From e66c2eb6bb7b22f9950f47ab3a6a18debf6f2dde Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 29 Nov 2022 15:09:27 +0100 Subject: [PATCH 1/2] Add OpenSUSE support (#605) * Add variables for mariadb on opensuse Signed-off-by: Florian Goth * enable pipeline Signed-off-by: Florian Goth * add a note about the reuirement of the jmespath library. Signed-off-by: Florian Goth * Use python3 on opensuse Signed-off-by: Florian Goth * fix my yml. Signed-off-by: Florian Goth * use right ansible variable Signed-off-by: Florian Goth * Suse requires python-rpm Signed-off-by: Florian Goth * try zypper Signed-off-by: Florian Goth * python-xml Signed-off-by: Florian Goth * another try at fixing the install Signed-off-by: Florian Goth * fix my yml Signed-off-by: Florian Goth * another try Signed-off-by: Florian Goth * another try Signed-off-by: Florian Goth * another try now with rpm. Signed-off-by: Florian Goth * fix my yml... Signed-off-by: Florian Goth * typo Signed-off-by: Florian Goth * do the test for Suse on the shell and not in ansible Signed-off-by: Florian Goth * specify to use bash Signed-off-by: Florian Goth * specify to use bash * try the removes keyword of builtin.shell Signed-off-by: Florian Goth * fix ansible syntax Signed-off-by: Florian Goth * fix zypper syntax Signed-off-by: Florian Goth * ensure pymysql is present Signed-off-by: Florian Goth * set ansible python interpreter in converge-step, too Signed-off-by: Sebastian Gumprich * move install task to prepare Signed-off-by: Sebastian Gumprich Signed-off-by: Florian Goth Signed-off-by: Sebastian Gumprich Co-authored-by: Florian Goth --- .github/workflows/mysql_hardening.yml | 2 +- molecule/mysql_hardening/converge.yml | 7 +++++++ molecule/mysql_hardening/prepare.yml | 15 +++++++++------ roles/mysql_hardening/README.md | 1 + roles/mysql_hardening/vars/Suse.yml | 10 ++++++++++ 5 files changed, 28 insertions(+), 7 deletions(-) create mode 100644 roles/mysql_hardening/vars/Suse.yml 
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 674bc1a3c..31f783df4 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -37,7 +37,7 @@ jobs: - debian11 # - amazon # geerlingguy.mysql does not support fedora # - arch # needs to be fixed - # - opensuse_tumbleweed # needs to be fixed + - opensuse_tumbleweed # needs to be fixed # - fedora # geerlingguy.mysql does not support fedora steps: - name: Checkout repo
diff --git a/molecule/mysql_hardening/converge.yml b/molecule/mysql_hardening/converge.yml
index 1532fa71f..cf3f0fbe9 100644
--- a/molecule/mysql_hardening/converge.yml
+++ b/molecule/mysql_hardening/converge.yml
@@ -24,6 +24,13 @@ - mysql_python_package_debian is not defined - ansible_distribution != "Ubuntu" - ansible_distribution_major_version|int < 20 + + - name: Use Python 3 on Suse + set_fact: + ansible_python_interpreter: /usr/bin/python3 + when: + - ansible_os_family == 'Suse' + - include_role: name: mysql_hardening vars:
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
index f5ef673d5..e607debdc 100644
--- a/molecule/mysql_hardening/prepare.yml
+++ b/molecule/mysql_hardening/prepare.yml
@@ -15,6 +15,12 @@ - ansible_distribution == 'Debian' - ansible_distribution_major_version|int >= 11 + - name: Use Python 3 on Suse + set_fact: + ansible_python_interpreter: /usr/bin/python3 + when: + - ansible_os_family == 'Suse' + - name: Use Python 2 on Debian 10 set_fact: ansible_python_interpreter: /usr/bin/python
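Review bot: The re-enabled matrix entry `- opensuse_tumbleweed` in .github/workflows/mysql_hardening.yml (hunk `@@ -37,7 +37,7 @@`) keeps its trailing comment `# needs to be fixed`, which now contradicts the entry being active. Drop the comment so the line reads `- opensuse_tumbleweed`, or replace it with whatever is still open for that platform. The matrix list starts outside the hunk.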
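Review bot: The `Use Python 3 on Suse` task added in molecule/mysql_hardening/converge.yml (hunk `@@ -24,6 +24,13 @@`) is an undocumented copy of the task added in prepare.yml (hunk `@@ -15,6 +15,12 @@`), and nothing tells a later reader that both copies are needed. Molecule runs prepare.yml and converge.yml as separate playbook runs, so a fact set with `set_fact` in one does not reach the other; a comment above the converge.yml copy such as `# set again here: prepare.yml and converge.yml are separate playbook runs` would stop one copy being removed as redundant. If the scenario's molecule.yml (not in this diff) can carry host vars, setting `ansible_python_interpreter` once there would remove the duplication. Both enclosing plays start outside their hunks.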
@@ -29,11 +35,9 @@ update_cache: true when: ansible_os_family == 'Debian' - - name: install required tools on SuSE - community.general.zypper: - name: "python-xml" - state: present - when: ansible_facts.os_family == 'Suse' + - name: Install required python packages on Suse + ansible.builtin.shell: zypper -n install python-xml python3-rpm python3-PyMySQL + when: ansible_os_family == 'Suse' - name: create missing directory file:
@@ -56,7 +60,6 @@ - ansible_distribution != "Ubuntu" - ansible_distribution_major_version|int < 20 - - include_role: name: dev-sec.mysql
diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md
index ee7cbd721..b70289d7e 100644
--- a/roles/mysql_hardening/README.md
+++ b/roles/mysql_hardening/README.md
@@ -16,6 +16,7 @@ It configures: - Ansible 2.9.0 - An existing MySQL installation +- python-jmespath on the ansible host ### Example playbook
diff --git a/roles/mysql_hardening/vars/Suse.yml b/roles/mysql_hardening/vars/Suse.yml
new file mode 100644
index 000000000..90707961e
--- /dev/null
+++ b/roles/mysql_hardening/vars/Suse.yml
@@ -0,0 +1,10 @@
+---
+mysql_daemon: mariadb
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
+
+mysql_cnf_owner: 'root' # owner of /etc/my.cnf.d/*.cnf files
+mysql_cnf_group: 'mysql' # owner of /etc/my.cnf.d/*.cnf files
+
+mysql_hardening_group: 'mysql'
+login_unix_socket: '/run/mysql/mysql.sock'
From d3e6df3dbf24438407d2c8be1838539206652368 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Tue, 29 Nov 2022 14:11:39 +0000 Subject: [PATCH 2/2] update changelog --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1545526d6..0a7d8ec09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
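Review bot: The added task `Install required python packages on Suse` in molecule/mysql_hardening/prepare.yml (hunk `@@ -29,11 +35,9 @@`) runs zypper through `ansible.builtin.shell` although the command line uses no shell feature, and it has no `changed_when`, so it reports changed on every run and loses the state checking the removed `community.general.zypper` task provided. The arguments are static, so this is not an injection risk, but `ansible.builtin.command: zypper -n install python-xml python3-rpm python3-PyMySQL` with `register: zypper_install` and a `changed_when:` on its output keeps the shell out of the path and makes reruns report accurately. If the module was dropped because it needs python-xml and the rpm bindings on the target first (the commit message hints at this), record that in a comment such as `# zypper module needs python-xml/python3-rpm on the target, so bootstrap with the CLI`. The enclosing play starts outside the hunk.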
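Review bot: The trailing comment on `mysql_cnf_group` in the new roles/mysql_hardening/vars/Suse.yml repeats the owner comment from the line above; it should read `# group of /etc/my.cnf.d/*.cnf files`. `mysql_daemon: mariadb` is the only unquoted string in a file that single-quotes every other value, so `mysql_daemon: 'mariadb'` would match. These variables appear to set the ownership of the MariaDB config files and the socket used for login, and the tasks that consume them are not in this diff, so the paths and the `root`/`mysql` pair should be confirmed against an openSUSE MariaDB install.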
@@ -1,11 +1,12 @@ # Changelog -## [8.3.1](https://github.com/dev-sec/ansible-collection-hardening/tree/8.3.1) (2022-11-24) +## [8.4.0](https://github.com/dev-sec/ansible-collection-hardening/tree/8.4.0) (2022-11-29) -[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/8.3.0...8.3.1) +[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/8.3.0...8.4.0) **Implemented enhancements:** +- Add OpenSUSE support [\#605](https://github.com/dev-sec/ansible-collection-hardening/pull/605) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) - Allow ssh\_allow\_tcp\_forwarding to be a boolean [\#600](https://github.com/dev-sec/ansible-collection-hardening/pull/600) [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([crisbal](https://github.com/crisbal)) - OpenBSD does not support GSSAPI Authentication [\#598](https://github.com/dev-sec/ansible-collection-hardening/pull/598) [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([dennisse](https://github.com/dennisse)) - add Ansible specific templates for issues [\#596](https://github.com/dev-sec/ansible-collection-hardening/pull/596) ([schurzi](https://github.com/schurzi))