User locking (#702)

* function to check if a user is locked already Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add the location and logic of where I think user locking would happen. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix missing parameters for execute() Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add the locked attribute Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Initial user locking integration tests Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add attribute documentation Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * More descriptive names in the integration tests Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * - Changes requested/suggested by @Andersson007 - Example usage - Changelog fragment Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix user_is_locked and remove host_all option. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix host of user (was % should have been localhost after deleting `host:` earlier) Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Switch locked to named instead of positional. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check_mode support. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check_mode: true test cases Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Fix names that included `check_mode: true` Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add idempotence checks Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Switch calls to user_mod with sequences of None positional arguments to full named arguments Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * locked check should not run for roles. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * check_mode is set at the task level and not the module level Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add user locking to info module and test. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Handle DictCursor Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check_mode feedback Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add another builtin account to the exclusion list Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Initial switch to default=None for locked, will need to add a test for it. Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> * Add check that missing locked argument does not unlock a user Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com> --------- Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>
2025-07-23 05:10:24 -07:00 · 2025-03-19 15:40:59 +02:00 · 2025-03-19 15:40:59 +02:00 · 45a29408ad
commit 45a29408ad
parent dd7e297d50
8 changed files with 285 additions and 14 deletions
--- a/tests/integration/targets/test_mysql_user/tasks/main.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/main.yml
@ -305,3 +305,7 @@
    - name: Mysql_user - test update_password
      ansible.builtin.import_tasks:
        file: test_update_password.yml
+
+    - name: Mysql_user - test user_locking
+      ansible.builtin.import_tasks:
+        file: test_user_locking.yml
--- a/tests/integration/targets/test_mysql_user/tasks/test_user_locking.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/test_user_locking.yml
@ -0,0 +1,200 @@
+---
+
+- vars:
+    mysql_parameters: &mysql_params
+      login_user: '{{ mysql_user }}'
+      login_password: '{{ mysql_password }}'
+      login_host: '{{ mysql_host }}'
+      login_port: '{{ mysql_primary_port }}'
+
+  block:
+
+    # ========================= Prepare =======================================
+    - name: Mysql_user Lock user | Create a test database
+      community.mysql.mysql_db:
+        <<: *mysql_params
+        name: mysql_lock_user_test
+        state: present
+
+    # ========================== Tests ========================================
+
+    - name: Mysql_user Lock user | create locked | Create test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        password: 'msandbox'
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create locked | Assert that test user is locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is not search('ACCOUNT LOCK')
+
+    - name: 'Mysql_user Lock user | create locked | Idempotence check'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+      register: idempotence_check
+      failed_when: idempotence_check is changed
+
+    - name: 'Mysql_user Lock user | create locked | Check that absense of locked does not unlock the user'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+      register: idempotence_check
+      failed_when: idempotence_check is changed
+
+    - name: 'Mysql_user Lock user | create locked | Unlock test user check_mode: true'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create locked | Assert that test user is locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is not search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create locked | Unlock test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create locked | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create locked | Remove test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        state: absent
+        
+    - name: Mysql_user Lock user | create unlocked | Create test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        password: 'msandbox'
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create unlocked | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: 'Mysql_user Lock user | create unlocked | Idempotence check'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: false
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+      register: idempotence_check
+      failed_when: idempotence_check is changed
+
+    - name: 'Mysql_user Lock user | create unlocked | Lock test user check_mode: true'
+      check_mode: true
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create unlocked | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create unlocked | Lock test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        locked: true
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create unlocked | Assert that test user is locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is not search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create unlocked | Remove test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        state: absent
+
+    - name: Mysql_user Lock user | create default | Create test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        password: 'msandbox'
+        priv:
+          'mysql_lock_user_test.*': 'SELECT'
+
+    - name: Mysql_user Lock user | create default | Assert that test user is not locked
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query:
+          - SHOW CREATE USER 'mysql_locked_user'@'localhost'
+      register: locked_user_creation
+      failed_when:
+        - locked_user_creation.query_result[0][0] is search('ACCOUNT LOCK')
+
+    - name: Mysql_user Lock user | create default | Remove test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: mysql_locked_user
+        state: absent
+
+    # ========================= Teardown ======================================
+
+    - name: Mysql_user Lock user | Delete test database
+      community.mysql.mysql_db:
+        <<: *mysql_params
+        name: mysql_lock_user_test
+        state: absent