UserSessions -> SiloUserAuthnList

Author: david-crespo

nexus/auth/src/authz/api_resources.rs

@@ -668,14 +668,14 @@ impl AuthorizedResource for SiloUserList {
     }
 }
 
-// TODO: does it make sense to use a single authz resource to represent
-// both user sessions and tokens? seems silly to have two identical ones
+// TODO: does it make sense to use a single resource to represent both user
+// sessions and tokens? it seems silly to have two identical ones
 
 /// Synthetic resource for managing a user's sessions and tokens
 #[derive(Clone, Debug, Eq, PartialEq)]
-pub struct UserSessions(SiloUser);
+pub struct SiloUserAuthnList(SiloUser);
 
-impl UserSessions {
+impl SiloUserAuthnList {
     pub fn new(silo_user: SiloUser) -> Self {
         Self(silo_user)
     }
@@ -689,16 +689,18 @@ impl UserSessions {
     }
 }
 
-impl oso::PolarClass for UserSessions {
+impl oso::PolarClass for SiloUserAuthnList {
     fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
         oso::Class::builder().with_equality_check().add_attribute_getter(
             "silo_user",
-            |user_sessions: &UserSessions| user_sessions.silo_user().clone(),
+            |user_sessions: &SiloUserAuthnList| {
+                user_sessions.silo_user().clone()
+            },
         )
     }
 }
 
-impl AuthorizedResource for UserSessions {
+impl AuthorizedResource for SiloUserAuthnList {
     fn load_roles<'fut>(
         &'fut self,
         opctx: &'fut OpContext,

nexus/auth/src/authz/omicron.polar

@@ -451,18 +451,18 @@ has_relation(fleet: Fleet, "parent_fleet", collection: ConsoleSessionList)
 	if collection.fleet = fleet;
 
 # Allow silo admins to delete user sessions
-resource UserSessions {
+resource SiloUserAuthnList {
     permissions = [ "modify" ];
     relations = { parent_silo: Silo };
 
     # A silo admin can modify (e.g., delete) a user's sessions.
     "modify" if "admin" on "parent_silo";
 }
-has_relation(silo: Silo, "parent_silo", sessions: UserSessions)
+has_relation(silo: Silo, "parent_silo", sessions: SiloUserAuthnList)
     if sessions.silo_user.silo = silo;
 
 # also give users 'modify' on their own sessions
-has_permission(actor: AuthenticatedActor, "modify", sessions: UserSessions)
+has_permission(actor: AuthenticatedActor, "modify", sessions: SiloUserAuthnList)
     if actor.equals_silo_user(sessions.silo_user);
 
 # Describes the policy for creating and managing device authorization requests.

nexus/auth/src/authz/oso_generic.rs

@@ -113,9 +113,9 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         DeviceAuthRequestList::get_polar_class(),
         SiloCertificateList::get_polar_class(),
         SiloIdentityProviderList::get_polar_class(),
+        SiloUserAuthnList::get_polar_class(),
         SiloUserList::get_polar_class(),
         UpdateTrustRootList::get_polar_class(),
-        UserSessions::get_polar_class(),
         TargetReleaseConfig::get_polar_class(),
         AlertClassList::get_polar_class(),
     ];

nexus/db-queries/src/policy_test/resource_builder.rs

@@ -346,7 +346,7 @@ impl DynAuthorizedResource for authz::SiloUserList {
     }
 }
 
-impl DynAuthorizedResource for authz::UserSessions {
+impl DynAuthorizedResource for authz::SiloUserAuthnList {
     fn do_authorize<'a, 'b>(
         &'a self,
         opctx: &'b OpContext,

nexus/db-queries/src/policy_test/resources.rs

@@ -281,7 +281,7 @@ async fn make_silo(
         silo_image_id,
         LookupType::ByName(format!("{}-silo-image", silo_name)),
     ));
-    builder.new_resource(authz::UserSessions::new(silo_user));
+    builder.new_resource(authz::SiloUserAuthnList::new(silo_user));
 
     // Image is a special case in that this resource is technically just a
     // pass-through for `SiloImage` and `ProjectImage` resources.

nexus/src/app/silo.rs

@@ -325,7 +325,7 @@ impl super::Nexus {
             .await?;
 
         let authz_user_sessions =
-            authz::UserSessions::new(authz_silo_user.clone());
+            authz::SiloUserAuthnList::new(authz_silo_user.clone());
         // TODO: would rather do this check in the datastore functions
         opctx.authorize(authz::Action::Modify, &authz_user_sessions).await?;