|
19 | 19 | _default_text_input, |
20 | 20 | _default_thing_input, |
21 | 21 | ) |
| 22 | +from linodecli.configuration.auth import _check_full_access |
22 | 23 |
|
23 | 24 |
|
24 | 25 | class TestConfiguration: |
@@ -676,3 +677,41 @@ def test_custom_config_path(self, monkeypatch, tmp_path): |
676 | 677 |
|
677 | 678 | for i, _ in enumerate(expected_configs): |
678 | 679 | assert expected_configs[i] == configs[i] |
| 680 | + |
| 681 | + |
| 682 | +class TestCheckFullAccess: |
| 683 | + """ |
| 684 | + Unit tests for _check_full_access |
| 685 | + """ |
| 686 | + |
| 687 | + base_url = "https://linode-test.com" |
| 688 | + test_token = "cli-dev-token" |
| 689 | + |
| 690 | + def test_full_access_returns_true(self): |
| 691 | + """ |
| 692 | + 204 No Content means the token has full (unrestricted) access. |
| 693 | + """ |
| 694 | + with requests_mock.Mocker() as m: |
| 695 | + m.get(f"{self.base_url}/profile/grants", status_code=204) |
| 696 | + assert _check_full_access(self.base_url, self.test_token) is True |
| 697 | + |
| 698 | + def test_restricted_access_returns_false(self): |
| 699 | + """ |
| 700 | + 200 with a grants body means the token has restricted access. |
| 701 | + """ |
| 702 | + with requests_mock.Mocker() as m: |
| 703 | + m.get( |
| 704 | + f"{self.base_url}/profile/grants", |
| 705 | + status_code=200, |
| 706 | + json={"linode": []}, |
| 707 | + ) |
| 708 | + assert _check_full_access(self.base_url, self.test_token) is False |
| 709 | + |
| 710 | + def test_iam_user_403_returns_false(self): |
| 711 | + """ |
| 712 | + IAM-enrolled users receive a 403 from /profile/grants. |
| 713 | + This should be treated as "not full access" rather than a fatal error. |
| 714 | + """ |
| 715 | + with requests_mock.Mocker() as m: |
| 716 | + m.get(f"{self.base_url}/profile/grants", status_code=403) |
| 717 | + assert _check_full_access(self.base_url, self.test_token) is False |
0 commit comments