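---
# Setup
# Creates the test database; the two fixture users below are created in it and
# the cleanup section at the end of this file drops them and the database again.
- name: Create DB
  become_user: "{{ pg_user }}"
  become: true
  postgresql_db:
    state: present
    name: "{{ db_name }}"
    login_user: "{{ pg_user }}"
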
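# Owner of the objects created later; the function tests log in as this user
# with the fixture password given here.
- name: Create a user to be owner of objects
  postgresql_user:
    name: "{{ db_user3 }}"
    state: present
    encrypted: true
    # Test-only credential, reused as login_password in the function tests.
    password: password
    role_attr_flags: CREATEDB,LOGIN
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
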
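# Grantee for every privilege test below; it only needs LOGIN.
- name: Create a user to be given permissions and other tests
  postgresql_user:
    name: "{{ db_user2 }}"
    state: present
    encrypted: true
    # Test-only credential.
    password: password
    role_attr_flags: LOGIN
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
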
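######################################################
# Test foreign data wrapper and foreign server privs #
######################################################

# Foreign data wrapper setup
# The DDL is piped into psql while running as pg_user; the dummy wrapper and
# server it creates are the objects whose privileges are granted and revoked
# below, and they are dropped again in the cleanup section.
- name: Create foreign data wrapper extension
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "CREATE EXTENSION postgres_fdw" | psql -d "{{ db_name }}"
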
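# Wrapper named "dummy" is the target of the foreign_data_wrapper tests.
- name: Create dummy foreign data wrapper
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "CREATE FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
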
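# Server "dummy_server" on the dummy wrapper is the target of the
# foreign_server tests.
- name: Create foreign server
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "CREATE SERVER dummy_server FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"
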
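# Test
- name: Grant foreign data wrapper privileges
  postgresql_privs:
    state: present
    type: foreign_data_wrapper
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is changed

- name: Get foreign data wrapper privileges
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
  vars:
    fdw_query: >-
      SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper
      WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname
  register: fdw_result

# psql prints the row count last; the ACL row just before it must name the
# grantee. The variable is compared directly rather than templated into the
# condition so the check does not depend on the rendered text being quotable.
- assert:
    that:
      - "fdw_result.stdout_lines[-1] == '(1 row)'"
      - "db_user2 in fdw_result.stdout_lines[-2]"
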
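# Test
# Repeating the grant must be a no-op (idempotence check).
- name: Grant foreign data wrapper privileges second time
  postgresql_privs:
    state: present
    type: foreign_data_wrapper
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is not changed
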
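# Test
- name: Revoke foreign data wrapper privileges
  postgresql_privs:
    state: absent
    type: foreign_data_wrapper
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is changed

- name: Get foreign data wrapper privileges
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
  vars:
    fdw_query: >-
      SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper
      WHERE fdwname = ANY (ARRAY['dummy']) ORDER BY fdwname
  register: fdw_result

# After the revoke the ACL row must no longer name the grantee.
- assert:
    that:
      - "fdw_result.stdout_lines[-1] == '(1 row)'"
      - "db_user2 not in fdw_result.stdout_lines[-2]"
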
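# Test
# Repeating the revoke must be a no-op (idempotence check).
- name: Revoke foreign data wrapper privileges for second time
  postgresql_privs:
    state: absent
    type: foreign_data_wrapper
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is not changed
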
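# Test
- name: Grant foreign server privileges
  postgresql_privs:
    state: present
    type: foreign_server
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy_server
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is changed

- name: Get foreign server privileges
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
  vars:
    fdw_query: >-
      SELECT srvacl FROM pg_catalog.pg_foreign_server
      WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname
  register: fs_result

# psql prints the row count last; the ACL row just before it must name the
# grantee.
- assert:
    that:
      - "fs_result.stdout_lines[-1] == '(1 row)'"
      - "db_user2 in fs_result.stdout_lines[-2]"
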
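# Test
# Repeating the grant must be a no-op (idempotence check).
- name: Grant foreign server privileges for second time
  postgresql_privs:
    state: present
    type: foreign_server
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy_server
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is not changed
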
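# Test
- name: Revoke foreign server privileges
  postgresql_privs:
    state: absent
    type: foreign_server
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy_server
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is changed

- name: Get foreign server privileges
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "{{ fdw_query }}" | psql -d "{{ db_name }}"
  vars:
    fdw_query: >-
      SELECT srvacl FROM pg_catalog.pg_foreign_server
      WHERE srvname = ANY (ARRAY['dummy_server']) ORDER BY srvname
  register: fs_result

# After the revoke the ACL row must no longer name the grantee.
- assert:
    that:
      - "fs_result.stdout_lines[-1] == '(1 row)'"
      - "db_user2 not in fs_result.stdout_lines[-2]"
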
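# Test
# Repeating the revoke must be a no-op (idempotence check).
- name: Revoke foreign server privileges for second time
  postgresql_privs:
    state: absent
    type: foreign_server
    roles: "{{ db_user2 }}"
    privs: ALL
    objs: dummy_server
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is not changed
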
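# Foreign data wrapper cleanup
# Dropped in reverse order of creation: server, then wrapper, then extension.
- name: Drop foreign server
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "DROP SERVER dummy_server" | psql -d "{{ db_name }}"

- name: Drop dummy foreign data wrapper
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "DROP FOREIGN DATA WRAPPER dummy" | psql -d "{{ db_name }}"

- name: Drop foreign data wrapper extension
  become: true
  become_user: "{{ pg_user }}"
  shell: echo "DROP EXTENSION postgres_fdw" | psql -d "{{ db_name }}"
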
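##########################################
# Test ALL_IN_SCHEMA for 'function' type #
##########################################

# Function ALL_IN_SCHEMA Setup
# The function is created while logged in as db_user3, which the proacl check
# below expects to appear as the grantor ("=X/<db_user3>").
- name: Create function for test
  postgresql_query:
    query: CREATE FUNCTION public.a() RETURNS integer LANGUAGE SQL AS 'SELECT 2';
    db: "{{ db_name }}"
    login_user: "{{ db_user3 }}"
    login_password: password
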
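# Test
- name: Grant execute to all functions
  postgresql_privs:
    type: function
    state: present
    privs: EXECUTE
    roles: "{{ db_user2 }}"
    objs: ALL_IN_SCHEMA
    schema: public
    db: "{{ db_name }}"
    login_user: "{{ db_user3 }}"
    login_password: password
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is changed

- name: Check that all functions have execute privileges
  become: true
  become_user: "{{ pg_user }}"
  # db_name is quoted so the value is passed to psql as a single argument.
  shell: psql "{{ db_name }}" -c "SELECT proacl FROM pg_proc WHERE proname = 'a'" -t
  register: result

# The expected ACL entry is "<grantee>=X/<grantor>", X being the EXECUTE
# privilege granted above. The variables are concatenated inside the
# expression instead of being templated into it, so the check neither relies on
# the rendered strings being quotable nor on result.stdout_lines[0] being free
# of quotes.
- assert:
    that:
      - "(db_user2 ~ '=X/' ~ db_user3) in result.stdout_lines[0]"
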
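# Test
# Repeating the grant must be a no-op (idempotence check).
- name: Grant execute to all functions again
  postgresql_privs:
    type: function
    state: present
    privs: EXECUTE
    roles: "{{ db_user2 }}"
    objs: ALL_IN_SCHEMA
    schema: public
    db: "{{ db_name }}"
    login_user: "{{ db_user3 }}"
    login_password: password
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is not changed
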
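# Test
- name: Revoke execute to all functions
  postgresql_privs:
    type: function
    state: absent
    privs: EXECUTE
    roles: "{{ db_user2 }}"
    objs: ALL_IN_SCHEMA
    schema: public
    db: "{{ db_name }}"
    login_user: "{{ db_user3 }}"
    login_password: password
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is changed
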
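# Test
# Repeating the revoke must be a no-op (idempotence check).
- name: Revoke execute to all functions again
  postgresql_privs:
    type: function
    state: absent
    privs: EXECUTE
    roles: "{{ db_user2 }}"
    objs: ALL_IN_SCHEMA
    schema: public
    db: "{{ db_name }}"
    login_user: "{{ db_user3 }}"
    login_password: password
  register: result
  # Keep the play running on failure; the assert below reports the outcome.
  ignore_errors: true

# Checks
- assert:
    that:
      - result is not changed
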
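# Function ALL_IN_SCHEMA cleanup
# Dropped by its owner so the user itself can be removed afterwards.
- name: Remove function for test
  postgresql_query:
    query: DROP FUNCTION public.a();
    db: "{{ db_name }}"
    login_user: "{{ db_user3 }}"
    login_password: password
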
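# Cleanup
# Users are removed before the database that was used to create them.
- name: Remove user given permissions
  postgresql_user:
    name: "{{ db_user2 }}"
    state: absent
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"

- name: Remove user owner of objects
  postgresql_user:
    name: "{{ db_user3 }}"
    state: absent
    db: "{{ db_name }}"
    login_user: "{{ pg_user }}"

- name: Destroy DB
  become_user: "{{ pg_user }}"
  become: true
  postgresql_db:
    state: absent
    name: "{{ db_name }}"
    login_user: "{{ pg_user }}"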