[3/n] /v1/me/access-tokens list and delete (#8227)

Built on top of #8137 and #8214.

This is only for a user to list and delete their own tokens. It doesn't
quite match RFD 570, which says `/v1/device-tokens` instead of
`/v1/me/access-tokens`, but it feels good under `/v1/me`, and after
trying to make the UI too, I think "access tokens" is much more
intuitive. If I stick with this, I will update RFD 570 to match.

~~I'm not sure about the path `/v1/device-tokens` — in the API we call
them `Device Access Tokens`. I think `/v1/access-tokens` might be more
intuitive because the `device` is sort of an implementation detail, it
refers to the OAuth device auth flow, which we are using. In practice,
the user just gets a token with the CLI and pastes a code into the web
UI and they don't have to think too much about it, so exposing that
detail in the name might not be worth it.~~ Went with
`/v1/me/access-tokens`.

- [x] Basic token list and delete
- [x] Basic integration tests
- [x] Finalize endpoint paths
- [x] Figure out authz story
  - Went with restricting datastore functions to current actor for now

Author: david-crespo

nexus/db-model/src/device_auth.rs

@@ -11,7 +11,7 @@ use nexus_db_schema::schema::{device_access_token, device_auth_request};
 
 use chrono::{DateTime, Duration, Utc};
 use nexus_types::external_api::views;
-use omicron_uuid_kinds::{AccessTokenKind, TypedUuid};
+use omicron_uuid_kinds::{AccessTokenKind, GenericUuid, TypedUuid};
 use rand::{Rng, RngCore, SeedableRng, distributions::Slice, rngs::StdRng};
 use uuid::Uuid;
 
@@ -173,6 +173,16 @@ impl From<DeviceAccessToken> for views::DeviceAccessTokenGrant {
     }
 }
 
+impl From<DeviceAccessToken> for views::DeviceAccessToken {
+    fn from(access_token: DeviceAccessToken) -> Self {
+        Self {
+            id: access_token.id.into_untyped_uuid(),
+            time_created: access_token.time_created,
+            time_expires: access_token.time_expires,
+        }
+    }
+}
+
 #[cfg(test)]
 mod test {
     use super::*;

nexus/db-queries/src/db/datastore/device_auth.rs

@@ -9,13 +9,18 @@ use crate::authz;
 use crate::context::OpContext;
 use crate::db::model::DeviceAccessToken;
 use crate::db::model::DeviceAuthRequest;
+use crate::db::pagination::paginated;
 use async_bb8_diesel::AsyncRunQueryDsl;
+use chrono::Utc;
 use diesel::prelude::*;
 use nexus_db_errors::ErrorHandler;
 use nexus_db_errors::public_error_from_diesel;
 use nexus_db_schema::schema::device_access_token;
 use omicron_common::api::external::CreateResult;
+use omicron_common::api::external::DataPageParams;
 use omicron_common::api::external::Error;
+use omicron_common::api::external::InternalContext;
+use omicron_common::api::external::ListResultVec;
 use omicron_common::api::external::LookupResult;
 use omicron_common::api::external::LookupType;
 use omicron_common::api::external::ResourceType;
@@ -176,4 +181,64 @@ impl DataStore {
                 )
             })
     }
+
+    // Similar to session hard delete and silo group list, we do not do a
+    // typical authz check, instead effectively encoding the policy here that
+    // any user is allowed to list and delete their own tokens. When we add the
+    // ability for silo admins to list and delete tokens from any user, we will
+    // have to model these permissions properly in the polar policy.
+
+    pub async fn current_user_token_list(
+        &self,
+        opctx: &OpContext,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<DeviceAccessToken> {
+        let &actor = opctx
+            .authn
+            .actor_required()
+            .internal_context("listing current user's tokens")?;
+
+        use nexus_db_schema::schema::device_access_token::dsl;
+        paginated(dsl::device_access_token, dsl::id, &pagparams)
+            .filter(dsl::silo_user_id.eq(actor.actor_id()))
+            // we don't have time_deleted on tokens. unfortunately this is not
+            // indexed well. maybe it can be!
+            .filter(
+                dsl::time_expires
+                    .is_null()
+                    .or(dsl::time_expires.gt(Utc::now())),
+            )
+            .select(DeviceAccessToken::as_select())
+            .load_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+
+    pub async fn current_user_token_delete(
+        &self,
+        opctx: &OpContext,
+        token_id: Uuid,
+    ) -> Result<(), Error> {
+        let &actor = opctx
+            .authn
+            .actor_required()
+            .internal_context("deleting current user's token")?;
+
+        use nexus_db_schema::schema::device_access_token::dsl;
+        let num_deleted = diesel::delete(dsl::device_access_token)
+            .filter(dsl::silo_user_id.eq(actor.actor_id()))
+            .filter(dsl::id.eq(token_id))
+            .execute_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+
+        if num_deleted == 0 {
+            return Err(Error::not_found_by_id(
+                ResourceType::DeviceAccessToken,
+                &token_id,
+            ));
+        }
+
+        Ok(())
+    }
 }

nexus/external-api/output/nexus_tags.txt

@@ -287,6 +287,11 @@ API operations found with tag "system/status"
 OPERATION ID                             METHOD   URL PATH
 ping                                     GET      /v1/ping
 
+API operations found with tag "tokens"
+OPERATION ID                             METHOD   URL PATH
+current_user_access_token_delete         DELETE   /v1/me/access-tokens/{token_id}
+current_user_access_token_list           GET      /v1/me/access-tokens
+
 API operations found with tag "vpcs"
 OPERATION ID                             METHOD   URL PATH
 internet_gateway_create                  POST     /v1/internet-gateways

nexus/external-api/src/lib.rs

@@ -162,6 +162,12 @@ const PUT_UPDATE_REPOSITORY_MAX_BYTES: usize = 4 * GIB;
                     url = "http://docs.oxide.computer/api/snapshots"
                 }
             },
+            "tokens" = {
+                description = "API clients use device access tokens for authentication.",
+                external_docs = {
+                    url = "http://docs.oxide.computer/api/tokens"
+                }
+            },
             "vpcs" = {
                 description = "Virtual Private Clouds (VPCs) provide isolated network environments for managing and deploying services.",
                 external_docs = {
@@ -3149,6 +3155,32 @@ pub trait NexusExternalApi {
         path_params: Path<params::SshKeyPath>,
     ) -> Result<HttpResponseDeleted, HttpError>;
 
+    /// List access tokens
+    ///
+    /// List device access tokens for the currently authenticated user.
+    #[endpoint {
+        method = GET,
+        path = "/v1/me/access-tokens",
+        tags = ["tokens"],
+    }]
+    async fn current_user_access_token_list(
+        rqctx: RequestContext<Self::Context>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError>;
+
+    /// Delete access token
+    ///
+    /// Delete a device access token for the currently authenticated user.
+    #[endpoint {
+        method = DELETE,
+        path = "/v1/me/access-tokens/{token_id}",
+        tags = ["tokens"],
+    }]
+    async fn current_user_access_token_delete(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::TokenPath>,
+    ) -> Result<HttpResponseDeleted, HttpError>;
+
     // Support bundles (experimental)
 
     /// List all support bundles

nexus/src/app/device_auth.rs

@@ -55,7 +55,9 @@ use nexus_db_queries::db::model::{DeviceAccessToken, DeviceAuthRequest};
 use anyhow::anyhow;
 use nexus_types::external_api::params::DeviceAccessTokenRequest;
 use nexus_types::external_api::views;
-use omicron_common::api::external::{CreateResult, Error};
+use omicron_common::api::external::{
+    CreateResult, DataPageParams, Error, ListResultVec,
+};
 
 use chrono::{Duration, Utc};
 use serde::Serialize;
@@ -291,4 +293,20 @@ impl super::Nexus {
             .header(header::CONTENT_TYPE, "application/json")
             .body(body.into())?)
     }
+
+    pub(crate) async fn current_user_token_list(
+        &self,
+        opctx: &OpContext,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<DeviceAccessToken> {
+        self.db_datastore.current_user_token_list(opctx, pagparams).await
+    }
+
+    pub(crate) async fn current_user_token_delete(
+        &self,
+        opctx: &OpContext,
+        token_id: Uuid,
+    ) -> Result<(), Error> {
+        self.db_datastore.current_user_token_delete(opctx, token_id).await
+    }
 }

nexus/src/external_api/http_entrypoints.rs

@@ -7068,6 +7068,57 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 
+    async fn current_user_access_token_list(
+        rqctx: RequestContext<Self::Context>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError>
+    {
+        let apictx = rqctx.context();
+        let handler = async {
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            let nexus = &apictx.context.nexus;
+            let query = query_params.into_inner();
+            let pag_params = data_page_params_for(&rqctx, &query)?;
+            let tokens = nexus
+                .current_user_token_list(&opctx, &pag_params)
+                .await?
+                .into_iter()
+                .map(views::DeviceAccessToken::from)
+                .collect();
+            Ok(HttpResponseOk(ScanById::results_page(
+                &query,
+                tokens,
+                &marker_for_id,
+            )?))
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
+    async fn current_user_access_token_delete(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::TokenPath>,
+    ) -> Result<HttpResponseDeleted, HttpError> {
+        let apictx = rqctx.context();
+        let handler = async {
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            let nexus = &apictx.context.nexus;
+            let path = path_params.into_inner();
+            nexus.current_user_token_delete(&opctx, path.token_id).await?;
+            Ok(HttpResponseDeleted())
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
     async fn support_bundle_list(
         rqctx: RequestContext<ApiContext>,
         query_params: Query<PaginatedById>,