pytest-neon 2.3.0__tar.gz → 2.3.2__tar.gz

{pytest_neon-2.3.0 → pytest_neon-2.3.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pytest-neon
-Version: 2.3.0
+Version: 2.3.2
 Summary: Pytest plugin for Neon database branch isolation in tests
 Project-URL: Homepage, https://github.com/ZainRizvi/pytest-neon
 Project-URL: Repository, https://github.com/ZainRizvi/pytest-neon

{pytest_neon-2.3.0 → pytest_neon-2.3.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pytest-neon"
-version = "2.3.0"
+version = "2.3.2"
 description = "Pytest plugin for Neon database branch isolation in tests"
 readme = "README.md"
 license = "MIT"

{pytest_neon-2.3.0 → pytest_neon-2.3.2}/src/pytest_neon/__init__.py

@@ -9,7 +9,7 @@ from pytest_neon.plugin import (
     neon_engine,
 )
 
-__version__ = "2.3.0"
+__version__ = "2.3.2"
 __all__ = [
     "NeonBranch",
     "neon_branch",

{pytest_neon-2.3.0 → pytest_neon-2.3.2}/src/pytest_neon/plugin.py

@@ -295,6 +295,48 @@ def _get_git_branch_name() -> str | None:
     return None
 
 
+def _extract_password_from_connection_string(connection_string: str) -> str:
+    """Extract password from a PostgreSQL connection string."""
+    # Format: postgresql://user:password@host/db?params
+    from urllib.parse import urlparse
+
+    parsed = urlparse(connection_string)
+    if parsed.password:
+        return parsed.password
+    raise ValueError(f"No password found in connection string: {connection_string}")
+
+
+def _reveal_role_password(
+    api_key: str, project_id: str, branch_id: str, role_name: str
+) -> str:
+    """
+    Get the password for a role WITHOUT resetting it.
+
+    Uses Neon's reveal_password API endpoint (GET request).
+
+    Note: The neon-api library has a bug where it uses POST instead of GET,
+    so we make the request directly.
+    """
+    url = (
+        f"https://console.neon.tech/api/v2/projects/{project_id}"
+        f"/branches/{branch_id}/roles/{role_name}/reveal_password"
+    )
+    headers = {
+        "Authorization": f"Bearer {api_key}",
+        "Accept": "application/json",
+    }
+
+    response = requests.get(url, headers=headers, timeout=30)
+    try:
+        response.raise_for_status()
+    except requests.exceptions.HTTPError:
+        # Wrap in NeonAPIError for consistent error handling
+        raise NeonAPIError(response.text) from None
+
+    data = response.json()
+    return data["password"]
+
+
 def _get_schema_fingerprint(connection_string: str) -> tuple[tuple[Any, ...], ...]:
     """
     Get a fingerprint of the database schema for change detection.
@@ -497,7 +539,7 @@ class NeonBranchManager:
             )
 
         # Get password
-        connection_string = self._reset_password_and_build_connection_string(
+        connection_string = self._get_password_and_build_connection_string(
             branch.id, host
         )
 
@@ -537,9 +579,15 @@ class NeonBranchManager:
         endpoint_id = result.endpoint.id
         host = self._wait_for_endpoint(endpoint_id)
 
-        # Get password for the read_only endpoint
-        connection_string = self._reset_password_and_build_connection_string(
-            branch.branch_id, host
+        # Reuse the password from the parent branch's connection string.
+        # DO NOT call role_password_reset here - it would invalidate the
+        # password used by the parent branch's read_write endpoint, breaking
+        # any existing connections (especially in xdist where other workers
+        # may be using the cached connection string).
+        password = _extract_password_from_connection_string(branch.connection_string)
+        connection_string = (
+            f"postgresql://{self.config.role_name}:{password}@{host}/"
+            f"{self.config.database_name}?sslmode=require"
         )
 
         return NeonBranch(
@@ -615,19 +663,19 @@ class NeonBranchManager:
             time.sleep(poll_interval)
             waited += poll_interval
 
-    def _reset_password_and_build_connection_string(
+    def _get_password_and_build_connection_string(
         self, branch_id: str, host: str
     ) -> str:
-        """Reset role password and build connection string."""
-        password_response = _retry_on_rate_limit(
-            lambda: self._neon.role_password_reset(
+        """Get role password (without resetting) and build connection string."""
+        password = _retry_on_rate_limit(
+            lambda: _reveal_role_password(
+                api_key=self.config.api_key,
                 project_id=self.config.project_id,
                 branch_id=branch_id,
                 role_name=self.config.role_name,
             ),
-            operation_name="role_password_reset",
+            operation_name="role_password_reveal",
         )
-        password = password_response.role.password
 
         return (
             f"postgresql://{self.config.role_name}:{password}@{host}/"
@@ -1030,31 +1078,17 @@ def _create_neon_branch(
 
     host = endpoint.host
 
-    # SAFETY CHECK: Ensure we never reset password on the default/production branch
-    # This should be impossible since we just created this branch, but we check
-    # defensively to prevent catastrophic mistakes if there's ever a bug
-    default_branch_id = getattr(config, "_neon_default_branch_id", None)
-    if default_branch_id and branch.id == default_branch_id:
-        raise RuntimeError(
-            f"SAFETY CHECK FAILED: Attempted to reset password on default branch "
-            f"{branch.id}. This should never happen - the plugin creates new "
-            f"branches and should never operate on the default branch. "
-            f"Please report this bug at https://github.com/ZainRizvi/pytest-neon/issues"
-        )
-
-    # Reset password to get the password value
-    # (newly created branches don't expose password)
-    # Wrap in retry logic to handle rate limits
-    # See: https://api-docs.neon.tech/reference/api-rate-limiting
-    password_response = _retry_on_rate_limit(
-        lambda: neon.role_password_reset(
+    # Get password using reveal (not reset) to avoid invalidating existing connections
+    # See: https://api-docs.neon.tech/reference/getprojectbranchrolepassword
+    password = _retry_on_rate_limit(
+        lambda: _reveal_role_password(
+            api_key=api_key,
             project_id=project_id,
             branch_id=branch.id,
             role_name=role_name,
         ),
-        operation_name="role_password_reset",
+        operation_name="role_password_reveal",
     )
-    password = password_response.role.password
 
     # Build connection string
     connection_string = (
@@ -1170,16 +1204,10 @@ def _create_readonly_endpoint(
 
     host = endpoint.host
 
-    # Reset password to get the password value for this endpoint
-    password_response = _retry_on_rate_limit(
-        lambda: neon.role_password_reset(
-            project_id=branch.project_id,
-            branch_id=branch.branch_id,
-            role_name=role_name,
-        ),
-        operation_name="role_password_reset_readonly",
-    )
-    password = password_response.role.password
+    # Reuse the password from the parent branch's connection string.
+    # DO NOT call role_password_reset here - it would invalidate the
+    # password used by the parent branch's read_write endpoint.
+    password = _extract_password_from_connection_string(branch.connection_string)
 
     # Build connection string for the read_only endpoint
     connection_string = (

{pytest_neon-2.3.0 → pytest_neon-2.3.2}/tests/test_branch_name_prefix.py

@@ -136,9 +136,11 @@ class TestBranchNameWithGitBranch:
         with (
             patch("pytest_neon.plugin.NeonAPI") as mock_neon_cls,
             patch("pytest_neon.plugin._get_git_branch_name") as mock_git,
+            patch("pytest_neon.plugin._reveal_role_password") as mock_reveal,
         ):
             # _get_git_branch_name returns sanitized value (slashes -> hyphens)
             mock_git.return_value = "feature-my-branch"
+            mock_reveal.return_value = "testpass"
 
             mock_api = MagicMock()
             mock_neon_cls.return_value = mock_api
@@ -163,10 +165,6 @@ class TestBranchNameWithGitBranch:
             mock_endpoint_response.endpoint.host = "test.neon.tech"
             mock_api.endpoint.return_value = mock_endpoint_response
 
-            mock_password = MagicMock()
-            mock_password.role.password = "testpass"
-            mock_api.role_password_reset.return_value = mock_password
-
             gen = _create_neon_branch(mock_request, branch_name_suffix="-migrated")
             with contextlib.suppress(StopIteration):
                 next(gen)
@@ -210,9 +208,11 @@ class TestBranchNameWithGitBranch:
         with (
             patch("pytest_neon.plugin.NeonAPI") as mock_neon_cls,
             patch("pytest_neon.plugin._get_git_branch_name") as mock_git,
+            patch("pytest_neon.plugin._reveal_role_password") as mock_reveal,
         ):
             # _get_git_branch_name returns sanitized value
             mock_git.return_value = "feature-very-long-branch-name-truncated"
+            mock_reveal.return_value = "testpass"
 
             mock_api = MagicMock()
             mock_neon_cls.return_value = mock_api
@@ -237,10 +237,6 @@ class TestBranchNameWithGitBranch:
             mock_endpoint_response.endpoint.host = "test.neon.tech"
             mock_api.endpoint.return_value = mock_endpoint_response
 
-            mock_password = MagicMock()
-            mock_password.role.password = "testpass"
-            mock_api.role_password_reset.return_value = mock_password
-
             gen = _create_neon_branch(mock_request, branch_name_suffix="-migrated")
             with contextlib.suppress(StopIteration):
                 next(gen)
@@ -284,8 +280,10 @@ class TestBranchNameWithGitBranch:
         with (
             patch("pytest_neon.plugin.NeonAPI") as mock_neon_cls,
             patch("pytest_neon.plugin._get_git_branch_name") as mock_git,
+            patch("pytest_neon.plugin._reveal_role_password") as mock_reveal,
         ):
             mock_git.return_value = None  # Not in a git repo
+            mock_reveal.return_value = "testpass"
 
             mock_api = MagicMock()
             mock_neon_cls.return_value = mock_api
@@ -310,10 +308,6 @@ class TestBranchNameWithGitBranch:
             mock_endpoint_response.endpoint.host = "test.neon.tech"
             mock_api.endpoint.return_value = mock_endpoint_response
 
-            mock_password = MagicMock()
-            mock_password.role.password = "testpass"
-            mock_api.role_password_reset.return_value = mock_password
-
             gen = _create_neon_branch(mock_request, branch_name_suffix="-migrated")
             with contextlib.suppress(StopIteration):
                 next(gen)

{pytest_neon-2.3.0 → pytest_neon-2.3.2}/uv.lock

@@ -1212,7 +1212,7 @@ wheels = [
 
 [[package]]
 name = "pytest-neon"
-version = "2.3.0"
+version = "2.3.2"
 source = { editable = "." }
 dependencies = [
     { name = "filelock", version = "3.19.1", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version < '3.10'" },