test: parameterize REST catalog env-var auth tests for google/entra scopes and edge cases

Gayathri Srividya Rajavarapu · Gayathri Srividya Rajavarapu · commit ff875816566b · 2026-05-29T17:12:07.000+05:30
diff --git a/tests/catalog/test_rest.py b/tests/catalog/test_rest.py
@@ -3285,33 +3285,105 @@ def test_rest_catalog_with_basic_auth_flat_properties(rest_mock: Mocker) -> None
     assert rest_mock.last_request.headers["Authorization"] == expected_auth_header
 
 
-def test_rest_catalog_with_oauth2_auth_flat_properties(requests_mock: Mocker) -> None:
-    """OAuth2 auth configured via flattened env-var properties should work correctly.
 
-    PYICEBERG_CATALOG__<NAME>__AUTH__OAUTH2__CLIENT_ID maps to 'auth.oauth2.client-id'.
-    The dash is normalised to an underscore ('client_id') when forwarding to OAuth2AuthManager.
-    """
-    requests_mock.post(
-        f"{TEST_URI}oauth2/token",
-        json={
-            "access_token": "MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
-            "token_type": "Bearer",
-            "expires_in": 3600,
-        },
-        status_code=200,
-    )
-    requests_mock.get(
-        f"{TEST_URI}v1/config",
-        json={"defaults": {}, "overrides": {}},
-        status_code=200,
-    )
-    catalog_properties = {
-        "uri": TEST_URI,
-        # Flat properties as produced by the env-var config parser (note: kebab-case keys)
-        "auth.type": "oauth2",
-        "auth.oauth2.client-id": "some_client_id",
-        "auth.oauth2.client-secret": "some_client_secret",
-        "auth.oauth2.token-url": f"{TEST_URI}oauth2/token",
-    }
-    catalog = RestCatalog("rest", **catalog_properties)
-    assert catalog.uri == TEST_URI
+import pytest
+
+@pytest.mark.parametrize(
+    "catalog_properties, token_response, expected_scopes",
+    [
+        # OAuth2 with string scope
+        (
+            {
+                "uri": TEST_URI,
+                "auth.type": "oauth2",
+                "auth.oauth2.client-id": "some_client_id",
+                "auth.oauth2.client-secret": "some_client_secret",
+                "auth.oauth2.token-url": f"{TEST_URI}oauth2/token",
+                "auth.oauth2.scope": "read",
+            },
+            {"access_token": "token", "token_type": "Bearer", "expires_in": 3600, "scope": "read"},
+            "read",
+        ),
+        # OAuth2 with list[str] scope
+        (
+            {
+                "uri": TEST_URI,
+                "auth.type": "oauth2",
+                "auth.oauth2.client-id": "id",
+                "auth.oauth2.client-secret": "secret",
+                "auth.oauth2.token-url": f"{TEST_URI}oauth2/token",
+                "auth.oauth2.scope": ["openid", "profile"],
+            },
+            {"access_token": "token", "token_type": "Bearer", "expires_in": 3600, "scope": "openid profile"},
+            ["openid", "profile"],
+        ),
+        # Google with list[str] scopes
+        (
+            {
+                "uri": TEST_URI,
+                "auth.type": "google",
+                "auth.google.credentials_path": "/fake/path.json",
+                "auth.google.scopes": ["scope1", "scope2"],
+            },
+            None,
+            ["scope1", "scope2"],
+        ),
+        # Entra with list[str] scopes
+        (
+            {
+                "uri": TEST_URI,
+                "auth.type": "entra",
+                "auth.entra.client-id": "entra_id",
+                "auth.entra.client-secret": "entra_secret",
+                "auth.entra.tenant-id": "entra_tenant",
+                "auth.entra.scopes": ["scopeA", "scopeB"],
+            },
+            None,
+            ["scopeA", "scopeB"],
+        ),
+    ]
+)
+def test_rest_catalog_with_flat_properties_edge_cases(requests_mock, rest_mock, catalog_properties, token_response, expected_scopes):
+    """Test flat property env-var style for OAuth2, Google, Entra with list[str] scopes and edge cases."""
+    if catalog_properties["auth.type"] == "oauth2":
+        requests_mock.post(
+            f"{TEST_URI}oauth2/token",
+            json=token_response,
+            status_code=200,
+        )
+        requests_mock.get(
+            f"{TEST_URI}v1/config",
+            json={"defaults": {}, "overrides": {}},
+            status_code=200,
+        )
+        catalog = RestCatalog("rest", **catalog_properties)
+        assert catalog.uri == TEST_URI
+        # If scope is a list, ensure it is handled as a space-separated string
+        if isinstance(expected_scopes, list):
+            assert any(scope in token_response["scope"] for scope in expected_scopes)
+        else:
+            assert token_response["scope"] == expected_scopes
+    elif catalog_properties["auth.type"] == "google":
+        # Patch google.auth.load_credentials_from_file and google.auth.transport.requests.Request
+        with mock.patch("google.auth.load_credentials_from_file") as mock_load_creds, \
+             mock.patch("google.auth.transport.requests.Request") as mock_google_request:
+            mock_credentials = mock.MagicMock()
+            mock_credentials.token = "file_token"
+            mock_load_creds.return_value = (mock_credentials, "test_project_file")
+            rest_mock.get(
+                f"{TEST_URI}v1/config",
+                json={"defaults": {}, "overrides": {}},
+                status_code=200,
+            )
+            catalog = RestCatalog("rest", **catalog_properties)
+            assert catalog.uri == TEST_URI
+            mock_load_creds.assert_called_with("/fake/path.json", scopes=expected_scopes)
+    elif catalog_properties["auth.type"] == "entra":
+        # Just check that the catalog can be constructed and scopes are passed
+        rest_mock.get(
+            f"{TEST_URI}v1/config",
+            json={"defaults": {}, "overrides": {}},
+            status_code=200,
+        )
+        catalog = RestCatalog("rest", **catalog_properties)
+        assert catalog.uri == TEST_URI
