fix: replace x-maas-subscription header with subscription-bound API keys in MaaS tests(pr 584)#1320
Merged
sheltoncyril merged 3 commits intoopendatahub-io:mainfrom Mar 30, 2026
Conversation
|
The following are automatically added/executed:
Available user actions:
Supported labels{'/build-push-pr-image', '/verified', '/wip', '/hold', '/cherry-pick', '/lgtm'} |
Contributor
|
Caution Review failedPull request was closed or merged during review 📝 WalkthroughWalkthroughThis pull request refactors MaaS billing tests by introducing three new pytest fixtures for managing API key lifecycle (minting and revocation), replacing manual header/subscription header manipulation with fixture-based patterns and consolidated Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes 🚥 Pre-merge checks | ✅ 1 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (1)
tests/model_serving/maas_billing/maas_subscription/utils.py (1)
216-235: Retry logic is functional; consider logging retry count for observability.The retry handles transient 500s from DB sync correctly. The fixed 10-second interval is acceptable for test infrastructure. One improvement: log how many retries occurred before success/failure to aid debugging slow syncs.
_retry_deadline = time.monotonic() + 300 + _retry_count = 0 while True: response = request_session_http.post( url=api_keys_url, headers={ "Authorization": f"Bearer {ocp_user_token}", "Content-Type": "application/json", }, json=payload, timeout=request_timeout_seconds, ) if response.status_code != 500 or time.monotonic() >= _retry_deadline: break + _retry_count += 1 LOGGER.warning( - f"create_api_key: url={api_keys_url} status=500 (DB not synced yet), retrying in 10s" + f"create_api_key: url={api_keys_url} status=500 (DB not synced yet), retry #{_retry_count} in 10s" ) time.sleep(10) - LOGGER.info(f"create_api_key: url={api_keys_url} status={response.status_code}") + LOGGER.info(f"create_api_key: url={api_keys_url} status={response.status_code} retries={_retry_count}")🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tests/model_serving/maas_billing/maas_subscription/utils.py` around lines 216 - 235, Add a retry counter around the existing retry loop in the create_api_key flow: initialize retry_count = 0 before the while True, increment retry_count each time you hit a 500 and log it in the existing LOGGER.warning (include retry_count and perhaps elapsed time), and after the loop (once you break) emit a final log with the total retry_count and final response.status_code so callers can see how many retries occurred; refer to the variables and symbols in the snippet such as _retry_deadline, request_session_http.post, api_keys_url, ocp_user_token, response, and LOGGER to locate where to update logs.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@tests/model_serving/maas_billing/maas_subscription/utils.py`:
- Around line 216-235: Add a retry counter around the existing retry loop in the
create_api_key flow: initialize retry_count = 0 before the while True, increment
retry_count each time you hit a 500 and log it in the existing LOGGER.warning
(include retry_count and perhaps elapsed time), and after the loop (once you
break) emit a final log with the total retry_count and final
response.status_code so callers can see how many retries occurred; refer to the
variables and symbols in the snippet such as _retry_deadline,
request_session_http.post, api_keys_url, ocp_user_token, response, and LOGGER to
locate where to update logs.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 75f8152f-b3c6-4893-b958-fe71a8133ca9
📒 Files selected for processing (5)
tests/model_serving/maas_billing/conftest.pytests/model_serving/maas_billing/maas_subscription/conftest.pytests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.pytests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.pytests/model_serving/maas_billing/maas_subscription/utils.py
SB159
force-pushed
the
fix/update-tests-for-pr584
branch
from
e3f8bb1 to
ba1009a
Compare
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py (1)
56-79:⚠️ Potential issue | 🟠 MajorAdd an unbound-key control in the OR-policy test to catch authorization bypass regressions.
Line 77 validates only the bound-key success path. There is no assertion that an unbound FREE actor key is still denied under the same
premium_system_authenticated_accessstate, so this test can miss an access-control widening (CWE-863).Suggested patch
def test_two_auth_policies_or_logic_allows_access( self, request_session_http: requests.Session, model_url_tinyllama_premium: str, premium_system_authenticated_access, + maas_headers_for_actor_api_key: dict[str, str], api_key_bound_to_system_auth_subscription: str, ) -> None: @@ + denied_response = poll_expected_status( + request_session_http=request_session_http, + model_url=model_url_tinyllama_premium, + headers=maas_headers_for_actor_api_key, + payload=chat_payload_for_url(model_url=model_url_tinyllama_premium), + expected_statuses={403}, + ) + assert denied_response.status_code == 403 + response = poll_expected_status( request_session_http=request_session_http, model_url=model_url_tinyllama_premium, headers=build_maas_headers(token=api_key_bound_to_system_auth_subscription), payload=chat_payload_for_url(model_url=model_url_tinyllama_premium), expected_statuses={200}, )As per coding guidelines "Focus on security, test structure and coding style adherence in new code introduced".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py` around lines 56 - 79, Add a negative control using an unbound FREE actor key inside test_two_auth_policies_or_logic_allows_access: after the existing successful poll_expected_status call (which uses api_key_bound_to_system_auth_subscription), call poll_expected_status again against the same model_url_tinyllama_premium and chat_payload_for_url but with headers from build_maas_headers(token=api_key_free_unbound) (or create a one-off unbound/free API key fixture) and assert the request is denied (expected_statuses set to a non-200 like {403} or {401}); ensure you reference premium_system_authenticated_access to keep the same OR-policy state and reuse the same helper functions (poll_expected_status, build_maas_headers, chat_payload_for_url) so the test covers both bound-success and unbound-deny paths.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Outside diff comments:
In
`@tests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.py`:
- Around line 56-79: Add a negative control using an unbound FREE actor key
inside test_two_auth_policies_or_logic_allows_access: after the existing
successful poll_expected_status call (which uses
api_key_bound_to_system_auth_subscription), call poll_expected_status again
against the same model_url_tinyllama_premium and chat_payload_for_url but with
headers from build_maas_headers(token=api_key_free_unbound) (or create a one-off
unbound/free API key fixture) and assert the request is denied
(expected_statuses set to a non-200 like {403} or {401}); ensure you reference
premium_system_authenticated_access to keep the same OR-policy state and reuse
the same helper functions (poll_expected_status, build_maas_headers,
chat_payload_for_url) so the test covers both bound-success and unbound-deny
paths.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 97cf05a8-acce-43c6-bf8b-8c709be8559d
📒 Files selected for processing (5)
tests/model_serving/maas_billing/conftest.pytests/model_serving/maas_billing/maas_subscription/conftest.pytests/model_serving/maas_billing/maas_subscription/test_multiple_auth_policies_per_model.pytests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.pytests/model_serving/maas_billing/maas_subscription/utils.py
✅ Files skipped from review due to trivial changes (1)
- tests/model_serving/maas_billing/conftest.py
🚧 Files skipped from review as they are similar to previous changes (3)
- tests/model_serving/maas_billing/maas_subscription/utils.py
- tests/model_serving/maas_billing/maas_subscription/conftest.py
- tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_per_model.py
Signed-off-by: Swati Mukund Bagal <sbagal@redhat.com>
SB159
force-pushed
the
fix/update-tests-for-pr584
branch
from
e6684be to
cd15c72
Compare
for more information, see https://pre-commit.ci
dbasunag
approved these changes
Mar 30, 2026
SB159
changed the title
|
Status of building tag latest: success. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Summary
update test for pr 584
Related Issues
Please review and indicate how it has been tested
Additional Requirements
Summary by CodeRabbit