
Commit 041313d

committed
UserSessions -> SiloUserAuthnList
1 parent 0419e33 commit 041313d


6 files changed

+16
-14
lines changed


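--- a/nexus/auth/src/authz/api_resources.rs
+++ b/nexus/auth/src/authz/api_resources.rs
@@ -668,14 +668,14 @@ impl AuthorizedResource for SiloUserList {
 }
 }
 
-// TODO: does it make sense to use a single authz resource to represent
-// both user sessions and tokens? seems silly to have two identical ones
+// TODO: does it make sense to use a single resource to represent both user
+// sessions and tokens? it seems silly to have two identical ones
 
 /// Synthetic resource for managing a user's sessions and tokens
 #[derive(Clone, Debug, Eq, PartialEq)]
-pub struct UserSessions(SiloUser);
+pub struct SiloUserAuthnList(SiloUser);
 
-impl UserSessions {
+impl SiloUserAuthnList {
 pub fn new(silo_user: SiloUser) -> Self {
 Self(silo_user)
 }
@@ -689,16 +689,18 @@ impl UserSessions {
 }
 }
 
-impl oso::PolarClass for UserSessions {
+impl oso::PolarClass for SiloUserAuthnList {
 fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
 oso::Class::builder().with_equality_check().add_attribute_getter(
 "silo_user",
-|user_sessions: &UserSessions| user_sessions.silo_user().clone(),
+|user_sessions: &SiloUserAuthnList| {
+user_sessions.silo_user().clone()
+},
 )
 }
 }
 
-impl AuthorizedResource for UserSessions {
+impl AuthorizedResource for SiloUserAuthnList {
 fn load_roles<'fut>(
 &'fut self,
 opctx: &'fut OpContext,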

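--- a/nexus/auth/src/authz/omicron.polar
+++ b/nexus/auth/src/authz/omicron.polar
@@ -451,18 +451,18 @@ has_relation(fleet: Fleet, "parent_fleet", collection: ConsoleSessionList)
 if collection.fleet = fleet;
 
 # Allow silo admins to delete user sessions
-resource UserSessions {
+resource SiloUserAuthnList {
 permissions = [ "modify" ];
 relations = { parent_silo: Silo };
 
 # A silo admin can modify (e.g., delete) a user's sessions.
 "modify" if "admin" on "parent_silo";
 }
-has_relation(silo: Silo, "parent_silo", sessions: UserSessions)
+has_relation(silo: Silo, "parent_silo", sessions: SiloUserAuthnList)
 if sessions.silo_user.silo = silo;
 
 # also give users 'modify' on their own sessions
-has_permission(actor: AuthenticatedActor, "modify", sessions: UserSessions)
+has_permission(actor: AuthenticatedActor, "modify", sessions: SiloUserAuthnList)
 if actor.equals_silo_user(sessions.silo_user);
 
 # Describes the policy for creating and managing device authorization requests.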

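--- a/nexus/auth/src/authz/oso_generic.rs
+++ b/nexus/auth/src/authz/oso_generic.rs
@@ -113,9 +113,9 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
 DeviceAuthRequestList::get_polar_class(),
 SiloCertificateList::get_polar_class(),
 SiloIdentityProviderList::get_polar_class(),
+SiloUserAuthnList::get_polar_class(),
 SiloUserList::get_polar_class(),
 UpdateTrustRootList::get_polar_class(),
-UserSessions::get_polar_class(),
 TargetReleaseConfig::get_polar_class(),
 AlertClassList::get_polar_class(),
 ];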

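--- a/nexus/db-queries/src/policy_test/resource_builder.rs
+++ b/nexus/db-queries/src/policy_test/resource_builder.rs
@@ -346,7 +346,7 @@ impl DynAuthorizedResource for authz::SiloUserList {
 }
 }
 
-impl DynAuthorizedResource for authz::UserSessions {
+impl DynAuthorizedResource for authz::SiloUserAuthnList {
 fn do_authorize<'a, 'b>(
 &'a self,
 opctx: &'b OpContext,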

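--- a/nexus/db-queries/src/policy_test/resources.rs
+++ b/nexus/db-queries/src/policy_test/resources.rs
@@ -281,7 +281,7 @@ async fn make_silo(
 silo_image_id,
 LookupType::ByName(format!("{}-silo-image", silo_name)),
 ));
-builder.new_resource(authz::UserSessions::new(silo_user));
+builder.new_resource(authz::SiloUserAuthnList::new(silo_user));
 
 // Image is a special case in that this resource is technically just a
 // pass-through for `SiloImage` and `ProjectImage` resources.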

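--- a/nexus/src/app/silo.rs
+++ b/nexus/src/app/silo.rs
@@ -325,7 +325,7 @@ impl super::Nexus {
 .await?;
 
 let authz_user_sessions =
-authz::UserSessions::new(authz_silo_user.clone());
+authz::SiloUserAuthnList::new(authz_silo_user.clone());
 // TODO: would rather do this check in the datastore functions
 opctx.authorize(authz::Action::Modify, &authz_user_sessions).await?;
 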