Merge pull request #169 from dj-wasabi/improve-molecule

Using Molecule for Wazuh Manager
wazuh · Apr 26, 2019 · d87d6b4 · d87d6b4
2 parents 85dbeca + 54c7859
commit d87d6b4
Show file tree

Hide file tree

Showing 13 changed files with 458 additions and 221 deletions.
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -10,22 +10,39 @@ platforms:
   - name: bionic
     image: ubuntu:bionic
   - name: xenial
-    image: ubuntu:xenial
+    image: solita/ubuntu-systemd:xenial
+    privileged: True
+    command: /sbin/init
   - name: trusty
     image: ubuntu:trusty
   - name: centos6
     image: centos:6
   - name: centos7
-    image: centos:7      
+    image: milcom/centos7-systemd
+    privileged: True
 provisioner:
   name: ansible
   env:
-    ANSIBLE_ROLES_PATH: $HOME/wazuh-ansible/roles
+    ANSIBLE_ROLES_PATH: ../../roles
   lint:
     name: ansible-lint
     enabled: true # fix in seperate PR
 scenario:
   name: default
+  test_sequence:
+    - lint
+    - dependency
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    # - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy
 verifier:
   name: testinfra
   lint:

diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
@@ -2,8 +2,10 @@
 - name: Converge
   hosts: all
   roles:
-    - {role: wazuh/ansible-wazuh-manager}
-    - {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP'
+    - role: wazuh/ansible-wazuh-manager
+
+
+    # - {role: wazuh/ansible-filebeat} #, filebeat_output_logstash_hosts: 'your elastic stack server IP'
     # Elasticsearch requires too much memory to test multiple containers concurrently - To Fix
     #- {role: elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'}
     #- {role: elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'}

diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -1,5 +1,26 @@
 ---
 - name: Prepare
   hosts: all
-  gather_facts: false
-  tasks: []
+  gather_facts: True
+  tasks:
+
+    - name: "Install Python packages for Trusty to solve trust issues"
+      package:
+        name:
+          - python-setuptools
+          - python-pip
+        state: latest
+      register: wazuh_manager_trusty_packages_installed
+      until: wazuh_manager_trusty_packages_installed is succeeded
+      when:
+        - ansible_distribution == "Ubuntu"
+        - ansible_distribution_major_version | int == 14
+
+    - name: "Install dependencies"
+      package:
+        name:
+          - curl
+          - net-tools
+        state: latest
+      register: wazuh_manager_dependencies_packages_installed
+      until: wazuh_manager_dependencies_packages_installed is succeeded
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
@@ -1,30 +1,80 @@
 import os
+import pytest
 
 import testinfra.utils.ansible_runner
 
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
 
 
-def test_hosts_file(host):
-    f = host.file('/etc/hosts')
+def get_wazuh_version():
+    """This return the version of Wazuh."""
+    return "3.8"
 
-    assert f.exists
-    assert f.user == 'root'
-    assert f.group == 'root'
 
+def test_wazuh_packages_are_installed(host):
+    """Test if the main packages are installed."""
+    manager = host.package("wazuh-manager")
+    api = host.package("wazuh-api")
 
-def test_filebeat_is_installed(host):
-    package = host.package("filebeat")
-    assert package.is_installed
-    assert package.version.startswith("6")
+    distribution = host.system_info.distribution.lower()
+    if distribution == 'centos':
+        if host.system_info.release == "7":
+            assert manager.is_installed
+            assert manager.version.startswith(get_wazuh_version())
+            assert api.is_installed
+            assert api.version.startswith(get_wazuh_version())
+        elif host.system_info.release.startswith("6"):
+            assert manager.is_installed
+            assert manager.version.startswith(get_wazuh_version())
+    elif distribution == 'ubuntu':
+        assert manager.is_installed
+        assert manager.version.startswith(get_wazuh_version())
 
 
-def test_filebeat_service_enabled(host):
-    service = host.service('filebeat')
-    assert service.is_enabled
+def test_wazuh_services_are_running(host):
+    """Test if the services are enabled and running.
 
+    When assert commands are commented, this means that the service command has
+    a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
+    """
+    manager = host.service("wazuh-manager")
+    api = host.service("wazuh-api")
 
-def test_filebeat_config_file_present(host):
-    config_file = host.file('/etc/filebeat/filebeat.yml')
-    assert config_file.is_file
+    distribution = host.system_info.distribution.lower()
+    if distribution == 'centos':
+        # assert manager.is_running
+        assert manager.is_enabled
+        # assert not api.is_running
+        assert not api.is_enabled
+    elif distribution == 'ubuntu':
+        # assert manager.is_running
+        assert manager.is_enabled
+        # assert api.is_running
+        assert api.is_enabled
+
+
+@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
+    ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
+    ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
+    ("/var/ossec/etc/rules/local_rules.xml", "root", "ossec", 0o640),
+    ("/var/ossec/etc/lists/audit-keys", "root", "ossec", 0o640),
+])
+def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
+    """Test if Wazuh related files exist and have proper owners and mode."""
+    wazuh_file_host = host.file(wazuh_file)
+
+    assert wazuh_file_host.user == wazuh_owner
+    assert wazuh_file_host.group == wazuh_group
+    assert wazuh_file_host.mode == wazuh_mode
+
+
+def test_open_ports(host):
+    """Test if the main port is open and the agent-auth is not open."""
+    distribution = host.system_info.distribution.lower()
+    if distribution == 'ubuntu':
+        assert host.socket("tcp://0.0.0.0:1515").is_listening
+        assert not host.socket("tcp://0.0.0.0:1514").is_listening
+    elif distribution == 'centos':
+        assert host.socket("tcp://:::1515").is_listening
+        assert not host.socket("tcp://:::1514").is_listening
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 wazuh_manager_fqdn: "wazuh-server"
+wazuh_manager_package_state: latest
 
 wazuh_manager_config:
   json_output: 'yes'

diff --git a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml
@@ -13,3 +13,5 @@
     name: wazuh-api
     state: restarted
     enabled: true
+  when:
+    - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)
diff --git a/roles/wazuh/ansible-wazuh-manager/meta/main.yml b/roles/wazuh/ansible-wazuh-manager/meta/main.yml
@@ -6,18 +6,18 @@ galaxy_info:
   license: license (GPLv3)
   min_ansible_version: 2.0
   platforms:
-  - name: EL
-    versions:
-    - all
-  - name: Ubuntu
-    versions:
-    - all
-  - name: Debian
-    versions:
-    - all
-  - name: Fedora
-    versions:
-    - all
-  categories:
-  - monitoring
+    - name: EL
+      versions:
+        - all
+    - name: Ubuntu
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+    - name: Fedora
+      versions:
+        - all
+  galaxy_tags:
+    - monitoring
 dependencies: []
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
@@ -1,32 +1,64 @@
 ---
 - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
   apt:
-    name: ['apt-transport-https', 'ca-certificates']
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - gnupg
     state: present
     cache_valid_time: 3600
-  with_items:
-    - apt-transport-https
-    - ca-certificates
-    - urllib3
+  register: wazuh_manager_https_packages_installed
+  until: wazuh_manager_https_packages_installed is succeeded
 
+- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
+  become: yes
+  shell: |
+    set -o pipefail
+    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+  args:
+    warn: False
+    executable: /bin/bash
+  changed_when: False
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_major_version | int == 14
 
 - name: Debian/Ubuntu | Installing Wazuh repository key
   apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+  when:
+    - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
 
 - name: Debian/Ubuntu | Add Wazuh repositories
   apt_repository:
     repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
     state: present
     update_cache: yes
+  changed_when: False
+
+- name: Debian/Ubuntu | Installing NodeJS repository key (Ubuntu 14)
+  become: yes
+  shell: |
+    set -o pipefail
+    curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
+  args:
+    warn: False
+    executable: /bin/bash
+  changed_when: False
+  when:
+    - ansible_distribution == "Ubuntu"
+    - ansible_distribution_major_version | int == 14
 
 - name: Debian/Ubuntu | Installing NodeJS repository key
   apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key
+  when:
+    - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
 
 - name: Debian/Ubuntu | Add NodeSource repositories for Node.js
   apt_repository:
     repo: "deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main"
     state: present
     update_cache: yes
+  changed_when: False
 
 - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
   set_fact:
@@ -54,6 +86,8 @@
       name: oracle-java8-installer
       state: present
       cache_valid_time: 3600
+    register: wazuh_manager_oracle_java_8_installed
+    until: wazuh_manager_oracle_java_8_installed is succeeded
   tags:
     - init
 
@@ -62,6 +96,8 @@
     name: "{{ item }}"
     state: present
     cache_valid_time: 3600
+  register: wazuh_manager_openscap_installed
+  until: wazuh_manager_openscap_installed is succeeded
   when: wazuh_manager_config.openscap.disable == 'no'
   with_items:
     - libopenscap8
@@ -73,14 +109,14 @@
   shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
   when: wazuh_manager_config.openscap.disable == 'no'
   register: openscap_version
-  changed_when: true
+  changed_when: False
   tags:
     - config
 
 - name: Debian/Ubuntu | Check OpenScap version
   shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
   when: wazuh_manager_config.openscap.disable == 'no'
   register: openscap_version_valid
-  changed_when: true
+  changed_when: False
   tags:
     - config
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RMDebian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RMDebian.yml
@@ -3,8 +3,10 @@
   apt_repository:
     repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
     state: absent
+  changed_when: False
 
 - name: Debian/Ubuntu | Remove Nodejs repository.
   apt_repository:
     repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
     state: absent
+  changed_when: False
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RMRedHat.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RMRedHat.yml
@@ -3,8 +3,10 @@
   yum_repository:
     name: NodeJS
     state: absent
+  changed_when: False
 
 - name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
   yum_repository:
     name: wazuh_repo
     state: absent
+  changed_when: False