Use typed UUIDs for silo user and group (#8803)

This commit changes SiloUser and SiloGroup to use typed UUIDs.

The biggest reason that this couldn't happen without a bunch of work was
the `lookup_resource` macro: for a resource like SshKey, it looked like

```
lookup_resource! {
    name = "SshKey",
    ancestors = [ "Silo", "SiloUser" ],
    lookup_by_name = true,
    soft_deletes = true,
    primary_key_columns = [ { column_name = "id", rust_type = Uuid } ]
}
```

One of the methods that the `lookup_resource` macro generates will
create a lookup for ancestors of the resource, and this was one using
the type returned from the corresponding authz resource's `id` method:

```
            quote! { .filter(dsl::#parent_id.eq(#parent_authz_name.id())) },
```

Changing SiloUser to use a typed UUID in the authz resource:

```
authz_resource! {
    name = "SiloUser",
    parent = "Silo",
    primary_key = { uuid_kind = SiloUserKind }, <-- here
    roles_allowed = false,
    polar_snippet = Custom,
}
```

and changing the `SiloUser` db model to use `DbTypedUuid` meant that a
call to `to_db_typed_uuid` was required. The lookup_resource macro has
no type information from the string "SiloUser", so this PR adds a check:
if the ancestor string is suffixed with a '*', then the lookup_resource
macro should assume that the `parent_id` is a typed UUID, and generate
the call to `to_db_typed_uuid`.

Most of the work after that was mechanical, changing Uuid to their typed
equivalent, changing method argument types, etc etc.

Some other related things made it into this PR:

- UserBuiltIn now also uses a typed UUID as well, distinguishing them
from silo users

- Actor no longer has the `actor_id` method, instead requiring call
sites to check which variant of Actor is being used

- AuthenticatedActor stores the full Actor instead of only the actor id,
leading to typed comparisons in its oso::PolarClass impl

- User and Group path params are now typed

Author: jmpesp

Cargo.lock

@@ -26,3 +26,4 @@ thiserror.workspace = true
 tokio = { workspace = true, features = [ "net" ] }
 uuid.workspace = true
 omicron-workspace-hack.workspace = true
+omicron-uuid-kinds.workspace = true

clients/oxide-client/Cargo.toml

@@ -10,6 +10,7 @@ use crate::authn;
 use crate::probes;
 use async_trait::async_trait;
 use authn::Reason;
+use omicron_uuid_kinds::SiloUserUuid;
 use slog::trace;
 use std::borrow::Borrow;
 use uuid::Uuid;
@@ -153,7 +154,10 @@ pub enum SchemeResult {
 /// A context that can look up a Silo user's Silo.
 #[async_trait]
 pub trait SiloUserSilo {
-    async fn silo_user_silo(&self, silo_user_id: Uuid) -> Result<Uuid, Reason>;
+    async fn silo_user_silo(
+        &self,
+        silo_user_id: SiloUserUuid,
+    ) -> Result<Uuid, Reason>;
 }
 
 #[cfg(test)]

nexus/auth/src/authn/external/mod.rs

@@ -14,6 +14,7 @@ use dropshot::HttpError;
 use http::HeaderValue;
 use nexus_types::authn::cookies::parse_cookies;
 use omicron_uuid_kinds::ConsoleSessionUuid;
+use omicron_uuid_kinds::SiloUserUuid;
 use slog::debug;
 use uuid::Uuid;
 
@@ -22,7 +23,7 @@ use uuid::Uuid;
 
 pub trait Session {
     fn id(&self) -> ConsoleSessionUuid;
-    fn silo_user_id(&self) -> Uuid;
+    fn silo_user_id(&self) -> SiloUserUuid;
     fn silo_id(&self) -> Uuid;
     fn time_last_used(&self) -> DateTime<Utc>;
     fn time_created(&self) -> DateTime<Utc>;
@@ -202,6 +203,7 @@ mod test {
     use chrono::{DateTime, Duration, Utc};
     use http;
     use omicron_uuid_kinds::ConsoleSessionUuid;
+    use omicron_uuid_kinds::SiloUserUuid;
     use slog;
     use std::sync::Mutex;
     use uuid::Uuid;
@@ -216,7 +218,7 @@ mod test {
     struct FakeSession {
         id: ConsoleSessionUuid,
         token: String,
-        silo_user_id: Uuid,
+        silo_user_id: SiloUserUuid,
         silo_id: Uuid,
         time_created: DateTime<Utc>,
         time_last_used: DateTime<Utc>,
@@ -226,7 +228,7 @@ mod test {
         fn id(&self) -> ConsoleSessionUuid {
             self.id
         }
-        fn silo_user_id(&self) -> Uuid {
+        fn silo_user_id(&self) -> SiloUserUuid {
             self.silo_user_id
         }
         fn silo_id(&self) -> Uuid {
@@ -331,7 +333,7 @@ mod test {
             sessions: Mutex::new(vec![FakeSession {
                 id: ConsoleSessionUuid::new_v4(),
                 token: "abc".to_string(),
-                silo_user_id: Uuid::new_v4(),
+                silo_user_id: SiloUserUuid::new_v4(),
                 silo_id: Uuid::new_v4(),
                 time_last_used: Utc::now() - Duration::hours(2),
                 time_created: Utc::now() - Duration::hours(2),
@@ -357,7 +359,7 @@ mod test {
             sessions: Mutex::new(vec![FakeSession {
                 id: ConsoleSessionUuid::new_v4(),
                 token: "abc".to_string(),
-                silo_user_id: Uuid::new_v4(),
+                silo_user_id: SiloUserUuid::new_v4(),
                 silo_id: Uuid::new_v4(),
                 time_last_used: Utc::now(),
                 time_created: Utc::now() - Duration::hours(20),
@@ -384,7 +386,7 @@ mod test {
             sessions: Mutex::new(vec![FakeSession {
                 id: ConsoleSessionUuid::new_v4(),
                 token: "abc".to_string(),
-                silo_user_id: Uuid::new_v4(),
+                silo_user_id: SiloUserUuid::new_v4(),
                 silo_id: Uuid::new_v4(),
                 time_last_used,
                 time_created: Utc::now(),

nexus/auth/src/authn/external/session_cookie.rs

@@ -18,8 +18,9 @@ use anyhow::anyhow;
 use async_trait::async_trait;
 use headers::HeaderMapExt;
 use headers::authorization::{Authorization, Bearer};
+use omicron_uuid_kinds::SiloUserUuid;
 use slog::debug;
-use uuid::Uuid;
+use std::str::FromStr;
 
 // This scheme is intended for demos, development, and testing until we have a
 // more automatable identity provider that can be used for those purposes.
@@ -118,7 +119,7 @@ where
 
 fn authn_spoof_parse_id(
     raw_value: Option<&Authorization<Bearer>>,
-) -> Result<Option<Uuid>, Reason> {
+) -> Result<Option<SiloUserUuid>, Reason> {
     let token = match raw_value {
         None => return Ok(None),
         Some(bearer) => bearer.token(),
@@ -142,15 +143,15 @@ fn authn_spoof_parse_id(
         });
     }
 
-    Uuid::parse_str(str_value)
+    SiloUserUuid::from_str(str_value)
         .context("parsing header value as UUID")
         .map(|silo_user_id| Some(silo_user_id))
         .map_err(|source| Reason::BadFormat { source })
 }
 
 /// Returns a value of the `Authorization` header for this actor that will be
 /// accepted using this scheme
-pub fn make_header_value(id: Uuid) -> Authorization<Bearer> {
+pub fn make_header_value<T: std::fmt::Display>(id: T) -> Authorization<Bearer> {
     make_header_value_str(&id.to_string()).unwrap()
 }
 
@@ -193,6 +194,7 @@ mod test {
     use headers::HeaderMapExt;
     use headers::authorization::Bearer;
     use headers::authorization::Credentials;
+    use omicron_uuid_kinds::SiloUserUuid;
     use uuid::Uuid;
 
     #[test]
@@ -243,14 +245,14 @@ mod test {
     #[test]
     fn test_spoof_header_valid() {
         let test_uuid_str = "37b56e4f-8c60-453b-a37e-99be6efe8a89";
-        let test_uuid = test_uuid_str.parse::<Uuid>().unwrap();
+        let test_uuid = test_uuid_str.parse::<SiloUserUuid>().unwrap();
         let test_header = make_header_value(test_uuid);
 
         // Success case: the client provided a valid uuid in the header.
         let success_case = authn_spoof_parse_id(Some(&test_header));
         match success_case {
-            Ok(Some(actor_id)) => {
-                assert_eq!(actor_id, test_uuid);
+            Ok(Some(silo_user_id)) => {
+                assert_eq!(silo_user_id, test_uuid);
             }
             _ => {
                 assert!(false);

nexus/auth/src/authn/external/spoof.rs

@@ -44,6 +44,8 @@ use nexus_types::external_api::shared::FleetRole;
 use nexus_types::external_api::shared::SiloRole;
 use nexus_types::identity::Asset;
 use omicron_common::api::external::LookupType;
+use omicron_uuid_kinds::BuiltInUserUuid;
+use omicron_uuid_kinds::SiloUserUuid;
 use serde::Deserialize;
 use serde::Serialize;
 use std::collections::BTreeMap;
@@ -197,7 +199,7 @@ impl Context {
         Context::context_for_builtin_user(USER_SERVICE_BALANCER.id)
     }
 
-    fn context_for_builtin_user(user_builtin_id: Uuid) -> Context {
+    fn context_for_builtin_user(user_builtin_id: BuiltInUserUuid) -> Context {
         Context {
             kind: Kind::Authenticated(
                 Details { actor: Actor::UserBuiltin { user_builtin_id } },
@@ -239,7 +241,7 @@ impl Context {
     /// Returns an authenticated context for the specific Silo user. Not marked
     /// as #[cfg(test)] so that this is available in integration tests.
     pub fn for_test_user(
-        silo_user_id: Uuid,
+        silo_user_id: SiloUserUuid,
         silo_id: Uuid,
         silo_authn_policy: SiloAuthnPolicy,
     ) -> Context {
@@ -311,35 +313,35 @@ mod test {
         // The privileges are (or will be) verified in authz tests.
         let authn = Context::privileged_test_user();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_TEST_PRIVILEGED.id());
+        assert_eq!(actor.silo_user_id(), Some(USER_TEST_PRIVILEGED.id()));
 
         let authn = Context::unprivileged_test_user();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_TEST_UNPRIVILEGED.id());
+        assert_eq!(actor.silo_user_id(), Some(USER_TEST_UNPRIVILEGED.id()));
 
         let authn = Context::internal_read();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_INTERNAL_READ.id);
+        assert_eq!(actor.built_in_user_id(), Some(USER_INTERNAL_READ.id));
 
         let authn = Context::external_authn();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_EXTERNAL_AUTHN.id);
+        assert_eq!(actor.built_in_user_id(), Some(USER_EXTERNAL_AUTHN.id));
 
         let authn = Context::internal_db_init();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_DB_INIT.id);
+        assert_eq!(actor.built_in_user_id(), Some(USER_DB_INIT.id));
 
         let authn = Context::internal_service_balancer();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_SERVICE_BALANCER.id);
+        assert_eq!(actor.built_in_user_id(), Some(USER_SERVICE_BALANCER.id));
 
         let authn = Context::internal_saga_recovery();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_SAGA_RECOVERY.id);
+        assert_eq!(actor.built_in_user_id(), Some(USER_SAGA_RECOVERY.id));
 
         let authn = Context::internal_api();
         let actor = authn.actor().unwrap();
-        assert_eq!(actor.actor_id(), USER_INTERNAL_API.id);
+        assert_eq!(actor.built_in_user_id(), Some(USER_INTERNAL_API.id));
     }
 }
 
@@ -366,31 +368,31 @@ pub struct Details {
 /// Who is performing an operation
 #[derive(Clone, Copy, Deserialize, Eq, PartialEq, Serialize)]
 pub enum Actor {
-    UserBuiltin { user_builtin_id: Uuid },
-    SiloUser { silo_user_id: Uuid, silo_id: Uuid },
+    UserBuiltin { user_builtin_id: BuiltInUserUuid },
+    SiloUser { silo_user_id: SiloUserUuid, silo_id: Uuid },
 }
 
 impl Actor {
-    pub fn actor_id(&self) -> Uuid {
-        match self {
-            Actor::UserBuiltin { user_builtin_id, .. } => *user_builtin_id,
-            Actor::SiloUser { silo_user_id, .. } => *silo_user_id,
-        }
-    }
-
     pub fn silo_id(&self) -> Option<Uuid> {
         match self {
             Actor::UserBuiltin { .. } => None,
             Actor::SiloUser { silo_id, .. } => Some(*silo_id),
         }
     }
 
-    pub fn silo_user_id(&self) -> Option<Uuid> {
+    pub fn silo_user_id(&self) -> Option<SiloUserUuid> {
         match self {
             Actor::UserBuiltin { .. } => None,
             Actor::SiloUser { silo_user_id, .. } => Some(*silo_user_id),
         }
     }
+
+    pub fn built_in_user_id(&self) -> Option<BuiltInUserUuid> {
+        match self {
+            Actor::UserBuiltin { user_builtin_id } => Some(*user_builtin_id),
+            Actor::SiloUser { .. } => None,
+        }
+    }
 }
 
 impl From<&Actor> for nexus_db_model::IdentityType {

nexus/auth/src/authn/mod.rs

@@ -38,8 +38,7 @@ impl oso::PolarClass for AnyActor {
             })
             .add_attribute_getter("authn_actor", |a: &AnyActor| {
                 a.actor.map(|actor| AuthenticatedActor {
-                    actor_id: actor.actor_id(),
-                    silo_id: actor.silo_id(),
+                    actor,
                     roles: a.roles.clone(),
                     silo_policy: a.silo_policy.clone(),
                 })
@@ -50,8 +49,7 @@ impl oso::PolarClass for AnyActor {
 /// Represents an authenticated [`authn::Context`] for Polar
 #[derive(Clone, Debug)]
 pub struct AuthenticatedActor {
-    actor_id: Uuid,
-    silo_id: Option<Uuid>,
+    actor: authn::Actor,
     roles: RoleSet,
     silo_policy: Option<authn::SiloAuthnPolicy>,
 }
@@ -94,7 +92,7 @@ impl AuthenticatedActor {
 
 impl PartialEq for AuthenticatedActor {
     fn eq(&self, other: &Self) -> bool {
-        self.actor_id == other.actor_id
+        self.actor == other.actor
     }
 }
 
@@ -106,30 +104,36 @@ impl oso::PolarClass for AuthenticatedActor {
             .with_equality_check()
             .add_constant(
                 AuthenticatedActor {
-                    actor_id: authn::USER_DB_INIT.id,
-                    silo_id: None,
+                    actor: authn::Actor::UserBuiltin {
+                        user_builtin_id: authn::USER_DB_INIT.id,
+                    },
                     roles: RoleSet::new(),
                     silo_policy: None,
                 },
                 "USER_DB_INIT",
             )
             .add_constant(
                 AuthenticatedActor {
-                    actor_id: authn::USER_INTERNAL_API.id,
-                    silo_id: None,
+                    actor: authn::Actor::UserBuiltin {
+                        user_builtin_id: authn::USER_INTERNAL_API.id,
+                    },
                     roles: RoleSet::new(),
                     silo_policy: None,
                 },
                 "USER_INTERNAL_API",
             )
             .add_attribute_getter("silo", |a: &AuthenticatedActor| {
-                a.silo_id.map(|silo_id| {
-                    super::Silo::new(
-                        super::FLEET,
-                        silo_id,
-                        LookupType::ById(silo_id),
-                    )
-                })
+                match a.actor {
+                    authn::Actor::SiloUser { silo_id, .. } => {
+                        Some(super::Silo::new(
+                            super::FLEET,
+                            silo_id,
+                            LookupType::ById(silo_id),
+                        ))
+                    }
+
+                    authn::Actor::UserBuiltin { .. } => None,
+                }
             })
             .add_method(
                 "confers_fleet_role",
@@ -139,7 +143,13 @@ impl oso::PolarClass for AuthenticatedActor {
             )
             .add_method(
                 "equals_silo_user",
-                |a: &AuthenticatedActor, u: SiloUser| a.actor_id == u.id(),
+                |a: &AuthenticatedActor, u: SiloUser| match a.actor {
+                    authn::Actor::SiloUser { silo_user_id, .. } => {
+                        silo_user_id == u.id()
+                    }
+
+                    authn::Actor::UserBuiltin { .. } => false,
+                },
             )
     }
 }