1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Allow setting/unsetting BYPASSRLS Postgres role attribute (#24625)

* Allow setting/unsetting BYPASSRLS role attr

* Build valid role attrs against version

* Add integration tests
This commit is contained in:
Reilly Herrewig-Pope 2017-05-26 12:56:42 -04:00 committed by Brian Coca
parent 603366863f
commit 723c8f06ab
4 changed files with 243 additions and 93 deletions

View file

@ -103,7 +103,7 @@ options:
required: false required: false
default: "" default: ""
choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB", choices: [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
"[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ] "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION", "[NO]BYPASSRLS" ]
state: state:
description: description:
- The user (role) state - The user (role) state
@ -210,6 +210,8 @@ EXAMPLES = '''
import re import re
import itertools import itertools
from distutils.version import StrictVersion
try: try:
import psycopg2 import psycopg2
import psycopg2.extras import psycopg2.extras
@ -220,7 +222,7 @@ else:
from ansible.module_utils.six import iteritems from ansible.module_utils.six import iteritems
_flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION') _flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION')
VALID_FLAGS = frozenset(itertools.chain(_flags, ('NO%s' % f for f in _flags))) _flags_by_version = {'BYPASSRLS': '9.5.0'}
VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL')), VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL')),
database=frozenset(('CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL')), database=frozenset(('CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL')),
@ -230,7 +232,7 @@ VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRU
PRIV_TO_AUTHID_COLUMN = dict(SUPERUSER='rolsuper', CREATEROLE='rolcreaterole', PRIV_TO_AUTHID_COLUMN = dict(SUPERUSER='rolsuper', CREATEROLE='rolcreaterole',
CREATEUSER='rolcreateuser', CREATEDB='rolcreatedb', CREATEUSER='rolcreateuser', CREATEDB='rolcreatedb',
INHERIT='rolinherit', LOGIN='rolcanlogin', INHERIT='rolinherit', LOGIN='rolcanlogin',
REPLICATION='rolreplication') REPLICATION='rolreplication', BYPASSRLS='rolbypassrls')
class InvalidFlagsError(Exception): class InvalidFlagsError(Exception):
pass pass
@ -558,7 +560,7 @@ def grant_privileges(cursor, user, privs):
changed = True changed = True
return changed return changed
def parse_role_attrs(role_attr_flags): def parse_role_attrs(cursor, role_attr_flags):
""" """
Parse role attributes string for user creation. Parse role attributes string for user creation.
Format: Format:
@ -569,18 +571,24 @@ def parse_role_attrs(role_attr_flags):
attributes := CREATEDB,CREATEROLE,NOSUPERUSER,... attributes := CREATEDB,CREATEROLE,NOSUPERUSER,...
[ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB", [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEUSER", "[NO]CREATEDB",
"[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION" ] "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION",
"[NO]BYPASSRLS" ]
Note: "[NO]BYPASSRLS" role attribute introduced in 9.5
""" """
flags = frozenset(itertools.chain(_flags, get_valid_flags_by_version(cursor)))
valid_flags = frozenset(itertools.chain(flags, ('NO%s' % f for f in flags)))
if ',' in role_attr_flags: if ',' in role_attr_flags:
flag_set = frozenset(r.upper() for r in role_attr_flags.split(",")) flag_set = frozenset(r.upper() for r in role_attr_flags.split(","))
elif role_attr_flags: elif role_attr_flags:
flag_set = frozenset((role_attr_flags.upper(),)) flag_set = frozenset((role_attr_flags.upper(),))
else: else:
flag_set = frozenset() flag_set = frozenset()
if not flag_set.issubset(VALID_FLAGS): if not flag_set.issubset(valid_flags):
raise InvalidFlagsError('Invalid role_attr_flags specified: %s' % raise InvalidFlagsError('Invalid role_attr_flags specified: %s' %
' '.join(flag_set.difference(VALID_FLAGS))) ' '.join(flag_set.difference(valid_flags)))
o_flags = ' '.join(flag_set) o_flags = ' '.join(flag_set)
return o_flags return o_flags
@ -633,6 +641,35 @@ def parse_privs(privs, db):
return o_privs return o_privs
def get_pg_server_version(cursor):
"""
Queries Postgres for its server version.
server_version should be just the server version itself:
postgres=# SHOW SERVER_VERSION;
server_version
----------------
9.6.2
(1 row)
"""
cursor.execute("SHOW SERVER_VERSION")
return cursor.fetchone()['server_version']
def get_valid_flags_by_version(cursor):
"""
Some role attributes were introduced after certain versions. We want to
compile a list of valid flags against the current Postgres version.
"""
current_version = StrictVersion(get_pg_server_version(cursor))
return [
flag
for flag, version_introduced in _flags_by_version.items()
if current_version >= StrictVersion(version_introduced)
]
# =========================================== # ===========================================
# Module execution. # Module execution.
# #
@ -671,11 +708,6 @@ def main():
privs = parse_privs(module.params["priv"], db) privs = parse_privs(module.params["priv"], db)
port = module.params["port"] port = module.params["port"]
no_password_changes = module.params["no_password_changes"] no_password_changes = module.params["no_password_changes"]
try:
role_attr_flags = parse_role_attrs(module.params["role_attr_flags"])
except InvalidFlagsError:
e = get_exception()
module.fail_json(msg=str(e))
if module.params["encrypted"]: if module.params["encrypted"]:
encrypted = "ENCRYPTED" encrypted = "ENCRYPTED"
else: else:
@ -723,6 +755,12 @@ def main():
e = get_exception() e = get_exception()
module.fail_json(msg="unable to connect to database: %s" % e) module.fail_json(msg="unable to connect to database: %s" % e)
try:
role_attr_flags = parse_role_attrs(cursor, module.params["role_attr_flags"])
except InvalidFlagsError:
e = get_exception()
module.fail_json(msg=str(e))
kw = dict(user=user) kw = dict(user=user)
changed = False changed = False
user_removed = False user_removed = False

View file

@ -268,92 +268,27 @@
that: that:
- "result.changed == False" - "result.changed == False"
- name: Create a user with all role attributes # BYPASSRLS role attribute was introduced in Postgres 9.5, so
# we want to test atrribute management differently depending
# on the version. See https://github.com/ansible/ansible/pull/24625
# for more details.
- name: Get Postgres version
become_user: "{{ pg_user }}" become_user: "{{ pg_user }}"
become: True become: True
postgresql_user: shell: echo 'SHOW SERVER_VERSION' | psql -d postgres
name: "{{ db_user1 }}" register: postgres_version_resp
state: "present"
role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login"
login_user: "{{ pg_user }}"
db: postgres
- name: Check that the user has the requested role attributes - name: Print Postgres server version
become_user: "{{ pg_user }}" debug:
become: True msg: "{{ postgres_version_resp.stdout_lines[-2] | trim }}"
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert: - name: Role attribute testing for Postgres 9.5+
that: include: postgresql_user_9.5_or_greater.yml
- "result.stdout_lines[-1] == '(1 row)'" when: (postgres_version_resp.stdout_lines[-2] | trim) | version_compare('9.5.0', '>=')
- "'super:t' in result.stdout_lines[-2]"
- "'createrole:t' in result.stdout_lines[-2]"
- "'create:t' in result.stdout_lines[-2]"
- "'inherit:t' in result.stdout_lines[-2]"
- "'login:t' in result.stdout_lines[-2]"
- name: Modify a user to have no role attributes - name: Role attribute testing for Postgres versions below 9.5
become_user: "{{ pg_user }}" include: postgresql_user_less_than_9.5.yml
become: True when: (postgres_version_resp.stdout_lines[-2] | trim) | version_compare('9.5.0', '<')
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN"
login_user: "{{ pg_user }}"
db: postgres
register: result
- name: Check that ansible reports it modified the role
assert:
that:
- "result.changed == True"
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:f' in result.stdout_lines[-2]"
- "'createrole:f' in result.stdout_lines[-2]"
- "'create:f' in result.stdout_lines[-2]"
- "'inherit:f' in result.stdout_lines[-2]"
- "'login:f' in result.stdout_lines[-2]"
- name: Modify a single role attribute on a user
become_user: "{{ pg_user }}"
become: True
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "LOGIN"
login_user: "{{ pg_user }}"
db: postgres
register: result
- name: Check that ansible reports it modified the role
assert:
that:
- "result.changed == True"
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:f' in result.stdout_lines[-2]"
- "'createrole:f' in result.stdout_lines[-2]"
- "'create:f' in result.stdout_lines[-2]"
- "'inherit:f' in result.stdout_lines[-2]"
- "'login:t' in result.stdout_lines[-2]"
- name: Cleanup the user - name: Cleanup the user
become_user: "{{ pg_user }}" become_user: "{{ pg_user }}"

View file

@ -0,0 +1,90 @@
---
- name: Create a user with all role attributes
become_user: "{{ pg_user }}"
become: True
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login,BYPASSRLS"
login_user: "{{ pg_user }}"
db: postgres
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:t' in result.stdout_lines[-2]"
- "'createrole:t' in result.stdout_lines[-2]"
- "'create:t' in result.stdout_lines[-2]"
- "'inherit:t' in result.stdout_lines[-2]"
- "'login:t' in result.stdout_lines[-2]"
- "'bypassrls:t' in result.stdout_lines[-2]"
- name: Modify a user to have no role attributes
become_user: "{{ pg_user }}"
become: True
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN,NOBYPASSRLS"
login_user: "{{ pg_user }}"
db: postgres
register: result
- name: Check that ansible reports it modified the role
assert:
that:
- "result.changed == True"
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:f' in result.stdout_lines[-2]"
- "'createrole:f' in result.stdout_lines[-2]"
- "'create:f' in result.stdout_lines[-2]"
- "'inherit:f' in result.stdout_lines[-2]"
- "'login:f' in result.stdout_lines[-2]"
- "'bypassrls:f' in result.stdout_lines[-2]"
- name: Modify a single role attribute on a user
become_user: "{{ pg_user }}"
become: True
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "LOGIN"
login_user: "{{ pg_user }}"
db: postgres
register: result
- name: Check that ansible reports it modified the role
assert:
that:
- "result.changed == True"
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin, 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:f' in result.stdout_lines[-2]"
- "'createrole:f' in result.stdout_lines[-2]"
- "'create:f' in result.stdout_lines[-2]"
- "'inherit:f' in result.stdout_lines[-2]"
- "'login:t' in result.stdout_lines[-2]"
- "'bypassrls:f' in result.stdout_lines[-2]"

View file

@ -0,0 +1,87 @@
---
- name: Create a user with all role attributes
become_user: "{{ pg_user }}"
become: True
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login"
login_user: "{{ pg_user }}"
db: postgres
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:t' in result.stdout_lines[-2]"
- "'createrole:t' in result.stdout_lines[-2]"
- "'create:t' in result.stdout_lines[-2]"
- "'inherit:t' in result.stdout_lines[-2]"
- "'login:t' in result.stdout_lines[-2]"
- name: Modify a user to have no role attributes
become_user: "{{ pg_user }}"
become: True
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN"
login_user: "{{ pg_user }}"
db: postgres
register: result
- name: Check that ansible reports it modified the role
assert:
that:
- "result.changed == True"
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:f' in result.stdout_lines[-2]"
- "'createrole:f' in result.stdout_lines[-2]"
- "'create:f' in result.stdout_lines[-2]"
- "'inherit:f' in result.stdout_lines[-2]"
- "'login:f' in result.stdout_lines[-2]"
- name: Modify a single role attribute on a user
become_user: "{{ pg_user }}"
become: True
postgresql_user:
name: "{{ db_user1 }}"
state: "present"
role_attr_flags: "LOGIN"
login_user: "{{ pg_user }}"
db: postgres
register: result
- name: Check that ansible reports it modified the role
assert:
that:
- "result.changed == True"
- name: Check that the user has the requested role attributes
become_user: "{{ pg_user }}"
become: True
shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres
register: result
- assert:
that:
- "result.stdout_lines[-1] == '(1 row)'"
- "'super:f' in result.stdout_lines[-2]"
- "'createrole:f' in result.stdout_lines[-2]"
- "'create:f' in result.stdout_lines[-2]"
- "'inherit:f' in result.stdout_lines[-2]"
- "'login:t' in result.stdout_lines[-2]"