fix: replace x-maas-subscription header with subscription-bound API keys in MaaS tests(pr 584)

[SB159]

Pull Request

Summary

update test for pr 584

Related Issues

• Fixes:
• JIRA:

Please review and indicate how it has been tested

• Locally
• Jenkins

Additional Requirements

• If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
• If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

• Tests
  • Refactored MaaS subscription test fixtures with improved API key minting and revocation handling across multiple subscription scenarios.
  • Simplified authentication policy tests by removing manual header manipulation and using improved request header construction.
  • Updated subscription selection tests to use fixture-based approach for cleaner test implementation.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/build-push-pr-image', '/verified', '/wip', '/hold', '/cherry-pick', '/lgtm'}

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This pull request refactors MaaS billing tests by introducing three new pytest fixtures for managing API key lifecycle (minting and revocation), replacing manual header/subscription header manipulation with fixture-based patterns and consolidated build_maas_headers utility calls.

Changes

Cohort / File(s)	Summary
Fixture Setup tests/model_serving/maas_billing/maas_subscription/conftest.py	Added three function-scoped fixtures: extra_subscription_with_api_key, high_tier_subscription_with_api_key, and api_key_bound_to_system_auth_subscription. Each fixture mints an API key and revokes it during teardown. Updated premium_system_authenticated_access to set priority=1 instead of priority=0 for system:authenticated subscription.
Auth Policy Tests tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py	Removed module-level MAAS_SUBSCRIPTION_HEADER constant and all manual header mutation. Three test functions now accept api_key_bound_to_system_auth_subscription fixture parameter and build headers via build_maas_headers(token=...). Added import for build_maas_headers utility.
Multi-Subscription Tests tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py	Removed module-level MAAS_SUBSCRIPTION_HEADER constant and inline subscription creation. Three test functions now use extra_subscription_with_api_key and high_tier_subscription_with_api_key fixtures with build_maas_headers for header construction. One test expanded acceptable rejection statuses from {403, 429} to {401, 403, 429} and changed premium subscription priority from 0 to 2.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	Description is incomplete: summary only says 'update test for pr 584' without explaining what the PR actually changes, why, or how it addresses pr 584; testing and additional requirements remain unchecked.	Expand summary to explicitly describe the x-maas-subscription header replacement with API key binding, explain the rationale, reference pr 584, and check appropriate testing boxes or confirm testing was performed.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title describes the main change: replacing x-maas-subscription header with subscription-bound API keys in MaaS tests, which aligns with the substantial fixture additions and test modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

tests/model_serving/maas_billing/maas_subscription/utils.py (1)

216-235: Retry logic is functional; consider logging retry count for observability.

The retry handles transient 500s from DB sync correctly. The fixed 10-second interval is acceptable for test infrastructure. One improvement: log how many retries occurred before success/failure to aid debugging slow syncs.

     _retry_deadline = time.monotonic() + 300
+    _retry_count = 0
     while True:
         response = request_session_http.post(
             url=api_keys_url,
             headers={
                 "Authorization": f"Bearer {ocp_user_token}",
                 "Content-Type": "application/json",
             },
             json=payload,
             timeout=request_timeout_seconds,
         )
         if response.status_code != 500 or time.monotonic() >= _retry_deadline:
             break
+        _retry_count += 1
         LOGGER.warning(
-            f"create_api_key: url={api_keys_url} status=500 (DB not synced yet), retrying in 10s"
+            f"create_api_key: url={api_keys_url} status=500 (DB not synced yet), retry #{_retry_count} in 10s"
         )
         time.sleep(10)
 
-    LOGGER.info(f"create_api_key: url={api_keys_url} status={response.status_code}")
+    LOGGER.info(f"create_api_key: url={api_keys_url} status={response.status_code} retries={_retry_count}")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/model_serving/maas_billing/maas_subscription/utils.py` around lines 216
- 235, Add a retry counter around the existing retry loop in the create_api_key
flow: initialize retry_count = 0 before the while True, increment retry_count
each time you hit a 500 and log it in the existing LOGGER.warning (include
retry_count and perhaps elapsed time), and after the loop (once you break) emit
a final log with the total retry_count and final response.status_code so callers
can see how many retries occurred; refer to the variables and symbols in the
snippet such as _retry_deadline, request_session_http.post, api_keys_url,
ocp_user_token, response, and LOGGER to locate where to update logs.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/model_serving/maas_billing/maas_subscription/utils.py`:
- Around line 216-235: Add a retry counter around the existing retry loop in the
create_api_key flow: initialize retry_count = 0 before the while True, increment
retry_count each time you hit a 500 and log it in the existing LOGGER.warning
(include retry_count and perhaps elapsed time), and after the loop (once you
break) emit a final log with the total retry_count and final
response.status_code so callers can see how many retries occurred; refer to the
variables and symbols in the snippet such as _retry_deadline,
request_session_http.post, api_keys_url, ocp_user_token, response, and LOGGER to
locate where to update logs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 75f8152f-b3c6-4893-b958-fe71a8133ca9

📥 Commits

Reviewing files that changed from the base of the PR and between 48088ee and 2db10b1.

📒 Files selected for processing (5)

• tests/model_serving/maas_billing/conftest.py
• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py
• tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py (1)

56-79: ⚠️ Potential issue | 🟠 Major

Add an unbound-key control in the OR-policy test to catch authorization bypass regressions.

Line 77 validates only the bound-key success path. There is no assertion that an unbound FREE actor key is still denied under the same premium_system_authenticated_access state, so this test can miss an access-control widening (CWE-863).

Suggested patch

 def test_two_auth_policies_or_logic_allows_access(
     self,
     request_session_http: requests.Session,
     model_url_tinyllama_premium: str,
     premium_system_authenticated_access,
+    maas_headers_for_actor_api_key: dict[str, str],
     api_key_bound_to_system_auth_subscription: str,
 ) -> None:
@@
+    denied_response = poll_expected_status(
+        request_session_http=request_session_http,
+        model_url=model_url_tinyllama_premium,
+        headers=maas_headers_for_actor_api_key,
+        payload=chat_payload_for_url(model_url=model_url_tinyllama_premium),
+        expected_statuses={403},
+    )
+    assert denied_response.status_code == 403
+
     response = poll_expected_status(
         request_session_http=request_session_http,
         model_url=model_url_tinyllama_premium,
         headers=build_maas_headers(token=api_key_bound_to_system_auth_subscription),
         payload=chat_payload_for_url(model_url=model_url_tinyllama_premium),
         expected_statuses={200},
     )

As per coding guidelines "Focus on security, test structure and coding style adherence in new code introduced".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py`
around lines 56 - 79, Add a negative control using an unbound FREE actor key
inside test_two_auth_policies_or_logic_allows_access: after the existing
successful poll_expected_status call (which uses
api_key_bound_to_system_auth_subscription), call poll_expected_status again
against the same model_url_tinyllama_premium and chat_payload_for_url but with
headers from build_maas_headers(token=api_key_free_unbound) (or create a one-off
unbound/free API key fixture) and assert the request is denied
(expected_statuses set to a non-200 like {403} or {401}); ensure you reference
premium_system_authenticated_access to keep the same OR-policy state and reuse
the same helper functions (poll_expected_status, build_maas_headers,
chat_payload_for_url) so the test covers both bound-success and unbound-deny
paths.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In
`@tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py`:
- Around line 56-79: Add a negative control using an unbound FREE actor key
inside test_two_auth_policies_or_logic_allows_access: after the existing
successful poll_expected_status call (which uses
api_key_bound_to_system_auth_subscription), call poll_expected_status again
against the same model_url_tinyllama_premium and chat_payload_for_url but with
headers from build_maas_headers(token=api_key_free_unbound) (or create a one-off
unbound/free API key fixture) and assert the request is denied
(expected_statuses set to a non-200 like {403} or {401}); ensure you reference
premium_system_authenticated_access to keep the same OR-policy state and reuse
the same helper functions (poll_expected_status, build_maas_headers,
chat_payload_for_url) so the test covers both bound-success and unbound-deny
paths.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 97cf05a8-acce-43c6-bf8b-8c709be8559d

📥 Commits

Reviewing files that changed from the base of the PR and between e3f8bb1 and ba1009a.

📒 Files selected for processing (5)

• tests/model_serving/maas_billing/conftest.py
• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py
• tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py
• tests/model_serving/maas_billing/maas_subscription/utils.py

✅ Files skipped from review due to trivial changes (1)

• tests/model_serving/maas_billing/conftest.py

🚧 Files skipped from review as they are similar to previous changes (3)

• tests/model_serving/maas_billing/maas_subscription/utils.py
• tests/model_serving/maas_billing/maas_subscription/conftest.py
• tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py

[sheltoncyril]

/lgtm

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.