endpoint for silo admin to expire all user's tokens and sessions

Author: david-crespo

nexus/db-queries/src/db/datastore/console_session.rs

@@ -12,6 +12,8 @@ use crate::db::model::ConsoleSession;
 use async_bb8_diesel::AsyncRunQueryDsl;
 use chrono::Utc;
 use diesel::prelude::*;
+use nexus_db_errors::ErrorHandler;
+use nexus_db_errors::public_error_from_diesel;
 use nexus_db_lookup::LookupPath;
 use nexus_db_schema::schema::console_session;
 use omicron_common::api::external::CreateResult;
@@ -154,4 +156,23 @@ impl DataStore {
                 ))
             })
     }
+
+    /// Delete all session for the user
+    pub async fn silo_user_sessions_delete(
+        &self,
+        opctx: &OpContext,
+        user: &authz::SiloUser,
+    ) -> Result<(), Error> {
+        // TODO: check for silo admin on opctx
+        // TODO: ensure this can only be used in current silo
+        // TODO: think about dueling admins problem
+
+        use nexus_db_schema::schema::console_session;
+        diesel::delete(console_session::table)
+            .filter(console_session::silo_user_id.eq(user.id()))
+            .execute_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+            .map(|_x| ())
+    }
 }

nexus/db-queries/src/db/datastore/device_auth.rs

@@ -241,4 +241,23 @@ impl DataStore {
 
         Ok(())
     }
+
+    /// Delete all tokens for the user
+    pub async fn silo_user_tokens_delete(
+        &self,
+        opctx: &OpContext,
+        user: &authz::SiloUser,
+    ) -> Result<(), Error> {
+        // TODO: check for silo admin on opctx
+        // TODO: ensure this can only be used in current silo
+        // TODO: think about dueling admins problem
+
+        use nexus_db_schema::schema::device_access_token;
+        diesel::delete(device_access_token::table)
+            .filter(device_access_token::silo_user_id.eq(user.id()))
+            .execute_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+            .map(|_x| ())
+    }
 }

nexus/external-api/src/lib.rs

@@ -3008,6 +3008,17 @@ pub trait NexusExternalApi {
         query_params: Query<PaginatedById<params::OptionalGroupSelector>>,
     ) -> Result<HttpResponseOk<ResultsPage<views::User>>, HttpError>;
 
+    /// Expire all user's tokens and sessions
+    #[endpoint {
+        method = POST,
+        path = "/v1/users/{user_id}/logout",
+        tags = ["silos"],
+    }]
+    async fn user_logout(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError>;
+
     // Silo groups
 
     /// List groups

nexus/src/app/silo.rs

@@ -313,6 +313,28 @@ impl super::Nexus {
         Ok(db_silo_user)
     }
 
+    /// Fetch a user in a Silo
+    pub(crate) async fn current_silo_user_logout(
+        &self,
+        opctx: &OpContext,
+        silo_user_id: Uuid,
+    ) -> UpdateResult<()> {
+        let (_, authz_silo_user, _) = LookupPath::new(opctx, self.datastore())
+            .silo_user_id(silo_user_id)
+            .fetch()
+            .await?;
+
+        self.datastore()
+            .silo_user_tokens_delete(opctx, &authz_silo_user)
+            .await?;
+
+        self.datastore()
+            .silo_user_sessions_delete(opctx, &authz_silo_user)
+            .await?;
+
+        Ok(())
+    }
+
     // The "local" identity provider (available only in `LocalOnly` Silos)
 
     /// Helper function for looking up a LocalOnly Silo by name

nexus/src/external_api/http_entrypoints.rs

@@ -6705,6 +6705,26 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 
+    async fn user_logout(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+    ) -> Result<HttpResponseUpdatedNoContent, HttpError> {
+        let apictx = rqctx.context();
+        let handler = async {
+            let nexus = &apictx.context.nexus;
+            let path = path_params.into_inner();
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            nexus.current_silo_user_logout(&opctx, path.user_id).await?;
+            Ok(HttpResponseUpdatedNoContent())
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
     // Silo groups
 
     async fn group_list(

nexus/types/src/external_api/params.rs

@@ -96,6 +96,7 @@ path_param!(CertificatePath, certificate, "certificate");
 
 id_path_param!(SupportBundlePath, bundle_id, "support bundle");
 id_path_param!(GroupPath, group_id, "group");
+id_path_param!(UserPath, user_id, "user");
 id_path_param!(TokenPath, token_id, "token");
 
 // TODO: The hardware resources should be represented by its UUID or a hardware