From 3bebeb9cc368c3716eae954729e6b34a912eaf2d Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Thu, 5 Mar 2020 16:48:16 +0100
Subject: [PATCH] Fixed mysql_user module idempotency for long privilege lists.
 (Fixes #68044)

---
 .../68044-mysql_user_idempotency.yml          |  2 +
 .../modules/database/mysql/mysql_user.py      |  6 +--
 .../targets/mysql_user/tasks/test_privs.yml   | 39 +++++++++++++++----
 3 files changed, 37 insertions(+), 10 deletions(-)
 create mode 100644 changelogs/fragments/68044-mysql_user_idempotency.yml

diff --git a/changelogs/fragments/68044-mysql_user_idempotency.yml b/changelogs/fragments/68044-mysql_user_idempotency.yml
new file mode 100644
index 00000000000..5638b883f65
--- /dev/null
+++ b/changelogs/fragments/68044-mysql_user_idempotency.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "mysql_user - Fix idempotence when long grant lists are used (https://github.com/ansible/ansible/issues/68044)"
diff --git a/lib/ansible/modules/database/mysql/mysql_user.py b/lib/ansible/modules/database/mysql/mysql_user.py
index 34e4327d07d..28bea8ae797 100644
--- a/lib/ansible/modules/database/mysql/mysql_user.py
+++ b/lib/ansible/modules/database/mysql/mysql_user.py
@@ -490,14 +490,14 @@ def privileges_get(cursor, user, host):
         res = re.match("""GRANT (.+) ON (.+) TO (['`"]).*\\3@(['`"]).*\\4( IDENTIFIED BY PASSWORD (['`"]).+\\6)? ?(.*)""", grant[0])
         if res is None:
             raise InvalidPrivsError('unable to parse the MySQL grant string: %s' % grant[0])
-        privileges = res.group(1).split(", ")
-        privileges = [pick(x) for x in privileges]
+        privileges = res.group(1).split(",")
+        privileges = [pick(x.strip()) for x in privileges]
         if "WITH GRANT OPTION" in res.group(7):
             privileges.append('GRANT')
         if "REQUIRE SSL" in res.group(7):
             privileges.append('REQUIRESSL')
         db = res.group(2)
-        output[db] = privileges
+        output.setdefault(db, []).extend(privileges)
     return output
 
 
diff --git a/test/integration/targets/mysql_user/tasks/test_privs.yml b/test/integration/targets/mysql_user/tasks/test_privs.yml
index 70b33c2947f..cec13c2c8a1 100644
--- a/test/integration/targets/mysql_user/tasks/test_privs.yml
+++ b/test/integration/targets/mysql_user/tasks/test_privs.yml
@@ -28,7 +28,7 @@
 
 - include: assert_user.yml user_name={{user_name_2}} priv='SELECT'
   when: current_append_privs ==  "yes"
- 
+
 - name: create user with current privileges (expect changed=true)
   mysql_user:
     name: '{{ user_name_2 }}'
@@ -39,18 +39,18 @@
     login_unix_socket: '{{ mysql_socket }}'
   register: result
 
-- name: assert output message for current privileges 
+- name: assert output message for current privileges
   assert: { that: "result.changed == true" }
 
 - name: run command to show privileges for user (expect privileges in stdout)
   command: mysql "-e SHOW GRANTS FOR '{{user_name_2}}'@'localhost';"
   register: result
 
-- name: assert user has correct privileges 
+- name: assert user has correct privileges
   assert: { that: "'GRANT {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout" }
   when: current_append_privs ==  "no"
 
-- name: assert user has correct privileges 
+- name: assert user has correct privileges
   assert: { that: "'GRANT SELECT, {{current_privilege | replace(',', ', ')}} ON *.*' in result.stdout" }
   when: current_append_privs ==  "yes"
 
@@ -60,7 +60,7 @@
     state: present
     login_user: '{{ user_name_2 }}'
     login_password: '{{ user_password_2 }}'
-  ignore_errors: true 
+  ignore_errors: true
 
 - name: run command to test that database was not created
   command: mysql "-e show databases like '{{ db_name }}';"
@@ -95,7 +95,7 @@
   assert: { that: "result.changed == false" }
 
 # ============================================================
-- name: update user with all privileges 
+- name: update user with all privileges
   mysql_user:
     name: '{{ user_name_2 }}'
     password: '{{ user_password_2 }}'
@@ -113,7 +113,7 @@
     login_password: '{{ user_password_2 }}'
 
 - name: run command to test database was created using user new privileges
-  command: mysql "-e SHOW CREATE DATABASE {{ db_name }};" 
+  command: mysql "-e SHOW CREATE DATABASE {{ db_name }};"
 
 - name: drop database using user
   mysql_db:
@@ -122,6 +122,31 @@
     login_user: '{{ user_name_2 }}'
     login_password: '{{ user_password_2 }}'
 
+# ============================================================
+- name: update user with a long privileges list (mysql has a special multiline grant output)
+  mysql_user:
+    name: '{{ user_name_2 }}'
+    password: '{{ user_password_2 }}'
+    priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
+    state: present
+    login_unix_socket: '{{ mysql_socket }}'
+  register: result
+
+- name: Assert that priv changed
+  assert: { that: "result.changed == true" }
+
+- name: Test idempotency (expect ok)
+  mysql_user:
+    name: '{{ user_name_2 }}'
+    password: '{{ user_password_2 }}'
+    priv: '*.*:CREATE USER,FILE,PROCESS,RELOAD,REPLICATION CLIENT,REPLICATION SLAVE,SHOW DATABASES,SHUTDOWN,SUPER,CREATE,DROP,EVENT,LOCK TABLES,INSERT,UPDATE,DELETE,SELECT,SHOW VIEW,GRANT'
+    state: present
+    login_unix_socket: '{{ mysql_socket }}'
+  register: result
+
+- name: Assert that priv did not change
+  assert: { that: "result.changed == false" }
+
 - name: remove username
   mysql_user:
     name: '{{ user_name_2 }}'