Add SCRAM-SHA-256 limited support

- auth_mechanism parameter for mongodb_user
- use password instead of password_hash if SCRAM-SHA-256, because password digestion is on the server
- insync is not verified for the password

Author: poloz-lab

README.md

@@ -561,6 +561,11 @@ Administrator user name
 ##### `admin_password`
 Administrator user password
 
+##### `admin_auth_mechanism`
+Administrator authentication mechanism.
+scram_sha_256 password synchronization verification is not supported.
+Default: 'scram_sha_1'
+
 ##### `admin_roles`
 Administrator user roles
 
@@ -648,6 +653,12 @@ For more information please refer to [MongoDB Authentication Process](http://doc
 ##### `password`
 Plain-text user password (will be hashed)
 
+##### `auth_mechanism`
+Authentication mechanism.
+Can be either 'scram_sha_1' or 'scram_sha_256'.
+scram_sha_256 password synchronization verification is not supported.
+Default: 'scram_sha_1'
+
 ##### `roles`
 Array with user roles as string.
 Roles will be granted to user's database if no alternative database is explicitly defined.

lib/puppet/provider/mongodb_user/mongodb.rb

@@ -53,17 +53,25 @@ def create
 
       command = {
         createUser: @resource[:username],
-        pwd: password_hash,
         customData: {
           createdBy: "Puppet Mongodb_user['#{@resource[:name]}']"
         },
         roles: role_hashes(@resource[:roles], @resource[:database]),
-        digestPassword: false
       }
 
       if mongo_4? || mongo_5?
-        # SCRAM-SHA-256 requires digestPassword to be true.
-        command[:mechanisms] = ['SCRAM-SHA-1']
+        if @resource[:auth_mechanism] == :scram_sha_256
+          command[:mechanisms] = ['SCRAM-SHA-256']
+          command[:pwd] = @resource[:password]
+          command[:digestPassword] = true
+        else
+          command[:mechanisms] = ['SCRAM-SHA-1']
+          command[:pwd] = password_hash
+          command[:digestPassword] = false
+        end
+      else
+        command[:pwd] = password_hash
+        command[:digestPassword] = false
       end
 
       mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
@@ -112,6 +120,10 @@ def password=(value)
         digestPassword: true
       }
 
+      if mongo_4? || mongo_5?
+        command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_256 ? ['SCRAM-SHA-256'] : ['SCRAM-SHA-1']
+      end
+
       mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
     end
   end

lib/puppet/type/mongodb_user.rb

@@ -53,7 +53,7 @@ def to_s?(value)
   end
 
   newproperty(:password_hash) do
-    desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later.'
+    desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later. SCRAM-SHA-256 authentication mechanism is not supported.'
     defaultto do
       if @resource[:password].nil?
         raise Puppet::Error, "Property 'password_hash' must be set. Use mongodb_password() for creating hash." if provider.database == :absent
@@ -90,10 +90,18 @@ def to_s?(_value = @is)
     end
 
     def insync?(_is)
+      return true if @resource[:auth_mechanism] == :scram_sha_256
+
       should_to_s == to_s?
     end
   end
 
+  newparam(:auth_mechanism) do
+    desc 'Authentication mechanism. Password verification is not supported with SCRAM-SHA-256.'
+    defaultto :scram_sha_1
+    newvalues(:scram_sha_256, :scram_sha_1)
+  end
+
   newproperty(:scram_credentials) do
     desc 'The SCRAM-SHA-1 credentials of a user. These are read only and change when password or password_hash changes.'
   end
@@ -115,6 +123,8 @@ def insync?(_is)
       err("Either 'password_hash' or 'password' should be provided")
     elsif !self[:password_hash].nil? && !self[:password].nil?
       err("Only one of 'password_hash' or 'password' should be provided")
+    elsif !self[:password_hash].nil? && self[:auth_mechanism] == :scram_sha_256
+      err("'password_hash' is not supported with SCRAM-SHA-256 authentication mechanism")
     end
     if should(:scram_credentials)
       raise("The parameter 'scram_credentials' is read-only and cannot be changed")

manifests/db.pp

@@ -5,6 +5,7 @@
 # == Parameters
 #
 #  user - Database username.
+#  auth_mechanism - Authentication mechanism. scram_sha_256 password verification is not supported. Defaults to 'scram_sha_1'.
 #  db_name - Database name. Defaults to $name.
 #  password_hash - Hashed password. Hex encoded md5 hash of "$username:mongo:$password".
 #  password - Plain text user password. This is UNSAFE, use 'password_hash' instead.
@@ -13,11 +14,12 @@
 #
 define mongodb::db (
   String                                             $user,
-  String                                             $db_name       = $name,
-  Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash = undef,
-  Optional[Variant[String[1], Sensitive[String[1]]]] $password      = undef,
-  Array[String]                                      $roles         = ['dbAdmin'],
-  Integer[0]                                         $tries         = 10,
+  Enum['scram_sha_1', 'scram_sha_256']               $auth_mechanism = 'scram_sha_1',
+  String                                             $db_name        = $name,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash  = undef,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $password       = undef,
+  Array[String]                                      $roles          = ['dbAdmin'],
+  Integer[0]                                         $tries          = 10,
 ) {
   unless $facts['mongodb_is_master'] == 'false' { # lint:ignore:quoted_booleans
     mongodb_database { $db_name:
@@ -35,12 +37,23 @@
       fail("Parameter 'password_hash' or 'password' should be provided to mongodb::db.")
     }
 
+    if $auth_mechanism == 'scram_sha_256' {
+      $password_config = {
+        password => $password,
+      }
+    } else {
+      $password_config = {
+        password_hash => $hash,
+      }
+    }
+
     mongodb_user { "User ${user} on db ${db_name}":
-      ensure        => present,
-      password_hash => $hash,
-      username      => $user,
-      database      => $db_name,
-      roles         => $roles,
+      ensure         => present,
+      username       => $user,
+      database       => $db_name,
+      roles          => $roles,
+      auth_mechanism => $auth_mechanism,
+      *              => $password_config,
     }
   }
 }

manifests/params.pp

@@ -11,6 +11,7 @@
   $restart               = true
   $create_admin          = false
   $admin_username        = 'admin'
+  $admin_auth_mechanism  = 'scram_sha_1'
   $admin_roles           = [
     'userAdmin', 'readWrite', 'dbAdmin', 'dbAdminAnyDatabase', 'readAnyDatabase',
     'readWriteAnyDatabase', 'userAdminAnyDatabase', 'clusterAdmin',

manifests/server.pp

@@ -76,6 +76,7 @@
   Boolean $create_admin                                         = $mongodb::params::create_admin,
   String $admin_username                                        = $mongodb::params::admin_username,
   Optional[Variant[String, Sensitive[String]]] $admin_password  = undef,
+  Enum['scram_sha_1', 'scram_sha_256'] $admin_auth_mechanism    = $mongodb::params::admin_auth_mechanism,
   Boolean $handle_creds                                         = $mongodb::params::handle_creds,
   Boolean $store_creds                                          = $mongodb::params::store_creds,
   Array $admin_roles                                            = $mongodb::params::admin_roles,
@@ -105,9 +106,10 @@
   }
   if $create_admin and ($service_ensure == 'running' or $service_ensure == true) {
     mongodb::db { 'admin':
-      user     => $admin_username,
-      password => $admin_password_unsensitive,
-      roles    => $admin_roles,
+      user           => $admin_username,
+      auth_mechanism => $admin_auth_mechanism,
+      password       => $admin_password_unsensitive,
+      roles          => $admin_roles,
     }
 
     # Make sure it runs before other DB creation