further tweaks to prod testinfra tests

freedomofpress · Jul 31, 2020 · fe379ba · fe379ba
1 parent add8e6e
commit fe379ba
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 3 deletions.
diff --git a/devops/scripts/run_prod_testinfra b/devops/scripts/run_prod_testinfra
@@ -23,7 +23,7 @@ echo "Installing test dependencies, this may take a while..."
 torify python3 -m pip install --quiet --no-deps --require-hashes -r securedrop/requirements/python3/develop-requirements.txt
 
 cd molecule/testinfra
-CI_SD_ENV=${TEST_ENV:-prod} SECUREDROP_TESTINFRA_TARGET_HOST=${TEST_ENV:-prod} py.test -v -n 4 --disable-warnings -m "not skip_in_prod" 
+CI_SD_ENV=${TEST_ENV:-prod} SECUREDROP_TESTINFRA_TARGET_HOST=${TEST_ENV:-prod} py.test -v -n 2 --disable-warnings -m "not skip_in_prod" 
 
 deactivate
 echo "--------"

diff --git a/molecule/testinfra/app/apache/test_apache_system_config.py b/molecule/testinfra/app/apache/test_apache_system_config.py
@@ -158,9 +158,11 @@ def test_apache_logfiles_no_extras(host):
     `test_apache_logfiles_present` config test. Here, we confirm that the
     total number of Apache logfiles exactly matches the number permitted
     on the Application Server, whether staging or prod.
+    Long-running instances may have rotated and gzipped logfiles, so this
+    test should only look for files ending in '.log'.
     """
     # We need elevated privileges to read files inside /var/log/apache2
     with host.sudo():
-        c = host.run("find /var/log/apache2 -mindepth 1 | wc -l")
+        c = host.run("find /var/log/apache2 -mindepth 1 -name '*.log' | wc -l")
         assert int(c.stdout) == \
             len(securedrop_test_vars.allowed_apache_logfiles)
diff --git a/molecule/testinfra/common/test_user_config.py b/molecule/testinfra/common/test_user_config.py
@@ -84,6 +84,7 @@ def test_tmux_installed(host):
     assert host.package("tmux").is_installed
 
 
+@pytest.mark.skip_in_prod
 def test_sudoers_tmux_env_deprecated(host):
     """
     Previous version of the Ansible config set the tmux config

diff --git a/molecule/testinfra/mon/test_mon_network.py b/molecule/testinfra/mon/test_mon_network.py
@@ -45,6 +45,7 @@ def test_mon_iptables_rules(host):
         assert iptables_expected == iptables
 
 
+@pytest.mark.skip_in_prod
 @pytest.mark.parametrize('ossec_service', [
     dict(host="0.0.0.0", proto="tcp", port=22, listening=True),
     dict(host="0.0.0.0", proto="udp", port=1514, listening=True),

diff --git a/molecule/testinfra/vars/prod.yml b/molecule/testinfra/vars/prod.yml
@@ -42,7 +42,7 @@ apparmor_enforce:
   - "/usr/lib/NetworkManager/nm-dhcp-client.action"
   - "/usr/lib/connman/scripts/dhclient-script"
   - "/usr/sbin/ntpd"
-  - "/usr/sbin/tcpdump"
+  - "/usr/sbin/haveged"
   - "system_tor"
   - "/usr/sbin/apache2"
   - "/usr/sbin/apache2//DEFAULT_URI"