Fix IsServicePrincipal() only working for workspace admins (#732)

## Changes

The latest rendition of isServicePrincipal no longer worked for
non-admin users as it used the "principals get" API.

This new version relies on the property that service principals always
have a UUID as their userName. This was tested with the eng-jaws
principal (8b948b2e-d2b5-4b9e-8274-11b596f3b652).

bundle/config/mutator/process_target_mode.go

@@ -160,10 +160,7 @@ func (m *processTargetMode) Apply(ctx context.Context, b *bundle.Bundle) error {
 		}
 		return transformDevelopmentMode(b)
 	case config.Production:
-		isPrincipal, err := auth.IsServicePrincipal(ctx, b.WorkspaceClient(), b.Config.Workspace.CurrentUser.Id)
+		isPrincipal := auth.IsServicePrincipal(b.Config.Workspace.CurrentUser.Id)
-		if err != nil {
-			return err
-		}
 		return validateProductionMode(ctx, b, isPrincipal)
 	case "":
 		// No action

libs/auth/service_principal.go

@@ -1,20 +1,15 @@
 package auth
 
 import (
-	"context"
+	"github.com/google/uuid"
-
-	"github.com/databricks/databricks-sdk-go"
-	"github.com/databricks/databricks-sdk-go/apierr"
 )
 
 // Determines whether a given user id is a service principal.
-// This function uses a heuristic: if no user exists with this id, we assume
+// This function uses a heuristic: if the user id is a UUID, then we assume
-// it's a service principal. Unfortunately, the standard service principal API is too
+// it's a service principal. Unfortunately, the service principal listing API is too
-// slow for our purposes.
+// slow for our purposes. And the "users" and "service principals get" APIs
-func IsServicePrincipal(ctx context.Context, ws *databricks.WorkspaceClient, userId string) (bool, error) {
+// only allow access by workspace admins.
-	_, err := ws.Users.GetById(ctx, userId)
+func IsServicePrincipal(userId string) bool {
-	if apierr.IsMissing(err) {
+	_, err := uuid.Parse(userId)
-		return true, nil
+	return err == nil
-	}
-	return false, err
 }

libs/auth/service_principal_test.go

@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsServicePrincipal_ValidUUID(t *testing.T) {
+	userId := "8b948b2e-d2b5-4b9e-8274-11b596f3b652"
+	isSP := IsServicePrincipal(userId)
+	assert.True(t, isSP, "Expected user ID to be recognized as a service principal")
+}
+
+func TestIsServicePrincipal_InvalidUUID(t *testing.T) {
+	userId := "invalid"
+	isSP := IsServicePrincipal(userId)
+	assert.False(t, isSP, "Expected user ID to not be recognized as a service principal")
+}

libs/template/helpers.go

@@ -104,10 +104,7 @@ func loadHelpers(ctx context.Context) template.FuncMap {
 					return false, err
 				}
 			}
-			result, err := auth.IsServicePrincipal(ctx, w, user.Id)
+			result := auth.IsServicePrincipal(user.Id)
-			if err != nil {
-				return false, err
-			}
 			is_service_principal = &result
 			return result, nil
 		},