Enhance support of tls_requires in mysql_user and mysql_info (#628)

* fix option name

* Add tests for users using SSL

* Rewrite get_tls_requires using mysql.user table

* Add tls_requires to users_info filter

* add more consistant test users

* Add tls tests users in cleanup task

* Fix tls_requires data structure inconsistencies between modules

* Refactor user implementation to host get_tls_requires

* fix MySQL tls_requires not removed from user passed as empty

* Fix wrong variable used to return a hashed password

* Fix sanity

* fix unit tests

* Add changelog fragment

* Add PR URI to the changelog

* Add more precise change log

* fix documentation using wrong variable as an example

* Document example returned value `tls_requires` from users_info filter

* Revert changes that will be in a separate PR

* Fix sanity

plugins/module_utils/implementations/mariadb/user.py

@@ -29,3 +29,48 @@ def server_supports_password_expire(cursor):
     version = get_server_version(cursor)
 
     return LooseVersion(version) >= LooseVersion("10.4.3")
+
+
+def get_tls_requires(cursor, user, host):
+    """Get user TLS requirements.
+    Reads directly from mysql.user table allowing for a more
+    readable code.
+
+    Args:
+        cursor (cursor): DB driver cursor object.
+        user (str): User name.
+        host (str): User host name.
+
+    Returns: Dictionary containing current TLS required
+    """
+    tls_requires = dict()
+
+    query = ('SELECT ssl_type, ssl_cipher, x509_issuer, x509_subject '
+             'FROM mysql.user WHERE User = %s AND Host = %s')
+    cursor.execute(query, (user, host))
+    res = cursor.fetchone()
+
+    # Mysql_info use a DictCursor so we must convert back to a list
+    # otherwise we get KeyError 0
+    if isinstance(res, dict):
+        res = list(res.values())
+
+    # When user don't require SSL, res value is: ('', '', '', '')
+    if not any(res):
+        return None
+
+    if res[0] == 'ANY':
+        tls_requires['SSL'] = None
+
+    if res[0] == 'X509':
+        tls_requires['X509'] = None
+
+    if res[1]:
+        tls_requires['CIPHER'] = res[1]
+
+    if res[2]:
+        tls_requires['ISSUER'] = res[2]
+
+    if res[3]:
+        tls_requires['SUBJECT'] = res[3]
+    return tls_requires

plugins/module_utils/implementations/mysql/user.py

@@ -8,6 +8,9 @@ __metaclass__ = type
 from ansible_collections.community.mysql.plugins.module_utils.version import LooseVersion
 from ansible_collections.community.mysql.plugins.module_utils.mysql import get_server_version
 
+import re
+import shlex
+
 
 def use_old_user_mgmt(cursor):
     version = get_server_version(cursor)
@@ -30,3 +33,46 @@ def server_supports_password_expire(cursor):
     version = get_server_version(cursor)
 
     return LooseVersion(version) >= LooseVersion("5.7")
+
+
+def get_tls_requires(cursor, user, host):
+    """Get user TLS requirements.
+    We must use SHOW GRANTS because some tls fileds are encoded.
+
+    Args:
+        cursor (cursor): DB driver cursor object.
+        user (str): User name.
+        host (str): User host name.
+
+    Returns: Dictionary containing current TLS required
+    """
+    if not use_old_user_mgmt(cursor):
+        query = "SHOW CREATE USER '%s'@'%s'" % (user, host)
+    else:
+        query = "SHOW GRANTS for '%s'@'%s'" % (user, host)
+
+    cursor.execute(query)
+    grants = cursor.fetchone()
+
+    # Mysql_info use a DictCursor so we must convert back to a list
+    # otherwise we get KeyError 0
+    if isinstance(grants, dict):
+        grants = list(grants.values())
+    grants_str = ''.join(grants)
+
+    pattern = r"(?<=\bREQUIRE\b)(.*?)(?=(?:\bPASSWORD\b|$))"
+    requires_match = re.search(pattern, grants_str)
+    requires = requires_match.group().strip() if requires_match else ""
+
+    if requires.startswith('NONE'):
+        return None
+
+    if requires.startswith('SSL'):
+        return {'SSL': None}
+
+    if requires.startswith('X509'):
+        return {'X509': None}
+
+    items = iter(shlex.split(requires))
+    requires = dict(zip(items, items))
+    return requires or None

plugins/module_utils/user.py

@@ -17,6 +17,7 @@ from ansible.module_utils.six import iteritems
 
 from ansible_collections.community.mysql.plugins.module_utils.mysql import (
     mysql_driver,
+    get_server_implementation,
 )
 
 
@@ -80,31 +81,6 @@ def do_not_mogrify_requires(query, params, tls_requires):
     return query, params
 
 
-def get_tls_requires(cursor, user, host):
-    if user:
-        if not impl.use_old_user_mgmt(cursor):
-            query = "SHOW CREATE USER '%s'@'%s'" % (user, host)
-        else:
-            query = "SHOW GRANTS for '%s'@'%s'" % (user, host)
-
-        cursor.execute(query)
-        require_list = [tuple[0] for tuple in filter(lambda x: "REQUIRE" in x[0], cursor.fetchall())]
-        require_line = require_list[0] if require_list else ""
-        pattern = r"(?<=\bREQUIRE\b)(.*?)(?=(?:\bPASSWORD\b|$))"
-        requires_match = re.search(pattern, require_line)
-        requires = requires_match.group().strip() if requires_match else ""
-        if any((requires.startswith(req) for req in ('SSL', 'X509', 'NONE'))):
-            requires = requires.split()[0]
-            if requires == 'NONE':
-                requires = None
-        else:
-            import shlex
-
-            items = iter(shlex.split(requires))
-            requires = dict(zip(items, items))
-        return requires or None
-
-
 def get_grants(cursor, user, host):
     cursor.execute("SHOW GRANTS FOR %s@%s", (user, host))
     grants_line = list(filter(lambda x: "ON *.*" in x[0], cursor.fetchall()))[0]
@@ -166,6 +142,7 @@ def user_add(cursor, user, host, host_all, password, encrypted,
         return {'changed': True, 'password_changed': None, 'attributes': attributes}
 
     # Determine what user management method server uses
+    impl = get_user_implementation(cursor)
     old_user_mgmt = impl.use_old_user_mgmt(cursor)
 
     mogrify = do_not_mogrify_requires if old_user_mgmt else mogrify_requires
@@ -244,6 +221,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
     grant_option = False
 
     # Determine what user management method server uses
+    impl = get_user_implementation(cursor)
     old_user_mgmt = impl.use_old_user_mgmt(cursor)
 
     if host_all and not role:
@@ -499,7 +477,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
             continue
 
         # Handle TLS requirements
-        current_requires = get_tls_requires(cursor, user, host)
+        current_requires = sanitize_requires(impl.get_tls_requires(cursor, user, host))
         if current_requires != tls_requires:
             msg = "TLS requires updated"
             if not module.check_mode:
@@ -837,6 +815,7 @@ def privileges_grant(cursor, user, host, db_table, priv, tls_requires, maria_rol
         query.append("TO %s")
         params = (user)
 
+    impl = get_user_implementation(cursor)
     if tls_requires and impl.use_old_user_mgmt(cursor):
         query, params = mogrify_requires(" ".join(query), params, tls_requires)
         query = [query]
@@ -973,6 +952,7 @@ def limit_resources(module, cursor, user, host, resource_limits, check_mode):
 
     Returns: True, if changed, False otherwise.
     """
+    impl = get_user_implementation(cursor)
     if not impl.server_supports_alter_user(cursor):
         module.fail_json(msg="The server version does not match the requirements "
                              "for resource_limits parameter. See module's documentation.")
@@ -1108,12 +1088,11 @@ def attributes_get(cursor, user, host):
     return j if j else None
 
 
-def get_impl(cursor):
-    global impl
-    cursor.execute("SELECT VERSION()")
-    if 'mariadb' in cursor.fetchone()[0].lower():
+def get_user_implementation(cursor):
+    db_engine = get_server_implementation(cursor)
+    if db_engine == 'mariadb':
         from ansible_collections.community.mysql.plugins.module_utils.implementations.mariadb import user as mariauser
-        impl = mariauser
+        return mariauser
     else:
         from ansible_collections.community.mysql.plugins.module_utils.implementations.mysql import user as mysqluser
-        impl = mysqluser
+        return mysqluser