make ismaster work with authentication enbaled before user admin is created

Johan De Wit · Johan De Wit · commit 65e2ad35cc9a · 2023-07-05T17:32:06.000+02:00
diff --git a/lib/facter/is_master.rb b/lib/facter/is_master.rb
@@ -16,39 +16,71 @@ def get_options_from_hash_config(config)
   # - sslMode is "requireSSL"
   # - Parameter --sslPEMKeyFile is set
   # - Parameter --sslCAFile is set
-  result << "--ssl --host #{Facter.value(:fqdn)}" if ['allowSSL', 'preferSSL', 'requireSSL'].include? config['net.ssl.mode'] || !config['net.ssl.PEMKeyFile'].nil? || !config['net.ssl.CAFile'].nil?
+  result << "--ssl --host #{Facter.value(:fqdn)}" if config['net.ssl.mode'] == 'requireSSL' || !config['net.ssl.PEMKeyFile'].nil? || !config['net.ssl.CAFile'].nil?
   result << "--sslPEMKeyFile #{config['net.ssl.PEMKeyFile']}" unless config['net.ssl.PEMKeyFile'].nil?
   result << "--sslCAFile #{config['net.ssl.CAFile']}" unless config['net.ssl.CAFile'].nil?
-  result << "--sslAllowInvalidHostnames" if config['net.ssl.allowInvalidHostnames'] == true
   # use --tls and --host if:
   # - tlsMode is "requireTLS"
   # - Parameter --tlsCertificateKeyFile is set
   # - Parameter --tlsCAFile is set
-  result << "--tls --host #{Facter.value(:fqdn)}" if ['allowTLS', 'prefeTLS', 'requireTLS'].include? config['net.tls.mode'] || !config['net.tls.certificateKeyFile'].nil? || !config['net.tls.CAFile'].nil?
+  result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !config['net.tls.certificateKeyFile'].nil? || !config['net.tls.CAFile'].nil?
   result << "--tlsCertificateKeyFile #{config['net.tls.certificateKeyFile']}" unless config['net.tls.certificateKeyFile'].nil?
   result << "--tlsCAFile #{config['net.tls.CAFile']}" unless config['net.tls.CAFile'].nil?
-  result << "--tlsAllowInvalidHostnames" if config['net.tls.allowInvalidHostnames'] == true
 
   result << '--ipv6' unless config['net.ipv6'].nil?
 
   result.join(' ')
 end
 
+def get_options_from_keyvalue_config(file)
+  config = {}
+  File.readlines(file).map do |line|
+    k, v = line.split('=')
+    config[k.rstrip] = v.lstrip.chomp if k && v
+  end
+
+  result = []
+
+  result << "--port #{config['port']}" unless config['port'].nil?
+  # use --ssl and --host if:
+  # - sslMode is "requireSSL"
+  # - Parameter --sslPEMKeyFile is set
+  # - Parameter --sslCAFile is set
+  result << "--ssl --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireSSL' || !config['sslcert'].nil? || !config['sslca'].nil?
+  result << "--sslPEMKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
+  result << "--sslCAFile #{config['sslca']}" unless config['sslca'].nil?
+  # use --tls and --host if:
+  # - tlsMode is "requireTLS"
+  # - Parameter --tlsCertificateKeyFile is set
+  # - Parameter --tlsCAFile is set
+  result << "--tls --host #{Facter.value(:fqdn)}" if config['tls'] == 'requireTLS' || !config['tlscert'].nil? || !config['tlsca'].nil?
+  result << "--tlsCertificateKeyFile #{config['tlscert']}" unless config['tlscert'].nil?
+  result << "--tlsCAFile #{config['tlsca']}" unless config['tlsca'].nil?
+
+  result << '--ipv6' unless config['ipv6'].nil?
+
+  result.join(' ')
+end
+
 def get_options_from_config(file)
   config = YAML.load_file(file)
-  get_options_from_hash_config(config)
+  if config.is_a?(Hash) # Using a valid YAML file for mongo 2.6
+    get_options_from_hash_config(config)
+  else # It has to be a key-value config file
+    get_options_from_keyvalue_config(file)
+  end
 end
 
 Facter.add('mongodb_is_master') do
   setcode do
-    if %w[mongo mongod].all? { |m| Facter::Util::Resolution.which m }
+    if %w[mongosh mongod].all? { |m| Facter::Util::Resolution.which m }
       file = mongod_conf_file
       if file
         options = get_options_from_config(file)
         e = File.exist?('/root/.mongoshrc.js') ? 'load(\'/root/.mongoshrc.js\'); ' : ''
 
         # Check if the mongodb server is responding:
-        Facter::Core::Execution.exec("mongosh --quiet #{options} --eval \"#{e}EJSON.stringify(db.adminCommand({ ping: 1 }))\"")
+        Facter::Core::Execution.exec("mongosh --quiet #{options} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"")
 
         if $CHILD_STATUS.success?
           Facter::Core::Execution.exec("mongosh --quiet #{options} --eval \"#{e}db.isMaster().ismaster\"")
diff --git a/lib/facter/mongodb_version.rb b/lib/facter/mongodb_version.rb
@@ -2,9 +2,9 @@
 
 Facter.add(:mongodb_version) do
   setcode do
-    if Facter::Core::Execution.which('mongo')
-      mongodb_version = Facter::Core::Execution.execute('mongo --version 2>&1')
-      %r{MongoDB shell version:?\s+v?([\w.]+)}.match(mongodb_version)[1]
+    if Facter::Core::Execution.which('mongod')
+      mongodb_version = Facter::Core::Execution.execute('mongod --version 2>&1')
+      %r{^db version:?\s+v?([\w.]+)}.match(mongodb_version)[1]
     end
   end
 end
diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb
@@ -143,15 +143,24 @@ def self.db_ismaster
     cmd_ismaster = 'db.isMaster().ismaster'
     cmd_ismaster = mongoshrc_file + cmd_ismaster if mongoshrc_file
     db = 'admin'
-    res = mongosh_cmd(db, conn_string, cmd_ismaster).to_s.split(%r{\n}).last.chomp
 
-    # Retry command without authentication when mongorc_file is set and authentication failed
-    if mongorc_file && res =~ %r{Authentication failed}
-      res = mongosh_cmd(db, conn_string, 'db.isMaster().ismaster').to_s.chomp
+    full_command = if mongoshrc_file
+                     mongoshrc_file + cmd_ismaster
+                   else
+                     cmd_ismaster
+                   end
+    begin
+        Puppet.debug("MONGODB: In self.db_ismaster with cmd #{cmd_ismaster}")
+       res = mongosh_cmd(db, conn_string, cmd_ismaster).to_s.split(%r{\n}).last.chomp
+    rescue StandardError => e
+      Puppet.debug("MONGODB: In self.db_ismaster in rescue")
+      if self.auth_enabled && e.message =~ %r{Authentication failed}
+        res = mongosh_cmd(db, conn_string, 'db.isMaster().ismaster').to_s.chomp
+        Puppet.debug("MONGODB: In self.db_ismaster with res is #{res}")
+      end
     end
 
-    Puppet.debug("In self.db_is_master with res is #{res}")
-
+    Puppet.debug("MONGODB: In self.db_is_master with res is #{res}")
     res.eql?('true')
   end
 
diff --git a/lib/puppet/provider/mongodb_database/mongodb.rb b/lib/puppet/provider/mongodb_database/mongodb.rb
@@ -30,10 +30,26 @@ def self.prefetch(resources)
     end
   end
 
+  def auth_enabled
+    Puppet.debug('MONGODB_DATABASE: in auth_enabled')
+    self.class.auth_enabled
+  end
+
   def create
     if db_ismaster
-      out = mongo_eval('db.dummyData.insert({"created_by_puppet": 1})', @resource[:name])
-      raise "Failed to create DB '#{@resource[:name]}'\n#{out}" if %r{writeError} =~ out
+      begin
+        Puppet.debug("MONGODB_DATABASE: In create")
+        out = mongo_eval('db.dummyData.insertOne({"created_by_puppet": 1})', @resource[:name])
+      rescue StandardError => e
+        Puppet.debug("MONGODB_DATABSE: In create in rescue")
+        if auth_enabled && e.message =~ %r{not authorized on admin to execute commanda} && @resource[:name] == 'admin'
+          Puppet.warning 'Skipping database creation for admin, need admin user first when security is enabled'
+          @property_hash[:ensure] = :present
+          @property_hash[:name] = @resource[:name]
+        else
+          raise "Failed to create DB '#{@resource[:name]}'\n#{out}" if %r{writeError} =~ out
+        end
+      end
     else
       Puppet.warning 'Database creation is available only from master host'
     end
diff --git a/lib/puppet/provider/mongodb_replset/mongo.rb b/lib/puppet/provider/mongodb_replset/mongo.rb
@@ -289,7 +289,7 @@ def set_members
       return
     end
 
-    Puppet.debug("REPLICASET DEBUG BIG Is replicaset initiated ? #{rs_initiated?}")
+    #Puppet.debug("REPLICASET DEBUG BIG Is replicaset initiated ? #{rs_initiated?}")
     # When no replicaset is initiated yet, and authenticatoin is anabled,
     # mongo_eval still adds the mongorcsh.js.  This gives an 'MongoServerError: Authentication failed.' error.
     # In this stage, we only can connect to localhost, and only rs.status() and rs.initiate() is possible.
diff --git a/lib/puppet/provider/mongodb_shard/mongo.rb b/lib/puppet/provider/mongodb_shard/mongo.rb
@@ -13,7 +13,7 @@
 
   mk_resource_methods
 
-  commands mongo: 'mongo'
+  commands mongosh: 'mongosh'
 
   def initialize(value = {})
     super(value)
diff --git a/lib/puppet/provider/mongodb_user/mongodb.rb b/lib/puppet/provider/mongodb_user/mongodb.rb
@@ -9,24 +9,28 @@
   def self.instances
     require 'json'
 
-    if db_ismaster
+    Puppet.debug("MONGODB_USER self.instances")
+
+    #if db_ismaster
       script = 'EJSON.stringify(db.system.users.find().toArray())'
       # A hack to prevent prefetching failures until admin user is created
       script = "try {#{script}} catch (e) { if (e.message.match(/requires authentication/) || e.message.match(/not authorized on admin/)) { 'not authorized on admin' } else {throw e}}" if auth_enabled
 
       out = mongo_eval(script)
-      Puppet.debug("Result of out in self.instances: #{out}")
-      Puppet.debug("Type of out in self.instances: #{out.class}")
-      Puppet.debug("Methods of out in self.instances: #{out.methods}")
-      Puppet.debug("String of out in self.instances: #{out.to_s} has type #{out.to_s.class}")
-      Puppet.debug("Json of out in self.instances: #{out.to_json} has type #{out.to_s.class}")
+      Puppet.debug("MONGODB_USER Result of out in self.instances: #{out}")
+      Puppet.debug("MONGODB_USER Type of out in self.instances: #{out.class}")
+      Puppet.debug("MONGODB_USER Methods of out in self.instances: #{out.methods}")
+      Puppet.debug("MONGODB_USER String of out in self.instances: #{out.to_s} has type #{out.to_s.class}")
+      Puppet.debug("MONGODB_USER Json of out in self.instances: #{out.to_json} has type #{out.to_s.class}")
 
 
+      Puppet.debug("MONGODB_USER Just before return if auth_enabled and error requires authentication or not authorized on admin")
       return [] if auth_enabled && (out.include?('requires authentication') || out.include?('not authorized on admin'))
+      Puppet.debug("MONGODB_USER after return []")
 
       users = JSON.parse out
-      Puppet.debug("Result of users in self.instances: #{users}")
-      Puppet.debug("Type of users in self.instances: #{users.class}")
+      Puppet.debug("MONGODB_USER Result of users in self.instances: #{users}")
+      Puppet.debug("MONGODB_USER Type of users in self.instances: #{users.class}")
 
       users.map do |user|
         new(name: user['_id'],
@@ -37,14 +41,15 @@ def self.instances
             password_hash: user['credentials']['MONGODB-CR'],
             scram_credentials: user['credentials']['SCRAM-SHA-1'])
       end
-    else
-      Puppet.warning 'User info is available only from master host'
-      []
-    end
+    #else
+    #  Puppet.warning 'User info is available only from master host'
+    #  []
+    #end
   end
 
   # Assign prefetched users based on username and database, not on id and name
   def self.prefetch(resources)
+    Puppet.debug("MONGODB_USER self.prefetch")
     users = instances
     resources.each do |name, resource|
       provider = users.find { |user| user.username == resource[:username] && user.database == resource[:database] }
@@ -55,6 +60,7 @@ def self.prefetch(resources)
   mk_resource_methods
 
   def create
+    Puppet.debug("MONGODB_USER create")
     Puppet.debug("In mongodb_user.create. Only works when on the primery node")
     if db_ismaster
       password_hash = @resource[:password_hash]
@@ -100,14 +106,17 @@ def create
   end
 
   def destroy
+    Puppet.debug("MONGODB_USER destroy")
     mongo_eval("db.dropUser(#{@resource[:username].to_json})", @resource[:database])
   end
 
   def exists?
+    Puppet.debug("MONGODB_USER exists?")
     !(@property_hash[:ensure] == :absent || @property_hash[:ensure].nil?)
   end
 
   def password_hash=(_value)
+    Puppet.debug("MONGODB_USER password_hash with #{_value}")
     if db_ismaster
       command = {
         updateUser: @resource[:username],
@@ -122,6 +131,7 @@ def password_hash=(_value)
   end
 
   def password=(value)
+    Puppet.debug("MONGODB_USER password= with #{value}")
     if mongo_26?
       mongo_eval("db.changeUserPassword(#{@resource[:username].to_json}, #{value.to_json})", @resource[:database])
     else
@@ -140,6 +150,7 @@ def password=(value)
   end
 
   def roles=(roles)
+    Puppet.debug("MONGODB_USER roles with #{roles}")
     if db_ismaster
       grant = to_roles(roles, @resource[:database]) - to_roles(@property_hash[:roles], @resource[:database])
       mongo_eval("db.getSiblingDB(#{@resource[:database].to_json}).grantRolesToUser(#{@resource[:username].to_json}, #{role_hashes(grant, @resource[:database]).to_json})") unless grant.empty?
@@ -154,6 +165,7 @@ def roles=(roles)
   private
 
   def self.from_roles(roles, db)
+    Puppet.debug("MONGODB_USER self.from_roles with #{roles} and db is #{db}")
     roles.map do |entry|
       if entry['db'].empty? || entry['db'] == db
         entry['role']
@@ -164,6 +176,7 @@ def self.from_roles(roles, db)
   end
 
   def to_roles(roles, db)
+    Puppet.debug("MONGODB_USER self.to_roles with #{roles} and db is #{db}")
     roles.map do |entry|
       if entry.include? '@'
         entry
@@ -174,6 +187,7 @@ def to_roles(roles, db)
   end
 
   def role_hashes(roles, db)
+    Puppet.debug("MONGODB_USER self.role_hashes with #{roles} and db is #{db}")
     roles.sort.map do |entry|
       if entry.include? '@'
         {
