diff --git a/changelogs/fragments/282-postgresql_ext_add_trust_input.yml b/changelogs/fragments/282-postgresql_ext_add_trust_input.yml
new file mode 100644
index 0000000000..d4b383c1e1
--- /dev/null
+++ b/changelogs/fragments/282-postgresql_ext_add_trust_input.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+- postgresql_ext - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/282).
diff --git a/plugins/modules/database/postgresql/postgresql_ext.py b/plugins/modules/database/postgresql/postgresql_ext.py
index eaf8f6dc19..8a7991b166 100644
--- a/plugins/modules/database/postgresql/postgresql_ext.py
+++ b/plugins/modules/database/postgresql/postgresql_ext.py
@@ -80,6 +80,11 @@ options:
 When version downgrade is needed, remove the extension and create new one with appropriate version.
 - Set I(version=latest) to update the extension to the latest available version.
 type: str
+ trust_input:
+ description:
+ - If C(no), check whether values of some parameters are potentially dangerous.
+ type: bool
+ default: yes
 seealso:
 - name: PostgreSQL extensions
 description: General information about PostgreSQL extensions.
@@ -175,6 +180,9 @@ except ImportError:
 pass
 from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.community.general.plugins.module_utils.database import (
+ check_input,
+)
 from ansible_collections.community.general.plugins.module_utils.postgres import (
 connect_to_db,
 get_conn_params,
@@ -309,6 +317,7 @@ def main():
 cascade=dict(type="bool", default=False),
 session_role=dict(type="str"),
 version=dict(type="str"),
+ trust_input=dict(type="bool", default=True),
 )
 module = AnsibleModule(
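Review bot: The new option text in the DOCUMENTATION hunk, "check whether values of some parameters are potentially dangerous", leaves the operator guessing which inputs are validated; the main() hunk shows exactly four values going to check_input (the extension name, schema, version, session_role), so the description should name them, e.g. `- If C(no), check whether values of parameters I(name), I(schema), I(version) and I(session_role) are potentially dangerous.` (the local called ext on the new side appears to hold the I(name) value — the integration tests pass it as name:, but the argspec entry itself is outside the hunk). Because `default: yes` keeps the check off, it is also worth a sentence telling users that validation is opt-in and that existing playbooks are unaffected, which the changelog fragment in this commit does not state either.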
@@ -321,8 +330,13 @@ def main():
 state = module.params["state"]
 cascade = module.params["cascade"]
 version = module.params["version"]
+ session_role = module.params["session_role"]
+ trust_input = module.params["trust_input"]
 changed = False
+ if not trust_input:
+ check_input(module, ext, schema, version, session_role)
+
 if version and state == 'absent':
 module.warn("Parameter version is ignored when state=absent")
diff --git a/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_initial.yml b/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_initial.yml
index d6e87acade..cabf1f4901 100644
--- a/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_initial.yml
+++ b/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_initial.yml
@@ -1,6 +1,8 @@
+---
 - name: postgresql_ext - install postgis on Linux
 package: name=postgis state=present
 when: ansible_os_family != "Windows"
+
 - name: postgresql_ext - create schema schema1
 become_user: '{{ pg_user }}'
 become: true
@@ -8,6 +10,7 @@
 database: postgres
 name: schema1
 state: present
+
 - name: postgresql_ext - drop extension if exists
 become_user: '{{ pg_user }}'
 become: true
@@ -15,6 +18,7 @@
 db: postgres
 query: DROP EXTENSION IF EXISTS postgis
 ignore_errors: true
+
 - name: postgresql_ext - create extension postgis in check_mode
 become_user: '{{ pg_user }}'
 become: true
@@ -25,10 +29,12 @@
 check_mode: true
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result is changed
 - result.queries == []
+
 - name: postgresql_ext - check that extension doesn't exist after the previous step
 become_user: '{{ pg_user }}'
 become: true
@@ -37,9 +43,11 @@
 query: SELECT extname FROM pg_extension WHERE extname='postgis'
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result.rowcount == 0
+
 - name: postgresql_ext - create extension postgis
 become_user: '{{ pg_user }}'
 become: true
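Review bot: `schema`, `version` and `session_role` are optional (`version=dict(type="str")` and `session_role=dict(type="str")` carry no default) and so can be None when the new `check_input(module, ext, schema, version, session_role)` call runs; confirm check_input tolerates None rather than failing on it — the version_opt and session_role tests in this commit set `trust_input: no` without all four values, which suggests it does, but nothing in the hunk shows it. The guard also deserves a one-line why-comment because the default `True` makes it opt-in and easy to mistake for an always-on check: `# Opt-in (trust_input defaults to True): reject suspicious identifier values before any work is done`. main() starts and ends outside this hunk.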
@@ -49,10 +57,12 @@
 name: postgis
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result is changed
 - result.queries == ['CREATE EXTENSION "postgis"']
+
 - name: postgresql_ext - check that extension exists after the previous step
 become_user: '{{ pg_user }}'
 become: true
@@ -61,9 +71,11 @@
 query: SELECT extname FROM pg_extension WHERE extname='postgis'
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result.rowcount == 1
+
 - name: postgresql_ext - drop extension postgis
 become_user: '{{ pg_user }}'
 become: true
@@ -73,10 +85,12 @@
 state: absent
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result is changed
 - result.queries == ['DROP EXTENSION "postgis"']
+
 - name: postgresql_ext - check that extension doesn't exist after the previous step
 become_user: '{{ pg_user }}'
 become: true
@@ -85,9 +99,11 @@
 query: SELECT extname FROM pg_extension WHERE extname='postgis'
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result.rowcount == 0
+
 - name: postgresql_ext - create extension postgis
 become_user: '{{ pg_user }}'
 become: true
@@ -97,10 +113,12 @@
 schema: schema1
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result is changed
 - result.queries == ['CREATE EXTENSION "postgis" WITH SCHEMA "schema1"']
+
 - name: postgresql_ext - check that extension exists after the previous step
 become_user: '{{ pg_user }}'
 become: true
@@ -109,9 +127,11 @@
 query: "SELECT extname FROM pg_extension AS e LEFT JOIN pg_catalog.pg_namespace AS n \nON n.oid = e.extnamespace WHERE e.extname='postgis' AND n.nspname='schema1'\n"
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result.rowcount == 1
+
 - name: postgresql_ext - drop extension postgis cascade
 become_user: '{{ pg_user }}'
 become: true
@@ -122,10 +142,12 @@
 cascade: true
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result is changed
 - result.queries == ['DROP EXTENSION "postgis" CASCADE']
+
 - name: postgresql_ext - check that extension doesn't exist after the previous step
 become_user: '{{ pg_user }}'
 become: true
@@ -134,9 +156,11 @@
 query: SELECT extname FROM pg_extension WHERE extname='postgis'
 ignore_errors: true
 register: result
+
 - assert:
 that:
 - result.rowcount == 0
+
 - name: postgresql_ext - create extension postgis cascade
 become_user: '{{ pg_user }}'
 become: true
@@ -147,11 +171,13 @@
 ignore_errors: true
 register: result
 when: postgres_version_resp.stdout is version('9.6', '<=')
+
 - assert:
 that:
 - result is changed
 - result.queries == ['CREATE EXTENSION "postgis" CASCADE"']
 when: postgres_version_resp.stdout is version('9.6', '<=')
+
 - name: postgresql_ext - check that extension exists after the previous step
 become_user: '{{ pg_user }}'
 become: true
@@ -161,7 +187,22 @@
 ignore_errors: true
 register: result
 when: postgres_version_resp.stdout is version('9.6', '<=')
+
 - assert:
 that:
 - result.rowcount == 1
 when: postgres_version_resp.stdout is version('9.6', '<=')
+
+- name: postgresql_ext - check that using a dangerous name fails
+ postgresql_ext:
+ db: postgres
+ name: postgis
+ session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
+ trust_input: no
+ ignore_errors: true
+ register: result
+
+- assert:
+ that:
+ - result is failed
+ - result.msg is search('is potentially dangerous')
diff --git a/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_session_role.yml b/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_session_role.yml
index a23f6aee40..c1fed5bf6a 100644
--- a/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_session_role.yml
+++ b/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_session_role.yml
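Review bot: The new negative test at the end of the @@ -161 hunk only exercises the session_role path of the check, while the module hunk in this commit passes four values to check_input (name, schema, version, session_role); a rejected value in name, schema or version has no failing-case coverage, so a regression that drops one of those arguments would go unnoticed. The same task/assert pair can be duplicated per parameter, keeping the `result is failed` and `result.msg is search('is potentially dangerous')` assertions. Separately, the unchanged context line `- result.queries == ['CREATE EXTENSION "postgis" CASCADE"']` in the @@ -147 hunk carries a stray trailing double quote inside the expected string; it is gated on PostgreSQL <= 9.6 so it may never run in CI, but it would fail as written if it did.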
@@ -63,6 +63,7 @@
 db: "{{ db_session_role1 }}"
 login_user: "{{ pg_user }}"
 session_role: "{{ db_session_role1 }}"
+ trust_input: no
 when: "pg_extension.stdout_lines[-1] == '1'"
@@ -88,6 +89,7 @@
 db: "{{ db_session_role1 }}"
 login_user: "{{ pg_user }}"
 state: absent
+ trust_input: no
 when: "pg_extension.stdout_lines[-1] == '1'"
diff --git a/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_version_opt.yml b/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_version_opt.yml
index d2beac6708..b459350533 100644
--- a/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_version_opt.yml
+++ b/tests/integration/targets/postgresql_ext/tasks/postgresql_ext_version_opt.yml
@@ -29,6 +29,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: '1.0'
+ trust_input: no
 check_mode: yes
 - assert:
@@ -52,6 +53,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: '1.0'
+ trust_input: no
 - assert:
 that:
@@ -75,6 +77,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: '1.0'
+ trust_input: no
 check_mode: yes
 - assert:
@@ -98,6 +101,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: '1.0'
+ trust_input: no
 - assert:
 that:
@@ -120,6 +124,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: '2.0'
+ trust_input: no
 check_mode: yes
 - assert:
@@ -143,6 +148,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: '2.0'
+ trust_input: no
 - assert:
 that:
@@ -165,6 +171,7 @@
 <<: *pg_parameters
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
+ trust_input: no
 - assert:
 that:
@@ -187,6 +194,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: latest
+ trust_input: no
 - assert:
 that:
@@ -210,6 +218,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: latest
+ trust_input: no
 - assert:
 that:
@@ -222,6 +231,7 @@
 name: "{{ test_ext }}"
 schema: "{{ test_schema }}"
 version: '1.0'
+ trust_input: no
 ignore_errors: yes
 - assert:
@@ -234,6 +244,7 @@
 <<: *pg_parameters
 name: "{{ test_ext }}"
 state: absent
+ trust_input: no
 check_mode: yes
 - assert:
@@ -256,6 +267,7 @@
 <<: *pg_parameters
 name: "{{ test_ext }}"
 state: absent
+ trust_input: no
 - assert:
 that:
@@ -277,6 +289,7 @@
 <<: *pg_parameters
 name: "{{ test_ext }}"
 state: absent
+ trust_input: no
 - assert:
 that:
@@ -287,6 +300,7 @@
 postgresql_ext:
 <<: *pg_parameters
 name: "{{ test_ext }}"
+ trust_input: no
 - assert:
 that:
@@ -308,6 +322,7 @@
 postgresql_ext:
 <<: *pg_parameters
 name: non_existent
+ trust_input: no
 ignore_errors: yes
 - assert:
@@ -322,6 +337,7 @@
 <<: *pg_parameters
 name: "{{ test_ext }}"
 state: absent
+ trust_input: no
 - name: postgresql_ext_version - drop the schema
 <<: *task_parameters