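import socket

import paramiko

import testinfra.utils.ansible_runner


# Hosts these tests run against: the 'parameters-mandatory' group from the
# Molecule-generated Ansible inventory.
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    '.molecule/ansible_inventory').get_hosts('parameters-mandatory')


def test_apt_proxy(File):
    """
    Tests if proxy configuration for apt is missing.
    """

    assert not File('/etc/apt/apt.conf.d/00proxy').exists


def test_bash_prompt_content(File):
    """
    Tests that the bash prompt configuration file contains neither
    colouring nor ID information.
    """

    bash_prompt = File('/etc/profile.d/bash_prompt.sh')

    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\[\\033[0m\\]\\u@\\h:\\w\\$ \\[\\033[0m\\]'" in bash_prompt.content
    assert "export PS1='\\[\\e]0;\\u@\\h: \\w\\a\\]${debian_chroot:+($debian_chroot)}\\u@\\h:\\w\\$ '" in bash_prompt.content


def test_ssh_login_mechanisms():
    """
    Tests available SSH login mechanisms (should be just public key).

    The test attempts 'none' authentication and inspects the list of
    authentication methods the server offers in its rejection. If the server
    accepts 'none' authentication outright, the test fails explicitly instead
    of passing without having checked anything.
    """

    sock = socket.socket()

    try:
        sock.connect(('10.31.127.3', 22))
        transport = paramiko.transport.Transport(sock)

        try:
            # No host key is passed, so the server identity is not verified.
            # Only the advertised authentication methods are inspected here.
            transport.connect()

            try:
                transport.auth_none('')
            except paramiko.transport.BadAuthenticationType as err:
                assert err.allowed_types == ['publickey']
            else:
                # Reaching this point means the server did not reject the
                # 'none' method, which is the opposite of what is expected.
                raise AssertionError(
                    "SSH server accepted 'none' authentication; "
                    "expected only 'publickey' to be offered")
        finally:
            transport.close()
    finally:
        # Release the socket even if connecting or negotiation failed.
        sock.close()


def test_mariadb_mysql_config_symlink(File, Sudo):
    """
    Tests if symbolic link has been set-up for mariadb_config binary to be
    accessible as mysql_config as well. (should not be present with just
    mandatory options set).
    """

    mysql_config = File('/usr/bin/mysql_config')

    assert not mysql_config.exists


def test_emacs_electric_indent_mode(File):
    """
    Tests if Emacs electric indent mode has been disabled via custom
    configuration file. With just mandatory options set, the file should not be
    present.
    """

    emacs_config = File('/etc/emacs/site-start.d/01disable-electric-indent-mode')

    assert not emacs_config.exists


def test_ferm_base_rules(Command, File, Sudo):
    """
    Test if base ferm configuration has been deployed correctly
    (content-wise).

    Checks both the ferm configuration file and the rules actually loaded
    into the kernel, as reported by iptables-save and ip6tables-save.
    """

    # All checks run inside the Sudo() context.
    with Sudo():

        ferm_base = File('/etc/ferm/conf.d/00-base.conf')

        assert "mod hashlimit hashlimit 3/second hashlimit-burst 9" in ferm_base.content

        iptables = Command('iptables-save')

        assert iptables.rc == 0
        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
        assert "-A flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout

        ip6tables = Command('ip6tables-save')

        assert ip6tables.rc == 0
        # NOTE(review): this assertion repeats the IPv4 ICMP check against
        # iptables.stdout, so it adds no IPv6 coverage. It looks like a
        # copy-paste slip; confirm which rule is expected in the ip6tables
        # output and check ip6tables.stdout instead.
        assert "-A flood -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in iptables.stdout
        assert "-A flood -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m hashlimit --hashlimit-upto 3/sec --hashlimit-burst 9 " \
            "--hashlimit-mode srcip --hashlimit-name icmp -j RETURN" in ip6tables.stdout


def test_pipreqcheck_virtualenv_user(Group, User):
    """
    Tests if user/group for running the pip requirements upgrade checks have
    been created correctly.
    """

    group = Group('pipreqcheck')
    assert group.exists
    assert group.gid == 1001

    user = User('pipreqcheck')
    assert user.exists
    assert user.home == '/var/lib/pipreqcheck'
    assert user.uid == 1001
    assert user.group == 'pipreqcheck'
    # The account must not belong to any supplementary groups.
    assert user.groups == ['pipreqcheck']


def test_backup_configuration_absent(File, Sudo):
    """
    Tests if backup configuration is absent. This should be the case when only
    mandatory parameters are provided.
    """

    with Sudo():
        assert not File('/etc/duply/main/patterns/common').exists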