rebase

Created using jj-spr 0.1.0

Author: mergeconflict

Cargo.lock

@@ -284,8 +284,6 @@ impl TryFrom<String> for Name {
 }
 
 impl FromStr for Name {
-    // TODO: We should have better error types here.
-    // See https://github.com/oxidecomputer/omicron/issues/347
     type Err = String;
 
     fn from_str(value: &str) -> Result<Self, Self::Err> {
@@ -376,8 +374,6 @@ impl TryFrom<String> for NameOrId {
 }
 
 impl FromStr for NameOrId {
-    // TODO: We should have better error types here.
-    // See https://github.com/oxidecomputer/omicron/issues/347
     type Err = String;
 
     fn from_str(value: &str) -> Result<Self, Self::Err> {

common/src/api/external/mod.rs

@@ -18,4 +18,3 @@ thiserror.workspace = true
 tokio.workspace = true
 zeroize.workspace = true
 omicron-workspace-hack.workspace = true
-

key-manager/Cargo.toml

@@ -306,18 +306,23 @@ pub enum SecretRetrieverError {
 
     #[error("Bootstore error: {0}")]
     Bootstore(String),
+
+    #[error("Trust quorum error: {0}")]
+    TrustQuorum(String),
 }
 
 /// A mechanism for retrieving a secrets to use as input key material to HKDF-
 /// Extract.
 #[async_trait]
-pub trait SecretRetriever {
+pub trait SecretRetriever: Send + Sync + 'static {
     /// Return the latest secret
     ////
     /// This is useful when a new entity is being encrypted and there is no need
     /// for a reconfiguration. When an entity is already encrypted, and needs to
     /// be decrypted, the user should instead call the [`SecretRetriever::get`].
-    async fn get_latest(&self) -> Result<VersionedIkm, SecretRetrieverError>;
+    async fn get_latest(
+        &mut self,
+    ) -> Result<VersionedIkm, SecretRetrieverError>;
 
     /// Get the secret for the given epoch
     ///
@@ -331,7 +336,7 @@ pub trait SecretRetriever {
     /// Return an error if its not possible to recover the old secret given the
     /// latest secret.
     async fn get(
-        &self,
+        &mut self,
         epoch: u64,
     ) -> Result<SecretState, SecretRetrieverError>;
 }
@@ -363,15 +368,15 @@ mod tests {
     #[async_trait]
     impl SecretRetriever for TestSecretRetriever {
         async fn get_latest(
-            &self,
+            &mut self,
         ) -> Result<VersionedIkm, SecretRetrieverError> {
             let salt = [0u8; 32];
             let (epoch, bytes) = self.ikms.last_key_value().unwrap();
             Ok(VersionedIkm::new(*epoch, salt, bytes))
         }
 
         async fn get(
-            &self,
+            &mut self,
             epoch: u64,
         ) -> Result<SecretState, SecretRetrieverError> {
             let salt = [0u8; 32];

key-manager/src/lib.rs

@@ -237,6 +237,7 @@ mod test {
                 OK => SchemeResult::Authenticated(authn::Details {
                     actor: self.actor,
                     device_token_expiration: None,
+                    credential_id: None,
                 }),
                 FAIL => SchemeResult::Failed(Reason::BadCredentials {
                     actor: self.actor,

nexus/auth/src/authn/external/mod.rs

@@ -12,6 +12,7 @@ use crate::authn;
 use async_trait::async_trait;
 use headers::HeaderMapExt;
 use headers::authorization::{Authorization, Bearer};
+use uuid::Uuid;
 
 // This scheme is intended only for SCIM provisioning clients.
 //
@@ -66,9 +67,10 @@ where
             Ok(None) => SchemeResult::NotRequested,
             Ok(Some(token)) => match ctx.scim_token_actor(token).await {
                 Err(error) => SchemeResult::Failed(error),
-                Ok(actor) => SchemeResult::Authenticated(Details {
+                Ok((actor, token_id)) => SchemeResult::Authenticated(Details {
                     actor,
                     device_token_expiration: None,
+                    credential_id: Some(token_id),
                 }),
             },
         }
@@ -93,10 +95,11 @@ fn parse_token(
 }
 
 /// A context that can look up a Actor::Scim from a token.
+/// Returns the actor and the SCIM token ID.
 #[async_trait]
 pub trait ScimTokenContext {
     async fn scim_token_actor(
         &self,
         token: String,
-    ) -> Result<authn::Actor, Reason>;
+    ) -> Result<(authn::Actor, Uuid), Reason>;
 }

nexus/auth/src/authn/external/scim.rs

@@ -14,6 +14,7 @@ use dropshot::HttpError;
 use http::HeaderValue;
 use nexus_types::authn::cookies::parse_cookies;
 use omicron_uuid_kinds::ConsoleSessionUuid;
+use omicron_uuid_kinds::GenericUuid;
 use omicron_uuid_kinds::SiloUserUuid;
 use slog::debug;
 use uuid::Uuid;
@@ -183,6 +184,7 @@ where
         SchemeResult::Authenticated(Details {
             actor,
             device_token_expiration: None,
+            credential_id: Some(session.id().into_untyped_uuid()),
         })
     }
 }

nexus/auth/src/authn/external/session_cookie.rs

@@ -112,6 +112,7 @@ where
                         SchemeResult::Authenticated(Details {
                             actor,
                             device_token_expiration: None,
+                            credential_id: None, // spoof auth has no real credential
                         })
                     }
                 }

nexus/auth/src/authn/external/spoof.rs

@@ -14,6 +14,7 @@ use async_trait::async_trait;
 use chrono::{DateTime, Utc};
 use headers::HeaderMapExt;
 use headers::authorization::{Authorization, Bearer};
+use uuid::Uuid;
 
 // This scheme is intended for clients such as the API, CLI, etc.
 //
@@ -66,10 +67,11 @@ where
             Ok(None) => SchemeResult::NotRequested,
             Ok(Some(token)) => match ctx.authenticate_token(token).await {
                 Err(error) => SchemeResult::Failed(error),
-                Ok((actor, device_token_expiration)) => {
+                Ok((actor, device_token_expiration, token_id)) => {
                     SchemeResult::Authenticated(Details {
                         actor,
                         device_token_expiration,
+                        credential_id: Some(token_id),
                     })
                 }
             },
@@ -97,12 +99,12 @@ fn parse_token(
 /// A context that can look up a Silo user and client ID from a token.
 #[async_trait]
 pub trait TokenContext {
-    /// Returns the actor authenticated by the token and the token's expiration
-    /// time (if any).
+    /// Returns the actor authenticated by the token, the token's expiration
+    /// time (if any), and the token's ID.
     async fn authenticate_token(
         &self,
         token: String,
-    ) -> Result<(authn::Actor, Option<DateTime<Utc>>), Reason>;
+    ) -> Result<(authn::Actor, Option<DateTime<Utc>>, Uuid), Reason>;
 }
 
 #[cfg(test)]

nexus/auth/src/authn/external/token.rs

@@ -108,6 +108,20 @@ impl Context {
         }
     }
 
+    /// Returns the ID of the credential used to authenticate, if any.
+    ///
+    /// For session auth, this is the session ID. For access token auth, this is
+    /// the token ID. For SCIM auth, this is the SCIM token ID.
+    /// Not set for spoof auth, built-in users, or unauthenticated requests.
+    pub fn credential_id(&self) -> Option<Uuid> {
+        match &self.kind {
+            Kind::Authenticated(Details { credential_id, .. }, ..) => {
+                *credential_id
+            }
+            Kind::Unauthenticated => None,
+        }
+    }
+
     /// Returns the current actor's Silo if they have one or an appropriate
     /// error otherwise
     ///
@@ -234,6 +248,7 @@ impl Context {
                 Details {
                     actor: Actor::UserBuiltin { user_builtin_id },
                     device_token_expiration: None,
+                    credential_id: None,
                 },
                 None,
             ),
@@ -253,6 +268,7 @@ impl Context {
                         silo_id: USER_TEST_PRIVILEGED.silo_id,
                     },
                     device_token_expiration: None,
+                    credential_id: None,
                 },
                 Some(SiloAuthnPolicy::try_from(&*DEFAULT_SILO).unwrap()),
             ),
@@ -283,6 +299,7 @@ impl Context {
                 Details {
                     actor: Actor::SiloUser { silo_user_id, silo_id },
                     device_token_expiration: None,
+                    credential_id: None,
                 },
                 Some(silo_authn_policy),
             ),
@@ -298,6 +315,7 @@ impl Context {
                 Details {
                     actor: Actor::Scim { silo_id },
                     device_token_expiration: None,
+                    credential_id: None,
                 },
                 // This should never be non-empty, we don't want the SCIM user
                 // to ever have associated roles.
@@ -415,12 +433,15 @@ enum Kind {
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct Details {
     /// the actor performing the request
-    actor: Actor,
+    pub actor: Actor,
     /// When the device token expires. Present only when authenticating via
     /// a device token. This is a slightly awkward fit but is included here
     /// because we need to use this to clamp the expiration time when device
     /// tokens are confirmed using an existing device token.
-    device_token_expiration: Option<DateTime<Utc>>,
+    pub device_token_expiration: Option<DateTime<Utc>>,
+    /// ID of the credential used to authenticate (session ID, access token ID,
+    /// or SCIM token ID). Not set for spoof auth or built-in users.
+    pub credential_id: Option<Uuid>,
 }
 
 /// Who is performing an operation