Add boolean fleet_viewer and silo_admin to /v1/me response (#8861)

Dramatically simpler alternative to #8515. Rather than doing the
rigmarole required to get the actual specific role on the fleet and
silo, we just do little authz checks to get the specific things we care
about. The web console is the only consumer that cares about this
endpoint so it feels fine to do it that way.

Author: david-crespo

nexus/src/external_api/http_entrypoints.rs

@@ -7149,10 +7149,31 @@ impl NexusExternalApi for NexusExternalApiImpl {
             let opctx =
                 crate::context::op_context_for_external_api(&rqctx).await?;
             let user = nexus.silo_user_fetch_self(&opctx).await?;
-            let (_, silo) = nexus.current_silo_lookup(&opctx)?.fetch().await?;
+            let (authz_silo, silo) =
+                nexus.current_silo_lookup(&opctx)?.fetch().await?;
+
+            // only eat Forbidden errors indicating lack of perms. other errors
+            // blow up normally
+            let fleet_viewer =
+                match opctx.authorize(authz::Action::Read, &authz::FLEET).await
+                {
+                    Ok(()) => true,
+                    Err(Error::Forbidden) => false,
+                    Err(e) => return Err(e.into()),
+                };
+            let silo_admin =
+                match opctx.authorize(authz::Action::Modify, &authz_silo).await
+                {
+                    Ok(()) => true,
+                    Err(Error::Forbidden) => false,
+                    Err(e) => return Err(e.into()),
+                };
+
             Ok(HttpResponseOk(views::CurrentUser {
                 user: user.into(),
                 silo_name: silo.name().clone(),
+                fleet_viewer,
+                silo_admin,
             }))
         };
         apictx

nexus/tests/integration_tests/console_api.rs

@@ -24,7 +24,9 @@ use nexus_test_utils::resource_helpers::{
 use nexus_test_utils::{load_test_config, test_setup_with_config};
 use nexus_test_utils_macros::nexus_test;
 use nexus_types::external_api::params::{self, ProjectCreate};
-use nexus_types::external_api::shared::{SiloIdentityMode, SiloRole};
+use nexus_types::external_api::shared::{
+    FleetRole, SiloIdentityMode, SiloRole,
+};
 use nexus_types::external_api::{shared, views};
 use omicron_common::api::external::{Error, IdentityMetadataCreateParams};
 use omicron_sled_agent::sim;
@@ -437,7 +439,9 @@ async fn test_session_me(cptestctx: &ControlPlaneTestContext) {
                 display_name: USER_TEST_PRIVILEGED.external_id.clone(),
                 silo_id: DEFAULT_SILO.id(),
             },
-            silo_name: DEFAULT_SILO.name().clone()
+            silo_name: DEFAULT_SILO.name().clone(),
+            fleet_viewer: true,
+            silo_admin: true,
         }
     );
 
@@ -454,9 +458,45 @@ async fn test_session_me(cptestctx: &ControlPlaneTestContext) {
                 display_name: USER_TEST_UNPRIVILEGED.external_id.clone(),
                 silo_id: DEFAULT_SILO.id(),
             },
-            silo_name: DEFAULT_SILO.name().clone()
+            silo_name: DEFAULT_SILO.name().clone(),
+            fleet_viewer: false,
+            silo_admin: false,
         }
     );
+
+    // now make unpriv user silo admin and see it change
+    grant_iam(
+        testctx,
+        &format!("/v1/system/silos/{}", DEFAULT_SILO.identity().name),
+        SiloRole::Admin,
+        USER_TEST_UNPRIVILEGED.id(),
+        AuthnMode::PrivilegedUser,
+    )
+    .await;
+
+    let unpriv_user = NexusRequest::object_get(testctx, "/v1/me")
+        .authn_as(AuthnMode::UnprivilegedUser)
+        .execute_and_parse_unwrap::<views::CurrentUser>()
+        .await;
+    assert!(!unpriv_user.fleet_viewer);
+    assert!(unpriv_user.silo_admin);
+
+    // now grant fleet viewer and see that one change
+    grant_iam(
+        testctx,
+        "/v1/system",
+        FleetRole::Admin,
+        USER_TEST_UNPRIVILEGED.id(),
+        AuthnMode::PrivilegedUser,
+    )
+    .await;
+
+    let unpriv_user = NexusRequest::object_get(testctx, "/v1/me")
+        .authn_as(AuthnMode::UnprivilegedUser)
+        .execute_and_parse_unwrap::<views::CurrentUser>()
+        .await;
+    assert!(unpriv_user.fleet_viewer);
+    assert!(unpriv_user.silo_admin);
 }
 
 #[nexus_test]

nexus/types/src/external_api/views.rs

@@ -955,9 +955,18 @@ pub struct User {
 pub struct CurrentUser {
     #[serde(flatten)]
     pub user: User,
-
     /** Name of the silo to which this user belongs. */
     pub silo_name: Name,
+    /**
+     * Whether this user has the viewer role on the fleet. Used by the web
+     * console to determine whether to show system-level UI.
+     */
+    pub fleet_viewer: bool,
+    /**
+     * Whether this user has the admin role on their silo. Used by the web
+     * console to determine whether to show admin-only UI elements.
+     */
+    pub silo_admin: bool,
 }
 
 // SILO GROUPS

openapi/nexus.json

@@ -16819,10 +16819,18 @@
             "description": "Human-readable name that can identify the user",
             "type": "string"
           },
+          "fleet_viewer": {
+            "description": "Whether this user has the viewer role on the fleet. Used by the web console to determine whether to show system-level UI.",
+            "type": "boolean"
+          },
           "id": {
             "type": "string",
             "format": "uuid"
           },
+          "silo_admin": {
+            "description": "Whether this user has the admin role on their silo. Used by the web console to determine whether to show admin-only UI elements.",
+            "type": "boolean"
+          },
           "silo_id": {
             "description": "Uuid of the silo to which this user belongs",
             "type": "string",
@@ -16839,7 +16847,9 @@
         },
         "required": [
           "display_name",
+          "fleet_viewer",
           "id",
+          "silo_admin",
           "silo_id",
           "silo_name"
         ]