From 5217af0c2eeaa1ae12244c5c9dc5ccec54a9e394 Mon Sep 17 00:00:00 2001
From: Andrew Klychkov <aklychko@redhat.com>
Date: Thu, 16 Oct 2025 10:03:51 +0200
Subject: [PATCH] issue-744: add integration tests (#751)

---
 .../test_mysql_user/tasks/issue-744.yml       | 98 +++++++++++++++++++
 .../targets/test_mysql_user/tasks/main.yml    |  7 +-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 tests/integration/targets/test_mysql_user/tasks/issue-744.yml

diff --git a/tests/integration/targets/test_mysql_user/tasks/issue-744.yml b/tests/integration/targets/test_mysql_user/tasks/issue-744.yml
new file mode 100644
index 0000000..4373f8a
--- /dev/null
+++ b/tests/integration/targets/test_mysql_user/tasks/issue-744.yml
@@ -0,0 +1,98 @@
+---
+# Test for https://github.com/ansible-collections/community.mysql/issues/664
+# Issue 744: Bug revoking 'WITH GRANT OPTION'
+# The issue occurs when a user has only USAGE with GRANT OPTION on a database
+# and we try to modify their permissions. The revoke logic fails because it
+# tries to revoke USAGE twice.
+
+- vars:
+    mysql_parameters: &mysql_params
+      login_user: '{{ mysql_user }}'
+      login_password: '{{ mysql_password }}'
+      login_host: '{{ mysql_host }}'
+      login_port: '{{ mysql_primary_port }}'
+
+  block:
+    - name: Issue-744 | Create test database
+      community.mysql.mysql_db:
+        <<: *mysql_params
+        name: issue744_testdb
+        state: present
+
+    - name: Issue-744 | Create user with USAGE privileges only
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        state: present
+
+    - name: Issue-744 | Grant USAGE with GRANT OPTION on specific database
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        priv: 'issue744_testdb.*:USAGE,GRANT'
+        state: present
+
+    - name: Issue-744 | Show grants to verify USAGE with GRANT OPTION
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query: "SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'"
+      register: show_grants_result
+
+    - name: Issue-744 | Verify user has USAGE with GRANT OPTION
+      assert:
+        that:
+          - "'issue744_testdb' in (show_grants_result.query_result | string)"
+          - "'WITH GRANT OPTION' in (show_grants_result.query_result | string)"
+
+    # With the fix, this should now succeed
+    - name: Issue-744 | Modify user permissions (this should now succeed with the fix)
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        priv: 'issue744_testdb.*:SELECT'
+        state: present
+      register: modify_perms_result
+
+    - name: Issue-744 | Debug modification result
+      debug:
+        var: modify_perms_result
+
+    # With the fix, the operation should succeed
+    - name: Issue-744 | Verify that modification succeeded
+      assert:
+        that:
+          - modify_perms_result is succeeded
+          - modify_perms_result is changed
+        fail_msg: "Expected the modification to succeed with the fix, but got: {{ modify_perms_result.msg }}"
+
+    # Verify the final state is correct
+    - name: Issue-744 | Show final grants to verify SELECT privilege
+      community.mysql.mysql_query:
+        <<: *mysql_params
+        query: "SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'"
+      register: final_grants_result
+
+    - name: Issue-744 | Verify user now has SELECT privilege
+      assert:
+        that:
+          - "'GRANT SELECT ON' in (final_grants_result.query_result | string)"
+          - "'issue744_testdb' in (final_grants_result.query_result | string)"
+        fail_msg: "Expected user to have SELECT privilege on issue744_testdb, but got: {{ final_grants_result.query_result }}"
+
+  always:
+    - name: Issue-744 | Cleanup - Remove test user
+      community.mysql.mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        state: absent
+      ignore_errors: true
+
+    - name: Issue-744 | Cleanup - Remove test database
+      community.mysql.mysql_db:
+        <<: *mysql_params
+        name: issue744_testdb
+        state: absent
+      ignore_errors: true
diff --git a/tests/integration/targets/test_mysql_user/tasks/main.yml b/tests/integration/targets/test_mysql_user/tasks/main.yml
index c69aea3..f50eb6c 100644
--- a/tests/integration/targets/test_mysql_user/tasks/main.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/main.yml
@@ -169,7 +169,7 @@
         host_all: yes
         password: '{{ user_password_1 }}'
       register: result
-      ignore_errors: yes
+      ignore_errors: true
 
     - name: check fail message
       assert:
@@ -313,3 +313,8 @@
       # Test that mysql_user still works with default role set
       # (https://github.com/ansible-collections/community.mysql/issues/710)
     - include_tasks: issue-710.yml
+
+    # Test for bug with revoking GRANT OPTION when user has only USAGE
+    # (https://github.com/ansible-collections/community.mysql/issues/664)
+    # (https://github.com/ansible-collections/community.mysql/pull/744)
+    - include_tasks: issue-744.yml