session list endpoint

Author: david-crespo

nexus/db-model/src/console_session.rs

@@ -4,8 +4,8 @@
 
 use chrono::{DateTime, Utc};
 use nexus_db_schema::schema::console_session;
-use omicron_uuid_kinds::ConsoleSessionKind;
-use omicron_uuid_kinds::ConsoleSessionUuid;
+use nexus_types::external_api::views;
+use omicron_uuid_kinds::{ConsoleSessionKind, ConsoleSessionUuid, GenericUuid};
 use uuid::Uuid;
 
 use crate::typed_uuid::DbTypedUuid;
@@ -38,3 +38,13 @@ impl ConsoleSession {
         self.id.0
     }
 }
+
+impl From<ConsoleSession> for views::ConsoleSession {
+    fn from(session: ConsoleSession) -> Self {
+        Self {
+            id: session.id.into_untyped_uuid(),
+            time_created: session.time_created,
+            time_last_used: session.time_last_used,
+        }
+    }
+}

nexus/db-queries/src/db/datastore/console_session.rs

@@ -9,6 +9,7 @@ use crate::authn;
 use crate::authz;
 use crate::context::OpContext;
 use crate::db::model::ConsoleSession;
+use crate::db::pagination::paginated;
 use async_bb8_diesel::AsyncRunQueryDsl;
 use chrono::Utc;
 use diesel::prelude::*;
@@ -17,13 +18,16 @@ use nexus_db_errors::public_error_from_diesel;
 use nexus_db_lookup::LookupPath;
 use nexus_db_schema::schema::console_session;
 use omicron_common::api::external::CreateResult;
+use omicron_common::api::external::DataPageParams;
 use omicron_common::api::external::DeleteResult;
 use omicron_common::api::external::Error;
+use omicron_common::api::external::ListResultVec;
 use omicron_common::api::external::LookupResult;
 use omicron_common::api::external::LookupType;
 use omicron_common::api::external::ResourceType;
 use omicron_common::api::external::UpdateResult;
 use omicron_uuid_kinds::GenericUuid;
+use uuid::Uuid;
 
 impl DataStore {
     /// Look up session by token. The token is a kind of password, so simply
@@ -157,6 +161,26 @@ impl DataStore {
             })
     }
 
+    /// List console sessions for a specific user
+    pub async fn silo_user_session_list(
+        &self,
+        opctx: &OpContext,
+        user_authn_list: authz::SiloUserAuthnList,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<ConsoleSession> {
+        opctx.authorize(authz::Action::ListChildren, &user_authn_list).await?;
+
+        let silo_user_id = user_authn_list.silo_user().id();
+
+        use nexus_db_schema::schema::console_session::dsl;
+        paginated(dsl::console_session, dsl::id, &pagparams)
+            .filter(dsl::silo_user_id.eq(silo_user_id))
+            .select(ConsoleSession::as_select())
+            .load_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+
     /// Delete all session for the user
     pub async fn silo_user_sessions_delete(
         &self,

nexus/external-api/output/nexus_tags.txt

@@ -159,6 +159,7 @@ policy_update                            PUT      /v1/policy
 policy_view                              GET      /v1/policy
 user_list                                GET      /v1/users
 user_logout                              POST     /v1/users/{user_id}/logout
+user_session_list                        GET      /v1/users/{user_id}/sessions
 user_token_list                          GET      /v1/users/{user_id}/access-tokens
 user_view                                GET      /v1/users/{user_id}
 utilization_view                         GET      /v1/utilization

nexus/external-api/src/lib.rs

@@ -3031,6 +3031,18 @@ pub trait NexusExternalApi {
         query_params: Query<PaginatedById>,
     ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError>;
 
+    /// List user's console sessions
+    #[endpoint {
+        method = GET,
+        path = "/v1/users/{user_id}/sessions",
+        tags = ["silos"],
+    }]
+    async fn user_session_list(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::ConsoleSession>>, HttpError>;
+
     /// Expire all of user's tokens and sessions
     #[endpoint {
         method = POST,

nexus/src/app/silo.rs

@@ -373,6 +373,26 @@ impl super::Nexus {
             .await
     }
 
+    /// List console sessions for a user in a Silo
+    pub(crate) async fn silo_user_session_list(
+        &self,
+        opctx: &OpContext,
+        silo_user_id: Uuid,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<db::model::ConsoleSession> {
+        let (_, authz_silo_user, _db_silo_user) =
+            LookupPath::new(opctx, self.datastore())
+                .silo_user_id(silo_user_id)
+                .fetch_for(authz::Action::Read)
+                .await?;
+
+        let user_authn_list = authz::SiloUserAuthnList::new(authz_silo_user);
+
+        self.datastore()
+            .silo_user_session_list(opctx, user_authn_list, pagparams)
+            .await
+    }
+
     // The "local" identity provider (available only in `LocalOnly` Silos)
 
     /// Helper function for looking up a LocalOnly Silo by name

nexus/src/external_api/http_entrypoints.rs

@@ -6759,6 +6759,38 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 
+    async fn user_session_list(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::ConsoleSession>>, HttpError> {
+        let apictx = rqctx.context();
+        let handler = async {
+            let nexus = &apictx.context.nexus;
+            let path = path_params.into_inner();
+            let query = query_params.into_inner();
+            let pag_params = data_page_params_for(&rqctx, &query)?;
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            let sessions = nexus
+                .silo_user_session_list(&opctx, path.user_id, &pag_params)
+                .await?
+                .into_iter()
+                .map(views::ConsoleSession::from)
+                .collect();
+            Ok(HttpResponseOk(ScanById::results_page(
+                &query,
+                sessions,
+                &marker_for_id,
+            )?))
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
     async fn user_logout(
         rqctx: RequestContext<Self::Context>,
         path_params: Path<params::UserPath>,

nexus/tests/integration_tests/endpoints.rs

@@ -142,6 +142,8 @@ pub static DEMO_SILO_USER_ID_IN_SILO_URL: LazyLock<String> =
     LazyLock::new(|| "/v1/users/{id}".to_string());
 pub static DEMO_SILO_USER_TOKEN_LIST_URL: LazyLock<String> =
     LazyLock::new(|| "/v1/users/{id}/access-tokens".to_string());
+pub static DEMO_SILO_USER_SESSION_LIST_URL: LazyLock<String> =
+    LazyLock::new(|| "/v1/users/{id}/sessions".to_string());
 pub static DEMO_SILO_USER_LOGOUT_URL: LazyLock<String> =
     LazyLock::new(|| "/v1/users/{id}/logout".to_string());
 
@@ -1675,6 +1677,12 @@ pub static VERIFY_ENDPOINTS: LazyLock<Vec<VerifyEndpoint>> =
                 unprivileged_access: UnprivilegedAccess::None,
                 allowed_methods: vec![AllowedMethod::Get],
             },
+            VerifyEndpoint {
+                url: &DEMO_SILO_USER_SESSION_LIST_URL,
+                visibility: Visibility::Public,
+                unprivileged_access: UnprivilegedAccess::None,
+                allowed_methods: vec![AllowedMethod::Get],
+            },
             VerifyEndpoint {
                 url: &DEMO_SILO_USER_LOGOUT_URL,
                 visibility: Visibility::Public,

nexus/tests/integration_tests/unauthorized.rs

@@ -226,6 +226,7 @@ static SETUP_REQUESTS: LazyLock<Vec<SetupReq>> = LazyLock::new(|| {
                 &*DEMO_SILO_USER_ID_SET_PASSWORD_URL,
                 &*DEMO_SILO_USER_ID_IN_SILO_URL,
                 &*DEMO_SILO_USER_TOKEN_LIST_URL,
+                &*DEMO_SILO_USER_SESSION_LIST_URL,
                 &*DEMO_SILO_USER_LOGOUT_URL,
             ],
         },

nexus/types/src/external_api/views.rs

@@ -1008,6 +1008,21 @@ impl SimpleIdentity for DeviceAccessToken {
     }
 }
 
+/// View of a console session
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema, PartialEq)]
+pub struct ConsoleSession {
+    /// A unique, immutable, system-controlled identifier for the session
+    pub id: Uuid,
+    pub time_created: DateTime<Utc>,
+    pub time_last_used: DateTime<Utc>,
+}
+
+impl SimpleIdentity for ConsoleSession {
+    fn id(&self) -> Uuid {
+        self.id
+    }
+}
+
 // OAUTH 2.0 DEVICE AUTHORIZATION REQUESTS & TOKENS
 
 /// Response to an initial device authorization request.

openapi/nexus.json

@@ -11589,6 +11589,75 @@
         }
       }
     },
+    "/v1/users/{user_id}/sessions": {
+      "get": {
+        "tags": [
+          "silos"
+        ],
+        "summary": "List user's console sessions",
+        "operationId": "user_session_list",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "user_id",
+            "description": "ID of the user",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          },
+          {
+            "in": "query",
+            "name": "limit",
+            "description": "Maximum number of items returned by a single call",
+            "schema": {
+              "nullable": true,
+              "type": "integer",
+              "format": "uint32",
+              "minimum": 1
+            }
+          },
+          {
+            "in": "query",
+            "name": "page_token",
+            "description": "Token returned by previous call to retrieve the subsequent page",
+            "schema": {
+              "nullable": true,
+              "type": "string"
+            }
+          },
+          {
+            "in": "query",
+            "name": "sort_by",
+            "schema": {
+              "$ref": "#/components/schemas/IdSortMode"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "successful operation",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ConsoleSessionResultsPage"
+                }
+              }
+            }
+          },
+          "4XX": {
+            "$ref": "#/components/responses/Error"
+          },
+          "5XX": {
+            "$ref": "#/components/responses/Error"
+          }
+        },
+        "x-dropshot-pagination": {
+          "required": []
+        }
+      }
+    },
     "/v1/utilization": {
       "get": {
         "tags": [
@@ -16177,6 +16246,51 @@
           "items"
         ]
       },
+      "ConsoleSession": {
+        "description": "View of a console session",
+        "type": "object",
+        "properties": {
+          "id": {
+            "description": "A unique, immutable, system-controlled identifier for the session",
+            "type": "string",
+            "format": "uuid"
+          },
+          "time_created": {
+            "type": "string",
+            "format": "date-time"
+          },
+          "time_last_used": {
+            "type": "string",
+            "format": "date-time"
+          }
+        },
+        "required": [
+          "id",
+          "time_created",
+          "time_last_used"
+        ]
+      },
+      "ConsoleSessionResultsPage": {
+        "description": "A single page of results",
+        "type": "object",
+        "properties": {
+          "items": {
+            "description": "list of items on this page of results",
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/ConsoleSession"
+            }
+          },
+          "next_page": {
+            "nullable": true,
+            "description": "token used to fetch the next page of results (if any)",
+            "type": "string"
+          }
+        },
+        "required": [
+          "items"
+        ]
+      },
       "Cumulativedouble": {
         "description": "A cumulative or counter data type.",
         "type": "object",