test: add MaaS API key bulk revoke tests

[SB159]

Pull Request

Summary

add MaaS API key bulk revoke tests

Related Issues

• Fixes:
• JIRA:

How it has been tested

• Locally
• Jenkins

Additional Requirements

• If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
• If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

• Tests
  • Added end-to-end tests for bulk API-key revocation covering self-revoke, forbidden revoke by non-admins, and admin revocation of other users.
  • Added a function-scoped fixture that creates three active API keys and performs validated teardown revocation.
  • Added helper utilities to perform bulk-revoke requests, assert success thresholds, and improve logging and response validation.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/cherry-pick', '/wip', '/build-push-pr-image', '/hold', '/verified', '/lgtm'}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5bc5c68e-9c4f-4d8d-8858-bfd941e8719a

📥 Commits

Reviewing files that changed from the base of the PR and between 9a7b99c and 58a913f.

📒 Files selected for processing (1)

• tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py

---

📝 Walkthrough

Walkthrough

Adds a function-scoped pytest fixture that creates three active MaaS API keys and revokes them on teardown; adds two helper functions to perform and assert bulk API-key revocations; and adds a new test module with three Tier1 tests covering self, forbidden cross-user, and admin cross-user bulk-revoke scenarios.

Changes

Cohort / File(s)	Summary
Test Fixtures tests/model_serving/maas_billing/maas_subscription/conftest.py	Adds three_active_api_key_ids fixture (function scope) that creates three active MaaS API keys, logs created IDs, yields the list, and revokes each key during teardown while asserting revocation responses are HTTP 200 or 404.
Test Utilities tests/model_serving/maas_billing/maas_subscription/utils.py	Adds bulk_revoke_api_keys(...) to POST {"username": username} to /v1/api-keys/bulk-revoke with Bearer auth, log request/response metadata, parse JSON (raises AssertionError with response snippet on parse failure), and return (response, parsed_body); adds assert_bulk_revoke_success(...) to assert 200 and that revokedCount >= min_revoked_count.
Test Suite tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py	New TestAPIKeyBulkOperations with three tests: test_bulk_revoke_own_keys (bulk-revoke own keys and assert each key's status is revoked), test_bulk_revoke_other_user_forbidden (non-admin token receives 403 when revoking another user), and test_bulk_revoke_admin_can_revoke_any_user (admin token can revoke another user's keys and meets minimum revoked count).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Security flagging

• CWE-532 (Insertion of Sensitive Information into Log File): code logs request URL and username; ensure Bearer tokens and sensitive headers are never logged. Action: redact/suppress tokens and Authorization headers in logs; avoid logging full URLs that may include tokens.

• CWE-209 (Information Exposure Through an Error Message): bulk_revoke_api_keys includes first 200 chars of response.text in assertion on JSON decode failure, which may leak sensitive data. Action: remove raw response snippets from assertion messages or redact sensitive parts; replace with safe summaries (status code + truncated/hashed indicator).

• CWE-285 / CWE-862 (Improper Authorization / Missing Authorization Validation): tests assume admin can revoke other users and non-admins are forbidden by status codes. Action: confirm server enforces JWT subject/claims vs. username payload server-side; add explicit authorization-negative tests that attempt token/username substitution to ensure no horizontal privilege escalation.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding tests for MaaS API key bulk revoke operations, which is reflected across all modified files.
Description check	✅ Passed	The description follows the required template structure but lacks substantive content in the Summary section beyond merely repeating the title.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py (1)

88-111: Missing post-revoke verification.

Unlike test_bulk_revoke_own_keys, this test doesn't verify the key's status is actually "revoked" after the bulk operation. Consider adding a get_api_key check to confirm the active_api_key_id key has status == "revoked".

Proposed addition

        # After the assert for revoked_count, add:
        get_resp, get_body = get_api_key(
            request_session_http=request_session_http,
            base_url=base_url,
            key_id=active_api_key_id,
            ocp_user_token=admin_ocp_token,
        )
        assert get_resp.status_code == 200, (
            f"Expected 200 on GET /v1/api-keys/{active_api_key_id}, got {get_resp.status_code}"
        )
        assert get_body.get("status") == "revoked", (
            f"Expected key id={active_api_key_id} to have status='revoked', got: {get_body.get('status')}"
        )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py`
around lines 88 - 111, The test test_bulk_revoke_admin_can_revoke_any_user
currently asserts revokedCount but doesn't verify the actual key status; after
the revoked_count assert, call get_api_key with request_session_http, base_url,
key_id=active_api_key_id and ocp_user_token=admin_ocp_token, assert the GET
response status_code is 200 and that the returned body has "status" == "revoked"
to confirm the key (active_api_key_id) was actually revoked; use the existing
helper get_api_key and keep this check immediately after the revoked_count
assertion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/model_serving/maas_billing/maas_subscription/conftest.py`:
- Around line 678-685: The teardown loop calling revoke_api_key for each key_id
can fail if keys were already bulk-revoked (non-2xx/404 responses); update the
teardown in the three_active_api_key_ids fixture to handle and ignore
404/"already revoked" responses the same way create_and_yield_api_key_id does by
catching the API response/exception from revoke_api_key and treating 404 or an
"already revoked" error as success (log and continue) while still raising on
other errors.

In
`@tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py`:
- Around line 54-65: The loop over three_active_api_key_ids silently skips
verification when get_api_key returns non-200; update the loop that calls
get_api_key (using request_session_http, base_url, ocp_token_for_actor) to
assert the response is 200 (e.g., assert get_resp.status_code == 200 with a
helpful message including key_id and get_resp.status_code) before checking
get_body.get("status") == "revoked", and log or fail explicitly if the response
is not 200 so deletions or missing keys aren't masked; keep the final
LOGGER.info after successful confirmations.

---

Nitpick comments:
In
`@tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py`:
- Around line 88-111: The test test_bulk_revoke_admin_can_revoke_any_user
currently asserts revokedCount but doesn't verify the actual key status; after
the revoked_count assert, call get_api_key with request_session_http, base_url,
key_id=active_api_key_id and ocp_user_token=admin_ocp_token, assert the GET
response status_code is 200 and that the returned body has "status" == "revoked"
to confirm the key (active_api_key_id) was actually revoked; use the existing
helper get_api_key and keep this check immediately after the revoked_count
assertion.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 3a179567-65c1-42c4-8b9c-70d8bdb1a222

📥 Commits

Reviewing files that changed from the base of the PR and between 70a5608 and 6ba20be.

📒 Files selected for processing (3)

• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py`:
- Around line 25-33: The test_bulk_revoke_own_keys test currently forces an
admin principal by passing ocp_token_for_actor={"type": "admin"}, which
validates admin behavior not self-service; change that param to use a non-admin
principal (e.g., ocp_token_for_actor={"type": "user"} or another non-admin role
your fixture supports) so the test exercises ordinary-user self-service bulk
revoke paths and update any related docstring if needed.
- Around line 102-118: The test currently only checks revoked_count from
assert_bulk_revoke_success but never verifies the specific active_api_key_id was
revoked; after calling assert_bulk_revoke_success (or wherever revoked_count is
returned), call get_api_key(request_session_http=..., base_url=...,
ocp_user_token=admin_ocp_token, username=free_user_username,
api_key_id=active_api_key_id) and assert the returned key's status == "revoked"
(or equivalent field), failing the test if it is not; reference
active_api_key_id, assert_bulk_revoke_success (or bulk_revoke_api_keys if
reverted), and get_api_key to locate where to add this assertion.
- Around line 49-56: Resolve the merge markers and pick one consistent
implementation: prefer the bulk_revoke_api_keys() style that returns (bulk_resp,
bulk_body), remove all <<<<>>>> markers, restore the HEAD assertions that check
bulk_resp.status_code == 200 and compute revoked_count =
bulk_body.get("revokedCount", 0), and update any callers that were changed to
expect a single revoked_count (e.g., replace calls to
assert_bulk_revoke_success() with the tuple-returning bulk_revoke_api_keys()
usage or adapt their logic to read revoked_count from bulk_body); ensure
revoked_count is defined before it is referenced and that function signatures
for bulk_revoke_api_keys and any helper assert_* are consistent across the file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 39e76174-7c2a-4737-93a2-7ae4b9f18949

📥 Commits

Reviewing files that changed from the base of the PR and between 6ba20be and 9a7b99c.

📒 Files selected for processing (3)

• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_api_key_bulk_operations.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.