Add SPOG integration tests for explicit auth types (#1341)

## Summary

Add integration tests that verify workspace and account operations
against unified (SPOG) hosts using explicit auth types. These tests
ensure that each auth flow works end-to-end when parameters are passed
directly to the client constructor, without relying on environment
variable auto-detection.

## Motivation

Existing integration tests (`test_workspace_operations`,
`test_account_operations`) use a pre-built `unified_config` fixture
which inherits auth from the environment. This doesn't validate that
explicit auth type configuration works correctly against unified hosts.
We need per-auth-type coverage to catch regressions in the SPOG auth
path for each credential strategy.

## Changes

### New `isolated_env` fixture (`tests/integration/conftest.py`)
A factory fixture that takes a debug-env key (for IDE support) and
returns a callable for reading env vars. Before returning, it snapshots
`os.environ`, then removes every env var that `Config` reads (discovered
dynamically from `ConfigAttribute` fields). This ensures `Config` only
sees explicitly passed parameters — no env var leakage between auth
strategies. Uses `monkeypatch` so the environment is restored after each
test.

### `workspace_id` parameter on `WorkspaceClient`
(`databricks/sdk/__init__.py`)
`WorkspaceClient.__init__` was missing `workspace_id` as an explicit
parameter (it was only available via `Config`). Added it to the
signature and forwarded it to `Config(...)`.

### SPOG integration tests (`tests/integration/test_unified_profile.py`)

| Test | Auth type | Environment | Status |
|------|-----------|-------------|--------|
| `test_spog_workspace_pat` | PAT | azure-prod-pat | ✅ |
| `test_spog_workspace_oauth_m2m` | OAuth M2M | azure-prod-ucws | ✅ |
| `test_spog_workspace_azure_client_secret` | Azure Client Secret |
azure-prod-ucws | ✅ |
| `test_spog_workspace_google_credentials` | Google Credentials |
gcp-prod-ucacct | ⏭️ Skipped |
| `test_spog_account_oauth_m2m` | OAuth M2M | azure-prod-acct | ✅ |
| `test_spog_account_azure_client_secret` | Azure Client Secret |
azure-prod-acct | ✅ |
| `test_spog_account_google_credentials` | Google Credentials |
gcp-prod-ucacct | ✅ |

**`test_spog_workspace_google_credentials` is skipped**: The
`google-credentials` strategy uses a GCP ID token with
`target_audience=cfg.host`. On the unified host, this produces the same
token for both account and workspace requests. Account-level APIs accept
this token, but workspace-level APIs return 401. Investigation shows the
GCP service principal exists in workspace assignments (account-level
API) with ADMIN permissions but is not present in
`ac.service_principals.list()` — it appears to be a workspace-local SP
not federated at the account level.

### Collection hook update (`conftest.py`)
Added `unified_config` and `isolated_env` to
`pytest_collection_modifyitems` so tests using these fixtures are
automatically marked as `integration` and collected by CI (which filters
with `-m 'integration'`).

## Test plan
- [ ] Verify tests are collected (not silently excluded) in CI runs
- [ ] Verify tests pass or skip (if env vars missing) in each
environment listed above

NO_CHANGELOG=true

Author: hectorcast-db

databricks/sdk/__init__.py

@@ -8,6 +8,7 @@
 import pytest
 
 from databricks.sdk import AccountClient, FilesAPI, FilesExt, WorkspaceClient
+from databricks.sdk.config import ConfigAttribute
 from databricks.sdk.core import Config
 from databricks.sdk.environments import Cloud
 from databricks.sdk.service.catalog import VolumeType
@@ -46,7 +47,7 @@ def pytest_configure(config):
 
 def pytest_collection_modifyitems(items):
     # safer to refer to fixture fns instead of strings
-    client_fixtures = [x.__name__ for x in [a, w, ucws, ucacct]]
+    client_fixtures = [x.__name__ for x in [a, w, ucws, ucacct, unified_config, isolated_env]]
     for item in items:
         current_fixtures = getattr(item, "fixturenames", ())
         for requires_client in client_fixtures:
@@ -92,8 +93,10 @@ def unified_config(env_or_skip) -> Config:
     _load_debug_env_if_runs_from_ide("account")
     env_or_skip("CLOUD_ENV")
     config = Config()
+    config.host = env_or_skip("UNIFIED_HOST")
     config.workspace_id = env_or_skip("TEST_WORKSPACE_ID")
     config.experimental_is_unified_host = True
+    config._fix_host_if_needed()
     return config
 
 
@@ -117,6 +120,39 @@ def ucws(env_or_skip) -> WorkspaceClient:
     return WorkspaceClient()
 
 
+@pytest.fixture
+def isolated_env(monkeypatch):
+    """Fixture for tests that need to construct a client with explicit parameters
+    only, without Config picking up env vars automatically.
+
+    Usage:
+        def test_something(isolated_env):
+            env = isolated_env("workspace")  # loads debug-env key when running from IDE
+            host = env("UNIFIED_HOST")
+
+    The first call takes a debug-env key (used only when running from an IDE).
+    Returns a callable that looks up vars from the original environment snapshot
+    (skipping the test if missing). All Config-related env vars are removed so
+    the client only sees explicitly passed parameters."""
+
+    def init(debug_env_key: str):
+        _load_debug_env_if_runs_from_ide(debug_env_key)
+        original_env = os.environ.copy()
+
+        for attr in vars(Config).values():
+            if isinstance(attr, ConfigAttribute) and attr.env:
+                monkeypatch.delenv(attr.env, raising=False)
+
+        def get(var: str) -> str:
+            if var not in original_env:
+                pytest.skip(f"Environment variable {var} is missing")
+            return original_env[var]
+
+        return get
+
+    return init
+
+
 @pytest.fixture(scope="session")
 def env_or_skip():
 

tests/integration/conftest.py

@@ -1,7 +1,17 @@
+import pytest
+
 from databricks.sdk import AccountClient, WorkspaceClient
+from databricks.sdk.environments import Cloud
+
+from .conftest import _is_cloud
 
 
 def test_workspace_operations(unified_config):
+    # GCP google-credentials auth produces a workspace-local SP that is not
+    # federated at the account level. Workspace APIs via the unified host
+    # return 401 for this SP. See test_spog_workspace_google_credentials.
+    if _is_cloud(Cloud.GCP):
+        pytest.skip("google-credentials workspace ops not supported on unified hosts (workspace-local SP)")
     client = WorkspaceClient(config=unified_config)
     user = client.current_user.me()
     assert user is not None
@@ -11,3 +21,151 @@ def test_account_operations(unified_config):
     client = AccountClient(config=unified_config)
     groups = client.groups.list()
     assert groups is not None
+
+
+# SPOG/W — Workspace operations on unified host with explicit auth
+
+
+# Environment: azure-prod-pat
+def test_spog_workspace_pat(isolated_env):
+    env = isolated_env("workspace")
+    host = env("UNIFIED_HOST")
+    workspace_id = env("TEST_WORKSPACE_ID")
+    account_id = env("TEST_ACCOUNT_ID")
+    token = env("DATABRICKS_TOKEN")
+    ws = WorkspaceClient(
+        host=host,
+        workspace_id=workspace_id,
+        account_id=account_id,
+        token=token,
+    )
+    me = ws.current_user.me()
+    assert me.user_name
+
+
+# Environment: azure-prod-ucws
+def test_spog_workspace_oauth_m2m(isolated_env):
+    env = isolated_env("ucws")
+    host = env("UNIFIED_HOST")
+    client_id = env("TEST_DATABRICKS_CLIENT_ID")
+    client_secret = env("TEST_DATABRICKS_CLIENT_SECRET")
+    workspace_id = env("THIS_WORKSPACE_ID")
+    account_id = env("TEST_ACCOUNT_ID")
+    ws = WorkspaceClient(
+        host=host,
+        client_id=client_id,
+        client_secret=client_secret,
+        workspace_id=workspace_id,
+        account_id=account_id,
+        auth_type="oauth-m2m",
+    )
+    me = ws.current_user.me()
+    assert me.user_name
+
+
+# Environment: azure-prod-ucws
+def test_spog_workspace_azure_client_secret(isolated_env):
+    env = isolated_env("ucws")
+    host = env("UNIFIED_HOST")
+    workspace_id = env("THIS_WORKSPACE_ID")
+    account_id = env("TEST_ACCOUNT_ID")
+    azure_client_id = env("ARM_CLIENT_ID")
+    azure_client_secret = env("ARM_CLIENT_SECRET")
+    azure_tenant_id = env("ARM_TENANT_ID")
+    ws = WorkspaceClient(
+        host=host,
+        workspace_id=workspace_id,
+        account_id=account_id,
+        azure_client_id=azure_client_id,
+        azure_client_secret=azure_client_secret,
+        azure_tenant_id=azure_tenant_id,
+        auth_type="azure-client-secret",
+    )
+    me = ws.current_user.me()
+    assert me.user_name
+
+
+# Environment: gcp-prod-ucacct
+def test_spog_workspace_google_credentials(isolated_env):
+    # google-credentials uses a GCP ID token with target_audience=cfg.host.
+    # On the unified host this produces the same token for both account and workspace
+    # requests (identical OIDC exchange, identical audience). Account-level APIs accept
+    # this token, but workspace-level APIs return 401. The X-Databricks-Org-Id header
+    # is set correctly. This appears to be a server-side limitation on unified hosts.
+    pytest.skip("google-credentials ID token is rejected for workspace operations on unified hosts")
+    env = isolated_env("ucacct")
+    host = env("UNIFIED_HOST")
+    account_id = env("DATABRICKS_ACCOUNT_ID")
+    google_credentials = env("GOOGLE_CREDENTIALS")
+    google_service_account = env("DATABRICKS_GOOGLE_SERVICE_ACCOUNT")
+    workspace_id = env("TEST_WORKSPACE_ID")
+
+    ws = WorkspaceClient(
+        host=host,
+        workspace_id=workspace_id,
+        account_id=account_id,
+        google_credentials=google_credentials,
+        google_service_account=google_service_account,
+        auth_type="google-credentials",
+    )
+    me = ws.current_user.me()
+    assert me.user_name
+
+
+# SPOG/A — Account operations on unified host with explicit auth
+
+
+# Environment: azure-prod-acct
+def test_spog_account_oauth_m2m(isolated_env):
+    env = isolated_env("ucacct")
+    host = env("UNIFIED_HOST")
+    account_id = env("DATABRICKS_ACCOUNT_ID")
+    client_id = env("TEST_DATABRICKS_CLIENT_ID")
+    client_secret = env("TEST_DATABRICKS_CLIENT_SECRET")
+    ac = AccountClient(
+        host=host,
+        account_id=account_id,
+        client_id=client_id,
+        client_secret=client_secret,
+        auth_type="oauth-m2m",
+    )
+    sps = ac.service_principals.list()
+    next(sps)
+
+
+# Environment: azure-prod-acct
+def test_spog_account_azure_client_secret(isolated_env):
+    env = isolated_env("ucacct")
+    host = env("UNIFIED_HOST")
+    account_id = env("DATABRICKS_ACCOUNT_ID")
+    azure_client_id = env("ARM_CLIENT_ID")
+    azure_client_secret = env("ARM_CLIENT_SECRET")
+    azure_tenant_id = env("ARM_TENANT_ID")
+    ac = AccountClient(
+        host=host,
+        account_id=account_id,
+        azure_client_id=azure_client_id,
+        azure_client_secret=azure_client_secret,
+        azure_tenant_id=azure_tenant_id,
+        auth_type="azure-client-secret",
+    )
+    sps = ac.service_principals.list()
+    next(sps)
+
+
+# Environment: gcp-prod-ucacct
+def test_spog_account_google_credentials(isolated_env):
+    env = isolated_env("ucacct")
+    host = env("UNIFIED_HOST")
+    account_id = env("DATABRICKS_ACCOUNT_ID")
+    google_credentials = env("GOOGLE_CREDENTIALS")
+    google_service_account = env("DATABRICKS_GOOGLE_SERVICE_ACCOUNT")
+    ac = AccountClient(
+        host=host,
+        account_id=account_id,
+        google_credentials=google_credentials,
+        google_service_account=google_service_account,
+        auth_type="google-credentials",
+    )
+    sps = ac.service_principals.list()
+    next(sps)