MongoDB: support username/password credentials

stscoundrel · stscoundrel · commit 3a4dfd7be899 · 2025-04-20T11:46:04.000+03:00
Previously MongoDB did not support passing credentials, although the underlying image does support them. However, as the current container implementation always sets up replication, auth gets a bit more complicated. A keyfile neds to be generated and a wait needs to be added for auth setup. In future major version, it would make sense to drop the automatic replication from constructor and move it to option like withReplication Closes testcontainers#988
diff --git a/packages/modules/mongodb/src/keyfile.ts b/packages/modules/mongodb/src/keyfile.ts
@@ -0,0 +1,14 @@
+import * as crypto from "crypto";
+import * as fs from "fs";
+import os from "os";
+import * as path from "path";
+
+export default function createKeyfile(): string {
+  const key = crypto.randomBytes(756).toString("base64"); // MongoDB requires at least 6 characters
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "mongo-keyfile-"));
+  const keyfilePath = path.join(tmpDir, "keyfile");
+
+  fs.writeFileSync(keyfilePath, key, { mode: 0o600 }); // Must be chmod 600
+
+  return keyfilePath;
+}
diff --git a/packages/modules/mongodb/src/mongodb-container.test.ts b/packages/modules/mongodb/src/mongodb-container.test.ts
@@ -61,4 +61,56 @@ describe("MongodbContainer", { timeout: 240_000 }, () => {
     await mongodbContainer.stop();
   });
   // }
+
+  it("uses custom credentials (Mongo4, old commands)", async () => {
+    const mongodbContainer = await new MongoDBContainer("mongo:4.0.1")
+      .withUsername("CustomUserName")
+      .withPassword("CustomPassword")
+      .start();
+
+    const db = mongoose.createConnection(mongodbContainer.getConnectionString(), { directConnection: true });
+
+    const fooCollection = db.collection("foo");
+    const obj = { value: 1 };
+
+    const session = await db.startSession();
+    await session.withTransaction(async () => {
+      await fooCollection.insertOne(obj);
+    });
+
+    expect(
+      await fooCollection.findOne({
+        value: 1,
+      })
+    ).toEqual(obj);
+
+    await mongoose.disconnect();
+    await mongodbContainer.stop();
+  });
+
+  it("uses custom credentials (Mongo8, new commands)", async () => {
+    const mongodbContainer = await new MongoDBContainer("mongo:8.0.8")
+      .withUsername("CustomUserName")
+      .withPassword("CustomPassword")
+      .start();
+
+    const db = mongoose.createConnection(mongodbContainer.getConnectionString(), { directConnection: true });
+
+    const fooCollection = db.collection("foo");
+    const obj = { value: 1 };
+
+    const session = await db.startSession();
+    await session.withTransaction(async () => {
+      await fooCollection.insertOne(obj);
+    });
+
+    expect(
+      await fooCollection.findOne({
+        value: 1,
+      })
+    ).toEqual(obj);
+
+    await mongoose.disconnect();
+    await mongodbContainer.stop();
+  });
 });
diff --git a/packages/modules/mongodb/src/mongodb-container.ts b/packages/modules/mongodb/src/mongodb-container.ts
@@ -1,8 +1,13 @@
 import { AbstractStartedContainer, ExecResult, GenericContainer, StartedTestContainer, Wait } from "testcontainers";
+import createKeyfile from "./keyfile";
 
 const MONGODB_PORT = 27017;
 
 export class MongoDBContainer extends GenericContainer {
+  private username: string | null = null;
+  private password: string | null = null;
+  private keyfilePath: string | null = null;
+
   constructor(image = "mongo:4.0.1") {
     super(image);
     this.withExposedPorts(MONGODB_PORT)
@@ -11,16 +16,46 @@ export class MongoDBContainer extends GenericContainer {
       .withStartupTimeout(120_000);
   }
 
+  public withUsername(username: string): this {
+    this.username = username;
+    return this;
+  }
+
+  public withPassword(rootPassword: string): this {
+    this.password = rootPassword;
+    return this;
+  }
+
   public override async start(): Promise<StartedMongoDBContainer> {
-    return new StartedMongoDBContainer(await super.start());
+    if (this.username && this.password) {
+      this.keyfilePath = createKeyfile();
+      const containerKeyfilePath = "/etc/mongo-keyfile";
+      this.withBindMounts([
+        {
+          source: this.keyfilePath,
+          target: containerKeyfilePath,
+          mode: "ro",
+        },
+      ]);
+      this.withCommand(["--replSet", "rs0", "--keyFile", containerKeyfilePath, "--bind_ip_all"]);
+      this.withEnvironment({ MONGO_INITDB_ROOT_USERNAME: this.username, MONGO_INITDB_ROOT_PASSWORD: this.password });
+    }
+
+    return new StartedMongoDBContainer(await super.start(), this.username, this.password);
   }
 
   protected override async containerStarted(startedTestContainer: StartedTestContainer): Promise<void> {
+    if (this.username && this.password) {
+      await this.waitForRootUser(startedTestContainer);
+    }
     await this.initReplicaSet(startedTestContainer);
   }
 
   private async initReplicaSet(startedTestContainer: StartedTestContainer) {
-    await this.executeMongoEvalCommand(startedTestContainer, "rs.initiate();");
+    await this.executeMongoEvalCommand(
+      startedTestContainer,
+      "rs.initiate({ _id: 'rs0', members: [ { _id: 0, host: '127.0.0.1:27017' } ] });"
+    );
     await this.executeMongoEvalCommand(startedTestContainer, this.buildMongoWaitCommand());
   }
 
@@ -30,7 +65,25 @@ export class MongoDBContainer extends GenericContainer {
   }
 
   private buildMongoEvalCommand(command: string) {
-    return [this.getMongoCmdBasedOnImageTag(), "--eval", command];
+    const cmd = [this.getMongoCmdBasedOnImageTag()];
+
+    if (this.username && this.password) {
+      cmd.push(
+        "admin",
+        "--port",
+        MONGODB_PORT.toString(),
+        "-u",
+        this.username,
+        "-p",
+        this.password,
+        "--authenticationDatabase",
+        "admin"
+      );
+    }
+
+    cmd.push("--eval", command);
+
+    return cmd;
   }
 
   private getMongoCmdBasedOnImageTag() {
@@ -44,6 +97,20 @@ export class MongoDBContainer extends GenericContainer {
     }
   }
 
+  private async waitForRootUser(startedTestContainer: StartedTestContainer) {
+    const checkCommand = this.buildMongoEvalCommand("db.runCommand({ connectionStatus: 1 })");
+
+    for (let i = 0; i < 30; i++) {
+      const result = await startedTestContainer.exec(checkCommand);
+      if (result.exitCode === 0 && result.output.includes(`${this.username}`)) {
+        return;
+      }
+      await new Promise((res) => setTimeout(res, 1000));
+    }
+
+    throw new Error("Root user not ready after 30s");
+  }
+
   private buildMongoWaitCommand() {
     return `
     var attempt = 0;
@@ -58,11 +125,19 @@ export class MongoDBContainer extends GenericContainer {
 }
 
 export class StartedMongoDBContainer extends AbstractStartedContainer {
-  constructor(startedTestContainer: StartedTestContainer) {
+  constructor(
+    startedTestContainer: StartedTestContainer,
+    private readonly username: string | null,
+    private readonly password: string | null
+  ) {
     super(startedTestContainer);
   }
 
   public getConnectionString(): string {
+    if (this.username !== null && this.password !== null) {
+      return `mongodb://${this.username}:${this.password}@${this.getHost()}:${this.getMappedPort(MONGODB_PORT)}`;
+    }
+
     return `mongodb://${this.getHost()}:${this.getMappedPort(MONGODB_PORT)}`;
   }
 }
