---
# test code for privileges for mysql_user module
# (c) 2014,  Wayne Rosario <wrosario@ansible.com>

# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.

- vars:
    mysql_parameters: &mysql_params
      login_user: '{{ mysql_user }}'
      login_password: '{{ mysql_password }}'
      login_host: '{{ mysql_host }}'
      login_port: '{{ mysql_primary_port }}'

  block:

    # ============================================================
    - name: Privs | Create user with basic select privileges
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        host: '%'
        password: '{{ user_password_2 }}'
        priv: '*.*:SELECT'
        state: present
      when: current_append_privs ==  "yes"

    - include_tasks: utils/assert_user.yml
      vars:
        user_name: "{{ user_name_2 }}"
        user_host: "%"
        priv: 'SELECT'
      when: current_append_privs ==  "yes"

    - name: Privs | Create user with current privileges (expect changed=true)
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        host: '%'
        password: '{{ user_password_2 }}'
        priv: '*.*:{{ current_privilege }}'
        append_privs: '{{ current_append_privs }}'
        state: present
      register: result

    - name: Privs | Assert output message for current privileges
      assert:
        that:
          - result is changed

    - name: Privs | Run command to show privileges for user (expect privileges in stdout)
      command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{user_name_2}}'@'%'\""
      register: result

    - name: Privs | Assert user has correct privileges
      assert:
        that:
          - "'GRANT {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
      when: current_append_privs ==  "no"

    - name: Privs | Assert user has correct privileges
      assert:
        that:
          - "'GRANT SELECT, {{ current_privilege | replace(',', ', ') }} ON *.*' in result.stdout"
      when: current_append_privs ==  "yes"

    - name: Privs | Create database using user current privileges
      mysql_db:
        login_user: '{{ user_name_2 }}'
        login_password: '{{ user_password_2 }}'
        login_host: '{{ mysql_host }}'
        login_port: '{{ mysql_primary_port }}'
        name: '{{ db_name }}'
        state: present
      ignore_errors: true

    - name: Privs | Run command to test that database was not created
      command: "{{ mysql_command }} -e \"show databases like '{{ db_name }}'\""
      register: result

    - name: Privs | Assert database was not created
      assert:
        that:
          - db_name not in result.stdout

    # ============================================================
    - name: Privs | Add privs to a specific table (expect changed)
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        host: '%'
        password: '{{ user_password_2 }}'
        priv: 'jmainguy.jmainguy:ALL'
        state: present
      register: result

    - name: Privs | Assert that priv changed
      assert:
        that:
          - result is changed

    - name: Privs | Add privs to a specific table (expect ok)
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        host: '%'
        password: '{{ user_password_2 }}'
        priv: 'jmainguy.jmainguy:ALL'
        state: present
      register: result

    - name: Privs | Assert that priv did not change
      assert:
        that:
          - result is not changed

    # ============================================================
    - name: Privs | Grant ALL to user {{ user_name_2 }}
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        host: '%'
        password: '{{ user_password_2 }}'
        priv: '*.*:ALL'
        state: present

    # - include_tasks: utils/assert_user.yml user_name={{user_name_2}} user_host=% priv='ALL PRIVILEGES'

    - name: Privs | Create database using user {{ user_name_2 }}
      mysql_db:
        login_user: '{{ user_name_2 }}'
        login_password: '{{ user_password_2 }}'
        login_host: '{{ mysql_host }}'
        login_port: '{{ mysql_primary_port }}'
        name: '{{ db_name }}'
        state: present

    - name: Privs | Run command to test database was created using user new privileges
      command: "{{ mysql_command }} -e \"SHOW CREATE DATABASE {{ db_name }}\""

    - name: Privs | Drop database using user {{ user_name_2 }}
      mysql_db:
        login_user: '{{ user_name_2 }}'
        login_password: '{{ user_password_2 }}'
        login_host: '{{ mysql_host }}'
        login_port: '{{ mysql_primary_port }}'
        name: '{{ db_name }}'
        state: absent

    # ============================================================
    - name: Privs | Update user with a long privileges list (mysql has a special multiline grant output)
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        host: '%'
        password: '{{ user_password_2 }}'
        priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
        state: present
      register: result

    - name: Privs | Assert that priv changed
      assert:
        that:
          - result is changed

    - name: Privs | Test idempotency with a long privileges list (expect ok)
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        host: '%'
        password: '{{ user_password_2 }}'
        priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
        state: present
      register: result

    # FIXME: on mysql >=8 and mariadb >=10.5.2 there's always a change because
    # the REPLICATION CLIENT privilege was renamed to BINLOG MONITOR
    - name: Privs | Assert that priv did not change
      assert:
        that:
          - result is not changed

    - include_tasks: utils/remove_user.yml
      vars:
        user_name: "{{ user_name_2 }}"

    # ============================================================
    - name: Privs | Grant all privileges with grant option
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        password: '{{ user_password_2 }}'
        priv: '*.*:ALL,GRANT'
        state: present
      register: result

    - name: Privs | Assert that priv changed
      assert:
        that:
          - result is changed

    - name: Privs | Collect user info by host
      community.mysql.mysql_info:
        <<: *mysql_params
        filter: "users"
      register: mysql_info_about_users

    - name: Privs | Assert that 'GRANT' permission is present
      assert:
        that:
          - mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'

    - name: Privs | Test idempotency (expect ok)
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        password: '{{ user_password_2 }}'
        priv: '*.*:ALL,GRANT'
        state: present
      register: result

    # FIXME: on mysql >=8 there's always a change (ALL PRIVILEGES -> specific privileges)
    - name: Privs | Assert that priv did not change
      assert:
        that:
          - result is not changed

    - name: Privs | Collect user info by host
      community.mysql.mysql_info:
        <<: *mysql_params
        filter: "users"
      register: mysql_info_about_users

    - name: Privs | Assert that 'GRANT' permission is present (by host)
      assert:
        that:
          - mysql_info_about_users.users.localhost.{{ user_name_2 }}.Grant_priv == 'Y'

    # ============================================================
    - name: Privs | Update user with invalid privileges
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_2 }}'
        password: '{{ user_password_2 }}'
        priv: '*.*:INVALID'
        state: present
      register: result
      ignore_errors: yes

    - name: Privs | Assert that priv did not change
      assert:
        that:
          - result is failed
          - "'Error granting privileges' in result.msg"

    - include_tasks: utils/remove_user.yml
      vars:
        user_name: "{{ user_name_2 }}"