SCRAM-SHA-256 support

.fixtures.yml

@@ -1,7 +1,7 @@
 fixtures:
   repositories:
-    "stdlib": "git://github.com/puppetlabs/puppetlabs-stdlib.git"
-    "apt": "git://github.com/puppetlabs/puppetlabs-apt.git"
+    "stdlib": "https://github.com/puppetlabs/puppetlabs-stdlib.git"
+    "apt": "https://github.com/puppetlabs/puppetlabs-apt.git"
     "systemd": "https://github.com/voxpupuli/puppet-systemd.git"
     "zypprepo": "https://github.com/voxpupuli/puppet-zypprepo.git"
     yumrepo_core:

README.md

@@ -561,6 +561,16 @@ Administrator user name
 ##### `admin_password`
 Administrator user password
 
+##### `admin_auth_mechanism`
+Administrator authentication mechanism.
+scram_sha_256 password synchronization verification is not supported.
+Default: 'scram_sha_1'
+
+##### `admin_update_password`
+Update password.
+Used with SCRAM-SHA-256 because password verification is not supported.
+Default: false
+
 ##### `admin_roles`
 Administrator user roles
 
@@ -648,6 +658,17 @@ For more information please refer to [MongoDB Authentication Process](http://doc
 ##### `password`
 Plain-text user password (will be hashed)
 
+##### `auth_mechanism`
+Authentication mechanism.
+Can be either 'scram_sha_1' or 'scram_sha_256'.
+scram_sha_256 password synchronization verification is not supported.
+Default: 'scram_sha_1'
+
+##### `update_password`
+Update password.
+Used with SCRAM-SHA-256 because password verification is not supported.
+Default: false
+
 ##### `roles`
 Array with user roles as string.
 Roles will be granted to user's database if no alternative database is explicitly defined.

lib/puppet/provider/mongodb_user/mongodb.rb

@@ -53,17 +53,25 @@ def create
 
       command = {
         createUser: @resource[:username],
-        pwd: password_hash,
         customData: {
           createdBy: "Puppet Mongodb_user['#{@resource[:name]}']"
         },
         roles: role_hashes(@resource[:roles], @resource[:database]),
-        digestPassword: false
       }
 
       if mongo_4? || mongo_5?
-        # SCRAM-SHA-256 requires digestPassword to be true.
-        command[:mechanisms] = ['SCRAM-SHA-1']
+        if @resource[:auth_mechanism] == :scram_sha_256
+          command[:mechanisms] = ['SCRAM-SHA-256']
+          command[:pwd] = @resource[:password]
+          command[:digestPassword] = true
+        else
+          command[:mechanisms] = ['SCRAM-SHA-1']
+          command[:pwd] = password_hash
+          command[:digestPassword] = false
+        end
+      else
+        command[:pwd] = password_hash
+        command[:digestPassword] = false
       end
 
       mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
@@ -112,6 +120,10 @@ def password=(value)
         digestPassword: true
       }
 
+      if mongo_4? || mongo_5?
+        command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_256 ? ['SCRAM-SHA-256'] : ['SCRAM-SHA-1']
+      end
+
       mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
     end
   end

lib/puppet/type/mongodb_user.rb

@@ -53,7 +53,7 @@ def to_s?(value)
   end
 
   newproperty(:password_hash) do
-    desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later.'
+    desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later. SCRAM-SHA-256 authentication mechanism is not supported.'
     defaultto do
       if @resource[:password].nil?
         raise Puppet::Error, "Property 'password_hash' must be set. Use mongodb_password() for creating hash." if provider.database == :absent
@@ -90,10 +90,23 @@ def to_s?(_value = @is)
     end
 
     def insync?(_is)
+      return !@resource[:update_password] if @resource[:auth_mechanism] == :scram_sha_256
+
       should_to_s == to_s?
     end
   end
 
+  newparam(:auth_mechanism) do
+    desc 'Authentication mechanism. Password verification is not supported with SCRAM-SHA-256.'
+    defaultto :scram_sha_1
+    newvalues(:scram_sha_256, :scram_sha_1)
+  end
+
+  newparam(:update_password, boolean: true) do
+    desc 'Update password. Used with SCRAM-SHA-256 because password verification is not supported.'
+    defaultto false
+  end
+
   newproperty(:scram_credentials) do
     desc 'The SCRAM-SHA-1 credentials of a user. These are read only and change when password or password_hash changes.'
   end
@@ -115,6 +128,8 @@ def insync?(_is)
       err("Either 'password_hash' or 'password' should be provided")
     elsif !self[:password_hash].nil? && !self[:password].nil?
       err("Only one of 'password_hash' or 'password' should be provided")
+    elsif !self[:password_hash].nil? && self[:auth_mechanism] == :scram_sha_256
+      err("'password_hash' is not supported with SCRAM-SHA-256 authentication mechanism")
     end
     if should(:scram_credentials)
       raise("The parameter 'scram_credentials' is read-only and cannot be changed")

manifests/db.pp

@@ -5,19 +5,23 @@
 # == Parameters
 #
 #  user - Database username.
+#  auth_mechanism - Authentication mechanism. scram_sha_256 password verification is not supported. Defaults to 'scram_sha_1'.
 #  db_name - Database name. Defaults to $name.
 #  password_hash - Hashed password. Hex encoded md5 hash of "$username:mongo:$password".
 #  password - Plain text user password. This is UNSAFE, use 'password_hash' instead.
 #  roles (default: ['dbAdmin']) - array with user roles.
 #  tries (default: 10) - The maximum amount of two second tries to wait MongoDB startup.
+#  update_password (default: false) - Force an update of the password when scram_sha_256 is used.
 #
 define mongodb::db (
   String                                             $user,
-  String                                             $db_name       = $name,
-  Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash = undef,
-  Optional[Variant[String[1], Sensitive[String[1]]]] $password      = undef,
-  Array[String]                                      $roles         = ['dbAdmin'],
-  Integer[0]                                         $tries         = 10,
+  Enum['scram_sha_1', 'scram_sha_256']               $auth_mechanism  = 'scram_sha_1',
+  String                                             $db_name         = $name,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash   = undef,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $password        = undef,
+  Array[String]                                      $roles           = ['dbAdmin'],
+  Integer[0]                                         $tries           = 10,
+  Boolean                                            $update_password = false,
 ) {
   unless $facts['mongodb_is_master'] == 'false' { # lint:ignore:quoted_booleans
     mongodb_database { $db_name:
@@ -35,12 +39,24 @@
       fail("Parameter 'password_hash' or 'password' should be provided to mongodb::db.")
     }
 
+    if $auth_mechanism == 'scram_sha_256' {
+      $password_config = {
+        password        => $password,
+        update_password => $update_password,
+      }
+    } else {
+      $password_config = {
+        password_hash => $hash,
+      }
+    }
+
     mongodb_user { "User ${user} on db ${db_name}":
-      ensure        => present,
-      password_hash => $hash,
-      username      => $user,
-      database      => $db_name,
-      roles         => $roles,
+      ensure         => present,
+      username       => $user,
+      database       => $db_name,
+      roles          => $roles,
+      auth_mechanism => $auth_mechanism,
+      *              => $password_config,
     }
   }
 }

manifests/params.pp

@@ -11,6 +11,7 @@
   $restart               = true
   $create_admin          = false
   $admin_username        = 'admin'
+  $admin_auth_mechanism  = 'scram_sha_1'
   $admin_roles           = [
     'userAdmin', 'readWrite', 'dbAdmin', 'dbAdminAnyDatabase', 'readAnyDatabase',
     'readWriteAnyDatabase', 'userAdminAnyDatabase', 'clusterAdmin',

manifests/server.pp

@@ -76,6 +76,8 @@
   Boolean $create_admin                                         = $mongodb::params::create_admin,
   String $admin_username                                        = $mongodb::params::admin_username,
   Optional[Variant[String, Sensitive[String]]] $admin_password  = undef,
+  Enum['scram_sha_1', 'scram_sha_256'] $admin_auth_mechanism    = $mongodb::params::admin_auth_mechanism,
+  Boolean $admin_update_password                                = false,
   Boolean $handle_creds                                         = $mongodb::params::handle_creds,
   Boolean $store_creds                                          = $mongodb::params::store_creds,
   Array $admin_roles                                            = $mongodb::params::admin_roles,
@@ -105,9 +107,11 @@
   }
   if $create_admin and ($service_ensure == 'running' or $service_ensure == true) {
     mongodb::db { 'admin':
-      user     => $admin_username,
-      password => $admin_password_unsensitive,
-      roles    => $admin_roles,
+      user            => $admin_username,
+      auth_mechanism  => $admin_auth_mechanism,
+      password        => $admin_password_unsensitive,
+      roles           => $admin_roles,
+      update_password => $admin_update_password,
     }
 
     # Make sure it runs before other DB creation

spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb

@@ -54,9 +54,9 @@
       cmd_json = <<-EOS.gsub(%r{^\s*}, '').gsub(%r{$\n}, '')
       {
         "createUser":"new_user",
-        "pwd":"pass",
         "customData":{"createdBy":"Puppet Mongodb_user['new_user']"},
         "roles":[{"role":"role1","db":"new_database"},{"role":"role2","db":"other_database"}],
+        "pwd":"pass",
         "digestPassword":false
       }
       EOS