<?xml version="1.0" encoding="utf-8"?><!--
  JUnit-style XML report written by pytest for test/e2e/tests/test_api_keys.py:
  8 tests, 5 failures, 0 errors, 0 skipped. The three TestAPIKeyCRUD cases carry
  no failure child; every TestAPIKeyAuthorization and TestAPIKeyBulkOperations
  case failed because a POST to the api-keys endpoint answered HTTP 500.

  NOTE(review): an HTTP 500 is a server error, not an authorization decision.
  This run therefore neither confirms nor refutes the access-control behaviour
  these tests target; rerun once the endpoint stops returning 500.
  test_create_api_key passed in the same run, so key creation is presumably not
  failing unconditionally (TODO confirm against the server logs).

  NOTE(review): each failure body embeds pytest's repr of the headers and
  admin_headers fixtures, i.e. Authorization: Bearer values. The middle of each
  value is elided ("..."), but the first token segment (it decodes to a JWT
  header naming RS256 and a key id) and the tail remain readable, next to the
  cluster route and the pod hostname. Handle this artifact as sensitive: keep
  it out of public logs and mask the Authorization header before reports are
  archived. Presumably these are short-lived test credentials (TODO confirm).
--><testsuites name="pytest tests"><testsuite name="pytest" errors="0" failures="5" skipped="0" tests="8" time="1.184" timestamp="2026-06-08T21:24:50.314349+00:00" hostname="maas-group-test-dg6z6-e2e-maas-openshift-pod"><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_create_api_key" time="0.114" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_list_api_keys" time="0.191" /><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyCRUD" name="test_revoke_api_key" time="0.131" /><!-- Failed during setup: the regular user's key-creation POST returned 500, so the admin list/revoke steps named in the docstring were never reached. --><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyAuthorization" name="test_admin_manage_other_users_keys" time="0.032"><failure message="assert 500 in (200, 201)&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeyAuthorization object at 0x7fb774a09cd0&gt;
api_keys_base_url = 'https://maas.apps.eeb8827a-1dd0-4b97-976f-c65409b72f82.prod.konfluxeaas.com/maas-api/v1/api-keys'
headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...BnKCGXuf-sRYhd-UXaAvBymro-78YUAG5DbX1MKbsz_ByR_OT6yMxJGzP14p4IjIUC1pmnUvr7rZKj25Q', 'Content-Type': 'application/json'}
admin_headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...tzrCD8Ecy3vBZ9VIYE9q7GM86mHMHDMMxG0dHEaRD4jirGWbyZyhQ_aIp2A-lgZTUajB4LKxu35efRN3w', 'Content-Type': 'application/json'}

    def test_admin_manage_other_users_keys(self, api_keys_base_url: str, headers: dict, admin_headers: dict):
        """Test 4: Admin can manage other user's keys - list and revoke."""
        if not admin_headers:
            pytest.skip("ADMIN_OC_TOKEN not set")
    
        # Create key as regular user
        r_create = requests.post(api_keys_base_url, headers=headers, json={"name": "regular-user-key"}, timeout=30, verify=TLS_VERIFY)
&gt;       assert r_create.status_code in (200, 201)
E       assert 500 in (200, 201)
E        +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:239: AssertionError</failure></testcase><!-- Failed during setup: the admin's key-creation POST returned 500, so the cross-user denial (404 rather than 403, per the docstring) was not exercised in this run. --><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyAuthorization" name="test_non_admin_cannot_access_other_users_keys" time="0.035"><failure message="assert 500 in (200, 201)&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeyAuthorization object at 0x7fb774a09490&gt;
api_keys_base_url = 'https://maas.apps.eeb8827a-1dd0-4b97-976f-c65409b72f82.prod.konfluxeaas.com/maas-api/v1/api-keys'
headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...BnKCGXuf-sRYhd-UXaAvBymro-78YUAG5DbX1MKbsz_ByR_OT6yMxJGzP14p4IjIUC1pmnUvr7rZKj25Q', 'Content-Type': 'application/json'}
admin_headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...tzrCD8Ecy3vBZ9VIYE9q7GM86mHMHDMMxG0dHEaRD4jirGWbyZyhQ_aIp2A-lgZTUajB4LKxu35efRN3w', 'Content-Type': 'application/json'}

    def test_non_admin_cannot_access_other_users_keys(self, api_keys_base_url: str, headers: dict, admin_headers: dict):
        """Test 5: Non-admin cannot access other user's keys - verify denial.
    
        Note: API returns 404 instead of 403 for IDOR protection (prevents key enumeration).
        This is a security best practice - returning 403 would reveal the key exists.
        """
        if not admin_headers:
            pytest.skip("ADMIN_OC_TOKEN not set")
    
        # Admin creates a key
        r_admin = requests.post(api_keys_base_url, headers=admin_headers, json={"name": "admin-only-key"}, timeout=30, verify=TLS_VERIFY)
&gt;       assert r_admin.status_code in (200, 201)
E       assert 500 in (200, 201)
E        +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:284: AssertionError</failure></testcase><!-- Failed while creating the keys to be revoked (500 inside the creation loop); the excerpt ends at that assert, so no bulk-revoke call is shown. --><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_own_keys" time="0.034"><failure message="assert 500 in (200, 201)&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeyBulkOperations object at 0x7fb774a09100&gt;
api_keys_base_url = 'https://maas.apps.eeb8827a-1dd0-4b97-976f-c65409b72f82.prod.konfluxeaas.com/maas-api/v1/api-keys'
headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...BnKCGXuf-sRYhd-UXaAvBymro-78YUAG5DbX1MKbsz_ByR_OT6yMxJGzP14p4IjIUC1pmnUvr7rZKj25Q', 'Content-Type': 'application/json'}

    def test_bulk_revoke_own_keys(self, api_keys_base_url: str, headers: dict):
        """Test 8: Bulk revoke - user can bulk revoke their own keys."""
        # Create multiple keys
        key_ids = []
        for i in range(3):
            r = requests.post(api_keys_base_url, headers=headers, json={"name": f"bulk-test-{i}"}, timeout=30, verify=TLS_VERIFY)
&gt;           assert r.status_code in (200, 201)
E           assert 500 in (200, 201)
E            +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:306: AssertionError</failure></testcase><!-- The one failure that reached the authorization request itself: the bulk-revoke POST for another username returned 500 with an empty body instead of 403. NOTE(review): the strict "== 403" assertion is what keeps a server error from passing as a denial; whether any keys were revoked is not visible here and should be checked server side. --><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_other_user_forbidden" time="0.033"><failure message="AssertionError: Expected 403, got 500: &#10;assert 500 == 403&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeyBulkOperations object at 0x7fb774a094c0&gt;
api_keys_base_url = 'https://maas.apps.eeb8827a-1dd0-4b97-976f-c65409b72f82.prod.konfluxeaas.com/maas-api/v1/api-keys'
headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...BnKCGXuf-sRYhd-UXaAvBymro-78YUAG5DbX1MKbsz_ByR_OT6yMxJGzP14p4IjIUC1pmnUvr7rZKj25Q', 'Content-Type': 'application/json'}

    def test_bulk_revoke_other_user_forbidden(self, api_keys_base_url: str, headers: dict):
        """Test 9: Bulk revoke - non-admin cannot bulk revoke other user's keys."""
        # Try to bulk revoke another user's keys (should fail with 403)
        r_bulk = requests.post(
            f"{api_keys_base_url}/bulk-revoke",
            headers=headers,
            json={"username": "someotheruser"},
            timeout=30,
            verify=TLS_VERIFY
        )
&gt;       assert r_bulk.status_code == 403, f"Expected 403, got {r_bulk.status_code}: {r_bulk.text}"
E       AssertionError: Expected 403, got 500: 
E       assert 500 == 403
E        +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:343: AssertionError</failure></testcase><!-- Failed during setup: the regular user's key-creation POST returned 500, so the admin bulk revoke named in the docstring was never reached. --><testcase classname="test.e2e.tests.test_api_keys.TestAPIKeyBulkOperations" name="test_bulk_revoke_admin_can_revoke_any_user" time="0.033"><failure message="assert 500 in (200, 201)&#10; +  where 500 = &lt;Response [500]&gt;.status_code">self = &lt;test_api_keys.TestAPIKeyBulkOperations object at 0x7fb774a09f70&gt;
api_keys_base_url = 'https://maas.apps.eeb8827a-1dd0-4b97-976f-c65409b72f82.prod.konfluxeaas.com/maas-api/v1/api-keys'
headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...BnKCGXuf-sRYhd-UXaAvBymro-78YUAG5DbX1MKbsz_ByR_OT6yMxJGzP14p4IjIUC1pmnUvr7rZKj25Q', 'Content-Type': 'application/json'}
admin_headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkpzM2xHLVZfSWEwSzJBdUZXS3dvcmFHTW44S0g1R2RKT3JfTDBqdGZWXzAifQ.e...tzrCD8Ecy3vBZ9VIYE9q7GM86mHMHDMMxG0dHEaRD4jirGWbyZyhQ_aIp2A-lgZTUajB4LKxu35efRN3w', 'Content-Type': 'application/json'}

    def test_bulk_revoke_admin_can_revoke_any_user(self, api_keys_base_url: str, headers: dict, admin_headers: dict):
        """Test 10: Bulk revoke - admin can bulk revoke any user's keys."""
        if not admin_headers:
            pytest.skip("ADMIN_OC_TOKEN not set")
    
        # Create a key as regular user
        r = requests.post(api_keys_base_url, headers=headers, json={"name": "admin-bulk-revoke-test"}, timeout=30, verify=TLS_VERIFY)
&gt;       assert r.status_code in (200, 201)
E       assert 500 in (200, 201)
E        +  where 500 = &lt;Response [500]&gt;.status_code

test/e2e/tests/test_api_keys.py:353: AssertionError</failure></testcase></testsuite></testsuites>