From 35df355248110ea44c2d11e8bb4aa0d0f2b21758 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Sat, 11 Nov 2023 03:47:22 +0100
Subject: [PATCH] add tests for roles

Signed-off-by: Martin Schurz
---
 .../prepare_tasks/mysql_users.yml | 17 +++++++++++++++++
 .../verify_tasks/mysql_users.yml | 17 +++++++++++++++++
 .../tasks/mysql_secure_installation.yml | 2 +-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/molecule/mysql_hardening/prepare_tasks/mysql_users.yml b/molecule/mysql_hardening/prepare_tasks/mysql_users.yml
index 0bc8ffc9..b5da0b43 100644
--- a/molecule/mysql_hardening/prepare_tasks/mysql_users.yml
+++ b/molecule/mysql_hardening/prepare_tasks/mysql_users.yml
@@ -14,3 +14,20 @@
       - "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';"
       # - "CREATE ROLE 'keep';"
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+
+- name: Detect role support on MySQL
+  community.mysql.mysql_query:
+    query: >
+      SELECT 1 FROM information_schema.COLUMNS
+      WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
+      AND COLUMN_NAME = 'is_role';
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_role_support
+
+- name: create roles for test
+  community.mysql.mysql_query:
+    query:
+      - "CREATE ROLE 'role_keep';"
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  when:
+    - mysql_role_support.rowcount[0] > 0
\ No newline at end of file
diff --git a/molecule/mysql_hardening/verify_tasks/mysql_users.yml b/molecule/mysql_hardening/verify_tasks/mysql_users.yml
index 7f10686c..178cc18b 100644
--- a/molecule/mysql_hardening/verify_tasks/mysql_users.yml
+++ b/molecule/mysql_hardening/verify_tasks/mysql_users.yml
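Review bot: The `is_role` lookup in `Detect role support on MySQL` only recognises MariaDB-style roles, because `mysql.user.is_role` does not exist on MySQL 8 even though that server supports `CREATE ROLE`; on those versions `create roles for test` is skipped by its `when`, so the role-preservation path added by this commit is never exercised there. If that is the intent, a comment on the detection task such as `# mysql.user.is_role exists only on MariaDB; MySQL 8 roles are not detected` would make the coverage gap visible. The new file also ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags; the verify_tasks hunk has the same issue.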
@@ -23,3 +23,20 @@
       - '"user@192.168.0.2" in mysql_users_list'
       - '"user@keep" in mysql_users_list'
       - '"user@192.168.%" in mysql_users_list'
+
+- name: Detect role support on MySQL
+  community.mysql.mysql_query:
+    query: >
+      SELECT 1 FROM information_schema.COLUMNS
+      WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
+      AND COLUMN_NAME = 'is_role';
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_role_support
+
+- name: assert that roles remain
+  ansible.builtin.assert:
+    that:
+      - '"role_keep@%" in mysql_users_list'
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  when:
+    - mysql_role_support.rowcount[0] > 0
\ No newline at end of file
diff --git a/roles/mysql_hardening/tasks/mysql_secure_installation.yml b/roles/mysql_hardening/tasks/mysql_secure_installation.yml
index a867f300..6bff22b2 100644
--- a/roles/mysql_hardening/tasks/mysql_secure_installation.yml
+++ b/roles/mysql_hardening/tasks/mysql_secure_installation.yml
@@ -70,7 +70,7 @@
       AND USER NOT IN ('mysql.sys', 'mysqlxsys', 'mariadb.sys')
-      {{ 'AND is_role like "N"' if mysql_role_support.rowcount[0] > 0 }};
+      {{ 'AND is_role = "N"' if mysql_role_support.rowcount[0] > 0 }};
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users_wo_passwords_or_auth_string
   check_mode: false
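Review bot: `assert that roles remain` passes `login_unix_socket` to `ansible.builtin.assert`, which does not accept that parameter, so the task will fail with an unsupported-parameter error precisely on the MariaDB hosts where its `when` lets it run; the `login_unix_socket: "{{ login_unix_socket | default(omit) }}"` line under `ansible.builtin.assert` should be removed. The expected value `"role_keep@%"` also deserves a check: MariaDB stores roles in `mysql.user` with an empty `Host`, so depending on how `mysql_users_list` is assembled (outside this hunk) the entry may read `role_keep@` rather than `role_keep@%`. If the list is built from `User@Host`, the assertion should match the empty-host form.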
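Review bot: The rewritten filter compares `is_role` against a double-quoted SQL literal, `"N"`, which MySQL and MariaDB parse as an identifier when `ANSI_QUOTES` is part of `sql_mode`, while the rest of this query uses single-quoted literals (`'mysql.sys'`); swapping the quoting and giving the expression an explicit false branch, `{{ "AND is_role = 'N'" if mysql_role_support.rowcount[0] > 0 else '' }};`, keeps the filter valid regardless of `sql_mode` and stops the rendering from depending on how an inline `if` without `else` is templated. Because `is_role` is a MariaDB-only column, on MySQL 8 the detection presumably reports no support and this `AND` clause is never added, so MySQL 8 role accounts (which carry no authentication string) could be matched by the password-less-account query this task registers — worth confirming against that server, since the new molecule test skips there too. The query and its task begin outside the hunk.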