Add support for Silo groups (#1358)

Add the necessary logic to:

- provision an "admin" silo group when a silo is created, which is
  granted silo admin role.
- after successful authentication, create groups during silo user
  provision if the Silo's provision type is JIT.
- add a group's roles to a user's role set if they're part of that
  group.

Silos now have an optional admin_group_name that is configured at silo
provision time. If this is left out, users will currently have no way to
be granted roles when they first log in. In the future, this may be
selected and groups would be created another way.

SAML identity providers now have an optional group_attribute_name that
configures what attribute represents a group name. Groups can be passed
in multiple attribute values, or in one as a comma separated list.

Author: jmpesp

Cargo.lock

@@ -528,6 +528,7 @@ pub enum ResourceType {
     Fleet,
     Silo,
     SiloUser,
+    SiloGroup,
     IdentityProvider,
     SamlIdentityProvider,
     SshKey,

common/src/api/external/mod.rs

@@ -277,13 +277,50 @@ CREATE UNIQUE INDEX ON omicron.public.silo_user (
 ) WHERE
     time_deleted IS NULL;
 
-CREATE TYPE omicron.public.provider_type AS ENUM (
-  'saml'
+/*
+ * Silo groups
+ */
+
+CREATE TABLE omicron.public.silo_group (
+    id UUID PRIMARY KEY,
+    time_created TIMESTAMPTZ NOT NULL,
+    time_modified TIMESTAMPTZ NOT NULL,
+    time_deleted TIMESTAMPTZ,
+
+    silo_id UUID NOT NULL,
+    external_id TEXT NOT NULL
+);
+
+CREATE UNIQUE INDEX ON omicron.public.silo_group (
+    silo_id,
+    external_id
+) WHERE
+    time_deleted IS NULL;
+
+/*
+ * Silo group membership
+ */
+
+CREATE TABLE omicron.public.silo_group_membership (
+    silo_group_id UUID NOT NULL,
+    silo_user_id UUID NOT NULL,
+
+    PRIMARY KEY (silo_group_id, silo_user_id)
+);
+
+CREATE INDEX ON omicron.public.silo_group_membership (
+    silo_user_id,
+    silo_group_id
 );
 
 /*
  * Silo identity provider list
  */
+
+CREATE TYPE omicron.public.provider_type AS ENUM (
+  'saml'
+);
+
 CREATE TABLE omicron.public.identity_provider (
     /* Identity metadata */
     id UUID PRIMARY KEY,
@@ -332,7 +369,9 @@ CREATE TABLE omicron.public.saml_identity_provider (
     technical_contact_email TEXT NOT NULL,
 
     public_cert TEXT,
-    private_key TEXT
+    private_key TEXT,
+
+    group_attribute_name TEXT
 );
 
 CREATE INDEX ON omicron.public.saml_identity_provider (
@@ -1442,7 +1481,8 @@ CREATE TABLE omicron.public.role_builtin (
 
 CREATE TYPE omicron.public.identity_type AS ENUM (
   'user_builtin',
-  'silo_user'
+  'silo_user',
+  'silo_group'
 );
 
 CREATE TABLE omicron.public.role_assignment (

common/src/sql/dbinit.sql

@@ -9,7 +9,7 @@ path = "../rpaths"
 
 [dependencies]
 anyhow = "1.0"
-async-bb8-diesel = { git = "https://github.com/oxidecomputer/async-bb8-diesel", rev = "ab1f49e0b3f95557aa96bf593282199fafeef4bd" }
+async-bb8-diesel = { git = "https://github.com/oxidecomputer/async-bb8-diesel", rev = "51de79fe02b334899be5d5fd8b469f9d140ea887" }
 async-trait = "0.1.56"
 base64 = "0.13.0"
 bb8 = "0.8.0"

nexus/Cargo.toml

@@ -22,7 +22,7 @@ pub struct Input {
     /// Name of the resource
     ///
     /// This is taken as the name of the database model type in
-    /// `omicron_nexus::db::model`, the name of the authz type in
+    /// `omicron_nexus::db_model`, the name of the authz type in
     /// `omicron_nexus::authz`, and will be the name of the new type created by
     /// this macro.  The snake case version of the name is taken as the name of
     /// the Diesel table interface in `db::schema`.
@@ -537,6 +537,13 @@ fn generate_lookup_methods(config: &Config) -> TokenStream {
             self.fetch_for(authz::Action::Read).await
         }
 
+        /// Turn the Result<T, E> of [`fetch`] into a Result<Option<T>, E>.
+        pub async fn optional_fetch(
+            &self,
+        ) -> LookupResult<Option<(#(authz::#path_types,)* nexus_db_model::#resource_name)>> {
+            self.optional_fetch_for(authz::Action::Read).await
+        }
+
         /// Fetch the record corresponding to the selected resource and
         /// check whether the caller is allowed to do the specified `action`
         ///
@@ -571,6 +578,25 @@ fn generate_lookup_methods(config: &Config) -> TokenStream {
             #silo_check_fetch
         }
 
+        /// Turn the Result<T, E> of [`fetch_for`] into a Result<Option<T>, E>.
+        pub async fn optional_fetch_for(
+            &self,
+            action: authz::Action,
+        ) -> LookupResult<Option<(#(authz::#path_types,)* nexus_db_model::#resource_name)>> {
+            let result = self.fetch_for(action).await;
+
+            match result {
+                Err(Error::ObjectNotFound {
+                    type_name: _,
+                    lookup_type: _,
+                }) => Ok(None),
+
+                _ => {
+                    Ok(Some(result?))
+                }
+            }
+        }
+
         /// Fetch an `authz` object for the selected resource and check
         /// whether the caller is allowed to do the specified `action`
         ///
@@ -592,6 +618,25 @@ fn generate_lookup_methods(config: &Config) -> TokenStream {
             #silo_check_lookup
         }
 
+        /// Turn the Result<T, E> of [`lookup_for`] into a Result<Option<T>, E>.
+        pub async fn optional_lookup_for(
+            &self,
+            action: authz::Action,
+        ) -> LookupResult<Option<(#(authz::#path_types,)*)>> {
+            let result = self.lookup_for(action).await;
+
+            match result {
+                Err(Error::ObjectNotFound {
+                    type_name: _,
+                    lookup_type: _,
+                }) => Ok(None),
+
+                _ => {
+                    Ok(Some(result?))
+                }
+            }
+        }
+
         /// Fetch the "authz" objects for the selected resource and all its
         /// parents
         ///

nexus/db-macros/src/lookup.rs

@@ -60,15 +60,31 @@ pub struct SamlIdentityProvider {
 
     pub silo_id: Uuid,
 
+    /// idp descriptor
     pub idp_metadata_document_string: String,
 
+    /// idp's entity id
     pub idp_entity_id: String,
+
+    /// sp's client id
     pub sp_client_id: String,
+
+    /// service provider endpoint where the response will be sent
     pub acs_url: String,
+
+    /// service provider endpoint where the idp should send log out requests
     pub slo_url: String,
+
+    /// customer's technical contact for saml configuration
     pub technical_contact_email: String,
+
+    /// base64 encoded DER corresponding to X509 pair
     pub public_cert: Option<String>,
     pub private_key: Option<String>,
+
+    /// if set, attributes with this name will be considered to denote a user's
+    /// group membership, where the values will be the group names.
+    pub group_attribute_name: Option<String>,
 }
 
 impl From<SamlIdentityProvider> for views::SamlIdentityProvider {

nexus/db-model/src/identity_provider.rs

@@ -48,6 +48,7 @@ pub mod schema;
 mod service;
 mod service_kind;
 mod silo;
+mod silo_group;
 mod silo_user;
 mod sled;
 mod snapshot;
@@ -110,6 +111,7 @@ pub use role_builtin::*;
 pub use service::*;
 pub use service_kind::*;
 pub use silo::*;
+pub use silo_group::*;
 pub use silo_user::*;
 pub use sled::*;
 pub use snapshot::*;

nexus/db-model/src/lib.rs

@@ -30,12 +30,14 @@ impl_enum_type!(
     // Enum values
     UserBuiltin => b"user_builtin"
     SiloUser => b"silo_user"
+    SiloGroup => b"silo_group"
 );
 
 impl From<shared::IdentityType> for IdentityType {
     fn from(other: shared::IdentityType) -> Self {
         match other {
             shared::IdentityType::SiloUser => IdentityType::SiloUser,
+            shared::IdentityType::SiloGroup => IdentityType::SiloGroup,
         }
     }
 }
@@ -49,6 +51,7 @@ impl TryFrom<IdentityType> for shared::IdentityType {
                 Err(anyhow!("unsupported db identity type: {:?}", other))
             }
             IdentityType::SiloUser => Ok(shared::IdentityType::SiloUser),
+            IdentityType::SiloGroup => Ok(shared::IdentityType::SiloGroup),
         }
     }
 }

nexus/db-model/src/role_assignment.rs

@@ -193,6 +193,7 @@ table! {
 
         discoverable -> Bool,
         user_provision_type -> crate::UserProvisionTypeEnum,
+
         rcgen -> Int8,
     }
 }
@@ -209,6 +210,28 @@ table! {
     }
 }
 
+table! {
+    silo_group (id) {
+        id -> Uuid,
+        time_created -> Timestamptz,
+        time_modified -> Timestamptz,
+        time_deleted -> Nullable<Timestamptz>,
+
+        silo_id -> Uuid,
+        external_id -> Text,
+    }
+}
+
+table! {
+    silo_group_membership (silo_group_id, silo_user_id) {
+        silo_group_id -> Uuid,
+        silo_user_id -> Uuid,
+    }
+}
+
+allow_tables_to_appear_in_same_query!(silo_group, silo_group_membership);
+allow_tables_to_appear_in_same_query!(role_assignment, silo_group_membership);
+
 table! {
     identity_provider (silo_id, id) {
         id -> Uuid,
@@ -243,6 +266,7 @@ table! {
         technical_contact_email -> Text,
         public_cert -> Nullable<Text>,
         private_key -> Nullable<Text>,
+        group_attribute_name -> Nullable<Text>,
     }
 }
 

nexus/db-model/src/schema.rs

@@ -0,0 +1,40 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+use crate::schema::{silo_group, silo_group_membership};
+use db_macros::Asset;
+use uuid::Uuid;
+
+/// Describes a silo group within the database.
+#[derive(Asset, Queryable, Insertable, Debug, Selectable)]
+#[diesel(table_name = silo_group)]
+pub struct SiloGroup {
+    #[diesel(embed)]
+    identity: SiloGroupIdentity,
+
+    pub silo_id: Uuid,
+
+    /// The identity provider's name for this group.
+    pub external_id: String,
+}
+
+impl SiloGroup {
+    pub fn new(id: Uuid, silo_id: Uuid, external_id: String) -> Self {
+        Self { identity: SiloGroupIdentity::new(id), silo_id, external_id }
+    }
+}
+
+/// Describe which silo users belong to which silo groups
+#[derive(Queryable, Insertable, Debug, Selectable)]
+#[diesel(table_name = silo_group_membership)]
+pub struct SiloGroupMembership {
+    pub silo_group_id: Uuid,
+    pub silo_user_id: Uuid,
+}
+
+impl SiloGroupMembership {
+    pub fn new(silo_group_id: Uuid, silo_user_id: Uuid) -> Self {
+        Self { silo_group_id, silo_user_id }
+    }
+}