password_expire support for mysql_user

plugins/module_utils/implementations/mariadb/user.py

@@ -23,3 +23,9 @@ def server_supports_alter_user(cursor):
     version = get_server_version(cursor)
 
     return LooseVersion(version) >= LooseVersion("10.2")
+
+
+def server_supports_password_expire(cursor):
+    version = get_server_version(cursor)
+
+    return LooseVersion(version) >= LooseVersion("10.4.3")

plugins/module_utils/implementations/mysql/user.py

@@ -24,3 +24,9 @@ def server_supports_alter_user(cursor):
     version = get_server_version(cursor)
 
     return LooseVersion(version) >= LooseVersion("5.6")
+
+
+def server_supports_password_expire(cursor):
+    version = get_server_version(cursor)
+
+    return LooseVersion(version) >= LooseVersion("5.7")

plugins/module_utils/user.py

@@ -151,12 +151,13 @@
 
 def user_add(cursor, user, host, host_all, password, encrypted,
              plugin, plugin_hash_string, plugin_auth_string, new_priv,
-             tls_requires, check_mode, reuse_existing_password):
+             tls_requires, module, reuse_existing_password,
+             password_expire, password_expire_interval):
     # we cannot create users without a proper hostname
     if host_all:
         return {'changed': False, 'password_changed': False}
 
-    if check_mode:
+    if module.check_mode:
         return {'changed': True, 'password_changed': None}
 
     # Determine what user management method server uses
@@ -200,6 +201,12 @@
     query_with_args_and_tls_requires = query_with_args + (tls_requires,)
     cursor.execute(*mogrify(*query_with_args_and_tls_requires))
 
+    if password_expire:
+        if not impl.server_supports_password_expire(cursor):
+            module.fail_json(msg="The server version does not match the requirements "
+                             "for password_expire parameter. See module's documentation.")
+        set_password_expire(cursor, user, host, password_expire, password_expire_interval)
+
     if new_priv is not None:
         for db_table, priv in iteritems(new_priv):
             privileges_grant(cursor, user, host, db_table, priv, tls_requires)
@@ -218,7 +225,8 @@
 
 def user_mod(cursor, user, host, host_all, password, encrypted,
              plugin, plugin_hash_string, plugin_auth_string, new_priv,
-             append_privs, subtract_privs, tls_requires, module, role=False, maria_role=False):
+             append_privs, subtract_privs, tls_requires, module,
+             password_expire, password_expire_interval, role=False, maria_role=False):
     changed = False
     msg = "User unchanged"
     grant_option = False
@@ -301,6 +309,30 @@
                                 raise e
                     changed = True
 
+        # Handle password expiration
+        if bool(password_expire):
+            if impl.server_supports_password_expire(cursor):
+                update = False
+                mariadb_role = True if "mariadb" in str(impl.__name__) else False
+                current_password_policy = get_password_expiration_policy(cursor, user, host, maria_role=mariadb_role)
+                password_expired = is_password_expired(cursor, user, host)
+                # Check if changes needed to be applied.
+                if not ((current_password_policy == -1 and password_expire == "default") or
+                        (current_password_policy == 0 and password_expire == "never") or
+                        (current_password_policy == password_expire_interval and password_expire == "interval") or
+                        (password_expire == 'now' and password_expired)):
+
+                    update = True
+
+                    if module.check_mode:
+                        return {'changed': True, 'msg': msg, 'password_changed': password_changed}
+                    set_password_expire(cursor, user, host, password_expire, password_expire_interval)
+                    password_changed = True
+                    changed = True
+            else:
+                module.fail_json(msg="The server version does not match the requirements "
+                                 "for password_expire parameter. See module's documentation.")
+
         # Handle plugin authentication
         if plugin and not role:
             cursor.execute("SELECT plugin, authentication_string FROM mysql.user "
@@ -924,6 +956,77 @@
     return True
 
 
+def set_password_expire(cursor, user, host, password_expire, password_expire_interval):
+    """Fuction to set passowrd expiration for user.
+
+    Args:
+        cursor (cursor): DB driver cursor object.
+        user (str): User name.
+        host (str): User hostname.
+        password_expire (str): Password expiration mode.
+        password_expire_days (int): Invterval of days password expires.
+    """
+    if password_expire.lower() == "never":
+        statment = "PASSWORD EXPIRE NEVER"
+    elif password_expire.lower() == "default":
+        statment = "PASSWORD EXPIRE DEFAULT"
+    elif password_expire.lower() == "interval":
+        statment = "PASSWORD EXPIRE INTERVAL %d DAY" % (password_expire_interval)
+    elif password_expire.lower() == "now":
+        statment = "PASSWORD EXPIRE"
+
+    params = (user, host)
+    query = ["ALTER USER %s@%s"]
+
+    query.append(statment)
+    query = ' '.join(query)
+    cursor.execute(query, params)
+
+
+def get_password_expiration_policy(cursor, user, host, maria_role=False):
+    """Function to get password policy for user.
+
+    Args:
+        cursor (cursor): DB driver cursor object.
+        user (str): User name.
+        host (str): User hostname.
+        maria_role (bool, optional): mariadb or mysql. Defaults to False.
+
+    Returns:
+        policy (int): Current users password policy.
+    """
+    if not maria_role:
+        statment = "SELECT IFNULL(password_lifetime, -1) FROM mysql.user \
+            WHERE User = %s AND Host = %s", (user, host)
+    else:
+        statment = "SELECT JSON_EXTRACT(Priv, '$.password_lifetime') AS password_lifetime \
+            FROM mysql.global_priv \
+            WHERE User = %s AND Host = %s", (user, host)
+    cursor.execute(*statment)
+    policy = cursor.fetchone()[0]
+    return int(policy)
+
+
+def is_password_expired(cursor, user, host):
+    """Function to check if password is expired
+
+    Args:
+        cursor (cursor): DB driver cursor object.
+        user (str): User name.
+        host (str): User hostname.
+
+    Returns:
+        expired (bool): True if expired, else False.
+    """
+    statment = "SELECT password_expired FROM mysql.user \
+            WHERE User = %s AND Host = %s", (user, host)
+    cursor.execute(*statment)
+    expired = cursor.fetchone()[0]
+    if str(expired) == "Y":
+        return True
+    return False
+
+
 def get_impl(cursor):
     global impl
     cursor.execute("SELECT VERSION()")

plugins/modules/mysql_role.py

@@ -932,7 +932,8 @@ def update(self, users, privs, check_mode=False,
             result = user_mod(self.cursor, self.name, self.host,
                               None, None, None, None, None, None,
                               privs, append_privs, subtract_privs, None,
-                              self.module, role=True, maria_role=self.is_mariadb)
+                              self.module, None, None, role=True,
+                              maria_role=self.is_mariadb)
             changed = result['changed']
 
         if admin:

plugins/modules/mysql_user.py

@@ -155,6 +155,18 @@
       - Cannot be used to set global variables, use the M(community.mysql.mysql_variables) module instead.
     type: dict
     version_added: '3.6.0'
+  password_expire:
+    description:
+      - C(never) password will never expire.
+      - C(default) password is defined ussing global system varaiable I(default_password_lifetime) setting.
+      - C(interval) password will expire in days which is defined in I(password_expire_interval).
+      - C(now) password will expire immediately.
+    type: str
+    choices: [ now, never, default, interval ]
+  password_expire_interval:
+    description:
+      - number of days password will expire. Used when I(password_expire=interval).
+    type: int
 
   column_case_sensitive:
     description:
@@ -415,6 +427,8 @@ def main():
         force_context=dict(type='bool', default=False),
         session_vars=dict(type='dict'),
         column_case_sensitive=dict(type='bool', default=None),  # TODO 4.0.0 add default=True
+        password_expire=dict(type='str', choices=['now', 'never', 'default', 'interval'], no_log=True),
+        password_expire_interval=dict(type='int', no_log=True),
     )
     module = AnsibleModule(
         argument_spec=argument_spec,
@@ -451,6 +465,8 @@ def main():
     resource_limits = module.params["resource_limits"]
     session_vars = module.params["session_vars"]
     column_case_sensitive = module.params["column_case_sensitive"]
+    password_expire = module.params["password_expire"]
+    password_expire_interval = module.params["password_expire_interval"]
 
     if priv and not isinstance(priv, (str, dict)):
         module.fail_json(msg="priv parameter must be str or dict but %s was passed" % type(priv))
@@ -461,6 +477,15 @@ def main():
     if mysql_driver is None:
         module.fail_json(msg=mysql_driver_fail_msg)
 
+    if password_expire == "interval" and not password_expire_interval:
+        module.fail_json(msg="password_expire value interval \
+                         should be used with password_expire_interval")
+
+    if password_expire_interval:
+        if password_expire_interval < 1:
+            module.fail_json(msg="password_expire_interval value \
+                             should be positive number")
+
     cursor = None
     try:
         if check_implicit_admin:
@@ -506,12 +531,14 @@ def main():
                 if update_password == "always":
                     result = user_mod(cursor, user, host, host_all, password, encrypted,
                                       plugin, plugin_hash_string, plugin_auth_string,
-                                      priv, append_privs, subtract_privs, tls_requires, module)
+                                      priv, append_privs, subtract_privs, tls_requires, module,
+                                      password_expire, password_expire_interval)
 
                 else:
                     result = user_mod(cursor, user, host, host_all, None, encrypted,
                                       None, None, None,
-                                      priv, append_privs, subtract_privs, tls_requires, module)
+                                      priv, append_privs, subtract_privs, tls_requires, module,
+                                      password_expire, password_expire_interval)
                 changed = result['changed']
                 msg = result['msg']
                 password_changed = result['password_changed']
@@ -527,7 +554,8 @@ def main():
                 reuse_existing_password = update_password == 'on_new_username'
                 result = user_add(cursor, user, host, host_all, password, encrypted,
                                   plugin, plugin_hash_string, plugin_auth_string,
-                                  priv, tls_requires, module.check_mode, reuse_existing_password)
+                                  priv, tls_requires, module, reuse_existing_password,
+                                  password_expire, password_expire_interval)
                 changed = result['changed']
                 password_changed = result['password_changed']
                 if changed:

tests/integration/targets/test_mysql_user/tasks/main.yml

@@ -43,6 +43,8 @@
 
     - include_tasks: test_idempotency.yml
 
+    - include_tasks: test_password_expire.yml
+
     # ============================================================
     # Create user with no privileges and verify default privileges are assign
     #