import os import defusedxml.ElementTree as ElementTree import pytest import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory') def test_prosody_configuration_file_content(host): """ Tests if Prosody configuration file has correct content. """ hostname = host.run('hostname').stdout.strip() with host.sudo(): config = host.file('/etc/prosody/prosody.cfg.lua') assert "admins = { \"john.doe@domain1\", }" in config.content_string assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string assert "ldap_server = \"ldap-server\"" in config.content_string assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string assert "ldap_password = \"prosodypassword\"" in config.content_string assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string assert "ldap_base = \"ou=people,dc=local\"" in config.content_string assert "archive_expires_after = \"never\"" in config.content_string assert """VirtualHost "domain1" Component "conference.domain1" "muc" restrict_room_creation = "local" Component "proxy.domain1" "proxy65" proxy65_acl = { "domain1" } Component "upload.domain1" "http_file_share" http_file_share_access = { "domain1" }""" in config.content_string def test_xmpp_server_uses_correct_dh_parameters(host): """ Tests if the HTTP server uses the generated Diffie-Hellman parameter. """ fqdn = host.run('hostname -f').stdout.strip() # Use first defined domain for testing. domain = host.ansible.get_variables()['xmpp_domains'][0] with host.sudo(): expected_dhparam = host.file('/etc/ssl/private/%s_xmpp.dh.pem' % fqdn).content_string.rstrip() connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=xmpp --port 5222 " "--priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose %s", domain) output = connection.stdout begin_marker = "-----BEGIN DH PARAMETERS-----" end_marker = "-----END DH PARAMETERS-----" used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)] assert used_dhparam == expected_dhparam @pytest.mark.parametrize("port", [ 5222, 5223 ]) def test_xmpp_c2s_tls_version_and_ciphers(host, port): """ Tests if the correct TLS version and ciphers have been enabled for XMPP C2S ports. """ expected_tls_versions = ["TLSv1.2", "TLSv1.3"] expected_tls_ciphers = [ "TLS_AKE_WITH_AES_128_GCM_SHA256", "TLS_AKE_WITH_AES_256_GCM_SHA384", "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", ] # Run the nmap scanner against the server, and fetch the results. nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain1 -oX /tmp/report.xml", str(port)) assert nmap.rc == 0 report_content = host.file('/tmp/report.xml').content_string report_root = ElementTree.fromstring(report_content) tls_versions = [] tls_ciphers = set() for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"): tls_versions.append(child.attrib['key']) for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"): tls_ciphers.add(child.text) tls_versions.sort() tls_ciphers = sorted(list(tls_ciphers)) assert tls_versions == expected_tls_versions assert tls_ciphers == expected_tls_ciphers def test_xmpp_s2s_tls_version_and_ciphers(host): """ Tests if the correct TLS version and ciphers have been enabled for XMPP S2S port. """ expected_tls_versions = ["TLSv1.2", "TLSv1.3"] # Seems like TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 is off by default. expected_tls_ciphers = [ "TLS_AKE_WITH_AES_128_GCM_SHA256", "TLS_AKE_WITH_AES_256_GCM_SHA384", "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", ] # Run the nmap scanner against the server, and fetch the results. nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 5269 domain1 -oX /tmp/report.xml") assert nmap.rc == 0 report_content = host.file('/tmp/report.xml').content_string report_root = ElementTree.fromstring(report_content) tls_versions = [] tls_ciphers = set() for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"): tls_versions.append(child.attrib['key']) for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"): tls_ciphers.add(child.text) tls_versions.sort() tls_ciphers = sorted(list(tls_ciphers)) assert tls_versions == expected_tls_versions assert tls_ciphers == expected_tls_ciphers