Fix hashed passwords being returned by get_existing_authentication() …

…via the plugin_auth_string variable instead of plugin_hash_string (#629) * fix returned variable from plugin_auth_string to plugin_hash_string * Refactor to keep plugin_auth_string in addition to plugin_hash_string * Add breaking_changes to the changelog
ansible-collections · Jun 6, 2024 · 50e7413 · 50e7413
1 parent 6c4dca4
commit 50e7413
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 56 deletions.
diff --git a/changelogs/fragments/lie_fix_plugin_hash_string_return.yml b/changelogs/fragments/lie_fix_plugin_hash_string_return.yml
@@ -0,0 +1,6 @@
+---
+bugfixes:
+  - mysql_info - Add ``plugin_hash_string`` to ``users_info`` filter's output. The existing ``plugin_auth_string`` contained the hashed password and thus is missleading, it will be removed from community.mysql 4.0.0. (https://github.com/ansible-collections/community.mysql/pull/629).
+
+breaking_changes:
+  - mysql_info - The ``users_info`` filter returned variable ``plugin_auth_string`` contains the hashed password and it's misleading, it will be removed from community.mysql 4.0.0. Use the `plugin_hash_string` return value instead (https://github.com/ansible-collections/community.mysql/pull/629).
diff --git a/plugins/module_utils/user.py b/plugins/module_utils/user.py
@@ -118,11 +118,19 @@ def get_existing_authentication(cursor, user, host):
     if isinstance(rows, dict):
         rows = list(rows.values())
 
+    # 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0
+    # See https://github.com/ansible-collections/community.mysql/pull/629
     if isinstance(rows[0], tuple):
-        return {'plugin': rows[0][0], 'plugin_auth_string': rows[0][1]}
+        return {'plugin': rows[0][0],
+                'plugin_auth_string': rows[0][1],
+                'plugin_hash_string': rows[0][1]}
 
+    # 'plugin_auth_string' contains the hash string. Must be removed in c.mysql 4.0
+    # See https://github.com/ansible-collections/community.mysql/pull/629
     if isinstance(rows[0], dict):
-        return {'plugin': rows[0].get('plugin'), 'plugin_auth_string': rows[0].get('auth')}
+        return {'plugin': rows[0].get('plugin'),
+                'plugin_auth_string': rows[0].get('auth'),
+                'plugin_hash_string': rows[0].get('auth')}
     return None
 
 
@@ -152,7 +160,7 @@ def user_add(cursor, user, host, host_all, password, encrypted,
         existing_auth = get_existing_authentication(cursor, user, host)
         if existing_auth:
             plugin = existing_auth['plugin']
-            plugin_hash_string = existing_auth['auth_string']
+            plugin_hash_string = existing_auth['plugin_hash_string']
             password = None
             used_existing_password = True
     if password and encrypted:

diff --git a/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml b/tests/integration/targets/test_mysql_info/tasks/filter_users_info.yml
@@ -211,66 +211,32 @@
             TO users_info_tls_sub_issu_ciph@'host'
 
     - name: Mysql_info users_info | Prepare tests users for MariaDB
-      community.mysql.mysql_user:
-        name: "{{ item.name }}"
-        host: "users_info.com"
-        plugin: "{{ item.plugin | default(omit) }}"
-        plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
-        plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
-        tls_requires: "{{ item.tls_requires | default(omit) }}"
-        priv: "{{ item.priv }}"
-        resource_limits: "{{ item.resource_limits | default(omit) }}"
-        column_case_sensitive: true
-        state: present
-      loop:
-        - name: users_info_socket  # Only for MariaDB
-          priv:
-            '*.*': 'ALL'
-          plugin: 'unix_socket'
+      community.mysql.mysql_query:
+        query:
+          - >-
+            CREATE USER users_info_socket@'users_info.com' IDENTIFIED WITH
+            unix_socket
+          - GRANT ALL ON *.* to users_info_socket@'users_info.com'
       when:
         - db_engine == 'mariadb'
 
     - name: Mysql_info users_info | Prepare tests users for MySQL
-      community.mysql.mysql_user:
-        name: "{{ item.name }}"
-        host: "users_info.com"
-        plugin: "{{ item.plugin | default(omit) }}"
-        plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
-        plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
-        tls_requires: "{{ item.tls_requires | default(omit) }}"
-        priv: "{{ item.priv }}"
-        resource_limits: "{{ item.resource_limits | default(omit) }}"
-        column_case_sensitive: true
-        state: present
-      loop:
-        - name: users_info_sha256  # Only for MySQL
-          priv:
-            '*.*': 'ALL'
-          plugin_auth_string:
-            '$5$/<w*D`L4\"F$WQiI1Pev.7atAh8udYs3wqlzgdfV8LXoy7rqSEC7NF2'
-          plugin: 'sha256_password'
+      community.mysql.mysql_query:
+        query:
+          - >-
+            CREATE USER users_info_sha256@'users_info.com' IDENTIFIED WITH
+            sha256_password BY 'msandbox'
+          - GRANT ALL ON *.* to users_info_sha256@'users_info.com'
       when:
         - db_engine == 'mysql'
 
     - name: Mysql_info users_info | Prepare tests users for MySQL 8+
-      community.mysql.mysql_user:
-        name: "{{ item.name }}"
-        host: "users_info.com"
-        plugin: "{{ item.plugin | default(omit) }}"
-        plugin_auth_string: "{{ item.plugin_auth_string | default(omit) }}"
-        plugin_hash_string: "{{ item.plugin_hash_string | default(omit) }}"
-        tls_requires: "{{ item.tls_requires | default(omit) }}"
-        priv: "{{ item.priv }}"
-        resource_limits: "{{ item.resource_limits | default(omit) }}"
-        column_case_sensitive: true
-        state: present
-      loop:
-        - name: users_info_caching_sha2  # Only for MySQL 8+
-          priv:
-            '*.*': 'ALL'
-          plugin_auth_string:
-            '$A$005$61j/uF%Qb4-=O2xkeO82u2HNkF.lxDq0liO4U3xqi7bDUCbWM6HayRXWn1'
-          plugin: 'caching_sha2_password'
+      community.mysql.mysql_query:
+        query:
+          - >-
+            CREATE USER users_info_caching_sha2@'users_info.com' IDENTIFIED WITH
+            caching_sha2_password BY 'msandbox'
+          - GRANT ALL ON *.* to users_info_caching_sha2@'users_info.com'
       when:
         - db_engine == 'mysql'
         - db_version is version('8.0', '>=')
@@ -283,7 +249,7 @@
           - users_info
       register: result
 
-    - name: Recreate users from mysql_info users_info result
+    - name: Mysql_info users_info | Recreate users from mysql_info result
       community.mysql.mysql_user:
         name: "{{ item.name }}"
         host: "{{ item.host }}"