Add model mesh authentication tests (#115)

* Create size-labeler.yml

* Delete .github/workflows/size-labeler.yml

* model mesh - add auth tests

* model mesh - add auth tests

* fix code

* update

* use isvc as role

* update runtime kwargs

* use serevice for mm auth

* fix svc

* fix: address comments

* fix: resolve reivew comments

* fix: removed bug that will not be fixed

Author: rnetser

tests/model_serving/model_server/authentication/conftest.py

@@ -1,4 +1,3 @@
-import shlex
 from typing import Any, Generator
 from urllib.parse import urlparse
 
@@ -13,12 +12,11 @@
 from ocp_resources.secret import Secret
 from ocp_resources.service_account import ServiceAccount
 from ocp_resources.serving_runtime import ServingRuntime
-from pyhelper_utils.shell import run_command
 
 from utilities.inference_utils import create_isvc
 from utilities.infra import (
-    create_isvc_view_role,
     create_ns,
+    create_isvc_view_role,
     get_pods_by_isvc_label,
     s3_endpoint_secret,
     create_inference_token,
@@ -255,11 +253,7 @@ def grpc_role_binding(
 
 @pytest.fixture(scope="class")
 def grpc_inference_token(grpc_model_service_account: ServiceAccount, grpc_role_binding: RoleBinding) -> str:
-    return run_command(
-        command=shlex.split(
-            f"oc create token -n {grpc_model_service_account.namespace} {grpc_model_service_account.name}"
-        )
-    )[1].strip()
+    return create_inference_token(model_service_account=grpc_model_service_account)
 
 
 @pytest.fixture(scope="class")
@@ -444,3 +438,62 @@ def unprivileged_s3_caikit_raw_inference_service(
         storage_path=ModelStoragePath.FLAN_T5_SMALL_CAIKIT,
     ) as isvc:
         yield isvc
+
+
+@pytest.fixture()
+def patched_remove_authentication_model_mesh_runtime(
+    admin_client: DynamicClient,
+    http_s3_ovms_model_mesh_serving_runtime: ServingRuntime,
+) -> Generator[ServingRuntime, Any, Any]:
+    with ResourceEditor(
+        patches={
+            http_s3_ovms_model_mesh_serving_runtime: {
+                "metadata": {
+                    "annotations": {"enable-auth": "false"},
+                }
+            }
+        }
+    ):
+        yield http_s3_ovms_model_mesh_serving_runtime
+
+
+@pytest.fixture(scope="class")
+def http_model_mesh_view_role(
+    admin_client: DynamicClient,
+    http_s3_openvino_model_mesh_inference_service: InferenceService,
+    http_s3_ovms_model_mesh_serving_runtime: ServingRuntime,
+) -> Generator[Role, Any, Any]:
+    with Role(
+        client=admin_client,
+        name=f"{http_s3_openvino_model_mesh_inference_service.name}-view",
+        namespace=http_s3_openvino_model_mesh_inference_service.namespace,
+        rules=[
+            {"apiGroups": [""], "resources": ["services"], "verbs": ["get"]},
+        ],
+    ) as role:
+        yield role
+
+
+@pytest.fixture(scope="class")
+def http_model_mesh_role_binding(
+    admin_client: DynamicClient,
+    http_model_mesh_view_role: Role,
+    ci_service_account: ServiceAccount,
+) -> Generator[RoleBinding, Any, Any]:
+    with RoleBinding(
+        client=admin_client,
+        namespace=ci_service_account.namespace,
+        name=f"{Protocols.HTTP}-{ci_service_account.name}-view",
+        role_ref_name=http_model_mesh_view_role.name,
+        role_ref_kind=http_model_mesh_view_role.kind,
+        subjects_kind=ci_service_account.kind,
+        subjects_name=ci_service_account.name,
+    ) as rb:
+        yield rb
+
+
+@pytest.fixture(scope="class")
+def http_model_mesh_inference_token(
+    ci_service_account: ServiceAccount, http_model_mesh_role_binding: RoleBinding
+) -> str:
+    return create_inference_token(model_service_account=ci_service_account)

tests/model_serving/model_server/authentication/test_kserve_token_authentication_serverless.py

@@ -20,7 +20,7 @@
     ],
     indirect=True,
 )
-class TestKserveTokenAuthentication:
+class TestKserveServerlessTokenAuthentication:
     @pytest.mark.smoke
     @pytest.mark.dependency(name="test_model_authentication_using_rest")
     def test_model_authentication_using_rest(self, http_s3_caikit_serverless_inference_service, http_inference_token):

tests/model_serving/model_server/authentication/test_model_mesh_authentication.py

@@ -0,0 +1,98 @@
+import pytest
+
+from tests.model_serving.model_server.utils import verify_inference_response
+from utilities.constants import (
+    ModelStoragePath,
+    Protocols,
+)
+from utilities.inference_utils import Inference
+from utilities.manifests.openvino import OPENVINO_INFERENCE_CONFIG
+
+pytestmark = [pytest.mark.modelmesh, pytest.mark.sanity]
+
+
+@pytest.mark.parametrize(
+    "model_namespace, http_s3_ovms_model_mesh_serving_runtime, http_s3_openvino_model_mesh_inference_service",
+    [
+        pytest.param(
+            {"name": "model-mesh-authentication", "modelmesh-enabled": True},
+            {"enable-auth": True, "enable-external-route": True},
+            {"model-path": ModelStoragePath.OPENVINO_EXAMPLE_MODEL},
+        )
+    ],
+    indirect=True,
+)
+class TestModelMeshAuthentication:
+    """Model Mesh Authentication is based on the created Service; cross-model authentication is not blocked"""
+
+    @pytest.mark.dependency(name="test_model_mesh_model_authentication_openvino_inference_with_tensorflow")
+    def test_model_mesh_model_authentication_openvino_inference_with_tensorflow(
+        self,
+        http_s3_openvino_model_mesh_inference_service,
+        http_model_mesh_inference_token,
+    ):
+        """Verify model query with token using REST"""
+        verify_inference_response(
+            inference_service=http_s3_openvino_model_mesh_inference_service,
+            inference_config=OPENVINO_INFERENCE_CONFIG,
+            inference_type=Inference.INFER,
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+            token=http_model_mesh_inference_token,
+        )
+
+    @pytest.mark.dependency(name="test_model_mesh_disabled_model_authentication")
+    def test_model_mesh_disabled_model_authentication(
+        self,
+        patched_remove_authentication_model_mesh_runtime,
+        http_s3_openvino_model_mesh_inference_service,
+    ):
+        """Verify model query after authentication is disabled"""
+        verify_inference_response(
+            inference_service=http_s3_openvino_model_mesh_inference_service,
+            inference_config=OPENVINO_INFERENCE_CONFIG,
+            inference_type=Inference.INFER,
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+        )
+
+    @pytest.mark.dependency(depends=["test_model_mesh_disabled_model_authentication"])
+    def test_model_mesh_re_enabled_model_authentication(
+        self,
+        http_s3_openvino_model_mesh_inference_service,
+        http_model_mesh_inference_token,
+    ):
+        """Verify model query after authentication is re-enabled"""
+        verify_inference_response(
+            inference_service=http_s3_openvino_model_mesh_inference_service,
+            inference_config=OPENVINO_INFERENCE_CONFIG,
+            inference_type=Inference.INFER,
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+            token=http_model_mesh_inference_token,
+        )
+
+    @pytest.mark.dependency(depends=["test_model_mesh_model_authentication_openvino_inference_with_tensorflow"])
+    def test_model_mesh_model_authentication_using_invalid_token(self, http_s3_openvino_model_mesh_inference_service):
+        """Verify model query with an invalid token"""
+        verify_inference_response(
+            inference_service=http_s3_openvino_model_mesh_inference_service,
+            inference_config=OPENVINO_INFERENCE_CONFIG,
+            inference_type=Inference.INFER,
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+            token="dummy",
+            authorized_user=False,
+        )
+
+    @pytest.mark.dependency(depends=["test_model_mesh_model_authentication_openvino_inference_with_tensorflow"])
+    def test_model_mesh_model_authentication_without_token(self, http_s3_openvino_model_mesh_inference_service):
+        """Verify model query without providing a token"""
+        verify_inference_response(
+            inference_service=http_s3_openvino_model_mesh_inference_service,
+            inference_config=OPENVINO_INFERENCE_CONFIG,
+            inference_type=Inference.INFER,
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+            authorized_user=False,
+        )

tests/model_serving/model_server/components/kserve_dsc_deployment_mode/test_kserve_dsc_default_deployment_mode.py

@@ -170,7 +170,7 @@ def test_isvc_on_dsc_default_deployment_mode_change_to_serverless(
         ],
         indirect=True,
     )
-    def test_restarted_pod_is_serverless(
+    def test_restarted_pod_is_raw(
         self,
         patched_default_deployment_mode_in_dsc,
         restarted_inference_pod,