Mdd psql user aws fix (#23988)

* postgresql_user module - transaction logic hacks to allow recovery from failed select * postgresql_user - PEP8 and style fixes to make debugging easier * postgresql_user - move password changing logic to separate function * postgresql_user - trap failure in case where there is no access to pg_authid * postgresql_user - further PEP8 fixes * postgresql_user - Simplify password change logic and improve imports according to suggestions from PR review * postgresql_user - Eliminate pep8/blank line errors introduced in merge * Check behaviour when pg_authid relation isn't readable TASK [postgresql : Normal user isn't allowed to access pg_authid relation: password comparison will fail, password will be updated] *** An exception occurred during task execution. To see the full traceback, use -vvv. The error was: psycopg2.ProgrammingError: permission denied for relation pg_authid * Don't reintroduce passlib, remove useless query
2025-04-27 04:41:26 -07:00 · 2017-07-07 17:28:31 +01:00 · 2017-07-07 17:28:31 +01:00 · 3c4db1e8dd
commit 3c4db1e8dd
parent 800de2b0ce
3 changed files with 147 additions and 50 deletions
--- a/test/integration/targets/postgresql/tasks/main.yml
+++ b/test/integration/targets/postgresql/tasks/main.yml
@ -336,16 +336,21 @@
  become: True
  shell: echo "create table test_table2 (field text);" | psql {{ db_name }}

- name: Create a user with some permissions on the db
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    encrypted: 'yes'
-    password: "md55c8ccfd9d6711fc69a7eae647fc54f51"
-    db: "{{ db_name }}"
-    priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP'
-    login_user: "{{ pg_user }}"
+- vars:
+    db_password: 'secretù' # use UTF-8
+  block:
+    - name: Create a user with some permissions on the db
+      become_user: "{{ pg_user }}"
+      become: True
+      postgresql_user:
+        name: "{{ db_user1 }}"
+        encrypted: 'yes'
+        password: "md5{{ (db_password ~ db_user1) | hash('md5')}}"
+        db: "{{ db_name }}"
+        priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP'
+        login_user: "{{ pg_user }}"
+
+    - include: pg_authid_not_readable.yml

 - name: Check that the user has the requested permissions (table1)
  become_user: "{{ pg_user }}"
--- a/test/integration/targets/postgresql/tasks/pg_authid_not_readable.yml
+++ b/test/integration/targets/postgresql/tasks/pg_authid_not_readable.yml
@ -0,0 +1,50 @@
+- name: "Admin user is allowed to access pg_authid relation: password comparison will succeed, password won't be updated"
+  become_user: "{{ pg_user }}"
+  become: True
+  postgresql_user:
+    name: "{{ db_user1 }}"
+    encrypted: 'yes'
+    password: "md5{{ (db_password ~ db_user1) | hash('md5')}}"
+    db: "{{ db_name }}"
+    priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP'
+    login_user: "{{ pg_user }}"
+  register: redo_as_admin
+
+- name: "Check that task succeeded without any change"
+  assert:
+    that:
+      - 'not redo_as_admin|failed'
+      - 'not redo_as_admin|changed'
+      - 'redo_as_admin|success'
+
+- name: "Check that normal user isn't allowed to access pg_authid"
+  shell: 'psql -c "select * from pg_authid;" {{ db_name }} {{ db_user1 }}'
+  environment:
+    PGPASSWORD: '{{ db_password }}'
+  ignore_errors: True
+  register: pg_authid
+
+- assert:
+    that:
+      - 'pg_authid|failed'
+      - '"permission denied for relation pg_authid" in pg_authid.stderr'
+
+- name: "Normal user isn't allowed to access pg_authid relation: password comparison will fail, password will be updated"
+  become_user: "{{ pg_user }}"
+  become: True
+  postgresql_user:
+    name: "{{ db_user1 }}"
+    encrypted: 'yes'
+    password: "md5{{ (db_password ~ db_user1) | hash('md5')}}"
+    db: "{{ db_name }}"
+    priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP'
+    login_user: "{{ db_user1 }}"
+    login_password: "{{ db_password }}"
+  register: redo_as_normal_user
+
+- name: "Check that task succeeded and that result is changed"
+  assert:
+    that:
+      - 'not redo_as_normal_user|failed'
+      - 'redo_as_normal_user|changed'
+      - 'redo_as_normal_user|success'