Add support for net.ssl.allowConnectionsWithoutCertificates setting in mongod.conf #577
Open. Wants to merge 19 commits into base: master.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -18,7 +18,7 @@ These should not affect the functionality of the module.
- Wrong APT-key [\#546](https://github.com/voxpupuli/puppet-mongodb/issues/546)
- Mongo 4.0.x: unable to create user [\#525](https://github.com/voxpupuli/puppet-mongodb/issues/525)
- user creation idempotency issues [\#412](https://github.com/voxpupuli/puppet-mongodb/issues/412)
- fix\(is\_master-fact\): use --ssl if --sslPEMKeyFile or --sslCAFile is s… [\#573](https://github.com/voxpupuli/puppet-mongodb/pull/573) ([buchstabensalat](https://github.com/buchstabensalat))
- fix\(is\_master-fact\): use --tls if --tlsCertificateKeyFile or --tlsCAFile is s… [\#573](https://github.com/voxpupuli/puppet-mongodb/pull/573) ([buchstabensalat](https://github.com/buchstabensalat))
This is odd. Normally we don't modify changelog entries

- Fixed the problem: the user was not created for Mongodb 4.x [\#561](https://github.com/voxpupuli/puppet-mongodb/pull/561) ([identw](https://github.com/identw))
- Only create database and user when mongodb\_is\_master [\#558](https://github.com/voxpupuli/puppet-mongodb/pull/558) ([JvGinkel](https://github.com/JvGinkel))
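
Review bot: the second `fix(is_master-fact)` line rewrites the wording of an already-released changelog entry for #573, so the changelog no longer describes what that PR actually shipped (it added `--ssl`/`--sslPEMKeyFile`/`--sslCAFile` handling, not `--tls`). Revert this line and record the SSL-to-TLS switch as a new entry for this PR instead.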

4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -535,8 +535,8 @@ Set to true to disable fqdn SSL cert check
Default: False

##### `ssl_mode`
Ssl authorization mode. Valid options are: requireSSL, preferSSL, allowSSL.
Default: requireSSL
Ssl authorization mode. Valid options are: requireTLS, preferTLS, allowTLS.
Default: requireTLS

##### `service_manage`
Whether or not the MongoDB service resource should be part of the catalog.
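
Review bot: the README now lists only requireTLS/preferTLS/allowTLS for `ssl_mode`, while the parameter keeps its `ssl_` name and, per the server.pp change in this PR, its Enum rejects the old `requireSSL` value; that is a breaking change for every existing manifest and should be called out here (or both spellings accepted and mapped). `Ssl authorization mode` is also misleading, since this setting controls transport encryption rather than authorization, and the new `ssl_without_cert` and `ssl_cluster_file` parameters get no README entry in this diff.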
29 changes: 15 additions & 14 deletions lib/facter/is_master.rb
Expand Up @@ -10,13 +10,14 @@ def get_options_from_hash_config(config)
result = []

result << "--port #{config['net.port']}" unless config['net.port'].nil?
# use --ssl and --host if:
# - sslMode is "requireSSL"
# - Parameter --sslPEMKeyFile is set
# - Parameter --sslCAFile is set
result << "--ssl --host #{Facter.value(:fqdn)}" if config['net.ssl.mode'] == 'requireSSL' || !config['net.ssl.PEMKeyFile'].nil? || !config['net.ssl.CAFile'].nil?
result << "--sslPEMKeyFile #{config['net.ssl.PEMKeyFile']}" unless config['net.ssl.PEMKeyFile'].nil?
result << "--sslCAFile #{config['net.ssl.CAFile']}" unless config['net.ssl.CAFile'].nil?
# use --tls and --host if:
# - sslMode is "requireTLS"
# - Parameter --tlsCertificateKeyFile is set
# - Parameter --tlsCAFile is set
result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !config['net.tls.certificateKeyFile'].nil? || !config['net.tls.CAFile'].nil?
result << "--tlsCertificateKeyFile #{config['net.tls.certificateKeyFile']}" unless config['net.tls.certificateKeyFile'].nil?
result << "--tlsCAFile #{config['net.tls.CAFile']}" unless config['net.tls.CAFile'].nil?

result << '--ipv6' unless config['net.ipv6'].nil?

result.join(' ')
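
Review bot: dropping the `net.ssl.*` lookups means a mongod whose YAML config still uses `net.ssl.mode`/`net.ssl.PEMKeyFile` (the 2.6 template this module still selects for 3.x hosts in config.pp) silently yields no `--tls --host` option, and the fact then connects without TLS. Read both key families, e.g. `config['net.tls.mode'] || config['net.ssl.mode']`, and emit the flag spelling the installed shell understands; the comment `sslMode is "requireTLS"` should also read `tlsMode`.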
Expand All @@ -32,13 +33,13 @@ def get_options_from_keyvalue_config(file)
result = []

result << "--port #{config['port']}" unless config['port'].nil?
# use --ssl and --host if:
# - sslMode is "requireSSL"
# - Parameter --sslPEMKeyFile is set
# - Parameter --sslCAFile is set
result << "--ssl --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireSSL' || !config['sslcert'].nil? || !config['sslca'].nil?
result << "--sslPEMKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
result << "--sslCAFile #{config['sslca']}" unless config['sslca'].nil?
# use --tls and --host if:
# - sslMode is "requireTLS"
# - Parameter --tlsCertificateKeyFile is set
# - Parameter --tlsCAFile is set
result << "--tls --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireTLS' || !config['sslcert'].nil? || !config['sslca'].nil?
result << "--tlsCertificateKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
result << "--tlsCAFile #{config['sslca']}" unless config['sslca'].nil?
result << '--ipv6' unless config['ipv6'].nil?

result.join(' ')
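
Review bot: the legacy key=value config format predates the TLS option names, so `config['ssl'] == 'requireTLS'` will not match a file that sets `requireSSL`, and the `--tls --host` branch becomes reachable only when a cert or CA path is present. Compare against both values (`%w[requireSSL requireTLS].include?(config['ssl'])`) and keep the flag family consistent with what the installed `mongo` binary accepts. The four-line comment block is also duplicated verbatim from the YAML method; a shared helper would keep the two in sync.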
45 changes: 36 additions & 9 deletions lib/puppet/provider/mongodb.rb
Expand Up @@ -31,10 +31,10 @@ def self.mongo_conf
'bindip' => config['net.bindIp'],
'port' => config['net.port'],
'ipv6' => config['net.ipv6'],
'allowInvalidHostnames' => config['net.ssl.allowInvalidHostnames'],
'ssl' => config['net.ssl.mode'],
'sslcert' => config['net.ssl.PEMKeyFile'],
'sslca' => config['net.ssl.CAFile'],
'allowInvalidHostnames' => config['net.tls.allowInvalidHostnames'],
'ssl' => config['net.tls.mode'],
'sslcert' => config['net.tls.certificateKeyFile'],
'sslca' => config['net.tls.CAFile'],
'auth' => config['security.authorization'],
'shardsvr' => config['sharding.clusterRole'],
'confsvr' => config['sharding.clusterRole']
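
Review bot: same concern as in is_master.rb: `mongo_conf` now reads only `net.tls.*`, so `ssl_is_enabled(config)` returns false on a host whose mongod.conf was rendered with the `net.ssl.*` keys, and the provider then runs the shell without TLS against a server that may require it. Fall back to the `net.ssl.*` key when the `net.tls.*` one is nil.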
Expand Down Expand Up @@ -62,18 +62,18 @@ def self.mongo_cmd(db, host, cmd)

args = [db, '--quiet', '--host', host]
args.push('--ipv6') if ipv6_is_enabled(config)
args.push('--sslAllowInvalidHostnames') if ssl_invalid_hostnames(config)
args.push('--tlsAllowInvalidHostnames') if ssl_invalid_hostnames(config)

if ssl_is_enabled(config)
args.push('--ssl')
args += ['--sslPEMKeyFile', config['sslcert']]
args.push('--tls')
args += ['--tlsCertificateKeyFile', config['sslcert']]

ssl_ca = config['sslca']
args += ['--sslCAFile', ssl_ca] unless ssl_ca.nil?
args += ['--tlsCAFile', ssl_ca] unless ssl_ca.nil?
end

args += ['--eval', cmd]
mongo(args)
percona_clean(mongo(args))
end

def self.conn_string
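
Review bot: `--tls`, `--tlsCertificateKeyFile`, `--tlsCAFile` and `--tlsAllowInvalidHostnames` are emitted unconditionally, yet this PR keeps 3.x support elsewhere (the 2.6 template branch in config.pp); on such hosts the shell invocation will fail outright. Select the `ssl`/`tls` spelling from `mongo_version` (the `mongo_4?`-style helpers in this file) rather than hard-coding one. Wrapping every result in `percona_clean` also changes output handling for non-Percona builds; see the note on that method.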
Expand Down Expand Up @@ -157,6 +157,15 @@ def mongo_eval(cmd, db = 'admin', retries = 10, host = nil)
self.class.mongo_eval(cmd, db, retries, host)
end

def self.percona_clean(result)
if result.include? "Started a new thread for the timer service"
lines = result.split("\n")
lines.shift
result = lines.join("\n")
end
return result
end

# Mongo Version checker
def self.mongo_version
@mongo_version ||= mongo_eval('db.version()')
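
Review bot: `percona_clean` assumes the timer-service message is the first line and unconditionally discards `lines.shift`, so if the message appears anywhere else (or other output precedes it) a line of real result is dropped instead. Filter by content, e.g. `result.lines.reject { |l| l.include?('Started a new thread for the timer service') }.join`, drop the redundant `return`, and add a unit test with a constructed Percona-style output so the behaviour is pinned.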
Expand All @@ -183,4 +192,22 @@ def self.mongo_4?
def mongo_4?
self.class.mongo_4?
end

def self.mongo_5?
v = mongo_version
!v[%r{^5\.}].nil?
end

def mongo_5?
self.class.mongo_5?
end

def self.mongo_6?
v = mongo_version
!v[%r{^5\.}].nil?
end

def mongo_6?
self.class.mongo_6?
end
end
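
Review bot: `mongo_6?` is a copy-paste bug: it tests `%r{^5\.}` and therefore reports true on 5.x and false on 6.x. Use `%r{^6\.}`, and consider a single `mongo_version_at_least?(major)` helper (e.g. `Gem::Version.new(mongo_version) >= Gem::Version.new("#{major}.0")`) instead of adding a new predicate per major release.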
4 changes: 3 additions & 1 deletion lib/puppet/provider/mongodb_database/mongodb.rb
Expand Up @@ -6,7 +6,9 @@

def self.instances
require 'json'
dbs = JSON.parse mongo_eval('rs.slaveOk();printjson(db.getMongo().getDBs())')

pre_cmd = 'try { rs.secondaryOk() } catch (err) { rs.slaveOk() }'
dbs = JSON.parse mongo_eval(pre_cmd + ';printjson(db.getMongo().getDBs())')

dbs['databases'].map do |db|
new(name: db['name'],
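
Review bot: the `try { rs.secondaryOk() } catch (err) { rs.slaveOk() }` prelude is a reasonable compatibility shim, but the same literal now has to be repeated in the spec mock; hoisting it into a constant on the base provider (lib/puppet/provider/mongodb.rb) and reusing it anywhere else `rs.slaveOk()` is issued keeps the two from drifting.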
2 changes: 1 addition & 1 deletion lib/puppet/provider/mongodb_user/mongodb.rb
Expand Up @@ -53,7 +53,7 @@ def create
digestPassword: false
}

if mongo_4?
if mongo_4? || mongo_5? || mongo_6?
# SCRAM-SHA-256 requires digestPassword to be true.
command[:mechanisms] = ['SCRAM-SHA-1']
end
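
Review bot: `mongo_4? || mongo_5? || mongo_6?` depends on the `mongo_6?` helper added in this PR, which currently matches `^5\.` and so never fires on a 6.x server, where user creation will fall back to the old command path. A single `>= 4` version check would avoid that and would not need touching for each release. Separately, the comment says SCRAM-SHA-256 needs `digestPassword: true`, yet the fix is to pin every 4.x+ user to SCRAM-SHA-1; if that is intentional, document that users created by this module will not get SCRAM-SHA-256 credentials.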
4 changes: 2 additions & 2 deletions lib/puppet/util/mongodb_output.rb
Expand Up @@ -7,8 +7,8 @@ def self.sanitize(data)
data.gsub!(%r{\w+\((.+?)\)}, '\1')

data.gsub!(%r{^Error\:.+}, '')
data.gsub!(%r{^.*warning\:.+}, '') # remove warnings if sslAllowInvalidHostnames is true
data.gsub!(%r{^.*The server certificate does not match the host name.+}, '') # remove warnings if sslAllowInvalidHostnames is true mongo 3.x
data.gsub!(%r{^.*warning\:.+}, '') # remove warnings if tlsAllowInvalidHostnames is true
data.gsub!(%r{^.*The server certificate does not match the host name.+}, '') # remove warnings if tlsAllowInvalidHostnames is true mongo 3.x
data
end
end
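
Review bot: only the comments change here, but the second one is now inaccurate: the `The server certificate does not match the host name` warning being stripped is the 3.x message, and 3.x only had the `sslAllowInvalidHostnames` option, so renaming it to `tlsAllowInvalidHostnames` in that comment misdescribes where the message comes from. The `\:` in both regexes is also an unnecessary escape.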
4 changes: 4 additions & 0 deletions manifests/repo.pp
Expand Up @@ -57,6 +57,10 @@
default => undef
}
$key = "${mongover[0]}.${mongover[1]}" ? {
'7.0' => 'E58830201F7DD82CD808AA84160D26BB1785BA38',
'6.0' => '39BD841E4BE5FB195A65400E6A26B1AE64C3C388',
'5.0' => 'F5679A222C647C87527C2F8CB00A0BD1E2C63C11',
'4.4' => '20691EEC35216C63CAF66CE1656408E390CFB1F5',
'4.2' => 'E162F504A20CDF15827F718D4B7C549A058F8B6B',
'4.0' => '9DA31620334BD75D9DCB49F368818C72E52529D4',
'3.6' => '2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5',
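
Review bot: these four fingerprints are the trust anchors apt will use to verify MongoDB packages, and nothing in the diff lets a reviewer check them; please state in the commit message where each key was obtained (the MongoDB package-signing key page or a keyserver) so they can be cross-checked before merge, and add the newly supported releases to README/CHANGELOG. A wrong fingerprint either breaks installs or trusts the wrong signer.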
6 changes: 4 additions & 2 deletions manifests/server.pp
Expand Up @@ -19,7 +19,7 @@
Variant[Boolean, String] $package_ensure = $mongodb::params::package_ensure,
String $package_name = $mongodb::params::server_package_name,
Variant[Boolean, Stdlib::Absolutepath] $logpath = $mongodb::params::logpath,
Array[Stdlib::Compat::Ip_address] $bind_ip = $mongodb::params::bind_ip,
Array[Stdlib::Host] $bind_ip = $mongodb::params::bind_ip,
Is it allowed to bind on a FQDN?

Optional[Boolean] $ipv6 = undef,
Boolean $logappend = true,
Optional[String] $system_logrotate = undef,
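
Review bot: the type change `Stdlib::Compat::Ip_address` -> `Stdlib::Host` is not mentioned in the PR title and widens what `bind_ip` accepts to hostnames, so a mistyped value that is not an IP is no longer caught at catalog compile time. If binding to hostnames is the intent, say so in the commit message and document it; otherwise keep an IP-only type (`Stdlib::IP::Address` is the non-deprecated replacement).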
Expand Down Expand Up @@ -68,9 +68,11 @@
Optional[Boolean] $ssl = undef,
Optional[Stdlib::Absolutepath] $ssl_key = undef,
Optional[Stdlib::Absolutepath] $ssl_ca = undef,
Optional[Stdlib::Absolutepath] $ssl_cluster_file = undef,
Boolean $ssl_weak_cert = false,
Boolean $ssl_without_cert = false,
Boolean $ssl_invalid_hostnames = false,
Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
Enum['requireTLS', 'preferTLS', 'allowTLS'] $ssl_mode = 'requireTLS',
Boolean $restart = $mongodb::params::restart,
Optional[String] $storage_engine = undef,
Boolean $create_admin = $mongodb::params::create_admin,
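
Review bot: `ssl_without_cert` (which per the PR title maps to `net.ssl.allowConnectionsWithoutCertificates`) and `ssl_cluster_file` are new public parameters with no README entry and no spec coverage in this diff; the `false` default is the right safe default, since `true` lets clients connect without presenting a certificate. The `Enum` rename for `ssl_mode` rejects `requireSSL`, `preferSSL` and `allowSSL`, which every current user passes; accept both spellings here and normalise in the template, or label the PR a breaking change.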
140 changes: 73 additions & 67 deletions manifests/server/config.pp
@@ -1,72 +1,74 @@
# PRIVATE CLASS: do not call directly
class mongodb::server::config {
$ensure = $mongodb::server::ensure
$user = $mongodb::server::user
$group = $mongodb::server::group
$config = $mongodb::server::config
$config_content = $mongodb::server::config_content
$config_template = $mongodb::server::config_template
$config_data = $mongodb::server::config_data
$dbpath = $mongodb::server::dbpath
$dbpath_fix = $mongodb::server::dbpath_fix
$pidfilepath = $mongodb::server::pidfilepath
$pidfilemode = $mongodb::server::pidfilemode
$manage_pidfile = $mongodb::server::manage_pidfile
$logpath = $mongodb::server::logpath
$logappend = $mongodb::server::logappend
$system_logrotate = $mongodb::server::system_logrotate
$fork = $mongodb::server::fork
$port = $mongodb::server::port
$journal = $mongodb::server::journal
$nojournal = $mongodb::server::nojournal
$smallfiles = $mongodb::server::smallfiles
$cpu = $mongodb::server::cpu
$auth = $mongodb::server::auth
$noath = $mongodb::server::noauth
$create_admin = $mongodb::server::create_admin
$admin_username = $mongodb::server::admin_username
$admin_password = $mongodb::server::admin_password
$handle_creds = $mongodb::server::handle_creds
$store_creds = $mongodb::server::store_creds
$rcfile = $mongodb::server::rcfile
$verbose = $mongodb::server::verbose
$verbositylevel = $mongodb::server::verbositylevel
$objcheck = $mongodb::server::objcheck
$quota = $mongodb::server::quota
$quotafiles = $mongodb::server::quotafiles
$diaglog = $mongodb::server::diaglog
$oplog_size = $mongodb::server::oplog_size
$nohints = $mongodb::server::nohints
$nohttpinterface = $mongodb::server::nohttpinterface
$noscripting = $mongodb::server::noscripting
$notablescan = $mongodb::server::notablescan
$noprealloc = $mongodb::server::noprealloc
$nssize = $mongodb::server::nssize
$mms_token = $mongodb::server::mms_token
$mms_name = $mongodb::server::mms_name
$mms_interval = $mongodb::server::mms_interval
$configsvr = $mongodb::server::configsvr
$shardsvr = $mongodb::server::shardsvr
$replset = $mongodb::server::replset
$rest = $mongodb::server::rest
$quiet = $mongodb::server::quiet
$slowms = $mongodb::server::slowms
$keyfile = $mongodb::server::keyfile
$key = $mongodb::server::key
$ipv6 = $mongodb::server::ipv6
$bind_ip = $mongodb::server::bind_ip
$directoryperdb = $mongodb::server::directoryperdb
$profile = $mongodb::server::profile
$maxconns = $mongodb::server::maxconns
$set_parameter = $mongodb::server::set_parameter
$syslog = $mongodb::server::syslog
$ssl = $mongodb::server::ssl
$ssl_key = $mongodb::server::ssl_key
$ssl_ca = $mongodb::server::ssl_ca
$ssl_weak_cert = $mongodb::server::ssl_weak_cert
$ensure = $mongodb::server::ensure
$user = $mongodb::server::user
$group = $mongodb::server::group
$config = $mongodb::server::config
$config_content = $mongodb::server::config_content
$config_template = $mongodb::server::config_template
$config_data = $mongodb::server::config_data
$dbpath = $mongodb::server::dbpath
$dbpath_fix = $mongodb::server::dbpath_fix
$pidfilepath = $mongodb::server::pidfilepath
$pidfilemode = $mongodb::server::pidfilemode
$manage_pidfile = $mongodb::server::manage_pidfile
$logpath = $mongodb::server::logpath
$logappend = $mongodb::server::logappend
$system_logrotate = $mongodb::server::system_logrotate
$fork = $mongodb::server::fork
$port = $mongodb::server::port
$journal = $mongodb::server::journal
$nojournal = $mongodb::server::nojournal
$smallfiles = $mongodb::server::smallfiles
$cpu = $mongodb::server::cpu
$auth = $mongodb::server::auth
$noath = $mongodb::server::noauth
$create_admin = $mongodb::server::create_admin
$admin_username = $mongodb::server::admin_username
$admin_password = $mongodb::server::admin_password
$handle_creds = $mongodb::server::handle_creds
$store_creds = $mongodb::server::store_creds
$rcfile = $mongodb::server::rcfile
$verbose = $mongodb::server::verbose
$verbositylevel = $mongodb::server::verbositylevel
$objcheck = $mongodb::server::objcheck
$quota = $mongodb::server::quota
$quotafiles = $mongodb::server::quotafiles
$diaglog = $mongodb::server::diaglog
$oplog_size = $mongodb::server::oplog_size
$nohints = $mongodb::server::nohints
$nohttpinterface = $mongodb::server::nohttpinterface
$noscripting = $mongodb::server::noscripting
$notablescan = $mongodb::server::notablescan
$noprealloc = $mongodb::server::noprealloc
$nssize = $mongodb::server::nssize
$mms_token = $mongodb::server::mms_token
$mms_name = $mongodb::server::mms_name
$mms_interval = $mongodb::server::mms_interval
$configsvr = $mongodb::server::configsvr
$shardsvr = $mongodb::server::shardsvr
$replset = $mongodb::server::replset
$rest = $mongodb::server::rest
$quiet = $mongodb::server::quiet
$slowms = $mongodb::server::slowms
$keyfile = $mongodb::server::keyfile
$key = $mongodb::server::key
$ipv6 = $mongodb::server::ipv6
$bind_ip = $mongodb::server::bind_ip
$directoryperdb = $mongodb::server::directoryperdb
$profile = $mongodb::server::profile
$maxconns = $mongodb::server::maxconns
$set_parameter = $mongodb::server::set_parameter
$syslog = $mongodb::server::syslog
$ssl = $mongodb::server::ssl
$ssl_key = $mongodb::server::ssl_key
$ssl_ca = $mongodb::server::ssl_ca
$ssl_cluster_file = $mongodb::server::ssl_cluster_file
$ssl_weak_cert = $mongodb::server::ssl_weak_cert
$ssl_without_cert = $mongodb::server::ssl_without_cert
$ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames
$ssl_mode = $mongodb::server::ssl_mode
$storage_engine = $mongodb::server::storage_engine
$ssl_mode = $mongodb::server::ssl_mode
$storage_engine = $mongodb::server::storage_engine

File {
owner => $user,
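
Review bot: the whitespace realignment of every assignment in this class turns a handful of added lines (`ssl_cluster_file`, `ssl_without_cert`, `ssl_invalid_hostnames`) into a 140-line hunk and hides the real change; please put the realignment in its own commit or drop it. While here, `$noath = $mongodb::server::noauth` carries a pre-existing typo in the local variable name that is worth fixing.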
Expand Down Expand Up @@ -107,10 +109,14 @@
# Template has available user-supplied data
# - $config_data
$cfg_content = template($config_template)
} else {
} elsif $facts['mongodb_version'] != undef and $facts['mongodb_version'] =~ /^3/ {
# Template has available user-supplied data
# - $config_data
$cfg_content = template('mongodb/mongodb.conf.2.6.erb')
} else {
# Template has available user-supplied data
# - $config_data
$cfg_content = template('mongodb/mongodb.conf.4.erb')
}

file { $config:
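
Review bot: the new template selection keys off the runtime `mongodb_version` fact, which is unset on the first run before the package is installed, so a host that is about to receive a 3.x package falls into the `else` branch and gets `mongodb.conf.4.erb`; if that template emits `net.tls.*` keys the 3.x daemon will refuse the config and the catalog only converges on a second run. Derive the template from the requested version (`$mongodb::params`/`package_ensure`) or make the 3.x branch the fallback when the fact is unset. The three identical `Template has available user-supplied data` comments could also be collapsed into one above the `if`.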
6 changes: 3 additions & 3 deletions spec/classes/server_spec.rb
Expand Up @@ -290,11 +290,11 @@
let :params do
{
ssl: true,
ssl_mode: 'requireSSL'
ssl_mode: 'requireTLS'
}
end

it { is_expected.to contain_file(config_file).with_content(%r{^net\.ssl\.mode: requireSSL$}) }
it { is_expected.to contain_file(config_file).with_content(%r{^net\.tls\.mode: requireTLS}) }
end

context 'disabled' do
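
Review bot: the expectation loses its trailing `$` anchor (`%r{^net\.tls\.mode: requireTLS}` versus the old `requireSSL$`), so a rendered line such as `net.tls.mode: requireTLSx` or one with a stray trailing value would still pass; restore the anchor.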
Expand All @@ -304,7 +304,7 @@
}
end

it { is_expected.not_to contain_file(config_file).with_content(%r{net\.ssl\.mode}) }
it { is_expected.not_to contain_file(config_file).with_content(%r{net\.tls\.mode}) }
end
end
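
Review bot: the spec changes only rename existing SSL expectations; the feature the PR is named after, `net.ssl.allowConnectionsWithoutCertificates` via `ssl_without_cert`, and the new `ssl_cluster_file` parameter have no test here. Add a context that sets `ssl_without_cert: true` and asserts the key is rendered, and one asserting it is absent by default.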

2 changes: 1 addition & 1 deletion spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb
Expand Up @@ -36,7 +36,7 @@
tmp = Tempfile.new('test')
mongodconffile = tmp.path
allow(provider.class).to receive(:mongod_conf_file).and_return(mongodconffile)
allow(provider.class).to receive(:mongo_eval).with('rs.slaveOk();printjson(db.getMongo().getDBs())').and_return(raw_dbs)
allow(provider.class).to receive(:mongo_eval).with('try { rs.secondaryOk() } catch (err) { rs.slaveOk() };printjson(db.getMongo().getDBs())').and_return(raw_dbs)
allow(provider.class).to receive(:db_ismaster).and_return(true)
end
