From 367fdb74b1aca811a15e4b09f6f120b14d832adb Mon Sep 17 00:00:00 2001
From: Thomas Morris
Date: Tue, 12 Dec 2023 17:40:07 -0500
Subject: [PATCH] add service account from context
---
 tiled/_tests/test_authentication.py | 23 +++++++++++++++++++++++
 tiled/client/context.py | 20 ++++++++++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/tiled/_tests/test_authentication.py b/tiled/_tests/test_authentication.py
index 089509375..2ee98e3ce 100644
--- a/tiled/_tests/test_authentication.py
+++ b/tiled/_tests/test_authentication.py
@@ -554,6 +554,29 @@ def test_admin_api_key_any_principal(
 context.http_client.get(resource).raise_for_status()
 
 
+def test_admin_create_service_principal(enter_password, principals_context):
+ """
+ Admin can create service accounts with API keys.
+ """
+ with principals_context["context"] as context:
+ # Log in as Alice, create and use API key after logout
+ with enter_password("secret1"):
+ context.authenticate(username="alice")
+
+ assert context.whoami()["type"] == "user"
+
+ principal_info = context.admin.create_service_principal(role="user")
+ principal_uuid = principal_info["uuid"]
+
+ service_api_key_info = context.admin.create_api_key_other_principal(
+ principal_uuid
+ )
+ context.logout()
+
+ context.api_key = service_api_key_info["secret"]
+ assert context.whoami()["type"] == "service"
+
+
 def test_admin_api_key_any_principal_exceeds_scopes(enter_password, principals_context):
 """
 Admin cannot create API key that exceeds scopes for another principal.
diff --git a/tiled/client/context.py b/tiled/client/context.py
index a10259edd..9c0d12c0d 100644
--- a/tiled/client/context.py
+++ b/tiled/client/context.py
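Review bot: `test_admin_create_service_principal` in tiled/_tests/test_authentication.py covers only the success path, so nothing here asserts that a caller without admin rights is refused by `context.admin.create_service_principal(...)`. For a call that creates new identities, the refusal is the property most worth pinning; a companion test that authenticates as a non-admin principal and expects the call to fail would do it, and the neighbouring `test_admin_api_key_any_principal_exceeds_scopes` looks like a model for that negative form. The inline comment also seems carried over from an API-key test; something like `# Log in as Alice (presumably an admin), create a service principal and an API key for it, then use the key after logout` would match what the body does. It would also help to assert that the principal reported by `whoami()` after switching to the key carries the `uuid` returned at creation, not just `"type" == "service"`.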
@@ -793,6 +793,26 @@ def create_api_key_other_principal(
 )
 ).json()
 
+ def create_service_principal(
+ self,
+ role,
+ ):
+ """
+ Generate a new service principal.
+
+ Parameters
+ ----------
+ role : str
+ Specify the role (e.g. user or admin)
+ """
+ return handle_error(
+ self.context.http_client.post(
+ f"{self.base_url}/auth/principal",
+ headers={"Accept": MSGPACK_MIME_TYPE},
+ params={"role": role},
+ )
+ ).json()
+
 
 class CannotPrompt(Exception):
 pass
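Review bot: The docstring of `create_service_principal` has no Returns section and does not say who may call it, although the principal it creates can immediately be given credentials through `create_api_key_other_principal`. I would add a `Returns` entry (the test in this patch reads `["uuid"]` from the result) and a line such as `Presumably requires admin privileges; prefer role="user" unless the service genuinely needs admin.` The `role` string is forwarded to `/auth/principal` without any client-side check, so the allowed values are presumably enforced by the server, which is not visible in this hunk; saying so in the Parameters entry would tell callers where validation happens. The enclosing class starts outside the hunk.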