Add end-to-end OAuth tests (M2M and U2M)\n\nTask ID: task-4.3-end-to-end-tests

Author: vikrantpuppala

rust/CLAUDE.md

@@ -174,6 +174,7 @@ All files must have Apache 2.0 license headers:
 - Unit tests go in `#[cfg(test)] mod tests { }` at the bottom of each file
 - Integration tests go in `tests/` directory
 - Test names: `test_<function>_<scenario>`
+- E2E tests that require real Databricks connection should be marked with `#[ignore]`
 
 ### Error Handling
 

rust/docs/designs/oauth-u2m-m2m-design.md

@@ -726,8 +726,27 @@ Tests in `client/http.rs` `#[cfg(test)]` verifying the `OnceLock`-based auth pro
 
 ### End-to-End Tests
 
-- `test_m2m_end_to_end` -- real Databricks workspace with service principal credentials (requires env vars, `#[ignore]` by default)
-- `test_u2m_end_to_end` -- manual test only (`#[ignore]`), requires interactive browser
+End-to-end tests in `tests/oauth_e2e.rs` verify the complete OAuth implementation against real Databricks workspaces:
+
+**M2M (Service Principal) Test:**
+- `test_m2m_end_to_end` -- Connects to real Databricks workspace using service principal credentials
+- Requires environment variables: `DATABRICKS_HOST`, `DATABRICKS_CLIENT_ID`, `DATABRICKS_CLIENT_SECRET`, `DATABRICKS_WAREHOUSE_ID`
+- Marked with `#[ignore]` to prevent running in CI by default
+- Verifies: (1) Database config with mechanism=11, flow=1, (2) OIDC discovery, (3) Client credentials token exchange, (4) Connection creation, (5) Query execution (SELECT 1), (6) Result validation
+- Run with: `cargo test --test oauth_e2e test_m2m_end_to_end -- --ignored --nocapture`
+
+**U2M (Browser-Based) Test:**
+- `test_u2m_end_to_end` -- Manual test requiring interactive browser authentication
+- Requires environment variables: `DATABRICKS_HOST`, `DATABRICKS_WAREHOUSE_ID`, `DATABRICKS_CLIENT_ID` (optional, defaults to "databricks-cli")
+- Always marked with `#[ignore]` (manual test only)
+- Verifies: (1) Database config with mechanism=11, flow=2, (2) OIDC discovery, (3) Token cache check, (4) Browser launch (if needed), (5) Authorization code exchange, (6) Connection creation, (7) Query execution (SELECT 1), (8) Result validation, (9) Token caching to disk
+- Run with: `cargo test --test oauth_e2e test_u2m_end_to_end -- --ignored --nocapture`
+- Note: Will launch default web browser for user to complete authentication
+
+**Configuration Validation Test:**
+- `test_oauth_config_validation` -- Verifies proper error messages for missing/invalid OAuth configuration
+- Runs in standard test suite (not ignored)
+- Tests: missing auth.flow when mechanism=OAuth, missing client_secret for M2M, invalid mechanism/flow values
 
 ---
 

rust/src/auth/oauth/m2m.rs

@@ -188,7 +188,8 @@ impl ClientCredentialsProvider {
         token_endpoint_override: Option<String>,
     ) -> Result<Self> {
         // Discover OIDC endpoints or use override
-        let (token_endpoint, auth_endpoint) = if let Some(token_endpoint) = token_endpoint_override {
+        let (token_endpoint, auth_endpoint) = if let Some(token_endpoint) = token_endpoint_override
+        {
             // Use override for token endpoint, still discover auth endpoint
             // (auth endpoint is not typically overridden for M2M since it's not used)
             let endpoints = OidcEndpoints::discover(host, &http_client).await?;

rust/src/database.rs

@@ -554,25 +554,34 @@ impl adbc_core::Database for Database {
                     }
                     AuthFlow::ClientCredentials => {
                         // Client credentials flow (M2M) - create ClientCredentialsProvider
-                        let client_id = self.auth_client_id.as_ref()
+                        let client_id = self
+                            .auth_config
+                            .client_id
+                            .as_ref()
                             .expect("client_id should be validated above");
-                        let client_secret = self.auth_client_secret.as_ref()
+                        let client_secret = self
+                            .auth_config
+                            .client_secret
+                            .as_ref()
                             .expect("client_secret should be validated above");
 
                         // Default scope for M2M is "all-apis" (no offline_access since M2M has no refresh token)
-                        let scopes_str = self.auth_scopes.as_deref().unwrap_or("all-apis");
-                        let scopes: Vec<String> = scopes_str.split_whitespace().map(String::from).collect();
+                        let scopes_str = self.auth_config.scopes.as_deref().unwrap_or("all-apis");
+                        let scopes: Vec<String> =
+                            scopes_str.split_whitespace().map(String::from).collect();
 
                         // Create the provider (async operation - needs runtime)
                         let provider = runtime
-                            .block_on(crate::auth::ClientCredentialsProvider::new_with_full_config(
-                                host,
-                                client_id,
-                                client_secret,
-                                http_client.clone(),
-                                scopes,
-                                self.auth_token_endpoint.clone(),
-                            ))
+                            .block_on(
+                                crate::auth::ClientCredentialsProvider::new_with_full_config(
+                                    host,
+                                    client_id,
+                                    client_secret,
+                                    http_client.clone(),
+                                    scopes,
+                                    self.auth_config.token_endpoint.clone(),
+                                ),
+                            )
                             .map_err(|e| e.to_adbc())?;
 
                         Arc::new(provider)
@@ -1572,10 +1581,13 @@ mod tests {
         .unwrap();
 
         // Verify config is stored correctly
-        assert_eq!(db.auth_mechanism, Some(AuthMechanism::OAuth));
-        assert_eq!(db.auth_flow, Some(AuthFlow::ClientCredentials));
-        assert_eq!(db.auth_client_id, Some("test-client-id".to_string()));
-        assert_eq!(db.auth_client_secret, Some("test-secret".to_string()));
+        assert_eq!(db.auth_config.mechanism, Some(AuthMechanism::OAuth));
+        assert_eq!(db.auth_config.flow, Some(AuthFlow::ClientCredentials));
+        assert_eq!(db.auth_config.client_id, Some("test-client-id".to_string()));
+        assert_eq!(
+            db.auth_config.client_secret,
+            Some("test-secret".to_string())
+        );
     }
 
     #[test]
@@ -1620,7 +1632,7 @@ mod tests {
 
         // Verify custom scopes are stored
         assert_eq!(
-            db.auth_scopes,
+            db.auth_config.scopes,
             Some("custom-scope-1 custom-scope-2".to_string())
         );
     }
@@ -1667,7 +1679,7 @@ mod tests {
 
         // Verify token_endpoint override is stored
         assert_eq!(
-            db.auth_token_endpoint,
+            db.auth_config.token_endpoint,
             Some("https://custom.endpoint/token".to_string())
         );
     }