Add TLS connection parameters

changelogs/fragments/369-mysql_user_add_tls_requires.yml

@@ -0,0 +1,4 @@
+minor_changes:
+  - mysql_user - add TLS REQUIRES parameters (https://github.com/ansible-collections/community.general/pull/369).
+deprecated_features:
+  - mysql_user - using ``REQUIRESSL`` in ``priv`` is deprecated in favor of ``tls_requires`` (https://github.com/ansible-collections/community.general/pull/369).

plugins/modules/mysql_user.py

@@ -6,10 +6,11 @@
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
 from __future__ import absolute_import, division, print_function
+
 __metaclass__ = type
 
 
-DOCUMENTATION = r'''
+DOCUMENTATION = r"""
 ---
 module: mysql_user
 short_description: Adds or removes a user from a MySQL database
@@ -60,6 +61,14 @@ options:
         user instead of overwriting existing ones.
     type: bool
     default: no
+  tls_requires:
+    description:
+      - Set requirement for secure transport as a dictionary of requirements (see the examples).
+      - Valid requirements are SSL, X509, SUBJECT, ISSUER, CIPHER.
+      - SUBJECT, ISSUER and CIPHER are complementary, and mutually exclusive with SSL and X509.
+      - U(https://mariadb.com/kb/en/securing-connections-for-client-and-server/#requiring-tls).
+    type: dict
+    version_added: 1.0.0
   sql_log_bin:
     description:
       - Whether binary logging should be enabled or disabled for the connection.
@@ -133,9 +142,9 @@ author:
 extends_documentation_fragment:
 - community.mysql.mysql
 
-'''
+"""
 
-EXAMPLES = r'''
+EXAMPLES = r"""
 - name: Removes anonymous user account for localhost
   community.mysql.mysql_user:
     name: ''
@@ -180,6 +189,7 @@ EXAMPLES = r'''
       'db2.*': 'ALL,GRANT'
 
 # Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
+# Setting this privilege in this manner is supported for backwards compatibility only. Use 'tls_requires' instead.
 - name: Modify user to require SSL connections.
   community.mysql.mysql_user:
     name: bob
@@ -187,6 +197,20 @@ EXAMPLES = r'''
     priv: '*.*:REQUIRESSL'
     state: present
 
+- name: Modify user to require TLS connection with a valid client certificate
+  community.mysql.mysql_user:
+    name: bob
+    tls_requires:
+      x509:
+    state: present
+
+- name: Modify user to require TLS connection with a specific client certificate and cipher
+  community.mysql.mysql_user:
+    name: bob
+    tls_requires:
+      subject: '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+      cipher: 'ECDHE-ECDSA-AES256-SHA384'
+
 - name: Ensure no user named 'sally'@'localhost' exists, also passing in the auth credentials.
   community.mysql.mysql_user:
     login_user: root
@@ -262,55 +286,109 @@ EXAMPLES = r'''
 # [client]
 # user=root
 # password=n<_665{vS43y
-'''
+"""
 
 import re
 import string
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible_collections.community.mysql.plugins.module_utils.database import SQLParseError
-from ansible_collections.community.mysql.plugins.module_utils.mysql import mysql_connect, mysql_driver, mysql_driver_fail_msg
+from ansible_collections.community.mysql.plugins.module_utils.mysql import (
+    mysql_connect,
+    mysql_driver,
+    mysql_driver_fail_msg,
+)
 from ansible.module_utils.six import iteritems
 from ansible.module_utils._text import to_native
 
 
-VALID_PRIVS = frozenset(('CREATE', 'DROP', 'GRANT', 'GRANT OPTION',
+VALID_PRIVS = frozenset(
-                         'LOCK TABLES', 'REFERENCES', 'EVENT', 'ALTER',
+    (
-                         'DELETE', 'INDEX', 'INSERT', 'SELECT', 'UPDATE',
+        "CREATE",
-                         'CREATE TEMPORARY TABLES', 'TRIGGER', 'CREATE VIEW',
+        "DROP",
-                         'SHOW VIEW', 'ALTER ROUTINE', 'CREATE ROUTINE',
+        "GRANT",
-                         'EXECUTE', 'FILE', 'CREATE TABLESPACE', 'CREATE USER',
+        "GRANT OPTION",
-                         'PROCESS', 'PROXY', 'RELOAD', 'REPLICATION CLIENT',
+        "LOCK TABLES",
-                         'REPLICATION SLAVE', 'SHOW DATABASES', 'SHUTDOWN',
+        "REFERENCES",
-                         'SUPER', 'ALL', 'ALL PRIVILEGES', 'USAGE', 'REQUIRESSL',
+        "EVENT",
-                         'CREATE ROLE', 'DROP ROLE', 'APPLICATION_PASSWORD_ADMIN',
+        "ALTER",
-                         'AUDIT_ADMIN', 'BACKUP_ADMIN', 'BINLOG_ADMIN',
+        "DELETE",
-                         'BINLOG_ENCRYPTION_ADMIN', 'CLONE_ADMIN', 'CONNECTION_ADMIN',
+        "INDEX",
-                         'ENCRYPTION_KEY_ADMIN', 'FIREWALL_ADMIN', 'FIREWALL_USER',
+        "INSERT",
-                         'GROUP_REPLICATION_ADMIN', 'INNODB_REDO_LOG_ARCHIVE',
+        "SELECT",
-                         'NDB_STORED_USER', 'PERSIST_RO_VARIABLES_ADMIN',
+        "UPDATE",
-                         'REPLICATION_APPLIER', 'REPLICATION_SLAVE_ADMIN',
+        "CREATE TEMPORARY TABLES",
-                         'RESOURCE_GROUP_ADMIN', 'RESOURCE_GROUP_USER',
+        "TRIGGER",
-                         'ROLE_ADMIN', 'SESSION_VARIABLES_ADMIN', 'SET_USER_ID',
+        "CREATE VIEW",
-                         'SYSTEM_USER', 'SYSTEM_VARIABLES_ADMIN', 'SYSTEM_USER',
+        "SHOW VIEW",
-                         'TABLE_ENCRYPTION_ADMIN', 'VERSION_TOKEN_ADMIN',
+        "ALTER ROUTINE",
-                         'XA_RECOVER_ADMIN', 'LOAD FROM S3', 'SELECT INTO S3',
+        "CREATE ROUTINE",
-                         'INVOKE LAMBDA',
+        "EXECUTE",
-                         'ALTER ROUTINE',
+        "FILE",
-                         'BINLOG ADMIN',
+        "CREATE TABLESPACE",
-                         'BINLOG MONITOR',
+        "CREATE USER",
-                         'BINLOG REPLAY',
+        "PROCESS",
-                         'CONNECTION ADMIN',
+        "PROXY",
-                         'READ_ONLY ADMIN',
+        "RELOAD",
-                         'REPLICATION MASTER ADMIN',
+        "REPLICATION CLIENT",
-                         'REPLICATION SLAVE',
+        "REPLICATION SLAVE",
-                         'REPLICATION SLAVE ADMIN',
+        "SHOW DATABASES",
-                         'SET USER',))
+        "SHUTDOWN",
+        "SUPER",
+        "ALL",
+        "ALL PRIVILEGES",
+        "USAGE",
+        "REQUIRESSL",
+        "CREATE ROLE",
+        "DROP ROLE",
+        "APPLICATION_PASSWORD_ADMIN",
+        "AUDIT_ADMIN",
+        "BACKUP_ADMIN",
+        "BINLOG_ADMIN",
+        "BINLOG_ENCRYPTION_ADMIN",
+        "CLONE_ADMIN",
+        "CONNECTION_ADMIN",
+        "ENCRYPTION_KEY_ADMIN",
+        "FIREWALL_ADMIN",
+        "FIREWALL_USER",
+        "GROUP_REPLICATION_ADMIN",
+        "INNODB_REDO_LOG_ARCHIVE",
+        "NDB_STORED_USER",
+        "PERSIST_RO_VARIABLES_ADMIN",
+        "REPLICATION_APPLIER",
+        "REPLICATION_SLAVE_ADMIN",
+        "RESOURCE_GROUP_ADMIN",
+        "RESOURCE_GROUP_USER",
+        "ROLE_ADMIN",
+        "SESSION_VARIABLES_ADMIN",
+        "SET_USER_ID",
+        "SYSTEM_USER",
+        "SYSTEM_VARIABLES_ADMIN",
+        "SYSTEM_USER",
+        "TABLE_ENCRYPTION_ADMIN",
+        "VERSION_TOKEN_ADMIN",
+        "XA_RECOVER_ADMIN",
+        "LOAD FROM S3",
+        "SELECT INTO S3",
+        "INVOKE LAMBDA",
+        "ALTER ROUTINE",
+        "BINLOG ADMIN",
+        "BINLOG MONITOR",
+        "BINLOG REPLAY",
+        "CONNECTION ADMIN",
+        "READ_ONLY ADMIN",
+        "REPLICATION MASTER ADMIN",
+        "REPLICATION SLAVE",
+        "REPLICATION SLAVE ADMIN",
+        "SET USER",
+    )
+)
 
 
 class InvalidPrivsError(Exception):
     pass
 
+
 # ===========================================
 # MySQL module specific support methods.
 #
@@ -321,9 +399,9 @@ def use_old_user_mgmt(cursor):
     cursor.execute("SELECT VERSION()")
     result = cursor.fetchone()
     version_str = result[0]
-    version = version_str.split('.')
+    version = version_str.split(".")
 
-    if 'mariadb' in version_str.lower():
+    if "mariadb" in version_str.lower():
         # Prior to MariaDB 10.2
         if int(version[0]) * 1000 + int(version[1]) < 10002:
             return True
@@ -338,13 +416,13 @@ def use_old_user_mgmt(cursor):
 
 
 def get_mode(cursor):
-    cursor.execute('SELECT @@GLOBAL.sql_mode')
+    cursor.execute("SELECT @@GLOBAL.sql_mode")
     result = cursor.fetchone()
     mode_str = result[0]
-    if 'ANSI' in mode_str:
+    if "ANSI" in mode_str:
-        mode = 'ANSI'
+        mode = "ANSI"
     else:
-        mode = 'NOTANSI'
+        mode = "NOTANSI"
     return mode
 
 
@@ -358,8 +436,84 @@ def user_exists(cursor, user, host, host_all):
     return count[0] > 0
 
 
-def user_add(cursor, user, host, host_all, password, encrypted,
+def sanitize_requires(tls_requires):
-             plugin, plugin_hash_string, plugin_auth_string, new_priv, check_mode):
+    sanitized_requires = {}
+    if tls_requires:
+        for key in tls_requires.keys():
+            sanitized_requires[key.upper()] = tls_requires[key]
+        if any([key in ["CIPHER", "ISSUER", "SUBJECT"] for key in sanitized_requires.keys()]):
+            sanitized_requires.pop("SSL", None)
+            sanitized_requires.pop("X509", None)
+            return sanitized_requires
+
+        if "X509" in sanitized_requires.keys():
+            sanitized_requires = "X509"
+        else:
+            sanitized_requires = "SSL"
+
+        return sanitized_requires
+    return None
+
+
+def mogrify_requires(query, params, tls_requires):
+    if tls_requires:
+        if isinstance(tls_requires, dict):
+            k, v = zip(*tls_requires.items())
+            requires_query = " AND ".join(("%s %%s" % key for key in k))
+            params += v
+        else:
+            requires_query = tls_requires
+        query = " REQUIRE ".join((query, requires_query))
+    return query, params
+
+
+def do_not_mogrify_requires(query, params, tls_requires):
+    return query, params
+
+
+def get_tls_requires(cursor, user, host):
+    if user:
+        if server_suports_requires_create(cursor):
+            query = "SHOW CREATE USER '%s'@'%s'" % (user, host)
+        else:
+            query = "SHOW GRANTS for '%s'@'%s'" % (user, host)
+
+        cursor.execute(query)
+        require_list = list(filter(lambda x: "REQUIRE" in x, cursor.fetchall()))
+        require_line = require_list[0] if require_list else ""
+        pattern = r"(?<=\bREQUIRE\b)(.*?)(?=(?:\bPASSWORD\b|$))"
+        requires_match = re.search(pattern, require_line)
+        requires = requires_match.group().strip() if requires_match else ""
+        if len(requires.split()) > 1:
+            import shlex
+
+            items = iter(shlex.split(requires))
+            requires = dict(zip(items, items))
+        return requires or None
+
+
+def get_grants(cursor, user, host):
+    cursor.execute("SHOW GRANTS FOR %s@%s", (user, host))
+    grants_line = list(filter(lambda x: "ON *.*" in x[0], cursor.fetchall()))[0]
+    pattern = r"(?<=\bGRANT\b)(.*?)(?=(?:\bON\b))"
+    grants = re.search(pattern, grants_line[0]).group().strip()
+    return grants.split(", ")
+
+
+def user_add(
+    cursor,
+    user,
+    host,
+    host_all,
+    password,
+    encrypted,
+    plugin,
+    plugin_hash_string,
+    plugin_auth_string,
+    new_priv,
+    tls_requires,
+    check_mode,
+):
     # we cannot create users without a proper hostname
     if host_all:
         return False
@@ -367,43 +521,59 @@ def user_add(cursor, user, host, host_all, password, encrypted,
     if check_mode:
         return True
 
-    # Determine what user management method server uses
+    mogrify = mogrify_requires if server_suports_requires_create(cursor) else do_not_mogrify_requires
-    old_user_mgmt = use_old_user_mgmt(cursor)
 
     if password and encrypted:
-        cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password))
+        cursor.execute(*mogrify("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password), tls_requires))
     elif password and not encrypted:
-        if old_user_mgmt:
+        cursor.execute(*mogrify("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password), tls_requires))
-            cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password))
-        else:
-            cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,))
-            encrypted_password = cursor.fetchone()[0]
-            cursor.execute("CREATE USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, encrypted_password))
-
     elif plugin and plugin_hash_string:
-        cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string))
+        cursor.execute(
+            *mogrify(
+                "CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string), tls_requires
+            )
+        )
     elif plugin and plugin_auth_string:
-        cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string))
+        cursor.execute(
+            *mogrify(
+                "CREATE USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string), tls_requires
+            )
+        )
     elif plugin:
-        cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s", (user, host, plugin))
+        cursor.execute(*mogrify("CREATE USER %s@%s IDENTIFIED WITH %s", (user, host, plugin), tls_requires))
     else:
-        cursor.execute("CREATE USER %s@%s", (user, host))
+        cursor.execute(*mogrify("CREATE USER %s@%s", (user, host), tls_requires))
     if new_priv is not None:
         for db_table, priv in iteritems(new_priv):
-            privileges_grant(cursor, user, host, db_table, priv)
+            privileges_grant(cursor, user, host, db_table, priv, tls_requires)
+    if tls_requires is not None:
+        privileges_grant(cursor, user, host, "*.*", get_grants(cursor, user, host), tls_requires)
     return True
 
 
 def is_hash(password):
     ishash = False
-    if len(password) == 41 and password[0] == '*':
+    if len(password) == 41 and password[0] == "*":
         if frozenset(password[1:]).issubset(string.hexdigits):
             ishash = True
     return ishash
 
 
-def user_mod(cursor, user, host, host_all, password, encrypted,
+def user_mod(
-             plugin, plugin_hash_string, plugin_auth_string, new_priv, append_privs, module):
+    cursor,
+    user,
+    host,
+    host_all,
+    password,
+    encrypted,
+    plugin,
+    plugin_hash_string,
+    plugin_auth_string,
+    new_priv,
+    append_privs,
+    tls_requires,
+    module,
+):
     changed = False
     msg = "User unchanged"
     grant_option = False
@@ -420,36 +590,46 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
             old_user_mgmt = use_old_user_mgmt(cursor)
 
             # Get a list of valid columns in mysql.user table to check if Password and/or authentication_string exist
-            cursor.execute("""
+            cursor.execute(
+                """
                 SELECT COLUMN_NAME FROM information_schema.COLUMNS
                 WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME IN ('Password', 'authentication_string')
                 ORDER BY COLUMN_NAME DESC LIMIT 1
-            """)
+            """
+            )
             colA = cursor.fetchone()
 
-            cursor.execute("""
+            cursor.execute(
+                """
                 SELECT COLUMN_NAME FROM information_schema.COLUMNS
                 WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME IN ('Password', 'authentication_string')
                 ORDER BY COLUMN_NAME ASC  LIMIT 1
-            """)
+            """
+            )
             colB = cursor.fetchone()
 
             # Select hash from either Password or authentication_string, depending which one exists and/or is filled
-            cursor.execute("""
+            cursor.execute(
+                """
                 SELECT COALESCE(
                         CASE WHEN %s = '' THEN NULL ELSE %s END,
                         CASE WHEN %s = '' THEN NULL ELSE %s END
                     )
                 FROM mysql.user WHERE user = %%s AND host = %%s
-                """ % (colA[0], colA[0], colB[0], colB[0]), (user, host))
+                """
+                % (colA[0], colA[0], colB[0], colB[0]),
+                (user, host),
+            )
             current_pass_hash = cursor.fetchone()[0]
             if isinstance(current_pass_hash, bytes):
-                current_pass_hash = current_pass_hash.decode('ascii')
+                current_pass_hash = current_pass_hash.decode("ascii")
 
             if encrypted:
                 encrypted_password = password
                 if not is_hash(encrypted_password):
-                    module.fail_json(msg="encrypted was specified however it does not appear to be a valid hash expecting: *SHA1(SHA1(your_password))")
+                    module.fail_json(
+                        msg="encrypted was specified however it does not appear to be a valid hash expecting: *SHA1(SHA1(your_password))"
+                    )
             else:
                 if old_user_mgmt:
                     cursor.execute("SELECT PASSWORD(%s)", (password,))
@@ -466,7 +646,10 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
                     msg = "Password updated (old style)"
                 else:
                     try:
-                        cursor.execute("ALTER USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, encrypted_password))
+                        cursor.execute(
+                            "ALTER USER %s@%s IDENTIFIED WITH mysql_native_password AS %s",
+                            (user, host, encrypted_password),
+                        )
                         msg = "Password updated (new style)"
                     except (mysql_driver.Error) as e:
                         # https://stackoverflow.com/questions/51600000/authentication-string-of-root-user-on-mysql
@@ -474,8 +657,9 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
                         if e.args[0] == 1396:
                             cursor.execute(
                                 "UPDATE mysql.user SET plugin = %s, authentication_string = %s, Password = '' WHERE User = %s AND Host = %s",
-                                ('mysql_native_password', encrypted_password, user, host)
+                                ("mysql_native_password", encrypted_password, user, host),
                             )
+                            cursor.execute("GRANT USAGE on *.* to '%s'@'%s'", (user, host))
                             cursor.execute("FLUSH PRIVILEGES")
                             msg = "Password forced update"
                         else:
@@ -484,8 +668,9 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 
         # Handle plugin authentication
         if plugin:
-            cursor.execute("SELECT plugin, authentication_string FROM mysql.user "
+            cursor.execute(
-                           "WHERE user = %s AND host = %s", (user, host))
+                "SELECT plugin, authentication_string FROM mysql.user " "WHERE user = %s AND host = %s", (user, host)
+            )
             current_plugin = cursor.fetchone()
 
             update = False
@@ -505,9 +690,13 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
 
             if update:
                 if plugin_hash_string:
-                    cursor.execute("ALTER USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string))
+                    cursor.execute(
+                        "ALTER USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string)
+                    )
                 elif plugin_auth_string:
-                    cursor.execute("ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string))
+                    cursor.execute(
+                        "ALTER USER %s@%s IDENTIFIED WITH %s BY %s", (user, host, plugin, plugin_auth_string)
+                    )
                 else:
                     cursor.execute("ALTER USER %s@%s IDENTIFIED WITH %s", (user, host, plugin))
                 changed = True
@@ -537,7 +726,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
                     msg = "New privileges granted"
                     if module.check_mode:
                         return (True, msg)
-                    privileges_grant(cursor, user, host, db_table, priv)
+                    privileges_grant(cursor, user, host, db_table, priv, tls_requires)
                     changed = True
 
             # If the db.table specification exists in both the user's current privileges
@@ -551,9 +740,28 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
                         return (True, msg)
                     if not append_privs:
                         privileges_revoke(cursor, user, host, db_table, curr_priv[db_table], grant_option)
-                    privileges_grant(cursor, user, host, db_table, new_priv[db_table])
+                    privileges_grant(cursor, user, host, db_table, new_priv[db_table], tls_requires)
                     changed = True
 
+        # Handle TLS requirements
+        current_requires = get_tls_requires(cursor, user, host)
+        if current_requires != tls_requires:
+            msg = "TLS requires updated"
+            if module.check_mode:
+                return (True, msg)
+            if server_suports_requires_create(cursor):
+                pre_query = "ALTER USER"
+            else:
+                pre_query = "GRANT %s ON *.* TO" % ",".join(get_grants(cursor, user, host))
+
+            if tls_requires is not None:
+                query = " ".join((pre_query, "%s@%s"))
+                cursor.execute(*mogrify_requires(query, (user, host), tls_requires))
+            else:
+                query = " ".join(pre_query, "%s@%s REQUIRE NONE")
+                cursor.execute(query, (user, host))
+            changed = True
+
     return (changed, msg)
 
 
@@ -598,21 +806,23 @@ def privileges_get(cursor, user, host):
     grants = cursor.fetchall()
 
     def pick(x):
-        if x == 'ALL PRIVILEGES':
+        if x == "ALL PRIVILEGES":
-            return 'ALL'
+            return "ALL"
         else:
             return x
 
     for grant in grants:
-        res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3@(['`"]).*\\4( IDENTIFIED BY PASSWORD (['`"]).+\\6)? ?(.*)""", grant[0])
+        res = re.match(
+            """GRANT (.+) ON (.+) TO (['`"]).*\\3@(['`"]).*\\4( IDENTIFIED BY PASSWORD (['`"]).+\\6)? ?(.*)""", grant[0]
+        )
         if res is None:
-            raise InvalidPrivsError('unable to parse the MySQL grant string: %s' % grant[0])
+            raise InvalidPrivsError("unable to parse the MySQL grant string: %s" % grant[0])
         privileges = res.group(1).split(",")
         privileges = [pick(x.strip()) for x in privileges]
         if "WITH GRANT OPTION" in res.group(7):
-            privileges.append('GRANT')
+            privileges.append("GRANT")
         if "REQUIRE SSL" in res.group(7):
-            privileges.append('REQUIRESSL')
+            privileges.append("REQUIRESSL")
         db = res.group(2)
         output.setdefault(db, []).extend(privileges)
     return output
@@ -629,80 +839,84 @@ def privileges_unpack(priv, mode):
     The privilege USAGE stands for no privileges, so we add that in on *.* if it's
     not specified in the string, as MySQL will always provide this by default.
     """
-    if mode == 'ANSI':
+    if mode == "ANSI":
         quote = '"'
     else:
-        quote = '`'
+        quote = "`"
     output = {}
     privs = []
-    for item in priv.strip().split('/'):
+    for item in priv.strip().split("/"):
-        pieces = item.strip().rsplit(':', 1)
+        pieces = item.strip().rsplit(":", 1)
         dbpriv = pieces[0].rsplit(".", 1)
 
         # Check for FUNCTION or PROCEDURE object types
         parts = dbpriv[0].split(" ", 1)
-        object_type = ''
+        object_type = ""
-        if len(parts) > 1 and (parts[0] == 'FUNCTION' or parts[0] == 'PROCEDURE'):
+        if len(parts) > 1 and (parts[0] == "FUNCTION" or parts[0] == "PROCEDURE"):
-            object_type = parts[0] + ' '
+            object_type = parts[0] + " "
             dbpriv[0] = parts[1]
 
         # Do not escape if privilege is for database or table, i.e.
         # neither quote *. nor .*
         for i, side in enumerate(dbpriv):
-            if side.strip('`') != '*':
+            if side.strip("`") != "*":
-                dbpriv[i] = '%s%s%s' % (quote, side.strip('`'), quote)
+                dbpriv[i] = "%s%s%s" % (quote, side.strip("`"), quote)
-        pieces[0] = object_type + '.'.join(dbpriv)
+        pieces[0] = object_type + ".".join(dbpriv)
 
-        if '(' in pieces[1]:
+        if "(" in pieces[1]:
-            output[pieces[0]] = re.split(r',\s*(?=[^)]*(?:\(|$))', pieces[1].upper())
+            output[pieces[0]] = re.split(r",\s*(?=[^)]*(?:\(|$))", pieces[1].upper())
             for i in output[pieces[0]]:
-                privs.append(re.sub(r'\s*\(.*\)', '', i))
+                privs.append(re.sub(r"\s*\(.*\)", "", i))
         else:
-            output[pieces[0]] = pieces[1].upper().split(',')
+            output[pieces[0]] = pieces[1].upper().split(",")
             privs = output[pieces[0]]
         new_privs = frozenset(privs)
         if not new_privs.issubset(VALID_PRIVS):
-            raise InvalidPrivsError('Invalid privileges specified: %s' % new_privs.difference(VALID_PRIVS))
+            raise InvalidPrivsError("Invalid privileges specified: %s" % new_privs.difference(VALID_PRIVS))
 
-    if '*.*' not in output:
+    if "*.*" not in output:
-        output['*.*'] = ['USAGE']
+        output["*.*"] = ["USAGE"]
 
     # if we are only specifying something like REQUIRESSL and/or GRANT (=WITH GRANT OPTION) in *.*
     # we still need to add USAGE as a privilege to avoid syntax errors
-    if 'REQUIRESSL' in priv and not set(output['*.*']).difference(set(['GRANT', 'REQUIRESSL'])):
+    if "REQUIRESSL" in priv and not set(output["*.*"]).difference(set(["GRANT", "REQUIRESSL"])):
-        output['*.*'].append('USAGE')
+        output["*.*"].append("USAGE")
 
     return output
 
 
 def privileges_revoke(cursor, user, host, db_table, priv, grant_option):
     # Escape '%' since mysql db.execute() uses a format string
-    db_table = db_table.replace('%', '%%')
+    db_table = db_table.replace("%", "%%")
     if grant_option:
         query = ["REVOKE GRANT OPTION ON %s" % db_table]
         query.append("FROM %s@%s")
-        query = ' '.join(query)
+        query = " ".join(query)
         cursor.execute(query, (user, host))
-    priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
+    priv_string = ",".join([p for p in priv if p not in ("GRANT", "REQUIRESSL")])
     query = ["REVOKE %s ON %s" % (priv_string, db_table)]
     query.append("FROM %s@%s")
-    query = ' '.join(query)
+    query = " ".join(query)
     cursor.execute(query, (user, host))
 
 
-def privileges_grant(cursor, user, host, db_table, priv):
+def privileges_grant(cursor, user, host, db_table, priv, tls_requires):
     # Escape '%' since mysql db.execute uses a format string and the
     # specification of db and table often use a % (SQL wildcard)
-    db_table = db_table.replace('%', '%%')
+    db_table = db_table.replace("%", "%%")
-    priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
+    priv_string = ",".join([p for p in priv if p not in ("GRANT", "REQUIRESSL")])
     query = ["GRANT %s ON %s" % (priv_string, db_table)]
     query.append("TO %s@%s")
-    if 'REQUIRESSL' in priv:
+    params = (user, host)
+    if tls_requires and not server_suports_requires_create(cursor):
+        query, params = mogrify_requires(" ".join(query), params, tls_requires)
+        query = [query]
+    if "REQUIRESSL" in priv and not tls_requires:
         query.append("REQUIRE SSL")
-    if 'GRANT' in priv:
+    if "GRANT" in priv:
         query.append("WITH GRANT OPTION")
-    query = ' '.join(query)
+    query = " ".join(query)
-    cursor.execute(query, (user, host))
+    cursor.execute(query, params)
 
 
 def convert_priv_dict_to_str(priv):
@@ -714,9 +928,36 @@ def convert_priv_dict_to_str(priv):
     Returns:
         priv (str): String representation of input argument.
     """
-    priv_list = ['%s:%s' % (key, val) for key, val in iteritems(priv)]
+    priv_list = ["%s:%s" % (key, val) for key, val in iteritems(priv)]
 
-    return '/'.join(priv_list)
+    return "/".join(priv_list)
+
+
+# TLS requires on user create statement is supported since MySQL 5.7 and MariaDB 10.2
+def server_suports_requires_create(cursor):
+    """Check if the server supports REQUIRES on the CREATE USER statement or doesn't.
+
+    Args:
+        cursor (cursor): DB driver cursor object.
+
+    Returns: True if supports, False otherwise.
+    """
+    cursor.execute("SELECT VERSION()")
+    version_str = cursor.fetchone()[0]
+    version = version_str.split(".")
+
+    if "mariadb" in version_str.lower():
+        # MariaDB 10.2 and later
+        if int(version[0]) * 1000 + int(version[1]) >= 10002:
+            return True
+        else:
+            return False
+    else:
+        # MySQL 5.6 and later
+        if int(version[0]) * 1000 + int(version[1]) >= 5007:
+            return True
+        else:
+            return False
 
 
 # Alter user is supported since MySQL 5.6 and MariaDB 10.2.0
@@ -730,9 +971,9 @@ def server_supports_alter_user(cursor):
     """
     cursor.execute("SELECT VERSION()")
     version_str = cursor.fetchone()[0]
-    version = version_str.split('.')
+    version = version_str.split(".")
 
-    if 'mariadb' in version_str.lower():
+    if "mariadb" in version_str.lower():
         # MariaDB 10.2 and later
         if int(version[0]) * 1000 + int(version[1]) >= 10002:
             return True
@@ -757,11 +998,13 @@ def get_resource_limits(cursor, user, host):
     Returns: Dictionary containing current resource limits.
     """
 
-    query = ('SELECT max_questions AS MAX_QUERIES_PER_HOUR, '
+    query = (
-             'max_updates AS MAX_UPDATES_PER_HOUR, '
+        "SELECT max_questions AS MAX_QUERIES_PER_HOUR, "
-             'max_connections AS MAX_CONNECTIONS_PER_HOUR, '
+        "max_updates AS MAX_UPDATES_PER_HOUR, "
-             'max_user_connections AS MAX_USER_CONNECTIONS '
+        "max_connections AS MAX_CONNECTIONS_PER_HOUR, "
-             'FROM mysql.user WHERE User = %s AND Host = %s')
+        "max_user_connections AS MAX_USER_CONNECTIONS "
+        "FROM mysql.user WHERE User = %s AND Host = %s"
+    )
     cursor.execute(query, (user, host))
     res = cursor.fetchone()
 
@@ -769,10 +1012,10 @@ def get_resource_limits(cursor, user, host):
         return None
 
     current_limits = {
-        'MAX_QUERIES_PER_HOUR': res[0],
+        "MAX_QUERIES_PER_HOUR": res[0],
-        'MAX_UPDATES_PER_HOUR': res[1],
+        "MAX_UPDATES_PER_HOUR": res[1],
-        'MAX_CONNECTIONS_PER_HOUR': res[2],
+        "MAX_CONNECTIONS_PER_HOUR": res[2],
-        'MAX_USER_CONNECTIONS': res[3],
+        "MAX_USER_CONNECTIONS": res[3],
     }
     return current_limits
 
@@ -827,8 +1070,10 @@ def limit_resources(module, cursor, user, host, resource_limits, check_mode):
     Returns: True, if changed, False otherwise.
     """
     if not server_supports_alter_user(cursor):
-        module.fail_json(msg="The server version does not match the requirements "
+        module.fail_json(
-                             "for resource_limits parameter. See module's documentation.")
+            msg="The server version does not match the requirements "
+            "for resource_limits parameter. See module's documentation."
+        )
 
     current_limits = get_resource_limits(cursor, user, host)
 
@@ -843,13 +1088,14 @@ def limit_resources(module, cursor, user, host, resource_limits, check_mode):
     # If not check_mode
     tmp = []
     for key, val in iteritems(needs_to_change):
-        tmp.append('%s %s' % (key, val))
+        tmp.append("%s %s" % (key, val))
 
     query = "ALTER USER %s@%s"
-    query += ' WITH %s' % ' '.join(tmp)
+    query += " WITH %s" % " ".join(tmp)
     cursor.execute(query, (user, host))
     return True
 
+
 # ===========================================
 # Module execution.
 #
@@ -858,31 +1104,32 @@ def limit_resources(module, cursor, user, host, resource_limits, check_mode):
 def main():
     module = AnsibleModule(
         argument_spec=dict(
-            login_user=dict(type='str'),
+            login_user=dict(type="str"),
-            login_password=dict(type='str', no_log=True),
+            login_password=dict(type="str", no_log=True),
-            login_host=dict(type='str', default='localhost'),
+            login_host=dict(type="str", default="localhost"),
-            login_port=dict(type='int', default=3306),
+            login_port=dict(type="int", default=3306),
-            login_unix_socket=dict(type='str'),
+            login_unix_socket=dict(type="str"),
-            user=dict(type='str', required=True, aliases=['name']),
+            user=dict(type="str", required=True, aliases=["name"]),
-            password=dict(type='str', no_log=True),
+            password=dict(type="str", no_log=True),
-            encrypted=dict(type='bool', default=False),
+            encrypted=dict(type="bool", default=False),
-            host=dict(type='str', default='localhost'),
+            host=dict(type="str", default="localhost"),
             host_all=dict(type="bool", default=False),
-            state=dict(type='str', default='present', choices=['absent', 'present']),
+            state=dict(type="str", default="present", choices=["absent", "present"]),
-            priv=dict(type='raw'),
+            priv=dict(type="raw"),
-            append_privs=dict(type='bool', default=False),
+            tls_requires=dict(type="dict"),
-            check_implicit_admin=dict(type='bool', default=False),
+            append_privs=dict(type="bool", default=False),
-            update_password=dict(type='str', default='always', choices=['always', 'on_create'], no_log=False),
+            check_implicit_admin=dict(type="bool", default=False),
-            connect_timeout=dict(type='int', default=30),
+            update_password=dict(type="str", default="always", choices=["always", "on_create"], no_log=False),
-            config_file=dict(type='path', default='~/.my.cnf'),
+            connect_timeout=dict(type="int", default=30),
-            sql_log_bin=dict(type='bool', default=True),
+            config_file=dict(type="path", default="~/.my.cnf"),
-            client_cert=dict(type='path', aliases=['ssl_cert']),
+            sql_log_bin=dict(type="bool", default=True),
-            client_key=dict(type='path', aliases=['ssl_key']),
+            client_cert=dict(type="path", aliases=["ssl_cert"]),
-            ca_cert=dict(type='path', aliases=['ssl_ca']),
+            client_key=dict(type="path", aliases=["ssl_key"]),
-            plugin=dict(default=None, type='str'),
+            ca_cert=dict(type="path", aliases=["ssl_ca"]),
-            plugin_hash_string=dict(default=None, type='str'),
+            plugin=dict(default=None, type="str"),
-            plugin_auth_string=dict(default=None, type='str'),
+            plugin_hash_string=dict(default=None, type="str"),
-            resource_limits=dict(type='dict'),
+            plugin_auth_string=dict(default=None, type="str"),
+            resource_limits=dict(type="dict"),
         ),
         supports_check_mode=True,
     )
@@ -895,15 +1142,16 @@ def main():
     host_all = module.params["host_all"]
     state = module.params["state"]
     priv = module.params["priv"]
-    check_implicit_admin = module.params['check_implicit_admin']
+    tls_requires = sanitize_requires(module.params["tls_requires"])
-    connect_timeout = module.params['connect_timeout']
+    check_implicit_admin = module.params["check_implicit_admin"]
-    config_file = module.params['config_file']
+    connect_timeout = module.params["connect_timeout"]
+    config_file = module.params["config_file"]
     append_privs = module.boolean(module.params["append_privs"])
-    update_password = module.params['update_password']
+    update_password = module.params["update_password"]
     ssl_cert = module.params["client_cert"]
     ssl_key = module.params["client_key"]
     ssl_ca = module.params["ca_cert"]
-    db = ''
+    db = ""
     sql_log_bin = module.params["sql_log_bin"]
     plugin = module.params["plugin"]
     plugin_hash_string = module.params["plugin_hash_string"]
@@ -922,17 +1170,29 @@ def main():
     try:
         if check_implicit_admin:
             try:
-                cursor, db_conn = mysql_connect(module, 'root', '', config_file, ssl_cert, ssl_key, ssl_ca, db,
+                cursor, db_conn = mysql_connect(
-                                                connect_timeout=connect_timeout)
+                    module, "root", "", config_file, ssl_cert, ssl_key, ssl_ca, db, connect_timeout=connect_timeout
+                )
             except Exception:
                 pass
 
         if not cursor:
-            cursor, db_conn = mysql_connect(module, login_user, login_password, config_file, ssl_cert, ssl_key, ssl_ca, db,
+            cursor, db_conn = mysql_connect(
-                                            connect_timeout=connect_timeout)
+                module,
+                login_user,
+                login_password,
+                config_file,
+                ssl_cert,
+                ssl_key,
+                ssl_ca,
+                db,
+                connect_timeout=connect_timeout,
+            )
     except Exception as e:
-        module.fail_json(msg="unable to connect to database, check login_user and login_password are correct or %s has the credentials. "
+        module.fail_json(
-                             "Exception message: %s" % (config_file, to_native(e)))
+            msg="unable to connect to database, check login_user and login_password are correct or %s has the credentials. "
+            "Exception message: %s" % (config_file, to_native(e))
+        )
 
     if not sql_log_bin:
         cursor.execute("SET SQL_LOG_BIN=0;")
@@ -950,14 +1210,38 @@ def main():
     if state == "present":
         if user_exists(cursor, user, host, host_all):
             try:
-                if update_password == 'always':
+                if update_password == "always":
-                    changed, msg = user_mod(cursor, user, host, host_all, password, encrypted,
+                    changed, msg = user_mod(
-                                            plugin, plugin_hash_string, plugin_auth_string,
+                        cursor,
-                                            priv, append_privs, module)
+                        user,
+                        host,
+                        host_all,
+                        password,
+                        encrypted,
+                        plugin,
+                        plugin_hash_string,
+                        plugin_auth_string,
+                        priv,
+                        append_privs,
+                        tls_requires,
+                        module,
+                    )
                 else:
-                    changed, msg = user_mod(cursor, user, host, host_all, None, encrypted,
+                    changed, msg = user_mod(
-                                            plugin, plugin_hash_string, plugin_auth_string,
+                        cursor,
-                                            priv, append_privs, module)
+                        user,
+                        host,
+                        host_all,
+                        None,
+                        encrypted,
+                        plugin,
+                        plugin_hash_string,
+                        plugin_auth_string,
+                        priv,
+                        append_privs,
+                        tls_requires,
+                        module,
+                    )
 
             except (SQLParseError, InvalidPrivsError, mysql_driver.Error) as e:
                 module.fail_json(msg=to_native(e))
@@ -965,9 +1249,20 @@ def main():
             if host_all:
                 module.fail_json(msg="host_all parameter cannot be used when adding a user")
             try:
-                changed = user_add(cursor, user, host, host_all, password, encrypted,
+                changed = user_add(
-                                   plugin, plugin_hash_string, plugin_auth_string,
+                    cursor,
-                                   priv, module.check_mode)
+                    user,
+                    host,
+                    host_all,
+                    password,
+                    encrypted,
+                    plugin,
+                    plugin_hash_string,
+                    plugin_auth_string,
+                    priv,
+                    tls_requires,
+                    module.check_mode,
+                )
                 if changed:
                     msg = "User added"
 
@@ -987,5 +1282,5 @@ def main():
     module.exit_json(changed=changed, user=user, msg=msg)
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     main()

tests/integration/targets/test_mysql_user/tasks/main.yml

@@ -129,6 +129,115 @@
 
     - include: assert_no_user.yml user_name={{user_name_2}}
 
+    # ============================================================
+    # Create users with TLS requirements and verify requirements are assigned
+    #
+    - name: find out the database version
+      mysql_info:
+        <<: *mysql_params
+        filter: version
+      register: db_version
+
+    - name: create user with TLS requirements state=present (expect changed=true)
+      mysql_user:
+        <<: *mysql_params
+        name: '{{ item[0] }}'
+        password: '{{ user_password_1 }}'
+        tls_requires: '{{ item[1] }}'
+      with_together:
+        - [ '{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
+        -
+          - SSL:
+          - X509:
+          - subject: '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+            cipher: 'ECDHE-ECDSA-AES256-SHA384'
+            issuer: '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+
+    - block:
+      - name: retrieve TLS requiremets for users in old database version
+        command: "{{ mysql_command }} -L -N -s -e \"SHOW GRANTS for '{{ item }}'@'localhost'\""
+        register: old_result
+        with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
+
+      - name: set old database separator
+        set_fact:
+          separator: '\n'
+      when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
+
+    - block:
+      - name: retrieve TLS requiremets for users in new database version
+        command: "{{ mysql_command }} -L -N -s -e \"SHOW CREATE USER '{{ item }}'@'localhost'\""
+        register: new_result
+        with_items: ['{{ user_name_1 }}', '{{ user_name_2 }}', '{{ user_name_3 }}']
+
+      - name: set new database separator
+        set_fact:
+          separator: 'PASSWORD'
+      when: db_version.version.major >= 5 and db_version.version.major < 10 and db_version.version.minor > 6 or db_version.version.major == 10 and db_version.version.minor >= 2
+
+    - block:
+      - name: assert user1 TLS requirements
+        assert:
+          that:
+            - "'SSL' in reqs"
+        vars:
+          - reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_1) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
+
+      - name: assert user2 TLS requirements
+        assert:
+          that:
+            - "'X509' in reqs"
+        vars:
+          - reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_2) | first).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
+
+      - name: assert user3 TLS requirements
+        assert:
+          that:
+            - "'/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' in (reqs | select('contains', 'SUBJECT') | first)"
+            - "'/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland' in (reqs | select('contains', 'ISSUER') | first)"
+            - "'ECDHE-ECDSA-AES256-SHA384' in (reqs | select('contains', 'CIPHER') | first)"
+        vars:
+          - reqs: "{{((old_result.results[0] is skipped | ternary(new_result, old_result)).results | selectattr('item', 'contains', user_name_3) | first).stdout.split('REQUIRE')[1].split(separator)[0].replace(\"' \", \"':\").split(\":\")}}"
+      # CentOS 6 uses an older version of jinja that does not provide the selectattr filter.
+      when: ansible_distribution != 'CentOS' or ansible_distribution_major_version != '6'
+
+    - name: modify user with TLS requirements state=present (expect changed=true)
+      mysql_user:
+        name: '{{ user_name_1 }}'
+        password: '{{ user_password_1 }}'
+        tls_requires:
+          X509:
+        login_unix_socket: '{{ mysql_socket }}'
+
+    - name: retrieve TLS requiremets for users in old database version
+      command: mysql -L -N -s -e "SHOW GRANTS for '{{ user_name_1 }}'@'localhost'"
+      register: old_result
+      when: db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2
+
+    - name: retrieve TLS requiremets for users in new database version
+      command: mysql -L -N -s -e "SHOW CREATE USER '{{ user_name_1 }}'@'localhost'"
+      register: new_result
+      when: db_version.version.major >= 5 and db_version.version.major < 10 and db_version.version.minor > 6 or db_version.version.major == 10 and db_version.version.minor >= 2
+
+    - name: assert user1 TLS requirements
+      assert:
+        that: "'X509' in reqs"
+      vars:
+        - reqs: "{{(old_result is skipped | ternary(new_result, old_result)).stdout.split('REQUIRE')[1].split(separator)[0].strip()}}"
+
+
+    - include: remove_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
+
+    - include: remove_user.yml user_name={{user_name_2}} user_password={{ user_password_1 }}
+
+    - include: remove_user.yml user_name={{user_name_3}} user_password={{ user_password_1 }}
+
+    - include: assert_no_user.yml user_name={{user_name_1}}
+
+    - include: assert_no_user.yml user_name={{user_name_2}}
+
+    - include: assert_no_user.yml user_name={{user_name_3}}
+
     # ============================================================
     # Assert user has access to multiple databases
     #