Add auth plugin tests

Fran Sanjuán 2024-08-23 12:16:50 +02:00
commit f4136a1dda
4 changed files with 160 additions and 68 deletions


@ -0,0 +1,2 @@
bugfixes:
- mysql_user - Module makes changes when is executed with plugin_auth_string parameter and check mode


@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
import yaml
import os


@ -9,6 +9,7 @@
login_port: '{{ mysql_primary_port }}'
test_user_name: 'test_user_plugin_auth'
test_plugin_type: 'mysql_native_password'
test_plugin_type2: 'caching_sha2_password'
test_plugin_hash: '*0CB5B86F23FDC24DB19A29B8854EB860CBC47793'
test_plugin_auth_string: 'Fdt8fd^34ds'
test_plugin_new_hash: '*E74368AC90460FA669F6D41BFB7F2A877DB73745'
@ -24,7 +25,7 @@
#
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -34,28 +35,107 @@
register: result
- name: Plugin auth | Get user information (with hash string)
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
ansible.builtin.assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Change user plugin in check mode
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type2 }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
check_mode: true
register: result
- name: Plugin auth | Check that the module made a change auth plugin
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set
ansible.builtin.include_tasks: utils/assert_plugin.yml
vars:
user_name: "{{ test_user_name }}"
plugin_type: "{{ test_plugin_type }}"
- name: Plugin auth | Change user auth plugin
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type2 }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
register: result
- name: Plugin auth | Check that the module made a change auth plugin
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set
ansible.builtin.include_tasks: utils/assert_plugin.yml
vars:
user_name: "{{ test_user_name }}"
plugin_type: "{{ test_plugin_type2 }}"
- name: Plugin auth | Set main auth plugin again
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
register: result
- name: Plugin auth | Check that the module made a change auth plugin
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set
ansible.builtin.include_tasks: utils/assert_plugin.yml
vars:
user_name: "{{ test_user_name }}"
plugin_type: "{{ test_plugin_type }}"
- name: Plugin auth | Set same plugint check that no changes are reported
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
plugin: '{{ test_plugin_type }}'
plugin_hash_string: '{{ test_plugin_hash }}'
priv: '{{ test_default_priv }}'
register: result
- name: Plugin auth | Check that the module made a change auth plugin
ansible.builtin.assert:
that:
- result is not changed
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -64,12 +144,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Update the user with a different hash
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -78,18 +158,18 @@
register: result
- name: Plugin auth | Check that the module makes the change because the hash changed
assert:
ansible.builtin.assert:
that:
- result is changed
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Getting the MySQL info with the new password should work
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_new_auth_string }}'
login_host: '{{ mysql_host }}'
@ -98,12 +178,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -112,7 +192,7 @@
#
- name: Plugin auth | Create user with plugin auth (with hash string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -122,28 +202,28 @@
register: result
- name: Plugin auth | Get user information
command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (with hash string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (with hash string)
assert:
ansible.builtin.assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -152,12 +232,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Update the user with the same hash (no change expected)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -167,19 +247,19 @@
# FIXME: on mariadb 10.2 there's always a change
- name: Plugin auth | Check that the module doesn't make a change when the same hash is passed in
assert:
ansible.builtin.assert:
that:
- result is not changed
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in plaintext form
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -189,12 +269,12 @@
# Expecting a change is currently by design (see comment in source).
- name: Plugin auth | Check that the module did not change the password
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Getting the MySQL info should still work
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -203,12 +283,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -217,7 +297,7 @@
#
- name: Plugin auth | Create user with plugin auth (with auth string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -227,28 +307,28 @@
register: result
- name: Plugin auth | Get user information(with auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (with auth string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (with auth string)
assert:
ansible.builtin.assert:
that:
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -257,12 +337,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Update the user with the same auth string
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -273,18 +353,18 @@
# This is the current expected behavior because there isn't a reliable way to hash the password in the mysql_user
# module in order to be able to compare this password with the stored hash. See the source for more info.
- name: Plugin auth | The module should detect a change even though the password is the same
assert:
ansible.builtin.assert:
that:
- result is changed
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in hash form
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -293,12 +373,12 @@
register: result
- name: Plugin auth | Check that the module did not change the password
assert:
ansible.builtin.assert:
that:
- result is not changed
- name: Plugin auth | Get the MySQL version using the newly created creds
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: '{{ test_plugin_auth_string }}'
login_host: '{{ mysql_host }}'
@ -307,12 +387,12 @@
register: result
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -321,7 +401,7 @@
#
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -330,28 +410,28 @@
register: result
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
ansible.builtin.assert:
that:
- "'{{ test_plugin_type }}' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: "%"
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Get the MySQL version using an empty password for the newly created user
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: ''
login_host: '{{ mysql_host }}'
@ -361,12 +441,12 @@
ignore_errors: true
- name: Plugin auth | Assert that mysql_info was successful
assert:
ansible.builtin.assert:
that:
- result is succeeded
- name: Plugin auth | Get the MySQL version using an non-empty password (should fail)
mysql_info:
community.mysql.mysql_info:
login_user: '{{ test_user_name }}'
login_password: 'some_password'
login_host: '{{ mysql_host }}'
@ -376,12 +456,12 @@
ignore_errors: true
- name: Plugin auth | Assert that mysql_info failed
assert:
ansible.builtin.assert:
that:
- result is failed
- name: Plugin auth | Update the user without changing the auth mechanism
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
host: '%'
@ -390,12 +470,12 @@
register: result
- name: Plugin auth | Assert that the user wasn't changed because the auth string is still empty
assert:
ansible.builtin.assert:
that:
- result is not changed
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -415,7 +495,7 @@
block:
- name: Plugin auth | Create user with plugin auth (empty auth string)
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: '{{ test_plugin_type }}'
@ -423,28 +503,28 @@
register: result
- name: Plugin auth | Get user information (empty auth string)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (empty auth string)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (empty auth string)
assert:
ansible.builtin.assert:
that:
- test_plugin_type in show_create_user.stdout
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: localhost
priv: "{{ test_default_priv_type }}"
- name: Plugin auth | Switch user to sha256_password auth plugin
mysql_user:
community.mysql.mysql_user:
<<: *mysql_params
name: '{{ test_user_name }}'
plugin: sha256_password
@ -452,28 +532,28 @@
register: result
- name: Plugin auth | Get user information (sha256_password)
command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\""
register: show_create_user
- name: Plugin auth | Check that the module made a change (sha256_password)
assert:
ansible.builtin.assert:
that:
- result is changed
- name: Plugin auth | Check that the expected plugin type is set (sha256_password)
assert:
ansible.builtin.assert:
that:
- "'sha256_password' in show_create_user.stdout"
when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>='))
- include_tasks: utils/assert_user.yml
- ansible.builtin.include_tasks: utils/assert_user.yml
vars:
user_name: "{{ test_user_name }}"
user_host: localhost
priv: "{{ test_default_priv_type }}"
# Cleanup
- include_tasks: utils/remove_user.yml
- ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
@ -505,7 +585,7 @@
register: result
failed_when: result is changed
- name: cleanup user
- name: Cleanup user
ansible.builtin.include_tasks: utils/remove_user.yml
vars:
user_name: "{{ test_user_name }}"
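Review bot: The check-mode task added in the `@ -34,28 +35,107 @` hunk ("Change user plugin in check mode") passes `plugin_hash_string`, while the changelog fragment describes the bug as occurring with `plugin_auth_string` in check mode, so the regression this commit names does not appear to be exercised. Consider adding a second check-mode task that sets `plugin_auth_string: '{{ test_plugin_auth_string }}'` and then confirms through utils/assert_plugin.yml that the stored plugin is still `test_plugin_type`. Separately, the last new assert in that hunk is named "Check that the module made a change auth plugin" but asserts `result is not changed`; a name such as `Plugin auth | Check that no change is reported for the same plugin` would match what it checks. The task name before it also has the typo "plugint".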


@ -0,0 +1,10 @@
---
- name: Utils | Assert plugin | Query for user {{ user_name }}
ansible.builtin.command: "{{ mysql_command }} -e \"SELECT {{ plugin_type }} FROM mysql.user where user='{{ user_name }}'\""
register: result
- name: Utils | Assert plugin | Assert plugin is correct
ansible.builtinassert:
that:
- plugin_type in result.stdout
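Review bot: The module key `ansible.builtinassert:` in the second task is missing a dot, so Ansible will not resolve it to the assert action; it should read `ansible.builtin.assert:`. The query in the first task also interpolates `{{ plugin_type }}` into the SELECT list, which asks the server for a column named after the plugin rather than for the `plugin` column; `SELECT plugin FROM mysql.user WHERE user='{{ user_name }}'` looks like what was intended. As written, the new plugin assertions in the main test file would fail at this include or never compare the real plugin value. The callers create the account with `host: '%'`, so passing a host variable and filtering on it would keep the check from matching a different account that shares the user name.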