safely handle refresh attempt on datadog pat

Author: srest2021

src/sentry/seer/endpoints/seer_rpc.py

@@ -49,6 +49,7 @@
 from sentry.hybridcloud.rpc.service import RpcAuthenticationSetupException, RpcResolutionException
 from sentry.hybridcloud.rpc.sig import SerializableFunctionValueException
 from sentry.identity import default_manager as identity_manager
+from sentry.identity.oauth2 import OAuth2Provider
 from sentry.identity.services.identity import identity_service
 from sentry.integrations.github_enterprise.integration import GitHubEnterpriseIntegration
 from sentry.integrations.services.integration import integration_service
@@ -949,8 +950,12 @@ def refresh_monitoring_provider_token(
     if idp is None or idp.type not in MONITORING_PROVIDERS:
         return RefreshMonitoringProviderTokenErrorResponse(error="identity_not_found")
 
+    provider = identity_manager.get(idp.type)
+    if not isinstance(provider, OAuth2Provider):
+        # Static-token providers (e.g. Datadog PAT) have no refresh flow.
+        return RefreshMonitoringProviderTokenErrorResponse(error="refresh_not_supported")
+
     try:
-        provider = identity_manager.get(idp.type)
         provider.refresh_identity(identity)
     except IdentityNotValid:
         return RefreshMonitoringProviderTokenErrorResponse(error="identity_not_valid")

src/sentry/seer/sentry_data_models.py

@@ -885,7 +885,7 @@ def __contains__(self, key: object) -> bool:
 
 
 class RefreshMonitoringProviderTokenErrorResponse(BaseModel):
-    """`refresh_monitoring_provider_token` error: `{"error": <code>}`. The four
+    """`refresh_monitoring_provider_token` error: `{"error": <code>}`. The
     error codes the function emits — one per refusal branch — encoded as a
     Literal so the seer-side caller can switch on them safely."""
 
@@ -894,6 +894,7 @@ class RefreshMonitoringProviderTokenErrorResponse(BaseModel):
         "identity_not_found",
         "identity_not_valid",
         "refresh_failed",
+        "refresh_not_supported",
     ]
 
     def __getitem__(self, key: str) -> Any:

tests/sentry/seer/endpoints/test_seer_rpc.py

@@ -1825,6 +1825,20 @@ def test_missing_access_token_after_refresh(self) -> None:
         # Not "identity_not_valid" due to KeyError from get_oauth_data before reaching the .get() guard
         assert result == {"error": "refresh_failed"}
 
+    def test_pat_provider_not_refreshable(self) -> None:
+        # Static-token providers (Datadog PAT) have no refresh flow.
+        pat_idp = self.create_identity_provider(type="datadog_pat", external_id="dd-org-pat")
+        pat_identity = self.create_identity(
+            user=self.user,
+            identity_provider=pat_idp,
+            external_id="dd-user-pat",
+            data={"access_token": "pat-tok", "site": "datadoghq.com"},
+        )
+
+        result = refresh_monitoring_provider_token(identity_id=pat_identity.id)
+
+        assert result == {"error": "refresh_not_supported"}
+
 
 @with_feature("organizations:pr-metrics-attribution")
 @cell_silo_test