MCP-5: Improve accesslist experience

Author: blva

README.md

@@ -374,12 +374,10 @@ To use the Atlas API tools, you'll need to create a service account in MongoDB A
 To learn more about Service Accounts, check the [MongoDB Atlas documentation](https://www.mongodb.com/docs/atlas/api/service-accounts-overview/).
 
 2. **Save Client Credentials:**
-
    - After creation, you'll be shown the Client ID and Client Secret
    - **Important:** Copy and save the Client Secret immediately as it won't be displayed again
 
 3. **Add Access List Entry:**
-
    - Add your IP address to the API access list
 
 4. **Configure the MCP Server:**

src/common/atlas/accessListUtils.ts

@@ -0,0 +1,44 @@
+import { ApiClient } from "./apiClient.js";
+import logger, { LogId } from "../logger.js";
+import { ApiClientError } from "./apiClientError.js";
+
+export async function makeCurrentIpAccessListEntry(
+    apiClient: ApiClient,
+    projectId: string,
+    comment: string = "Added by Atlas MCP"
+) {
+    const { currentIpv4Address } = await apiClient.getIpInfo();
+    return {
+        groupId: projectId,
+        ipAddress: currentIpv4Address,
+        comment,
+    };
+}
+
+/**
+ * Ensures the current public IP is in the access list for the given Atlas project.
+ * If the IP is already present, this is a no-op.
+ * @param apiClient The Atlas API client instance
+ * @param projectId The Atlas project ID
+ */
+export async function ensureCurrentIpInAccessList(apiClient: ApiClient, projectId: string): Promise<void> {
+    // Get the current public IP
+    const entry = await makeCurrentIpAccessListEntry(apiClient, projectId, "Added by MCP pre-run access list helper");
+    try {
+        await apiClient.createProjectIpAccessList({
+            params: { path: { groupId: projectId } },
+            body: [entry],
+        });
+        logger.debug(
+            LogId.atlasIpAccessListAdded,
+            "atlas-connect-cluster",
+            `IP access list created: ${JSON.stringify(entry)}`
+        );
+    } catch (err) {
+        if (err instanceof ApiClientError && err.response?.status === 409) {
+            // 409 Conflict: entry already exists, ignore
+            return;
+        }
+        throw err;
+    }
+}

src/common/atlas/ensureAccessList.ts

@@ -1,29 +1 @@
-import { ApiClientError } from "./apiClientError.js";
-
-/**
- * Ensures the current public IP is in the access list for the given Atlas project.
- * If the IP is already present, this is a no-op.
- * @param apiClient The Atlas API client instance
- * @param projectId The Atlas project ID
- */
-export async function ensureCurrentIpInAccessList(apiClient: any, projectId: string): Promise<void> {
-    // Get the current public IP
-    const { currentIpv4Address } = await apiClient.getIpInfo();
-    const entry = {
-        groupId: projectId,
-        ipAddress: currentIpv4Address,
-        comment: "Added by MCP pre-run access list helper",
-    };
-    try {
-        await apiClient.createProjectIpAccessList({
-            params: { path: { groupId: projectId } },
-            body: [entry],
-        });
-    } catch (err) {
-        if (err instanceof ApiClientError && err.response?.status === 409) {
-            // 409 Conflict: entry already exists, ignore
-            return;
-        }
-        throw err;
-    }
-}
+// This file has been migrated. ensureCurrentIpInAccessList is now in accessListUtils.ts

src/common/logger.ts

@@ -20,6 +20,7 @@ export const LogId = {
     atlasConnectAttempt: mongoLogId(1_001_005),
     atlasConnectSucceeded: mongoLogId(1_001_006),
     atlasApiRevokeFailure: mongoLogId(1_001_007),
+    atlasIpAccessListAdded: mongoLogId(1_001_008),
 
     telemetryDisabled: mongoLogId(1_002_001),
     telemetryEmitFailure: mongoLogId(1_002_002),

src/tools/atlas/connect/connectCluster.ts

@@ -5,7 +5,7 @@ import { ToolArgs, OperationType } from "../../tool.js";
 import { generateSecurePassword } from "../../../helpers/generatePassword.js";
 import logger, { LogId } from "../../../common/logger.js";
 import { inspectCluster } from "../../../common/atlas/cluster.js";
-import { ensureCurrentIpInAccessList } from "../../../common/atlas/ensureAccessList.js";
+import { ensureCurrentIpInAccessList } from "../../../common/atlas/accessListUtils.js";
 
 const EXPIRY_MS = 1000 * 60 * 60 * 12; // 12 hours
 
@@ -57,6 +57,19 @@ export class ConnectClusterTool extends AtlasToolBase {
                 "atlas-connect-cluster",
                 `error querying cluster: ${error.message}`
             );
+
+            // sometimes the error can be "error querying cluster: bad auth : Authentication failed."
+            // which just means it's still propagating permissions to the cluster
+            // in that case, we want to classify this as connecting.
+            if (error.message.includes("Authentication failed")) {
+                logger.debug(
+                    LogId.atlasConnectFailure,
+                    "atlas-connect-cluster",
+                    `assuming connecting to cluster: ${this.session.connectedAtlasCluster?.clusterName}`
+                );
+                return "connecting";
+            }
+
             return "unknown";
         }
     }

src/tools/atlas/create/createAccessList.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { AtlasToolBase } from "../atlasTool.js";
 import { ToolArgs, OperationType } from "../../tool.js";
+import { makeCurrentIpAccessListEntry } from "../../../common/atlas/accessListUtils.js";
 
 const DEFAULT_COMMENT = "Added by Atlas MCP";
 
@@ -38,12 +39,11 @@ export class CreateAccessListTool extends AtlasToolBase {
         }));
 
         if (currentIpAddress) {
-            const currentIp = await this.session.apiClient.getIpInfo();
-            const input = {
-                groupId: projectId,
-                ipAddress: currentIp.currentIpv4Address,
-                comment: comment || DEFAULT_COMMENT,
-            };
+            const input = await makeCurrentIpAccessListEntry(
+                this.session.apiClient,
+                projectId,
+                comment || DEFAULT_COMMENT
+            );
             ipInputs.push(input);
         }
 

src/tools/atlas/create/createDBUser.ts

@@ -4,7 +4,7 @@ import { AtlasToolBase } from "../atlasTool.js";
 import { ToolArgs, OperationType } from "../../tool.js";
 import { CloudDatabaseUser, DatabaseUserRole } from "../../../common/atlas/openapi.js";
 import { generateSecurePassword } from "../../../helpers/generatePassword.js";
-import { ensureCurrentIpInAccessList } from "../../../common/atlas/ensureAccessList.js";
+import { ensureCurrentIpInAccessList } from "../../../common/atlas/accessListUtils.js";
 
 export class CreateDBUserTool extends AtlasToolBase {
     public name = "atlas-create-db-user";

src/tools/atlas/create/createFreeCluster.ts

@@ -3,7 +3,7 @@ import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { AtlasToolBase } from "../atlasTool.js";
 import { ToolArgs, OperationType } from "../../tool.js";
 import { ClusterDescription20240805 } from "../../../common/atlas/openapi.js";
-import { ensureCurrentIpInAccessList } from "../../../common/atlas/ensureAccessList.js";
+import { ensureCurrentIpInAccessList } from "../../../common/atlas/accessListUtils.js";
 
 export class CreateFreeClusterTool extends AtlasToolBase {
     public name = "atlas-create-free-cluster";

tests/integration/tools/atlas/accessLists.test.ts

@@ -1,7 +1,7 @@
 import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { describeWithAtlas, withProject } from "./atlasHelpers.js";
 import { expectDefined } from "../../helpers.js";
-import { ensureCurrentIpInAccessList } from "../../../../src/common/atlas/ensureAccessList.js";
+import { ensureCurrentIpInAccessList } from "../../../../src/common/atlas/accessListUtils.js";
 
 function generateRandomIp() {
     const randomIp: number[] = [192];

tests/unit/accessListUtils.test.ts

@@ -0,0 +1,30 @@
+/* global jest */
+import { ApiClient } from "../../src/common/atlas/apiClient.js";
+import { ensureCurrentIpInAccessList } from "../../src/common/atlas/accessListUtils.js";
+import { jest } from "@jest/globals";
+
+describe("ensureCurrentIpInAccessList", () => {
+    it("should add the current IP to the access list", async () => {
+        const apiClient = {
+            getIpInfo: jest.fn().mockResolvedValue({ currentIpv4Address: "127.0.0.1" } as never),
+            createProjectIpAccessList: jest.fn().mockResolvedValue(undefined as never),
+        } as unknown as ApiClient;
+        await ensureCurrentIpInAccessList(apiClient, "projectId");
+        expect(apiClient.createProjectIpAccessList).toHaveBeenCalledWith({
+            params: { path: { groupId: "projectId" } },
+            body: [{ groupId: "projectId", ipAddress: "127.0.0.1", comment: "Added by MCP pre-run access list helper" }],
+        });
+    });
+
+    it("should not fail if the current IP is already in the access list", async () => {
+        const apiClient = {
+            getIpInfo: jest.fn().mockResolvedValue({ currentIpv4Address: "127.0.0.1" } as never),
+            createProjectIpAccessList: jest.fn().mockRejectedValue({ response: { status: 409 } } as never),
+        } as unknown as ApiClient;
+        await ensureCurrentIpInAccessList(apiClient, "projectId");
+        expect(apiClient.createProjectIpAccessList).toHaveBeenCalledWith({
+            params: { path: { groupId: "projectId" } },
+            body: [{ groupId: "projectId", ipAddress: "127.0.0.1", comment: "Added by MCP pre-run access list helper" }],
+        });
+    });
+});