Add support for REQUIRE SSL|X509 option

edestecd · edestecd · commit f4961e953c2d · 2016-09-29T10:05:55.000-04:00
diff --git a/lib/puppet/provider/mysql.rb b/lib/puppet/provider/mysql.rb
@@ -104,8 +104,10 @@ def self.cmd_privs(privileges)
   # Take in potential options and build up a query string with them.
   def self.cmd_options(options)
     option_string = ''
-    options.each do |opt|
-      if opt == 'GRANT'
+    options.sort.reverse_each do |opt|
+      if op = opt.match(/^REQUIRE\s(SSL|X509)$/)
+        option_string << " #{op[0]}"
+      elsif opt == 'GRANT'
         option_string << ' WITH GRANT OPTION'
       end
     end
diff --git a/lib/puppet/provider/mysql_grant/mysql.rb b/lib/puppet/provider/mysql_grant/mysql.rb
@@ -46,11 +46,11 @@ def self.instances
             end
           end
           # Same here, but to remove OPTION leaving just GRANT.
-          if rest.match(/WITH\sGRANT\sOPTION/)           
-		options = ['GRANT']
-          else
-                options = ['NONE']
-          end
+          options = []
+          req_opt = rest.match(/REQUIRE\s(SSL|X509)/)
+          options << req_opt[0] if req_opt
+          options << 'GRANT' if rest.match(/WITH\sGRANT\sOPTION/)
+          options << 'NONE' if options.empty?
           # fix double backslash that MySQL prints, so resources match
           table.gsub!("\\\\", "\\")
           # We need to return an array of instances so capture these
diff --git a/spec/acceptance/types/mysql_grant_spec.rb b/spec/acceptance/types/mysql_grant_spec.rb
@@ -17,7 +17,7 @@ class { 'mysql::server':
   describe 'missing privileges for user' do
     it 'should fail' do
       pp = <<-EOS
-        mysql_user { 'test1@tester': 
+        mysql_user { 'test1@tester':
           ensure => present,
         }
         mysql_grant { 'test1@tester/test.*':
@@ -129,7 +129,35 @@ class { 'mysql::server':
     end
   end
 
-  describe 'adding option' do
+  describe 'adding REQUIRE SSL option' do
+    it 'should work without errors' do
+      pp = <<-EOS
+        mysql_user { 'test3@tester':
+          ensure => present,
+        }
+        mysql_grant { 'test3@tester/test.*':
+          ensure     => 'present',
+          table      => 'test.*',
+          user       => 'test3@tester',
+          options    => ['REQUIRE SSL'],
+          privileges => ['SELECT', 'UPDATE'],
+          require    => Mysql_user['test3@tester'],
+        }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+    end
+
+    it 'should find the user' do
+      shell("mysql -NBe \"SHOW GRANTS FOR test3@tester\"") do |r|
+        expect(r.stdout).to match(/GRANT USAGE ON *.* TO 'test3'@'tester' REQUIRE SSL$/)
+        expect(r.stdout).to match(/GRANT SELECT, UPDATE ON `test`.* TO 'test3'@'tester'$/)
+        expect(r.stderr).to be_empty
+      end
+    end
+  end
+
+  describe 'adding GRANT option' do
     it 'should work without errors' do
       pp = <<-EOS
         mysql_user { 'test3@tester':
@@ -156,6 +184,62 @@ class { 'mysql::server':
     end
   end
 
+  describe 'adding REQUIRE X509 and GRANT option' do
+    it 'should work without errors' do
+      pp = <<-EOS
+        mysql_user { 'test3@tester':
+          ensure => present,
+        }
+        mysql_grant { 'test3@tester/test.*':
+          ensure     => 'present',
+          table      => 'test.*',
+          user       => 'test3@tester',
+          options    => ['REQUIRE X509', 'GRANT'],
+          privileges => ['SELECT', 'UPDATE'],
+          require    => Mysql_user['test3@tester'],
+        }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+    end
+
+    it 'should find the user' do
+      shell("mysql -NBe \"SHOW GRANTS FOR test3@tester\"") do |r|
+        expect(r.stdout).to match(/GRANT USAGE ON *.* TO 'test3'@'tester' REQUIRE X509$/)
+        expect(r.stdout).to match(/GRANT SELECT, UPDATE ON `test`.* TO 'test3'@'tester' WITH GRANT OPTION$/)
+        expect(r.stderr).to be_empty
+      end
+    end
+  end
+
+  describe 'adding GRANT and REQUIRE X509 option' do
+    it 'should work without errors' do
+      pp = <<-EOS
+        mysql_user { 'test3@tester':
+          ensure => present,
+        }
+        mysql_grant { 'test3@tester/test.*':
+          ensure     => 'present',
+          table      => 'test.*',
+          user       => 'test3@tester',
+          options    => ['GRANT', 'REQUIRE X509'],
+          privileges => ['SELECT', 'UPDATE'],
+          require    => Mysql_user['test3@tester'],
+        }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+    end
+
+    it 'should find the user' do
+      shell("mysql -NBe \"SHOW GRANTS FOR test3@tester\"") do |r|
+        expect(r.stdout).to match(/GRANT USAGE ON *.* TO 'test3'@'tester' REQUIRE X509$/)
+        expect(r.stdout).to match(/GRANT SELECT, UPDATE ON `test`.* TO 'test3'@'tester' WITH GRANT OPTION$/)
+        expect(r.stderr).to be_empty
+      end
+    end
+  end
+
   describe 'adding all privileges without table' do
     it 'should fail' do
       pp = <<-EOS
