# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) #################### # Prepare for tests: # Create test roles: - name: postgresql_membership - create test roles become_user: "{{ pg_user }}" become: yes postgresql_user: login_user: "{{ pg_user }}" db: postgres name: "{{ item }}" ignore_errors: yes with_items: - "{{ test_group1 }}" - "{{ test_group2 }}" - "{{ test_group3 }}" - "{{ test_user1 }}" - "{{ test_user2 }}" ################ # Do main tests: ### Test check_mode # Grant test_group1 to test_user1 in check_mode: - name: postgresql_membership - grant test_group1 to test_user1 in check_mode become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group1 }}" user: "{{ test_user1 }}" state: present register: result ignore_errors: yes check_mode: yes - assert: that: - result is changed - result.groups == ["{{ test_group1 }}"] - result.queries == ["GRANT \"{{ test_group1 }}\" TO \"{{ test_user1 }}\""] - result.granted.{{ test_group1 }} == ["{{ test_user1 }}"] - result.state == "present" - result.target_roles == ["{{ test_user1 }}"] # Try to revoke test_group1 from test_user1 to check that # nothing actually changed in check_mode at the previous step: - name: postgresql_membership - try to revoke test_group1 from test_user1 for checking check_mode become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group1 }}" user: "{{ test_user1 }}" state: absent register: result ignore_errors: yes check_mode: yes - assert: that: - result is not changed - result.groups == ["{{ test_group1 }}"] - result.queries == [] - result.revoked.{{ test_group1 }} == [] - result.state == "absent" - result.target_roles == ["{{ test_user1 }}"] ### End of test check_mode # Grant test_group1 to test_user1: - name: postgresql_membership - grant test_group1 to test_user1 become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group1 }}" user: "{{ test_user1 }}" state: present register: result ignore_errors: yes - assert: that: - result is changed - result.groups == ["{{ test_group1 }}"] - result.queries == ["GRANT \"{{ test_group1 }}\" TO \"{{ test_user1 }}\""] - result.granted.{{ test_group1 }} == ["{{ test_user1 }}"] - result.state == "present" - result.target_roles == ["{{ test_user1 }}"] # Grant test_group1 to test_user1 again to check that nothing changes: - name: postgresql_membership - grant test_group1 to test_user1 again become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group1 }}" user: "{{ test_user1 }}" state: present register: result ignore_errors: yes - assert: that: - result is not changed - result.groups == ["{{ test_group1 }}"] - result.queries == [] - result.granted.{{ test_group1 }} == [] - result.state == "present" - result.target_roles == ["{{ test_user1 }}"] # Revoke test_group1 from test_user1: - name: postgresql_membership - revoke test_group1 from test_user1 become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group1 }}" user: "{{ test_user1 }}" state: absent register: result ignore_errors: yes - assert: that: - result is changed - result.groups == ["{{ test_group1 }}"] - result.queries == ["REVOKE \"{{ test_group1 }}\" FROM \"{{ test_user1 }}\""] - result.revoked.{{ test_group1 }} == ["{{ test_user1 }}"] - result.state == "absent" - result.target_roles == ["{{ test_user1 }}"] # Revoke test_group1 from test_user1 again to check that nothing changes: - name: postgresql_membership - revoke test_group1 from test_user1 again become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group1 }}" user: "{{ test_user1 }}" state: absent register: result ignore_errors: yes - assert: that: - result is not changed - result.groups == ["{{ test_group1 }}"] - result.queries == [] - result.revoked.{{ test_group1 }} == [] - result.state == "absent" - result.target_roles == ["{{ test_user1 }}"] # Grant test_group1 and test_group2 to test_user1 and test_user2: - name: postgresql_membership - grant two groups to two users become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: - "{{ test_group1 }}" - "{{ test_group2 }}" user: - "{{ test_user1 }}" - "{{ test_user2 }}" state: present register: result ignore_errors: yes - assert: that: - result is changed - result.groups == ["{{ test_group1 }}", "{{ test_group2 }}"] - result.queries == ["GRANT \"{{ test_group1 }}\" TO \"{{ test_user1 }}\"", "GRANT \"{{ test_group1 }}\" TO \"{{ test_user2 }}\"", "GRANT \"{{ test_group2 }}\" TO \"{{ test_user1 }}\"", "GRANT \"{{ test_group2 }}\" TO \"{{ test_user2 }}\""] - result.granted.{{ test_group1 }} == ["{{ test_user1 }}", "{{ test_user2 }}"] - result.granted.{{ test_group2 }} == ["{{ test_user1 }}", "{{ test_user2 }}"] - result.state == "present" - result.target_roles == ["{{ test_user1 }}", "{{ test_user2 }}"] # Grant test_group1 and test_group2 to test_user1 and test_user2 again to check that nothing changes: - name: postgresql_membership - grant two groups to two users again become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: - "{{ test_group1 }}" - "{{ test_group2 }}" user: - "{{ test_user1 }}" - "{{ test_user2 }}" state: present register: result ignore_errors: yes - assert: that: - result is not changed - result.groups == ["{{ test_group1 }}", "{{ test_group2 }}"] - result.queries == [] - result.granted.{{ test_group1 }} == [] - result.granted.{{ test_group2 }} == [] - result.state == "present" - result.target_roles == ["{{ test_user1 }}", "{{ test_user2 }}"] # Revoke only test_group1 from test_user1: - name: postgresql_membership - revoke one group from one user become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group1 }}" user: "{{ test_user1 }}" state: absent register: result ignore_errors: yes - assert: that: - result is changed - result.groups == ["{{ test_group1 }}"] - result.queries == ["REVOKE \"{{ test_group1 }}\" FROM \"{{ test_user1 }}\""] - result.revoked.{{ test_group1 }} == ["{{ test_user1 }}"] - result.state == "absent" - result.target_roles == ["{{ test_user1 }}"] # Try to grant test_group1 and test_group2 to test_user1 and test_user2 again # to check that nothing changes with test_user2: - name: postgresql_membership - grant two groups to two users again become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: - "{{ test_group1 }}" - "{{ test_group2 }}" user: - "{{ test_user1 }}" - "{{ test_user2 }}" state: present register: result ignore_errors: yes - assert: that: - result is changed - result.groups == ["{{ test_group1 }}", "{{ test_group2 }}"] - result.queries == ["GRANT \"{{ test_group1 }}\" TO \"{{ test_user1 }}\""] - result.granted.{{ test_group1 }} == ["{{ test_user1 }}"] - result.granted.{{ test_group2 }} == [] - result.state == "present" - result.target_roles == ["{{ test_user1 }}", "{{ test_user2 }}"] ##################### # Check fail_on_role: # Try to grant non existent group to non existent role with fail_on_role=yes: - name: postgresql_membership - revoke non existen group from non existen role become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: fake_group user: fake_user state: present fail_on_role: yes register: result ignore_errors: yes - assert: that: - result is not changed # Try to grant non existent group to non existent role with fail_on_role=no: - name: postgresql_membership - revoke non existen group from non existen role become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: fake_group user: fake_user state: present fail_on_role: no register: result ignore_errors: yes - assert: that: - result is not changed - result.granted == {} - result.groups == [] - result.target_roles == [] - result.state == 'present' # Try to revoke non existent group from non existent role with fail_on_role=no: - name: postgresql_membership - revoke non existen group from non existen role become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: fake_group user: fake_user state: absent fail_on_role: no register: result ignore_errors: yes - assert: that: - result is not changed - result.revoked == {} - result.groups == [] - result.target_roles == [] - result.state == 'absent' # Grant test_group3 with a name containing dots to test_user1. - name: postgresql_membership - grant test_group3 with dots to test_user1 become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: "{{ test_group3 }}" user: "{{ test_user1 }}" state: present register: result - assert: that: - result is changed - result.queries == ["GRANT \"{{ test_group3 }}\" TO \"{{ test_user1 }}\""] ############################# # Check trust_input parameter - name: postgresql_membership - try to use dangerous input, don't trust become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: - "{{ test_group3}}" - "{{ dangerous_name }}" user: "{{ test_user1 }}" state: present trust_input: no register: result ignore_errors: yes - assert: that: - result is failed - result.msg == 'Passed input \'{{ dangerous_name }}\' is potentially dangerous' - name: postgresql_membership - try to use dangerous input, trust explicitly become_user: "{{ pg_user }}" become: yes postgresql_membership: login_user: "{{ pg_user }}" db: postgres group: - "{{ test_group3}}" - "{{ dangerous_name }}" user: "{{ test_user1 }}" state: present trust_input: yes register: result ignore_errors: yes - assert: that: - result is failed - result.msg == 'Role {{ dangerous_name }} does not exist'