postgresql_membership: add trust_input parameter (#158)
* postgresql_membership: add trust_input parameter * add changelog fragment * add session_role to check
parent
2250e47de7
commit
4ad6ff50cd
4 changed files with 58 additions and 0 deletions
|
@ -0,0 +1,2 @@
|
||||||
|
minor_changes:
|
||||||
|
- postgresql_membership - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/158).
|
|
@ -72,6 +72,11 @@ options:
|
||||||
- Permissions checking for SQL commands is carried out as though
|
- Permissions checking for SQL commands is carried out as though
|
||||||
the session_role were the one that had logged in originally.
|
the session_role were the one that had logged in originally.
|
||||||
type: str
|
type: str
|
||||||
|
trust_input:
|
||||||
|
description:
|
||||||
|
- If C(no), check whether values of some parameters are potentially dangerous.
|
||||||
|
type: bool
|
||||||
|
default: yes
|
||||||
seealso:
|
seealso:
|
||||||
- module: postgresql_user
|
- module: postgresql_user
|
||||||
- module: postgresql_privs
|
- module: postgresql_privs
|
||||||
|
@ -141,6 +146,7 @@ except ImportError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
from ansible_collections.community.general.plugins.module_utils.database import check_input
|
||||||
from ansible_collections.community.general.plugins.module_utils.postgres import (
|
from ansible_collections.community.general.plugins.module_utils.postgres import (
|
||||||
connect_to_db,
|
connect_to_db,
|
||||||
get_conn_params,
|
get_conn_params,
|
||||||
|
@ -162,6 +168,7 @@ def main():
|
||||||
state=dict(type='str', default='present', choices=['absent', 'present']),
|
state=dict(type='str', default='present', choices=['absent', 'present']),
|
||||||
db=dict(type='str', aliases=['login_db']),
|
db=dict(type='str', aliases=['login_db']),
|
||||||
session_role=dict(type='str'),
|
session_role=dict(type='str'),
|
||||||
|
trust_input=dict(type='bool', default=True),
|
||||||
)
|
)
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
|
@ -173,6 +180,11 @@ def main():
|
||||||
target_roles = module.params['target_roles']
|
target_roles = module.params['target_roles']
|
||||||
fail_on_role = module.params['fail_on_role']
|
fail_on_role = module.params['fail_on_role']
|
||||||
state = module.params['state']
|
state = module.params['state']
|
||||||
|
session_role = module.params['session_role']
|
||||||
|
trust_input = module.params['trust_input']
|
||||||
|
if not trust_input:
|
||||||
|
# Check input for potentially dangerous elements:
|
||||||
|
check_input(module, groups, target_roles, session_role)
|
||||||
|
|
||||||
conn_params = get_conn_params(module, module.params, warn_db_default=False)
|
conn_params = get_conn_params(module, module.params, warn_db_default=False)
|
||||||
db_connection = connect_to_db(module, conn_params, autocommit=False)
|
db_connection = connect_to_db(module, conn_params, autocommit=False)
|
||||||
|
|
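Review bot: The option description `- If C(no), check whether values of some parameters are potentially dangerous.` leaves the reader guessing which parameters are inspected and what the default means in practice. The later hunk in this file passes `groups`, `target_roles` and `session_role` to `check_input`, so the docs can say that directly: `- If C(no), check whether values of the group, target role and I(session_role) parameters are potentially dangerous.` followed by `- With the default C(yes) no such check is performed, so the caller is responsible for the safety of these values.` The `trust_input` description and the `check_input` call sit in different hunks, and main() starts and ends outside the hunks shown. Whether `check_input` inspects every element of list-valued arguments such as `groups` is not visible here and is worth confirming before relying on this guard.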
|
@ -3,3 +3,4 @@ test_group2: group2
|
||||||
test_group3: group.with.dots
|
test_group3: group.with.dots
|
||||||
test_user1: user1
|
test_user1: user1
|
||||||
test_user2: user.with.dots
|
test_user2: user.with.dots
|
||||||
|
dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
|
||||||
|
|
|
@ -345,3 +345,46 @@
|
||||||
that:
|
that:
|
||||||
- result is changed
|
- result is changed
|
||||||
- result.queries == ["GRANT \"{{ test_group3 }}\" TO \"{{ test_user1 }}\""]
|
- result.queries == ["GRANT \"{{ test_group3 }}\" TO \"{{ test_user1 }}\""]
|
||||||
|
|
||||||
|
#############################
|
||||||
|
# Check trust_input parameter
|
||||||
|
|
||||||
|
- name: postgresql_membership - try to use dangerous input, don't trust
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: yes
|
||||||
|
postgresql_membership:
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
group:
|
||||||
|
- "{{ test_group3}}"
|
||||||
|
- "{{ dangerous_name }}"
|
||||||
|
user: "{{ test_user1 }}"
|
||||||
|
state: present
|
||||||
|
trust_input: no
|
||||||
|
register: result
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- result is failed
|
||||||
|
- result.msg == 'Passed input \'{{ dangerous_name }}\' is potentially dangerous'
|
||||||
|
|
||||||
|
- name: postgresql_membership - try to use dangerous input, trust explicitly
|
||||||
|
become_user: "{{ pg_user }}"
|
||||||
|
become: yes
|
||||||
|
postgresql_membership:
|
||||||
|
login_user: "{{ pg_user }}"
|
||||||
|
db: postgres
|
||||||
|
group:
|
||||||
|
- "{{ test_group3}}"
|
||||||
|
- "{{ dangerous_name }}"
|
||||||
|
user: "{{ test_user1 }}"
|
||||||
|
state: present
|
||||||
|
trust_input: yes
|
||||||
|
register: result
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- result is failed
|
||||||
|
- result.msg == 'Role {{ dangerous_name }} does not exist'
|
||||||
|
|
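Review bot: Both new tasks feed `dangerous_name` only through `group`, while the module hunk in this commit calls `check_input(module, groups, target_roles, session_role)`, so the target-role and `session_role` paths of the new guard are never exercised by these tests. A third task mirroring the first one — a safe group, `user: "{{ test_user1 }}"`, `session_role: "{{ dangerous_name }}"`, `trust_input: no` — with the same `result is failed` and `result.msg` assertions would close that gap. The assertion `- result.msg == 'Passed input \'{{ dangerous_name }}\' is potentially dangerous'` pins the exact wording of a message produced by a shared helper outside this module, so any rewording there breaks this test; `- "'potentially dangerous' in result.msg"` would be more robust. Minor: `"{{ test_group3}}"` is missing the space before the closing braces in both tasks.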