opendatahub-io
diff --git a/‎tests/model_serving/model_server/maas_billing/maas_subscription/__init__.py‎ b/‎tests/model_serving/model_server/maas_billing/maas_subscription/__init__.py‎
diff --git a/‎tests/model_serving/model_server/maas_billing/maas_subscription/conftest.py‎
Lines changed: 287 additions & 0 deletions b/‎tests/model_serving/model_server/maas_billing/maas_subscription/conftest.py‎
Lines changed: 287 additions & 0 deletions
diff --git a/‎tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py‎
Lines changed: 101 additions & 0 deletions b/‎tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py‎
Lines changed: 101 additions & 0 deletions
@@ -0,0 +1,287 @@
+from collections.abc import Generator
+from typing import Any
+
+import pytest
+from kubernetes.dynamic import DynamicClient
+from ocp_resources.llm_inference_service import LLMInferenceService
+from ocp_resources.namespace import Namespace
+from ocp_resources.service_account import ServiceAccount
+from pytest_testconfig import config as py_config
+from simple_logger.logger import get_logger
+
+from tests.model_serving.model_server.maas_billing.maas_subscription.utils import (
+    patch_llmisvc_with_maas_router_and_tiers,
+)
+from tests.model_serving.model_server.maas_billing.utils import build_maas_headers
+from utilities.infra import create_inference_token, login_with_user_password
+from utilities.llmd_constants import ContainerImages, ModelStorage
+from utilities.llmd_utils import create_llmisvc
+from utilities.plugins.constant import OpenAIEnpoints
+from utilities.resources.maa_s_auth_policy import MaaSAuthPolicy
+from utilities.resources.maa_s_model import MaaSModel
+from utilities.resources.maa_s_subscription import MaaSSubscription
+
+LOGGER = get_logger(name=__name__)
+
+CHAT_COMPLETIONS = OpenAIEnpoints.CHAT_COMPLETIONS
+
+
+@pytest.fixture(scope="class")
+def maas_inference_service_tinyllama_free(
+    admin_client: DynamicClient,
+    maas_unprivileged_model_namespace: Namespace,
+    maas_model_service_account: ServiceAccount,
+    maas_gateway_api: None,
+) -> Generator[LLMInferenceService, Any, Any]:
+    with (
+        create_llmisvc(
+            client=admin_client,
+            name="llm-s3-tinyllama-free",
+            namespace=maas_unprivileged_model_namespace.name,
+            storage_uri=ModelStorage.TINYLLAMA_S3,
+            container_image=ContainerImages.VLLM_CPU,
+            container_resources={
+                "limits": {"cpu": "2", "memory": "12Gi"},
+                "requests": {"cpu": "1", "memory": "8Gi"},
+            },
+            service_account=maas_model_service_account.name,
+            wait=False,
+            timeout=900,
+        ) as llm_service,
+        patch_llmisvc_with_maas_router_and_tiers(llm_service=llm_service, tiers=[]),
+    ):
+        llm_service.wait_for_condition(condition="Ready", status="True", timeout=900)
+        yield llm_service
+
+
+@pytest.fixture(scope="class")
+def maas_inference_service_tinyllama_premium(
+    admin_client: DynamicClient,
+    maas_unprivileged_model_namespace: Namespace,
+    maas_model_service_account: ServiceAccount,
+    maas_gateway_api: None,
+) -> Generator[LLMInferenceService, Any, Any]:
+    with (
+        create_llmisvc(
+            client=admin_client,
+            name="llm-s3-tinyllama-premium",
+            namespace=maas_unprivileged_model_namespace.name,
+            storage_uri=ModelStorage.TINYLLAMA_S3,
+            container_image=ContainerImages.VLLM_CPU,
+            container_resources={
+                "limits": {"cpu": "2", "memory": "12Gi"},
+                "requests": {"cpu": "1", "memory": "8Gi"},
+            },
+            service_account=maas_model_service_account.name,
+            wait=False,
+            timeout=900,
+        ) as llm_service,
+        patch_llmisvc_with_maas_router_and_tiers(llm_service=llm_service, tiers=["premium"]),
+    ):
+        llm_service.wait_for_condition(condition="Ready", status="True", timeout=900)
+        yield llm_service
+
+
+@pytest.fixture(scope="class")
+def maas_model_tinyllama_free(
+    admin_client: DynamicClient,
+    maas_inference_service_tinyllama_free: LLMInferenceService,
+) -> Generator[MaaSModel]:
+    applications_namespace = py_config["applications_namespace"]
+
+    with MaaSModel(
+        client=admin_client,
+        name=maas_inference_service_tinyllama_free.name,
+        namespace=applications_namespace,
+        model_ref={
+            "name": maas_inference_service_tinyllama_free.name,
+            "namespace": maas_inference_service_tinyllama_free.namespace,
+            "kind": "LLMInferenceService",
+            "apiGroup": "serving.kserve.io",
+            "group": "serving.kserve.io",
+        },
+        teardown=True,
+        wait_for_resource=True,
+    ) as m:
+        yield m
+
+
+@pytest.fixture(scope="class")
+def maas_model_tinyllama_premium(
+    admin_client: DynamicClient,
+    maas_inference_service_tinyllama_premium: LLMInferenceService,
+) -> Generator[MaaSModel]:
+    applications_namespace = py_config["applications_namespace"]
+
+    with MaaSModel(
+        client=admin_client,
+        name=maas_inference_service_tinyllama_premium.name,
+        namespace=applications_namespace,
+        model_ref={
+            "name": maas_inference_service_tinyllama_premium.name,
+            "namespace": maas_inference_service_tinyllama_premium.namespace,
+            "kind": "LLMInferenceService",
+            "apiGroup": "serving.kserve.io",
+            "group": "serving.kserve.io",
+        },
+        teardown=True,
+        wait_for_resource=True,
+    ) as m:
+        yield m
+
+
+@pytest.fixture(scope="class")
+def maas_auth_policy_tinyllama_free(
+    admin_client: DynamicClient,
+    maas_free_group: str,
+    maas_model_tinyllama_free: MaaSModel,
+) -> Generator[MaaSAuthPolicy]:
+    applications_namespace = py_config["applications_namespace"]
+
+    with MaaSAuthPolicy(
+        client=admin_client,
+        name="tinyllama-free-access",
+        namespace=applications_namespace,
+        model_refs=[maas_model_tinyllama_free.name],
+        subjects={
+            "groups": [
+                {"name": "system:authenticated"},
+                {"name": maas_free_group},
+            ],
+        },
+        teardown=True,
+        wait_for_resource=True,
+    ) as maas_auth_policy_free:
+        yield maas_auth_policy_free
+
+
+@pytest.fixture(scope="class")
+def maas_auth_policy_tinyllama_premium(
+    admin_client: DynamicClient,
+    maas_premium_group: str,
+    maas_model_tinyllama_premium: MaaSModel,
+) -> Generator[MaaSAuthPolicy]:
+    applications_namespace = py_config["applications_namespace"]
+
+    with MaaSAuthPolicy(
+        client=admin_client,
+        name="tinyllama-premium-access",
+        namespace=applications_namespace,
+        model_refs=[maas_model_tinyllama_premium.name],
+        subjects={
+            "groups": [{"name": maas_premium_group}],
+        },
+        teardown=True,
+        wait_for_resource=True,
+    ) as maas_auth_policy_premium:
+        yield maas_auth_policy_premium
+
+
+@pytest.fixture(scope="class")
+def maas_subscription_tinyllama_free(
+    admin_client: DynamicClient,
+    maas_free_group: str,
+    maas_model_tinyllama_free: MaaSModel,
+) -> Generator[MaaSSubscription]:
+    applications_namespace = py_config["applications_namespace"]
+
+    with MaaSSubscription(
+        client=admin_client,
+        name="tinyllama-free-subscription",
+        namespace=applications_namespace,
+        owner={
+            "kind": "Group",
+            "name": maas_free_group,
+        },
+        model_refs=[
+            {
+                "name": maas_model_tinyllama_free.name,
+                "tokensPerMinute": 100,
+            }
+        ],
+        priority=0,
+        teardown=True,
+        wait_for_resource=True,
+    ) as maas_subscription_free:
+        yield maas_subscription_free
+
+
+@pytest.fixture(scope="class")
+def maas_subscription_tinyllama_premium(
+    admin_client: DynamicClient,
+    maas_premium_group: str,
+    maas_model_tinyllama_premium: MaaSModel,
+) -> Generator[MaaSSubscription]:
+    applications_namespace = py_config["applications_namespace"]
+
+    with MaaSSubscription(
+        client=admin_client,
+        name="tinyllama-premium-subscription",
+        namespace=applications_namespace,
+        owner={
+            "kind": "Group",
+            "name": maas_premium_group,
+        },
+        model_refs=[
+            {
+                "name": maas_model_tinyllama_premium.name,
+                "tokensPerMinute": 1000,
+            }
+        ],
+        priority=0,
+        teardown=True,
+        wait_for_resource=True,
+    ) as maas_subscription_premium:
+        yield maas_subscription_premium
+
+
+@pytest.fixture(scope="class")
+def model_url_tinyllama_free(
+    maas_scheme: str,
+    maas_host: str,
+    maas_inference_service_tinyllama_free: LLMInferenceService,
+) -> str:
+    deployment_name = maas_inference_service_tinyllama_free.name
+    url = f"{maas_scheme}://{maas_host}/llm/{deployment_name}{CHAT_COMPLETIONS}"
+    LOGGER.info("MaaS: constructed model_url=%s (deployment=%s)", url, deployment_name)
+    return url
+
+
+@pytest.fixture(scope="class")
+def model_url_tinyllama_premium(
+    maas_scheme: str,
+    maas_host: str,
+    maas_inference_service_tinyllama_premium: LLMInferenceService,
+) -> str:
+    deployment_name = maas_inference_service_tinyllama_premium.name
+    url = f"{maas_scheme}://{maas_host}/llm/{deployment_name}{CHAT_COMPLETIONS}"
+    LOGGER.info("MaaS: constructed model_url=%s (deployment=%s)", url, deployment_name)
+    return url
+
+
+@pytest.fixture(scope="class")
+def maas_wrong_group_service_account_token(
+    maas_api_server_url: str,
+    original_user: str,
+    admin_client: DynamicClient,
+) -> Generator[str]:
+    applications_namespace = py_config["applications_namespace"]
+
+    with ServiceAccount(
+        client=admin_client,
+        namespace=applications_namespace,
+        name="e2e-wrong-group-sa",
+        teardown=True,
+    ) as sa:
+        sa.wait(timeout=60)
+
+        ok = login_with_user_password(api_address=maas_api_server_url, user=original_user)
+        assert ok, f"Failed to login as original_user={original_user}"
+
+        raw_token = create_inference_token(model_service_account=sa)
+        yield raw_token
+
+
+@pytest.fixture(scope="class")
+def maas_headers_for_wrong_group_sa(maas_wrong_group_service_account_token: str) -> dict:
+    return build_maas_headers(token=maas_wrong_group_service_account_token)
@@ -0,0 +1,101 @@
+from __future__ import annotations
+
+import pytest
+import requests
+from simple_logger.logger import get_logger
+
+from tests.model_serving.model_server.maas_billing.maas_subscription.utils import chat_payload_for_url
+from tests.model_serving.model_server.maas_billing.utils import build_maas_headers
+from utilities.plugins.constant import RestHeader
+
+LOGGER = get_logger(name=__name__)
+
+
+@pytest.mark.usefixtures(
+    "maas_unprivileged_model_namespace",
+    "maas_controller_enabled_latest",
+    "maas_gateway_api",
+    "maas_api_gateway_reachable",
+    "maas_model_tinyllama_free",
+    "maas_model_tinyllama_premium",
+    "maas_auth_policy_tinyllama_free",
+    "maas_auth_policy_tinyllama_premium",
+    "maas_subscription_tinyllama_free",
+    "maas_subscription_tinyllama_premium",
+)
+class TestMaaSAuthPolicyEnforcementTinyLlama:
+    @pytest.mark.sanity
+    @pytest.mark.parametrize("ocp_token_for_actor", [{"type": "free"}], indirect=True)
+    def test_authorized_user_gets_200(
+        self,
+        request_session_http: requests.Session,
+        model_url_tinyllama_free: str,
+        ocp_token_for_actor: str,
+    ) -> None:
+        headers = build_maas_headers(token=ocp_token_for_actor)
+        payload = chat_payload_for_url(model_url=model_url_tinyllama_free)
+
+        resp = request_session_http.post(
+            url=model_url_tinyllama_free,
+            headers=headers,
+            json=payload,
+            timeout=60,
+        )
+        LOGGER.info(f"test_authorized_user_gets_200 -> POST {model_url_tinyllama_free} returned {resp.status_code}")
+        assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text[:200]}"
+
+    @pytest.mark.sanity
+    def test_no_auth_header_gets_401(
+        self,
+        request_session_http: requests.Session,
+        model_url_tinyllama_free: str,
+    ) -> None:
+        payload = chat_payload_for_url(model_url=model_url_tinyllama_free)
+
+        resp = request_session_http.post(
+            url=model_url_tinyllama_free,
+            headers=RestHeader.HEADERS,
+            json=payload,
+            timeout=60,
+        )
+        LOGGER.info(f"test_no_auth_header_gets_401 -> POST {model_url_tinyllama_free} returned {resp.status_code}")
+        assert resp.status_code == 401, f"Expected 401, got {resp.status_code}: {resp.text[:200]}"
+
+    @pytest.mark.sanity
+    def test_invalid_token_gets_401(
+        self,
+        request_session_http: requests.Session,
+        model_url_tinyllama_free: str,
+    ) -> None:
+        headers = build_maas_headers(token="totally-invalid-garbage-token")
+        payload = chat_payload_for_url(model_url=model_url_tinyllama_free)
+
+        resp = request_session_http.post(
+            url=model_url_tinyllama_free,
+            headers=headers,
+            json=payload,
+            timeout=60,
+        )
+        LOGGER.info(f"test_invalid_token_gets_401 -> POST {model_url_tinyllama_free} returned {resp.status_code}")
+        assert resp.status_code == 401, f"Expected 401, got {resp.status_code}: {resp.text[:200]}"
+
+    @pytest.mark.sanity
+    def test_wrong_group_sa_denied_on_premium_model(
+        self,
+        request_session_http: requests.Session,
+        model_url_tinyllama_premium: str,
+        maas_headers_for_wrong_group_sa: dict,
+    ) -> None:
+        payload = chat_payload_for_url(model_url=model_url_tinyllama_premium)
+
+        resp = request_session_http.post(
+            url=model_url_tinyllama_premium,
+            headers=maas_headers_for_wrong_group_sa,
+            json=payload,
+            timeout=60,
+        )
+        LOGGER.info(
+            "test_wrong_group_sa_denied_on_premium_model -> "
+            f"POST {model_url_tinyllama_premium} returned {resp.status_code}"
+        )
+        assert resp.status_code == 403, f"Expected 403, got {resp.status_code}: {resp.text[:200]}"