|
15 | 15 | ShinyappsServer, |
16 | 16 | ShinyappsService, |
17 | 17 | SPCSConnectServer, |
| 18 | + verify_api_key, |
18 | 19 | ) |
19 | 20 | from rsconnect.exception import DeploymentFailedException, RSConnectException |
20 | 21 |
|
@@ -99,6 +100,100 @@ def test_client_system_caches_runtime_list(self): |
99 | 100 | result = ce.runtime_caches |
100 | 101 | self.assertDictEqual(result, mocked_response) |
101 | 102 |
|
| 103 | + @httpretty.activate(verbose=True, allow_net_connect=False) |
| 104 | + def test_verify_api_key_user(self): |
| 105 | + ce = RSConnectExecutor(None, None, "http://test-server/", "api_key") |
| 106 | + httpretty.register_uri( |
| 107 | + httpretty.GET, |
| 108 | + "http://test-server/__api__/v1/user", |
| 109 | + body=json.dumps({"username": "alice"}), |
| 110 | + status=200, |
| 111 | + forcing_headers={"Content-Type": "application/json"}, |
| 112 | + ) |
| 113 | + # Returns the executor without raising for a regular user. |
| 114 | + self.assertIs(ce.verify_api_key(), ce) |
| 115 | + |
| 116 | + @httpretty.activate(verbose=True, allow_net_connect=False) |
| 117 | + def test_verify_api_key_service_principal(self): |
| 118 | + # A service principal (e.g. for trusted publishing) authenticates but is not a |
| 119 | + # user, so v1/user returns 403 / code 22. The credential is still valid, so |
| 120 | + # verification should succeed instead of raising. |
| 121 | + ce = RSConnectExecutor(None, None, "http://test-server/", "api_key") |
| 122 | + httpretty.register_uri( |
| 123 | + httpretty.GET, |
| 124 | + "http://test-server/__api__/v1/user", |
| 125 | + body=json.dumps({"code": 22, "error": "You don't have permission to perform this operation."}), |
| 126 | + status=403, |
| 127 | + forcing_headers={"Content-Type": "application/json"}, |
| 128 | + ) |
| 129 | + self.assertIs(ce.verify_api_key(), ce) |
| 130 | + |
| 131 | + @httpretty.activate(verbose=True, allow_net_connect=False) |
| 132 | + def test_verify_api_key_invalid(self): |
| 133 | + ce = RSConnectExecutor(None, None, "http://test-server/", "api_key") |
| 134 | + httpretty.register_uri( |
| 135 | + httpretty.GET, |
| 136 | + "http://test-server/__api__/v1/user", |
| 137 | + body=json.dumps({"code": 30, "error": "Invalid login."}), |
| 138 | + status=401, |
| 139 | + forcing_headers={"Content-Type": "application/json"}, |
| 140 | + ) |
| 141 | + with self.assertRaises(RSConnectException) as cm: |
| 142 | + ce.verify_api_key() |
| 143 | + self.assertIn("not valid", str(cm.exception)) |
| 144 | + |
| 145 | + def test_verify_api_key_connection_error(self): |
| 146 | + # A transport-layer failure yields an HTTPResponse with no status/reason, only |
| 147 | + # an exception. Verification should surface a clean RSConnectException rather |
| 148 | + # than an AttributeError from reading the missing status. |
| 149 | + from rsconnect.http_support import HTTPResponse |
| 150 | + |
| 151 | + ce = RSConnectExecutor(None, None, "http://test-server/", "api_key") |
| 152 | + failed_response = HTTPResponse("http://test-server/__api__/v1/user", exception=OSError("connection refused")) |
| 153 | + with patch.object(RSConnectClient, "get", return_value=failed_response): |
| 154 | + with self.assertRaises(RSConnectException) as cm: |
| 155 | + ce.verify_api_key() |
| 156 | + self.assertIn("connection refused", str(cm.exception)) |
| 157 | + |
| 158 | + # The deprecated module-level verify_api_key() is reached via actions.test_api_key() |
| 159 | + # during `rsconnect add`, so it must accept the same credentials as the executor path. |
| 160 | + @httpretty.activate(verbose=True, allow_net_connect=False) |
| 161 | + def test_module_verify_api_key_user(self): |
| 162 | + httpretty.register_uri( |
| 163 | + httpretty.GET, |
| 164 | + "http://test-server/__api__/v1/user", |
| 165 | + body=json.dumps({"username": "alice"}), |
| 166 | + status=200, |
| 167 | + forcing_headers={"Content-Type": "application/json"}, |
| 168 | + ) |
| 169 | + self.assertEqual(verify_api_key(RSConnectServer("http://test-server", "api_key")), "alice") |
| 170 | + |
| 171 | + @httpretty.activate(verbose=True, allow_net_connect=False) |
| 172 | + def test_module_verify_api_key_service_principal(self): |
| 173 | + # A service principal authenticates but is not a user (403 / code 22); the |
| 174 | + # credential is valid, so this returns an empty username instead of raising. |
| 175 | + httpretty.register_uri( |
| 176 | + httpretty.GET, |
| 177 | + "http://test-server/__api__/v1/user", |
| 178 | + body=json.dumps({"code": 22, "error": "You don't have permission to perform this operation."}), |
| 179 | + status=403, |
| 180 | + forcing_headers={"Content-Type": "application/json"}, |
| 181 | + ) |
| 182 | + self.assertEqual(verify_api_key(RSConnectServer("http://test-server", "api_key")), "") |
| 183 | + |
| 184 | + @httpretty.activate(verbose=True, allow_net_connect=False) |
| 185 | + def test_module_verify_api_key_invalid(self): |
| 186 | + httpretty.register_uri( |
| 187 | + httpretty.GET, |
| 188 | + "http://test-server/__api__/v1/user", |
| 189 | + body=json.dumps({"code": 30, "error": "Invalid login."}), |
| 190 | + status=401, |
| 191 | + forcing_headers={"Content-Type": "application/json"}, |
| 192 | + ) |
| 193 | + with self.assertRaises(RSConnectException) as cm: |
| 194 | + verify_api_key(RSConnectServer("http://test-server", "api_key")) |
| 195 | + self.assertIn("not valid", str(cm.exception)) |
| 196 | + |
102 | 197 | # RSConnectExecutor.delete_runtime_cache() dry run returns expected request |
103 | 198 | # RSConnectExecutor.delete_runtime_cache() dry run prints expected messages |
104 | 199 | @httpretty.activate(verbose=True, allow_net_connect=False) |
|
0 commit comments