VhDddlmZmZmZeZddlZddlZddlZddl m Z ddl m Z m Z ddlmZmZGddeZdZd Zd Zd Zd Zd ZdZd'dZ d(dZdZ d)dZdZdZd(dZ dZ!dZ"dZ#dZ$d*dZ%d(dZ&d(dZ'dZ(dZ)dZ*d Z+d!Z,d(d"Z-d#Z.d$Z/d%Z0d&Z1y)+)absolute_importdivisionprint_functionN) iteritems) mysql_driverget_server_implementation)mysql_sha256_password_hashmysql_sha256_password_hash_hexc eZdZy)InvalidPrivsErrorN)__name__ __module__ __qualname__m/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/mysql/plugins/module_utils/user.pyr r srr cf|jd|j}|d}d|vrd}|Sd}|S)NzSELECT @@sql_moderANSINOTANSIexecutefetchone)cursorresultmode_strmodes rget_moder"sD NN&' __ FayH  K Krc|r|jd|fn|jd||f|j}|ddkDS)Nz/SELECT count(*) FROM mysql.user WHERE user = %sz=SELECT count(*) FROM mysql.user WHERE user = %s AND host = %srr)ruserhosthost_allcounts r user_existsr#-sFH4'RVY]_cXde OO E 8a<rc|jd||f|j}t|tr|dj ddkDryyt|t r+|j D]}|j ddkDsyy)NzSHOW CREATE USER %s@%srz ACCOUNT LOCKTF)rr isinstancetuplefinddictvalues)rrr rress ruser_is_lockedr+7s NN+dD\:__ F&% !9>>. )A -  FD !==? Cxx'!+  rc"i}|r|jD]}||||j<td|jDr&|jdd|jdd|Sd|jvrd}|Sd}|Sy)Nc3$K|]}|dv yw))CIPHERISSUERSUBJECTNr.0keys r z$sanitize_requires..Os[#s55[sSSLX509)keysupperanypop) tls_requiressanitized_requiresr3s rsanitize_requiresr=Js$$& @C.:3.? syy{ + @ [ASAXAXAZ[ [  " "5$ /  " "64 0% % ',,. .!' "!"' !! rc|r\t|tr7t|j\}}dj d|D}||z }n|}dj ||f}||fS)Nz AND c3&K|] }d|z yw)z%s %%sNrr1s rr4z#mogrify_requires..as*Gc8c>*Gsz REQUIRE )r%r(zipitemsjoin)queryparamsr;kvrequires_querys rmogrify_requiresrH]sg lD ) **,-DAq$\\*GQ*GHN aKF)N  %!89 &=rc ||fSNr)rCrDr;s rdo_not_mogrify_requiresrKis &=rc|jd||fttd|jd}d}t j ||dj j}|jdS)NSHOW GRANTS FOR %s@%scd|dvS)NzON *.*rrxs rzget_grants..osAaD(8rrz!(?<=\bGRANT\b)(.*?)(?=(?:\bON\b)), ) rlistfilterfetchallresearchgroupstripsplit)rrr grants_linepatterngrantss r get_grantsr^msm NN*T4L9v8&//:KLMaPK2G YYw A / 5 5 7 = = ?F << rc|jd|j}t|trt |j }d|dj vr-|r|jd||dnA|jdd|in,|r|jd||dn|jd d|i|j}t|dk(rgSt|dtr&|Dcgc]}t|j }}g}|D] }|j|d|d |d d "|Scc}w) z Return a list of dict containing the plugin and auth_string for the specified username. If hostname is provided, return only the information about this particular account. SELECT VERSION()mariadbra?select plugin, auth from ( select plugin, password as auth from mysql.user where user=%(user)s and host=%(host)s union select plugin, authentication_string as auth from mysql.user where user=%(user)s and host=%(host)s) x group by plugin, auth )rr a select plugin, auth from ( select plugin, password as auth from mysql.user where user=%(user)s union select plugin, authentication_string as auth from mysql.user where user=%(user)s ) x group by plugin, auth rzselect plugin, authentication_string as auth from mysql.user where user=%(user)s and host=%(host)s group by plugin, authentication_stringzselect plugin, authentication_string as auth from mysql.user where user=%(user)s group by plugin, authentication_string)pluginplugin_auth_stringplugin_hash_string) rrr%r(rSr)lowerrUlenr&append)rrr srv_typerowsrowexisting_auth_listrs rget_existing_authenticationrnus^  NN%& H(D!)*HQK%%''  NN -  / NN$  !  NN:DHRV;W Y NN: K ?? D 4yA~ $q'4 /34cjjl#44)!!d"#A$"#A$#( )) 5s0 D;c | rt|s|jd|rdd| dS|jrdd| dSt|}|j |}|rt nt }d}| rGt||}|r9t|dk7r|jd|zd}n|dd }d}d}|dd }|r#|r!|j|rd |||ff}nd |||ff}n|r:|s8|rd |||ff}n|jd|f|jd}d |||ff}nz|r |r d||||ff}nm|r[|rY|dk(r d||||ff}n[|dk(r d||||ff}nM| r2|dvrt|| }n|jd|zdz|||ff}nd||||ff}n|rd|||ff}nd||ff}|| fz}|j|||r2|j|s|jdt|||||| #t!| D]\}}t#|||||| | t#|||dt%|||| d}| r5|jd||t'j(| ft+|||}|r|jd||fd| |dS)NNuser attributes were specified but the server does not support user attributesmsgF)changedpassword_changed attributesTrba An account with the username %s has a different password than the others existing accounts. Thus on_new_username can't decide which password to reuse so it will use your provided password instead. If no password is provided, the account will have an empty password!rrercz+CREATE USER %s@%s IDENTIFIED BY PASSWORD %sz=CREATE USER %s@%s IDENTIFIED WITH mysql_native_password AS %sz"CREATE USER %s@%s IDENTIFIED BY %s0SELECT CONCAT('*', UCASE(SHA1(UNHEX(SHA1(%s)))))z*CREATE USER %s@%s IDENTIFIED WITH %s AS %spamz-CREATE USER %s@%s IDENTIFIED WITH %s USING %sed25519z7CREATE USER %s@%s IDENTIFIED WITH %s USING PASSWORD(%s)caching_sha2_passwordsha256_passwordpasswordsalt-salt not handled for %s authentication pluginz*CREATE USER %s@%s IDENTIFIED WITH %s AS 0xz*CREATE USER %s@%s IDENTIFIED WITH %s BY %sz$CREATE USER %s@%s IDENTIFIED WITH %szCREATE USER %s@%smThe server version does not match the requirements for password_expire parameter. See module's documentation.*.*ALTER USER %s@%s ATTRIBUTE %sALTER USER %s@%s ACCOUNT LOCK)get_attribute_support fail_json check_modeget_user_implementationuse_old_user_mgmtrKrHrnrgwarnsupports_identified_by_passwordrrr server_supports_password_expireset_password_expirerprivileges_grantr^jsondumpsattributes_get)rrr r!r} encryptedrcrerdr~new_privrur;reuse_existing_passwordmodulepassword_expirepassword_expire_intervallockedimpl old_user_mgmtmogrifyused_existing_password existing_authquery_with_argsencrypted_passwordgenerated_hash_string query_with_args_and_tls_requiresdb_tableprivfinal_attributess ruser_addrsq /7mn e:VV TTT #6 *D**62M)6%B BC */&%21%56J%K")-&&q)(3I  / / 7KdTXZbMccO]`dfjlt_uuO ) BT4QYDZZO NNMPX{ [!'!21!5 ]`dfjl~_O &FtU[]oHpp & U?MPTVZ\bdvOwwO y WZ^`dfloAZBBO EE(FPbim(n%  %TW]%] ^KNccgkmqsyfzzOJTSWY_asLttO @4vBVV-d|;'6,'H$FNNG=>?33F;   "Z  [FD$AYZ'1 ONHd VT44 N OtUJvtT4RT`a6tTZZPZE[8\])&$= 6t E5K1K[k llrcd}t|dk(r5|ddk(r-t|ddjtjrd}|S)NF)r*rbT)rg frozensetissubsetstring hexdigits)r}ishashs ris_hashrsG F 8}x{c1 Xab\ " + +F,<,< =F Mrc d}d}d}t|}|j|}|r|s t||}n|g}d}|D]}|sVt|rJ|j d|j }|j d|j }|j d|dd|dd|dd|dd ||f|j d}t |tr|jd }|r |}t|sO|jd n<|r|j d |fn|j d|f|j d}||k7rDd}d}|js2|r|j d|||fd}n |j d|||fd}d}t|r|j|s|jd d}!dt!|j"vrdnd}"t%||||"}#t'|||}$|#dk(r|dk(s<|#dk(r|dk(s2|#|k(r|d k(s(|d!k(r|$s!d}!|jst)|||||d}d}|r|s|j d"||f|j }%d}!|%d|k7rd}!|r |%d#|k7rd}!| r|d$vr"|%d#t+|| %k7rd}!n |r |%d#|k7rd}!|!rd}&|r d&||||ff}&nb|rY|d'k(r d(||||ff}&nR|d)k(r d*||||ff}&nD| r2|d$vrt-|| %}'n|jd+|z d,'z|||ff}&nd-||||ff}&nd.|||ff}&|js|j|&d}d}| Wt/||||}(| sL| sJt1|(D]<\})}*d/|*vrd}|)| vs|d0k7sd1|*vsd2}|jst3||||)|*||d}>| s9t1| D]+\})}*|)|(vs d3}|jst5||||)|*||d}-t7| j9t7|(j9z}+|+D]p})g},g}-| r't;t7| |)t7|(|)z },n| r't;t7| |)t7|(|)z}-nt;t7| |)t7|(|)z },t;t7|(|)t7| |)z }-d4|,vsd5|,vr.t;t7d/d1gj=t7|-}-d/|-vxrd/|,v}|,d/gk(r|,j?d6tA|,tA|-zdkDsd7|,d8|-}|jsBtA|-dkDrt3||||)|-||tA|,dkDs\t5||||)|,||od}st/||||}.|xs|(|.k7}tC|}/i}0| r|/s|jd9 n tE|||}1|1i}1i}2| jGD]\}3}4|3|1vs |1|3|4k7s|4|2|3<|2rd:d;jI|2jGD34cgc] \}3}4|3d<|4c}4}3z}|js6|j d=||tKjL|2ftE|||}0n=|1|2fD567cic]&}5|5jGD]\}6}7|6|2vs|2|6|6|7(}0}6}5}7|0r|0nd}0d}n|1}0n|/r tE|||}0|sW|UtO||||k7rE|js0|r|j d>||fd?}n|j d@||fdA}n|rdB}ndC}d}|rtQ|jS|||}8|8|k7sdD}|jsq|sdE}9ndFdGjItU|||z}9|#dHjI|9dIf}:tW|:||f|}&ndHjI|9dJf}:|:||ff}&|j|&d}|||0dKS#tj$rI} | jddk(r*|j dd|||f|j dd}n| Yd} ~ d} ~ wwxYwcc}4}3wcc}7}6}5w)LNFzUser unchangeda SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME IN ('Password', 'authentication_string') ORDER BY COLUMN_NAME DESC LIMIT 1 a SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME IN ('Password', 'authentication_string') ORDER BY COLUMN_NAME ASC LIMIT 1 zL SELECT COALESCE( CASE WHEN rz = '' THEN NULL ELSE z, END, CASE WHEN zu END ) FROM mysql.user WHERE user = %s AND host = %s asciizkencrypted was specified however it does not appear to be a valid hash expecting: *SHA1(SHA1(your_password))rqzSELECT PASSWORD(%s)rvTzPassword updatedzSET PASSWORD FOR %s@%s = %szPassword updated (old style)zgT.A"6C#)#4#4 1&$hPTVbdn o&*G +"&/&9'NHdy06%00,VT44Q]_ij"& '"%X]]_!5INN(?#iPXFYBZ(Z#[L#'s8H+='>YxEXAY'Y"ZK#'Ih,?(@3xPXGYCZ(Z#[L +/?;/N'+C'0B,C,P,PQTUaQb,c'd $+l#:#Ywk?YL7)+&&w/{#c,&77!;JUWcdC!,,|,q0-fdD(LZfhrs{+a/,VT4;Xdfpq"&O' 'T(dJGJ:)z"9G2&9 $  %u v%3FD$%G"%-)+&')$","2"2"4:JC"448J38OSX8X49,S1:(2diiklFlFlHAI]g]`bgSRWAXAI7JKC",,'FtUYU_U_`tUuHvw+9&$+M(`,,`1c|ry|r t||}n|g}|D]} |jd||fy#t$r|jd||fY:wxYw)NTzDROP USER IF EXISTS %s@%szDROP USER %s@%s)rr Exception)rrr r!rrhostnames r user_deleter[su&vt4 F @ @ NN6x8H I@  @ NN,tX.> ? @s3AAc|jd|f|j}g}|D]}|j|d|S)Nz+SELECT Host FROM mysql.user WHERE user = %sr)rrUrh)rr hostnames_rawr hostname_raws rrrmsM NN@4'JOO%MI%* a)* rc i}|s|jd||fn|jd|f|j}d}|D]8}t|trt |j }|st jd|d}nt jd|d}|/t jd|d}|s|rtd|dz|jd jd } | D cgc]} || j} } t| } |s$d |jd vr| jd |jd} |j| gj| ;|Scc} w)a MySQL doesn't have a better method of getting privileges aside from the SHOW GRANTS query syntax, which requires us to then parse the returned string. Here's an example of the string that is returned from MySQL: GRANT USAGE ON *.* TO 'user'@'localhost' IDENTIFIED BY 'pass'; This function makes the query and returns a dictionary containing the results. The dictionary format is the same as that returned by privileges_unpack() below. rMzSHOW GRANTS FOR %sc|dk(ry|S)NrrrrOs rpickzprivileges_get..picks  HrzYGRANT (.+) ON (.+) TO (['`"]).*\3@(['`"]).*\4( IDENTIFIED BY PASSWORD (['`"]).+\6)? ?(.*)rzGRANT (.+) ON (.+) TO .*zGRANT (.+) TO (['`"]).*z*unable to parse the MySQL grant string: %srbrWITH GRANT OPTIONr)rrUr%r(rSr)rVmatchr rXrZrYnormalize_col_grantsrh setdefaultextend) rrr routputr]rgrantr* privilegesrPdbs rrrxsF .t =+dW5 __ F &5 eT "(E((}@EFG@HIC((958DC ; ((8%(CC##$PSXYZS[$[\ \YYq\'', /9:!d1779o: :**5 "ciil2!!'* YYq\"b!((4M&5N M;s9FcRdD]!}t||\}}|t|||}#|S)zFix and sort grants on columns in privileges list Make ['SELECT (A, B)', 'INSERT (A, B)', 'DETELE'] from ['SELECT (A', 'B)', 'INSERT (B', 'A)', 'DELETE']. See unit tests in tests/unit/plugins/modules/test_mysql_user.py )SELECTUPDATEINSERT REFERENCES)has_grant_on_colhandle_grant_on_col)rrstartends rrrsA>E%j%8 s  ,ZDJ E rcjd}d}t|D]\}}d|z|vr|}|d|vs|}n||||fSy)z|Check if there is a statement like SELECT (colA, colB) in the privilege list. Return (start index, end index). Nz%s ())NN) enumerate)rrrrnrs rrrsh E CZ(4 E>T !E  C  S_cz rc||k7rZt|d|}dj|||dz}t|}|j||j ||dzd|St|}t||||<|S)zNHandle cases when the privs like SELECT (colA, ...) is in the privileges list.NrRrb)rSrBsort_column_orderrhr)rrrr select_on_cols rrrs |j%() *U37";< )-8  m$ jq*+ Mj!)&-8u Mrc4|jd}|d}|djd}|jd}t|D])\}}|j}|jd||<+|j |ddj |dS)anSort column order in grants like SELECT (colA, colB, ...). MySQL changes columns order like below: --------------------------------------- mysql> GRANT SELECT (testColA, testColB), INSERT ON `testDb`.`testTable` TO 'testUser'@'localhost'; Query OK, 0 rows affected (0.04 sec) mysql> flush privileges; Query OK, 0 rows affected (0.00 sec) mysql> SHOW GRANTS FOR testUser@localhost; +---------------------------------------------------------------------------------------------+ | Grants for testUser@localhost | +---------------------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'testUser'@'localhost' | | GRANT SELECT (testColB, testColA), INSERT ON `testDb`.`testTable` TO 'testUser'@'localhost' | +---------------------------------------------------------------------------------------------+ We should sort columns in our statement, otherwise the module always will return that the state has changed. (rrbrr`rR)rZrstripr rYsortrB) statementtmp priv_namecolumnsicols rr r s8 //# CAI!fmmC GmmC GG$$3iikYYs^ $ LLN $))G"4 55rc 8|dk(rd}nd}i}g}|jjdD]}|jjdd}|djdd} | djd d} d } t| dkDr | dd k(s| dd k(r| dd z} | d| d<t | D]4\} } | jdd k7s|| jd|| | <6| dj | z|d<d|dvr|durSt jd|d||d<||dD](} |jt jdd | *nt jd|dj||d<||dD](} |jt jdd | *n0|djjd||d<||d}t||d||d<|r d|vrdg|d<|S)a Take a privileges string, typically passed as a parameter, and unserialize it into a dictionary, the same format as privileges_get() above. We have this custom format to avoid using YAML/JSON strings inside YAML playbooks. Example of a privileges string: mydb.*:INSERT,UPDATE/anotherdb.*:SELECT/yetanother.*:ALL The privilege USAGE stands for no privileges, so we add that in on *.* if it's not specified in the string, as MySQL will always provide this by default. r"r/:rbr.rFUNCTION PROCEDURErrTz,\s*(?=[^)]*(?:\(|$))z \s*\(.*\)rrr) rYrZrsplitrgr rBrVrhsubr8r)rrcolumn_case_sensitive ensure_usagequoterprivsitempiecesdbprivparts object_typersides rprivileges_unpackr-+sM v~ F E ""3' D$$S!,!!#q)q Q' u:>uQx:5q[9P(S.KaF1I!( GGAtzz##%(-tzz#Fq  G #((6"22q &) $,$&HH-Evay$Qvay!q *>ALL b!!<=>%'HH-EvayGX$Yvay!q *>ALL b!!<=>!'q  1 7 7 C8c |jdd}dj|Dcgc] }|dvs| c}}d|d|g} |s| jd||f} n| jd|} t|} |r3| j |r"t d j| | |\} } | g} d |vr| jd d j| } t | tr| f} |j| | ycc}w#tjtjtjf$r/} td |d t| d| dt| d d} ~ wwxYw)Nr/r0rr1zGRANT r2zTO %s@%szTO %srrrz0Error granting privileges, invalid priv string: z , params: z , query: z , exception: r)r3rBrhrrrHr%rrrProgrammingErrorOperationalError InternalErrorr ) rrr rrr;rr4r5rCrDrrs rrrsKT*H((tD!q /CADEK!,h 7 8E  Z  W "6 *D..v6(%&,O v$ () HHUOE&#_uf%=E>  ) )<+H+H,JdJd e_5@#f+uVYZ[V\!^_ __s" C8C8%C==2E/*EEctt|Dcgc] \}}|d|}}}dj|Scc}}w)zConverts privs dictionary to string of certain format. Args: priv (dict): Dict of privileges that needs to be converted to string. Returns: priv (str): String representation of input argument. rr)rrB)rr3val priv_lists rconvert_priv_dict_to_strr=s:7@oF(#sC%FIF 88I Gs4c<d}|j|||f|j}t|trt |j }|sy|d|d|d|dd}|jd|j}t|trt |j }d |dj vrWd }|j|||f|j}t|trt |j }|d|d <|S) zGet user resource limits. Args: cursor (cursor): DB driver cursor object. user (str): User name. host (str): User host name. Returns: Dictionary containing current resource limits. zSELECT max_questions AS MAX_QUERIES_PER_HOUR, max_updates AS MAX_UPDATES_PER_HOUR, max_connections AS MAX_CONNECTIONS_PER_HOUR, max_user_connections AS MAX_USER_CONNECTIONS FROM mysql.user WHERE User = %s AND Host = %sNrrbr)MAX_QUERIES_PER_HOURMAX_UPDATES_PER_HOURMAX_CONNECTIONS_PER_HOURMAX_USER_CONNECTIONSr`raz]SELECT max_statement_time AS MAX_STATEMENT_TIME FROM mysql.user WHERE User = %s AND Host = %sMAX_STATEMENT_TIME)rrr%r(rSr)rf)rrr rCr*current_limitsrires_max_statement_times rget_resource_limitsrGs=E  NN54,' // C#t3::<  !$A #A$'F #A N NN%& H(D!)*HQK%%''AutTl+!'!2 ,d 3%)*@*G*G*I%J "/Ea/H+, rc|s|Si}t|D]D\}}||vr|jd|z t|}||j |k7s@|||<F|S#t$r|jd|zY>wxYw)aCheck and match limits. Args: module (AnsibleModule): Ansible module object. current (dict): Dictionary with current limits. desired (dict): Dictionary with desired limits. Returns: Dictionary containing parameters that need to change. z)resource_limits: key '%s' is unsupported.rqz$Can't convert value '%s' to integer.)rrintrget)rcurrentdesiredneeds_to_changer3r;s rmatch_resource_limitsrNs Og& 'S g    !Ls!R  S Oc(C '++c" "#&OC  '   O   !G#!M  N Os AA<;A<ct|}|j|s|jd|jdd|j dj vrd|vr|jdt |||}t|||}|sy|r|ry g} t|D]\} } | j| d | d } | d d j| zz } |j| ||fy ) aLimit user resources. Args: module (AnsibleModule): Ansible module object. cursor (cursor): DB driver cursor object. user (str): User name. host (str): User host name. resource_limit (dict): Dictionary with desired limits. check_mode (bool): Run the function in check mode or not. Returns: True, if changed, False otherwise. zmThe server version does not match the requirements for resource_limits parameter. See module's documentation.rqr`rarrDz?MAX_STATEMENT_TIME resource limit is only supported by MariaDB.FTrzALTER USER %s@%sz WITH %s) rserver_supports_alter_userrrrrfrGrNrrhrB) rrrr resource_limitsrrrErMrr3r;rCs rlimit_resourcesrRs #6 *D  * *6 2Z [ NN%&)!,2244 ? 2   !b  c(tansible_collections.community.mysql.plugins.module_utils.mysqlrrSansible_collections.community.mysql.plugins.module_utils.implementations.mysql.hashr r rr rr#r+r=rHrKr^rnrrrrrrrrrr r-rrr=rGrNrRrrrrrrrrrrisBB  .   && ;B@E`mF]bzrz $>B  >0(6V6r':%_P 5p!H)XB,0($*r