let's try GET /v1/me/tokens

Author: david-crespo

nexus/db-model/src/device_auth.rs

@@ -11,7 +11,7 @@ use nexus_db_schema::schema::{device_access_token, device_auth_request};
 
 use chrono::{DateTime, Duration, Utc};
 use nexus_types::external_api::views;
-use omicron_uuid_kinds::{AccessTokenKind, TypedUuid};
+use omicron_uuid_kinds::{AccessTokenKind, GenericUuid, TypedUuid};
 use rand::{Rng, RngCore, SeedableRng, distributions::Slice, rngs::StdRng};
 use uuid::Uuid;
 
@@ -173,6 +173,16 @@ impl From<DeviceAccessToken> for views::DeviceAccessTokenGrant {
     }
 }
 
+impl From<DeviceAccessToken> for views::DeviceAccessToken {
+    fn from(access_token: DeviceAccessToken) -> Self {
+        Self {
+            id: access_token.id.into_untyped_uuid(),
+            time_created: access_token.time_created,
+            time_expires: access_token.time_expires,
+        }
+    }
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

nexus/db-queries/src/db/datastore/device_auth.rs

@@ -9,13 +9,17 @@ use crate::authz;
 use crate::context::OpContext;
 use crate::db::model::DeviceAccessToken;
 use crate::db::model::DeviceAuthRequest;
+use crate::db::pagination::paginated;
 use async_bb8_diesel::AsyncRunQueryDsl;
+use chrono::Utc;
 use diesel::prelude::*;
 use nexus_db_errors::ErrorHandler;
 use nexus_db_errors::public_error_from_diesel;
 use nexus_db_schema::schema::device_access_token;
 use omicron_common::api::external::CreateResult;
+use omicron_common::api::external::DataPageParams;
 use omicron_common::api::external::Error;
+use omicron_common::api::external::ListResultVec;
 use omicron_common::api::external::LookupResult;
 use omicron_common::api::external::LookupType;
 use omicron_common::api::external::ResourceType;
@@ -176,4 +180,33 @@ impl DataStore {
                 )
             })
     }
+
+    pub async fn device_access_tokens_list(
+        &self,
+        opctx: &OpContext,
+        authz_user: &authz::SiloUser,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<DeviceAccessToken> {
+        // TODO: this authz check can't be right can it? or at least, we
+        // should probably handle this explicitly at the policy level
+        opctx.authorize(authz::Action::ListChildren, authz_user).await?;
+
+        use nexus_db_schema::schema::device_access_token::dsl;
+        paginated(dsl::device_access_token, dsl::id, &pagparams)
+            .filter(dsl::silo_user_id.eq(authz_user.id()))
+            // we don't have time_deleted on tokens. unfortunately this is not
+            // indexed well. maybe it can be!
+            .filter(
+                dsl::time_expires
+                    .is_null()
+                    .or(dsl::time_expires.gt(Utc::now())),
+            )
+            // TODO: what if we used a different model struct here so we're not
+            // pulling less out of the DB and it's harder to accidentally return
+            // the token itself
+            .select(DeviceAccessToken::as_select())
+            .load_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
 }

nexus/external-api/output/nexus_tags.txt

@@ -287,6 +287,10 @@ API operations found with tag "system/status"
 OPERATION ID                             METHOD   URL PATH
 ping                                     GET      /v1/ping
 
+API operations found with tag "tokens"
+OPERATION ID                             METHOD   URL PATH
+current_user_token_list                  GET      /v1/me/tokens
+
 API operations found with tag "vpcs"
 OPERATION ID                             METHOD   URL PATH
 internet_gateway_create                  POST     /v1/internet-gateways

nexus/external-api/src/lib.rs

@@ -162,6 +162,12 @@ const PUT_UPDATE_REPOSITORY_MAX_BYTES: usize = 4 * GIB;
                     url = "http://docs.oxide.computer/api/snapshots"
                 }
             },
+            "tokens" = {
+                description = "API clients use device access tokens for authentication.",
+                external_docs = {
+                    url = "http://docs.oxide.computer/api/tokens"
+                }
+            },
             "vpcs" = {
                 description = "Virtual Private Clouds (VPCs) provide isolated network environments for managing and deploying services.",
                 external_docs = {
@@ -3146,6 +3152,19 @@ pub trait NexusExternalApi {
         path_params: Path<params::SshKeyPath>,
     ) -> Result<HttpResponseDeleted, HttpError>;
 
+    /// List device access tokens
+    ///
+    /// List device access tokens for the currently authenticated user.
+    #[endpoint {
+        method = GET,
+        path = "/v1/me/tokens",
+        tags = ["tokens"],
+    }]
+    async fn current_user_token_list(
+        rqctx: RequestContext<Self::Context>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError>;
+
     // Support bundles (experimental)
 
     /// List all support bundles

nexus/src/app/device_auth.rs

@@ -55,7 +55,9 @@ use nexus_db_queries::db::model::{DeviceAccessToken, DeviceAuthRequest};
 use anyhow::anyhow;
 use nexus_types::external_api::params::DeviceAccessTokenRequest;
 use nexus_types::external_api::views;
-use omicron_common::api::external::{CreateResult, Error};
+use omicron_common::api::external::{
+    CreateResult, DataPageParams, Error, InternalContext, ListResultVec,
+};
 
 use chrono::{Duration, Utc};
 use serde::Serialize;
@@ -289,4 +291,22 @@ impl super::Nexus {
             .header(header::CONTENT_TYPE, "application/json")
             .body(body.into())?)
     }
+
+    pub(crate) async fn current_user_token_list(
+        &self,
+        opctx: &OpContext,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<DeviceAccessToken> {
+        let &actor = opctx
+            .authn
+            .actor_required()
+            .internal_context("loading current user to list tokens")?;
+        let (.., authz_user) = LookupPath::new(opctx, self.datastore())
+            .silo_user_id(actor.actor_id())
+            .lookup_for(authz::Action::ListChildren)
+            .await?;
+        self.db_datastore
+            .device_access_tokens_list(opctx, &authz_user, pagparams)
+            .await
+    }
 }

nexus/src/external_api/http_entrypoints.rs

@@ -7067,6 +7067,37 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 
+    async fn current_user_token_list(
+        rqctx: RequestContext<Self::Context>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError>
+    {
+        let apictx = rqctx.context();
+        let handler = async {
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            let nexus = &apictx.context.nexus;
+            let query = query_params.into_inner();
+            let pag_params = data_page_params_for(&rqctx, &query)?;
+            let tokens = nexus
+                .current_user_token_list(&opctx, &pag_params)
+                .await?
+                .into_iter()
+                .map(views::DeviceAccessToken::from)
+                .collect();
+            Ok(HttpResponseOk(ScanById::results_page(
+                &query,
+                tokens,
+                &marker_for_id,
+            )?))
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
     async fn support_bundle_list(
         rqctx: RequestContext<ApiContext>,
         query_params: Query<PaginatedById>,

nexus/tests/integration_tests/device_auth.rs

@@ -4,6 +4,8 @@
 
 use std::num::NonZeroU32;
 
+use chrono::Utc;
+use dropshot::ResultsPage;
 use dropshot::test_util::ClientTestContext;
 use nexus_auth::authn::USER_TEST_UNPRIVILEGED;
 use nexus_db_queries::db::fixed_data::silo::DEFAULT_SILO;
@@ -138,6 +140,10 @@ async fn test_device_auth_flow(cptestctx: &ControlPlaneTestContext) {
             .expect("failed to deserialize OAuth error");
     assert_eq!(&error.error, "authorization_pending");
 
+    // Check tokens before creating the device token
+    assert_eq!(get_tokens_priv(testctx).await.len(), 0);
+    assert_eq!(get_tokens_unpriv(testctx).await.len(), 0);
+
     // Authenticated confirmation should succeed.
     NexusRequest::new(
         RequestBuilder::new(testctx, Method::POST, "/device/confirm")
@@ -162,10 +168,17 @@ async fn test_device_auth_flow(cptestctx: &ControlPlaneTestContext) {
     .expect("failed to get token")
     .parsed_body()
     .expect("failed to deserialize token response");
+
     assert_eq!(token.token_type, DeviceAccessTokenType::Bearer);
     assert_eq!(token.access_token.len(), 52);
     assert!(token.access_token.starts_with("oxide-token-"));
 
+    // Check token list endpoints after creating the device token
+    assert_eq!(get_tokens_priv(testctx).await.len(), 0);
+    let tokens_unpriv_after = get_tokens_unpriv(testctx).await;
+    assert_eq!(tokens_unpriv_after.len(), 1);
+    assert_eq!(tokens_unpriv_after[0].time_expires, None);
+
     // now make a request with the token. it 403s because unpriv user has no roles
     project_list(&testctx, &token.access_token, StatusCode::FORBIDDEN)
         .await
@@ -257,10 +270,18 @@ async fn test_device_token_expiration(cptestctx: &ControlPlaneTestContext) {
         object_get(testctx, "/v1/settings").await;
     assert_eq!(settings.device_token_max_ttl_seconds, None);
 
+    // no tokens in the list
+    assert_eq!(get_tokens_priv(testctx).await.len(), 0);
+
     // get a token for the privileged user. default silo max token expiration
     // is null, so tokens don't expire
     let initial_token = get_device_token(testctx).await;
 
+    // now there is a token in the list
+    let tokens = get_tokens_priv(testctx).await;
+    assert_eq!(tokens.len(), 1);
+    assert_eq!(tokens[0].time_expires, None);
+
     // test token works on project list
     project_list(&testctx, &initial_token, StatusCode::OK)
         .await
@@ -299,6 +320,21 @@ async fn test_device_token_expiration(cptestctx: &ControlPlaneTestContext) {
     // create token again (this one will have the 3-second expiration)
     let expiring_token = get_device_token(testctx).await;
 
+    // use a block so we don't touch expiring_token
+    {
+        // now there are two tokens in the list
+        let tokens = get_tokens_priv(testctx).await;
+        assert_eq!(tokens.len(), 2);
+
+        let permanent_token =
+            tokens.iter().find(|t| t.time_expires.is_none()).unwrap();
+        let expiring_token =
+            tokens.iter().find(|t| t.time_expires.is_some()).unwrap();
+
+        assert_eq!(permanent_token.time_expires, None);
+        assert!(expiring_token.time_expires.unwrap() > Utc::now());
+    }
+
     // immediately use token, it should work
     project_list(&testctx, &expiring_token, StatusCode::OK)
         .await
@@ -316,6 +352,31 @@ async fn test_device_token_expiration(cptestctx: &ControlPlaneTestContext) {
     project_list(&testctx, &initial_token, StatusCode::OK)
         .await
         .expect("initial token should still work");
+
+    // back down to one non-expiring token
+    let tokens = get_tokens_priv(testctx).await;
+    assert_eq!(tokens.len(), 1);
+    assert_eq!(tokens[0].time_expires, None);
+}
+
+async fn get_tokens_priv(
+    testctx: &ClientTestContext,
+) -> Vec<views::DeviceAccessToken> {
+    NexusRequest::object_get(testctx, "/v1/me/tokens")
+        .authn_as(AuthnMode::PrivilegedUser)
+        .execute_and_parse_unwrap::<ResultsPage<views::DeviceAccessToken>>()
+        .await
+        .items
+}
+
+async fn get_tokens_unpriv(
+    testctx: &ClientTestContext,
+) -> Vec<views::DeviceAccessToken> {
+    NexusRequest::object_get(testctx, "/v1/me/tokens")
+        .authn_as(AuthnMode::UnprivilegedUser)
+        .execute_and_parse_unwrap::<ResultsPage<views::DeviceAccessToken>>()
+        .await
+        .items
 }
 
 async fn project_list(

nexus/types/src/external_api/views.rs

@@ -15,7 +15,7 @@ use daft::Diffable;
 use omicron_common::api::external::{
     AffinityPolicy, AllowedSourceIps as ExternalAllowedSourceIps, ByteCount,
     Digest, Error, FailureDomain, IdentityMetadata, InstanceState, Name,
-    ObjectIdentity, RoleName, SimpleIdentityOrName,
+    ObjectIdentity, RoleName, SimpleIdentity, SimpleIdentityOrName,
 };
 use omicron_uuid_kinds::{AlertReceiverUuid, AlertUuid};
 use oxnet::{Ipv4Net, Ipv6Net};
@@ -987,6 +987,23 @@ pub struct SshKey {
     pub public_key: String,
 }
 
+/// View of a device access token
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema, PartialEq)]
+pub struct DeviceAccessToken {
+    /// A unique, immutable, system-controlled identifier for the token.
+    /// Note that this ID is not the bearer token itself, which starts with
+    /// "oxide-token-"
+    pub id: Uuid,
+    pub time_created: DateTime<Utc>,
+    pub time_expires: Option<DateTime<Utc>>,
+}
+
+impl SimpleIdentity for DeviceAccessToken {
+    fn id(&self) -> Uuid {
+        self.id
+    }
+}
+
 // OAUTH 2.0 DEVICE AUTHORIZATION REQUESTS & TOKENS
 
 /// Response to an initial device authorization request.