Initial commit
commit
aebc1b03fd
4861 changed files with 812621 additions and 0 deletions
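--- a/tests/integration/targets/postgresql_privs/aliases
+++ b/tests/integration/targets/postgresql_privs/aliases
@@ -0,0 +1,4 @@
+destructive
+shippable/posix/group4
+skip/aix
+skip/osx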
|
@ -0,0 +1,8 @@
|
|||
db_name: ansible_db
|
||||
db_user1: ansible_db_user1
|
||||
db_user2: ansible_db_user2
|
||||
db_user3: ansible_db_user3
|
||||
db_user_with_dots1: role.with.dots1
|
||||
db_user_with_dots2: role.with.dots2
|
||||
db_session_role1: session_role1
|
||||
db_session_role2: session_role2
|
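--- a/tests/integration/targets/postgresql_privs/meta/main.yml
+++ b/tests/integration/targets/postgresql_privs/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - setup_postgresql_db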
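--- a/tests/integration/targets/postgresql_privs/tasks/main.yml
+++ b/tests/integration/targets/postgresql_privs/tasks/main.yml
@@ -0,0 +1,14 @@
+- include_tasks: postgresql_privs_session_role.yml
+  when: postgres_version_resp.stdout is version('9.4', '>=')
+
+# Initial CI tests of postgresql_privs module:
+- include_tasks: postgresql_privs_initial.yml
+  when: postgres_version_resp.stdout is version('9.4', '>=')
+
+# General tests:
+- include_tasks: postgresql_privs_general.yml
+  when: postgres_version_resp.stdout is version('9.4', '>=')
+
+# Tests default_privs with target_role:
+- include_tasks: test_target_role.yml
+  when: postgres_version_resp.stdout is version('9.4', '>=')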
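Review bot: The identical guard `when: postgres_version_resp.stdout is version('9.4', '>=')` is repeated on all four `include_tasks` entries; wrapping them in one `block:` with a single `when:` states the version gate once and keeps a future include from silently missing it. `postgres_version_resp` is not set anywhere in this file, so it presumably comes from the `setup_postgresql_db` dependency declared in meta/main.yml; a one-line comment at the top such as `# postgres_version_resp is registered by the setup_postgresql_db dependency` would save the reader that lookup.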
|
@ -0,0 +1,50 @@
|
|||
- name: "Admin user is allowed to access pg_authid relation: password comparison will succeed, password won't be updated"
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ db_user1 }}"
|
||||
encrypted: 'yes'
|
||||
password: "md5{{ (db_password ~ db_user1) | hash('md5')}}"
|
||||
db: "{{ db_name }}"
|
||||
priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP'
|
||||
login_user: "{{ pg_user }}"
|
||||
register: redo_as_admin
|
||||
|
||||
- name: "Check that task succeeded without any change"
|
||||
assert:
|
||||
that:
|
||||
- 'redo_as_admin is not failed'
|
||||
- 'redo_as_admin is not changed'
|
||||
- 'redo_as_admin is successful'
|
||||
|
||||
- name: "Check that normal user isn't allowed to access pg_authid"
|
||||
shell: 'psql -c "select * from pg_authid;" {{ db_name }} {{ db_user1 }}'
|
||||
environment:
|
||||
PGPASSWORD: '{{ db_password }}'
|
||||
ignore_errors: yes
|
||||
register: pg_authid
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- 'pg_authid is failed'
|
||||
- pg_authid.stderr is search('permission denied for (relation|table) pg_authid')
|
||||
|
||||
- name: "Normal user isn't allowed to access pg_authid relation: password comparison will fail, password will be updated"
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ db_user1 }}"
|
||||
encrypted: 'yes'
|
||||
password: "md5{{ (db_password ~ db_user1) | hash('md5')}}"
|
||||
db: "{{ db_name }}"
|
||||
priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP'
|
||||
login_user: "{{ db_user1 }}"
|
||||
login_password: "{{ db_password }}"
|
||||
register: redo_as_normal_user
|
||||
|
||||
- name: "Check that task succeeded and that result is changed"
|
||||
assert:
|
||||
that:
|
||||
- 'redo_as_normal_user is not failed'
|
||||
- 'redo_as_normal_user is changed'
|
||||
- 'redo_as_normal_user is successful'
|
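Review bot: Boolean keywords in this hunk use YAML 1.1 truthy spellings — `become: yes`, `ignore_errors: yes` and the quoted string `encrypted: 'yes'` — rather than the canonical `true`; generic YAML 1.2 parsers and yamllint's `truthy` rule treat these differently, and the larger hunk later in this commit writes the same option as an unquoted `encrypted: yes`, so the spelling is already inconsistent. Prefer `become: true`, `ignore_errors: true` and `encrypted: true` here and in the two following hunks. The bare `- assert:` task that checks `pg_authid is failed` is the only unnamed task in the hunk; `name: Check that pg_authid access was denied for the normal user` would make the CI log readable. The file header for this hunk is not shown on the page, so the target file name is not verifiable from here.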
|
@ -0,0 +1,966 @@
|
|||
# Setup
|
||||
- name: Create DB
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_db:
|
||||
state: present
|
||||
name: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Create a user to be owner of objects
|
||||
postgresql_user:
|
||||
name: "{{ db_user3 }}"
|
||||
state: present
|
||||
encrypted: yes
|
||||
password: password
|
||||
role_attr_flags: CREATEDB,LOGIN
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Create a user to be given permissions and other tests
|
||||
postgresql_user:
|
||||
name: "{{ db_user2 }}"
|
||||
state: present
|
||||
encrypted: yes
|
||||
password: password
|
||||
role_attr_flags: LOGIN
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
#############################
|
||||
# Test of solving bug 27327 #
|
||||
#############################
|
||||
|
||||
# Create the test table and view:
|
||||
- name: Create table
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_table:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
name: test_table1
|
||||
columns:
|
||||
- id int
|
||||
|
||||
- name: Create view
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
query: "CREATE VIEW test_view AS SELECT id FROM test_table1"
|
||||
|
||||
# Test check_mode:
|
||||
- name: Grant SELECT on test_view, check_mode
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
state: present
|
||||
privs: SELECT
|
||||
type: table
|
||||
objs: test_view
|
||||
roles: "{{ db_user2 }}"
|
||||
check_mode: yes
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
# Check:
|
||||
- name: Check that nothing was changed after the prev step
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = '{{ db_user2 }}'"
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.rowcount == 0
|
||||
|
||||
# Test true mode:
|
||||
- name: Grant SELECT on test_view
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
state: present
|
||||
privs: SELECT
|
||||
type: table
|
||||
objs: test_view
|
||||
roles: "{{ db_user2 }}"
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
# Check:
|
||||
- name: Check that nothing was changed after the prev step
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = '{{ db_user2 }}'"
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.rowcount == 1
|
||||
|
||||
# Test true mode:
|
||||
- name: Try to grant SELECT again
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
state: present
|
||||
privs: SELECT
|
||||
type: table
|
||||
objs: test_view
|
||||
roles: "{{ db_user2 }}"
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result is not changed
|
||||
|
||||
# Cleanup:
|
||||
- name: Drop test view
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
query: "DROP VIEW test_view"
|
||||
|
||||
- name: Drop test table
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_table:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
name: test_table1
|
||||
state: absent
|
||||
|
||||
######################################################
|
||||
# Test foreign data wrapper and foreign server privs #
|
||||
######################################################
|
||||
|
||||
# Foreign data wrapper setup
|
||||
- name: Create foreign data wrapper extension
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "CREATE EXTENSION postgres_fdw" | psql -d "{{ db_name }}"
|
||||
|
||||
- name: Create dummy foreign data wrapper
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "CREATE FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
|
||||
|
||||
- name: Create foreign server
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "CREATE SERVER dummy_server FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
|
||||
|
||||
# Test
|
||||
- name: Grant foreign data wrapper privileges
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: foreign_data_wrapper
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Get foreign data wrapper privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
|
||||
vars:
|
||||
fdw_query: >
|
||||
SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper
|
||||
WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname
|
||||
register: fdw_result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "fdw_result.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ db_user2 }}' in fdw_result.stdout_lines[-2]"
|
||||
|
||||
# Test
|
||||
- name: Grant foreign data wrapper privileges second time
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: foreign_data_wrapper
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is not changed
|
||||
|
||||
# Test
|
||||
- name: Revoke foreign data wrapper privileges
|
||||
postgresql_privs:
|
||||
state: absent
|
||||
type: foreign_data_wrapper
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Get foreign data wrapper privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
|
||||
vars:
|
||||
fdw_query: >
|
||||
SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper
|
||||
WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname
|
||||
register: fdw_result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "fdw_result.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ db_user2 }}' not in fdw_result.stdout_lines[-2]"
|
||||
|
||||
# Test
|
||||
- name: Revoke foreign data wrapper privileges for second time
|
||||
postgresql_privs:
|
||||
state: absent
|
||||
type: foreign_data_wrapper
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is not changed
|
||||
|
||||
# Test
|
||||
- name: Grant foreign server privileges
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: foreign_server
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy_server
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Get foreign server privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
|
||||
vars:
|
||||
fdw_query: >
|
||||
SELECT srvacl FROM pg_catalog.pg_foreign_server
|
||||
WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname
|
||||
register: fs_result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "fs_result.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ db_user2 }}' in fs_result.stdout_lines[-2]"
|
||||
|
||||
# Test
|
||||
- name: Grant foreign server privileges for second time
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: foreign_server
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy_server
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is not changed
|
||||
|
||||
# Test
|
||||
- name: Revoke foreign server privileges
|
||||
postgresql_privs:
|
||||
state: absent
|
||||
type: foreign_server
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy_server
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Get foreign server privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
|
||||
vars:
|
||||
fdw_query: >
|
||||
SELECT srvacl FROM pg_catalog.pg_foreign_server
|
||||
WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname
|
||||
register: fs_result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "fs_result.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ db_user2 }}' not in fs_result.stdout_lines[-2]"
|
||||
|
||||
# Test
|
||||
- name: Revoke foreign server privileges for second time
|
||||
postgresql_privs:
|
||||
state: absent
|
||||
type: foreign_server
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: dummy_server
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is not changed
|
||||
|
||||
# Foreign data wrapper cleanup
|
||||
- name: Drop foreign server
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "DROP SERVER dummy_server" | psql -d "{{ db_name }}"
|
||||
|
||||
- name: Drop dummy foreign data wrapper
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "DROP FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
|
||||
|
||||
- name: Drop foreign data wrapper extension
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: echo "DROP EXTENSION postgres_fdw" | psql -d "{{ db_name }}"
|
||||
|
||||
##########################################
|
||||
# Test ALL_IN_SCHEMA for 'function' type #
|
||||
##########################################
|
||||
|
||||
# Function ALL_IN_SCHEMA Setup
|
||||
- name: Create function for test
|
||||
postgresql_query:
|
||||
query: CREATE FUNCTION public.a() RETURNS integer LANGUAGE SQL AS 'SELECT 2';
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
|
||||
# Test
|
||||
- name: Grant execute to all functions
|
||||
postgresql_privs:
|
||||
type: function
|
||||
state: present
|
||||
privs: EXECUTE
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is changed
|
||||
|
||||
- name: Check that all functions have execute privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: psql {{ db_name }} -c "SELECT proacl FROM pg_proc WHERE proname = 'a'" -t
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that: "'{{ db_user2 }}=X/{{ db_user3 }}' in '{{ result.stdout_lines[0] }}'"
|
||||
|
||||
# Test
|
||||
- name: Grant execute to all functions again
|
||||
postgresql_privs:
|
||||
type: function
|
||||
state: present
|
||||
privs: EXECUTE
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is not changed
|
||||
|
||||
# Test
|
||||
- name: Revoke execute to all functions
|
||||
postgresql_privs:
|
||||
type: function
|
||||
state: absent
|
||||
privs: EXECUTE
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is changed
|
||||
|
||||
# Test
|
||||
- name: Revoke execute to all functions again
|
||||
postgresql_privs:
|
||||
type: function
|
||||
state: absent
|
||||
privs: EXECUTE
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
- assert:
|
||||
that: result is not changed
|
||||
|
||||
# Function ALL_IN_SCHEMA cleanup
|
||||
- name: Remove function for test
|
||||
postgresql_query:
|
||||
query: DROP FUNCTION public.a();
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
|
||||
#################################################
|
||||
# Test ALL_IN_SCHEMA for 'partioned tables type #
|
||||
#################################################
|
||||
|
||||
# Partitioning tables is a feature introduced in Postgresql 10.
|
||||
# (see https://www.postgresql.org/docs/10/ddl-partitioning.html )
|
||||
# The test below check for this version
|
||||
|
||||
# Function ALL_IN_SCHEMA Setup
|
||||
- name: Create partioned table for test purpose
|
||||
postgresql_query:
|
||||
query: CREATE TABLE public.testpt (id int not null, logdate date not null) PARTITION BY RANGE (logdate);
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Test
|
||||
- name: Grant execute to all tables in check mode
|
||||
postgresql_privs:
|
||||
type: table
|
||||
state: present
|
||||
privs: SELECT
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
check_mode: yes
|
||||
|
||||
# Checks
|
||||
- name: Check that all partitioned tables don't have select privileges after the check mode task
|
||||
postgresql_query:
|
||||
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
|
||||
db: "{{ db_name }}"
|
||||
login_user: '{{ db_user2 }}'
|
||||
login_password: password
|
||||
named_args:
|
||||
grantuser: '{{ db_user2 }}'
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
register: result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.rowcount == 0
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
|
||||
# Test
|
||||
- name: Grant execute to all tables
|
||||
postgresql_privs:
|
||||
type: table
|
||||
state: present
|
||||
privs: SELECT
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Check that all partitioned tables have select privileges
|
||||
postgresql_query:
|
||||
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
|
||||
db: "{{ db_name }}"
|
||||
login_user: '{{ db_user2 }}'
|
||||
login_password: password
|
||||
named_args:
|
||||
grantuser: '{{ db_user2 }}'
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
register: result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.rowcount == 1
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Test
|
||||
- name: Grant execute to all tables again to see no changes are reported
|
||||
postgresql_privs:
|
||||
type: table
|
||||
state: present
|
||||
privs: SELECT
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is not changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Test
|
||||
- name: Revoke SELECT to all tables
|
||||
postgresql_privs:
|
||||
type: table
|
||||
state: absent
|
||||
privs: SELECT
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Check that all partitioned tables don't have select privileges
|
||||
postgresql_query:
|
||||
query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s
|
||||
db: "{{ db_name }}"
|
||||
login_user: '{{ db_user2 }}'
|
||||
login_password: password
|
||||
named_args:
|
||||
grantuser: '{{ db_user2 }}'
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
register: result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.rowcount == 0
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Test
|
||||
- name: Revoke SELECT to all tables and no changes are reported
|
||||
postgresql_privs:
|
||||
type: table
|
||||
state: absent
|
||||
privs: SELECT
|
||||
roles: "{{ db_user2 }}"
|
||||
objs: ALL_IN_SCHEMA
|
||||
schema: public
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that: result is not changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Table ALL_IN_SCHEMA cleanup
|
||||
- name: Remove table for test
|
||||
postgresql_query:
|
||||
query: DROP TABLE public.testpt;
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ db_user3 }}"
|
||||
login_password: password
|
||||
ignore_errors: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
###########################################
|
||||
# Test for 'type' value of type parameter #
|
||||
###########################################
|
||||
|
||||
# Test
|
||||
- name: Grant type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: type
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: numeric
|
||||
schema: pg_catalog
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Get type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
login_db: "{{ db_name }}"
|
||||
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
|
||||
register: typ_result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Grant type privileges again using check_mode
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: type
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: numeric
|
||||
schema: pg_catalog
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
check_mode: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is not changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Get type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
login_db: "{{ db_name }}"
|
||||
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
|
||||
register: typ_result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Grant type privileges again
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: type
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: numeric
|
||||
schema: pg_catalog
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is not changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Get type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
login_db: "{{ db_name }}"
|
||||
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
|
||||
register: typ_result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Revoke type privileges in check_mode
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
state: absent
|
||||
type: type
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: numeric
|
||||
schema: pg_catalog
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
check_mode: yes
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Get type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
login_db: "{{ db_name }}"
|
||||
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
|
||||
register: typ_result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Revoke type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
state: absent
|
||||
type: type
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: numeric
|
||||
schema: pg_catalog
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Get type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
login_db: "{{ db_name }}"
|
||||
query: SELECT typacl FROM pg_catalog.pg_type WHERE typname = 'numeric';
|
||||
register: typ_result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "'{{ db_user2 }}' not in typ_result.query_result[0].typacl"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# type with default schema (public):
|
||||
- name: Create custom type in schema public
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
login_db: "{{ db_name }}"
|
||||
query: "CREATE TYPE compfoo AS (f1 int, f2 text)"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Test
|
||||
- name: Grant type privileges with default schema
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
state: present
|
||||
type: type
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: compfoo
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that:
|
||||
- result is changed
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Get type privileges
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_query:
|
||||
login_user: "{{ pg_user }}"
|
||||
login_db: "{{ db_name }}"
|
||||
query: >
|
||||
SELECT t.typacl FROM pg_catalog.pg_type t JOIN pg_catalog.pg_namespace n
|
||||
ON n.oid = t.typnamespace WHERE t.typname = 'compfoo' AND n.nspname = 'public';
|
||||
register: typ_result
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
# Cleanup
|
||||
- name: Remove privs
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_privs:
|
||||
state: absent
|
||||
type: type
|
||||
roles: "{{ db_user2 }}"
|
||||
privs: ALL
|
||||
objs: compfoo
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
when: postgres_version_resp.stdout is version('10', '>=')
|
||||
|
||||
- name: Reassign ownership
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_owner:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: "{{ db_name }}"
|
||||
new_owner: "{{ pg_user }}"
|
||||
reassign_owned_by: "{{ item }}"
|
||||
loop:
|
||||
- "{{ db_user2 }}"
|
||||
- "{{ db_user3 }}"
|
||||
|
||||
- name: Remove user given permissions
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_user:
|
||||
name: "{{ db_user2 }}"
|
||||
state: absent
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Remove user owner of objects
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_user:
|
||||
name: "{{ db_user3 }}"
|
||||
state: absent
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Destroy DB
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_db:
|
||||
state: absent
|
||||
name: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
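Review bot: The two verification queries after the check-mode and real grants on test_view splice the role name into the SQL text — `query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = '{{ db_user2 }}'"` — while the partitioned-table checks further down the same hunk pass the role through `named_args` as `%(grantuser)s`; use the parameterized form in both places so the file is consistent and a role name containing a quote cannot break the statement: `query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = %(grantee)s"` together with `named_args: {grantee: "{{ db_user2 }}"}`. Several task names and comments were copy-pasted without being updated: the second `Check that nothing was changed after the prev step` asserts `result.rowcount == 1`, the comment `# Function ALL_IN_SCHEMA Setup` heads the partitioned-table setup, the `Grant execute to all tables` tasks grant SELECT, and `partioned` (twice) should read `partitioned`. The three `shell: echo "CREATE ..." | psql` setup steps for the foreign data wrapper could use `postgresql_query` as the view setup earlier in the hunk does, which also removes the quoting round-trip through a shell. The file header for this hunk is not shown on the page.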
|
@ -0,0 +1,382 @@
|
|||
# The tests below were added initially and moved here
|
||||
# from the shared target called ``postgresql`` by @Andersson007 <aaklychkov@mail.ru>.
|
||||
# You can see modern examples of CI tests in postgresql_publication directory, for example.
|
||||
|
||||
#
|
||||
# Test settings privileges
|
||||
#
|
||||
- name: Create db
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_db:
|
||||
name: "{{ db_name }}"
|
||||
state: "present"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Create some tables on the db
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "create table test_table1 (field text);" | psql {{ db_name }}
|
||||
|
||||
- become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "create table test_table2 (field text);" | psql {{ db_name }}
|
||||
|
||||
- vars:
|
||||
db_password: 'secretù' # use UTF-8
|
||||
block:
|
||||
- name: Create a user with some permissions on the db
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ db_user1 }}"
|
||||
encrypted: 'yes'
|
||||
password: "md5{{ (db_password ~ db_user1) | hash('md5')}}"
|
||||
db: "{{ db_name }}"
|
||||
priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP'
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- include_tasks: pg_authid_not_readable.yml
|
||||
|
||||
- name: Check that the user has the requested permissions (table1)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }}
|
||||
register: result_table1
|
||||
|
||||
- name: Check that the user has the requested permissions (table2)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }}
|
||||
register: result_table2
|
||||
|
||||
- name: Check that the user has the requested permissions (database)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }}
|
||||
register: result_database
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_table1.stdout_lines[-1] == '(7 rows)'"
|
||||
- "'INSERT' in result_table1.stdout"
|
||||
- "'SELECT' in result_table1.stdout"
|
||||
- "'UPDATE' in result_table1.stdout"
|
||||
- "'DELETE' in result_table1.stdout"
|
||||
- "'TRUNCATE' in result_table1.stdout"
|
||||
- "'REFERENCES' in result_table1.stdout"
|
||||
- "'TRIGGER' in result_table1.stdout"
|
||||
- "result_table2.stdout_lines[-1] == '(1 row)'"
|
||||
- "'INSERT' == '{{ result_table2.stdout_lines[-2] | trim }}'"
|
||||
- "result_database.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ db_user1 }}=CTc/{{ pg_user }}' in result_database.stdout_lines[-2]"
|
||||
|
||||
- name: Add another permission for the user
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ db_user1 }}"
|
||||
encrypted: 'yes'
|
||||
password: "md55c8ccfd9d6711fc69a7eae647fc54f51"
|
||||
db: "{{ db_name }}"
|
||||
priv: 'test_table2:select'
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
|
||||
- name: Check that ansible reports it changed the user
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Check that the user has the requested permissions (table2)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }}
|
||||
register: result_table2
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_table2.stdout_lines[-1] == '(2 rows)'"
|
||||
- "'INSERT' in result_table2.stdout"
|
||||
- "'SELECT' in result_table2.stdout"
|
||||
|
||||
#
|
||||
# Test priv setting via postgresql_privs module
|
||||
# (Depends on state from previous _user privs tests)
|
||||
#
|
||||
|
||||
- name: Revoke a privilege
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
type: "table"
|
||||
state: "absent"
|
||||
roles: "{{ db_user1 }}"
|
||||
privs: "INSERT"
|
||||
objs: "test_table2"
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
|
||||
- name: Check that ansible reports it changed the user
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Check that the user has the requested permissions (table2)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }}
|
||||
register: result_table2
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_table2.stdout_lines[-1] == '(1 row)'"
|
||||
- "'SELECT' == '{{ result_table2.stdout_lines[-2] | trim }}'"
|
||||
|
||||
- name: Revoke many privileges on multiple tables
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
state: "absent"
|
||||
roles: "{{ db_user1 }}"
|
||||
privs: "INSERT,select,UPDATE,TRUNCATE,REFERENCES,TRIGGER,delete"
|
||||
objs: "test_table2,test_table1"
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
|
||||
- name: Check that ansible reports it changed the user
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Check that permissions were revoked (table1)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }}
|
||||
register: result_table1
|
||||
|
||||
- name: Check that permissions were revoked (table2)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }}
|
||||
register: result_table2
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_table1.stdout_lines[-1] == '(0 rows)'"
|
||||
- "result_table2.stdout_lines[-1] == '(0 rows)'"
|
||||
|
||||
- name: Revoke database privileges
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
type: "database"
|
||||
state: "absent"
|
||||
roles: "{{ db_user1 }}"
|
||||
privs: "Create,connect,TEMP"
|
||||
objs: "{{ db_name }}"
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Check that the user has the requested permissions (database)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }}
|
||||
register: result_database
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_database.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ db_user1 }}' not in result_database.stdout"
|
||||
|
||||
- name: Grant database privileges
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
type: "database"
|
||||
state: "present"
|
||||
roles: "{{ db_user1 }}"
|
||||
privs: "CREATE,connect"
|
||||
objs: "{{ db_name }}"
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
|
||||
- name: Check that ansible reports it changed the user
|
||||
assert:
|
||||
that:
|
||||
- result is changed
|
||||
|
||||
- name: Check that the user has the requested permissions (database)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }}
|
||||
register: result_database
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_database.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ db_user1 }}=Cc' in result_database.stdout"
|
||||
|
||||
- name: Grant a single privilege on a table
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
state: "present"
|
||||
roles: "{{ db_user1 }}"
|
||||
privs: "INSERT"
|
||||
objs: "test_table1"
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Check that permissions were added (table1)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }}
|
||||
register: result_table1
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_table1.stdout_lines[-1] == '(1 row)'"
|
||||
- "'{{ result_table1.stdout_lines[-2] | trim }}' == 'INSERT'"
|
||||
|
||||
- name: Grant many privileges on multiple tables
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
state: "present"
|
||||
roles: "{{ db_user1 }}"
|
||||
privs: 'INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,trigger'
|
||||
objs: "test_table2,test_table1"
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Check that permissions were added (table1)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }}
|
||||
register: result_table1
|
||||
|
||||
- name: Check that permissions were added (table2)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }}
|
||||
register: result_table2
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result_table1.stdout_lines[-1] == '(7 rows)'"
|
||||
- "'INSERT' in result_table1.stdout"
|
||||
- "'SELECT' in result_table1.stdout"
|
||||
- "'UPDATE' in result_table1.stdout"
|
||||
- "'DELETE' in result_table1.stdout"
|
||||
- "'TRUNCATE' in result_table1.stdout"
|
||||
- "'REFERENCES' in result_table1.stdout"
|
||||
- "'TRIGGER' in result_table1.stdout"
|
||||
- "result_table2.stdout_lines[-1] == '(7 rows)'"
|
||||
- "'INSERT' in result_table2.stdout"
|
||||
- "'SELECT' in result_table2.stdout"
|
||||
- "'UPDATE' in result_table2.stdout"
|
||||
- "'DELETE' in result_table2.stdout"
|
||||
- "'TRUNCATE' in result_table2.stdout"
|
||||
- "'REFERENCES' in result_table2.stdout"
|
||||
- "'TRIGGER' in result_table2.stdout"
|
||||
|
||||
# Check passing roles with dots
|
||||
# https://github.com/ansible/ansible/issues/63204
|
||||
- name: Create roles for further tests
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
name: "{{ item }}"
|
||||
loop:
|
||||
- "{{ db_user_with_dots1 }}"
|
||||
- "{{ db_user_with_dots2 }}"
|
||||
|
||||
- name: Pass role with dots in its name to roles parameter
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
state: "present"
|
||||
roles: "{{ db_user_with_dots1 }}"
|
||||
privs: "INSERT"
|
||||
objs: "test_table1"
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Check that permissions were added (table1)
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_query:
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
query: "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user_with_dots1 }}' and table_name='test_table1'"
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result.rowcount == 1
|
||||
|
||||
# We don't need to check anything here, only that nothing failed
|
||||
- name: Pass role with dots in its name to target_roles parameter
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
state: "present"
|
||||
roles: "{{ db_user_with_dots1 }}"
|
||||
privs: "INSERT"
|
||||
objs: TABLES
|
||||
type: default_privs
|
||||
target_roles: "{{ db_user_with_dots2 }}"
|
||||
|
||||
#
|
||||
# Cleanup
|
||||
#
|
||||
- name: Cleanup db
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_db:
|
||||
name: "{{ db_name }}"
|
||||
state: "absent"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Check that database was destroyed
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result.stdout_lines[-1] == '(0 rows)'"
|
||||
|
||||
- name: Cleanup test user
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ item }}"
|
||||
state: 'absent'
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
loop:
|
||||
- "{{ db_user1 }}"
|
||||
- "{{ db_user2 }}"
|
||||
- "{{ db_user3 }}"
|
||||
- "{{ db_user_with_dots1 }}"
|
||||
- "{{ db_user_with_dots2 }}"
|
||||
|
||||
- name: Check that they were removed
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- "result.stdout_lines[-1] == '(0 rows)'"
|
|
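Review bot: The last check, "Check that they were removed", only queries pg_user for `db_user1`, while the cleanup loop just before it removes five roles (`db_user1`, `db_user2`, `db_user3` and both dotted roles), so a leftover dotted role would pass unnoticed; widen the query to `shell: echo "select usename from pg_user where usename in ('{{ db_user1 }}','{{ db_user2 }}','{{ db_user3 }}','{{ db_user_with_dots1 }}','{{ db_user_with_dots2 }}');" | psql -d postgres` and keep the `(0 rows)` assertion. The file also mixes `shell: echo "..." | psql {{ db_name }}` checks with the `postgresql_query` module used in "Check that permissions were added (table1)"; the module form avoids interpolating Jinja values into a shell command line and a SQL literal, and its `rowcount` is a cleaner assertion than parsing `stdout_lines[-1]`. Finally, `become: yes` throughout and `encrypted: 'yes'` in the two postgresql_user tasks are YAML 1.1 truthy spellings; `true` is the canonical boolean and what yamllint expects.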
@ -0,0 +1,79 @@
|
|||
- name: Create a high privileged user
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_user:
|
||||
name: "{{ db_session_role1 }}"
|
||||
state: "present"
|
||||
password: "password"
|
||||
role_attr_flags: "CREATEDB,LOGIN,CREATEROLE"
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
|
||||
- name: Create a low privileged user using the newly created user
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
postgresql_user:
|
||||
name: "{{ db_session_role2 }}"
|
||||
state: "present"
|
||||
password: "password"
|
||||
role_attr_flags: "LOGIN"
|
||||
login_user: "{{ pg_user }}"
|
||||
session_role: "{{ db_session_role1 }}"
|
||||
db: postgres
|
||||
|
||||
- name: Create DB as session_role
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_db:
|
||||
state: present
|
||||
name: "{{ db_session_role1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
session_role: "{{ db_session_role1 }}"
|
||||
register: result
|
||||
|
||||
- name: Create table to be able to grant privileges
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
shell: echo "CREATE TABLE test(i int); CREATE TABLE test2(i int);" | psql -AtXq "{{ db_session_role1 }}"
|
||||
|
||||
- name: Grant all privileges on test1 table to low privileged user
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
db: "{{ db_session_role1 }}"
|
||||
type: table
|
||||
objs: test
|
||||
roles: "{{ db_session_role2 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
privs: select
|
||||
admin_option: yes
|
||||
|
||||
- name: Verify admin option was successful for grants
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
db: "{{ db_session_role1 }}"
|
||||
type: table
|
||||
objs: test
|
||||
roles: "{{ db_session_role1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
privs: select
|
||||
session_role: "{{ db_session_role2 }}"
|
||||
|
||||
- name: Verify no grants can be granted for test2 table
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
db: "{{ db_session_role1 }}"
|
||||
type: table
|
||||
objs: test2
|
||||
roles: "{{ db_session_role1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
privs: update
|
||||
session_role: "{{ db_session_role2 }}"
|
||||
ignore_errors: yes
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result is failed
|
|
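Review bot: "Create DB as session_role" registers `result` but nothing asserts on it, and "Verify admin option was successful for grants" neither registers nor asserts, so both tasks only prove the module did not error even though the grant-through-`session_role` path is what this file exists to test. Register the second task and follow it with `- assert: { that: result is changed }` (or inspect the table ACL with postgresql_query), and either assert `result is changed` on the first one or drop its `register`. The task name "Grant all privileges on test1 table to low privileged user" does not match `objs: test` / `privs: select`; a name such as "Grant select on test table with grant option" describes what is actually granted. `admin_option: yes` and `ignore_errors: yes` should be written as `true`.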
@ -0,0 +1,120 @@
|
|||
# Setup
|
||||
- name: Create a test user
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ db_user1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
|
||||
- name: Create DB
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_db:
|
||||
state: present
|
||||
name: "{{ db_name }}"
|
||||
owner: "{{ db_user1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Create a user to be given permissions and other tests
|
||||
postgresql_user:
|
||||
name: "{{ db_user2 }}"
|
||||
state: present
|
||||
encrypted: yes
|
||||
password: password
|
||||
role_attr_flags: LOGIN
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
#######################################
|
||||
# Test default_privs with target_role #
|
||||
#######################################
|
||||
|
||||
# Test
|
||||
- name: Grant default privileges for new table objects
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
db: "{{ db_name }}"
|
||||
objs: TABLES
|
||||
privs: SELECT
|
||||
type: default_privs
|
||||
role: "{{ db_user2 }}"
|
||||
target_roles: "{{ db_user1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is changed
|
||||
|
||||
- name: Check that default privileges are set
|
||||
become: yes
|
||||
become_user: "{{ pg_user }}"
|
||||
shell: psql {{ db_name }} -c "SELECT defaclrole, defaclobjtype, defaclacl FROM pg_default_acl a JOIN pg_roles b ON a.defaclrole=b.oid;" -t
|
||||
register: result
|
||||
|
||||
- assert:
|
||||
that: "'{{ db_user2 }}=r/{{ db_user1 }}' in '{{ result.stdout_lines[0] }}'"
|
||||
|
||||
# Test
|
||||
- name: Revoke default privileges for new table objects
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_privs:
|
||||
db: "{{ db_name }}"
|
||||
state: absent
|
||||
objs: TABLES
|
||||
privs: SELECT
|
||||
type: default_privs
|
||||
role: "{{ db_user2 }}"
|
||||
target_roles: "{{ db_user1 }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
register: result
|
||||
|
||||
# Checks
|
||||
- assert:
|
||||
that: result is changed
|
||||
|
||||
# Cleanup
|
||||
- name: Remove user given permissions
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ db_user2 }}"
|
||||
state: absent
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Remove user owner of objects
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ db_user3 }}"
|
||||
state: absent
|
||||
db: "{{ db_name }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
|
||||
- name: Destroy DBs
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_db:
|
||||
state: absent
|
||||
name: "{{ item }}"
|
||||
login_user: "{{ pg_user }}"
|
||||
loop:
|
||||
- "{{ db_name }}"
|
||||
- "{{ db_session_role1 }}"
|
||||
|
||||
- name: Remove test users
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_user:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
db: postgres
|
||||
login_user: "{{ pg_user }}"
|
||||
loop:
|
||||
- "{{ db_user1 }}"
|
||||
- "{{ db_session_role1 }}"
|
||||
- "{{ db_session_role2 }}"
|
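Review bot: "Create a user to be given permissions and other tests" is the only task in this file without `become: yes` / `become_user: "{{ pg_user }}"`, so it runs as the connection user while still passing `login_user: "{{ pg_user }}"`; on a peer-authenticated local socket that connection can be refused. Add the two become lines exactly as the neighbouring tasks have them. The two default_privs tasks use `role:` where every other postgresql_privs call in this target uses `roles:`; `role` is an alias of `roles`, but keeping `roles:` makes the tasks grep-consistent. The cleanup also removes `db_user3`, which is never created here, and drops `db_session_role1`/`db_session_role2` created by the session_role task file; that cross-file dependency deserves a comment such as `# Also cleans up roles and DB left behind by postgresql_privs_session_role.yml`.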