rename authn list to session list

david-crespo · david-crespo · commit 0e5a17925539 · 2025-07-16T18:47:53.000-05:00
diff --git a/nexus/auth/src/authz/api_resources.rs b/nexus/auth/src/authz/api_resources.rs
@@ -672,9 +672,9 @@ impl AuthorizedResource for SiloUserList {
 
 /// Synthetic resource for managing a user's sessions
 #[derive(Clone, Debug, Eq, PartialEq)]
-pub struct SiloUserAuthnList(SiloUser);
+pub struct SiloUserSessionList(SiloUser);
 
-impl SiloUserAuthnList {
+impl SiloUserSessionList {
     pub fn new(silo_user: SiloUser) -> Self {
         Self(silo_user)
     }
@@ -688,18 +688,18 @@ impl SiloUserAuthnList {
     }
 }
 
-impl oso::PolarClass for SiloUserAuthnList {
+impl oso::PolarClass for SiloUserSessionList {
     fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
         oso::Class::builder().with_equality_check().add_attribute_getter(
             "silo_user",
-            |user_sessions: &SiloUserAuthnList| {
+            |user_sessions: &SiloUserSessionList| {
                 user_sessions.silo_user().clone()
             },
         )
     }
 }
 
-impl AuthorizedResource for SiloUserAuthnList {
+impl AuthorizedResource for SiloUserSessionList {
     fn load_roles<'fut>(
         &'fut self,
         opctx: &'fut OpContext,
diff --git a/nexus/auth/src/authz/omicron.polar b/nexus/auth/src/authz/omicron.polar
@@ -450,24 +450,24 @@ resource ConsoleSessionList {
 has_relation(fleet: Fleet, "parent_fleet", collection: ConsoleSessionList)
 	if collection.fleet = fleet;
 
-# Allow silo admins to delete user sessions and list user tokens
-resource SiloUserAuthnList {
+# Allow silo admins to delete and list user sessions
+resource SiloUserSessionList {
     permissions = [ "modify", "list_children" ];
     relations = { parent_silo: Silo };
 
     # A silo admin can modify (e.g., delete) a user's sessions.
     "modify" if "admin" on "parent_silo";
 
-    # A silo admin can list a user's tokens and sessions.
+    # A silo admin can list a user's sessions.
     "list_children" if "admin" on "parent_silo";
 }
-has_relation(silo: Silo, "parent_silo", authn_list: SiloUserAuthnList)
+has_relation(silo: Silo, "parent_silo", authn_list: SiloUserSessionList)
     if authn_list.silo_user.silo = silo;
 
-# give users 'modify' and 'list_children' on their own tokens and sessions
-has_permission(actor: AuthenticatedActor, "modify", authn_list: SiloUserAuthnList)
+# give users 'modify' and 'list_children' on their own sessions
+has_permission(actor: AuthenticatedActor, "modify", authn_list: SiloUserSessionList)
     if actor.equals_silo_user(authn_list.silo_user);
-has_permission(actor: AuthenticatedActor, "list_children", authn_list: SiloUserAuthnList)
+has_permission(actor: AuthenticatedActor, "list_children", authn_list: SiloUserSessionList)
     if actor.equals_silo_user(authn_list.silo_user);
 
 # Allow silo admins to delete and list user access tokens
diff --git a/nexus/auth/src/authz/oso_generic.rs b/nexus/auth/src/authz/oso_generic.rs
@@ -113,8 +113,8 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         DeviceAuthRequestList::get_polar_class(),
         SiloCertificateList::get_polar_class(),
         SiloIdentityProviderList::get_polar_class(),
-        SiloUserAuthnList::get_polar_class(),
         SiloUserList::get_polar_class(),
+        SiloUserSessionList::get_polar_class(),
         SiloUserTokenList::get_polar_class(),
         UpdateTrustRootList::get_polar_class(),
         TargetReleaseConfig::get_polar_class(),
diff --git a/nexus/db-queries/src/db/datastore/console_session.rs b/nexus/db-queries/src/db/datastore/console_session.rs
@@ -165,7 +165,7 @@ impl DataStore {
     pub async fn silo_user_session_list(
         &self,
         opctx: &OpContext,
-        authn_list: authz::SiloUserAuthnList,
+        authn_list: authz::SiloUserSessionList,
         pagparams: &DataPageParams<'_, Uuid>,
     ) -> ListResultVec<ConsoleSession> {
         opctx.authorize(authz::Action::ListChildren, &authn_list).await?;
@@ -192,7 +192,7 @@ impl DataStore {
     pub async fn silo_user_sessions_delete(
         &self,
         opctx: &OpContext,
-        authn_list: &authz::SiloUserAuthnList,
+        authn_list: &authz::SiloUserSessionList,
     ) -> Result<(), Error> {
         // authz policy enforces that the opctx actor is a silo admin on the
         // target user's own silo in particular
diff --git a/nexus/db-queries/src/policy_test/resource_builder.rs b/nexus/db-queries/src/policy_test/resource_builder.rs
@@ -346,7 +346,7 @@ impl DynAuthorizedResource for authz::SiloUserList {
     }
 }
 
-impl DynAuthorizedResource for authz::SiloUserAuthnList {
+impl DynAuthorizedResource for authz::SiloUserSessionList {
     fn do_authorize<'a, 'b>(
         &'a self,
         opctx: &'b OpContext,
@@ -359,7 +359,7 @@ impl DynAuthorizedResource for authz::SiloUserAuthnList {
     }
 
     fn resource_name(&self) -> String {
-        format!("{}: authn list", self.silo_user().resource_name())
+        format!("{}: session list", self.silo_user().resource_name())
     }
 }
 
diff --git a/nexus/db-queries/src/policy_test/resources.rs b/nexus/db-queries/src/policy_test/resources.rs
@@ -281,7 +281,7 @@ async fn make_silo(
         silo_image_id,
         LookupType::ByName(format!("{}-silo-image", silo_name)),
     ));
-    builder.new_resource(authz::SiloUserAuthnList::new(silo_user.clone()));
+    builder.new_resource(authz::SiloUserSessionList::new(silo_user.clone()));
     builder.new_resource(authz::SiloUserTokenList::new(silo_user));
 
     // Image is a special case in that this resource is technically just a
diff --git a/nexus/db-queries/tests/output/authz-roles.out b/nexus/db-queries/tests/output/authz-roles.out
@@ -306,7 +306,7 @@ resource: SiloImage "silo1-silo-image"
   silo1-proj1-viewer               ✘  ✘  ✘  ✘  ✘  ✘  ✘  ✘
   unauthenticated                  !  !  !  !  !  !  !  !
 
-resource: SiloUser "silo1-user": authn list
+resource: SiloUser "silo1-user": session list
 
   USER                             Q  R LC RP  M MP CC  D
   fleet-admin                      ✘  ✘  ✘  ✘  ✘  ✘  ✘  ✘
@@ -894,7 +894,7 @@ resource: SiloImage "silo2-silo-image"
   silo1-proj1-viewer               ✘  ✘  ✘  ✘  ✘  ✘  ✘  ✘
   unauthenticated                  !  !  !  !  !  !  !  !
 
-resource: SiloUser "silo2-user": authn list
+resource: SiloUser "silo2-user": session list
 
   USER                             Q  R LC RP  M MP CC  D
   fleet-admin                      ✘  ✘  ✘  ✘  ✘  ✘  ✘  ✘
diff --git a/nexus/src/app/silo.rs b/nexus/src/app/silo.rs
@@ -331,7 +331,7 @@ impl super::Nexus {
             .await?;
 
         let authz_authn_list =
-            authz::SiloUserAuthnList::new(authz_silo_user.clone());
+            authz::SiloUserSessionList::new(authz_silo_user.clone());
         self.datastore()
             .silo_user_sessions_delete(opctx, &authz_authn_list)
             .await?;
@@ -387,7 +387,7 @@ impl super::Nexus {
                 .fetch()
                 .await?;
 
-        let user_authn_list = authz::SiloUserAuthnList::new(authz_silo_user);
+        let user_authn_list = authz::SiloUserSessionList::new(authz_silo_user);
 
         self.datastore()
             .silo_user_session_list(opctx, user_authn_list, pagparams)

Original file line number	Diff line number	Diff line change
`@@ -672,9 +672,9 @@ impl AuthorizedResource for SiloUserList {`
`672`	`672`
`673`	`673`	`/// Synthetic resource for managing a user's sessions`
`674`	`674`	`#[derive(Clone, Debug, Eq, PartialEq)]`
`675`		`-pub struct SiloUserAuthnList(SiloUser);`
	`675`	`+pub struct SiloUserSessionList(SiloUser);`
`676`	`676`
`677`		`-impl SiloUserAuthnList {`
	`677`	`+impl SiloUserSessionList {`
`678`	`678`	`pub fn new(silo_user: SiloUser) -> Self {`
`679`	`679`	`Self(silo_user)`
`680`	`680`	`}`
`@@ -688,18 +688,18 @@ impl SiloUserAuthnList {`
`688`	`688`	`}`
`689`	`689`	`}`
`690`	`690`
`691`		`-impl oso::PolarClass for SiloUserAuthnList {`
	`691`	`+impl oso::PolarClass for SiloUserSessionList {`
`692`	`692`	`fn get_polar_class_builder() -> oso::ClassBuilder<Self> {`
`693`	`693`	`oso::Class::builder().with_equality_check().add_attribute_getter(`
`694`	`694`	`"silo_user",`
`695`		`- \|user_sessions: &SiloUserAuthnList\| {`
	`695`	`+ \|user_sessions: &SiloUserSessionList\| {`
`696`	`696`	`user_sessions.silo_user().clone()`
`697`	`697`	`},`
`698`	`698`	`)`
`699`	`699`	`}`
`700`	`700`	`}`
`701`	`701`
`702`		`-impl AuthorizedResource for SiloUserAuthnList {`
	`702`	`+impl AuthorizedResource for SiloUserSessionList {`
`703`	`703`	`fn load_roles<'fut>(`
`704`	`704`	`&'fut self,`
`705`	`705`	`opctx: &'fut OpContext,`
Original file line number	Diff line number	Diff line change
`@@ -346,7 +346,7 @@ impl DynAuthorizedResource for authz::SiloUserList {`
`346`	`346`	`}`
`347`	`347`	`}`
`348`	`348`
`349`		`-impl DynAuthorizedResource for authz::SiloUserAuthnList {`
	`349`	`+impl DynAuthorizedResource for authz::SiloUserSessionList {`
`350`	`350`	`fn do_authorize<'a, 'b>(`
`351`	`351`	`&'a self,`
`352`	`352`	`opctx: &'b OpContext,`
`@@ -359,7 +359,7 @@ impl DynAuthorizedResource for authz::SiloUserAuthnList {`
`359`	`359`	`}`
`360`	`360`
`361`	`361`	`fn resource_name(&self) -> String {`
`362`		`- format!("{}: authn list", self.silo_user().resource_name())`
	`362`	`+ format!("{}: session list", self.silo_user().resource_name())`
`363`	`363`	`}`
`364`	`364`	`}`
`365`	`365`