community.mysql/tests/integration/targets/test_mysql_user/tasks/main.yml
Keeper-of-the-Keys 45a29408ad
User locking (#702)
* function to check if a user is locked already

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add the location and logic of where I think user locking would happen.

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Fix missing parameters for execute()

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add the locked attribute

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Initial user locking integration tests

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add attribute documentation

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* More descriptive names in the integration tests

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* - Changes requested/suggested by @Andersson007
- Example usage
- Changelog fragment

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Fix user_is_locked and remove host_all option.

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Fix host of user (was % should have been localhost after deleting `host:` earlier)

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Switch locked to named instead of positional.

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add check_mode support.

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add check_mode: true test cases

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Fix names that included `check_mode: true`

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add idempotence checks

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Switch calls to user_mod with sequences of None positional arguments to full named arguments

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* locked check should not run for roles.

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* check_mode is set at the task level and not the module level

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add user locking to info module and test.

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Handle DictCursor

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>


* Add check_mode feedback

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>


* Add another builtin account to the exclusion list

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Initial switch to default=None for locked, will need to add a test for it.

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>

* Add check that missing locked argument does not unlock a user

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>
---------

Signed-off-by: E.S. Rosenberg a.k.a. Keeper of the Keys <es.rosenberg+github@gmail.com>
2025-03-19 14:40:59 +01:00

311 lines
9.7 KiB
YAML

---
####################################################################
# WARNING: These are designed specifically for Ansible tests       #
# and should not be used as examples of how to write Ansible roles #
####################################################################
# test code for the mysql_user module
# (c) 2014, Wayne Rosario <wrosario@ansible.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# ============================================================
# create mysql user and verify user is added to mysql database
#
- vars:
    mysql_parameters: &mysql_params
      login_user: '{{ mysql_user }}'
      login_password: '{{ mysql_password }}'
      login_host: '{{ mysql_host }}'
      login_port: '{{ mysql_primary_port }}'
  block:
    - include_tasks: issue-121.yml
    - include_tasks: issue-28.yml
    - include_tasks: test_resource_limits.yml
    - include_tasks: test_idempotency.yml
    - include_tasks: test_password_expire.yml
    # ============================================================
    # Create user with no privileges and verify default privileges are assigned
    #
    - name: create user with DEFAULT privilege state=present (expect changed=true)
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_1 }}"
        password: "{{ user_password_1 }}"
        state: present
      register: result
    - include_tasks: utils/assert_user.yml
      vars:
        user_name: "{{ user_name_1 }}"
        user_host: localhost
        priv: USAGE
    - include_tasks: utils/remove_user.yml
      vars:
        user_name: "{{ user_name_1 }}"
    - include_tasks: utils/assert_no_user.yml
      vars:
        user_name: "{{ user_name_1 }}"
    # ============================================================
    # Create user with select privileges and verify select privileges are assigned
    #
    - name: Create user with SELECT privilege state=present (expect changed=true)
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_2 }}"
        password: "{{ user_password_2 }}"
        state: present
        priv: '*.*:SELECT'
      register: result
    - include_tasks: utils/assert_user.yml
      vars:
        user_name: "{{ user_name_2 }}"
        user_host: localhost
        priv: SELECT
    - include_tasks: utils/remove_user.yml
      vars:
        user_name: "{{ user_name_2 }}"
    - include_tasks: utils/assert_no_user.yml
      vars:
        user_name: "{{ user_name_2 }}"
    # ============================================================
    # Assert user has access to multiple databases
    #
    - name: Give users access to multiple databases
      mysql_user:
        <<: *mysql_params
        name: '{{ item[0] }}'
        priv: '{{ item[1] }}.*:ALL'
        append_privs: yes
        password: '{{ user_password_1 }}'
      with_nested:
        - ['{{ user_name_1 }}', '{{ user_name_2 }}']
        - "{{db_names}}"
    - name: Show grants access for user1 on multiple database
      command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
      register: result
    - name: Assert grant access for user1 on multiple database
      assert:
        that:
          - item in result.stdout
      loop: "{{ db_names }}"
    - name: Show grants access for user2 on multiple database
      command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_2 }}'@'localhost'\""
      register: result
    - name: Assert grant access for user2 on multiple database
      assert:
        that:
          - item in result.stdout
      loop: "{{db_names}}"
    - include_tasks: utils/remove_user.yml
      vars:
        user_name: "{{ user_name_1 }}"
    - include_tasks: utils/remove_user.yml
      vars:
        user_name: "{{ user_name_2 }}"
    - name: Give user SELECT access to database via wildcard
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_1 }}'
        priv: '%db.*:SELECT'
        append_privs: yes
        password: '{{ user_password_1 }}'
    - name: Show grants access for user1 on database via wildcard
      command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
      register: result
    - name: assert grant access for user1 on multiple database
      assert:
        that:
          - "'%db' in result.stdout"
          - "'SELECT' in result.stdout"
    - name: test priv type check, must fail
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_1 }}'
        priv:
          - unsuitable
          - type
        append_privs: yes
        host_all: yes
        password: '{{ user_password_1 }}'
      register: result
      ignore_errors: yes
    - name: check fail message
      assert:
        that:
          - result is failed
          - result.msg is search('priv parameter must be str or dict')
    - name: Change SELECT to INSERT for user access to database via wildcard
      mysql_user:
        <<: *mysql_params
        name: '{{ user_name_1 }}'
        priv: '%db.*:INSERT'
        append_privs: yes
        host_all: yes
        password: '{{ user_password_1 }}'
    - name: Show grants access for user1 on database via wildcard
      command: "{{ mysql_command }} -e \"SHOW GRANTS FOR '{{ user_name_1 }}'@'localhost'\""
      register: result
    - name: assert grant access for user1 on multiple database
      assert:
        that:
          - "'%db' in result.stdout"
          - "'INSERT' in result.stdout"
    - include_tasks: utils/remove_user.yml
      vars:
        user_name: "{{user_name_1}}"
    # ============================================================
    # Test plaintext and encrypted password scenarios.
    #
    - include_tasks: test_user_password.yml
    # ============================================================
    # Test plugin authentication scenarios.
    #
    # FIXME: mariadb sql syntax for create/update user is not compatible
    - include_tasks: test_user_plugin_auth.yml
      when: db_engine == 'mysql'
    # ============================================================
    # Assert create user with SELECT privileges, attempt to create database and update privileges to create database
    #
    - include_tasks: test_privs.yml
      vars:
        current_privilege: SELECT
        current_append_privs: no
    # ============================================================
    # Assert creating user with SELECT privileges, attempt to create database and append privileges to create database
    #
    - include_tasks: test_privs.yml
      vars:
        current_privilege: DROP
        current_append_privs: yes
    # ============================================================
    # Assert create user with SELECT privileges, attempt to create database and update privileges to create database
    #
    - include_tasks: test_privs.yml
      vars:
        current_privilege: 'UPDATE,ALTER'
        current_append_privs: no
    # ============================================================
    # Assert creating user with SELECT privileges, attempt to create database and append privileges to create database
    #
    - include_tasks: test_privs.yml
      vars:
        current_privilege: 'INSERT,DELETE'
        current_append_privs: yes
    # Tests for the priv parameter with dict value (https://github.com/ansible/ansible/issues/57533)
    - include_tasks: test_priv_dict.yml
    # Test that append_privs will not attempt to make a change where current privileges are a superset of new privileges
    # (https://github.com/ansible-collections/community.mysql/issues/69)
    - include_tasks: test_priv_append.yml
      vars:
        enable_check_mode: no
    - include_tasks: test_priv_append.yml
      vars:
        enable_check_mode: yes
    # Test that subtract_privs will only revoke the grants given by priv
    # (https://github.com/ansible-collections/community.mysql/issues/331)
    - include_tasks: test_priv_subtract.yml
      vars:
        enable_check_mode: no
    - include_tasks: test_priv_subtract.yml
      vars:
        enable_check_mode: yes
    - import_tasks: test_privs_issue_465.yml
      tags:
        - issue_465
    # Tests for user attributes
    - include_tasks: test_user_attributes.yml
    # Tests for the TLS requires dictionary
    - include_tasks: test_tls_requirements.yml
    - import_tasks: issue-29511.yaml
      tags:
        - issue-29511
    - import_tasks: issue-64560.yaml
      tags:
        - issue-64560
    - name: Test ANSI_QUOTES
      ansible.builtin.import_tasks:
        file: issue-671.yaml
      tags:
        - issue-671
    # Test that mysql_user still works with force_context enabled (database set to "mysql")
    # (https://github.com/ansible-collections/community.mysql/issues/265)
    - include_tasks: issue-265.yml
    # https://github.com/ansible-collections/community.mysql/issues/231
    - include_tasks: test_user_grants_with_roles_applied.yml
    - include_tasks: test_revoke_only_grant.yml
    - name: Mysql_user - test column case sensitive
      ansible.builtin.import_tasks:
        file: test_column_case_sensitive.yml
    - name: Mysql_user - test update_password
      ansible.builtin.import_tasks:
        file: test_update_password.yml
    - name: Mysql_user - test user_locking
      ansible.builtin.import_tasks:
        file: test_user_locking.yml