postgresql_subscription: add trust_input and session_role parameters (#280)
* postgresql_subscription: add trust_input and session_role parameters * add changelog fragment
parent
4c14956280
commit
30e84111f0
3 changed files with 64 additions and 0 deletions
|
@ -0,0 +1,3 @@
|
||||||
|
minor_changes:
|
||||||
|
- postgresql_subscription - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/280).
|
||||||
|
- postgresql_subscription - add the ``session_role`` parameter (https://github.com/ansible-collections/community.general/pull/280).
|
|
@ -80,6 +80,18 @@ options:
|
||||||
on U(https://www.postgresql.org/docs/current/sql-createsubscription.html).
|
on U(https://www.postgresql.org/docs/current/sql-createsubscription.html).
|
||||||
- Ignored when I(state) is not C(present).
|
- Ignored when I(state) is not C(present).
|
||||||
type: dict
|
type: dict
|
||||||
|
session_role:
|
||||||
|
description:
|
||||||
|
- Switch to session_role after connecting. The specified session_role must
|
||||||
|
be a role that the current login_user is a member of.
|
||||||
|
- Permissions checking for SQL commands is carried out as though
|
||||||
|
the session_role were the one that had logged in originally.
|
||||||
|
type: str
|
||||||
|
trust_input:
|
||||||
|
description:
|
||||||
|
- If C(no), check whether values of some parameters are potentially dangerous.
|
||||||
|
type: bool
|
||||||
|
default: yes
|
||||||
|
|
||||||
notes:
|
notes:
|
||||||
- PostgreSQL version must be 10 or greater.
|
- PostgreSQL version must be 10 or greater.
|
||||||
|
@ -196,6 +208,7 @@ except ImportError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
from ansible_collections.community.general.plugins.module_utils.database import check_input
|
||||||
from ansible_collections.community.general.plugins.module_utils.postgres import (
|
from ansible_collections.community.general.plugins.module_utils.postgres import (
|
||||||
connect_to_db,
|
connect_to_db,
|
||||||
exec_sql,
|
exec_sql,
|
||||||
|
@ -581,6 +594,8 @@ def main():
|
||||||
cascade=dict(type='bool', default=False),
|
cascade=dict(type='bool', default=False),
|
||||||
owner=dict(type='str'),
|
owner=dict(type='str'),
|
||||||
subsparams=dict(type='dict'),
|
subsparams=dict(type='dict'),
|
||||||
|
session_role=dict(type='str'),
|
||||||
|
trust_input=dict(type='bool', default=True),
|
||||||
)
|
)
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
argument_spec=argument_spec,
|
argument_spec=argument_spec,
|
||||||
|
@ -596,6 +611,23 @@ def main():
|
||||||
owner = module.params['owner']
|
owner = module.params['owner']
|
||||||
subsparams = module.params['subsparams']
|
subsparams = module.params['subsparams']
|
||||||
connparams = module.params['connparams']
|
connparams = module.params['connparams']
|
||||||
|
session_role = module.params['session_role']
|
||||||
|
trust_input = module.params['trust_input']
|
||||||
|
|
||||||
|
if not trust_input:
|
||||||
|
# Check input for potentially dangerous elements:
|
||||||
|
if not subsparams:
|
||||||
|
subsparams_str = None
|
||||||
|
else:
|
||||||
|
subsparams_str = convert_subscr_params(subsparams)
|
||||||
|
|
||||||
|
if not connparams:
|
||||||
|
connparams_str = None
|
||||||
|
else:
|
||||||
|
connparams_str = convert_conn_params(connparams)
|
||||||
|
|
||||||
|
check_input(module, name, publications, owner, session_role,
|
||||||
|
connparams_str, subsparams_str)
|
||||||
|
|
||||||
if state == 'present' and cascade:
|
if state == 'present' and cascade:
|
||||||
module.warn('parameter "cascade" is ignored when state is not absent')
|
module.warn('parameter "cascade" is ignored when state is not absent')
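Review bot: The `trust_input` description in the options hunk says only that "some parameters" are checked and does not make clear that the default `yes` leaves the check off, so a playbook that templates untrusted values into this module gets no validation unless it opts in. The call added in `main()` passes `name`, `publications`, `owner`, `session_role` and the converted `connparams`/`subsparams` strings, so the description could name them: `- If C(no), check whether values of parameters I(name), I(publications), I(owner), I(session_role), I(connparams), I(subsparams) are potentially dangerous.` followed by `- It makes sense to use C(no) only when SQL injections via the parameters are possible.` Since `connparams_str` is built from the whole dict, which per the test includes `password`, it is worth confirming that `check_input` (imported from `module_utils.database`, not shown in this diff) does not include a flagged value in its failure message, as that would put the password in task output. `main()` starts and ends outside these hunks.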
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
|
|
||||||
- vars:
|
- vars:
|
||||||
|
dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
|
||||||
task_parameters: &task_parameters
|
task_parameters: &task_parameters
|
||||||
become_user: '{{ pg_user }}'
|
become_user: '{{ pg_user }}'
|
||||||
become: yes
|
become: yes
|
||||||
|
@ -243,6 +244,34 @@
|
||||||
that:
|
that:
|
||||||
- result.rowcount == 1
|
- result.rowcount == 1
|
||||||
|
|
||||||
|
##########################
|
||||||
|
# Test trust_input param #
|
||||||
|
##########################
|
||||||
|
|
||||||
|
- name: Test trust_input parameter
|
||||||
|
<<: *task_parameters
|
||||||
|
postgresql_subscription:
|
||||||
|
<<: *pg_parameters
|
||||||
|
login_port: '{{ replica_port }}'
|
||||||
|
name: '{{ test_subscription }}'
|
||||||
|
state: present
|
||||||
|
publications: '{{ test_pub }}'
|
||||||
|
session_role: '{{ dangerous_name }}'
|
||||||
|
owner: '{{ test_role1 }}'
|
||||||
|
trust_input: no
|
||||||
|
connparams:
|
||||||
|
host: 127.0.0.1
|
||||||
|
port: '{{ master_port }}'
|
||||||
|
user: '{{ replication_role }}'
|
||||||
|
password: '{{ replication_pass }}'
|
||||||
|
dbname: '{{ test_db }}'
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- result is failed
|
||||||
|
- result.msg is search('is potentially dangerous')
|
||||||
|
|
||||||
##############
|
##############
|
||||||
# Test cascade
|
# Test cascade
|
||||||
##############
|
##############
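Review bot: The new task exercises the check only through `session_role`, so the `convert_subscr_params` branch added in `main()` is never reached with a non-empty value (no `subsparams` is set here) and `connparams` carries only benign values. A second task that puts `'{{ dangerous_name }}'` into `subsparams` or `name` with `trust_input: no` and the same two assertions would cover the string-conversion path as well. Because `ignore_errors: yes` hides any failure, the `result.msg is search('is potentially dangerous')` assertion is what separates a rejected input from an unrelated connection error and should stay. `result` is presumably registered through the `task_parameters` anchor, whose full definition lies outside the hunk.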
|
||||||
|
|