From 2852e7927e190f3289a223dcc0247b87e785584a Mon Sep 17 00:00:00 2001 From: Laurent Indermuehle Date: Fri, 12 Apr 2024 15:18:29 +0200 Subject: [PATCH 1/8] fix returned variable from plugin_auth_string to plugin_hash_string --- plugins/module_utils/user.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py index f042c858..e43934e4 100644 --- a/plugins/module_utils/user.py +++ b/plugins/module_utils/user.py @@ -143,10 +143,10 @@ def get_existing_authentication(cursor, user, host): rows = list(rows.values()) if isinstance(rows[0], tuple): - return {'plugin': rows[0][0], 'plugin_auth_string': rows[0][1]} + return {'plugin': rows[0][0], 'plugin_hash_string': rows[0][1]} if isinstance(rows[0], dict): - return {'plugin': rows[0].get('plugin'), 'plugin_auth_string': rows[0].get('auth')} + return {'plugin': rows[0].get('plugin'), 'plugin_hash_string': rows[0].get('auth')} return None From fc08cdae81ab65b4962f232a3e428435fd2db37c Mon Sep 17 00:00:00 2001 From: Laurent Indermuehle Date: Fri, 12 Apr 2024 15:18:40 +0200 Subject: [PATCH 2/8] Add changelog fragment --- changelogs/fragments/lie_fix_plugin_hash_string_return.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelogs/fragments/lie_fix_plugin_hash_string_return.yml diff --git a/changelogs/fragments/lie_fix_plugin_hash_string_return.yml b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml new file mode 100644 index 00000000..2880e840 --- /dev/null +++ b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml @@ -0,0 +1,3 @@ +--- +bugfixes: + - mysql_info - Fix ``users_info`` filter output variable for hashed password to use ``plugin_hash_string`` instead of ``plugin_auth_string`` (https://github.com/ansible-collections/community.mysql/pull/629). From e6b2494c8b3646f048ab7aaea2cfe67e2498629d Mon Sep 17 00:00:00 2001 
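Review bot: The value these two `return` lines hand back under `plugin_hash_string` is the account's stored password hash (the changelog fragment later in this series says so), and nothing at the return site marks it as sensitive. A hash that ends up in registered results or verbose output can be attacked offline, so I would add a comment above the first `return`, for example `# rows[0][1] is the stored credential hash: keep it out of logs and debug output`. get_existing_authentication starts outside the hunk, so whether it already has a docstring saying this is not visible here.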
From: Laurent Indermuehle Date: Fri, 12 Apr 2024 16:19:59 +0200 Subject: [PATCH 3/8] Fix tests not being created properly I used plugin_auth_string instead of plugin_hash_string. But using the module is dangerous because we may never catch an error. So using a command was the way to go anyway. --- .../tasks/filter_users_info.yml | 70 +++++-------------- 1 file changed, 18 insertions(+), 52 deletions(-) diff --git a/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml b/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml index 2c126c12..46f26e7a 100644 --- a/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml +++ b/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml 
@@ -148,66 +148,32 @@ - GRANT SELECT ON users_info_db.* TO users_info_multi_hosts@'host2' - name: Mysql_info users_info | Prepare tests users for MariaDB - community.mysql.mysql_user: - name: "{{ item.name }}" - host: "users_info.com" - plugin: "{{ item.plugin | default(omit) }}" - plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}" - plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}" - tls_require: "{{ item.tls_require | default(omit) }}" - priv: "{{ item.priv }}" - resource_limits: "{{ item.resource_limits | default(omit) }}" - column_case_sensitive: true - state: present - loop: - - name: users_info_socket # Only for MariaDB - priv: - '*.*': 'ALL' - plugin: 'unix_socket' + community.mysql.mysql_query: + query: + - >- + CREATE USER users_info_socket@'users_info.com' IDENTIFIED WITH + unix_socket + - GRANT ALL ON *.* to users_info_socket@'users_info.com' when: - db_engine == 'mariadb' - name: Mysql_info users_info | Prepare tests users for MySQL - community.mysql.mysql_user: - name: "{{ item.name }}" - host: "users_info.com" - plugin: "{{ item.plugin | default(omit) }}" - plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}" - plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}" - tls_require: "{{ item.tls_require | default(omit) }}" - priv: "{{ item.priv }}" - resource_limits: "{{ item.resource_limits | default(omit) }}" - column_case_sensitive: true - state: present - loop: - - name: users_info_sha256 # Only for MySQL - priv: - '*.*': 'ALL' - plugin_auth_string: - '$5$/- + CREATE USER users_info_sha256@'users_info.com' IDENTIFIED WITH + sha256_password BY 'msandbox' + - GRANT ALL ON *.* to users_info_sha256@'users_info.com' when: - db_engine == 'mysql' - name: Mysql_info users_info | Prepare tests users for MySQL 8+ - community.mysql.mysql_user: - name: "{{ item.name }}" - host: "users_info.com" - plugin: "{{ item.plugin | default(omit) }}" - plugin_auth_string: "{{ item.plugin_auth_string | 
default(omit) }}" - plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}" - tls_require: "{{ item.tls_require | default(omit) }}" - priv: "{{ item.priv }}" - resource_limits: "{{ item.resource_limits | default(omit) }}" - column_case_sensitive: true - state: present - loop: - - name: users_info_caching_sha2 # Only for MySQL 8+ - priv: - '*.*': 'ALL' - plugin_auth_string: - '$A$005$61j/uF%Qb4-=O2xkeO82u2HNkF.lxDq0liO4U3xqi7bDUCbWM6HayRXWn1' - plugin: 'caching_sha2_password' + community.mysql.mysql_query: + query: + - >- + CREATE USER users_info_caching_sha2@'users_info.com' IDENTIFIED WITH + caching_sha2_password BY 'msandbox' + - GRANT ALL ON *.* to users_info_caching_sha2@'users_info.com' when: - db_engine == 'mysql' - db_version is version('8.0', '>=') From b65e5a8a20608b69713c7064bef0d450ed15d7d3 Mon Sep 17 00:00:00 2001 From: Laurent Indermuehle Date: Mon, 15 Apr 2024 17:10:18 +0200 Subject: [PATCH 4/8] Fix test task name for uniformity --- .../targets/test_mysql_info/tasks/filter_users_info.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml b/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml index 46f26e7a..fc8c66e5 100644 --- a/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml +++ b/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml @@ -186,7 +186,7 @@ - users_info register: result - - name: Recreate users from mysql_info users_info result + - name: Mysql_info users_info | Recreate users from mysql_info result community.mysql.mysql_user: name: "{{ item.name }}" host: "{{ item.host }}" From 04f24c57f3d00f849c6b152cb5f0d76095d899f0 Mon Sep 17 00:00:00 2001 
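Review bot: The two MySQL fixtures now carry the cleartext password `'msandbox'` inside the `CREATE USER ... BY 'msandbox'` statements, where the removed tasks carried only hash strings. The query text, literal included, may be echoed in the task result and in CI logs, and both accounts also receive `GRANT ALL ON *.*`. For a disposable test server that is acceptable, but I would say so next to the statements, e.g. `# Fixture-only credential for the disposable test instance; never reuse this pattern with a real secret`, or take the value from a test variable if the suite already defines one.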
From: Laurent Indermuehle Date: Thu, 25 Apr 2024 13:41:00 +0200 Subject: [PATCH 5/8] Refactor to keep plugin_auth_string --- .../lie_fix_plugin_hash_string_return.yml | 2 +- plugins/module_utils/user.py | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/changelogs/fragments/lie_fix_plugin_hash_string_return.yml b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml index 2880e840..1af520f5 100644 --- a/changelogs/fragments/lie_fix_plugin_hash_string_return.yml +++ b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml @@ -1,3 +1,3 @@ --- bugfixes: - - mysql_info - Fix ``users_info`` filter output variable for hashed password to use ``plugin_hash_string`` instead of ``plugin_auth_string`` (https://github.com/ansible-collections/community.mysql/pull/629). + - mysql_info - Add ``plugin_hash_string`` to ``users_info`` filter's output. The existing ``plugin_auth_string`` contained the hashed password and thus is missleading, it will be removed from community.mysql 4.0.0. (https://github.com/ansible-collections/community.mysql/pull/629). diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py index a4b86b56..14909540 100644 --- a/plugins/module_utils/user.py +++ b/plugins/module_utils/user.py 
@@ -118,11 +118,21 @@ def get_existing_authentication(cursor, user, host): if isinstance(rows, dict): rows = list(rows.values()) + # 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0 + # See https://github.com/ansible-collections/community.mysql/pull/629 if isinstance(rows[0], tuple): - return {'plugin': rows[0][0], 'plugin_hash_string': rows[0][1]} + return {'plugin': rows[0][0], + 'plugin_auth_string': rows[0][1], + 'plugin_hash_string': rows[0][1] + } + # 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0 + # See https://github.com/ansible-collections/community.mysql/pull/629 if isinstance(rows[0], dict): - return {'plugin': rows[0].get('plugin'), 'plugin_hash_string': rows[0].get('auth')} + return {'plugin': rows[0].get('plugin'), + 'plugin_auth_string': rows[0].get('auth'), + 'plugin_hash_string': rows[0].get('auth') + } return None From a60df289b22007e6031ddb5ba7528e876bef46df Mon Sep 17 00:00:00 2001 From: Laurent Indermuehle Date: Thu, 25 Apr 2024 13:42:09 +0200 Subject: [PATCH 6/8] fix variable name of returned value by get_existing_authentication() --- plugins/module_utils/user.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py index 14909540..1be3b809 100644 --- a/plugins/module_utils/user.py +++ b/plugins/module_utils/user.py @@ -162,7 +162,7 @@ def user_add(cursor, user, host, host_all, password, encrypted, existing_auth = get_existing_authentication(cursor, user, host) if existing_auth: plugin = existing_auth['plugin'] - plugin_hash_string = existing_auth['auth_string'] + plugin_hash_string = existing_auth['plugin_hash_string'] password = None used_existing_password = True if password and encrypted: From 1497ed646df78ecc1cb50b29d6672db8db0130a2 Mon Sep 17 00:00:00 2001 
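Review bot: Both branches in get_existing_authentication now repeat the same two-line deprecation comment and the same three-key dict, so the 4.0 removal of `plugin_auth_string` has to be made in two places and the copies can drift apart. Extracting the plugin and hash from `rows[0]` first and building the dict once keeps the comment and the future removal in a single spot. The sketch below keeps the current behaviour, including `return None` for any other row type; the function starts outside the hunk.

```python
    # … unchanged: query execution and rows normalisation …
    first = rows[0]
    if isinstance(first, tuple):
        plugin, hash_string = first[0], first[1]
    elif isinstance(first, dict):
        plugin, hash_string = first.get('plugin'), first.get('auth')
    else:
        return None

    # 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0
    # See https://github.com/ansible-collections/community.mysql/pull/629
    return {'plugin': plugin,
            'plugin_auth_string': hash_string,
            'plugin_hash_string': hash_string}
```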
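Review bot: No test accompanies the corrected lookup in user_add, although the old key `auth_string` does not appear in any version of the dict returned by get_existing_authentication in this series, so this branch presumably raised `KeyError` whenever `existing_auth` was truthy. An integration case that drives user_add through the existing-authentication branch and checks the created account's plugin and hash would keep the key names from drifting apart again. user_add starts and continues outside the hunk, so the condition that leads into this branch is not visible.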
From: Laurent Indermuehle Date: Thu, 25 Apr 2024 13:51:57 +0200 Subject: [PATCH 7/8] fix sanity --- plugins/module_utils/user.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py index 1be3b809..25b17346 100644 --- a/plugins/module_utils/user.py +++ b/plugins/module_utils/user.py @@ -123,16 +123,14 @@ def get_existing_authentication(cursor, user, host): if isinstance(rows[0], tuple): return {'plugin': rows[0][0], 'plugin_auth_string': rows[0][1], - 'plugin_hash_string': rows[0][1] - } + 'plugin_hash_string': rows[0][1]} # 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0 # See https://github.com/ansible-collections/community.mysql/pull/629 if isinstance(rows[0], dict): return {'plugin': rows[0].get('plugin'), 'plugin_auth_string': rows[0].get('auth'), - 'plugin_hash_string': rows[0].get('auth') - } + 'plugin_hash_string': rows[0].get('auth')} return None From 9f95eb881aabdbc11f645c3d37f3d6fa141430c0 Mon Sep 17 00:00:00 2001 From: Laurent Indermuehle Date: Fri, 26 Apr 2024 15:57:46 +0200 Subject: [PATCH 8/8] Add breaking_changes to the changelog --- changelogs/fragments/lie_fix_plugin_hash_string_return.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/changelogs/fragments/lie_fix_plugin_hash_string_return.yml b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml index 1af520f5..e1a71ea0 100644 --- a/changelogs/fragments/lie_fix_plugin_hash_string_return.yml +++ b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml 
@@ -1,3 +1,6 @@ --- bugfixes: - mysql_info - Add ``plugin_hash_string`` to ``users_info`` filter's output. The existing ``plugin_auth_string`` contained the hashed password and thus is missleading, it will be removed from community.mysql 4.0.0. (https://github.com/ansible-collections/community.mysql/pull/629). + +breaking_changes: + - mysql_info - The ``users_info`` filter returned variable ``plugin_auth_string`` contains the hashed password and it's misleading, it will be removed from community.mysql 4.0.0. Use the `plugin_hash_string` return value instead (https://github.com/ansible-collections/community.mysql/pull/629).