[nexus] Split authn/authz and db-fixed-data into new crates (#5849)

As a part of the ongoing effort to split Nexus into smaller pieces, this
PR splits out two new crates:

- `nexus-auth` takes the contents of `nexus/db-queries/src/auth{n,z}`,
as well as `nexus/db-queries/src/context.rs`, and separates this logic
into a new bespoke crate. Although this crate **does** have a dependency
on the datastore itself, it only actually invokes a single method, and
can be abstracted via a new trait, defined in `nexus/auth/storage`.
- `nexus-db-fixed-data` takes the contents of
`nexus/db-queries/src/db/fixed-data` and separates this logic into a new
crate.

Author: smklein

Cargo.lock

@@ -39,6 +39,8 @@ members = [
     "nexus",
     "nexus-config",
     "nexus/authz-macros",
+    "nexus/auth",
+    "nexus/db-fixed-data",
     "nexus/db-macros",
     "nexus/db-model",
     "nexus/db-queries",
@@ -123,9 +125,11 @@ default-members = [
     "nexus",
     "nexus-config",
     "nexus/authz-macros",
+    "nexus/auth",
     "nexus/macros-common",
     "nexus/metrics-producer-gc",
     "nexus/networking",
+    "nexus/db-fixed-data",
     "nexus/db-macros",
     "nexus/db-model",
     "nexus/db-queries",
@@ -317,8 +321,10 @@ newtype_derive = "0.1.6"
 mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "5630887d0373857f77cb264f84aa19bdec720ce3" }
 ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "5630887d0373857f77cb264f84aa19bdec720ce3" }
 multimap = "0.10.0"
+nexus-auth = { path = "nexus/auth" }
 nexus-client = { path = "clients/nexus-client" }
 nexus-config = { path = "nexus-config" }
+nexus-db-fixed-data = { path = "nexus/db-fixed-data" }
 nexus-db-model = { path = "nexus/db-model" }
 nexus-db-queries = { path = "nexus/db-queries" }
 nexus-defaults = { path = "nexus/defaults" }

Cargo.toml

@@ -86,6 +86,7 @@ tough.workspace = true
 trust-dns-resolver.workspace = true
 uuid.workspace = true
 
+nexus-auth.workspace = true
 nexus-defaults.workspace = true
 nexus-db-model.workspace = true
 nexus-db-queries.workspace = true

nexus/Cargo.toml

@@ -0,0 +1,48 @@
+[package]
+name = "nexus-auth"
+version = "0.1.0"
+edition = "2021"
+license = "MPL-2.0"
+
+[lints]
+workspace = true
+
+[build-dependencies]
+omicron-rpaths.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+async-trait.workspace = true
+base64.workspace = true
+chrono.workspace = true
+cookie.workspace = true
+dropshot.workspace = true
+futures.workspace = true
+headers.workspace = true
+http.workspace = true
+hyper.workspace = true
+newtype_derive.workspace = true
+# See omicron-rpaths for more about the "pq-sys" dependency.
+pq-sys = "*"
+once_cell.workspace = true
+openssl.workspace = true
+oso.workspace = true
+samael.workspace = true
+serde.workspace = true
+serde_urlencoded.workspace = true
+slog.workspace = true
+strum.workspace = true
+thiserror.workspace = true
+tokio = { workspace = true, features = ["full"] }
+uuid.workspace = true
+
+authz-macros.workspace = true
+nexus-db-fixed-data.workspace = true
+nexus-db-model.workspace = true
+nexus-types.workspace = true
+omicron-common.workspace = true
+omicron-uuid-kinds.workspace = true
+omicron-workspace-hack.workspace = true
+
+[dev-dependencies]
+omicron-test-utils.workspace = true

nexus/auth/Cargo.toml

@@ -0,0 +1,10 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// See omicron-rpaths for documentation.
+// NOTE: This file MUST be kept in sync with the other build.rs files in this
+// repository.
+fn main() {
+    omicron_rpaths::configure_default_omicron_rpaths();
+}

nexus/auth/build.rs

@@ -9,6 +9,8 @@ use dropshot::{
     ApiEndpointBodyContentType, ExtensionMode, ExtractorMetadata, HttpError,
     RequestContext, ServerContext, SharedExtractor,
 };
+use newtype_derive::NewtypeDeref;
+use newtype_derive::NewtypeFrom;
 
 pub fn parse_cookies(
     headers: &http::HeaderMap<http::HeaderValue>,

nexus/db-queries/src/authn/external/cookies.rs renamed to nexus/auth/src/authn/external/cookies.rs

@@ -9,6 +9,7 @@ use super::SiloAuthnPolicy;
 use crate::authn;
 use async_trait::async_trait;
 use authn::Reason;
+use slog::trace;
 use std::borrow::Borrow;
 use uuid::Uuid;
 

nexus/db-queries/src/authn/external/mod.rs renamed to nexus/auth/src/authn/external/mod.rs

@@ -13,6 +13,7 @@ use async_trait::async_trait;
 use chrono::{DateTime, Duration, Utc};
 use dropshot::HttpError;
 use http::HeaderValue;
+use slog::debug;
 use uuid::Uuid;
 
 // many parts of the implementation will reference this OWASP guide

nexus/db-queries/src/authn/external/session_cookie.rs renamed to nexus/auth/src/authn/external/session_cookie.rs

@@ -17,6 +17,7 @@ use async_trait::async_trait;
 use headers::authorization::{Authorization, Bearer};
 use headers::HeaderMapExt;
 use once_cell::sync::Lazy;
+use slog::debug;
 use uuid::Uuid;
 
 // This scheme is intended for demos, development, and testing until we have a

nexus/db-queries/src/authn/external/spoof.rs renamed to nexus/auth/src/authn/external/spoof.rs

@@ -28,22 +28,21 @@ pub mod external;
 pub mod saga;
 pub mod silos;
 
-pub use crate::db::fixed_data::silo_user::USER_TEST_PRIVILEGED;
-pub use crate::db::fixed_data::silo_user::USER_TEST_UNPRIVILEGED;
-pub use crate::db::fixed_data::user_builtin::USER_DB_INIT;
-pub use crate::db::fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
-pub use crate::db::fixed_data::user_builtin::USER_INTERNAL_API;
-pub use crate::db::fixed_data::user_builtin::USER_INTERNAL_READ;
-pub use crate::db::fixed_data::user_builtin::USER_SAGA_RECOVERY;
-pub use crate::db::fixed_data::user_builtin::USER_SERVICE_BALANCER;
-use crate::db::model::ConsoleSession;
+pub use nexus_db_fixed_data::silo_user::USER_TEST_PRIVILEGED;
+pub use nexus_db_fixed_data::silo_user::USER_TEST_UNPRIVILEGED;
+pub use nexus_db_fixed_data::user_builtin::USER_DB_INIT;
+pub use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
+pub use nexus_db_fixed_data::user_builtin::USER_INTERNAL_API;
+pub use nexus_db_fixed_data::user_builtin::USER_INTERNAL_READ;
+pub use nexus_db_fixed_data::user_builtin::USER_SAGA_RECOVERY;
+pub use nexus_db_fixed_data::user_builtin::USER_SERVICE_BALANCER;
 
 use crate::authz;
-use crate::db;
-use crate::db::fixed_data::silo::DEFAULT_SILO;
-use crate::db::identity::Asset;
+use newtype_derive::NewtypeDisplay;
+use nexus_db_fixed_data::silo::DEFAULT_SILO;
 use nexus_types::external_api::shared::FleetRole;
 use nexus_types::external_api::shared::SiloRole;
+use nexus_types::identity::Asset;
 use omicron_common::api::external::LookupType;
 use serde::Deserialize;
 use serde::Serialize;
@@ -254,7 +253,6 @@ pub struct SiloAuthnPolicy {
 }
 
 impl SiloAuthnPolicy {
-    #[cfg(test)]
     pub fn new(
         mapped_fleet_roles: BTreeMap<SiloRole, BTreeSet<FleetRole>>,
     ) -> SiloAuthnPolicy {
@@ -290,8 +288,8 @@ mod test {
     use super::USER_SERVICE_BALANCER;
     use super::USER_TEST_PRIVILEGED;
     use super::USER_TEST_UNPRIVILEGED;
-    use crate::db::fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
-    use crate::db::identity::Asset;
+    use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
+    use nexus_types::identity::Asset;
 
     #[test]
     fn test_internal_users() {
@@ -386,11 +384,13 @@ impl Actor {
     }
 }
 
-impl From<&Actor> for db::model::IdentityType {
-    fn from(actor: &Actor) -> db::model::IdentityType {
+impl From<&Actor> for nexus_db_model::IdentityType {
+    fn from(actor: &Actor) -> nexus_db_model::IdentityType {
         match actor {
-            Actor::UserBuiltin { .. } => db::model::IdentityType::UserBuiltin,
-            Actor::SiloUser { .. } => db::model::IdentityType::SiloUser,
+            Actor::UserBuiltin { .. } => {
+                nexus_db_model::IdentityType::UserBuiltin
+            }
+            Actor::SiloUser { .. } => nexus_db_model::IdentityType::SiloUser,
         }
     }
 }
@@ -421,7 +421,7 @@ impl std::fmt::Debug for Actor {
 /// A console session with the silo id of the authenticated user
 #[derive(Clone, Debug)]
 pub struct ConsoleSessionWithSiloId {
-    pub console_session: ConsoleSession,
+    pub console_session: nexus_db_model::ConsoleSession,
     pub silo_id: Uuid,
 }