fix(iam): tolerate partial Session response when caller lacks sessionsAcl:LIST (#2617)

ebrattli · web-flow · commit 754fbc676766 · 2026-05-08T17:01:10.000Z
diff --git a/cognite/client/_api/iam/sessions.py b/cognite/client/_api/iam/sessions.py
@@ -7,7 +7,14 @@
 from cognite.client._constants import DEFAULT_LIMIT_READ
 from cognite.client.config import ClientConfig
 from cognite.client.credentials import OAuthClientCredentials
-from cognite.client.data_classes import ClientCredentials, CreatedSession, Session, SessionList
+from cognite.client.data_classes import (
+    ClientCredentials,
+    CreatedSession,
+    RevokedSession,
+    RevokedSessionList,
+    Session,
+    SessionList,
+)
 from cognite.client.data_classes.iam import SessionStatus, SessionType
 from cognite.client.utils._identifier import IdentifierSequence
 
@@ -77,12 +84,12 @@ async def create(
         return CreatedSession.load(response.json()["items"][0])
 
     @overload
-    async def revoke(self, id: int) -> Session: ...
+    async def revoke(self, id: int) -> RevokedSession: ...
 
     @overload
-    async def revoke(self, id: Sequence[int]) -> SessionList: ...
+    async def revoke(self, id: Sequence[int]) -> RevokedSessionList: ...
 
-    async def revoke(self, id: int | Sequence[int]) -> Session | SessionList:
+    async def revoke(self, id: int | Sequence[int]) -> RevokedSession | RevokedSessionList:
         """`Revoke access to a session <https://api-docs.cognite.com/20230101/tag/Sessions/operation/revokeSessions>`_.
 
         Revocation of a session may in some cases take up to 1 hour to take effect.
@@ -91,7 +98,8 @@ async def revoke(self, id: int | Sequence[int]) -> Session | SessionList:
             id (int | Sequence[int]): Id or list of session ids
 
         Returns:
-            Session | SessionList: List of revoked sessions. If the user does not have the sessionsAcl:LIST capability, then only the session IDs will be present in the response.
+            RevokedSession | RevokedSessionList: Revoked session(s). If the caller lacks sessionsAcl:LIST, only the
+                session ID will be present; all other fields will be None.
         """
 
         ident_sequence = IdentifierSequence.load(ids=id, external_ids=None)
@@ -106,7 +114,7 @@ async def revoke(self, id: int | Sequence[int]) -> Session | SessionList:
             ),
         )
 
-        revoked_sessions = SessionList._load(revoked_sessions_res)
+        revoked_sessions = RevokedSessionList._load(revoked_sessions_res)
         return revoked_sessions[0] if ident_sequence.is_singleton() else revoked_sessions
 
     @overload
diff --git a/cognite/client/_sync_api/iam/sessions.py b/cognite/client/_sync_api/iam/sessions.py
@@ -1,6 +1,6 @@
 """
 ===============================================================================
-6ed1f4c4630f2ef966184b94bd0c2e50
+66ef20c6bf5b2e991efb781b993720f0
 This file is auto-generated from the Async API modules, - do not edit manually!
 ===============================================================================
 """
@@ -13,7 +13,14 @@
 from cognite.client import AsyncCogniteClient
 from cognite.client._constants import DEFAULT_LIMIT_READ
 from cognite.client._sync_api_client import SyncAPIClient
-from cognite.client.data_classes import ClientCredentials, CreatedSession, Session, SessionList
+from cognite.client.data_classes import (
+    ClientCredentials,
+    CreatedSession,
+    RevokedSession,
+    RevokedSessionList,
+    Session,
+    SessionList,
+)
 from cognite.client.data_classes.iam import SessionStatus, SessionType
 from cognite.client.utils._async_helpers import run_sync
 
@@ -58,12 +65,12 @@ def create(
         )
 
     @overload
-    def revoke(self, id: int) -> Session: ...
+    def revoke(self, id: int) -> RevokedSession: ...
 
     @overload
-    def revoke(self, id: Sequence[int]) -> SessionList: ...
+    def revoke(self, id: Sequence[int]) -> RevokedSessionList: ...
 
-    def revoke(self, id: int | Sequence[int]) -> Session | SessionList:
+    def revoke(self, id: int | Sequence[int]) -> RevokedSession | RevokedSessionList:
         """
         `Revoke access to a session <https://api-docs.cognite.com/20230101/tag/Sessions/operation/revokeSessions>`_.
 
@@ -73,7 +80,8 @@ def revoke(self, id: int | Sequence[int]) -> Session | SessionList:
             id (int | Sequence[int]): Id or list of session ids
 
         Returns:
-            Session | SessionList: List of revoked sessions. If the user does not have the sessionsAcl:LIST capability, then only the session IDs will be present in the response.
+            RevokedSession | RevokedSessionList: Revoked session(s). If the caller lacks sessionsAcl:LIST, only the
+                session ID will be present; all other fields will be None.
         """
         return run_sync(self.__async_client.iam.sessions.revoke(id=id))
 
diff --git a/cognite/client/data_classes/__init__.py b/cognite/client/data_classes/__init__.py
@@ -143,6 +143,8 @@
     GroupList,
     GroupWrite,
     GroupWriteList,
+    RevokedSession,
+    RevokedSessionList,
     SecurityCategory,
     SecurityCategoryList,
     SecurityCategoryWrite,
@@ -459,6 +461,8 @@
     "RelationshipWrite",
     "RelationshipWriteList",
     "RevisionCameraProperties",
+    "RevokedSession",
+    "RevokedSessionList",
     "Row",
     "RowList",
     "RowWrite",
diff --git a/cognite/client/data_classes/iam.py b/cognite/client/data_classes/iam.py
@@ -523,6 +523,54 @@ class SessionList(CogniteResourceList[Session], IdTransformerMixin):
     _RESOURCE = Session
 
 
+class RevokedSession(CogniteResource):
+    """A session that has been revoked.
+
+    When the caller lacks sessionsAcl:LIST, the revoke API returns only the session ID.
+    All other fields are present only when the caller has sessionsAcl:LIST.
+
+    Args:
+        id (int): ID of the revoked session.
+        type (SessionType | None): Credentials kind used to create the session.
+        status (SessionStatus | None): Current status of the session.
+        creation_time (int | None): Session creation time, in milliseconds since 1970.
+        expiration_time (int | None): Session expiry time, in milliseconds since 1970. This value is updated on
+            refreshing a token.
+        client_id (str | None): Client ID in identity provider.
+    """
+
+    def __init__(
+        self,
+        id: int,
+        type: SessionType | None = None,
+        status: SessionStatus | None = None,
+        creation_time: int | None = None,
+        expiration_time: int | None = None,
+        client_id: str | None = None,
+    ) -> None:
+        self.id = id
+        self.type = type
+        self.status = status
+        self.creation_time = creation_time
+        self.expiration_time = expiration_time
+        self.client_id = client_id
+
+    @classmethod
+    def _load(cls, resource: dict[str, Any]) -> Self:
+        return cls(
+            id=resource["id"],
+            type=resource.get("type"),
+            status=resource.get("status"),
+            creation_time=resource.get("creationTime"),
+            expiration_time=resource.get("expirationTime"),
+            client_id=resource.get("clientId"),
+        )
+
+
+class RevokedSessionList(CogniteResourceList[RevokedSession], IdTransformerMixin):
+    _RESOURCE = RevokedSession
+
+
 class ClientCredentials(CogniteResource):
     """Client credentials for session creation
 
