import os import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory') def test_nginx_tls_files(host): """ Tests if TLS private key and certificate have been deployed correctly. """ hostname = host.run('hostname').stdout.strip() with host.sudo(): tls_file = host.file('/etc/ssl/private/%s_https.key' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 assert tls_file.content == open("tests/data/x509/%s_https.key" % hostname, "r").read().rstrip() tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 assert tls_file.content == open("tests/data/x509/%s_https.pem" % hostname, "r").read().rstrip() def test_certificate_validity_check_configuration(host): """ Tests if certificate validity check configuration file has been deployed correctly. """ hostname = host.run('hostname').stdout.strip() config = host.file('/etc/check_certificate/%s_https.conf' % hostname) assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 assert config.content == "/etc/ssl/certs/%s_https.pem" % hostname def test_tls_configuration(host): """ Tests if the TLS has been configured correctly and works. """ tls = host.run('wget -q -O - https://parameters-mandatory/') assert tls.rc == 0 old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443") assert old_tls_versions_disabled.rc != 0 assert "CONNECTED" in old_tls_versions_disabled.stdout cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:443") assert cipher.rc == 0 assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout cipher = host.run("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:443") assert cipher.rc != 0 assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout def test_https_enforcement(host): """ Tests if HTTPS is being enforced. """ https_enforcement = host.run('curl -I http://parameters-mandatory/') assert https_enforcement.rc == 0 assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout https_enforcement = host.run('curl -I https://parameters-mandatory/') assert https_enforcement.rc == 0 assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout def test_default_vhost_index_page(host): """ Tests content of default vhost index page. """ page = host.run('curl https://parameters-mandatory/') assert page.rc == 0 assert "Welcome" in page.stdout assert "

Welcome

" in page.stdout assert "

You are attempting to access the web server using a wrong name or an IP address. Please check your URL.

" in page.stdout