1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Avoid useless queries: use standard module hashlib

When an unchanged MD5-hashed password was used and passlib was
unavailable, an useless 'ALTER USER' query was executed.

Once this useless query avoided, the last 'SELECT' query becomes
useless too.
This commit is contained in:
Pierre-Louis Bonicoli 2017-04-16 23:18:57 +02:00 committed by Toshio Kuratomi
parent f59f042bb0
commit 69edd9e0bb

View file

@ -207,8 +207,9 @@ EXAMPLES = '''
password: NULL
'''
import re
from hashlib import md5
import itertools
import re
from distutils.version import StrictVersion
@ -219,6 +220,7 @@ except ImportError:
postgresqldb_found = False
else:
postgresqldb_found = True
from ansible.module_utils._text import to_bytes
from ansible.module_utils.six import iteritems
_flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION')
@ -294,21 +296,17 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
# Do we actually need to do anything?
pwchanging = False
if password is not None:
if encrypted == 'ENCRYPTED':
if password.startswith('md5'):
if password != current_role_attrs['rolpassword']:
pwchanging = True
else:
try:
from passlib.hash import postgres_md5 as pm
if pm.encrypt(password, user) != current_role_attrs['rolpassword']:
pwchanging = True
except ImportError:
# Cannot check if passlib is not installed, so assume password is different
pwchanging = True
else:
# 32: MD5 hashes are represented as a sequence of 32 hexadecimal digits
# 3: The size of the 'md5' prefix
# When the provided password looks like a MD5-hash, value of
# 'encrypted' is ignored.
if ((password.startswith('md5') and len(password) == 32+3) or encrypted == 'UNENCRYPTED'):
if password != current_role_attrs['rolpassword']:
pwchanging = True
elif encrypted == 'ENCRYPTED':
hashed_password = 'md5{0}'.format(md5(to_bytes(password) + to_bytes(user)).hexdigest())
if hashed_password != current_role_attrs['rolpassword']:
pwchanging = True
role_attr_flags_changing = False
if role_attr_flags:
@ -340,6 +338,7 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
try:
cursor.execute(' '.join(alter), query_password_data)
changed = True
except psycopg2.InternalError:
e = get_exception()
if e.pgcode == '25006':
@ -351,15 +350,6 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
else:
raise psycopg2.InternalError(e)
# Grab new role attributes.
cursor.execute(select, {"user": user})
new_role_attrs = cursor.fetchone()
# Detect any differences between current_ and new_role_attrs.
for i in range(len(current_role_attrs)):
if current_role_attrs[i] != new_role_attrs[i]:
changed = True
elif no_password_changes and role_attr_flags != '':
# Grab role information from pg_roles instead of pg_authid
select = "SELECT * FROM pg_roles where rolname=%(user)s"