Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix password changing for SHA-1 mechanism #649 #650

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Fix password changing for SHA-1 mechanism #649 #650

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
69819c5
Add mechanism (SHA-1) to password_hash command
Oct 27, 2022
7f381ae
roll back on master
Oct 27, 2022
d46d3ef
Add mechanism (SHA-1) to password_hash command
Oct 27, 2022
6d3cc73
Add mechanism (default SHA1) to password_hash command
Oct 27, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions lib/puppet/provider/mongodb_user/mongodb.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ def password_hash=(_value)
pwd: @resource[:password_hash],
digestPassword: false
}
command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_1 ? ['SCRAM-SHA-1'] : ['SCRAM-SHA-256']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

'SCRAM-SHA-256' should not be possible.

This mechanism is not compatible with digestPassword: false.

@see https://www.mongodb.com/docs/v5.0/reference/command/updateUser/

The update of password_hash is not compatible with 'SCRAM-SHA-256'.

Copy link
Author

@makhovaa makhovaa Jan 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @poloz-lab ,
I agree with you, it should not be possible, but the module tries to use 256. I've just tested it with 4.2.0.

  1. I've changed password in hiera
  2. Run puppet agent and see the nest lines in debug output:
Debug: Executing: '/usr/bin/mongo unixtest_db --quiet --host 127.0.0.1:27017 --eval load('/root/.mongorc.js'); db.runCommand({"updateUser":"unixtest","pwd":"4c12585bf6d58e07be667e0b13bbf2eb","digestPassword":fals
e})'                                                                                                                                                                                                                
Notice: /Stage[main]/Tele2_mongodb/Mongodb::Db[unixtest_db]/Mongodb_user[User unixtest on db unixtest_db]/password_hash: defined 'password_hash' as '4c12585bf6d58e07be667e0b13bbf2eb' (corrective)
  1. Try new password:
# mongo -u test -p new_password TEST_DB
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/UNIXTEST_DB?compressors=disabled&gssapiServiceName=mongodb
Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:372:17
@(connect):2:6
exception: connect failed
exiting with code 1
  1. The old password work.
  2. From the puppet run debug messages I catched the command which it uses to change password and format it regular bash:
# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'4c12585bf6d58e07be667e0b13bbf2eb','digestPassword':false})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("8b669dcf-57ec-4e21-ae5d-2304e484622c") }
MongoDB server version: 5.0.9
{
        "ok" : 0,
        "errmsg" : "Use of SCRAM-SHA-256 requires undigested passwords",
        "code" : 2,
        "codeName" : "BadValue",
        "$clusterTime" : {
                "clusterTime" : Timestamp(1673440333, 1),
                "signature" : {
                        "hash" : BinData(0,"5lUVoFtqmTq5zA6ZSHcZh71lBuk="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1673440333, 1)
}

But it works if I specify the mechanism:

# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'4c12585bf6d58e07be667e0b13bbf2eb','digestPassword':false,'mechanisms':['SCRAM-SHA-1']})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("2922dcab-a1e1-455a-84fb-51e50e17115f") }
MongoDB server version: 5.0.9
{
        "ok" : 1,
        "$clusterTime" : {
                "clusterTime" : Timestamp(1673440425, 1),
                "signature" : {
                        "hash" : BinData(0,"NlQ+MOKXhwZDtlTV7S/m8bYvA1g="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1673440425, 1)
}

So my changes just fix this issue by adding 'mechanisms':['SCRAM-SHA-1'] to the password changing command, but probably it can be fixed somewhere else.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @makhovaa ,

Yes you need to change it here.

But I was suggesting to not add the possibility to set 'SCRAM-SHA-256' in your ternary because as you see, we can not change the password when it's SCRAM-SHA-256.

Maybe it would be better to raise an error when we arrive there and we have the SCRAM-SHA-256 mechanism.

What do you think ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, but the problem is I don't try to add SHA-256, The module just try to work with user credentials as if they are SHA-256. After looking through the module code I got the impression SHA-1 is a default mechanism, which must be used if user don't specify the alternative. But on practice, I have different and it tries to apply SHA-256:
"errmsg" : "Use of SCRAM-SHA-256 requires undigested passwords"


mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
else
Expand Down
3 changes: 2 additions & 1 deletion spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,8 @@
{
"updateUser":"new_user",
"pwd":"pass",
"digestPassword":false
"digestPassword":false,
"mechanisms":["SCRAM-SHA-1"]
}
EOS
allow(provider).to receive(:mongo_eval).
Expand Down