CLOUDP-330236: Adds NewServiceAccountTransport (#4075)

cveticm · web-flow · commit 4d8005039c8a · 2025-08-01T17:31:05.000+01:00
diff --git a/build/ci/library_owners.json b/build/ci/library_owners.json
@@ -51,6 +51,7 @@
 	"go.uber.org/mock": "apix-2",
 	"golang.org/x/mod": "apix-2",
 	"golang.org/x/net": "apix-2",
+	"golang.org/x/oauth2": "apix-2",
 	"golang.org/x/sys": "apix-2",
 	"golang.org/x/tools": "apix-2",
 	"google.golang.org/api": "apix-2",
diff --git a/go.mod b/go.mod
@@ -174,7 +174,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	golang.org/x/crypto v0.40.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/term v0.33.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
diff --git a/internal/transport/transport.go b/internal/transport/transport.go
@@ -15,14 +15,17 @@
 package transport
 
 import (
+	"context"
 	"net"
 	"net/http"
 	"time"
 
 	"github.com/mongodb-forks/digest"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/oauth"
+	"go.mongodb.org/atlas-sdk/v20250312005/auth/clientcredentials"
 	atlasauth "go.mongodb.org/atlas/auth"
+	"golang.org/x/oauth2"
 )
 
 const (
@@ -110,3 +113,18 @@ func (tr *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 
 	return tr.base.RoundTrip(req)
 }
+
+func NewServiceAccountTransport(clientID, clientSecret string, base http.RoundTripper) (http.RoundTripper, error) {
+	cfg := clientcredentials.NewConfig(clientID, clientSecret)
+	if config.OpsManagerURL() != "" {
+		cfg.RevokeURL = config.OpsManagerURL() + "api/oauth/revoke"
+		cfg.TokenURL = config.OpsManagerURL() + "api/oauth/token"
+	}
+
+	ctx := context.Background()
+
+	return &oauth2.Transport{
+		Base:   base,
+		Source: cfg.TokenSource(ctx),
+	}, nil
+}
diff --git a/internal/transport/transport_test.go b/internal/transport/transport_test.go
@@ -0,0 +1,88 @@
+// Copyright 2025 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build unit
+
+package transport
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config"
+	"github.com/stretchr/testify/require"
+	"go.mongodb.org/atlas/auth"
+)
+
+func TestNewAccessTokenTransport(t *testing.T) {
+	mockToken := &auth.Token{
+		AccessToken:  "mock-access-token",
+		RefreshToken: "mock-refresh-token",
+	}
+
+	saveToken := func(_ *auth.Token) error { return nil }
+
+	base := Default()
+	accessTokenTransport, err := NewAccessTokenTransport(mockToken, base, saveToken)
+	require.NoError(t, err)
+	require.NotNil(t, accessTokenTransport)
+
+	req := httptest.NewRequest(http.MethodGet, "http://example.com", nil)
+	resp, err := accessTokenTransport.RoundTrip(req)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+
+	authHeader := req.Header.Get("Authorization")
+	expectedHeader := "Bearer " + mockToken.AccessToken
+	require.Equal(t, expectedHeader, authHeader)
+}
+
+func TestNewServiceAccountTransport(t *testing.T) {
+	// Mock the token endpoint since the actual endpoint requires a valid client ID and secret.
+	tokenServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if _, err := w.Write([]byte(`{"access_token":"mock-token","token_type":"bearer","expires_in":3600}`)); err != nil {
+			t.Errorf("Failed to write response: %v", err)
+		}
+	}))
+	defer tokenServer.Close()
+
+	// Temporarily set OpsManagerURL to mock tokenServer URL
+	originalURL := config.OpsManagerURL()
+	config.SetOpsManagerURL(tokenServer.URL + "/")
+	defer func() { config.SetOpsManagerURL(originalURL) }()
+
+	clientID := "mock-client-id"
+	clientSecret := "mock-client-secret" //nolint:gosec
+	base := http.DefaultTransport
+
+	tr, err := NewServiceAccountTransport(clientID, clientSecret, base)
+	require.NoError(t, err)
+	require.NotNil(t, tr)
+
+	// Create request to check authentication header
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if got := r.Header.Get("Authorization"); got != "Bearer mock-token" {
+			t.Errorf("Expected Authorization header to be 'Bearer mock-token', but got: %v", got)
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	req := httptest.NewRequest(http.MethodGet, server.URL, nil)
+	resp, err := tr.RoundTrip(req)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+}
