diff options
author | Andrey Klychkov <aaklychkov@mail.ru> | 2019-09-25 16:03:48 +0300 |
---|---|---|
committer | John R Barker <john@johnrbarker.com> | 2019-09-25 09:03:48 -0400 |
commit | 53ba3c46ccb01757c038ac939c8e5a82246d07b0 (patch) | |
tree | 55d6e485825371340c240e3c85fcfbf40edd13a4 /test/integration/targets/postgresql | |
parent | 3b409f2f50a3f9c71e44ece9dc05205e81e23bea (diff) | |
download | ansible-53ba3c46ccb01757c038ac939c8e5a82246d07b0.tar.gz |
postgresql: move CI test to separate targets (#62823)
Diffstat (limited to 'test/integration/targets/postgresql')
15 files changed, 0 insertions, 3605 deletions
diff --git a/test/integration/targets/postgresql/aliases b/test/integration/targets/postgresql/aliases deleted file mode 100644 index 638474beaa..0000000000 --- a/test/integration/targets/postgresql/aliases +++ /dev/null @@ -1,6 +0,0 @@ -destructive -shippable/posix/group4 -postgresql_db -postgresql_privs -postgresql_user -skip/osx diff --git a/test/integration/targets/postgresql/defaults/main.yml b/test/integration/targets/postgresql/defaults/main.yml deleted file mode 100644 index 9a0adb34b5..0000000000 --- a/test/integration/targets/postgresql/defaults/main.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- -# defaults file for test_postgresql_db -db_name: 'ansible_db' -db_user1: 'ansible_db_user1' -db_user2: 'ansible_db_user2' -db_user3: 'ansible_db_user3' -db_default: 'postgres' - -tmp_dir: '/tmp' -db_session_role1: 'session_role1' -db_session_role2: 'session_role2' - -pg_hba_test_ips: -- contype: local - users: 'all,postgres,test' -- source: '0000:ffff::' - netmask: 'ffff:fff0::' -- source: '192.168.0.0/24' - netmask: '' - databases: 'all,replication' -- source: '192.168.1.0/24' - netmask: '' - databases: 'all' - method: reject -- source: '127.0.0.1/32' - netmask: '' -- source: '::1/128' - netmask: '' -- source: '0000:ff00::' - netmask: 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00' - method: scram-sha-256 -- source: '172.16.0.0' - netmask: '255.255.0.0' - method: trust - -# defaults for test SSL -ssl_db: 'ssl_db' -ssl_user: 'ssl_user' -ssl_pass: 'ssl_pass' -ssl_rootcert: '~{{ pg_user }}/root.crt' diff --git a/test/integration/targets/postgresql/meta/main.yml b/test/integration/targets/postgresql/meta/main.yml deleted file mode 100644 index 85b1dc7e4c..0000000000 --- a/test/integration/targets/postgresql/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - setup_postgresql_db diff --git a/test/integration/targets/postgresql/tasks/main.yml b/test/integration/targets/postgresql/tasks/main.yml deleted file mode 100644 index c734057846..0000000000 --- a/test/integration/targets/postgresql/tasks/main.yml +++ /dev/null @@ -1,56 +0,0 @@ -# Unsorted tests that were moved from here to unsorted.yml -- import_tasks: unsorted.yml - -# Test ssl. -# Restricted using Debian family because of there are errors on other distributions -# that not related with PostgreSQL or psycopg2 SSL support. -# The tests' key point is to be sure that ssl options work in general -- import_tasks: ssl.yml - when: - - ansible_os_family == 'Debian' - - postgres_version_resp.stdout is version('9.4', '>=') - -- include_tasks: '{{ loop_item }}' - loop: - # Test postgresql_user module - - postgresql_user.yml - - # Verify different session_role scenarios - - session_role.yml - - # Test postgresql_db module, specific options - - postgresql_db.yml - - # Test postgresql_privs - - postgresql_privs.yml - loop_control: - loop_var: loop_item - -# Test default_privs with target_role -- import_tasks: test_target_role.yml - when: postgres_version_resp.stdout is version('9.1', '>=') - -# dump/restore tests per format -# ============================================================ -- include_tasks: state_dump_restore.yml - vars: - test_fixture: user - file: '{{ loop_item }}' - loop: - - dbdata.sql - - dbdata.sql.gz - - dbdata.sql.bz2 - - dbdata.sql.xz - - dbdata.tar - - dbdata.tar.gz - - dbdata.tar.bz2 - - dbdata.tar.xz - loop_control: - loop_var: loop_item - -# dump/restore tests per other logins -# ============================================================ -- import_tasks: state_dump_restore.yml - vars: - file: dbdata.tar - test_fixture: admin diff --git a/test/integration/targets/postgresql/tasks/pg_authid_not_readable.yml b/test/integration/targets/postgresql/tasks/pg_authid_not_readable.yml deleted file mode 100644 index f5d502d091..0000000000 --- a/test/integration/targets/postgresql/tasks/pg_authid_not_readable.yml +++ /dev/null @@ -1,50 +0,0 @@ -- name: "Admin user is allowed to access pg_authid relation: password comparison will succeed, password won't be updated" - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md5{{ (db_password ~ db_user1) | hash('md5')}}" - db: "{{ db_name }}" - priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP' - login_user: "{{ pg_user }}" - register: redo_as_admin - -- name: "Check that task succeeded without any change" - assert: - that: - - 'redo_as_admin is not failed' - - 'redo_as_admin is not changed' - - 'redo_as_admin is successful' - -- name: "Check that normal user isn't allowed to access pg_authid" - shell: 'psql -c "select * from pg_authid;" {{ db_name }} {{ db_user1 }}' - environment: - PGPASSWORD: '{{ db_password }}' - ignore_errors: yes - register: pg_authid - -- assert: - that: - - 'pg_authid is failed' - - pg_authid.stderr is search('permission denied for (relation|table) pg_authid') - -- name: "Normal user isn't allowed to access pg_authid relation: password comparison will fail, password will be updated" - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md5{{ (db_password ~ db_user1) | hash('md5')}}" - db: "{{ db_name }}" - priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP' - login_user: "{{ db_user1 }}" - login_password: "{{ db_password }}" - register: redo_as_normal_user - -- name: "Check that task succeeded and that result is changed" - assert: - that: - - 'redo_as_normal_user is not failed' - - 'redo_as_normal_user is changed' - - 'redo_as_normal_user is successful' diff --git a/test/integration/targets/postgresql/tasks/postgresql_db.yml b/test/integration/targets/postgresql/tasks/postgresql_db.yml deleted file mode 100644 index f47c521127..0000000000 --- a/test/integration/targets/postgresql/tasks/postgresql_db.yml +++ /dev/null @@ -1,193 +0,0 @@ -# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -# The file for testing new options for postgresql_db module. - -- vars: - db_tablespace: bar - tblspc_location: /ssd - db_name: acme - block_parameters: &block_parameters - become_user: "{{ pg_user }}" - become: yes - task_parameters: &task_parameters - register: result - pg_parameters: &pg_parameters - login_user: "{{ pg_user }}" - - # Start tablespace option tests: - block: - # Preparation for tests. - - name: postgresql_db - drop dir for test tablespace - become: yes - become_user: root - file: - path: "{{ tblspc_location }}" - state: absent - ignore_errors: yes - - - name: postgresql_db - disable selinux - become: yes - become_user: root - shell: setenforce 0 - ignore_errors: yes - - - name: postgresql_db - create dir for test tablespace - become: yes - become_user: root - file: - path: "{{ tblspc_location }}" - state: directory - owner: "{{ pg_user }}" - group: "{{ pg_user }}" - mode: 0700 - - # Create tablespace: - - name: postgresql_db_ - create a new tablespace - postgresql_tablespace: - <<: *pg_parameters - login_db: postgres - name: "{{ db_tablespace }}" - location: "{{ tblspc_location }}" - - # Check mode for DB creation with tablespace option: - - name: postgresql_db_tablespace - Create DB with tablespace option in check mode - <<: *task_parameters - check_mode: yes - postgresql_db: - <<: *pg_parameters - maintenance_db: postgres - name: "{{ db_name }}" - tablespace: "{{ db_tablespace }}" - - - assert: - that: - - result is changed - - - name: postgresql_db_tablespace - Check actual DB tablespace, rowcount must be 0 because actually nothing changed - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - login_db: postgres - query: > - SELECT 1 FROM pg_database AS d JOIN pg_tablespace AS t - ON d.dattablespace = t.oid WHERE d.datname = '{{ db_name }}' - AND t.spcname = '{{ db_tablespace }}' - - - assert: - that: - - result.rowcount == 0 - - # Actual mode for creation with tablespace option: - - name: postgresql_db_tablespace - Create DB with tablespace option - <<: *task_parameters - postgresql_db: - <<: *pg_parameters - maintenance_db: postgres - name: "{{ db_name }}" - tablespace: "{{ db_tablespace }}" - - - assert: - that: - - result is changed - - - name: postgresql_db_tablespace - Check actual DB tablespace, rowcount must be 1 - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - login_db: postgres - query: > - SELECT 1 FROM pg_database AS d JOIN pg_tablespace AS t - ON d.dattablespace = t.oid WHERE d.datname = '{{ db_name }}' - AND t.spcname = '{{ db_tablespace }}' - - - assert: - that: - - result.rowcount == 1 - - # Try to change tablespace to the same: - - name: postgresql_db_tablespace - The same DB with tablespace option again - <<: *task_parameters - postgresql_db: - <<: *pg_parameters - maintenance_db: postgres - name: "{{ db_name }}" - tablespace: "{{ db_tablespace }}" - - - assert: - that: - - result is not changed - - # Try to change tablespace in check_mode: - - name: postgresql_db_tablespace - Change tablespace in check_mode - <<: *task_parameters - check_mode: yes - postgresql_db: - <<: *pg_parameters - maintenance_db: postgres - name: "{{ db_name }}" - tablespace: pg_default - - - assert: - that: - - result is changed - - - name: postgresql_db_tablespace - Check actual DB tablespace, rowcount must be 1 because actually nothing changed - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - login_db: postgres - query: > - SELECT 1 FROM pg_database AS d JOIN pg_tablespace AS t - ON d.dattablespace = t.oid WHERE d.datname = '{{ db_name }}' - AND t.spcname = '{{ db_tablespace }}' - - - assert: - that: - - result.rowcount == 1 - - # Try to change tablespace to pg_default in actual mode: - - name: postgresql_db_tablespace - Change tablespace in actual mode - <<: *task_parameters - postgresql_db: - <<: *pg_parameters - maintenance_db: postgres - name: "{{ db_name }}" - tablespace: pg_default - - - assert: - that: - - result is changed - - - name: postgresql_db_tablespace - Check actual DB tablespace, rowcount must be 1 - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - login_db: postgres - query: > - SELECT 1 FROM pg_database AS d JOIN pg_tablespace AS t - ON d.dattablespace = t.oid WHERE d.datname = '{{ db_name }}' - AND t.spcname = 'pg_default' - - - assert: - that: - - result.rowcount == 1 - - # Cleanup: - - name: postgresql_db_tablespace - Drop test DB - <<: *task_parameters - postgresql_db: - <<: *pg_parameters - maintenance_db: postgres - name: "{{ db_name }}" - state: absent - - - name: postgresql_db_tablespace - Remove tablespace - <<: *task_parameters - postgresql_tablespace: - <<: *pg_parameters - login_db: postgres - name: "{{ db_tablespace }}" - state: absent - - <<: *block_parameters - # End of tablespace block diff --git a/test/integration/targets/postgresql/tasks/postgresql_privs.yml b/test/integration/targets/postgresql/tasks/postgresql_privs.yml deleted file mode 100644 index 663ea9aaa4..0000000000 --- a/test/integration/targets/postgresql/tasks/postgresql_privs.yml +++ /dev/null @@ -1,702 +0,0 @@ -# Setup -- name: Create DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Create a user to be owner of objects - postgresql_user: - name: "{{ db_user3 }}" - state: present - encrypted: yes - password: password - role_attr_flags: CREATEDB,LOGIN - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Create a user to be given permissions and other tests - postgresql_user: - name: "{{ db_user2 }}" - state: present - encrypted: yes - password: password - role_attr_flags: LOGIN - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -############################# -# Test of solving bug 27327 # -############################# - -# Create the test table and view: -- name: Create table - become: yes - become_user: "{{ pg_user }}" - postgresql_table: - login_user: "{{ pg_user }}" - db: postgres - name: test_table1 - columns: - - id int - -- name: Create view - become: yes - become_user: "{{ pg_user }}" - postgresql_query: - login_user: "{{ pg_user }}" - db: postgres - query: "CREATE VIEW test_view AS SELECT id FROM test_table1" - -# Test check_mode: -- name: Grant SELECT on test_view, check_mode - become: yes - become_user: "{{ pg_user }}" - postgresql_privs: - login_user: "{{ pg_user }}" - db: postgres - state: present - privs: SELECT - type: table - objs: test_view - roles: "{{ db_user2 }}" - check_mode: yes - register: result - -- assert: - that: - - result is changed - -# Check: -- name: Check that nothing was changed after the prev step - become: yes - become_user: "{{ pg_user }}" - postgresql_query: - login_user: "{{ pg_user }}" - db: postgres - query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = '{{ db_user2 }}'" - register: result - -- assert: - that: - - result.rowcount == 0 - -# Test true mode: -- name: Grant SELECT on test_view - become: yes - become_user: "{{ pg_user }}" - postgresql_privs: - login_user: "{{ pg_user }}" - db: postgres - state: present - privs: SELECT - type: table - objs: test_view - roles: "{{ db_user2 }}" - register: result - -- assert: - that: - - result is changed - -# Check: -- name: Check that nothing was changed after the prev step - become: yes - become_user: "{{ pg_user }}" - postgresql_query: - login_user: "{{ pg_user }}" - db: postgres - query: "SELECT grantee FROM information_schema.role_table_grants WHERE table_name='test_view' AND grantee = '{{ db_user2 }}'" - register: result - -- assert: - that: - - result.rowcount == 1 - -# Test true mode: -- name: Try to grant SELECT again - become: yes - become_user: "{{ pg_user }}" - postgresql_privs: - login_user: "{{ pg_user }}" - db: postgres - state: present - privs: SELECT - type: table - objs: test_view - roles: "{{ db_user2 }}" - register: result - -- assert: - that: - - result is not changed - -# Cleanup: -- name: Drop test view - become: yes - become_user: "{{ pg_user }}" - postgresql_query: - login_user: "{{ pg_user }}" - db: postgres - query: "DROP VIEW test_view" - -- name: Drop test table - become: yes - become_user: "{{ pg_user }}" - postgresql_table: - login_user: "{{ pg_user }}" - db: postgres - name: test_table1 - state: absent - -###################################################### -# Test foreign data wrapper and foreign server privs # -###################################################### - -# Foreign data wrapper setup -- name: Create foreign data wrapper extension - become: yes - become_user: "{{ pg_user }}" - shell: echo "CREATE EXTENSION postgres_fdw" | psql -d "{{ db_name }}" - -- name: Create dummy foreign data wrapper - become: yes - become_user: "{{ pg_user }}" - shell: echo "CREATE FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}" - -- name: Create foreign server - become: yes - become_user: "{{ pg_user }}" - shell: echo "CREATE SERVER dummy_server FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}" - -# Test -- name: Grant foreign data wrapper privileges - postgresql_privs: - state: present - type: foreign_data_wrapper - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is changed - -- name: Get foreign data wrapper privileges - become: yes - become_user: "{{ pg_user }}" - shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}" - vars: - fdw_query: > - SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper - WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname - register: fdw_result - -- assert: - that: - - "fdw_result.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user2 }}' in fdw_result.stdout_lines[-2]" - -# Test -- name: Grant foreign data wrapper privileges second time - postgresql_privs: - state: present - type: foreign_data_wrapper - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is not changed - -# Test -- name: Revoke foreign data wrapper privileges - postgresql_privs: - state: absent - type: foreign_data_wrapper - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is changed - -- name: Get foreign data wrapper privileges - become: yes - become_user: "{{ pg_user }}" - shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}" - vars: - fdw_query: > - SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper - WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname - register: fdw_result - -- assert: - that: - - "fdw_result.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user2 }}' not in fdw_result.stdout_lines[-2]" - -# Test -- name: Revoke foreign data wrapper privileges for second time - postgresql_privs: - state: absent - type: foreign_data_wrapper - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is not changed - -# Test -- name: Grant foreign server privileges - postgresql_privs: - state: present - type: foreign_server - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy_server - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is changed - -- name: Get foreign server privileges - become: yes - become_user: "{{ pg_user }}" - shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}" - vars: - fdw_query: > - SELECT srvacl FROM pg_catalog.pg_foreign_server - WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname - register: fs_result - -- assert: - that: - - "fs_result.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user2 }}' in fs_result.stdout_lines[-2]" - -# Test -- name: Grant foreign server privileges for second time - postgresql_privs: - state: present - type: foreign_server - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy_server - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is not changed - -# Test -- name: Revoke foreign server privileges - postgresql_privs: - state: absent - type: foreign_server - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy_server - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is changed - -- name: Get foreign server privileges - become: yes - become_user: "{{ pg_user }}" - shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}" - vars: - fdw_query: > - SELECT srvacl FROM pg_catalog.pg_foreign_server - WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname - register: fs_result - -- assert: - that: - - "fs_result.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user2 }}' not in fs_result.stdout_lines[-2]" - -# Test -- name: Revoke foreign server privileges for second time - postgresql_privs: - state: absent - type: foreign_server - roles: "{{ db_user2 }}" - privs: ALL - objs: dummy_server - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -# Checks -- assert: - that: - - result is not changed - -# Foreign data wrapper cleanup -- name: Drop foreign server - become: yes - become_user: "{{ pg_user }}" - shell: echo "DROP SERVER dummy_server" | psql -d "{{ db_name }}" - -- name: Drop dummy foreign data wrapper - become: yes - become_user: "{{ pg_user }}" - shell: echo "DROP FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}" - -- name: Drop foreign data wrapper extension - become: yes - become_user: "{{ pg_user }}" - shell: echo "DROP EXTENSION postgres_fdw" | psql -d "{{ db_name }}" - -########################################## -# Test ALL_IN_SCHEMA for 'function' type # -########################################## - -# Function ALL_IN_SCHEMA Setup -- name: Create function for test - postgresql_query: - query: CREATE FUNCTION public.a() RETURNS integer LANGUAGE SQL AS 'SELECT 2'; - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - -# Test -- name: Grant execute to all functions - postgresql_privs: - type: function - state: present - privs: EXECUTE - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - -# Checks -- assert: - that: result is changed - -- name: Check that all functions have execute privileges - become: yes - become_user: "{{ pg_user }}" - shell: psql {{ db_name }} -c "SELECT proacl FROM pg_proc WHERE proname = 'a'" -t - register: result - -- assert: - that: "'{{ db_user2 }}=X/{{ db_user3 }}' in '{{ result.stdout_lines[0] }}'" - -# Test -- name: Grant execute to all functions again - postgresql_privs: - type: function - state: present - privs: EXECUTE - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - -# Checks -- assert: - that: result is not changed - -# Test -- name: Revoke execute to all functions - postgresql_privs: - type: function - state: absent - privs: EXECUTE - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - -# Checks -- assert: - that: result is changed - -# Test -- name: Revoke execute to all functions again - postgresql_privs: - type: function - state: absent - privs: EXECUTE - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - -- assert: - that: result is not changed - -# Function ALL_IN_SCHEMA cleanup -- name: Remove function for test - postgresql_query: - query: DROP FUNCTION public.a(); - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - -################################################# -# Test ALL_IN_SCHEMA for 'partioned tables type # -################################################# - -# Partitioning tables is a feature introduced in Postgresql 10. -# (see https://www.postgresql.org/docs/10/ddl-partitioning.html ) -# The test below check for this version - -# Function ALL_IN_SCHEMA Setup -- name: Create partioned table for test purpose - postgresql_query: - query: CREATE TABLE public.testpt (id int not null, logdate date not null) PARTITION BY RANGE (logdate); - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - when: postgres_version_resp.stdout is version('10', '>=') - -# Test -- name: Grant execute to all tables in check mode - postgresql_privs: - type: table - state: present - privs: SELECT - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - when: postgres_version_resp.stdout is version('10', '>=') - check_mode: yes - -# Checks -- name: Check that all partitioned tables don't have select privileges after the check mode task - postgresql_query: - query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s - db: "{{ db_name }}" - login_user: '{{ db_user2 }}' - login_password: password - named_args: - grantuser: '{{ db_user2 }}' - become: yes - become_user: "{{ pg_user }}" - register: result - when: postgres_version_resp.stdout is version('10', '>=') - -- assert: - that: - - result.rowcount == 0 - when: postgres_version_resp.stdout is version('10', '>=') - - -# Test -- name: Grant execute to all tables - postgresql_privs: - type: table - state: present - privs: SELECT - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - when: postgres_version_resp.stdout is version('10', '>=') - -# Checks -- assert: - that: result is changed - when: postgres_version_resp.stdout is version('10', '>=') - -- name: Check that all partitioned tables have select privileges - postgresql_query: - query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s - db: "{{ db_name }}" - login_user: '{{ db_user2 }}' - login_password: password - named_args: - grantuser: '{{ db_user2 }}' - become: yes - become_user: "{{ pg_user }}" - register: result - when: postgres_version_resp.stdout is version('10', '>=') - -- assert: - that: - - result.rowcount == 1 - when: postgres_version_resp.stdout is version('10', '>=') - -# Test -- name: Grant execute to all tables again to see no changes are reported - postgresql_privs: - type: table - state: present - privs: SELECT - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - when: postgres_version_resp.stdout is version('10', '>=') - -# Checks -- assert: - that: result is not changed - when: postgres_version_resp.stdout is version('10', '>=') - -# Test -- name: Revoke SELECT to all tables - postgresql_privs: - type: table - state: absent - privs: SELECT - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - when: postgres_version_resp.stdout is version('10', '>=') - -# Checks -- assert: - that: result is changed - when: postgres_version_resp.stdout is version('10', '>=') - -- name: Check that all partitioned tables don't have select privileges - postgresql_query: - query: SELECT grantee, privilege_type FROM information_schema.role_table_grants WHERE table_name='testpt' and privilege_type='SELECT' and grantee = %(grantuser)s - db: "{{ db_name }}" - login_user: '{{ db_user2 }}' - login_password: password - named_args: - grantuser: '{{ db_user2 }}' - become: yes - become_user: "{{ pg_user }}" - register: result - when: postgres_version_resp.stdout is version('10', '>=') - -- assert: - that: - - result.rowcount == 0 - when: postgres_version_resp.stdout is version('10', '>=') - -# Test -- name: Revoke SELECT to all tables and no changes are reported - postgresql_privs: - type: table - state: absent - privs: SELECT - roles: "{{ db_user2 }}" - objs: ALL_IN_SCHEMA - schema: public - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - register: result - ignore_errors: yes - when: postgres_version_resp.stdout is version('10', '>=') - -- assert: - that: result is not changed - when: postgres_version_resp.stdout is version('10', '>=') - -# Table ALL_IN_SCHEMA cleanup -- name: Remove table for test - postgresql_query: - query: DROP TABLE public.testpt; - db: "{{ db_name }}" - login_user: "{{ db_user3 }}" - login_password: password - ignore_errors: yes - when: postgres_version_resp.stdout is version('10', '>=') - -# Cleanup -- name: Remove user given permissions - postgresql_user: - name: "{{ db_user2 }}" - state: absent - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Remove user owner of objects - postgresql_user: - name: "{{ db_user3 }}" - state: absent - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Destroy DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ pg_user }}" diff --git a/test/integration/targets/postgresql/tasks/postgresql_user.yml b/test/integration/targets/postgresql/tasks/postgresql_user.yml deleted file mode 100644 index aae57b2429..0000000000 --- a/test/integration/targets/postgresql/tasks/postgresql_user.yml +++ /dev/null @@ -1,670 +0,0 @@ -# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) -# Integration tests for postgresql_user module. - -- vars: - test_user: hello_user - test_group1: group1 - test_group2: group2 - test_table: test - task_parameters: &task_parameters - become_user: '{{ pg_user }}' - become: yes - register: result - pg_parameters: &pg_parameters - login_user: '{{ pg_user }}' - login_db: postgres - - block: - # - # Common tests - # - - name: Create role in check_mode - <<: *task_parameters - check_mode: yes - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: check that the user doesn't exist - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_user }}'" - - - assert: - that: - - result.rowcount == 0 - - - name: Create role in actual mode - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: check that the user exists - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_user }}'" - - - assert: - that: - - result.rowcount == 1 - - - name: Try to create role again in check_mode - <<: *task_parameters - check_mode: yes - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - - name: check that the user exists - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_user }}'" - - - assert: - that: - - result.rowcount == 1 - - - name: Try to create role again - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - - name: check that the user exists - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_user }}'" - - - assert: - that: - - result.rowcount == 1 - - - name: Drop role in check_mode - <<: *task_parameters - check_mode: yes - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - state: absent - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: check that the user actually exists - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_user }}'" - - - assert: - that: - - result.rowcount == 1 - - - name: Drop role in actual mode - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - state: absent - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: check that the user doesn't exist - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_user }}'" - - - assert: - that: - - result.rowcount == 0 - - - name: Try to drop role in check mode again - <<: *task_parameters - check_mode: yes - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - state: absent - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - - name: Try to drop role in actual mode again - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - state: absent - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - # - # password, no_password_changes, encrypted, expires parameters - # - - - name: Create role with password, passed as hashed md5 - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - password: md59543f1d82624df2b31672ec0f7050460 - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: Check that the user exist with a proper password - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' and rolpassword = 'md59543f1d82624df2b31672ec0f7050460'" - - - assert: - that: - - result.rowcount == 1 - - - name: Test no_password_changes - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - password: u123 - no_password_changes: yes - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - - - name: Check that nothing changed - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' and rolpassword = 'md59543f1d82624df2b31672ec0f7050460'" - - - assert: - that: - - result.rowcount == 1 - - # Storing unencrypted passwords is not available from PostgreSQL 10 - - name: Change password, passed as unencrypted - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - password: myunencryptedpass - encrypted: no - when: postgres_version_resp.stdout is version('10', '<') - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - when: postgres_version_resp.stdout is version('10', '<') - - - name: Check that the user exist with the unencrypted password - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' and rolpassword = 'myunencryptedpass'" - when: postgres_version_resp.stdout is version('10', '<') - - - assert: - that: - - result.rowcount == 1 - when: postgres_version_resp.stdout is version('10', '<') - - - name: Change password, explicit encrypted=yes - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - password: myunencryptedpass - encrypted: yes - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: Check that the user exist with encrypted password - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' and rolpassword != 'myunencryptedpass'" - - - assert: - that: - - result.rowcount == 1 - - - name: Change rolvaliduntil attribute - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - expires: 'Jan 31 2020' - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: Check the prev step - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: > - SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' - AND rolvaliduntil::text like '2020-01-31%' - - - assert: - that: - - result.rowcount == 1 - - - name: Try to set the same rolvaliduntil value again - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - expires: 'Jan 31 2020' - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - - name: Check that nothing changed - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: > - SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' - AND rolvaliduntil::text like '2020-01-31%' - - - assert: - that: - - result.rowcount == 1 - - # - # role_attr_flags - # - - name: Set role attributes - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - role_attr_flags: CREATEROLE,CREATEDB - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: Check the prev step - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: > - SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' - AND rolcreaterole = 't' and rolcreatedb = 't' - - - assert: - that: - - result.rowcount == 1 - - - name: Set the same role attributes again - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - role_attr_flags: CREATEROLE,CREATEDB - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - - name: Check the prev step - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: > - SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' - AND rolcreaterole = 't' and rolcreatedb = 't' - - - name: Set role attributes - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - role_attr_flags: NOCREATEROLE,NOCREATEDB - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - - name: Check the prev step - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: > - SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' - AND rolcreaterole = 'f' and rolcreatedb = 'f' - - - assert: - that: - - result.rowcount == 1 - - - name: Set role attributes - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - role_attr_flags: NOCREATEROLE,NOCREATEDB - - - assert: - that: - - result is not changed - - result.user == '{{ test_user }}' - - - name: Check the prev step - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: > - SELECT rolname FROM pg_authid WHERE rolname = '{{ test_user }}' - AND rolcreaterole = 'f' and rolcreatedb = 'f' - - # - # priv - # - - name: Create test table - <<: *task_parameters - postgresql_table: - <<: *pg_parameters - name: '{{ test_table }}' - columns: - - id int - - - name: Insert data to test table - <<: *task_parameters - postgresql_query: - query: "INSERT INTO {{ test_table }} (id) VALUES ('1')" - <<: *pg_parameters - - - name: Check that test_user is not allowed to read the data - <<: *task_parameters - postgresql_query: - db: postgres - login_user: '{{ pg_user }}' - session_role: '{{ test_user }}' - query: 'SELECT * FROM {{ test_table }}' - ignore_errors: yes - - - assert: - that: - - result is failed - - "'permission denied' in result.msg" - - - name: Grant privileges - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - priv: '{{ test_table }}:SELECT' - - - assert: - that: - - result is changed - - - name: Check that test_user is allowed to read the data - <<: *task_parameters - postgresql_query: - db: postgres - login_user: '{{ pg_user }}' - session_role: '{{ test_user }}' - query: 'SELECT * FROM {{ test_table }}' - - - assert: - that: - - result.rowcount == 1 - - - name: Grant the same privileges again - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - priv: '{{ test_table }}:SELECT' - - - assert: - that: - - result is not changed - - - name: Remove test table - <<: *task_parameters - postgresql_table: - <<: *pg_parameters - name: '{{ test_table }}' - state: absent - - # - # fail_on_user - # - - name: Create test table, set owner as test_user - <<: *task_parameters - postgresql_table: - <<: *pg_parameters - name: '{{ test_table }}' - owner: '{{ test_user }}' - - - name: Test fail_on_user - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - state: absent - ignore_errors: yes - - - assert: - that: - - result is failed - - result.msg == 'Unable to remove user' - - - name: Test fail_on_user - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - fail_on_user: no - - - assert: - that: - - result is not changed - - # - # Test groups parameter - # - - name: Create test group - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_group2 }}' - role_attr_flags: NOLOGIN - - - name: Create role test_group1 and grant test_group2 to test_group1 in check_mode - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_group1 }}' - groups: '{{ test_group2 }}' - role_attr_flags: NOLOGIN - check_mode: yes - - - assert: - that: - - result is changed - - result.user == '{{ test_group1 }}' - - result.queries == ['CREATE USER "{{ test_group1 }}" NOLOGIN', 'GRANT "{{ test_group2 }}" TO "{{ test_group1 }}"'] - - - name: check that the user doesn't exist - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_group1 }}'" - - - assert: - that: - - result.rowcount == 0 - - - name: check membership - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT grolist FROM pg_group WHERE groname = '{{ test_group2 }}' AND grolist != '{}'" - - - assert: - that: - - result.rowcount == 0 - - - name: Create role test_group1 and grant test_group2 to test_group1 - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_group1 }}' - groups: '{{ test_group2 }}' - role_attr_flags: NOLOGIN - - - assert: - that: - - result is changed - - result.user == '{{ test_group1 }}' - - result.queries == ['CREATE USER "{{ test_group1 }}" NOLOGIN', 'GRANT "{{ test_group2 }}" TO "{{ test_group1 }}"'] - - - name: check that the user exists - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT rolname FROM pg_roles WHERE rolname = '{{ test_group1 }}'" - - - assert: - that: - - result.rowcount == 1 - - - name: check membership - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT grolist FROM pg_group WHERE groname = '{{ test_group2 }}' AND grolist != '{}'" - - - assert: - that: - - result.rowcount == 1 - - - name: Grant test_group2 to test_group1 again - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_group1 }}' - groups: '{{ test_group2 }}' - - - assert: - that: - - result is not changed - - result.user == '{{ test_group1 }}' - - - name: check membership - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT grolist FROM pg_group WHERE groname = '{{ test_group2 }}' AND grolist != '{}'" - - - assert: - that: - - result.rowcount == 1 - - - name: Grant groups to existent role - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ test_user }}' - groups: - - '{{ test_group1 }}' - - '{{ test_group2 }}' - - - assert: - that: - - result is changed - - result.user == '{{ test_user }}' - - result.queries == ['GRANT "{{ test_group1 }}" TO "{{ test_user }}"', 'GRANT "{{ test_group2 }}" TO "{{ test_user }}"'] - - - name: check membership - <<: *task_parameters - postgresql_query: - <<: *pg_parameters - query: "SELECT * FROM pg_group WHERE groname in ('{{ test_group1 }}', '{{ test_group2 }}') AND grolist != '{}'" - - - assert: - that: - - result.rowcount == 2 - - always: - # - # Clean up - # - - name: Drop test table - <<: *task_parameters - postgresql_table: - <<: *pg_parameters - name: '{{ test_table }}' - state: absent - - - name: Drop test user - <<: *task_parameters - postgresql_user: - <<: *pg_parameters - name: '{{ item }}' - state: absent - loop: - - '{{ test_user }}' - - '{{ test_group1 }}' - - '{{ test_group2 }}' diff --git a/test/integration/targets/postgresql/tasks/session_role.yml b/test/integration/targets/postgresql/tasks/session_role.yml deleted file mode 100644 index 6b17f522e8..0000000000 --- a/test/integration/targets/postgresql/tasks/session_role.yml +++ /dev/null @@ -1,254 +0,0 @@ -- name: Check that becoming an non-existing user throws an error - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - session_role: "{{ db_session_role1 }}" - register: result - ignore_errors: yes - -- assert: - that: - - result is failed - -- name: Create a high privileged user - become: yes - become_user: "{{ pg_user }}" - postgresql_user: - name: "{{ db_session_role1 }}" - state: "present" - password: "password" - role_attr_flags: "CREATEDB,LOGIN,CREATEROLE" - login_user: "{{ pg_user }}" - db: postgres - -- name: Create a low privileged user using the newly created user - become: yes - become_user: "{{ pg_user }}" - postgresql_user: - name: "{{ db_session_role2 }}" - state: "present" - password: "password" - role_attr_flags: "LOGIN" - login_user: "{{ pg_user }}" - session_role: "{{ db_session_role1 }}" - db: postgres - -- name: Create DB as session_role - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - session_role: "{{ db_session_role1 }}" - register: result - -- name: Check that database created and is owned by correct user - become_user: "{{ pg_user }}" - become: yes - shell: echo "select rolname from pg_database join pg_roles on datdba = pg_roles.oid where datname = '{{ db_session_role1 }}';" | psql -AtXq postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '{{ db_session_role1 }}'" - -- name: Fail when creating database as low privileged user - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_session_role2 }}" - login_user: "{{ pg_user }}" - session_role: "{{ db_session_role2 }}" - register: result - ignore_errors: yes - -- assert: - that: - - result is failed - -- name: Create schema in own database - become_user: "{{ pg_user }}" - become: yes - postgresql_schema: - database: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - name: "{{ db_session_role1 }}" - session_role: "{{ db_session_role1 }}" - -- name: Create schema in own database, should be owned by session_role - become_user: "{{ pg_user }}" - become: yes - postgresql_schema: - database: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - name: "{{ db_session_role1 }}" - owner: "{{ db_session_role1 }}" - register: result - -- assert: - that: - - result is not changed - -- name: Fail when creating schema in postgres database as a regular user - become_user: "{{ pg_user }}" - become: yes - postgresql_schema: - database: postgres - login_user: "{{ pg_user }}" - name: "{{ db_session_role1 }}" - session_role: "{{ db_session_role1 }}" - ignore_errors: yes - register: result - -- assert: - that: - - result is failed - -# PostgreSQL introduced extensions in 9.1, some checks are still run against older versions, therefore we need to ensure -# we only run these tests against supported PostgreSQL databases - -- name: Check that pg_extension exists (postgresql >= 9.1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select count(*) from pg_class where relname='pg_extension' and relkind='r'" | psql -AtXq postgres - register: pg_extension - -- name: Remove plpgsql from testdb using postgresql_ext - become_user: "{{ pg_user }}" - become: yes - postgresql_ext: - name: plpgsql - db: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - state: absent - when: - "pg_extension.stdout_lines[-1] == '1'" - -- name: Fail when trying to create an extension as a mere mortal user - become_user: "{{ pg_user }}" - become: yes - postgresql_ext: - name: plpgsql - db: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - session_role: "{{ db_session_role2 }}" - ignore_errors: yes - register: result - when: - "pg_extension.stdout_lines[-1] == '1'" - -- assert: - that: - - result is failed - when: - "pg_extension.stdout_lines[-1] == '1'" - -- name: Install extension as session_role - become_user: "{{ pg_user }}" - become: yes - postgresql_ext: - name: plpgsql - db: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - session_role: "{{ db_session_role1 }}" - when: - "pg_extension.stdout_lines[-1] == '1'" - -- name: Check that extension is created and is owned by session_role - become_user: "{{ pg_user }}" - become: yes - shell: echo "select rolname from pg_extension join pg_roles on extowner=pg_roles.oid where extname='plpgsql';" | psql -AtXq "{{ db_session_role1 }}" - register: result - when: - "pg_extension.stdout_lines[-1] == '1'" - -- assert: - that: - - "result.stdout_lines[-1] == '{{ db_session_role1 }}'" - when: - "pg_extension.stdout_lines[-1] == '1'" - -- name: Remove plpgsql from testdb using postgresql_ext - become_user: "{{ pg_user }}" - become: yes - postgresql_ext: - name: plpgsql - db: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - state: absent - when: - "pg_extension.stdout_lines[-1] == '1'" - -# End of postgresql_ext conditional tests against PostgreSQL 9.1+ - -- name: Create table to be able to grant privileges - become_user: "{{ pg_user }}" - become: yes - shell: echo "CREATE TABLE test(i int); CREATE TABLE test2(i int);" | psql -AtXq "{{ db_session_role1 }}" - -- name: Grant all privileges on test1 table to low privileged user - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - db: "{{ db_session_role1 }}" - type: table - objs: test - roles: "{{ db_session_role2 }}" - login_user: "{{ pg_user }}" - privs: select - admin_option: yes - -- name: Verify admin option was successful for grants - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - db: "{{ db_session_role1 }}" - type: table - objs: test - roles: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - privs: select - session_role: "{{ db_session_role2 }}" - -- name: Verify no grants can be granted for test2 table - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - db: "{{ db_session_role1 }}" - type: table - objs: test2 - roles: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - privs: update - session_role: "{{ db_session_role2 }}" - ignore_errors: yes - register: result - -- assert: - that: - - result is failed - -- name: Drop test db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: absent - name: "{{ db_session_role1 }}" - login_user: "{{ pg_user }}" - -- name: Drop test users - become: yes - become_user: "{{ pg_user }}" - postgresql_user: - name: "{{ item }}" - state: absent - login_user: "{{ pg_user }}" - db: postgres - with_items: - - "{{ db_session_role1 }}" - - "{{ db_session_role2 }}" diff --git a/test/integration/targets/postgresql/tasks/ssl.yml b/test/integration/targets/postgresql/tasks/ssl.yml deleted file mode 100644 index 3a5e5e4da0..0000000000 --- a/test/integration/targets/postgresql/tasks/ssl.yml +++ /dev/null @@ -1,105 +0,0 @@ -# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -# The aim of this test is to be sure that SSL options work in general -# and preparing the environment for testing these options in -# the following PostgreSQL modules (ssl_db, ssl_user, certs). -# Configured by https://www.postgresql.org/docs/current/ssl-tcp.html - -#################### -# Prepare for tests: - -- name: postgresql SSL - create database - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ ssl_db }}" - -- name: postgresql SSL - create role - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ ssl_user }}" - role_attr_flags: SUPERUSER - password: "{{ ssl_pass }}" - -- name: postgresql SSL - install openssl - become: yes - package: name=openssl state=present - -- name: postgresql SSL - create certs 1 - become_user: root - become: yes - shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/root.csr \ - -keyout ~{{ pg_user }}/root.key -subj "/CN=localhost.local"' - -- name: postgresql SSL - create certs 2 - become_user: root - become: yes - shell: 'openssl x509 -req -in ~{{ pg_user }}/root.csr -text -days 3650 \ - -extensions v3_ca -signkey ~{{ pg_user }}/root.key -out ~{{ pg_user }}/root.crt' - -- name: postgresql SSL - create certs 3 - become_user: root - become: yes - shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/server.csr \ - -keyout ~{{ pg_user }}/server.key -subj "/CN=localhost.local"' - -- name: postgresql SSL - create certs 4 - become_user: root - become: yes - shell: 'openssl x509 -req -in ~{{ pg_user }}/server.csr -text -days 365 \ - -CA ~{{ pg_user }}/root.crt -CAkey ~{{ pg_user }}/root.key -CAcreateserial -out server.crt' - -- name: postgresql SSL - set right permissions to files - become_user: root - become: yes - file: - path: '{{ item }}' - mode: 0600 - owner: '{{ pg_user }}' - group: '{{ pg_user }}' - with_items: - - '~{{ pg_user }}/root.key' - - '~{{ pg_user }}/server.key' - - '~{{ pg_user }}/root.crt' - - '~{{ pg_user }}/server.csr' - -- name: postgresql SSL - enable SSL - become_user: "{{ pg_user }}" - become: yes - postgresql_set: - login_user: "{{ pg_user }}" - db: postgres - name: ssl - value: on - -- name: postgresql SSL - reload PostgreSQL to enable ssl on - become: yes - service: - name: "{{ postgresql_service }}" - state: reloaded - -############### -# Do main tests - -- name: postgresql SSL - ping DB with SSL - become_user: "{{ pg_user }}" - become: yes - postgresql_ping: - db: "{{ ssl_db }}" - login_user: "{{ ssl_user }}" - login_password: "{{ ssl_pass }}" - login_host: 127.0.0.1 - login_port: 5432 - ssl_mode: require - ca_cert: '{{ ssl_rootcert }}' - register: result - -- assert: - that: - - result.is_available == true - -################################################### -# I decided not to clean ssl_db, ssl_user and certs -# for testing options related with SSL in other modules diff --git a/test/integration/targets/postgresql/tasks/state_dump_restore.yml b/test/integration/targets/postgresql/tasks/state_dump_restore.yml deleted file mode 100644 index d4327d362f..0000000000 --- a/test/integration/targets/postgresql/tasks/state_dump_restore.yml +++ /dev/null @@ -1,140 +0,0 @@ -# test code for state dump and restore for postgresql_db module -# copied from mysql_db/tasks/state_dump_import.yml -# (c) 2014, Wayne Rosario <wrosario@ansible.com> - -# This file is part of Ansible -# -# Ansible is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# Ansible is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Ansible. If not, see <http://www.gnu.org/licenses/>. - -# ============================================================ -- set_fact: db_file_name="{{tmp_dir}}/{{file}}" - -- set_fact: - admin_str: "psql -U {{ pg_user }}" - -- set_fact: - user_str: "env PGPASSWORD=password psql -h localhost -U {{ db_user1 }} {{ db_name }}" - when: test_fixture == "user" - # "-n public" is required to work around pg_restore issues with plpgsql - -- set_fact: - user_str: "psql -U {{ pg_user }} {{ db_name }}" - when: test_fixture == "admin" - - - -- set_fact: - sql_create: "create table employee(id int, name varchar(100));" - sql_insert: "insert into employee values (47,'Joe Smith');" - sql_select: "select * from employee;" - -- name: state dump/restore - create database - postgresql_db: - state: present - name: "{{ db_name }}" - owner: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - -- name: state dump/restore - create table employee - command: '{{ user_str }} -c "{{ sql_create }}"' - -- name: state dump/restore - insert data into table employee - command: '{{ user_str }} -c "{{ sql_insert }}"' - -- name: state dump/restore - file name should not exist - file: name={{ db_file_name }} state=absent - -- name: test state=dump to backup the database (expect changed=true) - postgresql_db: - name: "{{ db_name }}" - target: "{{ db_file_name }}" - owner: "{{ db_user1 }}" - login_user: '{{(test_fixture == "user")|ternary(db_user1, pg_user)}}' - target_opts: '{{(test_fixture == "user")|ternary("-n public", omit)}}' - login_host: '{{(test_fixture == "user")|ternary("localhost", omit)}}' - login_password: '{{(test_fixture == "user")|ternary("password", omit)}}' - state: dump - register: result - become_user: "{{ pg_user }}" - become: yes - -- name: assert output message backup the database - assert: - that: - - result is changed - -- name: assert database was backed up successfully - command: file {{ db_file_name }} - register: result - -- name: state dump/restore - remove database for restore - postgresql_db: - name: "{{ db_name }}" - target: "{{ db_file_name }}" - owner: "{{ db_user1 }}" - login_user: '{{(test_fixture == "user")|ternary(db_user1, pg_user)}}' - target_opts: '{{(test_fixture == "user")|ternary("-n public", omit)}}' - login_host: '{{(test_fixture == "user")|ternary("localhost", omit)}}' - login_password: '{{(test_fixture == "user")|ternary("password", omit)}}' - state: absent - -- name: state dump/restore - re-create database - postgresql_db: - state: present - name: "{{ db_name }}" - owner: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - -- name: test state=restore to restore the database (expect changed=true) - postgresql_db: - name: "{{ db_name }}" - target: "{{ db_file_name }}" - owner: "{{ db_user1 }}" - login_user: '{{(test_fixture == "user")|ternary(db_user1, pg_user)}}' - target_opts: '{{(test_fixture == "user")|ternary("-n public", omit)}}' - login_host: '{{(test_fixture == "user")|ternary("localhost", omit)}}' - login_password: '{{(test_fixture == "user")|ternary("password", omit)}}' - state: restore - register: result - become_user: "{{ pg_user }}" - become: yes - -- name: assert output message restore the database - assert: - that: - - result is changed - -- name: select data from table employee - command: '{{ user_str }} -c "{{ sql_select }}"' - register: result - -- name: assert data in database is from the restore database - assert: - that: - - "'47' in result.stdout" - - "'Joe Smith' in result.stdout" - -- name: state dump/restore - remove database name - postgresql_db: - name: "{{ db_name }}" - target: "{{ db_file_name }}" - owner: "{{ db_user1 }}" - login_user: '{{(test_fixture == "user")|ternary(db_user1, pg_user)}}' - target_opts: '{{(test_fixture == "user")|ternary("-n public", omit)}}' - login_host: '{{(test_fixture == "user")|ternary("localhost", omit)}}' - login_password: '{{(test_fixture == "user")|ternary("password", omit)}}' - state: absent - -- name: remove file name - file: name={{ db_file_name }} state=absent diff --git a/test/integration/targets/postgresql/tasks/test_no_password_change.yml b/test/integration/targets/postgresql/tasks/test_no_password_change.yml deleted file mode 100644 index c296c0ea77..0000000000 --- a/test/integration/targets/postgresql/tasks/test_no_password_change.yml +++ /dev/null @@ -1,167 +0,0 @@ -- vars: - task_parameters: &task_parameters - become_user: "{{ pg_user }}" - become: yes - register: result - postgresql_parameters: ¶meters - db: postgres - name: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - - block: - - - name: Create a user with all role attributes - <<: *task_parameters - postgresql_user: - <<: *parameters - state: "present" - role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,LOGIN{{ bypassrls_supported | ternary(',BYPASSRLS', '') }}" - no_password_changes: '{{ no_password_changes }}' # no_password_changes is ignored when user doesn't already exist - - - name: Check that the user has the requested role attributes - <<: *task_parameters - shell: "echo \"select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin {{ bypassrls_supported | ternary(\", 'bypassrls:'||rolbypassrls\", '') }} from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres" - - - assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'super:t' in result.stdout_lines[-2]" - - "'createrole:t' in result.stdout_lines[-2]" - - "'create:t' in result.stdout_lines[-2]" - - "'inherit:t' in result.stdout_lines[-2]" - - "'login:t' in result.stdout_lines[-2]" - - - block: - - name: Check that the user has the requested role attribute BYPASSRLS - <<: *task_parameters - shell: "echo \"select 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres" - - - assert: - that: - - "not bypassrls_supported or 'bypassrls:t' in result.stdout_lines[-2]" - when: bypassrls_supported - - - name: Modify a user to have no role attributes - <<: *task_parameters - postgresql_user: - <<: *parameters - state: "present" - role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN{{ bypassrls_supported | ternary(',NOBYPASSRLS', '') }}" - no_password_changes: '{{ no_password_changes }}' - - - name: Check that ansible reports it modified the role - assert: - that: - - result is changed - - - name: "Check that the user doesn't have any attribute" - <<: *task_parameters - shell: "echo \"select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres" - - - assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'super:f' in result.stdout_lines[-2]" - - "'createrole:f' in result.stdout_lines[-2]" - - "'create:f' in result.stdout_lines[-2]" - - "'inherit:f' in result.stdout_lines[-2]" - - "'login:f' in result.stdout_lines[-2]" - - - block: - - name: Check that the user has the requested role attribute BYPASSRLS - <<: *task_parameters - shell: "echo \"select 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';\" | psql -d postgres" - - - assert: - that: - - "not bypassrls_supported or 'bypassrls:f' in result.stdout_lines[-2]" - when: bypassrls_supported - - - name: Try to add an invalid attribute - <<: *task_parameters - postgresql_user: - <<: *parameters - state: "present" - role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN{{ bypassrls_supported | ternary(',NOBYPASSRLS', '') }},INVALID" - no_password_changes: '{{ no_password_changes }}' - ignore_errors: yes - - - name: Check that ansible reports failure - assert: - that: - - result is not changed - - result is failed - - "result.msg == 'Invalid role_attr_flags specified: INVALID'" - - - name: Modify a single role attribute on a user - <<: *task_parameters - postgresql_user: - <<: *parameters - state: "present" - role_attr_flags: "LOGIN" - no_password_changes: '{{ no_password_changes }}' - - - name: Check that ansible reports it modified the role - assert: - that: - - result is changed - - - name: Check the role attributes - <<: *task_parameters - shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres - - - assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'super:f' in result.stdout_lines[-2]" - - "'createrole:f' in result.stdout_lines[-2]" - - "'create:f' in result.stdout_lines[-2]" - - "'inherit:f' in result.stdout_lines[-2]" - - "'login:t' in result.stdout_lines[-2]" - - - block: - - name: Check the role attribute BYPASSRLS - <<: *task_parameters - shell: echo "select 'bypassrls:'||rolbypassrls from pg_roles where rolname='{{ db_user1 }}';" | psql -d postgres - - - assert: - that: - - "( postgres_version_resp.stdout is version('9.5.0', '<')) or 'bypassrls:f' in result.stdout_lines[-2]" - when: bypassrls_supported - - - name: Check that using same attribute a second time does nothing - <<: *task_parameters - postgresql_user: - <<: *parameters - state: "present" - role_attr_flags: "LOGIN" - no_password_changes: '{{ no_password_changes }}' - environment: - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - name: Check there isn't any update reported - assert: - that: - - result is not changed - - - name: Cleanup the user - <<: *task_parameters - postgresql_user: - <<: *parameters - state: 'absent' - no_password_changes: '{{ no_password_changes }}' # user deletion: no_password_changes is ignored - - - name: Check that user was removed - <<: *task_parameters - shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres - - - assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - - always: - - name: Cleanup the user - <<: *task_parameters - postgresql_user: - <<: *parameters - state: 'absent' diff --git a/test/integration/targets/postgresql/tasks/test_password.yml b/test/integration/targets/postgresql/tasks/test_password.yml deleted file mode 100644 index be033a5569..0000000000 --- a/test/integration/targets/postgresql/tasks/test_password.yml +++ /dev/null @@ -1,336 +0,0 @@ -- vars: - task_parameters: &task_parameters - become_user: "{{ pg_user }}" - become: yes - register: result - postgresql_parameters: ¶meters - db: postgres - name: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - - block: - - name: 'Check that PGOPTIONS environment variable is effective (1/2)' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '{{ db_password1 }}' - ignore_errors: true - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - name: 'Check that PGOPTIONS environment variable is effective (2/2)' - assert: - that: - - "{{ result is failed }}" - - - name: 'Create a user (password encrypted: {{ encrypted }})' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '{{ db_password1 }}' - encrypted: '{{ encrypted }}' - environment: - PGCLIENTENCODING: 'UTF8' - - - block: &changed # block is only used here in order to be able to define YAML anchor - - name: Check that ansible reports it was created - assert: - that: - - "{{ result is changed }}" - - - name: Check that it was created - <<: *task_parameters - shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres - - - assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - - name: Check that creating user a second time does nothing - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '{{ db_password1 }}' - encrypted: '{{ encrypted }}' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - block: ¬_changed # block is only used here in order to be able to define YAML anchor - - name: Check that ansible reports no change - assert: - that: - - "{{ result is not changed }}" - - - name: 'Define an expiration time' - <<: *task_parameters - postgresql_user: - <<: *parameters - expires: '2025-01-01' - environment: - PGCLIENTENCODING: 'UTF8' - - - <<: *changed - - - name: 'Redefine the same expiration time' - <<: *task_parameters - postgresql_user: - expires: '2025-01-01' - <<: *parameters - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - block: - - - name: 'Using MD5-hashed password: check that password not changed when using cleartext password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '{{ db_password1 }}' - encrypted: 'yes' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: "Using MD5-hashed password: check that password not changed when using md5 hash with 'ENCRYPTED'" - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}" - encrypted: 'yes' - environment: - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: "Using MD5-hashed password: check that password not changed when using md5 hash with 'UNENCRYPTED'" - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}" - encrypted: 'no' - environment: - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Redefine the same expiration time and password (encrypted)' - <<: *task_parameters - postgresql_user: - <<: *parameters - encrypted: 'yes' - password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}" - expires: '2025-01-01' - environment: - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Using MD5-hashed password: check that password changed when using another cleartext password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: 'prefix{{ db_password1 }}' - encrypted: 'yes' - environment: - PGCLIENTENCODING: 'UTF8' - - - <<: *changed - - - name: "Using MD5-hashed password: check that password changed when using another md5 hash with 'ENCRYPTED'" - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "md5{{ ('prefix1' ~ db_password1 ~ db_user1) | hash('md5')}}" - encrypted: 'yes' - - - <<: *changed - - - name: "Using MD5-hashed password: check that password changed when using md5 hash with 'UNENCRYPTED'" - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "md5{{ ('prefix2' ~ db_password1 ~ db_user1) | hash('md5')}}" - encrypted: 'no' - register: change_pass_unencrypted - failed_when: - - change_pass_unencrypted is failed - # newer version of psycopg2 no longer supported unencrypted password, we ignore the error - - '"UNENCRYPTED PASSWORD is no longer supported" not in change_pass_unencrypted.msg' - - - <<: *changed - - - name: 'Using MD5-hashed password: check that password changed when clearing the password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '' - encrypted: 'yes' - environment: - PGCLIENTENCODING: 'UTF8' - - - <<: *changed - - - name: 'Using MD5-hashed password: check that password not changed when clearing the password again' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '' - encrypted: 'yes' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Using cleartext password: check that password not changed when clearing the password again' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '' - encrypted: 'no' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Using MD5-hashed password: check that password changed when using a cleartext password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '{{ db_password1 }}' - encrypted: 'yes' - environment: - PGCLIENTENCODING: 'UTF8' - - - <<: *changed - - when: encrypted == 'yes' - - - block: - - - name: 'Using cleartext password: check that password not changed when using cleartext password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "{{ db_password1 }}" - encrypted: 'no' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Redefine the same expiration time and password (not encrypted)' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "{{ db_password1 }}" - encrypted: 'no' - expires: '2025-01-01' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Using cleartext password: check that password changed when using another cleartext password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "changed{{ db_password1 }}" - encrypted: 'no' - environment: - PGCLIENTENCODING: 'UTF8' - - - <<: *changed - - - name: 'Using cleartext password: check that password changed when clearing the password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '' - encrypted: 'no' - environment: - PGCLIENTENCODING: 'UTF8' - - - <<: *changed - - - name: 'Using cleartext password: check that password not changed when clearing the password again' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '' - encrypted: 'no' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Using MD5-hashed password: check that password not changed when clearing the password again' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: '' - encrypted: 'yes' - environment: - PGCLIENTENCODING: 'UTF8' - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - - name: 'Using cleartext password: check that password changed when using cleartext password' - <<: *task_parameters - postgresql_user: - <<: *parameters - password: "{{ db_password1 }}" - encrypted: 'no' - environment: - PGCLIENTENCODING: 'UTF8' - - - <<: *changed - - when: encrypted == 'no' - - - name: Remove user - <<: *task_parameters - postgresql_user: - state: 'absent' - <<: *parameters - - - <<: *changed - - - name: Check that they were removed - <<: *task_parameters - shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres - environment: - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - - - name: Check that removing user a second time does nothing - <<: *task_parameters - postgresql_user: - state: 'absent' - <<: *parameters - environment: - PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed - - - <<: *not_changed - - always: - - name: Remove user - <<: *task_parameters - postgresql_user: - state: 'absent' - <<: *parameters diff --git a/test/integration/targets/postgresql/tasks/test_target_role.yml b/test/integration/targets/postgresql/tasks/test_target_role.yml deleted file mode 100644 index 75b58ddfd8..0000000000 --- a/test/integration/targets/postgresql/tasks/test_target_role.yml +++ /dev/null @@ -1,94 +0,0 @@ ---- - -# Setup -- name: Create DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_name }}" - owner: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - -- name: Create a user to be given permissions and other tests - postgresql_user: - name: "{{ db_user2 }}" - state: present - encrypted: yes - password: password - role_attr_flags: LOGIN - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -####################################### -# Test default_privs with target_role # -####################################### - -# Test -- name: Grant default privileges for new table objects - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - db: "{{ db_name }}" - objs: TABLES - privs: SELECT - type: default_privs - role: "{{ db_user2 }}" - target_roles: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - register: result - -# Checks -- assert: - that: result is changed - -- name: Check that default privileges are set - become: yes - become_user: "{{ pg_user }}" - shell: psql {{ db_name }} -c "SELECT defaclrole, defaclobjtype, defaclacl FROM pg_default_acl a JOIN pg_roles b ON a.defaclrole=b.oid;" -t - register: result - -- assert: - that: "'{{ db_user2 }}=r/{{ db_user1 }}' in '{{ result.stdout_lines[0] }}'" - -# Test -- name: Revoke default privileges for new table objects - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - db: "{{ db_name }}" - state: absent - objs: TABLES - privs: SELECT - type: default_privs - role: "{{ db_user2 }}" - target_roles: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - register: result - -# Checks -- assert: - that: result is changed - -# Cleanup -- name: Remove user given permissions - postgresql_user: - name: "{{ db_user2 }}" - state: absent - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Remove user owner of objects - postgresql_user: - name: "{{ db_user3 }}" - state: absent - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Destroy DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ pg_user }}" diff --git a/test/integration/targets/postgresql/tasks/unsorted.yml b/test/integration/targets/postgresql/tasks/unsorted.yml deleted file mode 100644 index 963b9db90b..0000000000 --- a/test/integration/targets/postgresql/tasks/unsorted.yml +++ /dev/null @@ -1,789 +0,0 @@ -# -# Create and destroy db -# -- name: Create DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that module reports the db was created - assert: - that: - - result is changed - - "result.db == db_name" - -- name: Check that database created - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - -- name: Run create on an already created db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that module reports the db was unchanged - assert: - that: - - result is not changed - -- name: Destroy DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that module reports the db was changed - assert: - that: - - result is changed - -- name: Check that database was destroyed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Destroy DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that removing an already removed db makes no change - assert: - that: - - result is not changed - - -# This corner case works to add but not to drop. This is sufficiently crazy -# that I'm not going to attempt to fix it unless someone lets me know that they -# need the functionality -# -# - postgresql_db: -# state: 'present' -# name: '"silly.""name"' -# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql -# register: result -# -# - assert: -# that: "result.stdout_lines[-1] == '(1 row)'" -# - postgresql_db: -# state: absent -# name: '"silly.""name"' -# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql -# register: result -# -# - assert: -# that: "result.stdout_lines[-1] == '(0 rows)'" - -# -# Test conn_limit, encoding, collate, ctype, template options -# -- name: Create a DB with conn_limit, encoding, collate, ctype, and template options - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - conn_limit: '100' - encoding: 'LATIN1' - lc_collate: 'pt_BR{{ locale_latin_suffix }}' - lc_ctype: 'es_ES{{ locale_latin_suffix }}' - template: 'template0' - login_user: "{{ pg_user }}" - -- name: Check that the DB has all of our options - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname, datconnlimit, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'LATIN1' in result.stdout_lines[-2]" - - "'pt_BR' in result.stdout_lines[-2]" - - "'es_ES' in result.stdout_lines[-2]" - - "'UTF8' not in result.stdout_lines[-2]" - - "'en_US' not in result.stdout_lines[-2]" - - "'100' in result.stdout_lines[-2]" - -- name: Check that running db creation with options a second time does nothing - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - conn_limit: '100' - encoding: 'LATIN1' - lc_collate: 'pt_BR{{ locale_latin_suffix }}' - lc_ctype: 'es_ES{{ locale_latin_suffix }}' - template: 'template0' - login_user: "{{ pg_user }}" - register: result - -- assert: - that: - - result is not changed - - -- name: Check that attempting to change encoding returns an error - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - encoding: 'UTF8' - lc_collate: 'pt_BR{{ locale_utf8_suffix }}' - lc_ctype: 'es_ES{{ locale_utf8_suffix }}' - template: 'template0' - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -- assert: - that: - - result is failed - -- name: Check that changing the conn_limit actually works - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - conn_limit: '200' - encoding: 'LATIN1' - lc_collate: 'pt_BR{{ locale_latin_suffix }}' - lc_ctype: 'es_ES{{ locale_latin_suffix }}' - template: 'template0' - login_user: "{{ pg_user }}" - register: result - -- assert: - that: - - result is changed - -- name: Check that conn_limit has actually been set / updated to 200 - become_user: "{{ pg_user }}" - become: yes - shell: echo "SELECT datconnlimit AS conn_limit FROM pg_database WHERE datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'200' == '{{ result.stdout_lines[-2] | trim }}'" - -- name: Cleanup test DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'absent' - login_user: "{{ pg_user }}" - -- shell: echo "select datname, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql -d postgres - become_user: "{{ pg_user }}" - become: yes - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -# -# Create and destroy user, test 'password' and 'encrypted' parameters -# -# unencrypted values are not supported on newer versions -# do not run the encrypted: no tests if on 10+ -- set_fact: - encryption_values: - - 'yes' - -- set_fact: - encryption_values: '{{ encryption_values + ["no"]}}' - when: postgres_version_resp.stdout is version('10', '<=') - -- include_tasks: test_password.yml - vars: - encrypted: '{{ loop_item }}' - db_password1: 'secretù' # use UTF-8 - loop: '{{ encryption_values }}' - loop_control: - loop_var: loop_item - -# BYPASSRLS role attribute was introduced in PostgreSQL 9.5, so -# we want to test attribute management differently depending -# on the version. -- set_fact: - bypassrls_supported: "{{ postgres_version_resp.stdout is version('9.5.0', '>=') }}" - -# test 'no_password_change' and 'role_attr_flags' parameters -- include_tasks: test_no_password_change.yml - vars: - no_password_changes: '{{ loop_item }}' - loop: - - 'yes' - - 'no' - loop_control: - loop_var: loop_item - -### TODO: fail_on_user - -# -# Test db ownership -# -- name: Create an unprivileged user to own a DB - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md55c8ccfd9d6711fc69a7eae647fc54f51" - login_user: "{{ pg_user }}" - db: postgres - -- name: Create db with user ownership - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "present" - owner: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - -- name: Check that the user owns the newly created DB - become_user: "{{ pg_user }}" - become: yes - shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}' == '{{ result.stdout_lines[-2] | trim }}'" - -- name: Change the owner on an existing db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "present" - owner: "{{ pg_user }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that ansible says it changed the db - assert: - that: - - result is changed - -- name: Check that the user owns the newly created DB - become_user: "{{ pg_user }}" - become: yes - shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'{{ pg_user }}' == '{{ result.stdout_lines[-2] | trim }}'" - -- name: Cleanup db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "absent" - login_user: "{{ pg_user }}" - -- name: Check that database was destroyed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Cleanup test user - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - state: 'absent' - login_user: "{{ pg_user }}" - db: postgres - -- name: Check that they were removed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -# -# Test settings privileges -# -- name: Create db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "present" - login_user: "{{ pg_user }}" - -- name: Create some tables on the db - become_user: "{{ pg_user }}" - become: yes - shell: echo "create table test_table1 (field text);" | psql {{ db_name }} - -- become_user: "{{ pg_user }}" - become: yes - shell: echo "create table test_table2 (field text);" | psql {{ db_name }} - -- vars: - db_password: 'secretù' # use UTF-8 - block: - - name: Create a user with some permissions on the db - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md5{{ (db_password ~ db_user1) | hash('md5')}}" - db: "{{ db_name }}" - priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP' - login_user: "{{ pg_user }}" - - - include_tasks: pg_authid_not_readable.yml - -- name: Check that the user has the requested permissions (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- name: Check that the user has the requested permissions (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- name: Check that the user has the requested permissions (database) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(7 rows)'" - - "'INSERT' in result_table1.stdout" - - "'SELECT' in result_table1.stdout" - - "'UPDATE' in result_table1.stdout" - - "'DELETE' in result_table1.stdout" - - "'TRUNCATE' in result_table1.stdout" - - "'REFERENCES' in result_table1.stdout" - - "'TRIGGER' in result_table1.stdout" - - "result_table2.stdout_lines[-1] == '(1 row)'" - - "'INSERT' == '{{ result_table2.stdout_lines[-2] | trim }}'" - - "result_database.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}=CTc/{{ pg_user }}' in result_database.stdout_lines[-2]" - -- name: Add another permission for the user - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md55c8ccfd9d6711fc69a7eae647fc54f51" - db: "{{ db_name }}" - priv: 'test_table2:select' - login_user: "{{ pg_user }}" - register: result - -- name: Check that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that the user has the requested permissions (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table2.stdout_lines[-1] == '(2 rows)'" - - "'INSERT' in result_table2.stdout" - - "'SELECT' in result_table2.stdout" - - -# -# Test priv setting via postgresql_privs module -# (Depends on state from previous _user privs tests) -# - -- name: Revoke a privilege - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - type: "table" - state: "absent" - roles: "{{ db_user1 }}" - privs: "INSERT" - objs: "test_table2" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: Check that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that the user has the requested permissions (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table2.stdout_lines[-1] == '(1 row)'" - - "'SELECT' == '{{ result_table2.stdout_lines[-2] | trim }}'" - -- name: Revoke many privileges on multiple tables - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - state: "absent" - roles: "{{ db_user1 }}" - privs: "INSERT,select,UPDATE,TRUNCATE,REFERENCES,TRIGGER,delete" - objs: "test_table2,test_table1" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: Check that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that permissions were revoked (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- name: Check that permissions were revoked (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(0 rows)'" - - "result_table2.stdout_lines[-1] == '(0 rows)'" - -- name: Revoke database privileges - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - type: "database" - state: "absent" - roles: "{{ db_user1 }}" - privs: "Create,connect,TEMP" - objs: "{{ db_name }}" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Check that the user has the requested permissions (database) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_database.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}' not in result_database.stdout" - -- name: Grant database privileges - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - type: "database" - state: "present" - roles: "{{ db_user1 }}" - privs: "CREATE,connect" - objs: "{{ db_name }}" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: Check that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that the user has the requested permissions (database) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_database.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}=Cc' in result_database.stdout" - -- name: Grant a single privilege on a table - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - state: "present" - roles: "{{ db_user1 }}" - privs: "INSERT" - objs: "test_table1" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Check that permissions were added (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(1 row)'" - - "'{{ result_table1.stdout_lines[-2] | trim }}' == 'INSERT'" - -- name: Grant many privileges on multiple tables - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - state: "present" - roles: "{{ db_user1 }}" - privs: 'INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,trigger' - objs: "test_table2,test_table1" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Check that permissions were added (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- name: Check that permissions were added (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(7 rows)'" - - "'INSERT' in result_table1.stdout" - - "'SELECT' in result_table1.stdout" - - "'UPDATE' in result_table1.stdout" - - "'DELETE' in result_table1.stdout" - - "'TRUNCATE' in result_table1.stdout" - - "'REFERENCES' in result_table1.stdout" - - "'TRIGGER' in result_table1.stdout" - - "result_table2.stdout_lines[-1] == '(7 rows)'" - - "'INSERT' in result_table2.stdout" - - "'SELECT' in result_table2.stdout" - - "'UPDATE' in result_table2.stdout" - - "'DELETE' in result_table2.stdout" - - "'TRUNCATE' in result_table2.stdout" - - "'REFERENCES' in result_table2.stdout" - - "'TRIGGER' in result_table2.stdout" - -# -# Cleanup -# -- name: Cleanup db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "absent" - login_user: "{{ pg_user }}" - -- name: Check that database was destroyed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Cleanup test user - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - state: 'absent' - login_user: "{{ pg_user }}" - db: postgres - -- name: Check that they were removed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -# -# Test login_user functionality -# -- name: Create a user to test login module parameters - become: yes - become_user: "{{ pg_user }}" - postgresql_user: - name: "{{ db_user1 }}" - state: "present" - encrypted: 'yes' - password: "password" - role_attr_flags: "CREATEDB,LOGIN,CREATEROLE" - login_user: "{{ pg_user }}" - db: postgres - -- name: Create db - postgresql_db: - name: "{{ db_name }}" - state: "present" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that database created - become: yes - become_user: "{{ pg_user }}" - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - -- name: Create a user - postgresql_user: - name: "{{ db_user2 }}" - state: "present" - encrypted: 'yes' - password: "md55c8ccfd9d6711fc69a7eae647fc54f51" - db: "{{ db_name }}" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that it was created - become: yes - become_user: "{{ pg_user }}" - shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - -- name: Grant database privileges - postgresql_privs: - type: "database" - state: "present" - roles: "{{ db_user2 }}" - privs: "CREATE,connect" - objs: "{{ db_name }}" - db: "{{ db_name }}" - login: "{{ db_user1 }}" - password: "password" - host: "localhost" - -- name: Check that the user has the requested permissions (database) - become: yes - become_user: "{{ pg_user }}" - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_database.stdout_lines[-1] == '(1 row)'" - - "db_user2 ~ '=Cc' in result_database.stdout" - -- name: Remove user - postgresql_user: - name: "{{ db_user2 }}" - state: 'absent' - priv: "ALL" - db: "{{ db_name }}" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that they were removed - become: yes - become_user: "{{ pg_user }}" - shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Destroy DB - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that database was destroyed - become: yes - become_user: "{{ pg_user }}" - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" |