CLOUDP-304203: Add support to Service Accounts (#4130)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Melanija Cvetic <[email protected]>
Co-authored-by: Jeroen Vervaeke <[email protected]>
Co-authored-by: Wesley Nabo <[email protected]>
Co-authored-by: Filipe Constantinov Menezes <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: apix-bot[bot] <168195273+apix-bot[bot]@users.noreply.github.com>
Co-authored-by: Jeroen Vervaeke <[email protected]>

Author: 7 people

.golangci.yml

@@ -145,6 +145,8 @@ linters:
           alias: storeTransport
         - pkg: github.com/mongodb/mongodb-atlas-cli/atlascli/tools/shared/api
           alias: shared_api
+        - pkg: github.com/mongodb/atlas-cli-core/mocks
+          alias: coreMocks
       no-extra-aliases: true
     misspell:
       locale: US

SECURITY.md

@@ -2,7 +2,47 @@
 
 ## Reporting a Vulnerability
 
-Any security concerns or vulnerabilities discovered in one of MongoDB’s products or hosted services 
+Any security concerns or vulnerabilities discovered in one of MongoDB's products or hosted services 
 can be responsibly disclosed by utilizing one of the methods described in our [create a vulnerability report](https://docs.mongodb.com/manual/tutorial/create-a-vulnerability-report/) docs page.
 
 While we greatly appreciate community reports regarding security issues, at this time MongoDB does not provide compensation for vulnerability reports.
+
+## Credential Storage
+
+The MongoDB Atlas CLI uses a hybrid approach to store sensitive credentials, prioritizing security while maintaining compatibility across different environments and systems.
+
+### Secure Storage (Preferred)
+
+When available, the CLI uses your operating system's native keyring services to securely store sensitive credentials. This provides the highest level of security by leveraging OS-level encryption and access controls.
+
+**Credentials stored securely include:**
+- API Keys (public and private)
+- Access Tokens
+- Refresh Tokens  
+- Client ID and Client Secret
+
+**Supported platforms:**
+- **macOS**: Uses Keychain Services for secure credential storage
+- **Windows**: Integrates with Windows Credential Manager
+- **Linux**: Works with desktop [Secret Service](https://specifications.freedesktop.org/secret-service-spec/latest/) dbus interface
+
+### Insecure Storage (Fallback)
+
+If the operating system's keyring services are unavailable, the CLI automatically falls back to storing credentials in a local configuration file (`config.toml`). This ensures the CLI remains functional even in restricted environments.
+
+**Important security considerations for fallback storage:**
+- Credentials are stored in plain text in the configuration file
+
+### Checking Your Storage Method
+
+You can verify whether your CLI is using secure storage by running any `atlas` command. You'll see the message `Warning: Secure storage is not available, falling back to insecure storage`, when secure storage is not available.
+
+### Technical Implementation
+
+The CLI uses the [go-keyring](https://github.com/zalando/go-keyring) library to interface with OS keyring services. Each profile's credentials are stored under a service name prefixed with `atlascli_` (e.g., `atlascli_default` for the default profile).
+
+For detailed information about how your operating system manages keyring encryption and security:
+
+- **macOS Keychain**: [Apple Keychain Services Documentation](https://developer.apple.com/documentation/security/keychain_services)
+- **Windows Credential Manager**: [Windows Credential Manager Documentation](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/)
+- **Linux GNOME Keyring**: [GNOME Keyring Documentation](https://wiki.gnome.org/Projects/GnomeKeyring)

build/ci/evergreen.yml

@@ -685,6 +685,18 @@ tasks:
       - func: "e2e test"
         vars:
           E2E_TEST_PACKAGES: ./test/e2e/atlas/serverless/instance/...
+  - name: atlas_service_account_e2e
+    tags: ["e2e","generic","atlas"]
+    must_have_test_results: true
+    depends_on:
+      - name: compile
+        variant: "code_health"
+        patch_optional: true
+    commands:
+      - func: "install gotestsum"
+      - func: "e2e test"
+        vars:
+          E2E_TEST_PACKAGES: ./test/e2e/atlas/serviceAccount/...
   - name: atlas_gov_clusters_flags_e2e
     tags: ["e2e","clusters","atlasgov","foliage_check_task_only"]
     must_have_test_results: true
@@ -1365,6 +1377,25 @@ tasks:
               -e SNYK_CFG_ORG=${SNYK_ORG} \
               -v ${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/app \
               snyk/snyk:golang snyk monitor
+  # 
+  - name: atlas_config_migration_e2e
+    tags: ["e2e","config-migration"]
+    must_have_test_results: true
+    depends_on:
+      - name: compile
+        variant: "code_health"
+        patch_optional: true
+    commands:
+      - func: "install gotestsum"
+      - func: "e2e test"
+        vars:
+          MONGODB_ATLAS_ORG_ID: ${atlas_org_id}
+          MONGODB_ATLAS_PROJECT_ID: ${atlas_project_id}
+          MONGODB_ATLAS_PRIVATE_API_KEY: ${atlas_private_api_key}
+          MONGODB_ATLAS_PUBLIC_API_KEY: ${atlas_public_api_key}
+          MONGODB_ATLAS_OPS_MANAGER_URL: ${mcli_ops_manager_url}
+          MONGODB_ATLAS_SERVICE: cloud
+          E2E_TEST_PACKAGES: ./test/e2e/config/migration/...
 task_groups:
   - name: atlas_deployments_windows_group
     setup_task:
@@ -1683,6 +1714,18 @@ buildvariants:
       - ubuntu2204-small
     tasks:
       - name: ".snyk"
+  - name: e2e_config_migration_macos_14
+    display_name: "E2E Config Migration Tests"
+    allowed_requesters: ["patch", "ad_hoc", "github_pr"]
+    tags:
+      - config-migration
+      - foliage_health
+    run_on:
+      - macos-14-arm64-docker
+    expansions:
+      <<: *go_linux_version
+    tasks:
+      - name: ".e2e .config-migration"
 patch_aliases:
   - alias: "localdev"
     variant_tags: ["localdev cron"]
@@ -1707,4 +1750,4 @@ git_tag_aliases:
     task: ".*"
 github_checks_aliases:
  - variant: ".*"
-   task: ".*"
+   task: ".*"

build/ci/library_owners.json

@@ -26,6 +26,7 @@
 	"github.com/mholt/archives": "apix-2",
 	"github.com/mongodb-forks/digest": "apix-2",
 	"github.com/mongodb-labs/cobra2snooty": "apix-2",
+	"github.com/mongodb/atlas-cli-core": "apix-2",
 	"github.com/Netflix/go-expect": "apix-2",
 	"github.com/PaesslerAG/jsonpath": "apix-2",
 	"github.com/pelletier/go-toml": "apix-2",
@@ -40,6 +41,7 @@
 	"github.com/stretchr/testify": "apix-2",
 	"github.com/tangzero/inflector": "apix-2",
 	"github.com/yuin/goldmark": "apix-2",
+	"github.com/zalando/go-keyring": "apix-2",
 	"go.mongodb.org/atlas-sdk/v20240530005": "apix-2",
 	"go.mongodb.org/atlas-sdk/v20250312006": "apix-2",
 	"go.mongodb.org/atlas": "apix-2",
@@ -50,6 +52,7 @@
 	"go.uber.org/mock": "apix-2",
 	"golang.org/x/mod": "apix-2",
 	"golang.org/x/net": "apix-2",
+	"golang.org/x/oauth2": "apix-2",
 	"golang.org/x/sys": "apix-2",
 	"golang.org/x/tools": "apix-2",
 	"google.golang.org/api": "apix-2",

build/package/purls.txt

@@ -1,3 +1,4 @@
+pkg:golang/al.essio.dev/pkg/[email protected]
 pkg:golang/cloud.google.com/go/auth/[email protected]
 pkg:golang/cloud.google.com/go/[email protected]
 pkg:golang/cloud.google.com/go/compute/[email protected]
@@ -38,16 +39,18 @@ pkg:golang/github.com/briandowns/[email protected]
 pkg:golang/github.com/cli/go-gh/[email protected]
 pkg:golang/github.com/cli/[email protected]
 pkg:golang/github.com/cloudflare/[email protected]
+pkg:golang/github.com/danieljoos/[email protected]
 pkg:golang/github.com/denisbrodbeck/[email protected]
 pkg:golang/github.com/dsnet/[email protected]
 pkg:golang/github.com/ebitengine/[email protected]
 pkg:golang/github.com/fatih/[email protected]
 pkg:golang/github.com/felixge/[email protected]
-pkg:golang/github.com/fsnotify/fsnotify@v1.8.0
+pkg:golang/github.com/fsnotify/fsnotify@v1.9.0
 pkg:golang/github.com/go-logr/[email protected]
 pkg:golang/github.com/go-logr/[email protected]
 pkg:golang/github.com/go-ole/[email protected]
 pkg:golang/github.com/go-viper/mapstructure/[email protected]
+pkg:golang/github.com/godbus/dbus/[email protected]
 pkg:golang/github.com/golang-jwt/jwt/[email protected]
 pkg:golang/github.com/golang/[email protected]
 pkg:golang/github.com/google/go-github/[email protected]
@@ -72,6 +75,7 @@ pkg:golang/github.com/mholt/[email protected]
 pkg:golang/github.com/mikelolasagasti/[email protected]
 pkg:golang/github.com/minio/[email protected]
 pkg:golang/github.com/mongodb-forks/[email protected]
+pkg:golang/github.com/mongodb/[email protected]
 pkg:golang/github.com/montanaflynn/[email protected]
 pkg:golang/github.com/nwaples/rardecode/[email protected]
 pkg:golang/github.com/pelletier/go-toml/[email protected]
@@ -97,6 +101,7 @@ pkg:golang/github.com/xdg-go/[email protected]
 pkg:golang/github.com/xdg-go/[email protected]
 pkg:golang/github.com/youmark/[email protected]
 pkg:golang/github.com/yusufpapurcu/[email protected]
+pkg:golang/github.com/zalando/[email protected]
 pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
 pkg:golang/go.mongodb.org/atlas-sdk/[email protected]
 pkg:golang/go.mongodb.org/[email protected]

cmd/atlas/atlas.go

@@ -15,27 +15,31 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"os"
 	"strings"
 
 	"github.com/AlecAivazis/survey/v2/core"
+	"github.com/mongodb/atlas-cli-core/config"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/cli/commonerrors"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/cli/root"
-	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config"
+	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/config/migrations"
 	"github.com/mongodb/mongodb-atlas-cli/atlascli/internal/telemetry"
 	"github.com/spf13/cobra"
 )
 
 // Execute adds all child commands to the root command and sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
-func execute(rootCmd *cobra.Command) {
-	ctx := telemetry.NewContext()
+func execute(ctx context.Context, rootCmd *cobra.Command) {
 	// append here to avoid a recursive link on generated docs
 	rootCmd.Long += `
 
 To learn more, see our documentation: https://www.mongodb.com/docs/atlas/cli/stable/connect-atlas-cli/`
 	if cmd, err := rootCmd.ExecuteContextC(ctx); err != nil {
+		err := commonerrors.Check(err)
+		rootCmd.PrintErrln(rootCmd.ErrPrefix(), err)
 		if !telemetry.StartedTrackingCommand() {
 			telemetry.StartTrackingCommand(cmd, os.Args[1:])
 		}
@@ -48,12 +52,27 @@ To learn more, see our documentation: https://www.mongodb.com/docs/atlas/cli/sta
 }
 
 // loadConfig reads in config file and ENV variables if set.
-func loadConfig() error {
-	if err := config.LoadAtlasCLIConfig(); err != nil {
-		return fmt.Errorf("error loading config: %w. Please run `atlas config init` to reconfigure your profile", err)
+func loadConfig() (*config.Profile, error) {
+	// Migrate config to the latest version.
+	migrator := migrations.NewDefaultMigrator()
+	if err := migrator.Migrate(); err != nil {
+		return nil, fmt.Errorf("error migrating config: %w", err)
+	}
+
+	configStore, initErr := config.NewDefaultStore()
+
+	if initErr != nil {
+		return nil, fmt.Errorf("error loading config: %w. Please run `atlas auth login` to reconfigure your profile", initErr)
+	}
+
+	if !configStore.IsSecure() {
+		fmt.Fprintf(os.Stderr, "Warning: Secure storage is not available, falling back to insecure storage\n")
 	}
 
-	return nil
+	profile := config.NewProfile(config.DefaultProfile, configStore)
+	config.SetProfile(profile)
+
+	return profile, nil
 }
 
 func trackInitError(e error, rootCmd *cobra.Command) {
@@ -82,9 +101,18 @@ func main() {
 		core.DisableColor = true
 	}
 
+	// Load config
+	profile, loadProfileErr := loadConfig()
+
 	rootCmd := root.Builder()
 	initTrack(rootCmd)
-	trackInitError(loadConfig(), rootCmd)
+	trackInitError(loadProfileErr, rootCmd)
+
+	// Initialize context, attach
+	// - telemetry
+	// - profile
+	ctx := telemetry.NewContext()
+	config.WithProfile(ctx, profile)
 
-	execute(rootCmd)
+	execute(ctx, rootCmd)
 }

docs/command/atlas-auth-login.txt

@@ -14,6 +14,8 @@ atlas auth login
 
 Authenticate with MongoDB Atlas.
 
+This command allows you to authenticate with MongoDB Atlas using User Account, Service Account, or API Key authentication methods.
+
 Syntax
 ------
 
@@ -46,7 +48,7 @@ Options
    * - --noBrowser
      - 
      - false
-     - Don't try to open a browser session.
+     - Don't automatically open a browser session.
 
 Inherited Options
 -----------------