CLOUDP-329787: Make Service Account transport available in httpClient() (#4090)

cveticm · web-flow · commit 4a49db9ba266 · 2025-08-06T11:08:11.000+01:00
diff --git a/docs/command/atlas-setup.txt b/docs/command/atlas-setup.txt
@@ -14,11 +14,6 @@ atlas setup
 
 Login, authenticate, create, and access an Atlas cluster.
 
-Public Preview: The atlas api sub-command, automatically generated from the MongoDB Atlas Admin API, offers full coverage of the Admin API and is currently in Public Preview (please provide feedback at https://feedback.mongodb.com/forums/930808-atlas-cli).
-Admin API capabilities have their own release lifecycle, which you can check via the provided API endpoint documentation link.
-
-
-
 This command takes you through login, default profile creation, creating your first free tier cluster and connecting to it using MongoDB Shell.
 
 Syntax
diff --git a/internal/cli/auth/whoami.go b/internal/cli/auth/whoami.go
@@ -36,22 +36,16 @@ func (opts *whoOpts) Run() error {
 	return nil
 }
 
-var ErrUnauthenticated = errors.New("not logged in with an Atlas account or API key")
-
-func AccountWithAccessToken() (string, error) {
-	if config.AccessToken() == "" {
-		return "", ErrUnauthenticated
-	}
-
-	return config.AccessTokenSubject()
-}
+var ErrUnauthenticated = errors.New("not logged in with an Atlas account, Service Account or API key")
 
 func authTypeAndSubject() (string, string, error) {
-	if config.PublicAPIKey() != "" {
+	switch config.AuthType() {
+	case config.APIKeys:
 		return "key", config.PublicAPIKey(), nil
-	}
-
-	if subject, err := AccountWithAccessToken(); err == nil {
+	case config.ServiceAccount:
+		return "service account", config.ClientID(), nil
+	case config.UserAccount:
+		subject, _ := config.AccessTokenSubject()
 		return "account", subject, nil
 	}
 
diff --git a/internal/cli/commonerrors/errors.go b/internal/cli/commonerrors/errors.go
@@ -21,6 +21,7 @@ import (
 	atlasClustersPinned "go.mongodb.org/atlas-sdk/v20240530005/admin"
 	atlasv2 "go.mongodb.org/atlas-sdk/v20250312005/admin"
 	atlas "go.mongodb.org/atlas/mongodbatlas"
+	"golang.org/x/oauth2"
 )
 
 var (
@@ -44,6 +45,7 @@ const (
 	globalUserOutsideSubnetErrorCode        = "GLOBAL_USER_OUTSIDE_SUBNET"
 	unauthorizedErrorCode                   = "UNAUTHORIZED"
 	invalidRefreshTokenErrorCode            = "INVALID_REFRESH_TOKEN"
+	invalidServiceAccountClient             = "invalid_client"
 )
 
 // Check checks the error and returns a more user-friendly error message if applicable.
@@ -65,6 +67,8 @@ func Check(err error) error {
 		return errOutsideVPN
 	case asymmetricShardUnsupportedErrorCode:
 		return errAsymmetricShardUnsupported
+	case invalidServiceAccountClient: // oauth2 error
+		return ErrUnauthorized
 	}
 
 	apiError := getError(err) // some `Unauthorized` errors do not have an error code, so we check the HTTP status code
@@ -77,8 +81,9 @@ func Check(err error) error {
 }
 
 // getErrorCode extracts the error code from the error if it is an Atlas error.
-// This function checks for v2 SDK, the pinned clusters SDK and the old SDK errors.
-// If the error is not any of these Atlas errors, it returns "UNKNOWN_ERROR".
+// This function checks for v2 SDK, the pinned clusters SDK, the old SDK errors
+// and oauth2 errors.
+// If the error is not any of these errors, it returns "UNKNOWN_ERROR".
 func getErrorCode(err error) string {
 	if err == nil {
 		return unknownErrorCode
@@ -94,6 +99,10 @@ func getErrorCode(err error) string {
 	if sdkPinnedError, ok := atlasClustersPinned.AsError(err); ok {
 		return sdkPinnedError.GetErrorCode()
 	}
+	var oauth2Err *oauth2.RetrieveError
+	if errors.As(err, &oauth2Err) {
+		return oauth2Err.ErrorCode
+	}
 
 	return unknownErrorCode
 }
diff --git a/internal/cli/setup/setup_cmd.go b/internal/cli/setup/setup_cmd.go
@@ -579,16 +579,10 @@ func (opts *Opts) promptConnect() error {
 func (opts *Opts) PreRun(ctx context.Context) error {
 	opts.skipLogin = true
 
-	if err := validate.NoAPIKeys(); err != nil {
-		// Why are we ignoring the error?
-		// Because if the user has API keys, we just want to proceed with the flow
-		// Then why not remove the error?
-		// The error is useful in other components that call `validate.NoAPIKeys()`
+	switch config.AuthType() {
+	case config.APIKeys, config.ServiceAccount:
 		return nil
-	}
-
-	// if profile has access token and refresh token is valid, we can skip login
-	if _, err := auth.AccountWithAccessToken(); err == nil {
+	case config.UserAccount:
 		if err := opts.login.RefreshAccessToken(ctx); !commonerrors.IsInvalidRefreshToken(err) {
 			return nil
 		}
diff --git a/internal/mocks/mock_store.go b/internal/mocks/mock_store.go
diff --git a/internal/store/store.go b/internal/store/store.go
@@ -40,14 +40,16 @@ const (
 var errUnsupportedService = errors.New("unsupported service")
 
 type Store struct {
-	service     string
-	baseURL     string
-	telemetry   bool
-	authType    config.AuthMechanism
-	username    string
-	password    string
-	accessToken *atlasauth.Token
-	client      *atlas.Client
+	service      string
+	baseURL      string
+	telemetry    bool
+	authType     config.AuthMechanism
+	username     string
+	password     string
+	accessToken  *atlasauth.Token
+	clientID     string
+	clientSecret string
+	client       *atlas.Client
 	// Latest release of the autogenerated Atlas V2 API Client
 	clientv2 *atlasv2.APIClient
 	// Pinnned version to the most recent version that's working for clusters
@@ -72,13 +74,14 @@ func (s *Store) httpClient(httpTransport http.RoundTripper) (*http.Client, error
 
 		return &http.Client{Transport: tr}, nil
 	case config.ServiceAccount:
-		// TODO: serviceAccount will be implemented in CLOUDP-329787
-		return &http.Client{Transport: httpTransport}, nil
+		tr, err := transport.NewServiceAccountTransport(s.clientID, s.clientSecret, httpTransport)
+		if err != nil {
+			return nil, err
+		}
+		return &http.Client{Transport: tr}, nil
 	default:
 		return &http.Client{Transport: httpTransport}, nil
 	}
-
-	return &http.Client{Transport: httpTransport}, nil
 }
 
 func (s *Store) transport() *http.Transport {
@@ -137,6 +140,8 @@ func Telemetry() Option {
 type CredentialsGetter interface {
 	PublicAPIKey() string
 	PrivateAPIKey() string
+	ClientID() string
+	ClientSecret() string
 	Token() (*atlasauth.Token, error)
 	AuthType() config.AuthMechanism
 }
@@ -145,10 +150,16 @@ type CredentialsGetter interface {
 func WithAuthentication(c CredentialsGetter) Option {
 	return func(s *Store) error {
 		s.authType = c.AuthType()
-		if s.authType == config.APIKeys {
+		switch s.authType {
+		case config.APIKeys:
 			s.username = c.PublicAPIKey()
 			s.password = c.PrivateAPIKey()
-		} else {
+		case config.ServiceAccount:
+			s.clientID = c.ClientID()
+			s.clientSecret = c.ClientSecret()
+		case config.UserAccount:
+			fallthrough
+		default:
 			t, err := c.Token()
 			if err != nil {
 				return err
diff --git a/internal/store/store_test.go b/internal/store/store_test.go
@@ -12,32 +12,32 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//go:build unit
-
 package store
 
 import (
 	"context"
 	"testing"
 
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config"
+	"github.com/stretchr/testify/require"
 	atlasauth "go.mongodb.org/atlas/auth"
 )
 
 type auth struct {
 	username     string
 	password     string
-	token        string
+	refreshToken string
 	clientID     string
 	clientSecret string
+	accessToken  *atlasauth.Token
 }
 
-func (auth) Token() (*atlasauth.Token, error) {
-	return nil, nil
+func (a auth) Token() (*atlasauth.Token, error) {
+	return a.accessToken, nil
 }
 
 func (a auth) RefreshToken() string {
-	return a.token
+	return a.refreshToken
 }
 
 func (a auth) PublicAPIKey() string {
@@ -60,7 +60,7 @@ func (a auth) AuthType() config.AuthMechanism {
 	if a.username != "" {
 		return config.APIKeys
 	}
-	if a.token != "" {
+	if a.accessToken != nil {
 		return config.UserAccount
 	}
 	if a.clientID != "" {
@@ -117,21 +117,46 @@ func (c testConfig) OpsManagerURL() string {
 var _ AuthenticatedConfig = &testConfig{}
 
 func TestWithAuthentication(t *testing.T) {
-	a := auth{
-		username: "username",
-		password: "password",
-	}
-	c, err := New(Service("cloud"), WithAuthentication(a))
-
-	if err != nil {
-		t.Fatalf("New() unexpected error: %v", err)
+	tests := []struct {
+		name string
+		a    auth
+	}{
+		{
+			name: "api keys",
+			a: auth{
+				username: "username",
+				password: "password",
+			},
+		},
+		{
+			name: "service account",
+			a: auth{
+				clientID:     "id",
+				clientSecret: "secret",
+			},
+		},
+		{
+			name: "user account",
+			a: auth{
+				refreshToken: "token",
+				accessToken: &atlasauth.Token{
+					AccessToken:  "access",
+					RefreshToken: "refresh",
+				},
+			},
+		},
 	}
 
-	if c.username != a.username {
-		t.Errorf("New() username = %s; expected %s", c.username, a.username)
-	}
-	if c.password != a.password {
-		t.Errorf("New() password = %s; expected %s", c.password, a.password)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c, err := New(Service("cloud"), WithAuthentication(tt.a))
+			require.NoError(t, err)
+			require.Equal(t, c.username, tt.a.username)
+			require.Equal(t, c.password, tt.a.password)
+			require.Equal(t, c.clientID, tt.a.clientID)
+			require.Equal(t, c.clientSecret, tt.a.clientSecret)
+			require.Equal(t, c.accessToken, tt.a.accessToken)
+		})
 	}
 }
 
