github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-10 07:58:15 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4889 from Infisical/feature/mongodb-secret-rotation

Browse Source 
feature(secret-rotation): add mongodb app connection and secret rotation
This commit is contained in:
Victor Hugo dos Santos
2025-12-08 18:48:43 -03:00
committed by GitHub
parent 8c7c36e989 8c3b36f15c
commit 29eaa64a1b
64 changed files with 1447 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/src/ee/routes/v2/secret-rotation-v2-routers/index.ts
View File

@@ -4,6 +4,7 @@ import { registerAuth0ClientSecretRotationRouter } from "./auth0-client-secret-r
import { registerAwsIamUserSecretRotationRouter } from "./aws-iam-user-secret-rotation-router";
import { registerAzureClientSecretRotationRouter } from "./azure-client-secret-rotation-router";
import { registerLdapPasswordRotationRouter } from "./ldap-password-rotation-router";
import { registerMongoDBCredentialsRotationRouter } from "./mongodb-credentials-rotation-router";
import { registerMsSqlCredentialsRotationRouter } from "./mssql-credentials-rotation-router";
import { registerMySqlCredentialsRotationRouter } from "./mysql-credentials-rotation-router";
import { registerOktaClientSecretRotationRouter } from "./okta-client-secret-rotation-router";
@@ -26,5 +27,6 @@ export const SECRET_ROTATION_REGISTER_ROUTER_MAP: Record<
[SecretRotation.AwsIamUserSecret]: registerAwsIamUserSecretRotationRouter,
[SecretRotation.LdapPassword]: registerLdapPasswordRotationRouter,
[SecretRotation.OktaClientSecret]: registerOktaClientSecretRotationRouter,
[SecretRotation.RedisCredentials]: registerRedisCredentialsRotationRouter
[SecretRotation.RedisCredentials]: registerRedisCredentialsRotationRouter,
[SecretRotation.MongoDBCredentials]: registerMongoDBCredentialsRotationRouter
};

19
backend/src/ee/routes/v2/secret-rotation-v2-routers/mongodb-credentials-rotation-router.ts Normal file
View File

@@ -0,0 +1,19 @@
import {
CreateMongoDBCredentialsRotationSchema,
MongoDBCredentialsRotationGeneratedCredentialsSchema,
MongoDBCredentialsRotationSchema,
UpdateMongoDBCredentialsRotationSchema
} from "@app/ee/services/secret-rotation-v2/mongodb-credentials";
import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
import { registerSecretRotationEndpoints } from "./secret-rotation-v2-endpoints";
export const registerMongoDBCredentialsRotationRouter = async (server: FastifyZodProvider) =>
registerSecretRotationEndpoints({
type: SecretRotation.MongoDBCredentials,
server,
responseSchema: MongoDBCredentialsRotationSchema,
createSchema: CreateMongoDBCredentialsRotationSchema,
updateSchema: UpdateMongoDBCredentialsRotationSchema,
generatedCredentialsSchema: MongoDBCredentialsRotationGeneratedCredentialsSchema
});

4
backend/src/ee/routes/v2/secret-rotation-v2-routers/secret-rotation-v2-router.ts
View File

@@ -5,6 +5,7 @@ import { Auth0ClientSecretRotationListItemSchema } from "@app/ee/services/secret
import { AwsIamUserSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
import { AzureClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
import { LdapPasswordRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
import { MongoDBCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mongodb-credentials";
import { MsSqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
import { MySqlCredentialsRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
import { OktaClientSecretRotationListItemSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
@@ -27,7 +28,8 @@ const SecretRotationV2OptionsSchema = z.discriminatedUnion("type", [
AwsIamUserSecretRotationListItemSchema,
LdapPasswordRotationListItemSchema,
OktaClientSecretRotationListItemSchema,
RedisCredentialsRotationListItemSchema
RedisCredentialsRotationListItemSchema,
MongoDBCredentialsRotationListItemSchema
]);
export const registerSecretRotationV2Router = async (server: FastifyZodProvider) => {

4
backend/src/ee/services/secret-rotation-v2/mongodb-credentials/index.ts Normal file
View File

@@ -0,0 +1,4 @@
export * from "./mongodb-credentials-rotation-constants";
export * from "./mongodb-credentials-rotation-fns";
export * from "./mongodb-credentials-rotation-schemas";
export * from "./mongodb-credentials-rotation-types";

27
backend/src/ee/services/secret-rotation-v2/mongodb-credentials/mongodb-credentials-rotation-constants.ts Normal file
View File

@@ -0,0 +1,27 @@
import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
import { TSecretRotationV2ListItem } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
export const MONGODB_CREDENTIALS_ROTATION_LIST_OPTION: TSecretRotationV2ListItem = {
name: "MongoDB Credentials",
type: SecretRotation.MongoDBCredentials,
connection: AppConnection.MongoDB,
template: {
createUserStatement: `use [DATABASE_NAME]
db.createUser({
user: "infisical_user_1",
pwd: "temporary_password",
roles: [{ role: "readWrite", db: "[DATABASE_NAME]" }]
})
db.createUser({
user: "infisical_user_2",
pwd: "temporary_password",
roles: [{ role: "readWrite", db: "[DATABASE_NAME]" }]
})`,
secretsMapping: {
username: "MONGODB_DB_USERNAME",
password: "MONGODB_DB_PASSWORD"
}
}
};

191
backend/src/ee/services/secret-rotation-v2/mongodb-credentials/mongodb-credentials-rotation-fns.ts Normal file
View File

@@ -0,0 +1,191 @@
/* eslint-disable no-await-in-loop */
import { MongoClient } from "mongodb";
import {
TRotationFactory,
TRotationFactoryGetSecretsPayload,
TRotationFactoryIssueCredentials,
TRotationFactoryRevokeCredentials,
TRotationFactoryRotateCredentials
} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-types";
import { createMongoClient } from "@app/services/app-connection/mongodb/mongodb-connection-fns";
import { DEFAULT_PASSWORD_REQUIREMENTS, generatePassword } from "../shared/utils";
import {
TMongoDBCredentialsRotationGeneratedCredentials,
TMongoDBCredentialsRotationWithConnection
} from "./mongodb-credentials-rotation-types";
const redactPasswords = (e: unknown, credentials: TMongoDBCredentialsRotationGeneratedCredentials) => {
const error = e as Error;
if (!error?.message) return "Unknown error";
let redactedMessage = error.message;
credentials.forEach(({ password }) => {
redactedMessage = redactedMessage.replaceAll(password, "*******************");
});
return redactedMessage;
};
export const mongodbCredentialsRotationFactory: TRotationFactory<
TMongoDBCredentialsRotationWithConnection,
TMongoDBCredentialsRotationGeneratedCredentials
> = (secretRotation) => {
const {
connection,
parameters: { username1, username2 },
activeIndex,
secretsMapping
} = secretRotation;
const passwordRequirement = DEFAULT_PASSWORD_REQUIREMENTS;
const $getClient = async () => {
let client: MongoClient | null = null;
try {
client = await createMongoClient(connection.credentials, { validateConnection: true });
return client;
} catch (err) {
if (client) await client.close();
throw err;
}
};
const $validateCredentials = async (credentials: TMongoDBCredentialsRotationGeneratedCredentials[number]) => {
let client: MongoClient | null = null;
try {
client = await createMongoClient(connection.credentials, {
authCredentials: {
username: credentials.username,
password: credentials.password
},
validateConnection: true
});
} catch (error) {
throw new Error(redactPasswords(error, [credentials]));
} finally {
if (client) await client.close();
}
};
const issueCredentials: TRotationFactoryIssueCredentials<TMongoDBCredentialsRotationGeneratedCredentials> = async (
callback
) => {
// For MongoDB, since we get existing users, we change both their passwords
// on issue to invalidate their existing passwords
const credentialsSet = [
{ username: username1, password: generatePassword(passwordRequirement) },
{ username: username2, password: generatePassword(passwordRequirement) }
];
let client: MongoClient | null = null;
try {
client = await $getClient();
const db = client.db(connection.credentials.database);
for (const credentials of credentialsSet) {
await db.command({
updateUser: credentials.username,
pwd: credentials.password
});
}
} catch (error) {
throw new Error(redactPasswords(error, credentialsSet));
} finally {
if (client) await client.close();
}
for (const credentials of credentialsSet) {
await $validateCredentials(credentials);
}
return callback(credentialsSet[0]);
};
const revokeCredentials: TRotationFactoryRevokeCredentials<TMongoDBCredentialsRotationGeneratedCredentials> = async (
credentialsToRevoke,
callback
) => {
const revokedCredentials = credentialsToRevoke.map(({ username }) => ({
username,
password: generatePassword(passwordRequirement)
}));
let client: MongoClient | null = null;
try {
client = await $getClient();
const db = client.db(connection.credentials.database);
for (const credentials of revokedCredentials) {
await db.command({
updateUser: credentials.username,
pwd: credentials.password
});
}
} catch (error) {
throw new Error(redactPasswords(error, revokedCredentials));
} finally {
if (client) await client.close();
}
return callback();
};
const rotateCredentials: TRotationFactoryRotateCredentials<TMongoDBCredentialsRotationGeneratedCredentials> = async (
_,
callback
) => {
const credentials = {
username: activeIndex === 0 ? username2 : username1,
password: generatePassword(passwordRequirement)
};
let client: MongoClient | null = null;
try {
client = await $getClient();
const db = client.db(connection.credentials.database);
await db.command({
updateUser: credentials.username,
pwd: credentials.password
});
} catch (error) {
throw new Error(redactPasswords(error, [credentials]));
} finally {
if (client) await client.close();
}
await $validateCredentials(credentials);
return callback(credentials);
};
const getSecretsPayload: TRotationFactoryGetSecretsPayload<TMongoDBCredentialsRotationGeneratedCredentials> = (
generatedCredentials
) => {
const { username, password } = secretsMapping;
const secrets = [
{
key: username,
value: generatedCredentials.username
},
{
key: password,
value: generatedCredentials.password
}
];
return secrets;
};
return {
issueCredentials,
revokeCredentials,
rotateCredentials,
getSecretsPayload
};
};

52
backend/src/ee/services/secret-rotation-v2/mongodb-credentials/mongodb-credentials-rotation-schemas.ts Normal file
View File

@@ -0,0 +1,52 @@
import { z } from "zod";
import { SecretRotation } from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-enums";
import {
BaseCreateSecretRotationSchema,
BaseSecretRotationSchema,
BaseUpdateSecretRotationSchema
} from "@app/ee/services/secret-rotation-v2/secret-rotation-v2-schemas";
import {
SqlCredentialsRotationGeneratedCredentialsSchema,
SqlCredentialsRotationParametersSchema,
SqlCredentialsRotationTemplateSchema
} from "@app/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-schemas";
import { SecretRotations } from "@app/lib/api-docs";
import { SecretNameSchema } from "@app/server/lib/schemas";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
export const MongoDBCredentialsRotationGeneratedCredentialsSchema = SqlCredentialsRotationGeneratedCredentialsSchema;
export const MongoDBCredentialsRotationParametersSchema = SqlCredentialsRotationParametersSchema;
export const MongoDBCredentialsRotationTemplateSchema = SqlCredentialsRotationTemplateSchema;
const MongoDBCredentialsRotationSecretsMappingSchema = z.object({
username: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.MONGODB_CREDENTIALS.username),
password: SecretNameSchema.describe(SecretRotations.SECRETS_MAPPING.MONGODB_CREDENTIALS.password)
});
export const MongoDBCredentialsRotationSchema = BaseSecretRotationSchema(SecretRotation.MongoDBCredentials).extend({
type: z.literal(SecretRotation.MongoDBCredentials),
parameters: MongoDBCredentialsRotationParametersSchema,
secretsMapping: MongoDBCredentialsRotationSecretsMappingSchema
});
export const CreateMongoDBCredentialsRotationSchema = BaseCreateSecretRotationSchema(
SecretRotation.MongoDBCredentials
).extend({
parameters: MongoDBCredentialsRotationParametersSchema,
secretsMapping: MongoDBCredentialsRotationSecretsMappingSchema
});
export const UpdateMongoDBCredentialsRotationSchema = BaseUpdateSecretRotationSchema(
SecretRotation.MongoDBCredentials
).extend({
parameters: MongoDBCredentialsRotationParametersSchema.optional(),
secretsMapping: MongoDBCredentialsRotationSecretsMappingSchema.optional()
});
export const MongoDBCredentialsRotationListItemSchema = z.object({
name: z.literal("MongoDB Credentials"),
connection: z.literal(AppConnection.MongoDB),
type: z.literal(SecretRotation.MongoDBCredentials),
template: MongoDBCredentialsRotationTemplateSchema
});

24
backend/src/ee/services/secret-rotation-v2/mongodb-credentials/mongodb-credentials-rotation-types.ts Normal file
View File

@@ -0,0 +1,24 @@
import { z } from "zod";
import { TMongoDBConnection } from "@app/services/app-connection/mongodb";
import {
CreateMongoDBCredentialsRotationSchema,
MongoDBCredentialsRotationGeneratedCredentialsSchema,
MongoDBCredentialsRotationListItemSchema,
MongoDBCredentialsRotationSchema
} from "./mongodb-credentials-rotation-schemas";
export type TMongoDBCredentialsRotation = z.infer<typeof MongoDBCredentialsRotationSchema>;
export type TMongoDBCredentialsRotationInput = z.infer<typeof CreateMongoDBCredentialsRotationSchema>;
export type TMongoDBCredentialsRotationListItem = z.infer<typeof MongoDBCredentialsRotationListItemSchema>;
export type TMongoDBCredentialsRotationWithConnection = TMongoDBCredentialsRotation & {
connection: TMongoDBConnection;
};
export type TMongoDBCredentialsRotationGeneratedCredentials = z.infer<
typeof MongoDBCredentialsRotationGeneratedCredentialsSchema
>;

3
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-enums.ts
View File

@@ -8,7 +8,8 @@ export enum SecretRotation {
AwsIamUserSecret = "aws-iam-user-secret",
LdapPassword = "ldap-password",
OktaClientSecret = "okta-client-secret",
RedisCredentials = "redis-credentials"
RedisCredentials = "redis-credentials",
MongoDBCredentials = "mongodb-credentials"
}
export enum SecretRotationStatus {

4
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-fns.ts
View File

@@ -9,6 +9,7 @@ import { AUTH0_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./auth0-client-secret"
import { AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION } from "./aws-iam-user-secret";
import { AZURE_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./azure-client-secret";
import { LDAP_PASSWORD_ROTATION_LIST_OPTION, TLdapPasswordRotation } from "./ldap-password";
import { MONGODB_CREDENTIALS_ROTATION_LIST_OPTION } from "./mongodb-credentials";
import { MSSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mssql-credentials";
import { MYSQL_CREDENTIALS_ROTATION_LIST_OPTION } from "./mysql-credentials";
import { OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION } from "./okta-client-secret";
@@ -37,7 +38,8 @@ const SECRET_ROTATION_LIST_OPTIONS: Record<SecretRotation, TSecretRotationV2List
[SecretRotation.AwsIamUserSecret]: AWS_IAM_USER_SECRET_ROTATION_LIST_OPTION,
[SecretRotation.LdapPassword]: LDAP_PASSWORD_ROTATION_LIST_OPTION,
[SecretRotation.OktaClientSecret]: OKTA_CLIENT_SECRET_ROTATION_LIST_OPTION,
[SecretRotation.RedisCredentials]: REDIS_CREDENTIALS_ROTATION_LIST_OPTION
[SecretRotation.RedisCredentials]: REDIS_CREDENTIALS_ROTATION_LIST_OPTION,
[SecretRotation.MongoDBCredentials]: MONGODB_CREDENTIALS_ROTATION_LIST_OPTION
};
export const listSecretRotationOptions = () => {

6
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-maps.ts
View File

@@ -11,7 +11,8 @@ export const SECRET_ROTATION_NAME_MAP: Record<SecretRotation, string> = {
[SecretRotation.AwsIamUserSecret]: "AWS IAM User Secret",
[SecretRotation.LdapPassword]: "LDAP Password",
[SecretRotation.OktaClientSecret]: "Okta Client Secret",
[SecretRotation.RedisCredentials]: "Redis Credentials"
[SecretRotation.RedisCredentials]: "Redis Credentials",
[SecretRotation.MongoDBCredentials]: "MongoDB Credentials"
};
export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnection> = {
@@ -24,5 +25,6 @@ export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnectio
[SecretRotation.AwsIamUserSecret]: AppConnection.AWS,
[SecretRotation.LdapPassword]: AppConnection.LDAP,
[SecretRotation.OktaClientSecret]: AppConnection.Okta,
[SecretRotation.RedisCredentials]: AppConnection.Redis
[SecretRotation.RedisCredentials]: AppConnection.Redis,
[SecretRotation.MongoDBCredentials]: AppConnection.MongoDB
};

4
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts
View File

@@ -84,6 +84,7 @@ import { TSecretVersionV2TagDALFactory } from "@app/services/secret-v2-bridge/se
import { TGatewayV2ServiceFactory } from "../gateway-v2/gateway-v2-service";
import { awsIamUserSecretRotationFactory } from "./aws-iam-user-secret/aws-iam-user-secret-rotation-fns";
import { mongodbCredentialsRotationFactory } from "./mongodb-credentials/mongodb-credentials-rotation-fns";
import { oktaClientSecretRotationFactory } from "./okta-client-secret/okta-client-secret-rotation-fns";
import { redisCredentialsRotationFactory } from "./redis-credentials/redis-credentials-rotation-fns";
import { TSecretRotationV2DALFactory } from "./secret-rotation-v2-dal";
@@ -134,7 +135,8 @@ const SECRET_ROTATION_FACTORY_MAP: Record<SecretRotation, TRotationFactoryImplem
[SecretRotation.AwsIamUserSecret]: awsIamUserSecretRotationFactory as TRotationFactoryImplementation,
[SecretRotation.LdapPassword]: ldapPasswordRotationFactory as TRotationFactoryImplementation,
[SecretRotation.OktaClientSecret]: oktaClientSecretRotationFactory as TRotationFactoryImplementation,
[SecretRotation.RedisCredentials]: redisCredentialsRotationFactory as TRotationFactoryImplementation
[SecretRotation.RedisCredentials]: redisCredentialsRotationFactory as TRotationFactoryImplementation,
[SecretRotation.MongoDBCredentials]: mongodbCredentialsRotationFactory as TRotationFactoryImplementation
};
export const secretRotationV2ServiceFactory = ({

18
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-types.ts
View File

@@ -35,6 +35,12 @@ import {
TLdapPasswordRotationListItem,
TLdapPasswordRotationWithConnection
} from "./ldap-password";
import {
TMongoDBCredentialsRotation,
TMongoDBCredentialsRotationInput,
TMongoDBCredentialsRotationListItem,
TMongoDBCredentialsRotationWithConnection
} from "./mongodb-credentials";
import {
TMsSqlCredentialsRotation,
TMsSqlCredentialsRotationInput,
@@ -86,7 +92,8 @@ export type TSecretRotationV2 =
| TLdapPasswordRotation
| TAwsIamUserSecretRotation
| TOktaClientSecretRotation
| TRedisCredentialsRotation;
| TRedisCredentialsRotation
| TMongoDBCredentialsRotation;
export type TSecretRotationV2WithConnection =
| TPostgresCredentialsRotationWithConnection
@@ -98,7 +105,8 @@ export type TSecretRotationV2WithConnection =
| TLdapPasswordRotationWithConnection
| TAwsIamUserSecretRotationWithConnection
| TOktaClientSecretRotationWithConnection
| TRedisCredentialsRotationWithConnection;
| TRedisCredentialsRotationWithConnection
| TMongoDBCredentialsRotationWithConnection;
export type TSecretRotationV2GeneratedCredentials =
| TSqlCredentialsRotationGeneratedCredentials
@@ -119,7 +127,8 @@ export type TSecretRotationV2Input =
| TLdapPasswordRotationInput
| TAwsIamUserSecretRotationInput
| TOktaClientSecretRotationInput
| TRedisCredentialsRotationInput;
| TRedisCredentialsRotationInput
| TMongoDBCredentialsRotationInput;
export type TSecretRotationV2ListItem =
| TPostgresCredentialsRotationListItem
@@ -131,7 +140,8 @@ export type TSecretRotationV2ListItem =
| TLdapPasswordRotationListItem
| TAwsIamUserSecretRotationListItem
| TOktaClientSecretRotationListItem
| TRedisCredentialsRotationListItem;
| TRedisCredentialsRotationListItem
| TMongoDBCredentialsRotationListItem;
export type TSecretRotationV2TemporaryParameters = TLdapPasswordRotationInput["temporaryParameters"] | undefined;

4
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-union-schema.ts
View File

@@ -4,6 +4,7 @@ import { Auth0ClientSecretRotationSchema } from "@app/ee/services/secret-rotatio
import { AwsIamUserSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/aws-iam-user-secret";
import { AzureClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/azure-client-secret";
import { LdapPasswordRotationSchema } from "@app/ee/services/secret-rotation-v2/ldap-password";
import { MongoDBCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mongodb-credentials";
import { MsSqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mssql-credentials";
import { MySqlCredentialsRotationSchema } from "@app/ee/services/secret-rotation-v2/mysql-credentials";
import { OktaClientSecretRotationSchema } from "@app/ee/services/secret-rotation-v2/okta-client-secret";
@@ -21,5 +22,6 @@ export const SecretRotationV2Schema = z.discriminatedUnion("type", [
LdapPasswordRotationSchema,
AwsIamUserSecretRotationSchema,
OktaClientSecretRotationSchema,
RedisCredentialsRotationSchema
RedisCredentialsRotationSchema,
MongoDBCredentialsRotationSchema
]);

2
backend/src/ee/services/secret-rotation-v2/shared/sql-credentials/sql-credentials-rotation-fns.ts
View File

@@ -85,8 +85,6 @@ export const sqlCredentialsRotationFactory: TRotationFactory<
const issueCredentials: TRotationFactoryIssueCredentials<TSqlCredentialsRotationGeneratedCredentials> = async (
callback
) => {
// For SQL, since we get existing users, we change both their passwords
// on issue to invalidate their existing passwords
// For SQL, since we get existing users, we change both their passwords
// on issue to invalidate their existing passwords
const credentialsSet = [

10
backend/src/lib/api-docs/constants.ts
View File

@@ -2860,6 +2860,12 @@ export const SecretRotations = {
},
REDIS_CREDENTIALS: {
permissionScope: "The ACL permission scope to assign to the issued Redis users."
},
MONGODB_CREDENTIALS: {
username1:
"The username of the first MongoDB user to rotate passwords for. This user must already exist in your database.",
username2:
"The username of the second MongoDB user to rotate passwords for. This user must already exist in your database."
}
},
SECRETS_MAPPING: {
@@ -2890,6 +2896,10 @@ export const SecretRotations = {
OKTA_CLIENT_SECRET: {
clientId: "The name of the secret that the client ID will be mapped to.",
clientSecret: "The name of the secret that the rotated client secret will be mapped to."
},
MONGODB_CREDENTIALS: {
username: "The name of the secret that the active username will be mapped to.",
password: "The name of the secret that the generated password will be mapped to."
}
}
};

6
backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
View File

@@ -87,6 +87,10 @@ import {
SanitizedLaravelForgeConnectionSchema
} from "@app/services/app-connection/laravel-forge";
import { LdapConnectionListItemSchema, SanitizedLdapConnectionSchema } from "@app/services/app-connection/ldap";
import {
MongoDBConnectionListItemSchema,
SanitizedMongoDBConnectionSchema
} from "@app/services/app-connection/mongodb";
import { MsSqlConnectionListItemSchema, SanitizedMsSqlConnectionSchema } from "@app/services/app-connection/mssql";
import { MySqlConnectionListItemSchema, SanitizedMySqlConnectionSchema } from "@app/services/app-connection/mysql";
import {
@@ -173,6 +177,7 @@ const SanitizedAppConnectionSchema = z.union([
...SanitizedOktaConnectionSchema.options,
...SanitizedAzureADCSConnectionSchema.options,
...SanitizedRedisConnectionSchema.options,
...SanitizedMongoDBConnectionSchema.options,
...SanitizedLaravelForgeConnectionSchema.options,
...SanitizedChefConnectionSchema.options,
...SanitizedDNSMadeEasyConnectionSchema.options
@@ -219,6 +224,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
OktaConnectionListItemSchema,
AzureADCSConnectionListItemSchema,
RedisConnectionListItemSchema,
MongoDBConnectionListItemSchema,
LaravelForgeConnectionListItemSchema,
ChefConnectionListItemSchema,
DNSMadeEasyConnectionListItemSchema

2
backend/src/server/routes/v1/app-connection-routers/index.ts
View File

@@ -28,6 +28,7 @@ import { registerHerokuConnectionRouter } from "./heroku-connection-router";
import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
import { registerLaravelForgeConnectionRouter } from "./laravel-forge-connection-router";
import { registerLdapConnectionRouter } from "./ldap-connection-router";
import { registerMongoDBConnectionRouter } from "./mongodb-connection-router";
import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
import { registerMySqlConnectionRouter } from "./mysql-connection-router";
import { registerNetlifyConnectionRouter } from "./netlify-connection-router";
@@ -90,5 +91,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
[AppConnection.Northflank]: registerNorthflankConnectionRouter,
[AppConnection.Okta]: registerOktaConnectionRouter,
[AppConnection.Redis]: registerRedisConnectionRouter,
[AppConnection.MongoDB]: registerMongoDBConnectionRouter,
[AppConnection.Chef]: registerChefConnectionRouter
};

18
backend/src/server/routes/v1/app-connection-routers/mongodb-connection-router.ts Normal file
View File

@@ -0,0 +1,18 @@
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import {
CreateMongoDBConnectionSchema,
SanitizedMongoDBConnectionSchema,
UpdateMongoDBConnectionSchema
} from "@app/services/app-connection/mongodb";
import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
export const registerMongoDBConnectionRouter = async (server: FastifyZodProvider) => {
registerAppConnectionEndpoints({
app: AppConnection.MongoDB,
server,
sanitizedResponseSchema: SanitizedMongoDBConnectionSchema,
createSchema: CreateMongoDBConnectionSchema,
updateSchema: UpdateMongoDBConnectionSchema
});
};

1
backend/src/services/app-connection/app-connection-enums.ts
View File

@@ -39,6 +39,7 @@ export enum AppConnection {
Netlify = "netlify",
Okta = "okta",
Redis = "redis",
MongoDB = "mongodb",
LaravelForge = "laravel-forge",
Chef = "chef",
Northflank = "northflank"

7
backend/src/services/app-connection/app-connection-fns.ts
View File

@@ -119,6 +119,7 @@ import {
validateLaravelForgeConnectionCredentials
} from "./laravel-forge";
import { getLdapConnectionListItem, LdapConnectionMethod, validateLdapConnectionCredentials } from "./ldap";
import { getMongoDBConnectionListItem, MongoDBConnectionMethod, validateMongoDBConnectionCredentials } from "./mongodb";
import { getMsSqlConnectionListItem, MsSqlConnectionMethod } from "./mssql";
import { MySqlConnectionMethod } from "./mysql/mysql-connection-enums";
import { getMySqlConnectionListItem } from "./mysql/mysql-connection-fns";
@@ -224,6 +225,7 @@ export const listAppConnectionOptions = (projectType?: ProjectType) => {
getNorthflankConnectionListItem(),
getOktaConnectionListItem(),
getRedisConnectionListItem(),
getMongoDBConnectionListItem(),
getChefConnectionListItem()
]
.filter((option) => {
@@ -357,7 +359,8 @@ export const validateAppConnectionCredentials = async (
[AppConnection.Northflank]: validateNorthflankConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Okta]: validateOktaConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Chef]: validateChefConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.Redis]: validateRedisConnectionCredentials as TAppConnectionCredentialsValidator
[AppConnection.Redis]: validateRedisConnectionCredentials as TAppConnectionCredentialsValidator,
[AppConnection.MongoDB]: validateMongoDBConnectionCredentials as TAppConnectionCredentialsValidator
};
return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection, gatewayService, gatewayV2Service);
@@ -411,6 +414,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
case OracleDBConnectionMethod.UsernameAndPassword:
case AzureADCSConnectionMethod.UsernamePassword:
case RedisConnectionMethod.UsernameAndPassword:
case MongoDBConnectionMethod.UsernameAndPassword:
return "Username & Password";
case WindmillConnectionMethod.AccessToken:
case HCVaultConnectionMethod.AccessToken:
@@ -504,6 +508,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
[AppConnection.Northflank]: platformManagedCredentialsNotSupported,
[AppConnection.Okta]: platformManagedCredentialsNotSupported,
[AppConnection.Redis]: platformManagedCredentialsNotSupported,
[AppConnection.MongoDB]: platformManagedCredentialsNotSupported,
[AppConnection.LaravelForge]: platformManagedCredentialsNotSupported,
[AppConnection.Chef]: platformManagedCredentialsNotSupported
};

2
backend/src/services/app-connection/app-connection-maps.ts
View File

@@ -42,6 +42,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
[AppConnection.Netlify]: "Netlify",
[AppConnection.Okta]: "Okta",
[AppConnection.Redis]: "Redis",
[AppConnection.MongoDB]: "MongoDB",
[AppConnection.Chef]: "Chef",
[AppConnection.Northflank]: "Northflank"
};
@@ -88,6 +89,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
[AppConnection.Netlify]: AppConnectionPlanType.Regular,
[AppConnection.Okta]: AppConnectionPlanType.Regular,
[AppConnection.Redis]: AppConnectionPlanType.Regular,
[AppConnection.MongoDB]: AppConnectionPlanType.Regular,
[AppConnection.Chef]: AppConnectionPlanType.Enterprise,
[AppConnection.Northflank]: AppConnectionPlanType.Regular
};

2
backend/src/services/app-connection/app-connection-service.ts
View File

@@ -96,6 +96,7 @@ import { humanitecConnectionService } from "./humanitec/humanitec-connection-ser
import { ValidateLaravelForgeConnectionCredentialsSchema } from "./laravel-forge";
import { laravelForgeConnectionService } from "./laravel-forge/laravel-forge-connection-service";
import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
import { ValidateMongoDBConnectionCredentialsSchema } from "./mongodb";
import { ValidateMsSqlConnectionCredentialsSchema } from "./mssql";
import { ValidateMySqlConnectionCredentialsSchema } from "./mysql";
import { ValidateNetlifyConnectionCredentialsSchema } from "./netlify";
@@ -180,6 +181,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
[AppConnection.Northflank]: ValidateNorthflankConnectionCredentialsSchema,
[AppConnection.Okta]: ValidateOktaConnectionCredentialsSchema,
[AppConnection.Redis]: ValidateRedisConnectionCredentialsSchema,
[AppConnection.MongoDB]: ValidateMongoDBConnectionCredentialsSchema,
[AppConnection.Chef]: ValidateChefConnectionCredentialsSchema
};

10
backend/src/services/app-connection/app-connection-types.ts
View File

@@ -172,6 +172,12 @@ import {
TLdapConnectionInput,
TValidateLdapConnectionCredentialsSchema
} from "./ldap";
import {
TMongoDBConnection,
TMongoDBConnectionConfig,
TMongoDBConnectionInput,
TValidateMongoDBConnectionCredentialsSchema
} from "./mongodb";
import { TMsSqlConnection, TMsSqlConnectionInput, TValidateMsSqlConnectionCredentialsSchema } from "./mssql";
import { TMySqlConnection, TMySqlConnectionInput, TValidateMySqlConnectionCredentialsSchema } from "./mysql";
import {
@@ -295,6 +301,7 @@ export type TAppConnection = { id: string } & (
| TNorthflankConnection
| TOktaConnection
| TRedisConnection
| TMongoDBConnection
| TChefConnection
);
@@ -345,6 +352,7 @@ export type TAppConnectionInput = { id: string } & (
| TNorthflankConnectionInput
| TOktaConnectionInput
| TRedisConnectionInput
| TMongoDBConnectionInput
| TChefConnectionInput
);
@@ -413,6 +421,7 @@ export type TAppConnectionConfig =
| TNorthflankConnectionConfig
| TOktaConnectionConfig
| TRedisConnectionConfig
| TMongoDBConnectionConfig
| TChefConnectionConfig;
export type TValidateAppConnectionCredentialsSchema =
@@ -458,6 +467,7 @@ export type TValidateAppConnectionCredentialsSchema =
| TValidateNorthflankConnectionCredentialsSchema
| TValidateOktaConnectionCredentialsSchema
| TValidateRedisConnectionCredentialsSchema
| TValidateMongoDBConnectionCredentialsSchema
| TValidateChefConnectionCredentialsSchema;
export type TListAwsConnectionKmsKeys = {

4
backend/src/services/app-connection/mongodb/index.ts Normal file
View File

@@ -0,0 +1,4 @@
export * from "./mongodb-connection-enums";
export * from "./mongodb-connection-fns";
export * from "./mongodb-connection-schemas";
export * from "./mongodb-connection-types";

3
backend/src/services/app-connection/mongodb/mongodb-connection-enums.ts Normal file
View File

@@ -0,0 +1,3 @@
export enum MongoDBConnectionMethod {
UsernameAndPassword = "username-and-password"
}

123
backend/src/services/app-connection/mongodb/mongodb-connection-fns.ts Normal file
View File

@@ -0,0 +1,123 @@
import { MongoClient } from "mongodb";
import RE2 from "re2";
import { verifyHostInputValidity } from "@app/ee/services/dynamic-secret/dynamic-secret-fns";
import { BadRequestError } from "@app/lib/errors";
import { AppConnection } from "@app/services/app-connection/app-connection-enums";
import { MongoDBConnectionMethod } from "./mongodb-connection-enums";
import { TMongoDBConnectionConfig } from "./mongodb-connection-types";
export const getMongoDBConnectionListItem = () => {
return {
name: "MongoDB" as const,
app: AppConnection.MongoDB as const,
methods: Object.values(MongoDBConnectionMethod) as [MongoDBConnectionMethod.UsernameAndPassword],
supportsPlatformManagement: false as const
};
};
export type TMongoDBConnectionCredentials = {
host: string;
port?: number;
database: string;
username: string;
password: string;
tlsEnabled?: boolean;
tlsRejectUnauthorized?: boolean;
tlsCertificate?: string;
};
export type TCreateMongoClientOptions = {
authCredentials?: { username: string; password: string };
validateConnection?: boolean;
};
const DEFAULT_CONNECTION_TIMEOUT_MS = 10_000;
export const createMongoClient = async (
credentials: TMongoDBConnectionCredentials,
options?: TCreateMongoClientOptions
): Promise<MongoClient> => {
const srvRegex = new RE2("^mongodb\\+srv:\\/\\/");
const protocolRegex = new RE2("^mongodb:\\/\\/");
let normalizedHost = credentials.host.trim();
const isSrvFromHost = srvRegex.test(normalizedHost);
if (isSrvFromHost) {
normalizedHost = srvRegex.replace(normalizedHost, "");
} else if (protocolRegex.test(normalizedHost)) {
normalizedHost = protocolRegex.replace(normalizedHost, "");
}
const [hostIp] = await verifyHostInputValidity(normalizedHost);
const isSrv = !credentials.port || isSrvFromHost;
const uri = isSrv ? `mongodb+srv://${hostIp}` : `mongodb://${hostIp}:${credentials.port}`;
const authCredentials = options?.authCredentials ?? {
username: credentials.username,
password: credentials.password
};
const clientOptions: {
auth?: { username: string; password?: string };
authSource?: string;
tls?: boolean;
tlsInsecure?: boolean;
ca?: string;
directConnection?: boolean;
connectTimeoutMS?: number;
serverSelectionTimeoutMS?: number;
socketTimeoutMS?: number;
} = {
auth: {
username: authCredentials.username,
password: authCredentials.password
},
authSource: isSrv ? undefined : credentials.database,
directConnection: !isSrv,
connectTimeoutMS: DEFAULT_CONNECTION_TIMEOUT_MS,
serverSelectionTimeoutMS: DEFAULT_CONNECTION_TIMEOUT_MS,
socketTimeoutMS: DEFAULT_CONNECTION_TIMEOUT_MS
};
if (credentials.tlsEnabled) {
clientOptions.tls = true;
clientOptions.tlsInsecure = !credentials.tlsRejectUnauthorized;
if (credentials.tlsCertificate) {
clientOptions.ca = credentials.tlsCertificate;
}
}
const client = new MongoClient(uri, clientOptions);
if (options?.validateConnection) {
await client
.db(credentials.database)
.command({ ping: 1 })
.then(() => true);
}
return client;
};
export const validateMongoDBConnectionCredentials = async (config: TMongoDBConnectionConfig) => {
let client: MongoClient | null = null;
try {
client = await createMongoClient(config.credentials, { validateConnection: true });
if (client) await client.close();
return config.credentials;
} catch (err) {
if (err instanceof BadRequestError) {
throw err;
}
throw new BadRequestError({
message: `Unable to validate connection: ${(err as Error)?.message || "verify credentials"}`
});
} finally {
if (client) await client.close();
}
};

89
backend/src/services/app-connection/mongodb/mongodb-connection-schemas.ts Normal file
View File

@@ -0,0 +1,89 @@
import z from "zod";
import { AppConnections } from "@app/lib/api-docs";
import {
BaseAppConnectionSchema,
GenericCreateAppConnectionFieldsSchema,
GenericUpdateAppConnectionFieldsSchema
} from "@app/services/app-connection/app-connection-schemas";
import { AppConnection } from "../app-connection-enums";
import { MongoDBConnectionMethod } from "./mongodb-connection-enums";
export const BaseMongoDBUsernameAndPasswordConnectionSchema = z.object({
host: z.string().toLowerCase().min(1),
port: z.coerce.number(),
username: z.string().min(1),
password: z.string().min(1),
database: z.string().min(1).trim(),
tlsRejectUnauthorized: z.boolean(),
tlsEnabled: z.boolean(),
tlsCertificate: z
.string()
.trim()
.transform((value) => value || undefined)
.optional()
});
export const MongoDBConnectionAccessTokenCredentialsSchema = BaseMongoDBUsernameAndPasswordConnectionSchema;
const BaseMongoDBConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.MongoDB) });
export const MongoDBConnectionSchema = BaseMongoDBConnectionSchema.extend({
method: z.literal(MongoDBConnectionMethod.UsernameAndPassword),
credentials: MongoDBConnectionAccessTokenCredentialsSchema
});
export const SanitizedMongoDBConnectionSchema = z.discriminatedUnion("method", [
BaseMongoDBConnectionSchema.extend({
method: z.literal(MongoDBConnectionMethod.UsernameAndPassword),
credentials: MongoDBConnectionAccessTokenCredentialsSchema.pick({
host: true,
port: true,
username: true,
database: true,
tlsEnabled: true,
tlsRejectUnauthorized: true,
tlsCertificate: true
})
})
]);
export const ValidateMongoDBConnectionCredentialsSchema = z.discriminatedUnion("method", [
z.object({
method: z
.literal(MongoDBConnectionMethod.UsernameAndPassword)
.describe(AppConnections.CREATE(AppConnection.MongoDB).method),
credentials: MongoDBConnectionAccessTokenCredentialsSchema.describe(
AppConnections.CREATE(AppConnection.MongoDB).credentials
)
})
]);
export const CreateMongoDBConnectionSchema = ValidateMongoDBConnectionCredentialsSchema.and(
GenericCreateAppConnectionFieldsSchema(AppConnection.MongoDB, {
supportsPlatformManagedCredentials: false,
supportsGateways: false
})
);
export const UpdateMongoDBConnectionSchema = z
.object({
credentials: MongoDBConnectionAccessTokenCredentialsSchema.optional().describe(
AppConnections.UPDATE(AppConnection.MongoDB).credentials
)
})
.and(
GenericUpdateAppConnectionFieldsSchema(AppConnection.MongoDB, {
supportsPlatformManagedCredentials: false,
supportsGateways: false
})
);
export const MongoDBConnectionListItemSchema = z.object({
name: z.literal("MongoDB"),
app: z.literal(AppConnection.MongoDB),
methods: z.nativeEnum(MongoDBConnectionMethod).array(),
supportsPlatformManagement: z.literal(false)
});

22
backend/src/services/app-connection/mongodb/mongodb-connection-types.ts Normal file
View File

@@ -0,0 +1,22 @@
import z from "zod";
import { DiscriminativePick } from "@app/lib/types";
import { AppConnection } from "../app-connection-enums";
import {
CreateMongoDBConnectionSchema,
MongoDBConnectionSchema,
ValidateMongoDBConnectionCredentialsSchema
} from "./mongodb-connection-schemas";
export type TMongoDBConnection = z.infer<typeof MongoDBConnectionSchema>;
export type TMongoDBConnectionInput = z.infer<typeof CreateMongoDBConnectionSchema> & {
app: AppConnection.MongoDB;
};
export type TValidateMongoDBConnectionCredentialsSchema = typeof ValidateMongoDBConnectionCredentialsSchema;
export type TMongoDBConnectionConfig = DiscriminativePick<TMongoDBConnectionInput, "method" | "app" | "credentials"> & {
orgId: string;
};

27
docs/docs.json
View File

@@ -130,6 +130,7 @@
"integrations/app-connections/laravel-forge",
"integrations/app-connections/ldap",
"integrations/app-connections/mssql",
"integrations/app-connections/mongodb",
"integrations/app-connections/mysql",
"integrations/app-connections/netlify",
"integrations/app-connections/northflank",
@@ -444,6 +445,7 @@
"documentation/platform/secret-rotation/aws-iam-user-secret",
"documentation/platform/secret-rotation/azure-client-secret",
"documentation/platform/secret-rotation/ldap-password",
"documentation/platform/secret-rotation/mongodb-credentials",
"documentation/platform/secret-rotation/mssql-credentials",
"documentation/platform/secret-rotation/mysql-credentials",
"documentation/platform/secret-rotation/okta-client-secret",
@@ -1393,6 +1395,18 @@
"api-reference/endpoints/app-connections/mssql/delete"
]
},
{
"group": "MongoDB",
"pages": [
"api-reference/endpoints/app-connections/mongodb/list",
"api-reference/endpoints/app-connections/mongodb/available",
"api-reference/endpoints/app-connections/mongodb/get-by-id",
"api-reference/endpoints/app-connections/mongodb/get-by-name",
"api-reference/endpoints/app-connections/mongodb/create",
"api-reference/endpoints/app-connections/mongodb/update",
"api-reference/endpoints/app-connections/mongodb/delete"
]
},
{
"group": "MySQL",
"pages": [
@@ -1929,6 +1943,19 @@
"api-reference/endpoints/secret-rotations/mssql-credentials/update"
]
},
{
"group": "MongoDB Credentials",
"pages": [
"api-reference/endpoints/secret-rotations/mongodb-credentials/create",
"api-reference/endpoints/secret-rotations/mongodb-credentials/delete",
"api-reference/endpoints/secret-rotations/mongodb-credentials/get-by-id",
"api-reference/endpoints/secret-rotations/mongodb-credentials/get-by-name",
"api-reference/endpoints/secret-rotations/mongodb-credentials/get-generated-credentials-by-id",
"api-reference/endpoints/secret-rotations/mongodb-credentials/list",
"api-reference/endpoints/secret-rotations/mongodb-credentials/rotate-secrets",
"api-reference/endpoints/secret-rotations/mongodb-credentials/update"
]
},
{
"group": "MySQL Credentials",
"pages": [

177
docs/documentation/platform/secret-rotation/mongodb-credentials.mdx Normal file
View File

@@ -0,0 +1,177 @@
---
title: "MongoDB Credentials Rotation"
description: "Learn how to automatically rotate MongoDB credentials."
---
## Prerequisites
1. Create a [MongoDB Connection](/integrations/app-connections/mongodb) with the required **Secret Rotation** permissions
2. Create two designated database users for Infisical to rotate the credentials for. Be sure to grant each user login permissions for the desired database with the necessary privileges their use case will require.
An example creation statement might look like:
```bash
// Switch to the target database
use my_database
// Create first user
db.createUser({
user: "infisical_user_1",
pwd: "temporary_password",
roles: []
})
// Create second user
db.createUser({
user: "infisical_user_2",
pwd: "temporary_password",
roles: []
})
// Grant necessary permissions to both users
db.grantRolesToUser("infisical_user_1", [
{ role: "readWrite", db: "my_database" }
])
db.grantRolesToUser("infisical_user_2", [
{ role: "readWrite", db: "my_database" }
])
```
<Tip>
To learn more about MongoDB's permission system, please visit their [documentation](https://www.mongodb.com/docs/manual/core/security-built-in-roles/).
</Tip>
3. Ensure your network security policies allow incoming requests from Infisical to this rotation provider, if network restrictions apply.
## Create a MongoDB Credentials Rotation in Infisical
<Tabs>
<Tab title="Infisical UI">
1. Navigate to your Secret Manager Project's Dashboard and select **Add Secret Rotation** from the actions dropdown.
![Secret Manager Dashboard](/images/secret-rotations-v2/generic/add-secret-rotation.png)
2. Select the **MongoDB Credentials** option.
![Select MongoDB Credentials](/images/secret-rotations-v2/mongodb-credentials/select-mongodb-credentials-option.png)
3. Select the **MongoDB Connection** to use and configure the rotation behavior. Then click **Next**.
![Rotation Configuration](/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-configuration.png)
- **MongoDB Connection** - the connection that will perform the rotation of the configured database user credentials.
- **Rotation Interval** - the interval, in days, that once elapsed will trigger a rotation.
- **Rotate At** - the local time of day when rotation should occur once the interval has elapsed.
- **Auto-Rotation Enabled** - whether secrets should automatically be rotated once the rotation interval has elapsed. Disable this option to manually rotate secrets or pause secret rotation.
4. Input the usernames of the database users created above that will be used for rotation. Then click **Next**.
![Rotation Parameters](/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-parameters.png)
- **Database Username 1** - the username of the first user that will be used for rotation.
- **Database Username 2** - the username of the second user that will be used for rotation.
5. Specify the secret names that the active credentials should be mapped to. Then click **Next**.
![Rotation Secrets Mapping](/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-secrets-mapping.png)
- **Username** - the name of the secret that the active username will be mapped to.
- **Password** - the name of the secret that the active password will be mapped to.
6. Give your rotation a name and description (optional). Then click **Next**.
![Rotation Details](/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-details.png)
- **Name** - the name of the secret rotation configuration. Must be slug-friendly.
- **Description** (optional) - a description of this rotation configuration.
7. Review your configuration, then click **Create Secret Rotation**.
![Rotation Review](/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-confirm.png)
8. Your **MongoDB Credentials** are now available for use via the mapped secrets.
![Rotation Created](/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-created.png)
</Tab>
<Tab title="API">
To create a MongoDB Credentials Rotation, make an API request to the [Create MongoDB
Credentials Rotation](/api-reference/endpoints/secret-rotations/mongodb-credentials/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://us.infisical.com/api/v2/secret-rotations/mongodb-credentials \
--header 'Content-Type: application/json' \
--data '{
"name": "my-mongodb-rotation",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "my database credentials rotation",
"connectionId": "11c76f38-cd13-4137-b1a3-ecd6a429952c",
"environment": "dev",
"secretPath": "/",
"isAutoRotationEnabled": true,
"rotationInterval": 30,
"rotateAtUtc": {
"hours": 0,
"minutes": 0
},
"parameters": {
"username1": "infisical_user_1",
"username2": "infisical_user_2"
},
"secretsMapping": {
"username": "MONGODB_DB_USERNAME",
"password": "MONGODB_DB_PASSWORD"
}
}'
```
### Sample response
```bash Response
{
"secretRotation": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-mongodb-rotation",
"description": "my database credentials rotation",
"secretsMapping": {
"username": "MONGODB_DB_USERNAME",
"password": "MONGODB_DB_PASSWORD"
},
"isAutoRotationEnabled": true,
"activeIndex": 0,
"folderId": "b3257e1f-8d32-4e86-8bfd-b1f1bc1bf2c3",
"connectionId": "11c76f38-cd13-4137-b1a3-ecd6a429952c",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"rotationInterval": 30,
"rotationStatus": "success",
"lastRotationAttemptedAt": "2023-11-07T05:31:56Z",
"lastRotatedAt": "2023-11-07T05:31:56Z",
"lastRotationJobId": null,
"nextRotationAt": "2023-11-07T05:31:56Z",
"isLastRotationManual": true,
"connection": {
"app": "mongodb",
"name": "my-mongodb-connection",
"id": "11c76f38-cd13-4137-b1a3-ecd6a429952c"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "170a40f1-1b48-4cc7-addf-e563aa9fbe37"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"folder": {
"id": "b3257e1f-8d32-4e86-8bfd-b1f1bc1bf2c3",
"path": "/"
},
"rotateAtUtc": {
"hours": 0,
"minutes": 0
},
"lastRotationMessage": null,
"type": "mongodb-credentials",
"parameters": {
"username1": "infisical_user_1",
"username2": "infisical_user_2"
}
}
}
```
</Tab>
</Tabs>

BIN
docs/images/app-connections/general/add-connection.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 930 KiB

After

Width:  |  Height:  |  Size: 97 KiB

BIN
docs/images/app-connections/mongodb/mongodb-app-connection-form.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 132 KiB

BIN
docs/images/app-connections/mongodb/mongodb-app-connection-generated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

BIN
docs/images/app-connections/mongodb/mongodb-app-connection-option.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 161 KiB

BIN
docs/images/secret-rotations-v2/generic/add-secret-rotation.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.2 MiB

After

Width:  |  Height:  |  Size: 103 KiB

BIN
docs/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-configuration.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 132 KiB

BIN
docs/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-confirm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 132 KiB

BIN
docs/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-created.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB

BIN
docs/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-details.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 112 KiB

BIN
docs/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-parameters.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 161 KiB

BIN
docs/images/secret-rotations-v2/mongodb-credentials/mongodb-credentials-secrets-mapping.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 124 KiB

BIN
docs/images/secret-rotations-v2/mongodb-credentials/select-mongodb-credentials-option.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 142 KiB

141
docs/integrations/app-connections/mongodb.mdx Normal file
View File

@@ -0,0 +1,141 @@
---
title: "MongoDB Connection"
description: "Learn how to configure a MongoDB Connection for Infisical."
---
Infisical supports the use of Username & Password authentication to connect with MongoDB databases.
## Configure a MongoDB user for Infisical
<Steps>
<Step title="Create a MongoDB user">
Infisical recommends creating a designated user in your MongoDB database for your connection.
```bash
use [TARGET-DATABASE]
db.createUser({
user: "infisical_manager",
pwd: "[ENTER-YOUR-USER-PASSWORD]",
roles: []
})
```
</Step>
<Step title="Grant Relevant Permissions">
Depending on how you intend to use your MongoDB connection, you'll need to grant one or more of the following permissions.
<Tip>
To learn more about MongoDB's permission system, please visit their [documentation](https://www.mongodb.com/docs/manual/core/security-built-in-roles/).
</Tip>
<Tabs>
<Tab title="Secret Rotation">
For Secret Rotations, your Infisical user will require the ability to create, update, and delete users in the target database:
```bash
use [TARGET-DATABASE]
db.grantRolesToUser("infisical_manager", [
{ role: "userAdmin", db: "[TARGET-DATABASE]" }
])
```
<Note>
The `userAdmin` role allows managing users (create, update passwords, delete) within the specified database.
</Note>
</Tab>
</Tabs>
</Step>
</Steps>
## Create MongoDB Connection in Infisical
<Tabs>
<Tab title="Infisical UI">
<Steps>
<Step title="Navigate to App Connections">
In your Infisical dashboard, navigate to the **App Connections** page in the desired project.
![App Connections Tab](/images/app-connections/general/add-connection.png)
</Step>
<Step title="Select MongoDB Connection">
Click the **+ Add Connection** button and select the **MongoDB Connection** option from the available integrations.
![Select MongoDB Connection](/images/app-connections/mongodb/mongodb-app-connection-option.png)
</Step>
<Step title="Fill out the MongoDB Connection Modal">
Complete the MongoDB Connection form by entering:
- A descriptive name for the connection
- An optional description for future reference
- The MongoDB host URL for your database
- The MongoDB port for your database
- The MongoDB username for your database
- The MongoDB password for your database
- The MongoDB database name to connect to
You can optionally configure SSL/TLS for your MongoDB connection in the **SSL** section.
![MongoDB Connection Modal](/images/app-connections/mongodb/mongodb-app-connection-form.png)
</Step>
<Step title="Connection Created">
After clicking Create, your **MongoDB Connection** is established and ready to use with your Infisical project.
![MongoDB Connection Created](/images/app-connections/mongodb/mongodb-app-connection-generated.png)
</Step>
</Steps>
</Tab>
<Tab title="API">
To create a MongoDB Connection, make an API request to the [Create MongoDB Connection](/api-reference/endpoints/app-connections/mongodb/create) API endpoint.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/app-connections/mongodb \
--header 'Content-Type: application/json' \
--data '{
"name": "my-mongodb-connection",
"method": "username-and-password",
"projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
"credentials": {
"host": "[MONGODB HOST]",
"port": 27017,
"username": "[MONGODB USERNAME]",
"password": "[MONGODB PASSWORD]",
"database": "[MONGODB DATABASE]"
}
}'
```
### Sample response
```bash Response
{
"appConnection": {
"id": "e5d18aca-86f7-4026-a95e-efb8aeb0d8e6",
"name": "my-mongodb-connection",
"projectId": "7ffbb072-2575-495a-b5b0-127f88caef78",
"description": null,
"version": 1,
"orgId": "6f03caa1-a5de-43ce-b127-95a145d3464c",
"createdAt": "2025-04-23T19:46:34.831Z",
"updatedAt": "2025-04-23T19:46:34.831Z",
"isPlatformManagedCredentials": false,
"credentialsHash": "7c2d371dec195f82a6a0d5b41c970a229cfcaf88e894a5b6395e2dbd0280661f",
"app": "mongodb",
"method": "username-and-password",
"credentials": {
"host": "[MONGODB HOST]",
"port": 27017,
"username": "[MONGODB USERNAME]",
"database": "[MONGODB DATABASE]",
"sslEnabled": false,
"sslRejectUnauthorized": false,
"sslCertificate": ""
}
}
}
```
</Tab>
</Tabs>

7
docs/snippets/AppConnectionsBrowser.jsx
View File

@@ -362,6 +362,13 @@ export const AppConnectionsBrowser = () => {
"Learn how to connect your Northflank projects to pull secrets from Infisical.",
category: "Hosting",
},
{
name: "MongoDB",
slug: "mongodb",
path: "/integrations/app-connections/mongodb",
description: "Learn how to connect your MongoDB to pull secrets from Infisical.",
category: "Databases"
}
].sort(function (a, b) {
return a.name.toLowerCase().localeCompare(b.name.toLowerCase());
});

3
docs/snippets/RotationsBrowser.jsx
View File

@@ -16,7 +16,8 @@ export const RotationsBrowser = () => {
{"name": "PostgreSQL", "slug": "postgres-credentials", "path": "/documentation/platform/secret-rotation/postgres-credentials", "description": "Learn how to automatically rotate PostgreSQL database credentials.", "category": "Databases"},
{"name": "Redis", "slug": "redis-credentials", "path": "/documentation/platform/secret-rotation/redis-credentials", "description": "Learn how to automatically rotate Redis database credentials.", "category": "Databases"},
{"name": "Microsoft SQL Server", "slug": "mssql-credentials", "path": "/documentation/platform/secret-rotation/mssql-credentials", "description": "Learn how to automatically rotate Microsoft SQL Server credentials.", "category": "Databases"},
{"name": "Oracle Database", "slug": "oracledb-credentials", "path": "/documentation/platform/secret-rotation/oracledb-credentials", "description": "Learn how to automatically rotate Oracle Database credentials.", "category": "Databases"}
{"name": "Oracle Database", "slug": "oracledb-credentials", "path": "/documentation/platform/secret-rotation/oracledb-credentials", "description": "Learn how to automatically rotate Oracle Database credentials.", "category": "Databases"},
{"name": "MongoDB Credentials", "slug": "mongodb-credentials", "path": "/documentation/platform/secret-rotation/mongodb-credentials", "description": "Learn how to automatically rotate MongoDB credentials.", "category": "Databases"}
].sort(function(a, b) {
return a.name.toLowerCase().localeCompare(b.name.toLowerCase());
});

1
frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/ViewSecretRotationV2GeneratedCredentials.tsx
View File

@@ -67,6 +67,7 @@ const Content = ({ secretRotation }: ContentProps) => {
case SecretRotation.MySqlCredentials:
case SecretRotation.MsSqlCredentials:
case SecretRotation.OracleDBCredentials:
case SecretRotation.MongoDBCredentials:
Component = (
<ViewSqlCredentialsRotationGeneratedCredentials
generatedCredentialsResponse={generatedCredentialsResponse}

4
frontend/src/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/shared/ViewSqlCredentialsRotationGeneratedCredentials.tsx
View File

@@ -1,5 +1,6 @@
import { CredentialDisplay } from "@app/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/shared/CredentialDisplay";
import { ViewRotationGeneratedCredentialsDisplay } from "@app/components/secret-rotations-v2/ViewSecretRotationV2GeneratedCredentials/shared/ViewRotationGeneratedCredentialsDisplay";
import { TMongoDBCredentialsRotationGeneratedCredentialsResponse } from "@app/hooks/api/secretRotationsV2/types/mongodb-credentials-rotation";
import { TMsSqlCredentialsRotationGeneratedCredentialsResponse } from "@app/hooks/api/secretRotationsV2/types/mssql-credentials-rotation";
import { TMySqlCredentialsRotationGeneratedCredentialsResponse } from "@app/hooks/api/secretRotationsV2/types/mysql-credentials-rotation";
import { TOracleDBCredentialsRotationGeneratedCredentialsResponse } from "@app/hooks/api/secretRotationsV2/types/oracledb-credentials-rotation";
@@ -10,7 +11,8 @@ type Props = {
| TMsSqlCredentialsRotationGeneratedCredentialsResponse
| TMySqlCredentialsRotationGeneratedCredentialsResponse
| TOracleDBCredentialsRotationGeneratedCredentialsResponse
| TPostgresCredentialsRotationGeneratedCredentialsResponse;
| TPostgresCredentialsRotationGeneratedCredentialsResponse
| TMongoDBCredentialsRotationGeneratedCredentialsResponse;
};
export const ViewSqlCredentialsRotationGeneratedCredentials = ({

3
frontend/src/components/secret-rotations-v2/forms/SecretRotationV2ParametersFields/SecretRotationV2ParametersFields.tsx
View File

@@ -21,7 +21,8 @@ const COMPONENT_MAP: Record<SecretRotation, React.FC> = {
[SecretRotation.LdapPassword]: LdapPasswordRotationParametersFields,
[SecretRotation.AwsIamUserSecret]: AwsIamUserSecretRotationParametersFields,
[SecretRotation.OktaClientSecret]: OktaClientSecretRotationParametersFields,
[SecretRotation.RedisCredentials]: RedisCredentialsRotationParametersFields
[SecretRotation.RedisCredentials]: RedisCredentialsRotationParametersFields,
[SecretRotation.MongoDBCredentials]: SqlCredentialsRotationParametersFields
};
export const SecretRotationV2ParametersFields = () => {

3
frontend/src/components/secret-rotations-v2/forms/SecretRotationV2ReviewFields/SecretRotationReviewFields.tsx
View File

@@ -24,7 +24,8 @@ const COMPONENT_MAP: Record<SecretRotation, React.FC> = {
[SecretRotation.LdapPassword]: LdapPasswordRotationReviewFields,
[SecretRotation.AwsIamUserSecret]: AwsIamUserSecretRotationReviewFields,
[SecretRotation.OktaClientSecret]: OktaClientSecretRotationReviewFields,
[SecretRotation.RedisCredentials]: RedisCredentialsRotationReviewFields
[SecretRotation.RedisCredentials]: RedisCredentialsRotationReviewFields,
[SecretRotation.MongoDBCredentials]: SqlCredentialsRotationReviewFields
};
export const SecretRotationV2ReviewFields = () => {

3
frontend/src/components/secret-rotations-v2/forms/SecretRotationV2SecretsMappingFields/SecretRotationV2SecretsMappingFields.tsx
View File

@@ -21,7 +21,8 @@ const COMPONENT_MAP: Record<SecretRotation, React.FC> = {
[SecretRotation.LdapPassword]: LdapPasswordRotationSecretsMappingFields,
[SecretRotation.AwsIamUserSecret]: AwsIamUserSecretRotationSecretsMappingFields,
[SecretRotation.OktaClientSecret]: OktaClientSecretRotationSecretsMappingFields,
[SecretRotation.RedisCredentials]: RedisCredentialsRotationSecretsMappingFields
[SecretRotation.RedisCredentials]: RedisCredentialsRotationSecretsMappingFields,
[SecretRotation.MongoDBCredentials]: SqlCredentialsRotationSecretsMappingFields
};
export const SecretRotationV2SecretsMappingFields = () => {

4
frontend/src/components/secret-rotations-v2/forms/schemas/index.ts
View File

@@ -4,6 +4,7 @@ import { Auth0ClientSecretRotationSchema } from "@app/components/secret-rotation
import { AwsIamUserSecretRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/aws-iam-user-secret-rotation-schema";
import { AzureClientSecretRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/azure-client-secret-rotation-schema";
import { LdapPasswordRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/ldap-password-rotation-schema";
import { MongoDBCredentialsRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/mongodb-credentials-rotation-schema";
import { MsSqlCredentialsRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/mssql-credentials-rotation-schema";
import { MySqlCredentialsRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/mysql-credentials-rotation-schema";
import { PostgresCredentialsRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/postgres-credentials-rotation-schema";
@@ -27,7 +28,8 @@ export const SecretRotationV2FormSchema = (isUpdate: boolean) =>
LdapPasswordRotationSchema,
AwsIamUserSecretRotationSchema,
OktaClientSecretRotationSchema,
RedisCredentialsRotationSchema
RedisCredentialsRotationSchema,
MongoDBCredentialsRotationSchema
]),
z.object({ id: z.string().optional() })
)

12
frontend/src/components/secret-rotations-v2/forms/schemas/mongodb-credentials-rotation-schema.ts Normal file
View File

@@ -0,0 +1,12 @@
import { z } from "zod";
import { BaseSecretRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/base-secret-rotation-v2-schema";
import { SqlCredentialsRotationSchema } from "@app/components/secret-rotations-v2/forms/schemas/shared";
import { SecretRotation } from "@app/hooks/api/secretRotationsV2";
export const MongoDBCredentialsRotationSchema = z
.object({
type: z.literal(SecretRotation.MongoDBCredentials)
})
.merge(SqlCredentialsRotationSchema)
.merge(BaseSecretRotationSchema);

3
frontend/src/helpers/appConnections.ts
View File

@@ -31,6 +31,7 @@ import {
HCVaultConnectionMethod,
HumanitecConnectionMethod,
LdapConnectionMethod,
MongoDBConnectionMethod,
MsSqlConnectionMethod,
MySqlConnectionMethod,
OktaConnectionMethod,
@@ -129,6 +130,7 @@ export const APP_CONNECTION_MAP: Record<
[AppConnection.Northflank]: { name: "Northflank", image: "Northflank.png" },
[AppConnection.Okta]: { name: "Okta", image: "Okta.png" },
[AppConnection.Redis]: { name: "Redis", image: "Redis.png" },
[AppConnection.MongoDB]: { name: "MongoDB", image: "MongoDB.png" },
[AppConnection.LaravelForge]: {
name: "Laravel Forge",
image: "Laravel Forge.png",
@@ -181,6 +183,7 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
case OracleDBConnectionMethod.UsernameAndPassword:
case AzureADCSConnectionMethod.UsernamePassword:
case RedisConnectionMethod.UsernameAndPassword:
case MongoDBConnectionMethod.UsernameAndPassword:
return { name: "Username & Password", icon: faLock };
case HCVaultConnectionMethod.AccessToken:
case TeamCityConnectionMethod.AccessToken:

11
frontend/src/helpers/secretRotationsV2.ts
View File

@@ -54,6 +54,11 @@ export const SECRET_ROTATION_MAP: Record<
name: "Redis Credentials",
image: "Redis.png",
size: 50
},
[SecretRotation.MongoDBCredentials]: {
name: "MongoDB Credentials",
image: "MongoDB.png",
size: 50
}
};
@@ -67,7 +72,8 @@ export const SECRET_ROTATION_CONNECTION_MAP: Record<SecretRotation, AppConnectio
[SecretRotation.LdapPassword]: AppConnection.LDAP,
[SecretRotation.AwsIamUserSecret]: AppConnection.AWS,
[SecretRotation.OktaClientSecret]: AppConnection.Okta,
[SecretRotation.RedisCredentials]: AppConnection.Redis
[SecretRotation.RedisCredentials]: AppConnection.Redis,
[SecretRotation.MongoDBCredentials]: AppConnection.MongoDB
};
// if a rotation can potentially have downtime due to rotating a single credential set this to false
@@ -81,7 +87,8 @@ export const IS_ROTATION_DUAL_CREDENTIALS: Record<SecretRotation, boolean> = {
[SecretRotation.LdapPassword]: false,
[SecretRotation.AwsIamUserSecret]: true,
[SecretRotation.OktaClientSecret]: true,
[SecretRotation.RedisCredentials]: true
[SecretRotation.RedisCredentials]: true,
[SecretRotation.MongoDBCredentials]: true
};
export const getRotateAtLocal = ({ hours, minutes }: TSecretRotationV2["rotateAtUtc"]) => {

1
frontend/src/hooks/api/appConnections/enums.ts
View File

@@ -40,6 +40,7 @@ export enum AppConnection {
Northflank = "northflank",
Okta = "okta",
Redis = "redis",
MongoDB = "mongodb",
LaravelForge = "laravel-forge",
Chef = "chef"
}

7
frontend/src/hooks/api/appConnections/types/app-options.ts
View File

@@ -184,6 +184,10 @@ export type TRedisConnectionOption = TAppConnectionOptionBase & {
app: AppConnection.Redis;
};
export type TMongoDBConnectionOption = TAppConnectionOptionBase & {
app: AppConnection.MongoDB;
};
export type TDNSMadeEasyConnectionOption = TAppConnectionOptionBase & {
app: AppConnection.DNSMadeEasy;
};
@@ -229,6 +233,8 @@ export type TAppConnectionOption =
| TOktaConnectionOption
| TAzureAdCsConnectionOption
| TLaravelForgeConnectionOption
| TRedisConnectionOption
| TMongoDBConnectionOption
| TChefConnectionOption
| TDNSMadeEasyConnectionOption;
@@ -274,6 +280,7 @@ export type TAppConnectionOptionMap = {
[AppConnection.Okta]: TOktaConnectionOption;
[AppConnection.AzureADCS]: TAzureAdCsConnectionOption;
[AppConnection.Redis]: TRedisConnectionOption;
[AppConnection.MongoDB]: TMongoDBConnectionOption;
[AppConnection.LaravelForge]: TLaravelForgeConnectionOption;
[AppConnection.Chef]: TChefConnectionOption;
};

3
frontend/src/hooks/api/appConnections/types/index.ts
View File

@@ -26,6 +26,7 @@ import { THerokuConnection } from "./heroku-connection";
import { THumanitecConnection } from "./humanitec-connection";
import { TLaravelForgeConnection } from "./laravel-forge-connection";
import { TLdapConnection } from "./ldap-connection";
import { TMongoDBConnection } from "./mongodb-connection";
import { TMsSqlConnection } from "./mssql-connection";
import { TMySqlConnection } from "./mysql-connection";
import { TNetlifyConnection } from "./netlify-connection";
@@ -69,6 +70,7 @@ export * from "./heroku-connection";
export * from "./humanitec-connection";
export * from "./laravel-forge-connection";
export * from "./ldap-connection";
export * from "./mongodb-connection";
export * from "./mssql-connection";
export * from "./mysql-connection";
export * from "./netlify-connection";
@@ -129,6 +131,7 @@ export type TAppConnection =
| TNorthflankConnection
| TOktaConnection
| TRedisConnection
| TMongoDBConnection
| TChefConnection
| TDNSMadeEasyConnection;

22
frontend/src/hooks/api/appConnections/types/mongodb-connection.ts Normal file
View File

@@ -0,0 +1,22 @@
import { AppConnection } from "@app/hooks/api/appConnections/enums";
import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
export enum MongoDBConnectionMethod {
UsernameAndPassword = "username-and-password"
}
export type TMongoDBConnectionCredentials = {
host: string;
port: number;
username: string;
password: string;
database: string;
tlsEnabled: boolean;
tlsRejectUnauthorized: boolean;
tlsCertificate?: string;
};
export type TMongoDBConnection = TRootAppConnection & { app: AppConnection.MongoDB } & {
method: MongoDBConnectionMethod.UsernameAndPassword;
credentials: TMongoDBConnectionCredentials;
};

3
frontend/src/hooks/api/secretRotationsV2/enums.ts
View File

@@ -8,7 +8,8 @@ export enum SecretRotation {
LdapPassword = "ldap-password",
AwsIamUserSecret = "aws-iam-user-secret",
OktaClientSecret = "okta-client-secret",
RedisCredentials = "redis-credentials"
RedisCredentials = "redis-credentials",
MongoDBCredentials = "mongodb-credentials"
}
export enum SecretRotationStatus {

14
frontend/src/hooks/api/secretRotationsV2/types/index.ts
View File

@@ -31,6 +31,11 @@ import { TSqlCredentialsRotationOption } from "@app/hooks/api/secretRotationsV2/
import { SecretV3RawSanitized } from "@app/hooks/api/secrets/types";
import { DiscriminativePick } from "@app/types";
import {
TMongoDBCredentialsRotation,
TMongoDBCredentialsRotationGeneratedCredentialsResponse,
TMongoDBCredentialsRotationOption
} from "./mongodb-credentials-rotation";
import {
TMySqlCredentialsRotation,
TMySqlCredentialsRotationGeneratedCredentialsResponse
@@ -61,6 +66,7 @@ export type TSecretRotationV2 = (
| TAwsIamUserSecretRotation
| TOktaClientSecretRotation
| TRedisCredentialsRotation
| TMongoDBCredentialsRotation
) & {
secrets: (SecretV3RawSanitized | null)[];
};
@@ -72,7 +78,8 @@ export type TSecretRotationV2Option =
| TLdapPasswordRotationOption
| TAwsIamUserSecretRotationOption
| TOktaClientSecretRotationOption
| TRedisCredentialsRotationOption;
| TRedisCredentialsRotationOption
| TMongoDBCredentialsRotationOption;
export type TListSecretRotationV2Options = { secretRotationOptions: TSecretRotationV2Option[] };
@@ -88,7 +95,8 @@ export type TViewSecretRotationGeneratedCredentialsResponse =
| TLdapPasswordRotationGeneratedCredentialsResponse
| TAwsIamUserSecretRotationGeneratedCredentialsResponse
| TOktaClientSecretRotationGeneratedCredentialsResponse
| TRedisCredentialsRotationGeneratedCredentialsResponse;
| TRedisCredentialsRotationGeneratedCredentialsResponse
| TMongoDBCredentialsRotationGeneratedCredentialsResponse;
export type TCreateSecretRotationV2DTO = DiscriminativePick<
TSecretRotationV2,
@@ -142,6 +150,7 @@ export type TSecretRotationOptionMap = {
[SecretRotation.AwsIamUserSecret]: TAwsIamUserSecretRotationOption;
[SecretRotation.OktaClientSecret]: TOktaClientSecretRotationOption;
[SecretRotation.RedisCredentials]: TRedisCredentialsRotationOption;
[SecretRotation.MongoDBCredentials]: TMongoDBCredentialsRotationOption;
};
export type TSecretRotationGeneratedCredentialsResponseMap = {
@@ -155,4 +164,5 @@ export type TSecretRotationGeneratedCredentialsResponseMap = {
[SecretRotation.AwsIamUserSecret]: TAwsIamUserSecretRotationGeneratedCredentialsResponse;
[SecretRotation.OktaClientSecret]: TOktaClientSecretRotationGeneratedCredentialsResponse;
[SecretRotation.RedisCredentials]: TRedisCredentialsRotationGeneratedCredentialsResponse;
[SecretRotation.MongoDBCredentials]: TMongoDBCredentialsRotationGeneratedCredentialsResponse;
};

28
frontend/src/hooks/api/secretRotationsV2/types/mongodb-credentials-rotation.ts Normal file
View File

@@ -0,0 +1,28 @@
import { AppConnection } from "@app/hooks/api/appConnections/enums";
import { SecretRotation } from "@app/hooks/api/secretRotationsV2";
import {
TSecretRotationV2Base,
TSecretRotationV2GeneratedCredentialsResponseBase,
TSqlCredentialsRotationGeneratedCredentials,
TSqlCredentialsRotationProperties
} from "@app/hooks/api/secretRotationsV2/types/shared";
export type TMongoDBCredentialsRotation = TSecretRotationV2Base & {
type: SecretRotation.MongoDBCredentials;
} & TSqlCredentialsRotationProperties;
export type TMongoDBCredentialsRotationGeneratedCredentialsResponse =
TSecretRotationV2GeneratedCredentialsResponseBase<
SecretRotation.MongoDBCredentials,
TSqlCredentialsRotationGeneratedCredentials
>;
export type TMongoDBCredentialsRotationOption = {
name: string;
type: SecretRotation.MongoDBCredentials;
connection: AppConnection.MongoDB;
template: {
createUserStatement: string;
secretsMapping: TMongoDBCredentialsRotation["secretsMapping"];
};
};

5
frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AppConnectionForm.tsx
View File

@@ -35,6 +35,7 @@ import { HerokuConnectionForm } from "./HerokuAppConnectionForm";
import { HumanitecConnectionForm } from "./HumanitecConnectionForm";
import { LaravelForgeConnectionForm } from "./LaravelForgeConnectionForm";
import { LdapConnectionForm } from "./LdapConnectionForm";
import { MongoDBConnectionForm } from "./MongoDBConnectionForm";
import { MsSqlConnectionForm } from "./MsSqlConnectionForm";
import { MySqlConnectionForm } from "./MySqlConnectionForm";
import { NetlifyConnectionForm } from "./NetlifyConnectionForm";
@@ -173,6 +174,8 @@ const CreateForm = ({ app, onComplete, projectId }: CreateFormProps) => {
return <OktaConnectionForm onSubmit={onSubmit} />;
case AppConnection.Redis:
return <RedisConnectionForm onSubmit={onSubmit} />;
case AppConnection.MongoDB:
return <MongoDBConnectionForm onSubmit={onSubmit} />;
default:
throw new Error(`Unhandled App ${app}`);
}
@@ -331,6 +334,8 @@ const UpdateForm = ({ appConnection, onComplete }: UpdateFormProps) => {
return <OktaConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
case AppConnection.Redis:
return <RedisConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
case AppConnection.MongoDB:
return <MongoDBConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
default:
throw new Error(`Unhandled App ${(appConnection as TAppConnection).app}`);
}

326
frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/MongoDBConnectionForm.tsx Normal file
View File

@@ -0,0 +1,326 @@
import { useState } from "react";
import { Controller, FormProvider, useForm } from "react-hook-form";
import { faQuestionCircle } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
import { Tab } from "@headlessui/react";
import { zodResolver } from "@hookform/resolvers/zod";
import { z } from "zod";
import {
Button,
FormControl,
Input,
ModalClose,
SecretInput,
Select,
SelectItem,
Switch,
TextArea,
Tooltip
} from "@app/components/v2";
import { APP_CONNECTION_MAP, getAppConnectionMethodDetails } from "@app/helpers/appConnections";
import { MongoDBConnectionMethod, TMongoDBConnection } from "@app/hooks/api/appConnections";
import { AppConnection } from "@app/hooks/api/appConnections/enums";
import {
genericAppConnectionFieldsSchema,
GenericAppConnectionsFields
} from "./GenericAppConnectionFields";
type Props = {
appConnection?: TMongoDBConnection;
onSubmit: (formData: FormData) => Promise<void>;
};
const rootSchema = genericAppConnectionFieldsSchema.extend({
app: z.literal(AppConnection.MongoDB)
});
const formSchema = z.discriminatedUnion("method", [
rootSchema.extend({
method: z.literal(MongoDBConnectionMethod.UsernameAndPassword),
credentials: z.object({
host: z.string().trim().min(1, "Host required"),
port: z.coerce.number().default(27017),
username: z.string().trim().min(1, "Username required"),
password: z.string().trim().min(1, "Password required"),
database: z.string().trim().min(1, "Database required"),
tlsEnabled: z.boolean().default(false),
tlsRejectUnauthorized: z.boolean().default(true),
tlsCertificate: z
.string()
.trim()
.transform((value) => value || undefined)
.optional()
})
})
]);
type FormData = z.infer<typeof formSchema>;
export const MongoDBConnectionForm = ({ appConnection, onSubmit }: Props) => {
const isUpdate = Boolean(appConnection);
const [selectedTabIndex, setSelectedTabIndex] = useState(0);
const form = useForm<FormData>({
resolver: zodResolver(formSchema),
defaultValues: appConnection ?? {
app: AppConnection.MongoDB,
method: MongoDBConnectionMethod.UsernameAndPassword,
credentials: {
host: "",
port: 27017,
username: "",
password: "",
database: "",
tlsEnabled: false,
tlsRejectUnauthorized: true,
tlsCertificate: undefined
}
}
});
const {
handleSubmit,
watch,
control,
formState: { isSubmitting, isDirty }
} = form;
const tlsEnabled = watch("credentials.tlsEnabled");
return (
<FormProvider {...form}>
<form onSubmit={handleSubmit(onSubmit)}>
{!isUpdate && <GenericAppConnectionsFields />}
<Controller
name="method"
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
tooltipText={`The method you would like to use to connect with ${
APP_CONNECTION_MAP[AppConnection.MongoDB].name
}. This field cannot be changed after creation.`}
errorText={error?.message}
isError={Boolean(error?.message)}
label="Method"
>
<Select
isDisabled={isUpdate}
value={value}
onValueChange={(val) => onChange(val)}
className="w-full border border-mineshaft-500"
position="popper"
dropdownContainerClassName="max-w-none"
>
{Object.values(MongoDBConnectionMethod).map((method) => {
return (
<SelectItem value={method} key={method}>
{getAppConnectionMethodDetails(method).name}{" "}
</SelectItem>
);
})}
</Select>
</FormControl>
)}
/>
<Tab.Group selectedIndex={selectedTabIndex} onChange={setSelectedTabIndex}>
<Tab.List className="-pb-1 mb-6 w-full border-b-2 border-mineshaft-600">
<Tab
className={({ selected }) =>
`-mb-[0.14rem] px-4 py-2 text-sm font-medium whitespace-nowrap outline-hidden disabled:opacity-60 ${
selected
? "border-b-2 border-mineshaft-300 text-mineshaft-200"
: "text-bunker-300"
}`
}
>
Configuration
</Tab>
<Tab
className={({ selected }) =>
`-mb-[0.14rem] px-4 py-2 text-sm font-medium whitespace-nowrap outline-hidden disabled:opacity-60 ${
selected
? "border-b-2 border-mineshaft-300 text-mineshaft-200"
: "text-bunker-300"
}`
}
>
TLS ({tlsEnabled ? "Enabled" : "Disabled"})
</Tab>
</Tab.List>
<Tab.Panels className="mb-4 rounded-sm border border-mineshaft-600 bg-mineshaft-700/70 p-3 pb-0">
<Tab.Panel>
<div className="mt-[0.675rem] flex items-start gap-2">
<Controller
name="credentials.host"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
className="flex-1"
errorText={error?.message}
isError={Boolean(error?.message)}
label="Host"
>
<Input {...field} />
</FormControl>
)}
/>
<Controller
name="credentials.database"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
className="flex-1"
errorText={error?.message}
isError={Boolean(error?.message)}
label="Database"
>
<Input {...field} />
</FormControl>
)}
/>
<Controller
name="credentials.port"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
className="w-28"
errorText={error?.message}
isError={Boolean(error?.message)}
label="Port"
>
<Input type="number" {...field} />
</FormControl>
)}
/>
</div>
<div className="mb-[0.675rem] flex items-start gap-2">
<Controller
name="credentials.username"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
errorText={error?.message}
isError={Boolean(error?.message)}
label="Username"
className="flex-1"
>
<Input {...field} />
</FormControl>
)}
/>
<Controller
name="credentials.password"
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
errorText={error?.message}
isError={Boolean(error?.message)}
label="Password"
className="flex-1"
>
<SecretInput
containerClassName="text-gray-400 w-full group-focus-within:border-primary-400/50! border border-mineshaft-500 bg-mineshaft-900 px-2.5 py-1.5"
value={value}
onChange={(e) => onChange(e.target.value)}
/>
</FormControl>
)}
/>
</div>
</Tab.Panel>
<Tab.Panel>
<Controller
name="credentials.tlsEnabled"
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl isError={Boolean(error?.message)} errorText={error?.message}>
<Switch
className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
id="tls-enabled"
thumbClassName="bg-mineshaft-800"
isChecked={value}
onCheckedChange={onChange}
>
Enable TLS
</Switch>
</FormControl>
)}
/>
<Controller
name="credentials.tlsCertificate"
control={control}
render={({ field, fieldState: { error } }) => (
<FormControl
errorText={error?.message}
isError={Boolean(error?.message)}
className={tlsEnabled ? "" : "opacity-50"}
label="TLS Certificate"
isOptional
>
<TextArea className="h-14 resize-none!" {...field} isDisabled={!tlsEnabled} />
</FormControl>
)}
/>
<Controller
name="credentials.tlsRejectUnauthorized"
control={control}
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl
className={tlsEnabled ? "" : "opacity-50"}
isError={Boolean(error?.message)}
errorText={error?.message}
>
<Switch
className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
id="tls-reject-unauthorized"
thumbClassName="bg-mineshaft-800"
isChecked={tlsEnabled ? value : false}
onCheckedChange={onChange}
isDisabled={!tlsEnabled}
>
<p className="w-38">
Reject Unauthorized
<Tooltip
className="max-w-md"
content={
<p>
If enabled, Infisical will only connect to the server if it has a
valid, trusted TLS certificate.
</p>
}
>
<FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
</Tooltip>
</p>
</Switch>
</FormControl>
)}
/>
</Tab.Panel>
</Tab.Panels>
</Tab.Group>
<div className="mt-6 flex items-center">
<Button
className="mr-4"
size="sm"
type="submit"
colorSchema="secondary"
isLoading={isSubmitting}
isDisabled={isSubmitting || !isDirty}
>
{isUpdate ? "Update Credentials" : "Connect to Database"}
</Button>
<ModalClose asChild>
<Button colorSchema="secondary" variant="plain">
Cancel
</Button>
</ModalClose>
</div>
</form>
</FormProvider>
);
};