feat: Authenticator protocol — auth_check/auth_refresh (v0.3.0)

Implement the Authenticator capability protocol for `reeln plugins auth`.
auth_check() validates R2 endpoint, bucket, and credentials.
auth_refresh() reports that R2 credentials are env-var based.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: JRemitz

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
+## [0.3.0] - 2026-04-07
+
+### Added
+
+- `auth_check()` and `auth_refresh()` methods implementing the `Authenticator` protocol — enables `reeln plugins auth cloudflare` for R2 credential verification
+
 ## [0.2.0] - 2026-03-25
 
 ### Added

reeln_cloudflare_plugin/__init__.py

@@ -2,7 +2,7 @@
 
 from __future__ import annotations
 
-__version__ = "0.2.0"
+__version__ = "0.3.0"
 
 from reeln_cloudflare_plugin.plugin import CloudflarePlugin
 

reeln_cloudflare_plugin/plugin.py

@@ -6,6 +6,7 @@
 import os
 from typing import Any
 
+from reeln.models.auth import AuthCheckResult, AuthStatus
 from reeln.models.plugin_schema import ConfigField, PluginConfigSchema
 from reeln.plugins.hooks import Hook, HookContext
 from reeln.plugins.registry import HookRegistry
@@ -24,7 +25,7 @@ class CloudflarePlugin:
     """
 
     name: str = "cloudflare"
-    version: str = "0.2.0"
+    version: str = "0.3.0"
     api_version: int = 1
 
     config_schema: PluginConfigSchema = PluginConfigSchema(
@@ -195,6 +196,78 @@ def _resolve_credentials(self) -> tuple[str, str] | None:
 
         return access_key_id, secret_access_key
 
+    def auth_check(self) -> list[AuthCheckResult]:
+        """Validate R2 credentials by connecting to the bucket."""
+        endpoint = self._config.get("r2_endpoint", "")
+        bucket = self._config.get("r2_bucket", "")
+        if not endpoint or not bucket:
+            return [AuthCheckResult(
+                service="Cloudflare R2",
+                status=AuthStatus.NOT_CONFIGURED,
+                message="r2_endpoint and r2_bucket must be configured",
+                hint="Set r2_endpoint and r2_bucket in plugin config",
+            )]
+
+        creds = self._resolve_credentials()
+        if creds is None:
+            access_key_env = self._config.get("r2_access_key_env", "")
+            secret_key_env = self._config.get("r2_secret_key_env", "")
+            return [AuthCheckResult(
+                service="Cloudflare R2",
+                status=AuthStatus.FAIL,
+                message=(
+                    f"Environment variables {access_key_env} and/or "
+                    f"{secret_key_env} are empty or not set"
+                ),
+                hint=(
+                    f"Set {access_key_env} and {secret_key_env} "
+                    f"environment variables"
+                ),
+            )]
+
+        access_key_id, secret_access_key = creds
+        config = r2.R2Config(
+            endpoint=endpoint,
+            bucket=bucket,
+            access_key_id=access_key_id,
+            secret_access_key=secret_access_key,
+            public_url_base=self._config.get("public_url_base", ""),
+            region=self._config.get("r2_region", "auto"),
+        )
+
+        try:
+            client = r2._create_client(config)
+            client.head_bucket(Bucket=bucket)
+        except Exception as exc:
+            return [AuthCheckResult(
+                service="Cloudflare R2",
+                status=AuthStatus.FAIL,
+                message=f"R2 connection failed: {exc}",
+                hint="Verify R2 credentials and endpoint",
+            )]
+
+        return [AuthCheckResult(
+            service="Cloudflare R2",
+            status=AuthStatus.OK,
+            message="Connected",
+            identity=f"bucket: {bucket}",
+        )]
+
+    def auth_refresh(self) -> list[AuthCheckResult]:
+        """R2 credentials are env-var based and cannot be refreshed."""
+        return [AuthCheckResult(
+            service="Cloudflare R2",
+            status=AuthStatus.FAIL,
+            message=(
+                "R2 credentials are set via environment variables "
+                "and cannot be refreshed automatically"
+            ),
+            hint=(
+                "Update the environment variables referenced in "
+                "r2_access_key_env and r2_secret_key_env"
+            ),
+        )]
+
     def on_game_finish(self, context: HookContext) -> None:
         """Handle ``ON_GAME_FINISH`` — reset uploaded keys list."""
         self._uploaded_keys = []

tests/unit/test_plugin.py

@@ -625,3 +625,153 @@ def test_empty_config(self) -> None:
     def test_none_config(self) -> None:
         plugin = CloudflarePlugin(None)
         assert plugin._config == {}
+
+
+# ------------------------------------------------------------------
+# auth_check
+# ------------------------------------------------------------------
+
+
+class TestAuthCheckNotConfigured:
+    def test_missing_endpoint(self) -> None:
+        plugin = CloudflarePlugin({"r2_endpoint": "", "r2_bucket": "b"})
+        results = plugin.auth_check()
+        assert len(results) == 1
+        assert results[0].service == "Cloudflare R2"
+        assert results[0].status.value == "not_configured"
+        assert "r2_endpoint" in results[0].message
+
+    def test_missing_bucket(self) -> None:
+        plugin = CloudflarePlugin({"r2_endpoint": "https://x.r2.cloudflarestorage.com", "r2_bucket": ""})
+        results = plugin.auth_check()
+        assert len(results) == 1
+        assert results[0].status.value == "not_configured"
+        assert "r2_bucket" in results[0].message
+
+    def test_both_missing(self) -> None:
+        plugin = CloudflarePlugin({})
+        results = plugin.auth_check()
+        assert len(results) == 1
+        assert results[0].status.value == "not_configured"
+        assert "r2_endpoint" in results[0].hint
+
+
+class TestAuthCheckEnvVarsNotSet:
+    def test_env_vars_missing(
+        self,
+        plugin_config: dict[str, Any],
+        monkeypatch: pytest.MonkeyPatch,
+    ) -> None:
+        monkeypatch.delenv("R2_ACCESS_KEY_ID", raising=False)
+        monkeypatch.delenv("R2_SECRET_ACCESS_KEY", raising=False)
+        plugin = CloudflarePlugin(plugin_config)
+        results = plugin.auth_check()
+        assert len(results) == 1
+        assert results[0].service == "Cloudflare R2"
+        assert results[0].status.value == "fail"
+        assert "R2_ACCESS_KEY_ID" in results[0].message
+        assert "R2_SECRET_ACCESS_KEY" in results[0].message
+
+    def test_env_var_names_in_hint(
+        self,
+        plugin_config: dict[str, Any],
+        monkeypatch: pytest.MonkeyPatch,
+    ) -> None:
+        monkeypatch.delenv("R2_ACCESS_KEY_ID", raising=False)
+        monkeypatch.delenv("R2_SECRET_ACCESS_KEY", raising=False)
+        plugin = CloudflarePlugin(plugin_config)
+        results = plugin.auth_check()
+        assert "R2_ACCESS_KEY_ID" in results[0].hint
+        assert "R2_SECRET_ACCESS_KEY" in results[0].hint
+
+
+class TestAuthCheckHeadBucketFails:
+    @patch("reeln_cloudflare_plugin.r2._create_client")
+    def test_head_bucket_client_error(
+        self,
+        mock_create: Any,
+        plugin_config: dict[str, Any],
+        r2_env: None,
+    ) -> None:
+        from botocore.exceptions import ClientError
+
+        mock_client = mock_create.return_value
+        mock_client.head_bucket.side_effect = ClientError(
+            {"Error": {"Code": "403", "Message": "Forbidden"}},
+            "HeadBucket",
+        )
+        plugin = CloudflarePlugin(plugin_config)
+        results = plugin.auth_check()
+        assert len(results) == 1
+        assert results[0].status.value == "fail"
+        assert "R2 connection failed" in results[0].message
+        assert "Verify R2 credentials" in results[0].hint
+
+    @patch("reeln_cloudflare_plugin.r2._create_client")
+    def test_head_bucket_generic_exception(
+        self,
+        mock_create: Any,
+        plugin_config: dict[str, Any],
+        r2_env: None,
+    ) -> None:
+        mock_client = mock_create.return_value
+        mock_client.head_bucket.side_effect = RuntimeError("timeout")
+        plugin = CloudflarePlugin(plugin_config)
+        results = plugin.auth_check()
+        assert len(results) == 1
+        assert results[0].status.value == "fail"
+        assert "timeout" in results[0].message
+
+
+class TestAuthCheckSuccess:
+    @patch("reeln_cloudflare_plugin.r2._create_client")
+    def test_connected_ok(
+        self,
+        mock_create: Any,
+        plugin_config: dict[str, Any],
+        r2_env: None,
+    ) -> None:
+        mock_client = mock_create.return_value
+        mock_client.head_bucket.return_value = {}
+        plugin = CloudflarePlugin(plugin_config)
+        results = plugin.auth_check()
+        assert len(results) == 1
+        assert results[0].service == "Cloudflare R2"
+        assert results[0].status.value == "ok"
+        assert results[0].message == "Connected"
+        assert results[0].identity == "bucket: test-bucket"
+
+    @patch("reeln_cloudflare_plugin.r2._create_client")
+    def test_head_bucket_called_with_correct_bucket(
+        self,
+        mock_create: Any,
+        plugin_config: dict[str, Any],
+        r2_env: None,
+    ) -> None:
+        mock_client = mock_create.return_value
+        mock_client.head_bucket.return_value = {}
+        plugin = CloudflarePlugin(plugin_config)
+        plugin.auth_check()
+        mock_client.head_bucket.assert_called_once_with(Bucket="test-bucket")
+
+
+# ------------------------------------------------------------------
+# auth_refresh
+# ------------------------------------------------------------------
+
+
+class TestAuthRefresh:
+    def test_always_returns_fail(self) -> None:
+        plugin = CloudflarePlugin()
+        results = plugin.auth_refresh()
+        assert len(results) == 1
+        assert results[0].service == "Cloudflare R2"
+        assert results[0].status.value == "fail"
+        assert "cannot be refreshed" in results[0].message
+
+    def test_hint_mentions_env_vars(self) -> None:
+        plugin = CloudflarePlugin()
+        results = plugin.auth_refresh()
+        assert "environment variables" in results[0].hint
+        assert "r2_access_key_env" in results[0].hint
+        assert "r2_secret_key_env" in results[0].hint