Merge pull request #369 from noris-network/master

MODULES-5483: Auth and FQDN certs => Fail

README.md

@@ -501,6 +501,10 @@ Default: <>
 Set to true to disable mandatory SSL client authentication
 Default: False
 
+##### `ssl_invalid_hostnames`
+Set to true to disable fqdn SSL cert check
+Default: False
+
 ##### `service_manage`
 Whether or not the MongoDB service resource should be part of the catalog.
 Default: true

lib/facter/is_master.rb

@@ -20,6 +20,18 @@ def get_mongod_conf_file
         unless config['net.port'].nil?
           mongoPort = "--port #{config['net.port']}"
         end
+        if config['net.ssl.mode'] == "requireSSL"
+          ssl = "--ssl --host #{Facter.value(:fqdn)}"
+        end
+        unless config['net.ssl.PEMKeyFile'].nil?
+          sslkey = "--sslPEMKeyFile #{config['net.ssl.PEMKeyFile']}"
+        end
+        unless config['net.ssl.CAFile'].nil?
+          sslca = "--sslCAFile #{config['net.ssl.CAFile']}"
+        end
+        unless config['net.ipv6'].nil?
+          ipv6 = "--ipv6"
+        end
       else # It has to be a key-value config file
         config = {}
         File.readlines(file).collect do |line|
@@ -29,15 +41,26 @@ def get_mongod_conf_file
         unless config['port'].nil?
           mongoPort = "--port #{config['port']}"
         end
+        if config['ssl'] == "requireSSL"
+          ssl = "--ssl --host #{Facter.value(:fqdn)}"
+        end
+        unless config['sslcert'].nil?
+          sslkey = "--sslPEMKeyFile #{config['sslcert']}"
+        end
+        unless config['sslca'].nil?
+          sslca = "--sslCAFile #{config['sslca']}"
+        end
+        unless config['ipv6'].nil?
+          ipv6 = "--ipv6"
+        end
       end
       e = File.exists?('/root/.mongorc.js') ? 'load(\'/root/.mongorc.js\'); ' : ''
 
       # Check if the mongodb server is responding:
-      Facter::Core::Execution.exec("mongo --quiet #{mongoPort} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"")
+      Facter::Core::Execution.exec("mongo --quiet #{ssl} #{sslkey} #{sslca} #{ipv6} #{mongoPort} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"")
 
       if $?.success?
-        mongo_output = Facter::Core::Execution.exec("mongo --quiet #{mongoPort} --eval \"#{e}printjson(db.isMaster())\"")
-        JSON.parse(mongo_output.gsub(/\w+\(.+?\)/, '"foo"'))['ismaster'] ||= false
+        Facter::Core::Execution.exec("mongo --quiet #{ssl} #{sslkey} #{sslca} #{ipv6} #{mongoPort} --eval \"#{e}db.isMaster().ismaster\"")
       else
         'not_responding'
       end

lib/puppet/provider/mongodb.rb

@@ -41,6 +41,7 @@ def self.get_mongo_conf
       config_hash['bindip'] = config['net.bindIp']
       config_hash['port'] = config['net.port']
       config_hash['ipv6'] = config['net.ipv6']
+      config_hash['allowInvalidHostnames'] = config['net.ssl.allowInvalidHostnames']
       config_hash['ssl'] = config['net.ssl.mode']
       config_hash['sslcert'] = config['net.ssl.PEMKeyFile']
       config_hash['sslca'] = config['net.ssl.CAFile']
@@ -57,6 +58,7 @@ def self.get_mongo_conf
       config_hash['port'] = config['port']
       config_hash['ipv6'] = config['ipv6']
       config_hash['ssl'] = config['sslOnNormalPorts']
+      config_hash['allowInvalidHostnames'] = config['allowInvalidHostnames']
       config_hash['sslcert'] = config['sslPEMKeyFile']
       config_hash['sslca'] = config['sslCAFile']
       config_hash['auth'] = config['auth']
@@ -78,11 +80,17 @@ def self.ssl_is_enabled(config=nil)
     ssl_mode.nil? ? false : ssl_mode != 'disabled'
   end
 
+  def self.ssl_invalid_hostnames(config=nil)
+    config ||= get_mongo_conf
+    config['allowInvalidHostnames']
+  end
+
   def self.mongo_cmd(db, host, cmd)
     config = get_mongo_conf
 
     args = [db, '--quiet', '--host', host]
     args.push('--ipv6') if ipv6_is_enabled(config)
+    args.push('--sslAllowInvalidHostnames') if ssl_invalid_hostnames(config)
 
     if ssl_is_enabled(config)
       args.push('--ssl')
@@ -180,6 +188,8 @@ def self.mongo_eval(cmd, db = 'admin', retries = 10, host = nil)
       out.gsub!(/#{data_type}\(([^)]*)\)/, '\1')
     end
     out.gsub!(/^Error\:.+/, '')
+    out.gsub!(/^.*warning\:.+/, '') # remove warnings if sslAllowInvalidHostnames is true
+    out.gsub!(/^.*The server certificate does not match the host name.+/, '') # remove warnings if sslAllowInvalidHostnames is true mongo 3.x
     out
   end
 

lib/puppet/provider/mongodb_replset/mongo.rb

@@ -275,6 +275,7 @@ def self.mongo_command(command, host=nil, retries=4)
 
     #Hack to avoid non-json empty sets
     output = "{}" if output == "null\n"
+    output = "{}" if output == "\nnull\n"
 
     # Parse the JSON output and return
     JSON.parse(output)

manifests/server.pp

@@ -1,103 +1,105 @@
 # This installs a MongoDB server. See README.md for more details.
 class mongodb::server (
-  $ensure           = $mongodb::params::ensure,
-
-  $user             = $mongodb::params::user,
-  $group            = $mongodb::params::group,
-
-  $config           = $mongodb::params::config,
-  $dbpath           = $mongodb::params::dbpath,
-  $dbpath_fix       = $mongodb::params::dbpath_fix,
-  $pidfilepath      = $mongodb::params::pidfilepath,
-  $pidfilemode      = $mongodb::params::pidfilemode,
-  $manage_pidfile   = $mongodb::params::manage_pidfile,
-  $rcfile           = $mongodb::params::rcfile,
-
-  $service_manage   = $mongodb::params::service_manage,
-  $service_provider = $mongodb::params::service_provider,
-  $service_name     = $mongodb::params::service_name,
-  $service_enable   = $mongodb::params::service_enable,
-  $service_ensure   = $mongodb::params::service_ensure,
-  $service_status   = $mongodb::params::service_status,
-
-  $package_ensure   = $mongodb::params::package_ensure,
-  $package_name     = $mongodb::params::server_package_name,
-
-  $logpath          = $mongodb::params::logpath,
-  $bind_ip          = $mongodb::params::bind_ip,
-  $ipv6             = undef,
-  $logappend        = true,
-  $system_logrotate = undef,
-  $fork             = $mongodb::params::fork,
-  $port             = undef,
-  $journal          = $mongodb::params::journal,
-  $nojournal        = undef,
-  $smallfiles       = undef,
-  $cpu              = undef,
-  $auth             = false,
-  $noauth           = undef,
-  $verbose          = undef,
-  $verbositylevel   = undef,
-  $objcheck         = undef,
-  $quota            = undef,
-  $quotafiles       = undef,
-  $diaglog          = undef,
-  $directoryperdb   = undef,
-  $profile          = undef,
-  $maxconns         = undef,
-  $oplog_size       = undef,
-  $nohints          = undef,
-  $nohttpinterface  = undef,
-  $noscripting      = undef,
-  $notablescan      = undef,
-  $noprealloc       =  undef,
-  $nssize           = undef,
-  $mms_token        = undef,
-  $mms_name         = undef,
-  $mms_interval     = undef,
-  $replset          = undef,
-  $replset_config   = undef,
-  $replset_members  = undef,
-  $configsvr        = undef,
-  $shardsvr         = undef,
-  $rest             = undef,
-  $quiet            = undef,
-  $slowms           = undef,
-  $keyfile          = undef,
-  $key              = undef,
-  $set_parameter    = undef,
-  $syslog           = undef,
-  $config_content   = undef,
-  $config_template  = undef,
-  $ssl              = undef,
-  $ssl_key          = undef,
-  $ssl_ca           = undef,
-  $ssl_weak_cert    = false,
-  $restart          = $mongodb::params::restart,
-  $storage_engine   = undef,
-
-  $create_admin     = $mongodb::params::create_admin,
-  $admin_username   = $mongodb::params::admin_username,
-  $admin_password   = undef,
-  $handle_creds     = $mongodb::params::handle_creds,
-  $store_creds      = $mongodb::params::store_creds,
-  $admin_roles      = ['userAdmin', 'readWrite', 'dbAdmin',
-                      'dbAdminAnyDatabase', 'readAnyDatabase',
-                      'readWriteAnyDatabase', 'userAdminAnyDatabase',
-                      'clusterAdmin', 'clusterManager', 'clusterMonitor',
-                      'hostManager', 'root', 'restore'],
+  $ensure                = $mongodb::params::ensure,
+
+  $user                  = $mongodb::params::user,
+  $group                 = $mongodb::params::group,
+
+  $config                = $mongodb::params::config,
+  $dbpath                = $mongodb::params::dbpath,
+  $dbpath_fix            = $mongodb::params::dbpath_fix,
+  $pidfilepath           = $mongodb::params::pidfilepath,
+  $pidfilemode           = $mongodb::params::pidfilemode,
+  $manage_pidfile        = $mongodb::params::manage_pidfile,
+  $rcfile                = $mongodb::params::rcfile,
+
+  $service_manage        = $mongodb::params::service_manage,
+  $service_provider      = $mongodb::params::service_provider,
+  $service_name          = $mongodb::params::service_name,
+  $service_enable        = $mongodb::params::service_enable,
+  $service_ensure        = $mongodb::params::service_ensure,
+  $service_status        = $mongodb::params::service_status,
+
+  $package_ensure        = $mongodb::params::package_ensure,
+  $package_name          = $mongodb::params::server_package_name,
+
+  $logpath               = $mongodb::params::logpath,
+  $bind_ip               = $mongodb::params::bind_ip,
+  $ipv6                  = undef,
+  $logappend             = true,
+  $system_logrotate      = undef,
+  $fork                  = $mongodb::params::fork,
+  $port                  = undef,
+  $journal               = $mongodb::params::journal,
+  $nojournal             = undef,
+  $smallfiles            = undef,
+  $cpu                   = undef,
+  $auth                  = false,
+  $noauth                = undef,
+  $verbose               = undef,
+  $verbositylevel        = undef,
+  $objcheck              = undef,
+  $quota                 = undef,
+  $quotafiles            = undef,
+  $diaglog               = undef,
+  $directoryperdb        = undef,
+  $profile               = undef,
+  $maxconns              = undef,
+  $oplog_size            = undef,
+  $nohints               = undef,
+  $nohttpinterface       = undef,
+  $noscripting           = undef,
+  $notablescan           = undef,
+  $noprealloc            =  undef,
+  $nssize                = undef,
+  $mms_token             = undef,
+  $mms_name              = undef,
+  $mms_interval          = undef,
+  $replset               = undef,
+  $replset_config        = undef,
+  $replset_members       = undef,
+  $configsvr             = undef,
+  $shardsvr              = undef,
+  $rest                  = undef,
+  $quiet                 = undef,
+  $slowms                = undef,
+  $keyfile               = undef,
+  $key                   = undef,
+  $set_parameter         = undef,
+  $syslog                = undef,
+  $config_content        = undef,
+  $config_template       = undef,
+  $ssl                   = undef,
+  $ssl_key               = undef,
+  $ssl_ca                = undef,
+  $ssl_weak_cert         = false,
+  $ssl_invalid_hostnames = false,
+  $restart               = $mongodb::params::restart,
+  $storage_engine        = undef,
+
+  $create_admin          = $mongodb::params::create_admin,
+  $admin_username        = $mongodb::params::admin_username,
+  $admin_password        = undef,
+  $handle_creds          = $mongodb::params::handle_creds,
+  $store_creds           = $mongodb::params::store_creds,
+  $admin_roles           = ['userAdmin', 'readWrite', 'dbAdmin',
+                            'dbAdminAnyDatabase', 'readAnyDatabase',
+                            'readWriteAnyDatabase', 'userAdminAnyDatabase',
+                            'clusterAdmin', 'clusterManager', 'clusterMonitor',
+                            'hostManager', 'root', 'restore'],
 
   # Deprecated parameters
-  $master          = undef,
-  $slave           = undef,
-  $only            = undef,
-  $source          = undef,
+  $master                = undef,
+  $slave                 = undef,
+  $only                  = undef,
+  $source                = undef,
 ) inherits mongodb::params {
 
 
   if $ssl {
     validate_string($ssl_key, $ssl_ca)
     validate_bool($ssl_weak_cert)
+    validate_bool($ssl_invalid_hostnames)
   }
 
   if ($ensure == 'present' or $ensure == true) {

manifests/server/config.pp

@@ -67,6 +67,7 @@
   $ssl_key          = $mongodb::server::ssl_key
   $ssl_ca           = $mongodb::server::ssl_ca
   $ssl_weak_cert    = $mongodb::server::ssl_weak_cert
+  $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames
   $storage_engine   = $mongodb::server::storage_engine
   $version          = $mongodb::server::version
 
@@ -146,6 +147,7 @@
       # - $ssl_ca
       # - $ssl_key
       # - $ssl_weak_cert
+      # - $ssl_invalid_hostnames
       # - $syslog
       # - $system_logrotate
       # - $verbose
@@ -202,6 +204,7 @@
       # - $ssl_ca
       # - $ssl_key
       # - $ssl_weak_cert
+      # - $ssl_invalid_hostnames
       # - storage_engine_internal
       # - $syslog
       # - $verbose

templates/mongodb.conf.2.6.erb

@@ -117,6 +117,9 @@ net.ssl.CAFile: <%= @ssl_ca %>
 <% if @ssl_weak_cert -%>
 net.ssl.weakCertificateValidation: <%= @ssl_weak_cert %>
 <% end -%>
+<% if @ssl_invalid_hostnames -%>
+net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
+<% end -%>
 <% end -%>
 
 #Replication

templates/mongodb.conf.erb

@@ -196,4 +196,7 @@ sslCAFile = <%= @ssl_ca %>
 # - after 3.0.0: sslAllowConnectionsWithoutCertificates
 sslWeakCertificateValidation = <%= @ssl_weak_cert %>
 <% end -%>
+<% if @ssl_invalid_hostnames -%>
+net.ssl.allowInvalidHostnames = <%= @ssl_invalid_hostnames %>
+<% end -%>
 <% end -%>