mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
postgresql_membership: add trust_input parameter (#158)
* postgresql_membership: add trust_input parameter * add changelog fragment * add session_role to check
This commit is contained in:
parent
2250e47de7
commit
4ad6ff50cd
4 changed files with 58 additions and 0 deletions
|
@ -0,0 +1,2 @@
|
|||
minor_changes:
|
||||
- postgresql_membership - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/158).
|
|
@ -72,6 +72,11 @@ options:
|
|||
- Permissions checking for SQL commands is carried out as though
|
||||
the session_role were the one that had logged in originally.
|
||||
type: str
|
||||
trust_input:
|
||||
description:
|
||||
- If C(no), check whether values of some parameters are potentially dangerous.
|
||||
type: bool
|
||||
default: yes
|
||||
seealso:
|
||||
- module: postgresql_user
|
||||
- module: postgresql_privs
|
||||
|
@ -141,6 +146,7 @@ except ImportError:
|
|||
pass
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
from ansible_collections.community.general.plugins.module_utils.database import check_input
|
||||
from ansible_collections.community.general.plugins.module_utils.postgres import (
|
||||
connect_to_db,
|
||||
get_conn_params,
|
||||
|
@ -162,6 +168,7 @@ def main():
|
|||
state=dict(type='str', default='present', choices=['absent', 'present']),
|
||||
db=dict(type='str', aliases=['login_db']),
|
||||
session_role=dict(type='str'),
|
||||
trust_input=dict(type='bool', default=True),
|
||||
)
|
||||
|
||||
module = AnsibleModule(
|
||||
|
@ -173,6 +180,11 @@ def main():
|
|||
target_roles = module.params['target_roles']
|
||||
fail_on_role = module.params['fail_on_role']
|
||||
state = module.params['state']
|
||||
session_role = module.params['session_role']
|
||||
trust_input = module.params['trust_input']
|
||||
if not trust_input:
|
||||
# Check input for potentially dangerous elements:
|
||||
check_input(module, groups, target_roles, session_role)
|
||||
|
||||
conn_params = get_conn_params(module, module.params, warn_db_default=False)
|
||||
db_connection = connect_to_db(module, conn_params, autocommit=False)
|
||||
|
|
|
@ -3,3 +3,4 @@ test_group2: group2
|
|||
test_group3: group.with.dots
|
||||
test_user1: user1
|
||||
test_user2: user.with.dots
|
||||
dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
|
||||
|
|
|
@ -345,3 +345,46 @@
|
|||
that:
|
||||
- result is changed
|
||||
- result.queries == ["GRANT \"{{ test_group3 }}\" TO \"{{ test_user1 }}\""]
|
||||
|
||||
#############################
|
||||
# Check trust_input parameter
|
||||
|
||||
- name: postgresql_membership - try to use dangerous input, don't trust
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_membership:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
group:
|
||||
- "{{ test_group3}}"
|
||||
- "{{ dangerous_name }}"
|
||||
user: "{{ test_user1 }}"
|
||||
state: present
|
||||
trust_input: no
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result is failed
|
||||
- result.msg == 'Passed input \'{{ dangerous_name }}\' is potentially dangerous'
|
||||
|
||||
- name: postgresql_membership - try to use dangerous input, trust explicitly
|
||||
become_user: "{{ pg_user }}"
|
||||
become: yes
|
||||
postgresql_membership:
|
||||
login_user: "{{ pg_user }}"
|
||||
db: postgres
|
||||
group:
|
||||
- "{{ test_group3}}"
|
||||
- "{{ dangerous_name }}"
|
||||
user: "{{ test_user1 }}"
|
||||
state: present
|
||||
trust_input: yes
|
||||
register: result
|
||||
ignore_errors: yes
|
||||
|
||||
- assert:
|
||||
that:
|
||||
- result is failed
|
||||
- result.msg == 'Role {{ dangerous_name }} does not exist'
|
||||
|
|
Loading…
Reference in a new issue