a-c-m
/
community.general
mirror of https://github.com/ansible-collections/community.general.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Avoid useless queries: use standard module hashlib 

When an unchanged MD5-hashed password was used and passlib was
unavailable, an useless 'ALTER USER' query was executed.

Once this useless query avoided, the last 'SELECT' query becomes
useless too.
pull/4420/head
Pierre-Louis Bonicoli 2017-04-16 23:18:57 +02:00 committed by Toshio Kuratomi
parent f59f042bb0
commit 69edd9e0bb
1 changed files with 13 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
lib/ansible/modules/database/postgresql/postgresql_user.py
View File

@ -207,8 +207,9 @@ EXAMPLES = '''
password: NULL password: NULL
''' '''
import re from hashlib import md5
import itertools import itertools
import re
from distutils.version import StrictVersion from distutils.version import StrictVersion
@ -219,6 +220,7 @@ except ImportError:
postgresqldb_found = False postgresqldb_found = False
else: else:
postgresqldb_found = True postgresqldb_found = True
from ansible.module_utils._text import to_bytes
from ansible.module_utils.six import iteritems from ansible.module_utils.six import iteritems
_flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION') _flags = ('SUPERUSER', 'CREATEROLE', 'CREATEUSER', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION')
@ -294,21 +296,17 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
# Do we actually need to do anything? # Do we actually need to do anything?
pwchanging = False pwchanging = False
if password is not None: if password is not None:
if encrypted == 'ENCRYPTED': # 32: MD5 hashes are represented as a sequence of 32 hexadecimal digits
if password.startswith('md5'): # 3: The size of the 'md5' prefix
if password != current_role_attrs['rolpassword']: # When the provided password looks like a MD5-hash, value of
pwchanging = True # 'encrypted' is ignored.
else: if ((password.startswith('md5') and len(password) == 32+3) or encrypted == 'UNENCRYPTED'):
try:
from passlib.hash import postgres_md5 as pm
if pm.encrypt(password, user) != current_role_attrs['rolpassword']:
pwchanging = True
except ImportError:
# Cannot check if passlib is not installed, so assume password is different
pwchanging = True
else:
if password != current_role_attrs['rolpassword']: if password != current_role_attrs['rolpassword']:
pwchanging = True pwchanging = True
elif encrypted == 'ENCRYPTED':
hashed_password = 'md5{0}'.format(md5(to_bytes(password) + to_bytes(user)).hexdigest())
if hashed_password != current_role_attrs['rolpassword']:
pwchanging = True
role_attr_flags_changing = False role_attr_flags_changing = False
if role_attr_flags: if role_attr_flags:
@ -340,6 +338,7 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
try: try:
cursor.execute(' '.join(alter), query_password_data) cursor.execute(' '.join(alter), query_password_data)
changed = True
except psycopg2.InternalError: except psycopg2.InternalError:
e = get_exception() e = get_exception()
if e.pgcode == '25006': if e.pgcode == '25006':
@ -351,15 +350,6 @@ def user_alter(cursor, module, user, password, role_attr_flags, encrypted, expir
else: else:
raise psycopg2.InternalError(e) raise psycopg2.InternalError(e)
# Grab new role attributes.
cursor.execute(select, {"user": user})
new_role_attrs = cursor.fetchone()
# Detect any differences between current_ and new_role_attrs.
for i in range(len(current_role_attrs)):
if current_role_attrs[i] != new_role_attrs[i]:
changed = True
elif no_password_changes and role_attr_flags != '': elif no_password_changes and role_attr_flags != '':
# Grab role information from pg_roles instead of pg_authid # Grab role information from pg_roles instead of pg_authid
select = "SELECT * FROM pg_roles where rolname=%(user)s" select = "SELECT * FROM pg_roles where rolname=%(user)s"