329 lines
8.1 KiB
YAML
329 lines
8.1 KiB
YAML
|
# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
|
||
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||
|
|
||
|
####################
|
||
|
# Prepare for tests:
|
||
|
|
||
|
# Create test roles:
|
||
|
- name: postgresql_membership - create test roles
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_user:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
name: "{{ item }}"
|
||
|
ignore_errors: yes
|
||
|
with_items:
|
||
|
- group1
|
||
|
- group2
|
||
|
- user1
|
||
|
- user2
|
||
|
|
||
|
################
|
||
|
# Do main tests:
|
||
|
|
||
|
### Test check_mode
|
||
|
# Grant group1 to user1 in check_mode:
|
||
|
- name: postgresql_membership - grant group1 to user1 in check_mode
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: group1
|
||
|
user: user1
|
||
|
state: present
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
check_mode: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == true
|
||
|
- result.groups == ["group1"]
|
||
|
- result.queries == ["GRANT \"group1\" TO \"user1\""]
|
||
|
- result.granted.group1 == ["user1"]
|
||
|
- result.state == "present"
|
||
|
- result.target_roles == ["user1"]
|
||
|
|
||
|
# Try to revoke group1 from user1 to check that
|
||
|
# nothing actually changed in check_mode at the previous step:
|
||
|
- name: postgresql_membership - try to revoke group1 from user1 for checking check_mode
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: group1
|
||
|
user: user1
|
||
|
state: absent
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
check_mode: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == false
|
||
|
- result.groups == ["group1"]
|
||
|
- result.queries == []
|
||
|
- result.revoked.group1 == []
|
||
|
- result.state == "absent"
|
||
|
- result.target_roles == ["user1"]
|
||
|
### End of test check_mode
|
||
|
|
||
|
# Grant group1 to user1:
|
||
|
- name: postgresql_membership - grant group1 to user1
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: group1
|
||
|
user: user1
|
||
|
state: present
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == true
|
||
|
- result.groups == ["group1"]
|
||
|
- result.queries == ["GRANT \"group1\" TO \"user1\""]
|
||
|
- result.granted.group1 == ["user1"]
|
||
|
- result.state == "present"
|
||
|
- result.target_roles == ["user1"]
|
||
|
|
||
|
# Grant group1 to user1 againt to check that nothing changes:
|
||
|
- name: postgresql_membership - grant group1 to user1 again
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: group1
|
||
|
user: user1
|
||
|
state: present
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == false
|
||
|
- result.groups == ["group1"]
|
||
|
- result.queries == []
|
||
|
- result.granted.group1 == []
|
||
|
- result.state == "present"
|
||
|
- result.target_roles == ["user1"]
|
||
|
|
||
|
# Revoke group1 from user1:
|
||
|
- name: postgresql_membership - revoke group1 from user1
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: group1
|
||
|
user: user1
|
||
|
state: absent
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == true
|
||
|
- result.groups == ["group1"]
|
||
|
- result.queries == ["REVOKE \"group1\" FROM \"user1\""]
|
||
|
- result.revoked.group1 == ["user1"]
|
||
|
- result.state == "absent"
|
||
|
- result.target_roles == ["user1"]
|
||
|
|
||
|
# Revoke group1 from user1 again to check that nothing changes:
|
||
|
- name: postgresql_membership - revoke group1 from user1 again
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: group1
|
||
|
user: user1
|
||
|
state: absent
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == false
|
||
|
- result.groups == ["group1"]
|
||
|
- result.queries == []
|
||
|
- result.revoked.group1 == []
|
||
|
- result.state == "absent"
|
||
|
- result.target_roles == ["user1"]
|
||
|
|
||
|
# Grant group1 and group2 to user1 and user2:
|
||
|
- name: postgresql_membership - grant two groups to two users
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group:
|
||
|
- group1
|
||
|
- group2
|
||
|
user:
|
||
|
- user1
|
||
|
- user2
|
||
|
state: present
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == true
|
||
|
- result.groups == ["group1", "group2"]
|
||
|
- result.queries == ["GRANT \"group1\" TO \"user1\"", "GRANT \"group1\" TO \"user2\"", "GRANT \"group2\" TO \"user1\"", "GRANT \"group2\" TO \"user2\""]
|
||
|
- result.granted.group1 == ["user1", "user2"]
|
||
|
- result.granted.group2 == ["user1", "user2"]
|
||
|
- result.state == "present"
|
||
|
- result.target_roles == ["user1", "user2"]
|
||
|
|
||
|
# Grant group1 and group2 to user1 and user2 again to check that nothing changes:
|
||
|
- name: postgresql_membership - grant two groups to two users again
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group:
|
||
|
- group1
|
||
|
- group2
|
||
|
user:
|
||
|
- user1
|
||
|
- user2
|
||
|
state: present
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == false
|
||
|
- result.groups == ["group1", "group2"]
|
||
|
- result.queries == []
|
||
|
- result.granted.group1 == []
|
||
|
- result.granted.group2 == []
|
||
|
- result.state == "present"
|
||
|
- result.target_roles == ["user1", "user2"]
|
||
|
|
||
|
# Revoke only group1 from user1:
|
||
|
- name: postgresql_membership - revoke one group from one user
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: group1
|
||
|
user: user1
|
||
|
state: absent
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == true
|
||
|
- result.groups == ["group1"]
|
||
|
- result.queries == ["REVOKE \"group1\" FROM \"user1\""]
|
||
|
- result.revoked.group1 == ["user1"]
|
||
|
- result.state == "absent"
|
||
|
- result.target_roles == ["user1"]
|
||
|
|
||
|
# Try to grant group1 and group2 to user1 and user2 again to check that nothing changes with user2:
|
||
|
- name: postgresql_membership - grant two groups to two users again
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group:
|
||
|
- group1
|
||
|
- group2
|
||
|
user:
|
||
|
- user1
|
||
|
- user2
|
||
|
state: present
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == true
|
||
|
- result.groups == ["group1", "group2"]
|
||
|
- result.queries == ["GRANT \"group1\" TO \"user1\""]
|
||
|
- result.granted.group1 == ["user1"]
|
||
|
- result.granted.group2 == []
|
||
|
- result.state == "present"
|
||
|
- result.target_roles == ["user1", "user2"]
|
||
|
|
||
|
#####################
|
||
|
# Check fail_on_role:
|
||
|
|
||
|
# Try to grant non existent group to non existent role with fail_on_role=yes:
|
||
|
- name: postgresql_membership - grant group1 to user1
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: fake_group
|
||
|
user: fake_user
|
||
|
state: present
|
||
|
fail_on_role: yes
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == false
|
||
|
|
||
|
# Try to grant non existent group to non existent role with fail_on_role=no:
|
||
|
- name: postgresql_membership - grant group1 to user1
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: fake_group
|
||
|
user: fake_user
|
||
|
state: present
|
||
|
fail_on_role: no
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == false
|
||
|
- result.granted == {}
|
||
|
- result.groups == []
|
||
|
- result.target_roles == []
|
||
|
- result.state == 'present'
|
||
|
|
||
|
# Try to revoke non existent group from non existent role with fail_on_role=no:
|
||
|
- name: postgresql_membership - grant group1 to user1
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_membership:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
group: fake_group
|
||
|
user: fake_user
|
||
|
state: absent
|
||
|
fail_on_role: no
|
||
|
register: result
|
||
|
ignore_errors: yes
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.changed == false
|
||
|
- result.revoked == {}
|
||
|
- result.groups == []
|
||
|
- result.target_roles == []
|
||
|
- result.state == 'absent'
|