Files @ eee778bc2d7c
Branch filter:

Location: majic-ansible-roles/roles/web_server/molecule/default/tests/test_mandatory.py

eee778bc2d7c 3.2 KiB text/x-python Show Annotation Show as Raw Download as Raw
branko
MAR-128: Upgraded tests for ROLE_NAME role:

- Switch to new Molecule configuration.
- Updated set-up playbook to use become: yes.
- Moved some preparatory steps outside of the main playbook (eases
idempotence tests).
- Updated tests to reference the yml inventory file.
- Updated tests to use new fixture (host instead of individual ones).
- Switched to extracting hostname instead of hard-coding it in a
couple of tests.
- Renamed hosts instances to include Debian version in their
hostnames.
- Fixed some linting issues.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory')


def test_nginx_tls_files(host):
    """
    Tests if TLS private key and certificate have been deployed correctly.
    """

    hostname = host.run('hostname').stdout

    with host.sudo():

        tls_file = host.file('/etc/ssl/private/%s_https.key' % hostname)
        assert tls_file.is_file
        assert tls_file.user == 'root'
        assert tls_file.group == 'root'
        assert tls_file.mode == 0o640
        assert tls_file.content == open("tests/data/x509/%s_https.key" % hostname, "r").read().rstrip()

        tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname)
        assert tls_file.is_file
        assert tls_file.user == 'root'
        assert tls_file.group == 'root'
        assert tls_file.mode == 0o644
        assert tls_file.content == open("tests/data/x509/%s_https.pem" % hostname, "r").read().rstrip()


def test_certificate_validity_check_configuration(host):
    """
    Tests if certificate validity check configuration file has been deployed
    correctly.
    """

    hostname = host.run('hostname').stdout

    config = host.file('/etc/check_certificate/%s_https.conf' % hostname)
    assert config.is_file
    assert config.user == 'root'
    assert config.group == 'root'
    assert config.mode == 0o644
    assert config.content == "/etc/ssl/certs/%s_https.pem" % hostname


def test_tls_configuration(host):
    """
    Tests if the TLS has been configured correctly and works.
    """

    tls = host.run('wget -q -O - https://parameters-mandatory/')
    assert tls.rc == 0

    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443")
    assert old_tls_versions_disabled.rc != 0
    assert "CONNECTED" in old_tls_versions_disabled.stdout

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443")
    assert cipher.rc == 0
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout

    cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443")
    assert cipher.rc != 0
    assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout


def test_https_enforcement(host):
    """
    Tests if HTTPS is being enforced.
    """

    https_enforcement = host.run('curl -I http://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
    assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout

    https_enforcement = host.run('curl -I https://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout


def test_default_vhost_index_page(host):
    """
    Tests content of default vhost index page.
    """

    page = host.run('curl https://parameters-mandatory/')

    assert page.rc == 0
    assert "<title>Welcome</title>" in page.stdout
    assert "<h1>Welcome</h1>" in page.stdout
    assert "<p>You are attempting to access the web server using a wrong name or an IP address. Please check your URL.</p>" in page.stdout
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.