[nexus] Split authn/authz and db-fixed-data into new crates (#5849)

As a part of the ongoing effort to split Nexus into smaller pieces, this PR splits out two new crates: - `nexus-auth` takes the contents of `nexus/db-queries/src/auth{n,z}`, as well as `nexus/db-queries/src/context.rs`, and separates this logic into a new bespoke crate. Although this crate **does** have a dependency on the datastore itself, it only actually invokes a single method, and can be abstracted via a new trait, defined in `nexus/auth/storage`. - `nexus-db-fixed-data` takes the contents of `nexus/db-queries/src/db/fixed-data` and separates this logic into a new crate.
oxidecomputer · Jun 1, 2024 · 450f906 · 450f906
1 parent 8df03b3
commit 450f906
Show file tree

Hide file tree

Showing 69 changed files with 800 additions and 605 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -39,6 +39,8 @@ members = [
     "nexus",
     "nexus-config",
     "nexus/authz-macros",
+    "nexus/auth",
+    "nexus/db-fixed-data",
     "nexus/db-macros",
     "nexus/db-model",
     "nexus/db-queries",
@@ -123,9 +125,11 @@ default-members = [
     "nexus",
     "nexus-config",
     "nexus/authz-macros",
+    "nexus/auth",
     "nexus/macros-common",
     "nexus/metrics-producer-gc",
     "nexus/networking",
+    "nexus/db-fixed-data",
     "nexus/db-macros",
     "nexus/db-model",
     "nexus/db-queries",
@@ -317,8 +321,10 @@ newtype_derive = "0.1.6"
 mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "5630887d0373857f77cb264f84aa19bdec720ce3" }
 ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "5630887d0373857f77cb264f84aa19bdec720ce3" }
 multimap = "0.10.0"
+nexus-auth = { path = "nexus/auth" }
 nexus-client = { path = "clients/nexus-client" }
 nexus-config = { path = "nexus-config" }
+nexus-db-fixed-data = { path = "nexus/db-fixed-data" }
 nexus-db-model = { path = "nexus/db-model" }
 nexus-db-queries = { path = "nexus/db-queries" }
 nexus-defaults = { path = "nexus/defaults" }

diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
@@ -86,6 +86,7 @@ tough.workspace = true
 trust-dns-resolver.workspace = true
 uuid.workspace = true
 
+nexus-auth.workspace = true
 nexus-defaults.workspace = true
 nexus-db-model.workspace = true
 nexus-db-queries.workspace = true

diff --git a/nexus/auth/Cargo.toml b/nexus/auth/Cargo.toml
@@ -0,0 +1,48 @@
+[package]
+name = "nexus-auth"
+version = "0.1.0"
+edition = "2021"
+license = "MPL-2.0"
+
+[lints]
+workspace = true
+
+[build-dependencies]
+omicron-rpaths.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+async-trait.workspace = true
+base64.workspace = true
+chrono.workspace = true
+cookie.workspace = true
+dropshot.workspace = true
+futures.workspace = true
+headers.workspace = true
+http.workspace = true
+hyper.workspace = true
+newtype_derive.workspace = true
+# See omicron-rpaths for more about the "pq-sys" dependency.
+pq-sys = "*"
+once_cell.workspace = true
+openssl.workspace = true
+oso.workspace = true
+samael.workspace = true
+serde.workspace = true
+serde_urlencoded.workspace = true
+slog.workspace = true
+strum.workspace = true
+thiserror.workspace = true
+tokio = { workspace = true, features = ["full"] }
+uuid.workspace = true
+
+authz-macros.workspace = true
+nexus-db-fixed-data.workspace = true
+nexus-db-model.workspace = true
+nexus-types.workspace = true
+omicron-common.workspace = true
+omicron-uuid-kinds.workspace = true
+omicron-workspace-hack.workspace = true
+
+[dev-dependencies]
+omicron-test-utils.workspace = true
diff --git a/nexus/auth/build.rs b/nexus/auth/build.rs
@@ -0,0 +1,10 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// See omicron-rpaths for documentation.
+// NOTE: This file MUST be kept in sync with the other build.rs files in this
+// repository.
+fn main() {
+    omicron_rpaths::configure_default_omicron_rpaths();
+}
diff --git a/.../db-queries/src/authn/external/cookies.rs → nexus/auth/src/authn/external/cookies.rs b/.../db-queries/src/authn/external/cookies.rs → nexus/auth/src/authn/external/cookies.rs
@@ -9,6 +9,8 @@ use dropshot::{
     ApiEndpointBodyContentType, ExtensionMode, ExtractorMetadata, HttpError,
     RequestContext, ServerContext, SharedExtractor,
 };
+use newtype_derive::NewtypeDeref;
+use newtype_derive::NewtypeFrom;
 
 pub fn parse_cookies(
     headers: &http::HeaderMap<http::HeaderValue>,

diff --git a/nexus/db-queries/src/authn/external/mod.rs → nexus/auth/src/authn/external/mod.rs b/nexus/db-queries/src/authn/external/mod.rs → nexus/auth/src/authn/external/mod.rs
@@ -9,6 +9,7 @@ use super::SiloAuthnPolicy;
 use crate::authn;
 use async_trait::async_trait;
 use authn::Reason;
+use slog::trace;
 use std::borrow::Borrow;
 use uuid::Uuid;
 

diff --git a/...ries/src/authn/external/session_cookie.rs → ...auth/src/authn/external/session_cookie.rs b/...ries/src/authn/external/session_cookie.rs → ...auth/src/authn/external/session_cookie.rs
@@ -13,6 +13,7 @@ use async_trait::async_trait;
 use chrono::{DateTime, Duration, Utc};
 use dropshot::HttpError;
 use http::HeaderValue;
+use slog::debug;
 use uuid::Uuid;
 
 // many parts of the implementation will reference this OWASP guide

diff --git a/nexus/db-queries/src/authn/external/spoof.rs → nexus/auth/src/authn/external/spoof.rs b/nexus/db-queries/src/authn/external/spoof.rs → nexus/auth/src/authn/external/spoof.rs
@@ -17,6 +17,7 @@ use async_trait::async_trait;
 use headers::authorization::{Authorization, Bearer};
 use headers::HeaderMapExt;
 use once_cell::sync::Lazy;
+use slog::debug;
 use uuid::Uuid;
 
 // This scheme is intended for demos, development, and testing until we have a

diff --git a/nexus/db-queries/src/authn/external/token.rs → nexus/auth/src/authn/external/token.rs b/nexus/db-queries/src/authn/external/token.rs → nexus/auth/src/authn/external/token.rs
diff --git a/nexus/db-queries/src/authn/mod.rs → nexus/auth/src/authn/mod.rs b/nexus/db-queries/src/authn/mod.rs → nexus/auth/src/authn/mod.rs
@@ -28,22 +28,21 @@ pub mod external;
 pub mod saga;
 pub mod silos;
 
-pub use crate::db::fixed_data::silo_user::USER_TEST_PRIVILEGED;
-pub use crate::db::fixed_data::silo_user::USER_TEST_UNPRIVILEGED;
-pub use crate::db::fixed_data::user_builtin::USER_DB_INIT;
-pub use crate::db::fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
-pub use crate::db::fixed_data::user_builtin::USER_INTERNAL_API;
-pub use crate::db::fixed_data::user_builtin::USER_INTERNAL_READ;
-pub use crate::db::fixed_data::user_builtin::USER_SAGA_RECOVERY;
-pub use crate::db::fixed_data::user_builtin::USER_SERVICE_BALANCER;
-use crate::db::model::ConsoleSession;
+pub use nexus_db_fixed_data::silo_user::USER_TEST_PRIVILEGED;
+pub use nexus_db_fixed_data::silo_user::USER_TEST_UNPRIVILEGED;
+pub use nexus_db_fixed_data::user_builtin::USER_DB_INIT;
+pub use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
+pub use nexus_db_fixed_data::user_builtin::USER_INTERNAL_API;
+pub use nexus_db_fixed_data::user_builtin::USER_INTERNAL_READ;
+pub use nexus_db_fixed_data::user_builtin::USER_SAGA_RECOVERY;
+pub use nexus_db_fixed_data::user_builtin::USER_SERVICE_BALANCER;
 
 use crate::authz;
-use crate::db;
-use crate::db::fixed_data::silo::DEFAULT_SILO;
-use crate::db::identity::Asset;
+use newtype_derive::NewtypeDisplay;
+use nexus_db_fixed_data::silo::DEFAULT_SILO;
 use nexus_types::external_api::shared::FleetRole;
 use nexus_types::external_api::shared::SiloRole;
+use nexus_types::identity::Asset;
 use omicron_common::api::external::LookupType;
 use serde::Deserialize;
 use serde::Serialize;
@@ -254,7 +253,6 @@ pub struct SiloAuthnPolicy {
 }
 
 impl SiloAuthnPolicy {
-    #[cfg(test)]
     pub fn new(
         mapped_fleet_roles: BTreeMap<SiloRole, BTreeSet<FleetRole>>,
     ) -> SiloAuthnPolicy {
@@ -290,8 +288,8 @@ mod test {
     use super::USER_SERVICE_BALANCER;
     use super::USER_TEST_PRIVILEGED;
     use super::USER_TEST_UNPRIVILEGED;
-    use crate::db::fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
-    use crate::db::identity::Asset;
+    use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
+    use nexus_types::identity::Asset;
 
     #[test]
     fn test_internal_users() {
@@ -386,11 +384,13 @@ impl Actor {
     }
 }
 
-impl From<&Actor> for db::model::IdentityType {
-    fn from(actor: &Actor) -> db::model::IdentityType {
+impl From<&Actor> for nexus_db_model::IdentityType {
+    fn from(actor: &Actor) -> nexus_db_model::IdentityType {
         match actor {
-            Actor::UserBuiltin { .. } => db::model::IdentityType::UserBuiltin,
-            Actor::SiloUser { .. } => db::model::IdentityType::SiloUser,
+            Actor::UserBuiltin { .. } => {
+                nexus_db_model::IdentityType::UserBuiltin
+            }
+            Actor::SiloUser { .. } => nexus_db_model::IdentityType::SiloUser,
         }
     }
 }
@@ -421,7 +421,7 @@ impl std::fmt::Debug for Actor {
 /// A console session with the silo id of the authenticated user
 #[derive(Clone, Debug)]
 pub struct ConsoleSessionWithSiloId {
-    pub console_session: ConsoleSession,
+    pub console_session: nexus_db_model::ConsoleSession,
     pub silo_id: Uuid,
 }
 

diff --git a/nexus/db-queries/src/authn/saga.rs → nexus/auth/src/authn/saga.rs b/nexus/db-queries/src/authn/saga.rs → nexus/auth/src/authn/saga.rs