Add support for net.ssl.allowConnectionsWithoutCertificates setting in mongod.conf

CHANGELOG.md

@@ -18,7 +18,7 @@ These should not affect the functionality of the module.
 - Wrong APT-key [\#546](https://github.com/voxpupuli/puppet-mongodb/issues/546)
 - Mongo 4.0.x: unable to create user [\#525](https://github.com/voxpupuli/puppet-mongodb/issues/525)
 - user creation idempotency issues [\#412](https://github.com/voxpupuli/puppet-mongodb/issues/412)
-- fix\(is\_master-fact\): use --ssl if --sslPEMKeyFile or --sslCAFile is s… [\#573](https://github.com/voxpupuli/puppet-mongodb/pull/573) ([buchstabensalat](https://github.com/buchstabensalat))
+- fix\(is\_master-fact\): use --tls if --tlsCertificateKeyFile or --tlsCAFile is s… [\#573](https://github.com/voxpupuli/puppet-mongodb/pull/573) ([buchstabensalat](https://github.com/buchstabensalat))
 - Fixed the problem: the user was not created for Mongodb 4.x [\#561](https://github.com/voxpupuli/puppet-mongodb/pull/561) ([identw](https://github.com/identw))
 - Only create database and user when mongodb\_is\_master [\#558](https://github.com/voxpupuli/puppet-mongodb/pull/558) ([JvGinkel](https://github.com/JvGinkel))
 

README.md

@@ -535,8 +535,8 @@ Set to true to disable fqdn SSL cert check
 Default: False
 
 ##### `ssl_mode`
-Ssl authorization mode. Valid options are: requireSSL, preferSSL, allowSSL.
-Default: requireSSL
+Ssl authorization mode. Valid options are: requireTLS, preferTLS, allowTLS.
+Default: requireTLS
 
 ##### `service_manage`
 Whether or not the MongoDB service resource should be part of the catalog.

lib/facter/is_master.rb

@@ -10,13 +10,14 @@ def get_options_from_hash_config(config)
   result = []
 
   result << "--port #{config['net.port']}" unless config['net.port'].nil?
-  # use --ssl and --host if:
-  # - sslMode is "requireSSL"
-  # - Parameter --sslPEMKeyFile is set
-  # - Parameter --sslCAFile is set
-  result << "--ssl --host #{Facter.value(:fqdn)}" if config['net.ssl.mode'] == 'requireSSL' || !config['net.ssl.PEMKeyFile'].nil? || !config['net.ssl.CAFile'].nil?
-  result << "--sslPEMKeyFile #{config['net.ssl.PEMKeyFile']}" unless config['net.ssl.PEMKeyFile'].nil?
-  result << "--sslCAFile #{config['net.ssl.CAFile']}" unless config['net.ssl.CAFile'].nil?
+  # use --tls and --host if:
+  # - sslMode is "requireTLS"
+  # - Parameter --tlsCertificateKeyFile is set
+  # - Parameter --tlsCAFile is set
+  result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !config['net.tls.certificateKeyFile'].nil? || !config['net.tls.CAFile'].nil?
+  result << "--tlsCertificateKeyFile #{config['net.tls.certificateKeyFile']}" unless config['net.tls.certificateKeyFile'].nil?
+  result << "--tlsCAFile #{config['net.tls.CAFile']}" unless config['net.tls.CAFile'].nil?
+
   result << '--ipv6' unless config['net.ipv6'].nil?
 
   result.join(' ')
@@ -32,13 +33,13 @@ def get_options_from_keyvalue_config(file)
   result = []
 
   result << "--port #{config['port']}" unless config['port'].nil?
-  # use --ssl and --host if:
-  # - sslMode is "requireSSL"
-  # - Parameter --sslPEMKeyFile is set
-  # - Parameter --sslCAFile is set
-  result << "--ssl --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireSSL' || !config['sslcert'].nil? || !config['sslca'].nil?
-  result << "--sslPEMKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
-  result << "--sslCAFile #{config['sslca']}" unless config['sslca'].nil?
+  # use --tls and --host if:
+  # - sslMode is "requireTLS"
+  # - Parameter --tlsCertificateKeyFile is set
+  # - Parameter --tlsCAFile is set
+  result << "--tls --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireTLS' || !config['sslcert'].nil? || !config['sslca'].nil?
+  result << "--tlsCertificateKeyFile #{config['sslcert']}" unless config['sslcert'].nil?
+  result << "--tlsCAFile #{config['sslca']}" unless config['sslca'].nil?
   result << '--ipv6' unless config['ipv6'].nil?
 
   result.join(' ')

lib/puppet/provider/mongodb.rb

@@ -31,10 +31,10 @@ def self.mongo_conf
       'bindip' => config['net.bindIp'],
       'port' => config['net.port'],
       'ipv6' => config['net.ipv6'],
-      'allowInvalidHostnames' => config['net.ssl.allowInvalidHostnames'],
-      'ssl' => config['net.ssl.mode'],
-      'sslcert' => config['net.ssl.PEMKeyFile'],
-      'sslca' => config['net.ssl.CAFile'],
+      'allowInvalidHostnames' => config['net.tls.allowInvalidHostnames'],
+      'ssl' => config['net.tls.mode'],
+      'sslcert' => config['net.tls.certificateKeyFile'],
+      'sslca' => config['net.tls.CAFile'],
       'auth' => config['security.authorization'],
       'shardsvr' => config['sharding.clusterRole'],
       'confsvr' => config['sharding.clusterRole']
@@ -62,14 +62,14 @@ def self.mongo_cmd(db, host, cmd)
 
     args = [db, '--quiet', '--host', host]
     args.push('--ipv6') if ipv6_is_enabled(config)
-    args.push('--sslAllowInvalidHostnames') if ssl_invalid_hostnames(config)
+    args.push('--tlsAllowInvalidHostnames') if ssl_invalid_hostnames(config)
 
     if ssl_is_enabled(config)
-      args.push('--ssl')
-      args += ['--sslPEMKeyFile', config['sslcert']]
+      args.push('--tls')
+      args += ['--tlsCertificateKeyFile', config['sslcert']]
 
       ssl_ca = config['sslca']
-      args += ['--sslCAFile', ssl_ca] unless ssl_ca.nil?
+      args += ['--tlsCAFile', ssl_ca] unless ssl_ca.nil?
     end
 
     args += ['--eval', cmd]

lib/puppet/util/mongodb_output.rb

@@ -7,8 +7,8 @@ def self.sanitize(data)
         data.gsub!(%r{\w+\((.+?)\)}, '\1')
 
         data.gsub!(%r{^Error\:.+}, '')
-        data.gsub!(%r{^.*warning\:.+}, '') # remove warnings if sslAllowInvalidHostnames is true
-        data.gsub!(%r{^.*The server certificate does not match the host name.+}, '') # remove warnings if sslAllowInvalidHostnames is true mongo 3.x
+        data.gsub!(%r{^.*warning\:.+}, '') # remove warnings if tlsAllowInvalidHostnames is true
+        data.gsub!(%r{^.*The server certificate does not match the host name.+}, '') # remove warnings if tlsAllowInvalidHostnames is true mongo 3.x
         data
       end
     end

manifests/server.pp

@@ -19,7 +19,7 @@
   Variant[Boolean, String] $package_ensure              = $mongodb::params::package_ensure,
   String $package_name                                  = $mongodb::params::server_package_name,
   Variant[Boolean, Stdlib::Absolutepath] $logpath       = $mongodb::params::logpath,
-  Array[Stdlib::Compat::Ip_address] $bind_ip            = $mongodb::params::bind_ip,
+  Array[Stdlib::Host] $bind_ip                          = $mongodb::params::bind_ip,
   Optional[Boolean] $ipv6                               = undef,
   Boolean $logappend                                    = true,
   Optional[String] $system_logrotate                    = undef,
@@ -68,9 +68,11 @@
   Optional[Boolean] $ssl                                = undef,
   Optional[Stdlib::Absolutepath] $ssl_key               = undef,
   Optional[Stdlib::Absolutepath] $ssl_ca                = undef,
+  Optional[Stdlib::Absolutepath] $ssl_cluster_file      = undef,
   Boolean $ssl_weak_cert                                = false,
+  Boolean $ssl_without_cert                             = false,
   Boolean $ssl_invalid_hostnames                        = false,
-  Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
+  Enum['requireTLS', 'preferTLS', 'allowTLS'] $ssl_mode = 'requireTLS',
   Boolean $restart                                      = $mongodb::params::restart,
   Optional[String] $storage_engine                      = undef,
   Boolean $create_admin                                 = $mongodb::params::create_admin,

manifests/server/config.pp

@@ -1,72 +1,74 @@
 # PRIVATE CLASS: do not call directly
 class mongodb::server::config {
-  $ensure           = $mongodb::server::ensure
-  $user             = $mongodb::server::user
-  $group            = $mongodb::server::group
-  $config           = $mongodb::server::config
-  $config_content   = $mongodb::server::config_content
-  $config_template  = $mongodb::server::config_template
-  $config_data      = $mongodb::server::config_data
-  $dbpath           = $mongodb::server::dbpath
-  $dbpath_fix       = $mongodb::server::dbpath_fix
-  $pidfilepath      = $mongodb::server::pidfilepath
-  $pidfilemode      = $mongodb::server::pidfilemode
-  $manage_pidfile   = $mongodb::server::manage_pidfile
-  $logpath          = $mongodb::server::logpath
-  $logappend        = $mongodb::server::logappend
-  $system_logrotate = $mongodb::server::system_logrotate
-  $fork             = $mongodb::server::fork
-  $port             = $mongodb::server::port
-  $journal          = $mongodb::server::journal
-  $nojournal        = $mongodb::server::nojournal
-  $smallfiles       = $mongodb::server::smallfiles
-  $cpu              = $mongodb::server::cpu
-  $auth             = $mongodb::server::auth
-  $noath            = $mongodb::server::noauth
-  $create_admin     = $mongodb::server::create_admin
-  $admin_username   = $mongodb::server::admin_username
-  $admin_password   = $mongodb::server::admin_password
-  $handle_creds     = $mongodb::server::handle_creds
-  $store_creds      = $mongodb::server::store_creds
-  $rcfile           = $mongodb::server::rcfile
-  $verbose          = $mongodb::server::verbose
-  $verbositylevel   = $mongodb::server::verbositylevel
-  $objcheck         = $mongodb::server::objcheck
-  $quota            = $mongodb::server::quota
-  $quotafiles       = $mongodb::server::quotafiles
-  $diaglog          = $mongodb::server::diaglog
-  $oplog_size       = $mongodb::server::oplog_size
-  $nohints          = $mongodb::server::nohints
-  $nohttpinterface  = $mongodb::server::nohttpinterface
-  $noscripting      = $mongodb::server::noscripting
-  $notablescan      = $mongodb::server::notablescan
-  $noprealloc       = $mongodb::server::noprealloc
-  $nssize           = $mongodb::server::nssize
-  $mms_token        = $mongodb::server::mms_token
-  $mms_name         = $mongodb::server::mms_name
-  $mms_interval     = $mongodb::server::mms_interval
-  $configsvr        = $mongodb::server::configsvr
-  $shardsvr         = $mongodb::server::shardsvr
-  $replset          = $mongodb::server::replset
-  $rest             = $mongodb::server::rest
-  $quiet            = $mongodb::server::quiet
-  $slowms           = $mongodb::server::slowms
-  $keyfile          = $mongodb::server::keyfile
-  $key              = $mongodb::server::key
-  $ipv6             = $mongodb::server::ipv6
-  $bind_ip          = $mongodb::server::bind_ip
-  $directoryperdb   = $mongodb::server::directoryperdb
-  $profile          = $mongodb::server::profile
-  $maxconns         = $mongodb::server::maxconns
-  $set_parameter    = $mongodb::server::set_parameter
-  $syslog           = $mongodb::server::syslog
-  $ssl              = $mongodb::server::ssl
-  $ssl_key          = $mongodb::server::ssl_key
-  $ssl_ca           = $mongodb::server::ssl_ca
-  $ssl_weak_cert    = $mongodb::server::ssl_weak_cert
+  $ensure                = $mongodb::server::ensure
+  $user                  = $mongodb::server::user
+  $group                 = $mongodb::server::group
+  $config                = $mongodb::server::config
+  $config_content        = $mongodb::server::config_content
+  $config_template       = $mongodb::server::config_template
+  $config_data           = $mongodb::server::config_data
+  $dbpath                = $mongodb::server::dbpath
+  $dbpath_fix            = $mongodb::server::dbpath_fix
+  $pidfilepath           = $mongodb::server::pidfilepath
+  $pidfilemode           = $mongodb::server::pidfilemode
+  $manage_pidfile        = $mongodb::server::manage_pidfile
+  $logpath               = $mongodb::server::logpath
+  $logappend             = $mongodb::server::logappend
+  $system_logrotate      = $mongodb::server::system_logrotate
+  $fork                  = $mongodb::server::fork
+  $port                  = $mongodb::server::port
+  $journal               = $mongodb::server::journal
+  $nojournal             = $mongodb::server::nojournal
+  $smallfiles            = $mongodb::server::smallfiles
+  $cpu                   = $mongodb::server::cpu
+  $auth                  = $mongodb::server::auth
+  $noath                 = $mongodb::server::noauth
+  $create_admin          = $mongodb::server::create_admin
+  $admin_username        = $mongodb::server::admin_username
+  $admin_password        = $mongodb::server::admin_password
+  $handle_creds          = $mongodb::server::handle_creds
+  $store_creds           = $mongodb::server::store_creds
+  $rcfile                = $mongodb::server::rcfile
+  $verbose               = $mongodb::server::verbose
+  $verbositylevel        = $mongodb::server::verbositylevel
+  $objcheck              = $mongodb::server::objcheck
+  $quota                 = $mongodb::server::quota
+  $quotafiles            = $mongodb::server::quotafiles
+  $diaglog               = $mongodb::server::diaglog
+  $oplog_size            = $mongodb::server::oplog_size
+  $nohints               = $mongodb::server::nohints
+  $nohttpinterface       = $mongodb::server::nohttpinterface
+  $noscripting           = $mongodb::server::noscripting
+  $notablescan           = $mongodb::server::notablescan
+  $noprealloc            = $mongodb::server::noprealloc
+  $nssize                = $mongodb::server::nssize
+  $mms_token             = $mongodb::server::mms_token
+  $mms_name              = $mongodb::server::mms_name
+  $mms_interval          = $mongodb::server::mms_interval
+  $configsvr             = $mongodb::server::configsvr
+  $shardsvr              = $mongodb::server::shardsvr
+  $replset               = $mongodb::server::replset
+  $rest                  = $mongodb::server::rest
+  $quiet                 = $mongodb::server::quiet
+  $slowms                = $mongodb::server::slowms
+  $keyfile               = $mongodb::server::keyfile
+  $key                   = $mongodb::server::key
+  $ipv6                  = $mongodb::server::ipv6
+  $bind_ip               = $mongodb::server::bind_ip
+  $directoryperdb        = $mongodb::server::directoryperdb
+  $profile               = $mongodb::server::profile
+  $maxconns              = $mongodb::server::maxconns
+  $set_parameter         = $mongodb::server::set_parameter
+  $syslog                = $mongodb::server::syslog
+  $ssl                   = $mongodb::server::ssl
+  $ssl_key               = $mongodb::server::ssl_key
+  $ssl_ca                = $mongodb::server::ssl_ca
+  $ssl_cluster_file      = $mongodb::server::ssl_cluster_file
+  $ssl_weak_cert         = $mongodb::server::ssl_weak_cert
+  $ssl_without_cert      = $mongodb::server::ssl_without_cert
   $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames
-  $ssl_mode         = $mongodb::server::ssl_mode
-  $storage_engine   = $mongodb::server::storage_engine
+  $ssl_mode              = $mongodb::server::ssl_mode
+  $storage_engine        = $mongodb::server::storage_engine
 
   File {
     owner => $user,
@@ -107,10 +109,14 @@
       # Template has available user-supplied data
       # - $config_data
       $cfg_content = template($config_template)
-    } else {
+    } elsif $facts['mongodb_version'] != undef and $facts['mongodb_version'] =~ /^3/ {
       # Template has available user-supplied data
       # - $config_data
       $cfg_content = template('mongodb/mongodb.conf.2.6.erb')
+    } else {
+      # Template has available user-supplied data
+      # - $config_data
+      $cfg_content = template('mongodb/mongodb.conf.4.erb')
     }
 
     file { $config:

spec/classes/server_spec.rb

@@ -290,11 +290,11 @@
           let :params do
             {
               ssl: true,
-              ssl_mode: 'requireSSL'
+              ssl_mode: 'requireTLS'
             }
           end
 
-          it { is_expected.to contain_file(config_file).with_content(%r{^net\.ssl\.mode: requireSSL$}) }
+          it { is_expected.to contain_file(config_file).with_content(%r{^net\.tls\.mode: requireTLS}) }
         end
 
         context 'disabled' do
@@ -304,7 +304,7 @@
             }
           end
 
-          it { is_expected.not_to contain_file(config_file).with_content(%r{net\.ssl\.mode}) }
+          it { is_expected.not_to contain_file(config_file).with_content(%r{net\.tls\.mode}) }
         end
       end
 

templates/mongodb.conf.2.6.erb

@@ -114,9 +114,15 @@ net.ssl.PEMKeyFile: <%= @ssl_key %>
 <% if @ssl_ca -%>
 net.ssl.CAFile: <%= @ssl_ca %>
 <% end -%>
+<% if @ssl_cluster_file -%>
+net.ssl.clusterFile: <%= @ssl_cluster_file %>
+<% end -%>
 <% if @ssl_weak_cert -%>
 net.ssl.weakCertificateValidation: <%= @ssl_weak_cert %>
 <% end -%>
+<% if @ssl_without_cert -%>
+net.ssl.allowConnectionsWithoutCertificates: <%= @ssl_without_cert %>
+<% end -%>
 <% if @ssl_invalid_hostnames -%>
 net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
 <% end -%>