ansible-collections/community.mysql
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.mysql.git synced 2025-07-22 12:50:24 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Remove support for REQUIRESSL privilege (#244)

Browse source 
* Remove support for REQUIRESSL privilege

* Fix error search string
This commit is contained in:
Jorge Rodriguez (A.K.A. Tiriel) 2021-12-01 07:56:04 +01:00 committed by GitHub
commit dd4700989f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 11 additions and 147 deletions
Download patch file Download diff file Expand all files Collapse all files

53
tests/integration/targets/test_mysql_user/tasks/issue-121.yml
View file

@ -37,50 +37,19 @@
- "{{ user_name_1 }}"
- "{{ user_name_2 }}"
- name: create user with REQUIRESSL privilege
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
- name: verify REQUIRESSL is assigned to the user
mysql_query:
<<: *mysql_params
query: "SHOW {{ what }} '{{ user_name_1}}'@'localhost'"
register: result
vars:
what: "{{ 'GRANTS FOR' if old_user_mgmt else 'CREATE USER' }}"
- assert:
that:
- result is succeeded and 'REQUIRE SSL' in (result.query_result | string)
- name: create user with equivalent ssl requirement in tls_requires (expect unchanged)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,GRANT'
tls_requires:
SSL:
register: result
- assert:
that:
- result is not changed
- name: create the same user again, with REQUIRESSL privilege once more
- name: create user with REQUIRESSL privilege (expect failure)
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
register: result
ignore_errors: yes
- assert:
that:
- result is not changed
- result is failed
- result.msg is search('Error granting privileges')
- name: create user with both REQUIRESSL privilege and an incompatible tls_requires option
mysql_user:
@ -90,19 +59,13 @@
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
tls_requires:
X509:
- name: create same user again without REQUIRESSL privilege
mysql_user:
<<: *mysql_params
name: "{{ user_name_1 }}"
password: "{{ user_password_1 }}"
priv: '*.*:SELECT,CREATE USER,GRANT'
tls_requires:
X509:
register: result
ignore_errors: yes
- assert:
that: result is not changed
that:
- result is failed
- result.msg is search('Error granting privileges')
- name: Drop mysql user
mysql_user:

68
tests/unit/plugins/module_utils/test_mysql_user.py
View file

@ -13,8 +13,7 @@ from ansible_collections.community.mysql.plugins.module_utils.user import (
handle_grant_on_col,
has_grant_on_col,
normalize_col_grants,
sort_column_order,
handle_requiressl_in_priv_string
sort_column_order
)
from ..utils import dummy_cursor_class
@ -79,71 +78,6 @@ def test_handle_grant_on_col(privileges, start, end, output):
assert handle_grant_on_col(privileges, start, end) == output
@pytest.mark.parametrize(
'input_tuple,output_tuple',
[
(('*.*:REQUIRESSL', None), (None, 'SSL')),
(('*.*:ALL,REQUIRESSL', None), ('*.*:ALL', 'SSL')),
(('*.*:REQUIRESSL,ALL', None), ('*.*:ALL', 'SSL')),
(('*.*:ALL,REQUIRESSL,GRANT', None), ('*.*:ALL,GRANT', 'SSL')),
(('*.*:ALL,REQUIRESSL,GRANT/a.b:USAGE', None), ('*.*:ALL,GRANT/a.b:USAGE', 'SSL')),
(('*.*:REQUIRESSL', 'X509'), (None, 'X509')),
(('*.*:ALL,REQUIRESSL', 'X509'), ('*.*:ALL', 'X509')),
(('*.*:REQUIRESSL,ALL', 'X509'), ('*.*:ALL', 'X509')),
(('*.*:ALL,REQUIRESSL,GRANT', 'X509'), ('*.*:ALL,GRANT', 'X509')),
(('*.*:ALL,REQUIRESSL,GRANT/a.b:USAGE', 'X509'), ('*.*:ALL,GRANT/a.b:USAGE', 'X509')),
(('*.*:REQUIRESSL', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
}), (None, {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
})),
(('*.*:ALL,REQUIRESSL', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
}), ('*.*:ALL', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
})),
(('*.*:REQUIRESSL,ALL', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
}), ('*.*:ALL', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
})),
(('*.*:ALL,REQUIRESSL,GRANT', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
}), ('*.*:ALL,GRANT', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
})),
(('*.*:ALL,REQUIRESSL,GRANT/a.b:USAGE', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
}), ('*.*:ALL,GRANT/a.b:USAGE', {
'subject': '/CN=alice/O=MyDom, Inc./C=US/ST=Oregon/L=Portland',
'cipher': 'ECDHE-ECDSA-AES256-SHA384',
'issuer': '/CN=org/O=MyDom, Inc./C=US/ST=Oregon/L=Portland'
}))
]
)
def test_handle_requiressl_in_priv_string(input_tuple, output_tuple):
"""Tests the handle_requiressl_in_priv_string funciton."""
assert handle_requiressl_in_priv_string(MagicMock(), *input_tuple) == output_tuple
@pytest.mark.parametrize(
'input_,expected',
[