Add an option to force an update of the password when SCRAM-SHA-256 is used

poloz-lab · poloz-lab · commit b042af0862a1 · 2022-07-06T17:36:11.000+02:00
diff --git a/README.md b/README.md
@@ -566,6 +566,11 @@ Administrator authentication mechanism.
 scram_sha_256 password synchronization verification is not supported.
 Default: 'scram_sha_1'
 
+##### `admin_update_password`
+Update password.
+Used with SCRAM-SHA-256 because password verification is not supported.
+Default: false
+
 ##### `admin_roles`
 Administrator user roles
 
@@ -659,6 +664,11 @@ Can be either 'scram_sha_1' or 'scram_sha_256'.
 scram_sha_256 password synchronization verification is not supported.
 Default: 'scram_sha_1'
 
+##### `update_password`
+Update password.
+Used with SCRAM-SHA-256 because password verification is not supported.
+Default: false
+
 ##### `roles`
 Array with user roles as string.
 Roles will be granted to user's database if no alternative database is explicitly defined.
diff --git a/lib/puppet/type/mongodb_user.rb b/lib/puppet/type/mongodb_user.rb
@@ -90,7 +90,7 @@ def to_s?(_value = @is)
     end
 
     def insync?(_is)
-      return true if @resource[:auth_mechanism] == :scram_sha_256
+      return !@resource[:update_password] if @resource[:auth_mechanism] == :scram_sha_256
 
       should_to_s == to_s?
     end
@@ -102,6 +102,11 @@ def insync?(_is)
     newvalues(:scram_sha_256, :scram_sha_1)
   end
 
+  newparam(:update_password, boolean: true) do
+    desc 'Update password. Used with SCRAM-SHA-256 because password verification is not supported.'
+    defaultto false
+  end
+
   newproperty(:scram_credentials) do
     desc 'The SCRAM-SHA-1 credentials of a user. These are read only and change when password or password_hash changes.'
   end
diff --git a/manifests/db.pp b/manifests/db.pp
@@ -11,15 +11,17 @@
 #  password - Plain text user password. This is UNSAFE, use 'password_hash' instead.
 #  roles (default: ['dbAdmin']) - array with user roles.
 #  tries (default: 10) - The maximum amount of two second tries to wait MongoDB startup.
+#  update_password (default: false) - Force an update of the password when scram_sha_256 is used.
 #
 define mongodb::db (
   String                                             $user,
-  Enum['scram_sha_1', 'scram_sha_256']               $auth_mechanism = 'scram_sha_1',
-  String                                             $db_name        = $name,
-  Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash  = undef,
-  Optional[Variant[String[1], Sensitive[String[1]]]] $password       = undef,
-  Array[String]                                      $roles          = ['dbAdmin'],
-  Integer[0]                                         $tries          = 10,
+  Enum['scram_sha_1', 'scram_sha_256']               $auth_mechanism  = 'scram_sha_1',
+  String                                             $db_name         = $name,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash   = undef,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $password        = undef,
+  Array[String]                                      $roles           = ['dbAdmin'],
+  Integer[0]                                         $tries           = 10,
+  Boolean                                            $update_password = false,
 ) {
   unless $facts['mongodb_is_master'] == 'false' { # lint:ignore:quoted_booleans
     mongodb_database { $db_name:
@@ -39,7 +41,8 @@
 
     if $auth_mechanism == 'scram_sha_256' {
       $password_config = {
-        password => $password,
+        password        => $password,
+        update_password => $update_password,
       }
     } else {
       $password_config = {
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -77,6 +77,7 @@
   String $admin_username                                        = $mongodb::params::admin_username,
   Optional[Variant[String, Sensitive[String]]] $admin_password  = undef,
   Enum['scram_sha_1', 'scram_sha_256'] $admin_auth_mechanism    = $mongodb::params::admin_auth_mechanism,
+  Boolean $admin_update_password                                = false,
   Boolean $handle_creds                                         = $mongodb::params::handle_creds,
   Boolean $store_creds                                          = $mongodb::params::store_creds,
   Array $admin_roles                                            = $mongodb::params::admin_roles,
@@ -106,10 +107,11 @@
   }
   if $create_admin and ($service_ensure == 'running' or $service_ensure == true) {
     mongodb::db { 'admin':
-      user           => $admin_username,
-      auth_mechanism => $admin_auth_mechanism,
-      password       => $admin_password_unsensitive,
-      roles          => $admin_roles,
+      user            => $admin_username,
+      auth_mechanism  => $admin_auth_mechanism,
+      password        => $admin_password_unsensitive,
+      roles           => $admin_roles,
+      update_password => $admin_update_password,
     }
 
     # Make sure it runs before other DB creation
