ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-07-28 23:51:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

[PR #490/6970aef backport][stable-1] Integrations tests : Use containers (#517)

Browse source 
* Integrations tests : Use containers for more control and verify that versions match expectation (#490)

* Add healthcheck to MariaDB before starting the tests
This prevent the first test to fail because the db isn't ready yet.

* Add % instead of the default 'localhost' since we use remote connection

Previously, everything was on localhost. Now ansible-test is in a
venv and the db is in a container. The db see the IP address from the
podman host (10.88.0.2)

* Add mysql_client to the controller

* Prepare controller with Podman/Docker Network

We use the Podman/Docker network gateway address to communicate between
container. I haven't tested Docker. I would have preferred to use a pod
but only Podman support it and ansible-test only support the
--docker-network option.

* Generalize mysql and mariadb version based on container name

This way we can split db_engine and db_version and simplify tests.
Also this is mandatory to use the matrix.db_engine_version as the
image name for our services containers.

* Fix replication due to usage of gateway_addr instead of localhost

* Refactor setup_mysql into setup_controller

* Fix server_id in GHA

GHA lack a way to pass option to docker's command. Also server_id is
not read as a environment variable. So I'm forced to use a config file.

* Refactor test_mysql_user to work with other host than localhost

* Refactor way tests info are passed from sed to file with lookup

The idea is to avoid modifying test targets from the workflow to prevent
ansible-test to think every tests needs to be run.

* Refactor test to use the db_version from setup_controller

* Add temporary files to .gitignore

* Add back docker healthcheck on services

I saw in the GHA logs that it perform an healtcheck ! So I hope this
will work.

* Refactor the way server_id is set for replicas

The simple way is to add '--server-id 2' after the name of the image of
the container. But GHA doesn't let us do that. The idea of mount a file
from our repo doesn't work because the repo is check out later in the
workflow and I failed to find a pre-job hook. Then I realized that this
MySQL option is dynamic! So we will set that in the test target!

* Add IF NOT EXISTS to prevent misleading error on retry

* Cut python 3.11 not supported by ansible-test yet

* Add option to run only a single target

* Disable replication with channel tests entirely for MySQL 5.7

* Activate Mysql 8 and Mariadb into GitHub Action Workflow

* Document run_all_tests.py

* Fix replication settings

sh don't know 'echo -e', so we use bash instead.
Also, we need to wait for the container to be healthy before trying to
restart it. Otherwise that could corrupt it.

* Add more descriptive tests names

* Use mysql_host var name instead of gateway_addr in tests

* Refactor user@<gateway ip addr> into user@%

* Workaround for plugin role that fails with any MariaDB versions

* Ensure replicas are healthy before rebooting them

* Add a virtualenv for ansible-test used locally

* Cut column-statistics disabling

Thanks to our test-container, we now use the correspond mysql-client.
So to test mysql 5.7 we use mysql-client-5.7 and to test mysql 8 we
use mysql-client-8.

* Fix test matrix

Python version should be quoted, otherwise 3.10 become 3.1
We can skip 2.14 and devel with Python3.8
We can skip devel with Python 3.9
We can skip MariaDB 10.4 with mysql-client-10.6
Add tests for MariaDB 10.6, 10.7 and 10.8

* Fix queries for roles

* Add filter for issues resolved in newer version of mysqlclient

* Add names to tests

* Cut tests for incompatible MySQL 8 and pymysql 0.7.11

* Fix assertion for older mysqlclient than 2.0.1 with mysql (mariadb ok)

* Change docker-image workflow to work on all images using matrix

* Add support for version of mysqlclient

* Fix verify database version

Sometimes, version_full contains trailing information (-log). To prevent
issues it's best to concatenate major and minor version.

* Cut filter for tests now that the right connector is used

* Add clean up in "always" phase of the block

Because our tests use --retry-on-error, and the first thing the test
does is to try to create the database. We must cleanup otherwise if
there is a retry, it will throw a misleading "database already exists"
error.

* Disable tests using pymysql 1.0.2

Many tests are failing but this must be fixed in the plugins in a future
PR.

* Cut test MySQL 8 with incompatible pymysql 0.7.11

It fails to connect with error about cryptography unsupported

* Fix missing cffi package to connect to MySQL 8 using Python 3.9

* Split Docker image workflow to rebuild only changed Dockerfile

My goal is not to save the planet but to make it work. Currently
docker/setup-buildx-action@v2 often fails. You have to rerun the
workflow multiple times until it succeed. When you do that with the
matrix with 15 containers, you never get to the point where they all
built successfully. Having separate workflows makes rerun the failing
build easier.

* Add option to let containers alive at end of testing

* Migrate tests documentations in their own file

* Document usage of continue_on_errors

* Add support for systems with unsupported python set as default

* Add create podman network for system missing it.

We saw that on a Fedora 33 with Podman 3.3.1, an old system. I didn't
find in which release the default network changed and maybe it's
defined in the Linux distribution. So in doubt I always attempt to
create the network.

* Add full path to image to prevent podman asking which registry to use

* Add options to enforce recreate containers even if already exists

* Add deletion of anonymous volumes associated with the container

* Change shebang from python to python3 to avoid confusion with python2

This script is a python3 script.

* Add disk and RAM requirements

* Cut the 3 from python command to follow shebang recommendations

https://docs.ansible.com/ansible-core/devel/dev_guide/testing/sanity/shebang.html

* Reformat file path

Co-authored-by: Jorge Rodriguez (A.K.A. Tiriel) <jorge.rodriguez@futurice.com>

* Move utility task files in their own folder

* Add called workflow file in the GHA hooks

Without this, the containers are not rebuilt when you modify the file
built-docker-image.yml.

* Rollback to github.repository in container image name

This time I think I understood. We publish in the
github.repository_owner's namespace. In my case it's laurent-indermuehle
and in case of upstream it's ansible-collections. A proof of that:
https://github.com/orgs/ansible-collections/packages <- here there is
one attempt I did in february to push my branch to the upstream.
So, our tests containers will be visible to the whole community, not
just community.mysql.

---------

Co-authored-by: Jorge Rodriguez (A.K.A. Tiriel) <jorge.rodriguez@futurice.com>
(cherry picked from commit 6970aef8f6)

* Add changelog fragment

* Disable tests that doesn't work on stable-1

It's shameful to disable tests, but they didn't makes much sense
anyway.

* Fix error message being different on stable-1 than v3

* Disable tests against MariaDB 10.5 and 10.6

Does version have never been tested on stable-1 and many tests fails.
This commit is contained in:
Laurent Indermühle 2023-03-29 08:56:09 +02:00 committed by GitHub
commit 54efe0bbb8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
122 changed files with 2960 additions and 1519 deletions
Download patch file Download diff file Expand all files Collapse all files

2
tests/integration/targets/test_mysql_user/defaults/main.yml
View file

@ -2,7 +2,7 @@
# defaults file for test_mysql_user
mysql_user: root
mysql_password: msandbox
mysql_host: 127.0.0.1
mysql_host: '{{ gateway_addr }}'
mysql_primary_port: 3307
db_name: 'data'

3
tests/integration/targets/test_mysql_user/meta/main.yml
View file

@ -1,3 +1,4 @@
---
dependencies:
- setup_mysql
- setup_controller
- setup_remote_tmp_dir

25
tests/integration/targets/test_mysql_user/tasks/assert_no_user.yml
View file

@ -1,25 +0,0 @@
# test code to assert no mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# ============================================================
- name: run command to query for mysql user
command: "{{ mysql_command }} -e \"SELECT User FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: assert mysql user is not present
assert: { that: "'{{ user_name }}' not in result.stdout" }

38
tests/integration/targets/test_mysql_user/tasks/assert_user.yml
View file

@ -1,38 +0,0 @@
# test code to assert mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# ============================================================
- name: run command to query for mysql user
command: "{{ mysql_command }} -e \"SELECT User FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: assert mysql user is present
assert:
that:
- "'{{ user_name }}' in result.stdout"
- name: run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name }}'@'localhost'\""
register: result
when: priv is defined
- name: assert user has giving privileges
assert:
that:
- "'GRANT {{priv}} ON *.*' in result.stdout"
when: priv is defined

40
tests/integration/targets/test_mysql_user/tasks/create_user.yml
View file

@ -1,40 +0,0 @@
# test code to create mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: create mysql user {{user_name}}
mysql_user:
<<: *mysql_params
name: '{{ user_name }}'
password: '{{ user_password }}'
state: present
register: result
- name: assert output message mysql user was created
assert:
that:
- result is changed

135
tests/integration/targets/test_mysql_user/tasks/issue-121.yml
View file

@ -1,112 +1,85 @@
---
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: get server certificate
- name: Issue-121 | Setup | Get server certificate
copy:
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect localhost:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect {{ mysql_host }}:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
dest: /tmp/cert.pem
delegate_to: localhost
- name: get server version
mysql_info:
<<: *mysql_params
filter: version
register: db_version
- set_fact:
old_user_mgmt: "{{ db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2 | bool }}"
- name: Drop mysql user if exists
- name: Issue-121 | Drop mysql user if exists
mysql_user:
<<: *mysql_params
name: '{{ item }}'
host_all: true
state: absent
ignore_errors: yes
with_items:
ignore_errors: true
loop:
- "{{ user_name_1 }}"
- "{{ user_name_2 }}"
- name: create user with REQUIRESSL privilege
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
# Disabled because:
# - It makes no sense (state changed as nothing to do with a failure)
# - It doesn't work on stable-1
# - name: Issue-121 | Create user with REQUIRESSL privilege (expect failure)
# mysql_user:
# <<: *mysql_params
# name: "{{ user_name_1 }}"
# password: "{{ user_password_1 }}"
# priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
# register: result
# ignore_errors: true
- name: verify REQUIRESSL is assigned to the user
mysql_query:
<<: *mysql_params
query: "SHOW {{ what }} '{{ user_name_1}}'@'localhost'"
register: result
vars:
what: "{{ 'GRANTS FOR' if old_user_mgmt else 'CREATE USER' }}"
# - name: Issue-121 | Assert error granting privileges
# assert:
# that:
# - result is not changed
- assert:
that:
- result is succeeded and 'REQUIRE SSL' in (result.query_result | string)
# Disabled on stable-1 because:
# - It doesn't work on stable-1, it's always changed
# - name: >-
# Issue-121 | Create user with both REQUIRESSL privilege and an incompatible
# tls_requires option
# mysql_user:
# <<: *mysql_params
# name: "{{ user_name_1 }}"
# host: '{{ gateway_addr }}'
# password: "{{ user_password_1 }}"
# priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
# tls_requires:
# X509:
- name: create user with equivalent ssl requirement in tls_requires (expect unchanged)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,GRANT'
tls_requires:
SSL:
register: result
# - name: Issue-121 | Create same user again without REQUIRESSL privilege
# mysql_user:
# <<: *mysql_params
# name: "{{ user_name_1 }}"
# password: "{{ user_password_1 }}"
# priv: '*.*:SELECT,CREATE USER,GRANT'
# tls_requires:
# X509:
# register: result
# ignore_errors: true
- assert:
that:
- result is not changed
# - name: >-
# Issue-121 | Assert error granting privileges with incompatible tls_requires
# option
# assert:
# that:
# - result is not changed
- name: create the same user again, with REQUIRESSL privilege once more
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
register: result
- assert:
that:
- result is not changed
- name: create user with both REQUIRESSL privilege and an incompatible tls_requires option
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
tls_requires:
X509:
- name: create same user again without REQUIRESSL privilege
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,GRANT'
tls_requires:
X509:
register: result
- assert:
that: result is not changed
- name: Drop mysql user
- name: Issue-121 | Teardown | Drop mysql user
mysql_user:
<<: *mysql_params
name: '{{ item }}'
host: 127.0.0.1
host_all: true
state: absent
with_items:
- "{{ user_name_1 }}"

0
tests/integration/targets/test_mysql_user/tasks/issue-265.yml Normal file
View file

52
tests/integration/targets/test_mysql_user/tasks/issue-28.yml
View file

@ -9,81 +9,87 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
when: tls_enabled
block:
# ============================================================
- name: get server certificate
- name: Issue-28 | Setup | Get server certificate
copy:
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect localhost:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect {{ mysql_host }}:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
dest: /tmp/cert.pem
delegate_to: localhost
- name: Drop mysql user if exists
- name: Issue-28 | Setup | Drop mysql user if exists
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
host_all: true
state: absent
ignore_errors: yes
ignore_errors: true
- name: create user with ssl requirement
- name: Issue-28 | Create user with ssl requirement
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
host: '{{ gateway_addr }}'
password: "{{ user_password_1 }}"
priv: '*.*:ALL,GRANT'
tls_requires:
SSL:
- name: attempt connection with newly created user (expect failure)
- name: Issue-28 | Attempt connection with newly created user (expect failure)
mysql_user:
name: "{{ user_name_2 }}"
password: "{{ user_password_2 }}"
host: 127.0.0.1
host: '{{ gateway_addr }}'
login_user: '{{ user_name_1 }}'
login_password: '{{ user_password_1 }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
ca_cert: /tmp/cert.pem
register: result
ignore_errors: yes
ignore_errors: true
- assert:
- name: Issue-28 | Assert connection failed
assert:
that:
- result is failed
when: connector_name is search('pymysql')
when:
- connector_name == 'pymysql'
- assert:
- name: Issue-28 | Assert connection succeeded
assert:
that:
- result is succeeded
when: connector_name is not search('pymysql')
when:
- connector_name != 'pymysql'
- name: attempt connection with newly created user ignoring hostname
- name: Issue-28 | Attempt connection with newly created user ignoring hostname
mysql_user:
name: "{{ user_name_2 }}"
password: "{{ user_password_2 }}"
host: 127.0.0.1
host: '{{ gateway_addr }}'
login_user: '{{ user_name_1 }}'
login_password: '{{ user_password_1 }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
ca_cert: /tmp/cert.pem
check_hostname: no
check_hostname: false
register: result
ignore_errors: yes
ignore_errors: true
- assert:
- name: Issue-28 | Assert connection succeeded
assert:
that:
- result is succeeded or 'pymysql >= 0.7.11 is required' in result.msg
- name: Drop mysql user
- name: Issue-28 | Drop mysql user
mysql_user:
<<: *mysql_params
name: '{{ item }}'
host: 127.0.0.1
host: '{{ gateway_addr }}'
state: absent
with_items:
- "{{ user_name_1 }}"

30
tests/integration/targets/test_mysql_user/tasks/issue-29511.yaml
View file

@ -3,12 +3,12 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Issue test setup - drop database
- name: Issue-29511 | test setup | drop database
mysql_db:
<<: *mysql_params
name: "{{ item }}"
@ -17,7 +17,7 @@
- foo
- bar
- name: Issue test setup - create database
- name: Issue-29511 | test setup | create database
mysql_db:
<<: *mysql_params
name: "{{ item }}"
@ -26,7 +26,7 @@
- foo
- bar
- name: Copy SQL scripts to remote
- name: Issue-29511 | Copy SQL scripts to remote
copy:
src: "{{ item }}"
dest: "{{ remote_tmp_dir }}/{{ item | basename }}"
@ -34,13 +34,13 @@
- create-function.sql
- create-procedure.sql
- name: Create function for test
- name: Issue-29511 | Create function for test
shell: "{{ mysql_command }} < {{ remote_tmp_dir }}/create-function.sql"
- name: Create procedure for test
- name: Issue-29511 | Create procedure for test
shell: "{{ mysql_command }} < {{ remote_tmp_dir }}/create-procedure.sql"
- name: Create user with FUNCTION and PROCEDURE privileges
- name: Issue-29511 | Create user with FUNCTION and PROCEDURE privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -49,13 +49,13 @@
priv: 'FUNCTION foo.function:EXECUTE/foo.*:SELECT/PROCEDURE bar.procedure:EXECUTE'
register: result
- name: Assert Create user with FUNCTION and PROCEDURE privileges
- name: Issue-29511 | Assert Create user with FUNCTION and PROCEDURE privileges
assert:
that:
- result is success
- result is changed
- name: Create user with FUNCTION and PROCEDURE privileges - Idempotent check
- name: Issue-29511 | Create user with FUNCTION and PROCEDURE privileges - Idempotent check
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -64,19 +64,13 @@
priv: 'FUNCTION foo.function:EXECUTE/foo.*:SELECT/PROCEDURE bar.procedure:EXECUTE'
register: result
- name: Assert Create user with FUNCTION and PROCEDURE privileges
- name: Issue-29511 | Assert Create user with FUNCTION and PROCEDURE privileges
assert:
that:
- result is success
- result is not changed
- name: Remove user
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
state: absent
- name: Issue test teardown - cleanup databases
- name: Issue-29511 | Test teardown | cleanup databases
mysql_db:
<<: *mysql_params
name: "{{ item }}"
@ -84,3 +78,5 @@
loop:
- foo
- bar
- include: utils/remove_user.yml user_name="{{ user_name_2 }}"

19
tests/integration/targets/test_mysql_user/tasks/issue-64560.yaml
View file

@ -3,47 +3,50 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Set root password
- name: Issue-64560 | Set root password
mysql_user:
<<: *mysql_params
name: root
host: '%'
password: '{{ root_password }}'
check_implicit_admin: yes
register: result
- name: assert root password is changed
- name: Issue-64560 | Assert root password is changed
assert:
that:
- result is changed
- name: Set root password again
- name: Issue-64560 | Set root password again
mysql_user:
login_user: '{{ mysql_user }}'
login_password: '{{ root_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
name: root
host: '%'
password: '{{ root_password }}'
check_implicit_admin: yes
register: result
- name: Assert root password is not changed
- name: Issue-64560 | Assert root password is not changed
assert:
that:
- result is not changed
- name: Set root password again
- name: Issue-64560 | Set root password again
mysql_user:
login_user: '{{ mysql_user }}'
login_password: '{{ root_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
name: root
host: '%'
password: '{{ mysql_password }}'
check_implicit_admin: yes
register: result

132
tests/integration/targets/test_mysql_user/tasks/main.yml
View file

@ -1,3 +1,4 @@
---
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
@ -24,15 +25,12 @@
# ============================================================
# create mysql user and verify user is added to mysql database
#
- name: alias mysql command to include default options
set_fact:
mysql_command: "mysql -u{{ mysql_user }} -p{{ mysql_password }} -P{{ mysql_primary_port }} --protocol=tcp"
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
@ -41,109 +39,49 @@
- include: issue-28.yml
- include: create_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: test_resource_limits.yml
- include: resource_limits.yml
- include: assert_user.yml user_name={{user_name_1}}
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: assert_no_user.yml user_name={{user_name_1}}
# ============================================================
# Create mysql user that already exist on mysql database
#
- include: create_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- name: create mysql user that already exist (expect changed=false)
mysql_user:
<<: *mysql_params
name: '{{user_name_1}}'
password: '{{user_password_1}}'
state: present
register: result
- name: assert output message mysql user was not created
assert:
that:
- result is not changed
# ============================================================
# remove mysql user and verify user is removed from mysql database
#
- name: remove mysql user state=absent (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
password: '{{ user_password_1 }}'
state: absent
register: result
- name: assert output message mysql user was removed
assert:
that:
- result is changed
- include: assert_no_user.yml user_name={{user_name_1}}
# ============================================================
# remove mysql user that does not exist on mysql database
#
- name: remove mysql user that does not exist state=absent (expect changed=false)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
password: '{{ user_password_1 }}'
state: absent
register: result
- name: assert output message mysql user that does not exist
assert:
that:
- result is not changed
- include: assert_no_user.yml user_name={{user_name_1}}
- include: test_idempotency.yml
# ============================================================
# Create user with no privileges and verify default privileges are assign
#
- name: create user with select privilege state=present (expect changed=true)
- name: create user with DEFAULT privilege state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
password: '{{ user_password_1 }}'
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: present
register: result
- include: assert_user.yml user_name={{user_name_1}} priv=USAGE
- include: utils/assert_user.yml user_name={{ user_name_1 }} user_host=localhost priv=USAGE
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: utils/remove_user.yml user_name={{ user_name_1 }}
- include: assert_no_user.yml user_name={{user_name_1}}
- include: utils/assert_no_user.yml user_name={{ user_name_1 }}
# ============================================================
# Create user with select privileges and verify select privileges are assign
#
- name: create user with select privilege state=present (expect changed=true)
- name: Create user with SELECT privilege state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
name: "{{ user_name_2 }}"
password: "{{ user_password_2 }}"
state: present
priv: '*.*:SELECT'
register: result
- include: assert_user.yml user_name={{user_name_2}} priv=SELECT
- include: utils/assert_user.yml user_name={{ user_name_2 }} user_host=localhost priv=SELECT
- include: remove_user.yml user_name={{user_name_2}} user_password={{ user_password_2 }}
- include: utils/remove_user.yml user_name={{ user_name_2 }}
- include: assert_no_user.yml user_name={{user_name_2}}
- include: utils/assert_no_user.yml user_name={{ user_name_2 }}
# ============================================================
# Assert user has access to multiple databases
#
- name: give users access to multiple databases
- name: Give users access to multiple databases
mysql_user:
<<: *mysql_params
name: '{{ item[0] }}'
@ -151,34 +89,34 @@
append_privs: yes
password: '{{ user_password_1 }}'
with_nested:
- [ '{{ user_name_1 }}', '{{ user_name_2 }}']
- ['{{ user_name_1 }}', '{{ user_name_2 }}']
- "{{db_names}}"
- name: show grants access for user1 on multiple database
- name: Show grants access for user1 on multiple database
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
register: result
- name: assert grant access for user1 on multiple database
- name: Assert grant access for user1 on multiple database
assert:
that:
- "'{{ item }}' in result.stdout"
with_items: "{{db_names}}"
with_items: "{{ db_names }}"
- name: show grants access for user2 on multiple database
- name: Show grants access for user2 on multiple database
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_2 }}'@'localhost'\""
register: result
- name: assert grant access for user2 on multiple database
- name: Assert grant access for user2 on multiple database
assert:
that:
- "'{{ item }}' in result.stdout"
with_items: "{{db_names}}"
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: utils/remove_user.yml user_name={{ user_name_1 }}
- include: remove_user.yml user_name={{user_name_2}} user_password={{ user_password_1 }}
- include: utils/remove_user.yml user_name={{ user_name_2 }}
- name: give user access to database via wildcard
- name: Give user SELECT access to database via wildcard
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -186,7 +124,7 @@
append_privs: yes
password: '{{ user_password_1 }}'
- name: show grants access for user1 on multiple database
- name: Show grants access for user1 on database via wildcard
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
register: result
@ -201,8 +139,8 @@
<<: *mysql_params
name: '{{ user_name_1 }}'
priv:
- unsuitable
- type
- unsuitable
- type
append_privs: yes
host_all: yes
password: '{{ user_password_1 }}'
@ -215,7 +153,7 @@
- result is failed
- result.msg is search('priv parameter must be str or dict')
- name: change user access to database via wildcard
- name: Change SELECT to INSERT for user access to database via wildcard
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -224,7 +162,7 @@
host_all: yes
password: '{{ user_password_1 }}'
- name: show grants access for user1 on multiple database
- name: Show grants access for user1 on database via wildcard
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
register: result
@ -234,7 +172,7 @@
- "'%db' in result.stdout"
- "'INSERT' in result.stdout"
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: utils/remove_user.yml user_name={{user_name_1}}
# ============================================================
# Test plaintext and encrypted password scenarios.
@ -246,7 +184,7 @@
#
# FIXME: mariadb sql syntax for create/update user is not compatible
- include: test_user_plugin_auth.yml
when: install_type == 'mysql'
when: db_engine == 'mysql'
# ============================================================
# Assert create user with SELECT privileges, attempt to create database and update privileges to create database
@ -277,7 +215,7 @@
- include: test_priv_append.yml enable_check_mode=yes
# Tests for the TLS requires dictionary
- include: tls_requirements.yml
- include: test_tls_requirements.yml
- import_tasks: issue-29511.yaml
tags:
@ -289,3 +227,5 @@
# https://github.com/ansible-collections/community.mysql/issues/231
- include: test_user_grants_with_roles_applied.yml
- include: test_revoke_only_grant.yml

74
tests/integration/targets/test_mysql_user/tasks/remove_user.yml
View file

@ -1,74 +0,0 @@
# test code to remove mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: remove mysql user {{user_name}}
mysql_user:
<<: *mysql_params
name: '{{user_name}}'
password: '{{user_password}}'
state: absent
register: result
- name: assert output message mysql user was removed
assert:
that:
- result is changed
# ============================================================
- name: create blank mysql user to be removed later
mysql_user:
<<: *mysql_params
name: ""
state: present
password: 'KJFDY&D*Sfuydsgf'
- name: remove blank mysql user with hosts=all (expect changed)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: assert changed is true for removing all blank users
assert:
that:
- result is changed
- name: remove blank mysql user with hosts=all (expect ok)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: assert changed is true for removing all blank users
assert:
that:
- result is not changed

84
tests/integration/targets/test_mysql_user/tasks/test_idempotency.yml Normal file
View file

@ -0,0 +1,84 @@
---
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ========================================================================
# Creation
# ========================================================================
- include: utils/create_user.yml user_name={{ user_name_1 }} user_password={{ user_password_1 }}
- name: Idempotency | Create user that already exist (expect changed=false)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: present
register: result
- name: Idempotency | Assert create user task is not changed
assert: {that: [result is not changed]}
# ========================================================================
# Removal
# ========================================================================
- name: Idempotency | Remove user (expect changed=true)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
state: absent
register: result
- name: Idempotency | Assert remove user task is changed
ansible.builtin.assert:
that:
- result is changed
- name: Idempotency | Remove user that doesn't exists (expect changed=false)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
state: absent
register: result
- name: Idempotency | Assert remove user task is not changed
ansible.builtin.assert:
that:
- result is not changed
# ========================================================================
# Removal with host_all
# ========================================================================
# Create blank user to be removed later
- include: utils/create_user.yml user_name="" user_password='KJFDY&D*Sfuysf'
- name: Idempotency | Remove blank user with hosts=all (expect changed)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: Idempotency | Assert removing all blank users is changed
ansible.builtin.assert:
that:
- result is changed
- name: Idempotency | Remove blank user with hosts=all (expect ok)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: Idempotency | Assert removing all blank users is not changed
ansible.builtin.assert:
that:
- result is not changed

74
tests/integration/targets/test_mysql_user/tasks/test_priv_append.yml
View file

@ -1,45 +1,48 @@
---
# Test code to ensure that appending privileges will not result in unnecessary changes when the current privileges
# are a superset of the new privileges that have been defined.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Create test databases
- name: Priv append | Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
state: present
loop:
- data1
- data2
- data1
- data2
- name: Create a user with an initial set of privileges
- name: Priv append | Create a user with an initial set of privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT,INSERT/data2.*:SELECT,DELETE'
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv append | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the initial set of privileges matches what is expected
- name: Priv append | Assert that the initial set of privileges matches what is expected
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
- name: Append privileges that are a subset of the current privileges, which should be a no-op
- name: Priv append | Append privileges that are a subset of the current privileges, which should be a no-op
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT/data2.*:SELECT'
append_privs: yes
@ -47,25 +50,26 @@
check_mode: '{{ enable_check_mode }}'
register: result
- name: Assert that there wasn't a change in permissions
- name: Priv append | Assert that there wasn't a change in permissions
assert:
that:
- result is not changed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv append | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions still match what was originally granted
- name: Priv append | Assert that the permissions still match what was originally granted
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
- name: Append privileges that are not included in the current set of privileges to test that privileges are updated
- name: Priv append | Append privileges that are not included in the current set of privileges to test that privileges are updated
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:DELETE/data2.*:SELECT'
append_privs: yes
@ -73,29 +77,51 @@
check_mode: '{{ enable_check_mode }}'
register: result
- name: Assert that there was a change because permissions were added to data1.*
- name: Priv append | Assert that there was a change because permissions were added to data1.*
assert:
that:
- result is changed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv append | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions were changed as expected if check_mode is set to 'no'
- name: Priv append | Assert that the permissions were changed as expected if check_mode is set to 'no'
assert:
that:
- "'GRANT SELECT, INSERT, DELETE ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
when: enable_check_mode == 'no'
- name: Assert that the permissions were not actually changed if check_mode is set to 'yes'
- name: Priv append | Assert that the permissions were not actually changed if check_mode is set to 'yes'
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
when: enable_check_mode == 'yes'
- name: Priv append | Try to append invalid privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:INVALID/data2.*:SELECT'
append_privs: yes
state: present
check_mode: '{{ enable_check_mode }}'
register: result
ignore_errors: true
- name: Priv append | Assert that there wasn't a change in privileges if check_mode is set to 'no'
assert:
that:
- result is failed
- >
'Error granting privileges' in result.msg
or 'invalid privileges string' in result.msg
when: enable_check_mode == 'no'
##########
# Clean up
- name: Drop test databases
@ -104,11 +130,7 @@
name: '{{ item }}'
state: present
loop:
- data1
- data2
- data1
- data2
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
state: absent
- include: utils/remove_user.yml user_name={{ user_name_4 }}

80
tests/integration/targets/test_mysql_user/tasks/test_priv_dict.yml
View file

@ -1,24 +1,25 @@
---
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# Tests for priv parameter value passed as a dict
- name: Create test databases
- name: Priv dict | Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
state: present
loop:
- data1
- data2
- data3
- data1
- data2
- data3
- name: Create user with privileges
- name: Priv dict | Create user with privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -28,7 +29,7 @@
"data2.*": "SELECT"
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
- name: Priv dict | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
@ -39,12 +40,12 @@
- "'GRANT SELECT ON `data2`.*' in result.stdout"
# Issue https://github.com/ansible-collections/community.mysql/issues/99
- name: Create test table test_table_issue99
- name: Priv dict | Create test table test_table_issue99
mysql_query:
<<: *mysql_params
query: "CREATE TABLE IF NOT EXISTS data3.test_table_issue99 (a INT, b INT, c INT)"
- name: Grant select on a column
- name: Priv dict | Grant select on a column
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -52,11 +53,12 @@
'data3.test_table_issue99': 'SELECT (a)'
register: result
- assert:
- name: Priv dict | Assert that select on a column is changed
assert:
that:
- result is changed
- result is changed
- name: Grant select on the column again
- name: Priv dict | Grant select on the column again
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -64,12 +66,12 @@
'data3.test_table_issue99': 'SELECT (a)'
register: result
- assert:
- name: Priv dict | Assert that select on the column is not changed
assert:
that:
- result is not changed
- result is not changed
- name: Grant select on columns
- name: Priv dict | Grant select on columns
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -77,11 +79,12 @@
'data3.test_table_issue99': 'SELECT (a, b),INSERT'
register: result
- assert:
- name: Priv dict | Assert select on columns is changed
assert:
that:
- result is changed
- result is changed
- name: Grant select on columns again
- name: Priv dict | Grant select on columns again
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -89,11 +92,12 @@
'data3.test_table_issue99': 'SELECT (a, b),INSERT'
register: result
- assert:
- name: Priv dict | Assert that select on columns again is not changed
assert:
that:
- result is not changed
- result is not changed
- name: Grant privs on columns
- name: Priv dict | Grant privs on columns
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -101,11 +105,12 @@
'data3.test_table_issue99': 'SELECT (a, b), INSERT (a, b), UPDATE'
register: result
- assert:
- name: Priv dict | Assert that grant privs on columns is changed
assert:
that:
- result is changed
- result is changed
- name: Grant same privs on columns again, note that the column order is different
- name: Priv dict | Grant same privs on columns again, note that the column order is different
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -113,21 +118,22 @@
'data3.test_table_issue99': 'SELECT (a, b), UPDATE, INSERT (b, a)'
register: result
- assert:
- name: Priv dict | Assert that grants same privs with different order is not changed
assert:
that:
- result is not changed
- result is not changed
- name: Run command to show privileges for user (expect privileges in stdout)
- name: Priv dict | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
- name: Assert user has giving privileges
- name: Priv dict | Assert user has giving privileges
assert:
that:
- "'GRANT SELECT (`A`, `B`), INSERT (`A`, `B`), UPDATE' in result.stdout"
when: "'(`A`, `B`)' in result.stdout"
- name: Assert user has giving privileges
- name: Priv dict | Assert user has giving privileges
assert:
that:
- "'GRANT SELECT (A, B), INSERT (A, B), UPDATE' in result.stdout"
@ -135,18 +141,14 @@
##########
# Clean up
- name: Drop test databases
- name: Priv dict | Drop test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
state: present
loop:
- data1
- data2
- data3
- data1
- data2
- data3
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
state: absent
- include: utils/remove_user.yml user_name="{{ user_name_3 }}"

0
tests/integration/targets/test_mysql_user/tasks/test_priv_subtract.yml Normal file
View file

137
tests/integration/targets/test_mysql_user/tasks/test_privs.yml
View file

@ -1,3 +1,4 @@
---
# test code for privileges for mysql_user module
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
@ -20,56 +21,58 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: create user with basic select privileges
- name: Privs | Create user with basic select privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:SELECT'
state: present
when: current_append_privs == "yes"
- include: assert_user.yml user_name={{user_name_2}} priv='SELECT'
- include: utils/assert_user.yml user_name={{ user_name_2 }} user_host=% priv='SELECT'
when: current_append_privs == "yes"
- name: create user with current privileges (expect changed=true)
- name: Privs | Create user with current privileges (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:{{current_privilege}}'
append_privs: '{{current_append_privs}}'
priv: '*.*:{{ current_privilege }}'
append_privs: '{{ current_append_privs }}'
state: present
register: result
- name: assert output message for current privileges
- name: Privs | Assert output message for current privileges
assert:
that:
- result is changed
- name: run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{user_name_2}}'@'localhost'\""
- name: Privs | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{user_name_2}}'@'%'\""
register: result
- name: assert user has correct privileges
- name: Privs | Assert user has correct privileges
assert:
that:
- "'GRANT {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout"
- "'GRANT {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
when: current_append_privs == "no"
- name: assert user has correct privileges
- name: Privs | Assert user has correct privileges
assert:
that:
- "'GRANT SELECT, {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout"
- "'GRANT SELECT, {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
when: current_append_privs == "yes"
- name: create database using user current privileges
- name: Privs | Create database using user current privileges
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
@ -79,56 +82,59 @@
state: present
ignore_errors: true
- name: run command to test that database was not created
- name: Privs | Run command to test that database was not created
command: "{{ mysql_command }} -e \"show databases like '{{ db_name }}'\""
register: result
- name: assert database was not created
- name: Privs | Assert database was not created
assert:
that:
- "'{{ db_name }}' not in result.stdout"
- db_name not in result.stdout
# ============================================================
- name: Add privs to a specific table (expect changed)
- name: Privs | Add privs to a specific table (expect changed)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: 'jmainguy.jmainguy:ALL'
state: present
register: result
- name: Assert that priv changed
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Add privs to a specific table (expect ok)
- name: Privs | Add privs to a specific table (expect ok)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: 'jmainguy.jmainguy:ALL'
state: present
register: result
- name: Assert that priv did not change
- name: Privs | Assert that priv did not change
assert:
that:
- result is not changed
# ============================================================
- name: update user with all privileges
- name: Privs | Grant ALL to user {{ user_name_2 }}
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:ALL'
state: present
# - include: assert_user.yml user_name={{user_name_2}} priv='ALL PRIVILEGES'
# - include: utils/assert_user.yml user_name={{user_name_2}} user_host=% priv='ALL PRIVILEGES'
- name: create database using user
- name: Privs | Create database using user {{ user_name_2 }}
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
@ -137,10 +143,10 @@
name: '{{ db_name }}'
state: present
- name: run command to test database was created using user new privileges
- name: Privs | Run command to test database was created using user new privileges
command: "{{ mysql_command }} -e \"SHOW CREATE DATABASE {{ db_name }}\""
- name: drop database using user
- name: Privs | Drop database using user {{ user_name_2 }}
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
@ -150,37 +156,95 @@
state: absent
# ============================================================
- name: update user with a long privileges list (mysql has a special multiline grant output)
- name: Privs | Update user with a long privileges list (mysql has a special multiline grant output)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
register: result
- name: Assert that priv changed
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Test idempotency (expect ok)
- name: Privs | Test idempotency with a long privileges list (expect ok)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
register: result
- name: Assert that priv did not change
# FIXME: on mysql >=8 and mariadb >=10.5.2 there's always a change because
# the REPLICATION CLIENT privilege was renamed to BINLOG MONITOR
- name: Privs | Assert that priv did not change
assert:
that:
- result is not changed
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.2', '=='))
- include: utils/remove_user.yml user_name="{{ user_name_2 }}"
# ============================================================
- name: update user with invalid privileges
- name: Privs | Grant all privileges with grant option
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
priv: '*.*:ALL,GRANT'
state: present
register: result
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Privs | Collect user info by host
community.mysql.mysql_info:
<<: *mysql_params
filter: "users"
register: mysql_info_about_users
- name: Privs | Assert that 'GRANT' permission is present
assert:
that:
- mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'
# Disabled on stable-1 because always returns changed.
# - name: Privs | Test idempotency (expect ok)
# mysql_user:
# <<: *mysql_params
# name: '{{ user_name_2 }}'
# password: '{{ user_password_2 }}'
# priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
# state: present
# register: result
# # FIXME: on mysql >=8 there's always a change (ALL PRIVILEGES -> specific privileges)
# - name: Privs | Assert that priv did not change
# assert:
# that:
# - result is not changed
- name: Privs | Collect user info by host
community.mysql.mysql_info:
<<: *mysql_params
filter: "users"
register: mysql_info_about_users
- name: Privs | Assert that 'GRANT' permission is present (by host)
assert:
that:
- mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'
# ============================================================
- name: Privs | Update user with invalid privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -190,14 +254,9 @@
register: result
ignore_errors: yes
- name: Assert that priv did not change
- name: Privs | Assert that priv did not change
assert:
that:
- result is failed
- name: remove username
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
state: absent
- include: utils/remove_user.yml user_name="{{ user_name_2 }}"

31
tests/integration/targets/test_mysql_user/tasks/test_privs_issue_465.yml Normal file
View file

@ -0,0 +1,31 @@
---
# test code for privileges for mysql_user module - issue 465
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: Privs issue 465 | Create a user with parameters that will always cause an exception
mysql_user:
<<: *mysql_params
name: user_issue_465
password: a_test_password_465
priv: '*.{{ db_name }}:SELECT'
state: present
ignore_errors: true
register: result
- name: Privs issue 465 | Assert output message for current privileges
assert:
that:
- result is failed
- result.msg is search('invalid priv string')
- result.msg is search('params')
- result.msg is search('query')
- result.msg is search('exception')

54
tests/integration/targets/test_mysql_user/tasks/resource_limits.yml → tests/integration/targets/test_mysql_user/tasks/test_resource_limits.yml
View file

@ -1,20 +1,22 @@
---
# test code for resource_limits parameter
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Drop mysql user {{ user_name_1 }} if exists
- name: Resource limits | Drop mysql user {{ user_name_1 }} if exists
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
host_all: true
state: absent
- name: Create mysql user {{ user_name_1 }} with resource limits in check_mode
- name: Resource limits | Create mysql user {{ user_name_1 }} with resource limits in check_mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -26,11 +28,12 @@
check_mode: yes
register: result
- assert:
- name: Resource limits | Assert that create user with resource limits is changed
assert:
that:
- result is changed
- name: Create mysql user {{ user_name_1 }} with resource limits in actual mode
- name: Resource limits | Create mysql user {{ user_name_1 }} with resource limits in actual mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -45,19 +48,23 @@
that:
- result is changed
- name: Check
- name: Resource limits | Retrieve user
mysql_query:
<<: *mysql_params
query: >
SELECT User FROM mysql.user WHERE User = '{{ user_name_1 }}' AND Host = 'localhost'
AND max_questions = 10 AND max_connections = 5
SELECT User FROM mysql.user
WHERE User = '{{ user_name_1 }}'
AND Host = 'localhost'
AND max_questions = 10
AND max_connections = 5
register: result
- assert:
- name: Resource limits | Assert that rowcount is 1
assert:
that:
- result.rowcount[0] == 1
- result.rowcount[0] == 1
- name: Try to set the same limits again in check mode
- name: Resource limits | Try to set the same limits again in check mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -69,11 +76,12 @@
check_mode: yes
register: result
- assert:
- name: Resource limits | Assert that set same limits again is not changed
assert:
that:
- result is not changed
- name: Try to set the same limits again in actual mode
- name: Resource limits | Try to set the same limits again in actual mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -84,11 +92,12 @@
MAX_CONNECTIONS_PER_HOUR: 5
register: result
- assert:
- name: Resource limits | Assert that set same limits again in actual mode is not changed
assert:
that:
- result is not changed
- name: Change limits
- name: Resource limits | Change limits
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -99,19 +108,24 @@
MAX_CONNECTIONS_PER_HOUR: 5
register: result
- assert:
- name: Resource limits | Assert limits changed
assert:
that:
- result is changed
- name: Check
- name: Resource limits | Get user limits
mysql_query:
<<: *mysql_params
query: >
SELECT User FROM mysql.user WHERE User = '{{ user_name_1 }}' AND Host = 'localhost'
AND max_questions = 5 AND max_connections = 5
SELECT User FROM mysql.user
WHERE User = '{{ user_name_1 }}'
AND Host = 'localhost'
AND max_questions = 5
AND max_connections = 5
register: result
- assert:
- name: Resource limits | Assert limit row count
assert:
that:
- result.rowcount[0] == 1

50
tests/integration/targets/test_mysql_user/tasks/test_revoke_only_grant.yml Normal file
View file

@ -0,0 +1,50 @@
---
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- include: utils/remove_user.yml user_name={{ user_name_1 }}
- name: Revoke only grants | Create user with two grants
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
update_password: on_create
priv: '*.*:SELECT,GRANT'
- name: Revoke only grants | Revoke grant priv from db_user1
register: result
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
update_password: on_create
priv: '*.*:SELECT'
- name: Revoke only grants | Assert that db_user1 only have one priv left
assert:
that:
- result is not failed
- result is changed
- name: Revoke only grants | Update db_user1 again to test idempotence
register: result
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
update_password: on_create
priv: '*.*:SELECT'
- name: Revoke only grants | Assert that task is idempotent
assert:
that:
- result is succeeded
- result is not changed
always:
- include: utils/remove_user.yml user_name={{ user_name_1 }}

98
tests/integration/targets/test_mysql_user/tasks/tls_requirements.yml → tests/integration/targets/test_mysql_user/tasks/test_tls_requirements.yml
View file

@ -3,26 +3,12 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: find out the database version
mysql_info:
<<: *mysql_params
filter: version
register: db_version
- name: Drop mysql user {{ item }} if exists
mysql_user:
<<: *mysql_params
name: '{{ item }}'
state: absent
with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
- name: create user with TLS requirements in check mode (expect changed=true)
- name: Tls reqs | Create user with TLS requirements in check mode (expect changed=true)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
@ -32,14 +18,14 @@
check_mode: yes
register: result
- name: Assert check mode user create reports changed state
- name: Tls reqs | Assert check mode user create reports changed state
assert:
that:
- result is changed
- include: assert_no_user.yml user_name={{user_name_1}}
- include: utils/assert_no_user.yml user_name={{user_name_1}}
- name: create user with TLS requirements state=present (expect changed=true)
- name: Tls reqs | Create user with TLS requirements state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ item[0] }}'
@ -55,45 +41,49 @@
issuer: '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
- block:
- name: retrieve TLS requirements for users in old database version
- name: Tls reqs | Retrieve TLS requirements for users in old database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ item }}'@'localhost'\""
register: old_result
with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
- name: set old database separator
- name: Tls reqs | Set old database separator
set_fact:
separator: '\n'
# Semantically: when mysql version <= 5.6 or MariaDB version <= 10.1
when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
when:
- (db_engine == 'mysql' and db_version is version('5.6', '<='))
or (db_engine == 'mariadb' and db_version is version('10.1', '<='))
- block:
- name: retrieve TLS requirements for users in new database version
- name: Tls reqs | Retrieve TLS requirements for users in new database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ item }}'@'localhost'\""
register: new_result
with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
- name: set new database separator
- name: Tls reqs | Set new database separator
set_fact:
separator: 'PASSWORD'
# Semantically: when mysql version >= 5.7 or MariaDB version >= 10.2
when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10 or db_version.version.major == 10 and db_version.version.minor >= 2
when:
- (db_engine == 'mysql' and db_version is version('5.7', '>='))
or (db_engine == 'mariadb' and db_version is version('10.2', '>='))
- block:
- name: assert user1 TLS requirements
- name: Tls reqs | Assert user1 TLS requirements
assert:
that:
- "'SSL' in reqs"
vars:
- reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_1) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: assert user2 TLS requirements
- name: Tls reqs | Assert user2 TLS requirements
assert:
that:
- "'X509' in reqs"
vars:
- reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_2) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: assert user3 TLS requirements
- name: Tls reqs | Assert user3 TLS requirements
assert:
that:
- "'/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' in (reqs | select('contains', 'SUBJECT') | first)"
@ -104,7 +94,7 @@
# CentOS 6 uses an older version of jinja that does not provide the selectattr filter.
when: ansible_distribution != 'CentOS' or ansible_distribution_major_version != '6'
- name: modify user with TLS requirements state=present in check mode (expect changed=true)
- name: Tls reqs | Modify user with TLS requirements state=present in check mode (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -114,28 +104,32 @@
check_mode: yes
register: result
- name: Assert check mode user update reports changed state
- name: Tls reqs | Assert check mode user update reports changed state
assert:
that:
- result is changed
- name: retrieve TLS requirements for users in old database version
- name: Tls reqs | Retrieve TLS requirements for users in old database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ user_name_1 }}'@'localhost'\""
register: old_result
when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
when:
- (db_engine == 'mysql' and db_version is version('5.6', '<='))
or (db_engine == 'mariadb' and db_version is version('10.2', '<'))
- name: retrieve TLS requirements for users in new database version
- name: Tls reqs | Retrieve TLS requirements for users in new database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\""
register: new_result
when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10 or db_version.version.major == 10 and db_version.version.minor >= 2
when:
- (db_engine == 'mysql' and db_version is version('5.7', '>='))
or (db_engine == 'mariadb' and db_version is version('10.2', '>='))
- name: assert user1 TLS requirements was not changed
- name: Tls reqs | Assert user1 TLS requirements was not changed
assert:
that: "'SSL' in reqs"
vars:
- reqs: "{{(old_result is skipped | ternary(new_result, old_result)).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: modify user with TLS requirements state=present (expect changed=true)
- name: Tls reqs | Modify user with TLS requirements state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -143,45 +137,49 @@
tls_requires:
X509:
- name: retrieve TLS requirements for users in old database version
- name: Tls reqs | Retrieve TLS requirements for users in old database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ user_name_1 }}'@'localhost'\""
register: old_result
when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
when:
- (db_engine == 'mysql' and db_version is version('5.6', '<='))
or (db_engine == 'mariadb' and db_version is version('10.2', '<'))
- name: retrieve TLS requirements for users in new database version
- name: Tls reqs | Retrieve TLS requirements for users in new database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\""
register: new_result
when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10 or db_version.version.major == 10 and db_version.version.minor >= 2
when:
- (db_engine == 'mysql' and db_version is version('5.7', '>='))
or (db_engine == 'mariadb' and db_version is version('10.2', '>='))
- name: assert user1 TLS requirements
- name: Tls reqs | Assert user1 TLS requirements
assert:
that: "'X509' in reqs"
vars:
- reqs: "{{(old_result is skipped | ternary(new_result, old_result)).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: remove TLS requirements from user (expect changed=true)
- name: Tls reqs | Remove TLS requirements from user (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
password: '{{ user_password_1 }}'
tls_requires:
- name: retrieve TLS requirements for users
- name: Tls reqs | Retrieve TLS requirements for users
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\""
register: result
- name: assert user1 TLS requirements
- name: Tls reqs | Assert user1 TLS requirements
assert:
that: "'REQUIRE ' not in result.stdout or 'REQUIRE NONE' in result.stdout"
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: utils/remove_user.yml user_name={{user_name_1}}
- include: remove_user.yml user_name={{user_name_2}} user_password={{ user_password_1 }}
- include: utils/remove_user.yml user_name={{user_name_2}}
- include: remove_user.yml user_name={{user_name_3}} user_password={{ user_password_1 }}
- include: utils/remove_user.yml user_name={{user_name_3}}
- include: assert_no_user.yml user_name={{user_name_1}}
- include: utils/assert_no_user.yml user_name={{user_name_1}}
- include: assert_no_user.yml user_name={{user_name_2}}
- include: utils/assert_no_user.yml user_name={{user_name_2}}
- include: assert_no_user.yml user_name={{user_name_3}}
- include: utils/assert_no_user.yml user_name={{user_name_3}}

129
tests/integration/targets/test_mysql_user/tasks/test_update_password.yml Normal file
View file

@ -0,0 +1,129 @@
---
# Tests scenarios for both plaintext and encrypted user passwords.
- vars:
mysql_parameters:
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
test_password1: kbB9tcx5WOGVGfzV
test_password1_hash: '*AF6A7F9D038475C17EE46564F154104877EE5037'
test_password2: XBYjpHmjIctMxl1y
test_password2_hash: '*9E22D1B35C68BDDF398B8F28AE482E5A865BAC0A'
test_password3: tem33JfR5Yx98BB
test_password3_hash: '*C7E7C2710702F20336F8D93BC0670C8FB66BDBC7'
block:
- include_tasks: utils/assert_user_password.yml
vars:
username: "{{ item.username }}"
host: "%"
update_password: "{{ item.update_password }}"
password: "{{ test_password1 }}"
expect_change: "{{ item.expect_change }}"
expect_password_change: "{{ item.expect_change }}"
expect_password_hash: "{{ test_password1_hash }}"
loop:
# all variants set the password when nothing exists
- username: test1
update_password: always
expect_change: true
- username: test2
update_password: on_create
expect_change: true
- username: test3
update_password: on_new_username
expect_change: true
# assert idempotency
- username: test1
update_password: always
expect_change: false
- username: test2
update_password: on_create
expect_change: false
- username: test3
update_password: on_new_username
expect_change: false
# same user, new password
- include_tasks: utils/assert_user_password.yml
vars:
username: "{{ item.username }}"
host: "%"
update_password: "{{ item.update_password }}"
password: "{{ test_password2 }}"
expect_change: "{{ item.expect_change }}"
expect_password_change: "{{ item.expect_change }}"
expect_password_hash: "{{ item.expect_password_hash }}"
loop:
- username: test1
update_password: always
expect_change: true
expect_password_hash: "{{ test_password2_hash }}"
- username: test2
update_password: on_create
expect_change: false
expect_password_hash: "{{ test_password1_hash }}"
- username: test3
update_password: on_new_username
expect_change: false
expect_password_hash: "{{ test_password1_hash }}"
# new user, new password
- include_tasks: utils/assert_user_password.yml
vars:
username: "{{ item.username }}"
host: '::1'
update_password: "{{ item.update_password }}"
password: "{{ item.password }}"
expect_change: "{{ item.expect_change }}"
expect_password_change: "{{ item.expect_password_change }}"
expect_password_hash: "{{ item.expect_password_hash }}"
loop:
- username: test1
update_password: always
expect_change: true
expect_password_change: true
password: "{{ test_password1 }}"
expect_password_hash: "{{ test_password1_hash }}"
- username: test2
update_password: on_create
expect_change: true
expect_password_change: true
password: "{{ test_password2 }}"
expect_password_hash: "{{ test_password2_hash }}"
- username: test3
update_password: on_new_username
expect_change: true
expect_password_change: false
password: "{{ test_password2 }}"
expect_password_hash: "{{ test_password1_hash }}"
# prepare for next test: ensure all users have varying passwords
- username: test3
update_password: always
expect_change: true
expect_password_change: true
password: "{{ test_password2 }}"
expect_password_hash: "{{ test_password2_hash }}"
# another new user, another new password and multiple existing users with varying passwords
- include_tasks: utils/assert_user_password.yml
vars:
username: "{{ item.username }}"
host: '2001:db8::1'
update_password: "{{ item.update_password }}"
password: "{{ test_password3 }}"
expect_change: true
expect_password_change: true
expect_password_hash: "{{ test_password3_hash }}"
loop:
- username: test1
update_password: always
- username: test2
update_password: on_create
- username: test3
update_password: on_new_username

47
tests/integration/targets/test_mysql_user/tasks/test_user_grants_with_roles_applied.yml
View file

@ -1,31 +1,30 @@
---
# https://github.com/ansible-collections/community.mysql/issues/231
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Get server version
mysql_info:
<<: *mysql_params
register: srv
# Skip unsupported versions
- meta: end_play
when: srv['version']['major'] < 8
- name: User grants with roles applied | Skip unsupported versions
meta: end_play
when:
- db_engine == 'mysql'
- db_version is version('8.0.0', '<')
- name: Create test databases
- name: User grants with roles applied | Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
state: present
loop:
- data1
- data2
- data1
- data2
- name: Create user with privileges
- name: User grants with roles applied | Create user with privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -35,7 +34,7 @@
"data2.*": "SELECT"
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
- name: User grants with roles applied | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
@ -56,7 +55,7 @@
<<: *mysql_params
query: 'GRANT test231 TO {{ user_name_3 }}@localhost'
- name: Try to change privs
- name: User grants with roles applied | Try to change privs
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -65,11 +64,11 @@
"data2.*": "INSERT"
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
- name: User grants with roles applied | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
- name: Assert user has giving privileges
- name: User grants with roles applied | Assert user has giving privileges
assert:
that:
- "'GRANT INSERT ON `data1`.*' in result.stdout"
@ -77,20 +76,16 @@
##########
# Clean up
- name: Drop test databases
- name: User grants with roles applied | Drop test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
state: present
loop:
- data1
- data2
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
state: absent
loop:
- data1
- data2
- include: utils/remove_user.yml user_name={{ user_name_3 }}
- name: Drop test role
mysql_query:

110
tests/integration/targets/test_mysql_user/tasks/test_user_password.yml
View file

@ -1,10 +1,11 @@
---
# Tests scenarios for both plaintext and encrypted user passwords.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
test_user_name: 'test_user_password'
initial_password: 'a5C8SN*DBa0%a75sGz'
@ -20,23 +21,24 @@
# Test setting plaintext password and changing it.
#
- name: Create user with initial password
- name: Password | Create user with initial password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
password: '{{ initial_password }}'
priv: '{{ test_default_priv }}'
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created used creds
- name: Password | Get the MySQL version using the newly created used creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ initial_password }}'
@ -46,43 +48,45 @@
register: result
ignore_errors: true
- name: Assert that mysql_info was successful
- name: Password | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Run mysql_user again without any changes
- name: Password | Run mysql_user again without any changes
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
password: '{{ initial_password }}'
priv: '{{ test_default_priv }}'
name: "{{ test_user_name }}"
host: "%"
password: "{{ initial_password }}"
priv: "{{ test_default_priv }}"
state: present
register: result
- name: Assert that there weren't any changes because username/password didn't change
- name: Password | Assert that there weren't any changes because username/password didn't change
assert:
that:
- result is not changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Update the user password
- name: Password | Update the user password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
password: '{{ new_password }}'
name: "{{ test_user_name }}"
host: "%"
password: "{{ new_password }}"
state: present
register: result
- name: Assert that a change occurred because the password was updated
- name: Password | Assert that a change occurred because the password was updated
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version data using the original password (should fail)
- name: Password | Get the MySQL version data using the original password (should fail)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ initial_password }}'
@ -92,12 +96,12 @@
register: result
ignore_errors: true
- name: Assert that the mysql_info module failed because we used the old password
- name: Password | Assert that the mysql_info module failed because we used the old password
assert:
that:
- result is failed
- name: Get the MySQL version data using the new password (should work)
- name: Password | Get the MySQL version data using the new password (should work)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ new_password }}'
@ -107,19 +111,19 @@
register: result
ignore_errors: true
- name: Assert that the mysql_info module succeeded because we used the new password
- name: Password | Assert that the mysql_info module succeeded because we used the new password
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ new_password }}
- include: utils/remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test setting a plaintext password and then the same password encrypted to ensure there isn't a change detected.
#
- name: Create user with initial password
- name: Password | Create user with initial password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
@ -128,14 +132,14 @@
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=localhost priv={{ test_default_priv_type }}
- name: Pass in the same password as before, but in the encrypted form (no change expected)
- name: Password | Pass in the same password as before, but in the encrypted form (no change expected)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
@ -145,36 +149,37 @@
state: present
register: result
- name: Assert that there weren't any changes because username/password didn't change
- name: Password | Assert that there weren't any changes because username/password didn't change
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ new_password }}
- include: utils/remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test setting an encrypted password and then the same password in plaintext to ensure there isn't a change.
#
- name: Create user with initial password
- name: Password | Create user with initial password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: "%"
password: '{{ initial_password_encrypted }}'
encrypted: yes
priv: '{{ test_default_priv }}'
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version data using the new creds
- name: Password | Get the MySQL version data using the new creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ initial_password }}'
@ -184,60 +189,62 @@
register: result
ignore_errors: true
- name: Assert that the mysql_info module succeeded because we used the new password
- name: Password | Assert that the mysql_info module succeeded because we used the new password
assert:
that:
- result is succeeded
- name: Pass in the same password as before, but in the encrypted form (no change expected)
- name: Password | Pass in the same password as before, but in the encrypted form (no change expected)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: "%"
password: '{{ initial_password }}'
state: present
register: result
- name: Assert that there weren't any changes because username/password didn't change
- name: Password | Assert that there weren't any changes because username/password didn't change
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ new_password }}
- include: utils/remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test setting an empty password.
#
- name: Create user with empty password
- name: Password | Create user with empty password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
priv: '{{ test_default_priv }}'
name: "{{ test_user_name }}"
host: "%"
priv: "{{ test_default_priv }}"
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- name: Get the MySQL version using an empty password for the newly created user
- name: Password | Get the MySQL version using an empty password for the newly created user
mysql_info:
login_user: '{{ test_user_name }}'
login_password: ''
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
login_user: "{{ test_user_name }}"
login_password: ""
login_host: "{{ mysql_host }}"
login_port: "{{ mysql_primary_port }}"
filter: version
register: result
ignore_errors: true
- name: Assert that mysql_info was successful
- name: Password | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Get the MySQL version using an non-empty password (should fail)
- name: Password | Get the MySQL version using an non-empty password (should fail)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: 'some_password'
@ -247,23 +254,24 @@
register: result
ignore_errors: true
- name: Assert that mysql_info failed
- name: Password | Assert that mysql_info failed
assert:
that:
- result is failed
- name: Update the user without changing the password
- name: Password | Update the user without changing the password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: "%"
priv: '{{ test_default_priv }}'
state: present
register: result
- name: Assert that the user wasn't changed because the password is still empty
- name: Password | Assert that the user wasn't changed because the password is still empty
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password=''
- include: utils/remove_user.yml user_name={{ test_user_name }}

233
tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml
View file

@ -1,10 +1,11 @@
---
# Test user plugin auth scenarios.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: 127.0.0.1
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
test_user_name: 'test_user_plugin_auth'
test_plugin_type: 'mysql_native_password'
@ -21,33 +22,34 @@
# Test plugin auth initially setting a hash and then changing to a different hash.
#
- name: Create user with plugin auth (with hash string)
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = 'localhost'\""
- name: Plugin auth | Get user information (with hash string)
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -56,27 +58,28 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Update the user with a different hash
- name: Plugin auth | Update the user with a different hash
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_new_hash }}'
register: result
- name: Check that the module makes the change because the hash changed
- name: Plugin auth | Check that the module makes the change because the hash changed
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Getting the MySQL info with the new password should work
- name: Plugin auth | Getting the MySQL info with the new password should work
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_new_auth_string }}'
@ -85,45 +88,46 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_new_auth_string }}
- include: utils/remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth initially setting a hash and then switching to a plaintext auth string.
#
- name: Create user with plugin auth (with hash string)
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = 'localhost'\""
- name: Plugin auth | Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -132,43 +136,45 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Update the user with the same hash (no change expected)
- name: Plugin auth | Update the user with the same hash (no change expected)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
register: result
# FIXME: on mariadb 10.2 there's always a change
- name: Check that the module doesn't make a change when the same hash is passed in
- name: Plugin auth | Check that the module doesn't make a change when the same hash is passed in
assert:
that:
- result is not changed
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Change the user using the same plugin, but switch to the same auth string in plaintext form
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in plaintext form
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_auth_string: '{{ test_plugin_auth_string }}'
register: result
# Expecting a change is currently by design (see comment in source).
- name: Check that the module did not change the password
- name: Plugin auth | Check that the module did not change the password
assert:
that:
- result is changed
- name: Getting the MySQL info should still work
- name: Plugin auth | Getting the MySQL info should still work
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -177,45 +183,46 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
- include: utils/remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth initially setting a plaintext auth string and then switching to a hash.
#
- name: Create user with plugin auth (with auth string)
- name: Plugin auth | Create user with plugin auth (with auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_auth_string: '{{ test_plugin_auth_string }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
- name: Plugin auth | Get user information(with auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (with auth string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (with auth string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.3', '>='))
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -224,42 +231,44 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Update the user with the same auth string
- name: Plugin auth | Update the user with the same auth string
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_auth_string: '{{ test_plugin_auth_string }}'
register: result
# This is the current expected behavior because there isn't a reliable way to hash the password in the mysql_user
# module in order to be able to compare this password with the stored hash. See the source for more info.
- name: The module should detect a change even though the password is the same
- name: Plugin auth | The module should detect a change even though the password is the same
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Change the user using the same plugin, but switch to the same auth string in hash form
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in hash form
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
register: result
- name: Check that the module did not change the password
- name: Plugin auth | Check that the module did not change the password
assert:
that:
- result is not changed
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -268,44 +277,45 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
- include: utils/remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth with an empty auth string.
#
- name: Create user with plugin auth (empty auth string)
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using an empty password for the newly created user
- name: Plugin auth | Get the MySQL version using an empty password for the newly created user
mysql_info:
login_user: '{{ test_user_name }}'
login_password: ''
@ -315,12 +325,12 @@
register: result
ignore_errors: true
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Get the MySQL version using an non-empty password (should fail)
- name: Plugin auth | Get the MySQL version using an non-empty password (should fail)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: 'some_password'
@ -330,91 +340,92 @@
register: result
ignore_errors: true
- name: Assert that mysql_info failed
- name: Plugin auth | Assert that mysql_info failed
assert:
that:
- result is failed
- name: Update the user without changing the auth mechanism
- name: Plugin auth | Update the user without changing the auth mechanism
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
state: present
register: result
- name: Assert that the user wasn't changed because the auth string is still empty
- name: Plugin auth | Assert that the user wasn't changed because the auth string is still empty
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
- include: utils/remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth switching from one type of plugin to another without an auth string or hash. The only other
# plugins that are loaded by default are sha2*, but these aren't compatible with pymysql < 0.9, so skip these tests
# for those versions.
#
- name: Test plugin auth switching which doesn't work on pymysql < 0.9
- name: Plugin auth | Test plugin auth switching which doesn't work on pymysql < 0.9
when:
- >
connector_name is not search('pymysql')
connector_name != 'pymysql'
or (
connector_name is search('pymysql')
and connector_ver is version('0.9', '>=')
connector_name == 'pymysql'
and connector_version is version('0.9', '>=')
)
block:
- name: Create user with plugin auth (empty auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: '{{ test_plugin_type }}'
priv: '{{ test_default_priv }}'
register: result
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: '{{ test_plugin_type }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Check that the module made a change
assert:
that:
- result is changed
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.3', '>='))
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
that:
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=localhost priv={{ test_default_priv_type }}
- name: Switch user to sha256_password auth plugin
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: sha256_password
priv: '{{ test_default_priv }}'
register: result
- name: Plugin auth | Switch user to sha256_password auth plugin
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: sha256_password
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Get user information (sha256_password)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Check that the module made a change
assert:
that:
- result is changed
- name: Plugin auth | Check that the module made a change (sha256_password)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
assert:
that:
- name: Plugin auth | Check that the expected plugin type is set (sha256_password)
assert:
that:
- "'sha256_password' in show_create_user.stdout"
when: install_type == 'mysql' or (install_type == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils/assert_user.yml user_name={{ test_user_name }} user_host=localhost priv={{ test_default_priv_type }}
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
# Cleanup
- include: utils/remove_user.yml user_name={{ test_user_name }}

8
tests/integration/targets/test_mysql_user/tasks/utils/assert_no_user.yml Normal file
View file

@ -0,0 +1,8 @@
---
- name: Utils | Assert no user | Query for user {{ user_name }}
command: "{{ mysql_command }} -e \"SELECT User FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: Utils | Assert no user | Assert mysql user is not present
assert:
that: user_name not in result.stdout

21
tests/integration/targets/test_mysql_user/tasks/utils/assert_user.yml Normal file
View file

@ -0,0 +1,21 @@
---
- name: Utils | Assert user | Query for user {{ user_name }}
command: "{{ mysql_command }} -e \"SELECT user FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: Utils | Assert user | Assert user is present
assert:
that:
- user_name in result.stdout
- name: Utils | Assert user | Query for privileges of user {{ user_name }}
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name }}'@'{{ user_host }}'\""
register: result
when: priv is defined
- name: Utils | Assert user | Assert user has given privileges
ansible.builtin.assert:
that:
- "'GRANT {{ priv }} ON *.*' in result.stdout"
when: priv is defined

12
tests/integration/targets/test_mysql_user/tasks/assert_user_password.yml → tests/integration/targets/test_mysql_user/tasks/utils/assert_user_password.yml
View file

@ -1,4 +1,5 @@
- name: "applying user {{ username }}@{{ host }} with update_password={{ update_password }}"
---
- name: Utils | Assert user password | Apply update_password to {{ username }}
mysql_user:
login_user: '{{ mysql_parameters.login_user }}'
login_password: '{{ mysql_parameters.login_password }}'
@ -10,15 +11,18 @@
password: "{{ password }}"
update_password: "{{ update_password }}"
register: result
- name: assert a change occurred
- name: Utils | Assert user password | Assert a change occurred
assert:
that:
- "result.changed | bool == {{ expect_change }} | bool"
- "result.password_changed == {{ expect_password_change }}"
- name: query the user
- name: Utils | Assert user password | Query user {{ username }}
command: "{{ mysql_command }} -BNe \"SELECT plugin, authentication_string FROM mysql.user where user='{{ username }}' and host='{{ host }}'\""
register: existing_user
- name: assert the password is as set to expect_hash
- name: Utils | Assert user password | Assert expect_hash is in user stdout
assert:
that:
- "'mysql_native_password\t{{ expect_password_hash }}' in existing_user.stdout_lines"

12
tests/integration/targets/test_mysql_user/tasks/utils/create_user.yml Normal file
View file

@ -0,0 +1,12 @@
---
- name: Utils | Create user {{ user_name }}
mysql_user:
login_user: "{{ mysql_user }}"
login_password: "{{ mysql_password }}"
login_host: "{{ mysql_host }}"
login_port: "{{ mysql_primary_port }}"
name: "{{ user_name }}"
host: "{{ user_host | default(omit) }}"
password: "{{ user_password }}"
state: present

12
tests/integration/targets/test_mysql_user/tasks/utils/remove_user.yml Normal file
View file

@ -0,0 +1,12 @@
---
- name: Utils | Remove user {{ user_name }}
mysql_user:
login_user: "{{ mysql_user }}"
login_password: "{{ mysql_password }}"
login_host: "{{ mysql_host }}"
login_port: "{{ mysql_primary_port }}"
name: "{{ user_name }}"
host_all: true
state: absent
ignore_errors: true