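import os

import pytest
import testinfra.utils.ansible_runner

# Molecule exports the inventory it generated for the scenario; testinfra
# runs every test in this module once per host listed there.
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')


def _read_fixture(path):
    """
    Return the text of a local fixture file with trailing whitespace removed.

    The handle is closed on return (the original ``open(...).read()`` form
    leaked it until garbage collection). Trailing whitespace is stripped so
    that a final newline in the fixture does not break the comparison with
    the deployed file's ``content_string``.

    ``path`` is resolved relative to the working directory pytest runs in —
    presumably the role's root, where ``tests/data/`` lives; confirm against
    the Molecule scenario.
    """
    with open(path, "r") as fixture:
        return fixture.read().rstrip()


@pytest.mark.parametrize('fqdn', [
    'parameters-mandatory',
    'parameters-optional.local',
])
def test_https_enforcement(host, fqdn):
    """
    Tests if HTTPS is being enforced.

    Two HEAD requests are issued from the target host itself with ``curl -I``:

    * plain HTTP must answer ``301 Moved Permanently`` pointing at the same
      name over ``https://``, so no client keeps talking in clear text;
    * the HTTPS response must carry a ``Strict-Transport-Security`` header
      with a one-year ``max-age`` and ``includeSubDomains``, so browsers pin
      the HTTPS-only policy for this name and everything below it.

    ``host`` is the testinfra host fixture; ``fqdn`` is the virtual host
    name under test.
    """
    plain_http = host.run('curl -I http://%s/', fqdn)
    assert plain_http.rc == 0
    assert 'HTTP/1.1 301 Moved Permanently' in plain_http.stdout
    # The redirect must land on the HTTPS variant of the very same name;
    # a redirect anywhere else would not prove enforcement for this vhost.
    assert 'Location: https://%s/' % fqdn in plain_http.stdout

    # NOTE(review): curl verifies the server certificate by default, so a
    # zero exit status here also depends on the issuing test CA being
    # trusted on the host -- confirm the scenario installs it, otherwise a
    # failure here is a trust-store problem rather than a missing header.
    over_tls = host.run('curl -I https://%s/', fqdn)
    assert over_tls.rc == 0
    assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in over_tls.stdout


@pytest.mark.parametrize("private_key_path, certificate_path, expected_private_key, expected_certificate", [
    ('/etc/ssl/private/parameters-mandatory_https.key',
     '/etc/ssl/certs/parameters-mandatory_https.pem',
     'tests/data/x509/server/parameters-mandatory_https.key.pem',
     'tests/data/x509/server/parameters-mandatory_https.cert.pem'),
    ('/etc/ssl/private/parameters-optional.local_https.key',
     '/etc/ssl/certs/parameters-optional.local_https.pem',
     'tests/data/x509/server/parameters-optional_https.key.pem',
     'tests/data/x509/server/parameters-optional_https.cert.pem'),
])
def test_nginx_tls_files(host, private_key_path, certificate_path,
                         expected_private_key, expected_certificate):
    """
    Tests if TLS private key and certificate have been deployed correctly.

    For each virtual host the deployed key and certificate are checked for
    ownership, permission bits and byte-for-byte equality with the fixtures
    under ``tests/data/x509/server/``.

    ``private_key_path`` / ``certificate_path`` are the locations on the
    target host; ``expected_private_key`` / ``expected_certificate`` are
    the local fixture files they must match. Reads run under ``sudo``
    because the private key is not readable by the unprivileged test user.
    """
    with host.sudo():
        private_key = host.file(private_key_path)
        assert private_key.is_file
        assert private_key.user == 'root'
        assert private_key.group == 'root'
        # 0640: owner read/write, group read, nothing for others -- the key
        # must never be world-readable.
        assert private_key.mode == 0o640
        assert private_key.content_string == _read_fixture(expected_private_key)

        certificate = host.file(certificate_path)
        assert certificate.is_file
        assert certificate.user == 'root'
        assert certificate.group == 'root'
        # The certificate is public material, so world-readable (0644) is the
        # expected and harmless mode.
        assert certificate.mode == 0o644
        assert certificate.content_string == _read_fixture(expected_certificate)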