postgresql_ping: add session_role and trust_input parameters (#312)

* postgresql_ping: add session_role and trust_input parameters * add changelog fragment
2024-09-14 20:13:21 +02:00 · 2020-05-12 09:34:28 +03:00 · 2020-05-12 09:34:28 +03:00 · 31085fffb7
commit 31085fffb7
parent fce150fcf7
3 changed files with 42 additions and 0 deletions
--- a/changelogs/fragments/312-postgresql_ping_add_trust_input_session_role.yml
+++ b/changelogs/fragments/312-postgresql_ping_add_trust_input_session_role.yml
@ -0,0 +1,3 @@
+minor_changes:
+- postgresql_ping - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/312).
+- postgresql_ping - add the ``session_role`` parameter (https://github.com/ansible-collections/community.general/pull/312).
--- a/plugins/modules/database/postgresql/postgresql_ping.py
+++ b/plugins/modules/database/postgresql/postgresql_ping.py
@ -26,6 +26,19 @@ options:
    type: str
    aliases:
    - login_db
+  session_role:
+    description:
+    - Switch to session_role after connecting. The specified session_role must
+      be a role that the current login_user is a member of.
+    - Permissions checking for SQL commands is carried out as though
+      the session_role were the one that had logged in originally.
+    type: str
+  trust_input:
+    description:
+    - If C(no), check whether a value of I(session_role) is potentially dangerous.
+    - It does make sense to use C(yes) only when SQL injections via I(session_role) are possible.
+    type: bool
+    default: yes
 seealso:
 - module: postgresql_info
 author:
@ -72,6 +85,9 @@ except ImportError:
    pass

 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
    connect_to_db,
    exec_sql,
@ -117,12 +133,18 @@ def main():
    argument_spec = postgres_common_argument_spec()
    argument_spec.update(
        db=dict(type='str', aliases=['login_db']),
+        session_role=dict(type='str'),
+        trust_input=dict(type='bool', default=True),
    )
    module = AnsibleModule(
        argument_spec=argument_spec,
        supports_check_mode=True,
    )

+    if not module.params['trust_input']:
+        # Check input for potentially dangerous elements:
+        check_input(module, module.params['session_role'])
+
    # Set some default values:
    cursor = False
    db_connection = False
--- a/tests/integration/targets/postgresql_ping/tasks/postgresql_ping_initial.yml
+++ b/tests/integration/targets/postgresql_ping/tasks/postgresql_ping_initial.yml
@ -45,6 +45,7 @@
    login_port: 5432
    ssl_mode: require
    ca_cert: '{{ ssl_rootcert }}'
+    trust_input: yes
  register: result
  when:
  - ansible_os_family == 'Debian'
@ -56,3 +57,19 @@
  when:
  - ansible_os_family == 'Debian'
  - postgres_version_resp.stdout is version('9.4', '>=')
+
+- name: postgresql_ping - check trust_input
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_ping:
+    db: "{{ db_default }}"
+    login_user: "{{ pg_user }}"
+    trust_input: no
+    session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+  register: result
+  ignore_errors: yes
+
+- assert:
+    that:
+    - result is failed
+    - result.msg is search('is potentially dangerous')