From 0de9685cf1db355fac194f70e154fa48ecd06705 Mon Sep 17 00:00:00 2001 From: Fran <51233345+francescsanjuanmrf@users.noreply.github.com> Date: Fri, 30 Aug 2024 11:15:16 +0200 Subject: [PATCH] Fix user plugin changes in check mode (#596) * Fix user plugin changes in check mode * Add auth plugin tests * Undo local changes * Improve task names * Fix query * Changes * Add check * Add check * Add check * Add one more check * Add one more check * Fix typo * Change parameter * Testing * Remove tests * Add tests * Test first stteps * Readd tests * Test without check mode * Test with check mode * Test with check mode * Testing * Testing * Add missing tests * Changes for ansible-lint complaints * Fix condition * Update changelogs/fragments/596-fix-check-changes.yaml Co-authored-by: Andrew Klychkov * refactor * Add more tests * Fix newpass var * Remove extra test --------- Co-authored-by: Andrew Klychkov --- .../fragments/596-fix-check-changes.yaml | 2 + plugins/module_utils/user.py | 3 +- .../tasks/test_user_plugin_auth.yml | 227 ++++++++++++------ .../tasks/utils/assert_plugin.yml | 11 + 4 files changed, 175 insertions(+), 68 deletions(-) create mode 100644 changelogs/fragments/596-fix-check-changes.yaml create mode 100644 tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml diff --git a/changelogs/fragments/596-fix-check-changes.yaml b/changelogs/fragments/596-fix-check-changes.yaml new file mode 100644 index 0000000..e7c24f1 --- /dev/null +++ b/changelogs/fragments/596-fix-check-changes.yaml @@ -0,0 +1,2 @@ +bugfixes: + - mysql_user - module makes changes when is executed with ``plugin_auth_string`` parameter and check mode. diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py index 5e0196a..7d7d304 100644 --- a/plugins/module_utils/user.py +++ b/plugins/module_utils/user.py @@ -411,7 +411,8 @@ def user_mod(cursor, user, host, host_all, password, encrypted, else: query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin) - cursor.execute(*query_with_args) + if not module.check_mode: + cursor.execute(*query_with_args) password_changed = True changed = True diff --git a/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml b/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml index b5ed6c5..f6f3c2e 100644 --- a/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml +++ b/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml @@ -24,7 +24,7 @@ # - name: Plugin auth | Create user with plugin auth (with hash string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -34,28 +34,28 @@ register: result - name: Plugin auth | Get user information (with hash string) - command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (with hash string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (with hash string) - assert: + ansible.builtin.assert: that: - "'{{ test_plugin_type }}' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -64,12 +64,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Update the user with a different hash - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -78,18 +78,18 @@ register: result - name: Plugin auth | Check that the module makes the change because the hash changed - assert: + ansible.builtin.assert: that: - result is changed - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Getting the MySQL info with the new password should work - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_new_auth_string }}' login_host: '{{ mysql_host }}' @@ -98,12 +98,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -112,7 +112,7 @@ # - name: Plugin auth | Create user with plugin auth (with hash string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -122,28 +122,28 @@ register: result - name: Plugin auth | Get user information - command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (with hash string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (with hash string) - assert: + ansible.builtin.assert: that: - "'{{ test_plugin_type }}' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -152,12 +152,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Update the user with the same hash (no change expected) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -167,19 +167,19 @@ # FIXME: on mariadb 10.2 there's always a change - name: Plugin auth | Check that the module doesn't make a change when the same hash is passed in - assert: + ansible.builtin.assert: that: - result is not changed when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in plaintext form - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -189,12 +189,12 @@ # Expecting a change is currently by design (see comment in source). - name: Plugin auth | Check that the module did not change the password - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Getting the MySQL info should still work - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -203,12 +203,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -217,7 +217,7 @@ # - name: Plugin auth | Create user with plugin auth (with auth string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -227,28 +227,28 @@ register: result - name: Plugin auth | Get user information(with auth string) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (with auth string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (with auth string) - assert: + ansible.builtin.assert: that: - test_plugin_type in show_create_user.stdout when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -257,12 +257,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Update the user with the same auth string - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -273,18 +273,18 @@ # This is the current expected behavior because there isn't a reliable way to hash the password in the mysql_user # module in order to be able to compare this password with the stored hash. See the source for more info. - name: Plugin auth | The module should detect a change even though the password is the same - assert: + ansible.builtin.assert: that: - result is changed - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in hash form - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -293,12 +293,12 @@ register: result - name: Plugin auth | Check that the module did not change the password - assert: + ansible.builtin.assert: that: - result is not changed - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -307,12 +307,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -321,7 +321,7 @@ # - name: Plugin auth | Create user with plugin auth (empty auth string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -330,28 +330,28 @@ register: result - name: Plugin auth | Get user information (empty auth string) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (empty auth string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (empty auth string) - assert: + ansible.builtin.assert: that: - "'{{ test_plugin_type }}' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Get the MySQL version using an empty password for the newly created user - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '' login_host: '{{ mysql_host }}' @@ -361,12 +361,12 @@ ignore_errors: true - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Get the MySQL version using an non-empty password (should fail) - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: 'some_password' login_host: '{{ mysql_host }}' @@ -376,12 +376,12 @@ ignore_errors: true - name: Plugin auth | Assert that mysql_info failed - assert: + ansible.builtin.assert: that: - result is failed - name: Plugin auth | Update the user without changing the auth mechanism - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -390,12 +390,12 @@ register: result - name: Plugin auth | Assert that the user wasn't changed because the auth string is still empty - assert: + ansible.builtin.assert: that: - result is not changed # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -415,7 +415,7 @@ block: - name: Plugin auth | Create user with plugin auth (empty auth string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' plugin: '{{ test_plugin_type }}' @@ -423,28 +423,28 @@ register: result - name: Plugin auth | Get user information (empty auth string) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (empty auth string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (empty auth string) - assert: + ansible.builtin.assert: that: - test_plugin_type in show_create_user.stdout when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: localhost priv: "{{ test_default_priv_type }}" - name: Plugin auth | Switch user to sha256_password auth plugin - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' plugin: sha256_password @@ -452,28 +452,28 @@ register: result - name: Plugin auth | Get user information (sha256_password) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (sha256_password) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (sha256_password) - assert: + ansible.builtin.assert: that: - "'sha256_password' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: localhost priv: "{{ test_default_priv_type }}" # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -505,7 +505,7 @@ register: result failed_when: result is changed - - name: cleanup user + - name: Cleanup user ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -544,3 +544,96 @@ priv: "{{ test_default_priv }}" register: result failed_when: result is success + + # ============================================================ + # Test auth plugin change + # + + - name: Plugin auth | Test plugin auth switching which doesn't work on pymysql < 0.9 + when: + - > + connector_name != 'pymysql' + or ( + connector_name == 'pymysql' + and connector_version is version('0.9', '>=') + ) + block: + + - name: Cleanup user + ansible.builtin.include_tasks: utils/remove_user.yml + vars: + user_name: "{{ test_user_name }}" + + - name: Plugin auth | Create user with mysql_native_password + community.mysql.mysql_user: + <<: *mysql_params + name: "{{ test_user_name }}" + host: "%" + plugin: "{{ test_plugin_type }}" + password: "{{ test_plugin_auth_string }}" + priv: "{{ test_default_priv }}" + + - name: Plugin auth | Check that the expected plugin type is set + ansible.builtin.include_tasks: utils/assert_plugin.yml + vars: + user_name: "{{ test_user_name }}" + plugin_type: "{{ test_plugin_type }}" + + - name: Plugin auth | Connect with user and password + ansible.builtin.command: '{{ mysql_command }} -u {{ test_user_name }} -p{{ test_plugin_auth_string }} -e "SELECT 1"' + changed_when: false + + - name: Plugin auth | Change auth user plugin in check mode + community.mysql.mysql_user: + <<: *mysql_params + name: "{{ test_user_name }}" + host: '%' + plugin: caching_sha2_password + plugin_auth_string: "{{ test_plugin_auth_string }}" + salt: "{{ test_salt }}" + priv: "{{ test_default_priv }}" + check_mode: true + register: result + failed_when: result is not changed + + - name: Plugin auth | Check that the expected plugin type is set (not changed) + ansible.builtin.include_tasks: utils/assert_plugin.yml + vars: + user_name: "{{ test_user_name }}" + plugin_type: "{{ test_plugin_type }}" + + - name: Plugin auth | Change auth user plugin + community.mysql.mysql_user: + <<: *mysql_params + name: "{{ test_user_name }}" + host: '%' + plugin: caching_sha2_password + plugin_auth_string: "{{ test_plugin_auth_string }}" + salt: "{{ test_salt }}" + priv: "{{ test_default_priv }}" + register: result + failed_when: result is not changed + + - name: Plugin auth | Check that the expected (new) plugin type is set + ansible.builtin.include_tasks: utils/assert_plugin.yml + vars: + user_name: "{{ test_user_name }}" + plugin_type: caching_sha2_password + + - name: Plugin auth | Change auth user plugin again (should not change) + community.mysql.mysql_user: + <<: *mysql_params + name: "{{ test_user_name }}" + host: '%' + plugin: caching_sha2_password + plugin_auth_string: "{{ test_plugin_auth_string }}" + salt: "{{ test_salt }}" + priv: "{{ test_default_priv }}" + register: result + failed_when: result is changed + + - name: Plugin auth | Check that the expected (not changed) plugin type is set + ansible.builtin.include_tasks: utils/assert_plugin.yml + vars: + user_name: "{{ test_user_name }}" + plugin_type: caching_sha2_password diff --git a/tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml b/tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml new file mode 100644 index 0000000..7d3b5a1 --- /dev/null +++ b/tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml @@ -0,0 +1,11 @@ +--- + +- name: Utils | Assert plugin | Query for user {{ user_name }} + ansible.builtin.command: "{{ mysql_command }} -e \"SELECT plugin FROM mysql.user where user='{{ user_name }}'\"" + register: result + changed_when: False + +- name: Utils | Assert plugin | Assert plugin is correct + ansible.builtin.assert: + that: + - plugin_type in result.stdout