From 1a74a84e4fcc4557d2b10371948e501d7d1642b6 Mon Sep 17 00:00:00 2001
From: kari Barry
Date: Wed, 2 Oct 2024 15:41:58 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=93=8B=EF=B8=8F=20Check=20off=20all=20tes?= =?UTF-8?q?ting=20and=20renaming=20revisions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 tiled/_tests/test_authentication.py | 34 +++++++++++++++--------------
 1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/tiled/_tests/test_authentication.py b/tiled/_tests/test_authentication.py
index 5521f0f7e..89c6e350c 100644
--- a/tiled/_tests/test_authentication.py
+++ b/tiled/_tests/test_authentication.py
@@ -655,30 +655,32 @@ def test_api_key_bypass_scopes(enter_password, principals_context):
 ).raise_for_status()
-@pytest.mark.parametrize(
- "username, scopes, resource",
- (
- ("alice", ["read:principals"], "/api/v1/auth/principal"),
- ("bob", ["read:data"], "/api/v1/array/full/A1"),
- ),
-)
 def test_admin_delete_principal_apikey(
- enter_password, principals_context, username, scopes, resource
+ enter_password,
+ principals_context,
 ):
 """
 Admin can delete API keys for any prinicipal, revoking access.
 """
 with principals_context["context"] as context:
- # Log in as Alice
+ # Log in as Bob (Ordinary user)
+ with enter_password("secret2"):
+ context.authenticate(username="bob")
+
+ # Create an ordinary user API Key
+ principal_uuid = principals_context["uuid"]["bob"]
+ api_key_info = context.create_api_key(scopes=["read:data"])
+ context.logout()
+
+ # Log in as Alice (Admin)
 with enter_password("secret1"):
 context.authenticate(username="alice")
- # Create the API Key
- principal_uuid = principals_context["uuid"][username]
- api_key_info = context.admin.create_api_key(principal_uuid, scopes=scopes)
 # Delete the created API Key via service principal
- context.admin.revoke_api_key(
- principal_uuid, api_key_info["first_eight"]
- )
+ context.admin.revoke_api_key(principal_uuid, api_key_info["first_eight"])
+ context.logout()
- # Test passes if there are no HTTP Errors.
+ # Try to use the revoked API Key
+ context.api_key = api_key_info["secret"]
+ with fail_with_status_code(HTTP_401_UNAUTHORIZED):
+ context.whoami()
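Review bot: The closing 401 check in `test_admin_delete_principal_apikey` has no positive control, because `api_key_info["secret"]` is never presented to the server before `context.admin.revoke_api_key(...)` runs. As written the test would also pass if Bob's key had been rejected for a reason unrelated to revocation, so it does not by itself show that the admin revoke is what removed access. Right after Bob's `context.logout()`, I would set `context.api_key = api_key_info["secret"]`, call `context.whoami()` expecting success, then clear the key before Alice authenticates; this assumes `whoami` is reachable with a `read:data`-only key, which the hunk does not show. Dropping the parametrization also removes the case of an admin revoking a key on the admin's own principal, and the key's actual scope (`read:data`) is never exercised against a data route after revocation; both may be worth a follow-up test.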