diff --git a/changelogs/fragments/596-fix-check-changes.yaml b/changelogs/fragments/596-fix-check-changes.yaml new file mode 100644 index 0000000..e53e1c7 --- /dev/null +++ b/changelogs/fragments/596-fix-check-changes.yaml @@ -0,0 +1,2 @@ +bugfixes: + - mysql_user - Module makes changes when is executed with plugin_auth_string parameter and check mode diff --git a/run_all_tests.py b/run_all_tests.py index 94cf799..f25529e 100755 --- a/run_all_tests.py +++ b/run_all_tests.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import yaml import os diff --git a/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml b/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml index b5ed6c5..64c8fc2 100644 --- a/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml +++ b/tests/integration/targets/test_mysql_user/tasks/test_user_plugin_auth.yml @@ -9,6 +9,7 @@ login_port: '{{ mysql_primary_port }}' test_user_name: 'test_user_plugin_auth' test_plugin_type: 'mysql_native_password' + test_plugin_type2: 'caching_sha2_password' test_plugin_hash: '*0CB5B86F23FDC24DB19A29B8854EB860CBC47793' test_plugin_auth_string: 'Fdt8fd^34ds' test_plugin_new_hash: '*E74368AC90460FA669F6D41BFB7F2A877DB73745' @@ -24,7 +25,7 @@ # - name: Plugin auth | Create user with plugin auth (with hash string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
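Review bot: The new `test_plugin_type2: 'caching_sha2_password'` entry in the vars block (which starts above this hunk) has no matching hash, and the tasks that use it later in this file pass `plugin_hash_string: '{{ test_plugin_hash }}'`, whose `*` plus 40 hex digits is the mysql_native_password format. A server may reject that pairing or store a credential nobody can authenticate with, so the plugin-switch tasks would not exercise a realistic account change. I would add a second hash next to it, `test_plugin_hash2: '<hash of the test auth string generated for caching_sha2_password>'` (placeholder, to be produced on a test server), and use it wherever `test_plugin_type2` is set. Those tasks also have no `when:` on `db_engine`/`db_version`, unlike the neighbouring plugin assertions, which looks fragile if the test matrix includes servers that do not ship this plugin.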
@@ -34,28 +35,107 @@ register: result - name: Plugin auth | Get user information (with hash string) - command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (with hash string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (with hash string) - assert: + ansible.builtin.assert: that: - "'{{ test_plugin_type }}' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" + - name: Plugin auth | Change user plugin in check mode + community.mysql.mysql_user: + <<: *mysql_params + name: '{{ test_user_name }}' + host: '%' + plugin: '{{ test_plugin_type2 }}' + plugin_hash_string: '{{ test_plugin_hash }}' + priv: '{{ test_default_priv }}' + check_mode: true + register: result + + - name: Plugin auth | Check that the module made a change auth plugin + ansible.builtin.assert: + that: + - result is changed + + - name: Plugin auth | Check that the expected plugin type is set + ansible.builtin.include_tasks: utils/assert_plugin.yml + vars: + user_name: "{{ test_user_name }}" + plugin_type: "{{ test_plugin_type }}" + + - name: Plugin auth | Change user auth plugin + community.mysql.mysql_user: + <<: *mysql_params + name: '{{ test_user_name }}' + host: '%' + plugin: '{{ test_plugin_type2 }}' + plugin_hash_string: '{{ test_plugin_hash }}' + priv: '{{ test_default_priv }}' + register: result + + - name: Plugin auth | Check that the module made a 
change auth plugin + ansible.builtin.assert: + that: + - result is changed + + - name: Plugin auth | Check that the expected plugin type is set + ansible.builtin.include_tasks: utils/assert_plugin.yml + vars: + user_name: "{{ test_user_name }}" + plugin_type: "{{ test_plugin_type2 }}" + + - name: Plugin auth | Set main auth plugin again + community.mysql.mysql_user: + <<: *mysql_params + name: '{{ test_user_name }}' + host: '%' + plugin: '{{ test_plugin_type }}' + plugin_hash_string: '{{ test_plugin_hash }}' + priv: '{{ test_default_priv }}' + register: result + + - name: Plugin auth | Check that the module made a change auth plugin + ansible.builtin.assert: + that: + - result is changed + + - name: Plugin auth | Check that the expected plugin type is set + ansible.builtin.include_tasks: utils/assert_plugin.yml + vars: + user_name: "{{ test_user_name }}" + plugin_type: "{{ test_plugin_type }}" + + - name: Plugin auth | Set same plugint check that no changes are reported + community.mysql.mysql_user: + <<: *mysql_params + name: '{{ test_user_name }}' + host: '%' + plugin: '{{ test_plugin_type }}' + plugin_hash_string: '{{ test_plugin_hash }}' + priv: '{{ test_default_priv }}' + register: result + + - name: Plugin auth | Check that the module made a change auth plugin + ansible.builtin.assert: + that: + - result is not changed + - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -64,12 +144,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Update the user with a different hash - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
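Review bot: The changelog fragment names `plugin_auth_string` as the parameter that caused changes in check mode, but the added task 'Change user plugin in check mode' passes only `plugin_hash_string`, so the reported path (a dry run that rewrites an account's credential) is not pinned by this hunk. I would add a sibling check-mode task that passes `plugin_auth_string` and then re-runs the `utils/assert_plugin.yml` include expecting `test_plugin_type`, as sketched below. Separately, the last added assert is named 'Check that the module made a change auth plugin' although it asserts `result is not changed`, and the task before it has the typo 'plugint'; a name such as `Plugin auth | Check that no change is reported for the same plugin` would match the assertion. The task list continues on both sides of this hunk.

```yaml
# … unchanged: Create user with plugin auth (with hash string) and its assertions …
- name: Plugin auth | Change user plugin with auth string in check mode
  community.mysql.mysql_user:
    <<: *mysql_params
    name: '{{ test_user_name }}'
    host: '%'
    plugin: '{{ test_plugin_type2 }}'
    plugin_auth_string: '{{ test_plugin_auth_string }}'
    priv: '{{ test_default_priv }}'
  check_mode: true
  register: result

- name: Plugin auth | Check that check mode left the plugin untouched
  ansible.builtin.include_tasks: utils/assert_plugin.yml
  vars:
    user_name: "{{ test_user_name }}"
    plugin_type: "{{ test_plugin_type }}"
# … unchanged: Change user auth plugin and the following tasks …
```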
@@ -78,18 +158,18 @@ register: result - name: Plugin auth | Check that the module makes the change because the hash changed - assert: + ansible.builtin.assert: that: - result is changed - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Getting the MySQL info with the new password should work - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_new_auth_string }}' login_host: '{{ mysql_host }}' @@ -98,12 +178,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -112,7 +192,7 @@ # - name: Plugin auth | Create user with plugin auth (with hash string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
@@ -122,28 +202,28 @@ register: result - name: Plugin auth | Get user information - command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SELECT user, host, plugin FROM mysql.user WHERE user = '{{ test_user_name }}' and host = '%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (with hash string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (with hash string) - assert: + ansible.builtin.assert: that: - "'{{ test_plugin_type }}' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -152,12 +232,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Update the user with the same hash (no change expected) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
@@ -167,19 +247,19 @@ # FIXME: on mariadb 10.2 there's always a change - name: Plugin auth | Check that the module doesn't make a change when the same hash is passed in - assert: + ansible.builtin.assert: that: - result is not changed when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in plaintext form - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -189,12 +269,12 @@ # Expecting a change is currently by design (see comment in source). - name: Plugin auth | Check that the module did not change the password - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Getting the MySQL info should still work - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -203,12 +283,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -217,7 +297,7 @@ # - name: Plugin auth | Create user with plugin auth (with auth string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
@@ -227,28 +307,28 @@ register: result - name: Plugin auth | Get user information(with auth string) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (with auth string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (with auth string) - assert: + ansible.builtin.assert: that: - test_plugin_type in show_create_user.stdout when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -257,12 +337,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Update the user with the same auth string - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
@@ -273,18 +353,18 @@ # This is the current expected behavior because there isn't a reliable way to hash the password in the mysql_user # module in order to be able to compare this password with the stored hash. See the source for more info. - name: Plugin auth | The module should detect a change even though the password is the same - assert: + ansible.builtin.assert: that: - result is changed - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Change the user using the same plugin, but switch to the same auth string in hash form - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' @@ -293,12 +373,12 @@ register: result - name: Plugin auth | Check that the module did not change the password - assert: + ansible.builtin.assert: that: - result is not changed - name: Plugin auth | Get the MySQL version using the newly created creds - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '{{ test_plugin_auth_string }}' login_host: '{{ mysql_host }}' @@ -307,12 +387,12 @@ register: result - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -321,7 +401,7 @@ # - name: Plugin auth | Create user with plugin auth (empty auth string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
@@ -330,28 +410,28 @@ register: result - name: Plugin auth | Get user information (empty auth string) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'%'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (empty auth string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (empty auth string) - assert: + ansible.builtin.assert: that: - "'{{ test_plugin_type }}' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: "%" priv: "{{ test_default_priv_type }}" - name: Plugin auth | Get the MySQL version using an empty password for the newly created user - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: '' login_host: '{{ mysql_host }}' @@ -361,12 +441,12 @@ ignore_errors: true - name: Plugin auth | Assert that mysql_info was successful - assert: + ansible.builtin.assert: that: - result is succeeded - name: Plugin auth | Get the MySQL version using an non-empty password (should fail) - mysql_info: + community.mysql.mysql_info: login_user: '{{ test_user_name }}' login_password: 'some_password' login_host: '{{ mysql_host }}' @@ -376,12 +456,12 @@ ignore_errors: true - name: Plugin auth | Assert that mysql_info failed - assert: + ansible.builtin.assert: that: - result is failed - name: Plugin auth | Update the user without changing the auth mechanism - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' host: '%' 
@@ -390,12 +470,12 @@ register: result - name: Plugin auth | Assert that the user wasn't changed because the auth string is still empty - assert: + ansible.builtin.assert: that: - result is not changed # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -415,7 +495,7 @@ block: - name: Plugin auth | Create user with plugin auth (empty auth string) - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' plugin: '{{ test_plugin_type }}' @@ -423,28 +503,28 @@ register: result - name: Plugin auth | Get user information (empty auth string) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (empty auth string) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (empty auth string) - assert: + ansible.builtin.assert: that: - test_plugin_type in show_create_user.stdout when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: localhost priv: "{{ test_default_priv_type }}" - name: Plugin auth | Switch user to sha256_password auth plugin - mysql_user: + community.mysql.mysql_user: <<: *mysql_params name: '{{ test_user_name }}' plugin: sha256_password 
@@ -452,28 +532,28 @@ register: result - name: Plugin auth | Get user information (sha256_password) - command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" + ansible.builtin.command: "{{ mysql_command }} -e \"SHOW CREATE USER '{{ test_user_name }}'@'localhost'\"" register: show_create_user - name: Plugin auth | Check that the module made a change (sha256_password) - assert: + ansible.builtin.assert: that: - result is changed - name: Plugin auth | Check that the expected plugin type is set (sha256_password) - assert: + ansible.builtin.assert: that: - "'sha256_password' in show_create_user.stdout" when: db_engine == 'mysql' or (db_engine == 'mariadb' and db_version is version('10.3', '>=')) - - include_tasks: utils/assert_user.yml + - ansible.builtin.include_tasks: utils/assert_user.yml vars: user_name: "{{ test_user_name }}" user_host: localhost priv: "{{ test_default_priv_type }}" # Cleanup - - include_tasks: utils/remove_user.yml + - ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" @@ -505,7 +585,7 @@ register: result failed_when: result is changed - - name: cleanup user + - name: Cleanup user ansible.builtin.include_tasks: utils/remove_user.yml vars: user_name: "{{ test_user_name }}" diff --git a/tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml b/tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml new file mode 100644 index 0000000..ba49c32 --- /dev/null +++ b/tests/integration/targets/test_mysql_user/tasks/utils/assert_plugin.yml @@ -0,0 +1,10 @@ +--- + +- name: Utils | Assert plugin | Query for user {{ user_name }} + ansible.builtin.command: "{{ mysql_command }} -e \"SELECT {{ plugin_type }} FROM mysql.user where user='{{ user_name }}'\"" + register: result + +- name: Utils | Assert plugin | Assert plugin is correct + ansible.builtinassert: + that: + - plugin_type in result.stdout
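Review bot: The second task of the new `utils/assert_plugin.yml` uses `ansible.builtinassert:`, which is missing a dot and will not resolve to a module; it should read `ansible.builtin.assert:`. The query in the first task also selects `{{ plugin_type }}` as if it were a column, so it renders to something like `SELECT mysql_native_password FROM mysql.user ...`, whereas the existing tasks in test_user_plugin_auth.yml read the `plugin` column. Changing it to `SELECT plugin FROM mysql.user WHERE user = '{{ user_name }}'` would make the `plugin_type in result.stdout` check meaningful; the query does not filter on host either, so a same-named account on another host could satisfy it. As written, the helper cannot confirm that a check-mode run left the account's authentication plugin unchanged, which is the property this commit sets out to protect.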