## Setup

[![Lab Documentation and Solutions](https://img.shields.io/badge/Setup%20Instructions-darkgreen)](https://mongodb-developer.github.io/security-basics-lab/docs/setup)

### 1. Install the Atlas CLI in the notebook environment

In [1]:
# Install the Atlas CLI

!wget https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_1.46.3_linux_x86_64.deb
!sudo dpkg -i mongodb-atlas-cli_1.46.3_linux_x86_64.deb

!atlas --version

# silence warnings about updates
!atlas config set skip_update_check true

--2025-09-17 19:43:29--  https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_1.46.3_linux_x86_64.deb
Resolving fastdl.mongodb.org (fastdl.mongodb.org)... 18.154.101.124, 18.154.101.57, 18.154.101.72, ...
Connecting to fastdl.mongodb.org (fastdl.mongodb.org)|18.154.101.124|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15677562 (15M) [application/x-gzip]
Saving to: ‘mongodb-atlas-cli_1.46.3_linux_x86_64.deb’


2025-09-17 19:43:29 (111 MB/s) - ‘mongodb-atlas-cli_1.46.3_linux_x86_64.deb’ saved [15677562/15677562]

Selecting previously unselected package mongodb-atlas-cli.
(Reading database ... 126435 files and directories currently installed.)
Preparing to unpack mongodb-atlas-cli_1.46.3_linux_x86_64.deb ...
Unpacking mongodb-atlas-cli (1.46.3) ...
Setting up mongodb-atlas-cli (1.46.3) ...
atlascli version: 1.46.3
git version: 6975ed91e49a4d16c5b6bd845cb81dbdb9d8a828
Go version: go1.24.6
   os: linux
   arch: amd64
   compiler: gc
Updated property 'skip_update

### 2. Authenticate the CLI against your Atlas organization

`atlas auth login` typically enters interactive mode.
We are piping a new line character so that it selects a default organization for you.

In [2]:
# log out just in case we need to troubleshoot the login process / want to switch Atlas accounts
!atlas auth logout --force

# Authenticate with Atlas CLI
!echo -e "\n" | atlas auth login --noBrowser

Error: not logged in with an Atlas account or API key

To verify your account, copy your one-time verification code:
XDD3-7WPK

Paste the code in the browser when prompted to activate your Atlas CLI. Your code will expire after 3 minutes.

To continue, go to https://account.mongodb.com/account/connect
Successfully logged in as michael@ualett.com.
[KSelect one default organization and one default project.
7[?25l8[0G[2K[0;1;92m? [0m[0;1;99mChoose a default organization:[0m  [0;36m[Use arrows to move, type to filter][0m
[0;1;36m> 5eb415563809d65b198b495f - [0;36mCabicash Solutions, Inc[0m
[0;39m  68cb0ec10948dd2ea05d505b - [0;36mMichaelAll[0m
7[1A[0G[1A[0G8[?25h8[0G[2K[1A[0G[2K[1A[0G[2K[1A[0G[2K[0;1;92m? [0m[0;1;99mChoose a default organization:[0m[0;36m 5eb415563809d65b198b495f[0m
[K7[?25l8[0G[2K[0;1;92m? [0m[0;1;99mChoose a default project:[0m  [0;36m[Use arrows to move, type to filter][0m
[0;1;36m> 5efb17f345505271a0b0073f - [0;3

#### 2.1 Get the Organization ID (run this for accounts with just one organization)

In [3]:
# show all organizations in the account
!atlas organization list

ID                         NAME
5eb415563809d65b198b495f   Cabicash Solutions, Inc
68cb0ec10948dd2ea05d505b   MichaelAll


### 3. Create a new project called \"MySecureProj\"

Replace `<ORGANIZATION_ID>` with the Organization ID from the previous step.

In [5]:
# Retain the quotes ("") when pasting the Organization ID
org_id = "68cb0ec10948dd2ea05d505b"
!atlas projects create MySecureProj --orgId {org_id}

Project '68cb0fddb580b71efb8e6780' created.


### 4. Create your challenge cluster

Replace `<PROJECT_ID>` with the ID of the "MySecureProj" organization from the previous step.

In [8]:
# Retain the quotes ("") when pasting the Project ID
project_id = "68cb0fddb580b71efb8e6780"
# You may select a region closer to you instead of "US_EAST_1"
!atlas clusters create MyNewCluster --provider AWS --region US_EAST_1 --tier M0 --projectId {project_id}

Cluster 'MyNewCluster' is being created.


## Network Challenge

[![Lab Documentation and Solutions](https://img.shields.io/badge/Network%20Challenge-darkgreen)](https://mongodb-developer.github.io/security-basics-lab/docs/challenge/network)

### 5. Allow your current IP address to access the Atlas project temporarily

Refer to the documentation: [atlas accessLists](https://www.mongodb.com/docs/atlas/cli/current/command/atlas-accessLists-create/).

In [16]:
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo  # Python 3.9+

# Calculate the date and time 24 hours from now
delete_after = (datetime.now(ZoneInfo('UTC')) + timedelta(hours=24)).isoformat()

!atlas accessLists create --currentIp --projectId {project_id} --deleteAfter {delete_after}

Created a new IP access list.


### 6. Check that the IP address was added succesfully

In [17]:
!atlas accessLists list --output json --projectId {project_id}

{
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas/v2/groups/68cb0fddb580b71efb8e6780/accessList?includeCount=true\u0026pageNum=1\u0026itemsPerPage=100",
      "rel": "self"
    }
  ],
  "results": [
    {
      "cidrBlock": "34.106.100.100/32",
      "comment": "",
      "deleteAfterDate": "2025-09-18T20:00:34Z",
      "groupId": "68cb0fddb580b71efb8e6780",
      "ipAddress": "34.106.100.100",
      "links": [
        {
          "href": "https://cloud.mongodb.com/api/atlas/v2/groups/68cb0fddb580b71efb8e6780/accessList/34.106.100.100%2F32",
          "rel": "self"
        }
      ]
    }
  ],
  "totalCount": 1
}


## Authentication Challenge

[![Lab Documentation and Solutions](https://img.shields.io/badge/Authentication%20Challenge-darkgreen)](https://mongodb-developer.github.io/security-basics-lab/docs/challenge/authentication)

### 7. Create a SCRAM user

Assign the `readWriteAnyDatabase` role to the user.
Use username and password authentication.

Refer to the documentation: [atlas dbusers](https://www.mongodb.com/docs/atlas/cli/current/command/atlas-dbusers-create/).

In [18]:
username = "myUser"
password = "mySecurePassword"

!atlas dbusers create --username {username} --password {password} --role readWriteAnyDatabase --projectId {project_id}

Database user 'myUser' successfully created.


### 8. Authenticate the SCRAM user

In [19]:
!pip install pymongo dnspython

Collecting pymongo
  Downloading pymongo-4.15.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (22 kB)
Collecting dnspython
  Downloading dnspython-2.8.0-py3-none-any.whl.metadata (5.7 kB)
Downloading pymongo-4.15.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.7 MB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m1.7/1.7 MB[0m [31m19.2 MB/s[0m eta [36m0:00:00[0m
[?25hDownloading dnspython-2.8.0-py3-none-any.whl (331 kB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m331.1/331.1 kB[0m [31m31.8 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: dnspython, pymongo
Successfully installed dnspython-2.8.0 pymongo-4.15.1


In [None]:
# retrieve connection string
connection = !atlas clusters connectionStrings describe  MyNewCluster --projectId {project_id}

# add username and password to connection string
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{username}:{password}@')
print(new_connection)

#make the connection get the list of databases
from pymongo import MongoClient
client = MongoClient(new_connection)
client.list_database_names()

### 10. Create a X509 user and certificate

Create an **Atlas-managed** **X509** user with username: `myX509User` and role `readAnyDatabase`.

Refer to the documentation: [atlas dbusers](https://www.mongodb.com/docs/atlas/cli/current/command/atlas-dbusers-create/).

In [None]:
!atlas dbusers create <CODE_BLOCK> --projectId {project_id}

Create a new Atlas-managed X.509 certificate for the database user.

Refer to the documentation: [atlas dbusers certs](https://www.mongodb.com/docs/atlas/cli/current/command/atlas-dbusers-certs-create/).

In [None]:
# Generate a certification for "myX509user", set monthsUntilExpiration to 1, and save it to /tmp/cert.pem
!atlas dbusers certs create <CODE_BLOCK> --projectId {project_id} > /tmp/cert.pem

#show the certificate file
!cat /tmp/cert.pem

### 11. Authenticate the X509 user

In [None]:
# Get connection string
connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}

# Modify connection string to use X509 as authentication mechanism
new_connection = connection[1].replace('.net', '.net?authSource=%24external&authMechanism=MONGODB-X509')
print(new_connection)

# Connect using the certificate
from pymongo import MongoClient
client = MongoClient(new_connection,
                     tlsCertificateKeyFile='/tmp/cert.pem')

# Access the database
client.list_database_names()

## RBAC Challenge

[![Lab Documentation and Solutions](https://img.shields.io/badge/RBAC%20Challenge%20Instructions-darkgreen)](https://mongodb-developer.github.io/security-basics-lab/docs/challenge/rbac)

### 12. Create a user with role-based access


Create a new user with the role `readWriteAnyDatabase` and the username and password below.

The user access should be scoped to the `myNewCluster` cluster. Use the `--scope` option.

Refer to the documentation: https://www.mongodb.com/docs/atlas/cli/current/command/atlas-dbusers-create/.

In [None]:
newClusterAdminUser = 'myNewClusterAdmin'
newClusterAdminPass = 'myNewClusterAdminPass'
!atlas dbusers create <CODE_BLOCK> --scope <CLUSTER_NAME> --projectId {project_id}

### 13. Create user with read-only access to the 'salesDB' database

Create a role `salesRead` with read-only access to the `salesDB` database.

Refer to the documentation: [atlas customDbRoles](https://www.mongodb.com/docs/atlas/cli/current/command/atlas-customDbRoles-create).

In [None]:
!atlas customDbRoles create <CODE_BLOCK>

Create a new user with the username and password below, which has the custom role `salesReadRole` you just created.

Refer to the documentation: [atlas dbusers](https://www.mongodb.com/docs/atlas/cli/current/command/atlas-dbusers-create/).

In [None]:
# Create a user "salesReadUser" with password "salesReadPass" which has the "salesRead" role
salesReadUser = 'salesReadUser'
salesReadPass = 'salesReadPass'
!atlas dbusers create <CODE_BLOCK> --projectId {project_id}

### 14. Test that 'salesReadUser' can't insert data into the 'salesDB' database

In [None]:
# Get connection string
connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}

# Replace connection string with username and password
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{salesReadUser}:{salesReadPass}@')

# Attempt to insert data
client = MongoClient(new_connection)
db = client['salesDB']
collection = db['mycollection']
try:
  data = {'name': 'John Doe', 'age': 30}
  result = collection.insert_one(data)
  print(f"Inserted document with ID: {result.inserted_id}")
except Exception as e:
  print(f"Error inserting data: {e}")

### 15. Test that 'myNewClusterAdmin' can insert data into the 'salesDB' database

In [None]:
# Get connection string
connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}

# Replace
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{username}:{password}@')
client = MongoClient(new_connection)
db = client['salesDB']
collection = db['mycollection']
try:
  data = {'name': 'John Doe', 'age': 30}
  result = collection.insert_one(data)
  print(f"Inserted document with ID: {result.inserted_id}")
except Exception as e:
  print(f"Error inserting data: {e}")

## Encryption Challenge

[![Lab Documentation and Solutions](https://img.shields.io/badge/Queryable%20Encryption%20Challenge-darkgreen)](https://mongodb-developer.github.io/security-basics-lab/docs/challenge/queryable-encryption)

### 16. Install the required packages

In [None]:
!pip install pymongo[encryption]
!pip install pymongo
!pip install requests

### 17. Set up the crypt_shared library

In [None]:
import os
from pymongo import MongoClient
from pymongo.encryption import Algorithm, ClientEncryption, QueryType
from pymongo.encryption_options import AutoEncryptionOpts
from bson.codec_options import CodecOptions
from bson import json_util
import json
import requests
import platform
import tempfile
def setup_crypt_shared():
    system = platform.system().lower()
    if system == "linux":
        url = "https://downloads.mongodb.com/linux/mongo_crypt_shared_v1-linux-x86_64-enterprise-ubuntu2004-6.0.6.tgz"
        filename = "mongo_crypt_shared_v1-linux-x86_64-enterprise-ubuntu2004-6.0.6.tgz"
    elif system == "darwin":
        url = "https://downloads.mongodb.com/osx/mongo_crypt_shared_v1-macos-x86_64-enterprise-6.0.6.tgz"
        filename = "mongo_crypt_shared_v1-macos-x86_64-enterprise-6.0.6.tgz"
    elif system == "windows":
        url = "https://downloads.mongodb.com/windows/mongo_crypt_shared_v1-windows-x86_64-enterprise-6.0.6.zip"
        filename = "mongo_crypt_shared_v1-windows-x86_64-enterprise-6.0.6.zip"
    else:
        raise OSError("Unsupported operating system")
    response = requests.get(url)
    response.raise_for_status()
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tgz" if system != "windows" else ".zip") as tmp_file:
        tmp_file.write(response.content)
        tmp_file_path = tmp_file.name
    extract_dir = tempfile.mkdtemp()
    if system != "windows":
        os.system(f"tar -xzf {tmp_file_path} -C {extract_dir}")
        lib_path = os.path.join(extract_dir, "lib", "mongo_crypt_v1.so")
    else:
        os.system(f"powershell Expand-Archive -Path {tmp_file_path} -DestinationPath {extract_dir}")
        lib_path = os.path.join(extract_dir, "bin", "mongo_crypt_v1.dll")
    return lib_path
crypt_shared_lib_path = setup_crypt_shared()
print(f"Crypt shared library path: {crypt_shared_lib_path}")

### 18. Connect to your Atlas cluster

In [None]:
connection = !atlas clusters connectionStrings describe  MyNewCluster --projectId {project_id}
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{username}:{password}@')
print(new_connection)
from pymongo import MongoClient
client = MongoClient(new_connection)

### 19. Set up an encrypted client with a local KMS provider

In [None]:
# generate a random 96 byte key
local_master_key = os.urandom(96)

# configure encryption options
kms_providers = {"local": {"key": local_master_key}}
key_vault_namespace = "encryption.__keyVault"
key_vault_database_name = "encryption"
key_vault_collection_name = "__keyVault"
key_vault_namespace = f"{key_vault_database_name}.{key_vault_collection_name}"

auto_encryption_options = AutoEncryptionOpts(
    kms_providers,
    key_vault_namespace,
    crypt_shared_lib_path=crypt_shared_lib_path
)

# set up client and encryption
encrypted_client = MongoClient(
    new_connection, auto_encryption_opts=auto_encryption_options)


client_encryption = ClientEncryption(
    kms_providers=kms_providers,
    key_vault_namespace=key_vault_namespace,
    key_vault_client=encrypted_client,
    codec_options=CodecOptions()
)

### 20. Consider the following sample 'patient' document

In [None]:
patient_document = {
    "patientName": "Jon Doe",
    "patientId": 12345678,
    "patientRecord": {
        "ssn": "987-65-4320",
        "billing": {
            "type": "Visa",
            "number": "4111111111111111",
        },
    },
}

### 21. Create an encrypted collection based on the following requirements

- 'patientRecord.ssn' and 'patientRecord.billing' must be encrypted
- patients will be queried by 'patientRecord.ssn'

In [None]:
# Create encrypted fields map, remeber that type is "string" and not "String" and "object" and not "Object"
encrypted_fields_map = {
    'fields': [
        {
            'path': <SSN_FIELD_CODE_BLOCK>,
            'bsonType': 'string',
            'queries': [{'queryType': 'equality'}]
        },
        {
            'path': <BILLING_FIELD_CODE_BLOCK>,
            'bsonType': 'object'
        }
    ]
}

encrypted_database_name = 'medicalRecords'
encrypted_collection_name = 'patients'
kms_provider_name = 'local'
client_encryption.create_encrypted_collection(
    encrypted_client[encrypted_database_name],
    encrypted_collection_name,
    encrypted_fields_map,
    kms_provider_name,
    {},
)

### 22. Insert the sample 'patient' document

Refer to the documentation: [collection.insert_one()](https://pymongo.readthedocs.io/en/stable/api/pymongo/collection.html#pymongo.collection.Collection.insert_one).

In [None]:
encrypted_collection = encrypted_client[encrypted_database_name][encrypted_collection_name]
result = <CODE_BLOCK>
print(f"Inserted document ID: {result.inserted_id}")

### 22. Find the patient by their SSN

Refer to the documentation: [collection.find_one()](https://pymongo.readthedocs.io/en/stable/api/pymongo/collection.html#pymongo.collection.Collection.find_one).

In [None]:
find_result = <CODE_BLOCK>
print(find_result)

### 23. Make the same query the collection without encryption/decryption

In [None]:
reg_mongoclient = MongoClient(new_connection)
reg_collection = reg_mongoclient[encrypted_database_name][encrypted_collection_name]
find_result = reg_collection.find_one({"patientRecord.ssn": "987-65-4320"})
print(find_result)

### 24. Read all documents in the collection without encryption/decryption

In [None]:
all_docs = reg_mongoclient[encrypted_database_name][encrypted_collection_name].find()
print("\nAll documents in the collection:")
for doc in all_docs:
    print(doc)