Skip to content

fix: replace x-maas-subscription header with subscription-bound API keys in MaaS tests(pr 584) #1320

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sheltoncyril merged 3 commits into from
Mar 30, 2026
+174 −115
Merged

fix: replace x-maas-subscription header with subscription-bound API keys in MaaS tests(pr 584) #1320

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cd15c72
update test for pr 584
SB159 Mar 27, 2026
b73b79d
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Mar 28, 2026
15deab3
Merge branch 'main' into fix/update-tests-for-pr584
dbasunag Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
129 changes: 128 additions & 1 deletion tests/model_serving/maas_billing/maas_subscription/conftest.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,133 @@ def maas_headers_for_actor_api_key(maas_api_key_for_actor: str) -> dict[str, str
return build_maas_headers(token=maas_api_key_for_actor)


@pytest.fixture(scope="function")
def extra_subscription_with_api_key(
request_session_http: requests.Session,
base_url: str,
ocp_token_for_actor: str,
admin_client: DynamicClient,
maas_free_group: str,
maas_model_tinyllama_free: MaaSModelRef,
maas_subscription_namespace: Namespace,
maas_subscription_tinyllama_free: MaaSSubscription,
maas_subscription_controller_enabled_latest: None,
maas_gateway_api: None,
maas_api_gateway_reachable: None,
) -> Generator[str, Any, Any]:
"""
Creates an extra subscription (for nonexistent-group, priority=1) and an API key
bound to the original free subscription. Verifies the user's key still works even
with a second subscription present (OR-logic fix). Revokes key on teardown.
"""
with create_maas_subscription(
admin_client=admin_client,
subscription_namespace=maas_subscription_namespace.name,
subscription_name="extra-subscription",
owner_group_name="nonexistent-group-xyz",
model_name=maas_model_tinyllama_free.name,
model_namespace=maas_model_tinyllama_free.namespace,
tokens_per_minute=999,
window="1m",
priority=1,
teardown=True,
wait_for_resource=True,
) as extra_subscription:
extra_subscription.wait_for_condition(condition="Ready", status="True", timeout=300)
_, body = create_api_key(
base_url=base_url,
ocp_user_token=ocp_token_for_actor,
request_session_http=request_session_http,
api_key_name=f"e2e-one-of-two-{generate_random_name()}",
subscription=maas_subscription_tinyllama_free.name,
)
yield body["key"]
revoke_api_key(
request_session_http=request_session_http,
base_url=base_url,
key_id=body["id"],
ocp_user_token=ocp_token_for_actor,
)


@pytest.fixture(scope="function")
def high_tier_subscription_with_api_key(
request_session_http: requests.Session,
base_url: str,
ocp_token_for_actor: str,
admin_client: DynamicClient,
maas_free_group: str,
maas_model_tinyllama_free: MaaSModelRef,
maas_subscription_namespace: Namespace,
maas_subscription_tinyllama_free: MaaSSubscription,
maas_subscription_controller_enabled_latest: None,
maas_gateway_api: None,
maas_api_gateway_reachable: None,
) -> Generator[str, Any, Any]:
"""
Creates a high-priority subscription (priority=10) for the free group and an API key
bound to it. Returns the API key. Revokes key and cleans up subscription on teardown.
"""
with create_maas_subscription(
admin_client=admin_client,
subscription_namespace=maas_subscription_namespace.name,
subscription_name="high-tier-subscription",
owner_group_name=maas_free_group,
model_name=maas_model_tinyllama_free.name,
model_namespace=maas_model_tinyllama_free.namespace,
tokens_per_minute=9999,
window="1m",
priority=10,
teardown=True,
wait_for_resource=True,
) as high_tier_subscription:
high_tier_subscription.wait_for_condition(condition="Ready", status="True", timeout=300)
_, body = create_api_key(
base_url=base_url,
ocp_user_token=ocp_token_for_actor,
request_session_http=request_session_http,
api_key_name=f"e2e-high-tier-{generate_random_name()}",
subscription=high_tier_subscription.name,
)
yield body["key"]
revoke_api_key(
request_session_http=request_session_http,
base_url=base_url,
key_id=body["id"],
ocp_user_token=ocp_token_for_actor,
)


@pytest.fixture(scope="function")
def api_key_bound_to_system_auth_subscription(
request_session_http: requests.Session,
base_url: str,
ocp_token_for_actor: str,
premium_system_authenticated_access: dict,
maas_subscription_controller_enabled_latest: None,
maas_gateway_api: None,
maas_api_gateway_reachable: None,
) -> Generator[str, Any, Any]:
"""
API key bound to the system:authenticated subscription on the premium model.
Used for tests that verify OR-logic auth policy access. Revoked on teardown.
"""
_, body = create_api_key(
base_url=base_url,
ocp_user_token=ocp_token_for_actor,
request_session_http=request_session_http,
api_key_name=f"e2e-system-auth-{generate_random_name()}",
subscription=premium_system_authenticated_access["subscription"].name,
)
yield body["key"]
revoke_api_key(
request_session_http=request_session_http,
base_url=base_url,
key_id=body["id"],
ocp_user_token=ocp_token_for_actor,
)


@pytest.fixture(scope="class")
def api_key_bound_to_free_subscription(
request_session_http: requests.Session,
Expand Down Expand Up @@ -369,7 +496,7 @@ def premium_system_authenticated_access(
model_namespace=maas_model_tinyllama_premium.namespace,
tokens_per_minute=100,
window="1m",
priority=0,
priority=1,
teardown=True,
wait_for_resource=True,
) as system_authenticated_subscription,
Expand Down
34 changes: 12 additions & 22 deletions tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,10 @@
chat_payload_for_url,
poll_expected_status,
)
from tests.model_serving.maas_billing.utils import build_maas_headers

LOGGER = structlog.get_logger(name=__name__)

MAAS_SUBSCRIPTION_HEADER = "x-maas-subscription"


@pytest.mark.usefixtures(
"maas_unprivileged_model_namespace",
Expand All @@ -31,21 +30,18 @@ def test_premium_model_denies_free_actor_by_default(
self,
request_session_http: requests.Session,
model_url_tinyllama_premium: str,
maas_subscription_tinyllama_premium,
maas_headers_for_actor_api_key: dict[str, str],
) -> None:
"""
Verify FREE actor is denied by default on the premium model.
The API key is not bound to the premium subscription, and auth policy denies the free group.
"""

baseline_headers = dict(maas_headers_for_actor_api_key)
baseline_headers[MAAS_SUBSCRIPTION_HEADER] = maas_subscription_tinyllama_premium.name
baseline_payload = chat_payload_for_url(model_url=model_url_tinyllama_premium)

baseline_response = poll_expected_status(
request_session_http=request_session_http,
model_url=model_url_tinyllama_premium,
headers=baseline_headers,
headers=maas_headers_for_actor_api_key,
payload=baseline_payload,
expected_statuses={403},
)
Expand All @@ -61,18 +57,14 @@ def test_two_auth_policies_or_logic_allows_access(
self,
request_session_http: requests.Session,
model_url_tinyllama_premium: str,
maas_headers_for_actor_api_key: dict[str, str],
premium_system_authenticated_access,
api_key_bound_to_system_auth_subscription: str,
) -> None:
"""
Verify FREE actor can access the premium model when an extra AuthPolicy
and matching subscription for system:authenticated exist.
API key is minted and bound to the system:authenticated subscription at creation time.
"""

payload = chat_payload_for_url(model_url=model_url_tinyllama_premium)
explicit_headers = dict(maas_headers_for_actor_api_key)
explicit_headers[MAAS_SUBSCRIPTION_HEADER] = premium_system_authenticated_access["subscription"].name

LOGGER.info(
f"Polling for 200 on premium model with OR auth policy: "
f"auth_policy={premium_system_authenticated_access['auth_policy'].name}, "
Expand All @@ -82,11 +74,10 @@ def test_two_auth_policies_or_logic_allows_access(
response = poll_expected_status(
request_session_http=request_session_http,
model_url=model_url_tinyllama_premium,
headers=explicit_headers,
payload=payload,
headers=build_maas_headers(token=api_key_bound_to_system_auth_subscription),
payload=chat_payload_for_url(model_url=model_url_tinyllama_premium),
expected_statuses={200},
)

assert response.status_code == 200, (
f"Expected 200 with second AuthPolicy (OR logic), got {response.status_code}: {(response.text or '')[:200]}"
)
Expand All @@ -97,21 +88,20 @@ def test_delete_extra_auth_policy_denies_access_on_premium_model(
self,
request_session_http: requests.Session,
model_url_tinyllama_premium: str,
maas_headers_for_actor_api_key: dict[str, str],
premium_system_authenticated_access,
api_key_bound_to_system_auth_subscription: str,
) -> None:
"""
Verify FREE actor loses access again after the extra AuthPolicy is deleted.
API key is minted and bound to the system:authenticated subscription at creation time.
"""

headers = build_maas_headers(token=api_key_bound_to_system_auth_subscription)
payload = chat_payload_for_url(model_url=model_url_tinyllama_premium)
explicit_headers = dict(maas_headers_for_actor_api_key)
explicit_headers[MAAS_SUBSCRIPTION_HEADER] = premium_system_authenticated_access["subscription"].name

poll_expected_status(
request_session_http=request_session_http,
model_url=model_url_tinyllama_premium,
headers=explicit_headers,
headers=headers,
payload=payload,
expected_statuses={200},
)
Expand All @@ -121,7 +111,7 @@ def test_delete_extra_auth_policy_denies_access_on_premium_model(
response = poll_expected_status(
request_session_http=request_session_http,
model_url=model_url_tinyllama_premium,
headers=explicit_headers,
headers=headers,
payload=payload,
expected_statuses={403},
)
Expand Down
Loading
Loading