feat: Add RBAC authorization integration tests and enhance authentication exception handling

Author: mpartipilo

src/Weaviate.Client.Tests/Integration/TestAuth.cs

@@ -1,10 +1,8 @@
 namespace Weaviate.Client.Tests.Integration;
 
-using System;
 using System.Net.Http;
 using System.Threading.Tasks;
 using Weaviate.Client;
-using Xunit;
 
 public class TestAuth : IntegrationTests
 {
@@ -208,4 +206,21 @@ await client
 
         // TODO Needs a finalized way to inject a logger and check that no warnings were logged
     }
+
+    [Fact]
+    public async Task TestAuthenticationFailure()
+    {
+        string clientSecret = "invalid-secret";
+        Assert.True(await IsAuthEnabled($"localhost:{OKTA_PORT_CC}"));
+
+        await Assert.ThrowsAsync<WeaviateAuthenticationException>(async () =>
+        {
+            await Connect.Local(
+                hostname: "localhost",
+                restPort: OKTA_PORT_CC,
+                credentials: Auth.ClientCredentials(clientSecret, "some_scope"),
+                httpMessageHandler: _httpMessageHandler
+            );
+        });
+    }
 }

src/Weaviate.Client.Tests/Integration/TestRbacAuthorization.cs

@@ -0,0 +1,86 @@
+namespace Weaviate.Client.Tests.Integration;
+
+using System.Linq;
+using Weaviate.Client;
+using Weaviate.Client.Models;
+using Xunit;
+
+/// <summary>
+/// RBAC Groups integration tests (Rest:8092 gRPC:50063). Authorization checks for various operations.
+/// </summary>
+public class TestRbacAuthorization : IntegrationTests
+{
+    public override ushort RestPort => 8092;
+    public override ushort GrpcPort => 50063;
+    private const string ADMIN_API_KEY = "admin-key";
+
+    public override async ValueTask InitializeAsync()
+    {
+        await base.InitializeAsync();
+
+        RequireVersion("1.32.0");
+    }
+
+    public override ICredentials? Credentials => Auth.ApiKey(ADMIN_API_KEY);
+
+    [Fact, Trait("Category", "RBAC")]
+    public async Task TestAuthorizationFailure()
+    {
+        // Generate random names for collection and user
+        var collectionName = $"AuthorizationTest";
+        var userId = Helpers.GenerateUniqueIdentifier("user");
+
+        // Create collection
+        var collectionConfig = new CollectionConfig
+        {
+            Name = collectionName,
+            Properties = new[]
+            {
+                new Property { Name = "name", DataType = new[] { "string" } },
+            },
+        };
+
+        var client = await CollectionFactory<object>(collectionConfig);
+
+        // Create a role with only read permission for this collection
+        var readOnlyRole = await _weaviate.Roles.Create(
+            "read-only-role",
+            [
+                new Permissions.Collections(collectionName) { Read = true },
+                new Permissions.Data(collectionName, null, null) { Read = true },
+            ],
+            TestContext.Current.CancellationToken
+        );
+
+        // Create a user and assign the read-only role
+        var apiKey = await _weaviate.Users.Db.Create(
+            userId,
+            cancellationToken: TestContext.Current.CancellationToken
+        );
+        await _weaviate.Users.Db.AssignRoles(
+            userId,
+            new[] { readOnlyRole.Name },
+            cancellationToken: TestContext.Current.CancellationToken
+        );
+
+        // Create a new client with the user's API key
+        var userClient = await new WeaviateClientBuilder()
+            .WithRestEndpoint("localhost")
+            .WithRestPort(RestPort)
+            .WithGrpcEndpoint("localhost")
+            .WithGrpcPort(GrpcPort)
+            .WithCredentials(Auth.ApiKey(apiKey))
+            .BuildAsync();
+
+        var userCollection = userClient.Collections.Use(collectionName);
+
+        // Try to insert data and assert that authorization exception is thrown
+        await Assert.ThrowsAsync<WeaviateAuthorizationException>(async () =>
+        {
+            await userCollection.Data.Insert(
+                new { name = "should fail" },
+                cancellationToken: TestContext.Current.CancellationToken
+            );
+        });
+    }
+}

src/Weaviate.Client.Tests/Unit/TestTypedDataClient.cs

@@ -61,6 +61,7 @@ public async Task Insert_WithValidData_CallsUnderlyingDataClient()
         // Actual insertion would require a mock/fake HTTP client
         // For now, we just verify the method signature is correct
         Assert.NotNull(typedDataClient);
+        await Task.CompletedTask;
     }
 
     [Fact]
@@ -91,6 +92,7 @@ public async Task InsertMany_WithEnumerableOfT_AcceptsCorrectType()
         // Verify the method accepts IEnumerable<T>
         Assert.NotNull(typedDataClient);
         Assert.Equal(2, articles.Count);
+        await Task.CompletedTask;
     }
 
     [Fact]
@@ -111,6 +113,7 @@ public async Task InsertMany_WithTuplesOfDataAndId_AcceptsCorrectType()
         // Verify the method accepts tuples of (T, Guid)
         Assert.NotNull(typedDataClient);
         Assert.Equal(2, requests.Count);
+        await Task.CompletedTask;
     }
 
     [Fact]
@@ -131,6 +134,7 @@ public async Task InsertMany_WithTuplesOfDataAndVectors_AcceptsCorrectType()
         // Verify the method accepts tuples of (T, Vectors)
         Assert.NotNull(typedDataClient);
         Assert.Single(requests);
+        await Task.CompletedTask;
     }
 
     [Fact]
@@ -154,6 +158,7 @@ public async Task InsertMany_WithTuplesOfDataAndReferences_AcceptsCorrectType()
         // Verify the method accepts tuples of (T, IEnumerable<ObjectReference>)
         Assert.NotNull(typedDataClient);
         Assert.Single(requests);
+        await Task.CompletedTask;
     }
 
     [Fact]

src/Weaviate.Client.Tests/Unit/TimeoutEdgeCaseTests.cs

@@ -247,6 +247,7 @@ public async Task ZeroTimeout_ClearsContext()
         // Assert - Context should be cleared
         Assert.Null(TimeoutHelper.GetTimeout());
         Assert.Null(TimeoutHelper.GetOperation());
+        await Task.CompletedTask;
     }
 
     [Fact]
@@ -298,6 +299,7 @@ public async Task RapidSequentialTimeouts_EachMaintainsOwnContext()
             Assert.Equal(TimeSpan.FromMilliseconds(10 + i * 5), results[i].timeout);
             Assert.Equal($"Rapid {i}", results[i].operation);
         }
+        await Task.CompletedTask;
     }
 
     [Fact]

src/Weaviate.Client/OIDC.cs

@@ -175,7 +175,7 @@ private async Task AuthenticateAsync()
                 tokenResponse.Error,
                 tokenResponse.ErrorDescription
             );
-            throw new AuthenticationException(
+            throw new WeaviateAuthenticationException(
                 $"OAuth authentication failed: {tokenResponse.Error}"
             );
         }