rebase on #9669 (indirectly via #9634) and update comment to address @david-crespo's feedback

Created using jj-spr 0.1.0

Author: mergeconflict

Cargo.lock

@@ -678,10 +678,10 @@ progenitor-client = "0.10.0"
 # NOTE: if you change the pinned revision of the `bhyve_api` and propolis
 # dependencies, you must also update the references in package-manifest.toml to
 # match the new revision.
-bhyve_api = { git = "https://github.com/oxidecomputer/propolis", rev = "2dc643742f82d2e072a1281dab23ba2bfdcee440" }
-propolis_api_types = { git = "https://github.com/oxidecomputer/propolis", rev = "2dc643742f82d2e072a1281dab23ba2bfdcee440" }
-propolis-client = { git = "https://github.com/oxidecomputer/propolis", rev = "2dc643742f82d2e072a1281dab23ba2bfdcee440" }
-propolis-mock-server = { git = "https://github.com/oxidecomputer/propolis", rev = "2dc643742f82d2e072a1281dab23ba2bfdcee440" }
+bhyve_api = { git = "https://github.com/oxidecomputer/propolis", rev = "ff31c527515d65886e599fc07eb41240aeb767c6" }
+propolis_api_types = { git = "https://github.com/oxidecomputer/propolis", rev = "ff31c527515d65886e599fc07eb41240aeb767c6" }
+propolis-client = { git = "https://github.com/oxidecomputer/propolis", rev = "ff31c527515d65886e599fc07eb41240aeb767c6" }
+propolis-mock-server = { git = "https://github.com/oxidecomputer/propolis", rev = "ff31c527515d65886e599fc07eb41240aeb767c6" }
 # NOTE: see above!
 proptest = "1.7.0"
 qorb = "0.4.1"

Cargo.toml

@@ -38,7 +38,7 @@ pub struct AuditLogEntryInitParams {
     pub source_ip: IpAddr,
     pub user_agent: Option<String>,
     pub actor: AuditLogActor,
-    pub auth_method: Option<String>,
+    pub auth_method: Option<AuditLogAuthMethod>,
 }
 
 impl_enum_type!(
@@ -86,6 +86,54 @@ impl_enum_type!(
     Timeout => b"timeout"
 );
 
+impl_enum_type!(
+    AuditLogAuthMethodEnum:
+
+    #[derive(
+        Clone,
+        Copy,
+        Debug,
+        AsExpression,
+        FromSqlRow,
+        Serialize,
+        Deserialize,
+        PartialEq,
+        Eq,
+    )]
+    pub enum AuditLogAuthMethod;
+
+    // Enum values
+    SessionCookie => b"session_cookie"
+    AccessToken => b"access_token"
+    ScimToken => b"scim_token"
+    Spoof => b"spoof"
+);
+
+impl From<AuditLogAuthMethod> for views::AuthMethod {
+    fn from(m: AuditLogAuthMethod) -> Self {
+        match m {
+            AuditLogAuthMethod::SessionCookie => {
+                views::AuthMethod::SessionCookie
+            }
+            AuditLogAuthMethod::AccessToken => views::AuthMethod::AccessToken,
+            AuditLogAuthMethod::ScimToken => views::AuthMethod::ScimToken,
+            AuditLogAuthMethod::Spoof => views::AuthMethod::Spoof,
+        }
+    }
+}
+
+impl From<&nexus_types::authn::SchemeName> for AuditLogAuthMethod {
+    fn from(s: &nexus_types::authn::SchemeName) -> Self {
+        use nexus_types::authn::SchemeName;
+        match s {
+            SchemeName::SessionCookie => AuditLogAuthMethod::SessionCookie,
+            SchemeName::AccessToken => AuditLogAuthMethod::AccessToken,
+            SchemeName::ScimToken => AuditLogAuthMethod::ScimToken,
+            SchemeName::Spoof => AuditLogAuthMethod::Spoof,
+        }
+    }
+}
+
 #[derive(Queryable, Insertable, Selectable, Clone, Debug)]
 #[diesel(table_name = audit_log)]
 pub struct AuditLogEntryInit {
@@ -115,7 +163,7 @@ pub struct AuditLogEntryInit {
 
     /// API token or session cookie. Optional because it will not be defined
     /// on unauthenticated requests like login attempts.
-    pub auth_method: Option<String>,
+    pub auth_method: Option<AuditLogAuthMethod>,
 }
 
 impl From<AuditLogEntryInitParams> for AuditLogEntryInit {
@@ -182,20 +230,20 @@ pub struct AuditLogEntry {
     /// Actor kind indicating builtin user, silo user, or unauthenticated
     pub actor_kind: AuditLogActorKind,
 
-    /// The name of the authn scheme used. None if unauthenticated.
-    pub auth_method: Option<String>,
-
     // Fields that are not present on init
     /// Time log entry was completed with info about result of operation
     pub time_completed: DateTime<Utc>,
-    /// Result kind indicating success, error, or timeout
-    pub result_kind: AuditLogResultKind,
     /// Optional because not present for timeout result
     pub http_status_code: Option<SqlU16>,
     /// Optional even if result is an error
     pub error_code: Option<String>,
     /// Always present if result is an error
     pub error_message: Option<String>,
+    /// Result kind indicating success, error, or timeout
+    pub result_kind: AuditLogResultKind,
+
+    /// The authn scheme used. None if unauthenticated.
+    pub auth_method: Option<AuditLogAuthMethod>,
 }
 
 /// Struct that we can use as a kind of constructor arg for our actual audit
@@ -320,7 +368,7 @@ impl TryFrom<AuditLogEntry> for views::AuditLogEntry {
                     views::AuditLogEntryActor::Unauthenticated
                 }
             },
-            auth_method: entry.auth_method,
+            auth_method: entry.auth_method.map(Into::into),
             time_completed: entry.time_completed,
             result: match entry.result_kind {
                 AuditLogResultKind::Success => {

nexus/db-model/src/audit_log.rs

@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(220, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(221, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(221, "audit-log-auth-method-enum"),
         KnownVersion::new(220, "multicast-implicit-lifecycle"),
         KnownVersion::new(219, "blueprint-sled-last-used-ip"),
         KnownVersion::new(218, "measurements"),

nexus/db-model/src/schema_versions.rs

@@ -24,6 +24,7 @@ define_enums! {
     AffinityPolicyEnum => "affinity_policy",
     AlertClassEnum => "alert_class",
     AuditLogActorKindEnum => "audit_log_actor_kind",
+    AuditLogAuthMethodEnum => "audit_log_auth_method",
     AuditLogResultKindEnum => "audit_log_result_kind",
     AlertDeliveryTriggerEnum => "alert_delivery_trigger",
     AlertDeliveryStateEnum => "alert_delivery_state",

nexus/db-schema/src/enums.rs

@@ -2885,12 +2885,12 @@ table! {
         actor_id -> Nullable<Uuid>,
         actor_silo_id -> Nullable<Uuid>,
         actor_kind -> crate::enums::AuditLogActorKindEnum,
-        auth_method -> Nullable<Text>,
         time_completed -> Nullable<Timestamptz>,
         http_status_code -> Nullable<Int4>, // SqlU16
         error_code -> Nullable<Text>,
         error_message -> Nullable<Text>,
         result_kind -> Nullable<crate::enums::AuditLogResultKindEnum>,
+        auth_method -> Nullable<crate::enums::AuditLogAuthMethodEnum>,
     }
 }
 
@@ -2906,12 +2906,12 @@ table! {
         actor_id -> Nullable<Uuid>,
         actor_silo_id -> Nullable<Uuid>,
         actor_kind -> crate::enums::AuditLogActorKindEnum,
-        auth_method -> Nullable<Text>,
         time_completed -> Timestamptz,
         http_status_code -> Nullable<Int4>, // SqlU16
         error_code -> Nullable<Text>,
         error_message -> Nullable<Text>,
         result_kind -> crate::enums::AuditLogResultKindEnum,
+        auth_method -> Nullable<crate::enums::AuditLogAuthMethodEnum>,
     }
 }
 

nexus/db-schema/src/schema.rs

@@ -31,3 +31,7 @@ scim2-rs.workspace = true
 serde.workspace = true
 tufaceous-artifact.workspace = true
 uuid.workspace = true
+
+[dev-dependencies]
+proptest.workspace = true
+test-strategy.workspace = true

nexus/external-api/Cargo.toml

@@ -319,12 +319,12 @@ OPERATION ID                             METHOD   URL PATH
 subnet_pool_create                       POST     /v1/system/subnet-pools
 subnet_pool_delete                       DELETE   /v1/system/subnet-pools/{pool}
 subnet_pool_list                         GET      /v1/system/subnet-pools
+subnet_pool_member_list                  GET      /v1/system/subnet-pools/{pool}/subnets
 subnet_pool_silo_link                    POST     /v1/system/subnet-pools/{pool}/silos
 subnet_pool_silo_list                    GET      /v1/system/subnet-pools/{pool}/silos
 subnet_pool_silo_unlink                  DELETE   /v1/system/subnet-pools/{pool}/silos/{silo}
 subnet_pool_silo_update                  PUT      /v1/system/subnet-pools/{pool}/silos/{silo}
 subnet_pool_subnet_add                   POST     /v1/system/subnet-pools/{pool}/subnets/add
-subnet_pool_subnet_list                  GET      /v1/system/subnet-pools/{pool}/subnets
 subnet_pool_subnet_remove                POST     /v1/system/subnet-pools/{pool}/subnets/remove
 subnet_pool_update                       PUT      /v1/system/subnet-pools/{pool}
 subnet_pool_utilization_view             GET      /v1/system/subnet-pools/{pool}/utilization