3 files changed, 85 insertions, 13 deletions

diff --git a/tests/functional/api/test_gitlab.py b/tests/functional/api/test_gitlab.py
index ced77c2..bde64d3 100644
--- a/tests/functional/api/test_gitlab.py
+++ b/tests/functional/api/test_gitlab.py
@@ -2,6 +2,7 @@ import pytest
 import requests
 
 import gitlab
+from gitlab.oauth import PasswordCredentials
 
 
 @pytest.fixture(
@@ -22,6 +23,13 @@ def test_auth_from_config(gl, gitlab_config, temp_dir):
     assert isinstance(test_gitlab.user, gitlab.v4.objects.CurrentUser)
 
 
+def test_auth_with_ropc_flow(gl, temp_dir):
+    oauth_credentials = PasswordCredentials("root", "5iveL!fe")
+    test_gitlab = gitlab.Gitlab(gl.url, oauth_credentials=oauth_credentials)
+    test_gitlab.auth()
+    assert isinstance(test_gitlab.user, gitlab.v4.objects.CurrentUser)
+
+
 def test_no_custom_session(gl, temp_dir):
     """Test no custom session"""
     custom_session = requests.Session()
diff --git a/tests/unit/test_gitlab_auth.py b/tests/unit/test_gitlab_auth.py
index 8d6677f..3e0c87d 100644
--- a/tests/unit/test_gitlab_auth.py
+++ b/tests/unit/test_gitlab_auth.py
@@ -1,8 +1,35 @@
 import pytest
-import requests
+import responses
 
 from gitlab import Gitlab
 from gitlab.config import GitlabConfigParser
+from gitlab.oauth import PasswordCredentials
+
+
+# /oauth/token endpoint might be missing correct content-type header
+@pytest.fixture(params=["application/json", None])
+def resp_oauth_token(gl: Gitlab, request: pytest.FixtureRequest):
+    ropc_payload = {
+        "username": "foo",
+        "password": "bar",
+        "grant_type": "password",
+        "scope": "api",
+    }
+    ropc_response = {
+        "access_token": "test-token",
+        "token_type": "bearer",
+        "expires_in": 7200,
+    }
+    with responses.RequestsMock() as rsps:
+        rsps.add(
+            method=responses.POST,
+            url=f"{gl._base_url}/oauth/token",
+            status=201,
+            match=[responses.matchers.json_params_matcher(ropc_payload)],
+            json=ropc_response,
+            content_type=request.param,
+        )
+        yield rsps
 
 
 def test_invalid_auth_args():
@@ -42,7 +69,6 @@ def test_private_token_auth():
     assert gl.private_token == "private_token"
     assert gl.oauth_token is None
     assert gl.job_token is None
-    assert gl._http_auth is None
     assert "Authorization" not in gl.headers
     assert gl.headers["PRIVATE-TOKEN"] == "private_token"
     assert "JOB-TOKEN" not in gl.headers
@@ -53,7 +79,6 @@ def test_oauth_token_auth():
     assert gl.private_token is None
     assert gl.oauth_token == "oauth_token"
     assert gl.job_token is None
-    assert gl._http_auth is None
     assert gl.headers["Authorization"] == "Bearer oauth_token"
     assert "PRIVATE-TOKEN" not in gl.headers
     assert "JOB-TOKEN" not in gl.headers
@@ -64,26 +89,38 @@ def test_job_token_auth():
     assert gl.private_token is None
     assert gl.oauth_token is None
     assert gl.job_token == "CI_JOB_TOKEN"
-    assert gl._http_auth is None
     assert "Authorization" not in gl.headers
     assert "PRIVATE-TOKEN" not in gl.headers
     assert gl.headers["JOB-TOKEN"] == "CI_JOB_TOKEN"
 
 
-def test_http_auth():
+def test_oauth_resource_password_auth(resp_oauth_token):
+    oauth_credentials = PasswordCredentials("foo", "bar")
     gl = Gitlab(
         "http://localhost",
-        private_token="private_token",
-        http_username="foo",
-        http_password="bar",
         api_version="4",
+        oauth_credentials=oauth_credentials,
     )
-    assert gl.private_token == "private_token"
-    assert gl.oauth_token is None
+    assert gl.oauth_token == "test-token"
+    assert gl.private_token is None
     assert gl.job_token is None
-    assert isinstance(gl._http_auth, requests.auth.HTTPBasicAuth)
-    assert gl.headers["PRIVATE-TOKEN"] == "private_token"
-    assert "Authorization" not in gl.headers
+    assert "Authorization" in gl.headers
+    assert "PRIVATE-TOKEN" not in gl.headers
+
+
+def test_oauth_resource_password_auth_with_legacy_params_warns(resp_oauth_token):
+    with pytest.warns(DeprecationWarning, match="use the OAuth ROPC flow"):
+        gl = Gitlab(
+            "http://localhost",
+            http_username="foo",
+            http_password="bar",
+            api_version="4",
+        )
+    assert gl.oauth_token == "test-token"
+    assert gl.private_token is None
+    assert gl.job_token is None
+    assert "Authorization" in gl.headers
+    assert "PRIVATE-TOKEN" not in gl.headers
 
 
 @pytest.mark.parametrize(
diff --git a/tests/unit/test_oauth.py b/tests/unit/test_oauth.py
new file mode 100644
index 0000000..ecc256b
--- /dev/null
+++ b/tests/unit/test_oauth.py
@@ -0,0 +1,27 @@
+import pytest
+
+from gitlab.oauth import PasswordCredentials
+
+
+def test_password_credentials_without_password_raises():
+    with pytest.raises(TypeError, match="missing 1 required positional argument"):
+        PasswordCredentials("username")
+
+
+def test_password_credentials_with_client_id_without_client_secret_raises():
+    with pytest.raises(TypeError, match="client_id and client_secret must be defined"):
+        PasswordCredentials(
+            "username",
+            "password",
+            client_id="abcdef123456",
+        )
+
+
+def test_password_credentials_with_client_credentials_sets_basic_auth():
+    credentials = PasswordCredentials(
+        "username",
+        "password",
+        client_id="abcdef123456",
+        client_secret="123456abcdef",
+    )
+    assert credentials.basic_auth == ("abcdef123456", "123456abcdef")