rename access_method to auth_method

david-crespo · david-crespo · commit c4ec694d0b71 · 2025-08-08T13:47:48.000-05:00
diff --git a/nexus/db-model/src/audit_log.rs b/nexus/db-model/src/audit_log.rs
@@ -34,7 +34,7 @@ pub struct AuditLogEntryInitParams {
     pub source_ip: IpAddr,
     pub user_agent: Option<String>,
     pub actor: AuditLogActor,
-    pub access_method: Option<String>,
+    pub auth_method: Option<String>,
 }
 
 impl_enum_type!(
@@ -110,7 +110,7 @@ pub struct AuditLogEntryInit {
 
     /// API token or session cookie. Optional because it will not be defined
     /// on unauthenticated requests like login attempts.
-    pub access_method: Option<String>,
+    pub auth_method: Option<String>,
 }
 
 impl From<AuditLogEntryInitParams> for AuditLogEntryInit {
@@ -122,7 +122,7 @@ impl From<AuditLogEntryInitParams> for AuditLogEntryInit {
             source_ip,
             user_agent,
             actor,
-            access_method,
+            auth_method,
         } = params;
 
         let (actor_id, actor_silo_id, actor_kind) = match actor {
@@ -148,7 +148,7 @@ impl From<AuditLogEntryInitParams> for AuditLogEntryInit {
             actor_kind,
             source_ip: source_ip.into(),
             user_agent,
-            access_method,
+            auth_method,
         }
     }
 }
@@ -171,7 +171,7 @@ pub struct AuditLogEntry {
     pub actor_kind: AuditLogActorKind,
 
     /// The name of the authn scheme used. None if unauthenticated.
-    pub access_method: Option<String>,
+    pub auth_method: Option<String>,
 
     // Fields that are not present on init
     /// Time log entry was completed with info about result of operation
@@ -294,7 +294,7 @@ impl TryFrom<AuditLogEntry> for views::AuditLogEntry {
                     views::AuditLogEntryActor::Unauthenticated
                 }
             },
-            access_method: entry.access_method,
+            auth_method: entry.auth_method,
             time_completed: entry.time_completed,
             result: match entry.result_kind {
                 AuditLogResultKind::Success => {
diff --git a/nexus/db-queries/src/db/datastore/audit_log.rs b/nexus/db-queries/src/db/datastore/audit_log.rs
@@ -171,7 +171,7 @@ mod tests {
             source_ip: "1.1.1.1".parse().unwrap(),
             user_agent: Some("Firefox or whatever".to_string()),
             actor: AuditLogActor::Unauthenticated,
-            access_method: None,
+            auth_method: None,
         };
         let entry1 = datastore
             .audit_log_entry_init(opctx, entry1_params.clone().into())
@@ -204,7 +204,7 @@ mod tests {
             source_ip: "1.1.1.1".parse().unwrap(),
             user_agent: Some("Chrome???".to_string()),
             actor: AuditLogActor::Unauthenticated,
-            access_method: None,
+            auth_method: None,
         };
         let entry2 = datastore
             .audit_log_entry_init(opctx, entry2_params.clone().into())
@@ -302,7 +302,7 @@ mod tests {
             source_ip: "1.1.1.1".parse().unwrap(),
             user_agent: Some("Fake-User-Agent".to_string()),
             actor: AuditLogActor::Unauthenticated,
-            access_method: None,
+            auth_method: None,
         };
         // we have to do the from() out here because that's what sets
         // time_completed, and we need them to all have the same time
diff --git a/nexus/db-schema/src/schema.rs b/nexus/db-schema/src/schema.rs
@@ -2698,7 +2698,7 @@ table! {
         actor_id -> Nullable<Uuid>,
         actor_silo_id -> Nullable<Uuid>,
         actor_kind -> crate::enums::AuditLogActorKindEnum,
-        access_method -> Nullable<Text>,
+        auth_method -> Nullable<Text>,
         time_completed -> Nullable<Timestamptz>,
         http_status_code -> Nullable<Int4>, // SqlU16
         error_code -> Nullable<Text>,
@@ -2719,7 +2719,7 @@ table! {
         actor_id -> Nullable<Uuid>,
         actor_silo_id -> Nullable<Uuid>,
         actor_kind -> crate::enums::AuditLogActorKindEnum,
-        access_method -> Nullable<Text>,
+        auth_method -> Nullable<Text>,
         time_completed -> Timestamptz,
         http_status_code -> Nullable<Int4>, // SqlU16
         error_code -> Nullable<Text>,
diff --git a/nexus/src/app/audit_log.rs b/nexus/src/app/audit_log.rs
@@ -106,7 +106,7 @@ impl super::Nexus {
             source_ip: rqctx.request.remote_addr().ip(),
             user_agent,
             actor,
-            access_method: opctx.authn.scheme_used().map(|s| s.to_string()),
+            auth_method: opctx.authn.scheme_used().map(|s| s.to_string()),
         };
         self.db_datastore.audit_log_entry_init(opctx, entry_params.into()).await
     }
diff --git a/nexus/tests/integration_tests/audit_log.rs b/nexus/tests/integration_tests/audit_log.rs
@@ -66,7 +66,7 @@ async fn test_audit_log_list(ctx: &ControlPlaneTestContext) {
 
     // we have to do this rigmarole instead of using create_project in order to
     // get the user agent header in there and to use a session cookie to test
-    // the access_method field
+    // the auth_method field
     let body = &params::ProjectCreate {
         identity: IdentityMetadataCreateParams {
             name: "test-proj2".parse().unwrap(),
@@ -95,7 +95,7 @@ async fn test_audit_log_list(ctx: &ControlPlaneTestContext) {
     assert_eq!(e1.operation_id, "project_create");
     assert_eq!(e1.source_ip.to_string(), "127.0.0.1");
     assert_eq!(e1.user_agent, None); // no user agent passed by default
-    assert_eq!(e1.access_method, Some("spoof".to_string()));
+    assert_eq!(e1.auth_method, Some("spoof".to_string()));
     assert!(e1.time_started >= t1 && e1.time_started <= t2);
     assert!(e1.time_completed > e1.time_started);
     assert_eq!(
@@ -111,7 +111,7 @@ async fn test_audit_log_list(ctx: &ControlPlaneTestContext) {
     assert_eq!(e2.operation_id, "login_local");
     assert_eq!(e2.source_ip.to_string(), "127.0.0.1");
     assert_eq!(e2.user_agent, None); // no user agent passed by default
-    assert_eq!(e2.access_method, None);
+    assert_eq!(e2.auth_method, None);
     assert!(e2.time_started >= t2 && e2.time_started <= t3);
     assert!(e2.time_completed > e2.time_started);
 
@@ -131,12 +131,12 @@ async fn test_audit_log_list(ctx: &ControlPlaneTestContext) {
         .parsed_body::<views::CurrentUser>()
         .unwrap();
 
-    // third one was done with the session cookie, reflected in access_method
+    // third one was done with the session cookie, reflected in auth_method
     assert_eq!(e3.request_uri, "/v1/projects");
     assert_eq!(e3.operation_id, "project_create");
     assert_eq!(e3.source_ip.to_string(), "127.0.0.1");
     assert_eq!(e3.user_agent.as_ref().unwrap(), "A pretend user agent string");
-    assert_eq!(e3.access_method, Some("session_cookie".to_string()));
+    assert_eq!(e3.auth_method, Some("session_cookie".to_string()));
     assert!(e3.time_started >= t3 && e3.time_started <= t4);
     assert!(e3.time_completed > e3.time_started);
     assert_eq!(
@@ -385,6 +385,6 @@ fn verify_entry(
         }
     );
     assert_eq!(entry.source_ip.to_string(), "127.0.0.1");
-    assert_eq!(entry.access_method, Some("spoof".to_string()));
+    assert_eq!(entry.auth_method, Some("spoof".to_string()));
     assert!(entry.time_completed > entry.time_started);
 }
diff --git a/nexus/types/src/external_api/views.rs b/nexus/types/src/external_api/views.rs
@@ -1634,10 +1634,10 @@ pub struct AuditLogEntry {
 
     pub actor: AuditLogEntryActor,
 
-    /// Indicates whether request was made with an API token or session cookie.
-    /// Optional because it will not be defined on unauthenticated requests like
-    /// login attempts.
-    pub access_method: Option<String>,
+    /// How the user authenticated the request. Possible values are
+    /// "session_cookie" and "access_token". Optional because it will not be
+    /// defined on unauthenticated requests like login attempts.
+    pub auth_method: Option<String>,
 
     // Fields that are optional because they get filled in after the action completes
     /// Time operation completed
diff --git a/openapi/nexus.json b/openapi/nexus.json
@@ -14563,14 +14563,14 @@
         "description": "Audit log entry",
         "type": "object",
         "properties": {
-          "access_method": {
-            "nullable": true,
-            "description": "Indicates whether request was made with an API token or session cookie. Optional because it will not be defined on unauthenticated requests like login attempts.",
-            "type": "string"
-          },
           "actor": {
             "$ref": "#/components/schemas/AuditLogEntryActor"
           },
+          "auth_method": {
+            "nullable": true,
+            "description": "How the user authenticated the request. Possible values are \"session_cookie\" and \"access_token\". Optional because it will not be defined on unauthenticated requests like login attempts.",
+            "type": "string"
+          },
           "id": {
             "description": "Unique identifier for the audit log entry",
             "type": "string",
diff --git a/schema/crdb/audit-log/up03.sql b/schema/crdb/audit-log/up03.sql
@@ -17,7 +17,7 @@ CREATE TABLE IF NOT EXISTS omicron.public.audit_log (
     -- actor kind indicating builtin user, silo user, or unauthenticated
     actor_kind omicron.public.audit_log_actor_kind NOT NULL,
     -- The name of the authn scheme used
-    access_method STRING,
+    auth_method STRING,
 
     -- below are fields we can only fill in after the operation
 
@@ -63,4 +63,4 @@ CREATE TABLE IF NOT EXISTS omicron.public.audit_log (
         -- For unauthenticated: must not have actor_id or actor_silo_id
         (actor_kind = 'unauthenticated' AND actor_id IS NULL AND actor_silo_id IS NULL)
     )
-);
+);
diff --git a/schema/crdb/audit-log/up05.sql b/schema/crdb/audit-log/up05.sql
@@ -10,7 +10,7 @@ SELECT
     actor_id,
     actor_silo_id,
     actor_kind,
-    access_method,
+    auth_method,
     time_completed,
     http_status_code,
     error_code,
@@ -19,4 +19,4 @@ SELECT
 FROM omicron.public.audit_log
 WHERE
    time_completed IS NOT NULL
-   AND result_kind IS NOT NULL;
+   AND result_kind IS NOT NULL;
diff --git a/schema/crdb/dbinit.sql b/schema/crdb/dbinit.sql
@@ -5775,7 +5775,7 @@ CREATE TYPE IF NOT EXISTS omicron.public.audit_log_actor_kind AS ENUM (
 
 CREATE TYPE IF NOT EXISTS omicron.public.audit_log_result_kind AS ENUM (
     'success',
-    'error', 
+    'error',
     -- represents the case where we had to clean up a row and artificially
     -- complete it in order to get it into the log (because entries don't show
     -- up in the log until they're completed)
@@ -5801,7 +5801,7 @@ CREATE TABLE IF NOT EXISTS omicron.public.audit_log (
     -- actor kind indicating builtin user, silo user, or unauthenticated
     actor_kind omicron.public.audit_log_actor_kind NOT NULL,
     -- The name of the authn scheme used
-    access_method STRING,
+    auth_method STRING,
 
     -- below are fields we can only fill in after the operation
 
@@ -5811,7 +5811,7 @@ CREATE TABLE IF NOT EXISTS omicron.public.audit_log (
     -- only present on errors
     error_code STRING,
     error_message STRING,
-    
+
     -- result kind indicating success, error, or timeout
     result_kind omicron.public.audit_log_result_kind,
 
@@ -5878,7 +5878,7 @@ SELECT
     actor_id,
     actor_silo_id,
     actor_kind,
-    access_method,
+    auth_method,
     time_completed,
     http_status_code,
     error_code,

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ impl super::Nexus {`
`106`	`106`	`source_ip: rqctx.request.remote_addr().ip(),`
`107`	`107`	`user_agent,`
`108`	`108`	`actor,`
`109`		`- access_method: opctx.authn.scheme_used().map(\|s\| s.to_string()),`
	`109`	`+ auth_method: opctx.authn.scheme_used().map(\|s\| s.to_string()),`
`110`	`110`	`};`
`111`	`111`	`self.db_datastore.audit_log_entry_init(opctx, entry_params.into()).await`
`112`	`112`	`}`