mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
32d6a354d7
* Set encrypted as default and fix empty password reporting changed * Starting with Postgres 10 `UNENCRYPTED` passwords are removed and because of that this module fails with the default `encrypted=no`. Also encrypted passwords are suported since version 7.2 (https://www.postgresql.org/docs/7.2/static/sql-createuser.html) which went EOL in 2007 and since 7.3 it is the default. Because of this it makes a lot more sense to make `encrypted=yes` the default. This won't break backward compatibility, the module would just update the user's password in the DB in the hashed format and everything else will work like before. It's also a security bad practice to store passwords in plain text. fixes #25823 * There was also a bug with `encrypted=yes` and an empty password always reported as changed. * Improved documentation for `encrypted`/`password` parameters, and removed some obsolete notes about passlib. * Fix clearing user's password to work with all versions of Postgres * Add tests for clearing the user password * Fix documentation atfer rebase * Add changelog fragment
331 lines
9.8 KiB
YAML
331 lines
9.8 KiB
YAML
- vars:
|
||
task_parameters: &task_parameters
|
||
become_user: "{{ pg_user }}"
|
||
become: True
|
||
register: result
|
||
postgresql_parameters: ¶meters
|
||
db: postgres
|
||
name: "{{ db_user1 }}"
|
||
login_user: "{{ pg_user }}"
|
||
|
||
block:
|
||
- name: 'Check that PGOPTIONS environment variable is effective (1/2)'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: '{{ db_password1 }}'
|
||
ignore_errors: true
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- name: 'Check that PGOPTIONS environment variable is effective (2/2)'
|
||
assert:
|
||
that:
|
||
- "{{ result is failed }}"
|
||
|
||
- name: 'Create a user (password encrypted: {{ encrypted }})'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: '{{ db_password1 }}'
|
||
encrypted: '{{ encrypted }}'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- block: &changed # block is only used here in order to be able to define YAML anchor
|
||
- name: Check that ansible reports it was created
|
||
assert:
|
||
that:
|
||
- "{{ result is changed }}"
|
||
|
||
- name: Check that it was created
|
||
<<: *task_parameters
|
||
shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
|
||
|
||
- assert:
|
||
that:
|
||
- "result.stdout_lines[-1] == '(1 row)'"
|
||
|
||
- name: Check that creating user a second time does nothing
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: '{{ db_password1 }}'
|
||
encrypted: '{{ encrypted }}'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- block: ¬_changed # block is only used here in order to be able to define YAML anchor
|
||
- name: Check that ansible reports no change
|
||
assert:
|
||
that:
|
||
- "{{ result is not changed }}"
|
||
|
||
- name: 'Define an expiration time'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
expires: '2025-01-01'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- <<: *changed
|
||
|
||
- name: 'Redefine the same expiration time'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
expires: '2025-01-01'
|
||
<<: *parameters
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- block:
|
||
|
||
- name: 'Using MD5-hashed password: check that password not changed when using cleartext password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: '{{ db_password1 }}'
|
||
encrypted: 'yes'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: "Using MD5-hashed password: check that password not changed when using md5 hash with 'ENCRYPTED'"
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}"
|
||
encrypted: 'yes'
|
||
environment:
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: "Using MD5-hashed password: check that password not changed when using md5 hash with 'UNENCRYPTED'"
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}"
|
||
encrypted: 'no'
|
||
environment:
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Redefine the same expiration time and password (encrypted)'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
encrypted: 'yes'
|
||
password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}"
|
||
expires: '2025-01-01'
|
||
environment:
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Using MD5-hashed password: check that password changed when using another cleartext password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: 'prefix{{ db_password1 }}'
|
||
encrypted: 'yes'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- <<: *changed
|
||
|
||
- name: "Using MD5-hashed password: check that password changed when using another md5 hash with 'ENCRYPTED'"
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "md5{{ ('prefix1' ~ db_password1 ~ db_user1) | hash('md5')}}"
|
||
encrypted: 'yes'
|
||
|
||
- <<: *changed
|
||
|
||
- name: "Using MD5-hashed password: check that password changed when using md5 hash with 'UNENCRYPTED'"
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "md5{{ ('prefix2' ~ db_password1 ~ db_user1) | hash('md5')}}"
|
||
encrypted: 'no'
|
||
|
||
- <<: *changed
|
||
|
||
- name: 'Using MD5-hashed password: check that password changed when clearing the password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: ''
|
||
encrypted: 'yes'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- <<: *changed
|
||
|
||
- name: 'Using MD5-hashed password: check that password not changed when clearing the password again'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: ''
|
||
encrypted: 'yes'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Using cleartext password: check that password not changed when clearing the password again'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: ''
|
||
encrypted: 'no'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Using MD5-hashed password: check that password changed when using a cleartext password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: '{{ db_password1 }}'
|
||
encrypted: 'yes'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- <<: *changed
|
||
|
||
when: encrypted == 'yes'
|
||
|
||
- block:
|
||
|
||
- name: 'Using cleartext password: check that password not changed when using cleartext password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "{{ db_password1 }}"
|
||
encrypted: 'no'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Redefine the same expiration time and password (not encrypted)'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "{{ db_password1 }}"
|
||
encrypted: 'no'
|
||
expires: '2025-01-01'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Using cleartext password: check that password changed when using another cleartext password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "changed{{ db_password1 }}"
|
||
encrypted: 'no'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- <<: *changed
|
||
|
||
- name: 'Using cleartext password: check that password changed when clearing the password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: ''
|
||
encrypted: 'no'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- <<: *changed
|
||
|
||
- name: 'Using cleartext password: check that password not changed when clearing the password again'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: ''
|
||
encrypted: 'no'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Using MD5-hashed password: check that password not changed when clearing the password again'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: ''
|
||
encrypted: 'yes'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
- name: 'Using cleartext password: check that password changed when using cleartext password'
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
<<: *parameters
|
||
password: "{{ db_password1 }}"
|
||
encrypted: 'no'
|
||
environment:
|
||
PGCLIENTENCODING: 'UTF8'
|
||
|
||
- <<: *changed
|
||
|
||
when: encrypted == 'no'
|
||
|
||
- name: Remove user
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
state: 'absent'
|
||
<<: *parameters
|
||
|
||
- <<: *changed
|
||
|
||
- name: Check that they were removed
|
||
<<: *task_parameters
|
||
shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
|
||
environment:
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- assert:
|
||
that:
|
||
- "result.stdout_lines[-1] == '(0 rows)'"
|
||
|
||
- name: Check that removing user a second time does nothing
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
state: 'absent'
|
||
<<: *parameters
|
||
environment:
|
||
PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
|
||
|
||
- <<: *not_changed
|
||
|
||
always:
|
||
- name: Remove user
|
||
<<: *task_parameters
|
||
postgresql_user:
|
||
state: 'absent'
|
||
<<: *parameters
|