mysql_user: add "update_password: on_new_username" argument, "password_changed" result field (#365)

* mysql_user: add value 'on_new_username' to argument 'update_password' * mysql_user: return "password_changed" boolean (true if the user got a new password) * mysql_user: optimize queries for existing passwords * mysql_user: add integration tests for update_password argument * mysql_user: add description for "update_password: on_new_username" argument * add changelog fragment * formatting (PEP8) * Update changelogs/fragments/365-mysql_user-add-on_new_username-and-password_changed.yml Co-authored-by: Benjamin MALYNOVYTCH <bmalynovytch@users.noreply.github.com> * Update changelogs/fragments/365-mysql_user-add-on_new_username-and-password_changed.yml Co-authored-by: Benjamin MALYNOVYTCH <bmalynovytch@users.noreply.github.com> * Update plugins/modules/mysql_user.py Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> * Update changelogs/fragments/365-mysql_user-add-on_new_username-and-password_changed.yml Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> * Update changelogs/fragments/365-mysql_user-add-on_new_username-and-password_changed.yml Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru> Co-authored-by: Felix Hamme <felix.hamme@ionos.com> Co-authored-by: Benjamin MALYNOVYTCH <bmalynovytch@users.noreply.github.com> Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
2025-07-22 12:50:24 -07:00 · 2022-05-31 16:00:24 +02:00 · 2022-05-31 16:00:24 +02:00 · ed3935abec
commit ed3935abec
parent 51a38840d9
6 changed files with 232 additions and 27 deletions
--- a/tests/integration/targets/test_mysql_user/tasks/assert_user_password.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/assert_user_password.yml
@ -0,0 +1,24 @@
+- name: "applying user {{ username }}@{{ host }} with update_password={{ update_password }}"
+  mysql_user:
+    login_user: '{{ mysql_parameters.login_user }}'
+    login_password: '{{ mysql_parameters.login_password }}'
+    login_host: '{{ mysql_parameters.login_host }}'
+    login_port: '{{ mysql_parameters.login_port }}'
+    state: present
+    name: "{{ username }}"
+    host: "{{ host }}"
+    password: "{{ password }}"
+    update_password: "{{ update_password }}"
+  register: result
+- name: assert a change occurred
+  assert:
+    that:
+      - "result.changed == {{ expect_change }}"
+      - "result.password_changed == {{ expect_password_change }}"
+- name: query the user
+  command: "{{ mysql_command }} -BNe \"SELECT plugin, authentication_string FROM mysql.user where user='{{ username }}' and host='{{ host }}'\""
+  register: existing_user
+- name: assert the password is as set to expect_hash
+  assert:
+    that:
+      - "'mysql_native_password\t{{ expect_password_hash }}' in existing_user.stdout_lines"
--- a/tests/integration/targets/test_mysql_user/tasks/test_update_password.yml
+++ b/tests/integration/targets/test_mysql_user/tasks/test_update_password.yml
@ -0,0 +1,128 @@
+# Tests scenarios for both plaintext and encrypted user passwords.
+
+- vars:
+    mysql_parameters:
+      login_user: '{{ mysql_user }}'
+      login_password: '{{ mysql_password }}'
+      login_host: 127.0.0.1
+      login_port: '{{ mysql_primary_port }}'
+    test_password1: kbB9tcx5WOGVGfzV
+    test_password1_hash: '*AF6A7F9D038475C17EE46564F154104877EE5037'
+    test_password2: XBYjpHmjIctMxl1y
+    test_password2_hash: '*9E22D1B35C68BDDF398B8F28AE482E5A865BAC0A'
+    test_password3: tem33JfR5Yx98BB
+    test_password3_hash: '*C7E7C2710702F20336F8D93BC0670C8FB66BDBC7'
+
+
+  block:
+    - include_tasks: assert_user_password.yml
+      vars:
+        username: "{{ item.username }}"
+        host: '127.0.0.1'
+        update_password: "{{ item.update_password }}"
+        password: "{{ test_password1 }}"
+        expect_change: "{{ item.expect_change }}"
+        expect_password_change: "{{ item.expect_change }}"
+        expect_password_hash: "{{ test_password1_hash }}"
+      loop:
+        # all variants set the password when nothing exists
+        - username: test1
+          update_password: always
+          expect_change: true
+        - username: test2
+          update_password: on_create
+          expect_change: true
+        - username: test3
+          update_password: on_new_username
+          expect_change: true
+
+        # assert idempotency
+        - username: test1
+          update_password: always
+          expect_change: false
+        - username: test2
+          update_password: on_create
+          expect_change: false
+        - username: test3
+          update_password: on_new_username
+          expect_change: false
+
+    # same user, new password
+    - include_tasks: assert_user_password.yml
+      vars:
+        username: "{{ item.username }}"
+        host: '127.0.0.1'
+        update_password: "{{ item.update_password }}"
+        password: "{{ test_password2 }}"
+        expect_change: "{{ item.expect_change }}"
+        expect_password_change: "{{ item.expect_change }}"
+        expect_password_hash: "{{ item.expect_password_hash }}"
+      loop:
+        - username: test1
+          update_password: always
+          expect_change: true
+          expect_password_hash: "{{ test_password2_hash }}"
+        - username: test2
+          update_password: on_create
+          expect_change: false
+          expect_password_hash: "{{ test_password1_hash }}"
+        - username: test3
+          update_password: on_new_username
+          expect_change: false
+          expect_password_hash: "{{ test_password1_hash }}"
+
+    # new user, new password
+    - include_tasks: assert_user_password.yml
+      vars:
+        username: "{{ item.username }}"
+        host: '::1'
+        update_password: "{{ item.update_password }}"
+        password: "{{ item.password }}"
+        expect_change: "{{ item.expect_change }}"
+        expect_password_change: "{{ item.expect_password_change }}"
+        expect_password_hash: "{{ item.expect_password_hash }}"
+      loop:
+        - username: test1
+          update_password: always
+          expect_change: true
+          expect_password_change: true
+          password: "{{ test_password1 }}"
+          expect_password_hash: "{{ test_password1_hash }}"
+        - username: test2
+          update_password: on_create
+          expect_change: true
+          expect_password_change: true
+          password: "{{ test_password2 }}"
+          expect_password_hash: "{{ test_password2_hash }}"
+        - username: test3
+          update_password: on_new_username
+          expect_change: true
+          expect_password_change: false
+          password: "{{ test_password2 }}"
+          expect_password_hash: "{{ test_password1_hash }}"
+
+        # prepare for next test: ensure all users have varying passwords
+        - username: test3
+          update_password: always
+          expect_change: true
+          expect_password_change: true
+          password: "{{ test_password2 }}"
+          expect_password_hash: "{{ test_password2_hash }}"
+
+    # another new user, another new password and multiple existing users with varying passwords
+    - include_tasks: assert_user_password.yml
+      vars:
+        username: "{{ item.username }}"
+        host: '2001:db8::1'
+        update_password: "{{ item.update_password }}"
+        password: "{{ test_password3 }}"
+        expect_change: true
+        expect_password_change: true
+        expect_password_hash: "{{ test_password3_hash }}"
+      loop:
+        - username: test1
+          update_password: always
+        - username: test2
+          update_password: on_create
+        - username: test3
+          update_password: on_new_username