
postgresql_privs: Fix bug with grant_option (#796)

This commit is contained in:
Milan Ilic 2020-08-21 12:57:26 +02:00 committed by GitHub
parent b797922e20
commit f3b82a9470
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 139 additions and 6 deletions


@ -0,0 +1,2 @@
bugfixes:
- postgresql_privs - the module was attempting to revoke grant options even though ``grant_option`` was not specified (https://github.com/ansible-collections/community.general/pull/796).


@ -864,12 +864,14 @@ class QueryBuilder(object):
self.query[-1] += ' WITH ADMIN OPTION;' self.query[-1] += ' WITH ADMIN OPTION;'
else: else:
self.query[-1] += ' WITH GRANT OPTION;' self.query[-1] += ' WITH GRANT OPTION;'
else: elif self._grant_option is False:
self.query[-1] += ';' self.query[-1] += ';'
if self._obj_type == 'group': if self._obj_type == 'group':
self.query.append('REVOKE ADMIN OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom)) self.query.append('REVOKE ADMIN OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
elif not self._obj_type == 'default_privs': elif not self._obj_type == 'default_privs':
self.query.append('REVOKE GRANT OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom)) self.query.append('REVOKE GRANT OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom))
else:
self.query[-1] += ';'
def add_default_priv(self): def add_default_priv(self):
for obj in self._objs: for obj in self._objs:
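Review bot: The new `elif self._grant_option is False:` turns `_grant_option` into a tri-state switch, but nothing in the hunk says what each state means, and a reader seeing the `is False` test next to the unlabeled `else:` (now the `None` path) will not know that an unspecified `grant_option` is meant to leave an existing grant option untouched rather than revoke it. I would put a comment above the `elif`: `# grant_option is tri-state: True adds WITH GRANT OPTION, False explicitly revokes it, None (not given by the caller) leaves any existing grant option alone.` The identity test also assumes `_grant_option` is always a real bool or None; that holds if it is fed straight from a `type='bool'` argument, but where it is assigned is outside this hunk. The method enclosing these lines starts before the hunk; only `add_default_priv` begins inside it.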


@ -59,11 +59,11 @@
- result is changed - result is changed
- name: Create schema with hyphen in the name - name: Create schema with hyphen in the name
postgresql_schema: postgresql_schema:
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
login_password: password login_password: password
db: "{{ db_name_with_hyphens }}" db: "{{ db_name_with_hyphens }}"
name: "{{ db_schema_with_hyphens }}" name: "{{ db_schema_with_hyphens }}"
state: present state: present
register: result register: result
@ -71,12 +71,12 @@
that: that:
- result is changed - result is changed
- name: Set table default privs on the schema with hyphen in the name - name: Set table default privs on the schema with hyphen in the name
postgresql_privs: postgresql_privs:
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
password: password password: password
db: "{{ db_name_with_hyphens }}" db: "{{ db_name_with_hyphens }}"
schema: "{{ db_schema_with_hyphens }}" schema: "{{ db_schema_with_hyphens }}"
role: "{{ db_user_with_hyphens }}" role: "{{ db_user_with_hyphens }}"
type: default_privs type: default_privs
obj: TABLES obj: TABLES
@ -683,6 +683,135 @@
- result.rowcount == 0 - result.rowcount == 0
when: postgres_version_resp.stdout is version('10', '>=') when: postgres_version_resp.stdout is version('10', '>=')
# Test
- name: Grant execute with grant option on pg_create_restore_point function
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
grant_option: yes
state: present
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is changed
- name: Check that user has GRANT privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}=X*/{{ pg_user }}' in result.query_result[0].proacl"
# Test
- name: Grant execute without specifying grant_option to check idempotence
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
state: present
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is not changed
- name: Check that user has GRANT privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}=X*/{{ pg_user }}' in result.query_result[0].proacl"
# Test
- name: Revoke grant option on pg_create_restore_point function
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
grant_option: no
state: present
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is changed
- name: Check that user does not have GRANT privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}=X/{{ pg_user }}' in result.query_result[0].proacl"
# Test
- name: Revoke execute on pg_create_restore_point function
postgresql_privs:
privs: EXECUTE
type: function
schema: pg_catalog
obj: pg_create_restore_point(text)
db: "{{ db_name }}"
roles: "{{ db_user2 }}"
login_user: "{{ pg_user }}"
state: absent
become: yes
become_user: "{{ pg_user }}"
register: result
# Checks
- assert:
that: result is changed
- name: Check that user does not have EXECUTE privilege on the function
postgresql_query:
query: SELECT proacl FROM pg_proc WHERE proname='pg_create_restore_point'
db: "{{ db_name }}"
login_user: "{{ db_user2 }}"
login_password: password
become: yes
become_user: "{{ pg_user }}"
register: result
- assert:
that: "'{{ db_user2 }}' not in result.query_result[0].proacl"
# Test # Test
- name: Grant execute to all tables - name: Grant execute to all tables
@ -934,7 +1063,7 @@
that: that:
- "'{{ db_user2 }}' in typ_result.query_result[0].typacl" - "'{{ db_user2 }}' in typ_result.query_result[0].typacl"
when: postgres_version_resp.stdout is version('10', '>=') when: postgres_version_resp.stdout is version('10', '>=')
- name: Revoke type privileges in check_mode - name: Revoke type privileges in check_mode
become: yes become: yes
become_user: "{{ pg_user }}" become_user: "{{ pg_user }}"
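Review bot: The final check in the third hunk, `that: "'{{ db_user2 }}' not in result.query_result[0].proacl"`, only proves EXECUTE was revoked if `proacl` comes back as a single string such as `{owner=X/owner,user2=X*/owner}` (a substring test); if the driver returns the `aclitem[]` column as a list, `'user2' not in [...]` is true whether or not the revoke happened, because no element equals the bare role name, and the same would make the earlier `'{{ db_user2 }}=X*/{{ pg_user }}' in ...` checks depend on exact element equality. The existing `typacl` assertion just above the last hunk uses the same pattern, so this is consistent with the file, but a one-line comment above the first `# Checks` stating which representation the assertions rely on would make the intent explicit, e.g. `# proacl is compared as the textual aclitem[] string, so these are substring checks`. As a matter of style, the new tasks mix `grant_option: yes` / `grant_option: no` with `state: present`; the file already uses `yes` for `become`, so it is consistent, but `true`/`false` would avoid the YAML 1.1 boolean spelling that newer linters flag.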