import re import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( '.molecule/ansible_inventory').get_hosts('all') def test_website_group(Group): """ Tests if website group has been created correctly. """ group = Group('web-parameters-optional_local') assert group.exists assert group.gid == 5001 def test_website_admin_user(User): """ Tests if website administrator user has been created correctly. """ user = User('admin-parameters-optional_local') assert user.exists assert user.uid == 5000 assert user.group == 'web-parameters-optional_local' assert user.groups == ['web-parameters-optional_local'] assert user.shell == '/bin/bash' assert user.home == '/var/www/parameters-optional.local' def test_website_admin_home(File, Sudo): """ Tests if permissions on website admin home directory are correct. """ home = File('/var/www/parameters-optional.local') assert home.is_directory assert home.user == 'admin-parameters-optional_local' assert home.group == 'web-parameters-optional_local' assert home.mode == 0o750 def test_home_profile_directory(File, Sudo): """ Tests if profile directory has been set-up correctly for the website administrator/application user. """ with Sudo(): directory = File('/var/www/parameters-optional.local') assert directory.is_directory assert directory.user == 'admin-parameters-optional_local' assert directory.group == 'web-parameters-optional_local' assert directory.mode == 0o750 def test_website_application_user(Command, Sudo, User): """ Tests if website application user has been created correctly. """ user = User('web-parameters-optional_local') assert user.exists assert user.uid == 5001 assert user.group == 'web-parameters-optional_local' assert user.groups == ['web-parameters-optional_local'] assert user.shell == '/bin/sh' assert user.home == '/var/www/parameters-optional.local' with Sudo(): umask = Command("su -l web-parameters-optional_local -c 'bash -c umask'") assert umask.stdout == '0007' def test_nginx_user(User): """ Tests if web server user has been added to website group. """ user = User('www-data') assert 'web-parameters-optional_local' in user.groups def test_forward_file(File, Sudo): """ Tests if the forward file has correct permissions and content. """ with Sudo(): config = File('/var/www/parameters-optional.local/.forward') assert config.is_file assert config.user == 'root' assert config.group == 'web-parameters-optional_local' assert config.mode == 0o640 assert config.content == "user" def test_mail_forwarding(Command, File, Sudo): """ Tests if mail forwarding works as expected. """ send = Command('swaks --suppress-data --to web-parameters-optional_local@localhost') assert send.rc == 0 message_id = re.search('Ok: queued as (.*)', send.stdout).group(1) with Sudo(): mail_log = File('/var/log/mail.log') # First extract message ID of forwarded mail. pattern = "%s: to=.*status=sent \(forwarded as ([^)]*)\)" % message_id message_id = re.search(pattern, mail_log.content).group(1) # Now try to determine where the forward ended-up at. pattern = "%s: to=, orig_to=.*status=sent" % message_id assert re.search(pattern, mail_log.content) is not None def test_installed_packages(Package): """ Tests if additional packages are installed. """ assert Package('php5-ldap').is_installed assert Package('php5-json').is_installed assert Package('libmariadb-client-lgpl-dev-compat').is_installed def test_mariadb_compat_symlink(File): """ Tests if compatibility symlink is set-up for mysql_config binary if libmariadb-client-lgpl-dev-compat is installed. """ link = File('/usr/bin/mysql_config') assert link.is_symlink assert link.linked_to == "/usr/bin/mariadb_config" def test_nginx_tls_files(File, Sudo): """ Tests if TLS private key and certificate have been deployed correctly. """ with Sudo(): tls_file = File('/etc/ssl/private/parameters-optional.local_https.key') assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 assert tls_file.content == open("tests/data/x509/parameters-optional.local_https.key.pem", "r").read().rstrip() tls_file = File('/etc/ssl/certs/parameters-optional.local_https.pem') assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 assert tls_file.content == open("tests/data/x509/parameters-optional.local_https.cert.pem", "r").read().rstrip() def test_certificate_validity_check_configuration(File): """ Tests if certificate validity check configuration file has been deployed correctly. """ config = File('/etc/check_certificate/parameters-optional.local_https.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 assert config.content == "/etc/ssl/certs/parameters-optional.local_https.pem" def test_vhost_file(File): """ Tests permissions of vhost configuration file. """ config = File('/etc/nginx/sites-available/parameters-optional.local') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o640 def test_default_website_enabled(File): """ Tests if website has been enabled. """ config = File('/etc/nginx/sites-enabled/parameters-optional.local') assert config.is_symlink assert config.linked_to == '/etc/nginx/sites-available/parameters-optional.local' def test_https_enforcement(Command): """ Tests if HTTPS is (not) being enforced. """ https_enforcement = Command('curl -I http://parameters-optional.local/') assert https_enforcement.rc == 0 assert 'HTTP/1.1 200 OK' in https_enforcement.stdout assert 'HTTP/1.1 301 Moved Permanently' not in https_enforcement.stdout assert 'Location: https://parameters-optional/' not in https_enforcement.stdout https_enforcement = Command('curl -I https://parameters-optional.local/') assert https_enforcement.rc == 0 assert 'Strict-Transport-Security' not in https_enforcement.stdout def test_index_page(Command): """ Tests if index page is served correctly (should be php file served statically). """ page = Command('curl https://parameters-optional.local/') assert page.rc == 0 assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip() def test_additional_fpm_config(Command): """ Tests if additional FPM configuration is processed correctly. """ page = Command('curl https://parameters-optional.local/path.myphp') assert page.rc == 0 assert page.stdout == "/usr/local/bin:/usr/bin:/bin" def test_additional_nginx_config(Command): """ Tests if additional Nginx configuration has been applied (custom 404 page). """ page = Command('curl https://parameters-optional.local/non-existing-page') assert page.rc == 0 assert page.stdout == "This is custom error page." def test_deny_files_regex(Command): """ Tests if regex used for denying access is applied correctly. """ page = Command('curl -I https://parameters-optional.local/secretfile.txt') assert page.rc == 0 assert "HTTP/1.1 403 Forbidden" in page.stdout def test_environment_indicator(Command): """ Tests if environment indicator is applied correctly. """ page = Command('curl https://parameters-optional.local/info.myphp') assert page.rc == 0 assert "
parameters-optional
" in page.stdout def test_php_rewrire_urls(Command): """ Tests if PHP rewrite URLs are processed correctly. """ page = Command('curl https://parameters-optional.local/rewrite1/this/is/some/path') assert page.rc == 0 assert page.stdout == "/rewrite1/this/is/some/path" page = Command('curl https://parameters-optional.local/rewrite2/this/is/some/other/path') assert page.rc == 0 assert page.stdout == "/rewrite2/this/is/some/other/path" def test_regular_rewrites(Command): """ Tests if regular rewrites are working as expected. """ page = Command('curl https://parameters-optional.local/rewrite_to_index1/some/path') assert page.rc == 0 assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip() page = Command('curl https://parameters-optional.local/rewrite_to_index2/some/path') assert page.rc == 0 assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip()