test: add MaaS subscription tests (opendatahub-io#1238)

SB159 · pre-commit-ci[bot] · dbasunag · ssaleem-rh · commit 7ea07f0b171b · 2026-03-23T11:23:26.000Z
* test: add MaaS subscription tests Signed-off-by: Swati Mukund Bagal <sbagal@redhat.com> * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * address review comments Signed-off-by: Swati Mukund Bagal <sbagal@redhat.com> * address review comments Signed-off-by: Swati Mukund Bagal <sbagal@redhat.com> --------- Signed-off-by: Swati Mukund Bagal <sbagal@redhat.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Debarati Basu-Nag <dbasunag@redhat.com> Signed-off-by: Shehan Saleem <ssaleem@redhat.com>
diff --git a/tests/model_serving/maas_billing/maas_subscription/conftest.py b/tests/model_serving/maas_billing/maas_subscription/conftest.py
@@ -556,3 +556,67 @@ def premium_system_authenticated_access(
         if extra_auth_policy.exists:
             LOGGER.info(f"Fixture teardown: ensuring AuthPolicy {extra_auth_policy.name} is removed")
             extra_auth_policy.clean_up(wait=True)
+
+
+@pytest.fixture(scope="function")
+def second_free_subscription(
+    admin_client: DynamicClient,
+    maas_free_group: str,
+    maas_model_tinyllama_free: MaaSModelRef,
+    maas_subscription_tinyllama_free: MaaSSubscription,
+) -> Generator[MaaSSubscription, Any, Any]:
+    """
+    Creates a second subscription for maas_free_group on the free model.
+    Used to simulate an ambiguous subscription selection (two qualifying subscriptions,
+    no x-maas-subscription header).
+    """
+    with create_maas_subscription(
+        admin_client=admin_client,
+        subscription_namespace=maas_subscription_tinyllama_free.namespace,
+        subscription_name="e2e-second-free-subscription",
+        owner_group_name=maas_free_group,
+        model_name=maas_model_tinyllama_free.name,
+        model_namespace=maas_model_tinyllama_free.namespace,
+        tokens_per_minute=500,
+        window="1m",
+        priority=5,
+        teardown=True,
+        wait_for_resource=True,
+    ) as second_subscription:
+        second_subscription.wait_for_condition(condition="Ready", status="True", timeout=300)
+        LOGGER.info(
+            f"Created second free subscription {second_subscription.name} for model {maas_model_tinyllama_free.name}"
+        )
+        yield second_subscription
+
+
+@pytest.fixture(scope="function")
+def free_actor_premium_subscription(
+    admin_client: DynamicClient,
+    maas_model_tinyllama_premium: MaaSModelRef,
+    maas_subscription_tinyllama_premium: MaaSSubscription,
+) -> Generator[MaaSSubscription, Any, Any]:
+    """
+    Creates a subscription for system:authenticated on the premium model.
+    Used to verify that having a subscription alone is not sufficient —
+    the actor must also be listed in the model's MaaSAuthPolicy.
+    """
+    with create_maas_subscription(
+        admin_client=admin_client,
+        subscription_namespace=maas_subscription_tinyllama_premium.namespace,
+        subscription_name="e2e-free-actor-premium-sub",
+        owner_group_name="system:authenticated",
+        model_name=maas_model_tinyllama_premium.name,
+        model_namespace=maas_model_tinyllama_premium.namespace,
+        tokens_per_minute=100,
+        window="1m",
+        priority=0,
+        teardown=True,
+        wait_for_resource=True,
+    ) as sub_for_free_actor:
+        sub_for_free_actor.wait_for_condition(condition="Ready", status="True", timeout=300)
+        LOGGER.info(
+            f"Created subscription {sub_for_free_actor.name} for system:authenticated "
+            f"on premium model {maas_model_tinyllama_premium.name}"
+        )
+        yield sub_for_free_actor
diff --git a/tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_no_header.py b/tests/model_serving/maas_billing/maas_subscription/test_multiple_subscriptions_no_header.py
@@ -0,0 +1,68 @@
+from __future__ import annotations
+
+import pytest
+import requests
+from ocp_resources.maas_subscription import MaaSSubscription
+from simple_logger.logger import get_logger
+
+from tests.model_serving.maas_billing.maas_subscription.utils import (
+    chat_payload_for_url,
+    poll_expected_status,
+)
+
+LOGGER = get_logger(name=__name__)
+
+
+@pytest.mark.usefixtures(
+    "maas_unprivileged_model_namespace",
+    "maas_subscription_controller_enabled_latest",
+    "maas_gateway_api",
+    "maas_api_gateway_reachable",
+    "maas_inference_service_tinyllama_free",
+    "maas_model_tinyllama_free",
+    "maas_auth_policy_tinyllama_free",
+    "maas_subscription_tinyllama_free",
+)
+class TestMultipleSubscriptionsNoHeader:
+    """
+    Validates that a token qualifying for multiple subscriptions on the same model
+    is denied when no x-maas-subscription header is provided to disambiguate.
+    """
+
+    @pytest.mark.tier1
+    @pytest.mark.parametrize("ocp_token_for_actor", [{"type": "free"}], indirect=True)
+    def test_multiple_matching_subscriptions_no_header_gets_403(
+        self,
+        request_session_http: requests.Session,
+        model_url_tinyllama_free: str,
+        maas_headers_for_actor_api_key: dict[str, str],
+        second_free_subscription: MaaSSubscription,
+    ) -> None:
+        """
+        Verify that a token qualifying for multiple subscriptions receives 403
+        when no x-maas-subscription header is provided.
+
+        Given two subscriptions for the same model that the free actor qualifies for,
+        when the actor sends a request without the x-maas-subscription header,
+        then the request should be denied with 403 because the subscription
+        selection is ambiguous.
+        """
+        LOGGER.info(
+            f"Testing: free actor has two subscriptions including '{second_free_subscription.name}' "
+            f"with no x-maas-subscription header — expecting 403"
+        )
+
+        payload = chat_payload_for_url(model_url=model_url_tinyllama_free)
+
+        response = poll_expected_status(
+            request_session_http=request_session_http,
+            model_url=model_url_tinyllama_free,
+            headers=maas_headers_for_actor_api_key,
+            payload=payload,
+            expected_statuses={403},
+        )
+
+        assert response.status_code == 403, (
+            f"Expected 403 when multiple subscriptions exist and no header is provided, "
+            f"got {response.status_code}: {(response.text or '')[:200]}"
+        )
diff --git a/tests/model_serving/maas_billing/maas_subscription/test_subscription_without_auth_policy.py b/tests/model_serving/maas_billing/maas_subscription/test_subscription_without_auth_policy.py
@@ -0,0 +1,72 @@
+from __future__ import annotations
+
+import pytest
+import requests
+from ocp_resources.maas_subscription import MaaSSubscription
+from simple_logger.logger import get_logger
+
+from tests.model_serving.maas_billing.maas_subscription.utils import (
+    chat_payload_for_url,
+    poll_expected_status,
+)
+
+LOGGER = get_logger(name=__name__)
+
+MAAS_SUBSCRIPTION_HEADER = "x-maas-subscription"
+
+
+@pytest.mark.usefixtures(
+    "maas_unprivileged_model_namespace",
+    "maas_subscription_controller_enabled_latest",
+    "maas_gateway_api",
+    "maas_api_gateway_reachable",
+    "maas_inference_service_tinyllama_premium",
+    "maas_model_tinyllama_premium",
+    "maas_auth_policy_tinyllama_premium",
+    "maas_subscription_tinyllama_premium",
+)
+class TestSubscriptionWithoutAuthPolicy:
+    """
+    Validates that holding a subscription is not sufficient for model access;
+    the token must also be listed in a MaaSAuthPolicy for the model.
+    """
+
+    @pytest.mark.tier1
+    @pytest.mark.parametrize("ocp_token_for_actor", [{"type": "free"}], indirect=True)
+    def test_subscription_without_auth_policy_gets_403(
+        self,
+        request_session_http: requests.Session,
+        model_url_tinyllama_premium: str,
+        maas_headers_for_actor_api_key: dict[str, str],
+        free_actor_premium_subscription: MaaSSubscription,
+    ) -> None:
+        """
+        Verify that a user with a subscription but without AuthPolicy access
+        to the model gets 403.
+
+        A free user is given a subscription for the premium model,
+        but since the user is not allowed by the model's MaaSAuthPolicy,
+        the request should be denied with 403.
+        """
+        LOGGER.info(
+            f"Testing: free actor has subscription '{free_actor_premium_subscription.name}' "
+            f"but is NOT in premium MaaSAuthPolicy — expecting 403"
+        )
+
+        headers = dict(maas_headers_for_actor_api_key)
+        headers[MAAS_SUBSCRIPTION_HEADER] = free_actor_premium_subscription.name
+
+        payload = chat_payload_for_url(model_url=model_url_tinyllama_premium)
+
+        response = poll_expected_status(
+            request_session_http=request_session_http,
+            model_url=model_url_tinyllama_premium,
+            headers=headers,
+            payload=payload,
+            expected_statuses={403},
+        )
+
+        assert response.status_code == 403, (
+            f"Expected 403 for token with subscription but not in MaaSAuthPolicy, "
+            f"got {response.status_code}: {(response.text or '')[:200]}"
+        )
