mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Avoid useless queries: use standard module hashlib

When an unchanged MD5-hashed password was used and passlib was
unavailable, a useless 'ALTER USER' query was executed.

Once this useless query is avoided, the last 'SELECT' query becomes
useless too.
Pierre-Louis Bonicoli 2017-04-16 23:18:57 +02:00 committed by Toshio Kuratomi
parent f59f042bb0
commit 69edd9e0bb


@ -207,8 +207,9 @@ EXAMPLES = '''
password: NULL password: NULL
''' '''
import re from hashlib import md5
import itertools import itertools
import re
from distutils.version import StrictVersion from distutils.version import StrictVersion
@ -219,6 +220,7 @@ except ImportError:
postgresqldb_found = False postgresqldb_found = False
else: else:
postgresqldb_found = True postgresqldb_found = True
from ansible.module_utils._text import to_bytes
from ansible.module_utils.six import iteritems from ansible.module_utils.six import iteritems
_flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION') _flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION')
@ -294,20 +296,16 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
# Do we actually need to do anything? # Do we actually need to do anything?
pwchanging = False pwchanging = False
if password is not None: if password is not None:
if encrypted == 'ENCRYPTED': # 32: MD5 hashes are represented as a sequence of 32 hexadecimal digits
if password.startswith('md5'): # 3: The size of the 'md5' prefix
# When the provided password looks like a MD5-hash, value of
# 'encrypted' is ignored.
if ((password.startswith('md5') and len(password) == 32+3) or encrypted == 'UNENCRYPTED'):
if password != current_role_attrs['rolpassword']: if password != current_role_attrs['rolpassword']:
pwchanging = True pwchanging = True
else: elif encrypted == 'ENCRYPTED':
try: hashed_password = 'md5{0}'.format(md5(to_bytes(password) + to_bytes(user)).hexdigest())
from passlib.hash import postgres_md5 as pm if hashed_password != current_role_attrs['rolpassword']:
if pm.encrypt(password, user) != current_role_attrs['rolpassword']:
pwchanging = True
except ImportError:
# Cannot check if passlib is not installed, so assume password is different
pwchanging = True
else:
if password != current_role_attrs['rolpassword']:
pwchanging = True pwchanging = True
role_attr_flags_changing = False role_attr_flags_changing = False
@ -340,6 +338,7 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
try: try:
cursor.execute(' '.join(alter), query_password_data) cursor.execute(' '.join(alter), query_password_data)
changed = True
except psycopg2.InternalError: except psycopg2.InternalError:
e = get_exception() e = get_exception()
if e.pgcode == '25006': if e.pgcode == '25006':
@ -351,15 +350,6 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
else: else:
raise psycopg2.InternalError(e) raise psycopg2.InternalError(e)
# Grab new role attributes.
cursor.execute(select, {"user": user})
new_role_attrs = cursor.fetchone()
# Detect any differences between current_ and new_role_attrs.
for i in range(len(current_role_attrs)):
if current_role_attrs[i] != new_role_attrs[i]:
changed = True
elif no_password_changes and role_attr_flags != '': elif no_password_changes and role_attr_flags != '':
# Grab role information from pg_roles instead of pg_authid # Grab role information from pg_roles instead of pg_authid
select = "SELECT * FROM pg_roles where rolname=%(user)s" select = "SELECT * FROM pg_roles where rolname=%(user)s"
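Review bot: The new `elif encrypted == 'ENCRYPTED':` branch calls `md5(...)` with no fallback, and hashlib's `md5()` can raise `ValueError` on hosts whose crypto library runs in FIPS mode, so the module would fail there, whereas the removed code fell back to `pwchanging = True` when it could not compute the hash. Wrapping the `hashed_password = ...` line in `try`/`except ValueError:` and setting `pwchanging = True` in the handler would keep that conservative behaviour. In the same hunk, the "looks like an MD5 hash" test checks only the `md5` prefix and the length `32+3`, so a 35-character cleartext password beginning with `md5` is compared as if it were already a hash. Also requiring the remaining 32 characters to be hexadecimal digits would make the test match what its comment describes. The body of `user_alter` starts and ends outside the hunks shown.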