test(maas): update auth enforcement tests for API key flow

[SB159]

Pull Request

Summary

Update MaaS auth enforcement tests to use API key flow

Related Issues

• Fixes:
• JIRA:

How it has been tested

• Locally
• Jenkins

Additional Requirements

• If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
• If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

• Tests
  • Improved test infrastructure for authentication enforcement validation, enhancing test reliability and consistency across API authentication scenarios.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/hold', '/cherry-pick', '/wip', '/build-push-pr-image', '/verified', '/lgtm'}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request refactors authentication enforcement tests to standardize HTTP response polling using a common utility function, replaces authentication parameter construction with a dedicated helper, updates test markers from sanity to smoke, and modifies the poll_expected_status function signature by removing its keyword-only parameter constraint.

Changes

Cohort / File(s)	Summary
Test Polling Standardization tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py	Replaced direct HTTP POST calls with poll_expected_status across multiple test cases; changed ocp_token_for_actor parameter to maas_headers_for_actor_api_key; updated test markers from sanity to smoke; refactored status expectations into sets (e.g., {200}, {401}, {403}).
Function Signature Modification tests/model_serving/model_server/maas_billing/maas_subscription/utils.py	Removed keyword-only marker (*) from poll_expected_status function, converting all parameters to positional-or-keyword, enabling positional argument passing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating MaaS auth enforcement tests to use API key flow, which aligns with the actual code modifications.
Description check	✅ Passed	The description covers the Summary section with relevant details about updating tests to use API key flow and indicates local testing was performed, but lacks detail on specific changes and implementation approach.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py (3)

78-86: Inconsistent HTTP call pattern.

This test uses direct request_session_http.post() while the other three tests use poll_expected_status. If immediate failure is expected for invalid tokens (no retry needed), this is fine. Otherwise, consider using poll_expected_status for consistency with the rest of the class.

♻️ Proposed change for consistency

-        resp = request_session_http.post(
-            url=model_url_tinyllama_free,
-            headers=headers,
-            json=payload,
-            timeout=60,
-        )
-
-        LOGGER.info(f"test_invalid_token_gets_401 -> POST {model_url_tinyllama_free} returned {resp.status_code}")
-        assert resp.status_code in (401, 403), f"Expected 401 or 403, got {resp.status_code}: {(resp.text or '')[:200]}"
+        resp = poll_expected_status(
+            request_session_http=request_session_http,
+            model_url=model_url_tinyllama_free,
+            headers=headers,
+            payload=payload,
+            expected_statuses={401, 403},
+        )
+
+        LOGGER.info(f"test_invalid_token_gets_401 -> POST {model_url_tinyllama_free} returned {resp.status_code}")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py`
around lines 78 - 86, The test explicitly calls request_session_http.post(...)
for model_url_tinyllama_free while other tests use poll_expected_status; make
the call pattern consistent by replacing the direct request with
poll_expected_status(...) (or vice versa if immediate no-retry behavior is
intended) so all tests use the same helper; locate the call to
request_session_http.post in this test and use the poll_expected_status helper
with the same url, headers, payload, timeout and expected status set to (401,
403) (or document why a direct post is required and leave as-is).

---

93-93: Type annotation inconsistency.

maas_headers_for_wrong_group_sa: dict at line 93 vs maas_headers_for_actor_api_key: dict[str, str] at line 36. Use consistent parameterized type hints.

♻️ Fix type annotation

-        maas_headers_for_wrong_group_sa: dict,
+        maas_headers_for_wrong_group_sa: dict[str, str],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py`
at line 93, The test fixture parameter maas_headers_for_wrong_group_sa uses a
bare dict type while maas_headers_for_actor_api_key uses dict[str, str]; update
the annotation for maas_headers_for_wrong_group_sa to dict[str, str] to make
type hints consistent across the test (locate the parameter in the test function
or fixture definition and change its annotation to match
maas_headers_for_actor_api_key).

---

40-49: Redundant assertion after poll_expected_status.

poll_expected_status already guarantees the returned response has a status code in expected_statuses, otherwise it calls pytest.fail(). The assertion at line 49 is therefore redundant.

Same applies to tests at lines 67, 86, and 108.

♻️ Optional: Remove redundant assertion

         resp = poll_expected_status(
             request_session_http=request_session_http,
             model_url=model_url_tinyllama_free,
             headers=maas_headers_for_actor_api_key,
             payload=payload,
             expected_statuses={200},
         )
 
         LOGGER.info(f"test_authorized_user_gets_200 -> POST {model_url_tinyllama_free} returned {resp.status_code}")
-        assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text[:200]}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py`
around lines 40 - 49, Remove the redundant explicit status-code assertions that
follow poll_expected_status in the test functions (e.g., the assert
resp.status_code == 200 after calling poll_expected_status).
poll_expected_status already fails the test if the response status is not in
expected_statuses, so delete those asserts in the tests where
poll_expected_status is used (refer to uses of poll_expected_status and
variables like resp, model_url_tinyllama_free, maas_headers_for_actor_api_key,
and LOGGER); keep the logging lines and any other checks that are not
duplicative of poll_expected_status's behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py`:
- Around line 78-86: The test explicitly calls request_session_http.post(...)
for model_url_tinyllama_free while other tests use poll_expected_status; make
the call pattern consistent by replacing the direct request with
poll_expected_status(...) (or vice versa if immediate no-retry behavior is
intended) so all tests use the same helper; locate the call to
request_session_http.post in this test and use the poll_expected_status helper
with the same url, headers, payload, timeout and expected status set to (401,
403) (or document why a direct post is required and leave as-is).
- Line 93: The test fixture parameter maas_headers_for_wrong_group_sa uses a
bare dict type while maas_headers_for_actor_api_key uses dict[str, str]; update
the annotation for maas_headers_for_wrong_group_sa to dict[str, str] to make
type hints consistent across the test (locate the parameter in the test function
or fixture definition and change its annotation to match
maas_headers_for_actor_api_key).
- Around line 40-49: Remove the redundant explicit status-code assertions that
follow poll_expected_status in the test functions (e.g., the assert
resp.status_code == 200 after calling poll_expected_status).
poll_expected_status already fails the test if the response status is not in
expected_statuses, so delete those asserts in the tests where
poll_expected_status is used (refer to uses of poll_expected_status and
variables like resp, model_url_tinyllama_free, maas_headers_for_actor_api_key,
and LOGGER); keep the logging lines and any other checks that are not
duplicative of poll_expected_status's behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: d1a6c3a7-3dcb-4b96-9362-d712bebb8bfb

📥 Commits

Reviewing files that changed from the base of the PR and between cdabbf3 and c213abc.

📒 Files selected for processing (2)

• tests/model_serving/model_server/maas_billing/maas_subscription/test_maas_auth_enforcement.py
• tests/model_serving/model_server/maas_billing/maas_subscription/utils.py

💤 Files with no reviewable changes (1)

• tests/model_serving/model_server/maas_billing/maas_subscription/utils.py

[brettmthompson]

/lgtm

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.