E2E Test for Token Authentication (opendatahub-io#4572)

* add E2E test to validate token authentication

* copy tokens from UI

* remove comment

Author: katieperry4

frontend/src/__tests__/cypress/cypress/fixtures/e2e/dataScienceProjects/testModelTokenAuth.yaml

@@ -0,0 +1,6 @@
+# testModelTokenAuth.cy.ts Test Data #
+projectResourceName: 'test-model-token-auth'
+projectDisplayName: 'Test Model Token Auth'
+singleModelName: 'test-model'
+modelOpenVinoExamplePath: 'kserve-openvino-test/openvino-example-model/'
+

frontend/src/__tests__/cypress/cypress/pages/modelServing.ts

@@ -108,6 +108,13 @@ class ModelServingGlobal {
   findServingRuntime(name: string) {
     return this.findModelsTable().find(`[data-label=Serving Runtime]`).contains(name);
   }
+
+  findTokenCopyButton(index: number) {
+    if (index === 0) {
+      return cy.findAllByTestId('token-secret').findAllByRole('button').eq(0);
+    }
+    return cy.findAllByTestId('token-secret').eq(index).findAllByRole('button').eq(0);
+  }
 }
 
 class ServingRuntimeGroup extends Contextual<HTMLElement> {}
@@ -243,6 +250,14 @@ class InferenceServiceModal extends ServingModal {
     return this.find().findByTestId('service-account-form-name');
   }
 
+  findServiceAccountIndex(index: number) {
+    return this.find().findAllByTestId('service-account-form-name').eq(index);
+  }
+
+  findAddServiceAccountButton() {
+    return this.find().findByTestId('add-service-account-button');
+  }
+
   findExistingConnectionSelect() {
     return this.find().findByTestId('typeahead-menu-toggle');
   }

frontend/src/__tests__/cypress/cypress/tests/e2e/dataScienceProjects/models/testModelTokenAuth.cy.ts

@@ -0,0 +1,165 @@
+import { projectListPage, projectDetails } from '#~/__tests__/cypress/cypress/pages/projects';
+import {
+  modelServingGlobal,
+  inferenceServiceModal,
+  modelServingSection,
+  kserveModalEdit,
+} from '#~/__tests__/cypress/cypress/pages/modelServing';
+import type { DataScienceProjectData } from '#~/__tests__/cypress/cypress/types';
+import { loadDSPFixture } from '#~/__tests__/cypress/cypress/utils/dataLoader';
+import { retryableBefore } from '#~/__tests__/cypress/cypress/utils/retryableHooks';
+import { generateTestUUID } from '#~/__tests__/cypress/cypress/utils/uuidGenerator';
+import {
+  checkInferenceServiceState,
+  modelExternalTester,
+  provisionProjectForModelServing,
+  verifyModelExternalToken,
+} from '#~/__tests__/cypress/cypress/utils/oc_commands/modelServing';
+import { deleteOpenShiftProject } from '#~/__tests__/cypress/cypress/utils/oc_commands/project';
+import { HTPASSWD_CLUSTER_ADMIN_USER } from '#~/__tests__/cypress/cypress/utils/e2eUsers';
+
+let testData: DataScienceProjectData;
+let projectName: string;
+let modelName: string;
+let modelFilePath: string;
+const awsBucket = 'BUCKET_1' as const;
+const uuid = generateTestUUID();
+
+describe('A model can be deployed with token auth', () => {
+  retryableBefore(() => {
+    cy.log('Loading test data');
+    return loadDSPFixture('e2e/dataScienceProjects/testModelTokenAuth.yaml').then(
+      (fixtureData: DataScienceProjectData) => {
+        testData = fixtureData;
+        projectName = `${testData.projectResourceName}-${uuid}`;
+        modelName = testData.singleModelName;
+        modelFilePath = testData.modelOpenVinoExamplePath;
+
+        if (!projectName) {
+          throw new Error('Project name is undefined or empty in the loaded fixture');
+        }
+        cy.log(`Loaded project name: ${projectName}`);
+        // Create a Project
+        provisionProjectForModelServing(
+          projectName,
+          awsBucket,
+          'resources/yaml/data_connection_model_serving.yaml',
+        );
+      },
+    );
+  });
+  after(() => {
+    // Delete provisioned Project - wait for completion due to RHOAIENG-19969 to support test retries, 5 minute timeout
+    // TODO: Review this timeout once RHOAIENG-19969 is resolved
+    deleteOpenShiftProject(projectName, { wait: true, ignoreNotFound: true, timeout: 300000 });
+  });
+
+  it(
+    'Verify that a model can be deployed with token auth',
+    { tags: ['@Smoke', '@SmokeSet3', '@Dashboard', '@ModelServing'] },
+    () => {
+      cy.log('Model Name:', modelName);
+      cy.step(`Log into the application with ${HTPASSWD_CLUSTER_ADMIN_USER.USERNAME}`);
+      cy.visitWithLogin('/', HTPASSWD_CLUSTER_ADMIN_USER);
+
+      // Project navigation
+      cy.step(`Navigate to the Project list tab and search for ${projectName}`);
+      projectListPage.navigate();
+      projectListPage.filterProjectByName(projectName);
+      projectListPage.findProjectLink(projectName).click();
+
+      // Navigate to Model Serving tab and Deploy a model
+      cy.step('Navigate to Model Serving and click to Deploy a model');
+      projectDetails.findSectionTab('model-server').click();
+      modelServingGlobal.findSingleServingModelButton().click();
+      modelServingGlobal.findDeployModelButton().click();
+
+      // Launch a model
+      cy.step('Launch a Single Serving Model using Openvino');
+      inferenceServiceModal.findModelNameInput().type(testData.singleModelName);
+      inferenceServiceModal.findServingRuntimeTemplateSearchSelector().click();
+      inferenceServiceModal.findGlobalScopedTemplateOption('OpenVINO Model Server').click();
+      inferenceServiceModal.findModelFrameworkSelect().click();
+      inferenceServiceModal.findOpenVinoIROpSet13().click();
+
+      // Enable Model access through an external route
+      cy.step('Enable Model access through an external route');
+      inferenceServiceModal.findDeployedModelRouteCheckbox().click();
+      inferenceServiceModal.findDeployedModelRouteCheckbox().should('be.checked');
+      inferenceServiceModal.findServiceAccountIndex(0).clear();
+      inferenceServiceModal.findServiceAccountIndex(0).type('secret');
+      inferenceServiceModal.findAddServiceAccountButton().click();
+      inferenceServiceModal.findServiceAccountIndex(1).clear();
+      inferenceServiceModal.findServiceAccountIndex(1).type('secret2');
+      inferenceServiceModal.findLocationPathInput().type(modelFilePath);
+      inferenceServiceModal.findSubmitButton().click();
+      inferenceServiceModal.shouldBeOpen(false);
+
+      // Verify the model created
+      cy.step('Verify that the Model is running');
+      checkInferenceServiceState(testData.singleModelName, projectName, {
+        checkReady: true,
+        checkLatestDeploymentReady: true,
+      });
+
+      // Verify the model is not accessible without a token
+      cy.step('Verify the model is not accessible without a token');
+      modelExternalTester(modelName, projectName).then(({ response }) => {
+        expect(response.status).to.equal(401);
+      });
+
+      // Get the tokens from the UI
+      cy.step('Get the tokens from the UI');
+      const kserveRow = modelServingSection.getKServeRow(testData.singleModelName);
+      kserveRow.findToggleButton().click();
+
+      cy.window().then((win) => {
+        const copied: string[] = [];
+        cy.wrap(copied).as('copiedTokens');
+
+        cy.stub(win.navigator.clipboard, 'writeText').callsFake((text: string) => {
+          copied.push(text);
+          return Promise.resolve();
+        });
+      });
+
+      // Click the two copy buttons
+      modelServingGlobal.findTokenCopyButton(0).click();
+      modelServingGlobal.findTokenCopyButton(1).click();
+
+      // Use the copied tokens
+      cy.get<string[]>('@copiedTokens')
+        .should('have.length.at.least', 2)
+        .then((tokens) => {
+          const [token1, token2] = tokens;
+          verifyModelExternalToken(modelName, projectName, token1).then((r) =>
+            expect(r.status).to.equal(200),
+          );
+          verifyModelExternalToken(modelName, projectName, token2).then((r) =>
+            expect(r.status).to.equal(200),
+          );
+        });
+
+      // Remove the token
+      cy.step('Remove the token');
+      modelServingSection
+        .getKServeRow(testData.singleModelName)
+        .find()
+        .findKebabAction('Edit')
+        .click();
+      // Check the service accounts are showing up in the UI
+      kserveModalEdit.findServiceAccountIndex(0).should('have.value', 'secret');
+      kserveModalEdit.findServiceAccountIndex(1).should('have.value', 'secret2');
+      kserveModalEdit.findTokenAuthenticationCheckbox().click();
+      kserveModalEdit.findTokenAuthenticationCheckbox().should('not.be.checked');
+      kserveModalEdit.findSubmitButton().click();
+      kserveModalEdit.shouldBeOpen(false);
+
+      // Verify the model is accessible without a token
+      cy.step('Verify the model is accessible without a token');
+      verifyModelExternalToken(modelName, projectName).then((response) => {
+        expect(response.status).to.equal(200);
+      });
+    },
+  );
+});

frontend/src/__tests__/cypress/cypress/utils/oc_commands/modelServing.ts

@@ -277,6 +277,7 @@ export const checkInferenceServiceState = (
 export const modelExternalTester = (
   modelName: string,
   namespace: string,
+  token?: string,
 ): Cypress.Chainable<{ url: string; response: Cypress.Response<unknown> }> => {
   return cy.exec(`oc get inferenceService ${modelName} -n ${namespace} -o json`).then((result) => {
     const inferenceService = JSON.parse(result.stdout);
@@ -294,7 +295,12 @@ export const modelExternalTester = (
       cy.log(`Request attempt ${attemptNumber} of ${maxAttempts}`);
       cy.log(`Request URL: ${url}/v2/models/${modelName}/infer`);
       cy.log(`Request method: POST`);
-      cy.log(`Request headers: ${JSON.stringify({ 'Content-Type': 'application/json' })}`);
+      cy.log(
+        `Request headers: ${JSON.stringify({
+          'Content-Type': 'application/json',
+          ...(token && { Authorization: `Bearer ${token}` }),
+        })}`,
+      );
       cy.log(
         `Request body: ${JSON.stringify({
           inputs: [
@@ -314,6 +320,7 @@ export const modelExternalTester = (
           url: `${url}/v2/models/${modelName}/infer`,
           headers: {
             'Content-Type': 'application/json',
+            ...(token && { Authorization: `Bearer ${token}` }),
           },
           body: {
             inputs: [
@@ -452,3 +459,60 @@ export const verifyS3CopyCompleted = (
       }
     });
 };
+/**
+ * Retrieve the token for a given service account and model
+ *
+ * @param namespace The namespace where the InferenceService is deployed.
+ * @param serviceAccountName The name of the service account to get the token for.
+ * @param modelName The name of the model to get the token for.
+ * @returns Cypress.Chainable<string> that resolves after validation.
+ */
+export const getModelExternalToken = (
+  namespace: string,
+  serviceAccountName: string,
+  modelName: string,
+): Cypress.Chainable<string> => {
+  return cy
+    .exec(
+      `oc get secret ${serviceAccountName}-${modelName}-sa -n ${namespace} -o jsonpath='{.data.token}' | base64 -d`,
+    )
+    .then((result) => {
+      return result.stdout;
+    });
+};
+
+/**
+ * Verify the model is accessible with a token
+ *
+ * @param modelName The name of the model to test.
+ * @param namespace The namespace where the model is deployed.
+ * @param token The (optional) token to use for the request.
+ * @returns Cypress.Chainable<Cypress.Response<unknown>> that resolves after validation.
+ */
+export const verifyModelExternalToken = (
+  modelName: string,
+  namespace: string,
+  token?: string,
+): Cypress.Chainable<Cypress.Response<unknown>> => {
+  return cy.exec(`oc get inferenceService ${modelName} -n ${namespace} -o json`).then((result) => {
+    const inferenceService = JSON.parse(result.stdout);
+    const { url } = inferenceService.status;
+
+    if (!url) {
+      throw new Error('External URL not found in InferenceService');
+    }
+
+    return cy
+      .request({
+        method: 'GET',
+        url: `${url}/v2/models/${modelName}`,
+        headers: {
+          ...(token && { Authorization: `Bearer ${token}` }),
+        },
+      })
+      .then((response) => {
+        cy.log('Model metadata:', JSON.stringify(response.body));
+        return cy.wrap(response);
+      });
+  });
+};

frontend/src/pages/modelServing/screens/projects/ServingRuntimeModal/ServingRuntimeTokenSection.tsx

@@ -74,6 +74,7 @@ const ServingRuntimeTokenSection = <D extends CreatingModelServingObjectCommon>(
                   variant="link"
                   icon={<PlusCircleIcon />}
                   isDisabled={!allowCreate}
+                  data-testid="add-service-account-button"
                 >
                   Add a service account
                 </Button>