auth: improve error handling (#109)

- return the result of a login failure
- use the correct user-agent for auth http requests

Signed-off-by: Nick Santos <[email protected]>

Author: nicks

internal/auth/token.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"sync"
 	"time"
@@ -40,12 +41,15 @@ type LoginTokenProvider struct {
 }
 
 // NewLoginTokenProvider creates a token provider that uses username/password
-func NewLoginTokenProvider(username, password, baseURL string) *LoginTokenProvider {
+func NewLoginTokenProvider(username, password, baseURL string, transport http.RoundTripper) *LoginTokenProvider {
 	return &LoginTokenProvider{
-		username:   username,
-		password:   password,
-		baseURL:    baseURL,
-		httpClient: http.DefaultClient,
+		username: username,
+		password: password,
+		baseURL:  baseURL,
+		httpClient: &http.Client{
+			Timeout:   10 * time.Second,
+			Transport: transport,
+		},
 	}
 }
 
@@ -87,6 +91,12 @@ func (p *LoginTokenProvider) EnsureToken(ctx context.Context) (string, error) {
 	defer res.Body.Close()
 
 	if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest {
+		// Read the response body to get more details on the error
+		body, _ := io.ReadAll(res.Body)
+		if len(body) > 0 {
+			return "", fmt.Errorf("login failed: %s - %s", res.Status, string(body))
+		}
+
 		return "", fmt.Errorf("login failed: %s", res.Status)
 	}
 
@@ -170,7 +180,7 @@ func NewAccessTokenProviderFromStore(configStore *ConfigStore, configKey string)
 }
 
 // NewLoginTokenProviderFromStore creates a LoginTokenProvider from pull credentials in the ConfigStore
-func NewLoginTokenProviderFromStore(configStore *ConfigStore, configKey, baseURL string) (*LoginTokenProvider, error) {
+func NewLoginTokenProviderFromStore(configStore *ConfigStore, configKey, baseURL string, transport http.RoundTripper) (*LoginTokenProvider, error) {
 	username, password, err := configStore.GetCredentialStorePullTokens(configKey)
 	if err != nil {
 		return nil, fmt.Errorf("no pull credentials available: %v", err)
@@ -184,5 +194,5 @@ func NewLoginTokenProviderFromStore(configStore *ConfigStore, configKey, baseURL
 		return nil, fmt.Errorf("empty password found in store")
 	}
 
-	return NewLoginTokenProvider(username, password, baseURL), nil
+	return NewLoginTokenProvider(username, password, baseURL, transport), nil
 }

internal/hubclient/client.go

@@ -44,37 +44,17 @@ type Client struct {
 	maxPageResults int64
 }
 
-type userAgentTransport struct {
-	userAgent string
-	transport http.RoundTripper
-}
-
-func (uat *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	req.Header.Set("User-Agent", uat.userAgent)
-	return uat.transport.RoundTrip(req)
-}
-
 type Config struct {
-	BaseURL          string
-	TokenProvider    TokenProvider
-	UserAgentVersion string
-	MaxPageResults   int64
+	BaseURL        string
+	TokenProvider  TokenProvider
+	Transport      http.RoundTripper
+	MaxPageResults int64
 }
 
 func NewClient(config Config) *Client {
-	version := config.UserAgentVersion
-	if version == "" {
-		version = "dev"
-	}
-
-	userAgentTransport := &userAgentTransport{
-		userAgent: fmt.Sprintf("terraform-provider-docker/%s", version),
-		transport: http.DefaultTransport,
-	}
-
 	baseClient := &http.Client{
 		Timeout:   time.Minute,
-		Transport: userAgentTransport,
+		Transport: config.Transport,
 	}
 	retryClient := retryablehttp.NewClient()
 	retryClient.HTTPClient = baseClient

internal/hubhttp/transport.go

@@ -0,0 +1,44 @@
+/*
+   Copyright 2024 Docker Terraform Provider authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package hubhttp
+
+import (
+	"fmt"
+	"net/http"
+)
+
+type userAgentTransport struct {
+	userAgent string
+	transport http.RoundTripper
+}
+
+func (uat *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("User-Agent", uat.userAgent)
+	return uat.transport.RoundTrip(req)
+}
+
+// NewUserAgentTransport creates a RoundTripper that adds a User-Agent header
+func NewUserAgentTransport(version string) http.RoundTripper {
+	if version == "" {
+		version = "dev"
+	}
+
+	return &userAgentTransport{
+		userAgent: fmt.Sprintf("terraform-provider-docker/%s", version),
+		transport: http.DefaultTransport,
+	}
+}

internal/provider/provider.go

@@ -24,6 +24,7 @@ import (
 
 	"github.com/docker/terraform-provider-docker/internal/auth"
 	"github.com/docker/terraform-provider-docker/internal/hubclient"
+	"github.com/docker/terraform-provider-docker/internal/hubhttp"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 	"github.com/hashicorp/terraform-plugin-framework/function"
@@ -289,6 +290,9 @@ func (p *DockerProvider) Configure(ctx context.Context, req provider.ConfigureRe
 		})
 	}
 
+	// Create a shared transport with user agent
+	sharedTransport := hubhttp.NewUserAgentTransport(p.version)
+
 	// Determine the authentication method
 	var tokenProvider hubclient.TokenProvider
 	var err error
@@ -297,7 +301,7 @@ func (p *DockerProvider) Configure(ctx context.Context, req provider.ConfigureRe
 	// If username and password are provided, use login auth
 	if username != "" && password != "" {
 		tflog.Info(ctx, "Using login authentication from configuration")
-		tokenProvider = auth.NewLoginTokenProvider(username, password, baseURL)
+		tokenProvider = auth.NewLoginTokenProvider(username, password, baseURL, sharedTransport)
 	} else {
 		// Try credential store - prefer access tokens, fallback to pull credentials
 		configfileKey := getConfigfileKey(host)
@@ -307,7 +311,7 @@ func (p *DockerProvider) Configure(ctx context.Context, req provider.ConfigureRe
 		tokenProvider, err = auth.NewAccessTokenProviderFromStore(configStore, configfileKey)
 		if err != nil {
 			// Fallback to pull credentials (username/password or PAT)
-			tokenProvider, err = auth.NewLoginTokenProviderFromStore(configStore, configfileKey, baseURL)
+			tokenProvider, err = auth.NewLoginTokenProviderFromStore(configStore, configfileKey, baseURL, sharedTransport)
 			if err != nil {
 				resp.Diagnostics.AddError("Credential Store Error",
 					fmt.Sprintf("Failed to retrieve valid credentials from the Docker config file: %v", err))
@@ -353,10 +357,10 @@ func (p *DockerProvider) Configure(ctx context.Context, req provider.ConfigureRe
 	tflog.Debug(ctx, "Creating Docker Hub client")
 
 	client := hubclient.NewClient(hubclient.Config{
-		BaseURL:          baseURL,
-		TokenProvider:    tokenProvider,
-		UserAgentVersion: p.version,
-		MaxPageResults:   maxPageResults,
+		BaseURL:        baseURL,
+		TokenProvider:  tokenProvider,
+		Transport:      sharedTransport,
+		MaxPageResults: maxPageResults,
 	})
 
 	resp.DataSourceData = client