fix: update MaaS tests for subscription binding and fix gateway 500 error

Signed-off-by: Swati Mukund Bagal <sbagal@redhat.com>

Author: SB159

tests/model_serving/maas_billing/conftest.py

@@ -828,7 +828,10 @@ def maas_gateway_api(
     if gw.exists:
         LOGGER.info(f"Reusing existing gateway {MAAS_GATEWAY_NAMESPACE}/{MAAS_GATEWAY_NAME}")
         gw.wait_for_condition(condition="Programmed", status="True", timeout=300)
-        yield
+        with ResourceEditor(
+            patches={gw: {"metadata": {"annotations": {"security.opendatahub.io/authorino-tls-bootstrap": "true"}}}}
+        ):
+            yield
     else:
         LOGGER.info(f"Creating gateway {MAAS_GATEWAY_NAMESPACE}/{MAAS_GATEWAY_NAME}")
         with Gateway(
@@ -837,7 +840,10 @@ def maas_gateway_api(
             namespace=MAAS_GATEWAY_NAMESPACE,
             gateway_class_name="openshift-default",
             listeners=maas_gateway_listeners(hostname=maas_gateway_api_hostname),
-            annotations={"opendatahub.io/managed": "false"},
+            annotations={
+                "opendatahub.io/managed": "false",
+                "security.opendatahub.io/authorino-tls-bootstrap": "true",
+            },
             label={
                 "app.kubernetes.io/name": "maas",
                 "app.kubernetes.io/instance": MAAS_GATEWAY_NAME,

tests/model_serving/maas_billing/maas_subscription/conftest.py

@@ -1,5 +1,6 @@
 import secrets
 import string
+import time
 from collections.abc import Generator
 from contextlib import ExitStack
 from typing import Any
@@ -388,12 +389,14 @@ def maas_api_key_for_actor(
     maas_subscription_controller_enabled_latest: None,
     maas_gateway_api: None,
     maas_api_gateway_reachable: None,
+    maas_subscription_tinyllama_free: Any,
 ) -> str:
     """
     Create an API key for the current actor (admin/free/premium).
 
     Flow:
     - Use OpenShift token (ocp_token_for_actor) to create an API key via MaaS API.
+    - Bind the key to the free subscription at mint time (required for model inference).
     - Use the plaintext API key for gateway inference: Authorization: Bearer <sk-...>.
     """
     api_key_name = f"odh-sub-tests-{generate_random_name()}"
@@ -404,6 +407,7 @@ def maas_api_key_for_actor(
         request_session_http=request_session_http,
         api_key_name=api_key_name,
         request_timeout_seconds=60,
+        subscription=maas_subscription_tinyllama_free.name,
     )
 
     return body["key"]
@@ -535,7 +539,7 @@ def premium_system_authenticated_access(
             model_namespace=maas_model_tinyllama_premium.namespace,
             tokens_per_minute=100,
             window="1m",
-            priority=0,
+            priority=1,
             teardown=True,
             wait_for_resource=True,
         ) as system_authenticated_subscription,
@@ -547,6 +551,24 @@ def premium_system_authenticated_access(
             timeout=300,
         )
 
+        # Wait for the underlying Kuadrant AuthPolicy to be accepted and enforced.
+        # The MaaS CR being "Ready" does not guarantee Kuadrant has propagated the update.
+        kuadrant_wait_timeout = 600
+        deadline = time.monotonic() + kuadrant_wait_timeout
+        while time.monotonic() < deadline:
+            auth_policies = (extra_auth_policy.instance.status or {}).get("authPolicies", [])
+            if auth_policies and all(
+                ap.get("accepted") == "True" and ap.get("enforced") == "True" for ap in auth_policies
+            ):
+                LOGGER.info(f"Kuadrant AuthPolicy enforced for {extra_auth_policy.name}")
+                break
+            time.sleep(5)
+        else:
+            LOGGER.warning(
+                f"Kuadrant AuthPolicy for {extra_auth_policy.name} did not become "
+                f"enforced within {kuadrant_wait_timeout}s — proceeding anyway"
+            )
+
         LOGGER.info(
             f"Created extra AuthPolicy {extra_auth_policy.name} and subscription "
             f"{system_authenticated_subscription.name} for premium model "

tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py

@@ -6,9 +6,12 @@
 
 from tests.model_serving.maas_billing.maas_subscription.utils import (
     chat_payload_for_url,
+    create_api_key,
     poll_expected_status,
+    revoke_api_key,
 )
 from tests.model_serving.maas_billing.utils import build_maas_headers
+from utilities.general import generate_random_name
 from utilities.plugins.constant import RestHeader
 
 LOGGER = structlog.get_logger(name=__name__)
@@ -32,21 +35,41 @@ class TestMaaSAuthPolicyEnforcementTinyLlama:
     def test_authorized_user_gets_200(
         self,
         request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
         model_url_tinyllama_free: str,
-        maas_headers_for_actor_api_key: dict[str, str],
+        maas_subscription_tinyllama_free,
     ) -> None:
-        payload = chat_payload_for_url(model_url=model_url_tinyllama_free)
-
-        resp = poll_expected_status(
+        """
+        Verify a free user with a subscription-bound API key can access the free model.
+        """
+        _, body = create_api_key(
+            base_url=base_url,
+            ocp_user_token=ocp_token_for_actor,
             request_session_http=request_session_http,
-            model_url=model_url_tinyllama_free,
-            headers=maas_headers_for_actor_api_key,
-            payload=payload,
-            expected_statuses={200},
+            api_key_name=f"e2e-auth-enforce-{generate_random_name()}",
+            subscription=maas_subscription_tinyllama_free.name,
         )
+        api_key = body["key"]
+        key_id = body["id"]
 
-        LOGGER.info(f"test_authorized_user_gets_200 -> POST {model_url_tinyllama_free} returned {resp.status_code}")
-        assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text[:200]}"
+        try:
+            resp = poll_expected_status(
+                request_session_http=request_session_http,
+                model_url=model_url_tinyllama_free,
+                headers=build_maas_headers(token=api_key),
+                payload=chat_payload_for_url(model_url=model_url_tinyllama_free),
+                expected_statuses={200},
+            )
+            LOGGER.info(f"test_authorized_user_gets_200 -> POST {model_url_tinyllama_free} returned {resp.status_code}")
+            assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text[:200]}"
+        finally:
+            revoke_api_key(
+                request_session_http=request_session_http,
+                base_url=base_url,
+                key_id=key_id,
+                ocp_user_token=ocp_token_for_actor,
+            )
 
     @pytest.mark.smoke
     def test_no_auth_header_gets_401(
@@ -99,10 +122,12 @@ def test_wrong_group_sa_denied_on_premium_model(
             model_url=model_url_tinyllama_premium,
             headers=maas_headers_for_wrong_group_sa,
             payload=payload,
-            expected_statuses={403},
+            expected_statuses={401, 403},
         )
         LOGGER.info(
             "test_wrong_group_sa_denied_on_premium_model -> "
             f"POST {model_url_tinyllama_premium} returned {resp.status_code}"
         )
-        assert resp.status_code == 403, f"Expected 403, got {resp.status_code}: {resp.text[:200]}"
+        assert resp.status_code in (401, 403), (
+            f"Expected 401 or 403 (wrong group denied), got {resp.status_code}: {resp.text[:200]}"
+        )

tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py

@@ -4,7 +4,13 @@
 import requests
 import structlog
 
-from tests.model_serving.maas_billing.maas_subscription.utils import chat_payload_for_url
+from tests.model_serving.maas_billing.maas_subscription.utils import (
+    chat_payload_for_url,
+    create_api_key,
+    revoke_api_key,
+)
+from tests.model_serving.maas_billing.utils import build_maas_headers
+from utilities.general import generate_random_name
 
 LOGGER = structlog.get_logger(name=__name__)
 
@@ -30,19 +36,41 @@ class TestSubscriptionEnforcementTinyLlama:
     def test_subscribed_user_gets_200(
         self,
         request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
         model_url_tinyllama_premium: str,
-        maas_headers_for_actor_api_key: dict[str, str],
+        maas_subscription_tinyllama_premium,
     ) -> None:
-        resp = request_session_http.post(
-            url=model_url_tinyllama_premium,
-            headers=maas_headers_for_actor_api_key,
-            json=chat_payload_for_url(model_url=model_url_tinyllama_premium),
-            timeout=60,
+        """
+        Verify a premium user with a subscription-bound API key can access the premium model.
+        """
+        _, body = create_api_key(
+            base_url=base_url,
+            ocp_user_token=ocp_token_for_actor,
+            request_session_http=request_session_http,
+            api_key_name=f"e2e-sub-enforce-{generate_random_name()}",
+            subscription=maas_subscription_tinyllama_premium.name,
         )
-        LOGGER.info(f"test_subscribed_user_gets_200 -> {resp.status_code}")
-        assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text[:200]}"
+        api_key = body["key"]
+        key_id = body["id"]
+
+        try:
+            resp = request_session_http.post(
+                url=model_url_tinyllama_premium,
+                headers=build_maas_headers(token=api_key),
+                json=chat_payload_for_url(model_url=model_url_tinyllama_premium),
+                timeout=60,
+            )
+            LOGGER.info(f"test_subscribed_user_gets_200 -> {resp.status_code}")
+            assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text[:200]}"
+        finally:
+            revoke_api_key(
+                request_session_http=request_session_http,
+                base_url=base_url,
+                key_id=key_id,
+                ocp_user_token=ocp_token_for_actor,
+            )
 
-    @pytest.mark.tier1
     @pytest.mark.parametrize("ocp_token_for_actor", [{"type": "premium"}], indirect=True)
     def test_explicit_subscription_header_works(
         self,

tests/model_serving/maas_billing/maas_subscription/utils.py

@@ -187,6 +187,7 @@ def create_api_key(
     request_timeout_seconds: int = 60,
     expires_in: str | None = None,
     raise_on_error: bool = True,
+    subscription: str | None = None,
 ) -> tuple[Response, dict[str, Any]]:
     """
     Create an API key via MaaS API and return (response, parsed_body).
@@ -199,12 +200,17 @@ def create_api_key(
             When None, no expiresIn field is sent and the key does not expire.
         raise_on_error: When True (default), raises AssertionError for non-200/201
             responses. Set to False when testing error cases (e.g. 400 rejection).
+        subscription: Optional MaaSSubscription name to bind at mint time.
+            When provided, the key is bound to this subscription for inference.
+            When None, the API auto-selects the highest-priority subscription.
     """
     api_keys_url = f"{base_url}/v1/api-keys"
 
     payload: dict[str, Any] = {"name": api_key_name}
     if expires_in is not None:
         payload["expiresIn"] = expires_in
+    if subscription is not None:
+        payload["subscription"] = subscription
 
     response = request_session_http.post(
         url=api_keys_url,