From a8ec3585a4cba79b6f13c1c3d6a32f7139db2b1c Mon Sep 17 00:00:00 2001
From: Wayne Werner <wwerner@vmware.com>
Date: Tue, 15 Feb 2022 15:42:34 -0600
Subject: [PATCH] Add ssl argument to mongo pillar

---
 salt/pillar/mongo.py                    | 13 +++++++++++++
 tests/pytests/unit/pillar/test_mongo.py | 20 ++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/salt/pillar/mongo.py b/salt/pillar/mongo.py
index fc6d7cf8fc3..956fee078bb 100644
--- a/salt/pillar/mongo.py
+++ b/salt/pillar/mongo.py
@@ -129,12 +129,25 @@ def ext_pillar(
           careful with other fields in the document as they must be string
           serializable. Defaults to ``None``.
     """
+    host = __opts__["mongo.host"]
+    port = __opts__["mongo.port"]
+    ssl = __opts__.get("mongo.ssl") or False
+    log.info("connecting to %s:%s for mongo ext_pillar", host, port)
+    conn = pymongo.MongoClient(host=host, port=port, ssl=ssl)
+
+    log.debug("using database '%s'", __opts__["mongo.db"])
+    mdb = conn[__opts__["mongo.db"]]
 
     uri = __opts__.get("mongo.uri")
     host = __opts__.get("mongo.host")
     port = __opts__.get("mongo.port")
     user = __opts__.get("mongo.user")
     password = __opts__.get("mongo.password")
+
+    if user and password:
+        log.debug("authenticating as '%s'", user)
+        mdb.authenticate(user, password)
+
     db = __opts__.get("mongo.db")
 
     if uri:
diff --git a/tests/pytests/unit/pillar/test_mongo.py b/tests/pytests/unit/pillar/test_mongo.py
index 0f38f31cdc1..9e5072193ca 100644
--- a/tests/pytests/unit/pillar/test_mongo.py
+++ b/tests/pytests/unit/pillar/test_mongo.py
@@ -28,3 +28,23 @@ def test_config_exception():
     with patch.dict(mongo.__opts__, opts):
         with pytest.raises(salt.exceptions.SaltConfigurationError):
             mongo.ext_pillar("minion1", {})
+
+
+@pytest.mark.parametrize(
+    "expected_ssl, use_ssl",
+    [
+        (True, {"mongo.ssl": True}),
+        (False, {"mongo.ssl": False}),
+        (False, {"mongo.ssl": None}),
+        (False, {}),
+    ],
+)
+def test_mongo_pillar_should_use_ssl_when_set_in_opts(expected_ssl, use_ssl):
+    with patch.dict(
+        "salt.pillar.mongo.__opts__",
+        {**use_ssl, **{"mongo.host": "fnord", "mongo.port": "fnordport"}},
+    ), patch("salt.pillar.mongo.pymongo", create=True) as fake_mongo:
+        mongo.ext_pillar(minion_id="blarp", pillar=None)
+        fake_mongo.MongoClient.assert_called_with(
+            host="fnord", port="fnordport", ssl=expected_ssl
+        )