From 51f2c05ea4cef94d277ee7a8a0e1b4d4bc246941 Mon Sep 17 00:00:00 2001
From: Matthieu Bourgain
Date: Mon, 22 Apr 2024 18:26:51 +0200
Subject: [PATCH] [ci skip] handle change
---
 plugins/module_utils/user.py | 12 ++++++++----
 plugins/modules/mysql_user.py | 4 +++-
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
index 6d95cf5..7b2fa71 100644
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@@ -360,6 +360,14 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 # a check, so I prefer to update more often than never
 update = True
+ if salt:
+ if plugin in ['caching_sha2_password', 'sha256_password']:
+ generated_hash_string = mysql_sha256_password_hash_hex(password=plugin_auth_string, salt=salt)
+ if current_plugin[0] != generated_hash_string:
+ update = True
+ else:
+ module.fail_json(msg="salt not handled for %s authentication plugin" % plugin)
+
 if update:
 if plugin_hash_string:
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
@@ -368,10 +376,6 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 if plugin in ('pam', 'ed25519'):
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_string)
 elif salt:
- if plugin in ['caching_sha2_password', 'sha256_password']:
- generated_hash_string = mysql_sha256_password_hash_hex(password=plugin_auth_string, salt=salt)
- else:
- module.fail_json(msg="salt not handled for %s authentication plugin" % plugin)
 query_with_args = ("ALTER USER %s@%s IDENTIFIED WITH %s AS 0x" + generated_hash_string), (user, host, plugin)
 else:
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
diff --git a/plugins/modules/mysql_user.py b/plugins/modules/mysql_user.py
index 481f1f0..0c7021b 100644
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
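Review bot: The added test `if current_plugin[0] != generated_hash_string:` in the first user.py hunk (@@ -360) is only idempotent if element 0 of `current_plugin` is the server's stored authentication string, in the same hex form that the later `AS 0x` query consumes; nothing in the hunk establishes either. If element 0 is the plugin name, or the stored value is raw rather than hex, the comparison is always unequal and the account's credential is rewritten on every run, which also hides real drift in the change report. The context line just above already sets `update = True` (its condition is outside the hunk), so it is worth confirming this block can ever leave `update` false for a salted password. I would pin the index to the authentication-string column and add a comment such as `# compare against the stored authentication_string, hex-encoded like generated_hash_string`. user_mod starts and ends outside the hunk.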
@@ -517,8 +517,10 @@ def main():
 should be positive number")
 if salt:
+ if not plugin_auth_string:
+ module.fail_json(msg="salt requires plugin_auth_string")
 if len(salt) != 20:
- module.fail_json(msg="Salt must be 20 characters long")
+ module.fail_json(msg="salt must be 20 characters long")
 if plugin not in ['caching_sha2_password', 'sha256_password']:
 module.fail_json(msg="salt requires caching_sha2_password or sha256_password plugin")
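Review bot: The guard `if len(salt) != 20:` counts characters rather than bytes, so a salt containing non-ASCII characters passes while encoding to more than 20 bytes; how the hash helper treats such input is not visible here. Checking the encoded length, for example `if len(salt.encode('utf-8')) != 20:` with whichever encoding the helper applies, or rejecting non-ASCII salts outright, would make the constraint match what is actually hashed. The allow-list `['caching_sha2_password', 'sha256_password']` is also repeated in plugins/module_utils/user.py, and a shared constant would keep the two checks from drifting apart. main() starts and ends outside the hunk.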