initial audit log endpoints, data model, tests

Author: david-crespo

Cargo.lock

@@ -957,6 +957,7 @@ pub enum ResourceType {
     AntiAffinityGroup,
     AntiAffinityGroupMember,
     AllowList,
+    AuditLogEntry,
     BackgroundTask,
     BgpConfig,
     BgpAnnounceSet,

common/src/api/external/mod.rs

@@ -151,6 +151,15 @@ impl Context {
         &self.schemes_tried
     }
 
+    /// If the user is authenticated, return the last scheme in the list of
+    /// schemes tried, which is the one that worked.
+    pub fn scheme_used(&self) -> Option<&SchemeName> {
+        match &self.kind {
+            Kind::Authenticated(..) => self.schemes_tried().last(),
+            Kind::Unauthenticated => None,
+        }
+    }
+
     /// Returns an unauthenticated context for use internally
     pub fn internal_unauthenticated() -> Context {
         Context { kind: Kind::Unauthenticated, schemes_tried: vec![] }

nexus/auth/src/authn/mod.rs

@@ -407,8 +407,66 @@ impl AuthorizedResource for IpPoolList {
         roleset: &'fut mut RoleSet,
     ) -> futures::future::BoxFuture<'fut, Result<(), Error>> {
         // There are no roles on the IpPoolList, only permissions. But we still
-        // need to load the Fleet-related roles to verify that the actor has the
-        // "admin" role on the Fleet (possibly conferred from a Silo role).
+        // need to load the Fleet-related roles to verify that the actor's role
+        // on the Fleet (possibly conferred from a Silo role).
+        load_roles_for_resource_tree(&FLEET, opctx, authn, roleset).boxed()
+    }
+
+    fn on_unauthorized(
+        &self,
+        _: &Authz,
+        error: Error,
+        _: AnyActor,
+        _: Action,
+    ) -> Error {
+        error
+    }
+
+    fn polar_class(&self) -> oso::Class {
+        Self::get_polar_class()
+    }
+}
+
+// Similar to IpPoolList, the audit log is a collection that doesn't exist in
+// the database as an entity distinct from its children (IP pools, or in this
+// case, audit log entries). We need a dummy resource here because we need
+// something to hang permissions off of. We need to be able to create audit log
+// children (entries) for login attempts, when there is no authenticated user,
+// as well as for normal requests with an authenticated user. For retrieval, we
+// want (to start out) to allow only fleet viewers to list children.
+
+#[derive(Clone, Copy, Debug)]
+pub struct AuditLog;
+
+/// Singleton representing the [`AuditLog`] for authz purposes
+pub const AUDIT_LOG: AuditLog = AuditLog;
+
+impl Eq for AuditLog {}
+
+impl PartialEq for AuditLog {
+    fn eq(&self, _: &Self) -> bool {
+        true
+    }
+}
+
+impl oso::PolarClass for AuditLog {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        oso::Class::builder()
+            .with_equality_check()
+            .add_attribute_getter("fleet", |_: &AuditLog| FLEET)
+    }
+}
+
+impl AuthorizedResource for AuditLog {
+    fn load_roles<'fut>(
+        &'fut self,
+        opctx: &'fut OpContext,
+        authn: &'fut authn::Context,
+        roleset: &'fut mut RoleSet,
+    ) -> futures::future::BoxFuture<'fut, Result<(), Error>> {
+        // There are no roles on the AuditLog, only permissions. But we still
+        // need to load the Fleet-related roles to verify that the actor's role
+        // on the Fleet (possibly conferred from a Silo role).
         load_roles_for_resource_tree(&FLEET, opctx, authn, roleset).boxed()
     }
 

nexus/auth/src/authz/api_resources.rs

@@ -431,6 +431,25 @@ has_relation(fleet: Fleet, "parent_fleet", ip_pool_list: IpPoolList)
 has_permission(actor: AuthenticatedActor, "create_child", ip_pool: IpPool)
 	if silo in actor.silo and silo.fleet = ip_pool.fleet;
 
+# Describes the policy for reading and writing the audit log 
+resource AuditLog {
+	permissions = [
+	    "list_children", # retrieve audit log
+	    "create_child",  # create audit log entry
+	];
+
+	relations = { parent_fleet: Fleet };
+
+	# Fleet viewers can read the audit log
+	"list_children" if "viewer" on "parent_fleet";
+}
+# TODO: is this right? any op context should be able to write to the audit log?
+# feels weird though
+has_permission(_actor: AuthenticatedActor, "create_child", _audit_log: AuditLog);
+
+has_relation(fleet: Fleet, "parent_fleet", audit_log: AuditLog)
+	if audit_log.fleet = fleet;
+
 # Describes the policy for creating and managing web console sessions.
 resource ConsoleSessionList {
 	permissions = [ "create_child" ];

nexus/auth/src/authz/omicron.polar

@@ -101,6 +101,7 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
     let classes = [
         // Hand-written classes
         Action::get_polar_class(),
+        AuditLog::get_polar_class(),
         AnyActor::get_polar_class(),
         AuthenticatedActor::get_polar_class(),
         BlueprintConfig::get_polar_class(),

nexus/auth/src/authz/oso_generic.rs

@@ -0,0 +1,155 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/5.0/.
+
+// Copyright 2025 Oxide Computer Company
+
+use std::net::IpAddr;
+
+use crate::SqlU16;
+use crate::schema::{audit_log, audit_log_complete};
+use chrono::{DateTime, Utc};
+use diesel::prelude::*;
+use ipnetwork::IpNetwork;
+use nexus_types::external_api::views;
+use uuid::Uuid;
+
+#[derive(Queryable, Insertable, Selectable, Clone, Debug)]
+#[diesel(table_name = audit_log)]
+pub struct AuditLogEntryInit {
+    pub id: Uuid,
+    pub timestamp: DateTime<Utc>,
+    pub request_id: String,
+    /// The API endpoint being logged, e.g., `project_create`
+    pub request_uri: String,
+    pub operation_id: String,
+    pub source_ip: IpNetwork,
+    // TODO: we probably want a dedicated enum for these columns and for that
+    // we need a fancier set of columns. For example, we may want to initialize
+    // the row with a _potential_ actor (probably a different field), like the
+    // username or whatever is being used for login. This should probably be
+    // preserved even after authentication determines an actual actor ID. See
+    // the Actor struct in nexus/auth/src/authn/mod.ts
+
+    // these are optional because of requests like login attempts, where there
+    // is no actor until after the operation.
+    pub actor_id: Option<Uuid>,
+    pub actor_silo_id: Option<Uuid>,
+
+    // TODO: fancier type for access method capturing possibility of login
+    // attempts. might make sense to roll this all into the actor enum because
+    // we have an access method if and only if we have an actor (I think)
+    /// API token or session cookie. Optional because it will not be defined
+    /// on unauthenticated requests like login attempts.
+    pub access_method: Option<String>,
+}
+
+// TODO: doc comments
+// TODO: figure out how this relates to the other struct. currently we're not
+// retrieving partial entries at all, but I think we will probably want to have
+// that capability
+#[derive(Queryable, Selectable, Clone, Debug)]
+#[diesel(table_name = audit_log_complete)]
+pub struct AuditLogEntry {
+    pub id: Uuid,
+    pub timestamp: DateTime<Utc>,
+    pub request_id: String,
+    pub request_uri: String,
+    pub operation_id: String,
+    pub source_ip: IpNetwork,
+    pub actor_id: Option<Uuid>,
+    pub actor_silo_id: Option<Uuid>,
+    pub access_method: Option<String>,
+
+    // TODO: RFD 523 says: "Additionally, the response (or error) data should be
+    // included in the same log entry as the original request data. Separating
+    // the response from the request into two different log entries is extremely
+    // expensive for customers to identify which requests correspond to which
+    // responses." I guess the typical thing is to include a duration of the
+    // request rather than a second timestamp.
+
+    // Seems like it has to be optional because at the beginning of the
+    // operation, we have not yet resolved the resource selector to an ID
+    pub resource_id: Option<Uuid>,
+
+    // Fields that are not present on init
+    /// Time log entry was completed with info about result of operation
+    pub time_completed: DateTime<Utc>,
+    pub http_status_code: SqlU16,
+
+    // Error information if the action failed
+    pub error_code: Option<String>,
+    pub error_message: Option<String>,
+    // TODO: including a real response complicates things
+    // Response data on success (if applicable)
+    // pub success_response: Option<Value>,
+}
+
+impl AuditLogEntryInit {
+    pub fn new(
+        request_id: String,
+        operation_id: String,
+        request_uri: String,
+        source_ip: IpAddr,
+        actor_id: Option<Uuid>,
+        actor_silo_id: Option<Uuid>,
+        access_method: Option<String>,
+    ) -> Self {
+        Self {
+            id: Uuid::new_v4(),
+            timestamp: Utc::now(),
+            request_id,
+            request_uri,
+            operation_id,
+            actor_id,
+            actor_silo_id,
+            source_ip: source_ip.into(),
+            access_method,
+        }
+    }
+}
+
+#[derive(AsChangeset, Clone)]
+#[diesel(table_name = audit_log)]
+pub struct AuditLogCompletion {
+    pub time_completed: DateTime<Utc>,
+    pub http_status_code: SqlU16,
+}
+
+impl AuditLogCompletion {
+    pub fn new(http_status_code: u16) -> Self {
+        Self {
+            time_completed: Utc::now(),
+            http_status_code: SqlU16(http_status_code),
+        }
+    }
+}
+
+// TODO: AuditLogActor
+// pub enum AuditLogActor {
+//     UserBuiltin { user_builtin_id: Uuid },
+//     TODO: include info about computed roles at runtime?
+//     SiloUser { silo_user_id: Uuid, silo_id: Uuid },
+//     Unauthenticated,
+// }
+
+impl From<AuditLogEntry> for views::AuditLogEntry {
+    fn from(entry: AuditLogEntry) -> Self {
+        Self {
+            id: entry.id,
+            timestamp: entry.timestamp,
+            request_id: entry.request_id,
+            request_uri: entry.request_uri,
+            operation_id: entry.operation_id,
+            source_ip: entry.source_ip.ip(),
+            resource_id: entry.resource_id,
+            actor_id: entry.actor_id,
+            actor_silo_id: entry.actor_silo_id,
+            access_method: entry.access_method,
+            time_completed: entry.time_completed,
+            http_status_code: entry.http_status_code.0,
+            error_code: entry.error_code,
+            error_message: entry.error_message,
+        }
+    }
+}

nexus/db-model/src/audit_log.rs

@@ -12,6 +12,7 @@ extern crate newtype_derive;
 mod address_lot;
 mod affinity;
 mod allow_list;
+mod audit_log;
 mod bfd;
 mod bgp;
 mod block_size;
@@ -133,6 +134,7 @@ pub use self::unsigned::*;
 pub use address_lot::*;
 pub use affinity::*;
 pub use allow_list::*;
+pub use audit_log::*;
 pub use bfd::*;
 pub use bgp::*;
 pub use block_size::*;

nexus/db-model/src/lib.rs

@@ -2164,3 +2164,42 @@ table! {
         region_snapshot_snapshot_id -> Nullable<Uuid>,
     }
 }
+
+table! {
+    audit_log (id) {
+        id -> Uuid,
+        timestamp -> Timestamptz,
+        request_id -> Text,
+        request_uri -> Text,
+        operation_id -> Text,
+        source_ip -> Inet,
+        resource_type -> Text,
+        actor_id -> Nullable<Uuid>,
+        actor_silo_id -> Nullable<Uuid>,
+        access_method -> Nullable<Text>,
+        resource_id -> Nullable<Uuid>,
+        time_completed -> Nullable<Timestamptz>,
+        http_status_code -> Nullable<Int4>, // SqlU16
+        error_code -> Nullable<Text>,
+        error_message -> Nullable<Text>
+    }
+}
+
+table! {
+    audit_log_complete (id) {
+        id -> Uuid,
+        timestamp -> Timestamptz,
+        request_id -> Text,
+        request_uri -> Text,
+        operation_id -> Text,
+        source_ip -> Inet,
+        actor_id -> Nullable<Uuid>,
+        actor_silo_id -> Nullable<Uuid>,
+        access_method -> Nullable<Text>,
+        resource_id -> Nullable<Uuid>,
+        time_completed -> Timestamptz,
+        http_status_code -> Int4, // SqlU16
+        error_code -> Nullable<Text>,
+        error_message -> Nullable<Text>
+    }
+}

nexus/db-model/src/schema.rs

@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(130, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(131, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(131, "audit-log"),
         KnownVersion::new(130, "bp-sled-agent-generation"),
         KnownVersion::new(129, "create-target-release"),
         KnownVersion::new(128, "sled-resource-for-vmm"),