add tests for roles

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2024-11-10 09:14:18 +00:00 · 2023-11-11 03:47:22 +01:00 · 2023-11-11 03:47:22 +01:00 · 35df355248
commit 35df355248
parent ec8811acdf
3 changed files with 35 additions and 1 deletions
--- a/molecule/mysql_hardening/prepare_tasks/mysql_users.yml
+++ b/molecule/mysql_hardening/prepare_tasks/mysql_users.yml
@ -14,3 +14,20 @@
      - "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';"
      # - "CREATE ROLE 'keep';"
    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+
+- name: Detect role support on MySQL
+  community.mysql.mysql_query:
+    query: >
+      SELECT 1 FROM information_schema.COLUMNS
+                WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
+                AND COLUMN_NAME = 'is_role';
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_role_support
+
+- name: create roles for test
+  community.mysql.mysql_query:
+    query:
+       - "CREATE ROLE 'role_keep';"
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+    when:
+      - mysql_role_support.rowcount[0] > 0
--- a/molecule/mysql_hardening/verify_tasks/mysql_users.yml
+++ b/molecule/mysql_hardening/verify_tasks/mysql_users.yml
@ -23,3 +23,20 @@
      - '"user@192.168.0.2" in mysql_users_list'
      - '"user@keep" in mysql_users_list'
      - '"user@192.168.%" in mysql_users_list'
+
+- name: Detect role support on MySQL
+  community.mysql.mysql_query:
+    query: >
+      SELECT 1 FROM information_schema.COLUMNS
+                WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
+                AND COLUMN_NAME = 'is_role';
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_role_support
+
+- name: assert that roles remain
+  ansible.builtin.assert:
+    that:
+       - '"role_keep@%" in mysql_users_list'
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+    when:
+      - mysql_role_support.rowcount[0] > 0
--- a/roles/mysql_hardening/tasks/mysql_secure_installation.yml
+++ b/roles/mysql_hardening/tasks/mysql_secure_installation.yml
@ -70,7 +70,7 @@
        AND USER NOT IN ('mysql.sys',
                         'mysqlxsys',
                         'mariadb.sys')
-      {{ 'AND is_role like "N"' if mysql_role_support.rowcount[0] > 0 }};
+      {{ 'AND is_role = "N"' if mysql_role_support.rowcount[0] > 0 }};
    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
  register: mysql_users_wo_passwords_or_auth_string
  check_mode: false