mirror of
				https://github.com/ansible-collections/community.mysql.git
				synced 2025-10-25 13:34:03 -07:00 
			
		
		
		
	Add TLS connection parameters (#9)
* Add TLS connection parameters * Add check mode tests * Fix check mode indentation * Run MySQL commands with the mysql_command variable * Fix typo * Restore code lost during cherry pick * Fix conditionals to accomodate for MySQL v8 * Fix equal operators * Remove Black formatting in an attempt to make codecov happy * Remove deprecation notice * Fix closing bracket * Remove code duplication
This commit is contained in:
		
					parent
					
						
							
								ecd70e8022
							
						
					
				
			
			
				commit
				
					
						36e7e6603e
					
				
			
		
					 3 changed files with 318 additions and 25 deletions
				
			
		
							
								
								
									
										2
									
								
								changelogs/fragments/369-mysql_user_add_tls_requires.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								changelogs/fragments/369-mysql_user_add_tls_requires.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,2 @@ | ||||||
|  | minor_changes: | ||||||
|  |   - mysql_user - add TLS REQUIRES parameters (https://github.com/ansible-collections/community.mysql/pull/9). | ||||||
|  | @ -60,6 +60,14 @@ options: | ||||||
|         user instead of overwriting existing ones. |         user instead of overwriting existing ones. | ||||||
|     type: bool |     type: bool | ||||||
|     default: no |     default: no | ||||||
|  |   tls_requires: | ||||||
|  |     description: | ||||||
|  |       - Set requirement for secure transport as a dictionary of requirements (see the examples). | ||||||
|  |       - Valid requirements are SSL, X509, SUBJECT, ISSUER, CIPHER. | ||||||
|  |       - SUBJECT, ISSUER and CIPHER are complementary, and mutually exclusive with SSL and X509. | ||||||
|  |       - U(https://mariadb.com/kb/en/securing-connections-for-client-and-server/#requiring-tls). | ||||||
|  |     type: dict | ||||||
|  |     version_added: 1.0.0 | ||||||
|   sql_log_bin: |   sql_log_bin: | ||||||
|     description: |     description: | ||||||
|       - Whether binary logging should be enabled or disabled for the connection. |       - Whether binary logging should be enabled or disabled for the connection. | ||||||
|  | @ -180,6 +188,7 @@ EXAMPLES = r''' | ||||||
|       'db2.*': 'ALL,GRANT' |       'db2.*': 'ALL,GRANT' | ||||||
| 
 | 
 | ||||||
| # Note that REQUIRESSL is a special privilege that should only apply to *.* by itself. | # Note that REQUIRESSL is a special privilege that should only apply to *.* by itself. | ||||||
|  | # Setting this privilege in this manner is supported for backwards compatibility only. Use 'tls_requires' instead. | ||||||
| - name: Modify user to require SSL connections. | - name: Modify user to require SSL connections. | ||||||
|   community.mysql.mysql_user: |   community.mysql.mysql_user: | ||||||
|     name: bob |     name: bob | ||||||
|  | @ -187,6 +196,20 @@ EXAMPLES = r''' | ||||||
|     priv: '*.*:REQUIRESSL' |     priv: '*.*:REQUIRESSL' | ||||||
|     state: present |     state: present | ||||||
| 
 | 
 | ||||||
|  | - name: Modify user to require TLS connection with a valid client certificate | ||||||
|  |   community.mysql.mysql_user: | ||||||
|  |     name: bob | ||||||
|  |     tls_requires: | ||||||
|  |       x509: | ||||||
|  |     state: present | ||||||
|  | 
 | ||||||
|  | - name: Modify user to require TLS connection with a specific client certificate and cipher | ||||||
|  |   community.mysql.mysql_user: | ||||||
|  |     name: bob | ||||||
|  |     tls_requires: | ||||||
|  |       subject: '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' | ||||||
|  |       cipher: 'ECDHE-ECDSA-AES256-SHA384' | ||||||
|  | 
 | ||||||
| - name: Ensure no user named 'sally'@'localhost' exists, also passing in the auth credentials. | - name: Ensure no user named 'sally'@'localhost' exists, also passing in the auth credentials. | ||||||
|   community.mysql.mysql_user: |   community.mysql.mysql_user: | ||||||
|     login_user: root |     login_user: root | ||||||
|  | @ -358,8 +381,73 @@ def user_exists(cursor, user, host, host_all): | ||||||
|     return count[0] > 0 |     return count[0] > 0 | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | def sanitize_requires(tls_requires): | ||||||
|  |     sanitized_requires = {} | ||||||
|  |     if tls_requires: | ||||||
|  |         for key in tls_requires.keys(): | ||||||
|  |             sanitized_requires[key.upper()] = tls_requires[key] | ||||||
|  |         if any([key in ["CIPHER", "ISSUER", "SUBJECT"] for key in sanitized_requires.keys()]): | ||||||
|  |             sanitized_requires.pop("SSL", None) | ||||||
|  |             sanitized_requires.pop("X509", None) | ||||||
|  |             return sanitized_requires | ||||||
|  | 
 | ||||||
|  |         if "X509" in sanitized_requires.keys(): | ||||||
|  |             sanitized_requires = "X509" | ||||||
|  |         else: | ||||||
|  |             sanitized_requires = "SSL" | ||||||
|  | 
 | ||||||
|  |         return sanitized_requires | ||||||
|  |     return None | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def mogrify_requires(query, params, tls_requires): | ||||||
|  |     if tls_requires: | ||||||
|  |         if isinstance(tls_requires, dict): | ||||||
|  |             k, v = zip(*tls_requires.items()) | ||||||
|  |             requires_query = " AND ".join(("%s %%s" % key for key in k)) | ||||||
|  |             params += v | ||||||
|  |         else: | ||||||
|  |             requires_query = tls_requires | ||||||
|  |         query = " REQUIRE ".join((query, requires_query)) | ||||||
|  |     return query, params | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def do_not_mogrify_requires(query, params, tls_requires): | ||||||
|  |     return query, params | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def get_tls_requires(cursor, user, host): | ||||||
|  |     if user: | ||||||
|  |         if not use_old_user_mgmt(cursor): | ||||||
|  |             query = "SHOW CREATE USER '%s'@'%s'" % (user, host) | ||||||
|  |         else: | ||||||
|  |             query = "SHOW GRANTS for '%s'@'%s'" % (user, host) | ||||||
|  | 
 | ||||||
|  |         cursor.execute(query) | ||||||
|  |         require_list = list(filter(lambda x: "REQUIRE" in x, cursor.fetchall())) | ||||||
|  |         require_line = require_list[0] if require_list else "" | ||||||
|  |         pattern = r"(?<=\bREQUIRE\b)(.*?)(?=(?:\bPASSWORD\b|$))" | ||||||
|  |         requires_match = re.search(pattern, require_line) | ||||||
|  |         requires = requires_match.group().strip() if requires_match else "" | ||||||
|  |         if len(requires.split()) > 1: | ||||||
|  |             import shlex | ||||||
|  | 
 | ||||||
|  |             items = iter(shlex.split(requires)) | ||||||
|  |             requires = dict(zip(items, items)) | ||||||
|  |         return requires or None | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | def get_grants(cursor, user, host): | ||||||
|  |     cursor.execute("SHOW GRANTS FOR %s@%s", (user, host)) | ||||||
|  |     grants_line = list(filter(lambda x: "ON *.*" in x[0], cursor.fetchall()))[0] | ||||||
|  |     pattern = r"(?<=\bGRANT\b)(.*?)(?=(?:\bON\b))" | ||||||
|  |     grants = re.search(pattern, grants_line[0]).group().strip() | ||||||
|  |     return grants.split(", ") | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| def user_add(cursor, user, host, host_all, password, encrypted, | def user_add(cursor, user, host, host_all, password, encrypted, | ||||||
|              plugin, plugin_hash_string, plugin_auth_string, new_priv, check_mode): |              plugin, plugin_hash_string, plugin_auth_string, new_priv, | ||||||
|  |              tls_requires, check_mode): | ||||||
|     # we cannot create users without a proper hostname |     # we cannot create users without a proper hostname | ||||||
|     if host_all: |     if host_all: | ||||||
|         return False |         return False | ||||||
|  | @ -370,27 +458,44 @@ def user_add(cursor, user, host, host_all, password, encrypted, | ||||||
|     # Determine what user management method server uses |     # Determine what user management method server uses | ||||||
|     old_user_mgmt = use_old_user_mgmt(cursor) |     old_user_mgmt = use_old_user_mgmt(cursor) | ||||||
| 
 | 
 | ||||||
|  |     mogrify = do_not_mogrify_requires if old_user_mgmt else mogrify_requires | ||||||
|  | 
 | ||||||
|     if password and encrypted: |     if password and encrypted: | ||||||
|         cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password)) |         cursor.execute(*mogrify("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password), tls_requires)) | ||||||
|     elif password and not encrypted: |     elif password and not encrypted: | ||||||
|         if old_user_mgmt: |         if old_user_mgmt: | ||||||
|             cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password)) |             cursor.execute(*mogrify("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password), tls_requires)) | ||||||
|         else: |         else: | ||||||
|             cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,)) |             cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,)) | ||||||
|             encrypted_password = cursor.fetchone()[0] |             encrypted_password = cursor.fetchone()[0] | ||||||
|             cursor.execute("CREATE USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, encrypted_password)) |             cursor.execute( | ||||||
| 
 |                 *mogrify( | ||||||
|  |                     "CREATE USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", | ||||||
|  |                     (user, host, encrypted_password), | ||||||
|  |                     tls_requires, | ||||||
|  |                 ) | ||||||
|  |             ) | ||||||
|     elif plugin and plugin_hash_string: |     elif plugin and plugin_hash_string: | ||||||
|         cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)) |         cursor.execute( | ||||||
|  |             *mogrify( | ||||||
|  |                 "CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string), tls_requires | ||||||
|  |             ) | ||||||
|  |         ) | ||||||
|     elif plugin and plugin_auth_string: |     elif plugin and plugin_auth_string: | ||||||
|         cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)) |         cursor.execute( | ||||||
|  |             *mogrify( | ||||||
|  |                 "CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string), tls_requires | ||||||
|  |             ) | ||||||
|  |         ) | ||||||
|     elif plugin: |     elif plugin: | ||||||
|         cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s", (user, host, plugin)) |         cursor.execute(*mogrify("CREATE USER %s@%s IDENTIFIED WITH %s", (user, host, plugin), tls_requires)) | ||||||
|     else: |     else: | ||||||
|         cursor.execute("CREATE USER %s@%s", (user, host)) |         cursor.execute(*mogrify("CREATE USER %s@%s", (user, host), tls_requires)) | ||||||
|     if new_priv is not None: |     if new_priv is not None: | ||||||
|         for db_table, priv in iteritems(new_priv): |         for db_table, priv in iteritems(new_priv): | ||||||
|             privileges_grant(cursor, user, host, db_table, priv) |             privileges_grant(cursor, user, host, db_table, priv, tls_requires) | ||||||
|  |     if tls_requires is not None: | ||||||
|  |         privileges_grant(cursor, user, host, "*.*", get_grants(cursor, user, host), tls_requires) | ||||||
|     return True |     return True | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | @ -403,7 +508,8 @@ def is_hash(password): | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def user_mod(cursor, user, host, host_all, password, encrypted, | def user_mod(cursor, user, host, host_all, password, encrypted, | ||||||
|              plugin, plugin_hash_string, plugin_auth_string, new_priv, append_privs, module): |              plugin, plugin_hash_string, plugin_auth_string, new_priv, | ||||||
|  |              append_privs, tls_requires, module): | ||||||
|     changed = False |     changed = False | ||||||
|     msg = "User unchanged" |     msg = "User unchanged" | ||||||
|     grant_option = False |     grant_option = False | ||||||
|  | @ -537,7 +643,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted, | ||||||
|                     msg = "New privileges granted" |                     msg = "New privileges granted" | ||||||
|                     if module.check_mode: |                     if module.check_mode: | ||||||
|                         return (True, msg) |                         return (True, msg) | ||||||
|                     privileges_grant(cursor, user, host, db_table, priv) |                     privileges_grant(cursor, user, host, db_table, priv, tls_requires) | ||||||
|                     changed = True |                     changed = True | ||||||
| 
 | 
 | ||||||
|             # If the db.table specification exists in both the user's current privileges |             # If the db.table specification exists in both the user's current privileges | ||||||
|  | @ -551,9 +657,28 @@ def user_mod(cursor, user, host, host_all, password, encrypted, | ||||||
|                         return (True, msg) |                         return (True, msg) | ||||||
|                     if not append_privs: |                     if not append_privs: | ||||||
|                         privileges_revoke(cursor, user, host, db_table, curr_priv[db_table], grant_option) |                         privileges_revoke(cursor, user, host, db_table, curr_priv[db_table], grant_option) | ||||||
|                     privileges_grant(cursor, user, host, db_table, new_priv[db_table]) |                     privileges_grant(cursor, user, host, db_table, new_priv[db_table], tls_requires) | ||||||
|                     changed = True |                     changed = True | ||||||
| 
 | 
 | ||||||
|  |         # Handle TLS requirements | ||||||
|  |         current_requires = get_tls_requires(cursor, user, host) | ||||||
|  |         if current_requires != tls_requires: | ||||||
|  |             msg = "TLS requires updated" | ||||||
|  |             if module.check_mode: | ||||||
|  |                 return (True, msg) | ||||||
|  |             if not old_user_mgmt: | ||||||
|  |                 pre_query = "ALTER USER" | ||||||
|  |             else: | ||||||
|  |                 pre_query = "GRANT %s ON *.* TO" % ",".join(get_grants(cursor, user, host)) | ||||||
|  | 
 | ||||||
|  |             if tls_requires is not None: | ||||||
|  |                 query = " ".join((pre_query, "%s@%s")) | ||||||
|  |                 cursor.execute(*mogrify_requires(query, (user, host), tls_requires)) | ||||||
|  |             else: | ||||||
|  |                 query = " ".join(pre_query, "%s@%s REQUIRE NONE") | ||||||
|  |                 cursor.execute(query, (user, host)) | ||||||
|  |             changed = True | ||||||
|  | 
 | ||||||
|     return (changed, msg) |     return (changed, msg) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | @ -611,7 +736,7 @@ def privileges_get(cursor, user, host): | ||||||
|         privileges = [pick(x.strip()) for x in privileges] |         privileges = [pick(x.strip()) for x in privileges] | ||||||
|         if "WITH GRANT OPTION" in res.group(7): |         if "WITH GRANT OPTION" in res.group(7): | ||||||
|             privileges.append('GRANT') |             privileges.append('GRANT') | ||||||
|         if "REQUIRE SSL" in res.group(7): |         if 'REQUIRE SSL' in res.group(7): | ||||||
|             privileges.append('REQUIRESSL') |             privileges.append('REQUIRESSL') | ||||||
|         db = res.group(2) |         db = res.group(2) | ||||||
|         output.setdefault(db, []).extend(privileges) |         output.setdefault(db, []).extend(privileges) | ||||||
|  | @ -690,19 +815,23 @@ def privileges_revoke(cursor, user, host, db_table, priv, grant_option): | ||||||
|     cursor.execute(query, (user, host)) |     cursor.execute(query, (user, host)) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def privileges_grant(cursor, user, host, db_table, priv): | def privileges_grant(cursor, user, host, db_table, priv, tls_requires): | ||||||
|     # Escape '%' since mysql db.execute uses a format string and the |     # Escape '%' since mysql db.execute uses a format string and the | ||||||
|     # specification of db and table often use a % (SQL wildcard) |     # specification of db and table often use a % (SQL wildcard) | ||||||
|     db_table = db_table.replace('%', '%%') |     db_table = db_table.replace('%', '%%') | ||||||
|     priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')]) |     priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')]) | ||||||
|     query = ["GRANT %s ON %s" % (priv_string, db_table)] |     query = ["GRANT %s ON %s" % (priv_string, db_table)] | ||||||
|     query.append("TO %s@%s") |     query.append("TO %s@%s") | ||||||
|     if 'REQUIRESSL' in priv: |     params = (user, host) | ||||||
|  |     if tls_requires and use_old_user_mgmt(cursor): | ||||||
|  |         query, params = mogrify_requires(" ".join(query), params, tls_requires) | ||||||
|  |         query = [query] | ||||||
|  |     if 'REQUIRESSL' in priv and not tls_requires: | ||||||
|         query.append("REQUIRE SSL") |         query.append("REQUIRE SSL") | ||||||
|     if 'GRANT' in priv: |     if 'GRANT' in priv: | ||||||
|         query.append("WITH GRANT OPTION") |         query.append("WITH GRANT OPTION") | ||||||
|     query = ' '.join(query) |     query = ' '.join(query) | ||||||
|     cursor.execute(query, (user, host)) |     cursor.execute(query, params) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def convert_priv_dict_to_str(priv): | def convert_priv_dict_to_str(priv): | ||||||
|  | @ -850,6 +979,7 @@ def limit_resources(module, cursor, user, host, resource_limits, check_mode): | ||||||
|     cursor.execute(query, (user, host)) |     cursor.execute(query, (user, host)) | ||||||
|     return True |     return True | ||||||
| 
 | 
 | ||||||
|  | 
 | ||||||
| # =========================================== | # =========================================== | ||||||
| # Module execution. | # Module execution. | ||||||
| # | # | ||||||
|  | @ -870,6 +1000,7 @@ def main(): | ||||||
|             host_all=dict(type="bool", default=False), |             host_all=dict(type="bool", default=False), | ||||||
|             state=dict(type='str', default='present', choices=['absent', 'present']), |             state=dict(type='str', default='present', choices=['absent', 'present']), | ||||||
|             priv=dict(type='raw'), |             priv=dict(type='raw'), | ||||||
|  |             tls_requires=dict(type='dict'), | ||||||
|             append_privs=dict(type='bool', default=False), |             append_privs=dict(type='bool', default=False), | ||||||
|             check_implicit_admin=dict(type='bool', default=False), |             check_implicit_admin=dict(type='bool', default=False), | ||||||
|             update_password=dict(type='str', default='always', choices=['always', 'on_create'], no_log=False), |             update_password=dict(type='str', default='always', choices=['always', 'on_create'], no_log=False), | ||||||
|  | @ -895,9 +1026,10 @@ def main(): | ||||||
|     host_all = module.params["host_all"] |     host_all = module.params["host_all"] | ||||||
|     state = module.params["state"] |     state = module.params["state"] | ||||||
|     priv = module.params["priv"] |     priv = module.params["priv"] | ||||||
|     check_implicit_admin = module.params['check_implicit_admin'] |     tls_requires = sanitize_requires(module.params["tls_requires"]) | ||||||
|     connect_timeout = module.params['connect_timeout'] |     check_implicit_admin = module.params["check_implicit_admin"] | ||||||
|     config_file = module.params['config_file'] |     connect_timeout = module.params["connect_timeout"] | ||||||
|  |     config_file = module.params["config_file"] | ||||||
|     append_privs = module.boolean(module.params["append_privs"]) |     append_privs = module.boolean(module.params["append_privs"]) | ||||||
|     update_password = module.params['update_password'] |     update_password = module.params['update_password'] | ||||||
|     ssl_cert = module.params["client_cert"] |     ssl_cert = module.params["client_cert"] | ||||||
|  | @ -922,7 +1054,7 @@ def main(): | ||||||
|     try: |     try: | ||||||
|         if check_implicit_admin: |         if check_implicit_admin: | ||||||
|             try: |             try: | ||||||
|                 cursor, db_conn = mysql_connect(module, 'root', '', config_file, ssl_cert, ssl_key, ssl_ca, db, |                 cursor, db_conn = mysql_connect(module, "root", "", config_file, ssl_cert, ssl_key, ssl_ca, db, | ||||||
|                                                 connect_timeout=connect_timeout) |                                                 connect_timeout=connect_timeout) | ||||||
|             except Exception: |             except Exception: | ||||||
|                 pass |                 pass | ||||||
|  | @ -950,14 +1082,14 @@ def main(): | ||||||
|     if state == "present": |     if state == "present": | ||||||
|         if user_exists(cursor, user, host, host_all): |         if user_exists(cursor, user, host, host_all): | ||||||
|             try: |             try: | ||||||
|                 if update_password == 'always': |                 if update_password == "always": | ||||||
|                     changed, msg = user_mod(cursor, user, host, host_all, password, encrypted, |                     changed, msg = user_mod(cursor, user, host, host_all, password, encrypted, | ||||||
|                                             plugin, plugin_hash_string, plugin_auth_string, |                                             plugin, plugin_hash_string, plugin_auth_string, | ||||||
|                                             priv, append_privs, module) |                                             priv, append_privs, tls_requires, module) | ||||||
|                 else: |                 else: | ||||||
|                     changed, msg = user_mod(cursor, user, host, host_all, None, encrypted, |                     changed, msg = user_mod(cursor, user, host, host_all, None, encrypted, | ||||||
|                                             plugin, plugin_hash_string, plugin_auth_string, |                                             plugin, plugin_hash_string, plugin_auth_string, | ||||||
|                                             priv, append_privs, module) |                                             priv, append_privs, tls_requires, module) | ||||||
| 
 | 
 | ||||||
|             except (SQLParseError, InvalidPrivsError, mysql_driver.Error) as e: |             except (SQLParseError, InvalidPrivsError, mysql_driver.Error) as e: | ||||||
|                 module.fail_json(msg=to_native(e)) |                 module.fail_json(msg=to_native(e)) | ||||||
|  | @ -967,7 +1099,7 @@ def main(): | ||||||
|             try: |             try: | ||||||
|                 changed = user_add(cursor, user, host, host_all, password, encrypted, |                 changed = user_add(cursor, user, host, host_all, password, encrypted, | ||||||
|                                    plugin, plugin_hash_string, plugin_auth_string, |                                    plugin, plugin_hash_string, plugin_auth_string, | ||||||
|                                    priv, module.check_mode) |                                    priv, tls_requires, module.check_mode) | ||||||
|                 if changed: |                 if changed: | ||||||
|                     msg = "User added" |                     msg = "User added" | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -129,6 +129,165 @@ | ||||||
| 
 | 
 | ||||||
|     - include: assert_no_user.yml user_name={{user_name_2}} |     - include: assert_no_user.yml user_name={{user_name_2}} | ||||||
| 
 | 
 | ||||||
|  |     # ============================================================ | ||||||
|  |     # Create users with TLS requirements and verify requirements are assigned | ||||||
|  |     # | ||||||
|  |     - name: find out the database version | ||||||
|  |       mysql_info: | ||||||
|  |         <<: *mysql_params | ||||||
|  |         filter: version | ||||||
|  |       register: db_version | ||||||
|  | 
 | ||||||
|  |     - name: create user with TLS requirements in check mode (expect changed=true) | ||||||
|  |       mysql_user: | ||||||
|  |         <<: *mysql_params | ||||||
|  |         name: "{{ user_name_1 }}" | ||||||
|  |         password: "{{ user_password_1 }}" | ||||||
|  |         tls_requires: | ||||||
|  |           SSL: | ||||||
|  |       check_mode: yes | ||||||
|  |       register: result | ||||||
|  | 
 | ||||||
|  |     - name: Assert check mode user create reports changed state | ||||||
|  |       assert: | ||||||
|  |         that: | ||||||
|  |           - result is changed | ||||||
|  | 
 | ||||||
|  |     - include: assert_no_user.yml user_name={{user_name_1}} | ||||||
|  | 
 | ||||||
|  |     - name: create user with TLS requirements state=present (expect changed=true) | ||||||
|  |       mysql_user: | ||||||
|  |         <<: *mysql_params | ||||||
|  |         name: '{{ item[0] }}' | ||||||
|  |         password: '{{ user_password_1 }}' | ||||||
|  |         tls_requires: '{{ item[1] }}' | ||||||
|  |       with_together: | ||||||
|  |         - [ '{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}'] | ||||||
|  |         - | ||||||
|  |           - SSL: | ||||||
|  |           - X509: | ||||||
|  |           - subject: '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' | ||||||
|  |             cipher: 'ECDHE-ECDSA-AES256-SHA384' | ||||||
|  |             issuer: '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' | ||||||
|  | 
 | ||||||
|  |     - block: | ||||||
|  |       - name: retrieve TLS requiremets for users in old database version | ||||||
|  |         command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ item }}'@'localhost'\"" | ||||||
|  |         register: old_result | ||||||
|  |         with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}'] | ||||||
|  | 
 | ||||||
|  |       - name: set old database separator | ||||||
|  |         set_fact: | ||||||
|  |           separator: '\n' | ||||||
|  |       # Semantically: when mysql version <= 5.6 or MariaDB version <= 10.1 | ||||||
|  |       when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2 | ||||||
|  | 
 | ||||||
|  |     - block: | ||||||
|  |       - name: retrieve TLS requiremets for users in new database version | ||||||
|  |         command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ item }}'@'localhost'\"" | ||||||
|  |         register: new_result | ||||||
|  |         with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}'] | ||||||
|  | 
 | ||||||
|  |       - name: set new database separator | ||||||
|  |         set_fact: | ||||||
|  |           separator: 'PASSWORD' | ||||||
|  |       # Semantically: when mysql version >= 5.7 or MariaDB version >= 10.2 | ||||||
|  |       when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10  or db_version.version.major == 10 and db_version.version.minor >= 2 | ||||||
|  | 
 | ||||||
|  |     - block: | ||||||
|  |       - name: assert user1 TLS requirements | ||||||
|  |         assert: | ||||||
|  |           that: | ||||||
|  |             - "'SSL' in reqs" | ||||||
|  |         vars: | ||||||
|  |           - reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_1) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}" | ||||||
|  | 
 | ||||||
|  |       - name: assert user2 TLS requirements | ||||||
|  |         assert: | ||||||
|  |           that: | ||||||
|  |             - "'X509' in reqs" | ||||||
|  |         vars: | ||||||
|  |           - reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_2) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}" | ||||||
|  | 
 | ||||||
|  |       - name: assert user3 TLS requirements | ||||||
|  |         assert: | ||||||
|  |           that: | ||||||
|  |             - "'/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' in (reqs | select('contains', 'SUBJECT') | first)" | ||||||
|  |             - "'/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' in (reqs | select('contains', 'ISSUER') | first)" | ||||||
|  |             - "'ECDHE-ECDSA-AES256-SHA384' in (reqs | select('contains', 'CIPHER') | first)" | ||||||
|  |         vars: | ||||||
|  |           - reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_3) | first).stdout.split('REQUIRE')[1].split(separator)[0].replace(\"' \", \"':\").split(\":\")}}" | ||||||
|  |       # CentOS 6 uses an older version of jinja that does not provide the selectattr filter. | ||||||
|  |       when: ansible_distribution != 'CentOS' or ansible_distribution_major_version != '6' | ||||||
|  | 
 | ||||||
|  |     - name: modify user with TLS requirements state=present in check mode (expect changed=true) | ||||||
|  |       mysql_user: | ||||||
|  |         <<: *mysql_params | ||||||
|  |         name: '{{ user_name_1 }}' | ||||||
|  |         password: '{{ user_password_1 }}' | ||||||
|  |         tls_requires: | ||||||
|  |           X509: | ||||||
|  |       check_mode: yes | ||||||
|  |       register: result | ||||||
|  | 
 | ||||||
|  |     - name: Assert check mode user update reports changed state | ||||||
|  |       assert: | ||||||
|  |         that: | ||||||
|  |           - result is changed | ||||||
|  | 
 | ||||||
|  |     - name: retrieve TLS requiremets for users in old database version | ||||||
|  |       command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ user_name_1 }}'@'localhost'\"" | ||||||
|  |       register: old_result | ||||||
|  |       when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2 | ||||||
|  | 
 | ||||||
|  |     - name: retrieve TLS requiremets for users in new database version | ||||||
|  |       command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\"" | ||||||
|  |       register: new_result | ||||||
|  |       when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10  or db_version.version.major == 10 and db_version.version.minor >= 2 | ||||||
|  | 
 | ||||||
|  |     - name: assert user1 TLS requirements was not changed | ||||||
|  |       assert: | ||||||
|  |         that: "'SSL' in reqs" | ||||||
|  |       vars: | ||||||
|  |         - reqs: "{{(old_result is skipped | ternary(new_result, old_result)).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}" | ||||||
|  | 
 | ||||||
|  |     - name: modify user with TLS requirements state=present (expect changed=true) | ||||||
|  |       mysql_user: | ||||||
|  |         <<: *mysql_params | ||||||
|  |         name: '{{ user_name_1 }}' | ||||||
|  |         password: '{{ user_password_1 }}' | ||||||
|  |         tls_requires: | ||||||
|  |           X509: | ||||||
|  | 
 | ||||||
|  |     - name: retrieve TLS requiremets for users in old database version | ||||||
|  |       command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ user_name_1 }}'@'localhost'\"" | ||||||
|  |       register: old_result | ||||||
|  |       when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2 | ||||||
|  | 
 | ||||||
|  |     - name: retrieve TLS requiremets for users in new database version | ||||||
|  |       command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\"" | ||||||
|  |       register: new_result | ||||||
|  |       when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10  or db_version.version.major == 10 and db_version.version.minor >= 2 | ||||||
|  | 
 | ||||||
|  |     - name: assert user1 TLS requirements | ||||||
|  |       assert: | ||||||
|  |         that: "'X509' in reqs" | ||||||
|  |       vars: | ||||||
|  |         - reqs: "{{(old_result is skipped | ternary(new_result, old_result)).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}" | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  |     - include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }} | ||||||
|  | 
 | ||||||
|  |     - include: remove_user.yml user_name={{user_name_2}} user_password={{ user_password_1 }} | ||||||
|  | 
 | ||||||
|  |     - include: remove_user.yml user_name={{user_name_3}} user_password={{ user_password_1 }} | ||||||
|  | 
 | ||||||
|  |     - include: assert_no_user.yml user_name={{user_name_1}} | ||||||
|  | 
 | ||||||
|  |     - include: assert_no_user.yml user_name={{user_name_2}} | ||||||
|  | 
 | ||||||
|  |     - include: assert_no_user.yml user_name={{user_name_3}} | ||||||
|  | 
 | ||||||
|     # ============================================================ |     # ============================================================ | ||||||
|     # Assert user has access to multiple databases |     # Assert user has access to multiple databases | ||||||
|     # |     # | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue