self = <test_api_keys.TestAPIKeyModelInference object at 0x7f3ddfb173d0> model_completions_url = 'https://maas.apps.70c1295a-0a72-4501-89fb-a280a599275a.prod.konfluxeaas.com/llm/facebook-opt-125m-simulated/v1/completions' api_key_headers = {'Authorization': 'Bearer sk-oai-1TiIDlmZtkl9J9Va6_af3OD4F1rjR4ekW7t6Bx4AgeNURglimDoCrQfZzpLjg', 'Content-Type': 'application/json'} inference_model_name = 'facebook/opt-125m' def test_api_key_model_access_success( self, model_completions_url: str, api_key_headers: dict, inference_model_name: str, ): """Test 11: Valid API key can access model endpoint - verify 200 response. Subscription is bound on the key at mint (see conftest ``api_key`` fixture). """ r = requests.post( model_completions_url, headers=api_key_headers, json={ "model": inference_model_name, "prompt": "Hello world", "max_tokens": 10, }, timeout=60, verify=TLS_VERIFY, ) > assert r.status_code == 200, f"Expected 200, got {r.status_code}: {r.text}" E AssertionError: Expected 200, got 403: E assert 403 == 200 E + where 403 = <Response [403]>.status_code test/e2e/tests/test_api_keys.py:541: AssertionErrorself = <test_api_keys.TestAPIKeyModelInference object at 0x7f3ddfb17d90> model_completions_url = 'https://maas.apps.70c1295a-0a72-4501-89fb-a280a599275a.prod.konfluxeaas.com/llm/facebook-opt-125m-simulated/v1/completions' inference_model_name = 'facebook/opt-125m' def test_no_auth_header_rejected( self, model_completions_url: str, inference_model_name: str, ): """Test 13: Missing Authorization header should be rejected with 401.""" no_auth_headers = {"Content-Type": "application/json"} r = requests.post( model_completions_url, headers=no_auth_headers, json={ "model": inference_model_name, "prompt": "Test", "max_tokens": 5, }, timeout=30, verify=TLS_VERIFY, ) > assert r.status_code == 401, f"Expected 401 for missing auth, got {r.status_code}: {r.text}" E AssertionError: Expected 401 for missing auth, got 403: E assert 403 == 401 E + where 403 = <Response [403]>.status_code test/e2e/tests/test_api_keys.py:597: AssertionError/workspace/source/test/e2e/tests/test_api_keys.py:693: Chat completions returned 403self = <test_api_keys.TestAPIKeyRevocationE2E object at 0x7f3ddfac8a30> api_keys_base_url = 'https://maas.apps.70c1295a-0a72-4501-89fb-a280a599275a.prod.konfluxeaas.com/maas-api/v1/api-keys' model_completions_url = 'https://maas.apps.70c1295a-0a72-4501-89fb-a280a599275a.prod.konfluxeaas.com/llm/facebook-opt-125m-simulated/v1/completions' headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyZ1JnRjdOQlh6cXF1RHhETVAwS1ZVVHIyVUQzbTN4X0Rlc281M1lLcmcifQ.e...3dYR3GKGY1_yPh9OAqlkauC-h2Vio8ghDBkieOh5yjJkYychEvO-mWriAFwTV5wzAzJVOtNtGM6aQ2a4g', 'Content-Type': 'application/json'} inference_model_name = 'facebook/opt-125m' def test_revoke_then_create_new_key_works( self, api_keys_base_url: str, model_completions_url: str, headers: dict, inference_model_name: str, ): """After revoking a key, a newly created key should still work for inference.""" designated = SIMULATOR_SUBSCRIPTION # Create key A r_a = requests.post( api_keys_base_url, headers=headers, json={"name": "test-revoke-remint-a", "subscription": designated}, timeout=30, verify=TLS_VERIFY, ) assert r_a.status_code in (200, 201), f"Failed to create key A: {r_a.text}" key_a = r_a.json()["key"] key_a_id = r_a.json()["id"] # Revoke key A r_revoke = requests.delete(f"{api_keys_base_url}/{key_a_id}", headers=headers, timeout=30, verify=TLS_VERIFY) assert r_revoke.status_code == 200 # Create key B (new key after revocation) r_b = requests.post( api_keys_base_url, headers=headers, json={"name": "test-revoke-remint-b", "subscription": designated}, timeout=30, verify=TLS_VERIFY, ) assert r_b.status_code in (200, 201), f"Failed to create key B: {r_b.text}" key_b = r_b.json()["key"] # Poll until revoked key A is rejected (revocation may take time to propagate) max_wait = 30 poll_interval = 0.5 deadline = time.monotonic() + max_wait while True: remaining = deadline - time.monotonic() if remaining <= 0: break r_a_inf = requests.post( model_completions_url, headers={"Authorization": f"Bearer {key_a}", "Content-Type": "application/json"}, json={"model": inference_model_name, "prompt": "Test", "max_tokens": 5}, timeout=min(remaining, 10), verify=TLS_VERIFY, ) if r_a_inf.status_code == 403: break time.sleep(poll_interval) assert r_a_inf.status_code == 403, ( f"Revoked key A should be rejected within {max_wait}s, got {r_a_inf.status_code}" ) # Key B should work (200) r_b_inf = requests.post( model_completions_url, headers={"Authorization": f"Bearer {key_b}", "Content-Type": "application/json"}, json={"model": inference_model_name, "prompt": "Test", "max_tokens": 5}, timeout=60, verify=TLS_VERIFY, ) > assert r_b_inf.status_code == 200, f"New key B should work, got {r_b_inf.status_code}: {r_b_inf.text}" E AssertionError: New key B should work, got 403: E assert 403 == 200 E + where 403 = <Response [403]>.status_code test/e2e/tests/test_api_keys.py:793: AssertionErrorself = <test_api_keys.TestAPIKeyRevocationE2E object at 0x7f3ddfae40a0> api_keys_base_url = 'https://maas.apps.70c1295a-0a72-4501-89fb-a280a599275a.prod.konfluxeaas.com/maas-api/v1/api-keys' model_completions_url = 'https://maas.apps.70c1295a-0a72-4501-89fb-a280a599275a.prod.konfluxeaas.com/llm/facebook-opt-125m-simulated/v1/completions' headers = {'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImsyZ1JnRjdOQlh6cXF1RHhETVAwS1ZVVHIyVUQzbTN4X0Rlc281M1lLcmcifQ.e...3dYR3GKGY1_yPh9OAqlkauC-h2Vio8ghDBkieOh5yjJkYychEvO-mWriAFwTV5wzAzJVOtNtGM6aQ2a4g', 'Content-Type': 'application/json'} inference_model_name = 'facebook/opt-125m' def test_revoke_keys_rejected_at_gateway( self, api_keys_base_url: str, model_completions_url: str, headers: dict, inference_model_name: str, ): """After individually revoking keys, they should be rejected at the gateway.""" designated = SIMULATOR_SUBSCRIPTION # Create 3 keys, capturing plaintext and IDs keys = [] for i in range(3): r = requests.post( api_keys_base_url, headers=headers, json={"name": f"test-revoke-gw-{i}", "subscription": designated}, timeout=30, verify=TLS_VERIFY, ) assert r.status_code in (200, 201), f"Failed to create key {i}: {r.text}" keys.append({"id": r.json()["id"], "key": r.json()["key"]}) # Smoke-test: verify at least one key works before revocation r_smoke = requests.post( model_completions_url, headers={"Authorization": f"Bearer {keys[0]['key']}", "Content-Type": "application/json"}, json={"model": inference_model_name, "prompt": "Test", "max_tokens": 5}, timeout=60, verify=TLS_VERIFY, ) > assert r_smoke.status_code == 200, ( f"Key should work before revoke, got {r_smoke.status_code}: {r_smoke.text}" ) E AssertionError: Key should work before revoke, got 403: E assert 403 == 200 E + where 403 = <Response [403]>.status_code test/e2e/tests/test_api_keys.py:851: AssertionErrorself = <test_negative_security.TestHeaderSpoofing object at 0x7f3ddffe9700> def test_injected_identity_headers_ignored(self): """Client injects X-MaaS-Username/Group/Key-Id — platform ignores them. Validates that Authorino strips attacker-controlled identity headers. The request should succeed (200) using the real key-derived identity, proving the spoofed headers had no effect on authorization. """ api_key = _create_api_key(_get_cluster_token(), subscription=SIMULATOR_SUBSCRIPTION) spoofed_headers = { "X-MaaS-Username": "cluster-admin", "X-MaaS-Group": "system:cluster-admins,system:masters", "X-MaaS-Key-Id": "fake-key-id-00000", } r = _inference(api_key, extra_headers=spoofed_headers) # Request succeeds with the REAL identity (API key owner), not the spoofed one. # If spoofed headers were honored, the test user would gain cluster-admin access. log.info("Spoofed identity headers -> %s", r.status_code) > assert r.status_code == 200, ( f"Expected 200 (spoofed headers stripped, real identity used), " f"got {r.status_code}: {r.text[:500]}" ) E AssertionError: Expected 200 (spoofed headers stripped, real identity used), got 403: E assert 403 == 200 E + where 403 = <Response [403]>.status_code test/e2e/tests/test_negative_security.py:95: AssertionError