MongoDB Policies

These methods exist on the policy.mongo object as seen in the following example:

const MONGO = 'mongodb://mongo-01.example.org:27017/databaseName';
const collection = 'users';
(policy) => {
  policy.mongo.allowConnect(MONGO);
  policy.mongo.allowReadDocument(MONGO, collection);
}

intrinsic.virtualizeLib('mongodb')

Note that to enable MongoDB we need to first call .virtualizeLib('mongodb'):

// Intrinsic for Lambda
module.exports = new IntrinsicLambda()
  .virtualizeLib('mongodb')
  // ...
  .run();

// Intrinsic for Node.js
intrinsic(__filename)
  .virtualizeLib('mongodb')
  // ...
  .run();

Calling this method allows your application to load the mongodb module and enable our policies for that module. Otherwise, the connection would be treated as an ordinary TCP connection without any inspection of the data being sent.

You will need to call this if you see the following error, or whenever you want MongoDB connections to be established from your Node.js application:

POLICY_VIOLATION sb: "/-[[GET]]"
  | tcp://mongo-01.example.org:27017 not in outbound net whitelist

policy.mongo.allowConnect(connection)

The allowConnect() method allows your application to make a connection to a MongoDB instance as described by the connection string. This string needs to contain the hostname and a database, as well as a port if it differs from the default 27017 value.

const connection = 'mongodb://mongo-01.example.org:27017/databaseName';
// ...
(policy) => {
  policy.mongo.allowConnect(connection);
}

Chances are your application will establish a connection when it first runs, not when an incoming request is made. For this reason it is most common to call the allowConnect() method from within the allRoutes policy.

This policy is required if you see the following violation:

[INTRINSIC (MONITOR)] MongoPolicyViolationError: POLICY_VIOLATION sb: "fallback"
  | mongo access violation: Unauthorized MongoDB host or database connection:
  localhost:27017/databaseName

Note: allowConnect() is implied by every other allow* method so it's usually not beneficial to add this policy to a specific route.

policy.mongo.allowReadDocument(conn, col)

The allowReadDocument() method allows your application to read documents in the collection named by the col string on the conn connection.

const connection = 'mongodb://mongo-01.example.org:27017/database';
const collection = 'users';
// ...
(policy) => {
  policy.mongo.allowReadDocument(connection, collection);
}

This policy is required if you see the following violation:

POLICY_VIOLATION sb: "/-[[GET]]"
  | mongo access violation: Invalid mongo document operation on "users": read fields

policy.mongo.allowInsertDocument(conn, col)

The allowInsertDocument() method allows your application to insert documents into the collection named by the col string on the conn connection.

const connection = 'mongodb://mongo-01.example.org:27017/database';
const collection = 'users';
// ...
(policy) => {
  policy.mongo.allowInsertDocument(connection, collection);
}

This policy is required if you see the following violation:

POLICY_VIOLATION sb: "/-[[GET]]"
  | mongo access violation: Invalid mongo document operation on "users": insert document

policy.mongo.allowUpdateDocument(conn, col)

The allowUpdateDocument() method allows your application to update documents in the collection named by the col string on the conn connection.

const connection = 'mongodb://mongo-01.example.org:27017/database';
const collection = 'users';
// ...
(policy) => {
  policy.mongo.allowUpdateDocument(connection, collection);
}

This policy is required if you see the following violation:

POLICY_VIOLATION sb: "/-[[GET]]"
  | mongo access violation: Invalid mongo document operation on "users": write fields

policy.mongo.allowDeleteDocument(conn, col)

The allowDeleteDocument() method allows your application to delete documents from the collection named by the col string on the conn connection.

const connection = 'mongodb://mongo-01.example.org:27017/database';
const collection = 'users';
// ...
(policy) => {
  policy.mongo.allowDeleteDocument(connection, collection);
}

This policy is required if you see the following violation:

POLICY_VIOLATION sb: "/-[[GET]]"
  | mongo access violation: Invalid mongo document operation on "users": delete document
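The following is an added example, not Intrinsic's code, that models the grant semantics described in the allowConnect() section and the four document-operation sections above: a connection string is normalized to host, port (defaulting to 27017) and database; each allow*Document() call implies allowConnect(); and an operation that has no matching grant produces the violation text shown on this page. The createMongoPolicy(), normalizeConnection(), checkConnect() and checkOperation() names are assumptions for this model and do not exist in the real library.

```javascript
// Constructed model of the policy semantics on this page. It is not
// Intrinsic's implementation; it only shows how a grant table built from
// allow* calls is consulted when the app connects or touches a collection.
const DEFAULT_MONGO_PORT = 27017;

// Normalize a connection string to "host:port/database" so that
// 'mongodb://h/db' and 'mongodb://h:27017/db' describe the same grant.
function normalizeConnection(connection) {
  const url = new URL(connection);
  if (url.protocol !== 'mongodb:') {
    throw new Error(`unsupported scheme in ${connection}`);
  }
  const database = url.pathname.replace(/^\//, '');
  if (!url.hostname || !database) {
    throw new Error(`connection string must contain a host and a database: ${connection}`);
  }
  const port = url.port ? Number(url.port) : DEFAULT_MONGO_PORT;
  return `${url.hostname}:${port}/${database}`;
}

// Map from the allow* method names on this page to the operation label that
// appears in the corresponding violation message.
const OPERATIONS = {
  allowReadDocument: 'read fields',
  allowInsertDocument: 'insert document',
  allowUpdateDocument: 'write fields',
  allowDeleteDocument: 'delete document',
};

// Builds a policy.mongo-like object that records grants. Each document grant
// also records a connect grant, as the note under allowConnect() states.
function createMongoPolicy() {
  const connections = new Set(); // "host:port/db"
  const grants = new Set();      // "host:port/db|collection|operation"
  const mongo = {
    allowConnect(connection) {
      connections.add(normalizeConnection(connection));
      return mongo;
    },
  };
  for (const [method, operation] of Object.entries(OPERATIONS)) {
    mongo[method] = (connection, collection) => {
      const target = normalizeConnection(connection);
      connections.add(target); // implied allowConnect()
      grants.add(`${target}|${collection}|${operation}`);
      return mongo;
    };
  }
  return {
    mongo,
    // Returns null when the connection is allowed, otherwise the violation text.
    checkConnect(connection) {
      const target = normalizeConnection(connection);
      return connections.has(target)
        ? null
        : `mongo access violation: Unauthorized MongoDB host or database connection: ${target}`;
    },
    // Connection is checked first, then the per-collection operation grant.
    checkOperation(connection, collection, operation) {
      const connectError = this.checkConnect(connection);
      if (connectError) return connectError;
      const key = `${normalizeConnection(connection)}|${collection}|${operation}`;
      return grants.has(key)
        ? null
        : `mongo access violation: Invalid mongo document operation on "${collection}": ${operation}`;
    },
  };
}

// Usage: a policy that may only read from `users` on one host. The single
// allowReadDocument() call is enough to permit the connection, but a delete
// on the same collection and a connection to a different host are refused.
function demo() {
  const policy = createMongoPolicy();
  policy.mongo.allowReadDocument('mongodb://mongo-01.example.org/databaseName', 'users');
  const conn = 'mongodb://mongo-01.example.org:27017/databaseName';
  return {
    connect: policy.checkConnect(conn),
    read: policy.checkOperation(conn, 'users', 'read fields'),
    del: policy.checkOperation(conn, 'users', 'delete document'),
    otherHost: policy.checkConnect('mongodb://localhost:27017/databaseName'),
  };
}

console.log(demo());
```

The model makes the least-privilege shape of the API visible: the grant key is the full host/port/database plus collection plus operation, so a read grant on `users` says nothing about deletes on `users` or about any other database, and the first check that fails is the one whose violation message you will see in the monitor output.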