Silo admin endpoints for user logout + listing tokens and sessions

[david-crespo]

The idea here is that to disable a user's access to the system, admins first disable that user's ability to log in on the IdP side and then hit this endpoint to remove all of their existing credentials on our end. The centerpiece is the logout endpoint, but I added the endpoints for listing sessions and tokens because someone pointed out you really want to see those come back empty after logout. They're also kind of useful anyway. Then I added user_view just because it wouldn't make sense to have token and session list endpoints hanging off /v1/users/{user_id} without having that defined.

• Add /v1/users/{user_id}/logout that deletes all of the user's tokens and sessions
• Add new authz resource SiloUserAuthnList letting us authorize that action for silo admins specifically (can't use silo modify because fleet collaborator and admin get that on all silos)
• Update IAM policy test
• Test that logout deletes tokens and the right perms are enforced
• Test that logout deletes sessions and the right perms are enforced
• Add user_view and user_token_list and user_session_list endpoints for symmetry and to give the admin a warm fuzzy feeling when they see that the tokens and sessions are in fact gone (also makes testing a little cleaner)
• Fix session list including expired sessions (and test it)
• Think about whether we need to do something about dueling admins issues, i.e., what if the person you're trying to disable are themselves a silo admin and they log everyone else out of the silo. The only solution I can think of off the top of my head is an operator-level version of this endpoint that can be used by a user outside of the silo in question.

[david-crespo]

This is the major outstanding issue. I will probably make the fix a separate PR on top of this one because it's an actual change, not just an addition.

[hawkw]

Mm, I like the idea of the proposed refactor --- generally it seems nicer to represent things as deadlines, I think. I agree that it's a big enough change that it could be done subsequently. In the meantime, might we want to cruft together a thing that filters such sessions out of the returned Vec in Rust code?

Do you think it's worth opening an issue to track that, in addition to/instead of the TODO comment?

[david-crespo]

I don't think we need to filter them out of the Vec for the quick fix — we can get the expiration cutoffs based on the idle and absolute session timeouts in the Nexus config and stick them right in the SQL query.

I'm going to attempt the proper fix in a separate PR and if it's easy enough I'll put it underneath this one. If it's too hard, I'll make the quick fix here and make and issue for the real fix.

[david-crespo]

I did the hack fix in 13af0ac, complete with beautiful test. Issue for real fix in #8625 — I intend to get that in for v16, so the hack will not have to actually be in the wild. But I think it is fine if it has to wait for v17.

[hawkw]

Hmm, how would that work? Is that a question you want to answer before merging this branch?

[david-crespo]

Status quo is the single resource version (I meant resource from the POV of authz). I think it would be simple to have two instead, I would just make a second one and name one tokens and one sessions, and use each as appropriate. Since that can be done any time we need to distinguish the two (we may never have to) I am inclined to solve this by deleting the comment.

[david-crespo]

In c3c070e and 0e5a179 I ended up going the other way, namely splitting the authz resource into two: one for sessions and one for tokens. While doing that I realized that there is existing authz resource for the session list, which we use to give the external authenticator user permission to create sessions for users. Tokens, work a little differently -- apparently tokens are children of the user, so we check create_child on the user (which seems a bit weird). Made #8628 about merging the two session list concepts.

omicron/nexus/db-queries/src/db/datastore/device_auth.rs

Lines 96 to 97 in 464e168

	opctx.authorize(authz::Action::Delete, authz_request).await?;
	opctx.authorize(authz::Action::CreateChild, authz_user).await?;

The session and token lists are identical for now, but they would probably diverge if I eventually did the work to merge them with the existing session and token list authz concepts.

[hawkw]

Mm, I like the idea of the proposed refactor --- generally it seems nicer to represent things as deadlines, I think. I agree that it's a big enough change that it could be done subsequently. In the meantime, might we want to cruft together a thing that filters such sessions out of the returned Vec in Rust code?

Do you think it's worth opening an issue to track that, in addition to/instead of the TODO comment?

[hawkw]

I had one last nitpick about positional args, which you are welcome to ignore --- i know that's kind of pedantic. Otherwise, this looks good to me, regardless of whether you end up changing that bit or not.

[hawkw]

nitpicky, sorry: I really don't like when a function has two or more positional arguments of the same type, because when you call the function, you have to remember which is which, and it's easy to transpose them etc by mistake. It might be nicer to have a quick

#[derive(Copy, Clone)]
pub struct SessionTtls {
    pub idle: TimeDelta,
    pub abs: TimeDelta,
}

so they're distinguished by name at the call site instead of by which order they're passed in?

[david-crespo]

Yeah, I thought about doing this to make it all less sketchy-feeling. Will do (maybe in a followup PR so I can get this merged ASAP).

[hawkw]

The new comment makes me less sad about the POST, thank you!