Skip to content

fix: atlas connectCluster defaults to readOnly DB roles - MCP-125 #471

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Aug 22, 2025
Merged

fix: atlas connectCluster defaults to readOnly DB roles - MCP-125 #471

merged 12 commits into from
Aug 22, 2025

Conversation

blva
Copy link
Collaborator

@blva blva commented Aug 22, 2025
edited
Loading

Proposed changes

  • Defaults to readOnly DB user role unless all tools are enabled

Checklist

@blva blva marked this pull request as ready for review August 22, 2025 14:36
@Copilot Copilot AI review requested due to automatic review settings August 22, 2025 14:36
@blva blva requested a review from a team as a code owner August 22, 2025 14:36
Copilot
Copilot AI reviewed Aug 22, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR extracts role determination logic from the ConnectClusterTool into a reusable function that defaults to read-only database roles unless all tools are enabled. The change improves security by being more restrictive with database permissions.

  • Extracted role determination logic into a reusable getDefaultRoleFromConfig function
  • Changed default behavior to assign read-only roles when any write tools are disabled
  • Added comprehensive unit tests for the new role determination logic

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/common/atlas/roles.ts New module containing the extracted role determination logic
src/tools/atlas/connect/connectCluster.ts Refactored to use the new role determination function
tests/unit/common/roles.test.ts Unit tests covering various role determination scenarios

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@blva blva changed the title fix: atlas connectCluster defaults to readOnly DB roles fix: atlas connectCluster defaults to readOnly DB roles - [MCP-125] Aug 22, 2025
@blva blva changed the title fix: atlas connectCluster defaults to readOnly DB roles - [MCP-125] fix: atlas connectCluster defaults to readOnly DB roles - MCP-125 Aug 22, 2025
@coveralls
Copy link
Collaborator

coveralls commented Aug 22, 2025
edited
Loading

Pull Request Test Coverage Report for Build 17161333946

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 25 of 25 (100.0%) changed or added relevant lines in 2 files are covered.
  • 49 unchanged lines in 10 files lost coverage.
  • Overall coverage decreased (-0.1%) to 81.909%
Files with Coverage Reduction New Missed Lines %
src/tools/mongodb/metadata/listDatabases.ts 1 92.0%
src/tools/mongodb/read/collectionIndexes.ts 1 95.83%
src/tools/atlas/read/listAlerts.ts 3 64.1%
src/tools/atlas/read/listOrgs.ts 3 84.85%
src/tools/atlas/read/inspectAccessList.ts 4 85.71%
src/common/session.ts 6 79.31%
src/tools/mongodb/mongodbTool.ts 6 84.85%
src/tools/atlas/read/listDBUsers.ts 7 79.37%
src/tools/atlas/read/listClusters.ts 8 56.07%
src/tools/atlas/read/listProjects.ts 10 65.57%
Totals Coverage Status
Change from base Build 17159232873: -0.1%
Covered Lines: 4360
Relevant Lines: 5298
💛 - Coveralls

nirinchev
nirinchev reviewed Aug 22, 2025
View reviewed changes
src/common/atlas/roles.ts Outdated
};
}

// If all write tools are enabled, use readWriteAnyDatabase
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit hard to follow due to the double negation, but I don't think this is the right condition to check - if any write tool is enabled, we should default to readWrite, otherwise we're risking some tools to not work as intended. For example, if I want to be able to insert new data, but not delete existing documents, I may disable delete tools, but I'll still need the readWriteAnyDatabase user.

Copy link
Collaborator Author

@blva blva Aug 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit hard to follow due to the double negation, but I don't think this is the right condition to check - if any write tool is enabled, we should default to readWrite, otherwise we're risking some tools to not work as intended.

Oh, got it! I thought that we were trying to avoid any writes if any of them are disabled.

For example, if I want to be able to insert new data, but not delete existing documents, I may disable delete tools, but I'll still need the readWriteAnyDatabase user.

Fair, I thought we wanted to be more strict, but I agree that this would just cause people to enable all tools

@blva blva requested a review from nirinchev August 22, 2025 15:57
nirinchev
nirinchev approved these changes Aug 22, 2025
View reviewed changes
Copy link
Collaborator

@nirinchev nirinchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Final nits from me, otherwise looks good.

@blva blva enabled auto-merge (squash) August 22, 2025 17:06
@blva blva merged commit 46a93cc into main Aug 22, 2025
17 checks passed
@blva blva deleted the MCP-125 branch August 22, 2025 17:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@nirinchev nirinchev nirinchev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@blva @coveralls @nirinchev