test: add API key authorization tests

SB159 · SB159 · commit 24ea26be3036 · 2026-03-18T12:08:39.000-05:00
Signed-off-by: Swati Mukund Bagal &lt;sbagal@redhat.com&gt;
diff --git a/tests/model_serving/maas_billing/maas_subscription/conftest.py b/tests/model_serving/maas_billing/maas_subscription/conftest.py
@@ -7,6 +7,7 @@
 import pytest
 import requests
 from kubernetes.dynamic import DynamicClient
+from ocp_resources.cluster_role_binding import ClusterRoleBinding
 from ocp_resources.data_science_cluster import DataScienceCluster
 from ocp_resources.deployment import Deployment
 from ocp_resources.llm_inference_service import LLMInferenceService
@@ -24,10 +25,12 @@
 from tests.model_serving.maas_billing.maas_subscription.utils import (
     MAAS_DB_NAMESPACE,
     MAAS_SUBSCRIPTION_NAMESPACE,
+    create_and_yield_api_key_id,
     create_api_key,
     create_maas_subscription,
     get_maas_postgres_resources,
     patch_llmisvc_with_maas_router_and_tiers,
+    resolve_api_key_username,
     revoke_api_key,
     wait_for_postgres_connection_log,
     wait_for_postgres_deployment_ready,
@@ -662,22 +665,87 @@ def active_api_key_id(
     """
     Create a single active API key and return its ID for revoke tests.
     """
-    key_name = f"e2e-fixture-key-{generate_random_name()}"
-    _, body = create_api_key(
+    yield from create_and_yield_api_key_id(
+        request_session_http=request_session_http,
         base_url=base_url,
         ocp_user_token=ocp_token_for_actor,
-        request_session_http=request_session_http,
-        api_key_name=key_name,
+        key_name_prefix="e2e-fixture-key",
     )
-    LOGGER.info(f"active_api_key_id: created key id={body['id']}")
-    yield body["id"]
-    LOGGER.info(f"Fixture teardown: revoking key {body['id']}")
-    revoke_api_key(
+
+
+@pytest.fixture(scope="function")
+def free_user_username(
+    request_session_http: requests.Session,
+    base_url: str,
+    ocp_token_for_actor: str,
+    active_api_key_id: str,
+) -> str:
+    """Resolve and return the free (non-admin) actor's username from their active API key."""
+    username = resolve_api_key_username(
         request_session_http=request_session_http,
         base_url=base_url,
-        key_id=body["id"],
+        key_id=active_api_key_id,
         ocp_user_token=ocp_token_for_actor,
     )
+    LOGGER.info(f"free_user_username: resolved username='{username}' from key id={active_api_key_id}")
+    return username
+
+
+@pytest.fixture(scope="function")
+def admin_username(
+    request_session_http: requests.Session,
+    base_url: str,
+    admin_ocp_token: str,
+    admin_active_api_key_id: str,
+) -> str:
+    """Resolve and return the admin actor's username from their active API key."""
+    username = resolve_api_key_username(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        key_id=admin_active_api_key_id,
+        ocp_user_token=admin_ocp_token,
+    )
+    LOGGER.info(f"admin_username: resolved username='{username}' from key id={admin_active_api_key_id}")
+    return username
+
+
+@pytest.fixture(scope="function")
+def admin_active_api_key_id(
+    request_session_http: requests.Session,
+    base_url: str,
+    admin_ocp_token: str,
+) -> Generator[str, Any, Any]:
+    """Create an active API key as the admin user, yield its ID, and revoke on teardown."""
+    yield from create_and_yield_api_key_id(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        ocp_user_token=admin_ocp_token,
+        key_name_prefix="e2e-authz-admin",
+    )
+
+
+@pytest.fixture(scope="class")
+def admin_ocp_token(admin_client: DynamicClient) -> Generator[str, Any, Any]:
+    """OCP bearer token for a dedicated SA with cluster-admin ClusterRole, recognised as admin by MaaS API."""
+    applications_namespace = py_config["applications_namespace"]
+    sa_name = f"maas-e2e-admin-{generate_random_name()}"
+
+    with ServiceAccount(
+        client=admin_client,
+        namespace=applications_namespace,
+        name=sa_name,
+        teardown=True,
+    ) as sa:
+        sa.wait(timeout=60)
+
+        with ClusterRoleBinding(
+            client=admin_client,
+            name=sa_name,
+            cluster_role="cluster-admin",
+            subjects=[{"kind": "ServiceAccount", "name": sa_name, "namespace": applications_namespace}],
+            teardown=True,
+        ):
+            yield create_inference_token(model_service_account=sa)
 
 
 @pytest.fixture(scope="function")
diff --git a/tests/model_serving/maas_billing/maas_subscription/test_api_key_authorization.py b/tests/model_serving/maas_billing/maas_subscription/test_api_key_authorization.py
@@ -0,0 +1,161 @@
+from __future__ import annotations
+
+import pytest
+import requests
+from simple_logger.logger import get_logger
+
+from tests.model_serving.maas_billing.maas_subscription.utils import (
+    list_api_keys,
+    get_api_key,
+    revoke_api_key,
+)
+
+LOGGER = get_logger(name=__name__)
+
+
+@pytest.mark.parametrize("ocp_token_for_actor", [{"type": "free"}], indirect=True)
+@pytest.mark.usefixtures(
+    "maas_subscription_controller_enabled_latest",
+    "maas_gateway_api",
+    "maas_api_gateway_reachable",
+)
+class TestAPIKeyAuthorization:
+    """Tests for MaaS API key admin and non-admin access control."""
+
+    @pytest.mark.tier1
+    def test_admin_manage_other_users_keys(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        admin_ocp_token: str,
+        active_api_key_id: str,
+        free_user_username: str,
+    ) -> None:
+        """Verify an admin can search for another user's keys by username and revoke them."""
+        list_resp, list_body = list_api_keys(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            ocp_user_token=admin_ocp_token,
+            filters={"username": free_user_username, "status": ["active"]},
+            sort={"by": "created_at", "order": "desc"},
+            pagination={"limit": 50, "offset": 0},
+        )
+        assert list_resp.status_code == 200, (
+            f"Expected 200 on admin search for username='{free_user_username}', "
+            f"got {list_resp.status_code}: {list_resp.text[:200]}"
+        )
+        items: list[dict] = list_body.get("items") or list_body.get("data") or []
+        key_ids = [item["id"] for item in items]
+        assert active_api_key_id in key_ids, (
+            f"Expected free user's key id={active_api_key_id} in admin search results "
+            f"for username='{free_user_username}', found ids={key_ids}"
+        )
+        LOGGER.info(f"[authz] Admin found {len(items)} active key(s) for user='{free_user_username}'")
+
+        revoke_resp, revoke_body = revoke_api_key(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            key_id=active_api_key_id,
+            ocp_user_token=admin_ocp_token,
+        )
+        assert revoke_resp.status_code == 200, (
+            f"Expected 200 on admin DELETE /v1/api-keys/{active_api_key_id}, "
+            f"got {revoke_resp.status_code}: {revoke_resp.text[:200]}"
+        )
+        assert revoke_body.get("status") == "revoked", (
+            f"Expected status='revoked' in admin revoke response, got: {revoke_body}"
+        )
+        LOGGER.info(f"[authz] Admin successfully revoked free user's key id={active_api_key_id}")
+
+    @pytest.mark.tier1
+    def test_non_admin_cannot_access_other_users_keys(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
+        admin_active_api_key_id: str,
+    ) -> None:
+        """Verify a non-admin user gets 404 when accessing another user's API key."""
+        get_resp, _ = get_api_key(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            key_id=admin_active_api_key_id,
+            ocp_user_token=ocp_token_for_actor,
+        )
+        assert get_resp.status_code == 404, (
+            f"Expected 404 (IDOR protection) on free user GET of admin's key id={admin_active_api_key_id}, "
+            f"got {get_resp.status_code}: {get_resp.text[:200]}"
+        )
+        LOGGER.info(f"[authz] Free user correctly received 404 on GET of admin's key id={admin_active_api_key_id}")
+
+        revoke_resp, _ = revoke_api_key(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            key_id=admin_active_api_key_id,
+            ocp_user_token=ocp_token_for_actor,
+        )
+        assert revoke_resp.status_code == 404, (
+            f"Expected 404 (IDOR protection) on free user DELETE of admin's key id={admin_active_api_key_id}, "
+            f"got {revoke_resp.status_code}: {revoke_resp.text[:200]}"
+        )
+        LOGGER.info(f"[authz] Free user correctly received 404 on DELETE of admin's key id={admin_active_api_key_id}")
+
+    @pytest.mark.tier1
+    def test_non_admin_search_only_returns_own_keys(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
+        active_api_key_id: str,
+        admin_active_api_key_id: str,
+    ) -> None:
+        """Verify a non-admin user's search results contain only their own keys."""
+        list_resp, list_body = list_api_keys(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            ocp_user_token=ocp_token_for_actor,
+            filters={"status": ["active"]},
+            sort={"by": "created_at", "order": "desc"},
+            pagination={"limit": 50, "offset": 0},
+        )
+        assert list_resp.status_code == 200, (
+            f"Expected 200 on free user search, got {list_resp.status_code}: {list_resp.text[:200]}"
+        )
+        items: list[dict] = list_body.get("items") or list_body.get("data") or []
+        key_ids = [item["id"] for item in items]
+
+        assert active_api_key_id in key_ids, (
+            f"Expected free user's own key id={active_api_key_id} in results, found ids={key_ids}"
+        )
+        assert admin_active_api_key_id not in key_ids, (
+            f"Admin's key id={admin_active_api_key_id} must NOT appear in free user's search results"
+        )
+        LOGGER.info(
+            f"[authz] Free user search returned {len(items)} key(s) — "
+            f"own key present, admin's key correctly excluded"
+        )
+
+    @pytest.mark.tier1
+    def test_non_admin_cannot_search_by_other_username(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
+        admin_username: str,
+    ) -> None:
+        """Verify a non-admin user gets 403 when searching with another user's username as a filter."""
+        list_resp, _ = list_api_keys(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            ocp_user_token=ocp_token_for_actor,
+            filters={"username": admin_username, "status": ["active"]},
+            sort={"by": "created_at", "order": "desc"},
+            pagination={"limit": 50, "offset": 0},
+        )
+        assert list_resp.status_code == 403, (
+            f"Expected 403 when free user searches by admin username='{admin_username}', "
+            f"got {list_resp.status_code}: {list_resp.text[:200]}"
+        )
+        LOGGER.info(
+            f"[authz] Free user correctly received 403 when searching by admin username='{admin_username}'"
+        )
diff --git a/tests/model_serving/maas_billing/maas_subscription/utils.py b/tests/model_serving/maas_billing/maas_subscription/utils.py
@@ -25,6 +25,7 @@
     MAAS_GATEWAY_NAMESPACE,
     ApiGroups,
 )
+from utilities.general import generate_random_name
 
 LOGGER = get_logger(name=__name__)
 MAAS_SUBSCRIPTION_NAMESPACE = "models-as-a-service"
@@ -282,6 +283,52 @@ def list_api_keys(
     return response, parsed_body
 
 
+def resolve_api_key_username(
+    request_session_http: requests.Session,
+    base_url: str,
+    key_id: str,
+    ocp_user_token: str,
+) -> str:
+    """Fetch an API key by ID and return the owner's username."""
+    get_resp, get_body = get_api_key(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        key_id=key_id,
+        ocp_user_token=ocp_user_token,
+    )
+    assert get_resp.status_code == 200, (
+        f"Expected 200 on GET /v1/api-keys/{key_id}, got {get_resp.status_code}: {get_resp.text[:200]}"
+    )
+    username = get_body.get("username") or get_body.get("owner")
+    assert username, f"Expected 'username' or 'owner' field in GET response: {get_body}"
+    return username
+
+
+def create_and_yield_api_key_id(
+    request_session_http: requests.Session,
+    base_url: str,
+    ocp_user_token: str,
+    key_name_prefix: str,
+) -> Generator[str]:
+    """Create an API key, yield its ID, and revoke it on teardown."""
+    key_name = f"{key_name_prefix}-{generate_random_name()}"
+    _, body = create_api_key(
+        base_url=base_url,
+        ocp_user_token=ocp_user_token,
+        request_session_http=request_session_http,
+        api_key_name=key_name,
+    )
+    LOGGER.info(f"create_and_yield_api_key_id: created key id={body['id']} name={key_name}")
+    yield body["id"]
+    LOGGER.info(f"create_and_yield_api_key_id: teardown revoking key id={body['id']}")
+    revoke_api_key(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        key_id=body["id"],
+        ocp_user_token=ocp_user_token,
+    )
+
+
 def revoke_api_key(
     request_session_http: requests.Session,
     base_url: str,
