Mysql db unsafe passwd (#428)

* mysql_db: add new parameter unsafe_login_password * add CI tests * add changelog fragment
2024-09-14 20:13:21 +02:00 · 2020-06-02 09:17:54 +03:00 · 2020-06-02 09:17:54 +03:00 · c2bf9ea9fb
commit c2bf9ea9fb
parent f81e562301
3 changed files with 43 additions and 7 deletions
--- a/changelogs/fragments/428-mysql_db_add_unsafe_login_password_param.yml
+++ b/changelogs/fragments/428-mysql_db_add_unsafe_login_password_param.yml
@ -0,0 +1,2 @@
+minor_changes:
+- mysql_db - add the ``unsafe_login_password`` parameter (https://github.com/ansible/ansible/issues/63955).
--- a/plugins/modules/database/mysql/mysql_db.py
+++ b/plugins/modules/database/mysql/mysql_db.py
@ -113,6 +113,15 @@ options:
    required: no
    type: bool
    default: no
+  unsafe_login_password:
+    description:
+      - If C(no), the module will safely use a shell-escaped version of the I(login_password) value.
+      - It makes sense to use C(yes) only if there are special symbols in the value and errors C(Access denied) occur.
+      - Used only when I(state) is C(import) or C(dump) and I(login_password) is passed, ignored otherwise.
+    type: bool
+    default: no
+    version_added: '2.10'
+
 seealso:
 - module: mysql_info
 - module: mysql_variables
@ -299,7 +308,8 @@ def db_delete(cursor, db):
 def db_dump(module, host, user, password, db_name, target, all_databases, port,
            config_file, socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None,
            single_transaction=None, quick=None, ignore_tables=None, hex_blob=None,
-            encoding=None, force=False, master_data=0, skip_lock_tables=False, dump_extra_args=None):
+            encoding=None, force=False, master_data=0, skip_lock_tables=False,
+            dump_extra_args=None, unsafe_password=False):
    cmd = module.get_bin_path('mysqldump', True)
    # If defined, mysqldump demands --defaults-extra-file be the first option
    if config_file:
@ -307,7 +317,10 @@ def db_dump(module, host, user, password, db_name, target, all_databases, port,
    if user is not None:
        cmd += " --user=%s" % shlex_quote(user)
    if password is not None:
-        cmd += " --password=%s" % shlex_quote(password)
+        if not unsafe_password:
+            cmd += " --password=%s" % shlex_quote(password)
+        else:
+            cmd += " --password=%s" % password
    if ssl_cert is not None:
        cmd += " --ssl-cert=%s" % shlex_quote(ssl_cert)
    if ssl_key is not None:
@ -366,7 +379,7 @@ def db_dump(module, host, user, password, db_name, target, all_databases, port,

 def db_import(module, host, user, password, db_name, target, all_databases, port, config_file,
              socket=None, ssl_cert=None, ssl_key=None, ssl_ca=None, encoding=None, force=False,
-              use_shell=False):
+              use_shell=False, unsafe_password=False):
    if not os.path.exists(target):
        return module.fail_json(msg="target %s does not exist on the host" % target)

@ -377,7 +390,10 @@ def db_import(module, host, user, password, db_name, target, all_databases, port
    if user:
        cmd.append("--user=%s" % shlex_quote(user))
    if password:
-        cmd.append("--password=%s" % shlex_quote(password))
+        if not unsafe_password:
+            cmd.append("--password=%s" % shlex_quote(password))
+        else:
+            cmd.append("--password=%s" % password)
    if ssl_cert is not None:
        cmd.append("--ssl-cert=%s" % shlex_quote(ssl_cert))
    if ssl_key is not None:
@ -492,6 +508,7 @@ def main():
            skip_lock_tables=dict(type='bool', default=False),
            dump_extra_args=dict(type='str'),
            use_shell=dict(type='bool', default=False),
+            unsafe_login_password=dict(type='bool', default=False),
        ),
        supports_check_mode=True,
    )
@ -518,6 +535,7 @@ def main():
    connect_timeout = module.params['connect_timeout']
    config_file = module.params['config_file']
    login_password = module.params["login_password"]
+    unsafe_login_password = module.params["unsafe_login_password"]
    login_user = module.params["login_user"]
    login_host = module.params["login_host"]
    ignore_tables = module.params["ignore_tables"]
@ -599,7 +617,7 @@ def main():
                                     login_port, config_file, socket, ssl_cert, ssl_key,
                                     ssl_ca, single_transaction, quick, ignore_tables,
                                     hex_blob, encoding, force, master_data, skip_lock_tables,
-                                     dump_extra_args)
+                                     dump_extra_args, unsafe_login_password)
        if rc != 0:
            module.fail_json(msg="%s" % stderr)
        module.exit_json(changed=True, db=db_name, db_list=db, msg=stdout,
@ -618,7 +636,7 @@ def main():
                                       all_databases,
                                       login_port, config_file,
                                       socket, ssl_cert, ssl_key, ssl_ca,
-                                       encoding, force, use_shell)
+                                       encoding, force, use_shell, unsafe_login_password)
        if rc != 0:
            module.fail_json(msg="%s" % stderr)
        module.exit_json(changed=True, db=db_name, db_list=db, msg=stdout,
--- a/tests/integration/targets/mysql_db/tasks/state_dump_import.yml
+++ b/tests/integration/targets/mysql_db/tasks/state_dump_import.yml
@ -22,6 +22,16 @@
    wrong_sql_file="{{tmp_dir}}/wrong.sql"
    dump_file1="{{tmp_dir}}/{{file2}}"
    dump_file2="{{tmp_dir}}/{{file3}}"
+    db_user="test"
+    db_user_unsafe_password="pass!word"
+
+- name: create user for test unsafe_login_password parameter
+  mysql_user:
+    name: '{{ db_user }}'
+    password: '{{ db_user_unsafe_password }}'
+    priv: '*.*:ALL'
+    state: present
+    login_unix_socket: '{{ mysql_socket }}'

 - name: state dump/import - create database
  mysql_db:
@ -58,6 +68,9 @@

 - name: state dump without department table.
  mysql_db:
+    login_user: '{{ db_user }}'
+    login_password: '{{ db_user_unsafe_password }}'
+    unsafe_login_password: yes
    name: "{{ db_name }}"
    state: dump
    target: "{{ db_file_name }}"
@ -74,7 +87,7 @@
  assert:
    that:
    - result is changed
-    - result.executed_commands[0] is search("mysqldump --force --socket={{ mysql_socket }} {{ db_name }} --skip-lock-tables --quick --ignore-table={{ db_name }}.department --master-data=1 --skip-triggers")
+    - result.executed_commands[0] is search("mysqldump --user={{ db_user }} --password=\*\*\*\*\*\*\*\* --force --socket={{ mysql_socket }} {{ db_name }} --skip-lock-tables --quick --ignore-table={{ db_name }}.department --master-data=1 --skip-triggers")

 - name: state dump/import - file name should exist
  file: name={{ db_file_name }} state=file
@ -153,6 +166,9 @@

 - name: test state=import to restore the database of type {{ format_type }} (expect changed=true)
  mysql_db:
+    login_user: '{{ db_user }}'
+    login_password: '{{ db_user_unsafe_password }}'
+    unsafe_login_password: yes
    name: '{{ db_name }}'
    state: import
    target: '{{ db_file_name }}'