postgresql_publication: add trust_input and session_role parameters (#279)

* postgresql_publication: add trust_input and session_role parameters * add changelog fragment
2024-09-14 20:13:21 +02:00 · 2020-05-05 16:36:14 +03:00 · 2020-05-05 16:36:14 +03:00 · e6b6c05bf7
commit e6b6c05bf7
parent 30e84111f0
3 changed files with 52 additions and 3 deletions
--- a/changelogs/fragments/279-postgresql_publication_add_trust_input_session_role.yml
+++ b/changelogs/fragments/279-postgresql_publication_add_trust_input_session_role.yml
@ -0,0 +1,3 @@
+minor_changes:
+- postgresql_publication - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/279).
+- postgresql_publication - add the ``session_role`` parameter (https://github.com/ansible-collections/community.general/pull/279).
--- a/plugins/modules/database/postgresql/postgresql_publication.py
+++ b/plugins/modules/database/postgresql/postgresql_publication.py
@ -62,6 +62,18 @@ options:
    - Drop publication dependencies. Has effect with I(state=absent) only.
    type: bool
    default: false
+  session_role:
+    description:
+    - Switch to session_role after connecting. The specified session_role must
+      be a role that the current login_user is a member of.
+    - Permissions checking for SQL commands is carried out as though
+      the session_role were the one that had logged in originally.
+    type: str
+  trust_input:
+    description:
+    - If C(no), check whether values of some parameters are potentially dangerous.
+    type: bool
+    default: yes
 notes:
 - PostgreSQL version must be 10 or greater.
 seealso:
@ -167,7 +179,10 @@ except ImportError:
    pass

 from ansible.module_utils.basic import AnsibleModule
-from ansible_collections.community.general.plugins.module_utils.database import pg_quote_identifier
+from ansible_collections.community.general.plugins.module_utils.database import (
+    check_input,
+    pg_quote_identifier,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
    connect_to_db,
    exec_sql,
@ -538,8 +553,8 @@ class PgPublication():
        Returns:
            True if successful, False otherwise.
        """
-        query = ("ALTER PUBLICATION %s OWNER TO %s" % (pg_quote_identifier(self.name, 'publication'),
-                                                       pg_quote_identifier(role, 'role')))
+        query = ('ALTER PUBLICATION %s '
+                 'OWNER TO "%s"' % (pg_quote_identifier(self.name, 'publication'), role))
        return self.__exec_sql(query, check_mode=check_mode)

    def __exec_sql(self, query, check_mode=False):
@ -580,6 +595,8 @@ def main():
        parameters=dict(type='dict'),
        owner=dict(type='str'),
        cascade=dict(type='bool', default=False),
+        session_role=dict(type='str'),
+        trust_input=dict(type='bool', default=True),
    )
    module = AnsibleModule(
        argument_spec=argument_spec,
@ -593,6 +610,17 @@ def main():
    params = module.params['parameters']
    owner = module.params['owner']
    cascade = module.params['cascade']
+    session_role = module.params['session_role']
+    trust_input = module.params['trust_input']
+
+    if not trust_input:
+        # Check input for potentially dangerous elements:
+        if not params:
+            params_list = None
+        else:
+            params_list = ['%s = %s' % (k, v) for k, v in iteritems(params)]
+
+        check_input(module, name, tables, owner, session_role, params_list)

    if state == 'absent':
        if tables:
--- a/tests/integration/targets/postgresql_publication/tasks/postgresql_publication_initial.yml
+++ b/tests/integration/targets/postgresql_publication/tasks/postgresql_publication_initial.yml
@ -8,6 +8,7 @@
    test_table3: acme3
    test_pub: acme_publ
    test_role: alice
+    dangerous_name: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
    test_schema: acme_schema
    test_db: acme_db
    task_parameters: &task_parameters
@ -178,6 +179,7 @@
      tables:
      - '{{ test_table1 }}'
      - '{{ test_schema }}.{{ test_table2 }}'
+      trust_input: yes
      parameters:
        publish: 'insert'

@ -225,6 +227,22 @@
      that:
      - result.rowcount == 1

+  # Test
+  - name: postgresql_publication - test trust_input parameter
+    <<: *task_parameters
+    postgresql_publication: 
+      <<: *pg_parameters
+      name: '{{ test_pub }}'
+      session_role: '{{ dangerous_name }}'
+      owner: '{{ dangerous_name }}'
+      trust_input: no
+    ignore_errors: yes
+
+  - assert:
+      that:
+      - result is failed
+      - result.msg is search('is potentially dangerous')
+
  # Test
  - name: postgresql_publication - add table to publication, change owner, check_mode
    <<: *task_parameters