addressed comments

jrobertboos · jrobertboos · commit 4a9a186ee30d · 2026-03-30T08:07:48.000-04:00
diff --git a/tests/e2e-prow/rhoai/configs/lightspeed-stack-tls.yaml b/tests/e2e-prow/rhoai/configs/lightspeed-stack-tls.yaml
@@ -0,0 +1,22 @@
+name: Lightspeed Core Service (LCS)
+service:
+  host: 0.0.0.0
+  port: 8080
+  auth_enabled: false
+  workers: 1
+  color_log: true
+  access_log: true
+llama_stack:
+  use_as_library_client: false
+  url: http://${env.E2E_LLAMA_HOSTNAME}:8321
+  api_key: xyzzy
+user_data_collection:
+  feedback_enabled: true
+  feedback_storage: "/tmp/data/feedback"
+  transcripts_enabled: true
+  transcripts_storage: "/tmp/data/transcripts"
+authentication:
+  module: "noop"
+inference:
+  default_provider: tls-openai
+  default_model: mock-tls-model
diff --git a/tests/e2e/features/environment.py b/tests/e2e/features/environment.py
@@ -552,14 +552,14 @@ def after_feature(context: Context, feature: Feature) -> None:
         restart_container("lightspeed-stack")
         remove_config_backup(context.default_config_backup)
 
-    # Restore Lightspeed Stack config if TLS Background step switched it
-    if getattr(context, "tls_config_active", False):
-        switch_config(context.default_config_backup)
-        remove_config_backup(context.default_config_backup)
+    # Restore Lightspeed Stack config if the generic configure_service step switched it
+    backup_path = "lightspeed-stack.yaml.backup"
+    if os.path.exists(backup_path):
+        switch_config(backup_path)
+        remove_config_backup(backup_path)
         if not context.is_library_mode:
             restart_container("llama-stack")
         restart_container("lightspeed-stack")
-        context.tls_config_active = False
 
     # Clean up any proxy servers left from the last scenario
     if hasattr(context, "tunnel_proxy") or hasattr(context, "interception_proxy"):
diff --git a/tests/e2e/features/steps/tls.py b/tests/e2e/features/steps/tls.py
@@ -12,43 +12,17 @@
 import os
 import shutil
 
-import yaml
 from behave import given  # pyright: ignore[reportAttributeAccessIssue]
 from behave.runner import Context
 
-from tests.e2e.utils.utils import (
-    create_config_backup,
-    restart_container,
-    switch_config,
+from tests.e2e.features.steps.proxy import (
+    _LLAMA_STACK_CONFIG,
+    _load_llama_config,
+    _write_config,
 )
 
-# Llama Stack config — mounted into the container from the host
-_LLAMA_STACK_CONFIG = "run.yaml"
 _LLAMA_STACK_CONFIG_BACKUP = "run.yaml.tls-backup"
 
-_LIGHTSPEED_STACK_CONFIG = "lightspeed-stack.yaml"
-
-
-def _load_llama_config() -> dict:
-    """Load the base Llama Stack run config.
-
-    Returns:
-        The parsed YAML configuration as a dictionary.
-    """
-    with open(_LLAMA_STACK_CONFIG, encoding="utf-8") as f:
-        return yaml.safe_load(f)
-
-
-def _write_config(config: dict, path: str) -> None:
-    """Write a YAML config file.
-
-    Parameters:
-        config: The configuration dictionary to write.
-        path: The file path to write to.
-    """
-    with open(path, "w", encoding="utf-8") as f:
-        yaml.dump(config, f, default_flow_style=False)
-
 
 _TLS_PROVIDER_BASE: dict = {
     "provider_id": "tls-openai",
@@ -124,28 +98,6 @@ def _prepare_tls_provider() -> tuple[dict, dict]:
 # proxy.py and shared across features by behave.
 
 
-@given("Lightspeed Stack is configured for TLS testing")
-def configure_lightspeed_for_tls(context: Context) -> None:
-    """Switch lightspeed-stack.yaml to the TLS test configuration.
-
-    Backs up the current config and switches to the TLS variant that sets
-    default_provider to tls-openai and default_model to mock-tls-model.
-    The backup is restored in after_scenario via the shared restore step.
-
-    Parameters:
-        context: Behave test context.
-    """
-    mode_dir = "library-mode" if context.is_library_mode else "server-mode"
-    tls_config = f"tests/e2e/configuration/{mode_dir}/lightspeed-stack-tls.yaml"
-
-    if not hasattr(context, "default_config_backup"):
-        context.default_config_backup = create_config_backup(_LIGHTSPEED_STACK_CONFIG)
-
-    switch_config(tls_config)
-    restart_container("lightspeed-stack")
-    context.tls_config_active = True
-
-
 # --- TLS Configuration Steps ---
 
 
@@ -210,6 +162,54 @@ def configure_tls_mtls(context: Context) -> None:
     _write_config(config, _LLAMA_STACK_CONFIG)
 
 
+@given('Llama Stack is configured with CA certificate path "{path}"')
+def configure_tls_verify_ca_path(context: Context, path: str) -> None:
+    """Configure run.yaml with TLS verify pointing to a specific CA cert path.
+
+    Parameters:
+        context: Behave test context.
+        path: Path to the CA certificate file.
+    """
+    config, provider = _prepare_tls_provider()
+    provider["config"]["network"]["tls"] = {"verify": path}
+    _write_config(config, _LLAMA_STACK_CONFIG)
+
+
+@given("Llama Stack is configured for mTLS without client certificate")
+def configure_mtls_no_client_cert(context: Context) -> None:
+    """Configure run.yaml for mTLS port but without providing client certificate.
+
+    This should fail because the mTLS server requires a client certificate.
+
+    Parameters:
+        context: Behave test context.
+    """
+    config, provider = _prepare_tls_provider()
+    provider["config"]["base_url"] = "https://mock-tls-inference:8444/v1"
+    provider["config"]["network"]["tls"] = {"verify": "/certs/ca.crt"}
+    _write_config(config, _LLAMA_STACK_CONFIG)
+
+
+@given("Llama Stack is configured for mTLS with wrong client certificate")
+def configure_mtls_wrong_client_cert(context: Context) -> None:
+    """Configure run.yaml for mTLS with a certificate not issued by the server's CA.
+
+    Uses the CA cert itself as the client cert, which is not a valid client
+    identity certificate, causing the mTLS handshake to fail.
+
+    Parameters:
+        context: Behave test context.
+    """
+    config, provider = _prepare_tls_provider()
+    provider["config"]["base_url"] = "https://mock-tls-inference:8444/v1"
+    provider["config"]["network"]["tls"] = {
+        "verify": "/certs/ca.crt",
+        "client_cert": "/certs/ca.crt",
+        "client_key": "/certs/client.key",
+    }
+    _write_config(config, _LLAMA_STACK_CONFIG)
+
+
 @given('Llama Stack is configured with TLS minimum version "{version}"')
 def configure_tls_min_version(context: Context, version: str) -> None:
     """Configure run.yaml with TLS minimum version.
diff --git a/tests/e2e/features/tls.feature b/tests/e2e/features/tls.feature
@@ -6,7 +6,7 @@ Feature: TLS configuration for remote inference providers
   Background:
     Given The service is started locally
       And REST API service prefix is /v1
-      And Lightspeed Stack is configured for TLS testing
+      And The service uses the lightspeed-stack-tls.yaml configuration
       And The original Llama Stack config is restored if modified
 
   Scenario: Inference succeeds with TLS verification disabled
@@ -50,6 +50,39 @@ Feature: TLS configuration for remote inference providers
     """
      Then The status code of the response is 200
 
+  Scenario: Inference fails with invalid CA certificate path
+    Given Llama Stack is configured with CA certificate path "/certs/nonexistent.crt"
+      And Llama Stack is restarted
+      And Lightspeed Stack is restarted
+     When I use "query" to ask question
+    """
+    {"query": "Say hello", "model": "mock-tls-model", "provider": "tls-openai"}
+    """
+     Then The status code of the response is 500
+      And The body of the response does not contain Hello from the TLS mock inference server
+
+  Scenario: Inference fails when mTLS is required but no client certificate is provided
+    Given Llama Stack is configured for mTLS without client certificate
+      And Llama Stack is restarted
+      And Lightspeed Stack is restarted
+     When I use "query" to ask question
+    """
+    {"query": "Say hello", "model": "mock-tls-model", "provider": "tls-openai"}
+    """
+     Then The status code of the response is 500
+      And The body of the response does not contain Hello from the TLS mock inference server
+
+  Scenario: Inference fails when mTLS is required but wrong client certificate is provided
+    Given Llama Stack is configured for mTLS with wrong client certificate
+      And Llama Stack is restarted
+      And Lightspeed Stack is restarted
+     When I use "query" to ask question
+    """
+    {"query": "Say hello", "model": "mock-tls-model", "provider": "tls-openai"}
+    """
+     Then The status code of the response is 500
+      And The body of the response does not contain Hello from the TLS mock inference server
+
   Scenario: Inference succeeds with TLS minimum version TLSv1.3
     Given Llama Stack is configured with TLS minimum version "TLSv1.3"
       And Llama Stack is restarted
diff --git a/tests/e2e/test_list.txt b/tests/e2e/test_list.txt
@@ -1,23 +1 @@
-features/faiss.feature
-features/inline_rag.feature
-features/smoketests.feature
-features/authorized_noop.feature
-features/authorized_noop_token.feature
-features/authorized_rh_identity.feature
-features/rbac.feature
-features/conversations.feature
-features/conversation_cache_v2.feature
-features/feedback.feature
-features/health.feature
-features/info.feature
-features/responses.feature
-features/responses_streaming.feature
-features/query.feature
-features/rlsapi_v1.feature
-features/rlsapi_v1_errors.feature
-features/streaming_query.feature
-features/rest_api.feature
-features/mcp.feature
-features/models.feature
-features/proxy.feature
 features/tls.feature
