import testinfra.utils.ansible_runner testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( '.molecule/ansible_inventory').get_hosts('parameters-optional') def test_base_entry(Command, Sudo): """ Tests if the base entry has been created correctly. """ with Sudo(): base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base") assert base_dn.rc == 0 assert "dc: local" in base_dn.stdout.split("\n") assert "o: Example" in base_dn.stdout.split("\n") def test_log_level(Command, Sudo): """ Tests if the logging level has been set correctly. """ with Sudo(): log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel') assert log_level.rc == 0 assert 'olcLogLevel: 0' in log_level.stdout def test_ldap_tls_private_key_file(File, Sudo): """ Tests if the TLS private key has been deployed correctly. """ with Sudo(): key = File('/etc/ssl/private/parameters-optional_ldap.key') assert key.is_file assert key.user == 'root' assert key.group == 'openldap' assert key.mode == 0o640 assert key.content == open('tests/data/x509/parameters-optional.key.pem').read().rstrip() def test_ldap_tls_certificate_file(File, Sudo): """ Tests if the TLS certificate has been deployed correctly. """ with Sudo(): cert = File('/etc/ssl/certs/parameters-optional_ldap.pem') assert cert.is_file assert cert.user == 'root' assert cert.group == 'root' assert cert.mode == 0o644 assert cert.content == open('tests/data/x509/parameters-optional.cert.pem').read().rstrip() def test_certificate_validity_check_configuration(File): """ Tests if certificate validity check configuration file has been deployed correctly. """ config = File('/etc/check_certificate/parameters-optional_ldap.conf') assert config.is_file assert config.user == 'root' assert config.group == 'root' assert config.mode == 0o644 assert config.content == "/etc/ssl/certs/parameters-optional_ldap.pem" def test_tls_configuration(Command): """ Tests if the TLS has been configured correctly and works. """ ldap_starttls = Command('ldapwhoami -Z -x -H ldap://parameters-optional/') assert ldap_starttls.rc == 0 assert ldap_starttls.stdout == 'anonymous' ldap_tls = Command('ldapwhoami -x -H ldaps://parameters-optional/') assert ldap_tls.rc == 0 assert ldap_tls.stdout == 'anonymous' old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:636") assert old_tls_versions_disabled.rc == 0 assert "CONNECTED" in old_tls_versions_disabled.stdout cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:636") assert cipher.rc == 0 assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout cipher = Command("echo 'Q' | openssl s_client -tls1_1 -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:636") assert cipher.rc == 0 assert "ECDHE-RSA-AES128-SHA" in cipher.stdout def test_ssf_configuration(Command, Sudo): """ Tests if the SSF olcSecurity configuration has been set-up correctly. """ with Sudo(): ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity') assert ssf.rc == 0 assert "olcSecurity: ssf=0" in ssf.stdout def test_permissions(Command, Sudo): """ Tests if LDAP directory permissions have been set-up correctly. """ with Sudo(): permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess") expected_permissions = "olcAccess: {0}to * " \ "by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage " \ "by self write by * read by dn=\"cn=admin,dc=local\" write " \ "by * none" assert permissions.rc == 0 assert expected_permissions in permissions.stdout def test_services_login_entries(Command, Sudo): """ Tests if the service/consumer login entries have been set correctly. """ with Sudo(): entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'") assert entries.rc == 0 assert entries.stdout == """dn: cn=consumer1,ou=services,dc=local objectClass: applicationProcess objectClass: simpleSecurityObject userPassword:: Y29uc3VtZXIxcGFzc3dvcmQ= cn: consumer1 dn: cn=consumer2,ou=services,dc=local objectClass: applicationProcess objectClass: simpleSecurityObject userPassword:: Y29uc3VtZXIycGFzc3dvcmQ= cn: consumer2""" def test_group_entries(Command, Sudo): """ Tests that no group entries have been created out-of-the-box. """ with Sudo(): entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'") assert entries.rc == 0 assert entries.stdout == """dn: cn=group1,ou=groups,dc=local objectClass: groupOfUniqueNames uniqueMember: cn=NONE cn: group1 dn: cn=group2,ou=groups,dc=local objectClass: groupOfUniqueNames uniqueMember: cn=NONE cn: group2""" def test_user_supplied_entries(Command, Sudo): """ Tests if user-supplied entries are created correctly. """ with Sudo(): john_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=john,dc=local") assert john_doe.rc == 0 assert sorted(john_doe.stdout.split("\n")) == sorted("""dn: uid=john,dc=local objectClass: inetOrgPerson objectClass: simpleSecurityObject userPassword:: am9obnBhc3N3b3Jk cn: John Doe sn: Doe uid: john""".split("\n")) jane_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=jane,dc=local") assert jane_doe.rc == 0 assert sorted(jane_doe.stdout.split("\n")) == sorted("""dn: uid=jane,dc=local objectClass: inetOrgPerson objectClass: simpleSecurityObject userPassword:: amFuZXBhc3N3b3Jk cn: Jane Doe sn: Doe uid: jane""".split("\n"))