ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-04-05 02:00:31 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix user plugin changes in check mode (#596)

Browse source 
* Fix user plugin changes in check mode

* Add auth plugin tests

* Undo local changes

* Improve task names

* Fix query

* Changes

* Add check

* Add check

* Add check

* Add one more check

* Add one more check

* Fix typo

* Change parameter

* Testing

* Remove tests

* Add tests

* Test first stteps

* Readd tests

* Test without check mode

* Test with check mode

* Test with check mode

* Testing

* Testing

* Add missing tests

* Changes for ansible-lint complaints

* Fix condition

* Update changelogs/fragments/596-fix-check-changes.yaml

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

* refactor

* Add more tests

* Fix newpass var

* Remove extra test

---------

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
This commit is contained in:
Fran 2024-08-30 11:15:16 +02:00 committed by GitHub
parent 87be61ccf3
commit 0de9685cf1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 175 additions and 68 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/596-fix-check-changes.yaml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- mysql_user - module makes changes when is executed with ``plugin_auth_string`` parameter and check mode.

3
plugins/module_utils/user.py
View file

@ -411,7 +411,8 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
else:
query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)
cursor.execute(*query_with_args)
if not module.check_mode:
cursor.execute(*query_with_args)
password_changed = True
changed = True

227
tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml
View file

@ -24,7 +24,7 @@
#
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -34,28 +34,28 @@
register: result
- name: Plugin auth | Get user information (with hash string)
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
ansible.builtin.assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -64,12 +64,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Update the user with a different hash
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -78,18 +78,18 @@
register: result
- name: Plugin auth | Check that the module makes the change because the hash changed
assert:
ansible.builtin.assert:
that:
- result is changed
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Getting the MySQL info with the new password should work
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_new_auth_string }}'
login_host: '{{ mysql_host }}'
@ -98,12 +98,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -112,7 +112,7 @@
#
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -122,28 +122,28 @@
register: result
- name: Plugin auth | Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
ansible.builtin.assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -152,12 +152,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Update the user with the same hash (no change expected)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -167,19 +167,19 @@
# FIXME: on mariadb 10.2 there's always a change
- name: Plugin auth | Check that the module doesn't make a change when the same hash is passed in
assert:
ansible.builtin.assert:
that:
- result is not changed
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in plaintext form
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -189,12 +189,12 @@
# Expecting a change is currently by design (see comment in source).
- name: Plugin auth | Check that the module did not change the password
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Getting the MySQL info should still work
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -203,12 +203,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -217,7 +217,7 @@
#
- name: Plugin auth | Create user with plugin auth (with auth string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -227,28 +227,28 @@
register: result
- name: Plugin auth | Get user information(with auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (with auth string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (with auth string)
assert:
ansible.builtin.assert:
that:
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -257,12 +257,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Update the user with the same auth string
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -273,18 +273,18 @@
# This is the current expected behavior because there isn't a reliable way to hash the password in the mysql_user
# module in order to be able to compare this password with the stored hash. See the source for more info.
- name: Plugin auth | The module should detect a change even though the password is the same
assert:
ansible.builtin.assert:
that:
- result is changed
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in hash form
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -293,12 +293,12 @@
register: result
- name: Plugin auth | Check that the module did not change the password
assert:
ansible.builtin.assert:
that:
- result is not changed
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -307,12 +307,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -321,7 +321,7 @@
#
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -330,28 +330,28 @@
register: result
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
ansible.builtin.assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Get the MySQL version using an empty password for the newly created user
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: ''
login_host: '{{ mysql_host }}'
@ -361,12 +361,12 @@
ignore_errors: true
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Get the MySQL version using an non-empty password (should fail)
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: 'some_password'
login_host: '{{ mysql_host }}'
@ -376,12 +376,12 @@
ignore_errors: true
- name: Plugin auth | Assert that mysql_info failed
assert:
ansible.builtin.assert:
that:
- result is failed
- name: Plugin auth | Update the user without changing the auth mechanism
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -390,12 +390,12 @@
register: result
- name: Plugin auth | Assert that the user wasn't changed because the auth string is still empty
assert:
ansible.builtin.assert:
that:
- result is not changed
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -415,7 +415,7 @@
block:
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: '{{ test_plugin_type }}'
@ -423,28 +423,28 @@
register: result
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
ansible.builtin.assert:
that:
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: localhost
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Switch user to sha256_password auth plugin
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: sha256_password
@ -452,28 +452,28 @@
register: result
- name: Plugin auth | Get user information (sha256_password)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (sha256_password)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (sha256_password)
assert:
ansible.builtin.assert:
that:
- "'sha256_password' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: localhost
priv: "{{ test_default_priv_type }}"
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -505,7 +505,7 @@
register: result
failed_when: result is changed
- name: cleanup user
- name: Cleanup user
ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -544,3 +544,96 @@
priv: "{{ test_default_priv }}"
register: result
failed_when: result is success
# ============================================================
# Test auth plugin change
#
- name: Plugin auth | Test plugin auth switching which doesn't work on pymysql < 0.9
when:
- >
connector_name != 'pymysql'
or (
connector_name == 'pymysql'
and connector_version is version('0.9', '>=')
)
block:
- name: Cleanup user
ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
- name: Plugin auth | Create user with mysql_native_password
community.mysql.mysql_user:
<<: *mysql_params
name: "{{ test_user_name }}"
host: "%"
plugin: "{{ test_plugin_type }}"
password: "{{ test_plugin_auth_string }}"
priv: "{{ test_default_priv }}"
- name: Plugin auth | Check that the expected plugin type is set
ansible.builtin.include_tasks: utils/assert_plugin.yml
vars:
user_name: "{{ test_user_name }}"
plugin_type: "{{ test_plugin_type }}"
- name: Plugin auth | Connect with user and password
ansible.builtin.command: '{{ mysql_command }} -u {{ test_user_name }} -p{{ test_plugin_auth_string }} -e "SELECT 1"'
changed_when: false
- name: Plugin auth | Change auth user plugin in check mode
community.mysql.mysql_user:
<<: *mysql_params
name: "{{ test_user_name }}"
host: '%'
plugin: caching_sha2_password
plugin_auth_string: "{{ test_plugin_auth_string }}"
salt: "{{ test_salt }}"
priv: "{{ test_default_priv }}"
check_mode: true
register: result
failed_when: result is not changed
- name: Plugin auth | Check that the expected plugin type is set (not changed)
ansible.builtin.include_tasks: utils/assert_plugin.yml
vars:
user_name: "{{ test_user_name }}"
plugin_type: "{{ test_plugin_type }}"
- name: Plugin auth | Change auth user plugin
community.mysql.mysql_user:
<<: *mysql_params
name: "{{ test_user_name }}"
host: '%'
plugin: caching_sha2_password
plugin_auth_string: "{{ test_plugin_auth_string }}"
salt: "{{ test_salt }}"
priv: "{{ test_default_priv }}"
register: result
failed_when: result is not changed
- name: Plugin auth | Check that the expected (new) plugin type is set
ansible.builtin.include_tasks: utils/assert_plugin.yml
vars:
user_name: "{{ test_user_name }}"
plugin_type: caching_sha2_password
- name: Plugin auth | Change auth user plugin again (should not change)
community.mysql.mysql_user:
<<: *mysql_params
name: "{{ test_user_name }}"
host: '%'
plugin: caching_sha2_password
plugin_auth_string: "{{ test_plugin_auth_string }}"
salt: "{{ test_salt }}"
priv: "{{ test_default_priv }}"
register: result
failed_when: result is changed
- name: Plugin auth | Check that the expected (not changed) plugin type is set
ansible.builtin.include_tasks: utils/assert_plugin.yml
vars:
user_name: "{{ test_user_name }}"
plugin_type: caching_sha2_password

11
tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml Normal file
View file

@ -0,0 +1,11 @@
---
- name: Utils | Assert plugin | Query for user {{ user_name }}
ansible.builtin.command: "{{ mysql_command }} -e \"SELECT plugin FROM mysql.user where user='{{ user_name }}'\""
register: result
changed_when: False
- name: Utils | Assert plugin | Assert plugin is correct
ansible.builtin.assert:
that:
- plugin_type in result.stdout