diff --git a/test/integration/destructive.yml b/test/integration/destructive.yml index 07e86e36f2d..21e1ec047a9 100644 --- a/test/integration/destructive.yml +++ b/test/integration/destructive.yml @@ -9,6 +9,7 @@ - { role: test_yum, tags: test_yum } - { role: test_apt, tags: test_apt } - { role: test_apt_repository, tags: test_apt_repository } + - { role: test_postgresql, tags: test_postgresql} - { role: test_mysql_db, tags: test_mysql_db} - { role: test_mysql_user, tags: test_mysql_user} - { role: test_mysql_variables, tags: test_mysql_variables} diff --git a/test/integration/roles/setup_postgresql_db/defaults/main.yml b/test/integration/roles/setup_postgresql_db/defaults/main.yml new file mode 100644 index 00000000000..08f3a91b46e --- /dev/null +++ b/test/integration/roles/setup_postgresql_db/defaults/main.yml @@ -0,0 +1,5 @@ +postgresql_service: postgresql + +postgresql_packages: + - postgresql-server + - python-psycopg2 diff --git a/test/integration/roles/setup_postgresql_db/files/pg_hba.conf b/test/integration/roles/setup_postgresql_db/files/pg_hba.conf new file mode 100644 index 00000000000..a8defb8ee6c --- /dev/null +++ b/test/integration/roles/setup_postgresql_db/files/pg_hba.conf @@ -0,0 +1,10 @@ +# !!! This file managed by Ansible. Any local changes may be overwritten. !!! + +# Database administrative login by UNIX sockets +# note: you may wish to restrict this further later +local all postgres trust + +# TYPE DATABASE USER CIDR-ADDRESS METHOD +local all all md5 +host all all 127.0.0.1/32 md5 +host all all ::1/128 md5 diff --git a/test/integration/roles/setup_postgresql_db/tasks/main.yml b/test/integration/roles/setup_postgresql_db/tasks/main.yml new file mode 100644 index 00000000000..1b3f103961b --- /dev/null +++ b/test/integration/roles/setup_postgresql_db/tasks/main.yml 
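Review bot: `local all postgres trust` lets any local OS account open a Unix-socket connection as the `postgres` superuser without authenticating, and the in-file note "you may wish to restrict this further later" already hints at it. Every task in the new roles runs with `sudo_user: postgres`, so `local all postgres peer` would give the same access while tying it to that OS account. Older servers reached by the sysv `initdb` branch of the setup role may only accept `ident` for socket connections, so confirm the server versions in use before changing it. The `host` entries stay on `md5`, which the `login_host: "localhost"` tests depend on.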
@@ -0,0 +1,71 @@ +- include_vars: '{{ item }}' + with_first_found: + - files: + - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml' + - '{{ ansible_os_family }}.yml' + - 'default.yml' + paths: '../vars' + +# Make sure we start fresh +- name: remove rpm dependencies for postgresql test + yum: name={{ item }} state=absent + with_items: postgresql_packages + when: ansible_pkg_mgr == 'yum' + +- name: remove dpkg dependencies for postgresql test + apt: name={{ item }} state=absent + with_items: postgresql_packages + when: ansible_pkg_mgr == 'apt' + +- name: remove old db (red hat) + command: rm -rf "{{ pg_dir }}" + ignore_errors: True + when: ansible_os_family == "RedHat" + +# Theoretically, pg_dropcluster should work but it doesn't so rm files +- name: remove old db config (debian) + command: rm -rf /etc/postgresql + ignore_errors: True + when: ansible_os_family == "Debian" + +- name: remove old db files (debian) + command: rm -rf /var/lib/postgresql + ignore_errors: True + when: ansible_os_family == "Debian" + +- name: install rpm dependencies for postgresql test + yum: name={{ item }} state=latest + with_items: postgresql_packages + when: ansible_pkg_mgr == 'yum' + +- name: install dpkg dependencies for postgresql test + apt: name={{ item }} state=latest + with_items: postgresql_packages + when: ansible_pkg_mgr == 'apt' + +- name: Initialize postgres (systemd) + command: postgresql-setup initdb + when: ansible_distribution == "Fedora" or (ansible_os_family == "RedHat" and ansible_distribution_major_version|int >= 7) + +- name: Initialize postgres (sysv) + command: /sbin/service postgresql initdb + when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int <= 6 + +- name: Iniitalize postgres (upstart) + command: /usr/bin/pg_createcluster {{ pg_ver }} main + when: ansible_os_family == 'Debian' + +- name: Copy pg_hba into place + copy: src=pg_hba.conf 
dest="{{ pg_hba_location }}" owner="postgres" group="root" mode="0644" + +- name: Generate locale on Debian systems + command: locale-gen pt_BR + when: ansible_os_family == 'Debian' + +- name: Generate locale on Debian systems + command: locale-gen es_MX + when: ansible_os_family == 'Debian' + +- name: restart postgresql service + service: name={{ postgresql_service }} state=restarted diff --git a/test/integration/roles/setup_postgresql_db/vars/Ubuntu-12.yml b/test/integration/roles/setup_postgresql_db/vars/Ubuntu-12.yml new file mode 100644 index 00000000000..b2507c98496 --- /dev/null +++ b/test/integration/roles/setup_postgresql_db/vars/Ubuntu-12.yml @@ -0,0 +1,11 @@ +postgresql_service: "postgresql" + +postgresql_packages: + - "postgresql" + - "postgresql-common" + - "python-psycopg2" + +pg_hba_location: "/etc/postgresql/9.1/main/pg_hba.conf" +pg_dir: "/var/lib/postgresql/9.1/main" +pg_ver: 9.1 + diff --git a/test/integration/roles/setup_postgresql_db/vars/Ubuntu-14.yml b/test/integration/roles/setup_postgresql_db/vars/Ubuntu-14.yml new file mode 100644 index 00000000000..7d704264da7 --- /dev/null +++ b/test/integration/roles/setup_postgresql_db/vars/Ubuntu-14.yml @@ -0,0 +1,10 @@ +postgresql_service: "postgresql" + +postgresql_packages: + - "postgresql" + - "postgresql-common" + - "python-psycopg2" + +pg_hba_location: "/etc/postgresql/9.3/main/pg_hba.conf" +pg_dir: "/var/lib/postgresql/9.3/main" +pg_ver: 9.3 diff --git a/test/integration/roles/setup_postgresql_db/vars/default.yml b/test/integration/roles/setup_postgresql_db/vars/default.yml new file mode 100644 index 00000000000..dc7db0fc981 --- /dev/null +++ b/test/integration/roles/setup_postgresql_db/vars/default.yml @@ -0,0 +1,8 @@ +postgresql_service: "postgresql" + +postgresql_packages: + - "postgresql-server" + - "python-psycopg2" + +pg_hba_location: "/var/lib/pgsql/data/pg_hba.conf" +pg_dir: "/var/lib/pgsql/data" 
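Review bot: The three `command: rm -rf …` tasks rely on `ignore_errors: True`, which also hides real failures such as a permission error, while `rm -rf` already succeeds on a missing path; `file: path="{{ pg_dir }}" state=absent` (and the same for `/etc/postgresql` and `/var/lib/postgresql`) is idempotent and needs no `ignore_errors`. The pg_hba copy uses `mode="0644"` with `group="root"`, making the file world-readable; `mode="0640"` with `group="postgres"` is closer to what packaged installs typically ship. The two `Generate locale on Debian systems` tasks share a name and could be one task with `with_items`. Typo in a task name: `Iniitalize postgres (upstart)` → `Initialize postgres (upstart)`.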
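Review bot: `pg_ver: 9.1` is an unquoted float, so it is parsed as a number before being rendered into the `pg_createcluster` command; it works for `9.1` and `9.3` but would silently turn a value such as `9.10` into `9.1`, so quote it as `pg_ver: "9.1"` here and `pg_ver: "9.3"` in Ubuntu-14.yml. The file also ends with an extra blank line that Ubuntu-14.yml does not have. None of the `setup_postgresql_db` vars files start with `---`, while the `test_postgresql` files in the same commit do.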
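Review bot: `default.yml` re-declares `postgresql_service` and `postgresql_packages` with the same values as `setup_postgresql_db/defaults/main.yml`, and because `with_first_found` always falls through to `default.yml`, the role defaults are never the effective values. Either drop the duplicated keys from `defaults/main.yml` or add a comment there such as `# Overridden by vars/<distro>.yml or vars/default.yml via include_vars; kept only as documentation of the expected shape.` so the next reader does not edit the wrong file.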
diff --git a/test/integration/roles/test_postgresql/defaults/main.yml b/test/integration/roles/test_postgresql/defaults/main.yml new file mode 100644 index 00000000000..cfc50737c63 --- /dev/null +++ b/test/integration/roles/test_postgresql/defaults/main.yml @@ -0,0 +1,8 @@ +--- +# defaults file for test_postgresql_db +db_name: 'ansible_db' +db_user1: 'ansible_db_user1' +db_user2: 'ansible_db_user2' + +tmp_dir: '/tmp' + diff --git a/test/integration/roles/test_postgresql/meta/main.yml b/test/integration/roles/test_postgresql/meta/main.yml new file mode 100644 index 00000000000..85b1dc7e4cf --- /dev/null +++ b/test/integration/roles/test_postgresql/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - setup_postgresql_db diff --git a/test/integration/roles/test_postgresql/tasks/main.yml b/test/integration/roles/test_postgresql/tasks/main.yml new file mode 100644 index 00000000000..e814b5fd9ee --- /dev/null +++ b/test/integration/roles/test_postgresql/tasks/main.yml 
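Review bot: The header comment `# defaults file for test_postgresql_db` names a role that does not exist in this commit; the directory is `test_postgresql`, so `# defaults file for test_postgresql` would match. `tmp_dir: '/tmp'` is not referenced by any task in this diff as far as I can see; if it is intended for later use, a comment saying so would help, otherwise it can be dropped.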
@@ -0,0 +1,882 @@ +# +# Create and destroy db +# +- name: Create DB + sudo_user: postgres + sudo: True + postgresql_db: + state: present + name: "{{ db_name }}" + register: result + +- name: assert that module reports the db was created + assert: + that: + - "result.changed == true" + - "result.db =='{{ db_name }}'" + +- name: Check that database created + sudo_user: postgres + sudo: True + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + +- name: Run create on an already created db + sudo_user: postgres + sudo: True + postgresql_db: + state: present + name: "{{ db_name }}" + register: result + +- name: assert that module reports the db was unchanged + assert: + that: + - "result.changed == false" + +- name: Destroy DB + sudo_user: postgres + sudo: True + postgresql_db: + state: absent + name: "{{ db_name }}" + register: result + +- name: assert that module reports the db was changed + assert: + that: + - "result.changed == true" + +- name: Check that database was destroyed + sudo_user: postgres + sudo: True + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +- name: Destroy DB + sudo_user: postgres + sudo: True + postgresql_db: + state: absent + name: "{{ db_name }}" + register: result + +- name: assert that removing an alreaady removed db makes no change + assert: + that: + - "result.changed == false" + + +# This corner case works to add but not to drop. 
This is sufficiently crazy +# that I'm not going to attempt to fix it unless someone lets me know that they +# need the functionality +# +# - postgresql_db: +# state: 'present' +# name: '"silly.""name"' +# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql +# register: result +# +# - assert: +# that: "result.stdout_lines[-1] == '(1 row)'" +# - postgresql_db: +# state: absent +# name: '"silly.""name"' +# - shell: echo "select datname from pg_database where datname = 'silly.""name';" | psql +# register: result +# +# - assert: +# that: "result.stdout_lines[-1] == '(0 rows)'" + +# +# Test encoding, collate, ctype, template options +# +- name: Create a DB with encoding, collate, ctype, and template options + sudo_user: postgres + sudo: True + postgresql_db: + name: '{{ db_name }}' + state: 'present' + encoding: 'LATIN1' + lc_collate: 'pt_BR' + lc_ctype: 'es_MX' + template: 'template0' + +- name: Check that the DB has all of our options + sudo_user: postgres + sudo: True + shell: echo "select datname, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + - "'LATIN1' in result.stdout_lines[-2]" + - "'pt_BR' in result.stdout_lines[-2]" + - "'es_MX' in result.stdout_lines[-2]" + - "'UTF8' not in result.stdout_lines[-2]" + - "'en_US' not in result.stdout_lines[-2]" + +- name: Check that running db cration with options a second time does nothing + sudo_user: postgres + sudo: True + postgresql_db: + name: '{{ db_name }}' + state: 'present' + encoding: 'LATIN1' + lc_collate: 'pt_BR' + lc_ctype: 'es_MX' + template: 'template0' + register: result + +- assert: + that: + - 'result.changed == False' + + +- name: Check that attempting to change encoding returns an error + sudo_user: postgres + sudo: True + postgresql_db: + name: '{{ db_name }}' + state: 'present' + encoding: 'UTF8' + lc_collate: 'pt_BR' + 
lc_ctype: 'es_MX' + template: 'template0' + register: result + ignore_errors: True + +- assert: + that: + - 'result.failed == True' + +- name: Cleanup test DB + sudo_user: postgres + sudo: True + postgresql_db: + name: '{{ db_name }}' + state: 'absent' + +- shell: echo "select datname, pg_encoding_to_char(encoding), datcollate, datctype from pg_database where datname = '{{ db_name }}';" | psql + sudo_user: postgres + sudo: True + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +# +# Create and destroy user +# +- name: Create a user + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + register: result + +- name: Check that ansible reports they were created + assert: + that: + - "result.changed == True" + +- name: Check that they were created + sudo_user: postgres + sudo: True + shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + +- name: Check that creating user a second time does nothing + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + register: result + +- name: Check that ansible reports no change + assert: + that: + - "result.changed == False" + +- name: Remove user + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + state: 'absent' + register: result + +- name: Check that ansible reports they were removed + assert: + that: + - "result.changed == True" + +- name: Check that they were removed + sudo_user: postgres + sudo: True + shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +- name: Check that removing user a second time does nothing + sudo_user: postgres + sudo: True + postgresql_user: 
+ name: "{{ db_user1 }}" + state: 'absent' + register: result + +- name: Check that ansible reports no change + assert: + that: + - "result.changed == False" + +- name: Create a user with all role attributes + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + state: "present" + role_attr_flags: "SUPERUSER,CREATEROLE,CREATEDB,INHERIT,login" + +- name: Check that the user has the requested role attributes + sudo_user: postgres + sudo: True + shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + - "'super:t' in result.stdout_lines[-2]" + - "'createrole:t' in result.stdout_lines[-2]" + - "'create:t' in result.stdout_lines[-2]" + - "'inherit:t' in result.stdout_lines[-2]" + - "'login:t' in result.stdout_lines[-2]" + +- name: Modify a user to have no role attributes + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + state: "present" + role_attr_flags: "NOSUPERUSER,NOCREATEROLE,NOCREATEDB,noinherit,NOLOGIN" + register: result + +- name: Check that ansible reports it modified the role + assert: + that: + - "result.changed == True" + +- name: Check that the user has the requested role attributes + sudo_user: postgres + sudo: True + shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + - "'super:f' in result.stdout_lines[-2]" + - "'createrole:f' in result.stdout_lines[-2]" + - "'create:f' in result.stdout_lines[-2]" + - "'inherit:f' in result.stdout_lines[-2]" + - "'login:f' in result.stdout_lines[-2]" + +- name: Modify a single role attribute on a user + sudo_user: postgres 
+ sudo: True + postgresql_user: + name: "{{ db_user1 }}" + state: "present" + role_attr_flags: "LOGIN" + register: result + +- name: Check that ansible reports it modified the role + assert: + that: + - "result.changed == True" + +- name: Check that the user has the requested role attributes + sudo_user: postgres + sudo: True + shell: echo "select 'super:'||rolsuper, 'createrole:'||rolcreaterole, 'create:'||rolcreatedb, 'inherit:'||rolinherit, 'login:'||rolcanlogin from pg_roles where rolname='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + - "'super:f' in result.stdout_lines[-2]" + - "'createrole:f' in result.stdout_lines[-2]" + - "'create:f' in result.stdout_lines[-2]" + - "'inherit:f' in result.stdout_lines[-2]" + - "'login:t' in result.stdout_lines[-2]" + +- name: Cleanup the user + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + state: 'absent' + +- name: Check that they were removed + sudo_user: postgres + sudo: True + shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +### TODO: test expires, fail_on_user + +# +# Test db ownership +# +- name: Create an unprivileged user to own a DB + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + +- name: Create db with user ownership + sudo_user: postgres + sudo: True + postgresql_db: + name: "{{ db_name }}" + state: "present" + owner: "{{ db_user1 }}" + +- name: Check that the user owns the newly created DB + sudo_user: postgres + sudo: True + shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user1 }}' == '{{ result.stdout_lines[-2] | trim }}'" + +- name: 
Change the owner on an existing db + sudo_user: postgres + sudo: True + postgresql_db: + name: "{{ db_name }}" + state: "present" + owner: "postgres" + register: result + +- name: assert that ansible says it changed the db + assert: + that: + - "result.changed == True" + +- name: Check that the user owns the newly created DB + sudo_user: postgres + sudo: True + shell: echo "select pg_catalog.pg_get_userbyid(datdba) from pg_catalog.pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + - "'postgres' == '{{ result.stdout_lines[-2] | trim }}'" + +- name: Cleanup db + sudo_user: postgres + sudo: True + postgresql_db: + name: "{{ db_name }}" + state: "absent" + +- name: Check that database was destroyed + sudo_user: postgres + sudo: True + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +- name: Cleanup test user + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + state: 'absent' + +- name: Check that they were removed + sudo_user: postgres + sudo: True + shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +# +# Test settings privleges +# +- name: Create db + sudo_user: postgres + sudo: True + postgresql_db: + name: "{{ db_name }}" + state: "present" + +- name: Create some tables on the db + sudo_user: postgres + sudo: True + shell: echo "create table test_table1 (field text);" | psql {{ db_name }} + +- sudo_user: postgres + sudo: True + shell: echo "create table test_table2 (field text);" | psql {{ db_name }} + +- name: Create a user with some permissions on the db + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + db: "{{ db_name 
}}" + priv: 'test_table1:INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,TRIGGER/test_table2:INSERT/CREATE,CONNECT,TEMP' + +- name: Check that the user has the requested permissions (table1) + sudo_user: postgres + sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- name: Check that the user has the requested permissions (table2) + sudo_user: postgres + sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- name: Check that the user has the requested permissions (database) + sudo_user: postgres + sudo: True + shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(7 rows)'" + - "'INSERT' in result_table1.stdout" + - "'SELECT' in result_table1.stdout" + - "'UPDATE' in result_table1.stdout" + - "'DELETE' in result_table1.stdout" + - "'TRUNCATE' in result_table1.stdout" + - "'REFERENCES' in result_table1.stdout" + - "'TRIGGER' in result_table1.stdout" + - "result_table2.stdout_lines[-1] == '(1 row)'" + - "'INSERT' == '{{ result_table2.stdout_lines[-2] | trim }}'" + - "result_database.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user1 }}=CTc/postgres' in result_database.stdout_lines[-2]" + +- name: Add another permission for the user + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + db: "{{ db_name }}" + priv: 'test_table2:select' + register: results + +- name: Check that ansible reports it changed the user + assert: + that: + - "results.changed == True" + +- name: Check that the user has the requested permissions (table2) + sudo_user: postgres + 
sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table2.stdout_lines[-1] == '(2 rows)'" + - "'INSERT' in result_table2.stdout" + - "'SELECT' in result_table2.stdout" + + +# +# Test priv setting via postgresql_privs module +# (Depends on state from previous _user privs tests) +# + +- name: Revoke a privilege + sudo_user: postgres + sudo: True + postgresql_privs: + type: "table" + state: "absent" + roles: "{{ db_user1 }}" + privs: "INSERT" + objs: "test_table2" + db: "{{ db_name }}" + register: results + +- name: Check that ansible reports it changed the user + assert: + that: + - "results.changed == True" + +- name: Check that the user has the requested permissions (table2) + sudo_user: postgres + sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table2.stdout_lines[-1] == '(1 row)'" + - "'SELECT' == '{{ result_table2.stdout_lines[-2] | trim }}'" + +- name: Revoke many privileges on multiple tables + sudo_user: postgres + sudo: True + postgresql_privs: + state: "absent" + roles: "{{ db_user1 }}" + privs: "INSERT,select,UPDATE,TRUNCATE,REFERENCES,TRIGGER,delete" + objs: "test_table2,test_table1" + db: "{{ db_name }}" + register: results + +- name: Check that ansible reports it changed the user + assert: + that: + - "results.changed == True" + +- name: Check that permissions were revoked (table1) + sudo_user: postgres + sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- name: Check that permissions were revoked (table2) + sudo_user: postgres + sudo: True + 
shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(0 rows)'" + - "result_table2.stdout_lines[-1] == '(0 rows)'" + +- name: Revoke database privileges + sudo_user: postgres + sudo: True + postgresql_privs: + type: "database" + state: "absent" + roles: "{{ db_user1 }}" + privs: "Create,connect,TEMP" + objs: "{{ db_name }}" + db: "{{ db_name }}" + +- name: Check that the user has the requested permissions (database) + sudo_user: postgres + sudo: True + shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_database.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user1 }}' not in result_database.stdout" + +- name: Grant database privileges + sudo_user: postgres + sudo: True + postgresql_privs: + type: "database" + state: "present" + roles: "{{ db_user1 }}" + privs: "CREATE,connect" + objs: "{{ db_name }}" + db: "{{ db_name }}" + register: results + +- name: Check that ansible reports it changed the user + assert: + that: + - "results.changed == True" + +- name: Check that the user has the requested permissions (database) + sudo_user: postgres + sudo: True + shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_database.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user1 }}=Cc' in result_database.stdout" + +- name: Grant a single privilege on a table + sudo_user: postgres + sudo: True + postgresql_privs: + state: "present" + roles: "{{ db_user1 }}" + privs: "INSERT" + objs: "test_table1" + db: "{{ db_name }}" + +- name: Check that permissions were added (table1) + sudo_user: postgres + sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where 
grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(1 row)'" + - "'{{ result_table1.stdout_lines[-2] | trim }}' == 'INSERT'" + +- name: Grant many privileges on multiple tables + sudo_user: postgres + sudo: True + postgresql_privs: + state: "present" + roles: "{{ db_user1 }}" + privs: 'INSERT,SELECT,UPDATE,DELETE,TRUNCATE,REFERENCES,trigger' + objs: "test_table2,test_table1" + db: "{{ db_name }}" + +- name: Check that permissions were added (table1) + sudo_user: postgres + sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table1';" | psql {{ db_name }} + register: result_table1 + +- name: Check that permissions were added (table2) + sudo_user: postgres + sudo: True + shell: echo "select privilege_type from information_schema.role_table_grants where grantee='{{ db_user1 }}' and table_name='test_table2';" | psql {{ db_name }} + register: result_table2 + +- assert: + that: + - "result_table1.stdout_lines[-1] == '(7 rows)'" + - "'INSERT' in result_table1.stdout" + - "'SELECT' in result_table1.stdout" + - "'UPDATE' in result_table1.stdout" + - "'DELETE' in result_table1.stdout" + - "'TRUNCATE' in result_table1.stdout" + - "'REFERENCES' in result_table1.stdout" + - "'TRIGGER' in result_table1.stdout" + - "result_table2.stdout_lines[-1] == '(7 rows)'" + - "'INSERT' in result_table2.stdout" + - "'SELECT' in result_table2.stdout" + - "'UPDATE' in result_table2.stdout" + - "'DELETE' in result_table2.stdout" + - "'TRUNCATE' in result_table2.stdout" + - "'REFERENCES' in result_table2.stdout" + - "'TRIGGER' in result_table2.stdout" + +# +# Cleanup +# +- name: Cleanup db + sudo_user: postgres + sudo: True + postgresql_db: + name: "{{ db_name }}" + state: "absent" + +- name: Check that database was destroyed + sudo_user: postgres + sudo: True + shell: echo "select datname from 
pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +- name: Cleanup test user + sudo_user: postgres + sudo: True + postgresql_user: + name: "{{ db_user1 }}" + state: 'absent' + +- name: Check that they were removed + sudo_user: postgres + sudo: True + shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +# +# Test login_user functionality +# +- name: Create a user to test login module parameters + sudo: True + sudo_user: postgres + postgresql_user: + name: "{{ db_user1 }}" + state: "present" + encrypted: 'no' + password: "password" + role_attr_flags: "CREATEDB,LOGIN,CREATEROLE" + +- name: Create db + postgresql_db: + name: "{{ db_name }}" + state: "present" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that database created + sudo: True + sudo_user: postgres + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + +- name: Create a user + postgresql_user: + name: "{{ db_user2 }}" + state: "present" + encrypted: 'yes' + password: "md55c8ccfd9d6711fc69a7eae647fc54f51" + db: "{{ db_name }}" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that they were created + sudo: True + sudo_user: postgres + shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(1 row)'" + +- name: Grant database privileges + postgresql_privs: + type: "database" + state: "present" + roles: "{{ db_user2 }}" + privs: "CREATE,connect" + objs: "{{ db_name }}" + db: "{{ db_name }}" + login: "{{ db_user1 }}" + password: "password" + host: "localhost" + +- name: Check that the user has the 
requested permissions (database) + sudo: True + sudo_user: postgres + shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }} + register: result_database + +- assert: + that: + - "result_database.stdout_lines[-1] == '(1 row)'" + - "'{{ db_user2 }}=Cc' in result_database.stdout" + +- name: Remove user + postgresql_user: + name: "{{ db_user2 }}" + state: 'absent' + priv: "ALL" + db: "{{ db_name }}" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that they were removed + sudo: True + sudo_user: postgres + shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +- name: Destroy DB + postgresql_db: + state: absent + name: "{{ db_name }}" + login_user: "{{ db_user1 }}" + login_password: "password" + login_host: "localhost" + +- name: Check that database was destroyed + sudo: True + sudo_user: postgres + shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" + +# +# Cleanup +# +- name: Cleanup test user + sudo: True + sudo_user: postgres + postgresql_user: + name: "{{ db_user1 }}" + state: 'absent' + +- name: Check that they were removed + sudo: True + sudo_user: postgres + shell: echo "select * from pg_user where usename='{{ db_user1 }}';" | psql + register: result + +- assert: + that: + - "result.stdout_lines[-1] == '(0 rows)'" +
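Review bot: The md5 hash literal `md55c8ccfd9d6711fc69a7eae647fc54f51` is repeated in every user-creation task and the plaintext `password: "password"` in every `login_*` task; moving both into the role defaults (for example `db_user1_password`) keeps the test credential in one place and makes the login_user section readable. The role created for the login tests has `CREATEDB,LOGIN,CREATEROLE` and is reachable over TCP through the `md5` host lines; the final cleanup removes it, but an assert failure earlier in the play leaves it in place until the setup role wipes the cluster on the next run, which is worth stating in the `# Test login_user functionality` header. Task-name typos: `alreaady` → `already`, `cration` → `creation`, and `Test settings privleges` → `Test setting privileges`.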