import os import defusedxml.ElementTree as ElementTree import pytest import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional') def test_prosody_configuration_file_content(host): """ Tests if Prosody configuration file has correct content. """ hostname = host.run('hostname').stdout.strip() with host.sudo(): config = host.file('/etc/prosody/prosody.cfg.lua') assert "admins = { \"jane.doe@domain2\", \"mick.doe@domain3\", }" in config.content_string assert "key = \"/etc/ssl/private/%s_xmpp.key\";" % hostname in config.content_string assert "certificate = \"/etc/ssl/certs/%s_xmpp.pem\";" % hostname in config.content_string assert "ldap_server = \"ldap-server\"" in config.content_string assert "ldap_rootdn = \"cn=prosody,ou=services,dc=local\"" in config.content_string assert "ldap_password = \"prosodypassword\"" in config.content_string assert "ldap_filter = \"(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,dc=local))\"" in config.content_string assert "ldap_base = \"ou=people,dc=local\"" in config.content_string assert """VirtualHost "domain2" Component "conference.domain2" "muc" restrict_room_creation = "local" Component "proxy.domain2" "proxy65" proxy65_acl = { "domain2" }""" in config.content_string assert """VirtualHost "domain3" Component "conference.domain3" "muc" restrict_room_creation = "local" Component "proxy.domain3" "proxy65" proxy65_acl = { "domain3" }""" in config.content_string def test_correct_prosody_package_installed(host): """ Tests if correct Prosody package has been installed. """ assert host.package('prosody-0.10').is_installed @pytest.mark.parametrize("port", [ 5222, 5223 ]) def test_xmpp_c2s_tls_version_and_ciphers(host, port): """ Tests if the correct TLS version and ciphers have been enabled for XMPP C2S ports. """ expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"] expected_tls_ciphers = [ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", ] # Run the nmap scanner against the server, and fetch the results. nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s domain2 -oX /tmp/report.xml", str(port)) assert nmap.rc == 0 report_content = host.file('/tmp/report.xml').content_string report_root = ElementTree.fromstring(report_content) tls_versions = [] tls_ciphers = set() for child in report_root.findall("./host/ports/port/script[@id='ssl-enum-ciphers']/table"): tls_versions.append(child.attrib['key']) for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"): tls_ciphers.add(child.text) tls_versions.sort() tls_ciphers = sorted(list(tls_ciphers)) assert tls_versions == expected_tls_versions assert tls_ciphers == expected_tls_ciphers