From c6defffeb160760aaf21b82f40f1cb745e0a494e Mon Sep 17 00:00:00 2001
From: Enbiya <100806254+enbiyagoral@users.noreply.github.com>
Date: Sat, 6 Sep 2025 23:38:12 +0300
Subject: [PATCH 1/8] feat(mongo): add mongo for boundary cli
---
CHANGELOG.md | 4 +
internal/cmd/commands.go | 6 +
internal/cmd/commands/connect/connect.go | 20 +++
internal/cmd/commands/connect/mongo.go | 129 +++++++++++++++
testing/internal/e2e/infra/docker.go | 45 +++++-
.../base/target_tcp_connect_mongo_test.go | 148 ++++++++++++++++++
.../content/docs/commands/connect/index.mdx | 2 +
.../content/docs/commands/connect/mongo.mdx | 79 ++++++++++
website/data/docs-nav-data.json | 4 +
9 files changed, 433 insertions(+), 4 deletions(-)
create mode 100644 internal/cmd/commands/connect/mongo.go
create mode 100644 testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
create mode 100644 website/content/docs/commands/connect/mongo.mdx
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3241fa99e9..07397536e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,10 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
This new helper command allows users to authorize sessions against MySQL
targets and automatically invoke a MySQL client with the appropriate
connection parameters and credentials.
+* cli: Added `boundary connect mongo` command for connecting to MongoDB targets.
+ This new helper command allows users to authorize sessions against MongoDB
+ targets and automatically invoke a MongoDB client with the appropriate
+ connection parameters and credentials.
* Adds support to parse User-Agent headers and emit them in telemetry events
([PR](https://github.com/hashicorp/boundary/pull/5645)).
* cli: Added `boundary connect cassandra` command for connecting to Cassandra targets.
diff --git a/internal/cmd/commands.go b/internal/cmd/commands.go
index 8bbecdddc6..5e164240c0 100644
--- a/internal/cmd/commands.go
+++ b/internal/cmd/commands.go
@@ -417,6 +417,12 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) {
Func: "mysql",
}
}),
+ "connect mongo": wrapper.Wrap(func() wrapper.WrappableCommand {
+ return &connect.Command{
+ Command: base.NewCommand(ui, opts...),
+ Func: "mongo",
+ }
+ }),
"connect cassandra": wrapper.Wrap(func() wrapper.WrappableCommand {
return &connect.Command{
Command: base.NewCommand(ui, opts...),
diff --git a/internal/cmd/commands/connect/connect.go b/internal/cmd/commands/connect/connect.go
index b48c345f83..e84553cb17 100644
--- a/internal/cmd/commands/connect/connect.go
+++ b/internal/cmd/commands/connect/connect.go
@@ -80,6 +80,9 @@ type Command struct {
// MySQL
mysqlFlags
+ // MongoDB
+ mongoFlags
+
// Cassandra
cassandraFlags
@@ -111,6 +114,8 @@ func (c *Command) Synopsis() string {
return postgresSynopsis
case "mysql":
return mysqlSynopsis
+ case "mongo":
+ return mongoSynopsis
case "cassandra":
return cassandraSynopsis
case "rdp":
@@ -235,6 +240,9 @@ func (c *Command) Flags() *base.FlagSets {
case "mysql":
mysqlOptions(c, set)
+ case "mongo":
+ mongoOptions(c, set)
+
case "cassandra":
cassandraOptions(c, set)
@@ -327,6 +335,8 @@ func (c *Command) Run(args []string) (retCode int) {
c.flagExec = c.postgresFlags.defaultExec()
case "mysql":
c.flagExec = c.mysqlFlags.defaultExec()
+ case "mongo":
+ c.flagExec = c.mongoFlags.defaultExec()
case "cassandra":
c.flagExec = c.cassandraFlags.defaultExec()
case "rdp":
@@ -683,6 +693,16 @@ func (c *Command) handleExec(clientProxy *apiproxy.ClientProxy, passthroughArgs
envs = append(envs, mysqlEnvs...)
creds = mysqlCreds
+ case "mongo":
+ mongoArgs, mongoEnvs, mongoCreds, mongoErr := c.mongoFlags.buildArgs(c, port, host, addr, creds)
+ if mongoErr != nil {
+ argsErr = mongoErr
+ break
+ }
+ args = append(args, mongoArgs...)
+ envs = append(envs, mongoEnvs...)
+ creds = mongoCreds
+
case "cassandra":
cassandraArgs, cassandraEnvs, cassandraCreds, cassandraErr := c.cassandraFlags.buildArgs(c, port, host, addr, creds)
if cassandraErr != nil {
diff --git a/internal/cmd/commands/connect/mongo.go b/internal/cmd/commands/connect/mongo.go
new file mode 100644
index 0000000000..ee754b45e1
--- /dev/null
+++ b/internal/cmd/commands/connect/mongo.go
@@ -0,0 +1,129 @@
+package connect
+
+import (
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/hashicorp/boundary/api/proxy"
+ "github.com/hashicorp/boundary/internal/cmd/base"
+ "github.com/posener/complete"
+)
+
+const (
+ mongoSynopsis = "Authorize a session against a target and invoke a MongoDB client to connect"
+)
+
+func mongoOptions(c *Command, set *base.FlagSets) {
+ f := set.NewFlagSet("MongoDB Options")
+
+ f.StringVar(&base.StringVar{
+ Name: "style",
+ Target: &c.flagMongoStyle,
+ EnvVar: "BOUNDARY_CONNECT_MONGO_STYLE",
+ Completion: complete.PredictSet("mongo"),
+ Default: "mongo",
+ Usage: `Specifies how the CLI will attempt to invoke a MongoDB client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "mongo".`,
+ })
+
+ f.StringVar(&base.StringVar{
+ Name: "username",
+ Target: &c.flagUsername,
+ EnvVar: "BOUNDARY_CONNECT_USERNAME",
+ Completion: complete.PredictNothing,
+ Usage: `Specifies the username to pass through to the client. May be overridden by credentials sourced from a credential store.`,
+ })
+
+ f.StringVar(&base.StringVar{
+ Name: "dbname",
+ Target: &c.flagDbname,
+ EnvVar: "BOUNDARY_CONNECT_DBNAME",
+ Completion: complete.PredictNothing,
+ Usage: `Specifies the database name to pass through to the client.`,
+ })
+}
+
+type mongoFlags struct {
+ flagMongoStyle string
+}
+
+func (m *mongoFlags) defaultExec() string {
+ return strings.ToLower(m.flagMongoStyle)
+}
+
+func (m *mongoFlags) buildArgs(c *Command, port, ip, _ string, creds proxy.Credentials) (args, envs []string, retCreds proxy.Credentials, retErr error) {
+ var username, password string
+
+ retCreds = creds
+ if len(retCreds.UsernamePassword) > 0 {
+ // Mark credential as consumed so it is not printed to user
+ retCreds.UsernamePassword[0].Consumed = true
+
+ // For now just grab the first username password credential brokered
+ username = retCreds.UsernamePassword[0].Username
+ password = retCreds.UsernamePassword[0].Password
+ }
+
+ switch m.flagMongoStyle {
+ case "mongo":
+ // Handle password first - create a temporary file for MongoDB connection string
+ if password != "" {
+ passfile, err := os.CreateTemp("", "*")
+ if err != nil {
+ return nil, nil, proxy.Credentials{}, fmt.Errorf("Error saving MongoDB password to tmp file: %w", err)
+ }
+ c.cleanupFuncs = append(c.cleanupFuncs, func() error {
+ if err := os.Remove(passfile.Name()); err != nil {
+ return fmt.Errorf("Error removing temporary password file; consider removing %s manually: %w", passfile.Name(), err)
+ }
+ return nil
+ })
+ _, err = passfile.Write([]byte(password))
+ if err != nil {
+ _ = passfile.Close()
+ return nil, nil, proxy.Credentials{}, fmt.Errorf("Error writing password file to %s: %w", passfile.Name(), err)
+ }
+ if err := passfile.Close(); err != nil {
+ return nil, nil, proxy.Credentials{}, fmt.Errorf("Error closing password file after writing to %s: %w", passfile.Name(), err)
+ }
+ // Set password file as environment variable for MongoDB client
+ envs = append(envs, "MONGODB_PASSWORD_FILE="+passfile.Name())
+
+ if c.flagDbname == "" {
+ c.UI.Warn("Credentials are being brokered but no -dbname parameter provided. mongo may misinterpret another parameter as the database name.")
+ }
+ }
+
+ // Build MongoDB connection string
+ connectionString := "mongodb://"
+
+ // Add username and password to connection string
+ if username != "" {
+ connectionString += username
+ if password != "" {
+ connectionString += ":" + password
+ }
+ connectionString += "@"
+ } else if c.flagUsername != "" {
+ connectionString += c.flagUsername
+ if password != "" {
+ connectionString += ":" + password
+ }
+ connectionString += "@"
+ }
+
+ // Add host and port
+ connectionString += ip
+ if port != "" {
+ connectionString += ":" + port
+ }
+
+ // Add database name
+ if c.flagDbname != "" {
+ connectionString += "/" + c.flagDbname
+ }
+
+ args = append(args, connectionString)
+ }
+ return
+}
diff --git a/testing/internal/e2e/infra/docker.go b/testing/internal/e2e/infra/docker.go
index f84efb8f19..23bd489da3 100644
--- a/testing/internal/e2e/infra/docker.go
+++ b/testing/internal/e2e/infra/docker.go
@@ -52,19 +52,16 @@ func StartBoundaryDatabase(t testing.TB, pool *dockertest.Pool, network *dockert
postgresDb := "e2eboundarydb"
postgresUser := "e2eboundary"
postgresPassword := "e2eboundary"
- postgresConfigFilePath, err := filepath.Abs("testdata/postgresql.conf")
- require.NoError(t, err)
+ // Use default Postgres configuration to avoid host mount issues on some environments
resource, err := pool.RunWithOptions(&dockertest.RunOptions{
Repository: fmt.Sprintf("%s/%s", c.DockerMirror, repository),
Tag: tag,
- Cmd: []string{"postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"},
Env: []string{
"POSTGRES_DB=" + postgresDb,
"POSTGRES_USER=" + postgresUser,
"POSTGRES_PASSWORD=" + postgresPassword,
},
- Mounts: []string{path.Dir(postgresConfigFilePath) + ":/etc/postgresql/"},
ExposedPorts: []string{"5432/tcp"},
Name: networkAlias,
Networks: []*dockertest.Network{network},
@@ -354,6 +351,46 @@ func StartMysql(t testing.TB, pool *dockertest.Pool, network *dockertest.Network
}
}
+// StartMongo starts a MongoDB database in a docker container.
+// Returns information about the container
+func StartMongo(t testing.TB, pool *dockertest.Pool, network *dockertest.Network, repository, tag string) *Container {
+ t.Log("Starting MongoDB database...")
+ c, err := LoadConfig()
+ require.NoError(t, err)
+
+ err = pool.Client.PullImage(docker.PullImageOptions{
+ Repository: fmt.Sprintf("%s/%s", c.DockerMirror, repository),
+ Tag: tag,
+ }, docker.AuthConfiguration{})
+ require.NoError(t, err)
+
+ networkAlias := "e2emongo"
+ mongoDb := "e2eboundarydb"
+ mongoUser := "e2eboundary"
+ mongoPassword := "e2eboundary"
+
+ resource, err := pool.RunWithOptions(&dockertest.RunOptions{
+ Repository: fmt.Sprintf("%s/%s", c.DockerMirror, repository),
+ Tag: tag,
+ Env: []string{
+ "MONGO_INITDB_ROOT_USERNAME=" + mongoUser,
+ "MONGO_INITDB_ROOT_PASSWORD=" + mongoPassword,
+ "MONGO_INITDB_DATABASE=" + mongoDb,
+ },
+ ExposedPorts: []string{"27017/tcp"},
+ Name: networkAlias,
+ Networks: []*dockertest.Network{network},
+ })
+ require.NoError(t, err)
+
+ return &Container{
+ Resource: resource,
+ // Root user authenticates against the admin database by default
+ UriLocalhost: fmt.Sprintf("mongodb://%s:%s@localhost:27017/%s?authSource=admin", mongoUser, mongoPassword, mongoDb),
+ UriNetwork: fmt.Sprintf("mongodb://%s:%s@%s:27017/%s?authSource=admin", mongoUser, mongoPassword, networkAlias, mongoDb),
+ }
+}
+
// StartCassandra starts a Cassandra database in a docker container.
// Returns information about the container
func StartCassandra(t testing.TB, pool *dockertest.Pool, network *dockertest.Network, repository, tag string) *Container {
diff --git a/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go b/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
new file mode 100644
index 0000000000..e63a0cd352
--- /dev/null
+++ b/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
@@ -0,0 +1,148 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package base_test
+
+import (
+ "bytes"
+ "context"
+ "io"
+ "net/url"
+ "os/exec"
+ "testing"
+
+ "github.com/creack/pty"
+ "github.com/hashicorp/boundary/internal/target"
+ "github.com/hashicorp/boundary/testing/internal/e2e"
+ "github.com/hashicorp/boundary/testing/internal/e2e/boundary"
+ "github.com/hashicorp/boundary/testing/internal/e2e/infra"
+ "github.com/ory/dockertest/v3"
+ "github.com/stretchr/testify/require"
+)
+
+// TestCliTcpTargetConnectMongo uses the boundary cli to connect to a
+// target using `connect mongo`
+func TestCliTcpTargetConnectMongo(t *testing.T) {
+ e2e.MaybeSkipTest(t)
+ ctx := context.Background()
+
+ pool, err := dockertest.NewPool("")
+ require.NoError(t, err)
+
+ // e2e_cluster network is created by the e2e infra setup
+ network, err := pool.NetworksByName("e2e_cluster")
+ require.NoError(t, err, "Failed to get e2e_cluster network")
+
+ c := infra.StartMongo(t, pool, &network[0], "mongo", "7.0")
+ require.NotNil(t, c, "MongoDB container should not be nil")
+ t.Cleanup(func() {
+ if err := pool.Purge(c.Resource); err != nil {
+ t.Logf("Failed to purge MongoDB container: %v", err)
+ }
+ })
+
+ u, err := url.Parse(c.UriNetwork)
+ require.NoError(t, err, "Failed to parse MongoDB URL")
+
+ user, hostname, port, db := u.User.Username(), u.Hostname(), u.Port(), u.Path[1:]
+ pw, pwSet := u.User.Password()
+ t.Logf("MongoDB info: user=%s, db=%s, host=%s, port=%s, password-set:%t",
+ user, db, hostname, port, pwSet)
+
+ // Wait for MongoDB to be ready
+ err = pool.Retry(func() error {
+ return exec.CommandContext(ctx, "docker", "exec", hostname,
+ "mongosh", "--eval", "db.runCommand('ping')").Run()
+ })
+ require.NoError(t, err, "MongoDB container failed to start")
+
+ // Start Boundary database
+ boundaryDb := infra.StartBoundaryDatabase(t, pool, &network[0], "postgres", "15")
+ require.NotNil(t, boundaryDb, "Boundary database container should not be nil")
+ t.Cleanup(func() {
+ if err := pool.Purge(boundaryDb.Resource); err != nil {
+ t.Logf("Failed to purge Boundary database container: %v", err)
+ }
+ })
+
+ // Initialize Boundary database
+ _ = infra.GetDbInitInfoFromContainer(t, pool, boundaryDb)
+
+ // Start Boundary server
+ boundaryContainer := infra.StartBoundary(t, pool, &network[0], "boundary", "latest", boundaryDb.UriNetwork)
+ require.NotNil(t, boundaryContainer, "Boundary container should not be nil")
+ t.Cleanup(func() {
+ if err := pool.Purge(boundaryContainer.Resource); err != nil {
+ t.Logf("Failed to purge Boundary container: %v", err)
+ }
+ })
+
+ boundary.AuthenticateAdminCli(t, ctx)
+
+ orgId, err := boundary.CreateOrgCli(t, ctx)
+ require.NoError(t, err)
+ t.Cleanup(func() {
+ ctx := context.Background()
+ boundary.AuthenticateAdminCli(t, ctx)
+ output := e2e.RunCommand(ctx, "boundary", e2e.WithArgs("scopes", "delete", "-id", orgId))
+ require.NoError(t, output.Err, string(output.Stderr))
+ })
+
+ projectId, err := boundary.CreateProjectCli(t, ctx, orgId)
+ require.NoError(t, err)
+
+ targetId, err := boundary.CreateTargetCli(
+ t,
+ ctx,
+ projectId,
+ port,
+ target.WithAddress(hostname),
+ )
+ require.NoError(t, err)
+
+ storeId, err := boundary.CreateCredentialStoreStaticCli(t, ctx, projectId)
+ require.NoError(t, err)
+
+ credentialId, err := boundary.CreateStaticCredentialPasswordCli(
+ t,
+ ctx,
+ storeId,
+ user,
+ pw,
+ )
+ require.NoError(t, err)
+
+ err = boundary.AddBrokeredCredentialSourceToTargetCli(t, ctx, targetId, credentialId)
+ require.NoError(t, err)
+
+ cmd := exec.CommandContext(ctx,
+ "boundary",
+ "connect", "mongo",
+ "-target-id", targetId,
+ "-dbname", db,
+ )
+ f, err := pty.Start(cmd)
+ require.NoError(t, err)
+ t.Cleanup(func() {
+ err := f.Close()
+ require.NoError(t, err)
+ })
+
+ _, err = f.Write([]byte("show collections\n"))
+ require.NoError(t, err)
+ _, err = f.Write([]byte("db.getName()\n"))
+ require.NoError(t, err)
+ _, err = f.Write([]byte("exit\n"))
+ require.NoError(t, err)
+ _, err = f.Write([]byte{4})
+ require.NoError(t, err)
+
+ var buf bytes.Buffer
+ _, _ = io.Copy(&buf, f)
+
+ output := buf.String()
+ t.Logf("MongoDB session output: %s", output)
+
+ require.Contains(t, output, db, "Session did not return expected database query result")
+ t.Log("Successfully connected to MongoDB target")
+}
diff --git a/website/content/docs/commands/connect/index.mdx b/website/content/docs/commands/connect/index.mdx
index 42ed579f9f..8a469f164c 100644
--- a/website/content/docs/commands/connect/index.mdx
+++ b/website/content/docs/commands/connect/index.mdx
@@ -43,6 +43,7 @@ Subcommands:
kube Authorize a session against a target and invoke a Kubernetes client to connect
cassandra Authorize a session against a target and invoke a Cassandra client to connect
mysql Authorize a session against a target and invoke a MySQL client to connect
+ mongo Authorize a session against a target and invoke a MongoDB client to connect
postgres Authorize a session against a target and invoke a Postgres client to connect
rdp Authorize a session against a target and invoke an RDP client to connect
ssh Authorize a session against a target and invoke an SSH client to connect
@@ -57,6 +58,7 @@ of the subcommand in the sidebar or one of the links below:
- [kube](/boundary/docs/commands/connect/kube)
- [cassandra](/boundary/docs/commands/connect/cassandra)
- [mysql](/boundary/docs/commands/connect/mysql)
+- [mongo](/boundary/docs/commands/connect/mongo)
- [postgres](/boundary/docs/commands/connect/postgres)
- [rdp](/boundary/docs/commands/connect/rdp)
- [ssh](/boundary/docs/commands/connect/ssh)
diff --git a/website/content/docs/commands/connect/mongo.mdx b/website/content/docs/commands/connect/mongo.mdx
new file mode 100644
index 0000000000..dfed4981b0
--- /dev/null
+++ b/website/content/docs/commands/connect/mongo.mdx
@@ -0,0 +1,79 @@
+---
+layout: docs
+page_title: connect mongo - Command
+description: >-
+ The "connect mongo" command performs a target authorization or consumes an existing authorization token, and then launches a proxied MongoDB connection.
+---
+
+# connect mongo
+
+Command: `boundary connect mongo`
+
+The `connect mongo` command authorizes a session against a target and invokes a MongoDB client for the connection.
+The command fills in the local address and port.
+
+@include 'cmd-connect-env-vars.mdx'
+
+
+## Examples
+
+The following example shows how to connect to a target with the ID `ttcp_eTcMueUYv` using a MongoDB helper:
+
+```shell-session
+$ boundary connect mongo -target-id=ttcp_eTcZMueUYv \
+ -dbname=northwind \
+ -username=superuser \
+ -format=table
+```
+
+When prompted, you must enter the password for the user, "superuser":
+
+
+
+```plaintext
+Enter password:
+Current Mongosh Log ID: 64a1b2c3d4e5f6789012345
+Connecting to: mongodb://127.0.0.1:12345/northwind?authSource=admin
+Using MongoDB: 7.0.0
+Using Mongosh: 2.0.0
+
+northwind> show collections
+orders
+products
+customers
+
+northwind> db.products.count()
+77
+
+northwind>
+```
+
+
+
+## Usage
+
+
+
+```shell-session
+$ boundary connect mongo [options] [args]
+```
+
+
+
+@include 'cmd-connect-command-options.mdx'
+
+### MongoDB options:
+
+- `-dbname` `(string: "")` - The database name you want to pass through to the client.
+You can also specify the database name using the **BOUNDARY_CONNECT_DBNAME** environment variable.
+
+- `-style` `(string: "")` - How the CLI attempts to invoke a MongoDB client.
+This value also sets a suitable default for `-exec`, if you did not specify a value.
+The default and currently-understood value is `mongo`.
+You can also specify how the CLI attempts to invoke a MongoDB client using the **BOUNDARY_CONNECT_MONGO_STYLE** environment variable.
+
+- `-username` `(string: "")` - The username you want to pass through to the client.
+This value may be overridden by credentials sourced from a credential store.
+You can also specify a username using the **BOUNDARY_CONNECT_USERNAME** environment variable.
+
+@include 'cmd-option-note.mdx'
\ No newline at end of file
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index 535d032ac2..48aee01dfc 100644
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -1233,6 +1233,10 @@
"title": "mysql",
"path": "commands/connect/mysql"
},
+ {
+ "title": "mongo",
+ "path": "commands/connect/mongo"
+ },
{
"title": "postgres",
"path": "commands/connect/postgres"
From 3c4dc64bb7e4d26285f6da035058af18d0771a71 Mon Sep 17 00:00:00 2001
From: Enbiya <100806254+enbiyagoral@users.noreply.github.com>
Date: Mon, 8 Sep 2025 22:20:49 +0300
Subject: [PATCH 2/8] Fix: remove changes added by mistake during testing
---
testing/internal/e2e/infra/docker.go | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/testing/internal/e2e/infra/docker.go b/testing/internal/e2e/infra/docker.go
index 23bd489da3..ea0f97b430 100644
--- a/testing/internal/e2e/infra/docker.go
+++ b/testing/internal/e2e/infra/docker.go
@@ -52,16 +52,19 @@ func StartBoundaryDatabase(t testing.TB, pool *dockertest.Pool, network *dockert
postgresDb := "e2eboundarydb"
postgresUser := "e2eboundary"
postgresPassword := "e2eboundary"
- // Use default Postgres configuration to avoid host mount issues on some environments
+ postgresConfigFilePath, err := filepath.Abs("testdata/postgresql.conf")
+ require.NoError(t, err)
resource, err := pool.RunWithOptions(&dockertest.RunOptions{
Repository: fmt.Sprintf("%s/%s", c.DockerMirror, repository),
Tag: tag,
+ Cmd: []string{"postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"},
Env: []string{
"POSTGRES_DB=" + postgresDb,
"POSTGRES_USER=" + postgresUser,
"POSTGRES_PASSWORD=" + postgresPassword,
},
+ Mounts: []string{path.Dir(postgresConfigFilePath) + ":/etc/postgresql/"},
ExposedPorts: []string{"5432/tcp"},
Name: networkAlias,
Networks: []*dockertest.Network{network},
From 64e6c8e31491530c7937b6d77baf84de98a1e2e9 Mon Sep 17 00:00:00 2001
From: Enbiya <100806254+enbiyagoral@users.noreply.github.com>
Date: Mon, 8 Sep 2025 23:00:48 +0300
Subject: [PATCH 3/8] feat(enos): install MongoDB client (mongosh) in e2e
Docker test runtime
---
enos/modules/test_e2e_docker/test.sh | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/enos/modules/test_e2e_docker/test.sh b/enos/modules/test_e2e_docker/test.sh
index 56e2e6b0ac..8951870645 100755
--- a/enos/modules/test_e2e_docker/test.sh
+++ b/enos/modules/test_e2e_docker/test.sh
@@ -17,7 +17,8 @@ apt update
# default-mysql-client is used for mysql tests
# wget is used for downloading external dependencies and repository keys
# apt-transport-https enables HTTPS transport for APT repositories
-apt install unzip pass lsb-release postgresql-client default-mysql-client wget apt-transport-https -y
+# curl and ca-certificates are required for some repository setups (e.g., MongoDB)
+apt install unzip pass lsb-release postgresql-client default-mysql-client wget apt-transport-https curl ca-certificates -y
# Function to install Cassandra
install_cassandra() {
@@ -116,6 +117,13 @@ echo \
apt update
apt install docker-ce-cli -y
+# Install MongoDB client (mongosh)
+# Reference: https://www.mongodb.com/docs/mongodb-shell/install/#debian
+curl -fsSL https://pgp.mongodb.com/server-7.0.asc | gpg --dearmor -o /usr/share/keyrings/mongodb-server-7.0.gpg
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/debian bookworm/mongodb-org/7.0 main" | tee /etc/apt/sources.list.d/mongodb-org-7.0.list
+apt update
+apt install -y mongodb-mongosh
+
# Run Tests
unzip /boundary.zip -d /usr/local/bin/
cd /src/boundary
From eae0cb157303c4a046a04eaf41b80f907e1e0f61 Mon Sep 17 00:00:00 2001
From: Enbiya <100806254+enbiyagoral@users.noreply.github.com>
Date: Mon, 8 Sep 2025 23:07:17 +0300
Subject: [PATCH 4/8] Remove explicit Boundary DB/server startup from
target_tcp_connect_mongo_test.go
---
.../base/target_tcp_connect_mongo_test.go | 21 -------------------
1 file changed, 21 deletions(-)
diff --git a/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go b/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
index e63a0cd352..d10d68bbd6 100644
--- a/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
+++ b/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
@@ -56,27 +56,6 @@ func TestCliTcpTargetConnectMongo(t *testing.T) {
})
require.NoError(t, err, "MongoDB container failed to start")
- // Start Boundary database
- boundaryDb := infra.StartBoundaryDatabase(t, pool, &network[0], "postgres", "15")
- require.NotNil(t, boundaryDb, "Boundary database container should not be nil")
- t.Cleanup(func() {
- if err := pool.Purge(boundaryDb.Resource); err != nil {
- t.Logf("Failed to purge Boundary database container: %v", err)
- }
- })
-
- // Initialize Boundary database
- _ = infra.GetDbInitInfoFromContainer(t, pool, boundaryDb)
-
- // Start Boundary server
- boundaryContainer := infra.StartBoundary(t, pool, &network[0], "boundary", "latest", boundaryDb.UriNetwork)
- require.NotNil(t, boundaryContainer, "Boundary container should not be nil")
- t.Cleanup(func() {
- if err := pool.Purge(boundaryContainer.Resource); err != nil {
- t.Logf("Failed to purge Boundary container: %v", err)
- }
- })
-
boundary.AuthenticateAdminCli(t, ctx)
orgId, err := boundary.CreateOrgCli(t, ctx)
From e447b459432272b92271beb6fdcecb47715dff82 Mon Sep 17 00:00:00 2001
From: Johan Brandhorst-Satzkorn
Date: Mon, 8 Sep 2025 13:36:27 -0700
Subject: [PATCH 5/8] Add a full stop and trigger CI
---
enos/modules/test_e2e_docker/test.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/enos/modules/test_e2e_docker/test.sh b/enos/modules/test_e2e_docker/test.sh
index 8951870645..e05c8d0a48 100755
--- a/enos/modules/test_e2e_docker/test.sh
+++ b/enos/modules/test_e2e_docker/test.sh
@@ -17,7 +17,7 @@ apt update
# default-mysql-client is used for mysql tests
# wget is used for downloading external dependencies and repository keys
# apt-transport-https enables HTTPS transport for APT repositories
-# curl and ca-certificates are required for some repository setups (e.g., MongoDB)
+# curl and ca-certificates are required for some repository setups (e.g., MongoDB).
apt install unzip pass lsb-release postgresql-client default-mysql-client wget apt-transport-https curl ca-certificates -y
# Function to install Cassandra
From c6e29544b346a1436a1971d526c9675690ee0bc2 Mon Sep 17 00:00:00 2001
From: Enbiya <100806254+enbiyagoral@users.noreply.github.com>
Date: Tue, 9 Sep 2025 00:34:41 +0300
Subject: [PATCH 6/8] feat: add mongosh support to boundary connect mongo
---
internal/cmd/commands/connect/mongo.go | 49 +++++++++++++++++++++-----
1 file changed, 41 insertions(+), 8 deletions(-)
diff --git a/internal/cmd/commands/connect/mongo.go b/internal/cmd/commands/connect/mongo.go
index ee754b45e1..e2396fabb9 100644
--- a/internal/cmd/commands/connect/mongo.go
+++ b/internal/cmd/commands/connect/mongo.go
@@ -21,9 +21,9 @@ func mongoOptions(c *Command, set *base.FlagSets) {
Name: "style",
Target: &c.flagMongoStyle,
EnvVar: "BOUNDARY_CONNECT_MONGO_STYLE",
- Completion: complete.PredictSet("mongo"),
- Default: "mongo",
- Usage: `Specifies how the CLI will attempt to invoke a MongoDB client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "mongo".`,
+ Completion: complete.PredictSet("mongo", "mongosh"),
+ Default: "mongosh",
+ Usage: `Specifies how the CLI will attempt to invoke a MongoDB client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "mongo" and "mongosh".`,
})
f.StringVar(&base.StringVar{
@@ -70,21 +70,21 @@ func (m *mongoFlags) buildArgs(c *Command, port, ip, _ string, creds proxy.Crede
if password != "" {
passfile, err := os.CreateTemp("", "*")
if err != nil {
- return nil, nil, proxy.Credentials{}, fmt.Errorf("Error saving MongoDB password to tmp file: %w", err)
+ return nil, nil, proxy.Credentials{}, fmt.Errorf("error saving MongoDB password to tmp file: %w", err)
}
c.cleanupFuncs = append(c.cleanupFuncs, func() error {
if err := os.Remove(passfile.Name()); err != nil {
- return fmt.Errorf("Error removing temporary password file; consider removing %s manually: %w", passfile.Name(), err)
+ return fmt.Errorf("error removing temporary password file; consider removing %s manually: %w", passfile.Name(), err)
}
return nil
})
_, err = passfile.Write([]byte(password))
if err != nil {
_ = passfile.Close()
- return nil, nil, proxy.Credentials{}, fmt.Errorf("Error writing password file to %s: %w", passfile.Name(), err)
+ return nil, nil, proxy.Credentials{}, fmt.Errorf("error writing password file to %s: %w", passfile.Name(), err)
}
if err := passfile.Close(); err != nil {
- return nil, nil, proxy.Credentials{}, fmt.Errorf("Error closing password file after writing to %s: %w", passfile.Name(), err)
+ return nil, nil, proxy.Credentials{}, fmt.Errorf("error closing password file after writing to %s: %w", passfile.Name(), err)
}
// Set password file as environment variable for MongoDB client
envs = append(envs, "MONGODB_PASSWORD_FILE="+passfile.Name())
@@ -96,7 +96,38 @@ func (m *mongoFlags) buildArgs(c *Command, port, ip, _ string, creds proxy.Crede
// Build MongoDB connection string
connectionString := "mongodb://"
-
+
+ // Add username and password to connection string
+ if username != "" {
+ connectionString += username
+ if password != "" {
+ connectionString += ":" + password
+ }
+ connectionString += "@"
+ } else if c.flagUsername != "" {
+ connectionString += c.flagUsername
+ if password != "" {
+ connectionString += ":" + password
+ }
+ connectionString += "@"
+ }
+
+ // Add host and port
+ connectionString += ip
+ if port != "" {
+ connectionString += ":" + port
+ }
+
+ // Add database name
+ if c.flagDbname != "" {
+ connectionString += "/" + c.flagDbname
+ }
+
+ args = append(args, connectionString)
+ case "mongosh":
+ // Build MongoDB connection string for mongosh
+ connectionString := "mongodb://"
+
// Add username and password to connection string
if username != "" {
connectionString += username
@@ -124,6 +155,8 @@ func (m *mongoFlags) buildArgs(c *Command, port, ip, _ string, creds proxy.Crede
}
args = append(args, connectionString)
+ default:
+ return nil, nil, proxy.Credentials{}, fmt.Errorf("unsupported MongoDB style: %s", m.flagMongoStyle)
}
return
}
From e23eecd369f799da5f66a144bc3b3b09bf43011e Mon Sep 17 00:00:00 2001
From: Enbiya <100806254+enbiyagoral@users.noreply.github.com>
Date: Tue, 9 Sep 2025 00:41:19 +0300
Subject: [PATCH 7/8] feat: add mongosh support to boundary connect mongo
---
internal/cmd/commands/connect/mongo.go | 64 +-------------------------
1 file changed, 2 insertions(+), 62 deletions(-)
diff --git a/internal/cmd/commands/connect/mongo.go b/internal/cmd/commands/connect/mongo.go
index e2396fabb9..16eb44ec97 100644
--- a/internal/cmd/commands/connect/mongo.go
+++ b/internal/cmd/commands/connect/mongo.go
@@ -2,7 +2,6 @@ package connect
import (
"fmt"
- "os"
"strings"
"github.com/hashicorp/boundary/api/proxy"
@@ -21,9 +20,9 @@ func mongoOptions(c *Command, set *base.FlagSets) {
Name: "style",
Target: &c.flagMongoStyle,
EnvVar: "BOUNDARY_CONNECT_MONGO_STYLE",
- Completion: complete.PredictSet("mongo", "mongosh"),
+ Completion: complete.PredictSet("mongosh"),
Default: "mongosh",
- Usage: `Specifies how the CLI will attempt to invoke a MongoDB client. This will also set a suitable default for -exec if a value was not specified. Currently-understood values are "mongo" and "mongosh".`,
+ Usage: `Specifies how the CLI will attempt to invoke a MongoDB client. Currently only "mongosh" is supported.`,
})
f.StringVar(&base.StringVar{
@@ -65,65 +64,6 @@ func (m *mongoFlags) buildArgs(c *Command, port, ip, _ string, creds proxy.Crede
}
switch m.flagMongoStyle {
- case "mongo":
- // Handle password first - create a temporary file for MongoDB connection string
- if password != "" {
- passfile, err := os.CreateTemp("", "*")
- if err != nil {
- return nil, nil, proxy.Credentials{}, fmt.Errorf("error saving MongoDB password to tmp file: %w", err)
- }
- c.cleanupFuncs = append(c.cleanupFuncs, func() error {
- if err := os.Remove(passfile.Name()); err != nil {
- return fmt.Errorf("error removing temporary password file; consider removing %s manually: %w", passfile.Name(), err)
- }
- return nil
- })
- _, err = passfile.Write([]byte(password))
- if err != nil {
- _ = passfile.Close()
- return nil, nil, proxy.Credentials{}, fmt.Errorf("error writing password file to %s: %w", passfile.Name(), err)
- }
- if err := passfile.Close(); err != nil {
- return nil, nil, proxy.Credentials{}, fmt.Errorf("error closing password file after writing to %s: %w", passfile.Name(), err)
- }
- // Set password file as environment variable for MongoDB client
- envs = append(envs, "MONGODB_PASSWORD_FILE="+passfile.Name())
-
- if c.flagDbname == "" {
- c.UI.Warn("Credentials are being brokered but no -dbname parameter provided. mongo may misinterpret another parameter as the database name.")
- }
- }
-
- // Build MongoDB connection string
- connectionString := "mongodb://"
-
- // Add username and password to connection string
- if username != "" {
- connectionString += username
- if password != "" {
- connectionString += ":" + password
- }
- connectionString += "@"
- } else if c.flagUsername != "" {
- connectionString += c.flagUsername
- if password != "" {
- connectionString += ":" + password
- }
- connectionString += "@"
- }
-
- // Add host and port
- connectionString += ip
- if port != "" {
- connectionString += ":" + port
- }
-
- // Add database name
- if c.flagDbname != "" {
- connectionString += "/" + c.flagDbname
- }
-
- args = append(args, connectionString)
case "mongosh":
// Build MongoDB connection string for mongosh
connectionString := "mongodb://"
From 5b6883b13003e5823f4c9b08cb3fa8aeb8cb6c7f Mon Sep 17 00:00:00 2001
From: Enbiya <100806254+enbiyagoral@users.noreply.github.com>
Date: Fri, 12 Sep 2025 21:31:00 +0300
Subject: [PATCH 8/8] feat: add auth-source flag for MongoDB connect command
- Add -auth-source flag with default value 'admin' for root users
- Add BOUNDARY_CONNECT_MONGO_AUTH_SOURCE environment variable support
- Update documentation with new flag and correct mongosh default
- Improve MongoDB test with explicit auth-source parameter
- Fix Docker configuration formatting for better readability
This ensures MongoDB root users authenticate against the admin database
by default while allowing flexibility for custom authentication databases.
---
internal/cmd/commands/connect/connect.go | 1 +
internal/cmd/commands/connect/mongo.go | 18 ++++++++++
testing/internal/e2e/infra/docker.go | 33 ++++++++++++-------
.../base/target_tcp_connect_mongo_test.go | 23 +++++++++----
.../content/docs/commands/connect/mongo.mdx | 9 +++--
5 files changed, 65 insertions(+), 19 deletions(-)
diff --git a/internal/cmd/commands/connect/connect.go b/internal/cmd/commands/connect/connect.go
index e84553cb17..24dea2a37f 100644
--- a/internal/cmd/commands/connect/connect.go
+++ b/internal/cmd/commands/connect/connect.go
@@ -67,6 +67,7 @@ type Command struct {
flagExec string
flagUsername string
flagDbname string
+ flagAuthSource string
// HTTP
httpFlags
diff --git a/internal/cmd/commands/connect/mongo.go b/internal/cmd/commands/connect/mongo.go
index 16eb44ec97..f1db661ffe 100644
--- a/internal/cmd/commands/connect/mongo.go
+++ b/internal/cmd/commands/connect/mongo.go
@@ -40,6 +40,15 @@ func mongoOptions(c *Command, set *base.FlagSets) {
Completion: complete.PredictNothing,
Usage: `Specifies the database name to pass through to the client.`,
})
+
+ f.StringVar(&base.StringVar{
+ Name: "auth-source",
+ Target: &c.flagAuthSource,
+ EnvVar: "BOUNDARY_CONNECT_MONGO_AUTH_SOURCE",
+ Completion: complete.PredictNothing,
+ Default: "admin",
+ Usage: `Specifies the authentication database for MongoDB. Defaults to "admin" for root-style users.`,
+ })
}
type mongoFlags struct {
@@ -94,6 +103,15 @@ func (m *mongoFlags) buildArgs(c *Command, port, ip, _ string, creds proxy.Crede
connectionString += "/" + c.flagDbname
}
+ // Add authSource parameter if not already present
+ authSource := c.flagAuthSource
+
+ if !strings.Contains(connectionString, "?") {
+ connectionString += "?authSource=" + authSource
+ } else if !strings.Contains(strings.ToLower(connectionString), "authsource=") {
+ connectionString += "&authSource=" + authSource
+ }
+
args = append(args, connectionString)
default:
return nil, nil, proxy.Credentials{}, fmt.Errorf("unsupported MongoDB style: %s", m.flagMongoStyle)
diff --git a/testing/internal/e2e/infra/docker.go b/testing/internal/e2e/infra/docker.go
index ea0f97b430..7250980a7f 100644
--- a/testing/internal/e2e/infra/docker.go
+++ b/testing/internal/e2e/infra/docker.go
@@ -364,7 +364,7 @@ func StartMongo(t testing.TB, pool *dockertest.Pool, network *dockertest.Network
err = pool.Client.PullImage(docker.PullImageOptions{
Repository: fmt.Sprintf("%s/%s", c.DockerMirror, repository),
Tag: tag,
- }, docker.AuthConfiguration{})
+ }, docker.AuthConfiguration{})
require.NoError(t, err)
networkAlias := "e2emongo"
@@ -379,19 +379,30 @@ func StartMongo(t testing.TB, pool *dockertest.Pool, network *dockertest.Network
"MONGO_INITDB_ROOT_USERNAME=" + mongoUser,
"MONGO_INITDB_ROOT_PASSWORD=" + mongoPassword,
"MONGO_INITDB_DATABASE=" + mongoDb,
- },
- ExposedPorts: []string{"27017/tcp"},
- Name: networkAlias,
- Networks: []*dockertest.Network{network},
- })
+ },
+ ExposedPorts: []string{"27017/tcp"},
+ Name: networkAlias,
+ Networks: []*dockertest.Network{network},
+ })
require.NoError(t, err)
return &Container{
- Resource: resource,
- // Root user authenticates against the admin database by default
- UriLocalhost: fmt.Sprintf("mongodb://%s:%s@localhost:27017/%s?authSource=admin", mongoUser, mongoPassword, mongoDb),
- UriNetwork: fmt.Sprintf("mongodb://%s:%s@%s:27017/%s?authSource=admin", mongoUser, mongoPassword, networkAlias, mongoDb),
- }
+ Resource: resource,
+ UriLocalhost: fmt.Sprintf(
+ "mongodb://%s:%s@%s/%s?authSource=admin",
+ mongoUser,
+ mongoPassword,
+ resource.GetHostPort("27017/tcp"),
+ mongoDb,
+ ),
+ UriNetwork: fmt.Sprintf(
+ "mongodb://%s:%s@%s:27017/%s?authSource=admin",
+ mongoUser,
+ mongoPassword,
+ networkAlias,
+ mongoDb,
+ ),
+ }
}
// StartCassandra starts a Cassandra database in a docker container.
diff --git a/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go b/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
index d10d68bbd6..de11c5cd40 100644
--- a/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
+++ b/testing/internal/e2e/tests/base/target_tcp_connect_mongo_test.go
@@ -41,7 +41,7 @@ func TestCliTcpTargetConnectMongo(t *testing.T) {
}
})
- u, err := url.Parse(c.UriNetwork)
+ u, err := url.Parse(c.UriLocalhost)
require.NoError(t, err, "Failed to parse MongoDB URL")
user, hostname, port, db := u.User.Username(), u.Hostname(), u.Port(), u.Path[1:]
@@ -49,10 +49,15 @@ func TestCliTcpTargetConnectMongo(t *testing.T) {
t.Logf("MongoDB info: user=%s, db=%s, host=%s, port=%s, password-set:%t",
user, db, hostname, port, pwSet)
- // Wait for MongoDB to be ready
+ networkUrl, err := url.Parse(c.UriNetwork)
+ require.NoError(t, err)
+ containerName := networkUrl.Hostname()
+
err = pool.Retry(func() error {
- return exec.CommandContext(ctx, "docker", "exec", hostname,
- "mongosh", "--eval", "db.runCommand('ping')").Run()
+ cmd := exec.CommandContext(ctx, "docker", "exec", containerName,
+ "mongosh", "-u", user, "-p", pw, "--authenticationDatabase", "admin",
+ "--eval", "db.runCommand('ping')")
+ return cmd.Run()
})
require.NoError(t, err, "MongoDB container failed to start")
@@ -99,6 +104,7 @@ func TestCliTcpTargetConnectMongo(t *testing.T) {
"connect", "mongo",
"-target-id", targetId,
"-dbname", db,
+ "-auth-source", "admin",
)
f, err := pty.Start(cmd)
require.NoError(t, err)
@@ -107,10 +113,12 @@ func TestCliTcpTargetConnectMongo(t *testing.T) {
require.NoError(t, err)
})
- _, err = f.Write([]byte("show collections\n"))
+ _, err = f.Write([]byte("db.runCommand('ping')\n"))
require.NoError(t, err)
+
_, err = f.Write([]byte("db.getName()\n"))
require.NoError(t, err)
+
_, err = f.Write([]byte("exit\n"))
require.NoError(t, err)
_, err = f.Write([]byte{4})
@@ -122,6 +130,9 @@ func TestCliTcpTargetConnectMongo(t *testing.T) {
output := buf.String()
t.Logf("MongoDB session output: %s", output)
- require.Contains(t, output, db, "Session did not return expected database query result")
+ require.Contains(t, output, `ok:`, "MongoDB ping command should succeed")
+ require.Contains(t, output, `1`, "MongoDB ping should return ok: 1")
+ require.Contains(t, output, db, "Database name should appear in the session")
+ require.NotContains(t, output, "MongoServerSelectionError", "Should not have connection errors")
t.Log("Successfully connected to MongoDB target")
}
diff --git a/website/content/docs/commands/connect/mongo.mdx b/website/content/docs/commands/connect/mongo.mdx
index dfed4981b0..78b83440ae 100644
--- a/website/content/docs/commands/connect/mongo.mdx
+++ b/website/content/docs/commands/connect/mongo.mdx
@@ -23,6 +23,7 @@ The following example shows how to connect to a target with the ID `ttcp_eTcMueU
$ boundary connect mongo -target-id=ttcp_eTcZMueUYv \
-dbname=northwind \
-username=superuser \
+ -auth-source=admin \
-format=table
```
@@ -67,13 +68,17 @@ $ boundary connect mongo [options] [args]
- `-dbname` `(string: "")` - The database name you want to pass through to the client.
You can also specify the database name using the **BOUNDARY_CONNECT_DBNAME** environment variable.
-- `-style` `(string: "")` - How the CLI attempts to invoke a MongoDB client.
+- `-style` `(string: "mongosh")` - How the CLI attempts to invoke a MongoDB client.
This value also sets a suitable default for `-exec`, if you did not specify a value.
-The default and currently-understood value is `mongo`.
+The default and currently-understood value is `mongosh`.
You can also specify how the CLI attempts to invoke a MongoDB client using the **BOUNDARY_CONNECT_MONGO_STYLE** environment variable.
- `-username` `(string: "")` - The username you want to pass through to the client.
This value may be overridden by credentials sourced from a credential store.
You can also specify a username using the **BOUNDARY_CONNECT_USERNAME** environment variable.
+- `-auth-source` `(string: "admin")` - The authentication database for MongoDB.
+Defaults to "admin" for root-style users initialized via MONGO_INITDB_ROOT_USERNAME.
+You can also specify the authentication database using the **BOUNDARY_CONNECT_MONGO_AUTH_SOURCE** environment variable.
+
@include 'cmd-option-note.mdx'
\ No newline at end of file