Fix CTRL Hash

- Update logic on how to validate if a user can login
- Wrap password string in single quotes for shell_out
- Fix filename for not_if
- Fix rpm dependency conflict with 8.0 client on centos 7
- Remove percona_8_on_centos_7 method and moved package remove the test cookbook
- Move package remove to new test fixture recipe

Co-authored-by: jcookfastrobot <jcook@fastrobot.com>
Signed-off-by: Dan Webb <dan.webb@damacus.io>

.github/workflows/ci.yml

@@ -24,105 +24,28 @@ jobs:
       matrix:
         os:
           - almalinux-8
+          - almalinux-9
           - centos-7
           - centos-stream-8
+          - centos-stream-9
           - debian-10
           - debian-11
-          - rockylinux-8
           - ubuntu-1804
           - ubuntu-2004
+          - ubuntu-2204
         suite:
-          - client-56
           - client-57
           - client-80
-          - devel-56
           - devel-57
           - devel-80
-          - server-56
           - server-57
           - server-80
-          - source-56
           - source-57
           - source-80
-          - replication-56
           - replication-57
           - replication-80
-          - resources-56
           - resources-57
           - resources-80
-        exclude:
-          - os: almalinux-8
-            suite: client-56
-          - os: almalinux-8
-            suite: devel-56
-          - os: almalinux-8
-            suite: server-56
-          - os: almalinux-8
-            suite: source-56
-          - os: almalinux-8
-            suite: replication-56
-          - os: almalinux-8
-            suite: resources-56
-          - os: centos-stream-8
-            suite: client-56
-          - os: centos-stream-8
-            suite: devel-56
-          - os: centos-stream-8
-            suite: server-56
-          - os: centos-stream-8
-            suite: source-56
-          - os: centos-stream-8
-            suite: replication-56
-          - os: centos-stream-8
-            suite: resources-56
-          - os: debian-10
-            suite: client-56
-          - os: debian-10
-            suite: devel-56
-          - os: debian-10
-            suite: server-56
-          - os: debian-10
-            suite: source-56
-          - os: debian-10
-            suite: replication-56
-          - os: debian-10
-            suite: resources-56
-          - os: debian-11
-            suite: client-56
-          - os: debian-11
-            suite: devel-56
-          - os: debian-11
-            suite: server-56
-          - os: debian-11
-            suite: source-56
-          - os: debian-11
-            suite: replication-56
-          - os: debian-11
-            suite: resources-56
-          - os: rockylinux-8
-            suite: client-56
-          - os: rockylinux-8
-            suite: devel-56
-          - os: rockylinux-8
-            suite: server-56
-          - os: rockylinux-8
-            suite: source-56
-          - os: rockylinux-8
-            suite: replication-56
-          - os: rockylinux-8
-            suite: resources-56
-          - os: ubuntu-2004
-            suite: client-56
-          - os: ubuntu-2004
-            suite: devel-56
-          - os: ubuntu-2004
-            suite: server-56
-          - os: ubuntu-2004
-            suite: source-56
-          - os: ubuntu-2004
-            suite: replication-56
-          - os: ubuntu-2004
-            suite: resources-56
       fail-fast: false
 
     steps:

CHANGELOG.md

@@ -4,6 +4,12 @@ This file is used to list changes made in each version of the percona cookbook.
 
 ## Unreleased
 
+- Fixed the user key in the ctrl_hash for the run_query method in the mysql_user custom resource
+- Updated ctrl_hash (now user_hash) parameters to validate if a user can login using username@host instead of username@ctrl_host
+- Wrapped password substring in single quotes to protect from special characters in sql_command_string helper method
+- Updated default encoding and collate in 8.0 to `utf8mb4` and `utf8mb4_0900_ai_ci` respectively
+- Fixed 8.0 client rpm dependency conflict on centos 7
+
 ## 3.2.11 - *2023-04-25*
 
 Standardise files with files in sous-chefs/repo-management
@@ -56,7 +62,7 @@ Standardise files with files in sous-chefs/repo-management
 - Add support to Alma Linux & Rocky Linux
 - Update default encoding when using 8.0 to `utf8mb3` to fix idempotency issues
 - Fix management of server `my.cnf`
-  - Set `manage_symlink_source` to `false` and set `force_unlink` to `true` to fix idempotency on Debian based systems
+- Set `manage_symlink_source` to `false` and set `force_unlink` to `true` to fix idempotency on Debian based systems
 - Fix issue when testing on Debian dokken images by removing mailutils (and thus mysql-common)
 
 ## 3.1.3 - *2022-02-17*

README.md

@@ -1,7 +1,6 @@
 # Percona Cookbook
 
 [![Cookbook Version](https://img.shields.io/cookbook/v/percona.svg)](https://supermarket.chef.io/cookbooks/percona)
-[![Build Status](https://img.shields.io/circleci/project/github/sous-chefs/percona/master.svg)](https://circleci.com/gh/sous-chefs/percona)
 [![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
 [![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
 [![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)

libraries/helpers.rb

@@ -120,11 +120,11 @@ def percona_jemalloc_lib
       end
 
       def percona_default_encoding
-        if node['percona']['version'].to_i >= 8
-          'utf8mb3'
-        else
-          'utf8'
-        end
+        node['percona']['version'].to_i >= 8 ? 'utf8mb4' : 'utf8'
+      end
+
+      def percona_default_collate
+        node['percona']['version'].to_i >= 8 ? 'utf8mb4_0900_ai_ci' : 'utf8_general_ci'
       end
 
       include Chef::Mixin::ShellOut
@@ -147,7 +147,7 @@ def sql_command_string(query, database, ctrl, grep_for = nil)
         Chef::Log.debug("Control Hash: [#{ctrl.to_json}]\n")
         cmd = "/usr/bin/mysql -B -e \"#{raw_query}\""
         cmd << " --user=#{ctrl[:user]}" if ctrl && ctrl.key?(:user) && !ctrl[:user].nil?
-        cmd << " -p#{ctrl[:password]}"  if ctrl && ctrl.key?(:password) && !ctrl[:password].nil?
+        cmd << " -p'#{ctrl[:password]}'" if ctrl && ctrl.key?(:password) && !ctrl[:password].nil?
         cmd << " -h #{ctrl[:host]}"     if ctrl && ctrl.key?(:host) && !ctrl[:host].nil? && ctrl[:host] != 'localhost'
         cmd << " -P #{ctrl[:port]}"     if ctrl && ctrl.key?(:port) && !ctrl[:port].nil? && ctrl[:host] != 'localhost'
         cmd << " -S #{default_socket}"   if ctrl && ctrl.key?(:host) && !ctrl[:host].nil? && ctrl[:host] == 'localhost'

recipes/package_repo.rb

@@ -35,7 +35,7 @@
 when 'rhel'
   dnf_module 'mysql' do
     action :disable
-    only_if { node['platform_version'].to_i >= 8 }
+    only_if { node['platform_version'].to_i == 8 }
   end
 
   yum_repository 'percona' do

resources/mysql_database.rb

@@ -27,7 +27,7 @@
 property :socket,        [String, nil], desired_state: false
 property :password,      [String, nil], sensitive: true, desired_state: false
 property :encoding,      String,         default: lazy { percona_default_encoding }
-property :collation,     String,         default: 'utf8_general_ci'
+property :collation,     String,         default: lazy { percona_default_collate }
 property :sql,           String
 
 action :create do
@@ -60,7 +60,7 @@
 end
 
 load_current_value do
-  lsocket = (socket && host == 'localhost') ? socket : nil
+  lsocket = (host == 'localhost') ? default_socket : nil
   ctrl = { user: user, password: password
                    }.merge!(lsocket.nil? ? { host: host, port: port } : { socket: lsocket })
   query = "SHOW DATABASES LIKE '#{database_name}'"

resources/mysql_user.rb

@@ -67,7 +67,7 @@
 
   def run_query(query)
     socket = new_resource.ctrl_host == 'localhost' ? default_socket : nil
-    ctrl_hash = { host: new_resource.ctrl_host, port: new_resource.ctrl_port, username: new_resource.ctrl_user, password: new_resource.ctrl_password, socket: socket }
+    ctrl_hash = { user: new_resource.ctrl_user, password: new_resource.ctrl_password }.merge!(socket.nil? ? { host: new_resource.ctrl_host, port: new_resource.ctrl_port } : { socket: socket })
     Chef::Log.debug("#{@new_resource}: Performing query [#{query}]")
     execute_sql(query, nil, ctrl_hash)
   end
@@ -101,11 +101,12 @@ def test_user_password
       run_query(test_sql).split("\n").count > 1
     else # Works for any authentication method as long as the host is localhost
       test_sql = "SELECT 'user can login'"
-      socket = new_resource.ctrl_host == 'localhost' ? default_socket : nil
-      ctrl_hash = { host: new_resource.ctrl_host, port: new_resource.ctrl_port, user: new_resource.username, password: new_resource.password, socket: socket }
+      socket = new_resource.host == 'localhost' ? default_socket : nil
+      # Passing host instead of ctrl_host to validate the user@scope login instead of user@ctrl_host
+      user_hash = { user: new_resource.username, password: new_resource.password }.merge!(socket.nil? ? { host: new_resource.host, port: new_resource.ctrl_port } : { socket: socket })
       Chef::Log.debug("#{@new_resource}: Performing query [#{test_sql}]")
 
-      if execute_sql_exitstatus(test_sql, ctrl_hash) == 0
+      if execute_sql_exitstatus(test_sql, user_hash) == 0
         true
       else # handles mysql_native_password authentication method
         test_sql = 'SELECT User,Host,authentication_string FROM mysql.user ' \

test/fixtures/cookbooks/test/recipes/_remove_mariadb_libs.rb

@@ -0,0 +1,6 @@
+# If we are installing 8.0 on a Centos 7 instance we need to remove the existing
+# mariadb-libs rpm to avoid a dependency conflict.
+package 'mariadb-libs' do
+  action :remove
+  only_if { platform_family?('rhel') && node['platform_version'].to_i == 7 && node['percona']['version'].to_i >= 8 }
+end

test/fixtures/cookbooks/test/recipes/client.rb

@@ -1,2 +1,3 @@
+include_recipe 'test::_remove_mariadb_libs'
 include_recipe 'percona::client'
 include_recipe 'percona::toolkit'

test/fixtures/cookbooks/test/recipes/server.rb

@@ -4,9 +4,10 @@
 node.default['percona']['server']['root_password'] = '7tCk(V5I'
 node.default['percona']['backup']['password'] = 'I}=sJ2bS'
 
-# Install postfix on RHEL to ensure we don't properly break mysql-libs compatibility
-package 'postfix' if platform_family?('rhel')
-
+include_recipe 'test::_remove_mariadb_libs'
 include_recipe 'test::_remove_mysql_common'
 include_recipe 'percona::server'
 include_recipe 'percona::backup'
+
+# Install postfix on RHEL to ensure we don't properly break mysql-libs compatibility
+package 'postfix' if platform_family?('rhel')

test/fixtures/cookbooks/test/recipes/user_database.rb

@@ -66,6 +66,36 @@
   action :run
 end
 
+# Create a user to test ctrl_user, ctrl_password, and ctrl_host
+bash 'create beauregard' do
+  code <<-EOF
+  echo "CREATE USER 'beauregard'@'localhost' IDENTIFIED BY '>mupp3ts'; GRANT ALL PRIVILEGES ON *.* TO 'beauregard'@'localhost' WITH GRANT OPTION; FLUSH PRIVILEGES;" | /usr/bin/mysql -u root;
+  touch /tmp/beauregardmarker
+  EOF
+  not_if { ::File.exist?('/tmp/beauregardmarker') }
+  action :run
+end
+
+# Create a user to test mysql_database_user password update via :create and non-root user
+bash 'create waldorf@localhost' do
+  code <<-EOF
+  echo "CREATE USER 'waldorf'@'localhost' IDENTIFIED BY 'balcony';" | /usr/bin/mysql -u root;
+  touch /tmp/waldorf_localhostmarker
+  EOF
+  not_if { ::File.exist?('/tmp/waldorf_localhostmarker') }
+  action :run
+end
+
+# Create a user to test mysql_database_user password update via :create and non-root user
+bash 'create waldorf' do
+  code <<-EOF
+  echo "CREATE USER 'waldorf'@'127.0.0.1' IDENTIFIED BY 'boxseat';" | /usr/bin/mysql -u root;
+  touch /tmp/waldorf_127marker
+  EOF
+  not_if { ::File.exist?('/tmp/waldorf_127marker') }
+  action :run
+end
+
 ## Resources we're testing
 percona_mysql_database 'databass' do
   action :create
@@ -170,6 +200,27 @@
   action :create
 end
 
+# Create new user with a ctrl_user as non-root to test ctrl_hash and validate ctrl_password with special character
+percona_mysql_user 'bunsen' do
+  database_name 'datasalmon'
+  password 'honeydont'
+  ctrl_user 'beauregard'
+  ctrl_password '>mupp3ts'
+  ctrl_host '127.0.0.1'
+  host 'localhost'
+  privileges [:select]
+  action [:create, :grant]
+end
+
+percona_mysql_user 'waldorf' do
+  password 'balcony'
+  ctrl_user 'beauregard'
+  ctrl_password '>mupp3ts'
+  ctrl_host '127.0.0.1'
+  host '127.0.0.1'
+  action :create
+end
+
 percona_mysql_database 'flush privileges' do
   database_name 'databass'
   password ''

test/integration/inspec/controls/resources_spec.rb

@@ -53,4 +53,8 @@
   describe sql.query("SELECT #{password_column} FROM mysql.user WHERE user='rizzo' AND host='127.0.0.1'") do
     its(:stdout) { should include '*125EA03B506F7C876D9321E9055F37601461E970' }
   end
+
+  describe sql.query('select User,Host from mysql.user') do
+    its(:stdout) { should match(/bunsen/) }
+  end
 end