From 9cc277a60acbff44b8b1435113ec447c599fef75 Mon Sep 17 00:00:00 2001
From: Matthieu Bourgain
Date: Mon, 22 Apr 2024 18:44:21 +0200
Subject: [PATCH] [ci skip] fix change with hex
---
 plugins/module_utils/implementations/mysql/hash.py | 9 +++++++--
 plugins/module_utils/user.py | 8 ++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/plugins/module_utils/implementations/mysql/hash.py b/plugins/module_utils/implementations/mysql/hash.py
index 5761559..4fec3de 100644
--- a/plugins/module_utils/implementations/mysql/hash.py
+++ b/plugins/module_utils/implementations/mysql/hash.py
@@ -108,8 +108,8 @@ def _sha256_digest(key, salt, loops):
 return tmp
-def mysql_sha256_password_hash_hex(password, salt):
- """Return a MySQL compatible caching_sha2_password hash in hex format."""
+def mysql_sha256_password_hash(password, salt):
+ """Return a MySQL compatible caching_sha2_password hash in raw format."""
 if len(salt) != 20:
 raise ValueError("Salt must be 20 characters long.")
@@ -118,3 +118,8 @@ def mysql_sha256_password_hash_hex(password, salt):
 digest = _sha256_digest(password, salt, iteration)
 return "$A${0:>03}${1}{2}".format(count, salt, digest).encode().hex().upper()
+
+
+def mysql_sha256_password_hash_hex(password, salt):
+ """Return a MySQL compatible caching_sha2_password hash in hex format."""
+ return mysql_sha256_password_hash(password, salt).encode().hex().upper()
diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
index 7b2fa71..a8483f6 100644
--- a/plugins/module_utils/user.py
+++ b/plugins/module_utils/user.py
@@ -22,6 +22,7 @@ from ansible_collections.community.mysql.plugins.module_utils.mysql import (
 get_server_implementation,
 )
 from ansible_collections.community.mysql.plugins.module_utils.implementations.mysql.hash import (
+ mysql_sha256_password_hash,
 mysql_sha256_password_hash_hex,
 )
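Review bot: The new `mysql_sha256_password_hash` is documented as returning the raw hash, but the unchanged `return` line shown as context in the `@@ -118` hunk still ends in `.encode().hex().upper()`, so the added `mysql_sha256_password_hash_hex` wrapper hex-encodes a string that is already hex. To match the docstring the raw function should end with `return "$A${0:>03}${1}{2}".format(count, salt, digest)`. As it stands, the value appended after `0x` in the `elif salt:` hunk of user.py would decode to hex text rather than the `$A$...` string, and the comparison against `current_plugin[0]` in the `@@ -362` hunk is made against a hex string; which form `current_plugin[0]` holds is not visible here, so that comparison should be checked too. The function body spans both hash.py hunks, with lines between them outside the diff.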
@@ -362,8 +363,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 if salt:
 if plugin in ['caching_sha2_password', 'sha256_password']:
- generated_hash_string = mysql_sha256_password_hash_hex(password=plugin_auth_string, salt=salt)
- if current_plugin[0] != generated_hash_string:
+ if current_plugin[0] != mysql_sha256_password_hash(password=plugin_auth_string, salt=salt):
 update = True
 else:
 module.fail_json(msg="salt not handled for %s authentication plugin" % plugin)
@@ -376,6 +376,10 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 if plugin in ('pam', 'ed25519'):
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s USING %s", (user, host, plugin, plugin_auth_string)
 elif salt:
+ if plugin in ['caching_sha2_password', 'sha256_password']:
+ generated_hash_string = mysql_sha256_password_hash_hex(password=plugin_auth_string, salt=salt)
+ else:
+ module.fail_json(msg="salt not handled for %s authentication plugin" % plugin)
 query_with_args = ("ALTER USER %s@%s IDENTIFIED WITH %s AS 0x" + generated_hash_string), (user, host, plugin)
 else:
 query_with_args = "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
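Review bot: The `0x` literal in the `elif salt:` branch of the `@@ -376` hunk is assembled by string concatenation rather than passed as a bound parameter, so the statement is only safe while `generated_hash_string` contains hex digits and nothing else, and nothing at this site records that. A comment above the `query_with_args` line such as `# generated_hash_string is hex digits only (output of mysql_sha256_password_hash_hex), so appending it after 0x cannot alter the statement` would keep a later edit from substituting another value. The added `else: module.fail_json(...)` also appears to repeat the plugin check made in the earlier `if salt:` block; if that block always runs first this branch is unreachable, which is worth confirming. user_mod starts and ends outside both hunks.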