diff options
Diffstat (limited to 'ansible_collections/community/postgresql/plugins')
29 files changed, 14766 insertions, 0 deletions
diff --git a/ansible_collections/community/postgresql/plugins/doc_fragments/postgres.py b/ansible_collections/community/postgresql/plugins/doc_fragments/postgres.py new file mode 100644 index 000000000..be74a4552 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/doc_fragments/postgres.py @@ -0,0 +1,92 @@ +# -*- coding: utf-8 -*- + +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + + +class ModuleDocFragment(object): + # Postgres documentation fragment + DOCUMENTATION = r''' +options: + login_user: + description: + - The username this module should use to establish its PostgreSQL session. + type: str + default: postgres + aliases: [ login ] + login_password: + description: + - The password this module should use to establish its PostgreSQL session. + type: str + default: '' + login_host: + description: + - Host running the database. + - If you have connection issues when using C(localhost), try to use C(127.0.0.1) instead. + default: '' + type: str + aliases: [ host ] + login_unix_socket: + description: + - Path to a Unix domain socket for local connections. + type: str + default: '' + aliases: [ unix_socket ] + port: + description: + - Database port to connect to. + type: int + default: 5432 + aliases: [ login_port ] + ssl_mode: + description: + - Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. + - See U(https://www.postgresql.org/docs/current/static/libpq-ssl.html) for more information on the modes. + - Default of C(prefer) matches libpq default. + type: str + default: prefer + choices: [ allow, disable, prefer, require, verify-ca, verify-full ] + ca_cert: + description: + - Specifies the name of a file containing SSL certificate authority (CA) certificate(s). + - If the file exists, the server's certificate will be verified to be signed by one of these authorities. + type: str + aliases: [ ssl_rootcert ] + ssl_cert: + description: + - Specifies the file name of the client SSL certificate. + type: path + version_added: '2.4.0' + ssl_key: + description: + - Specifies the location for the secret key used for the client certificate. + type: path + version_added: '2.4.0' + connect_params: + description: + - Any additional parameters to be passed to libpg. + - These parameters take precedence. + type: dict + default: {} + version_added: '2.3.0' + +attributes: + check_mode: + description: Can run in check_mode and return changed status prediction without modifying target. + +notes: +- The default authentication assumes that you are either logging in as or sudo'ing to the C(postgres) account on the host. +- To avoid "Peer authentication failed for user postgres" error, + use postgres user as a I(become_user). +- This module uses C(psycopg2), a Python PostgreSQL database adapter. You must + ensure that C(psycopg2) is installed on the host before using this module. +- If the remote host is the PostgreSQL server (which is the default case), then + PostgreSQL must also be installed on the remote host. +- For Ubuntu-based systems, install the C(postgresql), C(libpq-dev), and C(python-psycopg2) packages + on the remote host before using this module. +- The ca_cert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3. + +requirements: [ psycopg2 ] +''' diff --git a/ansible_collections/community/postgresql/plugins/module_utils/_version.py b/ansible_collections/community/postgresql/plugins/module_utils/_version.py new file mode 100644 index 000000000..0a34929e9 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/module_utils/_version.py @@ -0,0 +1,335 @@ +# Vendored copy of distutils/version.py from CPython 3.9.5 +# +# Implements multiple version numbering conventions for the +# Python Module Distribution Utilities. +# +# PSF License (see PSF-license.txt or https://opensource.org/licenses/Python-2.0) +# + +"""Provides classes to represent module version numbers (one class for +each style of version numbering). There are currently two such classes +implemented: StrictVersion and LooseVersion. +Every version number class implements the following interface: + * the 'parse' method takes a string and parses it to some internal + representation; if the string is an invalid version number, + 'parse' raises a ValueError exception + * the class constructor takes an optional string argument which, + if supplied, is passed to 'parse' + * __str__ reconstructs the string that was passed to 'parse' (or + an equivalent string -- ie. one that will generate an equivalent + version number instance) + * __repr__ generates Python code to recreate the version number instance + * _cmp compares the current instance with either another instance + of the same class or a string (which will be parsed to an instance + of the same class, thus must follow the same rules) +""" + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import re + +try: + RE_FLAGS = re.VERBOSE | re.ASCII +except AttributeError: + RE_FLAGS = re.VERBOSE + + +class Version: + """Abstract base class for version numbering classes. Just provides + constructor (__init__) and reproducer (__repr__), because those + seem to be the same for all version numbering classes; and route + rich comparisons to _cmp. + """ + + def __init__(self, vstring=None): + if vstring: + self.parse(vstring) + + def __repr__(self): + return "%s ('%s')" % (self.__class__.__name__, str(self)) + + def __eq__(self, other): + c = self._cmp(other) + if c is NotImplemented: + return c + return c == 0 + + def __lt__(self, other): + c = self._cmp(other) + if c is NotImplemented: + return c + return c < 0 + + def __le__(self, other): + c = self._cmp(other) + if c is NotImplemented: + return c + return c <= 0 + + def __gt__(self, other): + c = self._cmp(other) + if c is NotImplemented: + return c + return c > 0 + + def __ge__(self, other): + c = self._cmp(other) + if c is NotImplemented: + return c + return c >= 0 + + +# Interface for version-number classes -- must be implemented +# by the following classes (the concrete ones -- Version should +# be treated as an abstract class). +# __init__ (string) - create and take same action as 'parse' +# (string parameter is optional) +# parse (string) - convert a string representation to whatever +# internal representation is appropriate for +# this style of version numbering +# __str__ (self) - convert back to a string; should be very similar +# (if not identical to) the string supplied to parse +# __repr__ (self) - generate Python code to recreate +# the instance +# _cmp (self, other) - compare two version numbers ('other' may +# be an unparsed version string, or another +# instance of your version class) + + +class StrictVersion(Version): + """Version numbering for anal retentives and software idealists. + Implements the standard interface for version number classes as + described above. A version number consists of two or three + dot-separated numeric components, with an optional "pre-release" tag + on the end. The pre-release tag consists of the letter 'a' or 'b' + followed by a number. If the numeric components of two version + numbers are equal, then one with a pre-release tag will always + be deemed earlier (lesser) than one without. + The following are valid version numbers (shown in the order that + would be obtained by sorting according to the supplied cmp function): + 0.4 0.4.0 (these two are equivalent) + 0.4.1 + 0.5a1 + 0.5b3 + 0.5 + 0.9.6 + 1.0 + 1.0.4a3 + 1.0.4b1 + 1.0.4 + The following are examples of invalid version numbers: + 1 + 2.7.2.2 + 1.3.a4 + 1.3pl1 + 1.3c4 + The rationale for this version numbering system will be explained + in the distutils documentation. + """ + + version_re = re.compile(r'^(\d+) \. (\d+) (\. (\d+))? ([ab](\d+))?$', + RE_FLAGS) + + def parse(self, vstring): + match = self.version_re.match(vstring) + if not match: + raise ValueError("invalid version number '%s'" % vstring) + + (major, minor, patch, prerelease, prerelease_num) = \ + match.group(1, 2, 4, 5, 6) + + if patch: + self.version = tuple(map(int, [major, minor, patch])) + else: + self.version = tuple(map(int, [major, minor])) + (0,) + + if prerelease: + self.prerelease = (prerelease[0], int(prerelease_num)) + else: + self.prerelease = None + + def __str__(self): + if self.version[2] == 0: + vstring = '.'.join(map(str, self.version[0:2])) + else: + vstring = '.'.join(map(str, self.version)) + + if self.prerelease: + vstring = vstring + self.prerelease[0] + str(self.prerelease[1]) + + return vstring + + def _cmp(self, other): + if isinstance(other, str): + other = StrictVersion(other) + elif not isinstance(other, StrictVersion): + return NotImplemented + + if self.version != other.version: + # numeric versions don't match + # prerelease stuff doesn't matter + if self.version < other.version: + return -1 + else: + return 1 + + # have to compare prerelease + # case 1: neither has prerelease; they're equal + # case 2: self has prerelease, other doesn't; other is greater + # case 3: self doesn't have prerelease, other does: self is greater + # case 4: both have prerelease: must compare them! + + if (not self.prerelease and not other.prerelease): + return 0 + elif (self.prerelease and not other.prerelease): + return -1 + elif (not self.prerelease and other.prerelease): + return 1 + elif (self.prerelease and other.prerelease): + if self.prerelease == other.prerelease: + return 0 + elif self.prerelease < other.prerelease: + return -1 + else: + return 1 + else: + raise AssertionError("never get here") + +# end class StrictVersion + +# The rules according to Greg Stein: +# 1) a version number has 1 or more numbers separated by a period or by +# sequences of letters. If only periods, then these are compared +# left-to-right to determine an ordering. +# 2) sequences of letters are part of the tuple for comparison and are +# compared lexicographically +# 3) recognize the numeric components may have leading zeroes +# +# The LooseVersion class below implements these rules: a version number +# string is split up into a tuple of integer and string components, and +# comparison is a simple tuple comparison. This means that version +# numbers behave in a predictable and obvious way, but a way that might +# not necessarily be how people *want* version numbers to behave. There +# wouldn't be a problem if people could stick to purely numeric version +# numbers: just split on period and compare the numbers as tuples. +# However, people insist on putting letters into their version numbers; +# the most common purpose seems to be: +# - indicating a "pre-release" version +# ('alpha', 'beta', 'a', 'b', 'pre', 'p') +# - indicating a post-release patch ('p', 'pl', 'patch') +# but of course this can't cover all version number schemes, and there's +# no way to know what a programmer means without asking him. +# +# The problem is what to do with letters (and other non-numeric +# characters) in a version number. The current implementation does the +# obvious and predictable thing: keep them as strings and compare +# lexically within a tuple comparison. This has the desired effect if +# an appended letter sequence implies something "post-release": +# eg. "0.99" < "0.99pl14" < "1.0", and "5.001" < "5.001m" < "5.002". +# +# However, if letters in a version number imply a pre-release version, +# the "obvious" thing isn't correct. Eg. you would expect that +# "1.5.1" < "1.5.2a2" < "1.5.2", but under the tuple/lexical comparison +# implemented here, this just isn't so. +# +# Two possible solutions come to mind. The first is to tie the +# comparison algorithm to a particular set of semantic rules, as has +# been done in the StrictVersion class above. This works great as long +# as everyone can go along with bondage and discipline. Hopefully a +# (large) subset of Python module programmers will agree that the +# particular flavour of bondage and discipline provided by StrictVersion +# provides enough benefit to be worth using, and will submit their +# version numbering scheme to its domination. The free-thinking +# anarchists in the lot will never give in, though, and something needs +# to be done to accommodate them. +# +# Perhaps a "moderately strict" version class could be implemented that +# lets almost anything slide (syntactically), and makes some heuristic +# assumptions about non-digits in version number strings. This could +# sink into special-case-hell, though; if I was as talented and +# idiosyncratic as Larry Wall, I'd go ahead and implement a class that +# somehow knows that "1.2.1" < "1.2.2a2" < "1.2.2" < "1.2.2pl3", and is +# just as happy dealing with things like "2g6" and "1.13++". I don't +# think I'm smart enough to do it right though. +# +# In any case, I've coded the test suite for this module (see +# ../test/test_version.py) specifically to fail on things like comparing +# "1.2a2" and "1.2". That's not because the *code* is doing anything +# wrong, it's because the simple, obvious design doesn't match my +# complicated, hairy expectations for real-world version numbers. It +# would be a snap to fix the test suite to say, "Yep, LooseVersion does +# the Right Thing" (ie. the code matches the conception). But I'd rather +# have a conception that matches common notions about version numbers. + + +class LooseVersion(Version): + """Version numbering for anarchists and software realists. + Implements the standard interface for version number classes as + described above. A version number consists of a series of numbers, + separated by either periods or strings of letters. When comparing + version numbers, the numeric components will be compared + numerically, and the alphabetic components lexically. The following + are all valid version numbers, in no particular order: + 1.5.1 + 1.5.2b2 + 161 + 3.10a + 8.02 + 3.4j + 1996.07.12 + 3.2.pl0 + 3.1.1.6 + 2g6 + 11g + 0.960923 + 2.2beta29 + 1.13++ + 5.5.kw + 2.0b1pl0 + In fact, there is no such thing as an invalid version number under + this scheme; the rules for comparison are simple and predictable, + but may not always give the results you want (for some definition + of "want"). + """ + + component_re = re.compile(r'(\d+ | [a-z]+ | \.)', re.VERBOSE) + + def __init__(self, vstring=None): + if vstring: + self.parse(vstring) + + def parse(self, vstring): + # I've given up on thinking I can reconstruct the version string + # from the parsed tuple -- so I just store the string here for + # use by __str__ + self.vstring = vstring + components = [x for x in self.component_re.split(vstring) if x and x != '.'] + for i, obj in enumerate(components): + try: + components[i] = int(obj) + except ValueError: + pass + + self.version = components + + def __str__(self): + return self.vstring + + def __repr__(self): + return "LooseVersion ('%s')" % str(self) + + def _cmp(self, other): + if isinstance(other, str): + other = LooseVersion(other) + elif not isinstance(other, LooseVersion): + return NotImplemented + + if self.version == other.version: + return 0 + if self.version < other.version: + return -1 + if self.version > other.version: + return 1 + +# end class LooseVersion diff --git a/ansible_collections/community/postgresql/plugins/module_utils/database.py b/ansible_collections/community/postgresql/plugins/module_utils/database.py new file mode 100644 index 000000000..8aba6aad8 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/module_utils/database.py @@ -0,0 +1,193 @@ +# This code is part of Ansible, but is an independent component. +# This particular file snippet, and this file snippet only, is BSD licensed. +# Modules you write using this snippet, which is embedded dynamically by Ansible +# still belong to the author of the module, and may assign their own license +# to the complete work. +# +# Copyright (c) 2014, Toshio Kuratomi <tkuratomi@ansible.com> +# +# Simplified BSD License (see simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import re +from ansible.module_utils._text import to_native + + +# Input patterns for is_input_dangerous function: +# +# 1. '"' in string and '--' in string or +# "'" in string and '--' in string +PATTERN_1 = re.compile(r'(\'|\").*--') + +# 2. union \ intersect \ except + select +PATTERN_2 = re.compile(r'(UNION|INTERSECT|EXCEPT).*SELECT', re.IGNORECASE) + +# 3. ';' and any KEY_WORDS +PATTERN_3 = re.compile(r';.*(SELECT|UPDATE|INSERT|DELETE|DROP|TRUNCATE|ALTER)', re.IGNORECASE) + + +class SQLParseError(Exception): + pass + + +class UnclosedQuoteError(SQLParseError): + pass + + +# maps a type of identifier to the maximum number of dot levels that are +# allowed to specify that identifier. For example, a database column can be +# specified by up to 4 levels: database.schema.table.column +_PG_IDENTIFIER_TO_DOT_LEVEL = dict( + database=1, + schema=2, + table=3, + column=4, + role=1, + tablespace=1, + sequence=3, + publication=1, +) +_MYSQL_IDENTIFIER_TO_DOT_LEVEL = dict(database=1, table=2, column=3, role=1, vars=1) + + +def _find_end_quote(identifier, quote_char): + accumulate = 0 + while True: + try: + quote = identifier.index(quote_char) + except ValueError: + raise UnclosedQuoteError + accumulate = accumulate + quote + try: + next_char = identifier[quote + 1] + except IndexError: + return accumulate + if next_char == quote_char: + try: + identifier = identifier[quote + 2:] + accumulate = accumulate + 2 + except IndexError: + raise UnclosedQuoteError + else: + return accumulate + + +def _identifier_parse(identifier, quote_char): + if not identifier: + raise SQLParseError('Identifier name unspecified or unquoted trailing dot') + + already_quoted = False + if identifier.startswith(quote_char): + already_quoted = True + try: + end_quote = _find_end_quote(identifier[1:], quote_char=quote_char) + 1 + except UnclosedQuoteError: + already_quoted = False + else: + if end_quote < len(identifier) - 1: + if identifier[end_quote + 1] == '.': + dot = end_quote + 1 + first_identifier = identifier[:dot] + next_identifier = identifier[dot + 1:] + further_identifiers = _identifier_parse(next_identifier, quote_char) + further_identifiers.insert(0, first_identifier) + else: + raise SQLParseError('User escaped identifiers must escape extra quotes') + else: + further_identifiers = [identifier] + + if not already_quoted: + try: + dot = identifier.index('.') + except ValueError: + identifier = identifier.replace(quote_char, quote_char * 2) + identifier = ''.join((quote_char, identifier, quote_char)) + further_identifiers = [identifier] + else: + if dot == 0 or dot >= len(identifier) - 1: + identifier = identifier.replace(quote_char, quote_char * 2) + identifier = ''.join((quote_char, identifier, quote_char)) + further_identifiers = [identifier] + else: + first_identifier = identifier[:dot] + next_identifier = identifier[dot + 1:] + further_identifiers = _identifier_parse(next_identifier, quote_char) + first_identifier = first_identifier.replace(quote_char, quote_char * 2) + first_identifier = ''.join((quote_char, first_identifier, quote_char)) + further_identifiers.insert(0, first_identifier) + + return further_identifiers + + +def pg_quote_identifier(identifier, id_type): + identifier_fragments = _identifier_parse(identifier, quote_char='"') + if len(identifier_fragments) > _PG_IDENTIFIER_TO_DOT_LEVEL[id_type]: + raise SQLParseError('PostgreSQL does not support %s with more than %i dots' % (id_type, _PG_IDENTIFIER_TO_DOT_LEVEL[id_type])) + return '.'.join(identifier_fragments) + + +def mysql_quote_identifier(identifier, id_type): + identifier_fragments = _identifier_parse(identifier, quote_char='`') + if (len(identifier_fragments) - 1) > _MYSQL_IDENTIFIER_TO_DOT_LEVEL[id_type]: + raise SQLParseError('MySQL does not support %s with more than %i dots' % (id_type, _MYSQL_IDENTIFIER_TO_DOT_LEVEL[id_type])) + + special_cased_fragments = [] + for fragment in identifier_fragments: + if fragment == '`*`': + special_cased_fragments.append('*') + else: + special_cased_fragments.append(fragment) + + return '.'.join(special_cased_fragments) + + +def is_input_dangerous(string): + """Check if the passed string is potentially dangerous. + Can be used to prevent SQL injections. + + Note: use this function only when you can't use + psycopg2's cursor.execute method parametrized + (typically with DDL queries). + """ + if not string: + return False + + for pattern in (PATTERN_1, PATTERN_2, PATTERN_3): + if re.search(pattern, string): + return True + + return False + + +def check_input(module, *args): + """Wrapper for is_input_dangerous function.""" + needs_to_check = args + + dangerous_elements = [] + + for elem in needs_to_check: + try: + if isinstance(elem, str): + if is_input_dangerous(elem): + dangerous_elements.append(elem) + + elif isinstance(elem, list): + for e in elem: + if is_input_dangerous(e): + dangerous_elements.append(e) + + elif elem is None or isinstance(elem, bool): + pass + + else: + elem = str(elem) + if is_input_dangerous(elem): + dangerous_elements.append(elem) + except ValueError as e: + module.fail_json(msg=to_native(e)) + + if dangerous_elements: + module.fail_json(msg="Passed input '%s' is " + "potentially dangerous" % ', '.join(dangerous_elements)) diff --git a/ansible_collections/community/postgresql/plugins/module_utils/postgres.py b/ansible_collections/community/postgresql/plugins/module_utils/postgres.py new file mode 100644 index 000000000..e4a44df56 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/module_utils/postgres.py @@ -0,0 +1,477 @@ +# This code is part of Ansible, but is an independent component. +# This particular file snippet, and this file snippet only, is BSD licensed. +# Modules you write using this snippet, which is embedded dynamically by Ansible +# still belong to the author of the module, and may assign their own license +# to the complete work. +# +# Copyright (c), Ted Timmons <ted@timmons.me>, 2017. +# Most of this was originally added by other creators in the postgresql_user module. +# +# Simplified BSD License (see simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from datetime import timedelta +from decimal import Decimal +from os import environ + +psycopg2 = None # This line needs for unit tests +try: + import psycopg2 + import psycopg2.extras + HAS_PSYCOPG2 = True +except ImportError: + HAS_PSYCOPG2 = False + +from ansible.module_utils.basic import missing_required_lib +from ansible.module_utils._text import to_native +from ansible.module_utils.six import iteritems +from ansible_collections.community.postgresql.plugins.module_utils.version import LooseVersion + +TYPES_NEED_TO_CONVERT = (Decimal, timedelta) + + +def postgres_common_argument_spec(): + """ + Return a dictionary with connection options. + + The options are commonly used by most of PostgreSQL modules. + """ + # Getting a dictionary of environment variables + env_vars = environ + + return dict( + login_user=dict( + default='postgres' if not env_vars.get("PGUSER") else env_vars.get("PGUSER"), + aliases=['login'] + ), + login_password=dict(default='', no_log=True), + login_host=dict(default='', aliases=['host']), + login_unix_socket=dict(default='', aliases=['unix_socket']), + port=dict( + type='int', + default=5432 if not env_vars.get("PGPORT") else int(env_vars.get("PGPORT")), + aliases=['login_port'] + ), + ssl_mode=dict( + default='prefer', + choices=[ + 'allow', + 'disable', + 'prefer', + 'require', + 'verify-ca', + 'verify-full' + ] + ), + ca_cert=dict(aliases=['ssl_rootcert']), + ssl_cert=dict(type='path'), + ssl_key=dict(type='path'), + connect_params=dict(default={}, type='dict'), + ) + + +def ensure_required_libs(module): + """Check required libraries.""" + if not HAS_PSYCOPG2: + module.fail_json(msg=missing_required_lib('psycopg2')) + + if module.params.get('ca_cert') and LooseVersion(psycopg2.__version__) < LooseVersion('2.4.3'): + module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to use the ca_cert parameter') + + +def connect_to_db(module, conn_params, autocommit=False, fail_on_conn=True): + """Connect to a PostgreSQL database. + + Return a tuple containing a psycopg2 connection object and error message / None. + + Args: + module (AnsibleModule) -- object of ansible.module_utils.basic.AnsibleModule class + conn_params (dict) -- dictionary with connection parameters + + Kwargs: + autocommit (bool) -- commit automatically (default False) + fail_on_conn (bool) -- fail if connection failed or just warn and return None (default True) + """ + + db_connection = None + conn_err = None + try: + db_connection = psycopg2.connect(**conn_params) + if autocommit: + if LooseVersion(psycopg2.__version__) >= LooseVersion('2.4.2'): + db_connection.set_session(autocommit=True) + else: + db_connection.set_isolation_level(psycopg2.extensions.ISOLATION_LEVEL_AUTOCOMMIT) + + # Switch role, if specified: + if module.params.get('session_role'): + cursor = db_connection.cursor(cursor_factory=psycopg2.extras.DictCursor) + + try: + cursor.execute('SET ROLE "%s"' % module.params['session_role']) + except Exception as e: + module.fail_json(msg="Could not switch role: %s" % to_native(e)) + finally: + cursor.close() + + except TypeError as e: + if 'sslrootcert' in e.args[0]: + module.fail_json(msg='Postgresql server must be at least ' + 'version 8.4 to support sslrootcert') + + conn_err = to_native(e) + + except Exception as e: + conn_err = to_native(e) + + if conn_err is not None: + if fail_on_conn: + module.fail_json(msg="unable to connect to database: %s" % conn_err) + else: + module.warn("PostgreSQL server is unavailable: %s" % conn_err) + db_connection = None + + return db_connection, conn_err + + +def exec_sql(obj, query, query_params=None, return_bool=False, add_to_executed=True, dont_exec=False): + """Execute SQL. + + Auxiliary function for PostgreSQL user classes. + + Returns a query result if possible or a boolean value. + + Args: + obj (obj) -- must be an object of a user class. + The object must have module (AnsibleModule class object) and + cursor (psycopg cursor object) attributes + query (str) -- SQL query to execute + + Kwargs: + query_params (dict or tuple) -- Query parameters to prevent SQL injections, + could be a dict or tuple + return_bool (bool) -- return True instead of rows if a query was successfully executed. + It's necessary for statements that don't return any result like DDL queries (default False). + add_to_executed (bool) -- append the query to obj.executed_queries attribute + dont_exec (bool) -- used with add_to_executed=True to generate a query, add it + to obj.executed_queries list and return True (default False) + """ + + if dont_exec: + # This is usually needed to return queries in check_mode + # without execution + query = obj.cursor.mogrify(query, query_params) + if add_to_executed: + obj.executed_queries.append(query) + + return True + + try: + if query_params is not None: + obj.cursor.execute(query, query_params) + else: + obj.cursor.execute(query) + + if add_to_executed: + if query_params is not None: + obj.executed_queries.append(obj.cursor.mogrify(query, query_params)) + else: + obj.executed_queries.append(query) + + if not return_bool: + res = obj.cursor.fetchall() + return res + return True + except Exception as e: + obj.module.fail_json(msg="Cannot execute SQL '%s': %s" % (query, to_native(e))) + return False + + +def get_conn_params(module, params_dict, warn_db_default=True): + """Get connection parameters from the passed dictionary. + + Return a dictionary with parameters to connect to PostgreSQL server. + + Args: + module (AnsibleModule) -- object of ansible.module_utils.basic.AnsibleModule class + params_dict (dict) -- dictionary with variables + + Kwargs: + warn_db_default (bool) -- warn that the default DB is used (default True) + """ + + # To use defaults values, keyword arguments must be absent, so + # check which values are empty and don't include in the return dictionary + params_map = { + "login_host": "host", + "login_user": "user", + "login_password": "password", + "port": "port", + "ssl_mode": "sslmode", + "ca_cert": "sslrootcert", + "ssl_cert": "sslcert", + "ssl_key": "sslkey", + } + + # Might be different in the modules: + if LooseVersion(psycopg2.__version__) >= LooseVersion('2.7.0'): + if params_dict.get('db'): + params_map['db'] = 'dbname' + elif params_dict.get('database'): + params_map['database'] = 'dbname' + elif params_dict.get('login_db'): + params_map['login_db'] = 'dbname' + else: + if warn_db_default: + module.warn('Database name has not been passed, ' + 'used default database to connect to.') + else: + if params_dict.get('db'): + params_map['db'] = 'database' + elif params_dict.get('database'): + params_map['database'] = 'database' + elif params_dict.get('login_db'): + params_map['login_db'] = 'database' + else: + if warn_db_default: + module.warn('Database name has not been passed, ' + 'used default database to connect to.') + + kw = dict((params_map[k], v) for (k, v) in iteritems(params_dict) + if k in params_map and v != '' and v is not None) + + # If a login_unix_socket is specified, incorporate it here. + is_localhost = False + if 'host' not in kw or kw['host'] in [None, 'localhost']: + is_localhost = True + + if is_localhost and params_dict["login_unix_socket"] != "": + kw["host"] = params_dict["login_unix_socket"] + + # If connect_params is specified, merge it together + if params_dict.get("connect_params"): + kw.update(params_dict["connect_params"]) + + return kw + + +class PgRole(): + def __init__(self, module, cursor, name): + self.module = module + self.cursor = cursor + self.name = name + self.memberof = self.__fetch_members() + + def __fetch_members(self): + query = ("SELECT ARRAY(SELECT b.rolname FROM " + "pg_catalog.pg_auth_members m " + "JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid) " + "WHERE m.member = r.oid) " + "FROM pg_catalog.pg_roles r " + "WHERE r.rolname = %(dst_role)s") + + res = exec_sql(self, query, query_params={'dst_role': self.name}, + add_to_executed=False) + if res: + return res[0][0] + else: + return [] + + +class PgMembership(object): + def __init__(self, module, cursor, groups, target_roles, fail_on_role=True): + self.module = module + self.cursor = cursor + self.target_roles = [r.strip() for r in target_roles] + self.groups = [r.strip() for r in groups] + self.executed_queries = [] + self.granted = {} + self.revoked = {} + self.fail_on_role = fail_on_role + self.non_existent_roles = [] + self.changed = False + self.__check_roles_exist() + + def grant(self): + for group in self.groups: + self.granted[group] = [] + + for role in self.target_roles: + role_obj = PgRole(self.module, self.cursor, role) + # If role is in a group now, pass: + if group in role_obj.memberof: + continue + + query = 'GRANT "%s" TO "%s"' % (group, role) + self.changed = exec_sql(self, query, return_bool=True) + + if self.changed: + self.granted[group].append(role) + + return self.changed + + def revoke(self): + for group in self.groups: + self.revoked[group] = [] + + for role in self.target_roles: + role_obj = PgRole(self.module, self.cursor, role) + # If role is not in a group now, pass: + if group not in role_obj.memberof: + continue + + query = 'REVOKE "%s" FROM "%s"' % (group, role) + self.changed = exec_sql(self, query, return_bool=True) + + if self.changed: + self.revoked[group].append(role) + + return self.changed + + def match(self): + for role in self.target_roles: + role_obj = PgRole(self.module, self.cursor, role) + + desired_groups = set(self.groups) + current_groups = set(role_obj.memberof) + # 1. Get groups that the role is member of but not in self.groups and revoke them + groups_to_revoke = current_groups - desired_groups + for group in groups_to_revoke: + query = 'REVOKE "%s" FROM "%s"' % (group, role) + self.changed = exec_sql(self, query, return_bool=True) + if group in self.revoked: + self.revoked[group].append(role) + else: + self.revoked[group] = [role] + + # 2. Filter out groups that in self.groups and + # the role is already member of and grant the rest + groups_to_grant = desired_groups - current_groups + for group in groups_to_grant: + query = 'GRANT "%s" TO "%s"' % (group, role) + self.changed = exec_sql(self, query, return_bool=True) + if group in self.granted: + self.granted[group].append(role) + else: + self.granted[group] = [role] + + return self.changed + + def __check_roles_exist(self): + if self.groups: + existent_groups = self.__roles_exist(self.groups) + + for group in self.groups: + if group not in existent_groups: + if self.fail_on_role: + self.module.fail_json(msg="Role %s does not exist" % group) + else: + self.module.warn("Role %s does not exist, pass" % group) + self.non_existent_roles.append(group) + + existent_roles = self.__roles_exist(self.target_roles) + for role in self.target_roles: + if role not in existent_roles: + if self.fail_on_role: + self.module.fail_json(msg="Role %s does not exist" % role) + else: + self.module.warn("Role %s does not exist, pass" % role) + + if role not in self.groups: + self.non_existent_roles.append(role) + + else: + if self.fail_on_role: + self.module.exit_json(msg="Role role '%s' is a member of role '%s'" % (role, role)) + else: + self.module.warn("Role role '%s' is a member of role '%s', pass" % (role, role)) + + # Update role lists, excluding non existent roles: + if self.groups: + self.groups = [g for g in self.groups if g not in self.non_existent_roles] + + self.target_roles = [r for r in self.target_roles if r not in self.non_existent_roles] + + def __roles_exist(self, roles): + tmp = ["'" + x + "'" for x in roles] + query = "SELECT rolname FROM pg_roles WHERE rolname IN (%s)" % ','.join(tmp) + return [x[0] for x in exec_sql(self, query, add_to_executed=False)] + + +def set_search_path(cursor, search_path): + """Set session's search_path. + + Args: + cursor (Psycopg2 cursor): Database cursor object. + search_path (str): String containing comma-separated schema names. + """ + cursor.execute('SET search_path TO %s' % search_path) + + +def convert_elements_to_pg_arrays(obj): + """Convert list elements of the passed object + to PostgreSQL arrays represented as strings. + + Args: + obj (dict or list): Object whose elements need to be converted. + + Returns: + obj (dict or list): Object with converted elements. + """ + if isinstance(obj, dict): + for (key, elem) in iteritems(obj): + if isinstance(elem, list): + obj[key] = list_to_pg_array(elem) + + elif isinstance(obj, list): + for i, elem in enumerate(obj): + if isinstance(elem, list): + obj[i] = list_to_pg_array(elem) + + return obj + + +def list_to_pg_array(elem): + """Convert the passed list to PostgreSQL array + represented as a string. + + Args: + elem (list): List that needs to be converted. + + Returns: + elem (str): String representation of PostgreSQL array. + """ + elem = str(elem).strip('[]') + elem = '{' + elem + '}' + return elem + + +def convert_to_supported(val): + """Convert unsupported type to appropriate. + Args: + val (any) -- Any value fetched from database. + Returns value of appropriate type. + """ + if isinstance(val, Decimal): + return float(val) + + elif isinstance(val, timedelta): + return str(val) + + return val # By default returns the same value + + +def get_server_version(conn): + """Get server version. + + Args: + conn (psycopg.Connection) -- Psycopg connection object. + + Returns server version (int). + """ + if LooseVersion(psycopg2.__version__) >= LooseVersion('3.0.0'): + return conn.info.server_version + else: + return conn.server_version diff --git a/ansible_collections/community/postgresql/plugins/module_utils/saslprep.py b/ansible_collections/community/postgresql/plugins/module_utils/saslprep.py new file mode 100644 index 000000000..804200c37 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/module_utils/saslprep.py @@ -0,0 +1,178 @@ +# -*- coding: utf-8 -*- + +# This code is part of Ansible, but is an independent component. +# This particular file snippet, and this file snippet only, is BSD licensed. +# Modules you write using this snippet, which is embedded dynamically by Ansible +# still belong to the author of the module, and may assign their own license +# to the complete work. + +# Copyright: (c) 2020, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# +# Simplified BSD License (see simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from stringprep import ( + in_table_a1, + in_table_b1, + in_table_c3, + in_table_c4, + in_table_c5, + in_table_c6, + in_table_c7, + in_table_c8, + in_table_c9, + in_table_c12, + in_table_c21_c22, + in_table_d1, + in_table_d2, +) +from unicodedata import normalize + +from ansible.module_utils.six import text_type + + +def is_unicode_str(string): + return True if isinstance(string, text_type) else False + + +def mapping_profile(string): + """RFC4013 Mapping profile implementation.""" + # Regarding RFC4013, + # This profile specifies: + # - non-ASCII space characters [StringPrep, C.1.2] that can be + # mapped to SPACE (U+0020), and + # - the "commonly mapped to nothing" characters [StringPrep, B.1] + # that can be mapped to nothing. + + tmp = [] + for c in string: + # If not the "commonly mapped to nothing" + if not in_table_b1(c): + if in_table_c12(c): + # map non-ASCII space characters + # (that can be mapped) to Unicode space + tmp.append(u' ') + else: + tmp.append(c) + + return u"".join(tmp) + + +def is_ral_string(string): + """RFC3454 Check bidirectional category of the string""" + # Regarding RFC3454, + # Table D.1 lists the characters that belong + # to Unicode bidirectional categories "R" and "AL". + # If a string contains any RandALCat character, a RandALCat + # character MUST be the first character of the string, and a + # RandALCat character MUST be the last character of the string. + if in_table_d1(string[0]): + if not in_table_d1(string[-1]): + raise ValueError('RFC3454: incorrect bidirectional RandALCat string.') + return True + return False + + +def prohibited_output_profile(string): + """RFC4013 Prohibited output profile implementation.""" + # Implements: + # RFC4013, 2.3. Prohibited Output. + # This profile specifies the following characters as prohibited input: + # - Non-ASCII space characters [StringPrep, C.1.2] + # - ASCII control characters [StringPrep, C.2.1] + # - Non-ASCII control characters [StringPrep, C.2.2] + # - Private Use characters [StringPrep, C.3] + # - Non-character code points [StringPrep, C.4] + # - Surrogate code points [StringPrep, C.5] + # - Inappropriate for plain text characters [StringPrep, C.6] + # - Inappropriate for canonical representation characters [StringPrep, C.7] + # - Change display properties or deprecated characters [StringPrep, C.8] + # - Tagging characters [StringPrep, C.9] + # RFC4013, 2.4. Bidirectional Characters. + # RFC4013, 2.5. Unassigned Code Points. + + # Determine how to handle bidirectional characters (RFC3454): + if is_ral_string(string): + # If a string contains any RandALCat characters, + # The string MUST NOT contain any LCat character: + is_prohibited_bidi_ch = in_table_d2 + bidi_table = 'D.2' + else: + # Forbid RandALCat characters in LCat string: + is_prohibited_bidi_ch = in_table_d1 + bidi_table = 'D.1' + + RFC = 'RFC4013' + for c in string: + # RFC4013 2.3. Prohibited Output: + if in_table_c12(c): + raise ValueError('%s: prohibited non-ASCII space characters ' + 'that cannot be replaced (C.1.2).' % RFC) + if in_table_c21_c22(c): + raise ValueError('%s: prohibited control characters (C.2.1).' % RFC) + if in_table_c3(c): + raise ValueError('%s: prohibited private Use characters (C.3).' % RFC) + if in_table_c4(c): + raise ValueError('%s: prohibited non-character code points (C.4).' % RFC) + if in_table_c5(c): + raise ValueError('%s: prohibited surrogate code points (C.5).' % RFC) + if in_table_c6(c): + raise ValueError('%s: prohibited inappropriate for plain text ' + 'characters (C.6).' % RFC) + if in_table_c7(c): + raise ValueError('%s: prohibited inappropriate for canonical ' + 'representation characters (C.7).' % RFC) + if in_table_c8(c): + raise ValueError('%s: prohibited change display properties / ' + 'deprecated characters (C.8).' % RFC) + if in_table_c9(c): + raise ValueError('%s: prohibited tagging characters (C.9).' % RFC) + + # RFC4013, 2.4. Bidirectional Characters: + if is_prohibited_bidi_ch(c): + raise ValueError('%s: prohibited bidi characters (%s).' % (RFC, bidi_table)) + + # RFC4013, 2.5. Unassigned Code Points: + if in_table_a1(c): + raise ValueError('%s: prohibited unassigned code points (A.1).' % RFC) + + +def saslprep(string): + """RFC4013 implementation. + Implements "SASLprep" profile (RFC4013) of the "stringprep" algorithm (RFC3454) + to prepare Unicode strings representing user names and passwords for comparison. + Regarding the RFC4013, the "SASLprep" profile is intended to be used by + Simple Authentication and Security Layer (SASL) mechanisms + (such as PLAIN, CRAM-MD5, and DIGEST-MD5), as well as other protocols + exchanging simple user names and/or passwords. + + Args: + string (unicode string): Unicode string to validate and prepare. + + Returns: + Prepared unicode string. + """ + # RFC4013: "The algorithm assumes all strings are + # comprised of characters from the Unicode [Unicode] character set." + # Validate the string is a Unicode string + # (text_type is the string type if PY3 and unicode otherwise): + if not is_unicode_str(string): + raise TypeError('input must be of type %s, not %s' % (text_type, type(string))) + + # RFC4013: 2.1. Mapping. + string = mapping_profile(string) + + # RFC4013: 2.2. Normalization. + # "This profile specifies using Unicode normalization form KC." + string = normalize('NFKC', string) + if not string: + return u'' + + # RFC4013: 2.3. Prohibited Output. + # RFC4013: 2.4. Bidirectional Characters. + # RFC4013: 2.5. Unassigned Code Points. + prohibited_output_profile(string) + + return string diff --git a/ansible_collections/community/postgresql/plugins/module_utils/version.py b/ansible_collections/community/postgresql/plugins/module_utils/version.py new file mode 100644 index 000000000..6afaca75e --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/module_utils/version.py @@ -0,0 +1,16 @@ +# -*- coding: utf-8 -*- + +# Copyright: (c) 2021, Felix Fontein <felix@fontein.de> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +"""Provide version object to compare version numbers.""" + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +# Once we drop support for Ansible 2.11, we can +# remove the _version.py file, and replace the following import by +# +# from ansible.module_utils.compat.version import LooseVersion + +from ._version import LooseVersion diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_copy.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_copy.py new file mode 100644 index 000000000..37ee9b80f --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_copy.py @@ -0,0 +1,427 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_copy +short_description: Copy data between a file/program and a PostgreSQL table +description: +- Copy data between a file/program and a PostgreSQL table. + +options: + copy_to: + description: + - Copy the contents of a table to a file. + - Can also copy the results of a SELECT query. + - Mutually exclusive with I(copy_from) and I(dst). + type: path + aliases: [ to ] + copy_from: + description: + - Copy data from a file to a table (appending the data to whatever is in the table already). + - Mutually exclusive with I(copy_to) and I(src). + type: path + aliases: [ from ] + src: + description: + - Copy data from I(copy_from) to I(src=tablename). + - Used with I(copy_to) only. + type: str + aliases: [ source ] + dst: + description: + - Copy data to I(dst=tablename) from I(copy_from=/path/to/data.file). + - Used with I(copy_from) only. + type: str + aliases: [ destination ] + columns: + description: + - List of column names for the src/dst table to COPY FROM/TO. + type: list + elements: str + aliases: [ column ] + program: + description: + - Mark I(src)/I(dst) as a program. Data will be copied to/from a program. + - See block Examples and PROGRAM arg description U(https://www.postgresql.org/docs/current/sql-copy.html). + type: bool + default: false + options: + description: + - Options of COPY command. + - See the full list of available options U(https://www.postgresql.org/docs/current/sql-copy.html). + type: dict + db: + description: + - Name of database to connect to. + type: str + aliases: [ login_db ] + session_role: + description: + - Switch to session_role after connecting. + The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + trust_input: + description: + - If C(false), check whether values of parameters are potentially dangerous. + - It makes sense to use C(false) only when SQL injections are possible. + type: bool + default: true + version_added: '0.2.0' +notes: +- Supports PostgreSQL version 9.4+. +- COPY command is only allowed to database superusers. + +attributes: + check_mode: + support: partial + details: + - If I(check_mode=true), we just check the src/dst table availability + and return the COPY query that actually has not been executed. + - If i(check_mode=true) and the source has been passed as SQL, the module + will execute it and roll the transaction back, but pay attention + it can affect database performance (e.g., if SQL collects a lot of data). + +seealso: +- name: COPY command reference + description: Complete reference of the COPY command documentation. + link: https://www.postgresql.org/docs/current/sql-copy.html + +author: +- Andrew Klychkov (@Andersson007) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Copy text TAB-separated data from file /tmp/data.txt to acme table + community.postgresql.postgresql_copy: + copy_from: /tmp/data.txt + dst: acme + +- name: Copy CSV (comma-separated) data from file /tmp/data.csv to columns id, name of table acme + community.postgresql.postgresql_copy: + copy_from: /tmp/data.csv + dst: acme + columns: id,name + options: + format: csv + +- name: > + Copy text vertical-bar-separated data from file /tmp/data.txt to bar table. + The NULL values are specified as N + community.postgresql.postgresql_copy: + copy_from: /tmp/data.csv + dst: bar + options: + delimiter: '|' + null: 'N' + +- name: Copy data from acme table to file /tmp/data.txt in text format, TAB-separated + community.postgresql.postgresql_copy: + src: acme + copy_to: /tmp/data.txt + +- name: Copy data from SELECT query to/tmp/data.csv in CSV format + community.postgresql.postgresql_copy: + src: 'SELECT * FROM acme' + copy_to: /tmp/data.csv + options: + format: csv + +- name: Copy CSV data from my_table to gzip + community.postgresql.postgresql_copy: + src: my_table + copy_to: 'gzip > /tmp/data.csv.gz' + program: true + options: + format: csv + +- name: > + Copy data from columns id, name of table bar to /tmp/data.txt. + Output format is text, vertical-bar-separated, NULL as N + community.postgresql.postgresql_copy: + src: bar + columns: + - id + - name + copy_to: /tmp/data.csv + options: + delimiter: '|' + null: 'N' +''' + +RETURN = r''' +queries: + description: List of executed queries. + returned: always + type: str + sample: [ "COPY test_table FROM '/tmp/data_file.txt' (FORMAT csv, DELIMITER ',', NULL 'NULL')" ] +src: + description: Data source. + returned: always + type: str + sample: "mytable" +dst: + description: Data destination. + returned: always + type: str + sample: "/tmp/data.csv" +''' + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, + pg_quote_identifier, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible.module_utils.six import iteritems + + +class PgCopyData(object): + + """Implements behavior of COPY FROM, COPY TO PostgreSQL command. + + Arguments: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + + Attributes: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + changed (bool) -- something was changed after execution or not + executed_queries (list) -- executed queries + dst (str) -- data destination table (when copy_from) + src (str) -- data source table (when copy_to) + opt_need_quotes (tuple) -- values of these options must be passed + to SQL in quotes + """ + + def __init__(self, module, cursor): + self.module = module + self.cursor = cursor + self.executed_queries = [] + self.changed = False + self.dst = '' + self.src = '' + self.opt_need_quotes = ( + 'DELIMITER', + 'NULL', + 'QUOTE', + 'ESCAPE', + 'ENCODING', + ) + + def copy_from(self): + """Implements COPY FROM command behavior.""" + self.src = self.module.params['copy_from'] + self.dst = self.module.params['dst'] + + query_fragments = ['COPY %s' % pg_quote_identifier(self.dst, 'table')] + + if self.module.params.get('columns'): + query_fragments.append('(%s)' % ','.join(self.module.params['columns'])) + + query_fragments.append('FROM') + + if self.module.params.get('program'): + query_fragments.append('PROGRAM') + + query_fragments.append("'%s'" % self.src) + + if self.module.params.get('options'): + query_fragments.append(self.__transform_options()) + + # Note: check mode is implemented here: + if self.module.check_mode: + self.changed = self.__check_table(self.dst) + + if self.changed: + self.executed_queries.append(' '.join(query_fragments)) + else: + if exec_sql(self, ' '.join(query_fragments), return_bool=True): + self.changed = True + + def copy_to(self): + """Implements COPY TO command behavior.""" + self.src = self.module.params['src'] + self.dst = self.module.params['copy_to'] + + if 'SELECT ' in self.src.upper(): + # If src is SQL SELECT statement: + query_fragments = ['COPY (%s)' % self.src] + else: + # If src is a table: + query_fragments = ['COPY %s' % pg_quote_identifier(self.src, 'table')] + + if self.module.params.get('columns'): + query_fragments.append('(%s)' % ','.join(self.module.params['columns'])) + + query_fragments.append('TO') + + if self.module.params.get('program'): + query_fragments.append('PROGRAM') + + query_fragments.append("'%s'" % self.dst) + + if self.module.params.get('options'): + query_fragments.append(self.__transform_options()) + + # Note: check mode is implemented here: + if self.module.check_mode: + self.changed = self.__check_table(self.src) + + if self.changed: + self.executed_queries.append(' '.join(query_fragments)) + else: + if exec_sql(self, ' '.join(query_fragments), return_bool=True): + self.changed = True + + def __transform_options(self): + """Transform options dict into a suitable string.""" + for (key, val) in iteritems(self.module.params['options']): + if key.upper() in self.opt_need_quotes: + self.module.params['options'][key] = "'%s'" % val + + opt = ['%s %s' % (key, val) for (key, val) in iteritems(self.module.params['options'])] + return '(%s)' % ', '.join(opt) + + def __check_table(self, table): + """Check table or SQL in transaction mode for check_mode. + + Return True if it is OK. + + Arguments: + table (str) - Table name that needs to be checked. + It can be SQL SELECT statement that was passed + instead of the table name. + """ + if 'SELECT ' in table.upper(): + # In this case table is actually SQL SELECT statement. + # If SQL fails, it's handled by exec_sql(): + exec_sql(self, table, add_to_executed=False) + # If exec_sql was passed, it means all is OK: + return True + + exec_sql(self, 'SELECT 1 FROM %s' % pg_quote_identifier(table, 'table'), + add_to_executed=False) + # If SQL was executed successfully: + return True + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + copy_to=dict(type='path', aliases=['to']), + copy_from=dict(type='path', aliases=['from']), + src=dict(type='str', aliases=['source']), + dst=dict(type='str', aliases=['destination']), + columns=dict(type='list', elements='str', aliases=['column']), + options=dict(type='dict'), + program=dict(type='bool', default=False), + db=dict(type='str', aliases=['login_db']), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + mutually_exclusive=[ + ['copy_from', 'copy_to'], + ['copy_from', 'src'], + ['copy_to', 'dst'], + ] + ) + + if not module.params['trust_input']: + # Check input for potentially dangerous elements: + opt_list = None + if module.params['options']: + opt_list = ['%s %s' % (key, val) for (key, val) in iteritems(module.params['options'])] + + check_input(module, + module.params['copy_to'], + module.params['copy_from'], + module.params['src'], + module.params['dst'], + opt_list, + module.params['columns'], + module.params['session_role']) + + # Note: we don't need to check mutually exclusive params here, because they are + # checked automatically by AnsibleModule (mutually_exclusive=[] list above). + if module.params.get('copy_from') and not module.params.get('dst'): + module.fail_json(msg='dst param is necessary with copy_from') + + elif module.params.get('copy_to') and not module.params.get('src'): + module.fail_json(msg='src param is necessary with copy_to') + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + # Connect to DB and make cursor object: + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=False) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + ############## + # Create the object and do main job: + data = PgCopyData(module, cursor) + + # Note: parameters like dst, src, etc. are got + # from module object into data object of PgCopyData class. + # Therefore not need to pass args to the methods below. + # Note: check mode is implemented inside the methods below + # by checking passed module.check_mode arg. + if module.params.get('copy_to'): + data.copy_to() + + elif module.params.get('copy_from'): + data.copy_from() + + # Finish: + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + cursor.close() + db_connection.close() + + # Return some values: + module.exit_json( + changed=data.changed, + queries=data.executed_queries, + src=data.src, + dst=data.dst, + ) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_db.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_db.py new file mode 100644 index 000000000..e45d9b769 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_db.py @@ -0,0 +1,786 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_db +short_description: Add or remove PostgreSQL databases from a remote host +description: + - Add or remove PostgreSQL databases from a remote host. +options: + name: + description: + - Name of the database to add or remove. + type: str + required: true + aliases: [ db ] + owner: + description: + - Name of the role to set as owner of the database. + type: str + default: '' + template: + description: + - Template used to create the database. + type: str + default: '' + encoding: + description: + - Encoding of the database. + type: str + default: '' + lc_collate: + description: + - Collation order (LC_COLLATE) to use in the database + must match collation order of template database unless C(template0) is used as template. + type: str + default: '' + lc_ctype: + description: + - Character classification (LC_CTYPE) to use in the database (e.g. lower, upper, ...). + - Must match LC_CTYPE of template database unless C(template0) is used as template. + type: str + default: '' + session_role: + description: + - Switch to session_role after connecting. + - The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though the session_role + were the one that had logged in originally. + type: str + state: + description: + - The database state. + - C(present) implies that the database should be created if necessary. + - C(absent) implies that the database should be removed if present. + - C(dump) requires a target definition to which the database will be backed up. (Added in Ansible 2.4) + Note that in some PostgreSQL versions of pg_dump, which is an embedded PostgreSQL utility and is used by the module, + returns rc 0 even when errors occurred (e.g. the connection is forbidden by pg_hba.conf, etc.), + so the module returns changed=True but the dump has not actually been done. Please, be sure that your version of + pg_dump returns rc 1 in this case. + - C(restore) also requires a target definition from which the database will be restored. (Added in Ansible 2.4). + - The format of the backup will be detected based on the target name. + - Supported compression formats for dump and restore determined by target file format C(.pgc) (custom), C(.bz2) (bzip2), C(.gz) (gzip/pigz) and C(.xz) (xz). + - Supported formats for dump and restore determined by target file format C(.sql) (plain), C(.tar) (tar), C(.pgc) (custom) and C(.dir) (directory) + For the directory format which is supported since collection version 1.4.0. + - "Restore program is selected by target file format: C(.tar), C(.pgc), and C(.dir) are handled by pg_restore, other with pgsql." + - "." + - C(rename) is used to rename the database C(name) to C(target). + - If the database C(name) exists, it will be renamed to C(target). + - If the database C(name) does not exist and the C(target) database exists, + the module will report that nothing has changed. + - If both the databases exist as well as when they have the same value, an error will be raised. + - When I(state=rename), in addition to the C(name) option, the module requires the C(target) option. Other options are ignored. + Supported since collection version 1.4.0. + type: str + choices: [ absent, dump, present, rename, restore ] + default: present + force: + description: + - Used to forcefully drop a database when the I(state) is C(absent), ignored otherwise. + type: bool + default: False + target: + description: + - File to back up or restore from. + - Used when I(state) is C(dump) or C(restore). + type: path + default: '' + target_opts: + description: + - Additional arguments for pg_dump or restore program (pg_restore or psql, depending on target's format). + - Used when I(state) is C(dump) or C(restore). + type: str + default: '' + maintenance_db: + description: + - The value specifies the initial database (which is also called as maintenance DB) that Ansible connects to. + type: str + default: postgres + conn_limit: + description: + - Specifies the database connection limit. + type: str + default: '' + tablespace: + description: + - The tablespace to set for the database + U(https://www.postgresql.org/docs/current/sql-alterdatabase.html). + - If you want to move the database back to the default tablespace, + explicitly set this to pg_default. + type: path + default: '' + dump_extra_args: + description: + - Provides additional arguments when I(state) is C(dump). + - Cannot be used with dump-file-format-related arguments like ``--format=d``. + type: str + version_added: '0.2.0' + trust_input: + description: + - If C(false), check whether values of parameters I(owner), I(conn_limit), I(encoding), + I(db), I(template), I(tablespace), I(session_role) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' +seealso: +- name: CREATE DATABASE reference + description: Complete reference of the CREATE DATABASE command documentation. + link: https://www.postgresql.org/docs/current/sql-createdatabase.html +- name: DROP DATABASE reference + description: Complete reference of the DROP DATABASE command documentation. + link: https://www.postgresql.org/docs/current/sql-dropdatabase.html +- name: pg_dump reference + description: Complete reference of pg_dump documentation. + link: https://www.postgresql.org/docs/current/app-pgdump.html +- name: pg_restore reference + description: Complete reference of pg_restore documentation. + link: https://www.postgresql.org/docs/current/app-pgrestore.html +- module: community.postgresql.postgresql_tablespace +- module: community.postgresql.postgresql_info +- module: community.postgresql.postgresql_ping + +notes: +- State C(dump) and C(restore) don't require I(psycopg2) since version 2.8. + +attributes: + check_mode: + support: full + +author: "Ansible Core Team" + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Create a new database with name "acme" + community.postgresql.postgresql_db: + name: acme + +# Note: If a template different from "template0" is specified, +# encoding and locale settings must match those of the template. +- name: Create a new database with name "acme" and specific encoding and locale # settings + community.postgresql.postgresql_db: + name: acme + encoding: UTF-8 + lc_collate: de_DE.UTF-8 + lc_ctype: de_DE.UTF-8 + template: template0 + +# Note: Default limit for the number of concurrent connections to +# a specific database is "-1", which means "unlimited" +- name: Create a new database with name "acme" which has a limit of 100 concurrent connections + community.postgresql.postgresql_db: + name: acme + conn_limit: "100" + +- name: Dump an existing database to a file + community.postgresql.postgresql_db: + name: acme + state: dump + target: /tmp/acme.sql + +- name: Dump an existing database to a file excluding the test table + community.postgresql.postgresql_db: + name: acme + state: dump + target: /tmp/acme.sql + dump_extra_args: --exclude-table=test + +- name: Dump an existing database to a file (with compression) + community.postgresql.postgresql_db: + name: acme + state: dump + target: /tmp/acme.sql.gz + +- name: Dump a single schema for an existing database + community.postgresql.postgresql_db: + name: acme + state: dump + target: /tmp/acme.sql + target_opts: "-n public" + +- name: Dump only table1 and table2 from the acme database + community.postgresql.postgresql_db: + name: acme + state: dump + target: /tmp/table1_table2.sql + target_opts: "-t table1 -t table2" + +- name: Dump an existing database using the directory format + community.postgresql.postgresql_db: + name: acme + state: dump + target: /tmp/acme.dir + +- name: Dump an existing database using the custom format + community.postgresql.postgresql_db: + name: acme + state: dump + target: /tmp/acme.pgc + +# name: acme - the name of the database to connect through which the recovery will take place +- name: Restore database using the tar format + community.postgresql.postgresql_db: + name: acme + state: restore + target: /tmp/acme.tar + +# Note: In the example below, if database foo exists and has another tablespace +# the tablespace will be changed to foo. Access to the database will be locked +# until the copying of database files is finished. +- name: Create a new database called foo in tablespace bar + community.postgresql.postgresql_db: + name: foo + tablespace: bar + +# Rename the database foo to bar. +# If the database foo exists, it will be renamed to bar. +# If the database foo does not exist and the bar database exists, +# the module will report that nothing has changed. +# If both the databases exist, an error will be raised. +- name: Rename the database foo to bar + community.postgresql.postgresql_db: + name: foo + state: rename + target: bar +''' + +RETURN = r''' +executed_commands: + description: List of commands which tried to run. + returned: always + type: list + sample: ["CREATE DATABASE acme"] + version_added: '0.2.0' +''' + + +import os +import subprocess +import traceback + +try: + from psycopg2.extras import DictCursor +except ImportError: + HAS_PSYCOPG2 = False +else: + HAS_PSYCOPG2 = True + +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + get_conn_params, + ensure_required_libs, + postgres_common_argument_spec +) +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, + SQLParseError, +) +from ansible.module_utils.six.moves import shlex_quote +from ansible.module_utils._text import to_native + +executed_commands = [] + + +class NotSupportedError(Exception): + pass + +# =========================================== +# PostgreSQL module specific support methods. +# + + +def set_owner(cursor, db, owner): + query = 'ALTER DATABASE "%s" OWNER TO "%s"' % (db, owner) + executed_commands.append(query) + cursor.execute(query) + return True + + +def set_conn_limit(cursor, db, conn_limit): + query = 'ALTER DATABASE "%s" CONNECTION LIMIT %s' % (db, conn_limit) + executed_commands.append(query) + cursor.execute(query) + return True + + +def get_encoding_id(cursor, encoding): + query = "SELECT pg_char_to_encoding(%(encoding)s) AS encoding_id;" + cursor.execute(query, {'encoding': encoding}) + return cursor.fetchone()['encoding_id'] + + +def get_db_info(cursor, db): + query = """ + SELECT rolname AS owner, + pg_encoding_to_char(encoding) AS encoding, encoding AS encoding_id, + datcollate AS lc_collate, datctype AS lc_ctype, pg_database.datconnlimit AS conn_limit, + spcname AS tablespace + FROM pg_database + JOIN pg_roles ON pg_roles.oid = pg_database.datdba + JOIN pg_tablespace ON pg_tablespace.oid = pg_database.dattablespace + WHERE datname = %(db)s + """ + cursor.execute(query, {'db': db}) + return cursor.fetchone() + + +def db_exists(cursor, db): + query = "SELECT * FROM pg_database WHERE datname=%(db)s" + cursor.execute(query, {'db': db}) + return cursor.rowcount == 1 + + +def db_dropconns(cursor, db): + if cursor.connection.server_version >= 90200: + """ Drop DB connections in Postgres 9.2 and above """ + query_terminate = ("SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity " + "WHERE pg_stat_activity.datname=%(db)s AND pid <> pg_backend_pid()") + else: + """ Drop DB connections in Postgres 9.1 and below """ + query_terminate = ("SELECT pg_terminate_backend(pg_stat_activity.procpid) FROM pg_stat_activity " + "WHERE pg_stat_activity.datname=%(db)s AND procpid <> pg_backend_pid()") + query_block = ("UPDATE pg_database SET datallowconn = false WHERE datname=%(db)s") + query = query_block + '; ' + query_terminate + + cursor.execute(query, {'db': db}) + + +def db_delete(cursor, db, force=False): + if db_exists(cursor, db): + query = 'DROP DATABASE "%s"' % db + if force: + if cursor.connection.server_version >= 130000: + query = ('DROP DATABASE "%s" WITH (FORCE)' % db) + else: + db_dropconns(cursor, db) + executed_commands.append(query) + cursor.execute(query) + return True + else: + return False + + +def db_create(cursor, db, owner, template, encoding, lc_collate, lc_ctype, conn_limit, tablespace): + params = dict(enc=encoding, collate=lc_collate, ctype=lc_ctype, conn_limit=conn_limit, tablespace=tablespace) + if not db_exists(cursor, db): + query_fragments = ['CREATE DATABASE "%s"' % db] + if owner: + query_fragments.append('OWNER "%s"' % owner) + if template: + query_fragments.append('TEMPLATE "%s"' % template) + if encoding: + query_fragments.append('ENCODING %(enc)s') + if lc_collate: + query_fragments.append('LC_COLLATE %(collate)s') + if lc_ctype: + query_fragments.append('LC_CTYPE %(ctype)s') + if tablespace: + query_fragments.append('TABLESPACE "%s"' % tablespace) + if conn_limit: + query_fragments.append("CONNECTION LIMIT %(conn_limit)s" % {"conn_limit": conn_limit}) + query = ' '.join(query_fragments) + executed_commands.append(cursor.mogrify(query, params)) + cursor.execute(query, params) + return True + else: + db_info = get_db_info(cursor, db) + if (encoding and get_encoding_id(cursor, encoding) != db_info['encoding_id']): + raise NotSupportedError( + 'Changing database encoding is not supported. ' + 'Current encoding: %s' % db_info['encoding'] + ) + elif lc_collate and lc_collate != db_info['lc_collate']: + raise NotSupportedError( + 'Changing LC_COLLATE is not supported. ' + 'Current LC_COLLATE: %s' % db_info['lc_collate'] + ) + elif lc_ctype and lc_ctype != db_info['lc_ctype']: + raise NotSupportedError( + 'Changing LC_CTYPE is not supported.' + 'Current LC_CTYPE: %s' % db_info['lc_ctype'] + ) + else: + changed = False + + if owner and owner != db_info['owner']: + changed = set_owner(cursor, db, owner) + + if conn_limit and conn_limit != str(db_info['conn_limit']): + changed = set_conn_limit(cursor, db, conn_limit) + + if tablespace and tablespace != db_info['tablespace']: + changed = set_tablespace(cursor, db, tablespace) + + return changed + + +def db_matches(cursor, db, owner, template, encoding, lc_collate, lc_ctype, conn_limit, tablespace): + if not db_exists(cursor, db): + return False + else: + db_info = get_db_info(cursor, db) + if (encoding and get_encoding_id(cursor, encoding) != db_info['encoding_id']): + return False + elif lc_collate and lc_collate != db_info['lc_collate']: + return False + elif lc_ctype and lc_ctype != db_info['lc_ctype']: + return False + elif owner and owner != db_info['owner']: + return False + elif conn_limit and conn_limit != str(db_info['conn_limit']): + return False + elif tablespace and tablespace != db_info['tablespace']: + return False + else: + return True + + +def db_dump(module, target, target_opts="", + db=None, + dump_extra_args=None, + user=None, + password=None, + host=None, + port=None, + **kw): + + flags = login_flags(db, host, port, user, db_prefix=False) + cmd = module.get_bin_path('pg_dump', True) + comp_prog_path = None + + if os.path.splitext(target)[-1] == '.tar': + flags.append(' --format=t') + elif os.path.splitext(target)[-1] == '.pgc': + flags.append(' --format=c') + elif os.path.splitext(target)[-1] == '.dir': + flags.append(' --format=d') + + if os.path.splitext(target)[-1] == '.gz': + if module.get_bin_path('pigz'): + comp_prog_path = module.get_bin_path('pigz', True) + else: + comp_prog_path = module.get_bin_path('gzip', True) + elif os.path.splitext(target)[-1] == '.bz2': + comp_prog_path = module.get_bin_path('bzip2', True) + elif os.path.splitext(target)[-1] == '.xz': + comp_prog_path = module.get_bin_path('xz', True) + + cmd += "".join(flags) + + if dump_extra_args: + cmd += " {0} ".format(dump_extra_args) + + if target_opts: + cmd += " {0} ".format(target_opts) + + if comp_prog_path: + # Use a fifo to be notified of an error in pg_dump + # Using shell pipe has no way to return the code of the first command + # in a portable way. + fifo = os.path.join(module.tmpdir, 'pg_fifo') + os.mkfifo(fifo) + cmd = '{1} <{3} > {2} & {0} >{3}'.format(cmd, comp_prog_path, shlex_quote(target), fifo) + else: + if ' --format=d' in cmd: + cmd = '{0} -f {1}'.format(cmd, shlex_quote(target)) + else: + cmd = '{0} > {1}'.format(cmd, shlex_quote(target)) + + return do_with_password(module, cmd, password) + + +def db_restore(module, target, target_opts="", + db=None, + user=None, + password=None, + host=None, + port=None, + **kw): + + flags = login_flags(db, host, port, user) + comp_prog_path = None + cmd = module.get_bin_path('psql', True) + + if os.path.splitext(target)[-1] == '.sql': + flags.append(' --file={0}'.format(target)) + + elif os.path.splitext(target)[-1] == '.tar': + flags.append(' --format=Tar') + cmd = module.get_bin_path('pg_restore', True) + + elif os.path.splitext(target)[-1] == '.pgc': + flags.append(' --format=Custom') + cmd = module.get_bin_path('pg_restore', True) + + elif os.path.splitext(target)[-1] == '.dir': + flags.append(' --format=Directory') + cmd = module.get_bin_path('pg_restore', True) + + elif os.path.splitext(target)[-1] == '.gz': + comp_prog_path = module.get_bin_path('zcat', True) + + elif os.path.splitext(target)[-1] == '.bz2': + comp_prog_path = module.get_bin_path('bzcat', True) + + elif os.path.splitext(target)[-1] == '.xz': + comp_prog_path = module.get_bin_path('xzcat', True) + + cmd += "".join(flags) + if target_opts: + cmd += " {0} ".format(target_opts) + + if comp_prog_path: + env = os.environ.copy() + if password: + env = {"PGPASSWORD": password} + p1 = subprocess.Popen([comp_prog_path, target], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + p2 = subprocess.Popen(cmd, stdin=p1.stdout, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, env=env) + (stdout2, stderr2) = p2.communicate() + p1.stdout.close() + p1.wait() + if p1.returncode != 0: + stderr1 = p1.stderr.read() + return p1.returncode, '', stderr1, 'cmd: ****' + else: + return p2.returncode, '', stderr2, 'cmd: ****' + else: + if '--format=Directory' in cmd: + cmd = '{0} {1}'.format(cmd, shlex_quote(target)) + else: + cmd = '{0} < {1}'.format(cmd, shlex_quote(target)) + + return do_with_password(module, cmd, password) + + +def login_flags(db, host, port, user, db_prefix=True): + """ + returns a list of connection argument strings each prefixed + with a space and quoted where necessary to later be combined + in a single shell string with `"".join(rv)` + + db_prefix determines if "--dbname" is prefixed to the db argument, + since the argument was introduced in 9.3. + """ + flags = [] + if db: + if db_prefix: + flags.append(' --dbname={0}'.format(shlex_quote(db))) + else: + flags.append(' {0}'.format(shlex_quote(db))) + if host: + flags.append(' --host={0}'.format(host)) + if port: + flags.append(' --port={0}'.format(port)) + if user: + flags.append(' --username={0}'.format(user)) + return flags + + +def do_with_password(module, cmd, password): + env = {} + if password: + env = {"PGPASSWORD": password} + executed_commands.append(cmd) + rc, stderr, stdout = module.run_command(cmd, use_unsafe_shell=True, environ_update=env) + return rc, stderr, stdout, cmd + + +def set_tablespace(cursor, db, tablespace): + query = 'ALTER DATABASE "%s" SET TABLESPACE "%s"' % (db, tablespace) + executed_commands.append(query) + cursor.execute(query) + return True + + +def rename_db(module, cursor, db, target, check_mode=False): + source_db = db_exists(cursor, db) + target_db = db_exists(cursor, target) + + if source_db and target_db: + module.fail_json(msg='Both the source and the target databases exist.') + + if not source_db and target_db: + # If the source db doesn't exist and + # the target db exists, we assume that + # the desired state has been reached and + # respectively nothing needs to be changed + return False + + if not source_db and not target_db: + module.fail_json(msg='The source and the target databases do not exist.') + + if source_db and not target_db: + if check_mode: + return True + + query = 'ALTER DATABASE "%s" RENAME TO "%s"' % (db, target) + executed_commands.append(query) + cursor.execute(query) + return True + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + db=dict(type='str', required=True, aliases=['name']), + owner=dict(type='str', default=''), + template=dict(type='str', default=''), + encoding=dict(type='str', default=''), + lc_collate=dict(type='str', default=''), + lc_ctype=dict(type='str', default=''), + state=dict(type='str', default='present', + choices=['absent', 'dump', 'present', 'rename', 'restore']), + target=dict(type='path', default=''), + target_opts=dict(type='str', default=''), + maintenance_db=dict(type='str', default="postgres"), + session_role=dict(type='str'), + conn_limit=dict(type='str', default=''), + tablespace=dict(type='path', default=''), + dump_extra_args=dict(type='str', default=None), + trust_input=dict(type='bool', default=True), + force=dict(type='bool', default=False), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True + ) + + db = module.params["db"] + owner = module.params["owner"] + template = module.params["template"] + encoding = module.params["encoding"] + lc_collate = module.params["lc_collate"] + lc_ctype = module.params["lc_ctype"] + target = module.params["target"] + target_opts = module.params["target_opts"] + state = module.params["state"] + changed = False + maintenance_db = module.params['maintenance_db'] + session_role = module.params["session_role"] + conn_limit = module.params['conn_limit'] + tablespace = module.params['tablespace'] + dump_extra_args = module.params['dump_extra_args'] + trust_input = module.params['trust_input'] + force = module.params['force'] + + if state == 'rename': + if not target: + module.fail_json(msg='The "target" option must be defined when the "rename" option is used.') + + if db == target: + module.fail_json(msg='The "name/db" option and the "target" option cannot be the same.') + + if maintenance_db == db: + module.fail_json(msg='The "maintenance_db" option and the "name/db" option cannot be the same.') + + # Check input + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, owner, conn_limit, encoding, db, template, tablespace, session_role) + + raw_connection = state in ("dump", "restore") + + if not raw_connection: + ensure_required_libs(module) + + if target == "": + target = "{0}/{1}.sql".format(os.getcwd(), db) + target = os.path.expanduser(target) + + # Such a transformation is used, since the connection should go to 'maintenance_db' + params_dict = module.params + params_dict["db"] = module.params["maintenance_db"] + + # Parameters for connecting to the database + conn_params = get_conn_params(module, params_dict, warn_db_default=False) + + if not raw_connection: + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + if session_role: + try: + cursor.execute('SET ROLE "%s"' % session_role) + except Exception as e: + module.fail_json(msg="Could not switch role: %s" % to_native(e), exception=traceback.format_exc()) + + try: + if module.check_mode: + if state == "absent": + changed = db_exists(cursor, db) + + elif state == "present": + changed = not db_matches(cursor, db, owner, template, encoding, lc_collate, lc_ctype, conn_limit, tablespace) + + elif state == "rename": + changed = rename_db(module, cursor, db, target, check_mode=True) + + module.exit_json(changed=changed, db=db, executed_commands=executed_commands) + + if state == "absent": + try: + changed = db_delete(cursor, db, force) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + + elif state == "present": + try: + changed = db_create(cursor, db, owner, template, encoding, lc_collate, lc_ctype, conn_limit, tablespace) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + + elif raw_connection: + # Parameters for performing dump/restore + conn_params = get_conn_params(module, module.params, warn_db_default=False) + + method = state == "dump" and db_dump or db_restore + try: + if state == 'dump': + rc, stdout, stderr, cmd = method(module, target, target_opts, db, dump_extra_args, **conn_params) + else: + rc, stdout, stderr, cmd = method(module, target, target_opts, db, **conn_params) + + if rc != 0: + module.fail_json(msg=stderr, stdout=stdout, rc=rc, cmd=cmd) + else: + module.exit_json(changed=True, msg=stdout, stderr=stderr, rc=rc, cmd=cmd, + executed_commands=executed_commands) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + + elif state == 'rename': + changed = rename_db(module, cursor, db, target) + + except NotSupportedError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + except SystemExit: + # Avoid catching this on Python 2.4 + raise + except Exception as e: + module.fail_json(msg="Database query failed: %s" % to_native(e), exception=traceback.format_exc()) + + if not raw_connection: + cursor.close() + db_connection.close() + + module.exit_json(changed=changed, db=db, executed_commands=executed_commands) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_ext.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_ext.py new file mode 100644 index 000000000..e9f9e46b7 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_ext.py @@ -0,0 +1,475 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_ext +short_description: Add or remove PostgreSQL extensions from a database +description: +- Add or remove PostgreSQL extensions from a database. +options: + name: + description: + - Name of the extension to add or remove. + required: true + type: str + aliases: + - ext + db: + description: + - Name of the database to add or remove the extension to/from. + required: true + type: str + aliases: + - login_db + schema: + description: + - Name of the schema to add the extension to. + type: str + session_role: + description: + - Switch to session_role after connecting. + - The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally. + type: str + state: + description: + - The database extension state. + default: present + choices: [ absent, present ] + type: str + cascade: + description: + - Automatically install/remove any extensions that this extension depends on + that are not already installed/removed (supported since PostgreSQL 9.6). + type: bool + default: false + login_unix_socket: + description: + - Path to a Unix domain socket for local connections. + type: str + ssl_mode: + description: + - Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. + - See U(https://www.postgresql.org/docs/current/static/libpq-ssl.html) for more information on the modes. + - Default of C(prefer) matches libpq default. + type: str + default: prefer + choices: [ allow, disable, prefer, require, verify-ca, verify-full ] + ca_cert: + description: + - Specifies the name of a file containing SSL certificate authority (CA) certificate(s). + - If the file exists, the server's certificate will be verified to be signed by one of these authorities. + type: str + aliases: [ ssl_rootcert ] + version: + description: + - Extension version to add or update to. Has effect with I(state=present) only. + - If not specified and extension is not installed in the database, + the latest version available will be created. + - If extension is already installed, will update to the given version if a valid update + path exists. + - Downgrading is only supported if the extension provides a downgrade path otherwise + the extension must be removed and a lower version of the extension must be made available. + - Set I(version=latest) to always update the extension to the latest available version. + type: str + trust_input: + description: + - If C(false), check whether values of parameters I(ext), I(schema), + I(version), I(session_role) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' +seealso: +- name: PostgreSQL extensions + description: General information about PostgreSQL extensions. + link: https://www.postgresql.org/docs/current/external-extensions.html +- name: CREATE EXTENSION reference + description: Complete reference of the CREATE EXTENSION command documentation. + link: https://www.postgresql.org/docs/current/sql-createextension.html +- name: ALTER EXTENSION reference + description: Complete reference of the ALTER EXTENSION command documentation. + link: https://www.postgresql.org/docs/current/sql-alterextension.html +- name: DROP EXTENSION reference + description: Complete reference of the DROP EXTENSION command documentation. + link: https://www.postgresql.org/docs/current/sql-droppublication.html + +notes: +- Incomparable versions, for example PostGIS ``unpackaged``, cannot be installed. + +attributes: + check_mode: + support: full + +author: +- Daniel Schep (@dschep) +- Thomas O'Donnell (@andytom) +- Sandro Santilli (@strk) +- Andrew Klychkov (@Andersson007) +- Keith Fiske (@keithf4) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Adds postgis extension to the database acme in the schema foo + community.postgresql.postgresql_ext: + name: postgis + db: acme + schema: foo + +- name: Removes postgis extension to the database acme + community.postgresql.postgresql_ext: + name: postgis + db: acme + state: absent + +- name: Adds earthdistance extension to the database template1 cascade + community.postgresql.postgresql_ext: + name: earthdistance + db: template1 + cascade: true + +# In the example below, if earthdistance extension is installed, +# it will be removed too because it depends on cube: +- name: Removes cube extension from the database acme cascade + community.postgresql.postgresql_ext: + name: cube + db: acme + cascade: true + state: absent + +- name: Create extension foo of version 1.2 or update it to that version if it's already created and a valid update path exists + community.postgresql.postgresql_ext: + db: acme + name: foo + version: 1.2 + +- name: Create the latest available version of extension foo. If already installed, update it to the latest version + community.postgresql.postgresql_ext: + db: acme + name: foo + version: latest +''' + +RETURN = r''' +query: + description: List of executed queries. + returned: always + type: list + sample: ["DROP EXTENSION \"acme\""] + +''' + +import traceback + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible.module_utils._text import to_native + +executed_queries = [] + + +# =========================================== +# PostgreSQL module specific support methods. +# + + +def ext_delete(cursor, ext, current_version, cascade): + """Remove the extension from the database. + + Return True if success. + + Args: + cursor (cursor) -- cursor object of psycopg2 library + ext (str) -- extension name + current_version (str) -- installed version of the extension. + Value obtained from ext_get_versions and used to + determine if the extension was installed. + cascade (boolean) -- Pass the CASCADE flag to the DROP commmand + """ + if current_version: + query = "DROP EXTENSION \"%s\"" % ext + if cascade: + query += " CASCADE" + cursor.execute(query) + executed_queries.append(cursor.mogrify(query)) + return True + else: + return False + + +def ext_update_version(cursor, ext, version): + """Update extension version. + + Return True if success. + + Args: + cursor (cursor) -- cursor object of psycopg2 library + ext (str) -- extension name + version (str) -- extension version + """ + query = "ALTER EXTENSION \"%s\" UPDATE" % ext + params = {} + + if version != 'latest': + query += " TO %(ver)s" + params['ver'] = version + + cursor.execute(query, params) + executed_queries.append(cursor.mogrify(query, params)) + + return True + + +def ext_create(cursor, ext, schema, cascade, version): + """ + Create the extension objects inside the database. + + Return True if success. + + Args: + cursor (cursor) -- cursor object of psycopg2 library + ext (str) -- extension name + schema (str) -- target schema for extension objects + version (str) -- extension version + """ + query = "CREATE EXTENSION \"%s\"" % ext + params = {} + + if schema: + query += " WITH SCHEMA \"%s\"" % schema + if version != 'latest': + query += " VERSION %(ver)s" + params['ver'] = version + if cascade: + query += " CASCADE" + + cursor.execute(query, params) + executed_queries.append(cursor.mogrify(query, params)) + return True + + +def ext_get_versions(cursor, ext): + """ + Get the currently created extension version if it is installed + in the database and versions that are available if it is + installed on the system. + + Return tuple (current_version, [list of available versions]). + + Note: the list of available versions contains only versions + that higher than the current created version. + If the extension is not created, this list will contain all + available versions. + + Args: + cursor (cursor) -- cursor object of psycopg2 library + ext (str) -- extension name + """ + + current_version = None + params = {} + params['ext'] = ext + + # 1. Get the current extension version: + query = ("SELECT extversion FROM pg_catalog.pg_extension " + "WHERE extname = %(ext)s") + + cursor.execute(query, params) + + res = cursor.fetchone() + if res: + current_version = res[0] + + # 2. Get available versions: + query = ("SELECT version FROM pg_available_extension_versions " + "WHERE name = %(ext)s") + + cursor.execute(query, params) + + available_versions = set(r[0] for r in cursor.fetchall()) + + if current_version is None: + current_version = False + + return (current_version, available_versions) + + +def ext_valid_update_path(cursor, ext, current_version, version): + """ + Check to see if the installed extension version has a valid update + path to the given version. A version of 'latest' is always a valid path. + + Return True if a valid path exists. Otherwise return False. + + Args: + cursor (cursor) -- cursor object of psycopg2 library + ext (str) -- extension name + current_version (str) -- installed version of the extension. + version (str) -- target extension version to update to. + A value of 'latest' is always a valid path and will result + in the extension update command always being run. + """ + + valid_path = False + params = {} + if version != 'latest': + query = ("SELECT path FROM pg_extension_update_paths(%(ext)s) " + "WHERE source = %(cv)s " + "AND target = %(ver)s") + + params['ext'] = ext + params['cv'] = current_version + params['ver'] = version + + cursor.execute(query, params) + res = cursor.fetchone() + if res is not None: + valid_path = True + else: + valid_path = True + + return (valid_path) + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + db=dict(type="str", required=True, aliases=["login_db"]), + ext=dict(type="str", required=True, aliases=["name"]), + schema=dict(type="str"), + state=dict(type="str", default="present", choices=["absent", "present"]), + cascade=dict(type="bool", default=False), + session_role=dict(type="str"), + version=dict(type="str"), + trust_input=dict(type="bool", default=True), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + ext = module.params["ext"] + schema = module.params["schema"] + state = module.params["state"] + cascade = module.params["cascade"] + version = module.params["version"] + session_role = module.params["session_role"] + trust_input = module.params["trust_input"] + changed = False + + if not trust_input: + check_input(module, ext, schema, version, session_role) + + if version and state == 'absent': + module.warn("Parameter version is ignored when state=absent") + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + try: + # Get extension info and available versions: + curr_version, available_versions = ext_get_versions(cursor, ext) + + if state == "present": + + # If version passed + if version: + # If extension is installed, update to passed version if a valid path exists + if curr_version: + # Given version already installed + if curr_version == version: + changed = False + # Attempt to update to given version or latest version defined in extension control file + # ALTER EXTENSION is actually run if valid, so 'changed' will be true even if nothing updated + else: + valid_update_path = ext_valid_update_path(cursor, ext, curr_version, version) + if valid_update_path: + if module.check_mode: + changed = True + else: + changed = ext_update_version(cursor, ext, version) + else: + module.fail_json(msg="Passed version '%s' has no valid update path from " + "the currently installed version '%s' or " + "the passed version is not available" % (version, curr_version)) + else: + # If not requesting latest version and passed version not available + if version != 'latest' and version not in available_versions: + module.fail_json(msg="Passed version '%s' is not available" % version) + # Else install the passed version when available + else: + if module.check_mode: + changed = True + else: + changed = ext_create(cursor, ext, schema, cascade, version) + + # If version is not passed: + else: + # Extension exists, no request to update so no change + if curr_version: + changed = False + else: + # If the ext doesn't exist and is available: + if available_versions: + if module.check_mode: + changed = True + else: + changed = ext_create(cursor, ext, schema, cascade, 'latest') + + # If the ext doesn't exist and is not available: + else: + module.fail_json(msg="Extension %s is not available" % ext) + + elif state == "absent": + if curr_version: + if module.check_mode: + changed = True + else: + changed = ext_delete(cursor, ext, curr_version, cascade) + else: + changed = False + + except Exception as e: + db_connection.close() + module.fail_json(msg="Management of PostgreSQL extension failed: %s" % to_native(e), exception=traceback.format_exc()) + + db_connection.close() + module.exit_json(changed=changed, db=module.params["db"], ext=ext, queries=executed_queries) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_idx.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_idx.py new file mode 100644 index 000000000..2ffb33a8c --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_idx.py @@ -0,0 +1,594 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018-2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_idx +short_description: Create or drop indexes from a PostgreSQL database +description: +- Create or drop indexes from a PostgreSQL database. + +options: + idxname: + description: + - Name of the index to create or drop. + type: str + required: true + aliases: + - name + db: + description: + - Name of database to connect to and where the index will be created/dropped. + type: str + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. + The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + schema: + description: + - Name of a database schema where the index will be created. + type: str + state: + description: + - Index state. + - C(present) implies the index will be created if it does not exist. + - C(absent) implies the index will be dropped if it exists. + type: str + default: present + choices: [ absent, present ] + table: + description: + - Table to create index on it. + - Mutually exclusive with I(state=absent). + type: str + columns: + description: + - List of index columns that need to be covered by index. + - Mutually exclusive with I(state=absent). + type: list + elements: str + aliases: + - column + cond: + description: + - Index conditions. + - Mutually exclusive with I(state=absent). + type: str + idxtype: + description: + - Index type (like btree, gist, gin, etc.). + - Mutually exclusive with I(state=absent). + type: str + aliases: + - type + concurrent: + description: + - Enable or disable concurrent mode (CREATE / DROP INDEX CONCURRENTLY). + - Pay attention, if I(concurrent=false), the table will be locked (ACCESS EXCLUSIVE) during the building process. + For more information about the lock levels see U(https://www.postgresql.org/docs/current/explicit-locking.html). + - If the building process was interrupted for any reason when I(cuncurrent=true), the index becomes invalid. + In this case it should be dropped and created again. + - Mutually exclusive with I(cascade=true). + type: bool + default: true + unique: + description: + - Enable unique index. + - Only btree currently supports unique indexes. + type: bool + default: false + version_added: '0.2.0' + tablespace: + description: + - Set a tablespace for the index. + - Mutually exclusive with I(state=absent). + type: str + storage_params: + description: + - Storage parameters like fillfactor, vacuum_cleanup_index_scale_factor, etc. + - Mutually exclusive with I(state=absent). + type: list + elements: str + cascade: + description: + - Automatically drop objects that depend on the index, + and in turn all objects that depend on those objects. + - It used only with I(state=absent). + - Mutually exclusive with I(concurrent=true). + type: bool + default: false + trust_input: + description: + - If C(false), check whether values of parameters I(idxname), I(session_role), + I(schema), I(table), I(columns), I(tablespace), I(storage_params), + I(cond) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' + +seealso: +- module: community.postgresql.postgresql_table +- module: community.postgresql.postgresql_tablespace +- name: PostgreSQL indexes reference + description: General information about PostgreSQL indexes. + link: https://www.postgresql.org/docs/current/indexes.html +- name: CREATE INDEX reference + description: Complete reference of the CREATE INDEX command documentation. + link: https://www.postgresql.org/docs/current/sql-createindex.html +- name: ALTER INDEX reference + description: Complete reference of the ALTER INDEX command documentation. + link: https://www.postgresql.org/docs/current/sql-alterindex.html +- name: DROP INDEX reference + description: Complete reference of the DROP INDEX command documentation. + link: https://www.postgresql.org/docs/current/sql-dropindex.html + +notes: +- The index building process can affect database performance. +- To avoid table locks on production databases, use I(concurrent=true) (default behavior). + +attributes: + check_mode: + support: full + +author: +- Andrew Klychkov (@Andersson007) +- Thomas O'Donnell (@andytom) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Create btree index if not exists test_idx concurrently covering columns id and name of table products + community.postgresql.postgresql_idx: + db: acme + table: products + columns: id,name + name: test_idx + +- name: Create btree index test_idx concurrently with tablespace called ssd and storage parameter + community.postgresql.postgresql_idx: + db: acme + table: products + columns: + - id + - name + idxname: test_idx + tablespace: ssd + storage_params: + - fillfactor=90 + +- name: Create gist index test_gist_idx concurrently on column geo_data of table map + community.postgresql.postgresql_idx: + db: somedb + table: map + idxtype: gist + columns: geo_data + idxname: test_gist_idx + +# Note: for the example below pg_trgm extension must be installed for gin_trgm_ops +- name: Create gin index gin0_idx not concurrently on column comment of table test + community.postgresql.postgresql_idx: + idxname: gin0_idx + table: test + columns: comment gin_trgm_ops + concurrent: false + idxtype: gin + +- name: Drop btree test_idx concurrently + community.postgresql.postgresql_idx: + db: mydb + idxname: test_idx + state: absent + +- name: Drop test_idx cascade + community.postgresql.postgresql_idx: + db: mydb + idxname: test_idx + state: absent + cascade: true + concurrent: false + +- name: Create btree index test_idx concurrently on columns id,comment where column id > 1 + community.postgresql.postgresql_idx: + db: mydb + table: test + columns: id,comment + idxname: test_idx + cond: id > 1 + +- name: Create unique btree index if not exists test_unique_idx on column name of table products + community.postgresql.postgresql_idx: + db: acme + table: products + columns: name + name: test_unique_idx + unique: true + concurrent: false +''' + +RETURN = r''' +name: + description: Index name. + returned: always + type: str + sample: 'foo_idx' +state: + description: Index state. + returned: always + type: str + sample: 'present' +schema: + description: Schema where index exists. + returned: always + type: str + sample: 'public' +tablespace: + description: Tablespace where index exists. + returned: always + type: str + sample: 'ssd' +query: + description: Query that was tried to be executed. + returned: always + type: str + sample: 'CREATE INDEX CONCURRENTLY foo_idx ON test_table USING BTREE (id)' +storage_params: + description: Index storage parameters. + returned: always + type: list + sample: [ "fillfactor=90" ] +valid: + description: Index validity. + returned: always + type: bool + sample: true +''' + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import check_input +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + + +VALID_IDX_TYPES = ('BTREE', 'HASH', 'GIST', 'SPGIST', 'GIN', 'BRIN') + + +# =========================================== +# PostgreSQL module specific support methods. +# + +class Index(object): + + """Class for working with PostgreSQL indexes. + + TODO: + 1. Add possibility to change ownership + 2. Add possibility to change tablespace + 3. Add list called executed_queries (executed_query should be left too) + 4. Use self.module instead of passing arguments to the methods whenever possible + + Args: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + schema (str) -- name of the index schema + name (str) -- name of the index + + Attrs: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + schema (str) -- name of the index schema + name (str) -- name of the index + exists (bool) -- flag the index exists in the DB or not + info (dict) -- dict that contents information about the index + executed_query (str) -- executed query + """ + + def __init__(self, module, cursor, schema, name): + self.name = name + if schema: + self.schema = schema + else: + self.schema = 'public' + self.module = module + self.cursor = cursor + self.info = { + 'name': self.name, + 'state': 'absent', + 'schema': '', + 'tblname': '', + 'tblspace': '', + 'valid': True, + 'storage_params': [], + } + self.exists = False + self.__exists_in_db() + self.executed_query = '' + + def get_info(self): + """Refresh index info. + + Return self.info dict. + """ + self.__exists_in_db() + return self.info + + def __exists_in_db(self): + """Check index existence, collect info, add it to self.info dict. + + Return True if the index exists, otherwise, return False. + """ + query = ("SELECT i.schemaname, i.tablename, i.tablespace, " + "pi.indisvalid, c.reloptions " + "FROM pg_catalog.pg_indexes AS i " + "JOIN pg_catalog.pg_class AS c " + "ON i.indexname = c.relname " + "JOIN pg_catalog.pg_index AS pi " + "ON c.oid = pi.indexrelid " + "WHERE i.indexname = %(name)s") + + res = exec_sql(self, query, query_params={'name': self.name}, add_to_executed=False) + if res: + self.exists = True + self.info = dict( + name=self.name, + state='present', + schema=res[0][0], + tblname=res[0][1], + tblspace=res[0][2] if res[0][2] else '', + valid=res[0][3], + storage_params=res[0][4] if res[0][4] else [], + ) + return True + + else: + self.exists = False + return False + + def create(self, tblname, idxtype, columns, cond, tblspace, + storage_params, concurrent=True, unique=False): + """Create PostgreSQL index. + + Return True if success, otherwise, return False. + + Args: + tblname (str) -- name of a table for the index + idxtype (str) -- type of the index like BTREE, BRIN, etc + columns (str) -- string of comma-separated columns that need to be covered by index + tblspace (str) -- tablespace for storing the index + storage_params (str) -- string of comma-separated storage parameters + + Kwargs: + concurrent (bool) -- build index in concurrent mode, default True + """ + if self.exists: + return False + + if idxtype is None: + idxtype = "BTREE" + + query = 'CREATE' + + if unique: + query += ' UNIQUE' + + query += ' INDEX' + + if concurrent: + query += ' CONCURRENTLY' + + query += ' "%s"' % self.name + + query += ' ON "%s"."%s" ' % (self.schema, tblname) + + query += 'USING %s (%s)' % (idxtype, columns) + + if storage_params: + query += ' WITH (%s)' % storage_params + + if tblspace: + query += ' TABLESPACE "%s"' % tblspace + + if cond: + query += ' WHERE %s' % cond + + self.executed_query = query + + return exec_sql(self, query, return_bool=True, add_to_executed=False) + + def drop(self, cascade=False, concurrent=True): + """Drop PostgreSQL index. + + Return True if success, otherwise, return False. + + Args: + schema (str) -- name of the index schema + + Kwargs: + cascade (bool) -- automatically drop objects that depend on the index, + default False + concurrent (bool) -- build index in concurrent mode, default True + """ + if not self.exists: + return False + + query = 'DROP INDEX' + + if concurrent: + query += ' CONCURRENTLY' + + query += ' "%s"."%s"' % (self.schema, self.name) + + if cascade: + query += ' CASCADE' + + self.executed_query = query + + return exec_sql(self, query, return_bool=True, add_to_executed=False) + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + idxname=dict(type='str', required=True, aliases=['name']), + db=dict(type='str', aliases=['login_db']), + state=dict(type='str', default='present', choices=['absent', 'present']), + concurrent=dict(type='bool', default=True), + unique=dict(type='bool', default=False), + table=dict(type='str'), + idxtype=dict(type='str', aliases=['type']), + columns=dict(type='list', elements='str', aliases=['column']), + cond=dict(type='str'), + session_role=dict(type='str'), + tablespace=dict(type='str'), + storage_params=dict(type='list', elements='str'), + cascade=dict(type='bool', default=False), + schema=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + idxname = module.params["idxname"] + state = module.params["state"] + concurrent = module.params["concurrent"] + unique = module.params["unique"] + table = module.params["table"] + idxtype = module.params["idxtype"] + columns = module.params["columns"] + cond = module.params["cond"] + tablespace = module.params["tablespace"] + storage_params = module.params["storage_params"] + cascade = module.params["cascade"] + schema = module.params["schema"] + session_role = module.params["session_role"] + trust_input = module.params["trust_input"] + + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, idxname, session_role, schema, table, columns, + tablespace, storage_params, cond) + + if concurrent and cascade: + module.fail_json(msg="Concurrent mode and cascade parameters are mutually exclusive") + + if unique and (idxtype and idxtype != 'btree'): + module.fail_json(msg="Only btree currently supports unique indexes") + + if state == 'present': + if not table: + module.fail_json(msg="Table must be specified") + if not columns: + module.fail_json(msg="At least one column must be specified") + else: + if table or columns or cond or idxtype or tablespace: + module.fail_json(msg="Index %s is going to be removed, so it does not " + "make sense to pass a table name, columns, conditions, " + "index type, or tablespace" % idxname) + + if cascade and state != 'absent': + module.fail_json(msg="cascade parameter used only with state=absent") + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + # Set defaults: + changed = False + + # Do job: + index = Index(module, cursor, schema, idxname) + kw = index.get_info() + kw['query'] = '' + + # + # check_mode start + if module.check_mode: + if state == 'present' and index.exists: + kw['changed'] = False + module.exit_json(**kw) + + elif state == 'present' and not index.exists: + kw['changed'] = True + module.exit_json(**kw) + + elif state == 'absent' and not index.exists: + kw['changed'] = False + module.exit_json(**kw) + + elif state == 'absent' and index.exists: + kw['changed'] = True + module.exit_json(**kw) + # check_mode end + # + + if state == "present": + if idxtype and idxtype.upper() not in VALID_IDX_TYPES: + module.fail_json(msg="Index type '%s' of %s is not in valid types" % (idxtype, idxname)) + + columns = ','.join(columns) + + if storage_params: + storage_params = ','.join(storage_params) + + changed = index.create(table, idxtype, columns, cond, tablespace, storage_params, concurrent, unique) + + if changed: + kw = index.get_info() + kw['state'] = 'present' + kw['query'] = index.executed_query + + else: + changed = index.drop(cascade, concurrent) + + if changed: + kw['state'] = 'absent' + kw['query'] = index.executed_query + + if not kw['valid']: + db_connection.rollback() + module.warn("Index %s is invalid! ROLLBACK" % idxname) + + if not concurrent: + db_connection.commit() + + kw['changed'] = changed + db_connection.close() + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_info.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_info.py new file mode 100644 index 000000000..55bb6ebd8 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_info.py @@ -0,0 +1,1111 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_info +short_description: Gather information about PostgreSQL servers +description: +- Gathers information about PostgreSQL servers. +options: + filter: + description: + - Limit the collected information by comma separated string or YAML list. + - Allowable values are C(version), + C(databases), C(in_recovery), C(settings), C(tablespaces), C(roles), + C(replications), C(repl_slots). + - By default, collects all subsets. + - You can use shell-style (fnmatch) wildcard to pass groups of values (see Examples). + - You can use '!' before value (for example, C(!settings)) to exclude it from the information. + - If you pass including and excluding values to the filter, for example, I(filter=!settings,ver), + the excluding values will be ignored. + type: list + elements: str + db: + description: + - Name of database to connect. + type: str + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + trust_input: + description: + - If C(false), check whether a value of I(session_role) is potentially dangerous. + - It makes sense to use C(false) only when SQL injections via I(session_role) are possible. + type: bool + default: true + version_added: '0.2.0' + +attributes: + check_mode: + support: full + +seealso: +- module: community.postgresql.postgresql_ping + +author: +- Andrew Klychkov (@Andersson007) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +# Display info from postgres hosts. +# ansible postgres -m postgresql_info + +# Display only databases and roles info from all hosts using shell-style wildcards: +# ansible all -m postgresql_info -a 'filter=dat*,rol*' + +# Display only replications and repl_slots info from standby hosts using shell-style wildcards: +# ansible standby -m postgresql_info -a 'filter=repl*' + +# Display all info from databases hosts except settings: +# ansible databases -m postgresql_info -a 'filter=!settings' + +- name: Collect PostgreSQL version and extensions + become: true + become_user: postgres + community.postgresql.postgresql_info: + filter: ver*,ext* + +- name: Collect all info except settings and roles + become: true + become_user: postgres + community.postgresql.postgresql_info: + filter: "!settings,!roles" + +# On FreeBSD with PostgreSQL 9.5 version and lower use pgsql user to become +# and pass "postgres" as a database to connect to +- name: Collect tablespaces and repl_slots info + become: true + become_user: pgsql + community.postgresql.postgresql_info: + db: postgres + filter: + - tablesp* + - repl_sl* + +- name: Collect all info except databases + become: true + become_user: postgres + community.postgresql.postgresql_info: + filter: + - "!databases" +''' + +RETURN = r''' +version: + description: Database server version U(https://www.postgresql.org/support/versioning/). + returned: always + type: dict + sample: { "version": { "major": 10, "minor": 6 } } + contains: + major: + description: Major server version. + returned: always + type: int + sample: 11 + minor: + description: Minor server version. + returned: always + type: int + sample: 1 + patch: + description: Patch server version. + returned: if supported + type: int + sample: 5 + version_added: '1.2.0' + full: + description: Full server version. + returned: always + type: str + sample: '13.2' + version_added: '1.2.0' + raw: + description: Full output returned by ``SELECT version()``. + returned: always + type: str + sample: 'PostgreSQL 13.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 10.2.1 20201125 (Red Hat 10.2.1-9), 64-bit' + version_added: '1.2.0' +in_recovery: + description: Indicates if the service is in recovery mode or not. + returned: always + type: bool + sample: false +databases: + description: Information about databases. + returned: always + type: dict + sample: + - { "postgres": { "access_priv": "", "collate": "en_US.UTF-8", + "ctype": "en_US.UTF-8", "encoding": "UTF8", "owner": "postgres", "size": "7997 kB" } } + contains: + database_name: + description: Database name. + returned: always + type: dict + sample: template1 + contains: + access_priv: + description: Database access privileges. + returned: always + type: str + sample: "=c/postgres_npostgres=CTc/postgres" + collate: + description: + - Database collation U(https://www.postgresql.org/docs/current/collation.html). + returned: always + type: str + sample: en_US.UTF-8 + ctype: + description: + - Database LC_CTYPE U(https://www.postgresql.org/docs/current/multibyte.html). + returned: always + type: str + sample: en_US.UTF-8 + encoding: + description: + - Database encoding U(https://www.postgresql.org/docs/current/multibyte.html). + returned: always + type: str + sample: UTF8 + owner: + description: + - Database owner U(https://www.postgresql.org/docs/current/sql-createdatabase.html). + returned: always + type: str + sample: postgres + size: + description: Database size in bytes. + returned: always + type: str + sample: 8189415 + extensions: + description: + - Extensions U(https://www.postgresql.org/docs/current/sql-createextension.html). + returned: always + type: dict + sample: + - { "plpgsql": { "description": "PL/pgSQL procedural language", + "extversion": { "major": 1, "minor": 0, "raw": '1.0' } } } + contains: + extdescription: + description: Extension description. + returned: if existent + type: str + sample: PL/pgSQL procedural language + extversion: + description: Extension description. + returned: always + type: dict + contains: + major: + description: Extension major version. + returned: always + type: int + sample: 1 + minor: + description: Extension minor version. + returned: always + type: int + sample: 0 + raw: + description: Extension full version. + returned: always + type: str + sample: '1.0' + nspname: + description: Namespace where the extension is. + returned: always + type: str + sample: pg_catalog + languages: + description: Procedural languages U(https://www.postgresql.org/docs/current/xplang.html). + returned: always + type: dict + sample: { "sql": { "lanacl": "", "lanowner": "postgres" } } + contains: + lanacl: + description: + - Language access privileges + U(https://www.postgresql.org/docs/current/catalog-pg-language.html). + returned: always + type: str + sample: "{postgres=UC/postgres,=U/postgres}" + lanowner: + description: + - Language owner U(https://www.postgresql.org/docs/current/catalog-pg-language.html). + returned: always + type: str + sample: postgres + namespaces: + description: + - Namespaces (schema) U(https://www.postgresql.org/docs/current/sql-createschema.html). + returned: always + type: dict + sample: { "pg_catalog": { "nspacl": "{postgres=UC/postgres,=U/postgres}", "nspowner": "postgres" } } + contains: + nspacl: + description: + - Access privileges U(https://www.postgresql.org/docs/current/catalog-pg-namespace.html). + returned: always + type: str + sample: "{postgres=UC/postgres,=U/postgres}" + nspowner: + description: + - Schema owner U(https://www.postgresql.org/docs/current/catalog-pg-namespace.html). + returned: always + type: str + sample: postgres + publications: + description: + - Information about logical replication publications (available for PostgreSQL 10 and higher) + U(https://www.postgresql.org/docs/current/logical-replication-publication.html). + - Content depends on PostgreSQL server version. + returned: if configured + type: dict + sample: { "pub1": { "ownername": "postgres", "puballtables": true, "pubinsert": true, "pubupdate": true } } + version_added: '0.2.0' + subscriptions: + description: + - Information about replication subscriptions (available for PostgreSQL 10 and higher) + U(https://www.postgresql.org/docs/current/logical-replication-subscription.html). + - Content depends on PostgreSQL server version. + - The return values for the superuser and the normal user may differ + U(https://www.postgresql.org/docs/current/catalog-pg-subscription.html). + returned: if configured + type: dict + sample: + - { "my_subscription": {"ownername": "postgres", "subenabled": true, "subpublications": ["first_publication"] } } + version_added: '0.2.0' +repl_slots: + description: + - Replication slots (available in 9.4 and later) + U(https://www.postgresql.org/docs/current/view-pg-replication-slots.html). + returned: if existent + type: dict + sample: { "slot0": { "active": false, "database": null, "plugin": null, "slot_type": "physical" } } + contains: + active: + description: + - True means that a receiver has connected to it, and it is currently reserving archives. + returned: always + type: bool + sample: true + database: + description: Database name this slot is associated with, or null. + returned: always + type: str + sample: acme + plugin: + description: + - Base name of the shared object containing the output plugin + this logical slot is using, or null for physical slots. + returned: always + type: str + sample: pgoutput + slot_type: + description: The slot type - physical or logical. + returned: always + type: str + sample: logical +replications: + description: + - Information about the current replications by process PIDs + U(https://www.postgresql.org/docs/current/monitoring-stats.html#MONITORING-STATS-VIEWS-TABLE). + returned: if pg_stat_replication view existent + type: dict + sample: + - { "76580": { "app_name": "standby1", "backend_start": "2019-02-03 00:14:33.908593+03", + "client_addr": "10.10.10.2", "client_hostname": "", "state": "streaming", "usename": "postgres" } } + contains: + usename: + description: + - Name of the user logged into this WAL sender process ('usename' is a column name in pg_stat_replication view). + returned: always + type: str + sample: replication_user + app_name: + description: Name of the application that is connected to this WAL sender. + returned: if existent + type: str + sample: acme_srv + client_addr: + description: + - IP address of the client connected to this WAL sender. + - If this field is null, it indicates that the client is connected + via a Unix socket on the server machine. + returned: always + type: str + sample: 10.0.0.101 + client_hostname: + description: + - Host name of the connected client, as reported by a reverse DNS lookup of client_addr. + - This field will only be non-null for IP connections, and only when log_hostname is enabled. + returned: always + type: str + sample: dbsrv1 + backend_start: + description: Time when this process was started, i.e., when the client connected to this WAL sender. + returned: always + type: str + sample: "2019-02-03 00:14:33.908593+03" + state: + description: Current WAL sender state. + returned: always + type: str + sample: streaming +tablespaces: + description: + - Information about tablespaces U(https://www.postgresql.org/docs/current/catalog-pg-tablespace.html). + returned: always + type: dict + sample: + - { "test": { "spcacl": "{postgres=C/postgres,andreyk=C/postgres}", "spcoptions": [ "seq_page_cost=1" ], + "spcowner": "postgres" } } + contains: + spcacl: + description: Tablespace access privileges. + returned: always + type: str + sample: "{postgres=C/postgres,andreyk=C/postgres}" + spcoptions: + description: Tablespace-level options. + returned: always + type: list + sample: [ "seq_page_cost=1" ] + spcowner: + description: Owner of the tablespace. + returned: always + type: str + sample: test_user +roles: + description: + - Information about roles U(https://www.postgresql.org/docs/current/user-manag.html). + returned: always + type: dict + sample: + - { "test_role": { "canlogin": true, "member_of": [ "user_ro" ], "superuser": false, + "valid_until": "9999-12-31T23:59:59.999999+00:00" } } + contains: + canlogin: + description: Login privilege U(https://www.postgresql.org/docs/current/role-attributes.html). + returned: always + type: bool + sample: true + member_of: + description: + - Role membership U(https://www.postgresql.org/docs/current/role-membership.html). + returned: always + type: list + sample: [ "read_only_users" ] + superuser: + description: User is a superuser or not. + returned: always + type: bool + sample: false + valid_until: + description: + - Password expiration date U(https://www.postgresql.org/docs/current/sql-alterrole.html). + returned: always + type: str + sample: "9999-12-31T23:59:59.999999+00:00" +pending_restart_settings: + description: + - List of settings that are pending restart to be set. + returned: always + type: list + sample: [ "shared_buffers" ] +settings: + description: + - Information about run-time server parameters + U(https://www.postgresql.org/docs/current/view-pg-settings.html). + returned: always + type: dict + sample: + - { "work_mem": { "boot_val": "4096", "context": "user", "max_val": "2147483647", + "min_val": "64", "setting": "8192", "sourcefile": "/var/lib/pgsql/10/data/postgresql.auto.conf", + "unit": "kB", "vartype": "integer", "val_in_bytes": 4194304 } } + contains: + setting: + description: Current value of the parameter. + returned: always + type: str + sample: 49152 + unit: + description: Implicit unit of the parameter. + returned: always + type: str + sample: kB + boot_val: + description: + - Parameter value assumed at server startup if the parameter is not otherwise set. + returned: always + type: str + sample: 4096 + min_val: + description: + - Minimum allowed value of the parameter (null for non-numeric values). + returned: always + type: str + sample: 64 + max_val: + description: + - Maximum allowed value of the parameter (null for non-numeric values). + returned: always + type: str + sample: 2147483647 + sourcefile: + description: + - Configuration file the current value was set in. + - Null for values set from sources other than configuration files, + or when examined by a user who is neither a superuser or a member of pg_read_all_settings. + - Helpful when using include directives in configuration files. + returned: always + type: str + sample: /var/lib/pgsql/10/data/postgresql.auto.conf + context: + description: + - Context required to set the parameter's value. + - For more information see U(https://www.postgresql.org/docs/current/view-pg-settings.html). + returned: always + type: str + sample: user + vartype: + description: + - Parameter type (bool, enum, integer, real, or string). + returned: always + type: str + sample: integer + val_in_bytes: + description: + - Current value of the parameter in bytes. + returned: if supported + type: int + sample: 2147483647 + pretty_val: + description: + - Value presented in the pretty form. + returned: always + type: str + sample: 2MB + pending_restart: + description: + - True if the value has been changed in the configuration file but needs a restart; or false otherwise. + - Returns only if C(settings) is passed. + returned: always + type: bool + sample: false +''' + +import re +from fnmatch import fnmatch + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible.module_utils.six import iteritems +from ansible.module_utils._text import to_native + + +# =========================================== +# PostgreSQL module specific support methods. +# + +class PgDbConn(object): + """Auxiliary class for working with PostgreSQL connection objects. + + Arguments: + module (AnsibleModule): Object of AnsibleModule class that + contains connection parameters. + """ + + def __init__(self, module): + self.module = module + self.db_conn = None + self.cursor = None + + def connect(self, fail_on_conn=True): + """Connect to a PostgreSQL database and return a cursor object. + + Note: connection parameters are passed by self.module object. + """ + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(self.module) + conn_params = get_conn_params(self.module, self.module.params, warn_db_default=False) + self.db_conn, dummy = connect_to_db(self.module, conn_params, fail_on_conn=fail_on_conn) + if self.db_conn is None: + # only happens if fail_on_conn is False and there actually was an issue connecting to the DB + return None + return self.db_conn.cursor(cursor_factory=DictCursor) + + def reconnect(self, dbname): + """Reconnect to another database and return a PostgreSQL cursor object. + + Arguments: + dbname (string): Database name to connect to. + """ + if self.db_conn is not None: + self.db_conn.close() + + # the lines below seem redundant but they are actually needed for connect to work as expected + self.module.params['db'] = dbname + self.module.params['database'] = dbname + self.module.params['login_db'] = dbname + return self.connect(fail_on_conn=False) + + +class PgClusterInfo(object): + """Class for collection information about a PostgreSQL instance. + + Arguments: + module (AnsibleModule): Object of AnsibleModule class. + db_conn_obj (psycopg2.connect): PostgreSQL connection object. + """ + + def __init__(self, module, db_conn_obj): + self.module = module + self.db_obj = db_conn_obj + self.cursor = db_conn_obj.connect() + self.pg_info = { + "version": {}, + "in_recovery": None, + "tablespaces": {}, + "databases": {}, + "replications": {}, + "repl_slots": {}, + "settings": {}, + "roles": {}, + "pending_restart_settings": [], + } + + def collect(self, val_list=False): + """Collect information based on 'filter' option.""" + subset_map = { + "version": self.get_pg_version, + "in_recovery": self.get_recovery_state, + "tablespaces": self.get_tablespaces, + "databases": self.get_db_info, + "replications": self.get_repl_info, + "repl_slots": self.get_rslot_info, + "settings": self.get_settings, + "roles": self.get_role_info, + } + + incl_list = [] + excl_list = [] + # Notice: incl_list and excl_list + # don't make sense together, therefore, + # if incl_list is not empty, we collect + # only values from it: + if val_list: + for i in val_list: + if i[0] != '!': + incl_list.append(i) + else: + excl_list.append(i.lstrip('!')) + + if incl_list: + for s in subset_map: + for i in incl_list: + if fnmatch(s, i): + subset_map[s]() + break + elif excl_list: + found = False + # Collect info: + for s in subset_map: + for e in excl_list: + if fnmatch(s, e): + found = True + + if not found: + subset_map[s]() + else: + found = False + + # Default behaviour, if include or exclude is not passed: + else: + # Just collect info for each item: + for s in subset_map: + subset_map[s]() + + self.cursor.close() + self.db_obj.db_conn.close() + + return self.pg_info + + def get_pub_info(self): + """Get publication statistics.""" + query = ("SELECT p.*, r.rolname AS ownername " + "FROM pg_catalog.pg_publication AS p " + "JOIN pg_catalog.pg_roles AS r " + "ON p.pubowner = r.oid") + + result = self.__exec_sql(query) + + if result: + result = [dict(row) for row in result] + else: + return {} + + publications = {} + + for elem in result: + if not publications.get(elem['pubname']): + publications[elem['pubname']] = {} + + for key, val in iteritems(elem): + if key != 'pubname': + publications[elem['pubname']][key] = val + + return publications + + def get_subscr_info(self): + """Get subscription statistics.""" + columns_sub_table = ("SELECT column_name " + "FROM information_schema.columns " + "WHERE table_schema = 'pg_catalog' " + "AND table_name = 'pg_subscription'") + columns_result = self.__exec_sql(columns_sub_table) + columns = ", ".join(["s.%s" % column[0] for column in columns_result]) + + query = ("SELECT %s, r.rolname AS ownername, d.datname AS dbname " + "FROM pg_catalog.pg_subscription s " + "JOIN pg_catalog.pg_database d " + "ON s.subdbid = d.oid " + "JOIN pg_catalog.pg_roles AS r " + "ON s.subowner = r.oid" % columns) + + result = self.__exec_sql(query) + + if result: + result = [dict(row) for row in result] + else: + return {} + + subscr_info = {} + + for elem in result: + if not subscr_info.get(elem['dbname']): + subscr_info[elem['dbname']] = {} + + if not subscr_info[elem['dbname']].get(elem['subname']): + subscr_info[elem['dbname']][elem['subname']] = {} + + for key, val in iteritems(elem): + if key not in ('subname', 'dbname'): + subscr_info[elem['dbname']][elem['subname']][key] = val + + return subscr_info + + def get_tablespaces(self): + """Get information about tablespaces.""" + # Check spcoption exists: + opt = self.__exec_sql("SELECT column_name " + "FROM information_schema.columns " + "WHERE table_name = 'pg_tablespace' " + "AND column_name = 'spcoptions'") + + if not opt: + query = ("SELECT s.spcname, pg_catalog.pg_get_userbyid(s.spcowner) as rolname, s.spcacl " + "FROM pg_tablespace AS s ") + else: + query = ("SELECT s.spcname, pg_catalog.pg_get_userbyid(s.spcowner) as rolname, s.spcacl, s.spcoptions " + "FROM pg_tablespace AS s ") + + res = self.__exec_sql(query) + ts_dict = {} + for i in res: + ts_name = i[0] + ts_info = dict( + spcowner=i[1], + spcacl=i[2] if i[2] else '', + ) + if opt: + ts_info['spcoptions'] = i[3] if i[3] else [] + + ts_dict[ts_name] = ts_info + + self.pg_info["tablespaces"] = ts_dict + + def get_ext_info(self): + """Get information about existing extensions.""" + # Check that pg_extension exists: + res = self.__exec_sql("SELECT EXISTS (SELECT 1 FROM " + "information_schema.tables " + "WHERE table_name = 'pg_extension')") + if not res[0][0]: + return True + + query = ("SELECT e.extname, e.extversion, n.nspname, c.description " + "FROM pg_catalog.pg_extension AS e " + "LEFT JOIN pg_catalog.pg_namespace AS n " + "ON n.oid = e.extnamespace " + "LEFT JOIN pg_catalog.pg_description AS c " + "ON c.objoid = e.oid " + "AND c.classoid = 'pg_catalog.pg_extension'::pg_catalog.regclass") + res = self.__exec_sql(query) + ext_dict = {} + for i in res: + ext_ver_raw = i[1] + + if re.search(r'^([0-9]+([\-]*[0-9]+)?\.)*[0-9]+([\-]*[0-9]+)?$', i[1]) is None: + ext_ver = [None, None] + else: + ext_ver = i[1].split('.') + if re.search(r'-', ext_ver[0]) is not None: + ext_ver = ext_ver[0].split('-') + else: + try: + if re.search(r'-', ext_ver[1]) is not None: + ext_ver[1] = ext_ver[1].split('-')[0] + except IndexError: + ext_ver.append(None) + + ext_dict[i[0]] = dict( + extversion=dict( + major=int(ext_ver[0]) if ext_ver[0] else None, + minor=int(ext_ver[1]) if ext_ver[1] else None, + raw=ext_ver_raw, + ), + nspname=i[2], + description=i[3], + ) + + return ext_dict + + def get_role_info(self): + """Get information about roles (in PgSQL groups and users are roles).""" + query = ("SELECT r.rolname, r.rolsuper, r.rolcanlogin, " + "r.rolvaliduntil, " + "ARRAY(SELECT b.rolname " + "FROM pg_catalog.pg_auth_members AS m " + "JOIN pg_catalog.pg_roles AS b ON (m.roleid = b.oid) " + "WHERE m.member = r.oid) AS memberof " + "FROM pg_catalog.pg_roles AS r " + "WHERE r.rolname !~ '^pg_'") + + res = self.__exec_sql(query) + rol_dict = {} + for i in res: + rol_dict[i[0]] = dict( + superuser=i[1], + canlogin=i[2], + valid_until=i[3] if i[3] else '', + member_of=i[4] if i[4] else [], + ) + + self.pg_info["roles"] = rol_dict + + def get_rslot_info(self): + """Get information about replication slots if exist.""" + # Check that pg_replication_slots exists: + res = self.__exec_sql("SELECT EXISTS (SELECT 1 FROM " + "information_schema.tables " + "WHERE table_name = 'pg_replication_slots')") + if not res[0][0]: + return True + + query = ("SELECT slot_name, plugin, slot_type, database, " + "active FROM pg_replication_slots") + res = self.__exec_sql(query) + + # If there is no replication: + if not res: + return True + + rslot_dict = {} + for i in res: + rslot_dict[i[0]] = dict( + plugin=i[1], + slot_type=i[2], + database=i[3], + active=i[4], + ) + + self.pg_info["repl_slots"] = rslot_dict + + def get_settings(self): + """Get server settings.""" + # Check pending restart column exists: + pend_rest_col_exists = self.__exec_sql("SELECT 1 FROM information_schema.columns " + "WHERE table_name = 'pg_settings' " + "AND column_name = 'pending_restart'") + if not pend_rest_col_exists: + query = ("SELECT name, setting, unit, context, vartype, " + "boot_val, min_val, max_val, sourcefile " + "FROM pg_settings") + else: + query = ("SELECT name, setting, unit, context, vartype, " + "boot_val, min_val, max_val, sourcefile, pending_restart " + "FROM pg_settings") + + res = self.__exec_sql(query) + + set_dict = {} + for i in res: + val_in_bytes = None + setting = i[1] + if i[2]: + unit = i[2] + else: + unit = '' + + if unit == 'kB': + val_in_bytes = int(setting) * 1024 + + elif unit == '8kB': + val_in_bytes = int(setting) * 1024 * 8 + + elif unit == 'MB': + val_in_bytes = int(setting) * 1024 * 1024 + + if val_in_bytes is not None and val_in_bytes < 0: + val_in_bytes = 0 + + setting_name = i[0] + pretty_val = self.__get_pretty_val(setting_name) + + pending_restart = None + if pend_rest_col_exists: + pending_restart = i[9] + + set_dict[setting_name] = dict( + setting=setting, + unit=unit, + context=i[3], + vartype=i[4], + boot_val=i[5] if i[5] else '', + min_val=i[6] if i[6] else '', + max_val=i[7] if i[7] else '', + sourcefile=i[8] if i[8] else '', + pretty_val=pretty_val, + ) + if val_in_bytes is not None: + set_dict[setting_name]['val_in_bytes'] = val_in_bytes + + if pending_restart is not None: + set_dict[setting_name]['pending_restart'] = pending_restart + if pending_restart: + self.pg_info["pending_restart_settings"].append(setting_name) + + self.pg_info["settings"] = set_dict + + def get_repl_info(self): + """Get information about replication if the server is a primary.""" + # Check that pg_replication_slots exists: + res = self.__exec_sql("SELECT EXISTS (SELECT 1 FROM " + "information_schema.tables " + "WHERE table_name = 'pg_stat_replication')") + if not res[0][0]: + return True + + query = ("SELECT r.pid, pg_catalog.pg_get_userbyid(r.usesysid) AS rolname, r.application_name, r.client_addr, " + "r.client_hostname, r.backend_start::text, r.state " + "FROM pg_stat_replication AS r ") + res = self.__exec_sql(query) + + # If there is no replication: + if not res: + return True + + repl_dict = {} + for i in res: + repl_dict[i[0]] = dict( + usename=i[1], + app_name=i[2] if i[2] else '', + client_addr=i[3], + client_hostname=i[4] if i[4] else '', + backend_start=i[5], + state=i[6], + ) + + self.pg_info["replications"] = repl_dict + + def get_lang_info(self): + """Get information about current supported languages.""" + query = ("SELECT l.lanname, pg_catalog.pg_get_userbyid(l.lanowner) AS rolname, l.lanacl " + "FROM pg_language AS l ") + res = self.__exec_sql(query) + lang_dict = {} + for i in res: + lang_dict[i[0]] = dict( + lanowner=i[1], + lanacl=i[2] if i[2] else '', + ) + + return lang_dict + + def get_namespaces(self): + """Get information about namespaces.""" + query = ("SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) AS rolname, n.nspacl " + "FROM pg_catalog.pg_namespace AS n ") + res = self.__exec_sql(query) + + nsp_dict = {} + for i in res: + nsp_dict[i[0]] = dict( + nspowner=i[1], + nspacl=i[2] if i[2] else '', + ) + + return nsp_dict + + def get_pg_version(self): + """Get major and minor PostgreSQL server version.""" + query = "SELECT version()" + raw = self.__exec_sql(query)[0][0] + full = raw.split()[1] + m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", full) + + major = int(m.group(1)) + minor = int(m.group(2)) + patch = None + if m.group(3) is not None: + patch = int(m.group(3)) + + self.pg_info["version"] = dict( + major=major, + minor=minor, + full=full, + raw=raw, + ) + + if patch is not None: + self.pg_info["version"]["patch"] = patch + + def get_recovery_state(self): + """Get if the service is in recovery mode.""" + self.pg_info["in_recovery"] = self.__exec_sql("SELECT pg_is_in_recovery()")[0][0] + + def get_db_info(self): + """Get information about the current database.""" + # Following query returns: + # Name, Owner, Encoding, Collate, Ctype, Access Priv, Size + query = ("SELECT d.datname, " + "pg_catalog.pg_get_userbyid(d.datdba), " + "pg_catalog.pg_encoding_to_char(d.encoding), " + "d.datcollate, " + "d.datctype, " + "pg_catalog.array_to_string(d.datacl, E'\n'), " + "CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') " + "THEN pg_catalog.pg_database_size(d.datname)::text " + "ELSE 'No Access' END, " + "t.spcname " + "FROM pg_catalog.pg_database AS d " + "JOIN pg_catalog.pg_tablespace t ON d.dattablespace = t.oid " + "WHERE d.datname != 'template0'") + + res = self.__exec_sql(query) + + db_dict = {} + for i in res: + db_dict[i[0]] = dict( + owner=i[1], + encoding=i[2], + collate=i[3], + ctype=i[4], + access_priv=i[5] if i[5] else '', + size=i[6], + ) + + if self.cursor.connection.server_version >= 100000: + subscr_info = self.get_subscr_info() + + for datname in db_dict: + self.cursor = self.db_obj.reconnect(datname) + if self.cursor is None: + # that means we don't have permission to access these database + db_dict[datname]['namespaces'] = {} + db_dict[datname]['extensions'] = {} + db_dict[datname]['languages'] = {} + db_dict[datname]['error'] = "Could not connect to the database." + continue + db_dict[datname]['namespaces'] = self.get_namespaces() + db_dict[datname]['extensions'] = self.get_ext_info() + db_dict[datname]['languages'] = self.get_lang_info() + if self.cursor.connection.server_version >= 100000: + db_dict[datname]['publications'] = self.get_pub_info() + db_dict[datname]['subscriptions'] = subscr_info.get(datname, {}) + + self.pg_info["databases"] = db_dict + + def __get_pretty_val(self, setting): + """Get setting's value represented by SHOW command.""" + return self.__exec_sql('SHOW "%s"' % setting)[0][0] + + def __exec_sql(self, query): + """Execute SQL and return the result.""" + try: + self.cursor.execute(query) + res = self.cursor.fetchall() + if res: + return res + except Exception as e: + self.module.fail_json(msg="Cannot execute SQL '%s': %s" % (query, to_native(e))) + self.cursor.close() + return False + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + db=dict(type='str', aliases=['login_db']), + filter=dict(type='list', elements='str'), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + filter_ = module.params['filter'] + + if not module.params['trust_input']: + # Check input for potentially dangerous elements: + check_input(module, module.params['session_role']) + + db_conn_obj = PgDbConn(module) + + # Do job: + pg_info = PgClusterInfo(module, db_conn_obj) + + module.exit_json(**pg_info.collect(filter_)) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_lang.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_lang.py new file mode 100644 index 000000000..3d696dba6 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_lang.py @@ -0,0 +1,353 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# (c) 2014, Jens Depuydt <http://www.jensd.be> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +DOCUMENTATION = r''' +--- +module: postgresql_lang +short_description: Adds, removes or changes procedural languages with a PostgreSQL database +description: +- Adds, removes or changes procedural languages with a PostgreSQL database. +- This module allows you to add a language, remote a language or change the trust + relationship with a PostgreSQL database. +- The module can be used on the machine where executed or on a remote host. +- When removing a language from a database, it is possible that dependencies prevent + the database from being removed. In that case, you can specify I(cascade=true) to + automatically drop objects that depend on the language (such as functions in the + language). +- In case the language can't be deleted because it is required by the + database system, you can specify I(fail_on_drop=false) to ignore the error. +- Be careful when marking a language as trusted since this could be a potential + security breach. Untrusted languages allow only users with the PostgreSQL superuser + privilege to use this language to create new functions. +options: + lang: + description: + - Name of the procedural language to add, remove or change. + required: true + type: str + aliases: + - name + trust: + description: + - Make this language trusted for the selected db. + type: bool + default: 'false' + db: + description: + - Name of database to connect to and where the language will be added, removed or changed. + type: str + aliases: + - login_db + required: true + force_trust: + description: + - Marks the language as trusted, even if it's marked as untrusted in pg_pltemplate. + - Use with care! + type: bool + default: 'false' + fail_on_drop: + description: + - If C(true), fail when removing a language. Otherwise just log and continue. + - In some cases, it is not possible to remove a language (used by the db-system). + - When dependencies block the removal, consider using I(cascade). + type: bool + default: 'true' + cascade: + description: + - When dropping a language, also delete object that depend on this language. + - Only used when I(state=absent). + type: bool + default: 'false' + session_role: + description: + - Switch to session_role after connecting. + - The specified I(session_role) must be a role that the current I(login_user) is a member of. + - Permissions checking for SQL commands is carried out as though the + I(session_role) were the one that had logged in originally. + type: str + state: + description: + - The state of the language for the selected database. + type: str + default: present + choices: [ absent, present ] + owner: + description: + - Set an owner for the language. + - Ignored when I(state=absent). + type: str + version_added: '0.2.0' + trust_input: + description: + - If C(false), check whether values of parameters I(lang), I(session_role), + I(owner) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' +seealso: +- name: PostgreSQL languages + description: General information about PostgreSQL languages. + link: https://www.postgresql.org/docs/current/xplang.html +- name: CREATE LANGUAGE reference + description: Complete reference of the CREATE LANGUAGE command documentation. + link: https://www.postgresql.org/docs/current/sql-createlanguage.html +- name: ALTER LANGUAGE reference + description: Complete reference of the ALTER LANGUAGE command documentation. + link: https://www.postgresql.org/docs/current/sql-alterlanguage.html +- name: DROP LANGUAGE reference + description: Complete reference of the DROP LANGUAGE command documentation. + link: https://www.postgresql.org/docs/current/sql-droplanguage.html + +attributes: + check_mode: + support: full + +author: +- Jens Depuydt (@jensdepuydt) +- Thomas O'Donnell (@andytom) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Add language pltclu to database testdb if it doesn't exist + community.postgresql.postgresql_lang: db=testdb lang=pltclu state=present + +# Add language pltclu to database testdb if it doesn't exist and mark it as trusted. +# Marks the language as trusted if it exists but isn't trusted yet. +# force_trust makes sure that the language will be marked as trusted +- name: Add language pltclu to database testdb if it doesn't exist and mark it as trusted + community.postgresql.postgresql_lang: + db: testdb + lang: pltclu + state: present + trust: true + force_trust: true + +- name: Remove language pltclu from database testdb + community.postgresql.postgresql_lang: + db: testdb + lang: pltclu + state: absent + +- name: Remove language pltclu from database testdb and remove all dependencies + community.postgresql.postgresql_lang: + db: testdb + lang: pltclu + state: absent + cascade: true + +- name: Remove language c from database testdb but ignore errors if something prevents the removal + community.postgresql.postgresql_lang: + db: testdb + lang: pltclu + state: absent + fail_on_drop: false + +- name: In testdb change owner of mylang to alice + community.postgresql.postgresql_lang: + db: testdb + lang: mylang + owner: alice +''' + +RETURN = r''' +queries: + description: List of executed queries. + returned: always + type: list + sample: ['CREATE LANGUAGE "acme"'] +''' + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import check_input +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + +executed_queries = [] + + +def lang_exists(cursor, lang): + """Checks if language exists for db""" + query = "SELECT lanname FROM pg_language WHERE lanname = %(lang)s" + cursor.execute(query, {'lang': lang}) + return cursor.rowcount > 0 + + +def lang_istrusted(cursor, lang): + """Checks if language is trusted for db""" + query = "SELECT lanpltrusted FROM pg_language WHERE lanname = %(lang)s" + cursor.execute(query, {'lang': lang}) + return cursor.fetchone()[0] + + +def lang_altertrust(cursor, lang, trust): + """Changes if language is trusted for db""" + query = "UPDATE pg_language SET lanpltrusted = %(trust)s WHERE lanname = %(lang)s" + cursor.execute(query, {'trust': trust, 'lang': lang}) + executed_queries.append(cursor.mogrify(query, {'trust': trust, 'lang': lang})) + return True + + +def lang_add(cursor, lang, trust): + """Adds language for db""" + if trust: + query = 'CREATE TRUSTED LANGUAGE "%s"' % lang + else: + query = 'CREATE LANGUAGE "%s"' % lang + executed_queries.append(query) + cursor.execute(query) + return True + + +def lang_drop(cursor, lang, cascade): + """Drops language for db""" + cursor.execute("SAVEPOINT ansible_pgsql_lang_drop") + try: + if cascade: + query = "DROP LANGUAGE \"%s\" CASCADE" % lang + else: + query = "DROP LANGUAGE \"%s\"" % lang + executed_queries.append(query) + cursor.execute(query) + except Exception: + cursor.execute("ROLLBACK TO SAVEPOINT ansible_pgsql_lang_drop") + cursor.execute("RELEASE SAVEPOINT ansible_pgsql_lang_drop") + return False + cursor.execute("RELEASE SAVEPOINT ansible_pgsql_lang_drop") + return True + + +def get_lang_owner(cursor, lang): + """Get language owner. + + Args: + cursor (cursor): psycopg2 cursor object. + lang (str): language name. + """ + query = ("SELECT r.rolname FROM pg_language l " + "JOIN pg_roles r ON l.lanowner = r.oid " + "WHERE l.lanname = %(lang)s") + cursor.execute(query, {'lang': lang}) + return cursor.fetchone()[0] + + +def set_lang_owner(cursor, lang, owner): + """Set language owner. + + Args: + cursor (cursor): psycopg2 cursor object. + lang (str): language name. + owner (str): name of new owner. + """ + query = "ALTER LANGUAGE \"%s\" OWNER TO \"%s\"" % (lang, owner) + executed_queries.append(query) + cursor.execute(query) + return True + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + db=dict(type="str", required=True, aliases=["login_db"]), + lang=dict(type="str", required=True, aliases=["name"]), + state=dict(type="str", default="present", choices=["absent", "present"]), + trust=dict(type="bool", default="false"), + force_trust=dict(type="bool", default="false"), + cascade=dict(type="bool", default="false"), + fail_on_drop=dict(type="bool", default="true"), + session_role=dict(type="str"), + owner=dict(type="str"), + trust_input=dict(type="bool", default="true") + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + db = module.params["db"] + lang = module.params["lang"] + state = module.params["state"] + trust = module.params["trust"] + force_trust = module.params["force_trust"] + cascade = module.params["cascade"] + fail_on_drop = module.params["fail_on_drop"] + owner = module.params["owner"] + session_role = module.params["session_role"] + trust_input = module.params["trust_input"] + + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, lang, session_role, owner) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=False) + cursor = db_connection.cursor() + + changed = False + kw = {'db': db, 'lang': lang, 'trust': trust} + + if state == "present": + if lang_exists(cursor, lang): + lang_trusted = lang_istrusted(cursor, lang) + if (lang_trusted and not trust) or (not lang_trusted and trust): + if module.check_mode: + changed = True + else: + changed = lang_altertrust(cursor, lang, trust) + else: + if module.check_mode: + changed = True + else: + changed = lang_add(cursor, lang, trust) + if force_trust: + changed = lang_altertrust(cursor, lang, trust) + + else: + if lang_exists(cursor, lang): + if module.check_mode: + changed = True + kw['lang_dropped'] = True + else: + changed = lang_drop(cursor, lang, cascade) + if fail_on_drop and not changed: + msg = ("unable to drop language, use cascade " + "to delete dependencies or fail_on_drop=false to ignore") + module.fail_json(msg=msg) + kw['lang_dropped'] = changed + + if owner and state == 'present': + if lang_exists(cursor, lang): + if owner != get_lang_owner(cursor, lang): + changed = set_lang_owner(cursor, lang, owner) + + if changed: + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + kw['changed'] = changed + kw['queries'] = executed_queries + db_connection.close() + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_membership.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_membership.py new file mode 100644 index 000000000..68d7db2ef --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_membership.py @@ -0,0 +1,265 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_membership +short_description: Add or remove PostgreSQL roles from groups +description: +- Adds or removes PostgreSQL roles from groups (other roles). +- Users are roles with login privilege. +- Groups are PostgreSQL roles usually without LOGIN privilege. +- "Common use case:" +- 1) add a new group (groups) by M(community.postgresql.postgresql_user) module with I(role_attr_flags=NOLOGIN) +- 2) grant them desired privileges by M(community.postgresql.postgresql_privs) module +- 3) add desired PostgreSQL users to the new group (groups) by this module +options: + groups: + description: + - The list of groups (roles) that need to be granted to or revoked from I(target_roles). + required: true + type: list + elements: str + aliases: + - group + - source_role + - source_roles + target_roles: + description: + - The list of target roles (groups will be granted to them). + required: true + type: list + elements: str + aliases: + - target_role + - users + - user + fail_on_role: + description: + - If C(true), fail when group or target_role doesn't exist. If C(false), just warn and continue. + default: true + type: bool + state: + description: + - Membership state. + - I(state=present) implies the I(groups)must be granted to I(target_roles). + - I(state=absent) implies the I(groups) must be revoked from I(target_roles). + - I(state=exact) implies that I(target_roles) will be members of only the I(groups) + (available since community.postgresql 2.2.0). + Any other groups will be revoked from I(target_roles). + type: str + default: present + choices: [ absent, exact, present ] + db: + description: + - Name of database to connect to. + type: str + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. + The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + trust_input: + description: + - If C(false), check whether values of parameters I(groups), + I(target_roles), I(session_role) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' +seealso: +- module: community.postgresql.postgresql_user +- module: community.postgresql.postgresql_privs +- module: community.postgresql.postgresql_owner +- name: PostgreSQL role membership reference + description: Complete reference of the PostgreSQL role membership documentation. + link: https://www.postgresql.org/docs/current/role-membership.html +- name: PostgreSQL role attributes reference + description: Complete reference of the PostgreSQL role attributes documentation. + link: https://www.postgresql.org/docs/current/role-attributes.html + +attributes: + check_mode: + support: full + +author: +- Andrew Klychkov (@Andersson007) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Grant role read_only to alice and bob + community.postgresql.postgresql_membership: + group: read_only + target_roles: + - alice + - bob + state: present + +# you can also use target_roles: alice,bob,etc to pass the role list + +- name: Revoke role read_only and exec_func from bob. Ignore if roles don't exist + community.postgresql.postgresql_membership: + groups: + - read_only + - exec_func + target_role: bob + fail_on_role: false + state: absent + +- name: > + Make sure alice and bob are members only of marketing and sales. + If they are members of other groups, they will be removed from those groups + community.postgresql.postgresql_membership: + group: + - marketing + - sales + target_roles: + - alice + - bob + state: exact + +- name: Make sure alice and bob do not belong to any groups + community.postgresql.postgresql_membership: + group: [] + target_roles: + - alice + - bob + state: exact +''' + +RETURN = r''' +queries: + description: List of executed queries. + returned: always + type: str + sample: [ "GRANT \"user_ro\" TO \"alice\"" ] +granted: + description: Dict of granted groups and roles. + returned: if I(state=present) + type: dict + sample: { "ro_group": [ "alice", "bob" ] } +revoked: + description: Dict of revoked groups and roles. + returned: if I(state=absent) + type: dict + sample: { "ro_group": [ "alice", "bob" ] } +state: + description: Membership state that tried to be set. + returned: always + type: str + sample: "present" +''' + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import check_input +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + ensure_required_libs, + get_conn_params, + PgMembership, + postgres_common_argument_spec, +) + + +# =========================================== +# Module execution. +# + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + groups=dict(type='list', elements='str', required=True, aliases=['group', 'source_role', 'source_roles']), + target_roles=dict(type='list', elements='str', required=True, aliases=['target_role', 'user', 'users']), + fail_on_role=dict(type='bool', default=True), + state=dict(type='str', default='present', choices=['absent', 'exact', 'present']), + db=dict(type='str', aliases=['login_db']), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + groups = module.params['groups'] + target_roles = module.params['target_roles'] + fail_on_role = module.params['fail_on_role'] + state = module.params['state'] + session_role = module.params['session_role'] + trust_input = module.params['trust_input'] + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, groups, target_roles, session_role) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params, warn_db_default=False) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=False) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + ############## + # Create the object and do main job: + + pg_membership = PgMembership(module, cursor, groups, target_roles, fail_on_role) + + if state == 'present': + pg_membership.grant() + + elif state == 'exact': + pg_membership.match() + + elif state == 'absent': + pg_membership.revoke() + + # Rollback if it's possible and check_mode: + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + cursor.close() + db_connection.close() + + # Make return values: + return_dict = dict( + changed=pg_membership.changed, + state=state, + groups=pg_membership.groups, + target_roles=pg_membership.target_roles, + queries=pg_membership.executed_queries, + ) + + if state == 'present': + return_dict['granted'] = pg_membership.granted + elif state == 'absent': + return_dict['revoked'] = pg_membership.revoked + elif state == 'exact': + return_dict['granted'] = pg_membership.granted + return_dict['revoked'] = pg_membership.revoked + + module.exit_json(**return_dict) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_owner.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_owner.py new file mode 100644 index 000000000..934e3b957 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_owner.py @@ -0,0 +1,463 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_owner +short_description: Change an owner of PostgreSQL database object +description: +- Change an owner of PostgreSQL database object. +- Also allows to reassign the ownership of database objects owned by a database role to another role. + +options: + new_owner: + description: + - Role (user/group) to set as an I(obj_name) owner. + type: str + required: true + obj_name: + description: + - Name of a database object to change ownership. + - Mutually exclusive with I(reassign_owned_by). + type: str + obj_type: + description: + - Type of a database object. + - Mutually exclusive with I(reassign_owned_by). + type: str + choices: [ database, function, matview, sequence, schema, table, tablespace, view ] + aliases: + - type + reassign_owned_by: + description: + - Caution - the ownership of all the objects within the specified I(db), + owned by this role(s) will be reassigned to I(new_owner). + - REASSIGN OWNED is often used to prepare for the removal of one or more roles. + - REASSIGN OWNED does not affect objects within other databases. + - Execute this command in each database that contains objects owned by a role that is to be removed. + - If role(s) exists, always returns changed True. + - Cannot reassign ownership of objects that are required by the database system. + - Mutually exclusive with C(obj_type). + type: list + elements: str + fail_on_role: + description: + - If C(true), fail when I(reassign_owned_by) role does not exist. + Otherwise just warn and continue. + - Mutually exclusive with I(obj_name) and I(obj_type). + default: true + type: bool + db: + description: + - Name of database to connect to. + type: str + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. + The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + trust_input: + description: + - If C(false), check whether values of parameters I(new_owner), I(obj_name), + I(reassign_owned_by), I(session_role) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' +seealso: +- module: community.postgresql.postgresql_user +- module: community.postgresql.postgresql_privs +- module: community.postgresql.postgresql_membership +- name: PostgreSQL REASSIGN OWNED command reference + description: Complete reference of the PostgreSQL REASSIGN OWNED command documentation. + link: https://www.postgresql.org/docs/current/sql-reassign-owned.html + +attributes: + check_mode: + support: full + +author: +- Andrew Klychkov (@Andersson007) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +# Set owner as alice for function myfunc in database bar by ansible ad-hoc command: +# ansible -m postgresql_owner -a "db=bar new_owner=alice obj_name=myfunc obj_type=function" + +- name: The same as above by playbook + community.postgresql.postgresql_owner: + db: bar + new_owner: alice + obj_name: myfunc + obj_type: function + +- name: Set owner as bob for table acme in database bar + community.postgresql.postgresql_owner: + db: bar + new_owner: bob + obj_name: acme + obj_type: table + +- name: Set owner as alice for view test_view in database bar + community.postgresql.postgresql_owner: + db: bar + new_owner: alice + obj_name: test_view + obj_type: view + +- name: Set owner as bob for tablespace ssd in database foo + community.postgresql.postgresql_owner: + db: foo + new_owner: bob + obj_name: ssd + obj_type: tablespace + +- name: Reassign all databases owned by bob to alice and all objects in database bar owned by bob to alice + community.postgresql.postgresql_owner: + db: bar + new_owner: alice + reassign_owned_by: bob + +- name: Reassign all databases owned by bob or bill to alice and all objects in database bar owned by bob or bill to alice + community.postgresql.postgresql_owner: + db: bar + new_owner: alice + reassign_owned_by: + - bob + - bill +''' + +RETURN = r''' +queries: + description: List of executed queries. + returned: always + type: str + sample: [ 'REASSIGN OWNED BY "bob" TO "alice"' ] +''' + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, + pg_quote_identifier, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + + +class PgOwnership(object): + + """Class for changing ownership of PostgreSQL objects. + + Arguments: + module (AnsibleModule): Object of Ansible module class. + cursor (psycopg2.connect.cursor): Cursor object for interaction with the database. + role (str): Role name to set as a new owner of objects. + + Important: + If you want to add handling of a new type of database objects: + 1. Add a specific method for this like self.__set_db_owner(), etc. + 2. Add a condition with a check of ownership for new type objects to self.__is_owner() + 3. Add a condition with invocation of the specific method to self.set_owner() + 4. Add the information to the module documentation + That's all. + """ + + def __init__(self, module, cursor, role): + self.module = module + self.cursor = cursor + self.check_role_exists(role) + self.role = role + self.changed = False + self.executed_queries = [] + self.obj_name = '' + self.obj_type = '' + + def check_role_exists(self, role, fail_on_role=True): + """Check the role exists or not. + + Arguments: + role (str): Role name. + fail_on_role (bool): If True, fail when the role does not exist. + Otherwise just warn and continue. + """ + if not self.__role_exists(role): + if fail_on_role: + self.module.fail_json(msg="Role '%s' does not exist" % role) + else: + self.module.warn("Role '%s' does not exist, pass" % role) + + return False + + else: + return True + + def reassign(self, old_owners, fail_on_role): + """Implements REASSIGN OWNED BY command. + + If success, set self.changed as True. + + Arguments: + old_owners (list): The ownership of all the objects within + the current database, and of all shared objects (databases, tablespaces), + owned by these roles will be reassigned to self.role. + fail_on_role (bool): If True, fail when a role from old_owners does not exist. + Otherwise just warn and continue. + """ + roles = [] + for r in old_owners: + if self.check_role_exists(r, fail_on_role): + roles.append('"%s"' % r) + + # Roles do not exist, nothing to do, exit: + if not roles: + return False + + old_owners = ','.join(roles) + + query = ['REASSIGN OWNED BY'] + query.append(old_owners) + query.append('TO "%s"' % self.role) + query = ' '.join(query) + + self.changed = exec_sql(self, query, return_bool=True) + + def set_owner(self, obj_type, obj_name): + """Change owner of a database object. + + Arguments: + obj_type (str): Type of object (like database, table, view, etc.). + obj_name (str): Object name. + """ + self.obj_name = obj_name + self.obj_type = obj_type + + # if a new_owner is the object owner now, + # nothing to do: + if self.__is_owner(): + return False + + if obj_type == 'database': + self.__set_db_owner() + + elif obj_type == 'function': + self.__set_func_owner() + + elif obj_type == 'sequence': + self.__set_seq_owner() + + elif obj_type == 'schema': + self.__set_schema_owner() + + elif obj_type == 'table': + self.__set_table_owner() + + elif obj_type == 'tablespace': + self.__set_tablespace_owner() + + elif obj_type == 'view': + self.__set_view_owner() + + elif obj_type == 'matview': + self.__set_mat_view_owner() + + def __is_owner(self): + """Return True if self.role is the current object owner.""" + if self.obj_type == 'table': + query = ("SELECT 1 FROM pg_tables " + "WHERE tablename = %(obj_name)s " + "AND tableowner = %(role)s") + + elif self.obj_type == 'database': + query = ("SELECT 1 FROM pg_database AS d " + "JOIN pg_roles AS r ON d.datdba = r.oid " + "WHERE d.datname = %(obj_name)s " + "AND r.rolname = %(role)s") + + elif self.obj_type == 'function': + query = ("SELECT 1 FROM pg_proc AS f " + "JOIN pg_roles AS r ON f.proowner = r.oid " + "WHERE f.proname = %(obj_name)s " + "AND r.rolname = %(role)s") + + elif self.obj_type == 'sequence': + query = ("SELECT 1 FROM pg_class AS c " + "JOIN pg_roles AS r ON c.relowner = r.oid " + "WHERE c.relkind = 'S' AND c.relname = %(obj_name)s " + "AND r.rolname = %(role)s") + + elif self.obj_type == 'schema': + query = ("SELECT 1 FROM information_schema.schemata " + "WHERE schema_name = %(obj_name)s " + "AND schema_owner = %(role)s") + + elif self.obj_type == 'tablespace': + query = ("SELECT 1 FROM pg_tablespace AS t " + "JOIN pg_roles AS r ON t.spcowner = r.oid " + "WHERE t.spcname = %(obj_name)s " + "AND r.rolname = %(role)s") + + elif self.obj_type == 'view': + query = ("SELECT 1 FROM pg_views " + "WHERE viewname = %(obj_name)s " + "AND viewowner = %(role)s") + + elif self.obj_type == 'matview': + query = ("SELECT 1 FROM pg_matviews " + "WHERE matviewname = %(obj_name)s " + "AND matviewowner = %(role)s") + + query_params = {'obj_name': self.obj_name, 'role': self.role} + return exec_sql(self, query, query_params, add_to_executed=False) + + def __set_db_owner(self): + """Set the database owner.""" + query = 'ALTER DATABASE "%s" OWNER TO "%s"' % (self.obj_name, self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __set_func_owner(self): + """Set the function owner.""" + query = 'ALTER FUNCTION %s OWNER TO "%s"' % (self.obj_name, self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __set_seq_owner(self): + """Set the sequence owner.""" + query = 'ALTER SEQUENCE %s OWNER TO "%s"' % (pg_quote_identifier(self.obj_name, 'table'), + self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __set_schema_owner(self): + """Set the schema owner.""" + query = 'ALTER SCHEMA %s OWNER TO "%s"' % (pg_quote_identifier(self.obj_name, 'schema'), + self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __set_table_owner(self): + """Set the table owner.""" + query = 'ALTER TABLE %s OWNER TO "%s"' % (pg_quote_identifier(self.obj_name, 'table'), + self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __set_tablespace_owner(self): + """Set the tablespace owner.""" + query = 'ALTER TABLESPACE "%s" OWNER TO "%s"' % (self.obj_name, self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __set_view_owner(self): + """Set the view owner.""" + query = 'ALTER VIEW %s OWNER TO "%s"' % (pg_quote_identifier(self.obj_name, 'table'), + self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __set_mat_view_owner(self): + """Set the materialized view owner.""" + query = 'ALTER MATERIALIZED VIEW %s OWNER TO "%s"' % (pg_quote_identifier(self.obj_name, 'table'), + self.role) + self.changed = exec_sql(self, query, return_bool=True) + + def __role_exists(self, role): + """Return True if role exists, otherwise return False.""" + query_params = {'role': role} + query = "SELECT 1 FROM pg_roles WHERE rolname = %(role)s" + return exec_sql(self, query, query_params, add_to_executed=False) + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + new_owner=dict(type='str', required=True), + obj_name=dict(type='str'), + obj_type=dict(type='str', aliases=['type'], choices=[ + 'database', 'function', 'matview', 'sequence', 'schema', 'table', 'tablespace', 'view']), + reassign_owned_by=dict(type='list', elements='str'), + fail_on_role=dict(type='bool', default=True), + db=dict(type='str', aliases=['login_db']), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + mutually_exclusive=[ + ['obj_name', 'reassign_owned_by'], + ['obj_type', 'reassign_owned_by'], + ['obj_name', 'fail_on_role'], + ['obj_type', 'fail_on_role'], + ], + supports_check_mode=True, + ) + + new_owner = module.params['new_owner'] + obj_name = module.params['obj_name'] + obj_type = module.params['obj_type'] + reassign_owned_by = module.params['reassign_owned_by'] + fail_on_role = module.params['fail_on_role'] + session_role = module.params['session_role'] + trust_input = module.params['trust_input'] + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, new_owner, obj_name, reassign_owned_by, session_role) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=False) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + ############## + # Create the object and do main job: + pg_ownership = PgOwnership(module, cursor, new_owner) + + # if we want to change ownership: + if obj_name: + pg_ownership.set_owner(obj_type, obj_name) + + # if we want to reassign objects owned by roles: + elif reassign_owned_by: + pg_ownership.reassign(reassign_owned_by, fail_on_role) + + # Rollback if it's possible and check_mode: + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + cursor.close() + db_connection.close() + + module.exit_json( + changed=pg_ownership.changed, + queries=pg_ownership.executed_queries, + ) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_pg_hba.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_pg_hba.py new file mode 100644 index 000000000..002e7817d --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_pg_hba.py @@ -0,0 +1,907 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# Copyright: (c) 2019, Sebastiaan Mannem (@sebasmannem) <sebastiaan.mannem@enterprisedb.com> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +''' +This module is used to manage postgres pg_hba files with Ansible. +''' + +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_pg_hba +short_description: Add, remove or modify a rule in a pg_hba file +description: + - The fundamental function of the module is to create, or delete lines in pg_hba files. + - The lines in the file should be in a typical pg_hba form and lines should be unique per key (type, databases, users, source). + If they are not unique and the SID is 'the one to change', only one for I(state=present) or + none for I(state=absent) of the SID's will remain. +extends_documentation_fragment: files +options: + address: + description: + - The source address/net where the connections could come from. + - Will not be used for entries of I(type)=C(local). + - You can also use keywords C(all), C(samehost), and C(samenet). + default: samehost + type: str + aliases: [ source, src ] + backup: + description: + - If set, create a backup of the C(pg_hba) file before it is modified. + The location of the backup is returned in the (backup) variable by this module. + default: false + type: bool + backup_file: + description: + - Write backup to a specific backupfile rather than a temp file. + type: str + create: + description: + - Create an C(pg_hba) file if none exists. + - When set to false, an error is raised when the C(pg_hba) file doesn't exist. + default: false + type: bool + contype: + description: + - Type of the rule. If not set, C(postgresql_pg_hba) will only return contents. + type: str + choices: [ local, host, hostnossl, hostssl, hostgssenc, hostnogssenc ] + comment: + description: + - A comment that will be placed in the same line behind the rule. See also the I(keep_comments_at_rules) parameter. + type: str + version_added: '1.5.0' + databases: + description: + - Databases this line applies to. + default: all + type: str + dest: + description: + - Path to C(pg_hba) file to modify. + type: path + required: true + method: + description: + - Authentication method to be used. + type: str + choices: [ cert, gss, ident, krb5, ldap, md5, pam, password, peer, radius, reject, scram-sha-256 , sspi, trust ] + default: md5 + netmask: + description: + - The netmask of the source address. + type: str + options: + description: + - Additional options for the authentication I(method). + type: str + order: + description: + - The entries will be written out in a specific order. + With this option you can control by which field they are ordered first, second and last. + s=source, d=databases, u=users. + This option is deprecated since 2.9 and will be removed in community.postgresql 3.0.0. + Sortorder is now hardcoded to sdu. + type: str + default: sdu + choices: [ sdu, sud, dsu, dus, usd, uds ] + overwrite: + description: + - Remove all existing rules before adding rules. (Like I(state=absent) for all pre-existing rules.) + type: bool + default: false + keep_comments_at_rules: + description: + - If C(true), comments that stand together with a rule in one line are kept behind that line. + - If C(false), such comments are moved to the beginning of the file, like all other comments. + type: bool + default: false + version_added: '1.5.0' + rules: + description: + - A list of objects, specifying rules for the pg_hba.conf. Use this to manage multiple rules at once. + - "Each object can have the following keys (the 'rule-specific arguments'), which are treated the same as if they were arguments of this module:" + - C(address), C(comment), C(contype), C(databases), C(method), C(netmask), C(options), C(state), C(users) + - See also C(rules_behavior). + type: list + elements: dict + rules_behavior: + description: + - "Configure how the I(rules) argument works together with the rule-specific arguments outside the I(rules) argument." + - See I(rules) for the complete list of rule-specific arguments. + - When set to C(conflict), fail if I(rules) and, for example, I(address) are set. + - If C(combine), the normal rule-specific arguments are not defining a rule, but are used as defaults for the arguments in the I(rules) argument. + - Is used only when I(rules) is specified, ignored otherwise. + type: str + choices: [ conflict, combine ] + default: conflict + state: + description: + - The lines will be added/modified when C(state=present) and removed when C(state=absent). + type: str + default: present + choices: [ absent, present ] + users: + description: + - Users this line applies to. + type: str + default: all + +notes: + - The default authentication assumes that on the host, you are either logging in as or + sudo'ing to an account with appropriate permissions to read and modify the file. + - This module also returns the pg_hba info. You can use this module to only retrieve it by only specifying I(dest). + The info can be found in the returned data under key pg_hba, being a list, containing a dict per rule. + - This module will sort resulting C(pg_hba) files if a rule change is required. + This could give unexpected results with manual created hba files, if it was improperly sorted. + For example a rule was created for a net first and for a ip in that net range next. + In that situation, the 'ip specific rule' will never hit, it is in the C(pg_hba) file obsolete. + After the C(pg_hba) file is rewritten by the M(community.postgresql.postgresql_pg_hba) module, the ip specific rule will be sorted above the range rule. + And then it will hit, which will give unexpected results. + - With the 'order' parameter you can control which field is used to sort first, next and last. + +seealso: +- name: PostgreSQL pg_hba.conf file reference + description: Complete reference of the PostgreSQL pg_hba.conf file documentation. + link: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + +requirements: + - ipaddress + +attributes: + check_mode: + support: full + description: Can run in check_mode and return changed status prediction without modifying target + diff_mode: + support: full + description: Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode + +author: +- Sebastiaan Mannem (@sebasmannem) +- Felix Hamme (@betanummeric) +''' + +EXAMPLES = ''' +- name: Grant users joe and simon access to databases sales and logistics from ipv6 localhost ::1/128 using peer authentication + community.postgresql.postgresql_pg_hba: + dest: /var/lib/postgres/data/pg_hba.conf + contype: host + users: joe,simon + source: ::1 + databases: sales,logistics + method: peer + create: true + +- name: Grant user replication from network 192.168.0.100/24 access for replication with client cert authentication + community.postgresql.postgresql_pg_hba: + dest: /var/lib/postgres/data/pg_hba.conf + contype: host + users: replication + source: 192.168.0.100/24 + databases: replication + method: cert + +- name: Revoke access from local user mary on database mydb + community.postgresql.postgresql_pg_hba: + dest: /var/lib/postgres/data/pg_hba.conf + contype: local + users: mary + databases: mydb + state: absent + +- name: Grant some_user access to some_db, comment that and keep other rule-specific comments attached to their rules + community.postgresql.postgresql_pg_hba: + dest: /var/lib/postgres/data/pg_hba.conf + contype: host + users: some_user + databases: some_db + method: md5 + source: ::/0 + keep_comments_at_rules: true + comment: "this rule is an example" + +- name: Replace everything with a new set of rules + community.postgresql.postgresql_pg_hba: + dest: /var/lib/postgres/data/pg_hba.conf + overwrite: true # remove preexisting rules + + # custom defaults + rules_behavior: combine + contype: hostssl + address: 2001:db8::/64 + comment: added in bulk + + rules: + - users: user1 + databases: db1 + # contype, address and comment come from custom default + - users: user2 + databases: db2 + comment: added with love # overwrite custom default for this rule + # contype and address come from custom default + - users: user3 + databases: db3 + # contype, address and comment come from custom default +''' + +RETURN = r''' +msgs: + description: List of textual messages what was done. + returned: always + type: list + sample: + "msgs": [ + "Removing", + "Changed", + "Writing" + ] +backup_file: + description: File that the original pg_hba file was backed up to. + returned: changed + type: str + sample: /tmp/pg_hba_jxobj_p +pg_hba: + description: List of the pg_hba rules as they are configured in the specified hba file. + returned: always + type: list + sample: + "pg_hba": [ + { + "db": "all", + "method": "md5", + "src": "samehost", + "type": "host", + "usr": "all" + } + ] +''' + +import os +import re +import traceback + +IPADDRESS_IMP_ERR = None +try: + import ipaddress +except ImportError: + IPADDRESS_IMP_ERR = traceback.format_exc() + +import tempfile +import shutil +from ansible.module_utils.basic import AnsibleModule, missing_required_lib + +# from ansible.module_utils.postgres import postgres_common_argument_spec + +PG_HBA_METHODS = ["trust", "reject", "md5", "password", "gss", "sspi", "krb5", "ident", "peer", + "ldap", "radius", "cert", "pam", "scram-sha-256"] +PG_HBA_TYPES = ["local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"] +PG_HBA_ORDERS = ["sdu", "sud", "dsu", "dus", "usd", "uds"] +PG_HBA_HDR = ['type', 'db', 'usr', 'src', 'mask', 'method', 'options'] + +WHITESPACES_RE = re.compile(r'\s+') + + +class PgHbaError(Exception): + ''' + This exception is raised when parsing the pg_hba file ends in an error. + ''' + + +class PgHbaRuleError(PgHbaError): + ''' + This exception is raised when parsing the pg_hba file ends in an error. + ''' + + +class PgHbaRuleChanged(PgHbaRuleError): + ''' + This exception is raised when a new parsed rule is a changed version of an existing rule. + ''' + + +class PgHbaValueError(PgHbaError): + ''' + This exception is raised when a new parsed rule is a changed version of an existing rule. + ''' + + +class PgHbaRuleValueError(PgHbaRuleError): + ''' + This exception is raised when a new parsed rule is a changed version of an existing rule. + ''' + + +class PgHba(object): + """ + PgHba object to read/write entries to/from. + pg_hba_file - the pg_hba file almost always /etc/pg_hba + """ + + def __init__(self, pg_hba_file=None, order="sdu", backup=False, create=False, keep_comments_at_rules=False): + if order not in PG_HBA_ORDERS: + msg = "invalid order setting {0} (should be one of '{1}')." + raise PgHbaError(msg.format(order, "', '".join(PG_HBA_ORDERS))) + self.pg_hba_file = pg_hba_file + self.rules = None + self.comment = None + self.order = order + self.backup = backup + self.last_backup = None + self.create = create + self.keep_comments_at_rules = keep_comments_at_rules + self.unchanged() + # self.databases will be update by add_rule and gives some idea of the number of databases + # (at least that are handled by this pg_hba) + self.databases = set(['postgres', 'template0', 'template1']) + + # self.databases will be update by add_rule and gives some idea of the number of users + # (at least that are handled by this pg_hba) since this might also be groups with multiple + # users, this might be totally off, but at least it is some info... + self.users = set(['postgres']) + + self.preexisting_rules = None + self.read() + + def clear_rules(self): + self.rules = {} + + def unchanged(self): + ''' + This method resets self.diff to a empty default + ''' + self.diff = {'before': {'file': self.pg_hba_file, 'pg_hba': []}, + 'after': {'file': self.pg_hba_file, 'pg_hba': []}} + + def read(self): + ''' + Read in the pg_hba from the system + ''' + self.rules = {} + self.comment = [] + # read the pg_hbafile + try: + with open(self.pg_hba_file, 'r') as file: + for line in file: + # split into line and comment + line = line.strip() + comment = None + if '#' in line: + line, comment = line.split('#', 1) + if comment == '': + comment = None + line = line.rstrip() + # if there is just a comment, save it + if line == '': + if comment is not None: + self.comment.append('#' + comment) + else: + if comment is not None and not self.keep_comments_at_rules: + # save the comment independent of the line + self.comment.append('#' + comment) + comment = None + try: + self.add_rule(PgHbaRule(line=line, comment=comment)) + except PgHbaRuleError: + pass + self.unchanged() + self.preexisting_rules = dict(self.rules) + except IOError: + pass + + def write(self, backup_file=''): + ''' + This method writes the PgHba rules (back) to a file. + ''' + if not self.changed(): + return False + + contents = self.render() + if self.pg_hba_file: + if not (os.path.isfile(self.pg_hba_file) or self.create): + raise PgHbaError("pg_hba file '{0}' doesn't exist. " + "Use create option to autocreate.".format(self.pg_hba_file)) + if self.backup and os.path.isfile(self.pg_hba_file): + if backup_file: + self.last_backup = backup_file + else: + _backup_file_h, self.last_backup = tempfile.mkstemp(prefix='pg_hba') + shutil.copy(self.pg_hba_file, self.last_backup) + fileh = open(self.pg_hba_file, 'w') + else: + filed, _path = tempfile.mkstemp(prefix='pg_hba') + fileh = os.fdopen(filed, 'w') + + fileh.write(contents) + self.unchanged() + fileh.close() + return True + + def add_rule(self, rule): + ''' + This method can be used to add a rule to the list of rules in this PgHba object + ''' + key = rule.key() + try: + try: + oldrule = self.rules[key] + except KeyError: + raise PgHbaRuleChanged + ekeys = set(list(oldrule.keys()) + list(rule.keys())) + ekeys.remove('line') + for k in ekeys: + if oldrule.get(k) != rule.get(k): + raise PgHbaRuleChanged('{0} changes {1}'.format(rule, oldrule)) + except PgHbaRuleChanged: + self.rules[key] = rule + self.diff['after']['pg_hba'].append(rule.line()) + if rule['db'] not in ['all', 'samerole', 'samegroup', 'replication']: + databases = set(rule['db'].split(',')) + self.databases.update(databases) + if rule['usr'] != 'all': + user = rule['usr'] + if user[0] == '+': + user = user[1:] + self.users.add(user) + + def remove_rule(self, rule): + ''' + This method can be used to find and remove a rule. It doesn't look for the exact rule, only + the rule with the same key. + ''' + keys = rule.key() + try: + del self.rules[keys] + self.diff['before']['pg_hba'].append(rule.line()) + except KeyError: + pass + + def get_rules(self, with_lines=False): + ''' + This method returns all the rules of the PgHba object + ''' + rules = sorted(self.rules.values()) + for rule in rules: + ret = {} + for key, value in rule.items(): + ret[key] = value + if not with_lines: + if 'line' in ret: + del ret['line'] + else: + ret['line'] = rule.line() + + yield ret + + def render(self): + ''' + This method renders the content of the PgHba rules and comments. + The returning value can be used directly to write to a new file. + ''' + comment = '\n'.join(self.comment) + rule_lines = [] + for rule in self.get_rules(with_lines=True): + if 'comment' in rule: + rule_lines.append(rule['line'] + '\t#' + rule['comment']) + else: + rule_lines.append(rule['line']) + result = comment + '\n' + '\n'.join(rule_lines) + # End it properly with a linefeed (if not already). + if result and result[-1] not in ['\n', '\r']: + result += '\n' + return result + + def changed(self): + ''' + This method can be called to detect if the PgHba file has been changed. + ''' + if not self.preexisting_rules and not self.rules: + return False + return self.preexisting_rules != self.rules + + +class PgHbaRule(dict): + ''' + This class represents one rule as defined in a line in a PgHbaFile. + ''' + + def __init__(self, contype=None, databases=None, users=None, source=None, netmask=None, + method=None, options=None, line=None, comment=None): + ''' + This function can be called with a comma seperated list of databases and a comma seperated + list of users and it will act as a generator that returns a expanded list of rules one by + one. + ''' + + super(PgHbaRule, self).__init__() + + if line: + # Read values from line if parsed + self.fromline(line) + + if comment: + self['comment'] = comment + + # read rule cols from parsed items + rule = dict(zip(PG_HBA_HDR, [contype, databases, users, source, netmask, method, options])) + for key, value in rule.items(): + if value: + self[key] = value + + # Some sanity checks + for key in ['method', 'type']: + if key not in self: + raise PgHbaRuleError('Missing {0} in rule {1}'.format(key, self)) + + if self['method'] not in PG_HBA_METHODS: + msg = "invalid method {0} (should be one of '{1}')." + raise PgHbaRuleValueError(msg.format(self['method'], "', '".join(PG_HBA_METHODS))) + + if self['type'] not in PG_HBA_TYPES: + msg = "invalid connection type {0} (should be one of '{1}')." + raise PgHbaRuleValueError(msg.format(self['type'], "', '".join(PG_HBA_TYPES))) + + if self['type'] == 'local': + self.unset('src') + self.unset('mask') + elif 'src' not in self: + raise PgHbaRuleError('Missing src in rule {1}'.format(self)) + elif '/' in self['src']: + self.unset('mask') + else: + self['src'] = str(self.source()) + self.unset('mask') + + def unset(self, key): + ''' + This method is used to unset certain columns if they exist + ''' + if key in self: + del self[key] + + def line(self): + ''' + This method can be used to return (or generate) the line + ''' + try: + return self['line'] + except KeyError: + self['line'] = "\t".join([self[k] for k in PG_HBA_HDR if k in self.keys()]) + return self['line'] + + def fromline(self, line): + ''' + split into 'type', 'db', 'usr', 'src', 'mask', 'method', 'options' cols + ''' + if WHITESPACES_RE.sub('', line) == '': + # empty line. skip this one... + return + cols = WHITESPACES_RE.split(line) + if len(cols) < 4: + msg = "Rule {0} has too few columns." + raise PgHbaValueError(msg.format(line)) + if cols[0] not in PG_HBA_TYPES: + msg = "Rule {0} has unknown type: {1}." + raise PgHbaValueError(msg.format(line, cols[0])) + if cols[0] == 'local': + cols.insert(3, None) # No address + cols.insert(3, None) # No IP-mask + if len(cols) < 6: + cols.insert(4, None) # No IP-mask + elif cols[5] not in PG_HBA_METHODS: + cols.insert(4, None) # No IP-mask + if cols[5] not in PG_HBA_METHODS: + raise PgHbaValueError("Rule {0} of '{1}' type has invalid auth-method '{2}'".format(line, cols[0], cols[5])) + + if len(cols) < 7: + cols.insert(6, None) # No auth-options + else: + cols[6] = " ".join(cols[6:]) # combine all auth-options + rule = dict(zip(PG_HBA_HDR, cols[:7])) + for key, value in rule.items(): + if value: + self[key] = value + + def key(self): + ''' + This method can be used to get the key from a rule. + ''' + if self['type'] == 'local': + source = 'local' + else: + source = str(self.source()) + return (source, self['db'], self['usr']) + + def source(self): + ''' + This method is used to get the source of a rule as an ipaddress object if possible. + ''' + if 'mask' in self.keys(): + try: + ipaddress.ip_address(u'{0}'.format(self['src'])) + except ValueError: + raise PgHbaValueError('Mask was specified, but source "{0}" ' + 'is not valid ip'.format(self['src'])) + # ipaddress module cannot work with ipv6 netmask, so lets convert it to prefixlen + # furthermore ipv4 with bad netmask throws 'Rule {} doesn't seem to be an ip, but has a + # mask error that doesn't seem to describe what is going on. + try: + mask_as_ip = ipaddress.ip_address(u'{0}'.format(self['mask'])) + except ValueError: + raise PgHbaValueError('Mask {0} seems to be invalid'.format(self['mask'])) + binvalue = "{0:b}".format(int(mask_as_ip)) + if '01' in binvalue: + raise PgHbaValueError('IP mask {0} seems invalid ' + '(binary value has 1 after 0)'.format(self['mask'])) + prefixlen = binvalue.count('1') + sourcenw = '{0}/{1}'.format(self['src'], prefixlen) + try: + return ipaddress.ip_network(u'{0}'.format(sourcenw), strict=False) + except ValueError: + raise PgHbaValueError('{0} is not valid address range'.format(sourcenw)) + + try: + return ipaddress.ip_network(u'{0}'.format(self['src']), strict=False) + except ValueError: + return self['src'] + + def __lt__(self, other): + """This function helps sorted to decide how to sort. + + It just checks itself against the other and decides on some key values + if it should be sorted higher or lower in the list. + The way it works: + For networks, every 1 in 'netmask in binary' makes the subnet more specific. + Therefore I chose to use prefix as the weight. + So a single IP (/32) should have twice the weight of a /16 network. + To keep everything in the same weight scale, + - for ipv6, we use a weight scale of 0 (all possible ipv6 addresses) to 128 (single ip) + - for ipv4, we use a weight scale of 0 (all possible ipv4 addresses) to 128 (single ip) + Therefore for ipv4, we use prefixlen (0-32) * 4 for weight, + which corresponds to ipv6 (0-128). + """ + myweight = self.source_weight() + hisweight = other.source_weight() + if myweight != hisweight: + return myweight > hisweight + + myweight = self.db_weight() + hisweight = other.db_weight() + if myweight != hisweight: + return myweight < hisweight + + myweight = self.user_weight() + hisweight = other.user_weight() + if myweight != hisweight: + return myweight < hisweight + try: + return self['src'] < other['src'] + except TypeError: + return self.source_type_weight() < other.source_type_weight() + except Exception: + # When all else fails, just compare the exact line. + return self.line() < other.line() + + def source_weight(self): + """Report the weight of this source net. + + Basically this is the netmask, where IPv4 is normalized to IPv6 + (IPv4/32 has the same weight as IPv6/128). + """ + if self['type'] == 'local': + return 130 + + sourceobj = self.source() + if isinstance(sourceobj, ipaddress.IPv4Network): + return sourceobj.prefixlen * 4 + if isinstance(sourceobj, ipaddress.IPv6Network): + return sourceobj.prefixlen + if isinstance(sourceobj, str): + # You can also write all to match any IP address, + # samehost to match any of the server's own IP addresses, + # or samenet to match any address in any subnet that the server is connected to. + if sourceobj == 'all': + # (all is considered the full range of all ips, which has a weight of 0) + return 0 + if sourceobj == 'samehost': + # (sort samehost second after local) + return 129 + if sourceobj == 'samenet': + # Might write some fancy code to determine all prefix's + # from all interfaces and find a sane value for this one. + # For now, let's assume IPv4/24 or IPv6/96 (both have weight 96). + return 96 + if sourceobj[0] == '.': + # suffix matching (domain name), let's assume a very large scale + # and therefore a very low weight IPv4/16 or IPv6/64 (both have weight 64). + return 64 + # hostname, let's assume only one host matches, which is + # IPv4/32 or IPv6/128 (both have weight 128) + return 128 + raise PgHbaValueError('Cannot deduct the source weight of this source {1}'.format(sourceobj)) + + def source_type_weight(self): + """Give a weight on the type of this source. + + Basically make sure that IPv6Networks are sorted higher than IPv4Networks. + This is a 'when all else fails' solution in __lt__. + """ + if self['type'] == 'local': + return 3 + + sourceobj = self.source() + if isinstance(sourceobj, ipaddress.IPv4Network): + return 2 + if isinstance(sourceobj, ipaddress.IPv6Network): + return 1 + if isinstance(sourceobj, str): + return 0 + raise PgHbaValueError('This source {0} is of an unknown type...'.format(sourceobj)) + + def db_weight(self): + """Report the weight of the database. + + Normally, just 1, but for replication this is 0, and for 'all', this is more than 2. + """ + if self['db'] == 'all': + return 100000 + if self['db'] == 'replication': + return 0 + if self['db'] in ['samerole', 'samegroup']: + return 1 + return 1 + self['db'].count(',') + + def user_weight(self): + """Report weight when comparing users.""" + if self['usr'] == 'all': + return 1000000 + return 1 + + +def main(): + ''' + This function is the main function of this module + ''' + # argument_spec = postgres_common_argument_spec() + argument_spec = dict() + argument_spec.update( + address=dict(type='str', default='samehost', aliases=['source', 'src']), + backup=dict(type='bool', default=False), + backup_file=dict(type='str'), + contype=dict(type='str', default=None, choices=PG_HBA_TYPES), + comment=dict(type='str', default=None), + create=dict(type='bool', default=False), + databases=dict(type='str', default='all'), + dest=dict(type='path', required=True), + method=dict(type='str', default='md5', choices=PG_HBA_METHODS), + netmask=dict(type='str'), + options=dict(type='str'), + order=dict(type='str', default="sdu", choices=PG_HBA_ORDERS, + removed_in_version='3.0.0', removed_from_collection='community.postgresql'), + keep_comments_at_rules=dict(type='bool', default=False), + state=dict(type='str', default="present", choices=["absent", "present"]), + users=dict(type='str', default='all'), + rules=dict(type='list', elements='dict'), + rules_behavior=dict(type='str', default='conflict', choices=['combine', 'conflict']), + overwrite=dict(type='bool', default=False), + ) + module = AnsibleModule( + argument_spec=argument_spec, + add_file_common_args=True, + supports_check_mode=True + ) + if IPADDRESS_IMP_ERR is not None: + module.fail_json(msg=missing_required_lib('ipaddress'), exception=IPADDRESS_IMP_ERR) + + create = bool(module.params["create"] or module.check_mode) + if module.check_mode: + backup = False + else: + backup = module.params['backup'] + dest = module.params["dest"] + order = module.params["order"] + keep_comments_at_rules = module.params["keep_comments_at_rules"] + rules = module.params["rules"] + rules_behavior = module.params["rules_behavior"] + overwrite = module.params["overwrite"] + + ret = {'msgs': []} + try: + pg_hba = PgHba(dest, order, backup=backup, create=create, keep_comments_at_rules=keep_comments_at_rules) + except PgHbaError as error: + module.fail_json(msg='Error reading file:\n{0}'.format(error)) + + if overwrite: + pg_hba.clear_rules() + + rule_keys = [ + 'address', + 'comment', + 'contype', + 'databases', + 'method', + 'netmask', + 'options', + 'state', + 'users' + ] + if rules is None: + single_rule = dict() + for key in rule_keys: + single_rule[key] = module.params[key] + rules = [single_rule] + else: + if rules_behavior == 'conflict': + # it's ok if the module default is set + used_rule_keys = [key for key in rule_keys if module.params[key] != argument_spec[key].get('default', None)] + if len(used_rule_keys) > 0: + module.fail_json(msg='conflict: either argument "rules_behavior" needs to be changed or "rules" must' + ' not be set or {0} must not be set'.format(used_rule_keys)) + + new_rules = [] + for index, rule in enumerate(rules): + # alias handling + address_keys = [key for key in rule.keys() if key in ('address', 'source', 'src')] + if len(address_keys) > 1: + module.fail_json(msg='rule number {0} of the "rules" argument ({1}) uses ambiguous settings: ' + '{2} are aliases, only one is allowed'.format(index, address_keys, rule)) + if len(address_keys) == 1: + address = rule[address_keys[0]] + del rule[address_keys[0]] + rule['address'] = address + + for key in rule_keys: + if key not in rule: + if rules_behavior == 'combine': + # use user-supplied defaults or module defaults + rule[key] = module.params[key] + else: + # use module defaults + rule[key] = argument_spec[key].get('default', None) + new_rules.append(rule) + rules = new_rules + + for rule in rules: + if rule.get('contype', None) is None: + continue + + try: + for database in rule['databases'].split(','): + for user in rule['users'].split(','): + pg_hba_rule = PgHbaRule(rule['contype'], database, user, rule['address'], rule['netmask'], + rule['method'], rule['options'], comment=rule['comment']) + if rule['state'] == "present": + ret['msgs'].append('Adding rule {0}'.format(pg_hba_rule)) + pg_hba.add_rule(pg_hba_rule) + else: + ret['msgs'].append('Removing rule {0}'.format(pg_hba_rule)) + pg_hba.remove_rule(pg_hba_rule) + except PgHbaError as error: + module.fail_json(msg='Error modifying rules:\n{0}'.format(error)) + file_args = module.load_file_common_arguments(module.params) + ret['changed'] = changed = pg_hba.changed() + if changed: + ret['msgs'].append('Changed') + ret['diff'] = pg_hba.diff + + if not module.check_mode: + ret['msgs'].append('Writing') + try: + if pg_hba.write(module.params['backup_file']): + module.set_fs_attributes_if_different(file_args, True, pg_hba.diff, + expand=False) + except PgHbaError as error: + module.fail_json(msg='Error writing file:\n{0}'.format(error)) + if pg_hba.last_backup: + ret['backup_file'] = pg_hba.last_backup + + ret['pg_hba'] = list(pg_hba.get_rules()) + module.exit_json(**ret) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_ping.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_ping.py new file mode 100644 index 000000000..fd104022b --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_ping.py @@ -0,0 +1,215 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018-2020 Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_ping +short_description: Check remote PostgreSQL server availability +description: +- Simple module to check remote PostgreSQL server availability. +options: + db: + description: + - Name of a database to connect to. + type: str + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + version_added: '0.2.0' + trust_input: + description: + - If C(false), check whether a value of I(session_role) is potentially dangerous. + - It makes sense to use C(false) only when SQL injections via I(session_role) are possible. + type: bool + default: true + version_added: '0.2.0' +seealso: +- module: community.postgresql.postgresql_info +attributes: + check_mode: + support: full +author: +- Andrew Klychkov (@Andersson007) +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +# PostgreSQL ping dbsrv server from the shell: +# ansible dbsrv -m postgresql_ping + +# In the example below you need to generate certificates previously. +# See https://www.postgresql.org/docs/current/libpq-ssl.html for more information. +- name: > + Ping PostgreSQL server using non-default credentials and SSL + registering the return values into the result variable for future use + community.postgresql.postgresql_ping: + db: protected_db + login_host: dbsrv + login_user: secret + login_password: secret_pass + ca_cert: /root/root.crt + ssl_mode: verify-full + register: result + # If you need to fail when the server is not available, + # uncomment the following line: + #failed_when: not result.is_available + +# You can use the registered result with another task +- name: This task should be executed only if the server is available + # ... + when: result.is_available == true +''' + +RETURN = r''' +is_available: + description: PostgreSQL server availability. + returned: always + type: bool + sample: true +server_version: + description: PostgreSQL server version. + returned: always + type: dict + sample: { major: 13, minor: 2, full: '13.2', raw: 'PostgreSQL 13.2 on x86_64-pc-linux-gnu' } +conn_err_msg: + description: Connection error message. + returned: always + type: str + sample: '' + version_added: 1.7.0 +''' + +import re + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + + +# =========================================== +# PostgreSQL module specific support methods. +# + + +class PgPing(object): + def __init__(self, module, cursor): + self.module = module + self.cursor = cursor + self.is_available = False + self.version = {} + + def do(self): + self.get_pg_version() + return (self.is_available, self.version) + + def get_pg_version(self): + query = "SELECT version()" + raw = exec_sql(self, query, add_to_executed=False)[0][0] + + if not raw: + return + + self.is_available = True + + full = raw.split()[1] + m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", full) + + major = int(m.group(1)) + minor = int(m.group(2)) + patch = None + if m.group(3) is not None: + patch = int(m.group(3)) + + self.version = dict( + major=major, + minor=minor, + full=full, + raw=raw, + ) + + if patch is not None: + self.version['patch'] = patch + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + db=dict(type='str', aliases=['login_db']), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + if not module.params['trust_input']: + # Check input for potentially dangerous elements: + check_input(module, module.params['session_role']) + + # Set some default values: + cursor = False + db_connection = False + result = dict( + changed=False, + is_available=False, + server_version=dict(), + conn_err_msg='', + ) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params, warn_db_default=False) + db_connection, err = connect_to_db(module, conn_params, fail_on_conn=False) + if err: + result['conn_err_msg'] = err + + if db_connection is not None: + cursor = db_connection.cursor(cursor_factory=DictCursor) + + # Do job: + pg_ping = PgPing(module, cursor) + if cursor: + # If connection established: + result["is_available"], result["server_version"] = pg_ping.do() + cursor.close() + db_connection.close() + + module.exit_json(**result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_privs.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_privs.py new file mode 100644 index 000000000..44aaeba3b --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_privs.py @@ -0,0 +1,1216 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: Ansible Project +# Copyright: (c) 2019, Tobias Birkefeld (@tcraxs) <t@craxs.de> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_privs +short_description: Grant or revoke privileges on PostgreSQL database objects +description: +- Grant or revoke privileges on PostgreSQL database objects. +- This module is basically a wrapper around most of the functionality of + PostgreSQL's GRANT and REVOKE statements with detection of changes + (GRANT/REVOKE I(privs) ON I(type) I(objs) TO/FROM I(roles)). +- B(WARNING) The C(usage_on_types) option has been B(deprecated) and will be removed in + community.postgresql 3.0.0, please use the C(type) option with value C(type) to + GRANT/REVOKE permissions on types explicitly. +options: + database: + description: + - Name of database to connect to. + required: true + type: str + aliases: + - db + - login_db + state: + description: + - If C(present), the specified privileges are granted, if C(absent) they are revoked. + type: str + default: present + choices: [ absent, present ] + privs: + description: + - Comma separated list of privileges to grant/revoke. + type: str + aliases: + - priv + type: + description: + - Type of database object to set privileges on. + - The C(default_privs) choice is available starting at version 2.7. + - The C(foreign_data_wrapper) and C(foreign_server) object types are available since Ansible version 2.8. + - The C(type) choice is available since Ansible version 2.10. + - The C(procedure) is supported since collection version 1.3.0 and PostgreSQL 11. + type: str + default: table + choices: [ database, default_privs, foreign_data_wrapper, foreign_server, function, + group, language, table, tablespace, schema, sequence, type , procedure] + objs: + description: + - Comma separated list of database objects to set privileges on. + - If I(type) is C(table), C(partition table), C(sequence), C(function) or C(procedure), + the special value C(ALL_IN_SCHEMA) can be provided instead to specify all + database objects of I(type) in the schema specified via I(schema). + (This also works with PostgreSQL < 9.0.) (C(ALL_IN_SCHEMA) is available + for C(function) and C(partition table) since Ansible 2.8). + - C(procedure) is supported since PostgreSQL 11 and community.postgresql collection 1.3.0. + - If I(type) is C(database), this parameter can be omitted, in which case + privileges are set for the database specified via I(database). + - If I(type) is C(function) or C(procedure), colons (":") in object names will be + replaced with commas (needed to specify signatures, see examples). + type: str + aliases: + - obj + schema: + description: + - Schema that contains the database objects specified via I(objs). + - May only be provided if I(type) is C(table), C(sequence), C(function), C(procedure), C(type), + or C(default_privs). Defaults to C(public) in these cases. + - Pay attention, for embedded types when I(type=type) + I(schema) can be C(pg_catalog) or C(information_schema) respectively. + - If not specified, uses C(public). Not to pass any schema, use C(not-specified). + type: str + roles: + description: + - Comma separated list of role (user/group) names to set permissions for. + - The special value C(PUBLIC) can be provided instead to set permissions + for the implicitly defined PUBLIC group. + type: str + required: true + aliases: + - role + fail_on_role: + description: + - If C(true), fail when target role (for whom privs need to be granted) does not exist. + Otherwise just warn and continue. + default: true + type: bool + session_role: + description: + - Switch to session_role after connecting. + - The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though the session_role were the one that had logged in originally. + type: str + target_roles: + description: + - A list of existing role (user/group) names to set as the + default permissions for database objects subsequently created by them. + - Parameter I(target_roles) is only available with C(type=default_privs). + type: str + grant_option: + description: + - Whether C(role) may grant/revoke the specified privileges/group memberships to others. + - Set to C(false) to revoke GRANT OPTION, leave unspecified to make no changes. + - I(grant_option) only has an effect if I(state) is C(present). + type: bool + aliases: + - admin_option + password: + description: + - The password to authenticate with. + - This option has been B(deprecated) and will be removed in community.postgresql 4.0.0, + use the I(login_password) option instead. + - Mutually exclusive with I(login_password). + type: str + default: '' + trust_input: + description: + - If C(false), check whether values of parameters I(roles), I(target_roles), I(session_role), + I(schema) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' + usage_on_types: + description: + - This option has been B(deprecated) and will be removed in community.postgresql 3.0.0, + please use the I(type) option with value C(type) to GRANT/REVOKE permissions on types + explicitly. + - When adding default privileges, the module always implicitly adds ``USAGE ON TYPES``. + - To avoid this behavior, set I(usage_on_types) to C(false). + - Added to save backwards compatibility. + - Used only when adding default privileges, ignored otherwise. + type: bool + default: true + version_added: '1.2.0' + +notes: +- Parameters that accept comma separated lists (I(privs), I(objs), I(roles)) + have singular alias names (I(priv), I(obj), I(role)). +- To revoke only C(GRANT OPTION) for a specific object, set I(state) to + C(present) and I(grant_option) to C(false) (see examples). +- Note that when revoking privileges from a role R, this role may still have + access via privileges granted to any role R is a member of including C(PUBLIC). +- Note that when you use C(PUBLIC) role, the module always reports that the state has been changed. +- Note that when revoking privileges from a role R, you do so as the user + specified via I(login_user). If R has been granted the same privileges by + another user also, R can still access database objects via these privileges. +- When revoking privileges, C(RESTRICT) is assumed (see PostgreSQL docs). + +seealso: +- module: community.postgresql.postgresql_user +- module: community.postgresql.postgresql_owner +- module: community.postgresql.postgresql_membership +- name: PostgreSQL privileges + description: General information about PostgreSQL privileges. + link: https://www.postgresql.org/docs/current/ddl-priv.html +- name: PostgreSQL GRANT command reference + description: Complete reference of the PostgreSQL GRANT command documentation. + link: https://www.postgresql.org/docs/current/sql-grant.html +- name: PostgreSQL REVOKE command reference + description: Complete reference of the PostgreSQL REVOKE command documentation. + link: https://www.postgresql.org/docs/current/sql-revoke.html + +attributes: + check_mode: + support: full + +extends_documentation_fragment: +- community.postgresql.postgres + +author: +- Bernhard Weitzhofer (@b6d) +- Tobias Birkefeld (@tcraxs) +''' + +EXAMPLES = r''' +# On database "library": +# GRANT SELECT, INSERT, UPDATE ON TABLE public.books, public.authors +# TO librarian, reader WITH GRANT OPTION +- name: Grant privs to librarian and reader on database library + community.postgresql.postgresql_privs: + database: library + state: present + privs: SELECT,INSERT,UPDATE + type: table + objs: books,authors + schema: public + roles: librarian,reader + grant_option: true + +- name: Same as above leveraging default values + community.postgresql.postgresql_privs: + db: library + privs: SELECT,INSERT,UPDATE + objs: books,authors + roles: librarian,reader + grant_option: true + +# REVOKE GRANT OPTION FOR INSERT ON TABLE books FROM reader +# Note that role "reader" will be *granted* INSERT privilege itself if this +# isn't already the case (since state: present). +- name: Revoke privs from reader + community.postgresql.postgresql_privs: + db: library + state: present + priv: INSERT + obj: books + role: reader + grant_option: false + +# "public" is the default schema. This also works for PostgreSQL 8.x. +- name: REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader + community.postgresql.postgresql_privs: + db: library + state: absent + privs: INSERT,UPDATE + objs: ALL_IN_SCHEMA + role: reader + +- name: GRANT ALL PRIVILEGES ON SCHEMA public, math TO librarian + community.postgresql.postgresql_privs: + db: library + privs: ALL + type: schema + objs: public,math + role: librarian + +# Note the separation of arguments with colons. +- name: GRANT ALL PRIVILEGES ON FUNCTION math.add(int, int) TO librarian, reader + community.postgresql.postgresql_privs: + db: library + privs: ALL + type: function + obj: add(int:int) + schema: math + roles: librarian,reader + +# Note that group role memberships apply cluster-wide and therefore are not +# restricted to database "library" here. +- name: GRANT librarian, reader TO alice, bob WITH ADMIN OPTION + community.postgresql.postgresql_privs: + db: library + type: group + objs: librarian,reader + roles: alice,bob + admin_option: true + +# Note that here "db: postgres" specifies the database to connect to, not the +# database to grant privileges on (which is specified via the "objs" param) +- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian + community.postgresql.postgresql_privs: + db: postgres + privs: ALL + type: database + obj: library + role: librarian + +# If objs is omitted for type "database", it defaults to the database +# to which the connection is established +- name: GRANT ALL PRIVILEGES ON DATABASE library TO librarian + community.postgresql.postgresql_privs: + db: library + privs: ALL + type: database + role: librarian + +# Available since version 2.7 +# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS +# ALL_DEFAULT works only with privs=ALL +# For specific +- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO librarian + community.postgresql.postgresql_privs: + db: library + objs: ALL_DEFAULT + privs: ALL + type: default_privs + role: librarian + grant_option: true + +# Available since version 2.7 +# Objs must be set, ALL_DEFAULT to TABLES/SEQUENCES/TYPES/FUNCTIONS +# ALL_DEFAULT works only with privs=ALL +# For specific +- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 1 + community.postgresql.postgresql_privs: + db: library + objs: TABLES,SEQUENCES + privs: SELECT + type: default_privs + role: reader + +- name: ALTER DEFAULT PRIVILEGES ON DATABASE library TO reader, step 2 + community.postgresql.postgresql_privs: + db: library + objs: TYPES + privs: USAGE + type: default_privs + role: reader + +# Available since version 2.8 +- name: GRANT ALL PRIVILEGES ON FOREIGN DATA WRAPPER fdw TO reader + community.postgresql.postgresql_privs: + db: test + objs: fdw + privs: ALL + type: foreign_data_wrapper + role: reader + +# Available since community.postgresql 0.2.0 +- name: GRANT ALL PRIVILEGES ON TYPE customtype TO reader + community.postgresql.postgresql_privs: + db: test + objs: customtype + privs: ALL + type: type + role: reader + +# Available since version 2.8 +- name: GRANT ALL PRIVILEGES ON FOREIGN SERVER fdw_server TO reader + community.postgresql.postgresql_privs: + db: test + objs: fdw_server + privs: ALL + type: foreign_server + role: reader + +# Available since version 2.8 +# Grant 'execute' permissions on all functions in schema 'common' to role 'caller' +- name: GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA common TO caller + community.postgresql.postgresql_privs: + type: function + state: present + privs: EXECUTE + roles: caller + objs: ALL_IN_SCHEMA + schema: common + +# Available since collection version 1.3.0 +# Grant 'execute' permissions on all procedures in schema 'common' to role 'caller' +# Needs PostreSQL 11 or higher and community.postgresql 1.3.0 or higher +- name: GRANT EXECUTE ON ALL PROCEDURES IN SCHEMA common TO caller + community.postgresql.postgresql_privs: + type: procedure + state: present + privs: EXECUTE + roles: caller + objs: ALL_IN_SCHEMA + schema: common + +# Available since version 2.8 +# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library GRANT SELECT ON TABLES TO reader +# GRANT SELECT privileges for new TABLES objects created by librarian as +# default to the role reader. +# For specific +- name: ALTER privs + community.postgresql.postgresql_privs: + db: library + schema: library + objs: TABLES + privs: SELECT + type: default_privs + role: reader + target_roles: librarian + +# Available since version 2.8 +# ALTER DEFAULT PRIVILEGES FOR ROLE librarian IN SCHEMA library REVOKE SELECT ON TABLES FROM reader +# REVOKE SELECT privileges for new TABLES objects created by librarian as +# default from the role reader. +# For specific +- name: ALTER privs + community.postgresql.postgresql_privs: + db: library + state: absent + schema: library + objs: TABLES + privs: SELECT + type: default_privs + role: reader + target_roles: librarian + +# Available since community.postgresql 0.2.0 +- name: Grant type privileges for pg_catalog.numeric type to alice + community.postgresql.postgresql_privs: + type: type + roles: alice + privs: ALL + objs: numeric + schema: pg_catalog + db: acme + +- name: Alter default privileges grant usage on schemas to datascience + community.postgresql.postgresql_privs: + database: test + type: default_privs + privs: usage + objs: schemas + role: datascience +''' + +RETURN = r''' +queries: + description: List of executed queries. + returned: always + type: list + sample: ['REVOKE GRANT OPTION FOR INSERT ON TABLE "books" FROM "reader";'] +''' + +import traceback + +PSYCOPG2_IMP_ERR = None +try: + import psycopg2 + import psycopg2.extensions +except ImportError: + PSYCOPG2_IMP_ERR = traceback.format_exc() + psycopg2 = None + +# import module snippets +from ansible.module_utils.basic import AnsibleModule, missing_required_lib +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + pg_quote_identifier, + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import postgres_common_argument_spec, get_conn_params +from ansible.module_utils._text import to_native + +VALID_PRIVS = frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', + 'REFERENCES', 'TRIGGER', 'CREATE', 'CONNECT', + 'TEMPORARY', 'TEMP', 'EXECUTE', 'USAGE', 'ALL')) +VALID_DEFAULT_OBJS = {'TABLES': ('ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER'), + 'SEQUENCES': ('ALL', 'SELECT', 'UPDATE', 'USAGE'), + 'FUNCTIONS': ('ALL', 'EXECUTE'), + 'TYPES': ('ALL', 'USAGE'), + 'SCHEMAS': ('CREATE', 'USAGE'), } + +executed_queries = [] + + +class Error(Exception): + pass + + +def role_exists(module, cursor, rolname): + """Check user exists or not""" + query = "SELECT 1 FROM pg_roles WHERE rolname = '%s'" % rolname + try: + cursor.execute(query) + return cursor.rowcount > 0 + + except Exception as e: + module.fail_json(msg="Cannot execute SQL '%s': %s" % (query, to_native(e))) + + return False + + +# We don't have functools.partial in Python < 2.5 +def partial(f, *args, **kwargs): + """Partial function application""" + + def g(*g_args, **g_kwargs): + new_kwargs = kwargs.copy() + new_kwargs.update(g_kwargs) + return f(*(args + g_args), **g_kwargs) + + g.f = f + g.args = args + g.kwargs = kwargs + return g + + +class Connection(object): + """Wrapper around a psycopg2 connection with some convenience methods""" + + def __init__(self, params, module): + self.database = params.database + self.module = module + + conn_params = get_conn_params(module, params.__dict__, warn_db_default=False) + + sslrootcert = params.ca_cert + if psycopg2.__version__ < '2.4.3' and sslrootcert is not None: + raise ValueError('psycopg2 must be at least 2.4.3 in order to user the ca_cert parameter') + + self.connection = psycopg2.connect(**conn_params) + self.cursor = self.connection.cursor() + self.pg_version = self.connection.server_version + + def commit(self): + self.connection.commit() + + def rollback(self): + self.connection.rollback() + + @property + def encoding(self): + """Connection encoding in Python-compatible form""" + return psycopg2.extensions.encodings[self.connection.encoding] + + # Methods for querying database objects + + # PostgreSQL < 9.0 doesn't support "ALL TABLES IN SCHEMA schema"-like + # phrases in GRANT or REVOKE statements, therefore alternative methods are + # provided here. + + def schema_exists(self, schema): + query = """SELECT count(*) + FROM pg_catalog.pg_namespace WHERE nspname = %s""" + self.cursor.execute(query, (schema,)) + return self.cursor.fetchone()[0] > 0 + + def get_all_tables_in_schema(self, schema): + if schema: + if not self.schema_exists(schema): + raise Error('Schema "%s" does not exist.' % schema) + + query = """SELECT relname + FROM pg_catalog.pg_class c + JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace + WHERE nspname = %s AND relkind in ('r', 'v', 'm', 'p')""" + self.cursor.execute(query, (schema,)) + else: + query = ("SELECT relname FROM pg_catalog.pg_class " + "WHERE relkind in ('r', 'v', 'm', 'p')") + self.cursor.execute(query) + return [t[0] for t in self.cursor.fetchall()] + + def get_all_sequences_in_schema(self, schema): + if schema: + if not self.schema_exists(schema): + raise Error('Schema "%s" does not exist.' % schema) + query = """SELECT relname + FROM pg_catalog.pg_class c + JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace + WHERE nspname = %s AND relkind = 'S'""" + self.cursor.execute(query, (schema,)) + else: + self.cursor.execute("SELECT relname FROM pg_catalog.pg_class WHERE relkind = 'S'") + return [t[0] for t in self.cursor.fetchall()] + + def get_all_functions_in_schema(self, schema): + if schema: + if not self.schema_exists(schema): + raise Error('Schema "%s" does not exist.' % schema) + + query = ("SELECT p.proname, oidvectortypes(p.proargtypes) " + "FROM pg_catalog.pg_proc p " + "JOIN pg_namespace n ON n.oid = p.pronamespace " + "WHERE nspname = %s") + + if self.pg_version >= 110000: + query += " and p.prokind = 'f'" + + self.cursor.execute(query, (schema,)) + else: + self.cursor.execute("SELECT p.proname, oidvectortypes(p.proargtypes) FROM pg_catalog.pg_proc p") + return ["%s(%s)" % (t[0], t[1]) for t in self.cursor.fetchall()] + + def get_all_procedures_in_schema(self, schema): + if self.pg_version < 110000: + raise Error("PostgreSQL verion must be >= 11 for type=procedure. Exit") + + if schema: + if not self.schema_exists(schema): + raise Error('Schema "%s" does not exist.' % schema) + + query = ("SELECT p.proname, oidvectortypes(p.proargtypes) " + "FROM pg_catalog.pg_proc p " + "JOIN pg_namespace n ON n.oid = p.pronamespace " + "WHERE nspname = %s and p.prokind = 'p'") + + self.cursor.execute(query, (schema,)) + else: + query = ("SELECT p.proname, oidvectortypes(p.proargtypes) " + "FROM pg_catalog.pg_proc p WHERE p.prokind = 'p'") + self.cursor.execute(query) + return ["%s(%s)" % (t[0], t[1]) for t in self.cursor.fetchall()] + + # Methods for getting access control lists and group membership info + + # To determine whether anything has changed after granting/revoking + # privileges, we compare the access control lists of the specified database + # objects before and afterwards. Python's list/string comparison should + # suffice for change detection, we should not actually have to parse ACLs. + # The same should apply to group membership information. + + def get_table_acls(self, schema, tables): + if schema: + query = """SELECT relacl + FROM pg_catalog.pg_class c + JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace + WHERE nspname = %s AND relkind in ('r','p','v','m') AND relname = ANY (%s) + ORDER BY relname""" + self.cursor.execute(query, (schema, tables)) + else: + query = ("SELECT relacl FROM pg_catalog.pg_class " + "WHERE relkind in ('r','p','v','m') AND relname = ANY (%s) " + "ORDER BY relname") + self.cursor.execute(query) + return [t[0] for t in self.cursor.fetchall()] + + def get_sequence_acls(self, schema, sequences): + if schema: + query = """SELECT relacl + FROM pg_catalog.pg_class c + JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace + WHERE nspname = %s AND relkind = 'S' AND relname = ANY (%s) + ORDER BY relname""" + self.cursor.execute(query, (schema, sequences)) + else: + query = ("SELECT relacl FROM pg_catalog.pg_class " + "WHERE relkind = 'S' AND relname = ANY (%s) ORDER BY relname") + self.cursor.execute(query) + return [t[0] for t in self.cursor.fetchall()] + + def get_function_acls(self, schema, function_signatures): + funcnames = [f.split('(', 1)[0] for f in function_signatures] + if schema: + query = """SELECT proacl + FROM pg_catalog.pg_proc p + JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace + WHERE nspname = %s AND proname = ANY (%s) + ORDER BY proname, proargtypes""" + self.cursor.execute(query, (schema, funcnames)) + else: + query = ("SELECT proacl FROM pg_catalog.pg_proc WHERE proname = ANY (%s) " + "ORDER BY proname, proargtypes") + self.cursor.execute(query) + return [t[0] for t in self.cursor.fetchall()] + + def get_schema_acls(self, schemas): + query = """SELECT nspacl FROM pg_catalog.pg_namespace + WHERE nspname = ANY (%s) ORDER BY nspname""" + self.cursor.execute(query, (schemas,)) + return [t[0] for t in self.cursor.fetchall()] + + def get_language_acls(self, languages): + query = """SELECT lanacl FROM pg_catalog.pg_language + WHERE lanname = ANY (%s) ORDER BY lanname""" + self.cursor.execute(query, (languages,)) + return [t[0] for t in self.cursor.fetchall()] + + def get_tablespace_acls(self, tablespaces): + query = """SELECT spcacl FROM pg_catalog.pg_tablespace + WHERE spcname = ANY (%s) ORDER BY spcname""" + self.cursor.execute(query, (tablespaces,)) + return [t[0] for t in self.cursor.fetchall()] + + def get_database_acls(self, databases): + query = """SELECT datacl FROM pg_catalog.pg_database + WHERE datname = ANY (%s) ORDER BY datname""" + self.cursor.execute(query, (databases,)) + return [t[0] for t in self.cursor.fetchall()] + + def get_group_memberships(self, groups): + query = """SELECT roleid, grantor, member, admin_option + FROM pg_catalog.pg_auth_members am + JOIN pg_catalog.pg_roles r ON r.oid = am.roleid + WHERE r.rolname = ANY(%s) + ORDER BY roleid, grantor, member""" + self.cursor.execute(query, (groups,)) + return self.cursor.fetchall() + + def get_default_privs(self, schema, *args): + if schema: + query = """SELECT defaclacl + FROM pg_default_acl a + JOIN pg_namespace b ON a.defaclnamespace=b.oid + WHERE b.nspname = %s;""" + self.cursor.execute(query, (schema,)) + else: + self.cursor.execute("SELECT defaclacl FROM pg_default_acl;") + return [t[0] for t in self.cursor.fetchall()] + + def get_foreign_data_wrapper_acls(self, fdws): + query = """SELECT fdwacl FROM pg_catalog.pg_foreign_data_wrapper + WHERE fdwname = ANY (%s) ORDER BY fdwname""" + self.cursor.execute(query, (fdws,)) + return [t[0] for t in self.cursor.fetchall()] + + def get_foreign_server_acls(self, fs): + query = """SELECT srvacl FROM pg_catalog.pg_foreign_server + WHERE srvname = ANY (%s) ORDER BY srvname""" + self.cursor.execute(query, (fs,)) + return [t[0] for t in self.cursor.fetchall()] + + def get_type_acls(self, schema, types): + if schema: + query = """SELECT t.typacl FROM pg_catalog.pg_type t + JOIN pg_catalog.pg_namespace n ON n.oid = t.typnamespace + WHERE n.nspname = %s AND t.typname = ANY (%s) ORDER BY typname""" + self.cursor.execute(query, (schema, types)) + else: + query = "SELECT typacl FROM pg_catalog.pg_type WHERE typname = ANY (%s) ORDER BY typname" + self.cursor.execute(query) + return [t[0] for t in self.cursor.fetchall()] + + # Manipulating privileges + + # WARNING: usage_on_types has been deprecated and will be removed in community.postgresql 3.0.0, please use an obj_type of 'type' instead. + def manipulate_privs(self, obj_type, privs, objs, orig_objs, roles, target_roles, + state, grant_option, schema_qualifier=None, fail_on_role=True, usage_on_types=True): + """Manipulate database object privileges. + + :param obj_type: Type of database object to grant/revoke + privileges for. + :param privs: Either a list of privileges to grant/revoke + or None if type is "group". + :param objs: List of database objects to grant/revoke + privileges for. + :param orig_objs: ALL_IN_SCHEMA or None + :param roles: Either a list of role names or "PUBLIC" + for the implicitly defined "PUBLIC" group + :param target_roles: List of role names to grant/revoke + default privileges as. + :param state: "present" to grant privileges, "absent" to revoke. + :param grant_option: Only for state "present": If True, set + grant/admin option. If False, revoke it. + If None, don't change grant option. + :param schema_qualifier: Some object types ("TABLE", "SEQUENCE", + "FUNCTION") must be qualified by schema. + Ignored for other Types. + """ + # get_status: function to get current status + if obj_type == 'table': + get_status = partial(self.get_table_acls, schema_qualifier) + elif obj_type == 'sequence': + get_status = partial(self.get_sequence_acls, schema_qualifier) + elif obj_type in ('function', 'procedure'): + get_status = partial(self.get_function_acls, schema_qualifier) + elif obj_type == 'schema': + get_status = self.get_schema_acls + elif obj_type == 'language': + get_status = self.get_language_acls + elif obj_type == 'tablespace': + get_status = self.get_tablespace_acls + elif obj_type == 'database': + get_status = self.get_database_acls + elif obj_type == 'group': + get_status = self.get_group_memberships + elif obj_type == 'default_privs': + get_status = partial(self.get_default_privs, schema_qualifier) + elif obj_type == 'foreign_data_wrapper': + get_status = self.get_foreign_data_wrapper_acls + elif obj_type == 'foreign_server': + get_status = self.get_foreign_server_acls + elif obj_type == 'type': + get_status = partial(self.get_type_acls, schema_qualifier) + else: + raise Error('Unsupported database object type "%s".' % obj_type) + + # Return False (nothing has changed) if there are no objs to work on. + if not objs: + return False + + quoted_schema_qualifier = '"%s"' % schema_qualifier.replace('"', '""') if schema_qualifier else None + # obj_ids: quoted db object identifiers (sometimes schema-qualified) + if obj_type in ('function', 'procedure'): + obj_ids = [] + for obj in objs: + try: + f, args = obj.split('(', 1) + except Exception: + raise Error('Illegal function / procedure signature: "%s".' % obj) + obj_ids.append('%s."%s"(%s' % (quoted_schema_qualifier, f, args)) + elif obj_type in ['table', 'sequence', 'type']: + obj_ids = ['%s."%s"' % (quoted_schema_qualifier, o) for o in objs] + else: + obj_ids = ['"%s"' % o for o in objs] + + # set_what: SQL-fragment specifying what to set for the target roles: + # Either group membership or privileges on objects of a certain type + if obj_type == 'group': + set_what = ','.join(obj_ids) + elif obj_type == 'default_privs': + # We don't want privs to be quoted here + set_what = ','.join(privs) + else: + # function types are already quoted above + if obj_type not in ('function', 'procedure'): + obj_ids = [pg_quote_identifier(i, 'table') for i in obj_ids] + # Note: obj_type has been checked against a set of string literals + # and privs was escaped when it was parsed + # Note: Underscores are replaced with spaces to support multi-word obj_type + if orig_objs is not None: + set_what = '%s ON %s %s' % (','.join(privs), orig_objs, quoted_schema_qualifier) + else: + set_what = '%s ON %s %s' % (','.join(privs), obj_type.replace('_', ' '), ','.join(obj_ids)) + + # for_whom: SQL-fragment specifying for whom to set the above + if roles == 'PUBLIC': + for_whom = 'PUBLIC' + else: + for_whom = [] + for r in roles: + if not role_exists(self.module, self.cursor, r): + if fail_on_role: + self.module.fail_json(msg="Role '%s' does not exist" % r.strip()) + + else: + self.module.warn("Role '%s' does not exist, pass it" % r.strip()) + else: + for_whom.append('"%s"' % r) + + if not for_whom: + return False + + for_whom = ','.join(for_whom) + + # as_who: + as_who = None + if target_roles: + as_who = ','.join('"%s"' % r for r in target_roles) + + status_before = get_status(objs) + + query = QueryBuilder(state) \ + .for_objtype(obj_type) \ + .with_grant_option(grant_option) \ + .for_whom(for_whom) \ + .as_who(as_who) \ + .for_schema(quoted_schema_qualifier) \ + .set_what(set_what) \ + .for_objs(objs) \ + .usage_on_types(usage_on_types) \ + .build() + + executed_queries.append(query) + self.cursor.execute(query) + if roles == 'PUBLIC': + return True + + status_after = get_status(objs) + + def nonesorted(e): + # For python 3+ that can fail trying + # to compare NoneType elements by sort method. + if e is None: + return '' + return e + + status_before.sort(key=nonesorted) + status_after.sort(key=nonesorted) + return status_before != status_after + + +class QueryBuilder(object): + def __init__(self, state): + self._grant_option = None + self._for_whom = None + self._as_who = None + self._set_what = None + self._obj_type = None + self._state = state + self._schema = None + self._objs = None + self._usage_on_types = None + self.query = [] + + def for_objs(self, objs): + self._objs = objs + return self + + def for_schema(self, schema): + self._schema = ' IN SCHEMA %s' % schema if schema is not None else '' + return self + + def with_grant_option(self, option): + self._grant_option = option + return self + + def for_whom(self, who): + self._for_whom = who + return self + + def usage_on_types(self, usage_on_types): + self._usage_on_types = usage_on_types + return self + + def as_who(self, target_roles): + self._as_who = target_roles + return self + + def set_what(self, what): + self._set_what = what + return self + + def for_objtype(self, objtype): + self._obj_type = objtype + return self + + def build(self): + if self._state == 'present': + self.build_present() + elif self._state == 'absent': + self.build_absent() + else: + self.build_absent() + return '\n'.join(self.query) + + def add_default_revoke(self): + for obj in self._objs: + if self._as_who: + self.query.append( + 'ALTER DEFAULT PRIVILEGES FOR ROLE {0}{1} REVOKE ALL ON {2} FROM {3};'.format(self._as_who, + self._schema, obj, + self._for_whom)) + else: + self.query.append( + 'ALTER DEFAULT PRIVILEGES{0} REVOKE ALL ON {1} FROM {2};'.format(self._schema, obj, + self._for_whom)) + + def add_grant_option(self): + if self._grant_option: + if self._obj_type == 'group': + self.query[-1] += ' WITH ADMIN OPTION;' + else: + self.query[-1] += ' WITH GRANT OPTION;' + elif self._grant_option is False: + self.query[-1] += ';' + if self._obj_type == 'group': + self.query.append('REVOKE ADMIN OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom)) + elif not self._obj_type == 'default_privs': + self.query.append('REVOKE GRANT OPTION FOR {0} FROM {1};'.format(self._set_what, self._for_whom)) + else: + self.query[-1] += ';' + + def add_default_priv(self): + for obj in self._objs: + if self._as_who: + self.query.append( + 'ALTER DEFAULT PRIVILEGES FOR ROLE {0}{1} GRANT {2} ON {3} TO {4}'.format(self._as_who, + self._schema, + self._set_what, + obj, + self._for_whom)) + else: + self.query.append( + 'ALTER DEFAULT PRIVILEGES{0} GRANT {1} ON {2} TO {3}'.format(self._schema, + self._set_what, + obj, + self._for_whom)) + self.add_grant_option() + + if self._usage_on_types: + + if self._as_who: + self.query.append( + 'ALTER DEFAULT PRIVILEGES FOR ROLE {0}{1} GRANT USAGE ON TYPES TO {2}'.format(self._as_who, + self._schema, + self._for_whom)) + else: + self.query.append( + 'ALTER DEFAULT PRIVILEGES{0} GRANT USAGE ON TYPES TO {1}'.format(self._schema, self._for_whom)) + self.add_grant_option() + + def build_present(self): + if self._obj_type == 'default_privs': + self.add_default_revoke() + self.add_default_priv() + else: + self.query.append('GRANT {0} TO {1}'.format(self._set_what, self._for_whom)) + self.add_grant_option() + + def build_absent(self): + if self._obj_type == 'default_privs': + self.query = [] + for obj in ['TABLES', 'SEQUENCES', 'TYPES']: + if self._as_who: + self.query.append( + 'ALTER DEFAULT PRIVILEGES FOR ROLE {0}{1} REVOKE ALL ON {2} FROM {3};'.format(self._as_who, + self._schema, obj, + self._for_whom)) + else: + self.query.append( + 'ALTER DEFAULT PRIVILEGES{0} REVOKE ALL ON {1} FROM {2};'.format(self._schema, obj, + self._for_whom)) + else: + self.query.append('REVOKE {0} FROM {1};'.format(self._set_what, self._for_whom)) + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + database=dict(required=True, aliases=['db', 'login_db']), + state=dict(default='present', choices=['present', 'absent']), + privs=dict(required=False, aliases=['priv']), + type=dict(default='table', + choices=['table', + 'sequence', + 'function', + 'procedure', + 'database', + 'schema', + 'language', + 'tablespace', + 'group', + 'default_privs', + 'foreign_data_wrapper', + 'foreign_server', + 'type', ]), + objs=dict(required=False, aliases=['obj']), + schema=dict(required=False), + roles=dict(required=True, aliases=['role']), + session_role=dict(required=False), + target_roles=dict(required=False), + grant_option=dict(required=False, type='bool', + aliases=['admin_option']), + # WARNING: password is deprecated and will be removed in community.postgresql 4.0.0, + # login_password should be used instead + password=dict(default='', no_log=True, + removed_in_version='4.0.0', + removed_from_collection='community.postgreql'), + fail_on_role=dict(type='bool', default=True), + trust_input=dict(type='bool', default=True), + usage_on_types=dict(type='bool', default=True, + removed_in_version='3.0.0', + removed_from_collection='community.postgresql'), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + fail_on_role = module.params['fail_on_role'] + usage_on_types = module.params['usage_on_types'] + + # Create type object as namespace for module params + p = type('Params', (), module.params) + + # WARNING: password is deprecated and will be removed in community.postgresql 4.0.0, + # login_password should be used instead + # https://github.com/ansible-collections/community.postgresql/issues/406 + if p.password: + if p.login_password: + module.fail_json(msg='Use the "password" or "login_password" option but not both ' + 'to pass a password to log in with.') + p.login_password = p.password + + # param "schema": default, allowed depends on param "type" + if p.type in ['table', 'sequence', 'function', 'procedure', 'type', 'default_privs']: + if p.objs == 'schemas' or p.schema == 'not-specified': + p.schema = None + else: + p.schema = p.schema or 'public' + elif p.schema: + module.fail_json(msg='Argument "schema" is not allowed ' + 'for type "%s".' % p.type) + + # param "objs": ALL_IN_SCHEMA can be used only + # when param "type" is table, sequence, function or procedure + if p.objs == 'ALL_IN_SCHEMA' and p.type not in ('table', 'sequence', 'function', 'procedure'): + module.fail_json(msg='Argument "objs": ALL_IN_SCHEMA can be used only for ' + 'type: table, sequence, function or procedure, ' + '%s was passed.' % p.type) + + # param "objs": default, required depends on param "type" + if p.type == 'database': + p.objs = p.objs or p.database + elif not p.objs: + module.fail_json(msg='Argument "objs" is required ' + 'for type "%s".' % p.type) + + # param "privs": allowed, required depends on param "type" + if p.type == 'group': + if p.privs: + module.fail_json(msg='Argument "privs" is not allowed ' + 'for type "group".') + elif not p.privs: + module.fail_json(msg='Argument "privs" is required ' + 'for type "%s".' % p.type) + + # Check input + if not p.trust_input: + # Check input for potentially dangerous elements: + check_input(module, p.roles, p.target_roles, p.session_role, p.schema) + + # Connect to Database + if not psycopg2: + module.fail_json(msg=missing_required_lib('psycopg2'), exception=PSYCOPG2_IMP_ERR) + try: + conn = Connection(p, module) + except psycopg2.Error as e: + module.fail_json(msg='Could not connect to database: %s' % to_native(e), exception=traceback.format_exc()) + except TypeError as e: + if 'sslrootcert' in e.args[0]: + module.fail_json(msg='Postgresql server must be at least version 8.4 to support sslrootcert') + module.fail_json(msg="unable to connect to database: %s" % to_native(e), exception=traceback.format_exc()) + except ValueError as e: + # We raise this when the psycopg library is too old + module.fail_json(msg=to_native(e)) + + if p.session_role: + try: + conn.cursor.execute('SET ROLE "%s"' % p.session_role) + except Exception as e: + module.fail_json(msg="Could not switch to role %s: %s" % (p.session_role, to_native(e)), exception=traceback.format_exc()) + + try: + # privs + if p.privs: + privs = frozenset(pr.upper() for pr in p.privs.split(',')) + if not privs.issubset(VALID_PRIVS): + module.fail_json(msg='Invalid privileges specified: %s' % privs.difference(VALID_PRIVS)) + else: + privs = None + # objs: + orig_objs = None + if p.objs == 'ALL_IN_SCHEMA': + if p.type == 'table': + objs = conn.get_all_tables_in_schema(p.schema) + elif p.type == 'sequence': + objs = conn.get_all_sequences_in_schema(p.schema) + elif p.type == 'function': + objs = conn.get_all_functions_in_schema(p.schema) + elif p.type == 'procedure': + objs = conn.get_all_procedures_in_schema(p.schema) + + if conn.pg_version >= 90000: + if p.type == 'table': + orig_objs = 'ALL TABLES IN SCHEMA' + elif p.type == 'sequence': + orig_objs = 'ALL SEQUENCES IN SCHEMA' + elif p.type == 'function': + orig_objs = 'ALL FUNCTIONS IN SCHEMA' + elif p.type == 'procedure': + orig_objs = 'ALL PROCEDURES IN SCHEMA' + + elif p.type == 'default_privs': + if p.objs == 'ALL_DEFAULT': + VALID_DEFAULT_OBJS.pop('SCHEMAS') + objs = frozenset(VALID_DEFAULT_OBJS.keys()) + else: + objs = frozenset(obj.upper() for obj in p.objs.split(',')) + if not objs.issubset(VALID_DEFAULT_OBJS): + module.fail_json( + msg='Invalid Object set specified: %s' % objs.difference(VALID_DEFAULT_OBJS.keys())) + # Again, do we have valid privs specified for object type: + valid_objects_for_priv = frozenset(obj for obj in objs if privs.issubset(VALID_DEFAULT_OBJS[obj])) + if not valid_objects_for_priv == objs: + module.fail_json( + msg='Invalid priv specified. Valid object for priv: {0}. Objects: {1}'.format( + valid_objects_for_priv, objs)) + else: + objs = p.objs.split(',') + + # function signatures are encoded using ':' to separate args + if p.type in ('function', 'procedure'): + objs = [obj.replace(':', ',') for obj in objs] + + # roles + if p.roles.upper() == 'PUBLIC': + roles = 'PUBLIC' + else: + roles = p.roles.split(',') + + if len(roles) == 1 and not role_exists(module, conn.cursor, roles[0]): + if fail_on_role: + module.fail_json(msg="Role '%s' does not exist" % roles[0].strip()) + else: + module.warn("Role '%s' does not exist, nothing to do" % roles[0].strip()) + module.exit_json(changed=False, queries=executed_queries) + + # check if target_roles is set with type: default_privs + if p.target_roles and not p.type == 'default_privs': + module.warn('"target_roles" will be ignored ' + 'Argument "type: default_privs" is required for usage of "target_roles".') + + # target roles + if p.target_roles: + target_roles = p.target_roles.split(',') + else: + target_roles = None + + changed = conn.manipulate_privs( + obj_type=p.type, + privs=privs, + objs=objs, + orig_objs=orig_objs, + roles=roles, + target_roles=target_roles, + state=p.state, + grant_option=p.grant_option, + schema_qualifier=p.schema, + fail_on_role=fail_on_role, + usage_on_types=usage_on_types, + ) + + except Error as e: + conn.rollback() + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + + except psycopg2.Error as e: + conn.rollback() + module.fail_json(msg=to_native(e)) + + if module.check_mode or not changed: + conn.rollback() + else: + conn.commit() + + conn.cursor.close() + conn.connection.close() + + module.exit_json(changed=changed, queries=executed_queries) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_publication.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_publication.py new file mode 100644 index 000000000..5edfc2abb --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_publication.py @@ -0,0 +1,691 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Loic Blot (@nerzhul) <loic.blot@unix-experience.fr> +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +DOCUMENTATION = r''' +--- +module: postgresql_publication +short_description: Add, update, or remove PostgreSQL publication +description: +- Add, update, or remove PostgreSQL publication. +options: + name: + description: + - Name of the publication to add, update, or remove. + required: true + type: str + db: + description: + - Name of the database to connect to and where + the publication state will be changed. + aliases: [ login_db ] + type: str + tables: + description: + - List of tables to add to the publication. + - If no value is set all tables are targeted. + - If the publication already exists for specific tables and I(tables) is not passed, + nothing will be changed. + - If you need to add all tables to the publication with the same name, + drop existent and create new without passing I(tables). + type: list + elements: str + state: + description: + - The publication state. + default: present + choices: [ absent, present ] + type: str + parameters: + description: + - Dictionary with optional publication parameters. + - Available parameters depend on PostgreSQL version. + type: dict + owner: + description: + - Publication owner. + - If I(owner) is not defined, the owner will be set as I(login_user) or I(session_role). + type: str + cascade: + description: + - Drop publication dependencies. Has effect with I(state=absent) only. + type: bool + default: false + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + version_added: '0.2.0' + trust_input: + description: + - If C(false), check whether values of parameters I(name), I(tables), I(owner), + I(session_role), I(params) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' + +notes: +- PostgreSQL version must be 10 or greater. + +attributes: + check_mode: + support: full + +seealso: +- name: CREATE PUBLICATION reference + description: Complete reference of the CREATE PUBLICATION command documentation. + link: https://www.postgresql.org/docs/current/sql-createpublication.html +- name: ALTER PUBLICATION reference + description: Complete reference of the ALTER PUBLICATION command documentation. + link: https://www.postgresql.org/docs/current/sql-alterpublication.html +- name: DROP PUBLICATION reference + description: Complete reference of the DROP PUBLICATION command documentation. + link: https://www.postgresql.org/docs/current/sql-droppublication.html +author: +- Loic Blot (@nerzhul) <loic.blot@unix-experience.fr> +- Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Create a new publication with name "acme" targeting all tables in database "test" + community.postgresql.postgresql_publication: + db: test + name: acme + +- name: Create publication "acme" publishing only prices and vehicles tables + community.postgresql.postgresql_publication: + name: acme + tables: + - prices + - vehicles + +- name: > + Create publication "acme", set user alice as an owner, targeting all tables + Allowable DML operations are INSERT and UPDATE only + community.postgresql.postgresql_publication: + name: acme + owner: alice + parameters: + publish: 'insert,update' + +- name: > + Assuming publication "acme" exists and there are targeted + tables "prices" and "vehicles", add table "stores" to the publication + community.postgresql.postgresql_publication: + name: acme + tables: + - prices + - vehicles + - stores + +- name: Remove publication "acme" if exists in database "test" + community.postgresql.postgresql_publication: + db: test + name: acme + state: absent +''' + +RETURN = r''' +exists: + description: + - Flag indicates the publication exists or not at the end of runtime. + returned: always + type: bool + sample: true +queries: + description: List of executed queries. + returned: always + type: str + sample: [ 'DROP PUBLICATION "acme" CASCADE' ] +owner: + description: Owner of the publication at the end of runtime. + returned: if publication exists + type: str + sample: "alice" +tables: + description: + - List of tables in the publication at the end of runtime. + - If all tables are published, returns empty list. + returned: if publication exists + type: list + sample: ["\"public\".\"prices\"", "\"public\".\"vehicles\""] +alltables: + description: + - Flag indicates that all tables are published. + returned: if publication exists + type: bool + sample: false +parameters: + description: Publication parameters at the end of runtime. + returned: if publication exists + type: dict + sample: {'publish': {'insert': false, 'delete': false, 'update': true}} +''' + + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, + pg_quote_identifier, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible.module_utils.six import iteritems + +SUPPORTED_PG_VERSION = 10000 + + +################################ +# Module functions and classes # +################################ + +def transform_tables_representation(tbl_list): + """Add 'public.' to names of tables where a schema identifier is absent + and add quotes to each element. + + Args: + tbl_list (list): List of table names. + + Returns: + tbl_list (list): Changed list. + """ + for i, table in enumerate(tbl_list): + if '.' not in table: + tbl_list[i] = pg_quote_identifier('public.%s' % table.strip(), 'table') + else: + tbl_list[i] = pg_quote_identifier(table.strip(), 'table') + + return tbl_list + + +class PgPublication(): + """Class to work with PostgreSQL publication. + + Args: + module (AnsibleModule): Object of AnsibleModule class. + cursor (cursor): Cursor object of psycopg2 library to work with PostgreSQL. + name (str): The name of the publication. + + Attributes: + module (AnsibleModule): Object of AnsibleModule class. + cursor (cursor): Cursor object of psycopg2 library to work with PostgreSQL. + name (str): Name of the publication. + executed_queries (list): List of executed queries. + attrs (dict): Dict with publication attributes. + exists (bool): Flag indicates the publication exists or not. + """ + + def __init__(self, module, cursor, name): + self.module = module + self.cursor = cursor + self.name = name + self.executed_queries = [] + self.attrs = { + 'alltables': False, + 'tables': [], + 'parameters': {}, + 'owner': '', + } + self.exists = self.check_pub() + + def get_info(self): + """Refresh the publication information. + + Returns: + ``self.attrs``. + """ + self.exists = self.check_pub() + return self.attrs + + def check_pub(self): + """Check the publication and refresh ``self.attrs`` publication attribute. + + Returns: + True if the publication with ``self.name`` exists, False otherwise. + """ + + pub_info = self.__get_general_pub_info() + + if not pub_info: + # Publication does not exist: + return False + + self.attrs['owner'] = pub_info.get('pubowner') + + # Publication DML operations: + self.attrs['parameters']['publish'] = {} + self.attrs['parameters']['publish']['insert'] = pub_info.get('pubinsert', False) + self.attrs['parameters']['publish']['update'] = pub_info.get('pubupdate', False) + self.attrs['parameters']['publish']['delete'] = pub_info.get('pubdelete', False) + if pub_info.get('pubtruncate'): + self.attrs['parameters']['publish']['truncate'] = pub_info.get('pubtruncate') + + # If alltables flag is False, get the list of targeted tables: + if not pub_info.get('puballtables'): + table_info = self.__get_tables_pub_info() + # Join sublists [['schema', 'table'], ...] to ['schema.table', ...] + # for better representation: + for i, schema_and_table in enumerate(table_info): + table_info[i] = pg_quote_identifier('.'.join(schema_and_table), 'table') + + self.attrs['tables'] = table_info + else: + self.attrs['alltables'] = True + + # Publication exists: + return True + + def create(self, tables, params, owner, check_mode=True): + """Create the publication. + + Args: + tables (list): List with names of the tables that need to be added to the publication. + params (dict): Dict contains optional publication parameters and their values. + owner (str): Name of the publication owner. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + changed (bool): True if publication has been created, otherwise False. + """ + changed = True + + query_fragments = ["CREATE PUBLICATION %s" % pg_quote_identifier(self.name, 'publication')] + + if tables: + query_fragments.append("FOR TABLE %s" % ', '.join(tables)) + else: + query_fragments.append("FOR ALL TABLES") + + if params: + params_list = [] + # Make list ["param = 'value'", ...] from params dict: + for (key, val) in iteritems(params): + params_list.append("%s = '%s'" % (key, val)) + + # Add the list to query_fragments: + query_fragments.append("WITH (%s)" % ', '.join(params_list)) + + changed = self.__exec_sql(' '.join(query_fragments), check_mode=check_mode) + + if owner: + # If check_mode, just add possible SQL to + # executed_queries and return: + self.__pub_set_owner(owner, check_mode=check_mode) + + return changed + + def update(self, tables, params, owner, check_mode=True): + """Update the publication. + + Args: + tables (list): List with names of the tables that need to be presented in the publication. + params (dict): Dict contains optional publication parameters and their values. + owner (str): Name of the publication owner. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + changed (bool): True if publication has been updated, otherwise False. + """ + changed = False + + # Add or drop tables from published tables suit: + if tables and not self.attrs['alltables']: + + # 1. If needs to add table to the publication: + for tbl in tables: + if tbl not in self.attrs['tables']: + # If needs to add table to the publication: + changed = self.__pub_add_table(tbl, check_mode=check_mode) + + # 2. if there is a table in targeted tables + # that's not presented in the passed tables: + for tbl in self.attrs['tables']: + if tbl not in tables: + changed = self.__pub_drop_table(tbl, check_mode=check_mode) + + elif tables and self.attrs['alltables']: + changed = self.__pub_set_tables(tables, check_mode=check_mode) + + # Update pub parameters: + if params: + for key, val in iteritems(params): + if self.attrs['parameters'].get(key): + + # In PostgreSQL 10/11 only 'publish' optional parameter is presented. + if key == 'publish': + # 'publish' value can be only a string with comma-separated items + # of allowed DML operations like 'insert,update' or + # 'insert,update,delete', etc. + # Make dictionary to compare with current attrs later: + val_dict = self.attrs['parameters']['publish'].copy() + val_list = val.split(',') + for v in val_dict: + if v in val_list: + val_dict[v] = True + else: + val_dict[v] = False + + # Compare val_dict and the dict with current 'publish' parameters, + # if they're different, set new values: + if val_dict != self.attrs['parameters']['publish']: + changed = self.__pub_set_param(key, val, check_mode=check_mode) + + # Default behavior for other cases: + elif self.attrs['parameters'][key] != val: + changed = self.__pub_set_param(key, val, check_mode=check_mode) + + else: + # If the parameter was not set before: + changed = self.__pub_set_param(key, val, check_mode=check_mode) + + # Update pub owner: + if owner: + if owner != self.attrs['owner']: + changed = self.__pub_set_owner(owner, check_mode=check_mode) + + return changed + + def drop(self, cascade=False, check_mode=True): + """Drop the publication. + + Kwargs: + cascade (bool): Flag indicates that publication needs to be deleted + with its dependencies. + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + changed (bool): True if publication has been updated, otherwise False. + """ + if self.exists: + query_fragments = [] + query_fragments.append("DROP PUBLICATION %s" % pg_quote_identifier(self.name, 'publication')) + if cascade: + query_fragments.append("CASCADE") + + return self.__exec_sql(' '.join(query_fragments), check_mode=check_mode) + + def __get_general_pub_info(self): + """Get and return general publication information. + + Returns: + Dict with publication information if successful, False otherwise. + """ + # Check pg_publication.pubtruncate exists (supported from PostgreSQL 11): + pgtrunc_sup = exec_sql(self, ("SELECT 1 FROM information_schema.columns " + "WHERE table_name = 'pg_publication' " + "AND column_name = 'pubtruncate'"), add_to_executed=False) + + if pgtrunc_sup: + query = ("SELECT r.rolname AS pubowner, p.puballtables, p.pubinsert, " + "p.pubupdate , p.pubdelete, p.pubtruncate FROM pg_publication AS p " + "JOIN pg_catalog.pg_roles AS r " + "ON p.pubowner = r.oid " + "WHERE p.pubname = %(pname)s") + else: + query = ("SELECT r.rolname AS pubowner, p.puballtables, p.pubinsert, " + "p.pubupdate , p.pubdelete FROM pg_publication AS p " + "JOIN pg_catalog.pg_roles AS r " + "ON p.pubowner = r.oid " + "WHERE p.pubname = %(pname)s") + + result = exec_sql(self, query, query_params={'pname': self.name}, add_to_executed=False) + if result: + return result[0] + else: + return False + + def __get_tables_pub_info(self): + """Get and return tables that are published by the publication. + + Returns: + List of dicts with published tables. + """ + query = ("SELECT schemaname, tablename " + "FROM pg_publication_tables WHERE pubname = %(pname)s") + return exec_sql(self, query, query_params={'pname': self.name}, add_to_executed=False) + + def __pub_add_table(self, table, check_mode=False): + """Add a table to the publication. + + Args: + table (str): Table name. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = ("ALTER PUBLICATION %s ADD TABLE %s" % (pg_quote_identifier(self.name, 'publication'), + pg_quote_identifier(table, 'table'))) + return self.__exec_sql(query, check_mode=check_mode) + + def __pub_drop_table(self, table, check_mode=False): + """Drop a table from the publication. + + Args: + table (str): Table name. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = ("ALTER PUBLICATION %s DROP TABLE %s" % (pg_quote_identifier(self.name, 'publication'), + pg_quote_identifier(table, 'table'))) + return self.__exec_sql(query, check_mode=check_mode) + + def __pub_set_tables(self, tables, check_mode=False): + """Set a table suit that need to be published by the publication. + + Args: + tables (list): List of tables. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + quoted_tables = [pg_quote_identifier(t, 'table') for t in tables] + query = ("ALTER PUBLICATION %s SET TABLE %s" % (pg_quote_identifier(self.name, 'publication'), + ', '.join(quoted_tables))) + return self.__exec_sql(query, check_mode=check_mode) + + def __pub_set_param(self, param, value, check_mode=False): + """Set an optional publication parameter. + + Args: + param (str): Name of the parameter. + value (str): Parameter value. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = ("ALTER PUBLICATION %s SET (%s = '%s')" % (pg_quote_identifier(self.name, 'publication'), + param, value)) + return self.__exec_sql(query, check_mode=check_mode) + + def __pub_set_owner(self, role, check_mode=False): + """Set a publication owner. + + Args: + role (str): Role (user) name that needs to be set as a publication owner. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = ('ALTER PUBLICATION %s ' + 'OWNER TO "%s"' % (pg_quote_identifier(self.name, 'publication'), role)) + return self.__exec_sql(query, check_mode=check_mode) + + def __exec_sql(self, query, check_mode=False): + """Execute SQL query. + + Note: If we need just to get information from the database, + we use ``exec_sql`` function directly. + + Args: + query (str): Query that needs to be executed. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just add ``query`` to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + if check_mode: + self.executed_queries.append(query) + return True + else: + return exec_sql(self, query, return_bool=True) + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + name=dict(required=True), + db=dict(type='str', aliases=['login_db']), + state=dict(type='str', default='present', choices=['absent', 'present']), + tables=dict(type='list', elements='str'), + parameters=dict(type='dict'), + owner=dict(type='str'), + cascade=dict(type='bool', default=False), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + # Parameters handling: + name = module.params['name'] + state = module.params['state'] + tables = module.params['tables'] + params = module.params['parameters'] + owner = module.params['owner'] + cascade = module.params['cascade'] + session_role = module.params['session_role'] + trust_input = module.params['trust_input'] + + if not trust_input: + # Check input for potentially dangerous elements: + if not params: + params_list = None + else: + params_list = ['%s = %s' % (k, v) for k, v in iteritems(params)] + + check_input(module, name, tables, owner, session_role, params_list) + + if state == 'absent': + if tables: + module.warn('parameter "tables" is ignored when "state=absent"') + if params: + module.warn('parameter "parameters" is ignored when "state=absent"') + if owner: + module.warn('parameter "owner" is ignored when "state=absent"') + + if state == 'present' and cascade: + module.warn('parameter "cascade" is ignored when "state=present"') + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + # Connect to DB and make cursor object: + conn_params = get_conn_params(module, module.params) + # We check publication state without DML queries execution, so set autocommit: + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + # Check version: + if cursor.connection.server_version < SUPPORTED_PG_VERSION: + module.fail_json(msg="PostgreSQL server version should be 10.0 or greater") + + # Nothing was changed by default: + changed = False + + ################################### + # Create object and do rock'n'roll: + publication = PgPublication(module, cursor, name) + + if tables: + tables = transform_tables_representation(tables) + + # If module.check_mode=True, nothing will be changed: + if state == 'present': + if not publication.exists: + changed = publication.create(tables, params, owner, check_mode=module.check_mode) + + else: + changed = publication.update(tables, params, owner, check_mode=module.check_mode) + + elif state == 'absent': + changed = publication.drop(cascade=cascade, check_mode=module.check_mode) + + # Get final publication info: + pub_fin_info = {} + if state == 'present' or (state == 'absent' and module.check_mode): + pub_fin_info = publication.get_info() + elif state == 'absent' and not module.check_mode: + publication.exists = False + + # Connection is not needed any more: + cursor.close() + db_connection.close() + + # Update publication info and return ret values: + module.exit_json(changed=changed, queries=publication.executed_queries, exists=publication.exists, **pub_fin_info) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_query.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_query.py new file mode 100644 index 000000000..83f1665ee --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_query.py @@ -0,0 +1,538 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2017, Felix Archambault +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_query +short_description: Run PostgreSQL queries +description: +- Runs arbitrary PostgreSQL queries. +- B(WARNING) The C(path_to_script) and C(as_single_query) options as well as + the C(query_list) and C(query_all_results) return values have been B(deprecated) and + will be removed in community.postgresql 3.0.0, please use the + M(community.postgresql.postgresql_script) module to execute statements from scripts. +- Does not run against backup files. Use M(community.postgresql.postgresql_db) with I(state=restore) + to run queries on files made by pg_dump/pg_dumpall utilities. +options: + query: + description: + - SQL query string or list of queries to run. Variables can be escaped with psycopg2 syntax + U(http://initd.org/psycopg/docs/usage.html). + type: raw + positional_args: + description: + - List of values to be passed as positional arguments to the query. + When the value is a list, it will be converted to PostgreSQL array. + - Mutually exclusive with I(named_args). + type: list + elements: raw + named_args: + description: + - Dictionary of key-value arguments to pass to the query. + When the value is a list, it will be converted to PostgreSQL array. + - Mutually exclusive with I(positional_args). + type: dict + path_to_script: + description: + - This option has been B(deprecated) and will be removed in community.postgresql 3.0.0, + please use the M(community.postgresql.postgresql_script) module to execute + statements from scripts. + - Path to a SQL script on the target machine. + - If the script contains several queries, they must be semicolon-separated. + - To run scripts containing objects with semicolons + (for example, function and procedure definitions), use I(as_single_query=true). + - To upload dumps or to execute other complex scripts, the preferable way + is to use the M(community.postgresql.postgresql_db) module with I(state=restore). + - Mutually exclusive with I(query). + type: path + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + db: + description: + - Name of database to connect to and run queries against. + type: str + aliases: + - login_db + autocommit: + description: + - Execute in autocommit mode when the query can't be run inside a transaction block + (e.g., VACUUM). + - Mutually exclusive with I(check_mode). + type: bool + default: false + encoding: + description: + - Set the client encoding for the current session (e.g. C(UTF-8)). + - The default is the encoding defined by the database. + type: str + version_added: '0.2.0' + trust_input: + description: + - If C(false), check whether a value of I(session_role) is potentially dangerous. + - It makes sense to use C(false) only when SQL injections via I(session_role) are possible. + type: bool + default: true + version_added: '0.2.0' + search_path: + description: + - List of schema names to look in. + type: list + elements: str + version_added: '1.0.0' + as_single_query: + description: + - This option has been B(deprecated) and will be removed in community.postgresql 3.0.0, + please use the M(community.postgresql.postgresql_script) module to execute + statements from scripts. + - If C(true), when reading from the I(path_to_script) file, + executes its whole content in a single query (not splitting it up + into separate queries by semicolons). It brings the following changes in + the module's behavior. + - When C(true), the C(query_all_results) return value + contains only the result of the last statement. + - Whether the state is reported as changed or not + is determined by the last statement of the file. + - Used only when I(path_to_script) is specified, otherwise ignored. + - If set to C(false), the script can contain only semicolon-separated queries. + (see the I(path_to_script) option documentation). + type: bool + default: true + version_added: '1.1.0' +seealso: +- module: community.postgresql.postgresql_script +- module: community.postgresql.postgresql_db +- name: PostgreSQL Schema reference + description: Complete reference of the PostgreSQL schema documentation. + link: https://www.postgresql.org/docs/current/ddl-schemas.html + +attributes: + check_mode: + support: full + +author: +- Felix Archambault (@archf) +- Andrew Klychkov (@Andersson007) +- Will Rouesnel (@wrouesnel) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Simple select query to acme db + community.postgresql.postgresql_query: + db: acme + query: SELECT version() + +# The result of each query will be stored in query_all_results return value +- name: Run several queries against acme db + community.postgresql.postgresql_query: + db: acme + query: + - SELECT version() + - SELECT id FROM accounts + +- name: Select query to db acme with positional arguments and non-default credentials + community.postgresql.postgresql_query: + db: acme + login_user: django + login_password: mysecretpass + query: SELECT * FROM acme WHERE id = %s AND story = %s + positional_args: + - 1 + - test + +- name: Select query to test_db with named_args + community.postgresql.postgresql_query: + db: test_db + query: SELECT * FROM test WHERE id = %(id_val)s AND story = %(story_val)s + named_args: + id_val: 1 + story_val: test + +- name: Insert query to test_table in db test_db + community.postgresql.postgresql_query: + db: test_db + query: INSERT INTO test_table (id, story) VALUES (2, 'my_long_story') + +- name: Use connect_params to add any additional connection parameters that libpg supports + community.postgresql.postgresql_query: + connect_params: + target_session_attrs: read-write + connect_timeout: 10 + login_host: "host1,host2" + login_user: "test" + login_password: "test1234" + db: 'test' + query: 'insert into test (test) values (now())' + + +# WARNING: The path_to_script and as_single_query options have been deprecated +# and will be removed in community.postgresql 3.0.0, please +# use the community.postgresql.postgresql_script module instead. +# If your script contains semicolons as parts of separate objects +# like functions, procedures, and so on, use "as_single_query: true" +- name: Run queries from SQL script using UTF-8 client encoding for session + community.postgresql.postgresql_query: + db: test_db + path_to_script: /var/lib/pgsql/test.sql + positional_args: + - 1 + encoding: UTF-8 + +- name: Example of using autocommit parameter + community.postgresql.postgresql_query: + db: test_db + query: VACUUM + autocommit: true + +- name: > + Insert data to the column of array type using positional_args. + Note that we use quotes here, the same as for passing JSON, etc. + community.postgresql.postgresql_query: + query: INSERT INTO test_table (array_column) VALUES (%s) + positional_args: + - '{1,2,3}' + +# Pass list and string vars as positional_args +- name: Set vars + ansible.builtin.set_fact: + my_list: + - 1 + - 2 + - 3 + my_arr: '{1, 2, 3}' + +- name: Select from test table by passing positional_args as arrays + community.postgresql.postgresql_query: + query: SELECT * FROM test_array_table WHERE arr_col1 = %s AND arr_col2 = %s + positional_args: + - '{{ my_list }}' + - '{{ my_arr|string }}' + +# Select from test table looking into app1 schema first, then, +# if the schema doesn't exist or the table hasn't been found there, +# try to find it in the schema public +- name: Select from test using search_path + community.postgresql.postgresql_query: + query: SELECT * FROM test_array_table + search_path: + - app1 + - public + +# If you use a variable in positional_args / named_args that can +# be undefined and you wish to set it as NULL, the constructions like +# "{{ my_var if (my_var is defined) else none | default(none) }}" +# will not work as expected substituting an empty string instead of NULL. +# If possible, we suggest to use Ansible's DEFAULT_JINJA2_NATIVE configuration +# (https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-jinja2-native). +# Enabling it fixes this problem. If you cannot enable it, the following workaround +# can be used. +# You should precheck such a value and define it as NULL when undefined. +# For example: +- name: When undefined, set to NULL + set_fact: + my_var: NULL + when: my_var is undefined + +# Then: +- name: Insert a value using positional arguments + community.postgresql.postgresql_query: + query: INSERT INTO test_table (col1) VALUES (%s) + positional_args: + - '{{ my_var }}' +''' + +RETURN = r''' +query: + description: + - Executed query. + - When reading several queries from a file, it contains only the last one. + returned: always + type: str + sample: 'SELECT * FROM bar' +statusmessage: + description: + - Attribute containing the message returned by the command. + - When reading several queries from a file, it contains a message of the last one. + returned: always + type: str + sample: 'INSERT 0 1' +query_result: + description: + - List of dictionaries in column:value form representing returned rows. + - When running queries from a file, returns result of the last query. + returned: always + type: list + elements: dict + sample: [{"Column": "Value1"},{"Column": "Value2"}] +query_list: + description: + - List of executed queries. + Useful when reading several queries from a file. + returned: always + type: list + elements: str + sample: ['SELECT * FROM foo', 'SELECT * FROM bar'] +query_all_results: + description: + - List containing results of all queries executed (one sublist for every query). + Useful when running a list of queries. + returned: always + type: list + elements: list + sample: [[{"Column": "Value1"},{"Column": "Value2"}], [{"Column": "Value1"},{"Column": "Value2"}]] +rowcount: + description: + - Number of produced or affected rows. + - When using a script with multiple queries, + it contains a total number of produced or affected rows. + returned: changed + type: int + sample: 5 +''' + +try: + from psycopg2 import ProgrammingError as Psycopg2ProgrammingError + from psycopg2.extras import DictCursor +except ImportError: + # it is needed for checking 'no result to fetch' in main(), + # psycopg2 availability will be checked by connect_to_db() into + # ansible.module_utils.postgres + pass + +import re + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + convert_elements_to_pg_arrays, + convert_to_supported, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, + set_search_path, + TYPES_NEED_TO_CONVERT, +) +from ansible.module_utils._text import to_native +from ansible.module_utils.six import iteritems + +# =========================================== +# Module execution. +# + + +def insane_query(string): + for c in string: + if c not in (' ', '\n', '', '\t'): + return False + + return True + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + query=dict(type='raw'), + db=dict(type='str', aliases=['login_db']), + positional_args=dict(type='list', elements='raw'), + named_args=dict(type='dict'), + session_role=dict(type='str'), + path_to_script=dict(type='path'), + autocommit=dict(type='bool', default=False), + encoding=dict(type='str'), + trust_input=dict(type='bool', default=True), + search_path=dict(type='list', elements='str'), + as_single_query=dict(type='bool', default=True), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + mutually_exclusive=(('positional_args', 'named_args'),), + supports_check_mode=True, + ) + + query = module.params["query"] + positional_args = module.params["positional_args"] + named_args = module.params["named_args"] + path_to_script = module.params["path_to_script"] + autocommit = module.params["autocommit"] + encoding = module.params["encoding"] + session_role = module.params["session_role"] + trust_input = module.params["trust_input"] + search_path = module.params["search_path"] + as_single_query = module.params["as_single_query"] + + if query and not isinstance(query, (str, list)): + module.fail_json(msg="query argument must be of type string or list") + + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, session_role) + + if autocommit and module.check_mode: + module.fail_json(msg="Using autocommit is mutually exclusive with check_mode") + + if path_to_script and query: + module.fail_json(msg="path_to_script is mutually exclusive with query") + + query_list = [] + if path_to_script: + depr_msg = ("The 'path_to_script' option is deprecated. Please use the " + "'community.postgresql.postgresql_script' module to execute " + "statements from scripts") + module.deprecate(msg=depr_msg, version="3.0.0", collection_name="community.postgresql") + + try: + with open(path_to_script, 'rb') as f: + query = to_native(f.read()) + + if not as_single_query: + depr_msg = ("The 'as_single_query' option is deprecated. Please use the " + "'community.postgresql.postgresql_script' module to execute " + "statements from scripts") + module.deprecate(msg=depr_msg, version="3.0.0", collection_name="community.postgresql") + + if ';' in query: + for q in query.split(';'): + if insane_query(q): + continue + else: + query_list.append(q) + else: + query_list.append(query) + else: + query_list.append(query) + + except Exception as e: + module.fail_json(msg="Cannot read file '%s' : %s" % (path_to_script, to_native(e))) + else: + if isinstance(query, str): + query_list.append(query) + else: # if it's a list + query_list = query + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=autocommit) + if encoding is not None: + db_connection.set_client_encoding(encoding) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + if search_path: + set_search_path(cursor, '%s' % ','.join([x.strip(' ') for x in search_path])) + + # Prepare args: + if positional_args: + args = positional_args + elif named_args: + args = named_args + else: + args = None + + # Convert elements of type list to strings + # representing PG arrays + if args: + args = convert_elements_to_pg_arrays(args) + + # Set defaults: + changed = False + + query_all_results = [] + rowcount = 0 + statusmessage = '' + + # Execute query: + for query in query_list: + try: + cursor.execute(query, args) + statusmessage = cursor.statusmessage + if cursor.rowcount > 0: + rowcount += cursor.rowcount + + query_result = [] + try: + for row in cursor.fetchall(): + # Ansible engine does not support decimals. + # An explicit conversion is required on the module's side + row = dict(row) + for (key, val) in iteritems(row): + if isinstance(val, TYPES_NEED_TO_CONVERT): + row[key] = convert_to_supported(val) + + query_result.append(row) + + except Psycopg2ProgrammingError as e: + if to_native(e) == 'no results to fetch': + query_result = {} + + except Exception as e: + module.fail_json(msg="Cannot fetch rows from cursor: %s" % to_native(e)) + + query_all_results.append(query_result) + + if 'SELECT' not in statusmessage: + if re.search(re.compile(r'(UPDATE|INSERT|DELETE)'), statusmessage): + s = statusmessage.split() + if len(s) == 3: + if s[2] != '0': + changed = True + + elif len(s) == 2: + if s[1] != '0': + changed = True + + else: + changed = True + + else: + changed = True + + except Exception as e: + if not autocommit: + db_connection.rollback() + + cursor.close() + db_connection.close() + module.fail_json(msg="Cannot execute SQL '%s' %s: %s, query list: %s" % (query, args, to_native(e), query_list)) + + if module.check_mode: + db_connection.rollback() + else: + if not autocommit: + db_connection.commit() + + kw = dict( + changed=changed, + query=cursor.query, + query_list=query_list, + statusmessage=statusmessage, + query_result=query_result, + query_all_results=query_all_results, + rowcount=rowcount, + ) + + cursor.close() + db_connection.close() + + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_schema.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_schema.py new file mode 100644 index 000000000..f107e1aa0 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_schema.py @@ -0,0 +1,288 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2016, Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_schema +short_description: Add or remove PostgreSQL schema +description: +- Add or remove PostgreSQL schema. +options: + name: + description: + - Name of the schema to add or remove. + required: true + type: str + aliases: + - schema + database: + description: + - Name of the database to connect to and add or remove the schema. + type: str + default: postgres + aliases: + - db + - login_db + owner: + description: + - Name of the role to set as owner of the schema. + type: str + default: '' + session_role: + description: + - Switch to session_role after connecting. + - The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though the session_role + were the one that had logged in originally. + type: str + state: + description: + - The schema state. + type: str + default: present + choices: [ absent, present ] + cascade_drop: + description: + - Drop schema with CASCADE to remove child objects. + type: bool + default: false + trust_input: + description: + - If C(false), check whether values of parameters I(schema), I(owner), I(session_role) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' +seealso: +- name: PostgreSQL schemas + description: General information about PostgreSQL schemas. + link: https://www.postgresql.org/docs/current/ddl-schemas.html +- name: CREATE SCHEMA reference + description: Complete reference of the CREATE SCHEMA command documentation. + link: https://www.postgresql.org/docs/current/sql-createschema.html +- name: ALTER SCHEMA reference + description: Complete reference of the ALTER SCHEMA command documentation. + link: https://www.postgresql.org/docs/current/sql-alterschema.html +- name: DROP SCHEMA reference + description: Complete reference of the DROP SCHEMA command documentation. + link: https://www.postgresql.org/docs/current/sql-dropschema.html + +attributes: + check_mode: + support: full + +author: +- Flavien Chantelot (@Dorn-) <contact@flavien.io> +- Thomas O'Donnell (@andytom) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Create a new schema with name acme in test database + community.postgresql.postgresql_schema: + db: test + name: acme + +- name: Create a new schema acme with a user bob who will own it + community.postgresql.postgresql_schema: + name: acme + owner: bob + +- name: Drop schema "acme" with cascade + community.postgresql.postgresql_schema: + name: acme + state: absent + cascade_drop: true +''' + +RETURN = r''' +schema: + description: Name of the schema. + returned: success, changed + type: str + sample: "acme" +queries: + description: List of executed queries. + returned: always + type: list + sample: ["CREATE SCHEMA \"acme\""] +''' + +import traceback + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, + pg_quote_identifier, + SQLParseError, +) +from ansible.module_utils._text import to_native + +executed_queries = [] + + +class NotSupportedError(Exception): + pass + + +# =========================================== +# PostgreSQL module specific support methods. +# + +def set_owner(cursor, schema, owner): + query = 'ALTER SCHEMA %s OWNER TO "%s"' % ( + pg_quote_identifier(schema, 'schema'), owner) + cursor.execute(query) + executed_queries.append(query) + return True + + +def get_schema_info(cursor, schema): + query = ("SELECT schema_owner AS owner " + "FROM information_schema.schemata " + "WHERE schema_name = %(schema)s") + cursor.execute(query, {'schema': schema}) + return cursor.fetchone() + + +def schema_exists(cursor, schema): + query = ("SELECT schema_name FROM information_schema.schemata " + "WHERE schema_name = %(schema)s") + cursor.execute(query, {'schema': schema}) + return cursor.rowcount == 1 + + +def schema_delete(cursor, schema, cascade): + if schema_exists(cursor, schema): + query = "DROP SCHEMA %s" % pg_quote_identifier(schema, 'schema') + if cascade: + query += " CASCADE" + cursor.execute(query) + executed_queries.append(query) + return True + else: + return False + + +def schema_create(cursor, schema, owner): + if not schema_exists(cursor, schema): + query_fragments = ['CREATE SCHEMA %s' % pg_quote_identifier(schema, 'schema')] + if owner: + query_fragments.append('AUTHORIZATION "%s"' % owner) + query = ' '.join(query_fragments) + cursor.execute(query) + executed_queries.append(query) + return True + else: + schema_info = get_schema_info(cursor, schema) + if owner and owner != schema_info['owner']: + return set_owner(cursor, schema, owner) + else: + return False + + +def schema_matches(cursor, schema, owner): + if not schema_exists(cursor, schema): + return False + else: + schema_info = get_schema_info(cursor, schema) + if owner and owner != schema_info['owner']: + return False + else: + return True + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + schema=dict(type="str", required=True, aliases=['name']), + owner=dict(type="str", default=""), + database=dict(type="str", default="postgres", aliases=["db", "login_db"]), + cascade_drop=dict(type="bool", default=False), + state=dict(type="str", default="present", choices=["absent", "present"]), + session_role=dict(type="str"), + trust_input=dict(type="bool", default=True), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + schema = module.params["schema"] + owner = module.params["owner"] + state = module.params["state"] + cascade_drop = module.params["cascade_drop"] + session_role = module.params["session_role"] + trust_input = module.params["trust_input"] + + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, schema, owner, session_role) + + changed = False + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + try: + if module.check_mode: + if state == "absent": + changed = not schema_exists(cursor, schema) + elif state == "present": + changed = not schema_matches(cursor, schema, owner) + module.exit_json(changed=changed, schema=schema) + + if state == "absent": + try: + changed = schema_delete(cursor, schema, cascade_drop) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + + elif state == "present": + try: + changed = schema_create(cursor, schema, owner) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + except NotSupportedError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + except SystemExit: + # Avoid catching this on Python 2.4 + raise + except Exception as e: + module.fail_json(msg="Database query failed: %s" % to_native(e), exception=traceback.format_exc()) + + db_connection.close() + module.exit_json(changed=changed, schema=schema, queries=executed_queries) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_script.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_script.py new file mode 100644 index 000000000..acd97f4d2 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_script.py @@ -0,0 +1,353 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2022, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_script + +short_description: Run PostgreSQL statements from a file + +description: +- Runs arbitrary PostgreSQL statements from a file. +- The module always reports that the state has changed. +- Does not run against backup files. + Use M(community.postgresql.postgresql_db) with I(state=restore) + to run queries on files made by pg_dump/pg_dumpall utilities. + +version_added: '2.1.0' + +options: + positional_args: + description: + - List of values to substitute variable placeholders within the file content. + - When the value is a list, it will be converted to PostgreSQL array. + - Mutually exclusive with I(named_args). + type: list + elements: raw + named_args: + description: + - Dictionary of key-value arguments to substitute + variable placeholders within the file content. + - When the value is a list, it will be converted to PostgreSQL array. + - Mutually exclusive with I(positional_args). + type: dict + path: + description: + - Path to a SQL script on the target machine. + - To upload dumps, the preferable way + is to use the M(community.postgresql.postgresql_db) module with I(state=restore). + type: path + session_role: + description: + - Switch to C(session_role) after connecting. The specified role must + be a role that the current C(login_user) is a member of. + - Permissions checking for SQL commands is carried out as though + the C(session_role) were the one that had logged in originally. + type: str + db: + description: + - Name of database to connect to and run queries against. + type: str + aliases: + - login_db + encoding: + description: + - Set the client encoding for the current session (e.g. C(UTF-8)). + - The default is the encoding defined by the database. + type: str + trust_input: + description: + - If C(false), check whether a value of I(session_role) is potentially dangerous. + - It makes sense to use C(false) only when SQL injections + via I(session_role) are possible. + type: bool + default: true + search_path: + description: + - Overrides the list of schemas to search for db objects in. + type: list + elements: str + +seealso: +- module: community.postgresql.postgresql_db +- module: community.postgresql.postgresql_query +- name: PostgreSQL Schema reference + description: Complete reference of the PostgreSQL schema documentation. + link: https://www.postgresql.org/docs/current/ddl-schemas.html + +attributes: + check_mode: + support: none + +author: +- Douglas J Hunley (@hunleyd) +- A. Hart (@jtelcontar) +- Daniel Scharon (@DanScharon) +- Andrew Klychkov (@Andersson007) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +# Assuming that the file contains +# SELECT * FROM id_talbe WHERE id = %s, +# '%s' will be substituted with 1 +- name: Run query from SQL script using UTF-8 client encoding for session and positional args + community.postgresql.postgresql_script: + db: test_db + path: /var/lib/pgsql/test.sql + positional_args: + - 1 + encoding: UTF-8 + +# Assuming that the file contains +# SELECT * FROM test WHERE id = %(id_val)s AND story = %(story_val)s, +# %-values will be substituted with 1 and 'test' +- name: Select query to test_db with named_args + community.postgresql.postgresql_script: + db: test_db + path: /var/lib/pgsql/test.sql + named_args: + id_val: 1 + story_val: test + +- block: + # Assuming that the the file contains + # SELECT * FROM test_array_table WHERE arr_col1 = %s AND arr_col2 = %s + # Pass list and string vars as positional_args + - name: Set vars + ansible.builtin.set_fact: + my_list: + - 1 + - 2 + - 3 + my_arr: '{1, 2, 3}' + - name: Passing positional_args as arrays + community.postgresql.postgresql_script: + path: /var/lib/pgsql/test.sql + positional_args: + - '{{ my_list }}' + - '{{ my_arr|string }}' + +# Assuming that the the file contains +# SELECT * FROM test_table, +# look into app1 schema first, then, +# if the schema doesn't exist or the table hasn't been found there, +# try to find it in the schema public +- name: Select from test using search_path + community.postgresql.postgresql_script: + path: /var/lib/pgsql/test.sql + search_path: + - app1 + - public + +- block: + # If you use a variable in positional_args/named_args that can + # be undefined and you wish to set it as NULL, constructions like + # "{{ my_var if (my_var is defined) else none | default(none) }}" + # will not work as expected substituting an empty string instead of NULL. + # If possible, we suggest using Ansible's DEFAULT_JINJA2_NATIVE configuration + # (https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-jinja2-native). + # Enabling it fixes this problem. If you cannot enable it, the following workaround + # can be used. + # You should precheck such a value and define it as NULL when undefined. + # For example: + - name: When undefined, set to NULL + set_fact: + my_var: NULL + when: my_var is undefined + + # Then, assuming that the file contains + # INSERT INTO test_table (col1) VALUES (%s) + - name: Insert a value using positional arguments + community.postgresql.postgresql_script: + path: /var/lib/pgsql/test.sql + positional_args: + - '{{ my_var }}' +''' + +RETURN = r''' +query: + description: + - Executed query. + - When the C(positional_args) or C(named_args) options are used, + the query contains all variables that were substituted + inside the database connector. + returned: always + type: str + sample: 'SELECT * FROM bar' +statusmessage: + description: + - Attribute containing the message returned by the database connector + after executing the script content. + - When there are several statements in the script, returns a message + related to the last statement. + returned: always + type: str + sample: 'INSERT 0 1' +query_result: + description: + - List of dictionaries in the column:value form representing returned rows. + - When there are several statements in the script, + returns result of the last statement. + returned: always + type: list + elements: dict + sample: [{"Column": "Value1"},{"Column": "Value2"}] +rowcount: + description: + - Number of produced or affected rows. + - When there are several statements in the script, + returns a number of rows affected by the last statement. + returned: changed + type: int + sample: 5 +''' + +try: + from psycopg2 import ProgrammingError as Psycopg2ProgrammingError + from psycopg2.extras import DictCursor +except ImportError: + # it is needed for checking 'no result to fetch' in main(), + # psycopg2 availability will be checked by connect_to_db() into + # ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + convert_elements_to_pg_arrays, + convert_to_supported, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, + set_search_path, + TYPES_NEED_TO_CONVERT, +) +from ansible.module_utils._text import to_native +from ansible.module_utils.six import iteritems + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + path=dict(type='path'), + db=dict(type='str', aliases=['login_db']), + positional_args=dict(type='list', elements='raw'), + named_args=dict(type='dict'), + session_role=dict(type='str'), + encoding=dict(type='str'), + trust_input=dict(type='bool', default=True), + search_path=dict(type='list', elements='str'), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + mutually_exclusive=(('positional_args', 'named_args'),), + supports_check_mode=False, + ) + + path = module.params["path"] + positional_args = module.params["positional_args"] + named_args = module.params["named_args"] + encoding = module.params["encoding"] + session_role = module.params["session_role"] + trust_input = module.params["trust_input"] + search_path = module.params["search_path"] + + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, session_role) + + try: + with open(path, 'rb') as f: + script_content = to_native(f.read()) + + except Exception as e: + module.fail_json(msg="Cannot read file '%s' : %s" % (path, to_native(e))) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + if encoding is not None: + db_connection.set_client_encoding(encoding) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + if search_path: + set_search_path(cursor, '%s' % ','.join([x.strip(' ') for x in search_path])) + + # Prepare args: + if positional_args: + args = positional_args + elif named_args: + args = named_args + else: + args = None + + # Convert elements of type list to strings + # representing PG arrays + if args: + args = convert_elements_to_pg_arrays(args) + + # Execute script content: + try: + cursor.execute(script_content, args) + except Exception as e: + cursor.close() + db_connection.close() + module.fail_json(msg="Cannot execute SQL '%s' %s: %s" % (script_content, args, to_native(e))) + + statusmessage = cursor.statusmessage + + rowcount = cursor.rowcount + + query_result = [] + try: + for row in cursor.fetchall(): + # Ansible engine does not support decimals. + # An explicit conversion is required on the module's side + row = dict(row) + for (key, val) in iteritems(row): + if isinstance(val, TYPES_NEED_TO_CONVERT): + row[key] = convert_to_supported(val) + + query_result.append(row) + + except Psycopg2ProgrammingError as e: + if to_native(e) == "no results to fetch": + query_result = {} + + except Exception as e: + module.fail_json(msg="Cannot fetch rows from cursor: %s" % to_native(e)) + + kw = dict( + changed=True, + query=cursor.query, + statusmessage=statusmessage, + query_result=query_result, + rowcount=rowcount, + ) + + cursor.close() + db_connection.close() + + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_sequence.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_sequence.py new file mode 100644 index 000000000..c874cb970 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_sequence.py @@ -0,0 +1,637 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Tobias Birkefeld (@tcraxs) <t@craxs.de> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_sequence +short_description: Create, drop, or alter a PostgreSQL sequence +description: +- Allows to create, drop or change the definition of a sequence generator. +options: + sequence: + description: + - The name of the sequence. + required: true + type: str + aliases: + - name + state: + description: + - The sequence state. + - If I(state=absent) other options will be ignored except of I(name) and + I(schema). + default: present + choices: [ absent, present ] + type: str + data_type: + description: + - Specifies the data type of the sequence. Valid types are bigint, integer, + and smallint. bigint is the default. The data type determines the default + minimum and maximum values of the sequence. For more info see the + documentation + U(https://www.postgresql.org/docs/current/sql-createsequence.html). + - Supported from PostgreSQL 10. + choices: [ bigint, integer, smallint ] + type: str + increment: + description: + - Increment specifies which value is added to the current sequence value + to create a new value. + - A positive value will make an ascending sequence, a negative one a + descending sequence. The default value is 1. + type: int + minvalue: + description: + - Minvalue determines the minimum value a sequence can generate. The + default for an ascending sequence is 1. The default for a descending + sequence is the minimum value of the data type. + type: int + aliases: + - min + maxvalue: + description: + - Maxvalue determines the maximum value for the sequence. The default for + an ascending sequence is the maximum + value of the data type. The default for a descending sequence is -1. + type: int + aliases: + - max + start: + description: + - Start allows the sequence to begin anywhere. The default starting value + is I(minvalue) for ascending sequences and I(maxvalue) for descending + ones. + type: int + cache: + description: + - Cache specifies how many sequence numbers are to be preallocated and + stored in memory for faster access. The minimum value is 1 (only one + value can be generated at a time, i.e., no cache), and this is also + the default. + type: int + cycle: + description: + - The cycle option allows the sequence to wrap around when the I(maxvalue) + or I(minvalue) has been reached by an ascending or descending sequence + respectively. If the limit is reached, the next number generated will be + the minvalue or maxvalue, respectively. + - If C(false) (NO CYCLE) is specified, any calls to nextval after the sequence + has reached its maximum value will return an error. False (NO CYCLE) is + the default. + type: bool + default: false + cascade: + description: + - Automatically drop objects that depend on the sequence, and in turn all + objects that depend on those objects. + - Ignored if I(state=present). + - Only used with I(state=absent). + type: bool + default: false + rename_to: + description: + - The new name for the I(sequence). + - Works only for existing sequences. + type: str + owner: + description: + - Set the owner for the I(sequence). + type: str + schema: + description: + - The schema of the I(sequence). This is be used to create and relocate + a I(sequence) in the given schema. + default: public + type: str + newschema: + description: + - The new schema for the I(sequence). Will be used for moving a + I(sequence) to another I(schema). + - Works only for existing sequences. + type: str + session_role: + description: + - Switch to session_role after connecting. The specified I(session_role) + must be a role that the current I(login_user) is a member of. + - Permissions checking for SQL commands is carried out as though + the I(session_role) were the one that had logged in originally. + type: str + db: + description: + - Name of database to connect to and run queries against. + type: str + default: '' + aliases: + - database + - login_db + trust_input: + description: + - If C(false), check whether values of parameters I(sequence), I(schema), I(rename_to), + I(owner), I(newschema), I(session_role) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' + +notes: +- If you do not pass db parameter, sequence will be created in the database + named postgres. + +attributes: + check_mode: + support: full + +seealso: +- module: community.postgresql.postgresql_table +- module: community.postgresql.postgresql_owner +- module: community.postgresql.postgresql_privs +- module: community.postgresql.postgresql_tablespace +- name: CREATE SEQUENCE reference + description: Complete reference of the CREATE SEQUENCE command documentation. + link: https://www.postgresql.org/docs/current/sql-createsequence.html +- name: ALTER SEQUENCE reference + description: Complete reference of the ALTER SEQUENCE command documentation. + link: https://www.postgresql.org/docs/current/sql-altersequence.html +- name: DROP SEQUENCE reference + description: Complete reference of the DROP SEQUENCE command documentation. + link: https://www.postgresql.org/docs/current/sql-dropsequence.html +author: +- Tobias Birkefeld (@tcraxs) +- Thomas O'Donnell (@andytom) +extends_documentation_fragment: +- community.postgresql.postgres + +''' + +EXAMPLES = r''' +- name: Create an ascending bigint sequence called foobar in the default + database + community.postgresql.postgresql_sequence: + name: foobar + +- name: Create an ascending integer sequence called foobar, starting at 101 + community.postgresql.postgresql_sequence: + name: foobar + data_type: integer + start: 101 + +- name: Create an descending sequence called foobar, starting at 101 and + preallocated 10 sequence numbers in cache + community.postgresql.postgresql_sequence: + name: foobar + increment: -1 + cache: 10 + start: 101 + +- name: Create an ascending sequence called foobar, which cycle between 1 to 10 + community.postgresql.postgresql_sequence: + name: foobar + cycle: true + min: 1 + max: 10 + +- name: Create an ascending bigint sequence called foobar in the default + database with owner foobar + community.postgresql.postgresql_sequence: + name: foobar + owner: foobar + +- name: Rename an existing sequence named foo to bar + community.postgresql.postgresql_sequence: + name: foo + rename_to: bar + +- name: Change the schema of an existing sequence to foobar + community.postgresql.postgresql_sequence: + name: foobar + newschema: foobar + +- name: Change the owner of an existing sequence to foobar + community.postgresql.postgresql_sequence: + name: foobar + owner: foobar + +- name: Drop a sequence called foobar + community.postgresql.postgresql_sequence: + name: foobar + state: absent + +- name: Drop a sequence called foobar with cascade + community.postgresql.postgresql_sequence: + name: foobar + cascade: true + state: absent +''' + +RETURN = r''' +state: + description: Sequence state at the end of execution. + returned: always + type: str + sample: 'present' +sequence: + description: Sequence name. + returned: always + type: str + sample: 'foobar' +queries: + description: List of queries that was tried to be executed. + returned: always + type: str + sample: [ "CREATE SEQUENCE \"foo\"" ] +schema: + description: Name of the schema of the sequence. + returned: always + type: str + sample: 'foo' +data_type: + description: Shows the current data type of the sequence. + returned: always + type: str + sample: 'bigint' +increment: + description: The value of increment of the sequence. A positive value will + make an ascending sequence, a negative one a descending + sequence. + returned: always + type: int + sample: -1 +minvalue: + description: The value of minvalue of the sequence. + returned: always + type: int + sample: 1 +maxvalue: + description: The value of maxvalue of the sequence. + returned: always + type: int + sample: 9223372036854775807 +start: + description: The value of start of the sequence. + returned: always + type: int + sample: 12 +cycle: + description: Shows if the sequence cycle or not. + returned: always + type: bool + sample: false +owner: + description: Shows the current owner of the sequence + after the successful run of the task. + returned: always + type: str + sample: 'postgres' +newname: + description: Shows the new sequence name after rename. + returned: on success + type: str + sample: 'barfoo' +newschema: + description: Shows the new schema of the sequence after schema change. + returned: on success + type: str + sample: 'foobar' +''' + + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + + +class Sequence(object): + """Implements behavior of CREATE, ALTER or DROP SEQUENCE PostgreSQL command. + + Arguments: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + + Attributes: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + changed (bool) -- something was changed after execution or not + executed_queries (list) -- executed queries + name (str) -- name of the sequence + owner (str) -- name of the owner of the sequence + schema (str) -- name of the schema (default: public) + data_type (str) -- data type of the sequence + start_value (int) -- value of the sequence start + minvalue (int) -- minimum value of the sequence + maxvalue (int) -- maximum value of the sequence + increment (int) -- increment value of the sequence + cycle (bool) -- sequence can cycle or not + new_name (str) -- name of the renamed sequence + new_schema (str) -- name of the new schema + exists (bool) -- sequence exists or not + """ + + def __init__(self, module, cursor): + self.module = module + self.cursor = cursor + self.executed_queries = [] + self.name = self.module.params['sequence'] + self.owner = '' + self.schema = self.module.params['schema'] + self.data_type = '' + self.start_value = '' + self.minvalue = '' + self.maxvalue = '' + self.increment = '' + self.cycle = '' + self.new_name = '' + self.new_schema = '' + self.exists = False + # Collect info + self.get_info() + + def get_info(self): + """Getter to refresh and get sequence info""" + query = ("SELECT " + "s.sequence_schema AS schemaname, " + "s.sequence_name AS sequencename, " + "pg_get_userbyid(c.relowner) AS sequenceowner, " + "s.data_type::regtype AS data_type, " + "s.start_value AS start_value, " + "s.minimum_value AS min_value, " + "s.maximum_value AS max_value, " + "s.increment AS increment_by, " + "s.cycle_option AS cycle " + "FROM information_schema.sequences s " + "JOIN pg_class c ON c.relname = s.sequence_name " + "LEFT JOIN pg_namespace n ON n.oid = c.relnamespace " + "WHERE NOT pg_is_other_temp_schema(n.oid) " + "AND c.relkind = 'S'::\"char\" " + "AND sequence_name = %(name)s " + "AND sequence_schema = %(schema)s") + + res = exec_sql(self, query, + query_params={'name': self.name, 'schema': self.schema}, + add_to_executed=False) + + if not res: + self.exists = False + return False + + if res: + self.exists = True + self.schema = res[0]['schemaname'] + self.name = res[0]['sequencename'] + self.owner = res[0]['sequenceowner'] + self.data_type = res[0]['data_type'] + self.start_value = res[0]['start_value'] + self.minvalue = res[0]['min_value'] + self.maxvalue = res[0]['max_value'] + self.increment = res[0]['increment_by'] + self.cycle = res[0]['cycle'] + + def create(self): + """Implements CREATE SEQUENCE command behavior.""" + query = ['CREATE SEQUENCE'] + query.append(self.__add_schema()) + + if self.module.params.get('data_type'): + query.append('AS %s' % self.module.params['data_type']) + + if self.module.params.get('increment'): + query.append('INCREMENT BY %s' % self.module.params['increment']) + + if self.module.params.get('minvalue'): + query.append('MINVALUE %s' % self.module.params['minvalue']) + + if self.module.params.get('maxvalue'): + query.append('MAXVALUE %s' % self.module.params['maxvalue']) + + if self.module.params.get('start'): + query.append('START WITH %s' % self.module.params['start']) + + if self.module.params.get('cache'): + query.append('CACHE %s' % self.module.params['cache']) + + if self.module.params.get('cycle'): + query.append('CYCLE') + + return exec_sql(self, ' '.join(query), return_bool=True) + + def drop(self): + """Implements DROP SEQUENCE command behavior.""" + query = ['DROP SEQUENCE'] + query.append(self.__add_schema()) + + if self.module.params.get('cascade'): + query.append('CASCADE') + + return exec_sql(self, ' '.join(query), return_bool=True) + + def rename(self): + """Implements ALTER SEQUENCE RENAME TO command behavior.""" + query = ['ALTER SEQUENCE'] + query.append(self.__add_schema()) + query.append('RENAME TO "%s"' % self.module.params['rename_to']) + + return exec_sql(self, ' '.join(query), return_bool=True) + + def set_owner(self): + """Implements ALTER SEQUENCE OWNER TO command behavior.""" + query = ['ALTER SEQUENCE'] + query.append(self.__add_schema()) + query.append('OWNER TO "%s"' % self.module.params['owner']) + + return exec_sql(self, ' '.join(query), return_bool=True) + + def set_schema(self): + """Implements ALTER SEQUENCE SET SCHEMA command behavior.""" + query = ['ALTER SEQUENCE'] + query.append(self.__add_schema()) + query.append('SET SCHEMA "%s"' % self.module.params['newschema']) + + return exec_sql(self, ' '.join(query), return_bool=True) + + def __add_schema(self): + return '"%s"."%s"' % (self.schema, self.name) + + +# =========================================== +# Module execution. +# + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + sequence=dict(type='str', required=True, aliases=['name']), + state=dict(type='str', default='present', choices=['absent', 'present']), + data_type=dict(type='str', choices=['bigint', 'integer', 'smallint']), + increment=dict(type='int'), + minvalue=dict(type='int', aliases=['min']), + maxvalue=dict(type='int', aliases=['max']), + start=dict(type='int'), + cache=dict(type='int'), + cycle=dict(type='bool', default=False), + schema=dict(type='str', default='public'), + cascade=dict(type='bool', default=False), + rename_to=dict(type='str'), + owner=dict(type='str'), + newschema=dict(type='str'), + db=dict(type='str', default='', aliases=['login_db', 'database']), + session_role=dict(type='str'), + trust_input=dict(type="bool", default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + mutually_exclusive=[ + ['rename_to', 'data_type'], + ['rename_to', 'increment'], + ['rename_to', 'minvalue'], + ['rename_to', 'maxvalue'], + ['rename_to', 'start'], + ['rename_to', 'cache'], + ['rename_to', 'cycle'], + ['rename_to', 'cascade'], + ['rename_to', 'owner'], + ['rename_to', 'newschema'], + ['cascade', 'data_type'], + ['cascade', 'increment'], + ['cascade', 'minvalue'], + ['cascade', 'maxvalue'], + ['cascade', 'start'], + ['cascade', 'cache'], + ['cascade', 'cycle'], + ['cascade', 'owner'], + ['cascade', 'newschema'], + ] + ) + + if not module.params["trust_input"]: + check_input( + module, + module.params['sequence'], + module.params['schema'], + module.params['rename_to'], + module.params['owner'], + module.params['newschema'], + module.params['session_role'], + ) + + # Note: we don't need to check mutually exclusive params here, because they are + # checked automatically by AnsibleModule (mutually_exclusive=[] list above). + + # Change autocommit to False if check_mode: + autocommit = not module.check_mode + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + # Connect to DB and make cursor object: + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=autocommit) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + ############## + # Create the object and do main job: + data = Sequence(module, cursor) + + # Set defaults: + changed = False + + # Create new sequence + if not data.exists and module.params['state'] == 'present': + if module.params.get('rename_to'): + module.fail_json(msg="Sequence '%s' does not exist, nothing to rename" % module.params['sequence']) + if module.params.get('newschema'): + module.fail_json(msg="Sequence '%s' does not exist, change of schema not possible" % module.params['sequence']) + + changed = data.create() + + # Drop non-existing sequence + elif not data.exists and module.params['state'] == 'absent': + # Nothing to do + changed = False + + # Drop existing sequence + elif data.exists and module.params['state'] == 'absent': + changed = data.drop() + + # Rename sequence + if data.exists and module.params.get('rename_to'): + if data.name != module.params['rename_to']: + changed = data.rename() + if changed: + data.new_name = module.params['rename_to'] + + # Refresh information + if module.params['state'] == 'present': + data.get_info() + + # Change owner, schema and settings + if module.params['state'] == 'present' and data.exists: + # change owner + if module.params.get('owner'): + if data.owner != module.params['owner']: + changed = data.set_owner() + + # Set schema + if module.params.get('newschema'): + if data.schema != module.params['newschema']: + changed = data.set_schema() + if changed: + data.new_schema = module.params['newschema'] + + # Rollback if it's possible and check_mode: + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + cursor.close() + db_connection.close() + + # Make return values: + kw = dict( + changed=changed, + state='present', + sequence=data.name, + queries=data.executed_queries, + schema=data.schema, + data_type=data.data_type, + increment=data.increment, + minvalue=data.minvalue, + maxvalue=data.maxvalue, + start=data.start_value, + cycle=data.cycle, + owner=data.owner, + ) + + if module.params['state'] == 'present': + if data.new_name: + kw['newname'] = data.new_name + if data.new_schema: + kw['newschema'] = data.new_schema + + elif module.params['state'] == 'absent': + kw['state'] = 'absent' + + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_set.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_set.py new file mode 100644 index 000000000..966aeb004 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_set.py @@ -0,0 +1,514 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_set +short_description: Change a PostgreSQL server configuration parameter +description: + - Allows to change a PostgreSQL server configuration parameter. + - The module uses ALTER SYSTEM command and applies changes by reload server configuration. + - ALTER SYSTEM is used for changing server configuration parameters across the entire database cluster. + - It can be more convenient and safe than the traditional method of manually editing the postgresql.conf file. + - ALTER SYSTEM writes the given parameter setting to the $PGDATA/postgresql.auto.conf file, + which is read in addition to postgresql.conf. + - The module allows to reset parameter to boot_val (cluster initial value) by I(reset=true) or remove parameter + string from postgresql.auto.conf and reload I(value=default) (for settings with postmaster context restart is required). + - After change you can see in the ansible output the previous and + the new parameter value and other information using returned values and M(ansible.builtin.debug) module. +options: + name: + description: + - Name of PostgreSQL server parameter. Pay attention that parameters are case sensitive (see examples below). + type: str + required: true + value: + description: + - Parameter value to set. + - To remove parameter string from postgresql.auto.conf and + reload the server configuration you must pass I(value=default). + With I(value=default) the playbook always returns changed is true. + type: str + reset: + description: + - Restore parameter to initial state (boot_val). Mutually exclusive with I(value). + type: bool + default: false + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + db: + description: + - Name of database to connect. + type: str + aliases: + - login_db + trust_input: + description: + - If C(false), check whether values of parameters are potentially dangerous. + - It makes sense to use C(false) only when SQL injections are possible. + type: bool + default: true + version_added: '0.2.0' +notes: +- Supported version of PostgreSQL is 9.4 and later. +- Pay attention, change setting with 'postmaster' context can return changed is true + when actually nothing changes because the same value may be presented in + several different form, for example, 1024MB, 1GB, etc. However in pg_settings + system view it can be defined like 131072 number of 8kB pages. + The final check of the parameter value cannot compare it because the server was + not restarted and the value in pg_settings is not updated yet. +- For some parameters restart of PostgreSQL server is required. + See official documentation U(https://www.postgresql.org/docs/current/view-pg-settings.html). + +attributes: + check_mode: + support: full + +seealso: +- module: community.postgresql.postgresql_info +- name: PostgreSQL server configuration + description: General information about PostgreSQL server configuration. + link: https://www.postgresql.org/docs/current/runtime-config.html +- name: PostgreSQL view pg_settings reference + description: Complete reference of the pg_settings view documentation. + link: https://www.postgresql.org/docs/current/view-pg-settings.html +- name: PostgreSQL ALTER SYSTEM command reference + description: Complete reference of the ALTER SYSTEM command documentation. + link: https://www.postgresql.org/docs/current/sql-altersystem.html +author: +- Andrew Klychkov (@Andersson007) +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Restore wal_keep_segments parameter to initial state + community.postgresql.postgresql_set: + name: wal_keep_segments + reset: true + +# Set work_mem parameter to 32MB and show what's been changed and restart is required or not +# (output example: "msg": "work_mem 4MB >> 64MB restart_req: False") +- name: Set work mem parameter + community.postgresql.postgresql_set: + name: work_mem + value: 32mb + register: set + +- name: Print the result if the setting changed + ansible.builtin.debug: + msg: "{{ set.name }} {{ set.prev_val_pretty }} >> {{ set.value_pretty }} restart_req: {{ set.restart_required }}" + when: set.changed +# Ensure that the restart of PostgreSQL server must be required for some parameters. +# In this situation you see the same parameter in prev_val_pretty and value_pretty, but 'changed=True' +# (If you passed the value that was different from the current server setting). + +- name: Set log_min_duration_statement parameter to 1 second + community.postgresql.postgresql_set: + name: log_min_duration_statement + value: 1s + +- name: Set wal_log_hints parameter to default value (remove parameter from postgresql.auto.conf) + community.postgresql.postgresql_set: + name: wal_log_hints + value: default + +- name: Set TimeZone parameter (careful, case sensitive) + community.postgresql.postgresql_set: + name: TimeZone + value: 'Europe/Paris' + +''' + +RETURN = r''' +name: + description: Name of PostgreSQL server parameter. + returned: always + type: str + sample: 'shared_buffers' +restart_required: + description: Information about parameter current state. + returned: always + type: bool + sample: true +prev_val_pretty: + description: Information about previous state of the parameter. + returned: always + type: str + sample: '4MB' +value_pretty: + description: Information about current state of the parameter. + returned: always + type: str + sample: '64MB' +value: + description: + - Dictionary that contains the current parameter value (at the time of playbook finish). + - Pay attention that for real change some parameters restart of PostgreSQL server is required. + - Returns the current value in the check mode. + returned: always + type: dict + sample: { "value": 67108864, "unit": "b" } +context: + description: + - PostgreSQL setting context. + returned: always + type: str + sample: user +''' + +try: + from psycopg2.extras import DictCursor +except Exception: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from copy import deepcopy + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible.module_utils._text import to_native + +PG_REQ_VER = 90400 + +# To allow to set value like 1mb instead of 1MB, etc: +LOWERCASE_SIZE_UNITS = ("mb", "gb", "tb") + +# =========================================== +# PostgreSQL module specific support methods. +# + + +def param_get(cursor, module, name): + query = ("SELECT name, setting, unit, context, boot_val " + "FROM pg_settings WHERE name = %(name)s") + try: + cursor.execute(query, {'name': name}) + info = cursor.fetchone() + cursor.execute("SHOW %s" % name) + val = cursor.fetchone() + + except Exception as e: + module.fail_json(msg="Unable to get %s value due to : %s" % (name, to_native(e))) + + if not info: + module.fail_json(msg="No such parameter: %s. " + "Please check its spelling or presence in your PostgreSQL version " + "(https://www.postgresql.org/docs/current/runtime-config.html)" % name) + + raw_val = info['setting'] + unit = info['unit'] + context = info['context'] + boot_val = info['boot_val'] + + if val[name] == 'True': + val[name] = 'on' + elif val[name] == 'False': + val[name] = 'off' + + if unit == 'kB': + if int(raw_val) > 0: + raw_val = int(raw_val) * 1024 + if int(boot_val) > 0: + boot_val = int(boot_val) * 1024 + + unit = 'b' + + elif unit == 'MB': + if int(raw_val) > 0: + raw_val = int(raw_val) * 1024 * 1024 + if int(boot_val) > 0: + boot_val = int(boot_val) * 1024 * 1024 + + unit = 'b' + + return { + 'current_val': val[name], + 'raw_val': raw_val, + 'unit': unit, + 'boot_val': boot_val, + 'context': context, + } + + +def pretty_to_bytes(pretty_val): + # The function returns a value in bytes + # if the value contains 'B', 'kB', 'MB', 'GB', 'TB'. + # Otherwise it returns the passed argument. + + # It's sometimes possible to have an empty values + if not pretty_val: + return pretty_val + + # If the first char is not a digit, it does not make sense + # to parse further, so just return a passed value + if not pretty_val[0].isdigit(): + return pretty_val + + # If the last char is not an alphabetical symbol, it means that + # it does not contain any suffixes, so no sense to parse further + if not pretty_val[-1].isalpha(): + try: + pretty_val = int(pretty_val) + + except ValueError: + try: + pretty_val = float(pretty_val) + + except ValueError: + return pretty_val + + return pretty_val + + # Extract digits + num_part = [] + for c in pretty_val: + # When we reach the first non-digit element, + # e.g. in 1024kB, stop iterating + if not c.isdigit(): + break + else: + num_part.append(c) + + num_part = int(''.join(num_part)) + + val_in_bytes = None + + if len(pretty_val) >= 2: + if 'kB' in pretty_val[-2:]: + val_in_bytes = num_part * 1024 + + elif 'MB' in pretty_val[-2:]: + val_in_bytes = num_part * 1024 * 1024 + + elif 'GB' in pretty_val[-2:]: + val_in_bytes = num_part * 1024 * 1024 * 1024 + + elif 'TB' in pretty_val[-2:]: + val_in_bytes = num_part * 1024 * 1024 * 1024 * 1024 + + # For cases like "1B" + if not val_in_bytes and 'B' in pretty_val[-1]: + val_in_bytes = num_part + + if val_in_bytes is not None: + return val_in_bytes + else: + return pretty_val + + +def param_set(cursor, module, name, value, context): + try: + if str(value).lower() == 'default': + query = "ALTER SYSTEM SET %s = DEFAULT" % name + else: + if isinstance(value, str) and ',' in value and not name.endswith(('_command', '_prefix')): + # Issue https://github.com/ansible-collections/community.postgresql/issues/78 + # Change value from 'one, two, three' -> "'one','two','three'" + value = ','.join(["'" + elem.strip() + "'" for elem in value.split(',')]) + query = "ALTER SYSTEM SET %s = %s" % (name, value) + else: + query = "ALTER SYSTEM SET %s = '%s'" % (name, value) + cursor.execute(query) + + if context != 'postmaster': + cursor.execute("SELECT pg_reload_conf()") + + except Exception as e: + module.fail_json(msg="Unable to get %s value due to : %s" % (name, to_native(e))) + + return True + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + name=dict(type='str', required=True), + db=dict(type='str', aliases=['login_db']), + value=dict(type='str'), + reset=dict(type='bool', default=False), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + name = module.params['name'] + value = module.params['value'] + reset = module.params['reset'] + session_role = module.params['session_role'] + trust_input = module.params['trust_input'] + + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, name, value, session_role) + + if value: + # Convert a value like 1mb (Postgres does not support) to 1MB, etc: + if len(value) > 2 and value[:-2].isdigit() and value[-2:] in LOWERCASE_SIZE_UNITS: + value = value.upper() + + # Convert a value like 1b (Postgres does not support) to 1B: + elif len(value) > 1 and ('b' in value[-1] and value[:-1].isdigit()): + value = value.upper() + + if value is not None and reset: + module.fail_json(msg="%s: value and reset params are mutually exclusive" % name) + + if value is None and not reset: + module.fail_json(msg="%s: at least one of value or reset param must be specified" % name) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params, warn_db_default=False) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + kw = {} + # Check server version (needs 9.4 or later): + ver = db_connection.server_version + if ver < PG_REQ_VER: + module.warn("PostgreSQL is %s version but %s or later is required" % (ver, PG_REQ_VER)) + kw = dict( + changed=False, + restart_required=False, + value_pretty="", + prev_val_pretty="", + value={"value": "", "unit": ""}, + ) + kw['name'] = name + db_connection.close() + module.exit_json(**kw) + + # Set default returned values: + restart_required = False + changed = False + kw['name'] = name + kw['restart_required'] = False + + # Get info about param state: + res = param_get(cursor, module, name) + current_val = res['current_val'] + raw_val = res['raw_val'] + unit = res['unit'] + boot_val = res['boot_val'] + context = res['context'] + + if value == 'True': + value = 'on' + elif value == 'False': + value = 'off' + + kw['prev_val_pretty'] = current_val + kw['value_pretty'] = deepcopy(kw['prev_val_pretty']) + kw['context'] = context + + # Do job + if context == "internal": + module.fail_json(msg="%s: cannot be changed (internal context). See " + "https://www.postgresql.org/docs/current/runtime-config-preset.html" % name) + + if context == "postmaster": + restart_required = True + + # If check_mode, just compare and exit: + if module.check_mode: + if pretty_to_bytes(value) == pretty_to_bytes(current_val): + kw['changed'] = False + + else: + kw['value_pretty'] = value + kw['changed'] = True + + # Anyway returns current raw value in the check_mode: + kw['value'] = dict( + value=raw_val, + unit=unit, + ) + kw['restart_required'] = restart_required + module.exit_json(**kw) + + # Set param (value can be an empty string): + if value is not None and value != current_val: + changed = param_set(cursor, module, name, value, context) + + kw['value_pretty'] = value + + # Reset param: + elif reset: + if raw_val == boot_val: + # nothing to change, exit: + kw['value'] = dict( + value=raw_val, + unit=unit, + ) + module.exit_json(**kw) + + changed = param_set(cursor, module, name, boot_val, context) + + cursor.close() + db_connection.close() + + # Reconnect and recheck current value: + if context in ('sighup', 'superuser-backend', 'backend', 'superuser', 'user'): + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + res = param_get(cursor, module, name) + # f_ means 'final' + f_value = res['current_val'] + f_raw_val = res['raw_val'] + + if raw_val == f_raw_val: + changed = False + + else: + changed = True + + kw['value_pretty'] = f_value + kw['value'] = dict( + value=f_raw_val, + unit=unit, + ) + + cursor.close() + db_connection.close() + + kw['changed'] = changed + kw['restart_required'] = restart_required + + if restart_required and changed: + module.warn("Restart of PostgreSQL is required for setting %s" % name) + + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_slot.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_slot.py new file mode 100644 index 000000000..b863784af --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_slot.py @@ -0,0 +1,310 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, John Scalia (@jscalia), Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_slot +short_description: Add or remove replication slots from a PostgreSQL database +description: +- Add or remove physical or logical replication slots from a PostgreSQL database. + +options: + name: + description: + - Name of the replication slot to add or remove. + type: str + required: true + aliases: + - slot_name + slot_type: + description: + - Slot type. + type: str + default: physical + choices: [ logical, physical ] + state: + description: + - The slot state. + - I(state=present) implies the slot must be present in the system. + - I(state=absent) implies the I(groups) must be revoked from I(target_roles). + type: str + default: present + choices: [ absent, present ] + immediately_reserve: + description: + - Optional parameter that when C(true) specifies that the LSN for this replication slot be reserved + immediately, otherwise the default, C(false), specifies that the LSN is reserved on the first connection + from a streaming replication client. + - Is available from PostgreSQL version 9.6. + - Uses only with I(slot_type=physical). + - Mutually exclusive with I(slot_type=logical). + type: bool + default: false + output_plugin: + description: + - All logical slots must indicate which output plugin decoder they're using. + - This parameter does not apply to physical slots. + - It will be ignored with I(slot_type=physical). + type: str + default: "test_decoding" + db: + description: + - Name of database to connect to. + type: str + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. + The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + trust_input: + description: + - If C(false), check the value of I(session_role) is potentially dangerous. + - It makes sense to use C(false) only when SQL injections via I(session_role) are possible. + type: bool + default: true + version_added: '0.2.0' + +notes: +- Physical replication slots were introduced to PostgreSQL with version 9.4, + while logical replication slots were added beginning with version 10.0. + +attributes: + check_mode: + support: full + +seealso: +- name: PostgreSQL pg_replication_slots view reference + description: Complete reference of the PostgreSQL pg_replication_slots view. + link: https://www.postgresql.org/docs/current/view-pg-replication-slots.html +- name: PostgreSQL streaming replication protocol reference + description: Complete reference of the PostgreSQL streaming replication protocol documentation. + link: https://www.postgresql.org/docs/current/protocol-replication.html +- name: PostgreSQL logical replication protocol reference + description: Complete reference of the PostgreSQL logical replication protocol documentation. + link: https://www.postgresql.org/docs/current/protocol-logical-replication.html + +author: +- John Scalia (@jscalia) +- Andrew Klychkov (@Andersson007) +- Thomas O'Donnell (@andytom) +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Create physical_one physical slot if doesn't exist + become_user: postgres + community.postgresql.postgresql_slot: + slot_name: physical_one + db: ansible + +- name: Remove physical_one slot if exists + become_user: postgres + community.postgresql.postgresql_slot: + slot_name: physical_one + db: ansible + state: absent + +- name: Create logical_one logical slot to the database acme if doesn't exist + community.postgresql.postgresql_slot: + name: logical_slot_one + slot_type: logical + state: present + output_plugin: custom_decoder_one + db: "acme" + +- name: Remove logical_one slot if exists from the cluster running on another host and non-standard port + community.postgresql.postgresql_slot: + name: logical_one + login_host: mydatabase.example.org + port: 5433 + login_user: ourSuperuser + login_password: thePassword + state: absent +''' + +RETURN = r''' +name: + description: Name of the slot. + returned: always + type: str + sample: "physical_one" +queries: + description: List of executed queries. + returned: always + type: str + sample: [ "SELECT pg_create_physical_replication_slot('physical_one', False, False)" ] +''' + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + + +# =========================================== +# PostgreSQL module specific support methods. +# + +class PgSlot(object): + def __init__(self, module, cursor, name): + self.module = module + self.cursor = cursor + self.name = name + self.exists = False + self.kind = '' + self.__slot_exists() + self.changed = False + self.executed_queries = [] + + def create(self, kind='physical', immediately_reserve=False, output_plugin=False, just_check=False): + if self.exists: + if self.kind == kind: + return False + else: + self.module.warn("slot with name '%s' already exists " + "but has another type '%s'" % (self.name, self.kind)) + return False + + if just_check: + return None + + if kind == 'physical': + # Check server version (immediately_reserved needs 9.6+): + if self.cursor.connection.server_version < 90600: + query = "SELECT pg_create_physical_replication_slot(%(name)s)" + + else: + query = "SELECT pg_create_physical_replication_slot(%(name)s, %(i_reserve)s)" + + self.changed = exec_sql(self, query, + query_params={'name': self.name, 'i_reserve': immediately_reserve}, + return_bool=True) + + elif kind == 'logical': + query = "SELECT pg_create_logical_replication_slot(%(name)s, %(o_plugin)s)" + self.changed = exec_sql(self, query, + query_params={'name': self.name, 'o_plugin': output_plugin}, return_bool=True) + + def drop(self): + if not self.exists: + return False + + query = "SELECT pg_drop_replication_slot(%(name)s)" + self.changed = exec_sql(self, query, query_params={'name': self.name}, return_bool=True) + + def __slot_exists(self): + query = "SELECT slot_type FROM pg_replication_slots WHERE slot_name = %(name)s" + res = exec_sql(self, query, query_params={'name': self.name}, add_to_executed=False) + if res: + self.exists = True + self.kind = res[0][0] + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + db=dict(type="str", aliases=["login_db"]), + name=dict(type="str", required=True, aliases=["slot_name"]), + slot_type=dict(type="str", default="physical", choices=["logical", "physical"]), + immediately_reserve=dict(type="bool", default=False), + session_role=dict(type="str"), + output_plugin=dict(type="str", default="test_decoding"), + state=dict(type="str", default="present", choices=["absent", "present"]), + trust_input=dict(type="bool", default=True), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + name = module.params["name"] + slot_type = module.params["slot_type"] + immediately_reserve = module.params["immediately_reserve"] + state = module.params["state"] + output_plugin = module.params["output_plugin"] + + if not module.params["trust_input"]: + check_input(module, module.params['session_role']) + + if immediately_reserve and slot_type == 'logical': + module.fail_json(msg="Module parameters immediately_reserve and slot_type=logical are mutually exclusive") + + # When slot_type is logical and parameter db is not passed, + # the default database will be used to create the slot and + # the user should know about this. + # When the slot type is physical, + # it doesn't matter which database will be used + # because physical slots are global objects. + if slot_type == 'logical': + warn_db_default = True + else: + warn_db_default = False + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params, warn_db_default=warn_db_default) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + ################################## + # Create an object and do main job + pg_slot = PgSlot(module, cursor, name) + + changed = False + + if module.check_mode: + if state == "present": + if not pg_slot.exists: + changed = True + + pg_slot.create(slot_type, immediately_reserve, output_plugin, just_check=True) + + elif state == "absent": + if pg_slot.exists: + changed = True + else: + if state == "absent": + pg_slot.drop() + + elif state == "present": + pg_slot.create(slot_type, immediately_reserve, output_plugin) + + changed = pg_slot.changed + + db_connection.close() + module.exit_json(changed=changed, name=name, queries=pg_slot.executed_queries) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_subscription.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_subscription.py new file mode 100644 index 000000000..ae46a0dea --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_subscription.py @@ -0,0 +1,741 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +DOCUMENTATION = r''' +--- +module: postgresql_subscription +short_description: Add, update, or remove PostgreSQL subscription +description: +- Add, update, or remove PostgreSQL subscription. +version_added: '0.2.0' + +options: + name: + description: + - Name of the subscription to add, update, or remove. + type: str + required: true + db: + description: + - Name of the database to connect to and where + the subscription state will be changed. + aliases: [ login_db ] + type: str + required: true + state: + description: + - The subscription state. + - C(present) implies that if I(name) subscription doesn't exist, it will be created. + - C(absent) implies that if I(name) subscription exists, it will be removed. + - C(refresh) implies that if I(name) subscription exists, it will be refreshed. + Fetch missing table information from publisher. Always returns ``changed`` is ``True``. + This will start replication of tables that were added to the subscribed-to publications + since the last invocation of REFRESH PUBLICATION or since CREATE SUBSCRIPTION. + The existing data in the publications that are being subscribed to + should be copied once the replication starts. + - For more information about C(refresh) see U(https://www.postgresql.org/docs/current/sql-altersubscription.html). + type: str + choices: [ absent, present, refresh ] + default: present + owner: + description: + - Subscription owner. + - If I(owner) is not defined, the owner will be set as I(login_user) or I(session_role). + - Ignored when I(state) is not C(present). + type: str + publications: + description: + - The publication names on the publisher to use for the subscription. + - Ignored when I(state) is not C(present). + type: list + elements: str + connparams: + description: + - The connection dict param-value to connect to the publisher. + - For more information see U(https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING). + - Ignored when I(state) is not C(present). + type: dict + cascade: + description: + - Drop subscription dependencies. Has effect with I(state=absent) only. + - Ignored when I(state) is not C(absent). + type: bool + default: false + subsparams: + description: + - Dictionary of optional parameters for a subscription, e.g. copy_data, enabled, create_slot, etc. + - For update the subscription allowed keys are C(enabled), C(slot_name), C(synchronous_commit), C(publication_name). + - See available parameters to create a new subscription + on U(https://www.postgresql.org/docs/current/sql-createsubscription.html). + - Ignored when I(state) is not C(present). + type: dict + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + version_added: '0.2.0' + trust_input: + description: + - If C(false), check whether values of parameters I(name), I(publications), I(owner), + I(session_role), I(connparams), I(subsparams) are potentially dangerous. + - It makes sense to use C(true) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' + +notes: +- PostgreSQL version must be 10 or greater. + +attributes: + check_mode: + support: full + +seealso: +- module: community.postgresql.postgresql_publication +- module: community.postgresql.postgresql_info +- name: CREATE SUBSCRIPTION reference + description: Complete reference of the CREATE SUBSCRIPTION command documentation. + link: https://www.postgresql.org/docs/current/sql-createsubscription.html +- name: ALTER SUBSCRIPTION reference + description: Complete reference of the ALTER SUBSCRIPTION command documentation. + link: https://www.postgresql.org/docs/current/sql-altersubscription.html +- name: DROP SUBSCRIPTION reference + description: Complete reference of the DROP SUBSCRIPTION command documentation. + link: https://www.postgresql.org/docs/current/sql-dropsubscription.html + +author: +- Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: > + Create acme subscription in mydb database using acme_publication and + the following connection parameters to connect to the publisher. + Set the subscription owner as alice. + community.postgresql.postgresql_subscription: + db: mydb + name: acme + state: present + publications: acme_publication + owner: alice + connparams: + host: 127.0.0.1 + port: 5432 + user: repl + password: replpass + dbname: mydb + +- name: Assuming that acme subscription exists, try to change conn parameters + community.postgresql.postgresql_subscription: + db: mydb + name: acme + connparams: + host: 127.0.0.1 + port: 5432 + user: repl + password: replpass + connect_timeout: 100 + +- name: Refresh acme publication + community.postgresql.postgresql_subscription: + db: mydb + name: acme + state: refresh + +- name: Drop acme subscription from mydb with dependencies (cascade=true) + community.postgresql.postgresql_subscription: + db: mydb + name: acme + state: absent + cascade: true + +- name: Assuming that acme subscription exists and enabled, disable the subscription + community.postgresql.postgresql_subscription: + db: mydb + name: acme + state: present + subsparams: + enabled: false +''' + +RETURN = r''' +name: + description: + - Name of the subscription. + returned: always + type: str + sample: acme +exists: + description: + - Flag indicates the subscription exists or not at the end of runtime. + returned: always + type: bool + sample: true +queries: + description: List of executed queries. + returned: always + type: str + sample: [ 'DROP SUBSCRIPTION "mysubscription"' ] +initial_state: + description: Subscription configuration at the beginning of runtime. + returned: always + type: dict + sample: {"conninfo": {}, "enabled": true, "owner": "postgres", "slotname": "test", "synccommit": true} +final_state: + description: Subscription configuration at the end of runtime. + returned: always + type: dict + sample: {"conninfo": {}, "enabled": true, "owner": "postgres", "slotname": "test", "synccommit": true} +''' + +from copy import deepcopy + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import check_input +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible.module_utils.six import iteritems + +SUPPORTED_PG_VERSION = 10000 + +SUBSPARAMS_KEYS_FOR_UPDATE = ('enabled', 'synchronous_commit', 'slot_name') + + +################################ +# Module functions and classes # +################################ + +def convert_conn_params(conn_dict): + """Converts the passed connection dictionary to string. + + Args: + conn_dict (list): Dictionary which needs to be converted. + + Returns: + Connection string. + """ + conn_list = [] + for (param, val) in iteritems(conn_dict): + conn_list.append('%s=%s' % (param, val)) + + return ' '.join(conn_list) + + +def convert_subscr_params(params_dict): + """Converts the passed params dictionary to string. + + Args: + params_dict (list): Dictionary which needs to be converted. + + Returns: + Parameters string. + """ + params_list = [] + for (param, val) in iteritems(params_dict): + if val is False: + val = 'false' + elif val is True: + val = 'true' + + params_list.append('%s = %s' % (param, val)) + + return ', '.join(params_list) + + +def cast_connparams(connparams_dict): + """Cast the passed connparams_dict dictionary + + Returns: + Dictionary + """ + for (param, val) in iteritems(connparams_dict): + try: + connparams_dict[param] = int(val) + except ValueError: + connparams_dict[param] = val + + return connparams_dict + + +class PgSubscription(): + """Class to work with PostgreSQL subscription. + + Args: + module (AnsibleModule): Object of AnsibleModule class. + cursor (cursor): Cursor object of psycopg2 library to work with PostgreSQL. + name (str): The name of the subscription. + db (str): The database name the subscription will be associated with. + + Attributes: + module (AnsibleModule): Object of AnsibleModule class. + cursor (cursor): Cursor object of psycopg2 library to work with PostgreSQL. + name (str): Name of subscription. + executed_queries (list): List of executed queries. + attrs (dict): Dict with subscription attributes. + exists (bool): Flag indicates the subscription exists or not. + """ + + def __init__(self, module, cursor, name, db): + self.module = module + self.cursor = cursor + self.name = name + self.db = db + self.executed_queries = [] + self.attrs = { + 'owner': None, + 'enabled': None, + 'synccommit': None, + 'conninfo': {}, + 'slotname': None, + 'publications': [], + } + self.empty_attrs = deepcopy(self.attrs) + self.exists = self.check_subscr() + + def get_info(self): + """Refresh the subscription information. + + Returns: + ``self.attrs``. + """ + self.exists = self.check_subscr() + return self.attrs + + def check_subscr(self): + """Check the subscription and refresh ``self.attrs`` subscription attribute. + + Returns: + True if the subscription with ``self.name`` exists, False otherwise. + """ + + subscr_info = self.__get_general_subscr_info() + + if not subscr_info: + # The subscription does not exist: + self.attrs = deepcopy(self.empty_attrs) + return False + + self.attrs['owner'] = subscr_info.get('rolname') + self.attrs['enabled'] = subscr_info.get('subenabled') + self.attrs['synccommit'] = subscr_info.get('subenabled') + self.attrs['slotname'] = subscr_info.get('subslotname') + self.attrs['publications'] = subscr_info.get('subpublications') + if subscr_info.get('subconninfo'): + for param in subscr_info['subconninfo'].split(' '): + tmp = param.split('=') + try: + self.attrs['conninfo'][tmp[0]] = int(tmp[1]) + except ValueError: + self.attrs['conninfo'][tmp[0]] = tmp[1] + + return True + + def create(self, connparams, publications, subsparams, check_mode=True): + """Create the subscription. + + Args: + connparams (str): Connection string in libpq style. + publications (list): Publications on the primary to use. + subsparams (str): Parameters string in WITH () clause style. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + changed (bool): True if the subscription has been created, otherwise False. + """ + query_fragments = [] + query_fragments.append("CREATE SUBSCRIPTION %s CONNECTION '%s' " + "PUBLICATION %s" % (self.name, connparams, ', '.join(publications))) + + if subsparams: + query_fragments.append("WITH (%s)" % subsparams) + + changed = self.__exec_sql(' '.join(query_fragments), check_mode=check_mode) + + return changed + + def update(self, connparams, publications, subsparams, check_mode=True): + """Update the subscription. + + Args: + connparams (dict): Connection dict in libpq style. + publications (list): Publications on the primary to use. + subsparams (dict): Dictionary of optional parameters. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + changed (bool): True if subscription has been updated, otherwise False. + """ + changed = False + + if connparams: + if connparams != self.attrs['conninfo']: + changed = self.__set_conn_params(convert_conn_params(connparams), + check_mode=check_mode) + + if publications: + if sorted(self.attrs['publications']) != sorted(publications): + changed = self.__set_publications(publications, check_mode=check_mode) + + if subsparams: + params_to_update = [] + + for (param, value) in iteritems(subsparams): + if param == 'enabled': + if self.attrs['enabled'] and value is False: + changed = self.enable(enabled=False, check_mode=check_mode) + elif not self.attrs['enabled'] and value is True: + changed = self.enable(enabled=True, check_mode=check_mode) + + elif param == 'synchronous_commit': + if self.attrs['synccommit'] is True and value is False: + params_to_update.append("%s = false" % param) + elif self.attrs['synccommit'] is False and value is True: + params_to_update.append("%s = true" % param) + + elif param == 'slot_name': + if self.attrs['slotname'] and self.attrs['slotname'] != value: + params_to_update.append("%s = %s" % (param, value)) + + else: + self.module.warn("Parameter '%s' is not in params supported " + "for update '%s', ignored..." % (param, SUBSPARAMS_KEYS_FOR_UPDATE)) + + if params_to_update: + changed = self.__set_params(params_to_update, check_mode=check_mode) + + return changed + + def drop(self, cascade=False, check_mode=True): + """Drop the subscription. + + Kwargs: + cascade (bool): Flag indicates that the subscription needs to be deleted + with its dependencies. + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + changed (bool): True if the subscription has been removed, otherwise False. + """ + if self.exists: + query_fragments = ["DROP SUBSCRIPTION %s" % self.name] + if cascade: + query_fragments.append("CASCADE") + + return self.__exec_sql(' '.join(query_fragments), check_mode=check_mode) + + def set_owner(self, role, check_mode=True): + """Set a subscription owner. + + Args: + role (str): Role (user) name that needs to be set as a subscription owner. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = 'ALTER SUBSCRIPTION %s OWNER TO "%s"' % (self.name, role) + return self.__exec_sql(query, check_mode=check_mode) + + def refresh(self, check_mode=True): + """Refresh publication. + + Fetches missing table info from publisher. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = 'ALTER SUBSCRIPTION %s REFRESH PUBLICATION' % self.name + return self.__exec_sql(query, check_mode=check_mode) + + def __set_params(self, params_to_update, check_mode=True): + """Update optional subscription parameters. + + Args: + params_to_update (list): Parameters with values to update. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = 'ALTER SUBSCRIPTION %s SET (%s)' % (self.name, ', '.join(params_to_update)) + return self.__exec_sql(query, check_mode=check_mode) + + def __set_conn_params(self, connparams, check_mode=True): + """Update connection parameters. + + Args: + connparams (str): Connection string in libpq style. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = "ALTER SUBSCRIPTION %s CONNECTION '%s'" % (self.name, connparams) + return self.__exec_sql(query, check_mode=check_mode) + + def __set_publications(self, publications, check_mode=True): + """Update publications. + + Args: + publications (list): Publications on the primary to use. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + query = 'ALTER SUBSCRIPTION %s SET PUBLICATION %s' % (self.name, ', '.join(publications)) + return self.__exec_sql(query, check_mode=check_mode) + + def enable(self, enabled=True, check_mode=True): + """Enable or disable the subscription. + + Kwargs: + enable (bool): Flag indicates that the subscription needs + to be enabled or disabled. + check_mode (bool): If True, don't actually change anything, + just make SQL, add it to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + if enabled: + query = 'ALTER SUBSCRIPTION %s ENABLE' % self.name + else: + query = 'ALTER SUBSCRIPTION %s DISABLE' % self.name + + return self.__exec_sql(query, check_mode=check_mode) + + def __get_general_subscr_info(self): + """Get and return general subscription information. + + Returns: + Dict with subscription information if successful, False otherwise. + """ + query = ("SELECT d.datname, r.rolname, s.subenabled, " + "s.subconninfo, s.subslotname, s.subsynccommit, " + "s.subpublications FROM pg_catalog.pg_subscription s " + "JOIN pg_catalog.pg_database d " + "ON s.subdbid = d.oid " + "JOIN pg_catalog.pg_roles AS r " + "ON s.subowner = r.oid " + "WHERE s.subname = %(name)s AND d.datname = %(db)s") + + result = exec_sql(self, query, query_params={'name': self.name, 'db': self.db}, add_to_executed=False) + if result: + return result[0] + else: + return False + + def __exec_sql(self, query, check_mode=False): + """Execute SQL query. + + Note: If we need just to get information from the database, + we use ``exec_sql`` function directly. + + Args: + query (str): Query that needs to be executed. + + Kwargs: + check_mode (bool): If True, don't actually change anything, + just add ``query`` to ``self.executed_queries`` and return True. + + Returns: + True if successful, False otherwise. + """ + if check_mode: + self.executed_queries.append(query) + return True + else: + return exec_sql(self, query, return_bool=True) + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + name=dict(type='str', required=True), + db=dict(type='str', required=True, aliases=['login_db']), + state=dict(type='str', default='present', choices=['absent', 'present', 'refresh']), + publications=dict(type='list', elements='str'), + connparams=dict(type='dict'), + cascade=dict(type='bool', default=False), + owner=dict(type='str'), + subsparams=dict(type='dict'), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + # Parameters handling: + db = module.params['db'] + name = module.params['name'] + state = module.params['state'] + publications = module.params['publications'] + cascade = module.params['cascade'] + owner = module.params['owner'] + subsparams = module.params['subsparams'] + connparams = module.params['connparams'] + session_role = module.params['session_role'] + trust_input = module.params['trust_input'] + + if not trust_input: + # Check input for potentially dangerous elements: + if not subsparams: + subsparams_str = None + else: + subsparams_str = convert_subscr_params(subsparams) + + if not connparams: + connparams_str = None + else: + connparams_str = convert_conn_params(connparams) + + check_input(module, name, publications, owner, session_role, + connparams_str, subsparams_str) + + if state == 'present' and cascade: + module.warn('parameter "cascade" is ignored when state is not absent') + + if state != 'present': + if owner: + module.warn("parameter 'owner' is ignored when state is not 'present'") + if publications: + module.warn("parameter 'publications' is ignored when state is not 'present'") + if connparams: + module.warn("parameter 'connparams' is ignored when state is not 'present'") + if subsparams: + module.warn("parameter 'subsparams' is ignored when state is not 'present'") + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + # Connect to DB and make cursor object: + pg_conn_params = get_conn_params(module, module.params) + # We check subscription state without DML queries execution, so set autocommit: + db_connection, dummy = connect_to_db(module, pg_conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + # Check version: + if cursor.connection.server_version < SUPPORTED_PG_VERSION: + module.fail_json(msg="PostgreSQL server version should be 10.0 or greater") + + # Set defaults: + changed = False + initial_state = {} + final_state = {} + + ################################### + # Create object and do rock'n'roll: + subscription = PgSubscription(module, cursor, name, db) + + if subscription.exists: + initial_state = deepcopy(subscription.attrs) + final_state = deepcopy(initial_state) + + if state == 'present': + if not subscription.exists: + if subsparams: + subsparams = convert_subscr_params(subsparams) + + if connparams: + connparams = convert_conn_params(connparams) + + changed = subscription.create(connparams, + publications, + subsparams, + check_mode=module.check_mode) + + else: + if connparams: + connparams = cast_connparams(connparams) + + changed = subscription.update(connparams, + publications, + subsparams, + check_mode=module.check_mode) + + if owner and subscription.attrs['owner'] != owner: + changed = subscription.set_owner(owner, check_mode=module.check_mode) or changed + + elif state == 'absent': + changed = subscription.drop(cascade, check_mode=module.check_mode) + + elif state == 'refresh': + if not subscription.exists: + module.fail_json(msg="Refresh failed: subscription '%s' does not exist" % name) + + # Always returns True: + changed = subscription.refresh(check_mode=module.check_mode) + + # Get final subscription info: + final_state = subscription.get_info() + + # Connection is not needed any more: + cursor.close() + db_connection.close() + + # Return ret values and exit: + module.exit_json(changed=changed, + name=name, + exists=subscription.exists, + queries=subscription.executed_queries, + initial_state=initial_state, + final_state=final_state) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_table.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_table.py new file mode 100644 index 000000000..33f1c752f --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_table.py @@ -0,0 +1,619 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_table +short_description: Create, drop, or modify a PostgreSQL table +description: +- Allows to create, drop, rename, truncate a table, or change some table attributes. +options: + table: + description: + - Table name. + required: true + aliases: + - name + type: str + state: + description: + - The table state. I(state=absent) is mutually exclusive with I(tablespace), I(owner), I(unlogged), + I(like), I(including), I(columns), I(truncate), I(storage_params) and, I(rename). + type: str + default: present + choices: [ absent, present ] + tablespace: + description: + - Set a tablespace for the table. + type: str + owner: + description: + - Set a table owner. + type: str + unlogged: + description: + - Create an unlogged table. + type: bool + default: false + like: + description: + - Create a table like another table (with similar DDL). + Mutually exclusive with I(columns), I(rename), and I(truncate). + type: str + including: + description: + - Keywords that are used with like parameter, may be DEFAULTS, CONSTRAINTS, INDEXES, STORAGE, COMMENTS or ALL. + Needs I(like) specified. Mutually exclusive with I(columns), I(rename), and I(truncate). + type: str + columns: + description: + - Columns that are needed. + type: list + elements: str + rename: + description: + - New table name. Mutually exclusive with I(tablespace), I(owner), + I(unlogged), I(like), I(including), I(columns), I(truncate), and I(storage_params). + type: str + truncate: + description: + - Truncate a table. Mutually exclusive with I(tablespace), I(owner), I(unlogged), + I(like), I(including), I(columns), I(rename), and I(storage_params). + type: bool + default: false + storage_params: + description: + - Storage parameters like fillfactor, autovacuum_vacuum_treshold, etc. + Mutually exclusive with I(rename) and I(truncate). + type: list + elements: str + db: + description: + - Name of database to connect and where the table will be created. + type: str + default: '' + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. + The specified session_role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + cascade: + description: + - Automatically drop objects that depend on the table (such as views). + Used with I(state=absent) only. + type: bool + default: false + trust_input: + description: + - If C(false), check whether values of parameters are potentially dangerous. + - It makes sense to use C(false) only when SQL injections are possible. + type: bool + default: true + version_added: '0.2.0' + +notes: +- If you do not pass db parameter, tables will be created in the database + named postgres. +- PostgreSQL allows to create columnless table, so columns param is optional. +- Unlogged tables are available from PostgreSQL server version 9.1. + +attributes: + check_mode: + support: full + +seealso: +- module: community.postgresql.postgresql_sequence +- module: community.postgresql.postgresql_idx +- module: community.postgresql.postgresql_info +- module: community.postgresql.postgresql_tablespace +- module: community.postgresql.postgresql_owner +- module: community.postgresql.postgresql_privs +- module: community.postgresql.postgresql_copy +- name: CREATE TABLE reference + description: Complete reference of the CREATE TABLE command documentation. + link: https://www.postgresql.org/docs/current/sql-createtable.html +- name: ALTER TABLE reference + description: Complete reference of the ALTER TABLE command documentation. + link: https://www.postgresql.org/docs/current/sql-altertable.html +- name: DROP TABLE reference + description: Complete reference of the DROP TABLE command documentation. + link: https://www.postgresql.org/docs/current/sql-droptable.html +- name: PostgreSQL data types + description: Complete reference of the PostgreSQL data types documentation. + link: https://www.postgresql.org/docs/current/datatype.html +author: +- Andrei Klychkov (@Andersson007) +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Create tbl2 in the acme database with the DDL like tbl1 with testuser as an owner + community.postgresql.postgresql_table: + db: acme + name: tbl2 + like: tbl1 + owner: testuser + +- name: Create tbl2 in the acme database and tablespace ssd with the DDL like tbl1 including comments and indexes + community.postgresql.postgresql_table: + db: acme + table: tbl2 + like: tbl1 + including: comments, indexes + tablespace: ssd + +- name: Create test_table with several columns in ssd tablespace with fillfactor=10 and autovacuum_analyze_threshold=1 + community.postgresql.postgresql_table: + name: test_table + columns: + - id bigserial primary key + - num bigint + - stories text + tablespace: ssd + storage_params: + - fillfactor=10 + - autovacuum_analyze_threshold=1 + +- name: Create an unlogged table in schema acme + community.postgresql.postgresql_table: + name: acme.useless_data + columns: waste_id int + unlogged: true + +- name: Rename table foo to bar + community.postgresql.postgresql_table: + table: foo + rename: bar + +- name: Rename table foo from schema acme to bar + community.postgresql.postgresql_table: + name: acme.foo + rename: bar + +- name: Set owner to someuser + community.postgresql.postgresql_table: + name: foo + owner: someuser + +- name: Change tablespace of foo table to new_tablespace and set owner to new_user + community.postgresql.postgresql_table: + name: foo + tablespace: new_tablespace + owner: new_user + +- name: Truncate table foo + community.postgresql.postgresql_table: + name: foo + truncate: true + +- name: Drop table foo from schema acme + community.postgresql.postgresql_table: + name: acme.foo + state: absent + +- name: Drop table bar cascade + community.postgresql.postgresql_table: + name: bar + state: absent + cascade: true +''' + +RETURN = r''' +table: + description: Name of a table. + returned: always + type: str + sample: 'foo' +state: + description: Table state. + returned: always + type: str + sample: 'present' +owner: + description: Table owner. + returned: always + type: str + sample: 'postgres' +tablespace: + description: Tablespace. + returned: always + type: str + sample: 'ssd_tablespace' +queries: + description: List of executed queries. + returned: always + type: str + sample: [ 'CREATE TABLE "test_table" (id bigint)' ] +storage_params: + description: Storage parameters. + returned: always + type: list + sample: [ "fillfactor=100", "autovacuum_analyze_threshold=1" ] +''' + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, + pg_quote_identifier, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + + +# =========================================== +# PostgreSQL module specific support methods. +# + +class Table(object): + def __init__(self, name, module, cursor): + self.name = name + self.module = module + self.cursor = cursor + self.info = { + 'owner': '', + 'tblspace': '', + 'storage_params': [], + } + self.exists = False + self.__exists_in_db() + self.executed_queries = [] + + def get_info(self): + """Getter to refresh and get table info""" + self.__exists_in_db() + + def __exists_in_db(self): + """Check table exists and refresh info""" + if "." in self.name: + schema = self.name.split('.')[-2] + tblname = self.name.split('.')[-1] + else: + schema = 'public' + tblname = self.name + + query = ("SELECT t.tableowner, t.tablespace, c.reloptions " + "FROM pg_tables AS t " + "INNER JOIN pg_class AS c ON c.relname = t.tablename " + "INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid " + "WHERE t.tablename = %(tblname)s " + "AND n.nspname = %(schema)s") + res = exec_sql(self, query, query_params={'tblname': tblname, 'schema': schema}, + add_to_executed=False) + if res: + self.exists = True + self.info = dict( + owner=res[0][0], + tblspace=res[0][1] if res[0][1] else '', + storage_params=res[0][2] if res[0][2] else [], + ) + + return True + else: + self.exists = False + return False + + def create(self, columns='', params='', tblspace='', + unlogged=False, owner=''): + """ + Create table. + If table exists, check passed args (params, tblspace, owner) and, + if they're different from current, change them. + Arguments: + params - storage params (passed by "WITH (...)" in SQL), + comma separated. + tblspace - tablespace. + owner - table owner. + unlogged - create unlogged table. + columns - column string (comma separated). + """ + name = pg_quote_identifier(self.name, 'table') + + changed = False + + if self.exists: + if tblspace == 'pg_default' and self.info['tblspace'] is None: + pass # Because they have the same meaning + elif tblspace and self.info['tblspace'] != tblspace: + self.set_tblspace(tblspace) + changed = True + + if owner and self.info['owner'] != owner: + self.set_owner(owner) + changed = True + + if params: + param_list = [p.strip(' ') for p in params.split(',')] + + new_param = False + for p in param_list: + if p not in self.info['storage_params']: + new_param = True + + if new_param: + self.set_stor_params(params) + changed = True + + if changed: + return True + return False + + query = "CREATE" + if unlogged: + query += " UNLOGGED TABLE %s" % name + else: + query += " TABLE %s" % name + + if columns: + query += " (%s)" % columns + else: + query += " ()" + + if params: + query += " WITH (%s)" % params + + if tblspace: + query += ' TABLESPACE "%s"' % tblspace + + if exec_sql(self, query, return_bool=True): + changed = True + + if owner: + changed = self.set_owner(owner) + + return changed + + def create_like(self, src_table, including='', tblspace='', + unlogged=False, params='', owner=''): + """ + Create table like another table (with similar DDL). + Arguments: + src_table - source table. + including - corresponds to optional INCLUDING expression + in CREATE TABLE ... LIKE statement. + params - storage params (passed by "WITH (...)" in SQL), + comma separated. + tblspace - tablespace. + owner - table owner. + unlogged - create unlogged table. + """ + changed = False + + name = pg_quote_identifier(self.name, 'table') + + query = "CREATE" + if unlogged: + query += " UNLOGGED TABLE %s" % name + else: + query += " TABLE %s" % name + + query += " (LIKE %s" % pg_quote_identifier(src_table, 'table') + + if including: + including = including.split(',') + for i in including: + query += " INCLUDING %s" % i + + query += ')' + + if params: + query += " WITH (%s)" % params + + if tblspace: + query += ' TABLESPACE "%s"' % tblspace + + if exec_sql(self, query, return_bool=True): + changed = True + + if owner: + changed = self.set_owner(owner) + + return changed + + def truncate(self): + query = "TRUNCATE TABLE %s" % pg_quote_identifier(self.name, 'table') + return exec_sql(self, query, return_bool=True) + + def rename(self, newname): + query = "ALTER TABLE %s RENAME TO %s" % (pg_quote_identifier(self.name, 'table'), + pg_quote_identifier(newname, 'table')) + return exec_sql(self, query, return_bool=True) + + def set_owner(self, username): + query = 'ALTER TABLE %s OWNER TO "%s"' % (pg_quote_identifier(self.name, 'table'), username) + return exec_sql(self, query, return_bool=True) + + def drop(self, cascade=False): + if not self.exists: + return False + + query = "DROP TABLE %s" % pg_quote_identifier(self.name, 'table') + if cascade: + query += " CASCADE" + return exec_sql(self, query, return_bool=True) + + def set_tblspace(self, tblspace): + query = 'ALTER TABLE %s SET TABLESPACE "%s"' % (pg_quote_identifier(self.name, 'table'), tblspace) + return exec_sql(self, query, return_bool=True) + + def set_stor_params(self, params): + query = "ALTER TABLE %s SET (%s)" % (pg_quote_identifier(self.name, 'table'), params) + return exec_sql(self, query, return_bool=True) + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + table=dict(type='str', required=True, aliases=['name']), + state=dict(type='str', default='present', choices=['absent', 'present']), + db=dict(type='str', default='', aliases=['login_db']), + tablespace=dict(type='str'), + owner=dict(type='str'), + unlogged=dict(type='bool', default=False), + like=dict(type='str'), + including=dict(type='str'), + rename=dict(type='str'), + truncate=dict(type='bool', default=False), + columns=dict(type='list', elements='str'), + storage_params=dict(type='list', elements='str'), + session_role=dict(type='str'), + cascade=dict(type='bool', default=False), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + table = module.params['table'] + state = module.params['state'] + tablespace = module.params['tablespace'] + owner = module.params['owner'] + unlogged = module.params['unlogged'] + like = module.params['like'] + including = module.params['including'] + newname = module.params['rename'] + storage_params = module.params['storage_params'] + truncate = module.params['truncate'] + columns = module.params['columns'] + cascade = module.params['cascade'] + session_role = module.params['session_role'] + trust_input = module.params['trust_input'] + + if not trust_input: + # Check input for potentially dangerous elements: + check_input(module, table, tablespace, owner, like, including, + newname, storage_params, columns, session_role) + + if state == 'present' and cascade: + module.warn("cascade=true is ignored when state=present") + + # Check mutual exclusive parameters: + if state == 'absent' and (truncate or newname or columns or tablespace or like or storage_params or unlogged or owner or including): + module.fail_json(msg="%s: state=absent is mutually exclusive with: " + "truncate, rename, columns, tablespace, " + "including, like, storage_params, unlogged, owner" % table) + + if truncate and (newname or columns or like or unlogged or storage_params or owner or tablespace or including): + module.fail_json(msg="%s: truncate is mutually exclusive with: " + "rename, columns, like, unlogged, including, " + "storage_params, owner, tablespace" % table) + + if newname and (columns or like or unlogged or storage_params or owner or tablespace or including): + module.fail_json(msg="%s: rename is mutually exclusive with: " + "columns, like, unlogged, including, " + "storage_params, owner, tablespace" % table) + + if like and columns: + module.fail_json(msg="%s: like and columns params are mutually exclusive" % table) + if including and not like: + module.fail_json(msg="%s: including param needs like param specified" % table) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=False) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + if storage_params: + storage_params = ','.join(storage_params) + + if columns: + columns = ','.join(columns) + + ############## + # Do main job: + table_obj = Table(table, module, cursor) + + # Set default returned values: + changed = False + kw = {} + kw['table'] = table + kw['state'] = '' + if table_obj.exists: + kw = dict( + table=table, + state='present', + owner=table_obj.info['owner'], + tablespace=table_obj.info['tblspace'], + storage_params=table_obj.info['storage_params'], + ) + + if state == 'absent': + changed = table_obj.drop(cascade=cascade) + + elif truncate: + changed = table_obj.truncate() + + elif newname: + changed = table_obj.rename(newname) + q = table_obj.executed_queries + table_obj = Table(newname, module, cursor) + table_obj.executed_queries = q + + elif state == 'present' and not like: + changed = table_obj.create(columns, storage_params, + tablespace, unlogged, owner) + + elif state == 'present' and like: + changed = table_obj.create_like(like, including, tablespace, + unlogged, storage_params) + + if changed: + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + # Refresh table info for RETURN. + # Note, if table has been renamed, it gets info by newname: + table_obj.get_info() + db_connection.commit() + if table_obj.exists: + kw = dict( + table=table, + state='present', + owner=table_obj.info['owner'], + tablespace=table_obj.info['tblspace'], + storage_params=table_obj.info['storage_params'], + ) + else: + # We just change the table state here + # to keep other information about the dropped table: + kw['state'] = 'absent' + + kw['queries'] = table_obj.executed_queries + kw['changed'] = changed + db_connection.close() + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_tablespace.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_tablespace.py new file mode 100644 index 000000000..243005733 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_tablespace.py @@ -0,0 +1,545 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2017, Flavien Chantelot (@Dorn-) +# Copyright: (c) 2018, Antoine Levy-Lambert (@antoinell) +# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_tablespace +short_description: Add or remove PostgreSQL tablespaces from remote hosts +description: +- Adds or removes PostgreSQL tablespaces from remote hosts. +options: + tablespace: + description: + - Name of the tablespace to add or remove. + required: true + type: str + aliases: + - name + location: + description: + - Path to the tablespace directory in the file system. + - Ensure that the location exists and has right privileges. + type: path + aliases: + - path + state: + description: + - Tablespace state. + - I(state=present) implies the tablespace must be created if it doesn't exist. + - I(state=absent) implies the tablespace must be removed if present. + I(state=absent) is mutually exclusive with I(location), I(owner), i(set). + - See the Notes section for information about check mode restrictions. + type: str + default: present + choices: [ absent, present ] + owner: + description: + - Name of the role to set as an owner of the tablespace. + - If this option is not specified, the tablespace owner is a role that creates the tablespace. + type: str + set: + description: + - Dict of tablespace options to set. Supported from PostgreSQL 9.0. + - For more information see U(https://www.postgresql.org/docs/current/sql-createtablespace.html). + - When reset is passed as an option's value, if the option was set previously, it will be removed. + type: dict + rename_to: + description: + - New name of the tablespace. + - The new name cannot begin with pg_, as such names are reserved for system tablespaces. + type: str + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + db: + description: + - Name of database to connect to and run queries against. + type: str + aliases: + - login_db + trust_input: + description: + - If C(false), check whether values of parameters I(tablespace), I(location), I(owner), + I(rename_to), I(session_role), I(settings_list) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections via the parameters are possible. + type: bool + default: true + version_added: '0.2.0' + +attributes: + check_mode: + support: partial + details: + - I(state=absent) and I(state=present) (the second one if the tablespace doesn't exist) do not + support check mode because the corresponding PostgreSQL DROP and CREATE TABLESPACE commands + can not be run inside the transaction block. + +seealso: +- name: PostgreSQL tablespaces + description: General information about PostgreSQL tablespaces. + link: https://www.postgresql.org/docs/current/manage-ag-tablespaces.html +- name: CREATE TABLESPACE reference + description: Complete reference of the CREATE TABLESPACE command documentation. + link: https://www.postgresql.org/docs/current/sql-createtablespace.html +- name: ALTER TABLESPACE reference + description: Complete reference of the ALTER TABLESPACE command documentation. + link: https://www.postgresql.org/docs/current/sql-altertablespace.html +- name: DROP TABLESPACE reference + description: Complete reference of the DROP TABLESPACE command documentation. + link: https://www.postgresql.org/docs/current/sql-droptablespace.html + +author: +- Flavien Chantelot (@Dorn-) +- Antoine Levy-Lambert (@antoinell) +- Andrew Klychkov (@Andersson007) + +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Create a new tablespace called acme and set bob as an its owner + community.postgresql.postgresql_tablespace: + name: acme + owner: bob + location: /data/foo + +- name: Create a new tablespace called bar with tablespace options + community.postgresql.postgresql_tablespace: + name: bar + set: + random_page_cost: 1 + seq_page_cost: 1 + +- name: Reset random_page_cost option + community.postgresql.postgresql_tablespace: + name: bar + set: + random_page_cost: reset + +- name: Rename the tablespace from bar to pcie_ssd + community.postgresql.postgresql_tablespace: + name: bar + rename_to: pcie_ssd + +- name: Drop tablespace called bloat + community.postgresql.postgresql_tablespace: + name: bloat + state: absent +''' + +RETURN = r''' +queries: + description: List of queries that was tried to be executed. + returned: always + type: str + sample: [ "CREATE TABLESPACE bar LOCATION '/incredible/ssd'" ] +tablespace: + description: Tablespace name. + returned: always + type: str + sample: 'ssd' +owner: + description: Tablespace owner. + returned: always + type: str + sample: 'Bob' +options: + description: Tablespace options. + returned: always + type: dict + sample: { 'random_page_cost': 1, 'seq_page_cost': 1 } +location: + description: Path to the tablespace in the file system. + returned: always + type: str + sample: '/incredible/fast/ssd' +newname: + description: New tablespace name. + returned: if existent + type: str + sample: new_ssd +state: + description: Tablespace state at the end of execution. + returned: always + type: str + sample: 'present' +''' + +try: + from psycopg2 import __version__ as PSYCOPG2_VERSION + from psycopg2.extras import DictCursor + from psycopg2.extensions import ISOLATION_LEVEL_AUTOCOMMIT as AUTOCOMMIT + from psycopg2.extensions import ISOLATION_LEVEL_READ_COMMITTED as READ_COMMITTED +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.six import iteritems + +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) + + +class PgTablespace(object): + + """Class for working with PostgreSQL tablespaces. + + Args: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + name (str) -- name of the tablespace + + Attrs: + module (AnsibleModule) -- object of AnsibleModule class + cursor (cursor) -- cursor object of psycopg2 library + name (str) -- name of the tablespace + exists (bool) -- flag the tablespace exists in the DB or not + owner (str) -- tablespace owner + location (str) -- path to the tablespace directory in the file system + executed_queries (list) -- list of executed queries + new_name (str) -- new name for the tablespace + opt_not_supported (bool) -- flag indicates a tablespace option is supported or not + """ + + def __init__(self, module, cursor, name): + self.module = module + self.cursor = cursor + self.name = name + self.exists = False + self.owner = '' + self.settings = {} + self.location = '' + self.executed_queries = [] + self.new_name = '' + self.opt_not_supported = False + # Collect info: + self.get_info() + + def get_info(self): + """Get tablespace information.""" + # Check that spcoptions exists: + opt = exec_sql(self, "SELECT 1 FROM information_schema.columns " + "WHERE table_name = 'pg_tablespace' " + "AND column_name = 'spcoptions'", add_to_executed=False) + + # For 9.1 version and earlier: + location = exec_sql(self, "SELECT 1 FROM information_schema.columns " + "WHERE table_name = 'pg_tablespace' " + "AND column_name = 'spclocation'", add_to_executed=False) + if location: + location = 'spclocation' + else: + location = 'pg_tablespace_location(t.oid)' + + if not opt: + self.opt_not_supported = True + query = ("SELECT r.rolname, (SELECT Null), %s " + "FROM pg_catalog.pg_tablespace AS t " + "JOIN pg_catalog.pg_roles AS r " + "ON t.spcowner = r.oid " % location) + else: + query = ("SELECT r.rolname, t.spcoptions, %s " + "FROM pg_catalog.pg_tablespace AS t " + "JOIN pg_catalog.pg_roles AS r " + "ON t.spcowner = r.oid " % location) + + res = exec_sql(self, query + "WHERE t.spcname = %(name)s", + query_params={'name': self.name}, add_to_executed=False) + + if not res: + self.exists = False + return False + + if res[0][0]: + self.exists = True + self.owner = res[0][0] + + if res[0][1]: + # Options exist: + for i in res[0][1]: + i = i.split('=') + self.settings[i[0]] = i[1] + + if res[0][2]: + # Location exists: + self.location = res[0][2] + + def create(self, location): + """Create tablespace. + + Return True if success, otherwise, return False. + + args: + location (str) -- tablespace directory path in the FS + """ + query = ('CREATE TABLESPACE "%s" LOCATION \'%s\'' % (self.name, location)) + return exec_sql(self, query, return_bool=True) + + def drop(self): + """Drop tablespace. + + Return True if success, otherwise, return False. + """ + return exec_sql(self, 'DROP TABLESPACE "%s"' % self.name, return_bool=True) + + def set_owner(self, new_owner): + """Set tablespace owner. + + Return True if success, otherwise, return False. + + args: + new_owner (str) -- name of a new owner for the tablespace" + """ + if new_owner == self.owner: + return False + + query = 'ALTER TABLESPACE "%s" OWNER TO "%s"' % (self.name, new_owner) + return exec_sql(self, query, return_bool=True) + + def rename(self, newname): + """Rename tablespace. + + Return True if success, otherwise, return False. + + args: + newname (str) -- new name for the tablespace" + """ + query = 'ALTER TABLESPACE "%s" RENAME TO "%s"' % (self.name, newname) + self.new_name = newname + return exec_sql(self, query, return_bool=True) + + def set_settings(self, new_settings): + """Set tablespace settings (options). + + If some setting has been changed, set changed = True. + After all settings list is handling, return changed. + + args: + new_settings (list) -- list of new settings + """ + # settings must be a dict {'key': 'value'} + if self.opt_not_supported: + return False + + changed = False + + # Apply new settings: + for i in new_settings: + if new_settings[i] == 'reset': + if i in self.settings: + changed = self.__reset_setting(i) + self.settings[i] = None + + elif (i not in self.settings) or (str(new_settings[i]) != self.settings[i]): + changed = self.__set_setting("%s = '%s'" % (i, new_settings[i])) + + return changed + + def __reset_setting(self, setting): + """Reset tablespace setting. + + Return True if success, otherwise, return False. + + args: + setting (str) -- string in format "setting_name = 'setting_value'" + """ + query = 'ALTER TABLESPACE "%s" RESET (%s)' % (self.name, setting) + return exec_sql(self, query, return_bool=True) + + def __set_setting(self, setting): + """Set tablespace setting. + + Return True if success, otherwise, return False. + + args: + setting (str) -- string in format "setting_name = 'setting_value'" + """ + query = 'ALTER TABLESPACE "%s" SET (%s)' % (self.name, setting) + return exec_sql(self, query, return_bool=True) + + +# =========================================== +# Module execution. +# + + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + tablespace=dict(type='str', required=True, aliases=['name']), + state=dict(type='str', default="present", choices=["absent", "present"]), + location=dict(type='path', aliases=['path']), + owner=dict(type='str'), + set=dict(type='dict'), + rename_to=dict(type='str'), + db=dict(type='str', aliases=['login_db']), + session_role=dict(type='str'), + trust_input=dict(type='bool', default=True), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + mutually_exclusive=(('positional_args', 'named_args'),), + supports_check_mode=True, + ) + + tablespace = module.params["tablespace"] + state = module.params["state"] + location = module.params["location"] + owner = module.params["owner"] + rename_to = module.params["rename_to"] + settings = module.params["set"] + session_role = module.params["session_role"] + trust_input = module.params["trust_input"] + + if state == 'absent' and (location or owner or rename_to or settings): + module.fail_json(msg="state=absent is mutually exclusive location, " + "owner, rename_to, and set") + + if not trust_input: + # Check input for potentially dangerous elements: + if not settings: + settings_list = None + else: + settings_list = ['%s = %s' % (k, v) for k, v in iteritems(settings)] + + check_input(module, tablespace, location, owner, + rename_to, session_role, settings_list) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params, warn_db_default=False) + db_connection, dummy = connect_to_db(module, conn_params, autocommit=True) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + # Change autocommit to False if check_mode: + if module.check_mode: + if PSYCOPG2_VERSION >= '2.4.2': + db_connection.set_session(autocommit=False) + else: + db_connection.set_isolation_level(READ_COMMITTED) + + # Set defaults: + autocommit = False + changed = False + + ############## + # Create PgTablespace object and do main job: + tblspace = PgTablespace(module, cursor, tablespace) + + # If tablespace exists with different location, exit: + if tblspace.exists and location and location != tblspace.location: + module.fail_json(msg="Tablespace '%s' exists with " + "different location '%s'" % (tblspace.name, tblspace.location)) + + # Create new tablespace: + if not tblspace.exists and state == 'present': + if rename_to: + module.fail_json(msg="Tablespace %s does not exist, nothing to rename" % tablespace) + + if not location: + module.fail_json(msg="'location' parameter must be passed with " + "state=present if the tablespace doesn't exist") + + # Because CREATE TABLESPACE can not be run inside the transaction block: + autocommit = True + if PSYCOPG2_VERSION >= '2.4.2': + db_connection.set_session(autocommit=True) + else: + db_connection.set_isolation_level(AUTOCOMMIT) + + changed = tblspace.create(location) + + # Drop non-existing tablespace: + elif not tblspace.exists and state == 'absent': + # Nothing to do: + module.fail_json(msg="Tries to drop nonexistent tablespace '%s'" % tblspace.name) + + # Drop existing tablespace: + elif tblspace.exists and state == 'absent': + # Because DROP TABLESPACE can not be run inside the transaction block: + autocommit = True + if PSYCOPG2_VERSION >= '2.4.2': + db_connection.set_session(autocommit=True) + else: + db_connection.set_isolation_level(AUTOCOMMIT) + + changed = tblspace.drop() + + # Rename tablespace: + elif tblspace.exists and rename_to: + if tblspace.name != rename_to: + changed = tblspace.rename(rename_to) + + if state == 'present': + # Refresh information: + tblspace.get_info() + + # Change owner and settings: + if state == 'present' and tblspace.exists: + if owner: + changed = tblspace.set_owner(owner) + + if settings: + changed = tblspace.set_settings(settings) + + tblspace.get_info() + + # Rollback if it's possible and check_mode: + if not autocommit: + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + cursor.close() + db_connection.close() + + # Make return values: + kw = dict( + changed=changed, + state='present', + tablespace=tblspace.name, + owner=tblspace.owner, + queries=tblspace.executed_queries, + options=tblspace.settings, + location=tblspace.location, + ) + + if state == 'present': + kw['state'] = 'present' + + if tblspace.new_name: + kw['newname'] = tblspace.new_name + + elif state == 'absent': + kw['state'] = 'absent' + + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_user.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_user.py new file mode 100644 index 000000000..594e0f1ae --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_user.py @@ -0,0 +1,1085 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_user +short_description: Create, alter, or remove a user (role) from a PostgreSQL server instance +description: +- Creates, alters, or removes a user (role) from a PostgreSQL server instance + ("cluster" in PostgreSQL terminology) and, optionally, + grants the user access to an existing database or tables. +- A user is a role with login privilege. +- You can also use it to grant or revoke user's privileges in a particular database. +- You cannot remove a user while it still has any privileges granted to it in any database. +- Set I(fail_on_user) to C(false) to make the module ignore failures when trying to remove a user. + In this case, the module reports if changes happened as usual and separately reports + whether the user has been removed or not. +- B(WARNING) The I(priv) option has been B(deprecated) and will be removed in community.postgresql 3.0.0. Please use the + M(community.postgresql.postgresql_privs) module instead. +- B(WARNING) The I(groups) option has been B(deprecated) ans will be removed in community.postgresql 3.0.0. + Please use the M(community.postgresql.postgresql_membership) module instead. +options: + name: + description: + - Name of the user (role) to add or remove. + type: str + required: true + aliases: + - user + password: + description: + - Set the user's password, before 1.4 this was required. + - Password can be passed unhashed or hashed (MD5-hashed). + - An unhashed password is automatically hashed when saved into the + database if I(encrypted) is set, otherwise it is saved in + plain text format. + - When passing an MD5-hashed password, you must generate it with the format + C('str["md5"] + md5[ password + username ]'), resulting in a total of + 35 characters. An easy way to do this is + C(echo "md5`echo -n 'verysecretpasswordJOE' | md5sum | awk '{print $1}'`"). + - Note that if the provided password string is already in MD5-hashed + format, then it is used as-is, regardless of I(encrypted) option. + type: str + db: + description: + - Name of database to connect to and where user's permissions are granted. + type: str + default: '' + aliases: + - login_db + fail_on_user: + description: + - If C(true), fails when the user (role) cannot be removed. Otherwise just log and continue. + default: true + type: bool + aliases: + - fail_on_role + priv: + description: + - This option has been B(deprecated) and will be removed in + community.postgresql 3.0.0. Please use the M(community.postgresql.postgresql_privs) module to + GRANT/REVOKE permissions instead. + - "Slash-separated PostgreSQL privileges string: C(priv1/priv2), where + you can define the user's privileges for the database ( allowed options - 'CREATE', + 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL'. For example C(CONNECT) ) or + for table ( allowed options - 'SELECT', 'INSERT', 'UPDATE', 'DELETE', + 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL'. For example + C(table:SELECT) ). Mixed example of this string: + C(CONNECT/CREATE/table1:SELECT/table2:INSERT)." + - When I(priv) contains tables, the module uses the schema C(public) by default. + If you need to specify a different schema, use the C(schema_name.table_name) notation, + for example, C(pg_catalog.pg_stat_database:SELECT). + type: str + role_attr_flags: + description: + - "PostgreSQL user attributes string in the format: CREATEDB,CREATEROLE,SUPERUSER." + - Note that '[NO]CREATEUSER' is deprecated. + - To create a simple role for using it like a group, use C(NOLOGIN) flag. + - See the full list of supported flags in documentation for your PostgreSQL version. + type: str + default: '' + session_role: + description: + - Switch to session role after connecting. + - The specified session role must be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though the session role + were the one that had logged in originally. + type: str + state: + description: + - The user (role) state. + type: str + default: present + choices: [ absent, present ] + encrypted: + description: + - Whether the password is stored hashed in the database. + - You can specify an unhashed password, and PostgreSQL ensures + the stored password is hashed when I(encrypted=true) is set. + If you specify a hashed password, the module uses it as-is, + regardless of the setting of I(encrypted). + - "Note: Postgresql 10 and newer does not support unhashed passwords." + - Previous to Ansible 2.6, this was C(false) by default. + default: true + type: bool + expires: + description: + - The date at which the user's password is to expire. + - If set to C('infinity'), user's password never expires. + - Note that this value must be a valid SQL date and time type. + type: str + no_password_changes: + description: + - If C(true), does not inspect the database for password changes. + If the user already exists, skips all password related checks. + Useful when C(pg_authid) is not accessible (such as in AWS RDS). + Otherwise, makes password changes as necessary. + default: false + type: bool + conn_limit: + description: + - Specifies the user (role) connection limit. + type: int + ssl_mode: + description: + - Determines how an SSL session is negotiated with the server. + - See U(https://www.postgresql.org/docs/current/static/libpq-ssl.html) for more information on the modes. + - Default of C(prefer) matches libpq default. + type: str + default: prefer + choices: [ allow, disable, prefer, require, verify-ca, verify-full ] + ca_cert: + description: + - Specifies the name of a file containing SSL certificate authority (CA) certificate(s). + - If the file exists, verifies that the server's certificate is signed by one of these authorities. + type: str + aliases: [ ssl_rootcert ] + groups: + description: + - This option has been B(deprecated) and will be removed in community.postgresql 3.0.0. + Please use the I(postgresql_membership) module to GRANT/REVOKE group/role memberships + instead. + - The list of groups (roles) that you want to grant to the user. + type: list + elements: str + comment: + description: + - Adds a comment on the user (equivalent to the C(COMMENT ON ROLE) statement). + type: str + version_added: '0.2.0' + trust_input: + description: + - If C(false), checks whether values of options I(name), I(password), I(privs), I(expires), + I(role_attr_flags), I(groups), I(comment), I(session_role) are potentially dangerous. + - It makes sense to use C(false) only when SQL injections through the options are possible. + type: bool + default: true + version_added: '0.2.0' +notes: +- The module creates a user (role) with login privilege by default. + Use C(NOLOGIN) I(role_attr_flags) to change this behaviour. +- If you specify C(PUBLIC) as the user (role), then the privilege changes apply to all users (roles). + You may not specify password or role_attr_flags when the C(PUBLIC) user is specified. +- SCRAM-SHA-256-hashed passwords (SASL Authentication) require PostgreSQL version 10 or newer. + On the previous versions the whole hashed string is used as a password. +- 'Working with SCRAM-SHA-256-hashed passwords, be sure you use the I(environment:) variable + C(PGOPTIONS: "-c password_encryption=scram-sha-256") (see the provided example).' +- On some systems (such as AWS RDS), C(pg_authid) is not accessible, thus, the module cannot compare + the current and desired C(password). In this case, the module assumes that the passwords are + different and changes it reporting that the state has been changed. + To skip all password related checks for existing users, use I(no_password_changes=true). +- On some systems (such as AWS RDS), C(SUPERUSER) is unavailable. This means the C(SUPERUSER) and + C(NOSUPERUSER) I(role_attr_flags) should not be specified to preserve idempotency and avoid + InsufficientPrivilege errors. + +attributes: + check_mode: + support: full + +seealso: +- module: community.postgresql.postgresql_privs +- module: community.postgresql.postgresql_membership +- module: community.postgresql.postgresql_owner +- name: PostgreSQL database roles + description: Complete reference of the PostgreSQL database roles documentation. + link: https://www.postgresql.org/docs/current/user-manag.html +- name: PostgreSQL SASL Authentication + description: Complete reference of the PostgreSQL SASL Authentication. + link: https://www.postgresql.org/docs/current/sasl-authentication.html +author: +- Ansible Core Team +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +# This example uses the 'priv' argument which is deprecated. +# You should use the 'postgresql_privs' module instead. +- name: Connect to acme database, create django user, and grant access to database and products table + community.postgresql.postgresql_user: + db: acme + name: django + password: ceec4eif7ya + priv: "CONNECT/products:ALL" + expires: "Jan 31 2020" + +- name: Add a comment on django user + community.postgresql.postgresql_user: + db: acme + name: django + comment: This is a test user + +# Connect to default database, create rails user, set its password (MD5- or SHA256-hashed), +# and grant privilege to create other databases and demote rails from super user status if user exists +# the hash from the corresponding pg_authid entry. +- name: Create rails user, set MD5-hashed password, grant privs + community.postgresql.postgresql_user: + name: rails + password: md59543f1d82624df2b31672ec0f7050460 + # password: SCRAM-SHA-256$4096:zFuajwIVdli9mK=NJkcv1Q++$JC4gWIrEHmF6sqRbEiZw5FFW45HUPrpVzNdoM72o730+;fqA4vLN3mCZGbhcbQyvNYY7anCrUTsem1eCh/4YA94= + role_attr_flags: CREATEDB,NOSUPERUSER + # When using sha256-hashed password: + #environment: + # PGOPTIONS: "-c password_encryption=scram-sha-256" + +# This example uses the 'priv' argument which is deprecated. +# You should use the 'postgresql_privs' module instead. +- name: Connect to acme database and remove test user privileges from there + community.postgresql.postgresql_user: + db: acme + name: test + priv: "ALL/products:ALL" + state: absent + fail_on_user: false + +# This example uses the 'priv' argument which is deprecated. +# You should use the 'postgresql_privs' module instead. +- name: Connect to test database, remove test user from cluster + community.postgresql.postgresql_user: + db: test + name: test + priv: ALL + state: absent + +# This example uses the 'priv' argument which is deprecated. +# You should use the 'postgresql_privs' module instead. +- name: Connect to acme database and set user's password with no expire date + community.postgresql.postgresql_user: + db: acme + name: django + password: mysupersecretword + priv: "CONNECT/products:ALL" + expires: infinity + +# Example privileges string format +# INSERT,UPDATE/table:SELECT/anothertable:ALL + +- name: Connect to test database and remove an existing user's password + community.postgresql.postgresql_user: + db: test + user: test + password: "" + +# This example uses the `group` argument which is deprecated. +# You should use the `postgresql_membership` module instead. +- name: Create user test and grant group user_ro and user_rw to it + community.postgresql.postgresql_user: + name: test + groups: + - user_ro + - user_rw + +# Create user with a cleartext password if it does not exist or update its password. +# The password will be encrypted with SCRAM algorithm (available since PostgreSQL 10) +- name: Create appclient user with SCRAM-hashed password + community.postgresql.postgresql_user: + name: appclient + password: "secret123" + environment: + PGOPTIONS: "-c password_encryption=scram-sha-256" + +# This example uses the 'priv' argument which is deprecated. +# You should use the 'postgresql_privs' module instead. +- name: Create a user, grant SELECT on pg_catalog.pg_stat_database + community.postgresql.postgresql_user: + name: monitoring + priv: 'pg_catalog.pg_stat_database:SELECT' +''' + +RETURN = r''' +queries: + description: List of executed queries. + returned: always + type: list + sample: ['CREATE USER "alice"', 'GRANT CONNECT ON DATABASE "acme" TO "alice"'] +''' + +import itertools +import re +import traceback +from hashlib import md5, sha256 +import hmac +from base64 import b64decode + +try: + import psycopg2 + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + pg_quote_identifier, + SQLParseError, + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + ensure_required_libs, + get_conn_params, + get_server_version, + PgMembership, + postgres_common_argument_spec, +) +from ansible.module_utils._text import to_bytes, to_native, to_text +from ansible.module_utils.six import iteritems +from ansible_collections.community.postgresql.plugins.module_utils import saslprep + +try: + # pbkdf2_hmac is missing on python 2.6, we can safely assume, + # that postresql 10 capable instance have at least python 2.7 installed + from hashlib import pbkdf2_hmac + pbkdf2_found = True +except ImportError: + pbkdf2_found = False + + +FLAGS = ('SUPERUSER', 'CREATEROLE', 'CREATEDB', 'INHERIT', 'LOGIN', 'REPLICATION') +FLAGS_BY_VERSION = {'BYPASSRLS': 90500} + +SCRAM_SHA256_REGEX = r'^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+\/=]+)\$([A-Za-z0-9+\/=]+):([A-Za-z0-9+\/=]+)$' + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +VALID_PRIVS = dict(table=frozenset(('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER', 'ALL')), + database=frozenset( + ('CREATE', 'CONNECT', 'TEMPORARY', 'TEMP', 'ALL')), + ) + +# map to cope with idiosyncrasies of SUPERUSER and LOGIN +PRIV_TO_AUTHID_COLUMN = dict(SUPERUSER='rolsuper', CREATEROLE='rolcreaterole', + CREATEDB='rolcreatedb', INHERIT='rolinherit', LOGIN='rolcanlogin', + REPLICATION='rolreplication', BYPASSRLS='rolbypassrls') + +executed_queries = [] + +# This is a special list for debugging. +# If you need to fetch information (e.g. results of cursor.fetchall(), +# queries built with cursor.mogrify(), vars values, etc.): +# 1. Put debug_info.append(<information_you_need>) as many times as you need. +# 2. Run integration tests or you playbook with -vvv +# 3. If it's not empty, you'll see the list in the returned json. +debug_info = [] + + +class InvalidFlagsError(Exception): + pass + + +class InvalidPrivsError(Exception): + pass + +# =========================================== +# PostgreSQL module specific support methods. +# + + +def user_exists(cursor, user): + # The PUBLIC user is a special case that is always there + if user == 'PUBLIC': + return True + query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s" + cursor.execute(query, {'user': user}) + return cursor.rowcount > 0 + + +def user_add(cursor, user, password, role_attr_flags, encrypted, expires, conn_limit): + """Create a new database user (role).""" + # Note: role_attr_flags escaped by parse_role_attrs and encrypted is a + # literal + query_password_data = dict(password=password, expires=expires) + query = ['CREATE USER "%(user)s"' % + {"user": user}] + if password is not None and password != '': + query.append("WITH %(crypt)s" % {"crypt": encrypted}) + query.append("PASSWORD %(password)s") + if expires is not None: + query.append("VALID UNTIL %(expires)s") + if conn_limit is not None: + query.append("CONNECTION LIMIT %(conn_limit)s" % {"conn_limit": conn_limit}) + query.append(role_attr_flags) + query = ' '.join(query) + executed_queries.append(query) + cursor.execute(query, query_password_data) + return True + + +def user_should_we_change_password(current_role_attrs, user, password, encrypted): + """Check if we should change the user's password. + + Compare the proposed password with the existing one, comparing + hashes if encrypted. If we can't access it assume yes. + """ + + if current_role_attrs is None: + # on some databases, E.g. AWS RDS instances, there is no access to + # the pg_authid relation to check the pre-existing password, so we + # just assume password is different + return True + + # Do we actually need to do anything? + pwchanging = False + if password is not None: + # Empty password means that the role shouldn't have a password, which + # means we need to check if the current password is None. + if password == '': + if current_role_attrs['rolpassword'] is not None: + pwchanging = True + # If the provided password is a SCRAM hash, compare it directly to the current password + elif re.match(SCRAM_SHA256_REGEX, password): + if password != current_role_attrs['rolpassword']: + pwchanging = True + + # SCRAM hashes are represented as a special object, containing hash data: + # `SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>` + # for reference, see https://www.postgresql.org/docs/current/catalog-pg-authid.html + elif current_role_attrs['rolpassword'] is not None \ + and pbkdf2_found \ + and re.match(SCRAM_SHA256_REGEX, current_role_attrs['rolpassword']): + + r = re.match(SCRAM_SHA256_REGEX, current_role_attrs['rolpassword']) + try: + # extract SCRAM params from rolpassword + it = int(r.group(1)) + salt = b64decode(r.group(2)) + server_key = b64decode(r.group(4)) + # we'll never need `storedKey` as it is only used for server auth in SCRAM + # storedKey = b64decode(r.group(3)) + + # from RFC5802 https://tools.ietf.org/html/rfc5802#section-3 + # SaltedPassword := Hi(Normalize(password), salt, i) + # ServerKey := HMAC(SaltedPassword, "Server Key") + normalized_password = saslprep.saslprep(to_text(password)) + salted_password = pbkdf2_hmac('sha256', to_bytes(normalized_password), salt, it) + + server_key_verifier = hmac.new(salted_password, digestmod=sha256) + server_key_verifier.update(b'Server Key') + + if server_key_verifier.digest() != server_key: + pwchanging = True + except Exception: + # We assume the password is not scram encrypted + # or we cannot check it properly, e.g. due to missing dependencies + pwchanging = True + + # 32: MD5 hashes are represented as a sequence of 32 hexadecimal digits + # 3: The size of the 'md5' prefix + # When the provided password looks like a MD5-hash, value of + # 'encrypted' is ignored. + elif (password.startswith('md5') and len(password) == 32 + 3) or encrypted == 'UNENCRYPTED': + if password != current_role_attrs['rolpassword']: + pwchanging = True + elif encrypted == 'ENCRYPTED': + hashed_password = 'md5{0}'.format(md5(to_bytes(password) + to_bytes(user)).hexdigest()) + if hashed_password != current_role_attrs['rolpassword']: + pwchanging = True + + return pwchanging + + +def user_alter(db_connection, module, user, password, role_attr_flags, encrypted, expires, no_password_changes, conn_limit): + """Change user password and/or attributes. Return True if changed, False otherwise.""" + changed = False + + cursor = db_connection.cursor(cursor_factory=DictCursor) + # Note: role_attr_flags escaped by parse_role_attrs and encrypted is a + # literal + if user == 'PUBLIC': + if password is not None: + module.fail_json(msg="cannot change the password for PUBLIC user") + elif role_attr_flags != '': + module.fail_json(msg="cannot change the role_attr_flags for PUBLIC user") + else: + return False + + # Handle passwords. + if not no_password_changes and (password is not None or role_attr_flags != '' or expires is not None or conn_limit is not None): + # Select password and all flag-like columns in order to verify changes. + try: + select = "SELECT * FROM pg_authid where rolname=%(user)s" + cursor.execute(select, {"user": user}) + # Grab current role attributes. + current_role_attrs = cursor.fetchone() + except psycopg2.ProgrammingError: + current_role_attrs = None + db_connection.rollback() + + pwchanging = user_should_we_change_password(current_role_attrs, user, password, encrypted) + + if current_role_attrs is None: + try: + # AWS RDS instances does not allow user to access pg_authid + # so try to get current_role_attrs from pg_roles tables + select = "SELECT * FROM pg_roles where rolname=%(user)s" + cursor.execute(select, {"user": user}) + # Grab current role attributes from pg_roles + current_role_attrs = cursor.fetchone() + except psycopg2.ProgrammingError as e: + db_connection.rollback() + module.fail_json(msg="Failed to get role details for current user %s: %s" % (user, e)) + + role_attr_flags_changing = False + if role_attr_flags: + role_attr_flags_dict = {} + for r in role_attr_flags.split(' '): + if r.startswith('NO'): + role_attr_flags_dict[r.replace('NO', '', 1)] = False + else: + role_attr_flags_dict[r] = True + + for role_attr_name, role_attr_value in role_attr_flags_dict.items(): + if current_role_attrs[PRIV_TO_AUTHID_COLUMN[role_attr_name]] != role_attr_value: + role_attr_flags_changing = True + + if expires is not None: + cursor.execute("SELECT %s::timestamptz;", (expires,)) + expires_with_tz = cursor.fetchone()[0] + expires_changing = expires_with_tz != current_role_attrs.get('rolvaliduntil') + else: + expires_changing = False + + conn_limit_changing = (conn_limit is not None and conn_limit != current_role_attrs['rolconnlimit']) + + if not pwchanging and not role_attr_flags_changing and not expires_changing and not conn_limit_changing: + return False + + alter = ['ALTER USER "%(user)s"' % {"user": user}] + if pwchanging: + if password != '': + alter.append("WITH %(crypt)s" % {"crypt": encrypted}) + alter.append("PASSWORD %(password)s") + else: + alter.append("WITH PASSWORD NULL") + alter.append(role_attr_flags) + elif role_attr_flags: + alter.append('WITH %s' % role_attr_flags) + if expires is not None: + alter.append("VALID UNTIL %(expires)s") + if conn_limit is not None: + alter.append("CONNECTION LIMIT %(conn_limit)s" % {"conn_limit": conn_limit}) + + query_password_data = dict(password=password, expires=expires) + try: + statement = ' '.join(alter) + cursor.execute(statement, query_password_data) + changed = True + executed_queries.append(statement) + except psycopg2.InternalError as e: + if e.pgcode == '25006': + # Handle errors due to read-only transactions indicated by pgcode 25006 + # ERROR: cannot execute ALTER ROLE in a read-only transaction + changed = False + module.fail_json(msg=e.pgerror, exception=traceback.format_exc()) + return changed + else: + raise psycopg2.InternalError(e) + except psycopg2.NotSupportedError as e: + module.fail_json(msg=e.pgerror, exception=traceback.format_exc()) + + elif no_password_changes and role_attr_flags != '': + # Grab role information from pg_roles instead of pg_authid + select = "SELECT * FROM pg_roles where rolname=%(user)s" + cursor.execute(select, {"user": user}) + # Grab current role attributes. + current_role_attrs = cursor.fetchone() + + role_attr_flags_changing = False + + if role_attr_flags: + role_attr_flags_dict = {} + for r in role_attr_flags.split(' '): + if r.startswith('NO'): + role_attr_flags_dict[r.replace('NO', '', 1)] = False + else: + role_attr_flags_dict[r] = True + + for role_attr_name, role_attr_value in role_attr_flags_dict.items(): + if current_role_attrs[PRIV_TO_AUTHID_COLUMN[role_attr_name]] != role_attr_value: + role_attr_flags_changing = True + + if not role_attr_flags_changing: + return False + + alter = ['ALTER USER "%(user)s"' % + {"user": user}] + if role_attr_flags: + alter.append('WITH %s' % role_attr_flags) + + try: + statement = ' '.join(alter) + cursor.execute(statement) + executed_queries.append(statement) + except psycopg2.InternalError as e: + if e.pgcode == '25006': + # Handle errors due to read-only transactions indicated by pgcode 25006 + # ERROR: cannot execute ALTER ROLE in a read-only transaction + changed = False + module.fail_json(msg=e.pgerror, exception=traceback.format_exc()) + return changed + else: + raise psycopg2.InternalError(e) + + # Grab new role attributes. + cursor.execute(select, {"user": user}) + new_role_attrs = cursor.fetchone() + + # Detect any differences between current_ and new_role_attrs. + changed = current_role_attrs != new_role_attrs + + return changed + + +def user_delete(cursor, user): + """Try to remove a user. Returns True if successful otherwise False""" + cursor.execute("SAVEPOINT ansible_pgsql_user_delete") + try: + query = 'DROP USER "%s"' % user + executed_queries.append(query) + cursor.execute(query) + except Exception: + cursor.execute("ROLLBACK TO SAVEPOINT ansible_pgsql_user_delete") + cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete") + return False + + cursor.execute("RELEASE SAVEPOINT ansible_pgsql_user_delete") + return True + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def has_table_privileges(cursor, user, table, privs): + """ + Return the difference between the privileges that a user already has and + the privileges that they desire to have. + + :returns: tuple of: + * privileges that they have and were requested + * privileges they currently hold but were not requested + * privileges requested that they do not hold + """ + cur_privs = get_table_privileges(cursor, user, table) + have_currently = cur_privs.intersection(privs) + other_current = cur_privs.difference(privs) + desired = privs.difference(cur_privs) + return (have_currently, other_current, desired) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def get_table_privileges(cursor, user, table): + if '.' in table: + schema, table = table.split('.', 1) + else: + schema = 'public' + query = ("SELECT privilege_type FROM information_schema.role_table_grants " + "WHERE grantee=%(user)s AND table_name=%(table)s AND table_schema=%(schema)s") + cursor.execute(query, {'user': user, 'table': table, 'schema': schema}) + return frozenset([x[0] for x in cursor.fetchall()]) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def grant_table_privileges(cursor, user, table, privs): + # Note: priv escaped by parse_privs + privs = ', '.join(privs) + query = 'GRANT %s ON TABLE %s TO "%s"' % ( + privs, pg_quote_identifier(table, 'table'), user) + executed_queries.append(query) + cursor.execute(query) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def revoke_table_privileges(cursor, user, table, privs): + # Note: priv escaped by parse_privs + privs = ', '.join(privs) + query = 'REVOKE %s ON TABLE %s FROM "%s"' % ( + privs, pg_quote_identifier(table, 'table'), user) + executed_queries.append(query) + cursor.execute(query) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def get_database_privileges(cursor, user, db): + priv_map = { + 'C': 'CREATE', + 'T': 'TEMPORARY', + 'c': 'CONNECT', + } + query = 'SELECT datacl FROM pg_database WHERE datname = %s' + cursor.execute(query, (db,)) + datacl = cursor.fetchone()[0] + if datacl is None: + return set() + r = re.search(r'%s\\?"?=(C?T?c?)/[^,]+,?' % user, datacl) + if r is None: + return set() + o = set() + for v in r.group(1): + o.add(priv_map[v]) + return normalize_privileges(o, 'database') + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def has_database_privileges(cursor, user, db, privs): + """ + Return the difference between the privileges that a user already has and + the privileges that they desire to have. + + :returns: tuple of: + * privileges that they have and were requested + * privileges they currently hold but were not requested + * privileges requested that they do not hold + """ + cur_privs = get_database_privileges(cursor, user, db) + have_currently = cur_privs.intersection(privs) + other_current = cur_privs.difference(privs) + desired = privs.difference(cur_privs) + return (have_currently, other_current, desired) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def grant_database_privileges(cursor, user, db, privs): + # Note: priv escaped by parse_privs + privs = ', '.join(privs) + if user == "PUBLIC": + query = 'GRANT %s ON DATABASE %s TO PUBLIC' % ( + privs, pg_quote_identifier(db, 'database')) + else: + query = 'GRANT %s ON DATABASE %s TO "%s"' % ( + privs, pg_quote_identifier(db, 'database'), user) + + executed_queries.append(query) + cursor.execute(query) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def revoke_database_privileges(cursor, user, db, privs): + # Note: priv escaped by parse_privs + privs = ', '.join(privs) + if user == "PUBLIC": + query = 'REVOKE %s ON DATABASE %s FROM PUBLIC' % ( + privs, pg_quote_identifier(db, 'database')) + else: + query = 'REVOKE %s ON DATABASE %s FROM "%s"' % ( + privs, pg_quote_identifier(db, 'database'), user) + + executed_queries.append(query) + cursor.execute(query) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def revoke_privileges(cursor, user, privs): + if privs is None: + return False + + revoke_funcs = dict(table=revoke_table_privileges, + database=revoke_database_privileges) + check_funcs = dict(table=has_table_privileges, + database=has_database_privileges) + + changed = False + for type_ in privs: + for name, privileges in iteritems(privs[type_]): + # Check that any of the privileges requested to be removed are + # currently granted to the user + differences = check_funcs[type_](cursor, user, name, privileges) + if differences[0]: + revoke_funcs[type_](cursor, user, name, privileges) + changed = True + return changed + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def grant_privileges(cursor, user, privs): + if privs is None: + return False + + grant_funcs = dict(table=grant_table_privileges, + database=grant_database_privileges) + check_funcs = dict(table=has_table_privileges, + database=has_database_privileges) + + changed = False + for type_ in privs: + for name, privileges in iteritems(privs[type_]): + # Check that any of the privileges requested for the user are + # currently missing + differences = check_funcs[type_](cursor, user, name, privileges) + if differences[2]: + grant_funcs[type_](cursor, user, name, privileges) + changed = True + return changed + + +def parse_role_attrs(role_attr_flags, srv_version): + """ + Parse role attributes string for user creation. + Format: + + attributes[,attributes,...] + + Where: + + attributes := CREATEDB,CREATEROLE,NOSUPERUSER,... + [ "[NO]SUPERUSER","[NO]CREATEROLE", "[NO]CREATEDB", + "[NO]INHERIT", "[NO]LOGIN", "[NO]REPLICATION", + "[NO]BYPASSRLS" ] + + Note: "[NO]BYPASSRLS" role attribute introduced in 9.5 + Note: "[NO]CREATEUSER" role attribute is deprecated. + + """ + flags = frozenset(role.upper() for role in role_attr_flags.split(',') if role) + + valid_flags = frozenset(itertools.chain(FLAGS, get_valid_flags_by_version(srv_version))) + valid_flags = frozenset(itertools.chain(valid_flags, ('NO%s' % flag for flag in valid_flags))) + + if not flags.issubset(valid_flags): + raise InvalidFlagsError('Invalid role_attr_flags specified: %s' % + ' '.join(flags.difference(valid_flags))) + + return ' '.join(flags) + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def normalize_privileges(privs, type_): + new_privs = set(privs) + if 'ALL' in new_privs: + new_privs.update(VALID_PRIVS[type_]) + new_privs.remove('ALL') + if 'TEMP' in new_privs: + new_privs.add('TEMPORARY') + new_privs.remove('TEMP') + + return new_privs + + +# WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 +def parse_privs(privs, db): + """ + Parse privilege string to determine permissions for database db. + Format: + + privileges[/privileges/...] + + Where: + + privileges := DATABASE_PRIVILEGES[,DATABASE_PRIVILEGES,...] | + TABLE_NAME:TABLE_PRIVILEGES[,TABLE_PRIVILEGES,...] + """ + if privs is None: + return privs + + o_privs = { + 'database': {}, + 'table': {} + } + for token in privs.split('/'): + if ':' not in token: + type_ = 'database' + name = db + priv_set = frozenset(x.strip().upper() + for x in token.split(',') if x.strip()) + else: + type_ = 'table' + name, privileges = token.split(':', 1) + priv_set = frozenset(x.strip().upper() + for x in privileges.split(',') if x.strip()) + + if not priv_set.issubset(VALID_PRIVS[type_]): + raise InvalidPrivsError('Invalid privs specified for %s: %s' % + (type_, ' '.join(priv_set.difference(VALID_PRIVS[type_])))) + + priv_set = normalize_privileges(priv_set, type_) + o_privs[type_][name] = priv_set + + return o_privs + + +def get_valid_flags_by_version(srv_version): + """ + Some role attributes were introduced after certain versions. We want to + compile a list of valid flags against the current Postgres version. + """ + return [ + flag + for flag, version_introduced in FLAGS_BY_VERSION.items() + if srv_version >= version_introduced + ] + + +def get_comment(cursor, user): + """Get user's comment.""" + query = ("SELECT pg_catalog.shobj_description(r.oid, 'pg_authid') " + "FROM pg_catalog.pg_roles r " + "WHERE r.rolname = %(user)s") + cursor.execute(query, {'user': user}) + return cursor.fetchone()[0] + + +def add_comment(cursor, user, comment): + """Add comment on user.""" + if comment != get_comment(cursor, user): + query = 'COMMENT ON ROLE "%s" IS ' % user + cursor.execute(query + '%(comment)s', {'comment': comment}) + executed_queries.append(cursor.mogrify(query + '%(comment)s', {'comment': comment})) + return True + else: + return False + + +# =========================================== +# Module execution. +# + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + user=dict(type='str', required=True, aliases=['name']), + password=dict(type='str', default=None, no_log=True), + state=dict(type='str', default='present', choices=['absent', 'present']), + priv=dict(type='str', default=None, removed_in_version='3.0.0', removed_from_collection='community.postgreql'), + db=dict(type='str', default='', aliases=['login_db']), + fail_on_user=dict(type='bool', default=True, aliases=['fail_on_role']), + role_attr_flags=dict(type='str', default=''), + encrypted=dict(type='bool', default=True), + no_password_changes=dict(type='bool', default=False, no_log=False), + expires=dict(type='str', default=None), + conn_limit=dict(type='int', default=None), + session_role=dict(type='str'), + # WARNING: groups are deprecated and will be removed in community.postgresql 3.0.0 + groups=dict(type='list', elements='str', removed_in_version='3.0.0', removed_from_collection='community.postgreql'), + comment=dict(type='str', default=None), + trust_input=dict(type='bool', default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True + ) + + user = module.params["user"] + password = module.params["password"] + state = module.params["state"] + fail_on_user = module.params["fail_on_user"] + # WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 + if module.params['db'] == '' and module.params["priv"] is not None: + module.fail_json(msg="privileges require a database to be specified") + # WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 + privs = parse_privs(module.params["priv"], module.params["db"]) + no_password_changes = module.params["no_password_changes"] + if module.params["encrypted"]: + encrypted = "ENCRYPTED" + else: + encrypted = "UNENCRYPTED" + expires = module.params["expires"] + conn_limit = module.params["conn_limit"] + role_attr_flags = module.params["role_attr_flags"] + # WARNING: groups are deprecated and will be removed in community.postgresql 3.0.0 + groups = module.params["groups"] + if groups: + groups = [e.strip() for e in groups] + comment = module.params["comment"] + session_role = module.params['session_role'] + + trust_input = module.params['trust_input'] + if not trust_input: + # Check input for potentially dangerous elements: + # WARNING: groups are deprecated and will be removed in community.postgresql 3.0.0 + check_input(module, user, password, privs, expires, + role_attr_flags, groups, comment, session_role) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + conn_params = get_conn_params(module, module.params, warn_db_default=False) + db_connection, dummy = connect_to_db(module, conn_params) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + srv_version = get_server_version(db_connection) + + try: + role_attr_flags = parse_role_attrs(role_attr_flags, srv_version) + except InvalidFlagsError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + + kw = dict(user=user) + changed = False + user_removed = False + + if state == "present": + if user_exists(cursor, user): + try: + changed = user_alter(db_connection, module, user, password, + role_attr_flags, encrypted, expires, no_password_changes, conn_limit) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + else: + try: + changed = user_add(cursor, user, password, + role_attr_flags, encrypted, expires, conn_limit) + except psycopg2.ProgrammingError as e: + module.fail_json(msg="Unable to add user with given requirement " + "due to : %s" % to_native(e), + exception=traceback.format_exc()) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + # WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 + try: + changed = grant_privileges(cursor, user, privs) or changed + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + + # WARNING: groups are deprecated and will be removed in community.postgresql 3.0.0 + if groups: + target_roles = [] + target_roles.append(user) + pg_membership = PgMembership(module, cursor, groups, target_roles) + changed = pg_membership.grant() or changed + executed_queries.extend(pg_membership.executed_queries) + + if comment is not None: + try: + changed = add_comment(cursor, user, comment) or changed + except Exception as e: + module.fail_json(msg='Unable to add comment on role: %s' % to_native(e), + exception=traceback.format_exc()) + + else: + if user_exists(cursor, user): + if module.check_mode: + changed = True + kw['user_removed'] = True + else: + # WARNING: privs are deprecated and will be removed in community.postgresql 3.0.0 + try: + changed = revoke_privileges(cursor, user, privs) + user_removed = user_delete(cursor, user) + except SQLParseError as e: + module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + changed = changed or user_removed + if fail_on_user and not user_removed: + msg = "Unable to remove user" + module.fail_json(msg=msg) + kw['user_removed'] = user_removed + + if module.check_mode: + db_connection.rollback() + else: + db_connection.commit() + + cursor.close() + db_connection.close() + + kw['changed'] = changed + kw['queries'] = executed_queries + if debug_info: + kw['debug_info'] = debug_info + module.exit_json(**kw) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/community/postgresql/plugins/modules/postgresql_user_obj_stat_info.py b/ansible_collections/community/postgresql/plugins/modules/postgresql_user_obj_stat_info.py new file mode 100644 index 000000000..f443d50c3 --- /dev/null +++ b/ansible_collections/community/postgresql/plugins/modules/postgresql_user_obj_stat_info.py @@ -0,0 +1,342 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2020, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +DOCUMENTATION = r''' +--- +module: postgresql_user_obj_stat_info +short_description: Gather statistics about PostgreSQL user objects +description: +- Gathers statistics about PostgreSQL user objects. +version_added: '0.2.0' +options: + filter: + description: + - Limit the collected information by comma separated string or YAML list. + - Allowable values are C(functions), C(indexes), C(tables). + - By default, collects all subsets. + - Unsupported values are ignored. + type: list + elements: str + schema: + description: + - Restrict the output by certain schema. + type: str + db: + description: + - Name of database to connect. + type: str + aliases: + - login_db + session_role: + description: + - Switch to session_role after connecting. The specified session_role must + be a role that the current login_user is a member of. + - Permissions checking for SQL commands is carried out as though + the session_role were the one that had logged in originally. + type: str + trust_input: + description: + - If C(false), check the value of I(session_role) is potentially dangerous. + - It makes sense to use C(false) only when SQL injections via I(session_role) are possible. + type: bool + default: true + version_added: '0.2.0' + +notes: +- C(size) and C(total_size) returned values are presented in bytes. +- For tracking function statistics the PostgreSQL C(track_functions) parameter must be enabled. + See U(https://www.postgresql.org/docs/current/runtime-config-statistics.html) for more information. + +attributes: + check_mode: + support: full + +seealso: +- module: community.postgresql.postgresql_info +- module: community.postgresql.postgresql_ping +- name: PostgreSQL statistics collector reference + description: Complete reference of the PostgreSQL statistics collector documentation. + link: https://www.postgresql.org/docs/current/monitoring-stats.html +author: +- Andrew Klychkov (@Andersson007) +- Thomas O'Donnell (@andytom) +extends_documentation_fragment: +- community.postgresql.postgres +''' + +EXAMPLES = r''' +- name: Collect information about all supported user objects of the acme database + community.postgresql.postgresql_user_obj_stat_info: + db: acme + +- name: Collect information about all supported user objects in the custom schema of the acme database + community.postgresql.postgresql_user_obj_stat_info: + db: acme + schema: custom + +- name: Collect information about user tables and indexes in the acme database + community.postgresql.postgresql_user_obj_stat_info: + db: acme + filter: tables, indexes +''' + +RETURN = r''' +indexes: + description: User index statistics. + returned: always + type: dict + sample: {"public": {"test_id_idx": {"idx_scan": 0, "idx_tup_fetch": 0, "idx_tup_read": 0, "relname": "test", "size": 8192, ...}}} +tables: + description: User table statistics. + returned: always + type: dict + sample: {"public": {"test": {"analyze_count": 3, "n_dead_tup": 0, "n_live_tup": 0, "seq_scan": 2, "size": 0, "total_size": 8192, ...}}} +functions: + description: User function statistics. + returned: always + type: dict + sample: {"public": {"inc": {"calls": 1, "funcid": 26722, "self_time": 0.23, "total_time": 0.23}}} +''' + +try: + from psycopg2.extras import DictCursor +except ImportError: + # psycopg2 is checked by connect_to_db() + # from ansible.module_utils.postgres + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.community.postgresql.plugins.module_utils.database import ( + check_input, +) +from ansible_collections.community.postgresql.plugins.module_utils.postgres import ( + connect_to_db, + exec_sql, + ensure_required_libs, + get_conn_params, + postgres_common_argument_spec, +) +from ansible.module_utils.six import iteritems + + +# =========================================== +# PostgreSQL module specific support methods. +# + + +class PgUserObjStatInfo(): + """Class to collect information about PostgreSQL user objects. + + Args: + module (AnsibleModule): Object of AnsibleModule class. + cursor (cursor): Cursor object of psycopg2 library to work with PostgreSQL. + + Attributes: + module (AnsibleModule): Object of AnsibleModule class. + cursor (cursor): Cursor object of psycopg2 library to work with PostgreSQL. + executed_queries (list): List of executed queries. + info (dict): Statistics dictionary. + obj_func_mapping (dict): Mapping of object types to corresponding functions. + schema (str): Name of a schema to restrict stat collecting. + """ + + def __init__(self, module, cursor): + self.module = module + self.cursor = cursor + self.info = { + 'functions': {}, + 'indexes': {}, + 'tables': {}, + } + self.obj_func_mapping = { + 'functions': self.get_func_stat, + 'indexes': self.get_idx_stat, + 'tables': self.get_tbl_stat, + } + self.schema = None + + def collect(self, filter_=None, schema=None): + """Collect statistics information of user objects. + + Kwargs: + filter_ (list): List of subsets which need to be collected. + schema (str): Restrict stat collecting by certain schema. + + Returns: + ``self.info``. + """ + if schema: + self.set_schema(schema) + + if filter_: + for obj_type in filter_: + obj_type = obj_type.strip() + obj_func = self.obj_func_mapping.get(obj_type) + + if obj_func is not None: + obj_func() + else: + self.module.warn("Unknown filter option '%s'" % obj_type) + + else: + for obj_func in self.obj_func_mapping.values(): + obj_func() + + return self.info + + def get_func_stat(self): + """Get function statistics and fill out self.info dictionary.""" + query = "SELECT * FROM pg_stat_user_functions" + if self.schema: + query = "SELECT * FROM pg_stat_user_functions WHERE schemaname = %s" + + result = exec_sql(self, query, query_params=(self.schema,), + add_to_executed=False) + + if not result: + return + + self.__fill_out_info(result, + info_key='functions', + schema_key='schemaname', + name_key='funcname') + + def get_idx_stat(self): + """Get index statistics and fill out self.info dictionary.""" + query = "SELECT * FROM pg_stat_user_indexes" + if self.schema: + query = "SELECT * FROM pg_stat_user_indexes WHERE schemaname = %s" + + result = exec_sql(self, query, query_params=(self.schema,), + add_to_executed=False) + + if not result: + return + + self.__fill_out_info(result, + info_key='indexes', + schema_key='schemaname', + name_key='indexrelname') + + def get_tbl_stat(self): + """Get table statistics and fill out self.info dictionary.""" + query = "SELECT * FROM pg_stat_user_tables" + if self.schema: + query = "SELECT * FROM pg_stat_user_tables WHERE schemaname = %s" + + result = exec_sql(self, query, query_params=(self.schema,), + add_to_executed=False) + + if not result: + return + + self.__fill_out_info(result, + info_key='tables', + schema_key='schemaname', + name_key='relname') + + def __fill_out_info(self, result, info_key=None, schema_key=None, name_key=None): + # Convert result to list of dicts to handle it easier: + result = [dict(row) for row in result] + + for elem in result: + # Add schema name as a key if not presented: + if not self.info[info_key].get(elem[schema_key]): + self.info[info_key][elem[schema_key]] = {} + + # Add object name key as a subkey + # (they must be uniq over a schema, so no need additional checks): + self.info[info_key][elem[schema_key]][elem[name_key]] = {} + + # Add other other attributes to a certain index: + for key, val in iteritems(elem): + if key not in (schema_key, name_key): + self.info[info_key][elem[schema_key]][elem[name_key]][key] = val + + if info_key in ('tables', 'indexes'): + schemaname = elem[schema_key] + if self.schema: + schemaname = self.schema + + relname = '%s.%s' % (schemaname, elem[name_key]) + + result = exec_sql(self, "SELECT pg_relation_size (%s)", + query_params=(relname,), + add_to_executed=False) + + self.info[info_key][elem[schema_key]][elem[name_key]]['size'] = result[0][0] + + if info_key == 'tables': + result = exec_sql(self, "SELECT pg_total_relation_size (%s)", + query_params=(relname,), + add_to_executed=False) + + self.info[info_key][elem[schema_key]][elem[name_key]]['total_size'] = result[0][0] + + def set_schema(self, schema): + """If schema exists, sets self.schema, otherwise fails.""" + query = ("SELECT 1 FROM information_schema.schemata " + "WHERE schema_name = %s") + result = exec_sql(self, query, query_params=(schema,), + add_to_executed=False) + + if result and result[0][0]: + self.schema = schema + else: + self.module.fail_json(msg="Schema '%s' does not exist" % (schema)) + + +# =========================================== +# Module execution. +# + +def main(): + argument_spec = postgres_common_argument_spec() + argument_spec.update( + db=dict(type='str', aliases=['login_db']), + filter=dict(type='list', elements='str'), + session_role=dict(type='str'), + schema=dict(type='str'), + trust_input=dict(type="bool", default=True), + ) + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + filter_ = module.params["filter"] + schema = module.params["schema"] + + if not module.params["trust_input"]: + check_input(module, module.params['session_role']) + + # Ensure psycopg2 libraries are available before connecting to DB: + ensure_required_libs(module) + # Connect to DB and make cursor object: + pg_conn_params = get_conn_params(module, module.params) + # We don't need to commit anything, so, set it to False: + db_connection, dummy = connect_to_db(module, pg_conn_params, autocommit=False) + cursor = db_connection.cursor(cursor_factory=DictCursor) + + ############################ + # Create object and do work: + pg_obj_info = PgUserObjStatInfo(module, cursor) + + info_dict = pg_obj_info.collect(filter_, schema) + + # Clean up: + cursor.close() + db_connection.close() + + # Return information: + module.exit_json(**info_dict) + + +if __name__ == '__main__': + main() |