self = <test_api_keys.TestAPIKeySubscriptionFilter object at 0x7f4e8ebde3a0> api_keys_base_url = 'https://maas.apps.54a17485-d670-447e-b26c-658967c15186.prod.konfluxeaas.com/maas-api/v1/api-keys' headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjNERk5GWi1KWm51VUMwWEdDY1VfX1dLSzZxZzg0RHU3dHkyME9XdXEzT0kifQ.e...4ouZhzrjcCJLbCZcrmachzeOzpakuAPYkPAcKdBJnxC6klbvoVtQRqFvvDqULkLzcxE1uoty8DQEPq98w', 'Content-Type': 'application/json'} def test_search_filters_by_subscription(self, api_keys_base_url: str, headers: dict): """Search with subscription filter returns only keys bound to that subscription.""" sub_a = f"e2e-filter-sub-a-{os.urandom(4).hex()}" sub_b = f"e2e-filter-sub-b-{os.urandom(4).hex()}" ns = _ns() sa_name = f"e2e-filter-sa-{os.urandom(4).hex()}" key_ids_a = [] key_ids_b = [] try: # Create one SA authorized for both subscriptions so that # exclusion in search results is attributable to the subscription # filter, not user-scoping. oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE) sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE) sa_headers = {"Authorization": f"Bearer {oc_token}", "Content-Type": "application/json"} _create_test_auth_policy(f"{sub_a}-auth", MODEL_REF, users=[sa_user]) _create_test_subscription(sub_a, MODEL_REF, users=[sa_user]) _wait_for_maas_subscription_phase(sub_a, namespace=ns) _create_test_auth_policy(f"{sub_b}-auth", MODEL_REF, users=[sa_user]) _create_test_subscription(sub_b, MODEL_REF, users=[sa_user]) _wait_for_maas_subscription_phase(sub_b, namespace=ns) # Create 2 keys bound to sub_a for i in range(2): r = requests.post( api_keys_base_url, headers=sa_headers, json={"name": f"e2e-filter-a-{i}", "subscription": sub_a}, timeout=TIMEOUT, verify=TLS_VERIFY, ) > assert r.status_code in (200, 201), f"Failed to create key for {sub_a}: {r.text}" E AssertionError: Failed to create key for e2e-filter-sub-a-ccf152d5: E assert 500 in (200, 201) E + where 500 = <Response [500]>.status_code test/e2e/tests/test_api_keys.py:1516: AssertionErrorself = <test_api_keys.TestAPIKeySubscriptionFilter object at 0x7f4e8ebdec70> api_keys_base_url = 'https://maas.apps.54a17485-d670-447e-b26c-658967c15186.prod.konfluxeaas.com/maas-api/v1/api-keys' headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjNERk5GWi1KWm51VUMwWEdDY1VfX1dLSzZxZzg0RHU3dHkyME9XdXEzT0kifQ.e...4ouZhzrjcCJLbCZcrmachzeOzpakuAPYkPAcKdBJnxC6klbvoVtQRqFvvDqULkLzcxE1uoty8DQEPq98w', 'Content-Type': 'application/json'} def test_search_without_subscription_returns_all(self, api_keys_base_url: str, headers: dict): """Search without subscription filter returns keys across all subscriptions.""" key_ids = [] try: # Create keys with explicit subscription binding for i in range(2): r = requests.post( api_keys_base_url, headers=headers, json={"name": f"e2e-nofilter-{i}", "subscription": SIMULATOR_SUBSCRIPTION}, timeout=TIMEOUT, verify=TLS_VERIFY, ) > assert r.status_code in (200, 201), f"Failed to create key: {r.text}" E AssertionError: Failed to create key: E assert 500 in (200, 201) E + where 500 = <Response [500]>.status_code test/e2e/tests/test_api_keys.py:1583: AssertionError@pytest.fixture(scope="module") def api_key(): """Create an API key for tests.""" > key_id, key = _create_ns_api_key("e2e-ns-scoping-key") test/e2e/tests/test_namespace_scoping.py:185: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ name = 'e2e-ns-scoping-key' def _create_ns_api_key(name: str = None) -> tuple[str, str]: """Create an API key and return (key_id, plaintext_key). Retries on empty 403 from gateway propagation delay (Envoy may not have loaded the AuthPolicy yet). """ token = _get_token() url = f"{_maas_api_url()}/v1/api-keys" key_name = name or f"e2e-ns-test-{uuid.uuid4().hex[:8]}" retries = 6 delay = 5 for attempt in range(1, retries + 1): r = requests.post( url, headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, json={"name": key_name}, timeout=TIMEOUT, verify=TLS_VERIFY, ) if r.status_code == 403 and not r.text.strip(): if attempt < retries: log.info("Gateway returned empty 403 (attempt %d/%d), retrying in %ds...", attempt, retries, delay) time.sleep(delay) continue break if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_namespace_scoping.py:91: RuntimeError@pytest.fixture(scope="module") def api_key(): """Create an API key for tests.""" > key_id, key = _create_ns_api_key("e2e-ns-scoping-key") test/e2e/tests/test_namespace_scoping.py:185: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ name = 'e2e-ns-scoping-key' def _create_ns_api_key(name: str = None) -> tuple[str, str]: """Create an API key and return (key_id, plaintext_key). Retries on empty 403 from gateway propagation delay (Envoy may not have loaded the AuthPolicy yet). """ token = _get_token() url = f"{_maas_api_url()}/v1/api-keys" key_name = name or f"e2e-ns-test-{uuid.uuid4().hex[:8]}" retries = 6 delay = 5 for attempt in range(1, retries + 1): r = requests.post( url, headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"}, json={"name": key_name}, timeout=TIMEOUT, verify=TLS_VERIFY, ) if r.status_code == 403 and not r.text.strip(): if attempt < retries: log.info("Gateway returned empty 403 (attempt %d/%d), retrying in %ds...", attempt, retries, delay) time.sleep(delay) continue break if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_namespace_scoping.py:91: RuntimeErrorself = <test_negative_security.TestHeaderSpoofing object at 0x7f4e8ec9f3a0> def test_injected_identity_headers_ignored(self): """Client injects X-MaaS-Username/Group/Key-Id — platform ignores them. Validates that Authorino strips attacker-controlled identity headers. The request should succeed (200) using the real key-derived identity, proving the spoofed headers had no effect on authorization. """ > api_key = _create_api_key(_get_cluster_token(), subscription=SIMULATOR_SUBSCRIPTION) test/e2e/tests/test_negative_security.py:83: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjNERk5GWi1KWm51VUMwWEdDY1VfX1dLSzZxZzg0RHU3dHkyME9XdXEzT0kifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...x7mMP_CuQnO3auYIAL7Ko4j2jbypFV5VHqWZ54ouZhzrjcCJLbCZcrmachzeOzpakuAPYkPAcKdBJnxC6klbvoVtQRqFvvDqULkLzcxE1uoty8DQEPq98w' name = None, subscription = 'simulator-subscription' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:246: RuntimeError