ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-10-25 05:24:01 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix hashed passwords being returned by get_existing_authentication() via the plugin_auth_string variable instead of plugin_hash_string (#629)

Browse source 
* fix returned variable from plugin_auth_string to plugin_hash_string
* Refactor to keep plugin_auth_string in addition to plugin_hash_string
* Add breaking_changes to the changelog
This commit is contained in:
Laurent Indermühle 2024-06-06 13:05:31 +02:00 committed by GitHub
commit 50e7413b88
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 36 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

6
changelogs/fragments/lie_fix_plugin_hash_string_return.yml Normal file
View file

@ -0,0 +1,6 @@
---
bugfixes:
- mysql_info - Add ``plugin_hash_string`` to ``users_info`` filter's output. The existing ``plugin_auth_string`` contained the hashed password and thus is missleading, it will be removed from community.mysql 4.0.0. (https://github.com/ansible-collections/community.mysql/pull/629).
breaking_changes:
- mysql_info - The ``users_info`` filter returned variable ``plugin_auth_string`` contains the hashed password and it's misleading, it will be removed from community.mysql 4.0.0. Use the `plugin_hash_string` return value instead (https://github.com/ansible-collections/community.mysql/pull/629).

14
plugins/module_utils/user.py
View file

@ -118,11 +118,19 @@ def get_existing_authentication(cursor, user, host):
if isinstance(rows, dict):
rows = list(rows.values())
# 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0
# See https://github.com/ansible-collections/community.mysql/pull/629
if isinstance(rows[0], tuple):
return {'plugin': rows[0][0], 'plugin_auth_string': rows[0][1]}
return {'plugin': rows[0][0],
'plugin_auth_string': rows[0][1],
'plugin_hash_string': rows[0][1]}
# 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0
# See https://github.com/ansible-collections/community.mysql/pull/629
if isinstance(rows[0], dict):
return {'plugin': rows[0].get('plugin'), 'plugin_auth_string': rows[0].get('auth')}
return {'plugin': rows[0].get('plugin'),
'plugin_auth_string': rows[0].get('auth'),
'plugin_hash_string': rows[0].get('auth')}
return None
@ -152,7 +160,7 @@ def user_add(cursor, user, host, host_all, password, encrypted,
existing_auth = get_existing_authentication(cursor, user, host)
if existing_auth:
plugin = existing_auth['plugin']
plugin_hash_string = existing_auth['auth_string']
plugin_hash_string = existing_auth['plugin_hash_string']
password = None
used_existing_password = True
if password and encrypted:

72
tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml
View file

@ -211,66 +211,32 @@
TO users_info_tls_sub_issu_ciph@'host'
- name: Mysql_info users_info | Prepare tests users for MariaDB
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "users_info.com"
plugin: "{{ item.plugin | default(omit) }}"
plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
tls_requires: "{{ item.tls_requires | default(omit) }}"
priv: "{{ item.priv }}"
resource_limits: "{{ item.resource_limits | default(omit) }}"
column_case_sensitive: true
state: present
loop:
- name: users_info_socket # Only for MariaDB
priv:
'*.*': 'ALL'
plugin: 'unix_socket'
community.mysql.mysql_query:
query:
- >-
CREATE USER users_info_socket@'users_info.com' IDENTIFIED WITH
unix_socket
- GRANT ALL ON *.* to users_info_socket@'users_info.com'
when:
- db_engine == 'mariadb'
- name: Mysql_info users_info | Prepare tests users for MySQL
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "users_info.com"
plugin: "{{ item.plugin | default(omit) }}"
plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
tls_requires: "{{ item.tls_requires | default(omit) }}"
priv: "{{ item.priv }}"
resource_limits: "{{ item.resource_limits | default(omit) }}"
column_case_sensitive: true
state: present
loop:
- name: users_info_sha256 # Only for MySQL
priv:
'*.*': 'ALL'
plugin_auth_string:
'$5$/<w*D`L4\"F$WQiI1Pev.7atAh8udYs3wqlzgdfV8LXoy7rqSEC7NF2'
plugin: 'sha256_password'
community.mysql.mysql_query:
query:
- >-
CREATE USER users_info_sha256@'users_info.com' IDENTIFIED WITH
sha256_password BY 'msandbox'
- GRANT ALL ON *.* to users_info_sha256@'users_info.com'
when:
- db_engine == 'mysql'
- name: Mysql_info users_info | Prepare tests users for MySQL 8+
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "users_info.com"
plugin: "{{ item.plugin | default(omit) }}"
plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
tls_requires: "{{ item.tls_requires | default(omit) }}"
priv: "{{ item.priv }}"
resource_limits: "{{ item.resource_limits | default(omit) }}"
column_case_sensitive: true
state: present
loop:
- name: users_info_caching_sha2 # Only for MySQL 8+
priv:
'*.*': 'ALL'
plugin_auth_string:
'$A$005$61j/uF%Qb4-=O2xkeO82u2HNkF.lxDq0liO4U3xqi7bDUCbWM6HayRXWn1'
plugin: 'caching_sha2_password'
community.mysql.mysql_query:
query:
- >-
CREATE USER users_info_caching_sha2@'users_info.com' IDENTIFIED WITH
caching_sha2_password BY 'msandbox'
- GRANT ALL ON *.* to users_info_caching_sha2@'users_info.com'
when:
- db_engine == 'mysql'
- db_version is version('8.0', '>=')
@ -283,7 +249,7 @@
- users_info
register: result
- name: Recreate users from mysql_info users_info result
- name: Mysql_info users_info | Recreate users from mysql_info result
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "{{ item.host }}"