Merge branch 'main' into sort_bug

Author: fege

tests/model_serving/maas_billing/maas_subscription/conftest.py

@@ -24,21 +24,25 @@
 from tests.model_serving.maas_billing.maas_subscription.utils import (
     MAAS_DB_NAMESPACE,
     MAAS_SUBSCRIPTION_NAMESPACE,
+    create_and_yield_api_key_id,
     create_api_key,
     create_maas_subscription,
     get_maas_postgres_resources,
     patch_llmisvc_with_maas_router_and_tiers,
+    resolve_api_key_username,
     revoke_api_key,
+    wait_for_auth_ready,
     wait_for_postgres_connection_log,
     wait_for_postgres_deployment_ready,
 )
 from tests.model_serving.maas_billing.utils import build_maas_headers
 from utilities.constants import DscComponents
 from utilities.general import generate_random_name
-from utilities.infra import create_inference_token, create_ns, login_with_user_password
+from utilities.infra import create_inference_token, create_ns, get_openshift_token, login_with_user_password
 from utilities.llmd_constants import ContainerImages, ModelStorage
 from utilities.llmd_utils import create_llmisvc
 from utilities.plugins.constant import OpenAIEnpoints
+from utilities.resources.auth import Auth
 
 LOGGER = get_logger(name=__name__)
 
@@ -662,22 +666,91 @@ def active_api_key_id(
     """
     Create a single active API key and return its ID for revoke tests.
     """
-    key_name = f"e2e-fixture-key-{generate_random_name()}"
-    _, body = create_api_key(
+    yield from create_and_yield_api_key_id(
+        request_session_http=request_session_http,
         base_url=base_url,
         ocp_user_token=ocp_token_for_actor,
-        request_session_http=request_session_http,
-        api_key_name=key_name,
+        key_name_prefix="e2e-fixture-key",
     )
-    LOGGER.info(f"active_api_key_id: created key id={body['id']}")
-    yield body["id"]
-    LOGGER.info(f"Fixture teardown: revoking key {body['id']}")
-    revoke_api_key(
+
+
+@pytest.fixture(scope="function")
+def free_user_username(
+    request_session_http: requests.Session,
+    base_url: str,
+    ocp_token_for_actor: str,
+    active_api_key_id: str,
+) -> str:
+    """Resolve and return the free (non-admin) actor's username from their active API key."""
+    username = resolve_api_key_username(
         request_session_http=request_session_http,
         base_url=base_url,
-        key_id=body["id"],
+        key_id=active_api_key_id,
         ocp_user_token=ocp_token_for_actor,
     )
+    LOGGER.info(f"free_user_username: resolved username from key id={active_api_key_id}")
+    return username
+
+
+@pytest.fixture(scope="function")
+def admin_username(
+    request_session_http: requests.Session,
+    base_url: str,
+    admin_ocp_token: str,
+    admin_active_api_key_id: str,
+) -> str:
+    """Resolve and return the admin actor's username from their active API key."""
+    username = resolve_api_key_username(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        key_id=admin_active_api_key_id,
+        ocp_user_token=admin_ocp_token,
+    )
+    LOGGER.info(f"admin_username: resolved username from key id={admin_active_api_key_id}")
+    return username
+
+
+@pytest.fixture(scope="function")
+def admin_active_api_key_id(
+    request_session_http: requests.Session,
+    base_url: str,
+    admin_ocp_token: str,
+) -> Generator[str, Any, Any]:
+    """Create an active API key as the admin user, yield its ID, and revoke on teardown."""
+    yield from create_and_yield_api_key_id(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        ocp_user_token=admin_ocp_token,
+        key_name_prefix="e2e-authz-admin",
+    )
+
+
+@pytest.fixture(scope="class")
+def admin_ocp_token(admin_client: DynamicClient) -> Generator[str, Any, Any]:
+    """Temporarily adds dedicated-admins to Auth CR adminGroups so the admin token is recognised by MaaS."""
+    auth = Auth(client=admin_client, name="auth")
+    current_groups: list[str] = list(auth.instance.spec.adminGroups or [])
+    patched_groups = list(set(current_groups + ["dedicated-admins"]))
+
+    auth_conditions = (auth.instance.status or {}).get("conditions") or []
+    ready_before = next(
+        (condition for condition in auth_conditions if condition.get("type") == "Ready"),
+        {},
+    )
+    baseline_time: str = ready_before.get("lastTransitionTime", "")
+
+    LOGGER.info(f"admin_ocp_token: patching Auth CR adminGroups to {patched_groups}")
+    with ResourceEditor(patches={auth: {"spec": {"adminGroups": patched_groups}}}):
+        wait_for_auth_ready(auth=auth, baseline_time=baseline_time)
+        auth_conditions_after = (auth.instance.status or {}).get("conditions") or []
+        ready_after = next(
+            (condition for condition in auth_conditions_after if condition.get("type") == "Ready"),
+            {},
+        )
+        cleanup_baseline_time: str = ready_after.get("lastTransitionTime", "")
+        yield get_openshift_token(client=admin_client)
+
+    wait_for_auth_ready(auth=auth, baseline_time=cleanup_baseline_time)
 
 
 @pytest.fixture(scope="function")

tests/model_serving/maas_billing/maas_subscription/test_api_key_authorization.py

@@ -0,0 +1,156 @@
+from __future__ import annotations
+
+import pytest
+import requests
+from simple_logger.logger import get_logger
+
+from tests.model_serving.maas_billing.maas_subscription.utils import (
+    get_api_key,
+    list_api_keys,
+    revoke_api_key,
+)
+
+LOGGER = get_logger(name=__name__)
+
+
+@pytest.mark.parametrize("ocp_token_for_actor", [{"type": "free"}], indirect=True)
+@pytest.mark.usefixtures(
+    "maas_subscription_controller_enabled_latest",
+    "maas_gateway_api",
+    "maas_api_gateway_reachable",
+)
+class TestAPIKeyAuthorization:
+    """Tests for MaaS API key admin and non-admin access control."""
+
+    @pytest.mark.tier1
+    def test_admin_manage_other_users_keys(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        admin_ocp_token: str,
+        active_api_key_id: str,
+        free_user_username: str,
+    ) -> None:
+        """Verify an admin can search for another user's keys by username and revoke them."""
+        list_resp, list_body = list_api_keys(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            ocp_user_token=admin_ocp_token,
+            filters={"username": free_user_username, "status": ["active"]},
+            sort={"by": "created_at", "order": "desc"},
+            pagination={"limit": 50, "offset": 0},
+        )
+        assert list_resp.status_code == 200, (
+            f"Expected 200 on admin search by username, got {list_resp.status_code}: {list_resp.text[:200]}"
+        )
+        items: list[dict] = list_body.get("items") or list_body.get("data") or []
+        key_ids = [item["id"] for item in items]
+        assert active_api_key_id in key_ids, (
+            f"Expected free user's key id={active_api_key_id} in admin search results, found ids={key_ids}"
+        )
+        LOGGER.info(f"[authz] Admin found {len(items)} active key(s) for the free user")
+
+        revoke_resp, revoke_body = revoke_api_key(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            key_id=active_api_key_id,
+            ocp_user_token=admin_ocp_token,
+        )
+        assert revoke_resp.status_code == 200, (
+            f"Expected 200 on admin DELETE /v1/api-keys/{active_api_key_id}, "
+            f"got {revoke_resp.status_code}: {revoke_resp.text[:200]}"
+        )
+        assert revoke_body.get("status") == "revoked", (
+            f"Expected status='revoked' in admin revoke response, got: {revoke_body}"
+        )
+        LOGGER.info(f"[authz] Admin successfully revoked free user's key id={active_api_key_id}")
+
+    @pytest.mark.tier1
+    def test_non_admin_cannot_access_other_users_keys(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
+        admin_active_api_key_id: str,
+    ) -> None:
+        """Verify a non-admin user gets 404 when accessing another user's API key."""
+        get_resp, _ = get_api_key(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            key_id=admin_active_api_key_id,
+            ocp_user_token=ocp_token_for_actor,
+        )
+        assert get_resp.status_code == 404, (
+            f"Expected 404 (IDOR protection) on free user GET of admin's key id={admin_active_api_key_id}, "
+            f"got {get_resp.status_code}: {get_resp.text[:200]}"
+        )
+        LOGGER.info(f"[authz] Free user correctly received 404 on GET of admin's key id={admin_active_api_key_id}")
+
+        revoke_resp, _ = revoke_api_key(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            key_id=admin_active_api_key_id,
+            ocp_user_token=ocp_token_for_actor,
+        )
+        assert revoke_resp.status_code == 404, (
+            f"Expected 404 (IDOR protection) on free user DELETE of admin's key id={admin_active_api_key_id}, "
+            f"got {revoke_resp.status_code}: {revoke_resp.text[:200]}"
+        )
+        LOGGER.info(f"[authz] Free user correctly received 404 on DELETE of admin's key id={admin_active_api_key_id}")
+
+    @pytest.mark.tier2
+    def test_non_admin_search_only_returns_own_keys(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
+        active_api_key_id: str,
+        admin_active_api_key_id: str,
+    ) -> None:
+        """Verify a non-admin user's search results contain only their own keys."""
+        list_resp, list_body = list_api_keys(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            ocp_user_token=ocp_token_for_actor,
+            filters={"status": ["active"]},
+            sort={"by": "created_at", "order": "desc"},
+            pagination={"limit": 50, "offset": 0},
+        )
+        assert list_resp.status_code == 200, (
+            f"Expected 200 on free user search, got {list_resp.status_code}: {list_resp.text[:200]}"
+        )
+        items: list[dict] = list_body.get("items") or list_body.get("data") or []
+        key_ids = [item["id"] for item in items]
+
+        assert active_api_key_id in key_ids, (
+            f"Expected free user's own key id={active_api_key_id} in results, found ids={key_ids}"
+        )
+        assert admin_active_api_key_id not in key_ids, (
+            f"Admin's key id={admin_active_api_key_id} must NOT appear in free user's search results"
+        )
+        LOGGER.info(
+            f"[authz] Free user search returned {len(items)} key(s) — own key present, admin's key correctly excluded"
+        )
+
+    @pytest.mark.tier2
+    def test_non_admin_cannot_search_by_other_username(
+        self,
+        request_session_http: requests.Session,
+        base_url: str,
+        ocp_token_for_actor: str,
+        admin_username: str,
+    ) -> None:
+        """Verify a non-admin user gets 403 when searching with another user's username as a filter."""
+        list_resp, _ = list_api_keys(
+            request_session_http=request_session_http,
+            base_url=base_url,
+            ocp_user_token=ocp_token_for_actor,
+            filters={"username": admin_username, "status": ["active"]},
+            sort={"by": "created_at", "order": "desc"},
+            pagination={"limit": 50, "offset": 0},
+        )
+        assert list_resp.status_code == 403, (
+            f"Expected 403 when free user searches by another user's username, "
+            f"got {list_resp.status_code}: {list_resp.text[:200]}"
+        )
+        LOGGER.info("[authz] Free user correctly received 403 when searching by another user's username")

tests/model_serving/maas_billing/maas_subscription/utils.py

@@ -25,6 +25,8 @@
     MAAS_GATEWAY_NAMESPACE,
     ApiGroups,
 )
+from utilities.general import generate_random_name
+from utilities.resources.auth import Auth
 
 LOGGER = get_logger(name=__name__)
 MAAS_SUBSCRIPTION_NAMESPACE = "models-as-a-service"
@@ -282,6 +284,72 @@ def list_api_keys(
     return response, parsed_body
 
 
+def wait_for_auth_ready(auth: Auth, baseline_time: str, timeout: int = 60) -> None:
+    """Wait for Auth CR to reconcile after a patch."""
+    for instance in TimeoutSampler(wait_timeout=timeout, sleep=2, func=lambda: auth.instance):
+        auth_conditions = (instance.status or {}).get("conditions") or []
+        ready_condition = next(
+            (condition for condition in auth_conditions if condition.get("type") == "Ready"),
+            None,
+        )
+        if (
+            ready_condition
+            and ready_condition.get("lastTransitionTime") != baseline_time
+            and ready_condition.get("status") == "True"
+        ):
+            return
+
+
+def resolve_api_key_username(
+    request_session_http: requests.Session,
+    base_url: str,
+    key_id: str,
+    ocp_user_token: str,
+) -> str:
+    """Fetch an API key by ID and return the owner's username."""
+    get_resp, get_body = get_api_key(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        key_id=key_id,
+        ocp_user_token=ocp_user_token,
+    )
+    assert get_resp.status_code == 200, (
+        f"Expected 200 on GET /v1/api-keys/{key_id}, got {get_resp.status_code}: {get_resp.text[:200]}"
+    )
+    username = get_body.get("username") or get_body.get("owner")
+    assert username, "Expected 'username' or 'owner' field in GET response"
+    return username
+
+
+def create_and_yield_api_key_id(
+    request_session_http: requests.Session,
+    base_url: str,
+    ocp_user_token: str,
+    key_name_prefix: str,
+) -> Generator[str]:
+    """Create an API key, yield its ID, and revoke it on teardown."""
+    key_name = f"{key_name_prefix}-{generate_random_name()}"
+    _, body = create_api_key(
+        base_url=base_url,
+        ocp_user_token=ocp_user_token,
+        request_session_http=request_session_http,
+        api_key_name=key_name,
+    )
+    LOGGER.info(f"create_and_yield_api_key_id: created key id={body['id']} name={key_name}")
+    yield body["id"]
+    LOGGER.info(f"create_and_yield_api_key_id: teardown revoking key id={body['id']}")
+    revoke_resp, _ = revoke_api_key(
+        request_session_http=request_session_http,
+        base_url=base_url,
+        key_id=body["id"],
+        ocp_user_token=ocp_user_token,
+    )
+    if revoke_resp.status_code not in (200, 404):
+        raise AssertionError(
+            f"Unexpected teardown status for key id={body['id']}: {revoke_resp.status_code} {revoke_resp.text[:200]}"
+        )
+
+
 def revoke_api_key(
     request_session_http: requests.Session,
     base_url: str,

utilities/constants.py

@@ -140,6 +140,7 @@ class ApiGroups:
     KSERVE: str = "serving.kserve.io"
     KUADRANT_IO: str = "kuadrant.io"
     MAAS_IO: str = "maas.opendatahub.io"
+    AUTH_IO: str = "SERVICES_PLATFORM_OPENDATAHUB_IO"
 
 
 class Annotations: