#
# Create and destroy user, test 'password' and 'encrypted' parameters
#
# Unencrypted (plain-text) passwords are not supported on newer servers,
# so the "encrypted: no" variant is skipped on PostgreSQL 10 and later.
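- ansible.builtin.set_fact:
    # Start with the encrypted variant, which every supported server accepts.
    encryption_values:
      - 'yes'

# Plain-text passwords are not supported from PostgreSQL 10 on (see the
# header comment), so the "encrypted: no" variant is only added on 9.x
# servers. Strict "<" matches the "not on 10+" intent; "<=" would also
# match a version string of exactly "10".
- ansible.builtin.set_fact:
    encryption_values: '{{ encryption_values + ["no"]}}'
  when: postgres_version_resp.stdout is version('10', '<')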
# Run the password tests once per encryption mode collected above. The loop
# variable is renamed from the default 'item' to 'loop_item', and the
# included file reads the current mode through the 'encrypted' var.
- ansible.builtin.include_tasks: test_password.yml
  loop: '{{ encryption_values }}'
  loop_control:
    loop_var: loop_item
  vars:
    encrypted: '{{ loop_item }}'
    # non-ASCII on purpose: exercises UTF-8 handling of the password value
    db_password1: 'secretù'
# The BYPASSRLS role attribute was introduced in PostgreSQL 9.5, so attribute
# management has to be tested differently depending on the server version.
# Record whether this server is new enough (9.5+) to know the BYPASSRLS
# attribute, so the attribute tests can branch on a single boolean fact.
- ansible.builtin.set_fact:
    bypassrls_supported: '{{ postgres_version_resp.stdout is version("9.5.0", ">=") }}'
# test the 'no_password_changes' and 'role_attr_flags' parameters
# Run the no_password_changes / role_attr_flags tests twice: once with
# password changes disabled and once with them allowed. The included file
# reads the current setting through the 'no_password_changes' var.
- ansible.builtin.include_tasks: test_no_password_change.yml
  loop: ['yes', 'no']
  loop_control:
    loop_var: loop_item
  vars:
    no_password_changes: '{{ loop_item }}'
### TODO: fail_on_user
#
# Test the login_* connection parameters (login_user / login_password / login_host)
#
- name: Create a user to test login module parameters
  # Test fixture only: the role gets CREATEDB/CREATEROLE and a trivial
  # password because the following tasks log in as it over TCP (login_host)
  # to create and drop objects. Do not copy this shape into real playbooks.
  become: true
  become_user: "{{ pg_user }}"
  postgresql_user:
    db: postgres
    login_user: "{{ pg_user }}"
    name: "{{ db_user1 }}"
    state: present
    password: "password"
    encrypted: true
    role_attr_flags: "CREATEDB,LOGIN,CREATEROLE"
    # let the module validate the supplied values instead of trusting them
    # (see the module's trust_input documentation)
    trust_input: false
- name: Create db
  # Connects as the freshly created test role over TCP, which exercises
  # password authentication rather than the local socket the become_user
  # tasks use.
  postgresql_db:
    state: present
    name: "{{ db_name }}"
    login_host: "localhost"
    login_user: "{{ db_user1 }}"
    login_password: "password"
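- name: Check that database created
  become: true
  become_user: "{{ pg_user }}"
  # The name is passed through psql's -v/:'var' substitution so it is
  # SQL-quoted rather than spliced into the query text, and "| quote" keeps
  # the shell side a single argument. db_name is a test variable today, but
  # this way a quote character in it breaks neither the shell nor the SQL.
  shell: >-
    echo "select datname from pg_database where datname = :'db_name';"
    | psql -d postgres -v db_name={{ db_name | quote }}
  register: result

- ansible.builtin.assert:
    that:
      # psql's footer line is the row count; exactly one match is expected
      - "result.stdout_lines[-1] == '(1 row)'"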
- name: Create a user
  postgresql_user:
    name: "{{ db_user2 }}"
    state: present
    # Pre-hashed value in PostgreSQL's "md5" + hex form; with encrypted: yes
    # the module is expected to store it as given rather than hash it again.
    # NOTE(review): md5 is the legacy password format; newer servers default
    # to scram-sha-256 — confirm this is still the intended coverage.
    encrypted: true
    password: "md55c8ccfd9d6711fc69a7eae647fc54f51"
    db: "{{ db_name }}"
    login_host: "localhost"
    login_user: "{{ db_user1 }}"
    login_password: "password"
    # let the module validate the supplied values instead of trusting them
    trust_input: false
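- name: Check that it was created
  become: true
  become_user: "{{ pg_user }}"
  # The role name goes through psql's -v/:'var' substitution so it is
  # SQL-quoted instead of being spliced into the query; "| quote" keeps the
  # shell side a single argument.
  shell: >-
    echo "select * from pg_user where usename = :'db_user2';"
    | psql -d postgres -v db_user2={{ db_user2 | quote }}
  register: result

- ansible.builtin.assert:
    that:
      # psql's footer line is the row count; exactly one match is expected
      - "result.stdout_lines[-1] == '(1 row)'"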
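- name: Grant database privileges
  # Uses the same login_* spelling as the surrounding tasks. postgresql_privs
  # accepts login/password/host as alternative names, but mixing the two
  # forms hid that this task, too, connects as db_user1 over TCP.
  postgresql_privs:
    type: "database"
    state: "present"
    roles: "{{ db_user2 }}"
    privs: "CREATE,connect"
    objs: "{{ db_name }}"
    db: "{{ db_name }}"
    login_host: "localhost"
    login_user: "{{ db_user1 }}"
    login_password: "password"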
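- name: Check that the user has the requested permissions (database)
  become: true
  become_user: "{{ pg_user }}"
  # The database name is used twice: as the connection target (shell-quoted)
  # and inside the query via psql's -v/:'var' substitution (SQL-quoted).
  shell: >-
    echo "select datacl from pg_database where datname = :'db_name';"
    | psql -d {{ db_name | quote }} -v db_name={{ db_name | quote }}
  register: result_database

- ansible.builtin.assert:
    that:
      - "result_database.stdout_lines[-1] == '(1 row)'"
      # aclitem entry "<role>=Cc/<grantor>": C = CREATE, c = CONNECT
      - "db_user2 ~ '=Cc' in result_database.stdout"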
- name: Remove user
  postgresql_user:
    state: absent
    name: "{{ db_user2 }}"
    # NOTE(review): priv is the module's per-user privilege parameter; with
    # state: absent it presumably only matters for revoking before the drop
    # — confirm it is still needed now that postgresql_privs grants above.
    priv: "ALL"
    db: "{{ db_name }}"
    login_host: "localhost"
    login_user: "{{ db_user1 }}"
    login_password: "password"
    # let the module validate the supplied values instead of trusting them
    trust_input: false
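- name: Check that they were removed
  become: true
  become_user: "{{ pg_user }}"
  # The role name goes through psql's -v/:'var' substitution so it is
  # SQL-quoted instead of being spliced into the query; "| quote" keeps the
  # shell side a single argument.
  shell: >-
    echo "select * from pg_user where usename = :'db_user2';"
    | psql -d postgres -v db_user2={{ db_user2 | quote }}
  register: result

- ansible.builtin.assert:
    that:
      # psql's footer line is the row count; the role must be gone
      - "result.stdout_lines[-1] == '(0 rows)'"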
- name: Destroy DB
  # Tear the test database down through the same TCP login used to create it.
  postgresql_db:
    name: "{{ db_name }}"
    state: absent
    login_host: "localhost"
    login_user: "{{ db_user1 }}"
    login_password: "password"
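- name: Check that database was destroyed
  become: true
  become_user: "{{ pg_user }}"
  # The name is passed through psql's -v/:'var' substitution so it is
  # SQL-quoted rather than spliced into the query text; "| quote" keeps the
  # shell side a single argument.
  shell: >-
    echo "select datname from pg_database where datname = :'db_name';"
    | psql -d postgres -v db_name={{ db_name | quote }}
  register: result

- ansible.builtin.assert:
    that:
      # psql's footer line is the row count; the database must be gone
      - "result.stdout_lines[-1] == '(0 rows)'"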