Silo admin endpoints for user logout + listing tokens and sessions (#8479)

The idea here is that to disable a user's access to the system, admins
first disable that user's ability to log in on the IdP side and then hit
this endpoint to remove all of their existing credentials on our end.
The centerpiece is the logout endpoint, but I added the endpoints for
listing sessions and tokens because someone pointed out you really want
to see those come back empty after logout. They're also kind of useful
anyway. Then I added `user_view` just because it wouldn't make sense to
have token and session list endpoints hanging off `/v1/users/{user_id}`
without having that defined.

- [x] Add `/v1/users/{user_id}/logout` that deletes all of the user's
tokens and sessions
- [x] Add new authz resource `SiloUserAuthnList` letting us authorize
that action for silo admins specifically (can't use silo modify because
fleet collaborator and admin get that on all silos)
- [x] Update IAM policy test
- [x] Test that logout deletes tokens and the right perms are enforced
- [x] Test that logout deletes sessions and the right perms are enforced
- [x] Add `user_view` and `user_token_list` and `user_session_list`
endpoints for symmetry and to give the admin a warm fuzzy feeling when
they see that the tokens and sessions are in fact gone (also makes
testing a little cleaner)
- [x] Fix session list including expired sessions (and test it)
- [ ] Think about whether we need to do something about dueling admins
issues, i.e., what if the person you're trying to disable are themselves
a silo admin and they log everyone else out of the silo. The only
solution I can think of off the top of my head is an operator-level
version of this endpoint that can be used by a user outside of the silo
in question.

Author: david-crespo

nexus/auth/src/authz/api_resources.rs

@@ -668,6 +668,118 @@ impl AuthorizedResource for SiloUserList {
     }
 }
 
+// Note the session list and the token list have exactly the same behavior
+
+/// Synthetic resource for managing a user's sessions
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct SiloUserSessionList(SiloUser);
+
+impl SiloUserSessionList {
+    pub fn new(silo_user: SiloUser) -> Self {
+        Self(silo_user)
+    }
+
+    pub fn silo_user(&self) -> &SiloUser {
+        &self.0
+    }
+
+    pub fn silo(&self) -> &Silo {
+        &self.0.parent
+    }
+}
+
+impl oso::PolarClass for SiloUserSessionList {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        oso::Class::builder().with_equality_check().add_attribute_getter(
+            "silo_user",
+            |user_sessions: &SiloUserSessionList| {
+                user_sessions.silo_user().clone()
+            },
+        )
+    }
+}
+
+impl AuthorizedResource for SiloUserSessionList {
+    fn load_roles<'fut>(
+        &'fut self,
+        opctx: &'fut OpContext,
+        authn: &'fut authn::Context,
+        roleset: &'fut mut RoleSet,
+    ) -> futures::future::BoxFuture<'fut, Result<(), Error>> {
+        // To check for silo admin, we need to load roles from the parent silo.
+        self.silo_user().parent.load_roles(opctx, authn, roleset)
+    }
+
+    fn on_unauthorized(
+        &self,
+        _: &Authz,
+        error: Error,
+        _: AnyActor,
+        _: Action,
+    ) -> Error {
+        error
+    }
+
+    fn polar_class(&self) -> oso::Class {
+        Self::get_polar_class()
+    }
+}
+
+/// Synthetic resource for managing a user's tokens
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct SiloUserTokenList(SiloUser);
+
+impl SiloUserTokenList {
+    pub fn new(silo_user: SiloUser) -> Self {
+        Self(silo_user)
+    }
+
+    pub fn silo_user(&self) -> &SiloUser {
+        &self.0
+    }
+
+    pub fn silo(&self) -> &Silo {
+        &self.0.parent
+    }
+}
+
+impl oso::PolarClass for SiloUserTokenList {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        oso::Class::builder().with_equality_check().add_attribute_getter(
+            "silo_user",
+            |user_sessions: &SiloUserTokenList| {
+                user_sessions.silo_user().clone()
+            },
+        )
+    }
+}
+
+impl AuthorizedResource for SiloUserTokenList {
+    fn load_roles<'fut>(
+        &'fut self,
+        opctx: &'fut OpContext,
+        authn: &'fut authn::Context,
+        roleset: &'fut mut RoleSet,
+    ) -> futures::future::BoxFuture<'fut, Result<(), Error>> {
+        // To check for silo admin, we need to load roles from the parent silo.
+        self.silo_user().parent.load_roles(opctx, authn, roleset)
+    }
+
+    fn on_unauthorized(
+        &self,
+        _: &Authz,
+        error: Error,
+        _: AnyActor,
+        _: Action,
+    ) -> Error {
+        error
+    }
+
+    fn polar_class(&self) -> oso::Class {
+        Self::get_polar_class()
+    }
+}
+
 #[derive(Clone, Copy, Debug)]
 pub struct UpdateTrustRootList;
 

nexus/auth/src/authz/omicron.polar

@@ -450,6 +450,46 @@ resource ConsoleSessionList {
 has_relation(fleet: Fleet, "parent_fleet", collection: ConsoleSessionList)
 	if collection.fleet = fleet;
 
+# Allow silo admins to delete and list user sessions
+resource SiloUserSessionList {
+    permissions = [ "modify", "list_children" ];
+    relations = { parent_silo: Silo };
+
+    # A silo admin can modify (e.g., delete) a user's sessions.
+    "modify" if "admin" on "parent_silo";
+
+    # A silo admin can list a user's sessions.
+    "list_children" if "admin" on "parent_silo";
+}
+has_relation(silo: Silo, "parent_silo", authn_list: SiloUserSessionList)
+    if authn_list.silo_user.silo = silo;
+
+# give users 'modify' and 'list_children' on their own sessions
+has_permission(actor: AuthenticatedActor, "modify", authn_list: SiloUserSessionList)
+    if actor.equals_silo_user(authn_list.silo_user);
+has_permission(actor: AuthenticatedActor, "list_children", authn_list: SiloUserSessionList)
+    if actor.equals_silo_user(authn_list.silo_user);
+
+# Allow silo admins to delete and list user access tokens
+resource SiloUserTokenList {
+    permissions = [ "modify", "list_children" ];
+    relations = { parent_silo: Silo };
+
+    # A silo admin can modify (e.g., delete) a user's tokens.
+    "modify" if "admin" on "parent_silo";
+
+    # A silo admin can list a user's tokens.
+    "list_children" if "admin" on "parent_silo";
+}
+has_relation(silo: Silo, "parent_silo", authn_list: SiloUserTokenList)
+    if authn_list.silo_user.silo = silo;
+
+# give users 'modify' and 'list_children' on their own tokens
+has_permission(actor: AuthenticatedActor, "modify", authn_list: SiloUserTokenList)
+    if actor.equals_silo_user(authn_list.silo_user);
+has_permission(actor: AuthenticatedActor, "list_children", authn_list: SiloUserTokenList)
+    if actor.equals_silo_user(authn_list.silo_user);
+
 # Describes the policy for creating and managing device authorization requests.
 resource DeviceAuthRequestList {
 	permissions = [ "create_child" ];

nexus/auth/src/authz/oso_generic.rs

@@ -114,6 +114,8 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         SiloCertificateList::get_polar_class(),
         SiloIdentityProviderList::get_polar_class(),
         SiloUserList::get_polar_class(),
+        SiloUserSessionList::get_polar_class(),
+        SiloUserTokenList::get_polar_class(),
         UpdateTrustRootList::get_polar_class(),
         TargetReleaseConfig::get_polar_class(),
         AlertClassList::get_polar_class(),

nexus/db-model/src/console_session.rs

@@ -4,8 +4,8 @@
 
 use chrono::{DateTime, Utc};
 use nexus_db_schema::schema::console_session;
-use omicron_uuid_kinds::ConsoleSessionKind;
-use omicron_uuid_kinds::ConsoleSessionUuid;
+use nexus_types::external_api::views;
+use omicron_uuid_kinds::{ConsoleSessionKind, ConsoleSessionUuid, GenericUuid};
 use uuid::Uuid;
 
 use crate::typed_uuid::DbTypedUuid;
@@ -38,3 +38,13 @@ impl ConsoleSession {
         self.id.0
     }
 }
+
+impl From<ConsoleSession> for views::ConsoleSession {
+    fn from(session: ConsoleSession) -> Self {
+        Self {
+            id: session.id.into_untyped_uuid(),
+            time_created: session.time_created,
+            time_last_used: session.time_last_used,
+        }
+    }
+}

nexus/db-queries/src/db/datastore/console_session.rs

@@ -9,19 +9,26 @@ use crate::authn;
 use crate::authz;
 use crate::context::OpContext;
 use crate::db::model::ConsoleSession;
+use crate::db::pagination::paginated;
 use async_bb8_diesel::AsyncRunQueryDsl;
+use chrono::TimeDelta;
 use chrono::Utc;
 use diesel::prelude::*;
+use nexus_db_errors::ErrorHandler;
+use nexus_db_errors::public_error_from_diesel;
 use nexus_db_lookup::LookupPath;
 use nexus_db_schema::schema::console_session;
 use omicron_common::api::external::CreateResult;
+use omicron_common::api::external::DataPageParams;
 use omicron_common::api::external::DeleteResult;
 use omicron_common::api::external::Error;
+use omicron_common::api::external::ListResultVec;
 use omicron_common::api::external::LookupResult;
 use omicron_common::api::external::LookupType;
 use omicron_common::api::external::ResourceType;
 use omicron_common::api::external::UpdateResult;
 use omicron_uuid_kinds::GenericUuid;
+use uuid::Uuid;
 
 impl DataStore {
     /// Look up session by token. The token is a kind of password, so simply
@@ -154,4 +161,60 @@ impl DataStore {
                 ))
             })
     }
+
+    /// List console sessions for a specific user
+    ///
+    /// Have to pass down TTLs because they come from the nexus server config.
+    pub async fn silo_user_session_list(
+        &self,
+        opctx: &OpContext,
+        authn_list: authz::SiloUserSessionList,
+        pagparams: &DataPageParams<'_, Uuid>,
+        idle_ttl: TimeDelta,
+        abs_ttl: TimeDelta,
+    ) -> ListResultVec<ConsoleSession> {
+        opctx.authorize(authz::Action::ListChildren, &authn_list).await?;
+
+        let user_id = authn_list.silo_user().id();
+
+        // HACK: unlike with tokens, we do not have expiration time here,
+        // so we can't filter out expired sessions by comparing to now. The
+        // real way to do this would be to change this to time_expires_idle
+        // and time_expires_abs and just compare them to now directly. Then
+        // we would not have to pass the TTLs down from the handler.
+        let now = Utc::now();
+
+        use nexus_db_schema::schema::console_session::dsl;
+        paginated(dsl::console_session, dsl::id, &pagparams)
+            .filter(dsl::silo_user_id.eq(user_id))
+            // session is not expired according to abs timeout
+            .filter(dsl::time_created.ge(now - abs_ttl))
+            // session is also not expired according to idle timeout
+            .filter(dsl::time_last_used.ge(now - idle_ttl))
+            .select(ConsoleSession::as_select())
+            .load_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+
+    /// Delete all session for the user
+    pub async fn silo_user_sessions_delete(
+        &self,
+        opctx: &OpContext,
+        authn_list: &authz::SiloUserSessionList,
+    ) -> Result<(), Error> {
+        // authz policy enforces that the opctx actor is a silo admin on the
+        // target user's own silo in particular
+        opctx.authorize(authz::Action::Modify, authn_list).await?;
+
+        let user_id = authn_list.silo_user().id();
+
+        use nexus_db_schema::schema::console_session;
+        diesel::delete(console_session::table)
+            .filter(console_session::silo_user_id.eq(user_id))
+            .execute_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+            .map(|_x| ())
+    }
 }

nexus/db-queries/src/db/datastore/device_auth.rs

@@ -214,6 +214,33 @@ impl DataStore {
             .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
     }
 
+    /// List device access tokens for a specific user
+    pub async fn silo_user_token_list(
+        &self,
+        opctx: &OpContext,
+        authz_token_list: authz::SiloUserTokenList,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<DeviceAccessToken> {
+        opctx.authorize(authz::Action::ListChildren, &authz_token_list).await?;
+
+        let silo_user_id = authz_token_list.silo_user().id();
+
+        use nexus_db_schema::schema::device_access_token::dsl;
+        paginated(dsl::device_access_token, dsl::id, &pagparams)
+            .filter(dsl::silo_user_id.eq(silo_user_id))
+            // we don't have time_deleted on tokens. unfortunately this is not
+            // indexed well. maybe it can be!
+            .filter(
+                dsl::time_expires
+                    .is_null()
+                    .or(dsl::time_expires.gt(Utc::now())),
+            )
+            .select(DeviceAccessToken::as_select())
+            .load_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+
     pub async fn current_user_token_delete(
         &self,
         opctx: &OpContext,
@@ -241,4 +268,26 @@ impl DataStore {
 
         Ok(())
     }
+
+    /// Delete all tokens for the user
+    pub async fn silo_user_tokens_delete(
+        &self,
+        opctx: &OpContext,
+        authz_token_list: &authz::SiloUserTokenList,
+    ) -> Result<(), Error> {
+        // authz policy enforces that the opctx actor is a silo admin on the
+        // target user's own silo in particular
+        opctx.authorize(authz::Action::Modify, authz_token_list).await?;
+
+        use nexus_db_schema::schema::device_access_token;
+        diesel::delete(device_access_token::table)
+            .filter(
+                device_access_token::silo_user_id
+                    .eq(authz_token_list.silo_user().id()),
+            )
+            .execute_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+            .map(|_x| ())
+    }
 }

nexus/db-queries/src/policy_test/resource_builder.rs

@@ -345,3 +345,37 @@ impl DynAuthorizedResource for authz::SiloUserList {
         format!("{}: user list", self.silo().resource_name())
     }
 }
+
+impl DynAuthorizedResource for authz::SiloUserSessionList {
+    fn do_authorize<'a, 'b>(
+        &'a self,
+        opctx: &'b OpContext,
+        action: authz::Action,
+    ) -> BoxFuture<'a, Result<(), Error>>
+    where
+        'b: 'a,
+    {
+        opctx.authorize(action, self).boxed()
+    }
+
+    fn resource_name(&self) -> String {
+        format!("{}: session list", self.silo_user().resource_name())
+    }
+}
+
+impl DynAuthorizedResource for authz::SiloUserTokenList {
+    fn do_authorize<'a, 'b>(
+        &'a self,
+        opctx: &'b OpContext,
+        action: authz::Action,
+    ) -> BoxFuture<'a, Result<(), Error>>
+    where
+        'b: 'a,
+    {
+        opctx.authorize(action, self).boxed()
+    }
+
+    fn resource_name(&self) -> String {
+        format!("{}: token list", self.silo_user().resource_name())
+    }
+}