[DRAFT] Add support for Silo groups

common/src/api/external/mod.rs

@@ -528,6 +528,7 @@ pub enum ResourceType {
     Fleet,
     Silo,
     SiloUser,
+    SiloGroup,
     IdentityProvider,
     SamlIdentityProvider,
     SshKey,

common/src/sql/dbinit.sql

@@ -274,13 +274,50 @@ CREATE UNIQUE INDEX ON omicron.public.silo_user (
 ) WHERE
     time_deleted IS NULL;
 
-CREATE TYPE omicron.public.provider_type AS ENUM (
-  'saml'
+/*
+ * Silo groups
+ */
+
+CREATE TABLE omicron.public.silo_group (
+    id UUID PRIMARY KEY,
+    time_created TIMESTAMPTZ NOT NULL,
+    time_modified TIMESTAMPTZ NOT NULL,
+    time_deleted TIMESTAMPTZ,
+
+    silo_id UUID NOT NULL,
+    external_id TEXT NOT NULL
+);
+
+CREATE UNIQUE INDEX ON omicron.public.silo_group (
+    silo_id,
+    external_id
+) WHERE
+    time_deleted IS NULL;
+
+/*
+ * Silo group membership
+ */
+
+CREATE TABLE omicron.public.silo_group_membership (
+    silo_group_id UUID NOT NULL,
+    silo_user_id UUID NOT NULL,
+
+    PRIMARY KEY (silo_group_id, silo_user_id)
+);
+
+CREATE INDEX ON omicron.public.silo_group_membership (
+    silo_user_id,
+    silo_group_id
 );
 
 /*
  * Silo identity provider list
  */
+
+CREATE TYPE omicron.public.provider_type AS ENUM (
+  'saml'
+);
+
 CREATE TABLE omicron.public.identity_provider (
     /* Identity metadata */
     id UUID PRIMARY KEY,
@@ -329,7 +366,9 @@ CREATE TABLE omicron.public.saml_identity_provider (
     technical_contact_email TEXT NOT NULL,
 
     public_cert TEXT,
-    private_key TEXT
+    private_key TEXT,
+
+    group_attribute_name TEXT
 );
 
 CREATE INDEX ON omicron.public.saml_identity_provider (
@@ -1422,7 +1461,8 @@ CREATE TABLE omicron.public.role_builtin (
 
 CREATE TYPE omicron.public.identity_type AS ENUM (
   'user_builtin',
-  'silo_user'
+  'silo_user',
+  'silo_group'
 );
 
 CREATE TABLE omicron.public.role_assignment (

nexus/Cargo.toml

@@ -9,7 +9,7 @@ path = "../rpaths"
 
 [dependencies]
 anyhow = "1.0"
-async-bb8-diesel = { git = "https://github.com/oxidecomputer/async-bb8-diesel", rev = "ab1f49e0b3f95557aa96bf593282199fafeef4bd" }
+async-bb8-diesel = { git = "https://github.com/oxidecomputer/async-bb8-diesel", rev = "51de79fe02b334899be5d5fd8b469f9d140ea887" }
 async-trait = "0.1.56"
 base64 = "0.13.0"
 bb8 = "0.8.0"

nexus/db-macros/src/lookup.rs

@@ -22,7 +22,7 @@ pub struct Input {
     /// Name of the resource
     ///
     /// This is taken as the name of the database model type in
-    /// `omicron_nexus::db::model`, the name of the authz type in
+    /// `omicron_nexus::db_model`, the name of the authz type in
     /// `omicron_nexus::authz`, and will be the name of the new type created by
     /// this macro.  The snake case version of the name is taken as the name of
     /// the Diesel table interface in `db::schema`.
@@ -537,6 +537,13 @@ fn generate_lookup_methods(config: &Config) -> TokenStream {
             self.fetch_for(authz::Action::Read).await
         }
 
+        /// Turn the Result<T, E> of [`fetch`] into a Result<Option<T>, E>.
+        pub async fn optional_fetch(
+            &self,
+        ) -> LookupResult<Option<(#(authz::#path_types,)* nexus_db_model::#resource_name)>> {
+            self.optional_fetch_for(authz::Action::Read).await
+        }
+
         /// Fetch the record corresponding to the selected resource and
         /// check whether the caller is allowed to do the specified `action`
         ///
@@ -571,6 +578,25 @@ fn generate_lookup_methods(config: &Config) -> TokenStream {
             #silo_check_fetch
         }
 
+        /// Turn the Result<T, E> of [`fetch_for`] into a Result<Option<T>, E>.
+        pub async fn optional_fetch_for(
+            &self,
+            action: authz::Action,
+        ) -> LookupResult<Option<(#(authz::#path_types,)* nexus_db_model::#resource_name)>> {
+            let result = self.fetch_for(action).await;
+
+            match result {
+                Err(Error::ObjectNotFound {
+                    type_name: _,
+                    lookup_type: _,
+                }) => Ok(None),
+
+                _ => {
+                    Ok(Some(result?))
+                }
+            }
+        }
+
         /// Fetch an `authz` object for the selected resource and check
         /// whether the caller is allowed to do the specified `action`
         ///
@@ -592,6 +618,25 @@ fn generate_lookup_methods(config: &Config) -> TokenStream {
             #silo_check_lookup
         }
 
+        /// Turn the Result<T, E> of [`lookup_for`] into a Result<Option<T>, E>.
+        pub async fn optional_lookup_for(
+            &self,
+            action: authz::Action,
+        ) -> LookupResult<Option<(#(authz::#path_types,)*)>> {
+            let result = self.lookup_for(action).await;
+
+            match result {
+                Err(Error::ObjectNotFound {
+                    type_name: _,
+                    lookup_type: _,
+                }) => Ok(None),
+
+                _ => {
+                    Ok(Some(result?))
+                }
+            }
+        }
+
         /// Fetch the "authz" objects for the selected resource and all its
         /// parents
         ///

nexus/db-model/src/identity_provider.rs

@@ -60,15 +60,31 @@ pub struct SamlIdentityProvider {
 
     pub silo_id: Uuid,
 
+    /// idp descriptor
     pub idp_metadata_document_string: String,
 
+    /// idp's entity id
     pub idp_entity_id: String,
+
+    /// sp's client id
     pub sp_client_id: String,
+
+    /// service provider endpoint where the response will be sent
     pub acs_url: String,
+
+    /// service provider endpoint where the idp should send log out requests
     pub slo_url: String,
+
+    /// customer's technical contact for saml configuration
     pub technical_contact_email: String,
+
+    /// base64 encoded DER corresponding to X509 pair
     pub public_cert: Option<String>,
     pub private_key: Option<String>,
+
+    /// if set, attributes with this name will be considered to denote a user's
+    /// group membership, where the values will be the group names.
+    pub group_attribute_name: Option<String>,
 }
 
 impl From<SamlIdentityProvider> for views::SamlIdentityProvider {

nexus/db-model/src/lib.rs

@@ -48,6 +48,7 @@ pub mod schema;
 mod service;
 mod service_kind;
 mod silo;
+mod silo_group;
 mod silo_user;
 mod sled;
 mod snapshot;
@@ -110,6 +111,7 @@ pub use role_builtin::*;
 pub use service::*;
 pub use service_kind::*;
 pub use silo::*;
+pub use silo_group::*;
 pub use silo_user::*;
 pub use sled::*;
 pub use snapshot::*;

nexus/db-model/src/role_assignment.rs

@@ -30,12 +30,14 @@ impl_enum_type!(
     // Enum values
     UserBuiltin => b"user_builtin"
     SiloUser => b"silo_user"
+    SiloGroup => b"silo_group"
 );
 
 impl From<shared::IdentityType> for IdentityType {
     fn from(other: shared::IdentityType) -> Self {
         match other {
             shared::IdentityType::SiloUser => IdentityType::SiloUser,
+            shared::IdentityType::SiloGroup => IdentityType::SiloGroup,
         }
     }
 }
@@ -49,6 +51,7 @@ impl TryFrom<IdentityType> for shared::IdentityType {
                 Err(anyhow!("unsupported db identity type: {:?}", other))
             }
             IdentityType::SiloUser => Ok(shared::IdentityType::SiloUser),
+            IdentityType::SiloGroup => Ok(shared::IdentityType::SiloGroup),
         }
     }
 }

nexus/db-model/src/schema.rs

@@ -192,6 +192,7 @@ table! {
 
         discoverable -> Bool,
         user_provision_type -> crate::UserProvisionTypeEnum,
+
         rcgen -> Int8,
     }
 }
@@ -208,6 +209,28 @@ table! {
     }
 }
 
+table! {
+    silo_group (id) {
+        id -> Uuid,
+        time_created -> Timestamptz,
+        time_modified -> Timestamptz,
+        time_deleted -> Nullable<Timestamptz>,
+
+        silo_id -> Uuid,
+        external_id -> Text,
+    }
+}
+
+table! {
+    silo_group_membership (silo_group_id, silo_user_id) {
+        silo_group_id -> Uuid,
+        silo_user_id -> Uuid,
+    }
+}
+
+allow_tables_to_appear_in_same_query!(silo_group, silo_group_membership);
+allow_tables_to_appear_in_same_query!(role_assignment, silo_group_membership);
+
 table! {
     identity_provider (silo_id, id) {
         id -> Uuid,
@@ -242,6 +265,7 @@ table! {
         technical_contact_email -> Text,
         public_cert -> Nullable<Text>,
         private_key -> Nullable<Text>,
+        group_attribute_name -> Nullable<Text>,
     }
 }
 

nexus/db-model/src/silo_group.rs

@@ -0,0 +1,40 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+use crate::schema::{silo_group, silo_group_membership};
+use db_macros::Asset;
+use uuid::Uuid;
+
+/// Describes a silo group within the database.
+#[derive(Asset, Queryable, Insertable, Debug, Selectable)]
+#[diesel(table_name = silo_group)]
+pub struct SiloGroup {
+    #[diesel(embed)]
+    identity: SiloGroupIdentity,
+
+    pub silo_id: Uuid,
+
+    /// The identity provider's name for this group.
+    pub external_id: String,
+}
+
+impl SiloGroup {
+    pub fn new(id: Uuid, silo_id: Uuid, external_id: String) -> Self {
+        Self { identity: SiloGroupIdentity::new(id), silo_id, external_id }
+    }
+}
+
+/// Describe which silo users belong to which silo groups
+#[derive(Queryable, Insertable, Debug, Selectable)]
+#[diesel(table_name = silo_group_membership)]
+pub struct SiloGroupMembership {
+    pub silo_group_id: Uuid,
+    pub silo_user_id: Uuid,
+}
+
+impl SiloGroupMembership {
+    pub fn new(silo_group_id: Uuid, silo_user_id: Uuid) -> Self {
+        Self { silo_group_id, silo_user_id }
+    }
+}