postgresql_sequence: add trust_input option (#295)

* Add trust_input option to postgresql_sequence Have added the trust_input option to the postgresql_sequence module. * Add changelog fragment Have added a changelog fragment for these changes.
2024-09-14 20:13:21 +02:00 · 2020-05-07 08:07:49 +02:00 · 2020-05-07 08:07:49 +02:00 · e4dd15a746
commit e4dd15a746
parent 9ff2c7685f
3 changed files with 50 additions and 6 deletions
--- a/changelogs/fragments/295-postgresql_sequence_add_trust_input.yml
+++ b/changelogs/fragments/295-postgresql_sequence_add_trust_input.yml
@ -0,0 +1,3 @@
+---
+minor_changes:
+  - postgresql_sequence - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/295).
--- a/plugins/modules/database/postgresql/postgresql_sequence.py
+++ b/plugins/modules/database/postgresql/postgresql_sequence.py
@ -135,6 +135,11 @@ options:
    aliases:
    - database
    - login_db
+  trust_input:
+    description:
+    - If C(no), check whether values of some parameters are potentially dangerous.
+    type: bool
+    default: yes
 notes:
 - If you do not pass db parameter, sequence will be created in the database
  named postgres.
@ -154,6 +159,7 @@ seealso:
  link: https://www.postgresql.org/docs/current/sql-dropsequence.html
 author:
 - Tobias Birkefeld (@tcraxs)
+- Thomas O'Donnell (@andytom)
 extends_documentation_fragment:
 - community.general.postgres

@ -299,7 +305,9 @@ except ImportError:
    pass

 from ansible.module_utils.basic import AnsibleModule
-from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
    connect_to_db,
    exec_sql,
@ -435,7 +443,7 @@ class Sequence(object):
        """Implements ALTER SEQUENCE RENAME TO command behavior."""
        query = ['ALTER SEQUENCE']
        query.append(self.__add_schema())
-        query.append('RENAME TO %s' % pg_quote_identifier(self.module.params['rename_to'], 'sequence'))
+        query.append('RENAME TO "%s"' % self.module.params['rename_to'])

        return exec_sql(self, ' '.join(query), return_bool=True)

@ -443,7 +451,7 @@ class Sequence(object):
        """Implements ALTER SEQUENCE OWNER TO command behavior."""
        query = ['ALTER SEQUENCE']
        query.append(self.__add_schema())
-        query.append('OWNER TO %s' % pg_quote_identifier(self.module.params['owner'], 'role'))
+        query.append('OWNER TO "%s"' % self.module.params['owner'])

        return exec_sql(self, ' '.join(query), return_bool=True)

@ -451,13 +459,12 @@ class Sequence(object):
        """Implements ALTER SEQUENCE SET SCHEMA command behavior."""
        query = ['ALTER SEQUENCE']
        query.append(self.__add_schema())
-        query.append('SET SCHEMA %s' % pg_quote_identifier(self.module.params['newschema'], 'schema'))
+        query.append('SET SCHEMA "%s"' % self.module.params['newschema'])

        return exec_sql(self, ' '.join(query), return_bool=True)

    def __add_schema(self):
-        return '.'.join([pg_quote_identifier(self.schema, 'schema'),
-                        pg_quote_identifier(self.name, 'sequence')])
+        return '"%s"."%s"' % (self.schema, self.name)


 # ===========================================
@ -483,6 +490,7 @@ def main():
        newschema=dict(type='str'),
        db=dict(type='str', default='', aliases=['login_db', 'database']),
        session_role=dict(type='str'),
+        trust_input=dict(type="bool", default=True),
    )
    module = AnsibleModule(
        argument_spec=argument_spec,
@ -510,6 +518,17 @@ def main():
        ]
    )

+    if not module.params["trust_input"]:
+        check_input(
+            module,
+            module.params['sequence'],
+            module.params['schema'],
+            module.params['rename_to'],
+            module.params['owner'],
+            module.params['newschema'],
+            module.params['session_role'],
+        )
+
    # Note: we don't need to check mutually exclusive params here, because they are
    # checked automatically by AnsibleModule (mutually_exclusive=[] list above).

--- a/tests/integration/targets/postgresql_sequence/tasks/postgresql_sequence_initial.yml
+++ b/tests/integration/targets/postgresql_sequence/tasks/postgresql_sequence_initial.yml
@ -1,3 +1,4 @@
+---
 # Copyright: (c) 2019, Tobias Birkefeld (@tcraxs) <t@craxs.de>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

@ -686,6 +687,27 @@
    that:
      - result.rowcount == 1

+####################
+# Test: create sequence with trust_input
+- name: postgresql_sequence - check that trust_input works as expected
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_sequence:
+    db: "{{ db_name }}"
+    login_user: "{{ pg_user }}"
+    name: 'just_a_name"; SELECT * FROM information_schema.tables; --'
+    trust_input: no
+    owner: "{{ db_user2 }}"
+  ignore_errors: yes
+  register: result
+
+# Checks
+- name: postgresql_sequence - check with assert the output
+  assert:
+    that:
+      - result is failed
+      - result.msg is search('is potentially dangerous')
+
 # Cleanup
 - name: postgresql_sequence - destroy DB
  become_user: "{{ pg_user }}"