[x509] Add x509 support for admin user

* use x509 autentication method for admin user, used to login in the
  api.
* add supported_athentication_mechanisms, whish restricts the suppported
  authentication mechanism supported by the server.

Author: Johan De Wit

REFERENCE.md

@@ -1263,6 +1263,7 @@ The following parameters are available in the `mongodb::server` class:
 * [`admin_username`](#-mongodb--server--admin_username)
 * [`admin_password`](#-mongodb--server--admin_password)
 * [`admin_auth_mechanism`](#-mongodb--server--admin_auth_mechanism)
+* [`admin_tls_key`](#-mongodb--server--admin_tls_key)
 * [`admin_update_password`](#-mongodb--server--admin_update_password)
 * [`handle_creds`](#-mongodb--server--handle_creds)
 * [`store_creds`](#-mongodb--server--store_creds)
@@ -1934,12 +1935,20 @@ Default value: `undef`
 
 ##### <a name="-mongodb--server--admin_auth_mechanism"></a>`admin_auth_mechanism`
 
-Data type: `Enum['scram_sha_1', 'scram_sha_256']`
+Data type: `Enum['scram_sha_1', 'scram_sha_256', 'x509']`
 
 
 
 Default value: `$mongodb::params::admin_auth_mechanism`
 
+##### <a name="-mongodb--server--admin_tls_key"></a>`admin_tls_key`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Filepath of the administrators x509 certificate. Its the user of this class that needs to manage this certificate.
+
+Default value: `undef`
+
 ##### <a name="-mongodb--server--admin_update_password"></a>`admin_update_password`
 
 Data type: `Boolean`
@@ -2042,7 +2051,7 @@ Data type: `String`
 
 ##### <a name="-mongodb--db--auth_mechanism"></a>`auth_mechanism`
 
-Data type: `Enum['scram_sha_1', 'scram_sha_256']`
+Data type: `Enum['scram_sha_1', 'scram_sha_256', 'x509']`
 
 
 
@@ -2360,7 +2369,7 @@ The following parameters are available in the `mongodb_user` type.
 
 ##### <a name="-mongodb_user--auth_mechanism"></a>`auth_mechanism`
 
-Valid values: `scram_sha_256`, `scram_sha_1`
+Valid values: `scram_sha_256`, `scram_sha_1`, `x509`
 
 Authentication mechanism. Password verification is not supported with SCRAM-SHA-256.
 

lib/facter/is_master.rb

@@ -8,7 +8,23 @@ def mongod_conf_file
   locations.find { |location| File.exist? location }
 end
 
+def mongosh_conf_file
+  '/root/.mongosh.yaml' if File.exist?('/root/mongosh.yaml')
+end
+
 def get_options_from_hash_config(config)
+  # read also the mongoshrc.yaml yaml file, to retrieve the admins certkey file
+  if mongosh_conf_file
+    mongosh_config = YAML.load_file(mongosh_conf_file)
+    # check which tlscert we need to use
+    if mongosh_config['admin']
+      tlscert = mongosh_config['admin']['tlsCertificateKeyFile'] if mongosh_config['admin']['tlsCertificateKeyFile']
+      auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism']
+    end
+  else
+    tlscert = config['net.tls.certificateKeyFile']
+  end
+
   result = []
 
   result << "--port #{config['net.port']}" unless config['net.port'].nil?
@@ -23,52 +39,23 @@ def get_options_from_hash_config(config)
   # - tlsMode is "requireTLS"
   # - Parameter --tlsCertificateKeyFile is set
   # - Parameter --tlsCAFile is set
-  result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !config['net.tls.certificateKeyFile'].nil? || !config['net.tls.CAFile'].nil?
-  result << "--tlsCertificateKeyFile #{config['net.tls.certificateKeyFile']}" unless config['net.tls.certificateKeyFile'].nil?
+  result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !tlscert.nil? || !config['net.tls.CAFile'].nil?
+  result << "--tlsCertificateKeyFile #{tlscert}" unless tlscert.nil?
   result << "--tlsCAFile #{config['net.tls.CAFile']}" unless config['net.tls.CAFile'].nil?
 
-  result << '--ipv6' unless config['net.ipv6'].nil?
-
-  result.join(' ')
-end
-
-def get_options_from_keyvalue_config(file)
-  config = {}
-  File.readlines(file).map do |line|
-    k, v = line.split('=')
-    config[k.rstrip] = v.lstrip.chomp if k && v
-  end
-
-  result = []
-
-  result << "--port #{config['port']}" unless config['port'].nil?
-  # use --ssl and --host if:
-  # - sslMode is "requireSSL"
-  # - Parameter --sslPEMKeyFile is set
-  # - Parameter --sslCAFile is set
-  result << "--ssl --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireSSL' || !config['sslcert'].nil? || !config['sslca'].nil?
-  result << "--sslPEMKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
-  result << "--sslCAFile #{config['sslca']}" unless config['sslca'].nil?
-  # use --tls and --host if:
-  # - tlsMode is "requireTLS"
-  # - Parameter --tlsCertificateKeyFile is set
-  # - Parameter --tlsCAFile is set
-  result << "--tls --host #{Facter.value(:fqdn)}" if config['tls'] == 'requireTLS' || !config['tlscert'].nil? || !config['tlsca'].nil?
-  result << "--tlsCertificateKeyFile #{config['tlscert']}" unless config['tlscert'].nil?
-  result << "--tlsCAFile #{config['tlsca']}" unless config['tlsca'].nil?
+  # use --authenticationMechanism, ---authenticationDatabase
+  # when
+  # - authenticationMechanism MONGODB-X509
+  result << "--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509" if auth_mech && auth_mech == 'x509'
 
-  result << '--ipv6' unless config['ipv6'].nil?
+  result << '--ipv6' unless config['net.ipv6'].nil?
 
   result.join(' ')
 end
 
 def get_options_from_config(file)
   config = YAML.load_file(file)
-  if config.is_a?(Hash) # Using a valid YAML file for mongo 2.6
-    get_options_from_hash_config(config)
-  else # It has to be a key-value config file
-    get_options_from_keyvalue_config(file)
-  end
+  get_options_from_hash_config(config)
 end
 
 Facter.add('mongodb_is_master') do

lib/puppet/provider/mongodb.rb

@@ -29,6 +29,16 @@ def self.mongod_conf_file
 
   def self.mongo_conf
     config = YAML.load_file(mongod_conf_file) || {}
+    mongosh_config = {}
+    mongosh_config = YAML.load_file("#{Facter.value(:root_home)}/.mongosh.yaml") if File.file?("#{Facter.value(:root_home)}/.mongosh.yaml")
+    # determine if we need the tls for connecion or client
+    if mongosh_config['admin'] && mongosh_config['admin']['tlsCertificateKeyFile']
+      tlscert = mongosh_config['admin']['tlsCertificateKeyFile']
+      auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism']
+    else
+      tlscert =config['net.tls.certificateKeyFile']
+    end
+
     {
       'bindip' => config['net.bindIp'],
       'port' => config['net.port'],
@@ -39,9 +49,10 @@ def self.mongo_conf
       'sslca' => config['net.ssl.CAFile'],
       'tlsallowInvalidHostnames' => config['net.tls.allowInvalidHostnames'],
       'tls' => config['net.tls.mode'],
-      'tlscert' => config['net.tls.certificateKeyFile'],
+      'tlscert' => tlscert,
       'tlsca' => config['net.tls.CAFile'],
       'auth' => config['security.authorization'],
+      'auth_mechanism' => auth_mech,
       'shardsvr' => config['sharding.clusterRole'],
       'confsvr' => config['sharding.clusterRole']
     }
@@ -92,15 +103,19 @@ def self.mongosh_cmd(db, host, cmd)
 
     if tls_is_enabled(config)
       args.push('--tls')
-      args += ['--tlsCertificateKeyFile', config['tlscert']]
 
       tls_ca = config['tlsca']
       args += ['--tlsCAFile', tls_ca] unless tls_ca.nil?
+      args += ['--tlsCertificateKeyFile', config['tlscert']]
 
       args.push('--tlsAllowInvalidHostnames') if tls_invalid_hostnames(config)
     end
 
-    args += ['--eval', cmd]
+    if $config['auth_mechanism'] && $config['auth_mechanism'] == 'x509'
+      args.push("--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509")
+    end
+
+    args += ['--eval', "\"#{cmd}\""]
     mongosh(args)
   end
 

lib/puppet/provider/mongodb_user/mongodb.rb

@@ -19,6 +19,8 @@ def self.instances
 
       users = JSON.parse out
 
+      Puppet.debug("XXXXXXXX In self.instances, retrieved users: #{users}")
+
       users.map do |user|
         db = if user['db'] == '$external'
                # For external users, we need to retreive the original DB name from here.
@@ -29,10 +31,12 @@ def self.instances
         u = new(name: user['_id'],
             ensure: :present,
             username: user['user'],
-            database: user['db'],
-            roles: from_roles(user['roles'], user['db']),
+            database: db,
+            roles: from_roles(user['roles'], db),
             password_hash: user['credentials']['MONGODB-CR'],
             scram_credentials: user['credentials']['SCRAM-SHA-1'])
+        Puppet.debug("Fetching users, creating the found resources: #{u}")
+        u
       end
     else
       Puppet.warning 'User info is available only from master host'
@@ -56,6 +60,7 @@ def create
       password_hash = @resource[:password_hash]
       password_hash = Puppet::Util::MongodbMd5er.md5(@resource[:username], @resource[:password]) if !password_hash && @resource[:password]
 
+
       command = {
         createUser: @resource[:username],
         customData: {
@@ -64,17 +69,17 @@ def create
         roles: role_hashes(@resource[:roles], @resource[:database]),
       }
 
-      # is this still needed / we only support verion 4 and higher
-      if mongo_4? || mongo_5? || mongo_6?
-        if @resource[:auth_mechanism] == :scram_sha_256
-          command[:mechanisms] = ['SCRAM-SHA-256']
-          command[:pwd] = @resource[:password]
-          command[:digestPassword] = true
-        else
-          command[:mechanisms] = ['SCRAM-SHA-1']
-          command[:pwd] = password_hash
-          command[:digestPassword] = false
-        end
+      case @resource[:auth_mechanism]
+      when :scram_sha_256 # rubocop:disable Naming/VariableNumber
+        command[:mechanisms] = ['SCRAM-SHA-256']
+        command[:pwd] = @resource[:password]
+        command[:digestPassword] = true
+      when :scram_sha_1 # rubocop:disable Naming/VariableNumber
+        command[:mechanisms] = ['SCRAM-SHA-1']
+        command[:pwd] = password_hash
+        command[:digestPassword] = false
+      when :x509
+        command[:mechanisms] = ['MONGODB-X509']
       else
         command[:pwd] = password_hash
         command[:digestPassword] = false
@@ -93,6 +98,9 @@ def create
       @property_hash[:roles] = @resource[:roles]
 
       exists?
+
+    else
+      Puppet.warning 'User creation is available only from master host'
     end
   end
 

lib/puppet/type/mongodb_user.rb

@@ -57,7 +57,7 @@ def to_s?(value)
   newproperty(:password_hash) do
     desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later. SCRAM-SHA-256 authentication mechanism is not supported.'
     defaultto do
-      raise Puppet::Error, "Property 'password_hash' must be set. Use mongodb_password() for creating hash." if @resource[:password].nil? && (provider.database == :absent)
+      raise Puppet::Error, "Property 'password_hash' must be set. Use mongodb_password() for creating hash." if @resource[:auth_mechanism] != :x509 && @resource[:password].nil? && (@resource[:password].nil? && (provider.database == :absent))
     end
     newvalue(%r{^\w+$})
 
@@ -97,7 +97,7 @@ def insync?(_is)
   newparam(:auth_mechanism) do
     desc 'Authentication mechanism. Password verification is not supported with SCRAM-SHA-256.'
     defaultto :scram_sha_1
-    newvalues(:scram_sha_256, :scram_sha_1)
+    newvalues(:scram_sha_256, :scram_sha_1, :x509)
   end
 
   newparam(:update_password, boolean: true) do
@@ -122,12 +122,14 @@ def insync?(_is)
   end
 
   validate do
-    if self[:password_hash].nil? && self[:password].nil? && provider.password.nil? && provider.password_hash.nil?
-      err("Either 'password_hash' or 'password' should be provided")
-    elsif !self[:password_hash].nil? && !self[:password].nil?
-      err("Only one of 'password_hash' or 'password' should be provided")
-    elsif !self[:password_hash].nil? && self[:auth_mechanism] == :scram_sha_256
-      err("'password_hash' is not supported with SCRAM-SHA-256 authentication mechanism")
+    if self[:auth_mechanism] != :x509
+      if self[:password_hash].nil? && self[:password].nil? && provider.password.nil? && provider.password_hash.nil?
+        err("Either 'password_hash' or 'password' should be provided")
+      elsif !self[:password_hash].nil? && !self[:password].nil?
+        err("Only one of 'password_hash' or 'password' should be provided")
+      elsif !self[:password_hash].nil? && self[:auth_mechanism] == :scram_sha_256
+        err("'password_hash' is not supported with SCRAM-SHA-256 authentication mechanism")
+      end
     end
     raise("The parameter 'scram_credentials' is read-only and cannot be changed") if should(:scram_credentials)
   end

manifests/db.pp

@@ -19,7 +19,7 @@
 #
 define mongodb::db (
   String                                             $user,
-  Enum['scram_sha_1', 'scram_sha_256']               $auth_mechanism  = 'scram_sha_1',
+  Enum['scram_sha_1', 'scram_sha_256', 'x509']       $auth_mechanism  = 'scram_sha_1',
   String                                             $db_name         = $name,
   Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash   = undef,
   Optional[Variant[String[1], Sensitive[String[1]]]] $password        = undef,
@@ -33,25 +33,29 @@
       tries  => $tries,
     }
 
-    if $password_hash =~ Sensitive[String] {
-      $hash = $password_hash.unwrap
-    } elsif $password_hash {
-      $hash = $password_hash
-    } elsif $password {
-      $hash = mongodb_password($user, $password)
-    } else {
-      fail("Parameter 'password_hash' or 'password' should be provided to mongodb::db.")
-    }
+    if $auth_mechanism != 'x509' {
+      if $password_hash =~ Sensitive[String] {
+        $hash = $password_hash.unwrap
+      } elsif $password_hash {
+        $hash = $password_hash
+      } elsif $password {
+        $hash = mongodb_password($user, $password)
+      } else {
+        fail("Parameter 'password_hash' or 'password' should be provided to mongodb::db.")
+      }
 
-    if $auth_mechanism == 'scram_sha_256' {
-      $password_config = {
-        password        => $password,
-        update_password => $update_password,
+      if $auth_mechanism == 'scram_sha_256' {
+        $password_config = {
+          password        => $password,
+          update_password => $update_password,
+        }
+      } else {
+        $password_config = {
+          password_hash => $hash,
+        }
       }
     } else {
-      $password_config = {
-        password_hash => $hash,
-      }
+      $password_config = {}
     }
 
     mongodb_user { "User ${user} on db ${db_name}":

manifests/mongos/params.pp

@@ -5,13 +5,8 @@
   $version = $mongodb::globals::version
 
   $package_ensure = pick($version, 'present')
-  if $manage_package {
-    $package_name = "mongodb-${mongodb::globals::edition}-mongos"
-  } elsif $facts['os']['family'] in ['RedHat', 'Suse'] {
-    $package_name = "mongodb-${mongodb::globals::edition}-mongos"
-  } else {
-    $package_name = 'mongodb-server'
-  }
+  # from versoin 4.4 on, package name is all the same in the upstream repositories
+  $package_name = "mongodb-${mongodb::globals::edition}-mongos"
 
   $config_content = undef
   $config_template = undef

manifests/params.pp

@@ -27,7 +27,6 @@
   $manage_package        = pick($mongodb::globals::manage_package, $mongodb::globals::manage_package_repo, false)
   $pidfilemode           = pick($mongodb::globals::pidfilemode, '0644')
   $manage_pidfile        = pick($mongodb::globals::manage_pidfile, true)
-
   $version               = $mongodb::globals::version
 
   $config_data           = undef