Fix hashed passwords being returned by get_existing_authentication() …
…via the plugin_auth_string variable instead of plugin_hash_string (ansible-collections#629)

* fix returned variable from plugin_auth_string to plugin_hash_string
* Refactor to keep plugin_auth_string in addition to plugin_hash_string
* Add breaking_changes to the changelog
laurent-indermuehle authored Jun 6, 2024
1 parent 6c4dca4 commit 50e7413
Showing 3 changed files with 36 additions and 56 deletions.
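--- a/changelogs/fragments/lie_fix_plugin_hash_string_return.yml
+++ b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml
@@ -0,0 +1,6 @@
+---
+bugfixes:
+- mysql_info - Add ``plugin_hash_string`` to ``users_info`` filter's output. The existing ``plugin_auth_string`` contained the hashed password and thus is missleading, it will be removed from community.mysql 4.0.0. (https://github.com/ansible-collections/community.mysql/pull/629).
+
+breaking_changes:
+- mysql_info - The ``users_info`` filter returned variable ``plugin_auth_string`` contains the hashed password and it's misleading, it will be removed from community.mysql 4.0.0. Use the `plugin_hash_string` return value instead (https://github.com/ansible-collections/community.mysql/pull/629).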
14 changes: 11 additions & 3 deletions plugins/module_utils/user.py
@@ -118,11 +118,19 @@ def get_existing_authentication(cursor, user, host):
if isinstance(rows, dict):
rows = list(rows.values())

# 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0
# See https://github.com/ansible-collections/community.mysql/pull/629
if isinstance(rows[0], tuple):
return {'plugin': rows[0][0], 'plugin_auth_string': rows[0][1]}
return {'plugin': rows[0][0],
'plugin_auth_string': rows[0][1],
'plugin_hash_string': rows[0][1]}

# 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0
# See https://github.com/ansible-collections/community.mysql/pull/629
if isinstance(rows[0], dict):
return {'plugin': rows[0].get('plugin'), 'plugin_auth_string': rows[0].get('auth')}
return {'plugin': rows[0].get('plugin'),
'plugin_auth_string': rows[0].get('auth'),
'plugin_hash_string': rows[0].get('auth')}
return None


@@ -152,7 +160,7 @@ def user_add(cursor, user, host, host_all, password, encrypted,
existing_auth = get_existing_authentication(cursor, user, host)
if existing_auth:
plugin = existing_auth['plugin']
plugin_hash_string = existing_auth['auth_string']
plugin_hash_string = existing_auth['plugin_hash_string']
password = None
used_existing_password = True
if password and encrypted:
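Review bot: Both return dicts in get_existing_authentication() now expose the stored password hash under two keys, `plugin_auth_string` and `plugin_hash_string`, and the added comments say the first key is misnamed but not that the value is credential material. A caller that feeds the legacy `plugin_auth_string` value back into user creation would presumably have the hash treated as a clear-text secret, and anything that registers or prints the result puts a password hash in its output. I would state this once in the function's docstring instead of in the comment duplicated over both branches, e.g. `# Both keys carry the stored password hash: treat as sensitive, never log, never reuse as a clear-text plugin_auth_string.` The function starts above the hunk, so whether `rows` is checked for emptiness before `rows[0]` is indexed is not visible here and is worth confirming.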
@@ -211,66 +211,32 @@
TO users_info_tls_sub_issu_ciph@'host'
- name: Mysql_info users_info | Prepare tests users for MariaDB
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "users_info.com"
plugin: "{{ item.plugin | default(omit) }}"
plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
tls_requires: "{{ item.tls_requires | default(omit) }}"
priv: "{{ item.priv }}"
resource_limits: "{{ item.resource_limits | default(omit) }}"
column_case_sensitive: true
state: present
loop:
- name: users_info_socket # Only for MariaDB
priv:
'*.*': 'ALL'
plugin: 'unix_socket'
community.mysql.mysql_query:
query:
- >-
CREATE USER users_info_socket@'users_info.com' IDENTIFIED WITH
unix_socket
- GRANT ALL ON *.* to users_info_socket@'users_info.com'
when:
- db_engine == 'mariadb'

- name: Mysql_info users_info | Prepare tests users for MySQL
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "users_info.com"
plugin: "{{ item.plugin | default(omit) }}"
plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
tls_requires: "{{ item.tls_requires | default(omit) }}"
priv: "{{ item.priv }}"
resource_limits: "{{ item.resource_limits | default(omit) }}"
column_case_sensitive: true
state: present
loop:
- name: users_info_sha256 # Only for MySQL
priv:
'*.*': 'ALL'
plugin_auth_string:
'$5$/<w*D`L4\"F$WQiI1Pev.7atAh8udYs3wqlzgdfV8LXoy7rqSEC7NF2'
plugin: 'sha256_password'
community.mysql.mysql_query:
query:
- >-
CREATE USER users_info_sha256@'users_info.com' IDENTIFIED WITH
sha256_password BY 'msandbox'
- GRANT ALL ON *.* to users_info_sha256@'users_info.com'
when:
- db_engine == 'mysql'

- name: Mysql_info users_info | Prepare tests users for MySQL 8+
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "users_info.com"
plugin: "{{ item.plugin | default(omit) }}"
plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
tls_requires: "{{ item.tls_requires | default(omit) }}"
priv: "{{ item.priv }}"
resource_limits: "{{ item.resource_limits | default(omit) }}"
column_case_sensitive: true
state: present
loop:
- name: users_info_caching_sha2 # Only for MySQL 8+
priv:
'*.*': 'ALL'
plugin_auth_string:
'$A$005$61j/uF%Qb4-=O2xkeO82u2HNkF.lxDq0liO4U3xqi7bDUCbWM6HayRXWn1'
plugin: 'caching_sha2_password'
community.mysql.mysql_query:
query:
- >-
CREATE USER users_info_caching_sha2@'users_info.com' IDENTIFIED WITH
caching_sha2_password BY 'msandbox'
- GRANT ALL ON *.* to users_info_caching_sha2@'users_info.com'
when:
- db_engine == 'mysql'
- db_version is version('8.0', '>=')
@@ -283,7 +249,7 @@
- users_info
register: result

- name: Recreate users from mysql_info users_info result
- name: Mysql_info users_info | Recreate users from mysql_info result
community.mysql.mysql_user:
name: "{{ item.name }}"
host: "{{ item.host }}"