From ea48464f32bc9e22d84b72f0b3001c545a25cdfe Mon Sep 17 00:00:00 2001
From: Felix Hamme
Date: Tue, 19 Apr 2022 11:14:01 +0200
Subject: [PATCH] mysql_role, mysql_user: invalid privileges are ignored when subtract_privs is true -> document that and fix integration tests
---
 plugins/modules/mysql_role.py | 1 +
 plugins/modules/mysql_user.py | 1 +
 .../tasks/test_priv_subtract.yml | 21 +++++++++++++++----
 .../tasks/test_priv_subtract.yml | 21 +++++++++++++++----
 4 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/plugins/modules/mysql_role.py b/plugins/modules/mysql_role.py
index 48c4fdd..3f88e1b 100644
--- a/plugins/modules/mysql_role.py
+++ b/plugins/modules/mysql_role.py
@@ -58,6 +58,7 @@ options:
 subtract_privs:
 description:
 - Revoke the privileges defined by the I(priv) option and keep other existing privileges.
+ If set, invalid privileges in I(priv) are ignored.
 Mutually exclusive with I(append_privs).
 type: bool
 default: no
diff --git a/plugins/modules/mysql_user.py b/plugins/modules/mysql_user.py
index 0dedc26..0cd7fdc 100644
--- a/plugins/modules/mysql_user.py
+++ b/plugins/modules/mysql_user.py
@@ -69,6 +69,7 @@ options:
 subtract_privs:
 description:
 - Revoke the privileges defined by the I(priv) option and keep other existing privileges.
+ If set, invalid privileges in I(priv) are ignored.
 Mutually exclusive with I(append_privs).
 type: bool
 default: no
diff --git a/tests/integration/targets/test_mysql_role/tasks/test_priv_subtract.yml b/tests/integration/targets/test_mysql_role/tasks/test_priv_subtract.yml
index cefe32c..43e5b0c 100644
--- a/tests/integration/targets/test_mysql_role/tasks/test_priv_subtract.yml
+++ b/tests/integration/targets/test_mysql_role/tasks/test_priv_subtract.yml
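Review bot: The sentence added to `subtract_privs` in plugins/modules/mysql_role.py (and the identical line in plugins/modules/mysql_user.py) states the behaviour but not its consequence for a revocation. A misspelled or unsupported privilege name is skipped, the task neither fails nor reports a change, and the grant the author meant to remove stays in place. I would spell that out, e.g. `If set, invalid privileges in I(priv) are ignored without an error, so a misspelled privilege name is not revoked; verify the outcome with SHOW GRANTS.` Whether the module emits a warning for the ignored entry is not visible in this diff; if it does not, that would be worth a follow-up so the skipped revoke shows up in the play output.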
@@ -96,13 +96,26 @@ state: present check_mode: '{{ enable_check_mode }}' register: result - ignore_errors: true - - name: Assert that there wasn't a change in privileges if check_mode is set to 'no' + - name: Assert that there was no change because invalid permissions are ignored assert: that: - - result is failed - - "'Error granting privileges' in result.msg" + - "result.changed == false" + + - name: Run command to show privileges for role (expect privileges in stdout) + command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ role2 }}'\"" + register: result + + - name: Assert that the permissions were not changed with check_mode=='yes' + assert: + that: + - "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout" + when: enable_check_mode == 'yes' + + - name: Assert that the permissions were not changed with check_mode=='no' + assert: + that: + - "'GRANT SELECT ON `data1`.*' in result.stdout" when: enable_check_mode == 'no' - name: trigger failure by trying to subtract and append privileges at the same time diff --git a/tests/integration/targets/test_mysql_user/tasks/test_priv_subtract.yml b/tests/integration/targets/test_mysql_user/tasks/test_priv_subtract.yml index dd149fc..8bedd1f 100644 --- a/tests/integration/targets/test_mysql_user/tasks/test_priv_subtract.yml +++ b/tests/integration/targets/test_mysql_user/tasks/test_priv_subtract.yml 
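Review bot: The two new `SHOW GRANTS` assertions in test_mysql_role/tasks/test_priv_subtract.yml are each gated on an exact string comparison (`when: enable_check_mode == 'yes'` / `== 'no'`), so if the variable ever carries another form (a boolean, `'true'`), both are skipped and only the `changed` check runs. One of the two could be made the fallback, e.g. `when: enable_check_mode != 'yes'`. If that is too loose, a guard task that fails on any other value would do. As a style point, `- "result.changed == false"` reads better as `- result is not changed`, the usual Ansible test form. The same applies to the parallel hunk in test_mysql_user/tasks/test_priv_subtract.yml. The task under test starts above this hunk, so the privilege string it subtracts is not visible here.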
@@ -100,13 +100,26 @@ state: present check_mode: '{{ enable_check_mode }}' register: result - ignore_errors: true - - name: Assert that there wasn't a change in privileges if check_mode is set to 'no' + - name: Assert that there was no change because invalid permissions are ignored assert: that: - - result is failed - - "'Error granting privileges' in result.msg" + - "result.changed == false" + + - name: Run command to show privileges for user (expect privileges in stdout) + command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_4 }}'@'localhost'\"" + register: result + + - name: Assert that the permissions were not changed with check_mode=='yes' + assert: + that: + - "'GRANT SELECT, INSERT ON `data1`.*' in result.stdout" + when: enable_check_mode == 'yes' + + - name: Assert that the permissions were not changed with check_mode=='no' + assert: + that: + - "'GRANT SELECT ON `data1`.*' in result.stdout" when: enable_check_mode == 'no' - name: trigger failure by trying to subtract and append privileges at the same time