postgresql_sequence: add trust_input option (#295)

* Add trust_input option to postgresql_sequence

Have added the trust_input option to the postgresql_sequence module.

* Add changelog fragment

Have added a changelog fragment for these changes.

changelogs/fragments/295-postgresql_sequence_add_trust_input.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - postgresql_sequence - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/295).

plugins/modules/database/postgresql/postgresql_sequence.py

@@ -135,6 +135,11 @@ options:
     aliases:
     - database
     - login_db
+  trust_input:
+    description:
+    - If C(no), check whether values of some parameters are potentially dangerous.
+    type: bool
+    default: yes
 notes:
 - If you do not pass db parameter, sequence will be created in the database
   named postgres.
@@ -154,6 +159,7 @@ seealso:
   link: https://www.postgresql.org/docs/current/sql-dropsequence.html
 author:
 - Tobias Birkefeld (@tcraxs)
+- Thomas O'Donnell (@andytom)
 extends_documentation_fragment:
 - community.general.postgres
 
@@ -299,7 +305,9 @@ except ImportError:
     pass
 
 from ansible.module_utils.basic import AnsibleModule
-from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
     connect_to_db,
     exec_sql,
@@ -435,7 +443,7 @@ class Sequence(object):
         """Implements ALTER SEQUENCE RENAME TO command behavior."""
         query = ['ALTER SEQUENCE']
         query.append(self.__add_schema())
-        query.append('RENAME TO %s' % pg_quote_identifier(self.module.params['rename_to'], 'sequence'))
+        query.append('RENAME TO "%s"' % self.module.params['rename_to'])
 
         return exec_sql(self, ' '.join(query), return_bool=True)
 
@@ -443,7 +451,7 @@ class Sequence(object):
         """Implements ALTER SEQUENCE OWNER TO command behavior."""
         query = ['ALTER SEQUENCE']
         query.append(self.__add_schema())
-        query.append('OWNER TO %s' % pg_quote_identifier(self.module.params['owner'], 'role'))
+        query.append('OWNER TO "%s"' % self.module.params['owner'])
 
         return exec_sql(self, ' '.join(query), return_bool=True)
 
@@ -451,13 +459,12 @@ class Sequence(object):
         """Implements ALTER SEQUENCE SET SCHEMA command behavior."""
         query = ['ALTER SEQUENCE']
         query.append(self.__add_schema())
-        query.append('SET SCHEMA %s' % pg_quote_identifier(self.module.params['newschema'], 'schema'))
+        query.append('SET SCHEMA "%s"' % self.module.params['newschema'])
 
         return exec_sql(self, ' '.join(query), return_bool=True)
 
     def __add_schema(self):
-        return '.'.join([pg_quote_identifier(self.schema, 'schema'),
+        return '"%s"."%s"' % (self.schema, self.name)
-                        pg_quote_identifier(self.name, 'sequence')])
 
 
 # ===========================================
@@ -483,6 +490,7 @@ def main():
         newschema=dict(type='str'),
         db=dict(type='str', default='', aliases=['login_db', 'database']),
         session_role=dict(type='str'),
+        trust_input=dict(type="bool", default=True),
     )
     module = AnsibleModule(
         argument_spec=argument_spec,
@@ -510,6 +518,17 @@ def main():
         ]
     )
 
+    if not module.params["trust_input"]:
+        check_input(
+            module,
+            module.params['sequence'],
+            module.params['schema'],
+            module.params['rename_to'],
+            module.params['owner'],
+            module.params['newschema'],
+            module.params['session_role'],
+        )
+
     # Note: we don't need to check mutually exclusive params here, because they are
     # checked automatically by AnsibleModule (mutually_exclusive=[] list above).
 

tests/integration/targets/postgresql_sequence/tasks/postgresql_sequence_initial.yml

@@ -1,3 +1,4 @@
+---
 # Copyright: (c) 2019, Tobias Birkefeld (@tcraxs) <t@craxs.de>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
@@ -686,6 +687,27 @@
     that:
       - result.rowcount == 1
 
+####################
+# Test: create sequence with trust_input
+- name: postgresql_sequence - check that trust_input works as expected
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_sequence:
+    db: "{{ db_name }}"
+    login_user: "{{ pg_user }}"
+    name: 'just_a_name"; SELECT * FROM information_schema.tables; --'
+    trust_input: no
+    owner: "{{ db_user2 }}"
+  ignore_errors: yes
+  register: result
+
+# Checks
+- name: postgresql_sequence - check with assert the output
+  assert:
+    that:
+      - result is failed
+      - result.msg is search('is potentially dangerous')
+
 # Cleanup
 - name: postgresql_sequence - destroy DB
   become_user: "{{ pg_user }}"