From 9a77eb7fc5999ad0ee41f89d046f42087b742fcc Mon Sep 17 00:00:00 2001
From: Steven POST
Date: Tue, 23 Jul 2024 12:15:29 +0200
Subject: [PATCH 1/3] Test user creation on a replicaset
---
 spec/acceptance/replset_spec.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/spec/acceptance/replset_spec.rb b/spec/acceptance/replset_spec.rb
index bb156835..ca00841e 100644
--- a/spec/acceptance/replset_spec.rb
+++ b/spec/acceptance/replset_spec.rb
@@ -347,5 +347,19 @@ class { 'mongodb::globals':
 expect(r.stdout).to match %r{created_by_puppet}
 end
 end
+
+ it 'create a user' do
+ pp = <<-EOS
+ mongodb_user {'testuser':
+ ensure => present,
+ password_hash => mongodb_password('testuser', 'passw0rd'),
+ database => 'testdb',
+ roles => ['readWrite', 'dbAdmin'],
+ }
+ EOS
+
+ apply_manifest_on(hosts, pp, catch_failures: true)
+ apply_manifest_on(hosts, pp, catch_changes: true)
+ end
 end
 end
From 86f2960d0c320570c15f75b3f3715eb546ce7649 Mon Sep 17 00:00:00 2001
From: Steven POST
Date: Tue, 23 Jul 2024 12:40:51 +0200
Subject: [PATCH 2/3] Retrieve user info on secondary nodes as well Not doing this causes Puppet to display changes when adding secondary users.
---
 lib/puppet/provider/mongodb_user/mongodb.rb | 39 ++++++++-----------
 .../provider/mongodb_user/mongodb_spec.rb | 7 ----
 2 files changed, 17 insertions(+), 29 deletions(-)
diff --git a/lib/puppet/provider/mongodb_user/mongodb.rb b/lib/puppet/provider/mongodb_user/mongodb.rb
index 7eeb79eb..75b3ae18 100644
--- a/lib/puppet/provider/mongodb_user/mongodb.rb
+++ b/lib/puppet/provider/mongodb_user/mongodb.rb
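Review bot: The `it 'create a user'` example added in PATCH 1/3 never checks that `testuser` actually exists in `testdb` with the `readWrite` and `dbAdmin` roles; it only applies the manifest with `catch_failures: true` and again with `catch_changes: true`. A follow-up assertion that lists the users of `testdb` on the hosts and matches `testuser` and both roles in the output, in the way the preceding example matches `created_by_puppet` in `r.stdout`, would pin the result rather than only idempotency. The identical example is added again in PATCH 3/3 (`@@ -73,6 +73,20 @@`), so the same applies there, and a `shared_examples` block would keep the two copies in step.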
@@ -9,28 +9,23 @@
 def self.instances
 require 'json'
- if db_ismaster
- script = 'EJSON.stringify(db.system.users.find().toArray())'
- # A hack to prevent prefetching failures until admin user is created
- script = "try {#{script}} catch (e) { if (e.message.match(/requires authentication/) || e.message.match(/not authorized on admin/)) { 'not authorized on admin' } else {throw e}}" if auth_enabled
-
- out = mongo_eval(script)
- return [] if auth_enabled && (out.include?('requires authentication') || out.include?('not authorized on admin'))
-
- users = JSON.parse out
-
- users.map do |user|
- new(name: user['_id'],
- ensure: :present,
- username: user['user'],
- database: user['db'],
- roles: from_roles(user['roles'], user['db']),
- password_hash: user['credentials']['MONGODB-CR'],
- scram_credentials: user['credentials']['SCRAM-SHA-1'])
- end
- else
- Puppet.warning 'User info is available only from master host'
- []
+ script = 'EJSON.stringify(db.system.users.find().toArray())'
+ # A hack to prevent prefetching failures until admin user is created
+ script = "try {#{script}} catch (e) { if (e.message.match(/requires authentication/) || e.message.match(/not authorized on admin/)) { 'not authorized on admin' } else {throw e}}" if auth_enabled
+
+ out = mongo_eval(script)
+ return [] if auth_enabled && (out.include?('requires authentication') || out.include?('not authorized on admin'))
+
+ users = JSON.parse out
+
+ users.map do |user|
+ new(name: user['_id'],
+ ensure: :present,
+ username: user['user'],
+ database: user['db'],
+ roles: from_roles(user['roles'], user['db']),
+ password_hash: user['credentials']['MONGODB-CR'],
+ scram_credentials: user['credentials']['SCRAM-SHA-1'])
 end
 end
diff --git a/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb b/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
index 22ed42c8..cf2ccd6d 100644
--- a/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
+++ b/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
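Review bot: With the `db_ismaster` guard removed, `JSON.parse out` and `user['credentials']['MONGODB-CR']` in `self.instances` now run on every replica-set member, and neither tolerates unexpected input: output that is not JSON raises `JSON::ParserError`, and a user document without a `credentials` key raises `NoMethodError` on `nil`. Whether `mongo_eval` permits reads on a secondary is not visible in this hunk, so it is worth confirming what `out` holds there when the read is refused. For the lookups, `password_hash: user.dig('credentials', 'MONGODB-CR'),` and `scram_credentials: user.dig('credentials', 'SCRAM-SHA-1'))` avoid the nil dereference. The unit example that covered `instances` on a non-primary is deleted in the same patch with no replacement that stubs a secondary, so the new path has no unit coverage.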
@@ -71,13 +71,6 @@
 end
 end
- describe 'empty self.instances from slave' do
- it 'doesn`t retrun array of users' do
- allow(provider.class).to receive(:db_ismaster).and_return(false)
- expect(provider.class.instances).to be_empty
- end
- end
-
 describe 'create' do
 it 'creates a user' do
 cmd_json = <<-EOS.gsub(%r{^\s*}, '').gsub(%r{$\n}, '')
From 97bcbfb866bf1938e443ff80b06efcb5cb887734 Mon Sep 17 00:00:00 2001
From: Steven POST
Date: Tue, 23 Jul 2024 13:29:22 +0200
Subject: [PATCH 3/3] Add test for user on replicaset without auth
---
 spec/acceptance/replset_spec.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/spec/acceptance/replset_spec.rb b/spec/acceptance/replset_spec.rb
index ca00841e..5f373f42 100644
--- a/spec/acceptance/replset_spec.rb
+++ b/spec/acceptance/replset_spec.rb
@@ -73,6 +73,20 @@ class { 'mongodb::globals':
 expect(r.stdout).to match %r{some value}
 end
 end
+
+ it 'create a user' do
+ pp = <<-EOS
+ mongodb_user {'testuser':
+ ensure => present,
+ password_hash => mongodb_password('testuser', 'passw0rd'),
+ database => 'testdb',
+ roles => ['readWrite', 'dbAdmin'],
+ }
+ EOS
+
+ apply_manifest_on(hosts, pp, catch_failures: true)
+ apply_manifest_on(hosts, pp, catch_changes: true)
+ end
 end
 describe 'mongodb::server with replset_members' do