1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

postgresql_publication: add trust_input and session_role parameters (#279)

* postgresql_publication: add trust_input and session_role parameters

* add changelog fragment
This commit is contained in:
Andrew Klychkov 2020-05-05 16:36:14 +03:00 committed by GitHub
parent 30e84111f0
commit e6b6c05bf7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 52 additions and 3 deletions

View file

@ -0,0 +1,3 @@
minor_changes:
- postgresql_publication - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/279).
- postgresql_publication - add the ``session_role`` parameter (https://github.com/ansible-collections/community.general/pull/279).

View file

@ -62,6 +62,18 @@ options:
- Drop publication dependencies. Has effect with I(state=absent) only.
type: bool
default: false
session_role:
description:
- Switch to session_role after connecting. The specified session_role must
be a role that the current login_user is a member of.
- Permissions checking for SQL commands is carried out as though
the session_role were the one that had logged in originally.
type: str
trust_input:
description:
- If C(no), check whether values of some parameters are potentially dangerous.
type: bool
default: yes
notes:
- PostgreSQL version must be 10 or greater.
seealso:
@ -167,7 +179,10 @@ except ImportError:
pass
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
pg_quote_identifier,
)
from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db,
exec_sql,
@ -538,8 +553,8 @@ class PgPublication():
Returns:
True if successful, False otherwise.
"""
query = ("ALTER PUBLICATION %s OWNER TO %s" % (pg_quote_identifier(self.name, 'publication'),
pg_quote_identifier(role, 'role')))
query = ('ALTER PUBLICATION %s '
'OWNER TO "%s"' % (pg_quote_identifier(self.name, 'publication'), role))
return self.__exec_sql(query, check_mode=check_mode)
def __exec_sql(self, query, check_mode=False):
@ -580,6 +595,8 @@ def main():
parameters=dict(type='dict'),
owner=dict(type='str'),
cascade=dict(type='bool', default=False),
session_role=dict(type='str'),
trust_input=dict(type='bool', default=True),
)
module = AnsibleModule(
argument_spec=argument_spec,
@ -593,6 +610,17 @@ def main():
params = module.params['parameters']
owner = module.params['owner']
cascade = module.params['cascade']
session_role = module.params['session_role']
trust_input = module.params['trust_input']
if not trust_input:
# Check input for potentially dangerous elements:
if not params:
params_list = None
else:
params_list = ['%s = %s' % (k, v) for k, v in iteritems(params)]
check_input(module, name, tables, owner, session_role, params_list)
if state == 'absent':
if tables:

View file

@ -8,6 +8,7 @@
test_table3: acme3
test_pub: acme_publ
test_role: alice
dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
test_schema: acme_schema
test_db: acme_db
task_parameters: &task_parameters
@ -178,6 +179,7 @@
tables:
- '{{ test_table1 }}'
- '{{ test_schema }}.{{ test_table2 }}'
trust_input: yes
parameters:
publish: 'insert'
@ -225,6 +227,22 @@
that:
- result.rowcount == 1
# Test
- name: postgresql_publication - test trust_input parameter
<<: *task_parameters
postgresql_publication:
<<: *pg_parameters
name: '{{ test_pub }}'
session_role: '{{ dangerous_name }}'
owner: '{{ dangerous_name }}'
trust_input: no
ignore_errors: yes
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')
# Test
- name: postgresql_publication - add table to publication, change owner, check_mode
<<: *task_parameters