remove secure-auth param if mysql => 8.0.3

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> install collection in molecule Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> remove deprecated ubuntu 16.04 from tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
dev-sec · Apr 1, 2021 · 2fb54bd · 2fb54bd
1 parent d758fa5
commit 2fb54bd
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 4 deletions.
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
@@ -24,7 +24,6 @@ jobs:
         molecule_distro:
           - centos7
           - centos8
-          - ubuntu1604
           - ubuntu1804
           - ubuntu2004
           - debian9

diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
@@ -24,7 +24,6 @@ jobs:
         molecule_distro:
           - centos7
           - centos8
-          - ubuntu1604
           - ubuntu1804
           - ubuntu2004
           - debian9

diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
@@ -24,7 +24,6 @@ jobs:
         molecule_distro:
           - centos7
           - centos8
-          - ubuntu1604
           - ubuntu1804
           - ubuntu2004
           - debian9

diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
@@ -25,7 +25,6 @@ jobs:
           - centos7
           - centos8
           - fedora
-          - ubuntu1604
           - ubuntu1804
           - ubuntu2004
           - debian9

diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml
@@ -3,6 +3,7 @@ dependency:
   name: galaxy
   options:
     role-file: molecule/mysql_hardening/requirements.yml
+    requirements-file: molecule/mysql_hardening/requirements.yml
 driver:
   name: docker
 lint: |

diff --git a/roles/mysql_hardening/tasks/main.yml b/roles/mysql_hardening/tasks/main.yml
@@ -21,6 +21,29 @@
   when: "not lookup('varnames', '^' + item.key + '$')"
   with_dict: '{{ os_vars }}'
 
+- name: Gather package facts to check for mysql/mariadb version
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: Check if MySQL or MariaDB is used
+  set_fact:
+    mysql_distribution: "{{ ansible_facts.packages['mysql-server'] is defined | ternary('mysql', 'mariadb') }}"
+
+- name: Check which MySQL/MariaDB version is used
+  community.mysql.mysql_info:
+    filter: version
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_version
+
+# see https://stackoverflow.com/a/59451077/2953919 for the
+# dict2items and vice versa magic
+- name: Drop the secure-auth parameter on MySQL >=8.0.3 (not mariadb)
+  set_fact:
+    mysql_hardening_options: "{{ mysql_hardening_options| dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}"
+  when:
+    - mysql_version.version.full is version('8.0.3', '>=')
+    - mysql_distribution == "mysql"
+
 - include: configure.yml
   when: mysql_hardening_enabled | bool
   tags: