From ce856c2123cb83a4e53f9905917965e65eb679a7 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli
Date: Mon, 17 Apr 2017 01:27:46 +0200
Subject: [PATCH] postgresql_user: add tests with hashed password
---
 .../targets/postgresql/tasks/main.yml | 90 +--------
 .../targets/postgresql/tasks/test_user.yml | 166 ++++++++++++++++++
 2 files changed, 174 insertions(+), 82 deletions(-)
 create mode 100644 test/integration/targets/postgresql/tasks/test_user.yml
diff --git a/test/integration/targets/postgresql/tasks/main.yml b/test/integration/targets/postgresql/tasks/main.yml
index 5b858f8bfe..dde8947b6e 100644
--- a/test/integration/targets/postgresql/tasks/main.yml
+++ b/test/integration/targets/postgresql/tasks/main.yml
@@ -186,87 +186,13 @@
 #
 # Create and destroy user
 #
-- name: Create a user
- become_user: "{{ pg_user }}"
- become: True
- postgresql_user:
- name: "{{ db_user1 }}"
- encrypted: 'yes'
- password: "md55c8ccfd9d6711fc69a7eae647fc54f51"
- login_user: "{{ pg_user }}"
- db: postgres
- register: result
-
-- name: Check that ansible reports they were created
- assert:
- that:
- - "result.changed == True"
-
-- name: Check that they were created
- become_user: "{{ pg_user }}"
- become: True
- shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
- register: result
-
-- assert:
- that:
- - "result.stdout_lines[-1] == '(1 row)'"
-
-- name: Check that creating user a second time does nothing
- become_user: "{{ pg_user }}"
- become: True
- postgresql_user:
- name: "{{ db_user1 }}"
- encrypted: 'yes'
- password: "md55c8ccfd9d6711fc69a7eae647fc54f51"
- login_user: "{{ pg_user }}"
- db: postgres
- register: result
-
-- name: Check that ansible reports no change
- assert:
- that:
- - "result.changed == False"
-
-- name: Remove user
- become_user: "{{ pg_user }}"
- become: True
- postgresql_user:
- name: "{{ db_user1 }}"
- state: 'absent'
- login_user: "{{ pg_user }}"
- db: postgres
- register: result
-
-- name: Check that ansible reports they were removed
- assert:
- that:
- - "result.changed == True"
-
-- name: Check that they were removed
- become_user: "{{ pg_user }}"
- become: True
- shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
- register: result
-
-- assert:
- that:
- - "result.stdout_lines[-1] == '(0 rows)'"
-
-- name: Check that removing user a second time does nothing
- become_user: "{{ pg_user }}"
- become: True
- postgresql_user:
- name: "{{ db_user1 }}"
- state: 'absent'
- login_user: "{{ pg_user }}"
- db: postgres
- register: result
-
-- name: Check that ansible reports no change
- assert:
- that:
- - "result.changed == False"
+- include: test_user.yml
+ vars:
+ encrypted: '{{ item.user_creation_encrypted_value }}'
+ db_password1: 'secretù' # use UTF-8
+ with_items:
+ - user_creation_encrypted_value: 'yes'
+ - user_creation_encrypted_value: 'no'
 # BYPASSRLS role attribute was introduced in Postgres 9.5, so
 # we want to test atrribute management differently depending
@@ -875,7 +801,7 @@
 login_password: "password"
 login_host: "localhost"
-- name: Check that they were created
+- name: Check that it was created
 become: True
 become_user: "{{ pg_user }}"
 shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres
diff --git a/test/integration/targets/postgresql/tasks/test_user.yml b/test/integration/targets/postgresql/tasks/test_user.yml
new file mode 100644
index 0000000000..eaa7546e88
--- /dev/null
+++ b/test/integration/targets/postgresql/tasks/test_user.yml
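Review bot: The quoting of `'yes'` / `'no'` in the `with_items` entries is load-bearing but undocumented: test_user.yml gates its two scenario blocks on `when: encrypted == 'yes'` and `when: encrypted == 'no'` as string comparisons, so an unquoted `yes` would most likely be read as a boolean, templated into `encrypted` as something other than `'yes'`, and silently skip both blocks. A comment on the loop would protect that, e.g. `# keep quoted: test_user.yml compares encrypted == 'yes' / 'no' as strings`. Likewise `# use UTF-8` on `db_password1` says what the value is but not why; `# non-ASCII on purpose: test_user.yml md5-hashes db_password1 ~ db_user1, so this exercises the UTF-8 path` tells the next reader which test depends on it.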
@@ -0,0 +1,166 @@
+- vars:
+ task_parameters: &task_parameters
+ become_user: "{{ pg_user }}"
+ become: True
+ register: result
+ task_parameters_readonly: &task_parameters_readonly
+ become_user: "{{ pg_user }}"
+ become: True
+ register: result
+ environment:
+ PGOPTIONS: '-c default_transaction_read_only=on' # ensure 'alter user' query isn't executed
+ postgresql_parameters: ¶meters
+ db: postgres
+ name: "{{ db_user1 }}"
+ login_user: "{{ pg_user }}"
+
+ block: # block is only used here in order to be able to define YAML anchors at the beginning in 'vars' section
+ - name: 'Check that PGOPTIONS environment variable is effective (1/2)'
+ <<: *task_parameters_readonly
+ postgresql_user:
+ <<: *parameters
+ password: '{{ db_password1 }}'
+ ignore_errors: true
+
+ - name: 'Check that PGOPTIONS environment variable is effective (2/2)'
+ assert:
+ that:
+ - "{{ result|failed }}"
+
+ - name: 'Create a user (password encrypted: {{ encrypted }})'
+ <<: *task_parameters
+ postgresql_user:
+ <<: *parameters
+ password: '{{ db_password1 }}'
+ encrypted: '{{ encrypted }}'
+
+ - block: &changed # block is only used here in order to be able to define YAML anchor
+ - name: Check that ansible reports it was created
+ assert:
+ that:
+ - "{{ result|changed }}"
+
+ - name: Check that it was created
+ <<: *task_parameters
+ shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
+
+ - assert:
+ that:
+ - "result.stdout_lines[-1] == '(1 row)'"
+
+ - name: Check that creating user a second time does nothing
+ <<: *task_parameters_readonly
+ postgresql_user:
+ <<: *parameters
+ password: '{{ db_password1 }}'
+ encrypted: '{{ encrypted }}'
+
+ - block: ¬_changed # block is only used here in order to be able to define YAML anchor
+ - name: Check that ansible reports no change
+ assert:
+ that:
+ - "{{ not result|changed }}"
+
+ - block:
+
+ - name: 'Using MD5-hashed password: check that password not changed when using cleartext password'
+ <<: *task_parameters_readonly
+ postgresql_user:
+ <<: *parameters
+ password: '{{ db_password1 }}'
+ encrypted: 'yes'
+
+ - <<: *not_changed
+
+ - name: "Using MD5-hashed password: check that password not changed when using md5 hash with 'ENCRYPTED'"
+ <<: *task_parameters_readonly
+ postgresql_user:
+ <<: *parameters
+ password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}"
+ encrypted: 'yes'
+
+ - <<: *not_changed
+
+ - name: "Using MD5-hashed password: check that password not changed when using md5 hash with 'UNENCRYPTED'"
+ <<: *task_parameters_readonly
+ postgresql_user:
+ <<: *parameters
+ password: "md5{{ (db_password1 ~ db_user1) | hash('md5')}}"
+ encrypted: 'no'
+
+ - <<: *not_changed
+
+ - name: 'Using MD5-hashed password: check that password changed when using another cleartext password'
+ <<: *task_parameters
+ postgresql_user:
+ <<: *parameters
+ password: 'prefix{{ db_password1 }}'
+ encrypted: 'yes'
+
+ - <<: *changed
+
+ - name: "Using MD5-hashed password: check that password changed when using another md5 hash with 'ENCRYPTED'"
+ <<: *task_parameters
+ postgresql_user:
+ <<: *parameters
+ password: "md5{{ ('prefix1' ~ db_password1 ~ db_user1) | hash('md5')}}"
+ encrypted: 'yes'
+
+ - <<: *changed
+
+ - name: "Using MD5-hashed password: check that password changed when using md5 hash with 'UNENCRYPTED'"
+ <<: *task_parameters
+ postgresql_user:
+ <<: *parameters
+ password: "md5{{ ('prefix2' ~ db_password1 ~ db_user1) | hash('md5')}}"
+ encrypted: 'no'
+
+ - <<: *changed
+
+ when: encrypted == 'yes'
+
+ - block:
+
+ - name: 'Using cleartext password: check that password not changed when using cleartext password'
+ <<: *task_parameters_readonly
+ postgresql_user:
+ <<: *parameters
+ password: "{{ db_password1 }}"
+ encrypted: 'no'
+
+ - <<: *not_changed
+
+ - name: 'Using cleartext password: check that password changed when using another cleartext password'
+ <<: *task_parameters
+ postgresql_user:
+ <<: *parameters
+ password: "changed{{ db_password1 }}"
+ encrypted: 'no'
+
+ - <<: *changed
+
+ when: encrypted == 'no'
+
+ - name: Remove user
+ <<: *task_parameters
+ postgresql_user:
+ state: 'absent'
+ <<: *parameters
+
+ - <<: *changed
+
+ - name: Check that they were removed
+ <<: *task_parameters_readonly
+ shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
+
+ - assert:
+ that:
+ - "result.stdout_lines[-1] == '(0 rows)'"
+
+ - name: Check that removing user a second time does nothing
+ <<: *task_parameters_readonly
+ postgresql_user:
+ state: 'absent'
+ <<: *parameters
+
+ - <<: *not_changed
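Review bot: The `&changed` and `&not_changed` anchors are placed on the value of `block:`, i.e. on a sequence, so every later `- <<: *changed` / `- <<: *not_changed` merges a list into a task mapping; if I read the merge-key semantics right, that only produces one well-formed task because each anchored block holds exactly one task, and adding a second task to either block would fold both into a single mapping (later keys overwriting earlier ones) rather than appending a task. Anchoring the task mapping itself — `- &changed` on its own line followed by the `name:` / `assert:` keys — is the shape that keeps working when the block grows. Separately, the `{{ result|failed }}`, `{{ result|changed }}` and `{{ not result|changed }}` entries under `assert: that:` wrap the expression in Jinja delimiters although `that:` entries are already evaluated as expressions; `result|failed`, `result|changed` and `not result|changed` say the same thing and should avoid Ansible's templating-delimiters warning. The name `Check that they were removed` is the one left out of this commit's "they"→"it" rename in main.yml; `Check that it was removed` keeps it consistent with `Check that it was created` above.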