DELETE /v1/me/tokens/{token_id}

Author: david-crespo

nexus/db-queries/src/db/datastore/device_auth.rs

@@ -209,4 +209,31 @@ impl DataStore {
             .await
             .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
     }
+
+    pub async fn device_access_token_delete(
+        &self,
+        opctx: &OpContext,
+        authz_user: &authz::SiloUser,
+        token_id: Uuid,
+    ) -> Result<(), Error> {
+        // TODO: surely this is the wrong permission
+        opctx.authorize(authz::Action::Modify, authz_user).await?;
+
+        use nexus_db_schema::schema::device_access_token::dsl;
+        let num_deleted = diesel::delete(dsl::device_access_token)
+            .filter(dsl::id.eq(token_id))
+            .filter(dsl::silo_user_id.eq(authz_user.id()))
+            .execute_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+
+        if num_deleted == 0 {
+            return Err(Error::not_found_by_id(
+                ResourceType::DeviceAccessToken,
+                &token_id,
+            ));
+        }
+
+        Ok(())
+    }
 }

nexus/external-api/output/nexus_tags.txt

@@ -289,6 +289,7 @@ ping                                     GET      /v1/ping
 
 API operations found with tag "tokens"
 OPERATION ID                             METHOD   URL PATH
+current_user_token_delete                DELETE   /v1/me/tokens/{token_id}
 current_user_token_list                  GET      /v1/me/tokens
 
 API operations found with tag "vpcs"

nexus/external-api/src/lib.rs

@@ -3165,6 +3165,19 @@ pub trait NexusExternalApi {
         query_params: Query<PaginatedById>,
     ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError>;
 
+    /// Delete device access token
+    ///
+    /// Delete a device access token for the currently authenticated user.
+    #[endpoint {
+        method = DELETE,
+        path = "/v1/me/tokens/{token_id}",
+        tags = ["tokens"],
+    }]
+    async fn current_user_token_delete(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::TokenPath>,
+    ) -> Result<HttpResponseDeleted, HttpError>;
+
     // Support bundles (experimental)
 
     /// List all support bundles

nexus/src/app/device_auth.rs

@@ -309,4 +309,22 @@ impl super::Nexus {
             .device_access_tokens_list(opctx, &authz_user, pagparams)
             .await
     }
+
+    pub(crate) async fn current_user_token_delete(
+        &self,
+        opctx: &OpContext,
+        token_id: Uuid,
+    ) -> Result<(), Error> {
+        let &actor = opctx
+            .authn
+            .actor_required()
+            .internal_context("loading current user to delete token")?;
+        let (.., authz_user) = LookupPath::new(opctx, self.datastore())
+            .silo_user_id(actor.actor_id())
+            .lookup_for(authz::Action::Modify)
+            .await?;
+        self.db_datastore
+            .device_access_token_delete(opctx, &authz_user, token_id)
+            .await
+    }
 }

nexus/src/external_api/http_entrypoints.rs

@@ -7098,6 +7098,26 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 
+    async fn current_user_token_delete(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::TokenPath>,
+    ) -> Result<HttpResponseDeleted, HttpError> {
+        let apictx = rqctx.context();
+        let handler = async {
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            let nexus = &apictx.context.nexus;
+            let path = path_params.into_inner();
+            nexus.current_user_token_delete(&opctx, path.token_id).await?;
+            Ok(HttpResponseDeleted())
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
     async fn support_bundle_list(
         rqctx: RequestContext<ApiContext>,
         query_params: Query<PaginatedById>,

nexus/tests/integration_tests/device_auth.rs

@@ -179,11 +179,6 @@ async fn test_device_auth_flow(cptestctx: &ControlPlaneTestContext) {
     assert_eq!(tokens_unpriv_after.len(), 1);
     assert_eq!(tokens_unpriv_after[0].time_expires, None);
 
-    // now make a request with the token. it 403s because unpriv user has no roles
-    project_list(&testctx, &token.access_token, StatusCode::FORBIDDEN)
-        .await
-        .expect("projects list should 403 with no roles");
-
     // make sure it also fails with a nonsense token
     project_list(&testctx, "oxide-token-xyz", StatusCode::UNAUTHORIZED)
         .await
@@ -203,6 +198,45 @@ async fn test_device_auth_flow(cptestctx: &ControlPlaneTestContext) {
     project_list(&testctx, &token.access_token, StatusCode::OK)
         .await
         .expect("failed to get projects with token");
+
+    let token_id = tokens_unpriv_after[0].id;
+
+    // Test that privileged user cannot delete unpriv's token through this
+    // endpoint, though it will probably be able to do it via a different one
+    let token_url = format!("/v1/me/tokens/{}", token_id);
+    NexusRequest::new(
+        RequestBuilder::new(testctx, Method::DELETE, &token_url)
+            .expect_status(Some(StatusCode::NOT_FOUND)),
+    )
+    .authn_as(AuthnMode::PrivilegedUser)
+    .execute()
+    .await
+    .expect("privileged user should get a 404 when trying to delete another user's token");
+
+    // Test deleting the token as the owner
+    NexusRequest::object_delete(testctx, &token_url)
+        .authn_as(AuthnMode::UnprivilegedUser)
+        .execute()
+        .await
+        .expect("failed to delete token");
+
+    // Verify token is gone from the list
+    assert_eq!(get_tokens_unpriv(testctx).await.len(), 0);
+
+    // Token should no longer work for API calls
+    project_list(&testctx, &token.access_token, StatusCode::UNAUTHORIZED)
+        .await
+        .expect("deleted token should be unauthorized");
+
+    // Trying to delete the same token again should 404
+    NexusRequest::new(
+        RequestBuilder::new(testctx, Method::DELETE, &token_url)
+            .expect_status(Some(StatusCode::NOT_FOUND)),
+    )
+    .authn_as(AuthnMode::UnprivilegedUser)
+    .execute()
+    .await
+    .expect("double delete should 404");
 }
 
 /// Helper to make the test cute. Goes through the whole flow, returns the token

nexus/types/src/external_api/params.rs

@@ -97,6 +97,7 @@ path_param!(CertificatePath, certificate, "certificate");
 
 id_path_param!(SupportBundlePath, bundle_id, "support bundle");
 id_path_param!(GroupPath, group_id, "group");
+id_path_param!(TokenPath, token_id, "token");
 
 // TODO: The hardware resources should be represented by its UUID or a hardware
 // ID that can be used to deterministically generate the UUID.

openapi/nexus.json

@@ -5702,6 +5702,39 @@
         }
       }
     },
+    "/v1/me/tokens/{token_id}": {
+      "delete": {
+        "tags": [
+          "tokens"
+        ],
+        "summary": "Delete device access token",
+        "description": "Delete a device access token for the currently authenticated user.",
+        "operationId": "current_user_token_delete",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "token_id",
+            "description": "ID of the token",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "successful deletion"
+          },
+          "4XX": {
+            "$ref": "#/components/responses/Error"
+          },
+          "5XX": {
+            "$ref": "#/components/responses/Error"
+          }
+        }
+      }
+    },
     "/v1/metrics/{metric_name}": {
       "get": {
         "tags": [