store role assignments in the database (#520)

Author: davepacheco

common/src/sql/dbinit.sql

@@ -663,7 +663,10 @@ CREATE INDEX ON omicron.public.console_session (
 /*******************************************************************/
 
 /*
- * IAM
+ * Identity and Access Management (IAM)
+ *
+ * **For more details and a worked example using the tables here, see the
+ * documentation for the omicron_nexus crate, "authz" module.**
  */
 
 /*
@@ -757,6 +760,36 @@ CREATE TABLE omicron.public.role_builtin (
     PRIMARY KEY(resource_type, role_name)
 );
 
+/*
+ * Assignments between users, roles, and resources
+ *
+ * A built-in user has role on a resource if there's a record in this table that
+ * points to that user, role, and resource.
+ *
+ * For more details and a worked example, see the omicron_nexus::authz
+ * module-level documentation.
+ */
+
+CREATE TABLE omicron.public.role_assignment_builtin (
+    /* Composite foreign key into "role_builtin" table */
+    resource_type STRING(63) NOT NULL,
+    role_name STRING(63) NOT NULL,
+
+    /*
+     * Foreign key into some other resource table.  Which table?  This is
+     * identified implicitly by "resource_type" above.
+     */
+    resource_id UUID NOT NULL,
+
+    /*
+     * Foreign key into table of built-in users.
+     */
+    user_builtin_id UUID NOT NULL,
+
+    /* The entire row is the primary key. */
+    PRIMARY KEY(user_builtin_id, resource_type, resource_id, role_name)
+);
+
 /*******************************************************************/
 
 /*

nexus/src/authz/actor.rs

@@ -0,0 +1,84 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Oso integration for Actor types
+
+use super::roles::RoleSet;
+use crate::authn;
+use omicron_common::api::external::ResourceType;
+use uuid::Uuid;
+
+/// Represents [`authn::Context`] (which is either an authenticated or
+/// unauthenticated actor) for Polar
+#[derive(Clone, Debug)]
+pub struct AnyActor {
+    authenticated: bool,
+    actor_id: Option<Uuid>,
+    roles: RoleSet,
+}
+
+impl AnyActor {
+    pub fn new(authn: &authn::Context, roles: RoleSet) -> Self {
+        let actor = authn.actor();
+        AnyActor {
+            authenticated: actor.is_some(),
+            actor_id: actor.map(|a| a.0),
+            roles,
+        }
+    }
+}
+
+impl oso::PolarClass for AnyActor {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        oso::Class::builder()
+            .add_attribute_getter("authenticated", |a: &AnyActor| {
+                a.authenticated
+            })
+            .add_attribute_getter("authn_actor", |a: &AnyActor| {
+                a.actor_id.map(|actor_id| AuthenticatedActor {
+                    actor_id,
+                    roles: a.roles.clone(),
+                })
+            })
+    }
+}
+
+/// Represents an authenticated [`authn::Context`] for Polar
+#[derive(Clone, Debug)]
+pub struct AuthenticatedActor {
+    actor_id: Uuid,
+    roles: RoleSet,
+}
+
+impl AuthenticatedActor {
+    /// Returns whether this actor has the given role for the given resource
+    pub fn has_role_resource(
+        &self,
+        resource_type: ResourceType,
+        resource_id: Uuid,
+        role: &str,
+    ) -> bool {
+        self.roles.has_role(resource_type, resource_id, role)
+    }
+}
+
+impl PartialEq for AuthenticatedActor {
+    fn eq(&self, other: &Self) -> bool {
+        self.actor_id == other.actor_id
+    }
+}
+
+impl Eq for AuthenticatedActor {}
+
+impl oso::PolarClass for AuthenticatedActor {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        oso::Class::builder().with_equality_check().add_constant(
+            AuthenticatedActor {
+                actor_id: authn::USER_DB_INIT.id,
+                roles: RoleSet::new(),
+            },
+            "USER_DB_INIT",
+        )
+    }
+}