Welcome

import os

import pytest

import testinfra.utils.ansible_runner

from tls_ciphers import ALL_CIPHERS


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')


def test_tls_version(host):
    """
    Tests if only the configured TLS protocol versions are allowed by
    the server.
    """

    old_tls_versions_disabled = host.run("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:443")

    # Avoid false negatives by ensuring the client had actually
    # established the TCP connection.
    assert "CONNECTED" in old_tls_versions_disabled.stdout
    assert old_tls_versions_disabled.rc != 0


ENABLED_CIPHERS = [
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
]

DISABLED_CIPHERS = sorted(list(set(ALL_CIPHERS)-set(ENABLED_CIPHERS)))


@pytest.mark.parametrize("cipher", ENABLED_CIPHERS)
def test_enabled_tls_ciphers(host, cipher):
    """
    Tests available TLS ciphers on the server.
    """

    hostname = host.run('hostname').stdout.strip()
    fqdn = hostname[:hostname.rfind('-')]

    client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
    assert client.rc == 0
    assert cipher in client.stdout


@pytest.mark.parametrize("cipher", DISABLED_CIPHERS)
def test_disabled_tls_ciphers(host, cipher):
    """
    Tests available TLS ciphers on the server.
    """

    hostname = host.run('hostname').stdout.strip()
    fqdn = hostname[:hostname.rfind('-')]

    client = host.run("echo 'Q' | openssl s_client -cipher %s -connect %s:443", cipher, fqdn)
    assert client.rc != 0
    assert cipher not in client.stdout


def test_https_enforcement(host):
    """
    Tests if HTTPS is being enforced.
    """

    https_enforcement = host.run('curl -I http://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
    assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout

    https_enforcement = host.run('curl -I https://parameters-mandatory/')

    assert https_enforcement.rc == 0
    assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout


def test_default_vhost_index_page(host):
    """
    Tests content of default vhost index page.
    """

    page = host.run('curl https://parameters-mandatory/')

    assert page.rc == 0
    assert "<title>Welcome</title>" in page.stdout
    assert "<h1>Welcome</h1>" in page.stdout
    assert "<p>You are attempting to access the web server using a wrong name or an IP address. Please check your URL.</p>" in page.stdout