CLOUDP-329793: Replace L1 transport (#4096)

Author: cveticm

internal/api/executor.go

@@ -22,7 +22,8 @@ import (
 
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/log"
-	storeTransport "github.com/mongodb/mongodb-atlas-cli/atlascli/internal/transport"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/store"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/transport"
 )
 
 var (
@@ -71,8 +72,9 @@ func NewExecutor(commandConverter CommandConverter, httpClient Doer, formatter R
 func NewDefaultExecutor(formatter ResponseFormatter) (*Executor, error) {
 	profile := config.Default()
 
-	client := &http.Client{
-		Transport: authenticatedTransport(profile, storeTransport.Default()),
+	client, err := store.HTTPClient(profile, transport.Default())
+	if err != nil {
+		return nil, err
 	}
 
 	configWrapper := NewAuthenticatedConfigWrapper(profile)

internal/api/transport.go

@@ -40,45 +40,39 @@ const (
 var errUnsupportedService = errors.New("unsupported service")
 
 type Store struct {
-	service      string
-	baseURL      string
-	telemetry    bool
-	authType     config.AuthMechanism
-	username     string
-	password     string
-	accessToken  *atlasauth.Token
-	clientID     string
-	clientSecret string
-	client       *atlas.Client
+	service    string
+	baseURL    string
+	telemetry  bool
+	httpClient *http.Client
+	client     *atlas.Client
 	// Latest release of the autogenerated Atlas V2 API Client
 	clientv2 *atlasv2.APIClient
 	// Pinnned version to the most recent version that's working for clusters
 	clientClusters *atlasClustersPinned.APIClient
 	ctx            context.Context
 }
 
-func (s *Store) httpClient(httpTransport http.RoundTripper) (*http.Client, error) {
-	switch s.authType {
+func HTTPClient(c CredentialsGetter, httpTransport http.RoundTripper) (*http.Client, error) {
+	switch c.AuthType() {
 	case config.APIKeys:
-		t := transport.NewDigestTransport(s.username, s.password, httpTransport)
+		t := transport.NewDigestTransport(c.PublicAPIKey(), c.PrivateAPIKey(), httpTransport)
 		return t.Client()
 	case config.UserAccount:
-		tr, err := transport.NewAccessTokenTransport(s.accessToken, httpTransport, func(t *atlasauth.Token) error {
+		token, err := c.Token()
+		if err != nil {
+			return nil, err
+		}
+		tr, err := transport.NewAccessTokenTransport(token, httpTransport, func(t *atlasauth.Token) error {
 			config.SetAccessToken(t.AccessToken)
 			config.SetRefreshToken(t.RefreshToken)
 			return config.Save()
 		})
 		if err != nil {
 			return nil, err
 		}
-
 		return &http.Client{Transport: tr}, nil
 	case config.ServiceAccount:
-		tr, err := transport.NewServiceAccountTransport(s.clientID, s.clientSecret, httpTransport)
-		if err != nil {
-			return nil, err
-		}
-		return &http.Client{Transport: tr}, nil
+		return transport.NewServiceAccountClient(c.ClientID(), c.ClientSecret()), nil
 	default:
 		return &http.Client{Transport: httpTransport}, nil
 	}
@@ -149,23 +143,11 @@ type CredentialsGetter interface {
 // WithAuthentication sets the store credentials.
 func WithAuthentication(c CredentialsGetter) Option {
 	return func(s *Store) error {
-		s.authType = c.AuthType()
-		switch s.authType {
-		case config.APIKeys:
-			s.username = c.PublicAPIKey()
-			s.password = c.PrivateAPIKey()
-		case config.ServiceAccount:
-			s.clientID = c.ClientID()
-			s.clientSecret = c.ClientSecret()
-		case config.UserAccount:
-			fallthrough
-		default:
-			t, err := c.Token()
-			if err != nil {
-				return err
-			}
-			s.accessToken = t
+		client, err := HTTPClient(c, s.transport())
+		if err != nil {
+			return err
 		}
+		s.httpClient = client
 		return nil
 	}
 }
@@ -179,25 +161,25 @@ func WithContext(ctx context.Context) Option {
 }
 
 // setAtlasClient sets the internal client to use an Atlas client and methods.
-func (s *Store) setAtlasClient(client *http.Client) error {
+func (s *Store) setAtlasClient() error {
 	opts := []atlas.ClientOpt{atlas.SetUserAgent(config.UserAgent)}
 	if s.baseURL != "" {
 		opts = append(opts, atlas.SetBaseURL(s.baseURL))
 	}
 	if log.IsDebugLevel() {
 		opts = append(opts, atlas.SetWithRaw())
 	}
-	c, err := atlas.New(client, opts...)
+	c, err := atlas.New(s.httpClient, opts...)
 	if err != nil {
 		return err
 	}
 
-	err = s.createV2Client(client)
+	err = s.createV2Client(s.httpClient)
 	if err != nil {
 		return err
 	}
 
-	err = s.createClustersClient(client)
+	err = s.createClustersClient(s.httpClient)
 	if err != nil {
 		return err
 	}
@@ -318,11 +300,7 @@ func New(opts ...Option) (*Store, error) {
 		}
 	}
 
-	client, err := store.httpClient(store.transport())
-	if err != nil {
-		return nil, err
-	}
-	if err = store.setAtlasClient(client); err != nil {
+	if err := store.setAtlasClient(); err != nil {
 		return nil, err
 	}
 

internal/store/store.go

@@ -151,11 +151,9 @@ func TestWithAuthentication(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			c, err := New(Service("cloud"), WithAuthentication(tt.a))
 			require.NoError(t, err)
-			require.Equal(t, c.username, tt.a.username)
-			require.Equal(t, c.password, tt.a.password)
-			require.Equal(t, c.clientID, tt.a.clientID)
-			require.Equal(t, c.clientSecret, tt.a.clientSecret)
-			require.Equal(t, c.accessToken, tt.a.accessToken)
+			require.NotNil(t, c.httpClient)
+			require.NotNil(t, c.httpClient.Transport)
+			require.NotEqual(t, c.transport(), c.httpClient.Transport) // Check transport is not default
 		})
 	}
 }

internal/store/store_test.go

@@ -25,7 +25,6 @@ import (
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/oauth"
 	"go.mongodb.org/atlas-sdk/v20250312005/auth/clientcredentials"
 	atlasauth "go.mongodb.org/atlas/auth"
-	"golang.org/x/oauth2"
 )
 
 const (
@@ -114,17 +113,13 @@ func (tr *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	return tr.base.RoundTrip(req)
 }
 
-func NewServiceAccountTransport(clientID, clientSecret string, base http.RoundTripper) (http.RoundTripper, error) {
+// NewServiceAccountClient creates a new HTTP client configured for service account authentication.
+// This function does not return http.RoundTripper as atlas-sdk already packages a transport with the client.
+func NewServiceAccountClient(clientID, clientSecret string) *http.Client {
 	cfg := clientcredentials.NewConfig(clientID, clientSecret)
 	if config.OpsManagerURL() != "" {
 		cfg.RevokeURL = config.OpsManagerURL() + "api/oauth/revoke"
 		cfg.TokenURL = config.OpsManagerURL() + "api/oauth/token"
 	}
-
-	ctx := context.Background()
-
-	return &oauth2.Transport{
-		Base:   base,
-		Source: cfg.TokenSource(ctx),
-	}, nil
+	return cfg.Client(context.Background())
 }

internal/transport/transport.go

@@ -66,11 +66,9 @@ func TestNewServiceAccountTransport(t *testing.T) {
 
 	clientID := "mock-client-id"
 	clientSecret := "mock-client-secret" //nolint:gosec
-	base := http.DefaultTransport
 
-	tr, err := NewServiceAccountTransport(clientID, clientSecret, base)
-	require.NoError(t, err)
-	require.NotNil(t, tr)
+	client := NewServiceAccountClient(clientID, clientSecret)
+	require.NotNil(t, client)
 
 	// Create request to check authentication header
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -82,7 +80,7 @@ func TestNewServiceAccountTransport(t *testing.T) {
 	defer server.Close()
 
 	req := httptest.NewRequest(http.MethodGet, server.URL, nil)
-	resp, err := tr.RoundTrip(req)
+	resp, err := client.Transport.RoundTrip(req)
 	require.NoError(t, err)
 	require.NotNil(t, resp)
 }