import os import testinfra.utils.ansible_runner from helpers import parse_ldif testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*') def test_installed_packages(host): """ Tests if all the necessary packages have been installed. """ assert host.package('slapd').is_installed assert host.package('python3-pyldap').is_installed def test_ldap_user_group(host): """ Tests if LDAP server user is part of group that allows it to traverse TLS private keys directory. """ assert "ssl-cert" in host.user('openldap').groups def test_ldap_server_service_sockets_and_ports(host): """ Tests if LDAP server has been configured to listen on correct sockets. """ assert host.socket('tcp://389').is_listening assert host.socket('tcp://636').is_listening assert host.socket('unix:///var/run/slapd/ldapi').is_listening def test_ldap_server_service(host): """ Tests if the LDAP service is enabled and running. """ service = host.service('slapd') assert service.is_enabled assert service.is_running def test_syslog_configuration(host): """ Tests if syslog configuration file has been deployed, and log file was created correctly (and is being logged to). """ config = host.file('/etc/rsyslog.d/slapd.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 with host.sudo(): log = host.file('/var/log/slapd.log') assert log.is_file assert 'slapd' in log.content_string def test_log_rotation_configuration(host): """ Tests if log rotation configuration file has been deployed correctly and has valid syntax. """ config = host.file('/etc/logrotate.d/slapd') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 with host.sudo(): assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0 def test_misc_schema_presence(host): """ Tests if the misc LDAP schema has been imported. """ with host.sudo(): misc_schema = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn') assert misc_schema.rc == 0 assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout def test_memberof_module(host): """ Tests if the memberof overlay has been enabled for the main database. """ with host.sudo(): memberof = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn') assert memberof.rc == 0 assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout def test_basic_directory_structure(host): """ Tests if the base LDAP directory structure has been set-up correctly. """ expected_entries = parse_ldif(""" dn: ou=people,dc=local objectClass: organizationalUnit ou: people dn: ou=groups,dc=local objectClass: organizationalUnit ou: groups dn: ou=services,dc=local objectClass: organizationalUnit ou: services """) entry = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local " "'(|(entrydn=ou=people,dc=local)(entrydn=ou=groups,dc=local)(entrydn=ou=services,dc=local))'") assert entry.rc == 0 assert parse_ldif(entry.stdout) == expected_entries def test_mail_service_entries(host): """ Tests if the mail service entries have been set-up correctly. """ with host.sudo(): expected_entries = parse_ldif(""" dn: ou=mail,ou=services,dc=local objectClass: organizationalUnit ou: mail dn: ou=aliases,ou=mail,ou=services,dc=local objectClass: organizationalUnit ou: aliases dn: ou=domains,ou=mail,ou=services,dc=local objectClass: organizationalUnit ou: domains """) entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b ou=mail,ou=services,dc=local') assert entry.rc == 0 assert parse_ldif(entry.stdout) == expected_entries def test_firewall_configuration_file(host): """ Tests if firewall configuration file has been deployed correctly. """ with host.sudo(): config = host.file('/etc/ferm/conf.d/10-ldap.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o640 def test_admin_password(host): """ Tests if administrator password has been set correctly. """ login = host.run("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local") assert login.rc == 0 assert login.stdout == "dn:cn=admin,dc=local\n" def test_temporary_admin_password_file_not_present(host): """ Tests if the file that temporarily contains the LDAP adminstrator password has been removed. """ with host.sudo(): assert not host.file('/root/.ldap_admin_password').exists def test_ldap_tls_private_key_file(host): """ Tests if the TLS private key has been deployed correctly. """ with host.sudo(): inventory_hostname = host.ansible.get_variables()['inventory_hostname'] key = host.file('/etc/ssl/private/%s_ldap.key' % inventory_hostname) assert key.is_file assert key.user == 'root' assert key.group == 'openldap' assert key.mode == 0o640 assert key.content_string == open('tests/data/x509/server/%s_ldap.key.pem' % inventory_hostname).read() def test_ldap_tls_certificate_file(host): """ Tests if the TLS certificate has been deployed correctly. """ with host.sudo(): inventory_hostname = host.ansible.get_variables()['inventory_hostname'] cert = host.file('/etc/ssl/certs/%s_ldap.pem' % inventory_hostname) assert cert.is_file assert cert.user == 'root' assert cert.group == 'root' assert cert.mode == 0o644 assert cert.content_string == open('tests/data/x509/server/%s_ldap.cert.pem' % inventory_hostname).read()