Add auth to mongo db container

modules/mongodb/src/main/java/org/testcontainers/containers/MongoDBContainer.java

@@ -1,6 +1,8 @@
 package org.testcontainers.containers;
 
 import com.github.dockerjava.api.command.InspectContainerResponse;
+import lombok.Builder;
+import lombok.Getter;
 import lombok.NonNull;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
@@ -10,7 +12,7 @@
 import java.io.IOException;
 
 /**
- * Constructs a single node MongoDB replica set for testing transactions.
+ * Constructs a single node MongoDB replica set for testing transactions etc. Please, use MongoDBContainer's methods to construct a URL connection string.
  * <p>To construct a multi-node MongoDB cluster, consider the <a href="https://github.com/silaev/mongodb-replica-set/">mongodb-replica-set project on GitHub</a>
  * <p>Tested on a MongoDB version 4.0.10+ (that is the default version if not specified).
  */
@@ -27,7 +29,22 @@ public class MongoDBContainer extends GenericContainer<MongoDBContainer> {
 
     private static final int AWAIT_INIT_REPLICA_SET_ATTEMPTS = 60;
 
-    private static final String MONGODB_DATABASE_NAME_DEFAULT = "test";
+    static final String DEFAULT_DATABASE_NAME = "test";
+
+    private static final String DEFAULT_USER = "test";
+
+    private static final String DEFAULT_PASSWORD = "test";
+
+    static final String DEFAULT_AUTHENTICATION_DATABASE_NAME = "admin";
+
+    private static final String AUTHENTICATION_KEY_FILE_NAME = "keyFile.key";
+
+    private static final String AUTHENTICATION_KEY_FILE_NAME_CONTAINER_PATH =
+        "/usr/local/bin/" + AUTHENTICATION_KEY_FILE_NAME;
+
+    private String username = DEFAULT_USER;
+
+    private String password = DEFAULT_PASSWORD;
 
     /**
      * @deprecated use {@link MongoDBContainer(DockerImageName)} instead
@@ -44,10 +61,40 @@ public MongoDBContainer(@NonNull final String dockerImageName) {
     public MongoDBContainer(final DockerImageName dockerImageName) {
         super(dockerImageName);
         dockerImageName.assertCompatibleWith(DEFAULT_IMAGE_NAME);
-
         withExposedPorts(MONGODB_INTERNAL_PORT);
-        withCommand("--replSet", "docker-rs");
-        waitingFor(Wait.forLogMessage("(?i).*waiting for connections.*", 1));
+        withClasspathResourceMapping(
+            AUTHENTICATION_KEY_FILE_NAME,
+            AUTHENTICATION_KEY_FILE_NAME_CONTAINER_PATH,
+            BindMode.READ_ONLY
+        );
+        waitingFor(Wait.forLogMessage("(?i).*waiting for connections.*", 2));
+    }
+
+    @Override
+    protected void configure() {
+        addEnv("MONGO_INITDB_ROOT_USERNAME", this.username);
+        addEnv("MONGO_INITDB_ROOT_PASSWORD", this.password);
+        withCreateContainerCmdModifier(it -> it.withEntrypoint("bash"));
+        setCommand(
+            "-c",
+            "chown mongodb " +
+            AUTHENTICATION_KEY_FILE_NAME_CONTAINER_PATH +
+            ";chmod 400 " +
+            AUTHENTICATION_KEY_FILE_NAME_CONTAINER_PATH +
+            ";/usr/local/bin/docker-entrypoint.sh --keyFile " +
+            AUTHENTICATION_KEY_FILE_NAME_CONTAINER_PATH +
+            " --replSet docker-rs"
+        );
+    }
+
+    public MongoDBContainer withUsername(final String username) {
+        this.username = username;
+        return self();
+    }
+
+    public MongoDBContainer withPassword(final String password) {
+        this.password = password;
+        return self();
     }
 
     /**
@@ -56,16 +103,18 @@ public MongoDBContainer(final DockerImageName dockerImageName) {
      * @return a connection url pointing to a mongodb instance
      */
     public String getConnectionString() {
-        return String.format("mongodb://%s:%d", getHost(), getMappedPort(MONGODB_INTERNAL_PORT));
+        return constructConnectionString(
+            ConnectionString.builder().username(this.username).password(this.password).build()
+        );
     }
 
     /**
-     * Gets a replica set url for the default {@value #MONGODB_DATABASE_NAME_DEFAULT} database.
+     * Gets a replica set url for the default {@value #DEFAULT_DATABASE_NAME} database.
      *
      * @return a replica set url.
      */
     public String getReplicaSetUrl() {
-        return getReplicaSetUrl(MONGODB_DATABASE_NAME_DEFAULT);
+        return getReplicaSetUrl(ConnectionString.builder().username(this.username).password(this.password).build());
     }
 
     /**
@@ -78,7 +127,27 @@ public String getReplicaSetUrl(final String databaseName) {
         if (!isRunning()) {
             throw new IllegalStateException("MongoDBContainer should be started first");
         }
-        return getConnectionString() + "/" + databaseName;
+        return constructConnectionString(
+            ConnectionString
+                .builder()
+                .databaseName(databaseName)
+                .username(this.username)
+                .password(this.password)
+                .build()
+        );
+    }
+
+    /**
+     * Gets a replica set url for a provided {@link org.testcontainers.containers.MongoDBContainer.ConnectionString}.
+     *
+     * @param connectionString an object describing a connection string.
+     * @return a replica set url.
+     */
+    public String getReplicaSetUrl(final ConnectionString connectionString) {
+        if (!isRunning()) {
+            throw new IllegalStateException("MongoDBContainer should be started first");
+        }
+        return constructConnectionString(connectionString);
     }
 
     @Override
@@ -91,10 +160,25 @@ protected void containerIsStarted(InspectContainerResponse containerInfo, boolea
     }
 
     private String[] buildMongoEvalCommand(final String command) {
+        final String authOptions =
+            " -u " +
+            this.username +
+            " -p " +
+            this.password +
+            " --authenticationDatabase " +
+            DEFAULT_AUTHENTICATION_DATABASE_NAME;
         return new String[] {
             "sh",
             "-c",
-            "mongosh mongo --eval \"" + command + "\"  || mongo --eval \"" + command + "\"",
+            "mongosh " +
+            authOptions +
+            " --eval \"" +
+            command +
+            "\"  || mongo " +
+            authOptions +
+            " --eval \"" +
+            command +
+            "\"",
         };
     }
 
@@ -149,6 +233,18 @@ private void initReplicaSet() {
         checkMongoNodeExitCodeAfterWaiting(execResultWaitForMaster);
     }
 
+    private String constructConnectionString(final ConnectionString connectionString) {
+        return String.format(
+            "mongodb://%s:%s@%s:%d/%s?authSource=%s",
+            connectionString.getUsername(),
+            connectionString.getPassword(),
+            getHost(),
+            getMappedPort(MONGODB_INTERNAL_PORT),
+            connectionString.getDatabaseName(),
+            DEFAULT_AUTHENTICATION_DATABASE_NAME
+        );
+    }
+
     public static class ReplicaSetInitializationException extends RuntimeException {
 
         ReplicaSetInitializationException(final String errorMessage) {
@@ -164,4 +260,16 @@ private boolean isReplicationSetAlreadyInitialized() {
         );
         return execCheckRsInit.getExitCode() == CONTAINER_EXIT_CODE_OK;
     }
+
+    @Builder
+    @Getter
+    public static class ConnectionString {
+
+        @Builder.Default
+        private final String databaseName = DEFAULT_DATABASE_NAME;
+
+        private final String username;
+
+        private final String password;
+    }
 }

modules/mongodb/src/main/resources/keyFile.key

@@ -0,0 +1,16 @@
+privateOldE8+8pPloNORolrRpGU6E6Ps8rh6GAcThtIfnh0Nfiy+fGvROwqlEtFmAY4Xb6
+aDjb/cFoYSNIxh5DZaBD4hmllCkoAAl15WDKWEv+ELxj124KiyuzJUbu50iXYG+/
+g6oWzElAdnckXCj+9CVhuw1dq9LgaIOd3n7NsrKK4rG7BgrdRl3HSpexBgd4WPva
+jtIcvg+eKBvUysACGSpCubFQa1VoRiU7G0h5TYPXVBpmvN7cFHKANNKyggDPKlih
+SfnMuXPGaecBm9UkmpHJoPUuzrE5wXStbho6SQzlbSBoxxgOCAHaAPtn7d3scP1i
+lk8hoIyNjbq37D2b15VP9+JxBgkqywjcm3Z7D5m+NSI22xYD44kNBxvAIFUtE1RS
+qgTFizA2ORb73TGfhhy2vuIJdsn97dZAMFOayiJvdzyIQJ9027d5eAVUE/U9UQjP
+7BrHrJ+iV+PwggmIvwXDjFP7n0gs6tGmghfG/13y3lwpD+Xs84hcEbXitdns+8dE
+lpnTkqUpGMexeuEuL4O5yfX46mVyT6+qvD+jb6y5oB1ydP/n3dmuWfoE3hv2rvVn
+pFbPzuTF2mvIj0HTTmkNBCBh8Rq7McZ2vNW5nx3jdf8A+ICw6O9KlkemhHORIsIY
+/HbsL1xjPs+gizMOddFwgfLovkQ9Oap7fAed+yl8JxqTWe5OMHZCDxyssZEOscnZ
+xSWEXKWsWv2LLqtIdc++ZqrkvMWHNVqILcpe2upb7DbCVMjrsv5htXrYL7lgaItm
+MpyP20q4ut7ja0YRwPITJyHNacJygAE/TViTL3K1JNXKHXCLWfIHGkVhYzc/9uv7
+0nu5el6crurO57rQFC3T14huEQvouZl9SmHflkBFF7/kQeAJj10bmZWYae8mhdhb
+zaJ2tUcsEgxEaZGrVK4f1NRAwBBY5t5AZMwLcYyIY1F1YZxw2BmrnPqr3GgSCcQ5
+eMo3u9jKXXYJ6Eb3xwNpFXaGFPS1TmTK9y1CU8fXfDOsr7ln

modules/mongodb/src/test/java/org/testcontainers/containers/MongoDBContainerTest.java

@@ -1,5 +1,8 @@
 package org.testcontainers.containers;
 
+import com.mongodb.BasicDBObject;
+import com.mongodb.ConnectionString;
+import com.mongodb.MongoCommandException;
 import com.mongodb.ReadConcern;
 import com.mongodb.ReadPreference;
 import com.mongodb.TransactionOptions;
@@ -8,12 +11,17 @@
 import com.mongodb.client.MongoClient;
 import com.mongodb.client.MongoClients;
 import com.mongodb.client.MongoCollection;
+import com.mongodb.client.MongoDatabase;
 import com.mongodb.client.TransactionBody;
 import org.bson.Document;
 import org.junit.Test;
 import org.testcontainers.utility.DockerImageName;
 
+import java.util.Collections;
+import java.util.Objects;
+
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 public class MongoDBContainerTest {
 
@@ -98,7 +106,8 @@ public void shouldTestDatabaseName() {
         try (final MongoDBContainer mongoDBContainer = new MongoDBContainer(DockerImageName.parse("mongo:4.0.10"))) {
             mongoDBContainer.start();
             final String databaseName = "my-db";
-            assertThat(mongoDBContainer.getReplicaSetUrl(databaseName)).endsWith(databaseName);
+            assertThat(databaseName)
+                .isEqualTo(new ConnectionString(mongoDBContainer.getReplicaSetUrl(databaseName)).getDatabase());
         }
     }
 
@@ -109,4 +118,73 @@ public void supportsMongoDB_6() {
             executeTx(mongoDBContainer);
         }
     }
+
+    @Test
+    public void shouldTestAuthenticationAccessControl() {
+        final String usernameFullAccess = "my-name";
+        final String passwordFullAccess = "my-pass";
+        try (
+            final MongoDBContainer mongoDBContainer = new MongoDBContainer(DockerImageName.parse("mongo:4.4"))
+                .withUsername(usernameFullAccess)
+                .withPassword(passwordFullAccess)
+        ) {
+            mongoDBContainer.start();
+            final ConnectionString connectionStringFullAccess = new ConnectionString(
+                mongoDBContainer.getReplicaSetUrl()
+            );
+            try (final MongoClient mongoSyncClientFullAccess = MongoClients.create(connectionStringFullAccess)) {
+                final MongoDatabase adminDatabase = mongoSyncClientFullAccess.getDatabase(
+                    MongoDBContainer.DEFAULT_AUTHENTICATION_DATABASE_NAME
+                );
+                final MongoDatabase testDatabaseFullAccess = mongoSyncClientFullAccess.getDatabase(
+                    MongoDBContainer.DEFAULT_DATABASE_NAME
+                );
+                final String collectionName = "my-collection";
+                final Document document1 = new Document("abc", 1);
+                testDatabaseFullAccess.getCollection(collectionName).insertOne(document1);
+                final String usernameRestrictedAccess = usernameFullAccess + "-restricted";
+                final String passwordRestrictedAccess = passwordFullAccess + "-restricted";
+                runCommand(
+                    adminDatabase,
+                    new BasicDBObject("createUser", usernameRestrictedAccess).append("pwd", passwordRestrictedAccess),
+                    "read"
+                );
+                try (
+                    final MongoClient mongoSyncRestrictedAccess = MongoClients.create(
+                        mongoDBContainer.getReplicaSetUrl(
+                            MongoDBContainer.ConnectionString
+                                .builder()
+                                .username(usernameRestrictedAccess)
+                                .password(passwordRestrictedAccess)
+                                .build()
+                        )
+                    )
+                ) {
+                    final MongoCollection<Document> collection = mongoSyncRestrictedAccess
+                        .getDatabase(MongoDBContainer.DEFAULT_DATABASE_NAME)
+                        .getCollection(collectionName);
+                    assertThat(collection.find().first()).isEqualTo(document1);
+                    final Document document2 = new Document("abc", 2);
+                    assertThatThrownBy(() -> collection.insertOne(document2)).isInstanceOf(MongoCommandException.class);
+                    runCommand(adminDatabase, new BasicDBObject("updateUser", usernameRestrictedAccess), "readWrite");
+                    collection.insertOne(document2);
+                    assertThat(collection.countDocuments()).isEqualTo(2);
+                    assertThat(connectionStringFullAccess.getUsername()).isEqualTo(usernameFullAccess);
+                    assertThat(new String(Objects.requireNonNull(connectionStringFullAccess.getPassword())))
+                        .isEqualTo(passwordFullAccess);
+                }
+            }
+        }
+    }
+
+    private void runCommand(MongoDatabase adminDatabase, BasicDBObject command, String role) {
+        adminDatabase.runCommand(
+            command.append(
+                "roles",
+                Collections.singletonList(
+                    new BasicDBObject("role", role).append("db", MongoDBContainer.DEFAULT_DATABASE_NAME)
+                )
+            )
+        );
+    }
 }