import os import re import time import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory') def test_website_group(host): """ Tests if website group has been created correctly. """ group = host.group('web-parameters-mandatory') assert group.exists assert group.gid == 1003 def test_website_admin_user(host): """ Tests if website administrator user has been created correctly. """ user = host.user('admin-parameters-mandatory') assert user.exists assert user.uid == 1003 assert user.group == 'web-parameters-mandatory' assert user.groups == ['web-parameters-mandatory'] assert user.shell == '/bin/bash' assert user.home == '/var/www/parameters-mandatory' def test_website_admin_home(host): """ Tests if permissions on website admin home directory are correct. """ home = host.file('/var/www/parameters-mandatory') assert home.is_directory assert home.user == 'admin-parameters-mandatory' assert home.group == 'web-parameters-mandatory' assert home.mode == 0o750 def test_home_profile_directory(host): """ Tests if profile directory has been set-up correctly for the website administrator/application user. """ with host.sudo(): directory = host.file('/var/www/parameters-mandatory/.profile.d') assert directory.is_directory assert directory.user == 'admin-parameters-mandatory' assert directory.group == 'web-parameters-mandatory' assert directory.mode == 0o750 def test_website_application_user(host): """ Tests if website application user has been created correctly. """ user = host.user('web-parameters-mandatory') assert user.exists assert user.uid == 999 assert user.group == 'web-parameters-mandatory' assert user.groups == ['web-parameters-mandatory'] assert user.shell == '/bin/sh' assert user.home == '/var/www/parameters-mandatory' with host.sudo(): umask = host.run("su -l web-parameters-mandatory -c 'bash -c umask'") assert umask.stdout == '0007\n' def test_nginx_user(host): """ Tests if web server user has been added to website group. """ user = host.user('www-data') assert 'web-parameters-mandatory' in user.groups def test_forward_file(host): """ Tests if the forward file has correct permissions and content. """ with host.sudo(): config = host.file('/var/www/parameters-mandatory/.forward') assert config.is_file assert config.user == 'root' assert config.group == 'web-parameters-mandatory' assert config.mode == 0o640 assert config.content_string == "root\n" def test_mail_forwarding(host): """ Tests if mail forwarding works as expected. """ hostname = host.run('hostname').stdout.strip() send = host.run('swaks --suppress-data --to web-parameters-mandatory@localhost') assert send.rc == 0 original_queue_id = re.search('Ok: queued as (.*)', send.stdout).group(1) # Sleep for a couple of seconds so the mail can get delivered. time.sleep(5) with host.sudo(): mail_log = host.file('/var/log/mail.log') # First extract message ID of forwarded mail. pattern = r"%s: to=.*status=sent \(forwarded as ([^)]*)\)" % original_queue_id forward_queue_id = re.search(pattern, mail_log.content_string).group(1) # Now try to determine where the forward ended-up at. pattern = "%s: to=, orig_to=.*status=sent" % (forward_queue_id, hostname) assert re.search(pattern, mail_log.content_string) is not None def test_php_fpm_configuration_file(host): """ Tests if PHP FPM configuration file has been correctly deployed. """ config_file_path = '/etc/php/7.0/fpm/pool.d/parameters-mandatory.conf' with host.sudo(): config = host.file(config_file_path) assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o640 def test_nginx_tls_files(host): """ Tests if TLS private key and certificate have been deployed correctly. """ with host.sudo(): tls_file = host.file('/etc/ssl/private/parameters-mandatory_https.key') assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 assert tls_file.content_string == open("tests/data/x509/parameters-mandatory_https.key", "r").read().rstrip() tls_file = host.file('/etc/ssl/certs/parameters-mandatory_https.pem') assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 assert tls_file.content_string == open("tests/data/x509/parameters-mandatory_https.pem", "r").read().rstrip() def test_certificate_validity_check_configuration(host): """ Tests if certificate validity check configuration file has been deployed correctly. """ config = host.file('/etc/check_certificate/parameters-mandatory_https.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 assert config.content_string == "/etc/ssl/certs/parameters-mandatory_https.pem" def test_vhost_file(host): """ Tests permissions of vhost configuration file. """ config = host.file('/etc/nginx/sites-available/parameters-mandatory') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o640 def test_website_enabled(host): """ Tests if website has been enabled. """ config = host.file('/etc/nginx/sites-enabled/parameters-mandatory') assert config.is_symlink assert config.linked_to == '/etc/nginx/sites-available/parameters-mandatory' def test_https_enforcement(host): """ Tests if HTTPS is being enforced. """ https_enforcement = host.run('curl -I http://parameters-mandatory/') assert https_enforcement.rc == 0 assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout https_enforcement = host.run('curl -I https://parameters-mandatory/') assert https_enforcement.rc == 0 assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout def test_index_page(host): """ Tests if index page is served correctly. """ page = host.run('curl https://parameters-mandatory/') assert page.rc == 0 assert page.stdout == "This is the index page for parameters-mandatory."