fixup! fixup! fixup! MultiBackendJobManager: refresh bearer before _JobStartTask #817

soxofaan · soxofaan · commit 15e72464272a · 2025-10-15T15:09:16.000+02:00
diff --git a/openeo/rest/auth/testing.py b/openeo/rest/auth/testing.py
@@ -143,6 +143,11 @@ def token_callback_resource_owner_password_credentials(self, params: dict, conte
         assert params["scope"] == self.expected_fields["scope"]
         return self._build_token_response()
 
+    def token_callback_block_400(self, params: dict, context):
+        """Failing callback with 400 Bad Request"""
+        context.status_code = 400
+        return "block_400"
+
     def device_code_callback(self, request: requests_mock.request._RequestObjectProxy, context):
         params = self._get_query_params(query=request.text)
         assert params["client_id"] == self.expected_client_id
diff --git a/tests/rest/test_connection.py b/tests/rest/test_connection.py
@@ -2365,30 +2365,31 @@ def test_authenticate_oidc_auto_renew_expired_access_token_initial_client_creden
     requests_mock.get(API_URL, json={"api_version": "1.0.0"})
     client_id = "myclient"
     client_secret = "$3cr3t"
-    issuer = "https://oidc.test"
+    oidc_issuer = "https://oidc.test"
     requests_mock.get(
         API_URL + "credentials/oidc",
-        json={"providers": [{"id": "oi", "issuer": issuer, "title": "example", "scopes": ["openid"]}]},
+        json={"providers": [{"id": "oi", "issuer": oidc_issuer, "title": "example", "scopes": ["openid"]}]},
     )
     oidc_mock = OidcMock(
         requests_mock=requests_mock,
         expected_grant_type="client_credentials",
         expected_client_id=client_id,
         expected_fields={"client_secret": client_secret, "scope": "openid"},
-        oidc_issuer=issuer,
+        oidc_issuer=oidc_issuer,
     )
 
     _setup_get_me_handler(
         requests_mock=requests_mock, oidc_mock=oidc_mock, token_invalid_status_code=token_invalid_status_code
     )
     caplog.set_level(logging.INFO)
 
-    # Explicit authentication with `authenticate_oidc_refresh_token`
+    # Initial authentication with `authenticate_oidc_client_credentials`
     conn = Connection(API_URL, refresh_token_store=refresh_token_store)
     assert isinstance(conn.auth, NullAuth)
     conn.authenticate_oidc_client_credentials(client_id=client_id, client_secret=client_secret)
     assert isinstance(conn.auth, BearerAuth)
     assert conn.auth.bearer == "oidc/oi/" + oidc_mock.state["access_token"]
+
     # Just one "client_credentials" auth request so far
     assert [h["grant_type"] for h in oidc_mock.grant_request_history] == ["client_credentials"]
     access_token1 = oidc_mock.state["access_token"]
@@ -2460,7 +2461,7 @@ def test_authenticate_oidc_auto_renew_expired_access_token_initial_client_creden
     )
     caplog.set_level(logging.INFO)
 
-    # Explicit authentication with `authenticate_oidc_refresh_token`
+    # Initial authentication with `authenticate_oidc_client_credentials`
     conn = Connection(API_URL, refresh_token_store=refresh_token_store)
     assert isinstance(conn.auth, NullAuth)
     conn.authenticate_oidc_client_credentials(client_id=client_id, client_secret=client_secret)
@@ -2477,9 +2478,9 @@ def test_authenticate_oidc_auto_renew_expired_access_token_initial_client_creden
         "_used_access_token": access_token1,
     }
 
-    # Expire access token don't accept client credentials anymore
+    # Expire access token, and don't accept client credentials anymore
     oidc_mock.invalidate_access_token()
-    requests_mock.post(oidc_mock.token_endpoint, status_code=401, text="nope")
+    oidc_mock.token_callback_client_credentials = oidc_mock.token_callback_block_400
     # Do request that requires auth headers and might trigger re-authentication
     assert f"{token_invalid_status_code} TokenInvalid" not in caplog.text
     with pytest.raises(
@@ -2508,16 +2509,7 @@ def test_try_access_token_refresh_initial_refresh_token(
     oidc_issuer = "https://oidc.test"
     requests_mock.get(
         API_URL + "credentials/oidc",
-        json={
-            "providers": [
-                {
-                    "id": "oi",
-                    "issuer": oidc_issuer,
-                    "title": "example",
-                    "scopes": ["openid"],
-                }
-            ]
-        },
+        json={"providers": [{"id": "oi", "issuer": oidc_issuer, "title": "example", "scopes": ["openid"]}]},
     )
     oidc_mock = OidcMock(
         requests_mock=requests_mock,
@@ -2593,16 +2585,7 @@ def test_try_access_token_refresh_initial_device_code(
     oidc_issuer = "https://oidc.test"
     requests_mock.get(
         API_URL + "credentials/oidc",
-        json={
-            "providers": [
-                {
-                    "id": "oi",
-                    "issuer": oidc_issuer,
-                    "title": "example",
-                    "scopes": ["openid"],
-                }
-            ]
-        },
+        json={"providers": [{"id": "oi", "issuer": oidc_issuer, "title": "example", "scopes": ["openid"]}]},
     )
     oidc_mock = OidcMock(
         requests_mock=requests_mock,
@@ -2680,6 +2663,88 @@ def test_try_access_token_refresh_initial_device_code(
     }
 
 
+@pytest.mark.parametrize(
+    ["block_token_endpoint", "expect_refresh"],
+    [
+        (False, True),
+        (True, False),
+    ],
+)
+def test_try_access_token_refresh_initial_client_credentials(
+    requests_mock, refresh_token_store, caplog, block_token_endpoint, expect_refresh, oidc_device_code_flow_checker
+):
+    requests_mock.get(API_URL, json={"api_version": "1.0.0"})
+    client_id = "myclient"
+    client_secret = "$3cr3t"
+    oidc_issuer = "https://oidc.test"
+    requests_mock.get(
+        API_URL + "credentials/oidc",
+        json={"providers": [{"id": "oi", "issuer": oidc_issuer, "title": "example", "scopes": ["openid"]}]},
+    )
+    oidc_mock = OidcMock(
+        requests_mock=requests_mock,
+        expected_grant_type="client_credentials",
+        expected_client_id=client_id,
+        expected_fields={"client_secret": client_secret, "scope": "openid"},
+        oidc_issuer=oidc_issuer,
+    )
+    _setup_get_me_handler(requests_mock=requests_mock, oidc_mock=oidc_mock)
+    caplog.set_level(logging.WARNING)
+
+    # Initial authentication with `authenticate_oidc_client_credentials`
+    conn = Connection(API_URL, refresh_token_store=refresh_token_store)
+    assert isinstance(conn.auth, NullAuth)
+    conn.authenticate_oidc_client_credentials(client_id=client_id, client_secret=client_secret)
+    assert isinstance(conn.auth, BearerAuth) and conn.auth.bearer == "oidc/oi/" + oidc_mock.state["access_token"]
+
+    # Just one "refresh_token" auth request so far
+    assert [h["grant_type"] for h in oidc_mock.grant_request_history] == [
+        "client_credentials",
+    ]
+    access_token1 = oidc_mock.state["access_token"]
+
+    # Do request that requires auth headers
+    assert conn.describe_account() == {
+        "user_id": "john",
+        "_used_oidc_provider": "oi",
+        "_used_access_token": access_token1,
+    }
+
+    # Prepare for refresh attempt
+    if block_token_endpoint:
+        oidc_mock.token_callback_client_credentials = oidc_mock.token_callback_block_400
+
+    # Trigger refresh
+    refreshed = conn.try_access_token_refresh(reason="Can I Haz Fresh")
+
+    # Two "refresh_token" auth request attempts should have happened now
+    assert [h["grant_type"] for h in oidc_mock.grant_request_history] == [
+        "client_credentials",
+        "client_credentials",
+    ]
+    access_token2 = oidc_mock.state["access_token"]
+
+    if expect_refresh:
+        assert refreshed == True
+        assert access_token2 != access_token1
+        assert caplog.messages == []
+    else:
+        assert refreshed == False
+        assert access_token2 == access_token1
+        assert caplog.messages == [
+            dirty_equals.IsStr(
+                regex="Failed to obtain new access token.*grant 'client_credentials'.*block_400.*Reason: Can I Haz Fresh"
+            )
+        ]
+
+    # New request with fresh token?
+    assert conn.describe_account() == {
+        "user_id": "john",
+        "_used_oidc_provider": "oi",
+        "_used_access_token": access_token2,
+    }
+
+
 class TestAuthenticateOidcAccessToken:
     @pytest.fixture(autouse=True)
     def _setup(self, requests_mock):
