Revert "Add token validation to GET command endpoints"

dtantsur · openstack-gerrit · commit 39687159085f · 2025-02-17T13:40:19.000Z
This reverts commit 6f86099. Reason for revert: the change has broken virtually everyone who has not updated Ironic before IPA. To make the matter worse, the attached release note is not descriptive and does not explain the upgrade impact. The reverted change should be reworked to allow a graceful period. Change-Id: I2a2a03dd8409af900b938494ceafd45a89e0c197
diff --git a/ironic_python_agent/api/app.py b/ironic_python_agent/api/app.py
@@ -84,14 +84,6 @@ def format_exception(value):
 
 class Application(object):
 
-    def require_agent_token(func):
-        def wrapper(self, request, *args, **kwargs):
-            token = request.args.get('agent_token', None)
-            if not self.agent.validate_agent_token(token):
-                raise http_exc.Unauthorized('Token invalid.')
-            return func(self, request, *args, **kwargs)
-        return wrapper
-
     def __init__(self, agent, conf):
         """Set up the API app.
 
@@ -207,13 +199,11 @@ def api_status(self, request):
             status = self.agent.get_status()
             return jsonify(status)
 
-    @require_agent_token
     def api_list_commands(self, request):
         with metrics_utils.get_metrics_logger(__name__).timer('list_commands'):
             results = self.agent.list_command_results()
             return jsonify({'commands': results})
 
-    @require_agent_token
     def api_get_command(self, request, cmd):
         with metrics_utils.get_metrics_logger(__name__).timer('get_command'):
             result = self.agent.get_command_result(cmd)
@@ -224,13 +214,16 @@ def api_get_command(self, request, cmd):
 
             return jsonify(result)
 
-    @require_agent_token
     def api_run_command(self, request):
         body = request.get_json(force=True)
         if ('name' not in body or 'params' not in body
                 or not isinstance(body['params'], dict)):
             raise http_exc.BadRequest('Missing or invalid name or params')
 
+        token = request.args.get('agent_token', None)
+        if not self.agent.validate_agent_token(token):
+            raise http_exc.Unauthorized(
+                'Token invalid.')
         with metrics_utils.get_metrics_logger(__name__).timer('run_command'):
             result = self.agent.execute_command(body['name'], **body['params'])
             wait = request.args.get('wait')
diff --git a/ironic_python_agent/tests/unit/test_api.py b/ironic_python_agent/tests/unit/test_api.py
@@ -274,61 +274,6 @@ def test_get_command_result(self):
         data = response.json
         self.assertEqual(serialized_cmd_result, data)
 
-    def test_list_commands_with_token(self):
-        agent_token = str('0123456789' * 10)
-        cmd_result = base.SyncCommandResult('do_things',
-                                            {'key': 'value'},
-                                            True,
-                                            {'test': 'result'})
-        self.mock_agent.list_command_results.return_value = [cmd_result]
-        self.mock_agent.validate_agent_token.return_value = True
-
-        response = self.get_json('/commands?agent_token=%s' % agent_token)
-
-        self.assertEqual(200, response.status_code)
-        self.assertEqual(1, self.mock_agent.validate_agent_token.call_count)
-        self.assertEqual(1, self.mock_agent.list_command_results.call_count)
-
-    def test_get_command_with_token(self):
-        agent_token = str('0123456789' * 10)
-        cmd_result = base.SyncCommandResult('do_things',
-                                            {'key': 'value'},
-                                            True,
-                                            {'test': 'result'})
-        self.mock_agent.get_command_result.return_value = cmd_result
-        self.mock_agent.validate_agent_token.return_value = True
-
-        response = self.get_json(
-            '/commands/abc123?agent_token=%s' % agent_token)
-
-        self.assertEqual(200, response.status_code)
-        self.assertEqual(cmd_result.serialize(), response.json)
-        self.assertEqual(1, self.mock_agent.validate_agent_token.call_count)
-        self.assertEqual(1, self.mock_agent.get_command_result.call_count)
-
-    def test_list_commands_with_token_invalid(self):
-        agent_token = str('0123456789' * 10)
-        self.mock_agent.validate_agent_token.return_value = False
-
-        response = self.get_json('/commands?agent_token=%s' % agent_token,
-                                 expect_errors=True)
-
-        self.assertEqual(401, response.status_code)
-        self.assertEqual(1, self.mock_agent.validate_agent_token.call_count)
-        self.assertEqual(0, self.mock_agent.list_command_results.call_count)
-
-    def test_get_command_with_token_invalid(self):
-        agent_token = str('0123456789' * 10)
-        self.mock_agent.validate_agent_token.return_value = False
-
-        response = self.get_json(
-            '/commands/abc123?agent_token=%s' % agent_token,
-            expect_errors=True)
-
-        self.assertEqual(401, response.status_code)
-        self.assertEqual(1, self.mock_agent.validate_agent_token.call_count)
-        self.assertEqual(0, self.mock_agent.get_command_result.call_count)
-
     def test_execute_agent_command_with_token(self):
         agent_token = str('0123456789' * 10)
         command = {
diff --git a/releasenotes/notes/prevent-restart-in-rescue-state-1c5d2ecf174ece63.yaml b/releasenotes/notes/prevent-restart-in-rescue-state-1c5d2ecf174ece63.yaml
