Tweak tests to make TravisCI reliably pass (#30)

Author: alessfg

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 0.3.1 (Unreleased)
 
+ENHANCEMENTS:
+
+*   Split the default Molecule scenario into a simple and advanced scenario to solve timeout issues encountered in TravisCI.
+
 BUG FIXES:
 
 *   Rename handlers to use more specific role related naming and prevent namespace collision issues.

defaults/main.yml

@@ -79,4 +79,5 @@ nginx_app_protect_conf_template:
   out_file_location: /etc/nginx/
 nginx_app_protect_demo_workload_protocol: http://
 nginx_app_protect_demo_workload_host: 10.1.1.1:8080
-nginx_app_protect_log_policy_syslog_target: 127.0.0.1:514
+nginx_app_protect_log_policy_syslog_target: 127.0.0.1:514  # DEPRECATED -- use nginx_app_protect_log_policy_target instead
+nginx_app_protect_log_policy_target: "syslog:server={{ nginx_app_protect_log_policy_syslog_target }}"

molecule/advanced/converge.yml

@@ -0,0 +1,24 @@
+---
+- name: Converge
+  hosts: nap
+  tasks:
+    - name: Install NGINX App Protect
+      include_role:
+        name: ansible-role-nginx-app-protect
+      vars:
+        nginx_app_protect_license:
+          certificate: license/nginx-repo.crt
+          key: license/nginx-repo.key
+        nginx_app_protect_remove_license: false
+        nginx_app_protect_install_signatures: true
+        nginx_app_protect_install_threat_campaigns: true
+        nginx_app_protect_configure: true
+        nginx_app_protect_security_policy_template_enable: true
+        nginx_app_protect_security_policy_enforcement_mode: blocking
+        nginx_app_protect_log_policy_template_enable: true
+        nginx_app_protect_log_policy_filter_request_type: all
+        nginx_app_protect_conf_template_enable: true
+        nginx_app_protect_demo_workload_protocol: http://
+        nginx_app_protect_demo_workload_host: test-workload:80
+        nginx_app_protect_log_policy_syslog_target: localhost:514
+        nginx_app_protect_timeout: 180

molecule/advanced/molecule.yml

@@ -0,0 +1,54 @@
+---
+driver:
+  name: docker
+lint: |
+  set -e
+  yamllint .
+  ansible-lint --force-color
+platforms:
+  - name: test-workload
+    groups:
+      - workload
+    image: nginxdemos/hello
+    privileged: true
+    networks:
+      - name: molecule-test
+  - name: centos-7
+    groups:
+      - nap
+    image: centos:7
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    networks:
+      - name: molecule-test
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/usr/sbin/init"
+  - name: ubuntu-bionic
+    groups:
+      - nap
+    image: ubuntu:bionic
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    networks:
+      - name: molecule-test
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/sbin/init"
+  - name: debian-stretch
+    groups:
+      - nap
+    image: debian:stretch-slim
+    dockerfile: ../Dockerfile.j2
+    privileged: true
+    networks:
+      - name: molecule-test
+    volumes:
+      - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+    command: "/sbin/init"
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      no_target_syslog: true
+  log: false

molecule/advanced/prepare.yml

@@ -0,0 +1,35 @@
+---
+- name: Prepare
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Create ephemeral license certificate file from b64 decoded env var
+      copy:
+        content: "{{ lookup('env','NGINX_CRT') | b64decode }}"
+        dest: ../../files/license/nginx-repo.crt
+        force: false
+        mode: 0444
+
+    - name: Create ephemeral license key file from b64 decoded env var
+      copy:
+        content: "{{ lookup('env','NGINX_KEY') | b64decode }}"
+        dest: ../../files/license/nginx-repo.key
+        force: false
+        mode: 0444
+
+- name: Set up rsyslog server for verifying NAP syslog events
+  hosts: nap
+  roles:
+    - role: robertdebock.rsyslog
+  vars:
+    rsyslog_receiver: true
+    rsyslog_remote_tcp: true
+    rsyslog_remote_port: 514
+
+- name: Prepare workload for tests
+  hosts: workload
+  gather_facts: false
+  tasks:
+    - name: Start nginx on test workload
+      raw: nohup nginx </dev/null >/dev/null 2>&1 & sleep 1
+      changed_when: false

molecule/default/requirements.yml renamed to molecule/advanced/requirements.yml

@@ -0,0 +1,60 @@
+---
+- name: Verify
+  hosts: nap
+  tasks:
+    - name: Check if NGINX is installed
+      package:
+        name: nginx-plus
+      check_mode: true
+      register: install
+      failed_when: (install is changed) or (install is failed)
+
+    - name: Check if NGINX App Protect is installed
+      package:
+        name: app-protect
+      check_mode: true
+      register: install
+      failed_when: (install is changed) or (install is failed)
+
+    - name: Check if NGINX App Protect Signatures is installed
+      package:
+        name: app-protect-attack-signatures
+      check_mode: true
+      register: install
+      failed_when: (install is changed) or (install is failed)
+
+    - name: Check if NGINX App Protect Threat Campaigns is installed
+      package:
+        name: app-protect-threat-campaigns
+      check_mode: true
+      register: install
+      failed_when: (install is changed) or (install is failed)
+
+    - name: Check if NGINX service is running
+      service:
+        name: nginx
+        state: started
+        enabled: true
+      check_mode: true
+      register: service
+      failed_when: (service is changed) or (service is failed)
+
+    - name: Check that a page returns a status 200 and fail if the words Hello World are not in the page contents
+      uri:
+        url: "http://localhost"
+        return_content: true
+      register: this
+      failed_when: "'Hello World' not in this.content"
+
+    - name: Check that a page returns a status 200 and fail if the words Request Rejected are not in the page contents
+      uri:
+        url: "http://localhost/?v=<script>"
+        return_content: true
+      register: this
+      failed_when: "'Request Rejected' not in this.content"
+
+    - name: Ensure /var/log/messages contains block event from above test
+      shell: grep -c "Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)" /var/log/messages || true
+      register: event
+      changed_when: false
+      failed_when: event.stdout == "0"

molecule/advanced/verify.yml

@@ -1,12 +1,14 @@
 ---
 - name: Converge
-  hosts: nap
+  hosts: all
   tasks:
     - name: Install NGINX App Protect
       include_role:
         name: ansible-role-nginx-app-protect
       vars:
-        nginx_app_protect_enable: true
+        nginx_app_protect_license:
+          certificate: license/nginx-repo.crt
+          key: license/nginx-repo.key
         nginx_app_protect_remove_license: false
         nginx_app_protect_install_signatures: true
         nginx_app_protect_install_threat_campaigns: true
@@ -15,11 +17,4 @@
         nginx_app_protect_security_policy_enforcement_mode: blocking
         nginx_app_protect_log_policy_template_enable: true
         nginx_app_protect_log_policy_filter_request_type: all
-        nginx_app_protect_log_policy_syslog_target: localhost:514
-        nginx_app_protect_conf_template_enable: true
-        nginx_app_protect_demo_workload_protocol: http://
-        nginx_app_protect_demo_workload_host: test-workload:80
-        nginx_app_protect_license:
-          certificate: license/nginx-repo.crt
-          key: license/nginx-repo.key
-        nginx_app_protect_timeout: 180
+        nginx_app_protect_conf_template_enable: false

molecule/default/converge.yml

@@ -6,49 +6,26 @@ lint: |
   yamllint .
   ansible-lint --force-color
 platforms:
-  - name: test-workload
-    groups:
-      - workload
-    image: nginxdemos/hello
-    privileged: true
-    networks:
-      - name: molecule-test
   - name: centos-7
-    groups:
-      - nap
     image: centos:7
     dockerfile: ../Dockerfile.j2
     privileged: true
-    networks:
-      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/usr/sbin/init"
   - name: ubuntu-bionic
-    groups:
-      - nap
     image: ubuntu:bionic
     dockerfile: ../Dockerfile.j2
     privileged: true
-    networks:
-      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
   - name: debian-stretch
-    groups:
-      - nap
     image: debian:stretch-slim
     dockerfile: ../Dockerfile.j2
     privileged: true
-    networks:
-      - name: molecule-test
     volumes:
       - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
     command: "/sbin/init"
 provisioner:
   name: ansible
-  config_options:
-    defaults:
-      no_target_syslog: true
-  log: false

molecule/default/molecule.yml

@@ -16,20 +16,3 @@
         dest: ../../files/license/nginx-repo.key
         force: false
         mode: 0444
-
-- name: Set up rsyslog server for verifying NAP syslog events
-  hosts: nap
-  roles:
-    - role: robertdebock.rsyslog
-  vars:
-    rsyslog_receiver: true
-    rsyslog_remote_tcp: true
-    rsyslog_remote_port: 514
-
-- name: Prepare workload for tests
-  hosts: workload
-  gather_facts: false
-  tasks:
-    - name: Start nginx on test workload
-      raw: nohup nginx </dev/null >/dev/null 2>&1 & sleep 1
-      changed_when: false