1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

postgresql_membership: add trust_input parameter (#158)

* postgresql_membership: add trust_input parameter

* add changelog fragment

* add session_role to check
This commit is contained in:
Andrew Klychkov 2020-04-14 16:45:36 +03:00 committed by GitHub
parent 2250e47de7
commit 4ad6ff50cd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 58 additions and 0 deletions

View file

@ -0,0 +1,2 @@
minor_changes:
- postgresql_membership - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/158).

View file

@ -72,6 +72,11 @@ options:
- Permissions checking for SQL commands is carried out as though - Permissions checking for SQL commands is carried out as though
the session_role were the one that had logged in originally. the session_role were the one that had logged in originally.
type: str type: str
trust_input:
description:
- If C(no), check whether values of some parameters are potentially dangerous.
type: bool
default: yes
seealso: seealso:
- module: postgresql_user - module: postgresql_user
- module: postgresql_privs - module: postgresql_privs
@ -141,6 +146,7 @@ except ImportError:
pass pass
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import check_input
from ansible_collections.community.general.plugins.module_utils.postgres import ( from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db, connect_to_db,
get_conn_params, get_conn_params,
@ -162,6 +168,7 @@ def main():
state=dict(type='str', default='present', choices=['absent', 'present']), state=dict(type='str', default='present', choices=['absent', 'present']),
db=dict(type='str', aliases=['login_db']), db=dict(type='str', aliases=['login_db']),
session_role=dict(type='str'), session_role=dict(type='str'),
trust_input=dict(type='bool', default=True),
) )
module = AnsibleModule( module = AnsibleModule(
@ -173,6 +180,11 @@ def main():
target_roles = module.params['target_roles'] target_roles = module.params['target_roles']
fail_on_role = module.params['fail_on_role'] fail_on_role = module.params['fail_on_role']
state = module.params['state'] state = module.params['state']
session_role = module.params['session_role']
trust_input = module.params['trust_input']
if not trust_input:
# Check input for potentially dangerous elements:
check_input(module, groups, target_roles, session_role)
conn_params = get_conn_params(module, module.params, warn_db_default=False) conn_params = get_conn_params(module, module.params, warn_db_default=False)
db_connection = connect_to_db(module, conn_params, autocommit=False) db_connection = connect_to_db(module, conn_params, autocommit=False)

View file

@ -3,3 +3,4 @@ test_group2: group2
test_group3: group.with.dots test_group3: group.with.dots
test_user1: user1 test_user1: user1
test_user2: user.with.dots test_user2: user.with.dots
dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'

View file

@ -345,3 +345,46 @@
that: that:
- result is changed - result is changed
- result.queries == ["GRANT \"{{ test_group3 }}\" TO \"{{ test_user1 }}\""] - result.queries == ["GRANT \"{{ test_group3 }}\" TO \"{{ test_user1 }}\""]
#############################
# Check trust_input parameter
- name: postgresql_membership - try to use dangerous input, don't trust
become_user: "{{ pg_user }}"
become: yes
postgresql_membership:
login_user: "{{ pg_user }}"
db: postgres
group:
- "{{ test_group3}}"
- "{{ dangerous_name }}"
user: "{{ test_user1 }}"
state: present
trust_input: no
register: result
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg == 'Passed input \'{{ dangerous_name }}\' is potentially dangerous'
- name: postgresql_membership - try to use dangerous input, trust explicitly
become_user: "{{ pg_user }}"
become: yes
postgresql_membership:
login_user: "{{ pg_user }}"
db: postgres
group:
- "{{ test_group3}}"
- "{{ dangerous_name }}"
user: "{{ test_user1 }}"
state: present
trust_input: yes
register: result
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg == 'Role {{ dangerous_name }} does not exist'