do not try to drop roles in mysql hardening

.github/workflows/mysql_hardening.yml

@@ -79,6 +79,16 @@ jobs:
             sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
         if: ${{ startsWith(matrix.molecule_distro, 'Debian') }}
 
+      # Molecule has problems detecting the proper location for installing roles
+      # https://github.com/ansible/molecule/issues/3806
+      # we do not set a custom role path, but the automatically determined install path used is not compatible with the location molecule expects the role
+      # see CI logs of this action "INFO     Set ANSIBLE_ROLES_PATH" should not be present, since we do not set a custom path
+      # we have to find a proper way to configure this
+      - name: Temporary fix for roles
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
+
       - name: Test with molecule
         run: |
           molecule --version

molecule/mysql_hardening/prepare_tasks/mysql_users.yml

@@ -13,3 +13,20 @@
       - "CREATE USER 'user'@'keep' IDENTIFIED BY 'keep';"
       - "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';"
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+
+- name: Detect role support on MySQL
+  community.mysql.mysql_query:
+    query: >
+      SELECT 1 FROM information_schema.COLUMNS
+                WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
+                AND COLUMN_NAME = 'is_role';
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_role_support
+
+- name: create roles for test
+  community.mysql.mysql_query:
+    query:
+       - "CREATE ROLE 'role_keep';"
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  when:
+    - mysql_role_support.rowcount[0] > 0

molecule/mysql_hardening/verify_tasks/mysql_users.yml

@@ -23,3 +23,19 @@
       - '"user@192.168.0.2" in mysql_users_list'
       - '"user@keep" in mysql_users_list'
       - '"user@192.168.%" in mysql_users_list'
+
+- name: Detect role support on MySQL
+  community.mysql.mysql_query:
+    query: >
+      SELECT 1 FROM information_schema.COLUMNS
+                WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
+                AND COLUMN_NAME = 'is_role';
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_role_support
+
+- name: assert that roles remain
+  ansible.builtin.assert:
+    that:
+       - '"role_keep@" in mysql_users_list'
+  when:
+    - mysql_role_support.rowcount[0] > 0

roles/mysql_hardening/tasks/mysql_secure_installation.yml

@@ -46,6 +46,16 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_remote_root
 
+- name: Detect role support on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
+  community.mysql.mysql_query:
+    query: >
+      SELECT 1 FROM information_schema.COLUMNS
+                WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
+                AND COLUMN_NAME = 'is_role';
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_role_support
+  check_mode: false
+
 - name: Get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
   community.mysql.mysql_query:
     query: >
@@ -55,7 +65,8 @@
              OR authentication_string="")
         AND USER NOT IN ('mysql.sys',
                          'mysqlxsys',
-                         'mariadb.sys');
+                         'mariadb.sys')
+        {{ 'AND CONVERT(is_role USING utf8) = "N"' if mysql_role_support.rowcount[0] > 0 }};
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users_wo_passwords_or_auth_string
   check_mode: false
@@ -75,7 +86,8 @@
              OR authentication_string="")
         AND USER NOT IN ('mysql.sys',
                          'mysqlxsys',
-                         'mariadb.sys');
+                         'mariadb.sys')
+        {{ 'AND is_role = "N"' if mysql_role_support.rowcount[0] > 0 }};
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users_wo_passwords
   check_mode: false