authorZuul <zuul@review.opendev.org>2021-02-23 15:11:24 +0000
committerGerrit Code Review <review@openstack.org>2021-02-23 15:11:24 +0000
commit5a66dafbf17e8b19e827454080705608b996e9c3 (patch)
tree1156479922578fb2c72142096470eb6121814c60
parent34d9805b9f141e22604434f1f85933fd40454679 (diff)
parent69b28ca99cd031c87936a414691f34eabbc74f3d (diff)
Merge "Implement system scoped RBAC for utility APIs"
-rw-r--r--ironic/common/policy.py42
-rw-r--r--ironic/tests/unit/api/controllers/v1/test_ramdisk.py29
2 files changed, 63 insertions, 8 deletions
diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index 8c8631bda..465e3b4bc 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -95,6 +95,8 @@ default_policies = [
'role:admin or role:administrator',
description='Legacy rule for cloud admin access'),
# is_public_api is set in the environment from AuthPublicRoutes
+ # TODO(TheJulia): Once legacy policy rules are removed, is_public_api
+ # can be removed from the code base.
policy.RuleDefault('public_api',
'is_public_api:True',
description='Internal flag for public API routes'),
@@ -1023,17 +1025,41 @@ vendor_passthru_policies = [
),
]
+
+deprecated_ipa_heartbeat = policy.DeprecatedRule(
+ name='baremetal:node:ipa_heartbeat',
+ check_str='rule:public_api'
+)
+deprecated_ipa_lookup = policy.DeprecatedRule(
+ name='baremetal:driver:ipa_lookup',
+ check_str='rule:public_api'
+)
+deprecated_utility_reason = """
+The baremetal utility API is now aware of system scope and default
+roles.
+"""
+
+# NOTE(TheJulia): Empty check strings basically mean nothing to apply,
+# and the request is permitted.
utility_policies = [
policy.DocumentedRuleDefault(
- 'baremetal:node:ipa_heartbeat',
- 'rule:public_api',
- 'Send heartbeats from IPA ramdisk',
- [{'path': '/heartbeat/{node_ident}', 'method': 'POST'}]),
+ name='baremetal:node:ipa_heartbeat',
+ check_str='',
+ description='Receive heartbeats from IPA ramdisk',
+ operations=[{'path': '/heartbeat/{node_ident}', 'method': 'POST'}],
+ deprecated_rule=deprecated_ipa_heartbeat,
+ deprecated_reason=deprecated_utility_reason,
+ deprecated_since=versionutils.deprecated.WALLABY
+ ),
policy.DocumentedRuleDefault(
- 'baremetal:driver:ipa_lookup',
- 'rule:public_api',
- 'Access IPA ramdisk functions',
- [{'path': '/lookup', 'method': 'GET'}]),
+ name='baremetal:driver:ipa_lookup',
+ check_str='',
+ description='Access IPA ramdisk functions',
+ operations=[{'path': '/lookup', 'method': 'GET'}],
+ deprecated_rule=deprecated_ipa_lookup,
+ deprecated_reason=deprecated_utility_reason,
+ deprecated_since=versionutils.deprecated.WALLABY
+ ),
]
volume_policies = [
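Review bot: The NOTE above `utility_policies` should state the consequence of the empty `check_str` explicitly, since the two rules at `check_str=''` are now the only policy gate for `/heartbeat/{node_ident}` and `/lookup` and they permit every caller, authenticated or not, independent of `enforce_scope` and `enforce_new_defaults`. The deprecated fallbacks still point at `rule:public_api` (`is_public_api:True`), so the OR'd legacy check does not narrow this either. I would extend the comment with something like `# These rules intentionally admit unauthenticated callers (the IPA ramdisk); any limit on what a caller may learn or change must be enforced in the API handlers, not by policy.` The endpoint-level safeguards themselves are outside this diff, so that sentence should be confirmed against the ramdisk controller before landing. The leading and trailing newlines in `deprecated_utility_reason` are harmless but will show up verbatim in generated policy docs; `textwrap.dedent`-free inline text would be tidier.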
diff --git a/ironic/tests/unit/api/controllers/v1/test_ramdisk.py b/ironic/tests/unit/api/controllers/v1/test_ramdisk.py
index 063965754..51005b772 100644
--- a/ironic/tests/unit/api/controllers/v1/test_ramdisk.py
+++ b/ironic/tests/unit/api/controllers/v1/test_ramdisk.py
@@ -19,6 +19,7 @@ from http import client as http_client
from unittest import mock
import fixtures
+from keystonemiddleware import auth_token
from oslo_config import cfg
from oslo_utils import uuidutils
@@ -338,3 +339,31 @@ class TestHeartbeat(test_api_base.BaseApiTest):
headers={api_base.Version.string: '1.67'},
expect_errors=True)
self.assertEqual(http_client.BAD_REQUEST, response.status_int)
+
+
+@mock.patch.object(auth_token.AuthProtocol, 'process_request',
+ lambda *_: None)
+class TestLookupScopedRBAC(TestLookup):
+
+ """Test class to execute the Lookup tests with RBAC enforcement."""
+ def setUp(self):
+ super(TestLookupScopedRBAC, self).setUp()
+
+ cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
+ cfg.CONF.set_override('enforce_new_defaults', True,
+ group='oslo_policy')
+ cfg.CONF.set_override('auth_strategy', 'keystone')
+
+
+@mock.patch.object(auth_token.AuthProtocol, 'process_request',
+ lambda *_: None)
+class TestHeartbeatScopedRBAC(TestHeartbeat):
+
+ """Test class to execute the Heartbeat tests with RBAC enforcement."""
+ def setUp(self):
+ super(TestHeartbeatScopedRBAC, self).setUp()
+
+ cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
+ cfg.CONF.set_override('enforce_new_defaults', True,
+ group='oslo_policy')
+ cfg.CONF.set_override('auth_strategy', 'keystone')
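Review bot: `TestLookupScopedRBAC.setUp` and `TestHeartbeatScopedRBAC.setUp` are identical apart from the class name, and the `process_request` patch decorator is repeated as well; a small mixin would keep the RBAC-enabling configuration in one place so a third utility controller test does not copy it again. While there, the blank line between each `class` header and its docstring is unconventional, and the zero-argument `super().setUp()` form is sufficient if the surrounding file is already Python 3 only (the rest of the module is outside this hunk, so please check its existing style). Suggested shape, with the decorator left on the concrete classes so the patch scope is unchanged:
```python
class _ScopedRBACMixin:
    """Turn on scope and new-default enforcement for the inheriting tests."""

    def setUp(self):
        super().setUp()
        cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
        cfg.CONF.set_override('enforce_new_defaults', True,
                              group='oslo_policy')
        cfg.CONF.set_override('auth_strategy', 'keystone')


@mock.patch.object(auth_token.AuthProtocol, 'process_request',
                   lambda *_: None)
class TestLookupScopedRBAC(_ScopedRBACMixin, TestLookup):
    """Test class to execute the Lookup tests with RBAC enforcement."""


# … unchanged: TestHeartbeatScopedRBAC declared the same way over TestHeartbeat …
```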