WIP

blva · blva · commit 3d079c6a3aea · 2025-07-14T17:57:17.000+01:00
diff --git a/README.md b/README.md
@@ -374,10 +374,12 @@ To use the Atlas API tools, you'll need to create a service account in MongoDB A
 To learn more about Service Accounts, check the [MongoDB Atlas documentation](https://www.mongodb.com/docs/atlas/api/service-accounts-overview/).
 
 2. **Save Client Credentials:**
+
    - After creation, you'll be shown the Client ID and Client Secret
    - **Important:** Copy and save the Client Secret immediately as it won't be displayed again
 
 3. **Add Access List Entry:**
+
    - Add your IP address to the API access list
 
 4. **Configure the MCP Server:**
diff --git a/src/common/atlas/ensureAccessList.ts b/src/common/atlas/ensureAccessList.ts
@@ -0,0 +1,29 @@
+import { ApiClientError } from "./apiClientError.js";
+
+/**
+ * Ensures the current public IP is in the access list for the given Atlas project.
+ * If the IP is already present, this is a no-op.
+ * @param apiClient The Atlas API client instance
+ * @param projectId The Atlas project ID
+ */
+export async function ensureCurrentIpInAccessList(apiClient: any, projectId: string): Promise<void> {
+    // Get the current public IP
+    const { currentIpv4Address } = await apiClient.getIpInfo();
+    const entry = {
+        groupId: projectId,
+        ipAddress: currentIpv4Address,
+        comment: "Added by MCP pre-run access list helper",
+    };
+    try {
+        await apiClient.createProjectIpAccessList({
+            params: { path: { groupId: projectId } },
+            body: [entry],
+        });
+    } catch (err) {
+        if (err instanceof ApiClientError && err.response?.status === 409) {
+            // 409 Conflict: entry already exists, ignore
+            return;
+        }
+        throw err;
+    }
+}
diff --git a/src/tools/atlas/connect/connectCluster.ts b/src/tools/atlas/connect/connectCluster.ts
@@ -5,6 +5,7 @@ import { ToolArgs, OperationType } from "../../tool.js";
 import { generateSecurePassword } from "../../../helpers/generatePassword.js";
 import logger, { LogId } from "../../../common/logger.js";
 import { inspectCluster } from "../../../common/atlas/cluster.js";
+import { ensureCurrentIpInAccessList } from "../../../common/atlas/ensureAccessList.js";
 
 const EXPIRY_MS = 1000 * 60 * 60 * 12; // 12 hours
 
@@ -198,6 +199,7 @@ export class ConnectClusterTool extends AtlasToolBase {
     }
 
     protected async execute({ projectId, clusterName }: ToolArgs<typeof this.argsShape>): Promise<CallToolResult> {
+        await ensureCurrentIpInAccessList(this.session.apiClient, projectId);
         for (let i = 0; i < 60; i++) {
             const state = await this.queryConnection(projectId, clusterName);
             switch (state) {
diff --git a/src/tools/atlas/create/createDBUser.ts b/src/tools/atlas/create/createDBUser.ts
@@ -4,6 +4,7 @@ import { AtlasToolBase } from "../atlasTool.js";
 import { ToolArgs, OperationType } from "../../tool.js";
 import { CloudDatabaseUser, DatabaseUserRole } from "../../../common/atlas/openapi.js";
 import { generateSecurePassword } from "../../../helpers/generatePassword.js";
+import { ensureCurrentIpInAccessList } from "../../../common/atlas/ensureAccessList.js";
 
 export class CreateDBUserTool extends AtlasToolBase {
     public name = "atlas-create-db-user";
@@ -44,6 +45,7 @@ export class CreateDBUserTool extends AtlasToolBase {
         roles,
         clusters,
     }: ToolArgs<typeof this.argsShape>): Promise<CallToolResult> {
+        await ensureCurrentIpInAccessList(this.session.apiClient, projectId);
         const shouldGeneratePassword = !password;
         if (shouldGeneratePassword) {
             password = await generateSecurePassword();
diff --git a/src/tools/atlas/create/createFreeCluster.ts b/src/tools/atlas/create/createFreeCluster.ts
@@ -3,6 +3,7 @@ import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { AtlasToolBase } from "../atlasTool.js";
 import { ToolArgs, OperationType } from "../../tool.js";
 import { ClusterDescription20240805 } from "../../../common/atlas/openapi.js";
+import { ensureCurrentIpInAccessList } from "../../../common/atlas/ensureAccessList.js";
 
 export class CreateFreeClusterTool extends AtlasToolBase {
     public name = "atlas-create-free-cluster";
@@ -37,6 +38,7 @@ export class CreateFreeClusterTool extends AtlasToolBase {
             terminationProtectionEnabled: false,
         } as unknown as ClusterDescription20240805;
 
+        await ensureCurrentIpInAccessList(this.session.apiClient, projectId);
         await this.session.apiClient.createCluster({
             params: {
                 path: {
diff --git a/tests/integration/tools/atlas/accessLists.test.ts b/tests/integration/tools/atlas/accessLists.test.ts
@@ -1,6 +1,7 @@
 import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { describeWithAtlas, withProject } from "./atlasHelpers.js";
 import { expectDefined } from "../../helpers.js";
+import { ensureCurrentIpInAccessList } from "../../../../src/common/atlas/ensureAccessList.js";
 
 function generateRandomIp() {
     const randomIp: number[] = [192];
@@ -94,5 +95,23 @@ describeWithAtlas("ip access lists", (integration) => {
                 }
             });
         });
+
+        describe("ensureCurrentIpInAccessList helper", () => {
+            it("should add the current IP to the access list and be idempotent", async () => {
+                const apiClient = integration.mcpServer().session.apiClient;
+                const projectId = getProjectId();
+                const ipInfo = await apiClient.getIpInfo();
+                // First call should add the IP
+                await expect(ensureCurrentIpInAccessList(apiClient, projectId)).resolves.not.toThrow();
+                // Second call should be a no-op (idempotent)
+                await expect(ensureCurrentIpInAccessList(apiClient, projectId)).resolves.not.toThrow();
+                // Check that the IP is present in the access list
+                const accessList = await apiClient.listProjectIpAccessLists({
+                    params: { path: { groupId: projectId } },
+                });
+                const found = accessList.results?.some((entry) => entry.ipAddress === ipInfo.currentIpv4Address);
+                expect(found).toBe(true);
+            });
+        });
     });
 });
diff --git a/tests/integration/tools/atlas/clusters.test.ts b/tests/integration/tools/atlas/clusters.test.ts
@@ -81,20 +81,28 @@ describeWithAtlas("clusters", (integration) => {
                 expect(createFreeCluster.inputSchema.properties).toHaveProperty("region");
             });
 
-            it("should create a free cluster", async () => {
+            it("should create a free cluster and add current IP to access list", async () => {
                 const projectId = getProjectId();
+                const session = integration.mcpServer().session;
+                const ipInfo = await session.apiClient.getIpInfo();
 
                 const response = (await integration.mcpClient().callTool({
                     name: "atlas-create-free-cluster",
                     arguments: {
                         projectId,
-                        name: clusterName,
+                        name: clusterName + "-iptest",
                         region: "US_EAST_1",
                     },
                 })) as CallToolResult;
                 expect(response.content).toBeArray();
-                expect(response.content).toHaveLength(2);
                 expect(response.content[0]?.text).toContain("has been created");
+
+                // Check that the current IP is present in the access list
+                const accessList = await session.apiClient.listProjectIpAccessLists({
+                    params: { path: { groupId: projectId } },
+                });
+                const found = accessList.results?.some((entry) => entry.ipAddress === ipInfo.currentIpv4Address);
+                expect(found).toBe(true);
             });
         });
 
diff --git a/tests/integration/tools/atlas/dbUsers.test.ts b/tests/integration/tools/atlas/dbUsers.test.ts
@@ -78,6 +78,18 @@ describeWithAtlas("db users", (integration) => {
                 expect(elements[0]?.text).toContain(userName);
                 expect(elements[0]?.text).toContain("with password: `");
             });
+
+            it("should add current IP to access list when creating a database user", async () => {
+                const projectId = getProjectId();
+                const session = integration.mcpServer().session;
+                const ipInfo = await session.apiClient.getIpInfo();
+                await createUserWithMCP();
+                const accessList = await session.apiClient.listProjectIpAccessLists({
+                    params: { path: { groupId: projectId } },
+                });
+                const found = accessList.results?.some((entry) => entry.ipAddress === ipInfo.currentIpv4Address);
+                expect(found).toBe(true);
+            });
         });
         describe("atlas-list-db-users", () => {
             it("should have correct metadata", async () => {
diff --git a/tests/unit/ensureAccessList.test.ts b/tests/unit/ensureAccessList.test.ts
@@ -0,0 +1,48 @@
+import { ensureCurrentIpInAccessList } from "../../src/common/atlas/ensureAccessList.js";
+import { ApiClientError } from "../../src/common/atlas/apiClientError.js";
+
+describe("ensureCurrentIpInAccessList", () => {
+    const projectId = "test-project-id";
+    const ip = "1.2.3.4";
+    let apiClient: any;
+
+    beforeEach(() => {
+        apiClient = {
+            getIpInfo: jest.fn().mockResolvedValue({ currentIpv4Address: ip }),
+            createProjectIpAccessList: jest.fn().mockResolvedValue(undefined),
+        };
+    });
+
+    it("adds the current IP to the access list", async () => {
+        await expect(ensureCurrentIpInAccessList(apiClient, projectId)).resolves.not.toThrow();
+        expect(apiClient.getIpInfo).toHaveBeenCalled();
+        expect(apiClient.createProjectIpAccessList).toHaveBeenCalledWith({
+            params: { path: { groupId: projectId } },
+            body: [
+                {
+                    groupId: projectId,
+                    ipAddress: ip,
+                    comment: expect.any(String),
+                },
+            ],
+        });
+    });
+
+    it("is idempotent if the IP is already present (409 error)", async () => {
+        apiClient.createProjectIpAccessList.mockRejectedValueOnce(
+            Object.assign(new ApiClientError("Conflict", { status: 409, statusText: "Conflict" } as any), {
+                response: { status: 409 },
+            })
+        );
+        await expect(ensureCurrentIpInAccessList(apiClient, projectId)).resolves.not.toThrow();
+    });
+
+    it("throws for other errors", async () => {
+        apiClient.createProjectIpAccessList.mockRejectedValueOnce(
+            Object.assign(new ApiClientError("Other", { status: 500, statusText: "Server Error" } as any), {
+                response: { status: 500 },
+            })
+        );
+        await expect(ensureCurrentIpInAccessList(apiClient, projectId)).rejects.toThrow();
+    });
+});
