Fix authentication tests for InferenceService (#1175)

threcc · web-flow · commit 41a3ab161562 · 2026-03-09T17:00:13.000Z
* update authentication tests
* skip test with bug
* precommit fixes
diff --git a/tests/model_serving/model_server/kserve/authentication/conftest.py b/tests/model_serving/model_server/kserve/authentication/conftest.py
@@ -13,6 +13,7 @@
 from ocp_resources.secret import Secret
 from ocp_resources.service_account import ServiceAccount
 from ocp_resources.serving_runtime import ServingRuntime
+from simple_logger.logger import get_logger
 
 from utilities.constants import (
     Annotations,
@@ -32,6 +33,8 @@
 from utilities.logger import RedactedString
 from utilities.serving_runtime import ServingRuntimeFromTemplate
 
+LOGGER = get_logger(name=__name__)
+
 
 # HTTP/REST model serving
 @pytest.fixture(scope="class")
@@ -92,7 +95,8 @@ def patched_remove_raw_authentication_isvc(
             }
         }
     ):
-        if is_jira_open(jira_id="RHOAIENG-19275", admin_client=admin_client):
+        if is_jira_open(jira_id="RHOAIENG-52129", admin_client=admin_client):
+            LOGGER.info("RHOAIENG-52129 is open; waiting for predictor pod rollout after auth toggle")
             predictor_pod.wait_deleted()
 
         yield http_s3_ovms_raw_inference_service
diff --git a/tests/model_serving/model_server/kserve/authentication/test_kserve_token_authentication_raw.py b/tests/model_serving/model_server/kserve/authentication/test_kserve_token_authentication_raw.py
@@ -3,9 +3,8 @@
 
 from tests.model_serving.model_server.utils import verify_inference_response
 from utilities.constants import Annotations, Protocols
-from utilities.inference_utils import Inference, UserInference
+from utilities.inference_utils import Inference
 from utilities.infra import check_pod_status_in_time, get_pods_by_isvc_label
-from utilities.jira import is_jira_open
 from utilities.manifests.onnx import ONNX_INFERENCE_CONFIG
 
 pytestmark = pytest.mark.usefixtures("valid_aws_config")
@@ -50,7 +49,7 @@ def test_disabled_raw_model_authentication(self, patched_remove_raw_authenticati
         )
 
     @pytest.mark.sanity
-    @pytest.mark.jira("RHOAIENG-19275", run=False)
+    @pytest.mark.jira("RHOAIENG-52129", run=False)
     def test_raw_disable_enable_authentication_no_pod_rollout(self, http_s3_ovms_raw_inference_service):
         """Verify no pod rollout when disabling and enabling authentication"""
         pod = get_pods_by_isvc_label(
@@ -100,38 +99,14 @@ def test_re_enabled_raw_model_authentication(self, http_s3_ovms_raw_inference_se
         indirect=True,
     )
     @pytest.mark.dependency(name="test_cross_model_authentication_raw")
-    def test_cross_model_authentication_raw(
-        self, http_s3_ovms_raw_inference_service_2, http_raw_inference_token, admin_client
-    ):
+    def test_cross_model_authentication_raw(self, http_s3_ovms_raw_inference_service_2, http_raw_inference_token):
         """Verify model with another model token"""
-        if is_jira_open(jira_id="RHOAIENG-19645", admin_client=admin_client):
-            inference = UserInference(
-                inference_service=http_s3_ovms_raw_inference_service_2,
-                inference_config=ONNX_INFERENCE_CONFIG,
-                inference_type=Inference.INFER,
-                protocol=Protocols.HTTPS,
-            )
-
-            res = inference.run_inference_flow(
-                model_name=http_s3_ovms_raw_inference_service_2.name,
-                use_default_query=True,
-                token=http_raw_inference_token,
-                insecure=False,
-            )
-            output = res.get("output", res)
-            if isinstance(output, dict):
-                output = str(output)
-            status_line = output.splitlines()[0]
-            # Updated: Now expecting 403 Forbidden for cross-model authentication
-            # (token from service 1 cannot access service 2)
-            assert "403 Forbidden" in status_line, f"Expected '403 Forbidden' in status line, got: {status_line}"
-        else:
-            verify_inference_response(
-                inference_service=http_s3_ovms_raw_inference_service_2,
-                inference_config=ONNX_INFERENCE_CONFIG,
-                inference_type=Inference.INFER,
-                protocol=Protocols.HTTPS,
-                use_default_query=True,
-                token=http_raw_inference_token,
-                authorized_user=False,
-            )
+        verify_inference_response(
+            inference_service=http_s3_ovms_raw_inference_service_2,
+            inference_config=ONNX_INFERENCE_CONFIG,
+            inference_type=Inference.INFER,
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+            token=http_raw_inference_token,
+            authorized_user=False,
+        )
diff --git a/tests/model_serving/model_server/utils.py b/tests/model_serving/model_server/utils.py
@@ -92,6 +92,10 @@ def verify_inference_response(
         ):
             assert "x-forbidden-reason: Access to the InferenceGraph is not allowed" in res["output"]
 
+        elif "403 Forbidden" in res["output"]:
+            resource = f"{inference_service.kind.lower()}s"
+            assert re.search(rf"Forbidden \(user=.*verb=get.*resource={resource}", res["output"])
+
         else:
             raise ValueError(f"Auth header {auth_header} not found in response. Response: {res['output']}")
 
