fix the problem

nexus/src/app/external_ip.rs

@@ -114,7 +114,11 @@ impl super::Nexus {
         let pool = match pool {
             Some(pool) => Some(
                 self.ip_pool_lookup(opctx, &pool)?
-                    .lookup_for(authz::Action::Read)
+                    // every authenticated user has CreateChild on IP pools
+                    // because they need to be able to allocate IPs from them.
+                    // The check that the pool is linked to the current silo
+                    // happens inside allocate_floating_ip
+                    .lookup_for(authz::Action::CreateChild)
                     .await?
                     .0,
             ),

nexus/tests/integration_tests/external_ips.rs

@@ -302,8 +302,8 @@ async fn test_floating_ip_create_non_admin(
     )
     .await;
 
-    // create project as user
-    let result = NexusRequest::objects_post(
+    // create project as user (i.e., in their silo)
+    NexusRequest::objects_post(
         client,
         "/v1/projects",
         &params::ProjectCreate {
@@ -315,7 +315,8 @@ async fn test_floating_ip_create_non_admin(
     )
     .authn_as(AuthnMode::SiloUser(user.id))
     .execute()
-    .await;
+    .await
+    .expect("Failed to create project");
 
     let create_url = get_floating_ips_url(PROJECT_NAME);
 
@@ -325,36 +326,54 @@ async fn test_floating_ip_create_non_admin(
             name: "root-beer".parse().unwrap(),
             description: String::from("a floating ip"),
         },
-        ip: None,
         pool: None,
+        ip: None,
     };
-    let _: views::FloatingIp =
+    let fip: views::FloatingIp =
         NexusRequest::objects_post(client, &create_url, &body)
             .authn_as(AuthnMode::SiloUser(user.id))
             .execute_and_parse_unwrap()
             .await;
+    assert_eq!(fip.identity.name.to_string(), "root-beer");
 
     // now with other pool linked to my silo
     let body = params::FloatingIpCreate {
+        identity: IdentityMetadataCreateParams {
+            name: "another-soda".parse().unwrap(),
+            description: String::from("a floating ip"),
+        },
         pool: Some(NameOrId::Name("other-pool".parse().unwrap())),
-        ..body
+        ip: None,
     };
-    let _: views::FloatingIp =
+    let fip: views::FloatingIp =
         NexusRequest::objects_post(client, &create_url, &body)
             .authn_as(AuthnMode::SiloUser(user.id))
             .execute_and_parse_unwrap()
             .await;
+    assert_eq!(fip.identity.name.to_string(), "another-soda");
 
     // now with pool not linked to my silo (fails with 404)
     let body = params::FloatingIpCreate {
+        identity: IdentityMetadataCreateParams {
+            name: "secret-third-soda".parse().unwrap(),
+            description: String::from("a floating ip"),
+        },
         pool: Some(NameOrId::Name("unlinked-pool".parse().unwrap())),
-        ..body
+        ip: None,
     };
-    let _: views::FloatingIp =
-        NexusRequest::objects_post(client, &create_url, &body)
-            .authn_as(AuthnMode::SiloUser(user.id))
-            .execute_and_parse_unwrap()
-            .await;
+    let error = NexusRequest::new(
+        RequestBuilder::new(client, Method::POST, &create_url)
+            .body(Some(&body))
+            .expect_status(Some(StatusCode::NOT_FOUND)),
+    )
+    .authn_as(AuthnMode::SiloUser(user.id))
+    .execute()
+    .await
+    .unwrap()
+    .parsed_body::<HttpErrorResponseBody>()
+    .unwrap();
+
+    assert_eq!(error.message, "not found: ip-pool with name \"unlinked-pool\"");
 }
 
 #[nexus_test]