc_schema_presence(host):
    """
    Tests if the misc LDAP schema has been imported.
    """

    with host.sudo():

        misc_schema = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
        assert misc_schema.rc == 0
        assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout


def test_memberof_module(host):
    """
    Tests if the memberof overlay has been enabled for the main database.
    """

    with host.sudo():
        memberof = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')

        assert memberof.rc == 0
        assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout


def test_basic_directory_structure(host):
    """
    Tests if the base LDAP directory structure has been set-up correctly.
    """

    expected_entries = parse_ldif("""
dn: ou=people,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=local
objectClass: organizationalUnit
ou: groups

dn: ou=services,dc=local
objectClass: organizationalUnit
ou: services
""")

    entry = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local "
                     "'(|(entrydn=ou=people,dc=local)(entrydn=ou=groups,dc=local)(entrydn=ou=services,dc=local))'")

    assert entry.rc == 0
    assert parse_ldif(entry.stdout) == expected_entries


def test_mail_service_entries(host):
    """
    Tests if the mail service entries have been set-up correctly.
    """

    with host.sudo():

        expected_entries = parse_ldif("""
dn: ou=mail,ou=services,dc=local
objectClass: organizationalUnit
ou: mail

dn: ou=aliases,ou=mail,ou=services,dc=local
objectClass: organizationalUnit
ou: aliases

dn: ou=domains,ou=mail,ou=services,dc=local
objectClass: organizationalUnit
ou: domains
""")

        entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b ou=mail,ou=services,dc=local')
        assert entry.rc == 0
        assert parse_ldif(entry.stdout) == expected_entries


def test_firewall_configuration_file(host):
    """
    Tests if firewall configuration file has been deployed correctly.
    """

    with host.sudo():

        config = host.file('/etc/ferm/conf.d/10-ldap.conf')

        assert config.is_file
        assert config.user == 'root'
        assert config.group == 'root'
        assert config.mode == 0o640


def test_admin_password(host):
    """
    Tests if administrator password has been set correctly.
    """

    login = host.run("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local")

    assert login.rc == 0
    assert login.stdout == "dn:cn=admin,dc=local\n"


def test_temporary_admin_password_file_not_present(host):
    """
    Tests if the file that temporarily contains the LDAP adminstrator password
    has been removed.
    """

    with host.sudo():
        assert not host.file('/root/.ldap_admin_password').exists


def test_ldap_tls_private_key_file(host):
    """
    Tests if the TLS private key has been deployed correctly.
    """

    with host.sudo():

        inventory_hostname = host.ansible.get_variables()['inventory_hostname']

        key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname)

        assert key.is_file
        assert key.user == 'root'
        assert key.group == 'openldap'
        assert key.mode == 0o640
        assert key.content_string == open('tests/data/x509/%s_ldap.key.pem' % inventory_hostname).read()


def test_ldap_tls_certificate_file(host):
    """
    Tests if the TLS certificate has been deployed correctly.
    """

    with host.sudo():

        inventory_hostname = host.ansible.get_variables()['inventory_hostname']

        cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname)

        assert cert.is_file
        assert cert.user == 'root'
        assert cert.group == 'root'
        assert cert.mode == 0o644
        assert cert.content_string == open('tests/data/x509/%s_ldap.cert.pem' % inventory_hostname).read()