ADD test for cross model auth and enable token and verify (#126)

mwaykole · Milind Waykole · pre-commit-ci[bot] · web-flow · commit 4793604386df · 2025-02-20T21:03:09.000+05:30
* ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> * ADD test for cross model auth and enable token and verify Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> --------- Signed-off-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> Co-authored-by: Milind Waykole <mwaykole@mwaykole-thinkpadp1gen4i.bengluru.csb> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/tests/model_serving/model_server/authentication/conftest.py b/tests/model_serving/model_server/authentication/conftest.py
@@ -208,6 +208,19 @@ def patched_remove_raw_authentication_isvc(
         yield http_s3_caikit_raw_inference_service
 
 
+@pytest.fixture(scope="class")
+def model_service_account_2(
+    admin_client: DynamicClient, models_endpoint_s3_secret: Secret
+) -> Generator[ServiceAccount, Any, Any]:
+    with ServiceAccount(
+        client=admin_client,
+        namespace=models_endpoint_s3_secret.namespace,
+        name="models-bucket-sa-2",
+        secrets=[{"name": models_endpoint_s3_secret.name}],
+    ) as sa:
+        yield sa
+
+
 @pytest.fixture(scope="class")
 def grpc_view_role(
     admin_client: DynamicClient, grpc_s3_inference_service: InferenceService
@@ -298,6 +311,30 @@ def http_s3_caikit_raw_inference_service(
         yield isvc
 
 
+@pytest.fixture(scope="class")
+def http_s3_caikit_raw_inference_service_2(
+    request: FixtureRequest,
+    admin_client: DynamicClient,
+    model_namespace: Namespace,
+    http_s3_caikit_tgis_serving_runtime: ServingRuntime,
+    s3_models_storage_uri: str,
+    model_service_account_2: ServiceAccount,
+) -> InferenceService:
+    with create_isvc(
+        client=admin_client,
+        name=f"{Protocols.HTTP}-{ModelFormat.CAIKIT}-2",
+        namespace=model_namespace.name,
+        runtime=http_s3_caikit_tgis_serving_runtime.name,
+        storage_uri=s3_models_storage_uri,
+        model_format=http_s3_caikit_tgis_serving_runtime.instance.spec.supportedModelFormats[0].name,
+        deployment_mode=KServeDeploymentType.RAW_DEPLOYMENT,
+        model_service_account=model_service_account_2.name,
+        enable_auth=True,
+        external_route=True,
+    ) as isvc:
+        yield isvc
+
+
 # Unprivileged user tests
 @pytest.fixture(scope="class")
 def unprivileged_model_namespace(
diff --git a/tests/model_serving/model_server/authentication/test_kserve_token_authentication_raw.py b/tests/model_serving/model_server/authentication/test_kserve_token_authentication_raw.py
@@ -2,9 +2,11 @@
 from ocp_resources.resource import ResourceEditor
 
 from tests.model_serving.model_server.utils import verify_inference_response
-from utilities.constants import Labels, ModelFormat, ModelStoragePath, Protocols
-from utilities.inference_utils import Inference
+from utilities.constants import ModelFormat, ModelStoragePath, Protocols
+from utilities.constants import Labels
+from utilities.inference_utils import Inference, UserInference
 from utilities.infra import check_pod_status_in_time, get_pods_by_isvc_label
+from utilities.jira import is_jira_open
 from utilities.manifests.caikit_tgis import CAIKIT_TGIS_INFERENCE_CONFIG
 
 pytestmark = pytest.mark.usefixtures("valid_aws_config")
@@ -80,3 +82,46 @@ def test_raw_disable_enable_authentication_no_pod_rollout(self, http_s3_caikit_r
         ).update()
 
         check_pod_status_in_time(pod=pod, status={pod.Status.RUNNING})
+
+    @pytest.mark.dependency(depends=["test_disabled_raw_model_authentication"])
+    def test_re_enabled_raw_model_authentication(self, http_s3_caikit_raw_inference_service, http_raw_inference_token):
+        """Verify model query after authentication is re-enabled"""
+        verify_inference_response(
+            inference_service=http_s3_caikit_raw_inference_service,
+            inference_config=CAIKIT_TGIS_INFERENCE_CONFIG,
+            inference_type=Inference.ALL_TOKENS,
+            protocol=Protocols.HTTPS,
+            model_name=ModelFormat.CAIKIT,
+            use_default_query=True,
+            token=http_raw_inference_token,
+        )
+
+    @pytest.mark.dependency(name="test_cross_model_authentication_raw")
+    def test_cross_model_authentication_raw(
+        self, http_s3_caikit_raw_inference_service_2, http_raw_inference_token, admin_client
+    ):
+        """Verify model with another model token"""
+        if is_jira_open(jira_id="RHOAIENG-19645", admin_client=admin_client):
+            inference = UserInference(
+                inference_service=http_s3_caikit_raw_inference_service_2,
+                inference_config=CAIKIT_TGIS_INFERENCE_CONFIG,
+                inference_type=Inference.ALL_TOKENS,
+                protocol=Protocols.HTTPS,
+            )
+
+            res = inference.run_inference_flow(
+                model_name=ModelFormat.CAIKIT, use_default_query=True, token=http_raw_inference_token, insecure=False
+            )
+            status_line = res["output"].splitlines()[0]
+            assert "302 Found" in status_line, f"Expected '302 Found' in status line, got: {status_line}"
+        else:
+            verify_inference_response(
+                inference_service=http_s3_caikit_raw_inference_service_2,
+                inference_config=CAIKIT_TGIS_INFERENCE_CONFIG,
+                inference_type=Inference.ALL_TOKENS,
+                protocol=Protocols.HTTPS,
+                model_name=ModelFormat.CAIKIT,
+                use_default_query=True,
+                token=http_raw_inference_token,
+                authorized_user=False,
+            )
