From e4dd15a7467f61d20bc0f6531c535f089e9045ab Mon Sep 17 00:00:00 2001 From: Thomas O'Donnell Date: Thu, 7 May 2020 08:07:49 +0200 Subject: [PATCH] postgresql_sequence: add trust_input option (#295) * Add trust_input option to postgresql_sequence Have added the trust_input option to the postgresql_sequence module. * Add changelog fragment Have added a changelog fragment for these changes. --- ...95-postgresql_sequence_add_trust_input.yml | 3 ++ .../postgresql/postgresql_sequence.py | 31 +++++++++++++++---- .../tasks/postgresql_sequence_initial.yml | 22 +++++++++++++ 3 files changed, 50 insertions(+), 6 deletions(-) create mode 100644 changelogs/fragments/295-postgresql_sequence_add_trust_input.yml diff --git a/changelogs/fragments/295-postgresql_sequence_add_trust_input.yml b/changelogs/fragments/295-postgresql_sequence_add_trust_input.yml new file mode 100644 index 0000000000..a18cf1240d --- /dev/null +++ b/changelogs/fragments/295-postgresql_sequence_add_trust_input.yml @@ -0,0 +1,3 @@ +--- +minor_changes: + - postgresql_sequence - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/295). diff --git a/plugins/modules/database/postgresql/postgresql_sequence.py b/plugins/modules/database/postgresql/postgresql_sequence.py index f81d05ee20..6a4906b835 100644 --- a/plugins/modules/database/postgresql/postgresql_sequence.py +++ b/plugins/modules/database/postgresql/postgresql_sequence.py @@ -135,6 +135,11 @@ options: aliases: - database - login_db + trust_input: + description: + - If C(no), check whether values of some parameters are potentially dangerous. + type: bool + default: yes notes: - If you do not pass db parameter, sequence will be created in the database named postgres. @@ -154,6 +159,7 @@ seealso: link: https://www.postgresql.org/docs/current/sql-dropsequence.html author: - Tobias Birkefeld (@tcraxs) +- Thomas O'Donnell (@andytom) extends_documentation_fragment: - community.general.postgres 
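Review bot: The new `trust_input` description says only that "some parameters" are checked when it is `no`; it should name them and say what the default means, because with `default: yes` those same values go into SQL with no check at all. Suggested wording: `- If C(no), check whether values of parameters I(sequence), I(schema), I(rename_to), I(owner), I(newschema), I(session_role) are potentially dangerous. With the default C(yes) no check is made, so only pass trusted values.` The parameter list is the one passed to `check_input` in `main()` later in this patch.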
@@ -299,7 +305,9 @@ except ImportError: pass from ansible.module_utils.basic import AnsibleModule -from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier +from ansible_collections.community.general.plugins.module_utils.database import ( + check_input, +) from ansible_collections.community.general.plugins.module_utils.postgres import ( connect_to_db, exec_sql, @@ -435,7 +443,7 @@ class Sequence(object): """Implements ALTER SEQUENCE RENAME TO command behavior.""" query = ['ALTER SEQUENCE'] query.append(self.__add_schema()) - query.append('RENAME TO %s' % pg_quote_identifier(self.module.params['rename_to'], 'sequence')) + query.append('RENAME TO "%s"' % self.module.params['rename_to']) return exec_sql(self, ' '.join(query), return_bool=True) @@ -443,7 +451,7 @@ class Sequence(object): """Implements ALTER SEQUENCE OWNER TO command behavior.""" query = ['ALTER SEQUENCE'] query.append(self.__add_schema()) - query.append('OWNER TO %s' % pg_quote_identifier(self.module.params['owner'], 'role')) + query.append('OWNER TO "%s"' % self.module.params['owner']) return exec_sql(self, ' '.join(query), return_bool=True) @@ -451,13 +459,12 @@ class Sequence(object): """Implements ALTER SEQUENCE SET SCHEMA command behavior.""" query = ['ALTER SEQUENCE'] query.append(self.__add_schema()) - query.append('SET SCHEMA %s' % pg_quote_identifier(self.module.params['newschema'], 'schema')) + query.append('SET SCHEMA "%s"' % self.module.params['newschema']) return exec_sql(self, ' '.join(query), return_bool=True) def __add_schema(self): - return '.'.join([pg_quote_identifier(self.schema, 'schema'), - pg_quote_identifier(self.name, 'sequence')]) + return '"%s"."%s"' % (self.schema, self.name) # =========================================== 
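Review bot: `'RENAME TO "%s"' % self.module.params['rename_to']` drops the escaping the removed `pg_quote_identifier` call performed, so a value containing a double quote closes the quoted identifier and whatever follows is sent to the server as SQL; with `trust_input` defaulting to `yes` nothing else validates this value. PostgreSQL's rule for quoted identifiers is to double an embedded `"`, which keeps the one-line shape: `query.append('RENAME TO "%s"' % self.module.params['rename_to'].replace('"', '""'))`. The same construction recurs for `OWNER TO`, `SET SCHEMA` and `__add_schema` in the hunks below, so a private helper shared by all four sites would be cleaner than repeating the replace. The method whose docstring opens this hunk starts before it.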
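Review bot: `__add_schema` now returns `'"%s"."%s"' % (self.schema, self.name)`, and this fragment is prepended to every ALTER SEQUENCE statement in the class, so an embedded `"` in either value ends the quoted identifier; the removed `pg_quote_identifier` version was the only escaping step, and the new `check_input` path only runs when a caller sets `trust_input: no`. Doubling embedded double quotes is the PostgreSQL escape for quoted identifiers and costs nothing to keep regardless of `trust_input`, so I would add a private helper and route the three `ALTER SEQUENCE ... TO` sites above through it as well. The `SET SCHEMA` method whose docstring opens this hunk starts before the hunk.

```python
    def __quote_ident(self, value):
        """Return value as a quoted PostgreSQL identifier, doubling any embedded double quote."""
        return '"%s"' % value.replace('"', '""')

    def __add_schema(self):
        # … the RENAME TO / OWNER TO / SET SCHEMA methods above would quote their parameter the same way …
        return '%s.%s' % (self.__quote_ident(self.schema), self.__quote_ident(self.name))
```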
@@ -483,6 +490,7 @@ def main(): newschema=dict(type='str'), db=dict(type='str', default='', aliases=['login_db', 'database']), session_role=dict(type='str'), + trust_input=dict(type="bool", default=True), ) module = AnsibleModule( argument_spec=argument_spec, @@ -510,6 +518,17 @@ def main(): ] ) + if not module.params["trust_input"]: + check_input( + module, + module.params['sequence'], + module.params['schema'], + module.params['rename_to'], + module.params['owner'], + module.params['newschema'], + module.params['session_role'], + ) + # Note: we don't need to check mutually exclusive params here, because they are # checked automatically by AnsibleModule (mutually_exclusive=[] list above). diff --git a/tests/integration/targets/postgresql_sequence/tasks/postgresql_sequence_initial.yml b/tests/integration/targets/postgresql_sequence/tasks/postgresql_sequence_initial.yml index 29507391d8..f3672f265d 100644 --- a/tests/integration/targets/postgresql_sequence/tasks/postgresql_sequence_initial.yml +++ b/tests/integration/targets/postgresql_sequence/tasks/postgresql_sequence_initial.yml @@ -1,3 +1,4 @@ +--- # Copyright: (c) 2019, Tobias Birkefeld (@tcraxs) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) @@ -686,6 +687,27 @@ that: - result.rowcount == 1 +#################### +# Test: create sequence with trust_input +- name: postgresql_sequence - check that trust_input works as expected + become_user: "{{ pg_user }}" + become: yes + postgresql_sequence: + db: "{{ db_name }}" + login_user: "{{ pg_user }}" + name: 'just_a_name"; SELECT * FROM information_schema.tables; --' + trust_input: no + owner: "{{ db_user2 }}" + ignore_errors: yes + register: result + +# Checks +- name: postgresql_sequence - check with assert the output + assert: + that: + - result is failed + - result.msg is search('is potentially dangerous') + # Cleanup - name: postgresql_sequence - destroy DB become_user: "{{ pg_user }}"
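Review bot: The `check_input` call is gated on `trust_input` being `no`, and the new default is `yes`, so in the default configuration none of `sequence`, `schema`, `rename_to`, `owner`, `newschema` or `session_role` is validated before the `Sequence` methods changed earlier in this patch format it into SQL — and the same patch removed the `pg_quote_identifier` escaping those methods had, so the default path ends up weaker than before the commit. If the default must stay `yes` for compatibility, the `Sequence` quoting should escape embedded double quotes independently of this flag; otherwise consider `trust_input=dict(type="bool", default=False)` here together with `default: no` in the documentation. What `check_input` rejects is not visible in this patch beyond the "is potentially dangerous" message the test expects. `main()` starts before and continues after this hunk.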
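Review bot: The new task puts the payload only in `name`, so it exercises the `sequence` parameter and not `rename_to`, `owner` or `newschema`, which are exactly the values whose quoting this commit changed in the RENAME TO, OWNER TO and SET SCHEMA methods. A second task with the same `trust_input: no` and the payload moved to one of those, e.g. `rename_to: 'just_a_name"; SELECT * FROM information_schema.tables; --'` against an existing sequence, would cover that path and the `check_input` argument list. The assertion on `result.msg` relies on wording from `check_input` that is not part of this patch, so it will need updating if that helper's message changes.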