Files @ eb03c3b4f367
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/molecule/default/tests/test_mandatory.py

eb03c3b4f367 4.2 KiB text/x-python Show Annotation Show as Raw Download as Raw
branko
MAR-162: Deduplicate TLS private key/certificate tests for LDAP server role:

- Rename the key/certificate files to match the Ansible inventory
name.
- Move the tests into test_default.py.
- Change the key/certificate extensions to be more descriptie.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
import os

import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')


def test_base_entry(host):
    """
    Tests if the base entry has been created correctly.
    """

    with host.sudo():

        base_dn = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")

        assert base_dn.rc == 0
        assert "dc: local" in base_dn.stdout.split("\n")
        assert "o: Private" in base_dn.stdout.split("\n")


def test_log_level(host):
    """
    Tests if the logging level has been set correctly.
    """

    with host.sudo():

        log_level = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')

        assert log_level.rc == 0
        assert 'olcLogLevel: 256' in log_level.stdout


def test_certificate_validity_check_configuration(host):
    """
    Tests if certificate validity check configuration file has been deployed
    correctly.
    """

    inventory_hostname = host.ansible.get_variables()['inventory_hostname']

    config = host.file('/etc/check_certificate/%s_ldap.conf' % inventory_hostname)

    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644
    assert config.content_string == "/etc/ssl/certs/%s_ldap.pem" % inventory_hostname


def test_tls_configuration(host):
    """
    Tests if the TLS has been configured correctly and works.
    """

    starttls = host.run('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/')
    assert starttls.rc == 0
    assert starttls.stdout == 'anonymous\n'

    tls = host.run('ldapwhoami -x -H ldaps://parameters-mandatory.local/')
    assert tls.rc == 0
    assert tls.stdout == 'anonymous\n'

    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory.local:636")
    assert old_tls_versions_disabled.rc != 0
    assert "CONNECTED" in old_tls_versions_disabled.stdout

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory.local:636")
    assert cipher.rc == 0
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory.local:636")
    assert cipher.rc != 0
    assert "CONNECTED" in cipher.stdout
    assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout


def test_ssf_configuration(host):
    """
    Tests if the SSF olcSecurity configuration has been set-up correctly.
    """

    with host.sudo():
        ssf = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')

        assert ssf.rc == 0
        assert "olcSecurity: ssf=128" in ssf.stdout


def test_permissions(host):
    """
    Tests if LDAP directory permissions have been set-up correctly.
    """

    with host.sudo():
        permissions = host.run("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")

        expected_permissions = """olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn="cn=admin,dc=local" manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=local" write by users read by * none"""

        assert permissions.rc == 0
        assert expected_permissions in permissions.stdout


def test_services_login_entries(host):
    """
    Tests if the service/consumer login entries have been set correctly.
    """

    with host.sudo():

        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")

        assert entries.rc == 0
        assert entries.stdout == ""


def test_group_entries(host):
    """
    Tests that no group entries have been created out-of-the-box.
    """

    with host.sudo():

        entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")

        assert entries.rc == 0
        assert entries.stdout == ""
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.