Merge pull request #1556 from keboola/jirka/dmd-339-test-ro-for-qs-user

jirkasemmler · web-flow · commit 235db3f3970d · 2025-08-19T13:33:51.000+02:00
DMD-339 Add tests to check that credentials have access to RO
diff --git a/tests/Backend/Workspaces/WorkspacesCredentialsTest.php b/tests/Backend/Workspaces/WorkspacesCredentialsTest.php
@@ -5,7 +5,7 @@
 namespace Keboola\Test\Backend\Workspaces;
 
 use Exception;
-use Keboola\StorageApi\BranchAwareClient;
+use Keboola\Csv\CsvFile;
 use Keboola\StorageApi\Workspaces;
 use Keboola\TableBackendUtils\Escaping\Snowflake\SnowflakeQuote;
 use Keboola\Test\Backend\WorkspaceConnectionTrait;
@@ -102,7 +102,7 @@ public function testConnectByCredentials(): void
         $workspaceCredentialsRefreshed = $workspaces->getCredentials($workspace['id'], $credentialsId);
         $this->assertEventWithRetries($this->_client, $assertCallback, $query);
         $this->assertEquals($workspaceCredentials['connection']['privateKey'], $workspaceCredentialsRefreshed['connection']['privateKey']);
-        $workspaceBackendRefreshed = WOrkspaceBackendFactory::createWorkspaceBackend($workspaceCredentialsRefreshed, true);
+        $workspaceBackendRefreshed = WorkspaceBackendFactory::createWorkspaceBackend($workspaceCredentialsRefreshed, true);
 
         $dbResultRefreshed = $workspaceBackendRefreshed->fetchAll('test_Languages');
 
@@ -126,4 +126,67 @@ public function testConnectByCredentials(): void
             $this->assertTrue(str_contains($e->getMessage(), 'JWT token is invalid.'));
         }
     }
+
+    public function testCredentialsWithROAccess(): void
+    {
+        $this->expectNotToPerformAssertions();
+        $workspace = $this->initTestWorkspace(
+            options: ['backend' => 'snowflake', 'readOnlyStorageAccess' => true],
+            forceRecreate: true,
+        );
+        $workspaces = new Workspaces($this->workspaceSapiClient);
+        $retrievedCredentials = $workspaces->createCredentials($workspace['id']);
+
+        // Create table in storage
+        $bucketId = $this->getTestBucketId(self::STAGE_IN);
+        $bucketDetail = $this->_client->getBucket($bucketId);
+        $this->_client->createTableAsync(
+            $bucketId,
+            'test-table',
+            new CsvFile(__DIR__ . '/../../_data/languages.csv'),
+        );
+
+        $backend = WorkspaceBackendFactory::createWorkspaceBackend($retrievedCredentials, true);
+        $backend->executeQuery(
+            sprintf(
+                'SELECT * FROM %s.%s',
+                SnowflakeQuote::quoteSingleIdentifier($bucketDetail['path']),
+                SnowflakeQuote::quoteSingleIdentifier('test-table'),
+            ),
+        );
+    }
+
+    public function testCredentialsWithoutROAccess(): void
+    {
+        $workspace = $this->initTestWorkspace(
+            options: ['backend' => 'snowflake', 'readOnlyStorageAccess' => false],
+            forceRecreate: true,
+        );
+        $workspaces = new Workspaces($this->workspaceSapiClient);
+        $retrievedCredentials = $workspaces->createCredentials($workspace['id']);
+
+        // Create table in storage
+        $bucketId = $this->getTestBucketId(self::STAGE_IN);
+        $bucketDetail = $this->_client->getBucket($bucketId);
+        $this->_client->createTableAsync(
+            $bucketId,
+            'test-table',
+            new CsvFile(__DIR__ . '/../../_data/languages.csv'),
+        );
+
+        $backend = WorkspaceBackendFactory::createWorkspaceBackend($retrievedCredentials, true);
+
+        try {
+            $backend->executeQuery(
+                sprintf(
+                    'SELECT * FROM %s.%s',
+                    SnowflakeQuote::quoteSingleIdentifier($bucketDetail['path']),
+                    SnowflakeQuote::quoteSingleIdentifier('test-table'),
+                ),
+            );
+            $this->fail('Expected exception to be thrown.');
+        } catch (Exception $e) {
+            $this->assertStringContainsString('does not exist or not authorized', $e->getMessage());
+        }
+    }
 }
