path: root/ironic/api/controllers/v1/utils.py
author: Julia Kreger <juliaashleykreger@gmail.com> 2019-11-01 13:29:36 -0700
committer: Julia Kreger <juliaashleykreger@gmail.com> 2020-02-20 14:33:32 -0800
commit: bb3b2349f9c044a6b51e7b425c2290c887bb4cb2 (patch)
tree: cc34fb8cb75e608ac656ee709b7d1363dfc6c0ca /ironic/api/controllers/v1/utils.py
parent: d86b0f61d7b18a57e6eee6995000b59280b2fbb9 (diff)
Pre-shared agent token

In order to improve security of the lookup/heartbeat endpoints, we need to generate and provide temporary tokens to the initial callers, if supported, to facilitate the verification of commands.

This is the first patch in an entire series which ultimately enables the endpoint communication to be better secured.

The idea behind this started in private story 2006634 which is locked as a security related filing covering multiple aspects of ironic/ironic-python-agent interaction centered around misuse and generally exposed endpoints. That story will remain marked as a private bug because it has several different items covered, some of which did not prove to be actually exploitable, but spawned stories 2006777, 2006773, 2007025, and is ultimately similar to Story 1526748.

Operationally this is a minimally invasive security enhancement to lay the foundation to harden interactions with the agent. This will take place over a series of patches to both Ironic and the Ironic-Python-Agent.

Also see "Security of /heartbeat and /lookup endpoints" in http://lists.openstack.org/pipermail/openstack-discuss/2019-November/010789.html

Story: 2007025
Task: 37818
Change-Id: I0118007cac3d6548e9d41c5e615a819150b6ef1a

Diffstat (limited to 'ironic/api/controllers/v1/utils.py')
-rw-r--r-- ironic/api/controllers/v1/utils.py | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/ironic/api/controllers/v1/utils.py b/ironic/api/controllers/v1/utils.py
index 28b6c9174..7a77378e7 100644
--- a/ironic/api/controllers/v1/utils.py
+++ b/ironic/api/controllers/v1/utils.py
@@ -1316,3 +1316,8 @@ def allow_allocation_owner():
Version 1.60 of the API added the owner field to the allocation object.
"""
return api.request.version.minor >= versions.MINOR_60_ALLOCATION_OWNER
+
+
+def allow_agent_token():
+ """Check if agent token is available."""
+ return api.request.version.minor >= versions.MINOR_62_AGENT_TOKEN
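
Review bot: the docstring on the added allow_agent_token() says only "Check if agent token is available." and drops the version sentence that the allow_allocation_owner() docstring directly above it carries ("Version 1.60 of the API added the owner field to the allocation object."). Add the matching sentence naming the API microversion behind versions.MINOR_62_AGENT_TOKEN, so anyone reading the controller code can see from which version the token is exposed to callers. The constant is not defined anywhere in this file's diff, so confirm it is added to the versions module in the same change; without it the helper fails with AttributeError the first time it is called.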