From 0bc7bf00cd596ca4c819da3141832693b0fee5da Mon Sep 17 00:00:00 2001
From: David Pacheco
Date: Tue, 22 Aug 2023 21:24:19 -0700
Subject: [PATCH] service IP pool lookup returns wrong authz error (#3933)

---
 nexus/db-queries/src/db/datastore/ip_pool.rs | 11 +----------
 nexus/tests/integration_tests/endpoints.rs | 8 ++++----
 2 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/nexus/db-queries/src/db/datastore/ip_pool.rs b/nexus/db-queries/src/db/datastore/ip_pool.rs
index 68e1f0403c..eb486d38f6 100644
--- a/nexus/db-queries/src/db/datastore/ip_pool.rs
+++ b/nexus/db-queries/src/db/datastore/ip_pool.rs
@@ -114,18 +114,9 @@ impl DataStore {
 ) -> LookupResult<(authz::IpPool, IpPool)> {
 use db::schema::ip_pool::dsl;
 
- // Ensure the caller has the ability to look up these IP pools.
- // If they don't, return "not found" instead of "forbidden".
 opctx
 .authorize(authz::Action::ListChildren, &authz::IP_POOL_LIST)
- .await
- .map_err(|e| match e {
- Error::Forbidden => {
- LookupType::ByCompositeId("Service IP Pool".to_string())
- .into_not_found(ResourceType::IpPool)
- }
- _ => e,
- })?;
+ .await?;
 
 // Look up this IP pool by rack ID.
 let (authz_pool, pool) = dsl::ip_pool
diff --git a/nexus/tests/integration_tests/endpoints.rs b/nexus/tests/integration_tests/endpoints.rs
index c512a5859b..ff299d61e8 100644
--- a/nexus/tests/integration_tests/endpoints.rs
+++ b/nexus/tests/integration_tests/endpoints.rs
@@ -802,7 +802,7 @@ lazy_static! {
 // IP Pool endpoint (Oxide services)
 VerifyEndpoint {
 url: &DEMO_IP_POOL_SERVICE_URL,
- visibility: Visibility::Protected,
+ visibility: Visibility::Public,
 unprivileged_access: UnprivilegedAccess::None,
 allowed_methods: vec![
 AllowedMethod::Get
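Review bot: The deleted two-line comment was the only explanation of why a `Forbidden` from the `IP_POOL_LIST` authorize call was being masked as "not found", and the replacement `.await?;` leaves no statement of why surfacing `Forbidden` is now the right answer here. The commit title and the endpoint tests flipping to `Visibility::Public` suggest the rationale is that the service IP pool is a well-known singleton whose existence is not sensitive, so a 403 leaks nothing; if that is the reasoning, record it at the call site, e.g. `// Surface "forbidden" here rather than masking it as "not found": the service IP pool is a well-known singleton, so its existence is not sensitive.` Note also that the only check visible in this hunk is `ListChildren` on the pool collection; whether the caller's permission on the returned `authz_pool` itself is checked depends on the rest of the function, which continues past the end of the hunk.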
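Review bot: The new `visibility: Visibility::Public` entry encodes a policy decision — that unprivileged callers may learn this endpoint exists, presumably getting 403 rather than 404 — but nothing in the entry records why the service IP pool differs from the other protected resources in this table, so a future reader could plausibly "fix" it back. A one-line comment on the entry would pin the intent, e.g. `// Public: the service IP pool is a singleton whose existence is not secret, so unprivileged callers get 403 rather than 404.` The harness semantics of `Visibility` are not visible in this hunk, so confirm that wording against the `VerifyEndpoint` definition before adopting it. The same flip is applied to the three ranges endpoints in the following hunks; one comment on this first entry is enough if they are kept grouped.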
@@ -812,7 +812,7 @@ lazy_static! {
 // IP Pool ranges endpoint (Oxide services)
 VerifyEndpoint {
 url: &DEMO_IP_POOL_SERVICE_RANGES_URL,
- visibility: Visibility::Protected,
+ visibility: Visibility::Public,
 unprivileged_access: UnprivilegedAccess::None,
 allowed_methods: vec![
 AllowedMethod::Get
@@ -822,7 +822,7 @@ lazy_static! {
 // IP Pool ranges/add endpoint (Oxide services)
 VerifyEndpoint {
 url: &DEMO_IP_POOL_SERVICE_RANGES_ADD_URL,
- visibility: Visibility::Protected,
+ visibility: Visibility::Public,
 unprivileged_access: UnprivilegedAccess::None,
 allowed_methods: vec![
 AllowedMethod::Post(
@@ -834,7 +834,7 @@ lazy_static! {
 // IP Pool ranges/delete endpoint (Oxide services)
 VerifyEndpoint {
 url: &DEMO_IP_POOL_SERVICE_RANGES_DEL_URL,
- visibility: Visibility::Protected,
+ visibility: Visibility::Public,
 unprivileged_access: UnprivilegedAccess::None,
 allowed_methods: vec![
 AllowedMethod::Post(