Check account_locking values

2025-04-24 03:11:25 -07:00 · 2020-11-29 22:03:54 +02:00 · 2020-11-29 22:03:54 +02:00 · de75697d5f
commit de75697d5f
parent 9a303ac55a
1 changed files with 12 additions and 12 deletions
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@ -440,10 +440,12 @@ def validate_account_locking(cursor, account_locking):
    locking = {}

    if 'mariadb' in version_str.lower():
-        msg = "MariaDB does not support this manner of account locking. Use the MAX_PASSWORD_ERRORS server variable instead."
+        module.warn("MariaDB does not support this manner of account locking. Use the MAX_PASSWORD_ERRORS server variable instead.")
+        module.warn("Account locking settings are being ignored.")
    else:
        if int(version[0]) * 1000 + int(version[2]) < 8019:
-            msg = "MySQL is too old to support this manner of account locking."
+            module.warn("MySQL is too old to support this manner of account locking.")
+            module.warn("Account locking settings are being ignored.")
        else:
            msg = None
            if account_locking is not None:
@ -451,7 +453,11 @@ def validate_account_locking(cursor, account_locking):
                    "FAILED_LOGIN_ATTEMPTS": str(account_locking.get("FAILED_LOGIN_ATTEMPTS", 0)),
                    "PASSWORD_LOCK_TIME": str(account_locking.get("PASSWORD_LOCK_TIME", 0))
                }
-    return msg, locking
+    if any([int(value) < 0 or int(value) > 32767 for value in locking.values() if re.match("[-+]?\\d+$", value)]):
+        module.fail_json(msg="Account locking values are out of the valid range (0-32767)")
+    if not re.match("[-+]?\\d+$", locking["PASSWORD_LOCK_TIME"]) and locking["PASSWORD_LOCK_TIME"] != "UNBOUNDED":
+        module.fail_json(msg="PASSWORD_LOCK_TIME must be an integer between 0 and 32767 or 'UNBOUNDED'")
+    return locking


 def get_account_locking(cursor, user, host):
@ -578,13 +584,10 @@ def user_add(cursor, user, host, host_all, password, encrypted,
    if host_all:
        return False

-    msg, locking = validate_account_locking(cursor, account_locking)
-    if msg and account_locking:
-        module.warn(msg)
-        module.warn("Account locking settings are being ignored.")
+    locking = validate_account_locking(cursor, account_locking, module)

    if check_mode:
-        return (True, msg)
+        return True

    # Determine what user management method server uses
    old_user_mgmt = use_old_user_mgmt(cursor)
@ -816,10 +819,7 @@ def user_mod(cursor, user, host, host_all, password, encrypted,
            changed = True

        # Handle Account locking
-        note, locking = validate_account_locking(cursor, account_locking)
-        if note and account_locking:
-            module.warn(note)
-            module.warn("Account locking settings are being ignored.")
+        locking = validate_account_locking(cursor, account_locking, module)
        current_locking = get_account_locking(cursor, user, host)
        clear_locking = dict((x, y) for x, y in locking.items() if y != '0')
        if current_locking != clear_locking: