simplify MySQL queries for user deletion (#641)

* use rowcount to determine mysql results Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use correct list level Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove json_query Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove intermediate vars Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add check for count Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * drop condition, since one result must exist Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move rowcount in condition Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * do loop in ansible to report each deleted user Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add idempotency check Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * additional tests to verify user deletion Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * actually iterate the whole user list when deleting Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix tests for SuSE Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * adopt suggestions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> --------- Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
dev-sec · Mar 1, 2023 · 6e5621c · 6e5621c
1 parent 2d72124
commit 6e5621c
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 27 deletions.
diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml
@@ -53,6 +53,6 @@ scenario:
     - create
     - prepare
     - converge
-    # - idempotence  # not idempotent
+    - idempotence
     - verify
     - destroy
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
@@ -70,11 +70,8 @@
     - include_role:
         name: dev-sec.mysql
 
-    - name: create a user with an empty password
-      community.mysql.mysql_query:
-        query:
-          - "CREATE USER foo@bar;"
-        login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+    - name: include MySQL user prepare tasks
+      include_tasks: prepare_tasks/mysql_users.yml
   vars:
     overwrite_global_mycnf: false
     mysql_root_password: iloverandompasswordsbutthiswilldo

diff --git a/molecule/mysql_hardening/prepare_tasks/mysql_users.yml b/molecule/mysql_hardening/prepare_tasks/mysql_users.yml
@@ -0,0 +1,15 @@
+---
+- name: create users for test
+  community.mysql.mysql_query:
+    query:
+      - "CREATE USER 'user'@'delete';"
+      - "CREATE USER 'user'@'127.0.0.1';"
+      - "CREATE USER 'user'@'::1';"
+      - "CREATE USER 'user'@'%';"
+      - "CREATE USER 'user'@'192.168.0.%';"
+      - "CREATE USER 'user'@'192.168.0.1';"
+      - "CREATE USER    '%'@'192.168.0.1';"
+      - "CREATE USER 'user'@'192.168.0.2' IDENTIFIED BY 'keep';"
+      - "CREATE USER 'user'@'keep' IDENTIFIED BY 'keep';"
+      - "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';"
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
@@ -34,9 +34,18 @@
         update_cache: true
       when: ansible_distribution == 'Debian'
 
+    - name: Use Python 3 on Suse
+      set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      when:
+        - ansible_os_family == 'Suse'
+
     - name: include tests for the service
       include_tasks: verify_tasks/service.yml
 
+    - name: include tests for MySQL user
+      include_tasks: verify_tasks/mysql_users.yml
+
     - name: download cinc-auditor
       get_url:
         url: https://omnitruck.cinc.sh/install.sh

diff --git a/molecule/mysql_hardening/verify_tasks/mysql_users.yml b/molecule/mysql_hardening/verify_tasks/mysql_users.yml
@@ -0,0 +1,25 @@
+---
+- name: Get all users from MySQL server
+  community.mysql.mysql_query:
+    query: >
+      SELECT CONCAT(USER, '@', HOST) AS users FROM mysql.user;
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_users
+
+- name: create list of users from mysql query
+  set_fact:
+    mysql_users_list: "{{ mysql_users.query_result.0  | json_query('[*].users') | list }}"
+
+- name: assert that only accounts with password remain
+  ansible.builtin.assert:
+    that:
+      - '"user@delete" not in mysql_users_list'
+      - '"user@127.0.0.1" not in mysql_users_list'
+      - '"user@::1" not in mysql_users_list'
+      - '"user@%" not in mysql_users_list'
+      - '"user@192.168.0.%" not in mysql_users_list'
+      - '"user@192.168.0.1" not in mysql_users_list'
+      - '"%@192.168.0.1" not in mysql_users_list'
+      - '"user@192.168.0.2" in mysql_users_list'
+      - '"user@keep" in mysql_users_list'
+      - '"user@192.168.%" in mysql_users_list'
diff --git a/roles/mysql_hardening/tasks/mysql_secure_installation.yml b/roles/mysql_hardening/tasks/mysql_secure_installation.yml
@@ -49,14 +49,13 @@
 - name: Get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
   community.mysql.mysql_query:
     query: >
-      SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
+      SELECT CONCAT(QUOTE(USER), '@', QUOTE(HOST)) AS user
       FROM mysql.user
       WHERE (length(authentication_string)=0
              OR authentication_string="")
         AND USER NOT IN ('mysql.sys',
                          'mysqlxsys',
                          'mariadb.sys');
-
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users_wo_passwords_or_auth_string
   when: >
@@ -67,7 +66,7 @@
 - name: Get all users that have no password or authentication_string on MySQL version < 5.7.6 or Mariadb version < 10.4.0
   community.mysql.mysql_query:
     query: >
-      SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
+      SELECT CONCAT(QUOTE(USER), '@', QUOTE(HOST)) AS user
       FROM mysql.user
       WHERE (length(password)=0
              OR password="")
@@ -83,25 +82,11 @@
     (mysql_distribution == "mariadb" and mysql_version.version.full is
     version('10.4.0', '<'))
 
-- name: Create a fact for users without password or authentication_string
-  ansible.builtin.set_fact:
-    users_wo_auth: "{{ mysql_users_wo_passwords_or_auth_string.query_result.0.0 | community.general.json_query('users') }}"
-  when:
-    - mysql_users_wo_passwords_or_auth_string.query_result is defined
-    - mysql_users_wo_passwords_or_auth_string.query_result != "" # noqa empty-string-compare
-
-- name: Create a fact for users without password
-  ansible.builtin.set_fact:
-    users_wo_auth: "{{ mysql_users_wo_passwords.query_result.0.0 | community.general.json_query('users') }}"
-  when:
-    - mysql_users_wo_passwords.query_result is defined
-    - mysql_users_wo_passwords.query_result != "" # noqa empty-string-compare
-
 - name: Ensure that there are no users without password or authentication_string
   community.mysql.mysql_query:
     query:
-      - DROP USER {{ users_wo_auth }}
+      - DROP USER {{ item.user }}
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
-  when:
-    - users_wo_auth is defined
-    - users_wo_auth != "" # noqa empty-string-compare
+  with_community.general.flattened:
+    - "{{ mysql_users_wo_passwords.query_result | default([]) }}"
+    - "{{ mysql_users_wo_passwords_or_auth_string.query_result | default([]) }}"