mirror of
https://github.com/ansible-collections/community.mysql.git
synced 2025-04-09 12:10:31 -07:00
dc522cc5d3
* Deprecate REQUIRESSL privilege * Add missing whitespace * Fix according to PR review * Fix conditional check * Fix privilege string parsing * Add unit tests for the new function * Add integration tests * Fix parentheses indentation * Cover alternative error message * Fix privileges * Limit verification of access denied to pymysql connector * Fix REQUIRE SSL verification tests
115 lines
3.3 KiB
YAML
115 lines
3.3 KiB
YAML
---
|
|
- vars:
|
|
mysql_parameters: &mysql_params
|
|
login_user: '{{ mysql_user }}'
|
|
login_password: '{{ mysql_password }}'
|
|
login_host: 127.0.0.1
|
|
login_port: '{{ mysql_primary_port }}'
|
|
|
|
block:
|
|
|
|
# ============================================================
|
|
- shell: pip show pymysql | awk '/Version/ {print $2}'
|
|
register: pymysql_version
|
|
|
|
- name: get server certificate
|
|
copy:
|
|
content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect localhost:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
|
|
dest: /tmp/cert.pem
|
|
delegate_to: localhost
|
|
|
|
- name: get server version
|
|
mysql_info:
|
|
<<: *mysql_params
|
|
filter: version
|
|
register: db_version
|
|
|
|
- set_fact:
|
|
old_user_mgmt: "{{ db_version.version.major <= 5 and db_version.version.minor <= 6 or db_version.version.major == 10 and db_version.version.minor < 2 | bool }}"
|
|
|
|
- name: Drop mysql user if exists
|
|
mysql_user:
|
|
<<: *mysql_params
|
|
name: '{{ item }}'
|
|
state: absent
|
|
ignore_errors: yes
|
|
with_items:
|
|
- "{{ user_name_1 }}"
|
|
- "{{ user_name_2 }}"
|
|
|
|
- name: create user with REQUIRESSL privilege
|
|
mysql_user:
|
|
<<: *mysql_params
|
|
name: "{{ user_name_1 }}"
|
|
password: "{{ user_password_1 }}"
|
|
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
|
|
|
|
- name: verify REQUIRESSL is assigned to the user
|
|
mysql_query:
|
|
<<: *mysql_params
|
|
query: "SHOW {{ what }} '{{ user_name_1}}'@'localhost'"
|
|
register: result
|
|
vars:
|
|
what: "{{ 'GRANTS FOR' if old_user_mgmt else 'CREATE USER' }}"
|
|
|
|
- assert:
|
|
that:
|
|
- result is succeeded and 'REQUIRE SSL' in (result.query_result | string)
|
|
|
|
- name: create user with equivalent ssl requirement in tls_requires (expect unchanged)
|
|
mysql_user:
|
|
<<: *mysql_params
|
|
name: "{{ user_name_1 }}"
|
|
password: "{{ user_password_1 }}"
|
|
priv: '*.*:SELECT,CREATE USER,GRANT'
|
|
tls_requires:
|
|
SSL:
|
|
register: result
|
|
|
|
- assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
- name: create the same user again, with REQUIRESSL privilege once more
|
|
mysql_user:
|
|
<<: *mysql_params
|
|
name: "{{ user_name_1 }}"
|
|
password: "{{ user_password_1 }}"
|
|
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
|
|
register: result
|
|
|
|
- assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
- name: create user with both REQUIRESSL privilege and an incompatible tls_requires option
|
|
mysql_user:
|
|
<<: *mysql_params
|
|
name: "{{ user_name_1 }}"
|
|
password: "{{ user_password_1 }}"
|
|
priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
|
|
tls_requires:
|
|
X509:
|
|
|
|
- name: create same user again without REQUIRESSL privilege
|
|
mysql_user:
|
|
<<: *mysql_params
|
|
name: "{{ user_name_1 }}"
|
|
password: "{{ user_password_1 }}"
|
|
priv: '*.*:SELECT,CREATE USER,GRANT'
|
|
tls_requires:
|
|
X509:
|
|
register: result
|
|
|
|
- assert:
|
|
that: result is not changed
|
|
|
|
- name: Drop mysql user
|
|
mysql_user:
|
|
<<: *mysql_params
|
|
name: '{{ item }}'
|
|
host: 127.0.0.1
|
|
state: absent
|
|
with_items:
|
|
- "{{ user_name_1 }}"
|
|
- "{{ user_name_2 }}"
|