update authentication tests

threcc · threcc · commit 35fca5ddaf72 · 2026-03-06T09:48:55.000+01:00
diff --git a/tests/model_serving/model_server/kserve/authentication/conftest.py b/tests/model_serving/model_server/kserve/authentication/conftest.py
@@ -28,7 +28,6 @@
     create_isvc_view_role,
     get_pods_by_isvc_label,
 )
-from utilities.jira import is_jira_open
 from utilities.logger import RedactedString
 from utilities.serving_runtime import ServingRuntimeFromTemplate
 
@@ -74,7 +73,6 @@ def http_raw_inference_token(model_service_account: ServiceAccount, http_raw_rol
 
 @pytest.fixture()
 def patched_remove_raw_authentication_isvc(
-    admin_client: DynamicClient,
     unprivileged_client: DynamicClient,
     http_s3_ovms_raw_inference_service: InferenceService,
 ) -> Generator[InferenceService, Any, Any]:
@@ -92,8 +90,7 @@ def patched_remove_raw_authentication_isvc(
             }
         }
     ):
-        if is_jira_open(jira_id="RHOAIENG-19275", admin_client=admin_client):
-            predictor_pod.wait_deleted()
+        predictor_pod.wait_deleted()
 
         yield http_s3_ovms_raw_inference_service
 
diff --git a/tests/model_serving/model_server/kserve/authentication/test_kserve_token_authentication_raw.py b/tests/model_serving/model_server/kserve/authentication/test_kserve_token_authentication_raw.py
@@ -3,9 +3,8 @@
 
 from tests.model_serving.model_server.utils import verify_inference_response
 from utilities.constants import Annotations, Protocols
-from utilities.inference_utils import Inference, UserInference
+from utilities.inference_utils import Inference
 from utilities.infra import check_pod_status_in_time, get_pods_by_isvc_label
-from utilities.jira import is_jira_open
 from utilities.manifests.onnx import ONNX_INFERENCE_CONFIG
 
 pytestmark = pytest.mark.usefixtures("valid_aws_config")
@@ -50,14 +49,15 @@ def test_disabled_raw_model_authentication(self, patched_remove_raw_authenticati
         )
 
     @pytest.mark.sanity
-    @pytest.mark.jira("RHOAIENG-19275", run=False)
     def test_raw_disable_enable_authentication_no_pod_rollout(self, http_s3_ovms_raw_inference_service):
         """Verify no pod rollout when disabling and enabling authentication"""
         pod = get_pods_by_isvc_label(
             client=http_s3_ovms_raw_inference_service.client,
             isvc=http_s3_ovms_raw_inference_service,
         )[0]
 
+        import pdb; pdb.set_trace()
+
         ResourceEditor(
             patches={
                 http_s3_ovms_raw_inference_service: {
@@ -101,37 +101,15 @@ def test_re_enabled_raw_model_authentication(self, http_s3_ovms_raw_inference_se
     )
     @pytest.mark.dependency(name="test_cross_model_authentication_raw")
     def test_cross_model_authentication_raw(
-        self, http_s3_ovms_raw_inference_service_2, http_raw_inference_token, admin_client
+        self, http_s3_ovms_raw_inference_service_2, http_raw_inference_token
     ):
         """Verify model with another model token"""
-        if is_jira_open(jira_id="RHOAIENG-19645", admin_client=admin_client):
-            inference = UserInference(
-                inference_service=http_s3_ovms_raw_inference_service_2,
-                inference_config=ONNX_INFERENCE_CONFIG,
-                inference_type=Inference.INFER,
-                protocol=Protocols.HTTPS,
-            )
-
-            res = inference.run_inference_flow(
-                model_name=http_s3_ovms_raw_inference_service_2.name,
-                use_default_query=True,
-                token=http_raw_inference_token,
-                insecure=False,
-            )
-            output = res.get("output", res)
-            if isinstance(output, dict):
-                output = str(output)
-            status_line = output.splitlines()[0]
-            # Updated: Now expecting 403 Forbidden for cross-model authentication
-            # (token from service 1 cannot access service 2)
-            assert "403 Forbidden" in status_line, f"Expected '403 Forbidden' in status line, got: {status_line}"
-        else:
-            verify_inference_response(
-                inference_service=http_s3_ovms_raw_inference_service_2,
-                inference_config=ONNX_INFERENCE_CONFIG,
-                inference_type=Inference.INFER,
-                protocol=Protocols.HTTPS,
-                use_default_query=True,
-                token=http_raw_inference_token,
-                authorized_user=False,
-            )
+        verify_inference_response(
+            inference_service=http_s3_ovms_raw_inference_service_2,
+            inference_config=ONNX_INFERENCE_CONFIG,
+            inference_type=Inference.INFER,
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+            token=http_raw_inference_token,
+            authorized_user=False,
+        )
diff --git a/tests/model_serving/model_server/utils.py b/tests/model_serving/model_server/utils.py
@@ -92,6 +92,9 @@ def verify_inference_response(
         ):
             assert "x-forbidden-reason: Access to the InferenceGraph is not allowed" in res["output"]
 
+        elif "403 Forbidden" in res["output"]:
+            assert re.search(r"Forbidden \(user=.*verb=get.*resource=inferenceservices", res["output"])
+
         else:
             raise ValueError(f"Auth header {auth_header} not found in response. Response: {res['output']}")
 
