Merge branch 'main' into gpu-skip

Author: mwaykole

tests/model_registry/conftest.py

@@ -414,6 +414,42 @@ def sa_namespace(request: pytest.FixtureRequest, admin_client: DynamicClient) ->
         yield ns
 
 
+@pytest.fixture()
+def login_as_test_user(
+    is_byoidc: bool, api_server_url: str, original_user: str, test_idp_user
+) -> Generator[None, None, None]:
+    """
+    Fixture to log in as a test user and restore original user after test.
+
+    This fixture is used for RBAC tests to switch context to a non-admin test user.
+    Used by both model registry and model catalog RBAC tests.
+    """
+    if is_byoidc:
+        yield
+    else:
+        from utilities.user_utils import UserTestSession
+
+        if isinstance(test_idp_user, UserTestSession):
+            username = test_idp_user.username
+            password = test_idp_user.password
+        else:
+            username = test_idp_user
+            password = None
+
+        LOGGER.info(f"Logging in as {username}")
+        login_with_user_password(
+            api_address=api_server_url,
+            user=username,
+            password=password,
+        )
+        yield
+        LOGGER.info(f"Logging in as {original_user}")
+        login_with_user_password(
+            api_address=api_server_url,
+            user=original_user,
+        )
+
+
 @pytest.fixture(scope="class")
 def service_account(admin_client: DynamicClient, sa_namespace: Namespace) -> Generator[Any, None, None]:
     """

tests/model_registry/model_catalog/catalog_config/test_catalog_rbac.py

@@ -0,0 +1,102 @@
+"""
+Test suite for verifying RBAC permissions for Model Catalog ConfigMaps.
+"""
+
+import pytest
+from simple_logger.logger import get_logger
+
+from kubernetes.dynamic import DynamicClient
+from kubernetes.client.rest import ApiException
+from ocp_resources.config_map import ConfigMap
+from ocp_resources.resource import get_client
+
+from tests.model_registry.constants import DEFAULT_CUSTOM_MODEL_CATALOG, DEFAULT_MODEL_CATALOG_CM
+
+LOGGER = get_logger(name=__name__)
+
+pytestmark = [
+    pytest.mark.usefixtures(
+        "updated_dsc_component_state_scope_session",
+        "model_registry_namespace",
+    )
+]
+
+
+@pytest.mark.skip_must_gather
+class TestCatalogRBAC:
+    """Test suite for catalog ConfigMap RBAC"""
+
+    @pytest.mark.smoke
+    @pytest.mark.pre_upgrade
+    @pytest.mark.post_upgrade
+    @pytest.mark.install
+    @pytest.mark.parametrize("configmap_name", [DEFAULT_MODEL_CATALOG_CM, DEFAULT_CUSTOM_MODEL_CATALOG])
+    def test_admin_can_read_catalog_configmaps(
+        self,
+        admin_client: DynamicClient,
+        model_registry_namespace: str,
+        configmap_name: str,
+    ):
+        """
+        RHOAIENG-41850: Verify that admin users can read both catalog ConfigMaps.
+
+        Admins should have:
+        - get/watch on model-catalog-default-sources (read-only)
+        - get/watch/update/patch on model-catalog-sources (read/write)
+
+        Note: Admin write access to model-catalog-sources is already tested by existing tests
+        (test_custom_model_catalog.py, test_catalog_source_merge.py) which use admin_client
+        to successfully update ConfigMaps via ResourceEditor.
+        """
+        catalog_cm = ConfigMap(
+            name=configmap_name,
+            namespace=model_registry_namespace,
+            client=admin_client,
+        )
+
+        assert catalog_cm.exists, f"ConfigMap '{configmap_name}' not found in namespace '{model_registry_namespace}'"
+
+        data = catalog_cm.instance.data
+        assert data is not None, f"Admin should be able to read ConfigMap '{configmap_name}' data"
+
+        sources_yaml = data.get("sources.yaml")
+        assert sources_yaml is not None, f"ConfigMap '{configmap_name}' should contain 'sources.yaml' key"
+
+        LOGGER.info(f"Admin successfully read ConfigMap '{configmap_name}'")
+
+    @pytest.mark.smoke
+    @pytest.mark.parametrize("configmap_name", [DEFAULT_MODEL_CATALOG_CM, DEFAULT_CUSTOM_MODEL_CATALOG])
+    def test_non_admin_cannot_access_catalog_configmaps(
+        self,
+        is_byoidc: bool,
+        model_registry_namespace: str,
+        user_credentials_rbac: dict[str, str],
+        login_as_test_user: None,
+        configmap_name: str,
+    ):
+        """
+        RHOAIENG-41850: Verify that non-admin users cannot access catalog ConfigMaps,
+        receiving a 403 Forbidden error.
+        """
+        if is_byoidc:
+            pytest.skip(reason="BYOIDC test users may have pre-configured group memberships")
+
+        # get_client() uses the current kubeconfig context (set by login_as_test_user fixture)
+        user_client = get_client()
+
+        with pytest.raises(ApiException) as exc_info:
+            catalog_cm = ConfigMap(
+                name=configmap_name,
+                namespace=model_registry_namespace,
+                client=user_client,
+            )
+            _ = catalog_cm.instance  # Access the ConfigMap instance to trigger the API call
+
+        assert exc_info.value.status == 403, (
+            f"Expected HTTP 403 Forbidden for non-admin user accessing '{configmap_name}', "
+            f"but got {exc_info.value.status}: {exc_info.value.reason}"
+        )
+        LOGGER.info(
+            f"Non-admin user '{user_credentials_rbac['username']}' correctly denied access "
+            f"to ConfigMap '{configmap_name}'"
+        )

tests/model_registry/model_catalog/huggingface/test_huggingface_negative.py

@@ -115,6 +115,20 @@ class TestHuggingFaceNegative:
                 "failed to expand model patterns: no models found",
                 id="test_hf_source_non_existent_allowed_organization",
             ),
+            pytest.param(
+                """
+catalogs:
+    - name: HuggingFace Hub
+      id: error_catalog
+      type: hf
+      enabled: true
+      includedModels:
+      - 'microsoft/phi-3-abc-random'
+""",
+                "Failed to fetch some models, ensure models exist and are accessible with given credentials. "
+                "Failed models: [microsoft/phi-3-abc-random]",
+                id="test_hf_bad_model_name",
+            ),
         ],
         indirect=["updated_catalog_config_map_scope_function"],
     )

tests/model_registry/model_registry/rbac/conftest.py

@@ -20,7 +20,6 @@
 
 from tests.model_registry.model_registry.rbac.utils import create_role_binding
 from utilities.user_utils import UserTestSession
-from utilities.infra import login_with_user_password
 from tests.model_registry.model_registry.rbac.group_utils import create_group
 from tests.model_registry.constants import (
     MR_INSTANCE_NAME,
@@ -238,27 +237,6 @@ def model_registry_instance_parametrized(
         yield model_registry_instances
 
 
-@pytest.fixture()
-def login_as_test_user(
-    is_byoidc: bool, api_server_url: str, original_user: str, test_idp_user: UserTestSession
-) -> Generator[None, None, None]:
-    if is_byoidc:
-        yield
-    else:
-        LOGGER.info(f"Logging in as {test_idp_user.username}")
-        login_with_user_password(
-            api_address=api_server_url,
-            user=test_idp_user.username,
-            password=test_idp_user.password,
-        )
-        yield
-        LOGGER.info(f"Logging in as {original_user}")
-        login_with_user_password(
-            api_address=api_server_url,
-            user=original_user,
-        )
-
-
 @pytest.fixture()
 def skip_test_on_byoidc(is_byoidc: bool) -> None:
     if is_byoidc: