Merge pull request voxpupuli#271 from tanadeau/2.6-ssl-support

MongoDB 2.6 SSL support

Author: hunner

README.md

@@ -67,7 +67,7 @@ For Red Hat family systems, the client can be installed in a similar fashion:
 class {'::mongodb::client':}
 ```
 
-Note that for Debian/Ubuntu family systems the client is installed with the 
+Note that for Debian/Ubuntu family systems the client is installed with the
 server. Using the client class will by default install the server.
 
 If one plans to configure sharding for a Mongo deployment, the module offer
@@ -427,11 +427,11 @@ class mongodb::server {
 Set to true to enable a simple REST interface. Default: false
 
 #####`quiet`
-Runs the mongod or mongos instance in a quiet mode that attempts to limit the 
+Runs the mongod or mongos instance in a quiet mode that attempts to limit the
 amount of output. This option suppresses : "output from database commands, including drop, dropIndexes, diagLogging, validate, and clean", "replication activity", "connection accepted events" and "connection closed events".
 Default: false
 
-> For production systems this option is **not** recommended as it may make tracking 
+> For production systems this option is **not** recommended as it may make tracking
 problems during particular connections much more difficult.
 
 #####`slowms`
@@ -476,8 +476,9 @@ this slave instance will replicate. Default: <>
 
 #####`ssl`
 Set to true to enable ssl. Default: <>
-*Important*: You need to have ssl_key and ssl_ca set as well and files
-need to pre-exist on node.
+*Important*: You need to have ssl_key set as well, and the file needs to
+pre-exist on node. If you wish to use certificate validation, ssl_ca must also
+be set.
 
 #####`ssl_key`
 Default: <>

lib/puppet/provider/mongodb.rb

@@ -28,55 +28,79 @@ def self.get_mongod_conf_file
     file
   end
 
-  def self.ipv6_is_enabled
+  def self.get_mongo_conf
     file = get_mongod_conf_file
+    # The mongo conf is probably a key-value store, even though 2.6 is
+    # supposed to use YAML, because the config template is applied
+    # based on $::mongodb::globals::version which is the user will not
+    # necessarily set. This attempts to get the port from both types of
+    # config files.
     config = YAML.load_file(file)
-    if config.kind_of?(Hash)
-      ipv6 = config['net.ipv6']
-    else # It has to be a key-value store
+    config_hash = Hash.new
+    if config.kind_of?(Hash) # Using a valid YAML file for mongo 2.6
+      config_hash['bindip'] = config['net.bindIp']
+      config_hash['port'] = config['net.port']
+      config_hash['ipv6'] = config['net.ipv6']
+      config_hash['ssl'] = config['net.ssl.mode']
+      config_hash['sslcert'] = config['net.ssl.PEMKeyFile']
+      config_hash['sslca'] = config['net.ssl.CAFile']
+      config_hash['auth'] = config['security.authorization']
+      config_hash['shardsvr'] = config['sharding.clusterRole']
+      config_hash['confsvr'] = config['sharding.clusterRole']
+    else # It has to be a key-value config file
       config = {}
       File.readlines(file).collect do |line|
         k,v = line.split('=')
         config[k.rstrip] = v.lstrip.chomp if k and v
       end
-      ipv6 = config['ipv6']
+      config_hash['bindip'] = config['bind_ip']
+      config_hash['port'] = config['port']
+      config_hash['ipv6'] = config['ipv6']
+      config_hash['ssl'] = config['sslMode']
+      config_hash['sslcert'] = config['sslPEMKeyFile']
+      config_hash['sslca'] = config['sslCAFile']
+      config_hash['auth'] = config['auth']
+      config_hash['shardsvr'] = config['shardsvr']
+      config_hash['confsvr'] = config['confsvr']
     end
-    ipv6
+
+    config_hash
   end
 
-  def self.mongo_cmd(db, host, cmd)
-    if ipv6_is_enabled
-      out = mongo([db, '--quiet', '--ipv6', '--host', host, '--eval', cmd])
-    else
-      out = mongo([db, '--quiet', '--host', host, '--eval', cmd])
-    end
+  def self.ipv6_is_enabled(config=nil)
+    config ||= get_mongo_conf
+    config['ipv6']
   end
 
-  def self.get_conn_string
-    file = get_mongod_conf_file
-    # The mongo conf is probably a key-value store, even though 2.6 is
-    # supposed to use YAML, because the config template is applied
-    # based on $::mongodb::globals::version which is the user will not
-    # necessarily set. This attempts to get the port from both types of
-    # config files.
-    config = YAML.load_file(file)
-    if config.kind_of?(Hash) # Using a valid YAML file for mongo 2.6
-      bindip = config['net.bindIp']
-      port = config['net.port']
-      shardsvr = config['sharding.clusterRole']
-      confsvr = config['sharding.clusterRole']
-    else # It has to be a key-value config file
-      config = {}
-      File.readlines(file).collect do |line|
-         k,v = line.split('=')
-         config[k.rstrip] = v.lstrip.chomp if k and v
+  def self.ssl_is_enabled(config=nil)
+    config ||= get_mongo_conf
+    ssl_mode = config.fetch('ssl')
+    ssl_mode.nil? ? false : ssl_mode != 'disabled'
+  end
+
+  def self.mongo_cmd(db, host, cmd)
+    config = get_mongo_conf
+
+    args = [db, '--quiet', '--host', host]
+    args.push('--ipv6') if ipv6_is_enabled(config)
+
+    if ssl_is_enabled(config)
+      args.push('--ssl')
+      args += ['--sslPEMKeyFile', config['sslcert']]
+
+      ssl_ca = config['sslca']
+      unless ssl_ca.nil?
+        args += ['--sslCAFile', ssl_ca]
       end
-      bindip = config['bind_ip']
-      port = config['port']
-      shardsvr = config['shardsvr']
-      confsvr = config['confsvr']
     end
 
+    args += ['--eval', cmd]
+    mongo(args)
+  end
+
+  def self.get_conn_string
+    config = get_mongo_conf
+    bindip = config.fetch('bindip')
     if bindip
       first_ip_in_list = bindip.split(',').first
       case first_ip_in_list
@@ -89,6 +113,9 @@ def self.get_conn_string
       end
     end
 
+    port = config.fetch('port')
+    shardsvr = config.fetch('shardsvr')
+    confsvr = config.fetch('confsvr')
     if port
       port_real = port
     elsif !port and (confsvr.eql? 'configsvr' or confsvr.eql? 'true')
@@ -105,7 +132,7 @@ def self.get_conn_string
   def self.db_ismaster
     cmd_ismaster = 'printjson(db.isMaster())'
     if mongorc_file
-        cmd_ismaster = mongorc_file + cmd_ismaster
+      cmd_ismaster = mongorc_file + cmd_ismaster
     end
     db = 'admin'
     out = mongo_cmd(db, get_conn_string, cmd_ismaster)
@@ -121,29 +148,17 @@ def db_ismaster
     self.class.db_ismaster
   end
 
-  def self.auth_enabled
-    auth_enabled = false
-    file = get_mongod_conf_file
-    config = YAML.load_file(file)
-    if config.kind_of?(Hash)
-      auth_enabled = config['security.authorization']
-    else # It has to be a key-value store
-      config = {}
-      File.readlines(file).collect do |line|
-        k,v = line.split('=')
-        config[k.rstrip] = v.lstrip.chomp if k and v
-      end
-      auth_enabled = config['auth']
-    end
-    return auth_enabled
+  def self.auth_enabled(config=nil)
+    config ||= get_mongo_conf
+    config['auth']
   end
 
   # Mongo Command Wrapper
   def self.mongo_eval(cmd, db = 'admin', retries = 10, host = nil)
     retry_count = retries
     retry_sleep = 3
     if mongorc_file
-        cmd = mongorc_file + cmd
+      cmd = mongorc_file + cmd
     end
 
     out = nil

manifests/server/config.pp

@@ -132,6 +132,9 @@
       # - $shardsvr
       # - $slowms
       # - $smallfiles
+      # - $ssl
+      # - $ssl_ca
+      # - $ssl_key
       # - $syslog
       # - $verbose
       # - $verbositylevel

templates/mongodb.conf.2.6.erb

@@ -102,6 +102,13 @@ net.maxIncomingConnections: <%= @maxconns %>
 <% if ! @nohttpinterface.nil? -%>
 net.http.enabled: <%= ! @nohttpinterface %>
 <% end -%>
+<% if @ssl -%>
+net.ssl.mode: requireSSL
+net.ssl.PEMKeyFile: <%= @ssl_key %>
+<% if @ssl_ca -%>
+net.ssl.CAFile: <%= @ssl_ca %>
+<% end -%>
+<% end -%>
 
 #Replication
 <% if @replset -%>

templates/mongodb.conf.erb

@@ -186,5 +186,7 @@ quiet = <%= @quiet %>
 <% if @ssl -%>
 sslOnNormalPorts = true
 sslPEMKeyFile = <%= @ssl_key %>
+<% if @ssl_ca -%>
 sslCAFile = <%= @ssl_ca %>
 <% end -%>
+<% end -%>