import os import re import time import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-optional') def test_website_group(host): """ Tests if website group has been created correctly. """ group = host.group('web-parameters-optional_local') assert group.exists assert group.gid == 5001 def test_website_admin_user(host): """ Tests if website administrator user has been created correctly. """ user = host.user('admin-parameters-optional_local') assert user.exists assert user.uid == 5000 assert user.group == 'web-parameters-optional_local' assert user.groups == ['web-parameters-optional_local'] assert user.shell == '/bin/bash' assert user.home == '/var/www/parameters-optional.local' def test_website_admin_home(host): """ Tests if permissions on website admin home directory are correct. """ home = host.file('/var/www/parameters-optional.local') assert home.is_directory assert home.user == 'admin-parameters-optional_local' assert home.group == 'web-parameters-optional_local' assert home.mode == 0o750 def test_home_profile_directory(host): """ Tests if profile directory has been set-up correctly for the website administrator/application user. """ with host.sudo(): directory = host.file('/var/www/parameters-optional.local/.profile.d') assert directory.is_directory assert directory.user == 'admin-parameters-optional_local' assert directory.group == 'web-parameters-optional_local' assert directory.mode == 0o750 def test_website_application_user(host): """ Tests if website application user has been created correctly. """ user = host.user('web-parameters-optional_local') assert user.exists assert user.uid == 5001 assert user.group == 'web-parameters-optional_local' assert user.groups == ['web-parameters-optional_local'] assert user.shell == '/bin/sh' assert user.home == '/var/www/parameters-optional.local' with host.sudo(): umask = host.run("su -l web-parameters-optional_local -c 'bash -c umask'") assert umask.stdout == '0007\n' def test_nginx_user(host): """ Tests if web server user has been added to website group. """ user = host.user('www-data') assert 'web-parameters-optional_local' in user.groups def test_forward_file(host): """ Tests if the forward file has correct permissions and content. """ with host.sudo(): config = host.file('/var/www/parameters-optional.local/.forward') assert config.is_file assert config.user == 'root' assert config.group == 'web-parameters-optional_local' assert config.mode == 0o640 assert config.content_string == "user\n" def test_mail_forwarding(host): """ Tests if mail forwarding works as expected. """ hostname = host.run('hostname').stdout.strip() send = host.run('swaks --suppress-data --to web-parameters-optional_local@localhost') assert send.rc == 0 message_id = re.search('Ok: queued as (.*)', send.stdout).group(1) # Sleep for a couple of seconds so the mail can get delivered. time.sleep(5) with host.sudo(): mail_log = host.file('/var/log/mail.log') # First extract message ID of forwarded mail. pattern = r"%s: to=.*status=sent \(forwarded as ([^)]*)\)" % message_id message_id = re.search(pattern, mail_log.content_string).group(1) # Now try to determine where the forward ended-up at. pattern = "%s: to=, orig_to=.*status=sent" % (message_id, hostname) assert re.search(pattern, mail_log.content_string) is not None def test_installed_packages(host): """ Tests if additional packages are installed. """ assert host.package('php-ldap').is_installed assert host.package('php-json').is_installed def test_certificate_validity_check_configuration(host): """ Tests if certificate validity check configuration file has been deployed correctly. """ config = host.file('/etc/check_certificate/parameters-optional.local_https.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 assert config.content_string == "/etc/ssl/certs/parameters-optional.local_https.pem" def test_vhost_file(host): """ Tests permissions of vhost configuration file. """ config = host.file('/etc/nginx/sites-available/parameters-optional.local') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o640 def test_website_enabled(host): """ Tests if website has been enabled. """ config = host.file('/etc/nginx/sites-enabled/parameters-optional.local') assert config.is_symlink assert config.linked_to == '/etc/nginx/sites-available/parameters-optional.local' def test_index_page(host): """ Tests if index page is served correctly (should be php file served statically). """ page = host.run('curl https://parameters-optional.local/') assert page.rc == 0 assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip() def test_additional_fpm_config(host): """ Tests if additional FPM configuration is processed correctly. """ page = host.run('curl https://parameters-optional.local/path.myphp') assert page.rc == 0 assert page.stdout == "/usr/local/bin:/usr/bin:/bin" def test_additional_nginx_config(host): """ Tests if additional Nginx configuration has been applied (custom 404 page). """ page = host.run('curl https://parameters-optional.local/non-existing-page') assert page.rc == 0 assert page.stdout == "This is custom error page." def test_deny_files_regex(host): """ Tests if regex used for denying access is applied correctly. """ page = host.run('curl -I https://parameters-optional.local/secretfile.txt') assert page.rc == 0 assert "HTTP/1.1 403 Forbidden" in page.stdout def test_environment_indicator(host): """ Tests if environment indicator is applied correctly. """ page = host.run('curl https://parameters-optional.local/info.myphp') expected_content = """\
🞀🞂
parameters-optional
""" assert page.rc == 0 assert expected_content in page.stdout def test_php_rewrire_urls(host): """ Tests if PHP rewrite URLs are processed correctly. """ page = host.run('curl https://parameters-optional.local/rewrite1/this/is/some/path') assert page.rc == 0 assert page.stdout == "/rewrite1/this/is/some/path" page = host.run('curl https://parameters-optional.local/rewrite2/this/is/some/other/path') assert page.rc == 0 assert page.stdout == "/rewrite2/this/is/some/other/path" def test_regular_rewrites(host): """ Tests if regular rewrites are working as expected. """ page = host.run('curl https://parameters-optional.local/rewrite_to_index1/some/path') assert page.rc == 0 assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip() page = host.run('curl https://parameters-optional.local/rewrite_to_index2/some/path') assert page.rc == 0 assert page.stdout == open("tests/data/php/optional/myindex.php").read().rstrip() def test_http_header_overrides(host): """ Tests if headers are overridden by Nginx prior to hitting the PHP application. """ page = host.run('curl -H "Accept-Encoding: plain" https://parameters-optional.local/headers.myphp') assert page.rc == 0 assert "Accept-Encoding: donotencode" in page.stdout.split("\n")