improve u2m flow testing by refactoring

Author: tejaskochar-db

config/auth_u2m.go

@@ -12,12 +12,18 @@ import (
 	"golang.org/x/oauth2"
 )
 
+// PersistentAuthFactory is a function that creates a token source for U2M
+// authentication. It can be replaced in tests to spy on the options passed.
+type PersistentAuthFactory func(ctx context.Context, opts ...u2m.PersistentAuthOption) (oauth2.TokenSource, error)
+
 // u2mCredentials is a credentials strategy that uses the U2M OAuth flow to
 // authenticate with Databricks. It loads a token from the token cache for the
 // given workspace or account, refreshing it using the associated refresh token
 // if needed.
 type u2mCredentials struct {
-	testTokenSource oauth2.TokenSource // replace u2m token source
+	// newPersistentAuth is the factory function to create a PersistentAuth.
+	// If nil, the default u2m.NewPersistentAuth is used.
+	newPersistentAuth PersistentAuthFactory
 }
 
 // Name implements CredentialsStrategy.
@@ -38,20 +44,21 @@ func (u u2mCredentials) Configure(ctx context.Context, cfg *Config) (credentials
 		return nil, err
 	}
 
-	var ts oauth2.TokenSource
-	if u.testTokenSource != nil {
-		ts = u.testTokenSource
-	} else {
-		ts, err = u2m.NewPersistentAuth(ctx,
-			u2m.WithOAuthArgument(arg),
-			u2m.WithPort(cfg.OAuthCallbackPort),
-			u2m.WithScopes(cfg.GetScopes()),
-			u2m.WithDisableOfflineAccess(cfg.DisableOAuthRefreshToken),
-		)
-		if err != nil {
-			return nil, err
+	factory := u.newPersistentAuth
+	if factory == nil {
+		factory = func(ctx context.Context, opts ...u2m.PersistentAuthOption) (oauth2.TokenSource, error) {
+			return u2m.NewPersistentAuth(ctx, opts...)
 		}
 	}
+	ts, err := factory(ctx,
+		u2m.WithOAuthArgument(arg),
+		u2m.WithPort(cfg.OAuthCallbackPort),
+		u2m.WithScopes(cfg.GetScopes()),
+		u2m.WithDisableOfflineAccess(cfg.DisableOAuthRefreshToken),
+	)
+	if err != nil {
+		return nil, err
+	}
 
 	// TODO: Having to handle the CLI error here is not ideal as it couples the
 	// SDK logic with the CLI's. Remove this wrapping logic as soon as the CLI

config/auth_u2m_test.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"sort"
 	"strings"
 	"testing"
 	"time"
@@ -53,14 +54,50 @@ var (
 	errInvalidRefreshToken = &u2m.InvalidRefreshTokenError{}
 )
 
+// mockPersistentAuthFactory returns a PersistentAuthFactory that returns ts.
+func mockPersistentAuthFactory(ts oauth2.TokenSource) PersistentAuthFactory {
+	return func(ctx context.Context, opts ...u2m.PersistentAuthOption) (oauth2.TokenSource, error) {
+		return ts, nil
+	}
+}
+
+// capturingPersistentAuthFactory returns a PersistentAuthFactory that applies
+// options to a real PersistentAuth and calls onCapture, allowing tests to spy
+// on the options passed. It returns ts for token operations.
+func capturingPersistentAuthFactory(ts oauth2.TokenSource, onCapture func(*u2m.PersistentAuth)) PersistentAuthFactory {
+	return func(ctx context.Context, opts ...u2m.PersistentAuthOption) (oauth2.TokenSource, error) {
+		pa, err := u2m.NewPersistentAuth(ctx, opts...)
+		if err != nil {
+			return nil, err
+		}
+		if onCapture != nil {
+			onCapture(pa)
+		}
+		return ts, nil
+	}
+}
+
+// equalStringSlices compares two string slices for equality.
+func equalStringSlices(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
 func TestU2MCredentials_Configure(t *testing.T) {
 	testCases := []struct {
-		desc            string
-		cfg             *Config
-		testTokenSource *testTokenSource
-		wantConfigErr   string // error message from Configure()
-		wantHeaderErr   string // error message from SetHeaders()
-		wantAuthHeader  string // expected Authorization header
+		desc           string
+		cfg            *Config
+		tokenSource    *testTokenSource
+		wantConfigErr  string // error message from Configure()
+		wantHeaderErr  string // error message from SetHeaders()
+		wantAuthHeader string // expected Authorization header
 	}{
 		{
 			desc: "missing host returns error",
@@ -74,7 +111,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 			cfg: &Config{
 				Host: "https://workspace.cloud.databricks.com",
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				token: testValidToken,
 			},
 			wantAuthHeader: "Bearer valid-access-token",
@@ -85,7 +122,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 				Host:      "https://accounts.cloud.databricks.com",
 				AccountID: "abc-123",
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				token: testValidToken,
 			},
 			wantAuthHeader: "Bearer valid-access-token",
@@ -95,7 +132,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 			cfg: &Config{
 				Host: "https://workspace.cloud.databricks.com",
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				token: testExpiredToken,
 			},
 			wantAuthHeader: "Bearer expired-access-token",
@@ -105,7 +142,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 			cfg: &Config{
 				Host: "https://workspace.cloud.databricks.com",
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: errNetwork,
 			},
 			wantHeaderErr: "network timeout",
@@ -115,7 +152,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 			cfg: &Config{
 				Host: "https://workspace.cloud.databricks.com",
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: errAuthentication,
 			},
 			wantHeaderErr: "authentication failed",
@@ -127,7 +164,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 				Profile:  "my-workspace",
 				resolved: true,
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: errInvalidRefreshToken,
 			},
 			wantHeaderErr: "databricks auth login --profile my-workspace",
@@ -138,7 +175,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 				Host:     "https://workspace.cloud.databricks.com",
 				resolved: true,
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: errInvalidRefreshToken,
 			},
 			wantHeaderErr: "databricks auth login --host https://workspace.cloud.databricks.com",
@@ -151,7 +188,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 				Profile:   "prod-account",
 				resolved:  true,
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: errInvalidRefreshToken,
 			},
 			wantHeaderErr: "databricks auth login --profile prod-account",
@@ -163,7 +200,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 				AccountID: "abc-123",
 				resolved:  true,
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: errInvalidRefreshToken,
 			},
 			wantHeaderErr: "databricks auth login --host https://accounts.cloud.databricks.com --account-id abc-123",
@@ -175,7 +212,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 				Profile:  "test",
 				resolved: true,
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: fmt.Errorf("oauth2: %w", errInvalidRefreshToken),
 			},
 			wantHeaderErr: "databricks auth login --profile test",
@@ -187,7 +224,7 @@ func TestU2MCredentials_Configure(t *testing.T) {
 				AccountID: "abc-456",
 				resolved:  true,
 			},
-			testTokenSource: &testTokenSource{
+			tokenSource: &testTokenSource{
 				err: errInvalidRefreshToken,
 			},
 			wantHeaderErr: "databricks auth login --host https://accounts.azure.databricks.net --account-id abc-456",
@@ -197,7 +234,9 @@ func TestU2MCredentials_Configure(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
 			ctx := context.Background()
-			u := u2mCredentials{testTokenSource: tc.testTokenSource}
+			u := u2mCredentials{
+				newPersistentAuth: mockPersistentAuthFactory(tc.tokenSource),
+			}
 
 			cp, gotConfigErr := u.Configure(ctx, tc.cfg)
 
@@ -238,7 +277,9 @@ func TestU2MCredentials_Configure(t *testing.T) {
 func TestU2MCredentials_Configure_TokenCaching(t *testing.T) {
 	ts := &testTokenSource{token: testValidToken}
 
-	u := u2mCredentials{testTokenSource: ts}
+	u := u2mCredentials{
+		newPersistentAuth: mockPersistentAuthFactory(ts),
+	}
 	cfg := &Config{
 		Host: "https://workspace.cloud.databricks.com",
 	}
@@ -261,3 +302,54 @@ func TestU2MCredentials_Configure_TokenCaching(t *testing.T) {
 		t.Errorf("token source call count = %d, want 1 (should use cache)", ts.counts)
 	}
 }
+
+func TestU2MCredentials_Configure_DefaultScopes(t *testing.T) {
+	ts := &testTokenSource{token: testValidToken}
+	var capturedScopes []string
+
+	u := u2mCredentials{
+		newPersistentAuth: capturingPersistentAuthFactory(ts, func(pa *u2m.PersistentAuth) {
+			capturedScopes = pa.GetScopes()
+		}),
+	}
+	cfg := &Config{
+		Host: "https://workspace.cloud.databricks.com",
+	}
+
+	_, err := u.Configure(context.Background(), cfg)
+	if err != nil {
+		t.Fatalf("Configure() error = %v", err)
+	}
+
+	expectedScopes := []string{"all-apis"}
+	if !equalStringSlices(capturedScopes, expectedScopes) {
+		t.Errorf("scopes = %v, want %v", capturedScopes, expectedScopes)
+	}
+}
+
+func TestU2MCredentials_Configure_CustomScopes(t *testing.T) {
+	ts := &testTokenSource{token: testValidToken}
+	var capturedScopes []string
+
+	u := u2mCredentials{
+		newPersistentAuth: capturingPersistentAuthFactory(ts, func(pa *u2m.PersistentAuth) {
+			capturedScopes = pa.GetScopes()
+		}),
+	}
+	cfg := &Config{
+		Host:   "https://workspace.cloud.databricks.com",
+		Scopes: []string{"sql", "clusters"},
+	}
+
+	_, err := u.Configure(context.Background(), cfg)
+	if err != nil {
+		t.Fatalf("Configure() error = %v", err)
+	}
+
+	// Scopes are sorted during config resolution.
+	expectedScopes := []string{"clusters", "sql"}
+	sort.Strings(capturedScopes)
+	if !equalStringSlices(capturedScopes, expectedScopes) {
+		t.Errorf("scopes = %v, want %v", capturedScopes, expectedScopes)
+	}
+}

credentials/u2m/persistent_auth.go

@@ -158,6 +158,11 @@ func WithDisableOfflineAccess(disable bool) PersistentAuthOption {
 	}
 }
 
+// GetScopes returns the OAuth scopes configured for this PersistentAuth.
+func (a *PersistentAuth) GetScopes() []string {
+	return a.scopes
+}
+
 // NewPersistentAuth creates a new PersistentAuth with the provided options.
 func NewPersistentAuth(ctx context.Context, opts ...PersistentAuthOption) (*PersistentAuth, error) {
 	p := &PersistentAuth{}