Files @ ef201fa5ec5f
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/playbook.yml

ef201fa5ec5f 4.2 KiB text/x-yaml Show Annotation Show as Raw Download as Raw
branko
MAR-128: Upgraded tests for backup_server role:

- Switch to new Molecule configuration.
- Updated set-up playbook to use become: yes.
- Moved some preparatory steps outside of the main playbook (eases
idempotence tests).
- Updated tests to reference the yml inventory file.
- Updated tests to use new fixture (host instead of individual ones).
- Switched to extracting IP address instead of hard-coding it in a
couple of tests.
- Moved test for checking available authentication mechanisms for
backup SSH server to be part of testing of parameters_optional only
for now (it was hard coded to that IP, and fails on
parameters-mandatory due to iptables not opening correct ports).
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
---

- hosts: all
  tasks:

    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: yes
      changed_when: False

- hosts: parameters-mandatory.local
  roles:
    - role: ldap_server
      ldap_admin_password: adminpassword

      # ldap_client
      ldap_client_config:
        - comment: CA truststore
          option: TLS_CACERT
          value: /etc/ssl/certs/testca.cert.pem
        - comment: Ensure TLS is enforced
          option: TLS_REQCERT
          value: demand

      # common vars (not the role, global common)
      tls_private_key_dir: tests/data/x509/
      tls_certificate_dir: tests/data/x509/

- hosts: parameters-optional
  roles:
    - role: backup_server
      backup_host_ssh_private_keys:
        dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
        rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
        ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
        ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
      backup_clients:
        - server: parameters-optional
          ip: 127.0.0.1
          public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

- hosts: parameters-optional
  roles:
    - role: ldap_server
      ldap_admin_password: adminpassword
      ldap_entries:
        - dn: uid=john,dc=local
          attributes:
            objectClass:
              - inetOrgPerson
              - simpleSecurityObject
            userPassword: johnpassword
            uid: john
            cn: John Doe
            sn: Doe
        - dn: uid=jane,dc=local
          attributes:
            objectClass:
              - inetOrgPerson
              - simpleSecurityObject
            userPassword: janepassword
            uid: jane
            cn: Jane Doe
            sn: Doe

      ldap_permissions:
        - >
          to *
          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
          by self write
          by * read
          by dn="cn=admin,dc=local" write
          by * none

      ldap_server_consumers:
        - name: consumer1
          password: consumer1password
        - name: consumer2
          password: consumer2password
          state: present
        - name: consumer3
          password: consumer3password
          state: absent

      ldap_server_groups:
        - name: group1
        - name: group2
          state: present
        - name: group3
          state: absent

      ldap_server_domain: "local"
      ldap_server_organization: "Example"
      ldap_server_log_level: 0
      ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}"
      ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}"
      ldap_server_ssf: 0
      ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"

      # ldap_client
      ldap_client_config:
        - comment: CA truststore
          option: TLS_CACERT
          value: /etc/ssl/certs/testca.cert.pem
        - comment: Ensure TLS is enforced
          option: TLS_REQCERT
          value: demand

      # backup_client
      enable_backup: yes
      backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
      backup_server: localhost
      backup_server_host_ssh_public_keys:
        - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
      backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"

- hosts: all
  tasks:

    - name: Deploy CA certificate
      copy:
        src: tests/data/x509/ca.cert.pem
        dest: /etc/ssl/certs/testca.cert.pem
        owner: root
        group: root
        mode: 0644

- hosts: client
  tasks:

    - name: Install tool for teting TCP connectivity
      apt:
        name: hping3
        state: installed
This site is powered by Kallithea 0.7.0, which is © 2010–2024 by various authors & licensed under GPLv3.