From 53c01e48a3b5800f6be79f0f78d00b478bc682d1 Mon Sep 17 00:00:00 2001
From: Steve Baker <sbaker@redhat.com>
Date: Wed, 17 Nov 2021 14:46:02 +1300
Subject: [PATCH] Fix redfish-virtual-media file permission

When not using swift with the redfish virtual media boot interface,
in other words local file storage, the file permissions for the
/httpboot/redfish folder was incorrect upon initially being created,
and new file ISOs were being created with permissions based upon the
conductor process umask value which is OS environment dependent.

Change-Id: I038ca335efa9b5443469ab8c8af12863deea0e38
(cherry picked from commit af6cd1093d7b4be25a8bfbbdf1fb13226f6bfa7e)
(cherry picked from commit b1c8976d4bed3ab818fa7dd5b16e24a7507333aa)
---
 ironic/conf/redfish.py                        |  8 ++++++
 ironic/drivers/modules/redfish/boot.py        |  4 ++-
 .../unit/drivers/modules/redfish/test_boot.py | 13 +++++++---
 ...media-permission-fix-1909b9cdbbbf9fd1.yaml | 25 +++++++++++++++++++
 4 files changed, 45 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml

diff --git a/ironic/conf/redfish.py b/ironic/conf/redfish.py
index b67f51315a..4ef2aa42ec 100644
--- a/ironic/conf/redfish.py
+++ b/ironic/conf/redfish.py
@@ -64,6 +64,14 @@ opts = [
                default='nofb nomodeset vga=normal',
                help=_('Additional kernel parameters for baremetal '
                       'Virtual Media boot.')),
+    cfg.IntOpt('file_permission',
+               default=0o644,
+               help=_('File permission for swift-less image hosting with the '
+                      'octal permission representation of file access '
+                      'permissions. This setting defaults to ``644``, '
+                      'or as the octal number ``0o644`` in Python. '
+                      'This setting must be set to the octal number '
+                      'representation, meaning starting with ``0o``.')),
 ]
 
 
diff --git a/ironic/drivers/modules/redfish/boot.py b/ironic/drivers/modules/redfish/boot.py
index 755f91bd67..75b04564fd 100644
--- a/ironic/drivers/modules/redfish/boot.py
+++ b/ironic/drivers/modules/redfish/boot.py
@@ -266,12 +266,13 @@ class RedfishVirtualMediaBoot(base.BootInterface):
             public_dir = os.path.join(CONF.deploy.http_root, cls.IMAGE_SUBDIR)
 
             if not os.path.exists(public_dir):
-                os.mkdir(public_dir, 0x755)
+                os.mkdir(public_dir, 0o755)
 
             published_file = os.path.join(public_dir, object_name)
 
             try:
                 os.link(image_file, published_file)
+                os.chmod(image_file, CONF.redfish.file_permission)
 
             except OSError as exc:
                 LOG.debug(
@@ -282,6 +283,7 @@ class RedfishVirtualMediaBoot(base.BootInterface):
                                   'error': exc})
 
                 shutil.copyfile(image_file, published_file)
+                os.chmod(published_file, CONF.redfish.file_permission)
 
             image_url = os.path.join(
                 CONF.deploy.http_url, cls.IMAGE_SUBDIR, object_name)
diff --git a/ironic/tests/unit/drivers/modules/redfish/test_boot.py b/ironic/tests/unit/drivers/modules/redfish/test_boot.py
index 09d294041a..25717ef01b 100644
--- a/ironic/tests/unit/drivers/modules/redfish/test_boot.py
+++ b/ironic/tests/unit/drivers/modules/redfish/test_boot.py
@@ -235,11 +235,12 @@ class RedfishVirtualMediaBootTestCase(db_base.DbTestCase):
             mock_swift_api.delete_object.assert_called_once_with(
                 'ironic_redfish_container', object_name)
 
+    @mock.patch.object(os, 'chmod', autospec=True)
     @mock.patch.object(redfish_boot, 'shutil', autospec=True)
     @mock.patch.object(os, 'link', autospec=True)
     @mock.patch.object(os, 'mkdir', autospec=True)
     def test__publish_image_local_link(
-            self, mock_mkdir, mock_link, mock_shutil):
+            self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
         self.config(use_swift=False, group='redfish')
         self.config(http_url='http://localhost', group='deploy')
 
@@ -251,15 +252,17 @@ class RedfishVirtualMediaBootTestCase(db_base.DbTestCase):
             self.assertEqual(
                 'http://localhost/redfish/boot.iso?filename=file.iso', url)
 
-            mock_mkdir.assert_called_once_with('/httpboot/redfish', 0x755)
+            mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
             mock_link.assert_called_once_with(
                 'file.iso', '/httpboot/redfish/boot.iso')
+            mock_chmod.assert_called_once_with('file.iso', 0o644)
 
+    @mock.patch.object(os, 'chmod', autospec=True)
     @mock.patch.object(redfish_boot, 'shutil', autospec=True)
     @mock.patch.object(os, 'link', autospec=True)
     @mock.patch.object(os, 'mkdir', autospec=True)
     def test__publish_image_local_copy(
-            self, mock_mkdir, mock_link, mock_shutil):
+            self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
         self.config(use_swift=False, group='redfish')
         self.config(http_url='http://localhost', group='deploy')
 
@@ -273,10 +276,12 @@ class RedfishVirtualMediaBootTestCase(db_base.DbTestCase):
             self.assertEqual(
                 'http://localhost/redfish/boot.iso?filename=file.iso', url)
 
-            mock_mkdir.assert_called_once_with('/httpboot/redfish', 0x755)
+            mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
 
             mock_shutil.copyfile.assert_called_once_with(
                 'file.iso', '/httpboot/redfish/boot.iso')
+            mock_chmod.assert_called_once_with('/httpboot/redfish/boot.iso',
+                                               0o644)
 
     @mock.patch.object(redfish_boot, 'ironic_utils', autospec=True)
     def test__unpublish_image_local(self, mock_ironic_utils):
diff --git a/releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml b/releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml
new file mode 100644
index 0000000000..6e0afab9b0
--- /dev/null
+++ b/releasenotes/notes/redfish-virtual-media-permission-fix-1909b9cdbbbf9fd1.yaml
@@ -0,0 +1,25 @@
+---
+upgrade:
+  - |
+    Operators may need to check their ``/httpboot/redfish`` folder permissions
+    if using ``redfish-virtual-media``. The conductor was previously creating
+    the folder with incorrect permissions.
+  - |
+    A permission setting has been added for ``redfish-virtual-media`` boot
+    interface, which allows for explicit file permission setting when the
+    driver is being used. The default for the new ``[redfish]file_permission
+    setting is ``0u644``, or 644 if manually changed using ``chmod`` on the
+    command line. Operators MAY need to adjust this if they were running the
+    conductor with a specific ``umask`` to work around the permission setting
+    defect.
+fixes:
+  - |
+    Fixes the ``redfish-virtual-media`` and related based drivers to utilize
+    an explicit file permission instead of rely upon the ironic-conductor
+    umask, which may be incorrect. This can be tuned with the
+    ``[redfish]file_permission`` setting.
+  - |
+    Fixes an issue where the default folder permission for the
+    ``redfish-virtual-media`` driver where the folder permissions for the
+    ``/httpboot/redfish`` folder was being created with incorrect
+    permissions.