fix: update MaaS tests for subscription binding and fix gateway 500 e…

[SB159]

…rror

Pull Request

Summary

update MaaS tests for subscription binding and fix gateway 500 error

Related Issues

• Fixes:
• JIRA:

Please review and indicate how it has been tested

• Locally
• Jenkins

Additional Requirements

• If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
• If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

• Tests
  • Enhanced authorization and subscription binding validation tests to ensure proper API key access control across subscription tiers.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/build-push-pr-image', '/cherry-pick', '/wip', '/lgtm', '/verified', '/hold'}

[coderabbitai]

📝 Walkthrough

Walkthrough

PR refactors MaaS authentication tests to dynamically construct request headers from subscription-bound API keys rather than using pre-built header fixtures. Adds two new class-scoped fixtures that mint API keys explicitly bound to free and premium subscription tiers, with automatic cleanup via key revocation. Updates create_api_key() utility to accept an optional subscription parameter for binding keys at creation time.

Changes

Cohort / File(s)	Summary
Auth Test Refactoring tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py, test_maas_sub_enforcement.py	Parameter injection updated from maas_headers_for_actor_api_key fixture to subscription-bound API key fixtures (api_key_bound_to_free_subscription, api_key_bound_to_premium_subscription). Headers now dynamically constructed via build_maas_headers(token=...). Expected HTTP status code changed from {403} to {401} in auth enforcement test. Removed @pytest.mark.tier1 marker from subscription enforcement test.
Subscription-Bound Fixtures tests/model_serving/maas_billing/maas_subscription/conftest.py	Added two new class-scoped fixtures that mint API keys bound to specific subscription tiers (maas_subscription_tinyllama_free, maas_subscription_tinyllama_premium) at creation time. Each fixture performs explicit cleanup via revoke_api_key during teardown. Fixtures inject request session, base URL, actor token, and subscription context fixtures.
API Key Utility Enhancement tests/model_serving/maas_billing/maas_subscription/utils.py	Extended create_api_key() signature with optional `subscription: str

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title is partially related to the changeset, referring to subscription binding updates in MaaS tests, but it is truncated ('e…') and does not fully convey the complete message or primary change.	Complete the truncated title with the full message about the gateway 500 error fix, ensuring clarity about all primary changes included in the changeset.
Description check	⚠️ Warning	The description is largely incomplete with placeholder text and unchecked checklist items; the summary is vague ('update MaaS tests...') without specifics on subscription binding implementation or the gateway error fix.	Complete all sections: explain what subscription binding changes were made, detail the gateway 500 error fix, fill in issue/JIRA links, and indicate which testing methods were actually used.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

tests/model_serving/maas_billing/maas_subscription/utils.py (1)

190-213: ⚠️ Potential issue | 🟠 Major

Assert that the requested subscription was actually persisted.

Sending payload["subscription"] is not enough to prove the binding path works. The new happy-path tests only assert a 200 after inference, so they will still pass if /v1/api-keys silently ignores this field and falls back to normal subscription selection. Validate the stored subscription in the create response or with a follow-up GET /v1/api-keys/{id} before returning.

As per coding guidelines, "Focus on security, test structure and coding style adherence in new code introduced."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/model_serving/maas_billing/maas_subscription/utils.py` around lines 190
- 213, The create API-key helper currently only sends payload["subscription"] to
api_keys_url but does not verify it was persisted; update the function that
builds payload (using api_key_name, expires_in, subscription) to validate the
stored subscription by parsing the create response body (ensure it contains the
created key id and stored subscription) or by performing a follow-up GET to
/v1/api-keys/{id} and comparing the returned "subscription" field to the
requested subscription; if raise_on_error is True assert the values match (or
raise AssertionError) and if False return the response and parsed body so tests
can inspect the mismatch.

tests/model_serving/maas_billing/maas_subscription/conftest.py (1)

389-410: ⚠️ Potential issue | 🟠 Major

This shared fixture is now free-subscription-specific and leaves a live key behind.

maas_headers_for_actor_api_key is still used by the premium-path consumer in tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py Lines 75-97, so pinning every key here to maas_subscription_tinyllama_free.name changes the fixture contract from “actor-scoped” to “free-subscription-scoped”. Because the fixture returns instead of yielding, each class also leaves an active API key behind after teardown (CWE-459). Parameterize the target subscription per consumer and revoke it in fixture teardown.

As per coding guidelines, "Focus on security, test structure and coding style adherence in new code introduced."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/model_serving/maas_billing/maas_subscription/conftest.py` around lines
389 - 410, The fixture maas_headers_for_actor_api_key currently hardcodes
subscription=maas_subscription_tinyllama_free.name and returns a live API key,
which changes its contract and leaks keys; change the fixture to accept a
parameter (e.g., target_subscription) and pass that into the create_api_key call
instead of maas_subscription_tinyllama_free.name, convert the fixture to yield
so you can perform teardown, capture the created API key identifier from
create_api_key, and revoke it in the teardown using the existing revoke API
helper (or appropriate revoke function) so consumers like
tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py
can parametrize the fixture for free vs premium paths and no keys are left
active after tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/model_serving/maas_billing/maas_subscription/conftest.py`:
- Around line 554-570: The loop waiting for Kuadrant AuthPolicy enforcement
(using extra_auth_policy, auth_policies, kuadrant_wait_timeout, LOGGER) must
fail the fixture on timeout instead of logging a warning and proceeding; replace
the else-case after the while with raising an AssertionError (or pytest.fail)
that includes the name and timeout so the test aborts when authPolicies are not
both accepted and enforced, ensuring downstream tests don't run on an invalid
precondition.

In
`@tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py`:
- Around line 125-133: The test currently treats both 401 and 403 as acceptable
results which lets an authentication failure mask an authorization check; in the
test function (test_wrong_group_sa_denied_on_premium_model) change the assertion
to require resp.status_code == 403 (and update any expected_statuses passed into
the request helper so it no longer includes 401) so the test only accepts an
authenticated-but-forbidden response; alternatively, if you need to validate
authentication failures separately, split into a second test that asserts
resp.status_code == 401 for authn-negative cases using the same request helper
and resp variable.

---

Outside diff comments:
In `@tests/model_serving/maas_billing/maas_subscription/conftest.py`:
- Around line 389-410: The fixture maas_headers_for_actor_api_key currently
hardcodes subscription=maas_subscription_tinyllama_free.name and returns a live
API key, which changes its contract and leaks keys; change the fixture to accept
a parameter (e.g., target_subscription) and pass that into the create_api_key
call instead of maas_subscription_tinyllama_free.name, convert the fixture to
yield so you can perform teardown, capture the created API key identifier from
create_api_key, and revoke it in the teardown using the existing revoke API
helper (or appropriate revoke function) so consumers like
tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py
can parametrize the fixture for free vs premium paths and no keys are left
active after tests.

In `@tests/model_serving/maas_billing/maas_subscription/utils.py`:
- Around line 190-213: The create API-key helper currently only sends
payload["subscription"] to api_keys_url but does not verify it was persisted;
update the function that builds payload (using api_key_name, expires_in,
subscription) to validate the stored subscription by parsing the create response
body (ensure it contains the created key id and stored subscription) or by
performing a follow-up GET to /v1/api-keys/{id} and comparing the returned
"subscription" field to the requested subscription; if raise_on_error is True
assert the values match (or raise AssertionError) and if False return the
response and parsed body so tests can inspect the mismatch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 07d8592d-9573-40d5-a366-0ac364b3e638

📥 Commits

Reviewing files that changed from the base of the PR and between 8a67a44 and a95386b.

📒 Files selected for processing (5)

• tests/model_serving/maas_billing/conftest.py
• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py`:
- Line 42: Add a missing type annotation for the test fixture parameter: update
the test function signature to annotate maas_subscription_tinyllama_premium with
MaaSSubscription, and add the corresponding import for MaaSSubscription at the
top of the test file so the type is resolved; modify the function that
references maas_subscription_tinyllama_premium (e.g., the test in
test_maas_sub_enforcement.py) to use the annotated parameter.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: d09cd165-946e-48d8-a75c-b5906fb73a3e

📥 Commits

Reviewing files that changed from the base of the PR and between a95386b and 1ba2154.

📒 Files selected for processing (4)

• tests/model_serving/maas_billing/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

🚧 Files skipped from review as they are similar to previous changes (3)

• tests/model_serving/maas_billing/conftest.py
• tests/model_serving/maas_billing/maas_subscription/utils.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py

[coderabbitai]

🧹 Nitpick comments (1)

tests/model_serving/maas_billing/maas_subscription/conftest.py (1)

227-232: Teardown ignores revoke_api_key failures silently.

The existing three_active_api_key_ids fixture (lines 514-521) validates revoke responses and raises on unexpected status codes. These new fixtures discard the response entirely, masking cleanup failures (e.g., 500 from gateway, network timeouts) that could indicate environment instability.

Add status checks consistent with the established pattern:

Proposed fix

     yield body["key"]
-    revoke_api_key(
+    revoke_resp, _ = revoke_api_key(
         request_session_http=request_session_http,
         base_url=base_url,
         key_id=body["id"],
         ocp_user_token=ocp_token_for_actor,
     )
+    if revoke_resp.status_code not in (200, 404):
+        LOGGER.warning(
+            f"Unexpected status {revoke_resp.status_code} revoking key id={body['id']}"
+        )

Apply the same change to both api_key_bound_to_free_subscription (lines 227-232) and api_key_bound_to_premium_subscription (lines 256-261).

Also applies to: 256-261

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/model_serving/maas_billing/maas_subscription/conftest.py` around lines
227 - 232, The teardown currently calls revoke_api_key and discards its result,
hiding failures; update the fixtures api_key_bound_to_free_subscription and
api_key_bound_to_premium_subscription to capture the response from
revoke_api_key, verify the HTTP status (matching the pattern used in
three_active_api_key_ids), and raise or assert if the status is not the expected
success code so cleanup failures (500s, timeouts) surface; locate the
revoke_api_key calls in those fixtures and add the same status check/raise logic
used in three_active_api_key_ids.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/model_serving/maas_billing/maas_subscription/conftest.py`:
- Around line 227-232: The teardown currently calls revoke_api_key and discards
its result, hiding failures; update the fixtures
api_key_bound_to_free_subscription and api_key_bound_to_premium_subscription to
capture the response from revoke_api_key, verify the HTTP status (matching the
pattern used in three_active_api_key_ids), and raise or assert if the status is
not the expected success code so cleanup failures (500s, timeouts) surface;
locate the revoke_api_key calls in those fixtures and add the same status
check/raise logic used in three_active_api_key_ids.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5115e710-8f66-4184-b614-9582a3c84fbe

📥 Commits

Reviewing files that changed from the base of the PR and between 1ba2154 and 44f83de.

📒 Files selected for processing (4)

• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

✅ Files skipped from review due to trivial changes (1)

• tests/model_serving/maas_billing/maas_subscription/utils.py

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py
• tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.

[SB159]

/cherry-pick 3.4ea2

[rhods-ci-bot]

Error cherry-picking.

Auto-merging tests/model_serving/maas_billing/maas_subscription/conftest.py
Auto-merging tests/model_serving/maas_billing/maas_subscription/test_maas_auth_enforcement.py
Auto-merging tests/model_serving/maas_billing/maas_subscription/test_maas_sub_enforcement.py
Auto-merging tests/model_serving/maas_billing/maas_subscription/utils.py
CONFLICT (content): Merge conflict in tests/model_serving/maas_billing/maas_subscription/utils.py
error: could not apply 2f23786... fix: update MaaS tests for subscription binding and fix gateway 500 e… (#1303)
hint: After resolving the conflicts, mark them with
hint: "git add/rm ", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

[rhods-ci-bot]

‼️ cherry pick action failed.
See: https://github.com/opendatahub-io/opendatahub-tests/actions/runs/23649608208