postgresql_user: fix bugs related to 'expires' option (#23862)

* Factorize tests related to no_password_change using an include task * Refactor: deduplicate tasks * postgresql_user: test 'expires' parameter * Change 'valid until' even it's the only updated field * value is changed when another value is provided * value isn't returned when unset * Remove unused variable * psycopg2.extras.DictRow is able to handle comparison * postgresql_user: simplify helper method * postgresql_user: define variable just before using it * Fix comparison between user input and applied configuration * new test: adding an invalid attribute * Refactor, add cleaning task * Check that using same attribute a 2nd time does nothing * Always try to remove created user * postgresql_user: fix pep8
2025-10-25 05:23:58 -07:00 · 2017-06-11 23:48:39 +02:00 · 2017-06-11 23:48:39 +02:00 · 460d932aa8
commit 460d932aa8
parent 301cbc1f5b
7 changed files with 304 additions and 368 deletions
--- a/test/integration/targets/postgresql/tasks/main.yml
+++ b/test/integration/targets/postgresql/tasks/main.yml
@ -184,9 +184,9 @@
      - "result.stdout_lines[-1] == '(0 rows)'"

 #
-# Create and destroy user
+# Create and destroy user, test 'password' and 'encrypted' parameters
 #
- include: test_user.yml
+- include: test_password.yml
  vars:
    encrypted: '{{ item.user_creation_encrypted_value }}'
    db_password1: 'secretù' # use UTF-8
@ -194,154 +194,31 @@
    - user_creation_encrypted_value: 'yes'
    - user_creation_encrypted_value: 'no'

-# BYPASSRLS role attribute was introduced in Postgres 9.5, so 
+# BYPASSRLS role attribute was introduced in PostgreSQL 9.5, so
 # we want to test atrribute management differently depending
-# on the version. See https://github.com/ansible/ansible/pull/24625
-# for more details.
- name: Get Postgres version 
+# on the version.
+- name: Get PostgreSQL version
  become_user: "{{ pg_user }}"
  become: True
-  shell: echo 'SHOW SERVER_VERSION' | psql -d postgres
+  shell: "echo 'SHOW SERVER_VERSION' | psql --tuples-only --no-align --dbname postgres"
  register: postgres_version_resp

- name: Print Postgres server version
+- name: Print PostgreSQL server version
  debug:
-    msg: "{{ postgres_version_resp.stdout_lines[-2] | trim }}"
+    msg: "{{ postgres_version_resp.stdout }}"

- name: Role attribute testing for Postgres 9.5+
-  include: postgresql_user_9.5_or_greater.yml
-  when: (postgres_version_resp.stdout_lines[-2] | trim) | version_compare('9.5.0', '>=')
+- set_fact:
+    bypassrls_supported: "{{ postgres_version_resp.stdout | version_compare('9.5.0', '>=') }}"

- name: Role attribute testing for Postgres versions below 9.5 
-  include: postgresql_user_less_than_9.5.yml
-  when: (postgres_version_resp.stdout_lines[-2] | trim) | version_compare('9.5.0', '<')
+# test 'no_password_change' and 'role_attr_flags' parameters
+- include: test_no_password_change.yml
+  vars:
+    no_password_changes: '{{ item }}'
+  with_items:
+    - 'yes'
+    - 'no'

- name: Cleanup the user
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    state: 'absent'
-    login_user: "{{ pg_user }}"
-    db: postgres
-
- name: Check that they were removed
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(0 rows)'"
-
-# Test cases to replicate issue 19835
- name: Create a user "{{ db_user3 }}"  to test issue 19835
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user3 }}"
-    encrypted: 'yes'
-    password: "md55c8ccfd9d6711fc69a7eae647fc54f51"
-    login_user: "{{ pg_user }}"
-    #role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN"
-    db: postgres
-  register: result
-
- name: Check that ansible reports that "{{ db_user3 }}" was created for testing issue 19835
-  assert:
-    that:
-      - "result.changed == True"
-
- name: debug result
-  debug:
-    var: result
-
- name: Check that "{{ db_user3 }}" was created for testing issue 19835
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select * from pg_user where usename='{{ db_user3 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-
- name: Modify user "{{ db_user3 }}" to have only login role attributes for testing issue 19835
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user3 }}"
-    state: "present"
-    role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit"
-    login_user: "{{ pg_user }}"
-    db: postgres
-  register: result
-
- name: Check that ansible reports it modified the roles for testing issue 19835
-  assert:
-    that:
-      - "result.changed == True"
-
- name: Check that the user "{{ db_user3 }}" has the requested role attributes for testing issue 19835
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user3 }}';" | psql -d postgres
-  register: result
-
- name: Modify a single role attribute on the user "{{ db_user3 }}"  with no_password_changes set to yes. issue 19835
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user3 }}"
-    state: "present"
-    role_attr_flags: "CREATEDB"
-    no_password_changes: yes
-    login_user: "{{ pg_user }}"
-    db: postgres
-  register: result
-
- name: Check that ansible reports it modified the role with no_password_changes set to yes. issue 19835
-  assert:
-    that:
-      - "result.changed == True"
-
- name: Check that the user "{{ db_user3 }}" has the requested role attributes with no_password_changes set to yes. issue 19835
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin  from pg_roles where rolname='{{ db_user3 }}';" | psql -d postgres
-  register: result
-
- name: Assert that the request role attributes check for user "{{ db_user3 }}" was correct with no_password_changes set to yes. issue 19835
-  assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-      - "'super:f' in result.stdout_lines[-2]"
-      - "'createrole:f' in result.stdout_lines[-2]"
-      - "'create:t' in result.stdout_lines[-2]"
-      - "'inherit:f' in result.stdout_lines[-2]"
-      - "'login:t' in result.stdout_lines[-2]"
-
- name: Cleanup the "{{ db_user3 }}" user
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user3 }}"
-    state: 'absent'
-    login_user: "{{ pg_user }}"
-    db: postgres
-
- name: Check that "{{ db_user3 }}"  was removed
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select * from pg_user where usename='{{ db_user3 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(0 rows)'"
-
-### TODO: test expires, fail_on_user
+### TODO: fail_on_user

 #
 # Test db ownership
--- a/test/integration/targets/postgresql/tasks/postgresql_user_9.5_or_greater.yml
+++ b/test/integration/targets/postgresql/tasks/postgresql_user_9.5_or_greater.yml
@ -1,90 +0,0 @@
---
- name: Create a user with all role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    state: "present"
-    role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login,BYPASSRLS"
-    login_user: "{{ pg_user }}"
-    db: postgres
-
- name: Check that the user has the requested role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-      - "'super:t' in result.stdout_lines[-2]"
-      - "'createrole:t' in result.stdout_lines[-2]"
-      - "'create:t' in result.stdout_lines[-2]"
-      - "'inherit:t' in result.stdout_lines[-2]"
-      - "'login:t' in result.stdout_lines[-2]"
-      - "'bypassrls:t' in result.stdout_lines[-2]"
-
- name: Modify a user to have no role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    state: "present"
-    role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN,NOBYPASSRLS"
-    login_user: "{{ pg_user }}"
-    db: postgres
-  register: result
-
- name: Check that ansible reports it modified the role
-  assert:
-    that:
-      - "result.changed == True"
-
- name: Check that the user has the requested role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-      - "'super:f' in result.stdout_lines[-2]"
-      - "'createrole:f' in result.stdout_lines[-2]"
-      - "'create:f' in result.stdout_lines[-2]"
-      - "'inherit:f' in result.stdout_lines[-2]"
-      - "'login:f' in result.stdout_lines[-2]"
-      - "'bypassrls:f' in result.stdout_lines[-2]"
-
- name: Modify a single role attribute on a user
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    state: "present"
-    role_attr_flags: "LOGIN"
-    login_user: "{{ pg_user }}"
-    db: postgres
-  register: result
-
- name: Check that ansible reports it modified the role
-  assert:
-    that:
-      - "result.changed == True"
-
- name: Check that the user has the requested role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls  from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-      - "'super:f' in result.stdout_lines[-2]"
-      - "'createrole:f' in result.stdout_lines[-2]"
-      - "'create:f' in result.stdout_lines[-2]"
-      - "'inherit:f' in result.stdout_lines[-2]"
-      - "'login:t' in result.stdout_lines[-2]"
-      - "'bypassrls:f' in result.stdout_lines[-2]"
--- a/test/integration/targets/postgresql/tasks/postgresql_user_less_than_9.5.yml
+++ b/test/integration/targets/postgresql/tasks/postgresql_user_less_than_9.5.yml
@ -1,87 +0,0 @@
---
- name: Create a user with all role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    state: "present"
-    role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login"
-    login_user: "{{ pg_user }}"
-    db: postgres
-
- name: Check that the user has the requested role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-      - "'super:t' in result.stdout_lines[-2]"
-      - "'createrole:t' in result.stdout_lines[-2]"
-      - "'create:t' in result.stdout_lines[-2]"
-      - "'inherit:t' in result.stdout_lines[-2]"
-      - "'login:t' in result.stdout_lines[-2]"
-
- name: Modify a user to have no role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    state: "present"
-    role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN"
-    login_user: "{{ pg_user }}"
-    db: postgres
-  register: result
-
- name: Check that ansible reports it modified the role
-  assert:
-    that:
-      - "result.changed == True"
-
- name: Check that the user has the requested role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-      - "'super:f' in result.stdout_lines[-2]"
-      - "'createrole:f' in result.stdout_lines[-2]"
-      - "'create:f' in result.stdout_lines[-2]"
-      - "'inherit:f' in result.stdout_lines[-2]"
-      - "'login:f' in result.stdout_lines[-2]"
-
- name: Modify a single role attribute on a user
-  become_user: "{{ pg_user }}"
-  become: True
-  postgresql_user:
-    name: "{{ db_user1 }}"
-    state: "present"
-    role_attr_flags: "LOGIN"
-    login_user: "{{ pg_user }}"
-    db: postgres
-  register: result
-
- name: Check that ansible reports it modified the role
-  assert:
-    that:
-      - "result.changed == True"
-
- name: Check that the user has the requested role attributes
-  become_user: "{{ pg_user }}"
-  become: True
-  shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin  from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
-  register: result
-
- assert:
-    that:
-      - "result.stdout_lines[-1] == '(1 row)'"
-      - "'super:f' in result.stdout_lines[-2]"
-      - "'createrole:f' in result.stdout_lines[-2]"
-      - "'create:f' in result.stdout_lines[-2]"
-      - "'inherit:f' in result.stdout_lines[-2]"
-      - "'login:t' in result.stdout_lines[-2]"
--- a/test/integration/targets/postgresql/tasks/test_no_password_change.yml
+++ b/test/integration/targets/postgresql/tasks/test_no_password_change.yml
@ -0,0 +1,167 @@
+- vars:
+    task_parameters: &task_parameters
+      become_user: "{{ pg_user }}"
+      become: True
+      register: result
+    postgresql_parameters: &parameters
+      db: postgres
+      name: "{{ db_user1 }}"
+      login_user: "{{ pg_user }}"
+
+  block:
+
+  - name: Create a user with all role attributes
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      state: "present"
+      role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login{{ bypassrls_supported | ternary(',BYPASSRLS', '') }}"
+      no_password_changes: '{{ no_password_changes }}' # no_password_changes is ignored when user doesn't already exist
+
+  - name: Check that the user has the requested role attributes
+    <<: *task_parameters
+    shell: "echo \"select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin {{ bypassrls_supported | ternary(\", 'bypassrls:'||rolbypassrls\", '') }} from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres"
+
+  - assert:
+      that:
+        - "result.stdout_lines[-1] == '(1 row)'"
+        - "'super:t' in result.stdout_lines[-2]"
+        - "'createrole:t' in result.stdout_lines[-2]"
+        - "'create:t' in result.stdout_lines[-2]"
+        - "'inherit:t' in result.stdout_lines[-2]"
+        - "'login:t' in result.stdout_lines[-2]"
+
+  - block:
+      - name: Check that the user has the requested role attribute BYPASSRLS
+        <<: *task_parameters
+        shell: "echo \"select 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres"
+
+      - assert:
+          that:
+            - "not bypassrls_supported or 'bypassrls:t' in result.stdout_lines[-2]"
+    when: bypassrls_supported
+
+  - name: Modify a user to have no role attributes
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      state: "present"
+      role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN{{ bypassrls_supported | ternary(',NOBYPASSRLS', '') }}"
+      no_password_changes: '{{ no_password_changes }}'
+
+  - name: Check that ansible reports it modified the role
+    assert:
+      that:
+        - "result.changed"
+
+  - name: "Check that the user doesn't have any attribute"
+    <<: *task_parameters
+    shell: "echo \"select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres"
+
+  - assert:
+      that:
+        - "result.stdout_lines[-1] == '(1 row)'"
+        - "'super:f' in result.stdout_lines[-2]"
+        - "'createrole:f' in result.stdout_lines[-2]"
+        - "'create:f' in result.stdout_lines[-2]"
+        - "'inherit:f' in result.stdout_lines[-2]"
+        - "'login:f' in result.stdout_lines[-2]"
+
+  - block:
+      - name: Check that the user has the requested role attribute BYPASSRLS
+        <<: *task_parameters
+        shell: "echo \"select 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres"
+
+      - assert:
+          that:
+            - "not bypassrls_supported or 'bypassrls:f' in result.stdout_lines[-2]"
+    when: bypassrls_supported
+
+  - name: Try to add an invalid attribute
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      state: "present"
+      role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN{{ bypassrls_supported | ternary(',NOBYPASSRLS', '') }},INVALID"
+      no_password_changes: '{{ no_password_changes }}'
+    ignore_errors: True
+
+  - name: Check that ansible reports failure
+    assert:
+      that:
+        - "not result.changed"
+        - "result.failed"
+        - "result.msg == 'Invalid role_attr_flags specified: INVALID'"
+
+  - name: Modify a single role attribute on a user
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      state: "present"
+      role_attr_flags: "LOGIN"
+      no_password_changes: '{{ no_password_changes }}'
+
+  - name: Check that ansible reports it modified the role
+    assert:
+      that:
+        - "result.changed"
+
+  - name: Check the role attributes
+    <<: *task_parameters
+    shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
+
+  - assert:
+      that:
+        - "result.stdout_lines[-1] == '(1 row)'"
+        - "'super:f' in result.stdout_lines[-2]"
+        - "'createrole:f' in result.stdout_lines[-2]"
+        - "'create:f' in result.stdout_lines[-2]"
+        - "'inherit:f' in result.stdout_lines[-2]"
+        - "'login:t' in result.stdout_lines[-2]"
+
+  - block:
+      - name: Check the role attribute BYPASSRLS
+        <<: *task_parameters
+        shell: echo "select 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
+
+      - assert:
+          that:
+            - "(postgres_version_resp.stdout | version_compare('9.5.0', '<')) or 'bypassrls:f' in result.stdout_lines[-2]"
+    when: bypassrls_supported
+
+  - name: Check that using same attribute a second time does nothing
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      state: "present"
+      role_attr_flags: "LOGIN"
+      no_password_changes: '{{ no_password_changes }}'
+    environment:
+        PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
+
+  - name: Check there isn't any update reported
+    assert:
+      that:
+        - "not result.changed"
+
+  - name: Cleanup the user
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      state: 'absent'
+      no_password_changes: '{{ no_password_changes }}' # user deletion: no_password_changes is ignored
+
+  - name: Check that user was removed
+    <<: *task_parameters
+    shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
+
+  - assert:
+      that:
+        - "result.stdout_lines[-1] == '(0 rows)'"
+
+  always:
+  - name: Cleanup the user
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      state: 'absent'
--- a/test/integration/targets/postgresql/tasks/test_password.yml
+++ b/test/integration/targets/postgresql/tasks/test_password.yml
@ -8,7 +8,7 @@
      name: "{{ db_user1 }}"
      login_user: "{{ pg_user }}"

-  block: # block is only used here in order to be able to define YAML anchors at the beginning in 'vars' section
+  block:
  - name: 'Check that PGOPTIONS environment variable is effective (1/2)'
    <<: *task_parameters
    postgresql_user:
@ -63,6 +63,27 @@
        that:
          - "{{ not result|changed }}"

+  - name: 'Define an expiration time'
+    <<: *task_parameters
+    postgresql_user:
+      <<: *parameters
+      expires: '2025-01-01'
+    environment:
+      PGCLIENTENCODING: 'UTF8'
+
+  - <<: *changed
+
+  - name: 'Redefine the same expiration time'
+    <<: *task_parameters
+    postgresql_user:
+      expires: '2025-01-01'
+      <<: *parameters
+    environment:
+      PGCLIENTENCODING: 'UTF8'
+      PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
+
+  - <<: *not_changed
+
  - block:

    - name: 'Using MD5-hashed password: check that password not changed when using cleartext password'
@ -72,7 +93,7 @@
        password: '{{ db_password1 }}'
        encrypted: 'yes'
      environment:
-#        PGCLIENTENCODING: 'UTF8'
+        PGCLIENTENCODING: 'UTF8'
        PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed

    - <<: *not_changed
@ -99,6 +120,18 @@

    - <<: *not_changed

+    - name: 'Redefine the same expiration time and password (encrypted)'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        encrypted: 'yes'
+        password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}"
+        expires: '2025-01-01'
+      environment:
+        PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
+
+    - <<: *not_changed
+
    - name: 'Using MD5-hashed password: check that password changed when using another cleartext password'
      <<: *task_parameters
      postgresql_user:
@ -144,6 +177,19 @@

    - <<: *not_changed

+    - name: 'Redefine the same expiration time and password (not encrypted)'
+      <<: *task_parameters
+      postgresql_user:
+        <<: *parameters
+        password: "{{ db_password1 }}"
+        encrypted: 'no'
+        expires: '2025-01-01'
+      environment:
+        PGCLIENTENCODING: 'UTF8'
+        PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
+
+    - <<: *not_changed
+
    - name: 'Using cleartext password: check that password changed when using another cleartext password'
      <<: *task_parameters
      postgresql_user:
@ -184,3 +230,10 @@
        PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed

  - <<: *not_changed
+
+  always:
+  - name: Remove user
+    <<: *task_parameters
+    postgresql_user:
+      state: 'absent'
+      <<: *parameters