a-c-m
/
community.general
mirror of https://github.com/ansible-collections/community.general.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add optional input check to postgresql_ext (#282) 

* Add optional input check to postgresql_ext

Have added a new trust_input check to the postgresql_ext module that
allows for checking the input that is passed to the module.

* Add changelog fragment

* Update tests/integration/targets/postgresql_ext/tasks/postgresql_ext_initial.yml

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>

Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
pull/289/head
Thomas O'Donnell 2020-05-05 14:04:33 +02:00 committed by GitHub
parent 177314321b
commit 6c1c1604fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 76 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelogs/fragments/282-postgresql_ext_add_trust_input.yml Normal file
View File

@ -0,0 +1,3 @@
---
minor_changes:
- postgresql_ext - add the ``trust_input`` parameter (https://github.com/ansible-collections/community.general/pull/282).

14
plugins/modules/database/postgresql/postgresql_ext.py
View File

@ -80,6 +80,11 @@ options:
When version downgrade is needed, remove the extension and create new one with appropriate version. When version downgrade is needed, remove the extension and create new one with appropriate version.
- Set I(version=latest) to update the extension to the latest available version. - Set I(version=latest) to update the extension to the latest available version.
type: str type: str
trust_input:
description:
- If C(no), check whether values of some parameters are potentially dangerous.
type: bool
default: yes
seealso: seealso:
- name: PostgreSQL extensions - name: PostgreSQL extensions
description: General information about PostgreSQL extensions. description: General information about PostgreSQL extensions.
@ -175,6 +180,9 @@ except ImportError:
pass pass
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.database import (
check_input,
)
from ansible_collections.community.general.plugins.module_utils.postgres import ( from ansible_collections.community.general.plugins.module_utils.postgres import (
connect_to_db, connect_to_db,
get_conn_params, get_conn_params,
@ -309,6 +317,7 @@ def main():
cascade=dict(type="bool", default=False), cascade=dict(type="bool", default=False),
session_role=dict(type="str"), session_role=dict(type="str"),
version=dict(type="str"), version=dict(type="str"),
trust_input=dict(type="bool", default=True),
) )
module = AnsibleModule( module = AnsibleModule(
@ -321,8 +330,13 @@ def main():
state = module.params["state"] state = module.params["state"]
cascade = module.params["cascade"] cascade = module.params["cascade"]
version = module.params["version"] version = module.params["version"]
session_role = module.params["session_role"]
trust_input = module.params["trust_input"]
changed = False changed = False
if not trust_input:
check_input(module, ext, schema, version, session_role)
if version and state == 'absent': if version and state == 'absent':
module.warn("Parameter version is ignored when state=absent") module.warn("Parameter version is ignored when state=absent")

41
tests/integration/targets/postgresql_ext/tasks/postgresql_ext_initial.yml
View File

@ -1,6 +1,8 @@
---
- name: postgresql_ext - install postgis on Linux - name: postgresql_ext - install postgis on Linux
package: name=postgis state=present package: name=postgis state=present
when: ansible_os_family != "Windows" when: ansible_os_family != "Windows"
- name: postgresql_ext - create schema schema1 - name: postgresql_ext - create schema schema1
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -8,6 +10,7 @@
database: postgres database: postgres
name: schema1 name: schema1
state: present state: present
- name: postgresql_ext - drop extension if exists - name: postgresql_ext - drop extension if exists
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -15,6 +18,7 @@
db: postgres db: postgres
query: DROP EXTENSION IF EXISTS postgis query: DROP EXTENSION IF EXISTS postgis
ignore_errors: true ignore_errors: true
- name: postgresql_ext - create extension postgis in check_mode - name: postgresql_ext - create extension postgis in check_mode
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -25,10 +29,12 @@
check_mode: true check_mode: true
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result is changed - result is changed
- result.queries == [] - result.queries == []
- name: postgresql_ext - check that extension doesn't exist after the previous step - name: postgresql_ext - check that extension doesn't exist after the previous step
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -37,9 +43,11 @@
query: SELECT extname FROM pg_extension WHERE extname='postgis' query: SELECT extname FROM pg_extension WHERE extname='postgis'
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result.rowcount == 0 - result.rowcount == 0
- name: postgresql_ext - create extension postgis - name: postgresql_ext - create extension postgis
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -49,10 +57,12 @@
name: postgis name: postgis
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result is changed - result is changed
- result.queries == ['CREATE EXTENSION "postgis"'] - result.queries == ['CREATE EXTENSION "postgis"']
- name: postgresql_ext - check that extension exists after the previous step - name: postgresql_ext - check that extension exists after the previous step
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -61,9 +71,11 @@
query: SELECT extname FROM pg_extension WHERE extname='postgis' query: SELECT extname FROM pg_extension WHERE extname='postgis'
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result.rowcount == 1 - result.rowcount == 1
- name: postgresql_ext - drop extension postgis - name: postgresql_ext - drop extension postgis
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -73,10 +85,12 @@
state: absent state: absent
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result is changed - result is changed
- result.queries == ['DROP EXTENSION "postgis"'] - result.queries == ['DROP EXTENSION "postgis"']
- name: postgresql_ext - check that extension doesn't exist after the previous step - name: postgresql_ext - check that extension doesn't exist after the previous step
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -85,9 +99,11 @@
query: SELECT extname FROM pg_extension WHERE extname='postgis' query: SELECT extname FROM pg_extension WHERE extname='postgis'
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result.rowcount == 0 - result.rowcount == 0
- name: postgresql_ext - create extension postgis - name: postgresql_ext - create extension postgis
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -97,10 +113,12 @@
schema: schema1 schema: schema1
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result is changed - result is changed
- result.queries == ['CREATE EXTENSION "postgis" WITH SCHEMA "schema1"'] - result.queries == ['CREATE EXTENSION "postgis" WITH SCHEMA "schema1"']
- name: postgresql_ext - check that extension exists after the previous step - name: postgresql_ext - check that extension exists after the previous step
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -109,9 +127,11 @@
query: "SELECT extname FROM pg_extension AS e LEFT JOIN pg_catalog.pg_namespace AS n \nON n.oid = e.extnamespace WHERE e.extname='postgis' AND n.nspname='schema1'\n" query: "SELECT extname FROM pg_extension AS e LEFT JOIN pg_catalog.pg_namespace AS n \nON n.oid = e.extnamespace WHERE e.extname='postgis' AND n.nspname='schema1'\n"
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result.rowcount == 1 - result.rowcount == 1
- name: postgresql_ext - drop extension postgis cascade - name: postgresql_ext - drop extension postgis cascade
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -122,10 +142,12 @@
cascade: true cascade: true
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result is changed - result is changed
- result.queries == ['DROP EXTENSION "postgis" CASCADE'] - result.queries == ['DROP EXTENSION "postgis" CASCADE']
- name: postgresql_ext - check that extension doesn't exist after the previous step - name: postgresql_ext - check that extension doesn't exist after the previous step
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -134,9 +156,11 @@
query: SELECT extname FROM pg_extension WHERE extname='postgis' query: SELECT extname FROM pg_extension WHERE extname='postgis'
ignore_errors: true ignore_errors: true
register: result register: result
- assert: - assert:
that: that:
- result.rowcount == 0 - result.rowcount == 0
- name: postgresql_ext - create extension postgis cascade - name: postgresql_ext - create extension postgis cascade
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -147,11 +171,13 @@
ignore_errors: true ignore_errors: true
register: result register: result
when: postgres_version_resp.stdout is version('9.6', '<=') when: postgres_version_resp.stdout is version('9.6', '<=')
- assert: - assert:
that: that:
- result is changed - result is changed
- result.queries == ['CREATE EXTENSION "postgis" CASCADE"'] - result.queries == ['CREATE EXTENSION "postgis" CASCADE"']
when: postgres_version_resp.stdout is version('9.6', '<=') when: postgres_version_resp.stdout is version('9.6', '<=')
- name: postgresql_ext - check that extension exists after the previous step - name: postgresql_ext - check that extension exists after the previous step
become_user: '{{ pg_user }}' become_user: '{{ pg_user }}'
become: true become: true
@ -161,7 +187,22 @@
ignore_errors: true ignore_errors: true
register: result register: result
when: postgres_version_resp.stdout is version('9.6', '<=') when: postgres_version_resp.stdout is version('9.6', '<=')
- assert: - assert:
that: that:
- result.rowcount == 1 - result.rowcount == 1
when: postgres_version_resp.stdout is version('9.6', '<=') when: postgres_version_resp.stdout is version('9.6', '<=')
- name: postgresql_ext - check that using a dangerous name fails
postgresql_ext:
db: postgres
name: postgis
session_role: 'curious.anonymous"; SELECT * FROM information_schema.tables; --'
trust_input: no
ignore_errors: true
register: result
- assert:
that:
- result is failed
- result.msg is search('is potentially dangerous')

2
tests/integration/targets/postgresql_ext/tasks/postgresql_ext_session_role.yml
View File

@ -63,6 +63,7 @@
db: "{{ db_session_role1 }}" db: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
session_role: "{{ db_session_role1 }}" session_role: "{{ db_session_role1 }}"
trust_input: no
when: when:
"pg_extension.stdout_lines[-1] == '1'" "pg_extension.stdout_lines[-1] == '1'"
@ -88,6 +89,7 @@
db: "{{ db_session_role1 }}" db: "{{ db_session_role1 }}"
login_user: "{{ pg_user }}" login_user: "{{ pg_user }}"
state: absent state: absent
trust_input: no
when: when:
"pg_extension.stdout_lines[-1] == '1'" "pg_extension.stdout_lines[-1] == '1'"

16
tests/integration/targets/postgresql_ext/tasks/postgresql_ext_version_opt.yml
View File

@ -29,6 +29,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: '1.0' version: '1.0'
trust_input: no
check_mode: yes check_mode: yes
- assert: - assert:
@ -52,6 +53,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: '1.0' version: '1.0'
trust_input: no
- assert: - assert:
that: that:
@ -75,6 +77,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: '1.0' version: '1.0'
trust_input: no
check_mode: yes check_mode: yes
- assert: - assert:
@ -98,6 +101,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: '1.0' version: '1.0'
trust_input: no
- assert: - assert:
that: that:
@ -120,6 +124,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: '2.0' version: '2.0'
trust_input: no
check_mode: yes check_mode: yes
- assert: - assert:
@ -143,6 +148,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: '2.0' version: '2.0'
trust_input: no
- assert: - assert:
that: that:
@ -165,6 +171,7 @@
<<: *pg_parameters <<: *pg_parameters
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
trust_input: no
- assert: - assert:
that: that:
@ -187,6 +194,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: latest version: latest
trust_input: no
- assert: - assert:
that: that:
@ -210,6 +218,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: latest version: latest
trust_input: no
- assert: - assert:
that: that:
@ -222,6 +231,7 @@
name: "{{ test_ext }}" name: "{{ test_ext }}"
schema: "{{ test_schema }}" schema: "{{ test_schema }}"
version: '1.0' version: '1.0'
trust_input: no
ignore_errors: yes ignore_errors: yes
- assert: - assert:
@ -234,6 +244,7 @@
<<: *pg_parameters <<: *pg_parameters
name: "{{ test_ext }}" name: "{{ test_ext }}"
state: absent state: absent
trust_input: no
check_mode: yes check_mode: yes
- assert: - assert:
@ -256,6 +267,7 @@
<<: *pg_parameters <<: *pg_parameters
name: "{{ test_ext }}" name: "{{ test_ext }}"
state: absent state: absent
trust_input: no
- assert: - assert:
that: that:
@ -277,6 +289,7 @@
<<: *pg_parameters <<: *pg_parameters
name: "{{ test_ext }}" name: "{{ test_ext }}"
state: absent state: absent
trust_input: no
- assert: - assert:
that: that:
@ -287,6 +300,7 @@
postgresql_ext: postgresql_ext:
<<: *pg_parameters <<: *pg_parameters
name: "{{ test_ext }}" name: "{{ test_ext }}"
trust_input: no
- assert: - assert:
that: that:
@ -308,6 +322,7 @@
postgresql_ext: postgresql_ext:
<<: *pg_parameters <<: *pg_parameters
name: non_existent name: non_existent
trust_input: no
ignore_errors: yes ignore_errors: yes
- assert: - assert:
@ -322,6 +337,7 @@
<<: *pg_parameters <<: *pg_parameters
name: "{{ test_ext }}" name: "{{ test_ext }}"
state: absent state: absent
trust_input: no
- name: postgresql_ext_version - drop the schema - name: postgresql_ext_version - drop the schema
<<: *task_parameters <<: *task_parameters