ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-07-29 16:11:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Refactor test_mysql_user to work with other host than localhost

Browse source
This commit is contained in:
Laurent Indermuehle 2023-01-05 18:04:12 +01:00
commit 9da866a7bf
No known key found for this signature in database
GPG key ID: 93FA944C9F34DD09
27 changed files with 675 additions and 758 deletions
Download patch file Download diff file Expand all files Collapse all files

27
tests/integration/targets/test_mysql_user/tasks/assert_no_user.yml
View file

@ -1,27 +0,0 @@
---
# test code to assert no mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# ============================================================
- name: run command to query for mysql user
command: "{{ mysql_command }} -e \"SELECT User FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: assert mysql user is not present
assert:
that: "'{{ user_name }}' not in result.stdout"

39
tests/integration/targets/test_mysql_user/tasks/assert_user.yml
View file

@ -1,39 +0,0 @@
---
# test code to assert mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# ============================================================
- name: run command to query for mysql user
command: "{{ mysql_command }} -e \"SELECT User FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: assert mysql user is present
assert:
that:
- "'{{ user_name }}' in result.stdout"
- name: run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name }}'@'localhost'\""
register: result
when: priv is defined
- name: assert user has giving privileges
assert:
that:
- "'GRANT {{priv}} ON *.*' in result.stdout"
when: priv is defined

47
tests/integration/targets/test_mysql_user/tasks/create_user.yml
View file

@ -1,47 +0,0 @@
---
# test code to create mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- vars:
mysql_parameters: &mysql_params
login_user: "{{ mysql_user }}"
login_password: "{{ mysql_password }}"
login_host: "{{ gateway_addr }}"
login_port: "{{ mysql_primary_port }}"
block:
- name: Drop mysql user if exists
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
state: absent
ignore_errors: yes
# ============================================================
- name: create mysql user {{user_name}}
mysql_user:
<<: *mysql_params
name: "{{ user_name }}"
password: "{{ user_password }}"
state: present
register: result
- name: assert output message mysql user was created
assert:
that:
- result is changed

48
tests/integration/targets/test_mysql_user/tasks/issue-121.yml
View file

@ -1,75 +1,73 @@
---
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: get server certificate
- name: Issue-121 | Setup | Get server certificate
copy:
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect localhost:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect {{ mysql_host }}:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
dest: /tmp/cert.pem
delegate_to: localhost
- name: get server version
mysql_info:
<<: *mysql_params
filter: version
register: db_version
- set_fact:
old_user_mgmt: "{{ db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2 | bool }}"
- name: Drop mysql user if exists
- name: Issue-121 | Drop mysql user if exists
mysql_user:
<<: *mysql_params
name: '{{ item }}'
host_all: true
state: absent
ignore_errors: yes
with_items:
ignore_errors: true
loop:
- "{{ user_name_1 }}"
- "{{ user_name_2 }}"
- name: create user with REQUIRESSL privilege (expect failure)
- name: Issue-121 | Create user with REQUIRESSL privilege (expect failure)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
register: result
ignore_errors: yes
ignore_errors: true
- assert:
- name: Issue-121 | Assert error granting privileges
assert:
that:
- result is failed
- result.msg is search('Error granting privileges')
- name: create user with both REQUIRESSL privilege and an incompatible tls_requires option
- name: >-
Issue-121 | Create user with both REQUIRESSL privilege and an incompatible
tls_requires option
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
host: '{{ gateway_addr }}'
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
tls_requires:
X509:
register: result
ignore_errors: yes
ignore_errors: true
- assert:
- name: >-
Issue-121 | Assert error granting privileges with incompatible tls_requires
option
assert:
that:
- result is failed
- result.msg is search('Error granting privileges')
- name: Drop mysql user
- name: Issue-121 | Teardown | Drop mysql user
mysql_user:
<<: *mysql_params
name: '{{ item }}'
host: '{{ gateway_addr }}'
host_all: true
state: absent
with_items:
- "{{ user_name_1 }}"

66
tests/integration/targets/test_mysql_user/tasks/issue-265.yml
View file

@ -3,20 +3,21 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Drop mysql user if exists
- name: Issue-265 | Drop mysql user if exists
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
host_all: true
state: absent
ignore_errors: yes
# Tests with force_context: yes
# Test user creation
- name: create mysql user {{ user_name_1 }}
- name: Issue-265 | Create mysql user {{ user_name_1 }}
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
@ -25,30 +26,31 @@
force_context: yes
register: result
- name: assert output message mysql user was created
- name: Issue-265 | Assert user was created
assert:
that:
- result is changed
- include: assert_user.yml user_name={{user_name_1}}
- include: utils_assert_user.yml user_name={{ user_name_1 }} user_host=localhost
# Test user removal
- name: remove mysql user {{user_name_1}}
- name: Issue-265 | remove mysql user {{ user_name_1 }}
mysql_user:
<<: *mysql_params
name: '{{user_name_1}}'
password: '{{user_password_1}}'
name: "{{ user_name_1 }}"
host_all: true
password: "{{ user_password_1 }}"
state: absent
force_context: yes
register: result
- name: assert output message mysql user was removed
- name: Issue-265 | Assert user was removed
assert:
that:
- result is changed
# Test blank user removal
- name: create blank mysql user to be removed later
- name: Issue-265 | Create blank mysql user to be removed later
mysql_user:
<<: *mysql_params
name: ""
@ -56,7 +58,7 @@
force_context: yes
password: 'KJFDY&D*Sfuydsgf'
- name: remove blank mysql user with hosts=all (expect changed)
- name: Issue-265 | Remove blank mysql user with hosts=all (expect changed)
mysql_user:
<<: *mysql_params
user: ""
@ -65,12 +67,12 @@
force_context: yes
register: result
- name: assert changed is true for removing all blank users
- name: Issue-265 | Assert changed is true for removing all blank users
assert:
that:
- result is changed
- name: remove blank mysql user with hosts=all (expect ok)
- name: Issue-265 | Remove blank mysql user with hosts=all (expect ok)
mysql_user:
<<: *mysql_params
user: ""
@ -79,57 +81,57 @@
state: absent
register: result
- name: assert changed is true for removing all blank users
- name: Issue-265 | Assert changed is true for removing all blank users
assert:
that:
- result is not changed
- include: assert_no_user.yml user_name={{user_name_1}}
- include: utils_assert_no_user.yml user_name={{user_name_1}}
# Tests with force_context: no
# Test user creation
- name: Drop mysql user if exists
- name: Issue-265 | Drop mysql user if exists
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
name: "{{ user_name_1 }}"
state: absent
ignore_errors: yes
# Tests with force_context: yes
# Test user creation
- name: create mysql user {{user_name_1}}
- name: Issue-265 | Create mysql user {{user_name_1}}
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
password: '{{ user_password_1 }}'
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: present
force_context: yes
register: result
- name: assert output message mysql user was created
- name: Issue-265 | Assert output message mysql user was created
assert:
that:
- result is changed
- include: assert_user.yml user_name={{user_name_1}}
- include: utils_assert_user.yml user_name={{ user_name_1 }} user_host=localhost
# Test user removal
- name: remove mysql user {{user_name_1}}
- name: Issue-265 | Remove mysql user {{ user_name_1 }}
mysql_user:
<<: *mysql_params
name: '{{user_name_1}}'
password: '{{user_password_1}}'
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: absent
force_context: no
register: result
- name: assert output message mysql user was removed
- name: Issue-265 | Assert output message mysql user was removed
assert:
that:
- result is changed
# Test blank user removal
- name: create blank mysql user to be removed later
- name: Issue-265 | Create blank mysql user to be removed later
mysql_user:
<<: *mysql_params
name: ""
@ -137,7 +139,7 @@
force_context: no
password: 'KJFDY&D*Sfuydsgf'
- name: remove blank mysql user with hosts=all (expect changed)
- name: Issue-265 | Remove blank mysql user with hosts=all (expect changed)
mysql_user:
<<: *mysql_params
user: ""
@ -146,12 +148,12 @@
force_context: no
register: result
- name: assert changed is true for removing all blank users
- name: Issue-265 | Assert changed is true for removing all blank users
assert:
that:
- result is changed
- name: remove blank mysql user with hosts=all (expect ok)
- name: Issue-265 | Remove blank mysql user with hosts=all (expect ok)
mysql_user:
<<: *mysql_params
user: ""
@ -160,9 +162,9 @@
state: absent
register: result
- name: assert changed is true for removing all blank users
- name: Issue-265 | Assert changed is true for removing all blank users
assert:
that:
- result is not changed
- include: assert_no_user.yml user_name={{ user_name_1 }}
- include: utils_assert_no_user.yml user_name={{ user_name_1 }}

35
tests/integration/targets/test_mysql_user/tasks/issue-28.yml
View file

@ -9,35 +9,37 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
when: tls_enabled
block:
# ============================================================
- name: get server certificate
- name: Issue-28 | Setup | Get server certificate
copy:
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect localhost:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect {{ mysql_host }}:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
dest: /tmp/cert.pem
delegate_to: localhost
- name: Drop mysql user if exists
- name: Issue-28 | Setup | Drop mysql user if exists
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
host_all: true
state: absent
ignore_errors: yes
ignore_errors: true
- name: create user with ssl requirement
- name: Issue-28 | Create user with ssl requirement
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
host: '{{ gateway_addr }}'
password: "{{ user_password_1 }}"
priv: '*.*:ALL,GRANT'
tls_requires:
SSL:
- name: attempt connection with newly created user (expect failure)
- name: Issue-28 | Attempt connection with newly created user (expect failure)
mysql_user:
name: "{{ user_name_2 }}"
password: "{{ user_password_2 }}"
@ -48,19 +50,21 @@
login_port: '{{ mysql_primary_port }}'
ca_cert: /tmp/cert.pem
register: result
ignore_errors: yes
ignore_errors: true
- assert:
- name: Issue-28 | Assert connection failed
assert:
that:
- result is failed
when: connector_name is search('pymysql')
- assert:
- name: Issue-28 | Assert connection succeeded
assert:
that:
- result is succeeded
when: connector_name is not search('pymysql')
- name: attempt connection with newly created user ignoring hostname
- name: Issue-28 | Attempt connection with newly created user ignoring hostname
mysql_user:
name: "{{ user_name_2 }}"
password: "{{ user_password_2 }}"
@ -70,15 +74,16 @@
login_host: '{{ gateway_addr }}'
login_port: '{{ mysql_primary_port }}'
ca_cert: /tmp/cert.pem
check_hostname: no
check_hostname: false
register: result
ignore_errors: yes
ignore_errors: true
- assert:
- name: Issue-28 | Assert connection succeeded
assert:
that:
- result is succeeded or 'pymysql >= 0.7.11 is required' in result.msg
- name: Drop mysql user
- name: Issue-28 | Drop mysql user
mysql_user:
<<: *mysql_params
name: '{{ item }}'

30
tests/integration/targets/test_mysql_user/tasks/issue-29511.yaml
View file

@ -3,12 +3,12 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Issue test setup - drop database
- name: Issue-29511 | test setup | drop database
mysql_db:
<<: *mysql_params
name: "{{ item }}"
@ -17,7 +17,7 @@
- foo
- bar
- name: Issue test setup - create database
- name: Issue-29511 | test setup | create database
mysql_db:
<<: *mysql_params
name: "{{ item }}"
@ -26,7 +26,7 @@
- foo
- bar
- name: Copy SQL scripts to remote
- name: Issue-29511 | Copy SQL scripts to remote
copy:
src: "{{ item }}"
dest: "{{ remote_tmp_dir }}/{{ item | basename }}"
@ -34,13 +34,13 @@
- create-function.sql
- create-procedure.sql
- name: Create function for test
- name: Issue-29511 | Create function for test
shell: "{{ mysql_command }} < {{ remote_tmp_dir }}/create-function.sql"
- name: Create procedure for test
- name: Issue-29511 | Create procedure for test
shell: "{{ mysql_command }} < {{ remote_tmp_dir }}/create-procedure.sql"
- name: Create user with FUNCTION and PROCEDURE privileges
- name: Issue-29511 | Create user with FUNCTION and PROCEDURE privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -49,13 +49,13 @@
priv: 'FUNCTION foo.function:EXECUTE/foo.*:SELECT/PROCEDURE bar.procedure:EXECUTE'
register: result
- name: Assert Create user with FUNCTION and PROCEDURE privileges
- name: Issue-29511 | Assert Create user with FUNCTION and PROCEDURE privileges
assert:
that:
- result is success
- result is changed
- name: Create user with FUNCTION and PROCEDURE privileges - Idempotent check
- name: Issue-29511 | Create user with FUNCTION and PROCEDURE privileges - Idempotent check
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -64,19 +64,13 @@
priv: 'FUNCTION foo.function:EXECUTE/foo.*:SELECT/PROCEDURE bar.procedure:EXECUTE'
register: result
- name: Assert Create user with FUNCTION and PROCEDURE privileges
- name: Issue-29511 | Assert Create user with FUNCTION and PROCEDURE privileges
assert:
that:
- result is success
- result is not changed
- name: Remove user
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
state: absent
- name: Issue test teardown - cleanup databases
- name: Issue-29511 | Test teardown | cleanup databases
mysql_db:
<<: *mysql_params
name: "{{ item }}"
@ -84,3 +78,5 @@
loop:
- foo
- bar
- include: utils_remove_user.yml user_name="{{ user_name_2 }}"

19
tests/integration/targets/test_mysql_user/tasks/issue-64560.yaml
View file

@ -3,47 +3,50 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Set root password
- name: Issue-64560 | Set root password
mysql_user:
<<: *mysql_params
name: root
host: '%'
password: '{{ root_password }}'
check_implicit_admin: yes
register: result
- name: assert root password is changed
- name: Issue-64560 | Assert root password is changed
assert:
that:
- result is changed
- name: Set root password again
- name: Issue-64560 | Set root password again
mysql_user:
login_user: '{{ mysql_user }}'
login_password: '{{ root_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
name: root
host: '%'
password: '{{ root_password }}'
check_implicit_admin: yes
register: result
- name: Assert root password is not changed
- name: Issue-64560 | Assert root password is not changed
assert:
that:
- result is not changed
- name: Set root password again
- name: Issue-64560 | Set root password again
mysql_user:
login_user: '{{ mysql_user }}'
login_password: '{{ root_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
name: root
host: '%'
password: '{{ mysql_password }}'
check_implicit_admin: yes
register: result

117
tests/integration/targets/test_mysql_user/tasks/main.yml
View file

@ -1,3 +1,4 @@
---
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
@ -29,7 +30,7 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
@ -38,74 +39,14 @@
- include: issue-28.yml
- include: create_user.yml user_name={{ user_name_1 }} user_password={{ user_password_1 }}
- include: test_resource_limits.yml
- include: resource_limits.yml
- include: assert_user.yml user_name={{ user_name_1 }}
- include: remove_user.yml user_name={{ user_name_1 }} user_password={{ user_password_1 }}
- include: assert_no_user.yml user_name={{ user_name_1 }}
# ============================================================
# Create mysql user that already exist on mysql database
#
- include: create_user.yml user_name={{ user_name_1 }} user_password={{ user_password_1 }}
- name: create mysql user that already exist (expect changed=false)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: present
register: result
- name: assert output message mysql user was not created
assert:
that:
- result is not changed
# ============================================================
# remove mysql user and verify user is removed from mysql database
#
- name: remove mysql user state=absent (expect changed=true)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: absent
register: result
- name: assert output message mysql user was removed
assert:
that:
- result is changed
- include: assert_no_user.yml user_name={{ user_name_1 }}
# ============================================================
# remove mysql user that does not exist on mysql database
#
- name: remove mysql user that does not exist state=absent (expect changed=false)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: absent
register: result
- name: assert output message mysql user that does not exist
assert:
that:
- result is not changed
- include: assert_no_user.yml user_name={{user_name_1}}
- include: test_idempotency.yml
# ============================================================
# Create user with no privileges and verify default privileges are assign
#
- name: create user with select privilege state=present (expect changed=true)
- name: create user with DEFAULT privilege state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
@ -113,16 +54,16 @@
state: present
register: result
- include: assert_user.yml user_name={{ user_name_1 }} priv=USAGE
- include: utils_assert_user.yml user_name={{ user_name_1 }} user_host=localhost priv=USAGE
- include: remove_user.yml user_name={{ user_name_1 }} user_password={{ user_password_1 }}
- include: utils_remove_user.yml user_name={{ user_name_1 }}
- include: assert_no_user.yml user_name={{ user_name_1 }}
- include: utils_assert_no_user.yml user_name={{ user_name_1 }}
# ============================================================
# Create user with select privileges and verify select privileges are assign
#
- name: create user with select privilege state=present (expect changed=true)
- name: Create user with SELECT privilege state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: "{{ user_name_2 }}"
@ -131,16 +72,16 @@
priv: '*.*:SELECT'
register: result
- include: assert_user.yml user_name={{user_name_2}} priv=SELECT
- include: utils_assert_user.yml user_name={{ user_name_2 }} user_host=localhost priv=SELECT
- include: remove_user.yml user_name={{ user_name_2 }} user_password={{ user_password_2 }}
- include: utils_remove_user.yml user_name={{ user_name_2 }}
- include: assert_no_user.yml user_name={{ user_name_2 }}
- include: utils_assert_no_user.yml user_name={{ user_name_2 }}
# ============================================================
# Assert user has access to multiple databases
#
- name: give users access to multiple databases
- name: Give users access to multiple databases
mysql_user:
<<: *mysql_params
name: '{{ item[0] }}'
@ -148,34 +89,34 @@
append_privs: yes
password: '{{ user_password_1 }}'
with_nested:
- [ '{{ user_name_1 }}', '{{ user_name_2 }}']
- ['{{ user_name_1 }}', '{{ user_name_2 }}']
- "{{db_names}}"
- name: show grants access for user1 on multiple database
- name: Show grants access for user1 on multiple database
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
register: result
- name: assert grant access for user1 on multiple database
- name: Assert grant access for user1 on multiple database
assert:
that:
- "'{{ item }}' in result.stdout"
with_items: "{{db_names}}"
with_items: "{{ db_names }}"
- name: show grants access for user2 on multiple database
- name: Show grants access for user2 on multiple database
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_2 }}'@'localhost'\""
register: result
- name: assert grant access for user2 on multiple database
- name: Assert grant access for user2 on multiple database
assert:
that:
- "'{{ item }}' in result.stdout"
with_items: "{{db_names}}"
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: utils_remove_user.yml user_name={{ user_name_1 }}
- include: remove_user.yml user_name={{user_name_2}} user_password={{ user_password_1 }}
- include: utils_remove_user.yml user_name={{ user_name_2 }}
- name: give user access to database via wildcard
- name: Give user SELECT access to database via wildcard
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -183,7 +124,7 @@
append_privs: yes
password: '{{ user_password_1 }}'
- name: show grants access for user1 on multiple database
- name: show grants access for user1 on database via wildcard
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
register: result
@ -198,8 +139,8 @@
<<: *mysql_params
name: '{{ user_name_1 }}'
priv:
- unsuitable
- type
- unsuitable
- type
append_privs: yes
host_all: yes
password: '{{ user_password_1 }}'
@ -212,7 +153,7 @@
- result is failed
- result.msg is search('priv parameter must be str or dict')
- name: change user access to database via wildcard
- name: Change SELECT to INSERT for user access to database via wildcard
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -221,7 +162,7 @@
host_all: yes
password: '{{ user_password_1 }}'
- name: show grants access for user1 on multiple database
- name: show grants access for user1 on database via wildcard
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
register: result
@ -231,7 +172,7 @@
- "'%db' in result.stdout"
- "'INSERT' in result.stdout"
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: utils_remove_user.yml user_name={{user_name_1}}
# ============================================================
# Test plaintext and encrypted password scenarios.
@ -283,7 +224,7 @@
- issue_465
# Tests for the TLS requires dictionary
- include: tls_requirements.yml
- include: test_tls_requirements.yml
- import_tasks: issue-29511.yaml
tags:

75
tests/integration/targets/test_mysql_user/tasks/remove_user.yml
View file

@ -1,75 +0,0 @@
---
# test code to remove mysql user
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: remove mysql user {{ user_name }}
mysql_user:
<<: *mysql_params
name: '{{ user_name }}'
password: '{{ user_password }}'
state: absent
register: result
- name: assert output message mysql user was removed
assert:
that:
- result is changed
# ============================================================
- name: create blank mysql user to be removed later
mysql_user:
<<: *mysql_params
name: ""
state: present
password: 'KJFDY&D*Sfuydsgf'
- name: remove blank mysql user with hosts=all (expect changed)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: assert changed is true for removing all blank users
assert:
that:
- result is changed
- name: remove blank mysql user with hosts=all (expect ok)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: assert changed is true for removing all blank users
assert:
that:
- result is not changed

84
tests/integration/targets/test_mysql_user/tasks/test_idempotency.yml Normal file
View file

@ -0,0 +1,84 @@
---
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ========================================================================
# Creation
# ========================================================================
- include: utils_create_user.yml user_name={{ user_name_1 }} user_password={{ user_password_1 }}
- name: Idempotency | Create user that already exist (expect changed=false)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
state: present
register: result
- name: Idempotency | Assert create user task is not changed
assert: {that: [result is not changed]}
# ========================================================================
# Removal
# ========================================================================
- name: Idempotency | Remove user (expect changed=true)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
state: absent
register: result
- name: Idempotency | Assert remove user task is changed
ansible.builtin.assert:
that:
- result is changed
- name: Idempotency | Remove user that doesn't exists (expect changed=false)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
state: absent
register: result
- name: Idempotency | Assert remove user task is not changed
ansible.builtin.assert:
that:
- result is not changed
# ========================================================================
# Removal with host_all
# ========================================================================
# Create blank user to be removed later
- include: utils_create_user.yml user_name="" user_password='KJFDY&D*Sfuysf'
- name: Idempotency | Remove blank user with hosts=all (expect changed)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: Idempotency | Assert removing all blank users is changed
ansible.builtin.assert:
that:
- result is changed
- name: Idempotency | Remove blank user with hosts=all (expect ok)
mysql_user:
<<: *mysql_params
user: ""
host_all: true
state: absent
register: result
- name: Idempotency | Assert removing all blank users is not changed
ansible.builtin.assert:
that:
- result is not changed

48
tests/integration/targets/test_mysql_user/tasks/test_priv_append.yml
View file

@ -5,12 +5,12 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Create test databases
- name: Priv append | Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
@ -19,28 +19,30 @@
- data1
- data2
- name: Create a user with an initial set of privileges
- name: Priv append | Create a user with an initial set of privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT,INSERT/data2.*:SELECT,DELETE'
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv append | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the initial set of privileges matches what is expected
- name: Priv append | Assert that the initial set of privileges matches what is expected
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
- name: Append privileges that are a subset of the current privileges, which should be a no-op
- name: Priv append | Append privileges that are a subset of the current privileges, which should be a no-op
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT/data2.*:SELECT'
append_privs: yes
@ -48,25 +50,26 @@
check_mode: '{{ enable_check_mode }}'
register: result
- name: Assert that there wasn't a change in permissions
- name: Priv append | Assert that there wasn't a change in permissions
assert:
that:
- result is not changed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv append | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions still match what was originally granted
- name: Priv append | Assert that the permissions still match what was originally granted
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
- name: Append privileges that are not included in the current set of privileges to test that privileges are updated
- name: Priv append | Append privileges that are not included in the current set of privileges to test that privileges are updated
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:DELETE/data2.*:SELECT'
append_privs: yes
@ -74,33 +77,34 @@
check_mode: '{{ enable_check_mode }}'
register: result
- name: Assert that there was a change because permissions were added to data1.*
- name: Priv append | Assert that there was a change because permissions were added to data1.*
assert:
that:
- result is changed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv append | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions were changed as expected if check_mode is set to 'no'
- name: Priv append | Assert that the permissions were changed as expected if check_mode is set to 'no'
assert:
that:
- "'GRANT SELECT, INSERT, DELETE ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
when: enable_check_mode == 'no'
- name: Assert that the permissions were not actually changed if check_mode is set to 'yes'
- name: Priv append | Assert that the permissions were not actually changed if check_mode is set to 'yes'
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- "'GRANT SELECT, DELETE ON `data2`.*' in result.stdout"
when: enable_check_mode == 'yes'
- name: Try to append invalid privileges
- name: Priv append | Try to append invalid privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:INVALID/data2.*:SELECT'
append_privs: yes
@ -109,7 +113,7 @@
register: result
ignore_errors: true
- name: Assert that there wasn't a change in privileges if check_mode is set to 'no'
- name: Priv append | Assert that there wasn't a change in privileges if check_mode is set to 'no'
assert:
that:
- result is failed
@ -127,8 +131,4 @@
- data1
- data2
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
state: absent
- include: utils_remove_user.yml user_name={{ user_name_4 }}

56
tests/integration/targets/test_mysql_user/tasks/test_priv_dict.yml
View file

@ -1,14 +1,15 @@
---
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# Tests for priv parameter value passed as a dict
- name: Create test databases
- name: Priv dict | Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
@ -18,7 +19,7 @@
- data2
- data3
- name: Create user with privileges
- name: Priv dict | Create user with privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -28,7 +29,7 @@
"data2.*": "SELECT"
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
- name: Priv dict | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
@ -39,12 +40,12 @@
- "'GRANT SELECT ON `data2`.*' in result.stdout"
# Issue https://github.com/ansible-collections/community.mysql/issues/99
- name: Create test table test_table_issue99
- name: Priv dict | Create test table test_table_issue99
mysql_query:
<<: *mysql_params
query: "CREATE TABLE IF NOT EXISTS data3.test_table_issue99 (a INT, b INT, c INT)"
- name: Grant select on a column
- name: Priv dict | Grant select on a column
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -52,11 +53,12 @@
'data3.test_table_issue99': 'SELECT (a)'
register: result
- assert:
- name: Priv dict | Assert that select on a column is changed
assert:
that:
- result is changed
- name: Grant select on the column again
- name: Priv dict | Grant select on the column again
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -64,12 +66,12 @@
'data3.test_table_issue99': 'SELECT (a)'
register: result
- assert:
- name: Priv dict | Assert that select on the column is not changed
assert:
that:
- result is not changed
- name: Grant select on columns
- name: Priv dict | Grant select on columns
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -77,11 +79,12 @@
'data3.test_table_issue99': 'SELECT (a, b),INSERT'
register: result
- assert:
- name: Priv dict | Assert select on columns is changed
assert:
that:
- result is changed
- name: Grant select on columns again
- name: Priv dict | Grant select on columns again
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -89,11 +92,12 @@
'data3.test_table_issue99': 'SELECT (a, b),INSERT'
register: result
- assert:
- name: Priv dict | Assert that select on columns again is not changed
assert:
that:
- result is not changed
- name: Grant privs on columns
- name: Priv dict | Grant privs on columns
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -101,11 +105,12 @@
'data3.test_table_issue99': 'SELECT (a, b), INSERT (a, b), UPDATE'
register: result
- assert:
- name: Priv dict | Assert that grant privs on columns is changed
assert:
that:
- result is changed
- name: Grant same privs on columns again, note that the column order is different
- name: Priv dict | Grant same privs on columns again, note that the column order is different
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -113,21 +118,22 @@
'data3.test_table_issue99': 'SELECT (a, b), UPDATE, INSERT (b, a)'
register: result
- assert:
- name: Priv dict | Assert that grants same privs with different order is not changed
assert:
that:
- result is not changed
- name: Run command to show privileges for user (expect privileges in stdout)
- name: Priv dict | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
- name: Assert user has giving privileges
- name: Priv dict | Assert user has giving privileges
assert:
that:
- "'GRANT SELECT (`A`, `B`), INSERT (`A`, `B`), UPDATE' in result.stdout"
when: "'(`A`, `B`)' in result.stdout"
- name: Assert user has giving privileges
- name: Priv dict | Assert user has giving privileges
assert:
that:
- "'GRANT SELECT (A, B), INSERT (A, B), UPDATE' in result.stdout"
@ -135,7 +141,7 @@
##########
# Clean up
- name: Drop test databases
- name: Priv dict | Drop test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
@ -145,8 +151,4 @@
- data2
- data3
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
state: absent
- include: utils_remove_user.yml user_name="{{ user_name_3 }}"

71
tests/integration/targets/test_mysql_user/tasks/test_priv_subtract.yml
View file

@ -4,12 +4,12 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Create test databases
- name: Priv substract | Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
@ -17,27 +17,29 @@
loop:
- data1
- name: Create a user with an initial set of privileges
- name: Priv substract | Create a user with an initial set of privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT,INSERT'
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv substract | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the initial set of privileges matches what is expected
- name: Priv substract | Assert that the initial set of privileges matches what is expected
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- name: Subtract privileges that are not in the current privileges, which should be a no-op
- name: Priv substract | Subtract privileges that are not in the current privileges, which should be a no-op
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:DELETE'
subtract_privs: yes
@ -45,24 +47,25 @@
check_mode: '{{ enable_check_mode }}'
register: result
- name: Assert that there wasn't a change in permissions
- name: Priv substract | Assert that there wasn't a change in permissions
assert:
that:
- result is not changed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv substract | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions still match what was originally granted
- name: Priv substract | Assert that the permissions still match what was originally granted
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
- name: Subtract existing and not-existing privileges, but not all
- name: Priv substract | Subtract existing and not-existing privileges, but not all
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:INSERT,DELETE'
subtract_privs: yes
@ -70,31 +73,32 @@
check_mode: '{{ enable_check_mode }}'
register: result
- name: Assert that there was a change because permissions were/would be revoked on data1.*
- name: Priv substract | Assert that there was a change because permissions were/would be revoked on data1.*
assert:
that:
- result is changed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv substract | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions were not changed if check_mode is set to 'yes'
- name: Priv substract | Assert that the permissions were not changed if check_mode is set to 'yes'
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
when: enable_check_mode == 'yes'
- name: Assert that only DELETE was revoked if check_mode is set to 'no'
- name: Priv substract | Assert that only DELETE was revoked if check_mode is set to 'no'
assert:
that:
- "'GRANT SELECT ON `data1`.*' in result.stdout"
when: enable_check_mode == 'no'
- name: Try to subtract invalid privileges
- name: Priv substract | Try to subtract invalid privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:INVALID'
subtract_privs: yes
@ -102,31 +106,32 @@
check_mode: '{{ enable_check_mode }}'
register: result
- name: Assert that there was no change because invalid permissions are ignored
- name: Priv substract | Assert that there was no change because invalid permissions are ignored
assert:
that:
- result is not changed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv substract | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions were not changed with check_mode=='yes'
- name: Priv substract | Assert that the permissions were not changed with check_mode=='yes'
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
when: enable_check_mode == 'yes'
- name: Assert that the permissions were not changed with check_mode=='no'
- name: Priv substract | Assert that the permissions were not changed with check_mode=='no'
assert:
that:
- "'GRANT SELECT ON `data1`.*' in result.stdout"
when: enable_check_mode == 'no'
- name: trigger failure by trying to subtract and append privileges at the same time
- name: Priv substract | Trigger failure by trying to subtract and append privileges at the same time
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
host: '%'
password: '{{ user_password_4 }}'
priv: 'data1.*:SELECT'
subtract_privs: yes
@ -136,22 +141,22 @@
register: result
ignore_errors: true
- name: Assert the previous execution failed
- name: Priv substract | Assert the previous execution failed
assert:
that:
- result is failed
- name: Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\""
- name: Priv substract | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'%'\""
register: result
- name: Assert that the permissions stayed the same, with check_mode=='yes'
- name: Priv substract | Assert that the permissions stayed the same, with check_mode=='yes'
assert:
that:
- "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout"
when: enable_check_mode == 'yes'
- name: Assert that the permissions stayed the same, with check_mode=='no'
- name: Priv substract | Assert that the permissions stayed the same, with check_mode=='no'
assert:
that:
- "'GRANT SELECT ON `data1`.*' in result.stdout"
@ -159,7 +164,7 @@
##########
# Clean up
- name: Drop test databases
- name: Priv substract | Drop test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
@ -167,8 +172,4 @@
loop:
- data1
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_4 }}'
state: absent
- include: utils_remove_user.yml user_name="{{ user_name_4 }}"

101
tests/integration/targets/test_mysql_user/tasks/test_privs.yml
View file

@ -21,56 +21,58 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: create user with basic select privileges
- name: Privs | Create user with basic select privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:SELECT'
state: present
when: current_append_privs == "yes"
- include: assert_user.yml user_name={{user_name_2}} priv='SELECT'
- include: utils_assert_user.yml user_name={{ user_name_2 }} user_host=% priv='SELECT'
when: current_append_privs == "yes"
- name: create user with current privileges (expect changed=true)
- name: Privs | Create user with current privileges (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:{{current_privilege}}'
append_privs: '{{current_append_privs}}'
priv: '*.*:{{ current_privilege }}'
append_privs: '{{ current_append_privs }}'
state: present
register: result
- name: assert output message for current privileges
- name: Privs | Assert output message for current privileges
assert:
that:
- result is changed
- name: run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{user_name_2}}'@'localhost'\""
- name: Privs | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{user_name_2}}'@'%'\""
register: result
- name: assert user has correct privileges
- name: Privs | Assert user has correct privileges
assert:
that:
- "'GRANT {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout"
- "'GRANT {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
when: current_append_privs == "no"
- name: assert user has correct privileges
- name: Privs | Assert user has correct privileges
assert:
that:
- "'GRANT SELECT, {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout"
- "'GRANT SELECT, {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
when: current_append_privs == "yes"
- name: create database using user current privileges
- name: Privs | Create database using user current privileges
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
@ -80,56 +82,59 @@
state: present
ignore_errors: true
- name: run command to test that database was not created
- name: Privs | Run command to test that database was not created
command: "{{ mysql_command }} -e \"show databases like '{{ db_name }}'\""
register: result
- name: assert database was not created
- name: Privs | Assert database was not created
assert:
that:
- "'{{ db_name }}' not in result.stdout"
- db_name not in result.stdout
# ============================================================
- name: Add privs to a specific table (expect changed)
- name: Privs | Add privs to a specific table (expect changed)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: 'jmainguy.jmainguy:ALL'
state: present
register: result
- name: Assert that priv changed
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Add privs to a specific table (expect ok)
- name: Privs | Add privs to a specific table (expect ok)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: 'jmainguy.jmainguy:ALL'
state: present
register: result
- name: Assert that priv did not change
- name: Privs | Assert that priv did not change
assert:
that:
- result is not changed
# ============================================================
- name: update user with all privileges
- name: Privs | Grant ALL to user {{ user_name_2 }}
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:ALL'
state: present
# - include: assert_user.yml user_name={{user_name_2}} priv='ALL PRIVILEGES'
# - include: utils_assert_user.yml user_name={{user_name_2}} user_host=% priv='ALL PRIVILEGES'
- name: create database using user
- name: Privs | Create database using user {{ user_name_2 }}
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
@ -138,10 +143,10 @@
name: '{{ db_name }}'
state: present
- name: run command to test database was created using user new privileges
- name: Privs | Run command to test database was created using user new privileges
command: "{{ mysql_command }} -e \"SHOW CREATE DATABASE {{ db_name }}\""
- name: drop database using user
- name: Privs | Drop database using user {{ user_name_2 }}
mysql_db:
login_user: '{{ user_name_2 }}'
login_password: '{{ user_password_2 }}'
@ -151,24 +156,26 @@
state: absent
# ============================================================
- name: update user with a long privileges list (mysql has a special multiline grant output)
- name: Privs | Update user with a long privileges list (mysql has a special multiline grant output)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
register: result
- name: Assert that priv changed
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Test idempotency with a long privileges list (expect ok)
- name: Privs | Test idempotency with a long privileges list (expect ok)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
host: '%'
password: '{{ user_password_2 }}'
priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
state: present
@ -176,20 +183,15 @@
# FIXME: on mysql >=8 and mariadb >=10.5.2 there's always a change because
# the REPLICATION CLIENT privilege was renamed to BINLOG MONITOR
- name: Assert that priv did not change
- name: Privs | Assert that priv did not change
assert:
that:
- result is not changed
- name: remove username
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
state: absent
- include: utils_remove_user.yml user_name="{{ user_name_2 }}"
# ============================================================
- name: grant all privileges with grant option
- name: Privs | Grant all privileges with grant option
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -198,23 +200,23 @@
state: present
register: result
- name: Assert that priv changed
- name: Privs | Assert that priv changed
assert:
that:
- result is changed
- name: Collect user info by host
- name: Privs | Collect user info by host
community.mysql.mysql_info:
<<: *mysql_params
filter: "users"
register: mysql_info_about_users
- name: Assert that 'GRANT' permission is present
- name: Privs | Assert that 'GRANT' permission is present
assert:
that:
- mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'
- name: Test idempotency (expect ok)
- name: Privs | Test idempotency (expect ok)
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -224,24 +226,24 @@
register: result
# FIXME: on mysql >=8 there's always a change (ALL PRIVILEGES -> specific privileges)
- name: Assert that priv did not change
- name: Privs | Assert that priv did not change
assert:
that:
- result is not changed
- name: Collect user info by host
- name: Privs | Collect user info by host
community.mysql.mysql_info:
<<: *mysql_params
filter: "users"
register: mysql_info_about_users
- name: Assert that 'GRANT' permission is present
- name: Privs | Assert that 'GRANT' permission is present (by host)
assert:
that:
- mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'
# ============================================================
- name: update user with invalid privileges
- name: Privs | Update user with invalid privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
@ -251,15 +253,10 @@
register: result
ignore_errors: yes
- name: Assert that priv did not change
- name: Privs | Assert that priv did not change
assert:
that:
- result is failed
- "'Error granting privileges' in result.msg"
- name: remove username
mysql_user:
<<: *mysql_params
name: '{{ user_name_2 }}'
password: '{{ user_password_2 }}'
state: absent
- include: utils_remove_user.yml user_name="{{ user_name_2 }}"

6
tests/integration/targets/test_mysql_user/tasks/test_privs_issue_465.yml
View file

@ -5,13 +5,13 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: create a user with parameters that will always cause an exception
- name: Privs issue 465 | Create a user with parameters that will always cause an exception
mysql_user:
<<: *mysql_params
name: user_issue_465
@ -21,7 +21,7 @@
ignore_errors: true
register: result
- name: assert output message for current privileges
- name: Privs issue 465 | Assert output message for current privileges
assert:
that:
- result is failed

52
tests/integration/targets/test_mysql_user/tasks/resource_limits.yml → tests/integration/targets/test_mysql_user/tasks/test_resource_limits.yml
View file

@ -4,18 +4,18 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Drop mysql user {{ user_name_1 }} if exists
- name: Resource limits | Drop mysql user {{ user_name_1 }} if exists
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
host_all: true
state: absent
- name: Create mysql user {{ user_name_1 }} with resource limits in check_mode
- name: Resource limits | Create mysql user {{ user_name_1 }} with resource limits in check_mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -27,11 +27,12 @@
check_mode: yes
register: result
- assert:
- name: Resource limits | Assert that create user with resource limits is changed
assert:
that:
- result is changed
- name: Create mysql user {{ user_name_1 }} with resource limits in actual mode
- name: Resource limits | Create mysql user {{ user_name_1 }} with resource limits in actual mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -46,19 +47,23 @@
that:
- result is changed
- name: Check
- name: Resource limits | Check
mysql_query:
<<: *mysql_params
query: >
SELECT User FROM mysql.user WHERE User = '{{ user_name_1 }}' AND Host = 'localhost'
AND max_questions = 10 AND max_connections = 5
SELECT User FROM mysql.user
WHERE User = '{{ user_name_1 }}'
AND Host = 'localhost'
AND max_questions = 10
AND max_connections = 5
register: result
- assert:
- name: Resource limits | Assert that rowcount is 1
assert:
that:
- result.rowcount[0] == 1
- result.rowcount[0] == 1
- name: Try to set the same limits again in check mode
- name: Resource limits | Try to set the same limits again in check mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -70,11 +75,12 @@
check_mode: yes
register: result
- assert:
- name: Resource limits | Assert that set same limits again is not changed
assert:
that:
- result is not changed
- name: Try to set the same limits again in actual mode
- name: Resource limits | Try to set the same limits again in actual mode
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -85,11 +91,12 @@
MAX_CONNECTIONS_PER_HOUR: 5
register: result
- assert:
- name: Resource limits | Assert that set same limits again in actual mode is not changed
assert:
that:
- result is not changed
- name: Change limits
- name: Resource limits | Change limits
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -100,19 +107,24 @@
MAX_CONNECTIONS_PER_HOUR: 5
register: result
- assert:
- name: Resource limits | Assert limits changed
assert:
that:
- result is changed
- name: Check
- name: Resource limits | Get user limits
mysql_query:
<<: *mysql_params
query: >
SELECT User FROM mysql.user WHERE User = '{{ user_name_1 }}' AND Host = 'localhost'
AND max_questions = 5 AND max_connections = 5
SELECT User FROM mysql.user
WHERE User = '{{ user_name_1 }}'
AND Host = 'localhost'
AND max_questions = 5
AND max_connections = 5
register: result
- assert:
- name: Resource limits | Assert limit row count
assert:
that:
- result.rowcount[0] == 1

64
tests/integration/targets/test_mysql_user/tasks/tls_requirements.yml → tests/integration/targets/test_mysql_user/tasks/test_tls_requirements.yml
View file

@ -3,26 +3,26 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
# ============================================================
- name: find out the database version
- name: Tls reqs | find out the database version
mysql_info:
<<: *mysql_params
filter: version
register: db_version
- name: Drop mysql user {{ item }} if exists
- name: Tls reqs | Drop mysql user {{ item }} if exists
mysql_user:
<<: *mysql_params
name: '{{ item }}'
state: absent
with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
- name: create user with TLS requirements in check mode (expect changed=true)
- name: Tls reqs | Create user with TLS requirements in check mode (expect changed=true)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
@ -32,14 +32,14 @@
check_mode: yes
register: result
- name: Assert check mode user create reports changed state
- name: Tls reqs | Assert check mode user create reports changed state
assert:
that:
- result is changed
- include: assert_no_user.yml user_name={{user_name_1}}
- include: utils_assert_no_user.yml user_name={{user_name_1}}
- name: create user with TLS requirements state=present (expect changed=true)
- name: Tls reqs | Create user with TLS requirements state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ item[0] }}'
@ -55,45 +55,45 @@
issuer: '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
- block:
- name: retrieve TLS requirements for users in old database version
- name: Tls reqs | Retrieve TLS requirements for users in old database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ item }}'@'localhost'\""
register: old_result
with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
- name: set old database separator
- name: Tls reqs | Set old database separator
set_fact:
separator: '\n'
# Semantically: when mysql version <= 5.6 or MariaDB version <= 10.1
when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
- block:
- name: retrieve TLS requirements for users in new database version
- name: Tls reqs | Retrieve TLS requirements for users in new database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ item }}'@'localhost'\""
register: new_result
with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
- name: set new database separator
- name: Tls reqs | Set new database separator
set_fact:
separator: 'PASSWORD'
# Semantically: when mysql version >= 5.7 or MariaDB version >= 10.2
when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10 or db_version.version.major == 10 and db_version.version.minor >= 2
- block:
- name: assert user1 TLS requirements
- name: Tls reqs | Assert user1 TLS requirements
assert:
that:
- "'SSL' in reqs"
vars:
- reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_1) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: assert user2 TLS requirements
- name: Tls reqs | Assert user2 TLS requirements
assert:
that:
- "'X509' in reqs"
vars:
- reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_2) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: assert user3 TLS requirements
- name: Tls reqs | Assert user3 TLS requirements
assert:
that:
- "'/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' in (reqs | select('contains', 'SUBJECT') | first)"
@ -104,7 +104,7 @@
# CentOS 6 uses an older version of jinja that does not provide the selectattr filter.
when: ansible_distribution != 'CentOS' or ansible_distribution_major_version != '6'
- name: modify user with TLS requirements state=present in check mode (expect changed=true)
- name: Tls reqs | Modify user with TLS requirements state=present in check mode (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -114,28 +114,28 @@
check_mode: yes
register: result
- name: Assert check mode user update reports changed state
- name: Tls reqs | Assert check mode user update reports changed state
assert:
that:
- result is changed
- name: retrieve TLS requirements for users in old database version
- name: Tls reqs | Retrieve TLS requirements for users in old database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ user_name_1 }}'@'localhost'\""
register: old_result
when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
- name: retrieve TLS requirements for users in new database version
- name: Tls reqs | Retrieve TLS requirements for users in new database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\""
register: new_result
when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10 or db_version.version.major == 10 and db_version.version.minor >= 2
- name: assert user1 TLS requirements was not changed
- name: Tls reqs | Assert user1 TLS requirements was not changed
assert:
that: "'SSL' in reqs"
vars:
- reqs: "{{(old_result is skipped | ternary(new_result, old_result)).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: modify user with TLS requirements state=present (expect changed=true)
- name: Tls reqs | Modify user with TLS requirements state=present (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
@ -143,45 +143,45 @@
tls_requires:
X509:
- name: retrieve TLS requirements for users in old database version
- name: Tls reqs | Retrieve TLS requirements for users in old database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ user_name_1 }}'@'localhost'\""
register: old_result
when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
- name: retrieve TLS requirements for users in new database version
- name: Tls reqs | Retrieve TLS requirements for users in new database version
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\""
register: new_result
when: db_version.version.major == 5 and db_version.version.minor >= 7 or db_version.version.major > 5 and db_version.version.major < 10 or db_version.version.major == 10 and db_version.version.minor >= 2
- name: assert user1 TLS requirements
- name: Tls reqs | Assert user1 TLS requirements
assert:
that: "'X509' in reqs"
vars:
- reqs: "{{(old_result is skipped | ternary(new_result, old_result)).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
- name: remove TLS requirements from user (expect changed=true)
- name: Tls reqs | Remove TLS requirements from user (expect changed=true)
mysql_user:
<<: *mysql_params
name: '{{ user_name_1 }}'
password: '{{ user_password_1 }}'
tls_requires:
- name: retrieve TLS requirements for users
- name: Tls reqs | Retrieve TLS requirements for users
command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ user_name_1 }}'@'localhost'\""
register: result
- name: assert user1 TLS requirements
- name: Tls reqs | Assert user1 TLS requirements
assert:
that: "'REQUIRE ' not in result.stdout or 'REQUIRE NONE' in result.stdout"
- include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
- include: utils_remove_user.yml user_name={{user_name_1}}
- include: remove_user.yml user_name={{user_name_2}} user_password={{ user_password_1 }}
- include: utils_remove_user.yml user_name={{user_name_2}}
- include: remove_user.yml user_name={{user_name_3}} user_password={{ user_password_1 }}
- include: utils_remove_user.yml user_name={{user_name_3}}
- include: assert_no_user.yml user_name={{user_name_1}}
- include: utils_assert_no_user.yml user_name={{user_name_1}}
- include: assert_no_user.yml user_name={{user_name_2}}
- include: utils_assert_no_user.yml user_name={{user_name_2}}
- include: assert_no_user.yml user_name={{user_name_3}}
- include: utils_assert_no_user.yml user_name={{user_name_3}}

14
tests/integration/targets/test_mysql_user/tasks/test_update_password.yml
View file

@ -5,7 +5,7 @@
mysql_parameters:
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
test_password1: kbB9tcx5WOGVGfzV
test_password1_hash: '*AF6A7F9D038475C17EE46564F154104877EE5037'
@ -16,10 +16,10 @@
block:
- include_tasks: assert_user_password.yml
- include_tasks: utils_assert_user_password.yml
vars:
username: "{{ item.username }}"
host: ''{{ gateway_addr }}''
host: "%"
update_password: "{{ item.update_password }}"
password: "{{ test_password1 }}"
expect_change: "{{ item.expect_change }}"
@ -49,10 +49,10 @@
expect_change: false
# same user, new password
- include_tasks: assert_user_password.yml
- include_tasks: utils_assert_user_password.yml
vars:
username: "{{ item.username }}"
host: ''{{ gateway_addr }}''
host: "%"
update_password: "{{ item.update_password }}"
password: "{{ test_password2 }}"
expect_change: "{{ item.expect_change }}"
@ -73,7 +73,7 @@
expect_password_hash: "{{ test_password1_hash }}"
# new user, new password
- include_tasks: assert_user_password.yml
- include_tasks: utils_assert_user_password.yml
vars:
username: "{{ item.username }}"
host: '::1'
@ -111,7 +111,7 @@
expect_password_hash: "{{ test_password2_hash }}"
# another new user, another new password and multiple existing users with varying passwords
- include_tasks: assert_user_password.yml
- include_tasks: utils_assert_user_password.yml
vars:
username: "{{ item.username }}"
host: '2001:db8::1'

38
tests/integration/targets/test_mysql_user/tasks/test_user_grants_with_roles_applied.yml
View file

@ -4,20 +4,18 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
block:
- name: Get server version
mysql_info:
<<: *mysql_params
register: srv
# Skip unsupported versions
- meta: end_play
when: srv['version']['major'] < 8
- name: User grants with roles applied | Skip unsupported versions
meta: end_play
when:
- db_engine == 'mysql'
- db_version is version('8.0.0', '<')
- name: Create test databases
- name: User grants with roles applied | Create test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
@ -26,7 +24,7 @@
- data1
- data2
- name: Create user with privileges
- name: User grants with roles applied | Create user with privileges
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -36,7 +34,7 @@
"data2.*": "SELECT"
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
- name: User grants with roles applied | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
@ -46,14 +44,14 @@
- "'GRANT SELECT ON `data1`.*' in result.stdout"
- "'GRANT SELECT ON `data2`.*' in result.stdout"
- name: Create role
- name: User grants with roles applied | Create role
mysql_role:
<<: *mysql_params
name: test231
members:
- '{{ user_name_3 }}@localhost'
- name: Try to change privs
- name: User grants with roles applied | Try to change privs
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
@ -62,11 +60,11 @@
"data2.*": "INSERT"
state: present
- name: Run command to show privileges for user (expect privileges in stdout)
- name: User grants with roles applied | Run command to show privileges for user (expect privileges in stdout)
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_3 }}'@'localhost'\""
register: result
- name: Assert user has giving privileges
- name: User grants with roles applied | Assert user has giving privileges
assert:
that:
- "'GRANT INSERT ON `data1`.*' in result.stdout"
@ -74,7 +72,7 @@
##########
# Clean up
- name: Drop test databases
- name: User grants with roles applied | Drop test databases
mysql_db:
<<: *mysql_params
name: '{{ item }}'
@ -83,13 +81,9 @@
- data1
- data2
- name: Drop test user
mysql_user:
<<: *mysql_params
name: '{{ user_name_3 }}'
state: absent
- include: utils_remove_user.yml user_name="{{ user_name_3 }}"
- name: Drop test role
- name: User grants with roles applied | Drop test role
mysql_role:
<<: *mysql_params
name: test231

108
tests/integration/targets/test_mysql_user/tasks/test_user_password.yml
View file

@ -5,7 +5,7 @@
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
test_user_name: 'test_user_password'
initial_password: 'a5C8SN*DBa0%a75sGz'
@ -21,7 +21,7 @@
# Test setting plaintext password and changing it.
#
- name: Create user with initial password
- name: Password | Create user with initial password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
@ -31,14 +31,14 @@
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created used creds
- name: Password | Get the MySQL version using the newly created used creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ initial_password }}'
@ -48,43 +48,45 @@
register: result
ignore_errors: true
- name: Assert that mysql_info was successful
- name: Password | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Run mysql_user again without any changes
- name: Password | Run mysql_user again without any changes
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
password: '{{ initial_password }}'
priv: '{{ test_default_priv }}'
name: "{{ test_user_name }}"
host: "%"
password: "{{ initial_password }}"
priv: "{{ test_default_priv }}"
state: present
register: result
- name: Assert that there weren't any changes because username/password didn't change
- name: Password | Assert that there weren't any changes because username/password didn't change
assert:
that:
- result is not changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Update the user password
- name: Password | Update the user password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
password: '{{ new_password }}'
name: "{{ test_user_name }}"
host: "%"
password: "{{ new_password }}"
state: present
register: result
- name: Assert that a change occurred because the password was updated
- name: Password | Assert that a change occurred because the password was updated
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version data using the original password (should fail)
- name: Password | Get the MySQL version data using the original password (should fail)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ initial_password }}'
@ -94,12 +96,12 @@
register: result
ignore_errors: true
- name: Assert that the mysql_info module failed because we used the old password
- name: Password | Assert that the mysql_info module failed because we used the old password
assert:
that:
- result is failed
- name: Get the MySQL version data using the new password (should work)
- name: Password | Get the MySQL version data using the new password (should work)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ new_password }}'
@ -109,19 +111,19 @@
register: result
ignore_errors: true
- name: Assert that the mysql_info module succeeded because we used the new password
- name: Password | Assert that the mysql_info module succeeded because we used the new password
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ new_password }}
- include: utils_remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test setting a plaintext password and then the same password encrypted to ensure there isn't a change detected.
#
- name: Create user with initial password
- name: Password | Create user with initial password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
@ -130,14 +132,14 @@
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=localhost priv={{ test_default_priv_type }}
- name: Pass in the same password as before, but in the encrypted form (no change expected)
- name: Password | Pass in the same password as before, but in the encrypted form (no change expected)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
@ -147,36 +149,37 @@
state: present
register: result
- name: Assert that there weren't any changes because username/password didn't change
- name: Password | Assert that there weren't any changes because username/password didn't change
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ new_password }}
- include: utils_remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test setting an encrypted password and then the same password in plaintext to ensure there isn't a change.
#
- name: Create user with initial password
- name: Password | Create user with initial password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: "%"
password: '{{ initial_password_encrypted }}'
encrypted: yes
priv: '{{ test_default_priv }}'
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version data using the new creds
- name: Password | Get the MySQL version data using the new creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ initial_password }}'
@ -186,60 +189,62 @@
register: result
ignore_errors: true
- name: Assert that the mysql_info module succeeded because we used the new password
- name: Password | Assert that the mysql_info module succeeded because we used the new password
assert:
that:
- result is succeeded
- name: Pass in the same password as before, but in the encrypted form (no change expected)
- name: Password | Pass in the same password as before, but in the encrypted form (no change expected)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: "%"
password: '{{ initial_password }}'
state: present
register: result
- name: Assert that there weren't any changes because username/password didn't change
- name: Password | Assert that there weren't any changes because username/password didn't change
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ new_password }}
- include: utils_remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test setting an empty password.
#
- name: Create user with empty password
- name: Password | Create user with empty password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
priv: '{{ test_default_priv }}'
name: "{{ test_user_name }}"
host: "%"
priv: "{{ test_default_priv }}"
state: present
register: result
- name: Assert that a change occurred because the user was added
- name: Password | Assert that a change occurred because the user was added
assert:
that:
- result is changed
- name: Get the MySQL version using an empty password for the newly created user
- name: Password | Get the MySQL version using an empty password for the newly created user
mysql_info:
login_user: '{{ test_user_name }}'
login_password: ''
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
login_user: "{{ test_user_name }}"
login_password: ""
login_host: "{{ mysql_host }}"
login_port: "{{ mysql_primary_port }}"
filter: version
register: result
ignore_errors: true
- name: Assert that mysql_info was successful
- name: Password | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Get the MySQL version using an non-empty password (should fail)
- name: Password | Get the MySQL version using an non-empty password (should fail)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: 'some_password'
@ -249,23 +254,24 @@
register: result
ignore_errors: true
- name: Assert that mysql_info failed
- name: Password | Assert that mysql_info failed
assert:
that:
- result is failed
- name: Update the user without changing the password
- name: Password | Update the user without changing the password
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: "%"
priv: '{{ test_default_priv }}'
state: present
register: result
- name: Assert that the user wasn't changed because the password is still empty
- name: Password | Assert that the user wasn't changed because the password is still empty
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password=''
- include: utils_remove_user.yml user_name={{ test_user_name }}

227
tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml
View file

@ -1,10 +1,11 @@
---
# Test user plugin auth scenarios.
- vars:
mysql_parameters: &mysql_params
login_user: '{{ mysql_user }}'
login_password: '{{ mysql_password }}'
login_host: '{{ gateway_addr }}'
login_host: '{{ mysql_host }}'
login_port: '{{ mysql_primary_port }}'
test_user_name: 'test_user_plugin_auth'
test_plugin_type: 'mysql_native_password'
@ -21,33 +22,34 @@
# Test plugin auth initially setting a hash and then changing to a different hash.
#
- name: Create user with plugin auth (with hash string)
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = 'localhost'\""
- name: Plugin auth | Get user information (with hash string)
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -56,27 +58,28 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Update the user with a different hash
- name: Plugin auth | Update the user with a different hash
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_new_hash }}'
register: result
- name: Check that the module makes the change because the hash changed
- name: Plugin auth | Check that the module makes the change because the hash changed
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Getting the MySQL info with the new password should work
- name: Plugin auth | Getting the MySQL info with the new password should work
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_new_auth_string }}'
@ -85,45 +88,46 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_new_auth_string }}
- include: utils_remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth initially setting a hash and then switching to a plaintext auth string.
#
- name: Create user with plugin auth (with hash string)
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = 'localhost'\""
- name: Plugin auth | Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -132,43 +136,45 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Update the user with the same hash (no change expected)
- name: Plugin auth | Update the user with the same hash (no change expected)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
register: result
# FIXME: on mariadb 10.2 there's always a change
- name: Check that the module doesn't make a change when the same hash is passed in
- name: Plugin auth | Check that the module doesn't make a change when the same hash is passed in
assert:
that:
- result is not changed
when: db_engine == 'mysql' or (db_engine == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Change the user using the same plugin, but switch to the same auth string in plaintext form
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in plaintext form
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_auth_string: '{{ test_plugin_auth_string }}'
register: result
# Expecting a change is currently by design (see comment in source).
- name: Check that the module did not change the password
- name: Plugin auth | Check that the module did not change the password
assert:
that:
- result is changed
- name: Getting the MySQL info should still work
- name: Plugin auth | Getting the MySQL info should still work
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -177,45 +183,46 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
- include: utils_remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth initially setting a plaintext auth string and then switching to a hash.
#
- name: Create user with plugin auth (with auth string)
- name: Plugin auth | Create user with plugin auth (with auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_auth_string: '{{ test_plugin_auth_string }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
- name: Plugin auth | Get user information(with auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (with auth string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (with auth string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and mariadb_version is version('10.3', '>='))
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -224,42 +231,44 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Update the user with the same auth string
- name: Plugin auth | Update the user with the same auth string
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_auth_string: '{{ test_plugin_auth_string }}'
register: result
# This is the current expected behavior because there isn't a reliable way to hash the password in the mysql_user
# module in order to be able to compare this password with the stored hash. See the source for more info.
- name: The module should detect a change even though the password is the same
- name: Plugin auth | The module should detect a change even though the password is the same
assert:
that:
- result is changed
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Change the user using the same plugin, but switch to the same auth string in hash form
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in hash form
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
register: result
- name: Check that the module did not change the password
- name: Plugin auth | Check that the module did not change the password
assert:
that:
- result is not changed
- name: Get the MySQL version using the newly created creds
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
@ -268,44 +277,45 @@
filter: version
register: result
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
- include: utils_remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth with an empty auth string.
#
- name: Create user with plugin auth (empty auth string)
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Check that the module made a change
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=% priv={{ test_default_priv_type }}
- name: Get the MySQL version using an empty password for the newly created user
- name: Plugin auth | Get the MySQL version using an empty password for the newly created user
mysql_info:
login_user: '{{ test_user_name }}'
login_password: ''
@ -315,12 +325,12 @@
register: result
ignore_errors: true
- name: Assert that mysql_info was successful
- name: Plugin auth | Assert that mysql_info was successful
assert:
that:
- result is succeeded
- name: Get the MySQL version using an non-empty password (should fail)
- name: Plugin auth | Get the MySQL version using an non-empty password (should fail)
mysql_info:
login_user: '{{ test_user_name }}'
login_password: 'some_password'
@ -330,33 +340,34 @@
register: result
ignore_errors: true
- name: Assert that mysql_info failed
- name: Plugin auth | Assert that mysql_info failed
assert:
that:
- result is failed
- name: Update the user without changing the auth mechanism
- name: Plugin auth | Update the user without changing the auth mechanism
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
state: present
register: result
- name: Assert that the user wasn't changed because the auth string is still empty
- name: Plugin auth | Assert that the user wasn't changed because the auth string is still empty
assert:
that:
- result is not changed
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
- include: utils_remove_user.yml user_name={{ test_user_name }}
# ============================================================
# Test plugin auth switching from one type of plugin to another without an auth string or hash. The only other
# plugins that are loaded by default are sha2*, but these aren't compatible with pymysql < 0.9, so skip these tests
# for those versions.
#
- name: Test plugin auth switching which doesn't work on pymysql < 0.9
- name: Plugin auth | Test plugin auth switching which doesn't work on pymysql < 0.9
when:
- >
connector_name is not search('pymysql')
@ -366,55 +377,55 @@
)
block:
- name: Create user with plugin auth (empty auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: '{{ test_plugin_type }}'
priv: '{{ test_default_priv }}'
register: result
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: '{{ test_plugin_type }}'
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Check that the module made a change
assert:
that:
- result is changed
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and mariadb_version is version('10.3', '>='))
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
that:
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=localhost priv={{ test_default_priv_type }}
- name: Switch user to sha256_password auth plugin
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: sha256_password
priv: '{{ test_default_priv }}'
register: result
- name: Plugin auth | Switch user to sha256_password auth plugin
mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: sha256_password
priv: '{{ test_default_priv }}'
register: result
- name: Get user information
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Get user information (sha256_password)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Check that the module made a change
assert:
that:
- result is changed
- name: Plugin auth | Check that the module made a change (sha256_password)
assert:
that:
- result is changed
- name: Check that the expected plugin type is set
assert:
that:
- name: Plugin auth | Check that the expected plugin type is set (sha256_password)
assert:
that:
- "'sha256_password' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and mariadb_version is version('10.3', '>='))
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include: assert_user.yml user_name={{ test_user_name }} priv={{ test_default_priv_type }}
- include: utils_assert_user.yml user_name={{ test_user_name }} user_host=localhost priv={{ test_default_priv_type }}
# Cleanup
- include: remove_user.yml user_name={{ test_user_name }} user_password={{ test_plugin_auth_string }}
# Cleanup
- include: utils_remove_user.yml user_name={{ test_user_name }}

8
tests/integration/targets/test_mysql_user/tasks/utils_assert_no_user.yml Normal file
View file

@ -0,0 +1,8 @@
---
- name: Utils | Assert no user | Query for user {{ user_name }}
command: "{{ mysql_command }} -e \"SELECT User FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: Utils | Assert no user | Assert mysql user is not present
assert:
that: user_name not in result.stdout

21
tests/integration/targets/test_mysql_user/tasks/utils_assert_user.yml Normal file
View file

@ -0,0 +1,21 @@
---
- name: Utils | Assert user | Query for user {{ user_name }}
command: "{{ mysql_command }} -e \"SELECT user FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: Utils | Assert user | Assert user is present
assert:
that:
- user_name in result.stdout
- name: Utils | Assert user | Query for privileges of user {{ user_name }}
command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name }}'@'{{ user_host }}'\""
register: result
when: priv is defined
- name: Utils | Assert user | Assert user has given privileges
ansible.builtin.assert:
that:
- "'GRANT {{ priv }} ON *.*' in result.stdout"
when: priv is defined

8
tests/integration/targets/test_mysql_user/tasks/assert_user_password.yml → tests/integration/targets/test_mysql_user/tasks/utils_assert_user_password.yml
View file

@ -1,5 +1,5 @@
---
- name: "applying user {{ username }}@{{ host }} with update_password={{ update_password }}"
- name: Utils | Assert user password | Apply update_password to {{ username }}
mysql_user:
login_user: '{{ mysql_parameters.login_user }}'
login_password: '{{ mysql_parameters.login_password }}'
@ -12,17 +12,17 @@
update_password: "{{ update_password }}"
register: result
- name: assert a change occurred
- name: Utils | Assert user password | Assert a change occurred
assert:
that:
- "result.changed | bool == {{ expect_change }} | bool"
- "result.password_changed == {{ expect_password_change }}"
- name: query the user
- name: Utils | Assert user password | Query user {{ username }}
command: "{{ mysql_command }} -BNe \"SELECT plugin, authentication_string FROM mysql.user where user='{{ username }}' and host='{{ host }}'\""
register: existing_user
- name: assert the password is as set to expect_hash
- name: Utils | Assert user password | Assert expect_hash is in user stdout
assert:
that:
- "'mysql_native_password\t{{ expect_password_hash }}' in existing_user.stdout_lines"

12
tests/integration/targets/test_mysql_user/tasks/utils_create_user.yml Normal file
View file

@ -0,0 +1,12 @@
---
- name: Utils | Create user {{ user_name }}
mysql_user:
login_user: "{{ mysql_user }}"
login_password: "{{ mysql_password }}"
login_host: "{{ mysql_host }}"
login_port: "{{ mysql_primary_port }}"
name: "{{ user_name }}"
host: "{{ user_host | default(omit) }}"
password: "{{ user_password }}"
state: present

12
tests/integration/targets/test_mysql_user/tasks/utils_remove_user.yml Normal file
View file

@ -0,0 +1,12 @@
---
- name: Utils | Remove user {{ user_name }}
mysql_user:
login_user: "{{ mysql_user }}"
login_password: "{{ mysql_password }}"
login_host: "{{ mysql_host }}"
login_port: "{{ mysql_primary_port }}"
name: "{{ user_name }}"
host_all: true
state: absent
ignore_errors: true