Skip to content

Fix password changing for SHA-1 mechanism #649#650

Open
makhovaa wants to merge 4 commits intovoxpupuli:masterfrom
makhovaa:sha1-pass
Open

Fix password changing for SHA-1 mechanism #649#650
makhovaa wants to merge 4 commits intovoxpupuli:masterfrom
makhovaa:sha1-pass

Conversation

@makhovaa
Copy link
Copy Markdown

@makhovaa makhovaa commented Oct 27, 2022

Pull Request (PR) description

Added the mechanism parameter for the password_hash command

 def password_hash=(_value)
    if db_ismaster
      command = {
        updateUser: @resource[:username],
        pwd: @resource[:password_hash],
        digestPassword: false
      }
      command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_1 ? ['SCRAM-SHA-1'] : ['SCRAM-SHA-256']

      mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
    else
      Puppet.warning 'User password operations are available only from master host'
    end
  end

Changed unit test for mongodb_user due to new expected line generated for password_hash command.

This Pull Request (PR) fixes the following issues

Fixes #649

Aleksandr Makhov added 4 commits October 27, 2022 13:22
Add mechanism (SHA-1) to password_hash command
69819c5
roll back on master
7f381ae
Add mechanism (SHA-1) to password_hash command
d46d3ef
Add mechanism (default SHA1) to password_hash command
6d3cc73 
According the ussie voxpupuli#649, the module ignore changes in passwrd hashes.
Add the mechanism parameter to the password_hash command
Changed unit test to mongodb_user due to new expected line generated for
password_hash command.
poloz-lab
poloz-lab reviewed Dec 8, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@poloz-lab poloz-lab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @makhovaa ,

I'm not a maintainer, just a user, but I have a little suggestion as I've worked on #643.

Thank's for contributing to this module.

Comment thread lib/puppet/provider/mongodb_user/mongodb.rb
pwd: @resource[:password_hash],
digestPassword: false
}
command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_1 ? ['SCRAM-SHA-1'] : ['SCRAM-SHA-256']
Copy link
Copy Markdown
Contributor

@poloz-lab poloz-lab Dec 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

'SCRAM-SHA-256' should not be possible.

This mechanism is not compatible with digestPassword: false.

@see https://www.mongodb.com/docs/v5.0/reference/command/updateUser/

The update of password_hash is not compatible with 'SCRAM-SHA-256'.

Copy link
Copy Markdown
Author

@makhovaa makhovaa Jan 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @poloz-lab ,
I agree with you, it should not be possible, but the module tries to use 256. I've just tested it with 4.2.0.

  1. I've changed password in hiera
  2. Run puppet agent and see the nest lines in debug output:
Debug: Executing: '/usr/bin/mongo unixtest_db --quiet --host 127.0.0.1:27017 --eval load('/root/.mongorc.js'); db.runCommand({"updateUser":"unixtest","pwd":"4c12585bf6d58e07be667e0b13bbf2eb","digestPassword":fals
e})'                                                                                                                                                                                                                
Notice: /Stage[main]/Tele2_mongodb/Mongodb::Db[unixtest_db]/Mongodb_user[User unixtest on db unixtest_db]/password_hash: defined 'password_hash' as '4c12585bf6d58e07be667e0b13bbf2eb' (corrective)
  1. Try new password:
# mongo -u test -p new_password TEST_DB
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/UNIXTEST_DB?compressors=disabled&gssapiServiceName=mongodb
Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:372:17
@(connect):2:6
exception: connect failed
exiting with code 1
  1. The old password work.
  2. From the puppet run debug messages I catched the command which it uses to change password and format it regular bash:
# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'4c12585bf6d58e07be667e0b13bbf2eb','digestPassword':false})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("8b669dcf-57ec-4e21-ae5d-2304e484622c") }
MongoDB server version: 5.0.9
{
        "ok" : 0,
        "errmsg" : "Use of SCRAM-SHA-256 requires undigested passwords",
        "code" : 2,
        "codeName" : "BadValue",
        "$clusterTime" : {
                "clusterTime" : Timestamp(1673440333, 1),
                "signature" : {
                        "hash" : BinData(0,"5lUVoFtqmTq5zA6ZSHcZh71lBuk="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1673440333, 1)
}

But it works if I specify the mechanism:

# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'4c12585bf6d58e07be667e0b13bbf2eb','digestPassword':false,'mechanisms':['SCRAM-SHA-1']})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("2922dcab-a1e1-455a-84fb-51e50e17115f") }
MongoDB server version: 5.0.9
{
        "ok" : 1,
        "$clusterTime" : {
                "clusterTime" : Timestamp(1673440425, 1),
                "signature" : {
                        "hash" : BinData(0,"NlQ+MOKXhwZDtlTV7S/m8bYvA1g="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1673440425, 1)
}

So my changes just fix this issue by adding 'mechanisms':['SCRAM-SHA-1'] to the password changing command, but probably it can be fixed somewhere else.

Copy link
Copy Markdown
Contributor

@poloz-lab poloz-lab Jan 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @makhovaa ,

Yes you need to change it here.

But I was suggesting to not add the possibility to set 'SCRAM-SHA-256' in your ternary because as you see, we can not change the password when it's SCRAM-SHA-256.

Maybe it would be better to raise an error when we arrive there and we have the SCRAM-SHA-256 mechanism.

What do you think ?

Copy link
Copy Markdown
Author

@makhovaa makhovaa Jan 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, but the problem is I don't try to add SHA-256, The module just try to work with user credentials as if they are SHA-256. After looking through the module code I got the impression SHA-1 is a default mechanism, which must be used if user don't specify the alternative. But on practice, I have different and it tries to apply SHA-256:
"errmsg" : "Use of SCRAM-SHA-256 requires undigested passwords"

@JvGinkel JvGinkel mentioned this pull request Jan 25, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@poloz-lab poloz-lab poloz-lab left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cannot change user's password

2 participants

@makhovaa @poloz-lab