From c6bd001c832ba4c39db1ff9adcf72db85706b917 Mon Sep 17 00:00:00 2001
From: Jethro van Ginkel <j.v.ginkel@itshosted.nl>
Date: Wed, 25 Jan 2023 16:01:12 +0100
Subject: [PATCH] Set correct auth_mechanism for updateUser

Currently the mongodb command `updateUser` defaults to SCRAM-SHA-256 but you can't update these passwords.

And also show an error when the update goes wrong.
---
 lib/puppet/provider/mongodb_user/mongodb.rb            | 6 ++++--
 spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb | 5 +++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/puppet/provider/mongodb_user/mongodb.rb b/lib/puppet/provider/mongodb_user/mongodb.rb
index 07762fd57..2d367e4b3 100644
--- a/lib/puppet/provider/mongodb_user/mongodb.rb
+++ b/lib/puppet/provider/mongodb_user/mongodb.rb
@@ -101,10 +101,12 @@ def password_hash=(_value)
       command = {
         updateUser: @resource[:username],
         pwd: @resource[:password_hash],
-        digestPassword: false
+        digestPassword: false,
+        mechanisms: @resource[:auth_mechanism] == :scram_sha_1 ? ['SCRAM-SHA-1'] : ['SCRAM-SHA-256'],
       }
 
-      mongo_eval("db.runCommand(#{command.to_json})", @resource[:database])
+      out = JSON.parse(mongo_eval("db.runCommand(#{command.to_json})", @resource[:database]))
+      raise "Failed update User password for user '#{@resource[:username]}'\n#{out}" if out['ok'].zero?
     else
       Puppet.warning 'User password operations are available only from master host'
     end
diff --git a/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb b/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
index 197605108..268a052bd 100644
--- a/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
+++ b/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb
@@ -93,11 +93,12 @@
       {
           "updateUser":"new_user",
           "pwd":"pass",
-          "digestPassword":false
+          "digestPassword":false,
+          "mechanisms":["SCRAM-SHA-1"]
       }
       EOS
       allow(provider).to receive(:mongo_eval).
-        with("db.runCommand(#{cmd_json})", 'new_database')
+        with("db.runCommand(#{cmd_json})", 'new_database').and_return('{"ok": 1}')
       provider.password_hash = 'newpass'
       expect(provider).to have_received(:mongo_eval)
     end