From 5b1c047a56c2d1d26ae4d730f3d4a071f90e7b61 Mon Sep 17 00:00:00 2001 
From: Andrey Klychkov Date: Thu, 26 Sep 2019 12:53:13 +0300 Subject: [PATCH] postgresql: move CI test to separate targets (#62855) --- .../integration/targets/postgresql_db/aliases | 4 + .../targets/postgresql_db/defaults/main.yml | 3 + .../meta/main.yml | 0 .../targets/postgresql_db/tasks/main.yml | 28 + .../tasks/postgresql_db_general.yml} | 0 .../tasks/postgresql_db_initial.yml | 312 +++++++ .../tasks/state_dump_restore.yml | 22 + .../defaults/main.yml | 34 - .../postgresql_db_user_privs/tasks/main.yml | 47 -- .../tasks/unsorted.yml | 789 ------------------ .../aliases | 2 - .../postgresql_privs/defaults/main.yml | 4 + .../targets/postgresql_privs/meta/main.yml | 3 + .../targets/postgresql_privs/tasks/main.yml | 9 + .../tasks/pg_authid_not_readable.yml | 0 .../tasks/postgresql_privs_general.yml} | 0 .../tasks/postgresql_privs_initial.yml | 325 ++++++++ .../tasks/test_target_role.yml | 23 +- .../targets/postgresql_shared/aliases | 24 + .../postgresql_shared/defaults/main.yml | 6 + .../targets/postgresql_shared/meta/main.yml | 3 + .../targets/postgresql_shared/tasks/main.yml | 6 + .../tasks/session_role.yml | 2 +- .../targets/postgresql_user/aliases | 3 + .../targets/postgresql_user/defaults/main.yml | 3 + .../targets/postgresql_user/meta/main.yml | 3 + .../targets/postgresql_user/tasks/main.yml | 5 + .../tasks/postgresql_user_general.yml} | 0 .../tasks/postgresql_user_initial.yml | 153 ++++ .../tasks/test_no_password_change.yml | 0 .../tasks/test_password.yml | 0 31 files changed, 938 insertions(+), 875 deletions(-) create mode 100644 test/integration/targets/postgresql_db/aliases create mode 100644 test/integration/targets/postgresql_db/defaults/main.yml rename test/integration/targets/{postgresql_db_user_privs => postgresql_db}/meta/main.yml (100%) create mode 100644 test/integration/targets/postgresql_db/tasks/main.yml rename test/integration/targets/{postgresql_db_user_privs/tasks/postgresql_db.yml => postgresql_db/tasks/postgresql_db_general.yml} (100%) 
create mode 100644 test/integration/targets/postgresql_db/tasks/postgresql_db_initial.yml rename test/integration/targets/{postgresql_db_user_privs => postgresql_db}/tasks/state_dump_restore.yml (91%) delete mode 100644 test/integration/targets/postgresql_db_user_privs/defaults/main.yml delete mode 100644 test/integration/targets/postgresql_db_user_privs/tasks/main.yml delete mode 100644 test/integration/targets/postgresql_db_user_privs/tasks/unsorted.yml rename test/integration/targets/{postgresql_db_user_privs => postgresql_privs}/aliases (65%) create mode 100644 test/integration/targets/postgresql_privs/defaults/main.yml create mode 100644 test/integration/targets/postgresql_privs/meta/main.yml create mode 100644 test/integration/targets/postgresql_privs/tasks/main.yml rename test/integration/targets/{postgresql_db_user_privs => postgresql_privs}/tasks/pg_authid_not_readable.yml (100%) rename test/integration/targets/{postgresql_db_user_privs/tasks/postgresql_privs.yml => postgresql_privs/tasks/postgresql_privs_general.yml} (100%) create mode 100644 test/integration/targets/postgresql_privs/tasks/postgresql_privs_initial.yml rename test/integration/targets/{postgresql_db_user_privs => postgresql_privs}/tasks/test_target_role.yml (83%) create mode 100644 test/integration/targets/postgresql_shared/aliases create mode 100644 test/integration/targets/postgresql_shared/defaults/main.yml create mode 100644 test/integration/targets/postgresql_shared/meta/main.yml create mode 100644 test/integration/targets/postgresql_shared/tasks/main.yml rename test/integration/targets/{postgresql_db_user_privs => postgresql_shared}/tasks/session_role.yml (99%) create mode 100644 test/integration/targets/postgresql_user/aliases create mode 100644 test/integration/targets/postgresql_user/defaults/main.yml create mode 100644 test/integration/targets/postgresql_user/meta/main.yml create mode 100644 test/integration/targets/postgresql_user/tasks/main.yml rename 
test/integration/targets/{postgresql_db_user_privs/tasks/postgresql_user.yml => postgresql_user/tasks/postgresql_user_general.yml} (100%) create mode 100644 test/integration/targets/postgresql_user/tasks/postgresql_user_initial.yml rename test/integration/targets/{postgresql_db_user_privs => postgresql_user}/tasks/test_no_password_change.yml (100%) rename test/integration/targets/{postgresql_db_user_privs => postgresql_user}/tasks/test_password.yml (100%)
diff --git a/test/integration/targets/postgresql_db/aliases b/test/integration/targets/postgresql_db/aliases
new file mode 100644
index 00000000000..3b8d495b2c0
--- /dev/null
+++ b/test/integration/targets/postgresql_db/aliases
@@ -0,0 +1,4 @@
+destructive
+shippable/posix/group4
+postgresql_db
+skip/osx
diff --git a/test/integration/targets/postgresql_db/defaults/main.yml b/test/integration/targets/postgresql_db/defaults/main.yml
new file mode 100644
index 00000000000..0ed08c99e5b
--- /dev/null
+++ b/test/integration/targets/postgresql_db/defaults/main.yml
@@ -0,0 +1,3 @@
+db_name: 'ansible_db'
+db_user1: 'ansible_db_user1'
+tmp_dir: '/tmp'
diff --git a/test/integration/targets/postgresql_db_user_privs/meta/main.yml b/test/integration/targets/postgresql_db/meta/main.yml
similarity index 100%
rename from test/integration/targets/postgresql_db_user_privs/meta/main.yml
rename to test/integration/targets/postgresql_db/meta/main.yml
diff --git a/test/integration/targets/postgresql_db/tasks/main.yml b/test/integration/targets/postgresql_db/tasks/main.yml
new file mode 100644
index 00000000000..d9e6447835e
--- /dev/null
+++ b/test/integration/targets/postgresql_db/tasks/main.yml
@@ -0,0 +1,28 @@
+# Initial tests of postgresql_db module:
+- import_tasks: postgresql_db_initial.yml
+
+# General tests:
+- import_tasks: postgresql_db_general.yml
+
+# Dump/restore tests per format:
+- include_tasks: state_dump_restore.yml
+ vars:
+ test_fixture: user
+ file: '{{ loop_item }}'
+ loop:
+ - dbdata.sql
+ - dbdata.sql.gz
+ - dbdata.sql.bz2
+ - dbdata.sql.xz
+ - dbdata.tar
+ - dbdata.tar.gz
+ - dbdata.tar.bz2
+ - dbdata.tar.xz
+ loop_control:
+ loop_var: loop_item
+
+# Dump/restore tests per other logins:
+- import_tasks: state_dump_restore.yml
+ vars:
+ file: dbdata.tar
+ test_fixture: admin
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/postgresql_db.yml b/test/integration/targets/postgresql_db/tasks/postgresql_db_general.yml
similarity index 100%
rename from test/integration/targets/postgresql_db_user_privs/tasks/postgresql_db.yml
rename to test/integration/targets/postgresql_db/tasks/postgresql_db_general.yml
diff --git a/test/integration/targets/postgresql_db/tasks/postgresql_db_initial.yml b/test/integration/targets/postgresql_db/tasks/postgresql_db_initial.yml
new file mode 100644
index 00000000000..352e46c813e
--- /dev/null
+++ b/test/integration/targets/postgresql_db/tasks/postgresql_db_initial.yml
@@ -0,0 +1,312 @@
+#
+# Create and destroy db
+#
+- name: Create DB
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ state: present
+ name: "{{ db_name }}"
+ login_user: "{{ pg_user }}"
+ register: result
+
+- name: assert that module reports the db was created
+ assert:
+ that:
+ - result is changed
+ - "result.db == db_name"
+
+- name: Check that database created
+ become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(1 row)'"
+
+- name: Run create on an already created db
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ state: present
+ name: "{{ db_name }}"
+ login_user: "{{ pg_user }}"
+ register: result
+
+- name: assert that module reports the db was unchanged
+ assert:
+ that:
+ - result is not changed
+
+- name: Destroy DB
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ state: absent
+ name: "{{ db_name }}"
+ login_user: "{{ pg_user }}"
+ register: result
+
+- name: assert that module reports the db was changed
+ assert:
+ that:
+ - result is changed
+
+- name: Check that database was destroyed
+ become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(0 rows)'"
+
+- name: Destroy DB
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ state: absent
+ name: "{{ db_name }}"
+ login_user: "{{ pg_user }}"
+ register: result
+
+- name: assert that removing an already removed db makes no change
+ assert:
+ that:
+ - result is not changed
+
+
+# This corner case works to add but not to drop. 
This is sufficiently crazy
+# that I'm not going to attempt to fix it unless someone lets me know that they
+# need the functionality
+#
+# - postgresql_db:
+# state: 'present'
+# name: '"silly.""name"'
+# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql
+# register: result
+#
+# - assert:
+# that: "result.stdout_lines[-1] == '(1 row)'"
+# - postgresql_db:
+# state: absent
+# name: '"silly.""name"'
+# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql
+# register: result
+#
+# - assert:
+# that: "result.stdout_lines[-1] == '(0 rows)'"
+
+#
+# Test conn_limit, encoding, collate, ctype, template options
+#
+- name: Create a DB with conn_limit, encoding, collate, ctype, and template options
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: '{{ db_name }}'
+ state: 'present'
+ conn_limit: '100'
+ encoding: 'LATIN1'
+ lc_collate: 'pt_BR{{ locale_latin_suffix }}'
+ lc_ctype: 'es_ES{{ locale_latin_suffix }}'
+ template: 'template0'
+ login_user: "{{ pg_user }}"
+
+- name: Check that the DB has all of our options
+ become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "select datname, datconnlimit, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(1 row)'"
+ - "'LATIN1' in result.stdout_lines[-2]"
+ - "'pt_BR' in result.stdout_lines[-2]"
+ - "'es_ES' in result.stdout_lines[-2]"
+ - "'UTF8' not in result.stdout_lines[-2]"
+ - "'en_US' not in result.stdout_lines[-2]"
+ - "'100' in result.stdout_lines[-2]"
+
+- name: Check that running db creation with options a second time does nothing
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: '{{ db_name }}'
+ state: 'present'
+ conn_limit: '100'
+ encoding: 'LATIN1'
+ lc_collate: 'pt_BR{{ locale_latin_suffix }}'
+ lc_ctype: 'es_ES{{ locale_latin_suffix }}'
+ template: 
'template0'
+ login_user: "{{ pg_user }}"
+ register: result
+
+- assert:
+ that:
+ - result is not changed
+
+
+- name: Check that attempting to change encoding returns an error
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: '{{ db_name }}'
+ state: 'present'
+ encoding: 'UTF8'
+ lc_collate: 'pt_BR{{ locale_utf8_suffix }}'
+ lc_ctype: 'es_ES{{ locale_utf8_suffix }}'
+ template: 'template0'
+ login_user: "{{ pg_user }}"
+ register: result
+ ignore_errors: yes
+
+- assert:
+ that:
+ - result is failed
+
+- name: Check that changing the conn_limit actually works
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: '{{ db_name }}'
+ state: 'present'
+ conn_limit: '200'
+ encoding: 'LATIN1'
+ lc_collate: 'pt_BR{{ locale_latin_suffix }}'
+ lc_ctype: 'es_ES{{ locale_latin_suffix }}'
+ template: 'template0'
+ login_user: "{{ pg_user }}"
+ register: result
+
+- assert:
+ that:
+ - result is changed
+
+- name: Check that conn_limit has actually been set / updated to 200
+ become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "SELECT datconnlimit AS conn_limit FROM pg_database WHERE datname = '{{ db_name }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(1 row)'"
+ - "'200' == '{{ result.stdout_lines[-2] | trim }}'"
+
+- name: Cleanup test DB
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: '{{ db_name }}'
+ state: 'absent'
+ login_user: "{{ pg_user }}"
+
+- shell: echo "select datname, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql -d postgres
+ become_user: "{{ pg_user }}"
+ become: yes
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(0 rows)'"
+
+#
+# Test db ownership
+#
+- name: Create an unprivileged user to own a DB
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_user:
+ name: "{{ db_user1 }}"
+ encrypted: 'yes'
+ password: "md55c8ccfd9d6711fc69a7eae647fc54f51" 
+ login_user: "{{ pg_user }}"
+ db: postgres
+
+- name: Create db with user ownership
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: "{{ db_name }}"
+ state: "present"
+ owner: "{{ db_user1 }}"
+ login_user: "{{ pg_user }}"
+
+- name: Check that the user owns the newly created DB
+ become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(1 row)'"
+ - "'{{ db_user1 }}' == '{{ result.stdout_lines[-2] | trim }}'"
+
+- name: Change the owner on an existing db
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: "{{ db_name }}"
+ state: "present"
+ owner: "{{ pg_user }}"
+ login_user: "{{ pg_user }}"
+ register: result
+
+- name: assert that ansible says it changed the db
+ assert:
+ that:
+ - result is changed
+
+- name: Check that the user owns the newly created DB
+ become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(1 row)'"
+ - "'{{ pg_user }}' == '{{ result.stdout_lines[-2] | trim }}'"
+
+- name: Cleanup db
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_db:
+ name: "{{ db_name }}"
+ state: "absent"
+ login_user: "{{ pg_user }}"
+
+- name: Check that database was destroyed
+ become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(0 rows)'"
+
+- name: Cleanup test user
+ become_user: "{{ pg_user }}"
+ become: yes
+ postgresql_user:
+ name: "{{ db_user1 }}"
+ state: 'absent'
+ login_user: "{{ pg_user }}"
+ db: postgres
+
+- name: Check that they were removed
+ 
become_user: "{{ pg_user }}"
+ become: yes
+ shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres
+ register: result
+
+- assert:
+ that:
+ - "result.stdout_lines[-1] == '(0 rows)'"
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/state_dump_restore.yml b/test/integration/targets/postgresql_db/tasks/state_dump_restore.yml
similarity index 91%
rename from test/integration/targets/postgresql_db_user_privs/tasks/state_dump_restore.yml
rename to test/integration/targets/postgresql_db/tasks/state_dump_restore.yml
index d4327d362f4..882e5c60486 100644
--- a/test/integration/targets/postgresql_db_user_privs/tasks/state_dump_restore.yml
+++ b/test/integration/targets/postgresql_db/tasks/state_dump_restore.yml
@@ -18,6 +18,19 @@ # along with Ansible. If not, see . # ============================================================
+
+- name: Create a test user
+ become: yes
+ become_user: "{{ pg_user }}"
+ postgresql_user:
+ name: "{{ db_user1 }}"
+ state: "present"
+ encrypted: 'yes'
+ password: "password"
+ role_attr_flags: "CREATEDB,LOGIN,CREATEROLE"
+ login_user: "{{ pg_user }}"
+ db: postgres + - set_fact: db_file_name="{{tmp_dir}}/{{file}}" - set_fact:
@@ -138,3 +151,12 @@ - name: remove file name file: name={{ db_file_name }} state=absent
+
+- name: Remove the test user
+ become: yes
+ become_user: "{{ pg_user }}"
+ postgresql_user:
+ name: "{{ db_user1 }}"
+ state: "absent"
+ login_user: "{{ pg_user }}"
+ db: postgres
diff --git a/test/integration/targets/postgresql_db_user_privs/defaults/main.yml b/test/integration/targets/postgresql_db_user_privs/defaults/main.yml
deleted file mode 100644
index 3f58d7eecb9..00000000000
--- a/test/integration/targets/postgresql_db_user_privs/defaults/main.yml
+++ /dev/null
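Review bot: The task name `Check that the user owns the newly created DB` is used twice in postgresql_db_initial.yml, and the second occurrence (right after `Change the owner on an existing db`) actually asserts that `pg_user` is now the owner, so a failing assertion there is reported under a name that describes the opposite check; rename it to `- name: Check that the owner was changed to pg_user`. The literal `password: "md55c8ccfd9d6711fc69a7eae647fc54f51"` in `Create an unprivileged user to own a DB` is also undocumented — a one-line comment such as `# pre-hashed fixture password (same md5(password ~ username) form the privs test builds with the hash filter); not a real secret` would tell the next reader it is a throwaway fixture, and that `encrypted: 'yes'` appears to be what makes the module accept it as-is (worth confirming against the module). Both tasks are carried over unchanged from the deleted unsorted.yml, so the fix is only needed in the new file.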
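Review bot: The `Create a test user` task in the first state_dump_restore.yml hunk grants `role_attr_flags: "CREATEDB,LOGIN,CREATEROLE"` with the fixed `password: "password"`, but the matching `Remove the test user` task only runs at the very end of the file (second hunk), so any failure in the dump/restore tasks between them — which lie outside these hunks — leaves a CREATEROLE-capable login on a server that later integration targets share. Moving the body into a `block:` whose `always:` section holds the removal task, or at least running the removal unconditionally before `Create a test user`, would keep the role from outliving a failed run; main.yml includes this file nine times, so a stale role from one iteration is otherwise silently reused by the next. The task name would also be clearer as `- name: Create the dump/restore test user (CREATEDB, CREATEROLE)` so the elevated attributes are visible in the play summary.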
@@ -1,34 +0,0 @@ ---- -# defaults file for test_postgresql_db -db_name: 'ansible_db' -db_user1: 'ansible_db_user1' -db_user2: 'ansible_db_user2' -db_user3: 'ansible_db_user3' -db_default: 'postgres' - -tmp_dir: '/tmp' -db_session_role1: 'session_role1' -db_session_role2: 'session_role2' - -pg_hba_test_ips: -- contype: local - users: 'all,postgres,test' -- source: '0000:ffff::' - netmask: 'ffff:fff0::' -- source: '192.168.0.0/24' - netmask: '' - databases: 'all,replication' -- source: '192.168.1.0/24' - netmask: '' - databases: 'all' - method: reject -- source: '127.0.0.1/32' - netmask: '' -- source: '::1/128' - netmask: '' -- source: '0000:ff00::' - netmask: 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00' - method: scram-sha-256 -- source: '172.16.0.0' - netmask: '255.255.0.0' - method: trust diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/main.yml b/test/integration/targets/postgresql_db_user_privs/tasks/main.yml deleted file mode 100644 index 86c89d31b6a..00000000000 --- a/test/integration/targets/postgresql_db_user_privs/tasks/main.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Unsorted tests that were moved from here to unsorted.yml -- import_tasks: unsorted.yml - -- include_tasks: '{{ loop_item }}' - loop: - # Test postgresql_user module - - postgresql_user.yml - - # Verify different session_role scenarios - - session_role.yml - - # Test postgresql_db module, specific options - - postgresql_db.yml - - # Test postgresql_privs - - postgresql_privs.yml - loop_control: - loop_var: loop_item - -# Test default_privs with target_role -- import_tasks: test_target_role.yml - when: postgres_version_resp.stdout is version('9.1', '>=') - -# dump/restore tests per format -# ============================================================ -- include_tasks: state_dump_restore.yml - vars: - test_fixture: user - file: '{{ loop_item }}' - loop: - - dbdata.sql - - dbdata.sql.gz - - dbdata.sql.bz2 - - dbdata.sql.xz - - dbdata.tar - - dbdata.tar.gz - - dbdata.tar.bz2 - - dbdata.tar.xz - loop_control: - loop_var: loop_item - -# dump/restore tests per other logins -# ============================================================ -- import_tasks: state_dump_restore.yml - vars: - file: dbdata.tar - test_fixture: admin diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/unsorted.yml b/test/integration/targets/postgresql_db_user_privs/tasks/unsorted.yml deleted file mode 100644 index 963b9db90be..00000000000 --- a/test/integration/targets/postgresql_db_user_privs/tasks/unsorted.yml +++ /dev/null 
@@ -1,789 +0,0 @@ -# -# Create and destroy db -# -- name: Create DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that module reports the db was created - assert: - that: - - result is changed - - "result.db == db_name" - -- name: Check that database created - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - -- name: Run create on an already created db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: present - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that module reports the db was unchanged - assert: - that: - - result is not changed - -- name: Destroy DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that module reports the db was changed - assert: - that: - - result is changed - -- name: Check that database was destroyed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Destroy DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that removing an already removed db makes no change - assert: - that: - - result is not changed - - -# This corner case works to add but not to drop. 
This is sufficiently crazy -# that I'm not going to attempt to fix it unless someone lets me know that they -# need the functionality -# -# - postgresql_db: -# state: 'present' -# name: '"silly.""name"' -# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql -# register: result -# -# - assert: -# that: "result.stdout_lines[-1] == '(1 row)'" -# - postgresql_db: -# state: absent -# name: '"silly.""name"' -# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql -# register: result -# -# - assert: -# that: "result.stdout_lines[-1] == '(0 rows)'" - -# -# Test conn_limit, encoding, collate, ctype, template options -# -- name: Create a DB with conn_limit, encoding, collate, ctype, and template options - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - conn_limit: '100' - encoding: 'LATIN1' - lc_collate: 'pt_BR{{ locale_latin_suffix }}' - lc_ctype: 'es_ES{{ locale_latin_suffix }}' - template: 'template0' - login_user: "{{ pg_user }}" - -- name: Check that the DB has all of our options - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname, datconnlimit, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'LATIN1' in result.stdout_lines[-2]" - - "'pt_BR' in result.stdout_lines[-2]" - - "'es_ES' in result.stdout_lines[-2]" - - "'UTF8' not in result.stdout_lines[-2]" - - "'en_US' not in result.stdout_lines[-2]" - - "'100' in result.stdout_lines[-2]" - -- name: Check that running db creation with options a second time does nothing - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - conn_limit: '100' - encoding: 'LATIN1' - lc_collate: 'pt_BR{{ locale_latin_suffix }}' - lc_ctype: 'es_ES{{ locale_latin_suffix }}' - template: 
'template0' - login_user: "{{ pg_user }}" - register: result - -- assert: - that: - - result is not changed - - -- name: Check that attempting to change encoding returns an error - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - encoding: 'UTF8' - lc_collate: 'pt_BR{{ locale_utf8_suffix }}' - lc_ctype: 'es_ES{{ locale_utf8_suffix }}' - template: 'template0' - login_user: "{{ pg_user }}" - register: result - ignore_errors: yes - -- assert: - that: - - result is failed - -- name: Check that changing the conn_limit actually works - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'present' - conn_limit: '200' - encoding: 'LATIN1' - lc_collate: 'pt_BR{{ locale_latin_suffix }}' - lc_ctype: 'es_ES{{ locale_latin_suffix }}' - template: 'template0' - login_user: "{{ pg_user }}" - register: result - -- assert: - that: - - result is changed - -- name: Check that conn_limit has actually been set / updated to 200 - become_user: "{{ pg_user }}" - become: yes - shell: echo "SELECT datconnlimit AS conn_limit FROM pg_database WHERE datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'200' == '{{ result.stdout_lines[-2] | trim }}'" - -- name: Cleanup test DB - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: '{{ db_name }}' - state: 'absent' - login_user: "{{ pg_user }}" - -- shell: echo "select datname, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql -d postgres - become_user: "{{ pg_user }}" - become: yes - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -# -# Create and destroy user, test 'password' and 'encrypted' parameters -# -# unencrypted values are not supported on newer versions -# do not run the encrypted: no tests if on 10+ -- set_fact: - encryption_values: - - 'yes' - -- 
set_fact: - encryption_values: '{{ encryption_values + ["no"]}}' - when: postgres_version_resp.stdout is version('10', '<=') - -- include_tasks: test_password.yml - vars: - encrypted: '{{ loop_item }}' - db_password1: 'secretù' # use UTF-8 - loop: '{{ encryption_values }}' - loop_control: - loop_var: loop_item - -# BYPASSRLS role attribute was introduced in PostgreSQL 9.5, so -# we want to test attribute management differently depending -# on the version. -- set_fact: - bypassrls_supported: "{{ postgres_version_resp.stdout is version('9.5.0', '>=') }}" - -# test 'no_password_change' and 'role_attr_flags' parameters -- include_tasks: test_no_password_change.yml - vars: - no_password_changes: '{{ loop_item }}' - loop: - - 'yes' - - 'no' - loop_control: - loop_var: loop_item - -### TODO: fail_on_user - -# -# Test db ownership -# -- name: Create an unprivileged user to own a DB - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md55c8ccfd9d6711fc69a7eae647fc54f51" - login_user: "{{ pg_user }}" - db: postgres - -- name: Create db with user ownership - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "present" - owner: "{{ db_user1 }}" - login_user: "{{ pg_user }}" - -- name: Check that the user owns the newly created DB - become_user: "{{ pg_user }}" - become: yes - shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}' == '{{ result.stdout_lines[-2] | trim }}'" - -- name: Change the owner on an existing db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "present" - owner: "{{ pg_user }}" - login_user: "{{ pg_user }}" - register: result - -- name: assert that ansible says it changed the db - assert: - that: - - result is changed 
- -- name: Check that the user owns the newly created DB - become_user: "{{ pg_user }}" - become: yes - shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - - "'{{ pg_user }}' == '{{ result.stdout_lines[-2] | trim }}'" - -- name: Cleanup db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "absent" - login_user: "{{ pg_user }}" - -- name: Check that database was destroyed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Cleanup test user - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - state: 'absent' - login_user: "{{ pg_user }}" - db: postgres - -- name: Check that they were removed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -# -# Test settings privileges -# -- name: Create db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "present" - login_user: "{{ pg_user }}" - -- name: Create some tables on the db - become_user: "{{ pg_user }}" - become: yes - shell: echo "create table test_table1 (field text);" | psql {{ db_name }} - -- become_user: "{{ pg_user }}" - become: yes - shell: echo "create table test_table2 (field text);" | psql {{ db_name }} - -- vars: - db_password: 'secretù' # use UTF-8 - block: - - name: Create a user with some permissions on the db - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md5{{ (db_password ~ db_user1) | 
hash('md5')}}" - db: "{{ db_name }}" - priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP' - login_user: "{{ pg_user }}" - - - include_tasks: pg_authid_not_readable.yml - -- name: Check that the user has the requested permissions (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- name: Check that the user has the requested permissions (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- name: Check that the user has the requested permissions (database) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(7 rows)'" - - "'INSERT' in result_table1.stdout" - - "'SELECT' in result_table1.stdout" - - "'UPDATE' in result_table1.stdout" - - "'DELETE' in result_table1.stdout" - - "'TRUNCATE' in result_table1.stdout" - - "'REFERENCES' in result_table1.stdout" - - "'TRIGGER' in result_table1.stdout" - - "result_table2.stdout_lines[-1] == '(1 row)'" - - "'INSERT' == '{{ result_table2.stdout_lines[-2] | trim }}'" - - "result_database.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}=CTc/{{ pg_user }}' in result_database.stdout_lines[-2]" - -- name: Add another permission for the user - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - encrypted: 'yes' - password: "md55c8ccfd9d6711fc69a7eae647fc54f51" - db: "{{ db_name }}" - priv: 'test_table2:select' - login_user: "{{ pg_user }}" - register: result - -- name: Check 
that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that the user has the requested permissions (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table2.stdout_lines[-1] == '(2 rows)'" - - "'INSERT' in result_table2.stdout" - - "'SELECT' in result_table2.stdout" - - -# -# Test priv setting via postgresql_privs module -# (Depends on state from previous _user privs tests) -# - -- name: Revoke a privilege - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - type: "table" - state: "absent" - roles: "{{ db_user1 }}" - privs: "INSERT" - objs: "test_table2" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: Check that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that the user has the requested permissions (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table2.stdout_lines[-1] == '(1 row)'" - - "'SELECT' == '{{ result_table2.stdout_lines[-2] | trim }}'" - -- name: Revoke many privileges on multiple tables - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - state: "absent" - roles: "{{ db_user1 }}" - privs: "INSERT,select,UPDATE,TRUNCATE,REFERENCES,TRIGGER,delete" - objs: "test_table2,test_table1" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: Check that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that permissions were revoked (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo 
"select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- name: Check that permissions were revoked (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(0 rows)'" - - "result_table2.stdout_lines[-1] == '(0 rows)'" - -- name: Revoke database privileges - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - type: "database" - state: "absent" - roles: "{{ db_user1 }}" - privs: "Create,connect,TEMP" - objs: "{{ db_name }}" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Check that the user has the requested permissions (database) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_database.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}' not in result_database.stdout" - -- name: Grant database privileges - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - type: "database" - state: "present" - roles: "{{ db_user1 }}" - privs: "CREATE,connect" - objs: "{{ db_name }}" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - register: result - -- name: Check that ansible reports it changed the user - assert: - that: - - result is changed - -- name: Check that the user has the requested permissions (database) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_database.stdout_lines[-1] == '(1 row)'" - - "'{{ db_user1 }}=Cc' in result_database.stdout" - -- name: Grant 
a single privilege on a table - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - state: "present" - roles: "{{ db_user1 }}" - privs: "INSERT" - objs: "test_table1" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Check that permissions were added (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(1 row)'" - - "'{{ result_table1.stdout_lines[-2] | trim }}' == 'INSERT'" - -- name: Grant many privileges on multiple tables - become_user: "{{ pg_user }}" - become: yes - postgresql_privs: - state: "present" - roles: "{{ db_user1 }}" - privs: 'INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,trigger' - objs: "test_table2,test_table1" - db: "{{ db_name }}" - login_user: "{{ pg_user }}" - -- name: Check that permissions were added (table1) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} - register: result_table1 - -- name: Check that permissions were added (table2) - become_user: "{{ pg_user }}" - become: yes - shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} - register: result_table2 - -- assert: - that: - - "result_table1.stdout_lines[-1] == '(7 rows)'" - - "'INSERT' in result_table1.stdout" - - "'SELECT' in result_table1.stdout" - - "'UPDATE' in result_table1.stdout" - - "'DELETE' in result_table1.stdout" - - "'TRUNCATE' in result_table1.stdout" - - "'REFERENCES' in result_table1.stdout" - - "'TRIGGER' in result_table1.stdout" - - "result_table2.stdout_lines[-1] == '(7 rows)'" - - "'INSERT' in result_table2.stdout" - - "'SELECT' 
in result_table2.stdout" - - "'UPDATE' in result_table2.stdout" - - "'DELETE' in result_table2.stdout" - - "'TRUNCATE' in result_table2.stdout" - - "'REFERENCES' in result_table2.stdout" - - "'TRIGGER' in result_table2.stdout" - -# -# Cleanup -# -- name: Cleanup db - become_user: "{{ pg_user }}" - become: yes - postgresql_db: - name: "{{ db_name }}" - state: "absent" - login_user: "{{ pg_user }}" - -- name: Check that database was destroyed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Cleanup test user - become_user: "{{ pg_user }}" - become: yes - postgresql_user: - name: "{{ db_user1 }}" - state: 'absent' - login_user: "{{ pg_user }}" - db: postgres - -- name: Check that they were removed - become_user: "{{ pg_user }}" - become: yes - shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -# -# Test login_user functionality -# -- name: Create a user to test login module parameters - become: yes - become_user: "{{ pg_user }}" - postgresql_user: - name: "{{ db_user1 }}" - state: "present" - encrypted: 'yes' - password: "password" - role_attr_flags: "CREATEDB,LOGIN,CREATEROLE" - login_user: "{{ pg_user }}" - db: postgres - -- name: Create db - postgresql_db: - name: "{{ db_name }}" - state: "present" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that database created - become: yes - become_user: "{{ pg_user }}" - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - -- name: Create a user - postgresql_user: - name: "{{ db_user2 }}" - state: "present" - encrypted: 'yes' - 
password: "md55c8ccfd9d6711fc69a7eae647fc54f51" - db: "{{ db_name }}" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that it was created - become: yes - become_user: "{{ pg_user }}" - shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(1 row)'" - -- name: Grant database privileges - postgresql_privs: - type: "database" - state: "present" - roles: "{{ db_user2 }}" - privs: "CREATE,connect" - objs: "{{ db_name }}" - db: "{{ db_name }}" - login: "{{ db_user1 }}" - password: "password" - host: "localhost" - -- name: Check that the user has the requested permissions (database) - become: yes - become_user: "{{ pg_user }}" - shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} - register: result_database - -- assert: - that: - - "result_database.stdout_lines[-1] == '(1 row)'" - - "db_user2 ~ '=Cc' in result_database.stdout" - -- name: Remove user - postgresql_user: - name: "{{ db_user2 }}" - state: 'absent' - priv: "ALL" - db: "{{ db_name }}" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that they were removed - become: yes - become_user: "{{ pg_user }}" - shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" - -- name: Destroy DB - postgresql_db: - state: absent - name: "{{ db_name }}" - login_user: "{{ db_user1 }}" - login_password: "password" - login_host: "localhost" - -- name: Check that database was destroyed - become: yes - become_user: "{{ pg_user }}" - shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres - register: result - -- assert: - that: - - "result.stdout_lines[-1] == '(0 rows)'" 
diff --git a/test/integration/targets/postgresql_db_user_privs/aliases b/test/integration/targets/postgresql_privs/aliases
similarity index 65%
rename from test/integration/targets/postgresql_db_user_privs/aliases
rename to test/integration/targets/postgresql_privs/aliases
index 638474beaa7..585cf35af97 100644
--- a/test/integration/targets/postgresql_db_user_privs/aliases
+++ b/test/integration/targets/postgresql_privs/aliases
@@ -1,6 +1,4 @@
destructive
shippable/posix/group4
-postgresql_db
-postgresql_privs
postgresql_user
skip/osx
diff --git a/test/integration/targets/postgresql_privs/defaults/main.yml b/test/integration/targets/postgresql_privs/defaults/main.yml
new file mode 100644
index 00000000000..28a83c59ffc
--- /dev/null
+++ b/test/integration/targets/postgresql_privs/defaults/main.yml
@@ -0,0 +1,4 @@
+db_name: ansible_db
+db_user1: ansible_db_user1
+db_user2: ansible_db_user2
+db_user3: ansible_db_user3
diff --git a/test/integration/targets/postgresql_privs/meta/main.yml b/test/integration/targets/postgresql_privs/meta/main.yml
new file mode 100644
index 00000000000..f3345cb6151
--- /dev/null
+++ b/test/integration/targets/postgresql_privs/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- setup_postgresql_db
diff --git a/test/integration/targets/postgresql_privs/tasks/main.yml b/test/integration/targets/postgresql_privs/tasks/main.yml
new file mode 100644
index 00000000000..95bc198d90f
--- /dev/null
+++ b/test/integration/targets/postgresql_privs/tasks/main.yml
@@ -0,0 +1,9 @@
+# Initial CI tests of postgresql_privs module:
+- import_tasks: postgresql_privs_initial.yml
+
+# General tests:
+- import_tasks: postgresql_privs_general.yml
+
+# Tests default_privs with target_role:
+- import_tasks: test_target_role.yml
+ when: postgres_version_resp.stdout is version('9.1', '>=')
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/pg_authid_not_readable.yml b/test/integration/targets/postgresql_privs/tasks/pg_authid_not_readable.yml
similarity index 100%
rename from test/integration/targets/postgresql_db_user_privs/tasks/pg_authid_not_readable.yml
rename to test/integration/targets/postgresql_privs/tasks/pg_authid_not_readable.yml
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/postgresql_privs.yml b/test/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml
similarity index 100%
rename from test/integration/targets/postgresql_db_user_privs/tasks/postgresql_privs.yml
rename to test/integration/targets/postgresql_privs/tasks/postgresql_privs_general.yml
diff --git a/test/integration/targets/postgresql_privs/tasks/postgresql_privs_initial.yml b/test/integration/targets/postgresql_privs/tasks/postgresql_privs_initial.yml
new file mode 100644
index 00000000000..760d30e912d
--- /dev/null
+++ b/test/integration/targets/postgresql_privs/tasks/postgresql_privs_initial.yml
@@ -0,0 +1,325 @@ +# The tests below were added initially and moved here +# from the shared target called ``postgresql`` by @Andersson007 . +# You can see modern examples of CI tests in postgresql_publication directory, for example. + +# +# Test settings privileges +# +- name: Create db + become_user: "{{ pg_user }}" + become: yes + postgresql_db: + name: "{{ db_name }}" + state: "present" + login_user: "{{ pg_user }}" + +- name: Create some tables on the db + become_user: "{{ pg_user }}" + become: yes + shell: echo "create table test_table1 (field text);" | psql {{ db_name }} + +- become_user: "{{ pg_user }}" + become: yes + shell: echo "create table test_table2 (field text);" | psql {{ db_name }} + +- vars: + db_password: 'secretù' # use UTF-8 + block: + - name: Create a user with some permissions on the db + become_user: "{{ pg_user }}" + become: yes + postgresql_user: + name: "{{ db_user1 }}" + encrypted: 'yes' + password: "md5{{ (db_password ~ db_user1) | hash('md5')}}" + db: "{{ db_name }}" + priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP' + login_user: "{{ pg_user }}" + + - include_tasks: pg_authid_not_readable.yml + +- name: Check that the user has the requested permissions (table1) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- name: Check that the user has the requested permissions (table2) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- name: Check that the user has the requested permissions (database) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select datacl from pg_database where datname='{{ 
db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(7 rows)'" + - "'INSERT' in result_table1.stdout" + - "'SELECT' in result_table1.stdout" + - "'UPDATE' in result_table1.stdout" + - "'DELETE' in result_table1.stdout" + - "'TRUNCATE' in result_table1.stdout" + - "'REFERENCES' in result_table1.stdout" + - "'TRIGGER' in result_table1.stdout" + - "result_table2.stdout_lines[-1] == '(1 row)'" + - "'INSERT' == '{{ result_table2.stdout_lines[-2] | trim }}'" + - "result_database.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user1 }}=CTc/{{ pg_user }}' in result_database.stdout_lines[-2]" + +- name: Add another permission for the user + become_user: "{{ pg_user }}" + become: yes + postgresql_user: + name: "{{ db_user1 }}" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + db: "{{ db_name }}" + priv: 'test_table2:select' + login_user: "{{ pg_user }}" + register: result + +- name: Check that ansible reports it changed the user + assert: + that: + - result is changed + +- name: Check that the user has the requested permissions (table2) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table2.stdout_lines[-1] == '(2 rows)'" + - "'INSERT' in result_table2.stdout" + - "'SELECT' in result_table2.stdout" + +# +# Test priv setting via postgresql_privs module +# (Depends on state from previous _user privs tests) +# + +- name: Revoke a privilege + become_user: "{{ pg_user }}" + become: yes + postgresql_privs: + type: "table" + state: "absent" + roles: "{{ db_user1 }}" + privs: "INSERT" + objs: "test_table2" + db: "{{ db_name }}" + login_user: "{{ pg_user }}" + register: result + +- name: Check that ansible reports it changed the user + assert: + that: + - result is changed + +- name: 
Check that the user has the requested permissions (table2) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table2.stdout_lines[-1] == '(1 row)'" + - "'SELECT' == '{{ result_table2.stdout_lines[-2] | trim }}'" + +- name: Revoke many privileges on multiple tables + become_user: "{{ pg_user }}" + become: yes + postgresql_privs: + state: "absent" + roles: "{{ db_user1 }}" + privs: "INSERT,select,UPDATE,TRUNCATE,REFERENCES,TRIGGER,delete" + objs: "test_table2,test_table1" + db: "{{ db_name }}" + login_user: "{{ pg_user }}" + register: result + +- name: Check that ansible reports it changed the user + assert: + that: + - result is changed + +- name: Check that permissions were revoked (table1) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- name: Check that permissions were revoked (table2) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(0 rows)'" + - "result_table2.stdout_lines[-1] == '(0 rows)'" + +- name: Revoke database privileges + become_user: "{{ pg_user }}" + become: yes + postgresql_privs: + type: "database" + state: "absent" + roles: "{{ db_user1 }}" + privs: "Create,connect,TEMP" + objs: "{{ db_name }}" + db: "{{ db_name }}" + login_user: "{{ pg_user }}" + +- name: Check that the user has the requested permissions (database) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select datacl from pg_database 
where datname='{{ db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_database.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user1 }}' not in result_database.stdout" + +- name: Grant database privileges + become_user: "{{ pg_user }}" + become: yes + postgresql_privs: + type: "database" + state: "present" + roles: "{{ db_user1 }}" + privs: "CREATE,connect" + objs: "{{ db_name }}" + db: "{{ db_name }}" + login_user: "{{ pg_user }}" + register: result + +- name: Check that ansible reports it changed the user + assert: + that: + - result is changed + +- name: Check that the user has the requested permissions (database) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_database.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user1 }}=Cc' in result_database.stdout" + +- name: Grant a single privilege on a table + become_user: "{{ pg_user }}" + become: yes + postgresql_privs: + state: "present" + roles: "{{ db_user1 }}" + privs: "INSERT" + objs: "test_table1" + db: "{{ db_name }}" + login_user: "{{ pg_user }}" + +- name: Check that permissions were added (table1) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(1 row)'" + - "'{{ result_table1.stdout_lines[-2] | trim }}' == 'INSERT'" + +- name: Grant many privileges on multiple tables + become_user: "{{ pg_user }}" + become: yes + postgresql_privs: + state: "present" + roles: "{{ db_user1 }}" + privs: 'INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,trigger' + objs: "test_table2,test_table1" + db: "{{ db_name }}" + login_user: "{{ pg_user }}" + +- name: Check that permissions were added 
(table1) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- name: Check that permissions were added (table2) + become_user: "{{ pg_user }}" + become: yes + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(7 rows)'" + - "'INSERT' in result_table1.stdout" + - "'SELECT' in result_table1.stdout" + - "'UPDATE' in result_table1.stdout" + - "'DELETE' in result_table1.stdout" + - "'TRUNCATE' in result_table1.stdout" + - "'REFERENCES' in result_table1.stdout" + - "'TRIGGER' in result_table1.stdout" + - "result_table2.stdout_lines[-1] == '(7 rows)'" + - "'INSERT' in result_table2.stdout" + - "'SELECT' in result_table2.stdout" + - "'UPDATE' in result_table2.stdout" + - "'DELETE' in result_table2.stdout" + - "'TRUNCATE' in result_table2.stdout" + - "'REFERENCES' in result_table2.stdout" + - "'TRIGGER' in result_table2.stdout" + +# +# Cleanup +# +- name: Cleanup db + become_user: "{{ pg_user }}" + become: yes + postgresql_db: + name: "{{ db_name }}" + state: "absent" + login_user: "{{ pg_user }}" + +- name: Check that database was destroyed + become_user: "{{ pg_user }}" + become: yes + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +- name: Cleanup test user + become_user: "{{ pg_user }}" + become: yes + postgresql_user: + name: "{{ db_user1 }}" + state: 'absent' + login_user: "{{ pg_user }}" + db: postgres + +- name: Check that they were removed + become_user: "{{ pg_user }}" + become: yes + shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | 
psql -d postgres + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/test_target_role.yml b/test/integration/targets/postgresql_privs/tasks/test_target_role.yml similarity index 83% rename from test/integration/targets/postgresql_db_user_privs/tasks/test_target_role.yml rename to test/integration/targets/postgresql_privs/tasks/test_target_role.yml index 75b58ddfd81..1a12236d7c1 100644 --- a/test/integration/targets/postgresql_db_user_privs/tasks/test_target_role.yml +++ b/test/integration/targets/postgresql_privs/tasks/test_target_role.yml @@ -1,6 +1,12 @@ ---- - # Setup +- name: Create a test user + become_user: "{{ pg_user }}" + become: yes + postgresql_user: + name: "{{ db_user1 }}" + login_user: "{{ pg_user }}" + db: postgres + - name: Create DB become_user: "{{ pg_user }}" become: yes @@ -72,6 +78,8 @@ # Cleanup - name: Remove user given permissions + become_user: "{{ pg_user }}" + become: yes postgresql_user: name: "{{ db_user2 }}" state: absent @@ -79,6 +87,8 @@ login_user: "{{ pg_user }}" - name: Remove user owner of objects + become_user: "{{ pg_user }}" + become: yes postgresql_user: name: "{{ db_user3 }}" state: absent @@ -92,3 +102,12 @@ state: absent name: "{{ db_name }}" login_user: "{{ pg_user }}" + +- name: Remove test user + become_user: "{{ pg_user }}" + become: yes + postgresql_user: + name: "{{ db_user1 }}" + state: absent + db: postgres + login_user: "{{ pg_user }}" diff --git a/test/integration/targets/postgresql_shared/aliases b/test/integration/targets/postgresql_shared/aliases new file mode 100644 index 00000000000..5bb5b301ed2 --- /dev/null +++ b/test/integration/targets/postgresql_shared/aliases 
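Review bot: The "Revoke database privileges" task in postgresql_privs_initial.yml is the only postgresql_privs call in this hunk that neither registers its result nor asserts `result is changed`, while the neighbouring revoke/grant tasks all do; adding `register: result` plus the same changed-assertion keeps the revoke path covered by the same idempotence signal as the grants. The permission checks build their SQL by interpolating `db_user1` and `db_name` into a string that is then passed through `echo ... | psql` in a shell, so each assertion depends on two quoting layers (shell and SQL) around the fixture names; with the fixed defaults this holds, but the postgresql_query module listed in the shared target's aliases would remove the shell layer. The second table-creation task has no `name:`; `- name: Create a second table on the db` would make the CI log readable.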
@@ -0,0 +1,24 @@
+destructive
+shippable/posix/group4
+postgresql_db
+postgresql_copy
+postgresql_ext
+postgresql_idx
+postgresql_info
+postgresql_lang
+postgresql_membership
+postgresql_owner
+postgresql_pg_hba
+postgresql_ping
+postgresql_privs
+postgresql_publication
+postgresql_query
+postgresql_schema
+postgresql_sequence
+postgresql_set
+postgresql_shared
+postgresql_slot
+postgresql_table
+postgresql_tablespace
+postgresql_user
+skip/osx
diff --git a/test/integration/targets/postgresql_shared/defaults/main.yml b/test/integration/targets/postgresql_shared/defaults/main.yml
new file mode 100644
index 00000000000..4ef0d541e71
--- /dev/null
+++ b/test/integration/targets/postgresql_shared/defaults/main.yml
@@ -0,0 +1,6 @@
+db_name: 'ansible_db'
+db_user1: 'ansible_db_user1'
+tmp_dir: '/tmp'
+
+db_session_role1: 'session_role1'
+db_session_role2: 'session_role2'
diff --git a/test/integration/targets/postgresql_shared/meta/main.yml b/test/integration/targets/postgresql_shared/meta/main.yml
new file mode 100644
index 00000000000..85b1dc7e4cf
--- /dev/null
+++ b/test/integration/targets/postgresql_shared/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - setup_postgresql_db
diff --git a/test/integration/targets/postgresql_shared/tasks/main.yml b/test/integration/targets/postgresql_shared/tasks/main.yml
new file mode 100644
index 00000000000..ab0288b7a13
--- /dev/null
+++ b/test/integration/targets/postgresql_shared/tasks/main.yml
@@ -0,0 +1,6 @@
+# This test role is for testing general (non-specific) functionality
+# that's presented in all modules (or in a part of them).
+# If you want to add tests make a new test file and include here.
+
+# Verify different session_role scenarios:
+- import_tasks: session_role.yml
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/session_role.yml b/test/integration/targets/postgresql_shared/tasks/session_role.yml similarity index 99% rename from test/integration/targets/postgresql_db_user_privs/tasks/session_role.yml rename to test/integration/targets/postgresql_shared/tasks/session_role.yml index 6b17f522e84..c51ca18e06e 100644 --- a/test/integration/targets/postgresql_db_user_privs/tasks/session_role.yml +++ b/test/integration/targets/postgresql_shared/tasks/session_role.yml @@ -3,7 +3,7 @@ become: yes postgresql_db: state: present - name: "{{ db_name }}" + name: must_fail login_user: "{{ pg_user }}" session_role: "{{ db_session_role1 }}" register: result diff --git a/test/integration/targets/postgresql_user/aliases b/test/integration/targets/postgresql_user/aliases new file mode 100644 index 00000000000..fe75653cadc --- /dev/null +++ b/test/integration/targets/postgresql_user/aliases @@ -0,0 +1,3 @@ +destructive +shippable/posix/group4 +skip/osx diff --git a/test/integration/targets/postgresql_user/defaults/main.yml b/test/integration/targets/postgresql_user/defaults/main.yml new file mode 100644 index 00000000000..bc9ef19b93a --- /dev/null +++ b/test/integration/targets/postgresql_user/defaults/main.yml @@ -0,0 +1,3 @@ +db_name: 'ansible_db' +db_user1: 'ansible_db_user1' +db_user2: 'ansible_db_user2' diff --git a/test/integration/targets/postgresql_user/meta/main.yml b/test/integration/targets/postgresql_user/meta/main.yml new file mode 100644 index 00000000000..f3345cb6151 --- /dev/null +++ b/test/integration/targets/postgresql_user/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: +- setup_postgresql_db diff --git a/test/integration/targets/postgresql_user/tasks/main.yml b/test/integration/targets/postgresql_user/tasks/main.yml new file mode 100644 index 00000000000..04fbeff86b6 --- /dev/null +++ b/test/integration/targets/postgresql_user/tasks/main.yml 
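Review bot: Changing the database name in session_role.yml to the literal `must_fail` means that if this session_role check ever succeeds unexpectedly, a database named `must_fail` is left on the server and no cleanup keyed on `db_name` will remove it; the `register: result` is presumably followed by an assertion that the module failed, but that lives outside the hunk. A short comment on the changed line, `name: must_fail  # literal name: this call is expected to fail, nothing should be created`, would make the intent visible to the next reader. The enclosing task starts before the hunk.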
@@ -0,0 +1,5 @@
+# Initial CI tests of postgresql_user module
+- import_tasks: postgresql_user_initial.yml
+
+# General tests:
+- import_tasks: postgresql_user_general.yml
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/postgresql_user.yml b/test/integration/targets/postgresql_user/tasks/postgresql_user_general.yml
similarity index 100%
rename from test/integration/targets/postgresql_db_user_privs/tasks/postgresql_user.yml
rename to test/integration/targets/postgresql_user/tasks/postgresql_user_general.yml
diff --git a/test/integration/targets/postgresql_user/tasks/postgresql_user_initial.yml b/test/integration/targets/postgresql_user/tasks/postgresql_user_initial.yml
new file mode 100644
index 00000000000..ccd42847c67
--- /dev/null
+++ b/test/integration/targets/postgresql_user/tasks/postgresql_user_initial.yml
@@ -0,0 +1,153 @@ +# +# Create and destroy user, test 'password' and 'encrypted' parameters +# +# unencrypted values are not supported on newer versions +# do not run the encrypted: no tests if on 10+ +- set_fact: + encryption_values: + - 'yes' + +- set_fact: + encryption_values: '{{ encryption_values + ["no"]}}' + when: postgres_version_resp.stdout is version('10', '<=') + +- include_tasks: test_password.yml + vars: + encrypted: '{{ loop_item }}' + db_password1: 'secretù' # use UTF-8 + loop: '{{ encryption_values }}' + loop_control: + loop_var: loop_item + +# BYPASSRLS role attribute was introduced in PostgreSQL 9.5, so +# we want to test attribute management differently depending +# on the version. +- set_fact: + bypassrls_supported: "{{ postgres_version_resp.stdout is version('9.5.0', '>=') }}" + +# test 'no_password_change' and 'role_attr_flags' parameters +- include_tasks: test_no_password_change.yml + vars: + no_password_changes: '{{ loop_item }}' + loop: + - 'yes' + - 'no' + loop_control: + loop_var: loop_item + +### TODO: fail_on_user + +# +# Test login_user functionality +# +- name: Create a user to test login module parameters + become: yes + become_user: "{{ pg_user }}" + postgresql_user: + name: "{{ db_user1 }}" + state: "present" + encrypted: 'yes' + password: "password" + role_attr_flags: "CREATEDB,LOGIN,CREATEROLE" + login_user: "{{ pg_user }}" + db: postgres + +- name: Create db + postgresql_db: + name: "{{ db_name }}" + state: "present" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that database created + become: yes + become_user: "{{ pg_user }}" + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + +- name: Create a user + postgresql_user: + name: "{{ db_user2 }}" + state: "present" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + db: "{{ 
db_name }}" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that it was created + become: yes + become_user: "{{ pg_user }}" + shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + +- name: Grant database privileges + postgresql_privs: + type: "database" + state: "present" + roles: "{{ db_user2 }}" + privs: "CREATE,connect" + objs: "{{ db_name }}" + db: "{{ db_name }}" + login: "{{ db_user1 }}" + password: "password" + host: "localhost" + +- name: Check that the user has the requested permissions (database) + become: yes + become_user: "{{ pg_user }}" + shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_database.stdout_lines[-1] == '(1 row)'" + - "db_user2 ~ '=Cc' in result_database.stdout" + +- name: Remove user + postgresql_user: + name: "{{ db_user2 }}" + state: 'absent' + priv: "ALL" + db: "{{ db_name }}" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that they were removed + become: yes + become_user: "{{ pg_user }}" + shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +- name: Destroy DB + postgresql_db: + state: absent + name: "{{ db_name }}" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that database was destroyed + become: yes + become_user: "{{ pg_user }}" + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" 
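Review bot: The guard `when: postgres_version_resp.stdout is version('10', '<=')` in postgresql_user_initial.yml does not match the comment above it ("do not run the encrypted: no tests if on 10+"): with `<=` the unencrypted-password case still runs when the reported version compares equal to 10 (a `10` or `10.0` string, for instance), so the condition should read `when: postgres_version_resp.stdout is version('10', '<')`. Separately, the "Grant database privileges" task in this file uses the `login`/`password`/`host` aliases while every other task uses `login_user`/`login_password`/`login_host`; using the long form throughout keeps the connection parameters consistent and easy to grep when auditing which credentials each test uses.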
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/test_no_password_change.yml b/test/integration/targets/postgresql_user/tasks/test_no_password_change.yml
similarity index 100%
rename from test/integration/targets/postgresql_db_user_privs/tasks/test_no_password_change.yml
rename to test/integration/targets/postgresql_user/tasks/test_no_password_change.yml
diff --git a/test/integration/targets/postgresql_db_user_privs/tasks/test_password.yml b/test/integration/targets/postgresql_user/tasks/test_password.yml
similarity index 100%
rename from test/integration/targets/postgresql_db_user_privs/tasks/test_password.yml
rename to test/integration/targets/postgresql_user/tasks/test_password.yml