Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SCRAM-SHA-256 support #643

Merged
merged 4 commits into from
Jul 8, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .fixtures.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
fixtures:
repositories:
"stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git"
"apt": "git://github.com/puppetlabs/puppetlabs-apt.git"
"stdlib": "https://github.com/puppetlabs/puppetlabs-stdlib.git"
"apt": "https://github.com/puppetlabs/puppetlabs-apt.git"
"systemd": "https://github.com/voxpupuli/puppet-systemd.git"
"zypprepo": "https://github.com/voxpupuli/puppet-zypprepo.git"
yumrepo_core:
Expand Down
21 changes: 21 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -561,6 +561,16 @@ Administrator user name
##### `admin_password`
Administrator user password

##### `admin_auth_mechanism`
Administrator authentication mechanism.
scram_sha_256 password synchronization verification is not supported.
Default: 'scram_sha_1'

##### `admin_update_password`
Update password.
Used with SCRAM-SHA-256 because password verification is not supported.
Default: false

##### `admin_roles`
Administrator user roles

Expand Down Expand Up @@ -648,6 +658,17 @@ For more information please refer to [MongoDB Authentication Process](http://doc
##### `password`
Plain-text user password (will be hashed)

##### `auth_mechanism`
Authentication mechanism.
Can be either 'scram_sha_1' or 'scram_sha_256'.
scram_sha_256 password synchronization verification is not supported.
Default: 'scram_sha_1'

##### `update_password`
Update password.
Used with SCRAM-SHA-256 because password verification is not supported.
Default: false

##### `roles`
Array with user roles as string.
Roles will be granted to user's database if no alternative database is explicitly defined.
Expand Down
20 changes: 16 additions & 4 deletions lib/puppet/provider/mongodb_user/mongodb.rb
Original file line number Diff line number Diff line change
Expand Up @@ -53,17 +53,25 @@ def create

command = {
createUser: @resource[:username],
pwd: password_hash,
customData: {
createdBy: "Puppet Mongodb_user['#{@resource[:name]}']"
},
roles: role_hashes(@resource[:roles], @resource[:database]),
digestPassword: false
}

if mongo_4? || mongo_5?
# SCRAM-SHA-256 requires digestPassword to be true.
command[:mechanisms] = ['SCRAM-SHA-1']
if @resource[:auth_mechanism] == :scram_sha_256
command[:mechanisms] = ['SCRAM-SHA-256']
command[:pwd] = @resource[:password]
command[:digestPassword] = true
else
command[:mechanisms] = ['SCRAM-SHA-1']
command[:pwd] = password_hash
command[:digestPassword] = false
end
else
command[:pwd] = password_hash
command[:digestPassword] = false
end

mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
Expand Down Expand Up @@ -112,6 +120,10 @@ def password=(value)
digestPassword: true
}

if mongo_4? || mongo_5?
command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_256 ? ['SCRAM-SHA-256'] : ['SCRAM-SHA-1']
end

mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
end
end
Expand Down
17 changes: 16 additions & 1 deletion lib/puppet/type/mongodb_user.rb
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ def to_s?(value)
end

newproperty(:password_hash) do
desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later.'
desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later. SCRAM-SHA-256 authentication mechanism is not supported.'
defaultto do
if @resource[:password].nil?
raise Puppet::Error, "Property 'password_hash' must be set. Use mongodb_password() for creating hash." if provider.database == :absent
Expand Down Expand Up @@ -90,10 +90,23 @@ def to_s?(_value = @is)
end

def insync?(_is)
return !@resource[:update_password] if @resource[:auth_mechanism] == :scram_sha_256

should_to_s == to_s?
end
end

newparam(:auth_mechanism) do
desc 'Authentication mechanism. Password verification is not supported with SCRAM-SHA-256.'
defaultto :scram_sha_1
newvalues(:scram_sha_256, :scram_sha_1)
end

newparam(:update_password, boolean: true) do
desc 'Update password. Used with SCRAM-SHA-256 because password verification is not supported.'
defaultto false
end

newproperty(:scram_credentials) do
desc 'The SCRAM-SHA-1 credentials of a user. These are read only and change when password or password_hash changes.'
end
Expand All @@ -115,6 +128,8 @@ def insync?(_is)
err("Either 'password_hash' or 'password' should be provided")
elsif !self[:password_hash].nil? && !self[:password].nil?
err("Only one of 'password_hash' or 'password' should be provided")
elsif !self[:password_hash].nil? && self[:auth_mechanism] == :scram_sha_256
err("'password_hash' is not supported with SCRAM-SHA-256 authentication mechanism")
end
if should(:scram_credentials)
raise("The parameter 'scram_credentials' is read-only and cannot be changed")
Expand Down
36 changes: 26 additions & 10 deletions manifests/db.pp
Original file line number Diff line number Diff line change
Expand Up @@ -5,19 +5,23 @@
# == Parameters
#
# user - Database username.
# auth_mechanism - Authentication mechanism. scram_sha_256 password verification is not supported. Defaults to 'scram_sha_1'.
# db_name - Database name. Defaults to $name.
# password_hash - Hashed password. Hex encoded md5 hash of "$username:mongo:$password".
# password - Plain text user password. This is UNSAFE, use 'password_hash' instead.
# roles (default: ['dbAdmin']) - array with user roles.
# tries (default: 10) - The maximum amount of two second tries to wait MongoDB startup.
# update_password (default: false) - Force an update of the password when scram_sha_256 is used.
#
define mongodb::db (
String $user,
String $db_name = $name,
Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash = undef,
Optional[Variant[String[1], Sensitive[String[1]]]] $password = undef,
Array[String] $roles = ['dbAdmin'],
Integer[0] $tries = 10,
Enum['scram_sha_1', 'scram_sha_256'] $auth_mechanism = 'scram_sha_1',
String $db_name = $name,
Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash = undef,
Optional[Variant[String[1], Sensitive[String[1]]]] $password = undef,
Array[String] $roles = ['dbAdmin'],
Integer[0] $tries = 10,
Boolean $update_password = false,
) {
unless $facts['mongodb_is_master'] == 'false' { # lint:ignore:quoted_booleans
mongodb_database { $db_name:
Expand All @@ -35,12 +39,24 @@
fail("Parameter 'password_hash' or 'password' should be provided to mongodb::db.")
}

if $auth_mechanism == 'scram_sha_256' {
$password_config = {
password => $password,
update_password => $update_password,
}
} else {
$password_config = {
password_hash => $hash,
}
}

mongodb_user { "User ${user} on db ${db_name}":
ensure => present,
password_hash => $hash,
username => $user,
database => $db_name,
roles => $roles,
ensure => present,
username => $user,
database => $db_name,
roles => $roles,
auth_mechanism => $auth_mechanism,
* => $password_config,
}
}
}
1 change: 1 addition & 0 deletions manifests/params.pp
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
$restart = true
$create_admin = false
$admin_username = 'admin'
$admin_auth_mechanism = 'scram_sha_1'
$admin_roles = [
'userAdmin', 'readWrite', 'dbAdmin', 'dbAdminAnyDatabase', 'readAnyDatabase',
'readWriteAnyDatabase', 'userAdminAnyDatabase', 'clusterAdmin',
Expand Down
10 changes: 7 additions & 3 deletions manifests/server.pp
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,8 @@
Boolean $create_admin = $mongodb::params::create_admin,
String $admin_username = $mongodb::params::admin_username,
Optional[Variant[String, Sensitive[String]]] $admin_password = undef,
Enum['scram_sha_1', 'scram_sha_256'] $admin_auth_mechanism = $mongodb::params::admin_auth_mechanism,
Boolean $admin_update_password = false,
Boolean $handle_creds = $mongodb::params::handle_creds,
Boolean $store_creds = $mongodb::params::store_creds,
Array $admin_roles = $mongodb::params::admin_roles,
Expand Down Expand Up @@ -105,9 +107,11 @@
}
if $create_admin and ($service_ensure == 'running' or $service_ensure == true) {
mongodb::db { 'admin':
user => $admin_username,
password => $admin_password_unsensitive,
roles => $admin_roles,
user => $admin_username,
auth_mechanism => $admin_auth_mechanism,
password => $admin_password_unsensitive,
roles => $admin_roles,
update_password => $admin_update_password,
}

# Make sure it runs before other DB creation
Expand Down
2 changes: 1 addition & 1 deletion spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -54,9 +54,9 @@
cmd_json = <<-EOS.gsub(%r{^\s*}, '').gsub(%r{$\n}, '')
{
"createUser":"new_user",
"pwd":"pass",
"customData":{"createdBy":"Puppet Mongodb_user['new_user']"},
"roles":[{"role":"role1","db":"new_database"},{"role":"role2","db":"other_database"}],
"pwd":"pass",
"digestPassword":false
}
EOS
Expand Down