From 1f1379ea610eaf2090358d42a6bb4189c2576540 Mon Sep 17 00:00:00 2001 From: Maarten Bezemer Date: Tue, 22 Nov 2016 16:18:45 +0100 Subject: [PATCH] Support forced SSL-verified connection with given CA certificate --- .../database/postgresql/postgresql_db.py | 36 +++++++++++++++-- .../database/postgresql/postgresql_privs.py | 39 +++++++++++++++++-- .../database/postgresql/postgresql_user.py | 36 +++++++++++++++-- 3 files changed, 101 insertions(+), 10 deletions(-) diff --git a/lib/ansible/modules/database/postgresql/postgresql_db.py b/lib/ansible/modules/database/postgresql/postgresql_db.py index ffd22060096..67dcf6eeafa 100755 --- a/lib/ansible/modules/database/postgresql/postgresql_db.py +++ b/lib/ansible/modules/database/postgresql/postgresql_db.py @@ -89,10 +89,25 @@ options: required: false default: present choices: [ "present", "absent" ] + ssl_mode: + description: + - Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. + - See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. + required: false + default: disable + choices: [disable, allow, prefer, require, verify-ca, verify-full] + version_added: '2.3' + ssl_rootcert: + description: + - Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. + required: false + default: null + version_added: '2.3' notes: - The default authentication assumes that you are either logging in as or sudo'ing to the C(postgres) account on the host. - This module uses I(psycopg2), a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed on the remote host. For Ubuntu-based systems, install the C(postgresql), C(libpq-dev), and C(python-psycopg2) packages on the remote host before using this module. + - The ssl_rootcert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3. requirements: [ psycopg2 ] author: "Ansible Core Team" ''' @@ -242,6 +257,8 @@ def main(): lc_collate=dict(default=""), lc_ctype=dict(default=""), state=dict(default="present", choices=["absent", "present"]), + ssl_mode=dict(default="disable", choices=['disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']), + ssl_rootcert=dict(default=None), ), supports_check_mode = True ) @@ -257,6 +274,7 @@ def main(): lc_collate = module.params["lc_collate"] lc_ctype = module.params["lc_ctype"] state = module.params["state"] + sslrootcert = module.params["ssl_rootcert"] changed = False # To use defaults values, keyword arguments must be absent, so @@ -266,16 +284,21 @@ def main(): "login_host":"host", "login_user":"user", "login_password":"password", - "port":"port" + "port":"port", + "ssl_mode":"sslmode", + "ssl_rootcert":"sslrootcert" } kw = dict( (params_map[k], v) for (k, v) in iteritems(module.params) - if k in params_map and v != '' ) + if k in params_map and v != '' and v is not None) # If a login_unix_socket is specified, incorporate it here. is_localhost = "host" not in kw or kw["host"] == "" or kw["host"] == "localhost" if is_localhost and module.params["login_unix_socket"] != "": kw["host"] = module.params["login_unix_socket"] + if psycopg2.__version__ < '2.4.3' and sslrootcert is not None: + module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter') + try: db_connection = psycopg2.connect(database="postgres", **kw) # Enable autocommit so we can create databases @@ -287,6 +310,13 @@ def main(): .ISOLATION_LEVEL_AUTOCOMMIT) cursor = db_connection.cursor( cursor_factory=psycopg2.extras.DictCursor) + + except TypeError: + e = get_exception() + if 'sslrootcert' in e.args[0]: + module.fail_json(msg='Postgresql server must be at least version 8.4 to support sslrootcert') + module.fail_json(msg="unable to connect to database: %s" % e) + except Exception: e = get_exception() module.fail_json(msg="unable to connect to database: %s" % e) @@ -318,7 +348,7 @@ def main(): e = get_exception() module.fail_json(msg=str(e)) except SystemExit: - # Avoid catching this on Python 2.4 + # Avoid catching this on Python 2.4 raise except Exception: e = get_exception() diff --git a/lib/ansible/modules/database/postgresql/postgresql_privs.py b/lib/ansible/modules/database/postgresql/postgresql_privs.py index ae606464dc9..323ddc55f60 100644 --- a/lib/ansible/modules/database/postgresql/postgresql_privs.py +++ b/lib/ansible/modules/database/postgresql/postgresql_privs.py @@ -120,6 +120,20 @@ options: - 'Alias: I(login_password))' default: null required: no + ssl_mode: + description: + - Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. + - See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. + required: false + default: disable + choices: [disable, allow, prefer, require, verify-ca, verify-full] + version_added: '2.3' + ssl_rootcert: + description: + - Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. + required: false + default: null + version_added: '2.3' notes: - Default authentication assumes that postgresql_privs is run by the C(postgres) user on the remote host. (Ansible's C(user) or C(sudo-user)). @@ -139,6 +153,7 @@ notes: specified via I(login). If R has been granted the same privileges by another user also, R can still access database objects via these privileges. - When revoking privileges, C(RESTRICT) is assumed (see PostgreSQL docs). + - The ssl_rootcert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3. requirements: [psycopg2] author: "Bernhard Weitzhofer (@b6d)" """ @@ -274,17 +289,31 @@ class Connection(object): "password":"password", "port":"port", "database": "database", + "ssl_mode":"sslmode", + "ssl_rootcert":"sslrootcert" } + kw = dict( (params_map[k], getattr(params, k)) for k in params_map - if getattr(params, k) != '' ) + if getattr(params, k) != '' and getattr(params, k) is not None ) # If a unix_socket is specified, incorporate it here. is_localhost = "host" not in kw or kw["host"] == "" or kw["host"] == "localhost" if is_localhost and params.unix_socket != "": kw["host"] = params.unix_socket - self.connection = psycopg2.connect(**kw) - self.cursor = self.connection.cursor() + sslrootcert = params.ssl_rootcert + if psycopg2.__version__ < '2.4.3' and sslrootcert is not None: + module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter') + + try: + self.connection = psycopg2.connect(**kw) + self.cursor = self.connection.cursor() + + except TypeError: + e = get_exception() + if 'sslrootcert' in e.args[0]: + module.fail_json(msg='Postgresql server must be at least version 8.4 to support sslrootcert') + module.fail_json(msg="unable to connect to database: %s" % e) def commit(self): @@ -541,7 +570,9 @@ def main(): port=dict(type='int', default=5432), unix_socket=dict(default='', aliases=['login_unix_socket']), login=dict(default='postgres', aliases=['login_user']), - password=dict(default='', aliases=['login_password'], no_log=True) + password=dict(default='', aliases=['login_password'], no_log=True), + ssl_mode=dict(default="disable", choices=['disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']), + ssl_rootcert=dict(default=None) ), supports_check_mode = True ) diff --git a/lib/ansible/modules/database/postgresql/postgresql_user.py b/lib/ansible/modules/database/postgresql/postgresql_user.py index 95c19caaba9..5376499fbeb 100644 --- a/lib/ansible/modules/database/postgresql/postgresql_user.py +++ b/lib/ansible/modules/database/postgresql/postgresql_user.py @@ -124,6 +124,20 @@ options: default: 'no' choices: [ "yes", "no" ] version_added: '2.0' + ssl_mode: + description: + - Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. + - See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes. + required: false + default: disable + choices: [disable, allow, prefer, require, verify-ca, verify-full] + version_added: '2.3' + ssl_rootcert: + description: + - Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. + required: false + default: null + version_added: '2.3' notes: - The default authentication assumes that you are either logging in as or sudo'ing to the postgres account on the host. @@ -140,6 +154,7 @@ notes: - If you specify PUBLIC as the user, then the privilege changes will apply to all users. You may not specify password or role_attr_flags when the PUBLIC user is specified. + - The ssl_rootcert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3. requirements: [ psycopg2 ] author: "Ansible Core Team" ''' @@ -580,7 +595,9 @@ def main(): role_attr_flags=dict(default=''), encrypted=dict(type='bool', default='no'), no_password_changes=dict(type='bool', default='no'), - expires=dict(default=None) + expires=dict(default=None), + ssl_mode=dict(default='disable', choices=['disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']), + ssl_rootcert=dict(default=None) ), supports_check_mode = True ) @@ -605,6 +622,7 @@ def main(): else: encrypted = "UNENCRYPTED" expires = module.params["expires"] + sslrootcert = module.params["ssl_rootcert"] if not postgresqldb_found: module.fail_json(msg="the python psycopg2 module is required") @@ -617,19 +635,31 @@ def main(): "login_user":"user", "login_password":"password", "port":"port", - "db":"database" + "db":"database", + "ssl_mode":"sslmode", + "ssl_rootcert":"sslrootcert" } kw = dict( (params_map[k], v) for (k, v) in iteritems(module.params) - if k in params_map and v != "" ) + if k in params_map and v != "" and v is not None) # If a login_unix_socket is specified, incorporate it here. is_localhost = "host" not in kw or kw["host"] == "" or kw["host"] == "localhost" if is_localhost and module.params["login_unix_socket"] != "": kw["host"] = module.params["login_unix_socket"] + if psycopg2.__version__ < '2.4.3' and sslrootcert is not None: + module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter') + try: db_connection = psycopg2.connect(**kw) cursor = db_connection.cursor(cursor_factory=psycopg2.extras.DictCursor) + + except TypeError: + e = get_exception() + if 'sslrootcert' in e.args[0]: + module.fail_json(msg='Postgresql server must be at least version 8.4 to support sslrootcert') + module.fail_json(msg="unable to connect to database: %s" % e) + except Exception: e = get_exception() module.fail_json(msg="unable to connect to database: %s" % e)