From bad039d15f77d3d12d213f0f739e9fc6ea7b4da1 Mon Sep 17 00:00:00 2001 From: Steve Traylen Date: Tue, 17 Jan 2023 10:02:46 +0100 Subject: [PATCH] New server::admin_password_hash parameter Allow mongdb to be set up with the specification of a hash of the password rather than a password itself. --- REFERENCE.md | 9 ++ manifests/server.pp | 178 ++++++++++++++++++------------------ spec/classes/server_spec.rb | 23 +++++ 3 files changed, 123 insertions(+), 87 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index d25a6b4be..0240909a4 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1185,6 +1185,7 @@ The following parameters are available in the `mongodb::server` class: * [`tls_conn_without_cert`](#-mongodb--server--tls_conn_without_cert) * [`tls_invalid_hostnames`](#-mongodb--server--tls_invalid_hostnames) * [`tls_mode`](#-mongodb--server--tls_mode) +* [`admin_password_hash`](#-mongodb--server--admin_password_hash) * [`ensure`](#-mongodb--server--ensure) * [`user`](#-mongodb--server--user) * [`group`](#-mongodb--server--group) @@ -1315,6 +1316,14 @@ Defines if TLS is used for all network connections. Allowed values are 'requireT Default value: `'requireTLS'` +##### `admin_password_hash` + +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` + +Hashed password. Hex encoded md5 hash of mongodb password. + +Default value: `undef` + ##### `ensure` Data type: `Variant[Boolean, String]` diff --git a/manifests/server.pp b/manifests/server.pp index 3d094998a..e64eb600a 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -12,95 +12,98 @@
 # Set to true to disable the validation of the hostnames in TLS certificates.
 # @param tls_mode
 # Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'.
+# @param admin_password_hash
+# Hashed password. Hex encoded md5 hash of mongodb password.
 #
 class mongodb::server (
- Variant[Boolean, String] $ensure = $mongodb::params::ensure,
- String $user = $mongodb::params::user,
- String $group = $mongodb::params::group,
- Stdlib::Absolutepath $config = $mongodb::params::config,
- Stdlib::Absolutepath $dbpath = $mongodb::params::dbpath,
- Boolean $dbpath_fix = $mongodb::params::dbpath_fix,
- Optional[Stdlib::Absolutepath] $pidfilepath = $mongodb::params::pidfilepath,
- String $pidfilemode = $mongodb::params::pidfilemode,
- Boolean $manage_pidfile = $mongodb::params::manage_pidfile,
- String $rcfile = $mongodb::params::rcfile,
- Boolean $service_manage = $mongodb::params::service_manage,
- Optional[String] $service_provider = $mongodb::params::service_provider,
- Optional[String] $service_name = $mongodb::params::service_name,
- Boolean $service_enable = $mongodb::params::service_enable,
- Enum['stopped', 'running'] $service_ensure = $mongodb::params::service_ensure,
- Optional[Enum['stopped', 'running']] $service_status = $mongodb::params::service_status,
- Variant[Boolean, String] $package_ensure = $mongodb::params::package_ensure,
- String $package_name = $mongodb::params::server_package_name,
- Variant[Boolean, Stdlib::Absolutepath] $logpath = $mongodb::params::logpath,
- Array[Stdlib::IP::Address] $bind_ip = $mongodb::params::bind_ip,
- Optional[Boolean] $ipv6 = undef,
- Boolean $logappend = true,
- Optional[String] $system_logrotate = undef,
- Optional[Boolean] $fork = $mongodb::params::fork,
- Optional[Integer[1, 65535]] $port = undef,
- Optional[Boolean] $journal = $mongodb::params::journal,
- Optional[Boolean] $nojournal = undef,
- Optional[Boolean] $smallfiles = undef,
- Optional[Boolean] $cpu = undef,
- Boolean $auth = false,
- Optional[Boolean] $noauth = undef,
- Optional[Boolean] $verbose = undef,
- Optional[String] $verbositylevel = undef,
- Optional[Boolean] $objcheck = undef,
- Optional[Boolean] $quota = undef,
- Optional[Integer] $quotafiles = undef,
- Optional[Integer[0, 7]] $diaglog = undef,
- Optional[Boolean] $directoryperdb = undef,
- $profile = undef,
- Optional[Integer] $maxconns = undef,
- Optional[Integer] $oplog_size = undef,
- $nohints = undef,
- Optional[Boolean] $nohttpinterface = undef,
- Optional[Boolean] $noscripting = undef,
- Optional[Boolean] $notablescan = undef,
- Optional[Boolean] $noprealloc = undef,
- Optional[Integer] $nssize = undef,
- $mms_token = undef,
- $mms_name = undef,
- $mms_interval = undef,
- Optional[String] $replset = undef,
- Optional[Hash] $replset_config = undef,
- Optional[Array] $replset_members = undef,
- Optional[Boolean] $configsvr = undef,
- Optional[Boolean] $shardsvr = undef,
- Optional[Boolean] $rest = undef,
- Optional[Boolean] $quiet = undef,
- Optional[Integer] $slowms = undef,
- Optional[Stdlib::Absolutepath] $keyfile = undef,
- Optional[Variant[String[6], Sensitive[String[6]]]] $key = undef,
- Optional[Variant[String[1], Array[String[1]]]] $set_parameter = undef,
- Optional[Boolean] $syslog = undef,
- $config_content = undef,
- Optional[String] $config_template = undef,
- Optional[Hash] $config_data = undef,
- Optional[Boolean] $ssl = undef,
- Optional[Stdlib::Absolutepath] $ssl_key = undef,
- Optional[Stdlib::Absolutepath] $ssl_ca = undef,
- Boolean $ssl_weak_cert = false,
- Boolean $ssl_invalid_hostnames = false,
- Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
- Boolean $tls = false,
- Optional[Stdlib::Absolutepath] $tls_key = undef,
- Optional[Stdlib::Absolutepath] $tls_ca = undef,
- Boolean $tls_conn_without_cert = false,
- Boolean $tls_invalid_hostnames = false,
- Enum['requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS',
- Boolean $restart = $mongodb::params::restart,
- Optional[String] $storage_engine = undef,
- Boolean $create_admin = $mongodb::params::create_admin,
- String $admin_username = $mongodb::params::admin_username,
- Optional[Variant[String, Sensitive[String]]] $admin_password = undef,
- Enum['scram_sha_1', 'scram_sha_256'] $admin_auth_mechanism = $mongodb::params::admin_auth_mechanism,
- Boolean $admin_update_password = false,
- Boolean $handle_creds = $mongodb::params::handle_creds,
- Boolean $store_creds = $mongodb::params::store_creds,
- Array $admin_roles = $mongodb::params::admin_roles,
+ Variant[Boolean, String] $ensure = $mongodb::params::ensure,
+ String $user = $mongodb::params::user,
+ String $group = $mongodb::params::group,
+ Stdlib::Absolutepath $config = $mongodb::params::config,
+ Stdlib::Absolutepath $dbpath = $mongodb::params::dbpath,
+ Boolean $dbpath_fix = $mongodb::params::dbpath_fix,
+ Optional[Stdlib::Absolutepath] $pidfilepath = $mongodb::params::pidfilepath,
+ String $pidfilemode = $mongodb::params::pidfilemode,
+ Boolean $manage_pidfile = $mongodb::params::manage_pidfile,
+ String $rcfile = $mongodb::params::rcfile,
+ Boolean $service_manage = $mongodb::params::service_manage,
+ Optional[String] $service_provider = $mongodb::params::service_provider,
+ Optional[String] $service_name = $mongodb::params::service_name,
+ Boolean $service_enable = $mongodb::params::service_enable,
+ Enum['stopped', 'running'] $service_ensure = $mongodb::params::service_ensure,
+ Optional[Enum['stopped', 'running']] $service_status = $mongodb::params::service_status,
+ Variant[Boolean, String] $package_ensure = $mongodb::params::package_ensure,
+ String $package_name = $mongodb::params::server_package_name,
+ Variant[Boolean, Stdlib::Absolutepath] $logpath = $mongodb::params::logpath,
+ Array[Stdlib::IP::Address] $bind_ip = $mongodb::params::bind_ip,
+ Optional[Boolean] $ipv6 = undef,
+ Boolean $logappend = true,
+ Optional[String] $system_logrotate = undef,
+ Optional[Boolean] $fork = $mongodb::params::fork,
+ Optional[Integer[1, 65535]] $port = undef,
+ Optional[Boolean] $journal = $mongodb::params::journal,
+ Optional[Boolean] $nojournal = undef,
+ Optional[Boolean] $smallfiles = undef,
+ Optional[Boolean] $cpu = undef,
+ Boolean $auth = false,
+ Optional[Boolean] $noauth = undef,
+ Optional[Boolean] $verbose = undef,
+ Optional[String] $verbositylevel = undef,
+ Optional[Boolean] $objcheck = undef,
+ Optional[Boolean] $quota = undef,
+ Optional[Integer] $quotafiles = undef,
+ Optional[Integer[0, 7]] $diaglog = undef,
+ Optional[Boolean] $directoryperdb = undef,
+ $profile = undef,
+ Optional[Integer] $maxconns = undef,
+ Optional[Integer] $oplog_size = undef,
+ $nohints = undef,
+ Optional[Boolean] $nohttpinterface = undef,
+ Optional[Boolean] $noscripting = undef,
+ Optional[Boolean] $notablescan = undef,
+ Optional[Boolean] $noprealloc = undef,
+ Optional[Integer] $nssize = undef,
+ $mms_token = undef,
+ $mms_name = undef,
+ $mms_interval = undef,
+ Optional[String] $replset = undef,
+ Optional[Hash] $replset_config = undef,
+ Optional[Array] $replset_members = undef,
+ Optional[Boolean] $configsvr = undef,
+ Optional[Boolean] $shardsvr = undef,
+ Optional[Boolean] $rest = undef,
+ Optional[Boolean] $quiet = undef,
+ Optional[Integer] $slowms = undef,
+ Optional[Stdlib::Absolutepath] $keyfile = undef,
+ Optional[Variant[String[6], Sensitive[String[6]]]] $key = undef,
+ Optional[Variant[String[1], Array[String[1]]]] $set_parameter = undef,
+ Optional[Boolean] $syslog = undef,
+ $config_content = undef,
+ Optional[String] $config_template = undef,
+ Optional[Hash] $config_data = undef,
+ Optional[Boolean] $ssl = undef,
+ Optional[Stdlib::Absolutepath] $ssl_key = undef,
+ Optional[Stdlib::Absolutepath] $ssl_ca = undef,
+ Boolean $ssl_weak_cert = false,
+ Boolean $ssl_invalid_hostnames = false,
+ Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
+ Boolean $tls = false,
+ Optional[Stdlib::Absolutepath] $tls_key = undef,
+ Optional[Stdlib::Absolutepath] $tls_ca = undef,
+ Boolean $tls_conn_without_cert = false,
+ Boolean $tls_invalid_hostnames = false,
+ Enum['requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS',
+ Boolean $restart = $mongodb::params::restart,
+ Optional[String] $storage_engine = undef,
+ Boolean $create_admin = $mongodb::params::create_admin,
+ String $admin_username = $mongodb::params::admin_username,
+ Optional[Variant[String, Sensitive[String]]] $admin_password = undef,
+ Optional[Variant[String[1], Sensitive[String[1]]]] $admin_password_hash = undef,
+ Enum['scram_sha_1', 'scram_sha_256'] $admin_auth_mechanism = $mongodb::params::admin_auth_mechanism,
+ Boolean $admin_update_password = false,
+ Boolean $handle_creds = $mongodb::params::handle_creds,
+ Boolean $store_creds = $mongodb::params::store_creds,
+ Array $admin_roles = $mongodb::params::admin_roles,
 ) inherits mongodb::params {
 contain mongodb::server::install
 contain mongodb::server::config
@@ -130,6 +133,7 @@
 user => $admin_username,
 auth_mechanism => $admin_auth_mechanism,
 password => $admin_password_unsensitive,
+ password_hash => $admin_password_hash,
 roles => $admin_roles,
 update_password => $admin_update_password,
 }
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
index e71e86eda..98db5c18e 100644
--- a/spec/classes/server_spec.rb
+++ b/spec/classes/server_spec.rb 
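Review bot: The new `# @param admin_password_hash` doc ("Hex encoded md5 hash of mongodb password") and the `Optional[Variant[String[1], Sensitive[String[1]]]]` type understate what this value is: for MongoDB's SCRAM-SHA-1 credentials the hex md5 digest is the thing the client proves knowledge of, so whoever holds it authenticates exactly as if they held the password, and if it is the legacy `md5('<user>:mongo:<password>')` digest (which I infer from the module's `mongodb_password()` convention, not from this diff) it is also only valid for the given `admin_username`. I would replace the one-line description with: `# Lowercase hex md5 digest of '<admin_username>:mongo:<password>'. A password-equivalent credential: pass it as Sensitive or from encrypted Hiera, never in clear text. Mutually exclusive with admin_password.` — REFERENCE.md carries the same sentence and is presumably regenerated from this docstring. The type accepts any non-empty string; a 32-hex-char pattern on the plain-string arm rejects pasted garbage at compile time, `Optional[Variant[Pattern[/\A[0-9a-f]{32}\z/], Sensitive[String[1]]]] $admin_password_hash = undef,` (the spec's `'xxx89adfaxd'` fixture would then need a real digest). It is also worth stating whether the hash can be combined with `admin_auth_mechanism => 'scram_sha_256'`, which as far as I know requires the clear-text password rather than an md5 digest.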
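Review bot: `password_hash => $admin_password_hash,` passes the parameter through untouched while the line above passes the unwrapped `$admin_password_unsensitive`, so a `Sensitive`-wrapped hash (which the new parameter type explicitly allows) reaches `mongodb::db` as a Sensitive object rather than a String; whether `mongodb::db`'s `password_hash` accepts that is not visible in this diff, but the asymmetry with `password` looks unintentional and is untested. Nothing in the hunk rejects `admin_password` and `admin_password_hash` being set together, so a conflicting catalog is resolved silently by whichever value `mongodb::db` happens to prefer. The `mongodb::db { 'admin': ... }` declaration and the unwrap that produces `$admin_password_unsensitive` both start outside the hunk; next to that unwrap I would add the equivalent for the hash and an explicit `fail()` for the conflict (if `mongodb::db` does accept Sensitive, pass the wrapped value through instead of unwrapping — unwrapping puts a password-equivalent digest into the catalog in clear, as the existing password handling already does).
```puppet
# … unchanged: $admin_password_unsensitive unwrap …
$admin_password_hash_unsensitive = $admin_password_hash ? {
  Sensitive => $admin_password_hash.unwrap,
  default   => $admin_password_hash,
}
if $create_admin and $admin_password and $admin_password_hash {
  fail('mongodb::server: admin_password and admin_password_hash are mutually exclusive')
}
# … unchanged: mongodb::db { 'admin': user/auth_mechanism/password …
    password_hash   => $admin_password_hash_unsensitive,
```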
@@ -108,6 +108,29 @@ it { is_expected.to contain_mongodb_database('admin').that_requires('Service[mongodb]') } end + describe 'with admin_password_hash => xxx89adfaxd' do + let(:params) do + { + create_admin: true, + admin_username: 'admin', + admin_password_hash: 'xxx89adfaxd' + } + end + + it_behaves_like 'server classes' + + it do + is_expected.to contain_mongodb__db('admin'). + with_user('admin'). + with_password_hash('xxx89adfaxd'). + with_roles(%w[userAdmin readWrite dbAdmin dbAdminAnyDatabase readAnyDatabase + readWriteAnyDatabase userAdminAnyDatabase clusterAdmin clusterManager + clusterMonitor hostManager root restore]) + end + + it { is_expected.to contain_mongodb_database('admin').that_requires('Service[mongodb]') } + end + describe 'with preset variables' do let :params do {
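Review bot: The new example passes `admin_password_hash: 'xxx89adfaxd'`, which is not a hex md5 digest at all, and it only passes because nothing in the class validates the value — so the test documents a gap rather than the contract, and it will break the moment a format check is added. I would use a real-looking fixture, `admin_password_hash: '5f4dcc3b5aa765d61d8327deb882cf99'`, and add a sibling example using rspec-puppet's `sensitive()` helper, since the parameter type admits `Sensitive` but no example exercises what `mongodb__db('admin')` receives in that case. A third example setting both `admin_password` and `admin_password_hash` would pin down which one wins (or that compilation fails), which this diff leaves undefined.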