Merge branch 'main' into cosign_binary

Author: dbasunag

.github/workflows/scripts/pr_workflow.py

@@ -109,7 +109,7 @@ def verify_allowed_user(self) -> bool:
             # check if the user is a member of opendatahub-tests-contributors
             membership = team.get_team_membership(member=self.user_login)
             LOGGER.info(f"User {self.user_login} is a member of the test contributor team. {membership}")
-            return True  # noqa: TRY300
+            return True
         except UnknownObjectException:
             LOGGER.error(f"User {self.user_login} is not allowed for this action. Exiting.")
             return False

.pre-commit-config.yaml

@@ -36,7 +36,7 @@ repos:
         exclude: .*/__snapshots__/.*|.*-input\.json$|^semgrep\.yaml$
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.5
+    rev: v0.15.6
     hooks:
       - id: ruff
       - id: ruff-format
@@ -50,7 +50,7 @@ repos:
   #     - id: renovate-config-validator
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.30.0
+    rev: v8.30.1
     hooks:
       - id: gitleaks
 

tests/conftest.py

@@ -167,7 +167,7 @@ def registry_pull_secret(pytestconfig: Config) -> list[str]:
     try:
         for secret in registry_pull_secret:
             base64.b64decode(s=secret, validate=True)
-        return registry_pull_secret  # noqa: TRY300
+        return registry_pull_secret
     except binascii.Error:
         raise ValueError("Registry pull secret is not a valid base64 encoded string")
 
@@ -253,7 +253,7 @@ def modelcar_yaml_config(pytestconfig: pytest.Config) -> dict[str, Any] | None:
             modelcar_yaml = yaml.safe_load(file)
             if not isinstance(modelcar_yaml, dict):
                 raise ValueError("modelcar.yaml should contain a dictionary.")  # noqa: TRY004
-            return modelcar_yaml  # noqa: TRY300
+            return modelcar_yaml
         except yaml.YAMLError as e:
             raise ValueError(f"Error parsing modelcar.yaml: {e}") from e
 

tests/llama_stack/safety/conftest.py

@@ -48,7 +48,7 @@ def guardrails_orchestrator_ssl_cert(guardrails_orchestrator_route: Route):
         with open(filepath, "w") as f:
             f.write("\n".join(cert_lines))
 
-        return filepath  # noqa: TRY300
+        return filepath
 
     except Exception as e:  # noqa: BLE001
         raise RuntimeError(f"Could not get certificate from {hostname}: {e}")

tests/llama_stack/utils.py

@@ -98,7 +98,7 @@ def wait_for_llama_stack_client_ready(client: LlamaStackClient) -> bool:
             f"vector_stores:{len(vector_stores.data)} "
             f"files:{len(files.data)})"
         )
-        return True  # noqa: TRY300
+        return True
 
     except (APIConnectionError, InternalServerError) as error:
         LOGGER.debug(f"Llama Stack server not ready yet: {error}")

tests/model_registry/model_catalog/huggingface/utils.py

@@ -57,7 +57,7 @@ def get_huggingface_nested_attributes(obj, attr_path) -> Any:
                 if not hasattr(current_obj, attr):
                     return None
                 current_obj = getattr(current_obj, attr)
-        return current_obj  # noqa: TRY300
+        return current_obj
     except AttributeError as e:
         LOGGER.error(f"AttributeError getting '{attr_path}': {e}")
         return None

tests/model_registry/model_catalog/metadata/utils.py

@@ -294,7 +294,7 @@ def get_metadata_from_catalog_pod(model_catalog_pod: Pod, model_name: str) -> di
         metadata_json = model_catalog_pod.execute(command=["cat", metadata_path], container=CATALOG_CONTAINER)
         metadata = json.loads(metadata_json)
         LOGGER.info(f"Successfully loaded metadata.json for model '{model_name}'")
-        return metadata  # noqa: TRY300
+        return metadata
     except Exception as e:
         LOGGER.error(f"Failed to read metadata.json for model '{model_name}': {e}")
         raise

tests/model_registry/model_registry/conftest.py

@@ -135,7 +135,7 @@ def sa_token(service_account: ServiceAccount) -> str:
             raise ValueError("Retrieved token is empty after successful command execution.")
 
         LOGGER.info(f"Successfully retrieved token for SA '{sa_name}'")
-        return token  # noqa: TRY300
+        return token
 
     except Exception as e:  # Catch all exceptions from the try block
         error_type = type(e).__name__

tests/model_serving/maas_billing/maas_subscription/conftest.py

@@ -556,3 +556,67 @@ def premium_system_authenticated_access(
         if extra_auth_policy.exists:
             LOGGER.info(f"Fixture teardown: ensuring AuthPolicy {extra_auth_policy.name} is removed")
             extra_auth_policy.clean_up(wait=True)
+
+
+@pytest.fixture(scope="function")
+def second_free_subscription(
+    admin_client: DynamicClient,
+    maas_free_group: str,
+    maas_model_tinyllama_free: MaaSModelRef,
+    maas_subscription_tinyllama_free: MaaSSubscription,
+) -> Generator[MaaSSubscription, Any, Any]:
+    """
+    Creates a second subscription for maas_free_group on the free model.
+    Used to simulate an ambiguous subscription selection (two qualifying subscriptions,
+    no x-maas-subscription header).
+    """
+    with create_maas_subscription(
+        admin_client=admin_client,
+        subscription_namespace=maas_subscription_tinyllama_free.namespace,
+        subscription_name="e2e-second-free-subscription",
+        owner_group_name=maas_free_group,
+        model_name=maas_model_tinyllama_free.name,
+        model_namespace=maas_model_tinyllama_free.namespace,
+        tokens_per_minute=500,
+        window="1m",
+        priority=5,
+        teardown=True,
+        wait_for_resource=True,
+    ) as second_subscription:
+        second_subscription.wait_for_condition(condition="Ready", status="True", timeout=300)
+        LOGGER.info(
+            f"Created second free subscription {second_subscription.name} for model {maas_model_tinyllama_free.name}"
+        )
+        yield second_subscription
+
+
+@pytest.fixture(scope="function")
+def free_actor_premium_subscription(
+    admin_client: DynamicClient,
+    maas_model_tinyllama_premium: MaaSModelRef,
+    maas_subscription_tinyllama_premium: MaaSSubscription,
+) -> Generator[MaaSSubscription, Any, Any]:
+    """
+    Creates a subscription for system:authenticated on the premium model.
+    Used to verify that having a subscription alone is not sufficient —
+    the actor must also be listed in the model's MaaSAuthPolicy.
+    """
+    with create_maas_subscription(
+        admin_client=admin_client,
+        subscription_namespace=maas_subscription_tinyllama_premium.namespace,
+        subscription_name="e2e-free-actor-premium-sub",
+        owner_group_name="system:authenticated",
+        model_name=maas_model_tinyllama_premium.name,
+        model_namespace=maas_model_tinyllama_premium.namespace,
+        tokens_per_minute=100,
+        window="1m",
+        priority=0,
+        teardown=True,
+        wait_for_resource=True,
+    ) as sub_for_free_actor:
+        sub_for_free_actor.wait_for_condition(condition="Ready", status="True", timeout=300)
+        LOGGER.info(
+            f"Created subscription {sub_for_free_actor.name} for system:authenticated "
+            f"on premium model {maas_model_tinyllama_premium.name}"
+        )
+        yield sub_for_free_actor

tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_no_header.py

@@ -0,0 +1,68 @@
+from __future__ import annotations
+
+import pytest
+import requests
+from ocp_resources.maas_subscription import MaaSSubscription
+from simple_logger.logger import get_logger
+
+from tests.model_serving.maas_billing.maas_subscription.utils import (
+    chat_payload_for_url,
+    poll_expected_status,
+)
+
+LOGGER = get_logger(name=__name__)
+
+
+@pytest.mark.usefixtures(
+    "maas_unprivileged_model_namespace",
+    "maas_subscription_controller_enabled_latest",
+    "maas_gateway_api",
+    "maas_api_gateway_reachable",
+    "maas_inference_service_tinyllama_free",
+    "maas_model_tinyllama_free",
+    "maas_auth_policy_tinyllama_free",
+    "maas_subscription_tinyllama_free",
+)
+class TestMultipleSubscriptionsNoHeader:
+    """
+    Validates that a token qualifying for multiple subscriptions on the same model
+    is denied when no x-maas-subscription header is provided to disambiguate.
+    """
+
+    @pytest.mark.tier1
+    @pytest.mark.parametrize("ocp_token_for_actor", [{"type": "free"}], indirect=True)
+    def test_multiple_matching_subscriptions_no_header_gets_403(
+        self,
+        request_session_http: requests.Session,
+        model_url_tinyllama_free: str,
+        maas_headers_for_actor_api_key: dict[str, str],
+        second_free_subscription: MaaSSubscription,
+    ) -> None:
+        """
+        Verify that a token qualifying for multiple subscriptions receives 403
+        when no x-maas-subscription header is provided.
+
+        Given two subscriptions for the same model that the free actor qualifies for,
+        when the actor sends a request without the x-maas-subscription header,
+        then the request should be denied with 403 because the subscription
+        selection is ambiguous.
+        """
+        LOGGER.info(
+            f"Testing: free actor has two subscriptions including '{second_free_subscription.name}' "
+            f"with no x-maas-subscription header — expecting 403"
+        )
+
+        payload = chat_payload_for_url(model_url=model_url_tinyllama_free)
+
+        response = poll_expected_status(
+            request_session_http=request_session_http,
+            model_url=model_url_tinyllama_free,
+            headers=maas_headers_for_actor_api_key,
+            payload=payload,
+            expected_statuses={403},
+        )
+
+        assert response.status_code == 403, (
+            f"Expected 403 when multiple subscriptions exist and no header is provided, "
+            f"got {response.status_code}: {(response.text or '')[:200]}"
+        )