From 5e23f01a76b685cdea657763c8fa38f16a9ebb7c Mon Sep 17 00:00:00 2001
From: Andrew Klychkov <aaklychkov@mail.ru>
Date: Mon, 6 Jul 2020 15:16:48 +0300
Subject: [PATCH] mysql_user: fix overriding user passowrd to the same (#609)

* mysql_user: fix overriding user passowrd to the same

* add changelog
---
 ...er_fix_overriding_password_to_the_same.yml |  2 ++
 plugins/modules/database/mysql/mysql_user.py  | 11 ++++++++-
 .../tasks/user_password_update_test.yml       | 23 +++++++++----------
 3 files changed, 23 insertions(+), 13 deletions(-)
 create mode 100644 changelogs/fragments/609-mysql_user_fix_overriding_password_to_the_same.yml

diff --git a/changelogs/fragments/609-mysql_user_fix_overriding_password_to_the_same.yml b/changelogs/fragments/609-mysql_user_fix_overriding_password_to_the_same.yml
new file mode 100644
index 0000000000..9ad0c083e5
--- /dev/null
+++ b/changelogs/fragments/609-mysql_user_fix_overriding_password_to_the_same.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- mysql_user - fix overriding password to the same (https://github.com/ansible-collections/community.general/issues/543).
diff --git a/plugins/modules/database/mysql/mysql_user.py b/plugins/modules/database/mysql/mysql_user.py
index d8ef5aa1f3..27565a1336 100644
--- a/plugins/modules/database/mysql/mysql_user.py
+++ b/plugins/modules/database/mysql/mysql_user.py
@@ -367,10 +367,19 @@ def user_add(cursor, user, host, host_all, password, encrypted,
     if check_mode:
         return True
 
+    # Determine what user management method server uses
+    old_user_mgmt = use_old_user_mgmt(cursor)
+
     if password and encrypted:
         cursor.execute("CREATE USER %s@%s IDENTIFIED BY PASSWORD %s", (user, host, password))
     elif password and not encrypted:
-        cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password))
+        if old_user_mgmt:
+            cursor.execute("CREATE USER %s@%s IDENTIFIED BY %s", (user, host, password))
+        else:
+            cursor.execute("SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))", (password,))
+            encrypted_password = cursor.fetchone()[0]
+            cursor.execute("CREATE USER %s@%s IDENTIFIED WITH mysql_native_password AS %s", (user, host, encrypted_password))
+
     elif plugin and plugin_hash_string:
         cursor.execute("CREATE USER %s@%s IDENTIFIED WITH %s AS %s", (user, host, plugin, plugin_hash_string))
     elif plugin and plugin_auth_string:
diff --git a/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml b/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml
index 1f126c48b5..a85e4edf04 100644
--- a/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml
+++ b/tests/integration/targets/mysql_user/tasks/user_password_update_test.yml
@@ -46,18 +46,17 @@
   register: user_password_old  
   when: user_password_old_create is failed
 
-# FIXME: not sure why this is failing, but it looks like it should expect changed=true
-#- name: update user2 state=present with same password (expect changed=false)
-#  mysql_user:
-#    name: '{{ user_name_2 }}'
-#    password: '{{ user_password_2 }}'
-#    priv: '*.*:ALL'
-#    state: present
-#    login_unix_socket: '{{ mysql_socket }}'
-#  register: result
-#
-#- name: assert output user2 was not updated 
-#  assert: { that: "result.changed == false" }
+- name: update user2 state=present with same password (expect changed=false)
+  mysql_user:
+    name: '{{ user_name_2 }}'
+    password: '{{ user_password_2 }}'
+    priv: '*.*:ALL'
+    state: present
+    login_unix_socket: '{{ mysql_socket }}'
+  register: result
+
+- name: assert output user2 was not updated 
+  assert: { that: "result.changed == false" }
 
 - include: assert_user.yml user_name={{user_name_2}} priv='ALL PRIVILEGES'