<?xml version="1.0" encoding="utf-8"?><!-- Review note: pytest JUnit report, 44 tests with 5 failures and 1 skip. All five failures and the skip report HTTP 500 from API key creation: four are raised by the shared helper at test/e2e/tests/test_helper.py:246 and one by the assertion at test/e2e/tests/test_api_keys.py:1414, and the messages show an empty response body, so the cause has to be read from server-side logs. The test_negative_security cases stopped before their checks ran, so this run is no evidence that those controls hold. The captured locals below include oc_token bearer-token values (shortened with "..."); handle this artifact as sensitive and consider masking token arguments in failure output. --><testsuites name="pytest tests"><testsuite name="pytest" errors="0" failures="5" skipped="1" tests="44" time="263.872" timestamp="2026-06-09T15:19:29.062624+00:00" hostname="maas-group-test-bs42d-e2e-maas-openshift-pod"><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_create_api_key" time="0.112" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_list_api_keys" time="0.133" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_revoke_api_key" time="0.100" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyAuthorization" name="test_admin_manage_other_users_keys" time="0.131" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyAuthorization" name="test_non_admin_cannot_access_other_users_keys" time="0.099" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_own_keys" time="0.256" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_other_user_forbidden" time="0.038" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_admin_can_revoke_any_user" time="0.099" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_within_expiration_limit" time="0.032" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_at_expiration_limit" time="0.031" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_exceeds_expiration_limit" time="0.033" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_without_expiration" time="0.033" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyExpiration" name="test_create_key_with_short_expiration" time="0.033" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" 
name="test_api_key_model_access_success" time="0.104" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_invalid_api_key_rejected" time="0.023" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_no_auth_header_rejected" time="0.020" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_revoked_api_key_rejected" time="2.119" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyModelInference" name="test_api_key_chat_completions" time="0.028" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_double_revoke_returns_404" time="0.100" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_revoke_nonexistent_key_returns_404" time="0.035" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_revoke_then_create_new_key_works" time="0.160" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_individual_revoke_multiple_keys" time="0.248" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyRevocationE2E" name="test_revoke_keys_rejected_at_gateway" time="0.313" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_cronjob_exists_and_configured" time="0.107" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_cleanup_networkpolicy_exists" time="0.111" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_create_ephemeral_key" time="0.104" /><testcase classname="test.e2e.tests.test_api_keys.TestEphemeralKeyCleanup" name="test_trigger_cleanup_preserves_active_keys" time="0.503" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_create_key_for_active_subscription" time="11.466" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" 
name="test_create_key_for_degraded_subscription" time="19.212" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_create_key_for_failed_subscription" time="19.347" /><!-- Failure: the status patch to phase Pending was applied and verified by the preceding asserts; the test then stopped when _create_api_key received HTTP 500 with an empty body, where the test expects creation to succeed. --><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_create_key_for_pending_subscription" time="19.314"><failure message="RuntimeError: Failed to create API key: 500">self = &lt;test_api_keys.TestAPIKeySubscriptionPhases object at 0x7f63717f1d90&gt;

    def test_create_key_for_pending_subscription(self):
        """API key creation succeeds for Pending subscription."""
        ns = _ns()
        subscription_name = "e2e-apikey-pending-sub"
        auth_name = "e2e-apikey-pending-auth"
        sa_name = "e2e-apikey-pending-sa"
    
        try:
            oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE)
            sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE)
    
            _create_test_auth_policy(auth_name, MODEL_REF, users=[sa_user])
            _create_test_subscription(subscription_name, MODEL_REF, users=[sa_user])
            _wait_reconcile(seconds=10)
    
            # Patch to Pending phase
            patch_data = {
                "status": {
                    "phase": "Pending",
                    "conditions": [{
                        "type": "Ready",
                        "status": "False",
                        "reason": "Pending",
                        "message": "Reconciliation in progress",
                        "lastTransitionTime": datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
                    }],
                }
            }
    
            cmd = [
                "kubectl", "patch", "maassubscription", subscription_name,
                "-n", ns, "--type=merge", "--subresource=status",
                "-p", json.dumps(patch_data)
            ]
            result = subprocess.run(cmd, capture_output=True, text=True)
            assert result.returncode == 0, f"Failed to patch: {result.stderr}"
    
            cr = _get_cr("maassubscription", subscription_name, namespace=ns)
            phase = cr.get("status", {}).get("phase")
            assert phase == "Pending", f"Expected Pending, got {phase}"
    
            # Create API key (should succeed)
&gt;           api_key = _create_api_key(
                oc_token,
                name="pending-sub-test",
                subscription=subscription_name
            )

test/e2e/tests/test_api_keys.py:1334: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IlVWalJWR0tBQlo3c2FlWGNDVjAtemE3ZmNpQkgwY21LZDM4ODlpb21nR1kifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...S-arJeu-tOPdwdRECCMdAu3qbe9dLRGdWLsBx9iuJZKHMlONagj5H7SAfQyvO1kN9_y5_kXlRKm_plexGrksn0_tBMVMhbGZ-HQ-zvl_GxI6NsaDXgUDCQ'
name = 'pending-sub-test', subscription = 'e2e-apikey-pending-sub'

    def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -&gt; str:
        """Create an API key using the MaaS API and return the plaintext key.
    
        Args:
            oc_token: OC token for authentication with maas-api
            name: Optional name for the key (auto-generated if not provided)
            subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted)
    
        Returns:
            The plaintext API key (sk-oai-xxx format)
        """
        r = _create_api_key_raw(oc_token, name, subscription)
        if r.status_code not in (200, 201):
&gt;           raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}")
E           RuntimeError: Failed to create API key: 500

test/e2e/tests/test_helper.py:246: RuntimeError</failure></testcase><!-- Failure: the API answered 500 with an empty body where the test expects a 400 rejection. The test body shown sets the validating webhook failurePolicy to Ignore and scales the controller down before this assertion; the restore step is not visible in this traceback, so confirm the cluster was returned to failurePolicy Fail and the controller scaled back up after the failed run. --><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionPhases" name="test_reject_key_for_unreconciled_subscription" time="23.135"><failure message="AssertionError: Expected 400 for unreconciled subscription, got 500: &#10;assert 500 == 400&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeySubscriptionPhases object at 0x7f63717f1d60&gt;

    def test_reject_key_for_unreconciled_subscription(self):
        """
        API key creation is rejected for unreconciled subscription (empty phase).
    
        Note: Temporarily sets webhook failurePolicy to Ignore to allow creating
        resources while controller is down, then restores to Fail.
        """
        ns = _ns()
        subscription_name = "e2e-apikey-unreconciled-sub"
        auth_name = "e2e-apikey-unreconciled-auth"
        sa_name = "e2e-apikey-unreconciled-sa"
        webhook_name = "maas-validating-webhook-configuration"
    
        try:
            # Create service account and get token
            oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE)
            sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE)
    
            # Temporarily set webhook failurePolicy to Ignore
            # This allows creates to succeed when controller/webhook is unavailable
            # Find webhook indices dynamically by name to avoid brittleness
            result = subprocess.run(
                ["oc", "get", "validatingwebhookconfiguration", webhook_name, "-o", "json"],
                capture_output=True, text=True, check=True
            )
            webhook_config = json.loads(result.stdout)
            patch_ops = []
            for idx, webhook in enumerate(webhook_config.get("webhooks", [])):
                if webhook.get("name") in ["vmaassubscription.kb.io", "vmaasauthpolicy.kb.io"]:
                    patch_ops.append({"op": "replace", "path": f"/webhooks/{idx}/failurePolicy", "value": "Ignore"})
    
            subprocess.run(
                ["oc", "patch", "validatingwebhookconfiguration", webhook_name,
                 "--type=json", "-p", json.dumps(patch_ops)],
                capture_output=True, text=True, check=True
            )
    
            # Scale down controller to prevent reconciliation
            _scale_controller_down()
    
            # Create resources (webhook unavailable but Ignore policy allows creates)
            _create_test_auth_policy(auth_name, MODEL_REF, users=[sa_user])
            _create_test_subscription(subscription_name, MODEL_REF, users=[sa_user])
    
            # Verify subscription is unreconciled (empty phase)
            cr = _get_cr("maassubscription", subscription_name, namespace=ns)
            phase = cr.get("status", {}).get("phase", "")
            assert phase == "", f"Expected empty phase, got: {phase}"
            log.info("✅ Subscription is unreconciled (empty phase)")
    
            # Try to create API key (should fail with 400)
            response = requests.post(
                f"{_maas_api_url()}/v1/api-keys",
                headers={
                    "Authorization": f"Bearer {oc_token}",
                    "Content-Type": "application/json"
                },
                json={
                    "name": "unreconciled-sub-test",
                    "subscription": subscription_name
                },
                timeout=TIMEOUT,
                verify=TLS_VERIFY,
            )
    
&gt;           assert response.status_code == 400, \
                f"Expected 400 for unreconciled subscription, got {response.status_code}: {response.text}"
E               AssertionError: Expected 400 for unreconciled subscription, got 500: 
E               assert 500 == 400
E                +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:1414: AssertionError</failure></testcase><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionFilter" name="test_search_filters_by_subscription" time="10.172" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeySubscriptionFilter" name="test_search_without_subscription_returns_all" time="0.181" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSAPIWatchNamespace" name="test_subscription_in_subscription_namespace_visible_to_api" time="8.532" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSAPIWatchNamespace" name="test_subscription_in_another_namespace_not_visible_to_api" time="22.554" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSControllerWatchNamespace" name="test_authpolicy_and_subscription_in_maas_subscription_namespace" time="24.032" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestMaaSControllerWatchNamespace" name="test_authpolicy_and_subscription_in_another_namespace" time="29.821" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestModelRef" name="test_auth_policy_model_ref" time="30.839" /><testcase classname="test.e2e.tests.test_namespace_scoping.TestModelRef" name="test_subscription_model_ref" time="30.763" /><!-- Failure in setup: the traceback stops at the key-creation call at test_negative_security.py:83 with HTTP 500, so the check that injected X-MaaS identity headers are ignored did not run. --><testcase classname="test.e2e.tests.test_negative_security.TestHeaderSpoofing" name="test_injected_identity_headers_ignored" time="0.033"><failure message="RuntimeError: Failed to create API key: 500">self = &lt;test_negative_security.TestHeaderSpoofing object at 0x7f63713f68e0&gt;

    def test_injected_identity_headers_ignored(self):
        """Client injects X-MaaS-Username/Group/Key-Id — platform ignores them.
    
        Validates that Authorino strips attacker-controlled identity headers.
        The request should succeed (200) using the real key-derived identity,
        proving the spoofed headers had no effect on authorization.
        """
&gt;       api_key = _create_api_key(_get_cluster_token(), subscription=SIMULATOR_SUBSCRIPTION)

test/e2e/tests/test_negative_security.py:83: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IlVWalJWR0tBQlo3c2FlWGNDVjAtemE3ZmNpQkgwY21LZDM4ODlpb21nR1kifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...dHJW02kAuKd2oLkTYCp8_A5eEYLPJgRz3s2cJJ95S3I1D6M8VRLuSX0ooRfgdyF_TEwXiuBlHBQ8vY77cAzZ4UaWuINQ6c7gOgd5kuoGvueiAzC1C2eHmA'
name = None, subscription = 'simulator-subscription'

    def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -&gt; str:
        """Create an API key using the MaaS API and return the plaintext key.
    
        Args:
            oc_token: OC token for authentication with maas-api
            name: Optional name for the key (auto-generated if not provided)
            subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted)
    
        Returns:
            The plaintext API key (sk-oai-xxx format)
        """
        r = _create_api_key_raw(oc_token, name, subscription)
        if r.status_code not in (200, 201):
&gt;           raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}")
E           RuntimeError: Failed to create API key: 500

test/e2e/tests/test_helper.py:246: RuntimeError</failure></testcase><!-- Failure in setup: the traceback stops at the key-creation call at test_negative_security.py:108 with HTTP 500, so the check that duplicate X-MaaS-Subscription headers cannot override the key binding did not run. --><testcase classname="test.e2e.tests.test_negative_security.TestHeaderSpoofing" name="test_duplicate_subscription_headers_ignored" time="0.032"><failure message="RuntimeError: Failed to create API key: 500">self = &lt;test_negative_security.TestHeaderSpoofing object at 0x7f63713f6b80&gt;

    def test_duplicate_subscription_headers_ignored(self):
        """Client sends multiple X-MaaS-Subscription headers — API key binding wins.
    
        For API key requests, the subscription is fixed at mint time.
        Duplicate or conflicting X-MaaS-Subscription headers must not override
        the key-derived subscription.
        """
&gt;       api_key = _create_api_key(_get_cluster_token(), subscription=SIMULATOR_SUBSCRIPTION)

test/e2e/tests/test_negative_security.py:108: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IlVWalJWR0tBQlo3c2FlWGNDVjAtemE3ZmNpQkgwY21LZDM4ODlpb21nR1kifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...dHJW02kAuKd2oLkTYCp8_A5eEYLPJgRz3s2cJJ95S3I1D6M8VRLuSX0ooRfgdyF_TEwXiuBlHBQ8vY77cAzZ4UaWuINQ6c7gOgd5kuoGvueiAzC1C2eHmA'
name = None, subscription = 'simulator-subscription'

    def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -&gt; str:
        """Create an API key using the MaaS API and return the plaintext key.
    
        Args:
            oc_token: OC token for authentication with maas-api
            name: Optional name for the key (auto-generated if not provided)
            subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted)
    
        Returns:
            The plaintext API key (sk-oai-xxx format)
        """
        r = _create_api_key_raw(oc_token, name, subscription)
        if r.status_code not in (200, 201):
&gt;           raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}")
E           RuntimeError: Failed to create API key: 500

test/e2e/tests/test_helper.py:246: RuntimeError</failure></testcase><!-- Skipped rather than failed: the short-lived key could not be created (500), so expired-key rejection at the gateway was not exercised. A skip can hide this coverage gap in a pass/fail summary. --><testcase classname="test.e2e.tests.test_negative_security.TestExpiredKeyRejection" name="test_expired_key_rejected_at_gateway" time="0.027"><skipped type="pytest.skip" message="Could not create short-lived key: 500">/workspace/source/test/e2e/tests/test_negative_security.py:188: Could not create short-lived key: 500</skipped></testcase><!-- Failure in setup: the traceback stops at the key-creation call at test_negative_security.py:222 with HTTP 500, so cross-model access denial was not tested in this run. --><testcase classname="test.e2e.tests.test_negative_security.TestCrossModelAccess" name="test_key_cannot_access_model_outside_subscription" time="0.032"><failure message="RuntimeError: Failed to create API key: 500">self = &lt;test_negative_security.TestCrossModelAccess object at 0x7f63713f6fa0&gt;

    def test_key_cannot_access_model_outside_subscription(self):
        """Key for model A cannot infer on model B outside its subscription.
    
        Uses the pre-deployed unconfigured model (a model with no subscription
        granting access to it) to test cross-model access denial.
        """
&gt;       api_key = _create_api_key(_get_cluster_token(), subscription=SIMULATOR_SUBSCRIPTION)

test/e2e/tests/test_negative_security.py:222: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IlVWalJWR0tBQlo3c2FlWGNDVjAtemE3ZmNpQkgwY21LZDM4ODlpb21nR1kifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...dHJW02kAuKd2oLkTYCp8_A5eEYLPJgRz3s2cJJ95S3I1D6M8VRLuSX0ooRfgdyF_TEwXiuBlHBQ8vY77cAzZ4UaWuINQ6c7gOgd5kuoGvueiAzC1C2eHmA'
name = None, subscription = 'simulator-subscription'

    def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -&gt; str:
        """Create an API key using the MaaS API and return the plaintext key.
    
        Args:
            oc_token: OC token for authentication with maas-api
            name: Optional name for the key (auto-generated if not provided)
            subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted)
    
        Returns:
            The plaintext API key (sk-oai-xxx format)
        """
        r = _create_api_key_raw(oc_token, name, subscription)
        if r.status_code not in (200, 201):
&gt;           raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}")
E           RuntimeError: Failed to create API key: 500

test/e2e/tests/test_helper.py:246: RuntimeError</failure></testcase></testsuite></testsuites>