Deprecate REQUIRESSL privilege (#132)

* Deprecate REQUIRESSL privilege * Add missing whitespace * Fix according to PR review * Fix conditional check * Fix privilege string parsing * Add unit tests for the new function * Add integration tests * Fix parentheses indentation * Cover alternative error message * Fix privileges * Limit verification of access denied to pymysql connector * Fix REQUIRE SSL verification tests
2025-04-09 20:20:32 -07:00 · 2021-04-10 07:01:15 +02:00 · 2021-04-10 07:01:15 +02:00 · dc522cc5d3
commit dc522cc5d3
parent 6342fb6f23
5 changed files with 220 additions and 13 deletions
--- a/changelogs/fragments/101-drop-requiressl-support.yml
+++ b/changelogs/fragments/101-drop-requiressl-support.yml
@ -0,0 +1,4 @@
+minor_changes:
+  - mysql_user - deprecate the ``REQUIRESSL`` privilege (https://github.com/ansible-collections/community.mysql/issues/101).
+major_changes:
+  - mysql_user - the ``REQUIRESSL`` is an alias for the ``ssl`` key in the ``tls_requires`` option in ``community.mysql`` 2.0.0 and support will be dropped altogether in ``community.mysql`` 3.0.0 (https://github.com/ansible-collections/community.mysql/issues/121).
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@ -189,7 +189,7 @@ EXAMPLES = r'''
      'db2.*': 'ALL,GRANT'

 # Note that REQUIRESSL is a special privilege that should only apply to *.* by itself.
-# Setting this privilege in this manner is supported for backwards compatibility only.
+# Setting this privilege in this manner is deprecated.
 # Use 'tls_requires' instead.
 - name: Modify user to require SSL connections
  community.mysql.mysql_user:
@ -316,7 +316,8 @@ VALID_PRIVS = frozenset(('CREATE', 'DROP', 'GRANT', 'GRANT OPTION',
                         'EXECUTE', 'FILE', 'CREATE TABLESPACE', 'CREATE USER',
                         'PROCESS', 'PROXY', 'RELOAD', 'REPLICATION CLIENT',
                         'REPLICATION SLAVE', 'SHOW DATABASES', 'SHUTDOWN',
-                         'SUPER', 'ALL', 'ALL PRIVILEGES', 'USAGE', 'REQUIRESSL',
+                         'SUPER', 'ALL', 'ALL PRIVILEGES', 'USAGE',
+                         'REQUIRESSL',  # Deprecated, to be removed in version 3.0.0
                         'CREATE ROLE', 'DROP ROLE', 'APPLICATION_PASSWORD_ADMIN',
                         'AUDIT_ADMIN', 'BACKUP_ADMIN', 'BINLOG_ADMIN',
                         'BINLOG_ENCRYPTION_ADMIN', 'CLONE_ADMIN', 'CONNECTION_ADMIN',
@ -745,8 +746,6 @@ def privileges_get(cursor, user, host):

        if "WITH GRANT OPTION" in res.group(7):
            privileges.append('GRANT')
-        if 'REQUIRE SSL' in res.group(7):
-            privileges.append('REQUIRESSL')
        db = res.group(2)
        output.setdefault(db, []).extend(privileges)
    return output
@ -919,11 +918,6 @@ def privileges_unpack(priv, mode):
    if '*.*' not in output:
        output['*.*'] = ['USAGE']

-    # if we are only specifying something like REQUIRESSL and/or GRANT (=WITH GRANT OPTION) in *.*
-    # we still need to add USAGE as a privilege to avoid syntax errors
-    if 'REQUIRESSL' in priv and not set(output['*.*']).difference(set(['GRANT', 'REQUIRESSL'])):
-        output['*.*'].append('USAGE')
-
    return output


@ -935,7 +929,7 @@ def privileges_revoke(cursor, user, host, db_table, priv, grant_option):
        query.append("FROM %s@%s")
        query = ' '.join(query)
        cursor.execute(query, (user, host))
-    priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
+    priv_string = ",".join([p for p in priv if p not in ('GRANT', )])
    query = ["REVOKE %s ON %s" % (priv_string, db_table)]
    query.append("FROM %s@%s")
    query = ' '.join(query)
@ -946,15 +940,13 @@ def privileges_grant(cursor, user, host, db_table, priv, tls_requires):
    # Escape '%' since mysql db.execute uses a format string and the
    # specification of db and table often use a % (SQL wildcard)
    db_table = db_table.replace('%', '%%')
-    priv_string = ",".join([p for p in priv if p not in ('GRANT', 'REQUIRESSL')])
+    priv_string = ",".join([p for p in priv if p not in ('GRANT', )])
    query = ["GRANT %s ON %s" % (priv_string, db_table)]
    query.append("TO %s@%s")
    params = (user, host)
    if tls_requires and impl.use_old_user_mgmt(cursor):
        query, params = mogrify_requires(" ".join(query), params, tls_requires)
        query = [query]
-    if 'REQUIRESSL' in priv and not tls_requires:
-        query.append("REQUIRE SSL")
    if 'GRANT' in priv:
        query.append("WITH GRANT OPTION")
    query = ' '.join(query)
@ -975,6 +967,27 @@ def convert_priv_dict_to_str(priv):
    return '/'.join(priv_list)


+def handle_requiressl_in_priv_string(module, priv, tls_requires):
+    module.deprecate('The "REQUIRESSL" privilege is deprecated, use the "tls_requires" option instead.',
+                     version='3.0.0', collection_name='community.mysql')
+    priv_groups = re.search(r"(.*?)(\*\.\*:)([^/]*)(.*)", priv)
+    if priv_groups.group(3) == "REQUIRESSL":
+        priv = priv_groups.group(1) + priv_groups.group(4) or None
+    else:
+        inner_priv_groups = re.search(r"(.*?),?REQUIRESSL,?(.*)", priv_groups.group(3))
+        priv = '{0}{1}{2}{3}'.format(
+            priv_groups.group(1),
+            priv_groups.group(2),
+            ','.join(filter(None, (inner_priv_groups.group(1), inner_priv_groups.group(2)))),
+            priv_groups.group(4)
+        )
+    if not tls_requires:
+        tls_requires = "SSL"
+    else:
+        module.warn('Ignoring "REQUIRESSL" privilege as "tls_requires" is defined and it takes precedence.')
+    return priv, tls_requires
+
+
 # Alter user is supported since MySQL 5.6 and MariaDB 10.2.0
 def server_supports_alter_user(cursor):
    """Check if the server supports ALTER USER statement or doesn't.
@ -1167,6 +1180,9 @@ def main():
    if priv and isinstance(priv, dict):
        priv = convert_priv_dict_to_str(priv)

+    if priv and "REQUIRESSL" in priv:
+        priv, tls_requires = handle_requiressl_in_priv_string(module, priv, tls_requires)
+
    if mysql_driver is None:
        module.fail_json(msg=mysql_driver_fail_msg)

--- a/tests/integration/targets/test_mysql_user/tasks/issue-121.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/issue-121.yml
@ -0,0 +1,115 @@
+---
+- vars:
+    mysql_parameters: &mysql_params
+      login_user: '{{ mysql_user }}'
+      login_password: '{{ mysql_password }}'
+      login_host: 127.0.0.1
+      login_port: '{{ mysql_primary_port }}'
+
+  block:
+
+    # ============================================================
+    - shell: pip show pymysql | awk '/Version/ {print $2}'
+      register: pymysql_version
+
+    - name: get server certificate
+      copy:
+        content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect localhost:3307 -showcerts 2>/dev/null </dev/null |  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
+        dest: /tmp/cert.pem
+      delegate_to: localhost
+
+    - name: get server version
+      mysql_info:
+        <<: *mysql_params
+        filter: version
+      register: db_version
+
+    - set_fact:
+        old_user_mgmt: "{{ db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2 | bool }}"
+
+    - name: Drop mysql user if exists
+      mysql_user:
+        <<: *mysql_params
+        name: '{{ item }}'
+        state: absent
+      ignore_errors: yes
+      with_items:
+        - "{{ user_name_1 }}"
+        - "{{ user_name_2 }}"
+
+    - name: create user with REQUIRESSL privilege
+      mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
+
+    - name: verify REQUIRESSL is assigned to the user
+      mysql_query:
+        <<: *mysql_params
+        query: "SHOW {{ what }} '{{ user_name_1}}'@'localhost'"
+      register: result
+      vars:
+        what: "{{ 'GRANTS FOR' if old_user_mgmt else 'CREATE USER' }}"
+
+    - assert:
+        that:
+          - result is succeeded and 'REQUIRE SSL' in (result.query_result | string)
+
+    - name: create user with equivalent ssl requirement in tls_requires (expect unchanged)
+      mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        priv: '*.*:SELECT,CREATE USER,GRANT'
+        tls_requires:
+          SSL:
+      register: result
+
+    - assert:
+        that:
+          - result is not changed
+
+    - name: create the same user again, with REQUIRESSL privilege once more
+      mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
+      register: result
+
+    - assert:
+        that:
+          - result is not changed
+
+    - name: create user with both REQUIRESSL privilege and an incompatible tls_requires option
+      mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
+        tls_requires:
+          X509:
+
+    - name: create same user again without REQUIRESSL privilege
+      mysql_user:
+        <<: *mysql_params
+        name: "{{ user_name_1 }}"
+        password: "{{ user_password_1 }}"
+        priv: '*.*:SELECT,CREATE USER,GRANT'
+        tls_requires:
+          X509:
+      register: result
+
+    - assert:
+        that: result is not changed
+
+    - name: Drop mysql user
+      mysql_user:
+        <<: *mysql_params
+        name: '{{ item }}'
+        host: 127.0.0.1
+        state: absent
+      with_items:
+        - "{{ user_name_1 }}"
+        - "{{ user_name_2 }}"
--- a/tests/integration/targets/test_mysql_user/tasks/main.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/main.yml
@ -37,6 +37,8 @@

  block:

+    - include: issue-121.yml
+
    - include: issue-28.yml

    - include: create_user.yml user_name={{user_name_1}} user_password={{ user_password_1 }}
--- a/tests/unit/plugins/modules/test_mysql_user.py
+++ b/tests/unit/plugins/modules/test_mysql_user.py
@ -4,12 +4,17 @@ from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type

 import pytest
+try:
+    from unittest.mock import MagicMock
+except ImportError:
+    from mock import MagicMock

 from ansible_collections.community.mysql.plugins.modules.mysql_user import (
    handle_grant_on_col,
    has_grant_on_col,
    normalize_col_grants,
    sort_column_order,
+    handle_requiressl_in_priv_string
 )
 from ..utils import dummy_cursor_class

@ -74,6 +79,71 @@ def test_handle_grant_on_col(privileges, start, end, output):
    assert handle_grant_on_col(privileges, start, end) == output


+@pytest.mark.parametrize(
+    'input_tuple,output_tuple',
+    [
+        (('*.*:REQUIRESSL', None), (None, 'SSL')),
+        (('*.*:ALL,REQUIRESSL', None), ('*.*:ALL', 'SSL')),
+        (('*.*:REQUIRESSL,ALL', None), ('*.*:ALL', 'SSL')),
+        (('*.*:ALL,REQUIRESSL,GRANT', None), ('*.*:ALL,GRANT', 'SSL')),
+        (('*.*:ALL,REQUIRESSL,GRANT/a.b:USAGE', None), ('*.*:ALL,GRANT/a.b:USAGE', 'SSL')),
+        (('*.*:REQUIRESSL', 'X509'), (None, 'X509')),
+        (('*.*:ALL,REQUIRESSL', 'X509'), ('*.*:ALL', 'X509')),
+        (('*.*:REQUIRESSL,ALL', 'X509'), ('*.*:ALL', 'X509')),
+        (('*.*:ALL,REQUIRESSL,GRANT', 'X509'), ('*.*:ALL,GRANT', 'X509')),
+        (('*.*:ALL,REQUIRESSL,GRANT/a.b:USAGE', 'X509'), ('*.*:ALL,GRANT/a.b:USAGE', 'X509')),
+        (('*.*:REQUIRESSL', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        }), (None, {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        })),
+        (('*.*:ALL,REQUIRESSL', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        }), ('*.*:ALL', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        })),
+        (('*.*:REQUIRESSL,ALL', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        }), ('*.*:ALL', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        })),
+        (('*.*:ALL,REQUIRESSL,GRANT', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        }), ('*.*:ALL,GRANT', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        })),
+        (('*.*:ALL,REQUIRESSL,GRANT/a.b:USAGE', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        }), ('*.*:ALL,GRANT/a.b:USAGE', {
+            'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
+            'cipher': 'ECDHE-ECDSA-AES256-SHA384',
+            'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
+        }))
+    ]
+)
+def test_handle_requiressl_in_priv_string(input_tuple, output_tuple):
+    """Tests the handle_requiressl_in_priv_string funciton."""
+    assert handle_requiressl_in_priv_string(MagicMock(), *input_tuple) == output_tuple
+
+
@pytest.mark.parametrize(
    'input_,expected',
    [