Files @ eba5d5d69e4f
Branch filter:

Location: majic-ansible-roles/roles/backup_server/tests/test_parameters_optional.py

branko
MAR-114: Moved set_fact for wsgi_website and php_website roles:

- Moved set_fact for setting application admin, user, and home directory into
defaults/main.yml.
- Updated test playbook for wsgi_website to fixate the ptpython and dnspython
versions (including their dependencies).
- Updated tests for wsgi_website to use new fixated versions for ptpython,
dnspython, and their dependencies.
import os


import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    '.molecule/ansible_inventory').get_hosts('parameters-optional')


def test_backup_client_users_and_groups(Group, Sudo, User):
    """
    Tests if the system groups and users for backup clients have been set-up
    correctly.
    """

    with Sudo():

        client1_group = Group('bak-client1_backup')
        assert client1_group.exists
        assert client1_group.gid < 1000

        client1_user = User('bak-client1_backup')
        assert client1_user.exists
        assert client1_user.group == 'bak-client1_backup'
        assert sorted(client1_user.groups) == sorted(['bak-client1_backup', 'backup'])
        assert client1_user.home == '/srv/backups/client1.backup'
        assert client1_user.uid < 1000
        assert client1_user.password == '!'

        client2_group = Group('bak-client2-backup')
        assert client2_group.exists
        assert client2_group.gid == 5001

        client2_user = User('bak-client2-backup')
        assert client2_user.exists
        assert client2_user.group == 'bak-client2-backup'
        assert sorted(client2_user.groups) == sorted(['bak-client2-backup', 'backup'])
        assert client2_user.home == '/srv/backups/client2-backup'
        assert client2_user.uid == 5001
        assert client2_user.password == '!'


def test_backup_client_home_directories(File, Sudo, User):
    """
    Tests if the home directory structure has been set-up correctly for the
    backup client system user.
    """

    with Sudo():

        client1_user = User('bak-client1_backup')

        client1_user_home = File(client1_user.home)
        assert client1_user_home.is_directory
        assert client1_user_home.user == 'root'
        assert client1_user_home.group == 'bak-client1_backup'
        assert client1_user_home.mode == 0o750

        client1_user_duplicity = File(os.path.join(client1_user.home, 'duplicity'))
        assert client1_user_duplicity.is_directory
        assert client1_user_duplicity.user == 'bak-client1_backup'
        assert client1_user_duplicity.group == 'bak-client1_backup'
        assert client1_user_duplicity.mode == 0o770

        client1_user_ssh = File(os.path.join(client1_user.home, '.ssh'))
        assert client1_user_ssh.is_directory
        assert client1_user_ssh.user == 'root'
        assert client1_user_ssh.group == 'root'
        assert client1_user_ssh.mode == 0o751

        # This verifies /etc/skel was not used for setting-up home.
        assert not File(os.path.join(client1_user.home, '.bashrc')).exists

        client2_user = User('bak-client2-backup')

        client2_user_home = File(client2_user.home)
        assert client2_user_home.is_directory
        assert client2_user_home.user == 'root'
        assert client2_user_home.group == 'bak-client2-backup'
        assert client2_user_home.mode == 0o750

        client2_user_duplicity = File(os.path.join(client2_user.home, 'duplicity'))
        assert client2_user_duplicity.is_directory
        assert client2_user_duplicity.user == 'bak-client2-backup'
        assert client2_user_duplicity.group == 'bak-client2-backup'
        assert client2_user_duplicity.mode == 0o770

        client2_user_ssh = File(os.path.join(client2_user.home, '.ssh'))
        assert client2_user_ssh.is_directory
        assert client2_user_ssh.user == 'root'
        assert client2_user_ssh.group == 'root'
        assert client2_user_ssh.mode == 0o751

        # This verifies /etc/skel was not used for setting-up home.
        assert not File(os.path.join(client2_user.home, '.bashrc')).exists


def test_backup_client_authorized_keys(File, Sudo, User):
    """
    Tests if the authorized keys for backup client system user have been set-up
    correctly.
    """

    with Sudo():

        client1_user = User('bak-client1_backup')

        client1_user_authorized_keys = File(os.path.join(client1_user.home, '.ssh', 'authorized_keys'))
        assert client1_user_authorized_keys.is_file
        assert client1_user_authorized_keys.user == 'root'
        assert client1_user_authorized_keys.group == 'bak-client1_backup'
        assert client1_user_authorized_keys.mode == 0o640
        assert client1_user_authorized_keys.content == open('tests/data/ssh/client1.pub', 'r').read().strip()

        client2_user = User('bak-client2-backup')

        client2_user_authorized_keys = File(os.path.join(client2_user.home, '.ssh', 'authorized_keys'))
        assert client2_user_authorized_keys.is_file
        assert client2_user_authorized_keys.user == 'root'
        assert client2_user_authorized_keys.group == 'bak-client2-backup'
        assert client2_user_authorized_keys.mode == 0o640
        assert client2_user_authorized_keys.content == open('tests/data/ssh/client2.pub', 'r').read().strip()


def test_firewall_configuration(File, Sudo):
    """
    Tests if the firewall configuration file has been deployed correctly.
    """

    with Sudo():

        firewall_config = File('/etc/ferm/conf.d/40-backup.conf')

        assert firewall_config.is_file
        assert firewall_config.user == 'root'
        assert firewall_config.group == 'root'
        assert firewall_config.mode == 0o640
        assert 'saddr ( 10.31.127.1 10.31.127.3) @subchain "backup_in" {' in firewall_config.content


def test_regular_ssh_server_inaccessible(LocalCommand):
    """
    Tests if the default SSH server is inaccessible for the backup client system
    users.
    """

    # Test connectivity towards regular ssh (should fail).
    login_attempt = LocalCommand("ssh "
                                 "-o PasswordAuthentication=no "
                                 "-o StrictHostKeyChecking=no "
                                 "-o UserKnownHostsFile=/dev/null "
                                 "-i tests/data/ssh/client1 "
                                 "bak-client1_backup@10.31.127.11 "
                                 "/bin/echo sshtest")
    assert login_attempt.rc != 0
    assert "Permission denied (publickey)" in login_attempt.stderr

    login_attempt = LocalCommand("ssh "
                                 "-o PasswordAuthentication=no "
                                 "-o StrictHostKeyChecking=no "
                                 "-o UserKnownHostsFile=/dev/null "
                                 "-i tests/data/ssh/client2 "
                                 "bak-client2-backup@10.31.127.11 "
                                 "/bin/echo sshtest")
    assert login_attempt.rc != 0
    assert "Permission denied (publickey)" in login_attempt.stderr


def test_backup_ssh_service_connectivity(LocalCommand):
    """
    Tests if SFTP (only) is availavble to system users used by backup clients.
    """

    # Test connectivity towards dedicated ssh (should be allowed).
    login_attempt = LocalCommand("ssh -p 2222 "
                                 "-o PasswordAuthentication=no "
                                 "-o StrictHostKeyChecking=no "
                                 "-o UserKnownHostsFile=/dev/null "
                                 "-i tests/data/ssh/client1 "
                                 "bak-client1_backup@10.31.127.11 /bin/echo sshtest")
    assert login_attempt.rc == 1
    assert "This service allows sftp connections only." in login_attempt.stdout

    # Test connectivity towards dedicated ssh (should be allowed).
    login_attempt = LocalCommand("ssh -p 2222 "
                                 "-o PasswordAuthentication=no "
                                 "-o StrictHostKeyChecking=no "
                                 "-o UserKnownHostsFile=/dev/null "
                                 "-i tests/data/ssh/client2 "
                                 "bak-client2-backup@10.31.127.11 /bin/echo sshtest")
    assert login_attempt.rc == 1
    assert "This service allows sftp connections only." in login_attempt.stdout


def test_backup_ssh_service_key_fingerprints(LocalCommand):
    """
    Tests fingerprints of backup SSH server in order to ensure correct keys are
    in use.
    """

    for key_type in ['ssh-dss', 'ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256']:

        login_attempt = LocalCommand("ssh -p 2222 "
                                     "-o PasswordAuthentication=no "
                                     "-o StrictHostKeyChecking=yes "
                                     "-o UserKnownHostsFile=tests/data/ssh/known_hosts "
                                     "-i tests/data/ssh/client1 "
                                     "-o HostKeyAlgorithms=%s "
                                     "bak-client1_backup@10.31.127.11 /bin/echo sshtest" % key_type)
        assert login_attempt.rc == 1
        assert "This service allows sftp connections only." in login_attempt.stdout