
postgresql_privs: Fix bug with grant_option (#796)

This commit is contained in:
Milan Ilic 2020-08-21 12:57:26 +02:00 committed by GitHub
parent b797922e20
commit f3b82a9470
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 139 additions and 6 deletions


@ -0,0 +1,2 @@
bugfixes:
- postgresql_privs - the module was attempting to revoke grant options even though ``grant_option`` was not specified (https://github.com/ansible-collections/community.general/pull/796).


@ -864,12 +864,14 @@ class QueryBuilder(object):
self.query[-1] += ' WITH ADMIN OPTION;' self.query[-1] += ' WITH ADMIN OPTION;'
else: else:
self.query[-1] += ' WITH GRANT OPTION;' self.query[-1] += ' WITH GRANT OPTION;'
else: elif self._grant_option is False:
self.query[-1] += ';' self.query[-1] += ';'
if self._obj_type == 'group': if self._obj_type == 'group':
self.query.append('REVOKE ADMIN OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom)) self.query.append('REVOKE ADMIN OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
elif not self._obj_type == 'default_privs': elif not self._obj_type == 'default_privs':
self.query.append('REVOKE GRANT OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom)) self.query.append('REVOKE GRANT OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
else:
self.query[-1] += ';'
def add_default_priv(self): def add_default_priv(self):
for obj in self._objs: for obj in self._objs:
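Review bot: The new `elif self._grant_option is False:` branch relies on the module leaving `grant_option` at `None` when the playbook omits it, and nothing in the hunk records that contract; a reader who later gives the option a boolean default would silently reintroduce the unwanted REVOKE. Add a comment above that line such as `# grant_option is tri-state: True adds the option, False revokes it, None (unset) leaves existing grant options untouched`. The trailing `else:` that only appends `';'` is the unset case; it is presumably correct but reads as an afterthought, so a one-line comment like `# grant_option not specified: just terminate the GRANT` would help. The `if self._grant_option:` that opens this chain and the enclosing method both start outside the hunk.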


@ -683,6 +683,135 @@
- result.rowcount == 0 - result.rowcount == 0
when: postgres_version_resp.stdout is version('10', '>=') when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute with grant option on pg_create_restore_point function
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
grant_option: yes
state: present
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is changed
- name: Check that user has GRANT privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}=X*/{{ pg_user }}' in result.query_result[0].proacl"
# Test
- name: Grant execute without specifying grant_option to check idempotence
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
state: present
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is not changed
- name: Check that user has GRANT privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}=X*/{{ pg_user }}' in result.query_result[0].proacl"
# Test
- name: Revoke grant option on pg_create_restore_point function
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
grant_option: no
state: present
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is changed
- name: Check that user does not have GRANT privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}=X/{{ pg_user }}' in result.query_result[0].proacl"
# Test
- name: Revoke execute on pg_create_restore_point function
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
state: absent
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is changed
- name: Check that user does not have EXECUTE privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}' not in result.query_result[0].proacl"
# Test # Test
- name: Grant execute to all tables - name: Grant execute to all tables