From 583407fbe2f9773665381cefc5c6c4610dcd16ea Mon Sep 17 00:00:00 2001 From: "E.S. Rosenberg a.k.a. Keeper of the Keys" Date: Tue, 4 Mar 2025 00:25:20 +0200 Subject: [PATCH] Add the locked attribute Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys --- plugins/module_utils/user.py | 29 +++++++++++++++-------------- plugins/modules/mysql_user.py | 8 +++++--- 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py index 665e113..ac18d8f 100644 --- a/plugins/module_utils/user.py +++ b/plugins/module_utils/user.py @@ -61,9 +61,8 @@ def user_is_locked(cursor, user, host, host_all): # Unless I am very much mistaken there should only be 1 answer to this query ever. result = cursor.fetchone() - for res in result.values(): - if res.endswith('ACCOUNT LOCK'): - return True + if result[0].endswith('ACCOUNT LOCK'): + return True return False @@ -176,7 +175,7 @@ def get_existing_authentication(cursor, user, host=None): def user_add(cursor, user, host, host_all, password, encrypted, plugin, plugin_hash_string, plugin_auth_string, salt, new_priv, attributes, tls_requires, reuse_existing_password, module, - password_expire, password_expire_interval): + password_expire, password_expire_interval, locked=False): # If attributes are set, perform a sanity check to ensure server supports user attributes before creating user if attributes and not get_attribute_support(cursor): module.fail_json(msg="user attributes were specified but the server does not support user attributes") @@ -266,8 +265,8 @@ def user_add(cursor, user, host, host_all, password, encrypted, cursor.execute("ALTER USER %s@%s ATTRIBUTE %s", (user, host, json.dumps(attributes))) final_attributes = attributes_get(cursor, user, host) -# if locked: -# cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host)) + if locked: + cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host)) return {'changed': True, 'password_changed': not used_existing_password, 'attributes': final_attributes} @@ -283,7 +282,7 @@ def is_hash(password): def user_mod(cursor, user, host, host_all, password, encrypted, plugin, plugin_hash_string, plugin_auth_string, salt, new_priv, append_privs, subtract_privs, attributes, tls_requires, module, - password_expire, password_expire_interval, role=False, maria_role=False): + password_expire, password_expire_interval, locked=False, role=False, maria_role=False): changed = False msg = "User unchanged" grant_option = False @@ -555,6 +554,15 @@ def user_mod(cursor, user, host, host_all, password, encrypted, if attribute_support: final_attributes = attributes_get(cursor, user, host) + if user_is_locked(cursor, user, host, False) != locked: + if locked: + cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host)) + msg = 'User locked' + else: + cursor.execute("ALTER USER %s@%s ACCOUNT UNLOCK", (user, host)) + msg = 'User unlocked' + changed = True + if role: continue @@ -578,13 +586,6 @@ def user_mod(cursor, user, host, host_all, password, encrypted, cursor.execute(*query_with_args) changed = True -# if user_is_locked(cursor, user, host, False) != locked: -# if locked: -# cursor.execute("ALTER USER %s@%s ACCOUNT LOCK", (user, host)) -# else: -# cursor.execute("ALTER USER %s@%s ACCOUNT UNLOCK", (user, host)) -# changed = True - return {'changed': changed, 'msg': msg, 'password_changed': password_changed, 'attributes': final_attributes} diff --git a/plugins/modules/mysql_user.py b/plugins/modules/mysql_user.py index 499f2a0..17d8315 100644 --- a/plugins/modules/mysql_user.py +++ b/plugins/modules/mysql_user.py @@ -470,6 +470,7 @@ def main(): column_case_sensitive=dict(type='bool', default=None), # TODO 4.0.0 add default=True password_expire=dict(type='str', choices=['now', 'never', 'default', 'interval'], no_log=True), password_expire_interval=dict(type='int', required_if=[('password_expire', 'interval', True)], no_log=True), + locked=dict(type='bool', default='no'), ) module = AnsibleModule( argument_spec=argument_spec, @@ -510,6 +511,7 @@ def main(): column_case_sensitive = module.params["column_case_sensitive"] password_expire = module.params["password_expire"] password_expire_interval = module.params["password_expire_interval"] + locked = module.boolean(module.params['locked']) if priv and not isinstance(priv, (str, dict)): module.fail_json(msg="priv parameter must be str or dict but %s was passed" % type(priv)) @@ -577,13 +579,13 @@ def main(): result = user_mod(cursor, user, host, host_all, password, encrypted, plugin, plugin_hash_string, plugin_auth_string, salt, priv, append_privs, subtract_privs, attributes, tls_requires, module, - password_expire, password_expire_interval) + password_expire, password_expire_interval, locked) else: result = user_mod(cursor, user, host, host_all, None, encrypted, None, None, None, None, priv, append_privs, subtract_privs, attributes, tls_requires, module, - password_expire, password_expire_interval) + password_expire, password_expire_interval, locked) changed = result['changed'] msg = result['msg'] password_changed = result['password_changed'] @@ -601,7 +603,7 @@ def main(): result = user_add(cursor, user, host, host_all, password, encrypted, plugin, plugin_hash_string, plugin_auth_string, salt, priv, attributes, tls_requires, reuse_existing_password, module, - password_expire, password_expire_interval) + password_expire, password_expire_interval, locked) changed = result['changed'] password_changed = result['password_changed'] final_attributes = result['attributes']