self = <test_api_keys.TestAPIKeySubscriptionFilter object at 0x7f009d5fc670> api_keys_base_url = 'https://maas.apps.08258af1-1d51-4b71-b0a5-3050798004eb.prod.konfluxeaas.com/maas-api/v1/api-keys' headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkFxdGlBMlJMeWRsUkFYUlR2cmRQODZKd2NlbjRuSzNKcTlSclg0UkZJcDQifQ.e...PMxlBz8e6ENYZbLgpVj9zbcnPUatiJ6wdhxG013vhyWiPfyg9iy_ELqAuyRAoYOjc1zmedZm8924QEGNg', 'Content-Type': 'application/json'} def test_search_filters_by_subscription(self, api_keys_base_url: str, headers: dict): """Search with subscription filter returns only keys bound to that subscription.""" sub_a = f"e2e-filter-sub-a-{os.urandom(4).hex()}" sub_b = f"e2e-filter-sub-b-{os.urandom(4).hex()}" ns = _ns() sa_name = f"e2e-filter-sa-{os.urandom(4).hex()}" key_ids_a = [] key_ids_b = [] try: # Create one SA authorized for both subscriptions so that # exclusion in search results is attributable to the subscription # filter, not user-scoping. oc_token = _create_sa_token(sa_name, namespace=MODEL_NAMESPACE) sa_user = _sa_to_user(sa_name, namespace=MODEL_NAMESPACE) sa_headers = {"Authorization": f"Bearer {oc_token}", "Content-Type": "application/json"} _create_test_auth_policy(f"{sub_a}-auth", MODEL_REF, users=[sa_user]) _create_test_subscription(sub_a, MODEL_REF, users=[sa_user]) _wait_for_maas_subscription_phase(sub_a, namespace=ns) _create_test_auth_policy(f"{sub_b}-auth", MODEL_REF, users=[sa_user]) _create_test_subscription(sub_b, MODEL_REF, users=[sa_user]) _wait_for_maas_subscription_phase(sub_b, namespace=ns) # Create 2 keys bound to sub_a for i in range(2): r = requests.post( api_keys_base_url, headers=sa_headers, json={"name": f"e2e-filter-a-{i}", "subscription": sub_a}, timeout=TIMEOUT, verify=TLS_VERIFY, ) > assert r.status_code in (200, 201), f"Failed to create key for {sub_a}: {r.text}" E AssertionError: Failed to create key for e2e-filter-sub-a-21b3759a: E assert 500 in (200, 201) E + where 500 = <Response [500]>.status_code test/e2e/tests/test_api_keys.py:1510: AssertionErrorself = <test_subscription.TestMultipleAuthPoliciesPerModel object at 0x7f009d5fc3d0> def test_two_auth_policies_or_logic(self): """Two auth policies for the premium model with OR logic: user matching either gets access.""" ns = _ns() try: # Create a 2nd auth policy that allows system:authenticated (user's actual group) _apply_cr({ "apiVersion": "maas.opendatahub.io/v1alpha1", "kind": "MaaSAuthPolicy", "metadata": {"name": "e2e-premium-sa-auth", "namespace": ns}, "spec": { "modelRefs": [{"name": PREMIUM_MODEL_REF, "namespace": MODEL_NAMESPACE}], "subjects": {"groups": [{"name": "system:authenticated"}]}, }, }) # Create a subscription for system:authenticated on premium model _apply_cr({ "apiVersion": "maas.opendatahub.io/v1alpha1", "kind": "MaaSSubscription", "metadata": {"name": "e2e-premium-sa-sub", "namespace": ns}, "spec": { "owner": {"groups": [{"name": "system:authenticated"}]}, "modelRefs": [{"name": PREMIUM_MODEL_REF, "namespace": MODEL_NAMESPACE, "tokenRateLimits": [{"limit": 100, "window": "1m"}]}], }, }) _wait_reconcile() # Key must be minted for the premium subscription > api_key = _create_api_key( _get_cluster_token(), name=f"e2e-premium-sa-{uuid.uuid4().hex[:8]}", subscription="e2e-premium-sa-sub", ) test/e2e/tests/test_subscription.py:720: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IkFxdGlBMlJMeWRsUkFYUlR2cmRQODZKd2NlbjRuSzNKcTlSclg0UkZJcDQifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...eouWt2L7aoQATtZh9z8kfqLUHyIE4uJzadJqdPMxlBz8e6ENYZbLgpVj9zbcnPUatiJ6wdhxG013vhyWiPfyg9iy_ELqAuyRAoYOjc1zmedZm8924QEGNg' name = 'e2e-premium-sa-7e27ca83', subscription = 'e2e-premium-sa-sub' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:243: RuntimeErrorself = <test_subscription.TestE2ESubscriptionFlow object at 0x7f009d683490> def test_e2e_with_both_access_and_subscription_gets_200(self): """ Full E2E test: Create MaaSModelRef, MaaSAuthPolicy, and MaaSSubscription from scratch. API key with both access and subscription should get 200 OK. This is the comprehensive test that validates the complete E2E flow including MaaSModelRef creation and reconciliation. Other tests use existing models for speed. """ ns = _ns() model_ref = "e2e-test-model-success" auth_policy_name = "e2e-test-auth-success" subscription_name = "e2e-test-subscription-success" sa_name = "e2e-sa-success" try: # Create service account and get OC token for maas-api oc_token = _create_sa_token(sa_name, namespace=ns) sa_user = _sa_to_user(sa_name, namespace=ns) # Create model and governance resources together so the model # can reach Ready (requires MaaSSubscription + MaaSAuthPolicy). _create_test_maas_model(model_ref) _create_test_auth_policy(auth_policy_name, model_ref, users=[sa_user]) _create_test_subscription(subscription_name, model_ref, users=[sa_user]) endpoint = _wait_for_maas_model_ready(model_ref, timeout=120) # Extract path from endpoint (e.g., https://maas.../llm/facebook-opt-125m-simulated -> /llm/facebook-opt-125m-simulated) model_path = urlparse(endpoint).path # API key bound to this subscription at mint (inference does not send x-maas-subscription) > api_key = _create_api_key( oc_token, name=f"{sa_name}-key", subscription=subscription_name ) test/e2e/tests/test_subscription.py:1320: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IkFxdGlBMlJMeWRsUkFYUlR2cmRQODZKd2NlbjRuSzNKcTlSclg0UkZJcDQifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...6_BSkHct53OLf_eElMHUEG7NVo_PprxEUPskGwPShS15Mim50btaJNLM02sVKz65yZtTLQw9RpCOY3Qu6lHY08bPKi0NXZAm-pxpZFXCWLFOpIbQECN8gw' name = 'e2e-sa-success-key', subscription = 'e2e-test-subscription-success' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:243: RuntimeErrorself = <test_subscription.TestE2ESubscriptionFlow object at 0x7f009d683190> def test_e2e_with_access_but_no_subscription_gets_403(self): """ Test: User with access (MaaSAuthPolicy) but not in any subscription gets 403. Uses existing model (facebook-opt-125m-simulated) for faster execution. Note: We temporarily remove simulator-subscription to ensure the test user has auth but no matching subscriptions. """ ns = _ns() auth_policy_name = "e2e-test-auth-no-sub" sa_name = "e2e-sa-no-sub" # Snapshot existing subscription to restore later original_sim = _snapshot_cr("maassubscription", SIMULATOR_SUBSCRIPTION) try: # Create service account and get OC token for maas-api oc_token = _create_sa_token(sa_name, namespace=ns) sa_user = _sa_to_user(sa_name, namespace=ns) # Create auth policy for this specific user _create_test_auth_policy(auth_policy_name, MODEL_REF, users=[sa_user]) # Bind simulator subscription on the key while the CR still exists, then remove it > api_key = _create_api_key( oc_token, name=f"{sa_name}-key", subscription=SIMULATOR_SUBSCRIPTION, ) test/e2e/tests/test_subscription.py:1360: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IkFxdGlBMlJMeWRsUkFYUlR2cmRQODZKd2NlbjRuSzNKcTlSclg0UkZJcDQifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...CFpFOifpt2DZhCCgXk8Okfx8VZyibAbTEdUW5F-TAHXFDCDJ5avmoB8E6WOwq9RqUrMl9-v65kI2Jxr3U4wuJEKN841ZKehoH2NPSsOS_Q0cSeAdvub-8A' name = 'e2e-sa-no-sub-key', subscription = 'simulator-subscription' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:243: RuntimeErrorself = <test_subscription.TestE2ESubscriptionFlow object at 0x7f009d683760> def test_e2e_with_subscription_but_no_access_gets_403(self): """ Test: User with subscription but not in auth policy gets 403 Forbidden. Uses existing model (facebook-opt-125m-simulated) for faster execution. Note: Temporarily removes simulator-access to ensure the test user truly has no auth (otherwise they'd match via system:authenticated group). """ ns = _ns() auth_policy_name = "e2e-test-auth-no-access" subscription_name = "e2e-test-subscription-no-access" sa_with_auth = "e2e-sa-with-auth" sa_with_sub = "e2e-sa-with-sub" # Snapshot existing auth policy to restore later original_access = _snapshot_cr("maasauthpolicy", SIMULATOR_ACCESS_POLICY) try: # Create two service accounts: # - sa_with_auth: in auth policy (so the policy exists) # - sa_with_sub: in subscription but NOT in auth policy _ = _create_sa_token(sa_with_auth, namespace=ns) # SA creation only - token unused oc_token_with_sub = _create_sa_token(sa_with_sub, namespace=MODEL_NAMESPACE) # Different namespace sa_with_auth_user = _sa_to_user(sa_with_auth, namespace=ns) sa_with_sub_user = _sa_to_user(sa_with_sub, namespace=MODEL_NAMESPACE) # Delete simulator-access so system:authenticated doesn't grant auth _delete_cr("maasauthpolicy", SIMULATOR_ACCESS_POLICY) # Create test-specific auth/subscription _create_test_auth_policy(auth_policy_name, MODEL_REF, users=[sa_with_auth_user]) _create_test_subscription(subscription_name, MODEL_REF, users=[sa_with_sub_user]) _wait_reconcile() > api_key_with_sub = _create_api_key( oc_token_with_sub, name=f"{sa_with_sub}-key", subscription=subscription_name, ) test/e2e/tests/test_subscription.py:1417: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ oc_token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IkFxdGlBMlJMeWRsUkFYUlR2cmRQODZKd2NlbjRuSzNKcTlSclg0UkZJcDQifQ.eyJhdWQiOlsiaHR0cHM6Ly9wcm...TelwCVyZJUAH2p6XsYaacoJDjkxKuv7QssUH4bceZpV-LJPxTKZrn0UhNC-CNHAiP6PLpEHCs1meQ9KvPr2KbWyZMjSGcLp4ndF4LbCbwg9vpXONCH0LUA' name = 'e2e-sa-with-sub-key', subscription = 'e2e-test-subscription-no-access' def _create_api_key(oc_token: str, name: str = None, subscription: str = None) -> str: """Create an API key using the MaaS API and return the plaintext key. Args: oc_token: OC token for authentication with maas-api name: Optional name for the key (auto-generated if not provided) subscription: Optional MaaSSubscription name to bind (highest-priority auto-bind if omitted) Returns: The plaintext API key (sk-oai-xxx format) """ r = _create_api_key_raw(oc_token, name, subscription) if r.status_code not in (200, 201): > raise RuntimeError(f"Failed to create API key: {r.status_code} {r.text}") E RuntimeError: Failed to create API key: 500 test/e2e/tests/test_helper.py:243: RuntimeError