user token list endpoint

Author: david-crespo

nexus/auth/src/authz/omicron.polar

@@ -450,21 +450,27 @@ resource ConsoleSessionList {
 has_relation(fleet: Fleet, "parent_fleet", collection: ConsoleSessionList)
 	if collection.fleet = fleet;
 
-# Allow silo admins to delete user sessions
+# Allow silo admins to delete user sessions and list user tokens
 resource SiloUserAuthnList {
-    permissions = [ "modify" ];
+    permissions = [ "modify", "list_children" ];
     relations = { parent_silo: Silo };
 
     # A silo admin can modify (e.g., delete) a user's sessions.
     "modify" if "admin" on "parent_silo";
+
+    # A silo admin can list a user's tokens and sessions.
+    "list_children" if "admin" on "parent_silo";
 }
 has_relation(silo: Silo, "parent_silo", sessions: SiloUserAuthnList)
     if sessions.silo_user.silo = silo;
 
-# also give users 'modify' on their own sessions
+# also give users 'modify' and 'list_children' on their own sessions
 has_permission(actor: AuthenticatedActor, "modify", sessions: SiloUserAuthnList)
     if actor.equals_silo_user(sessions.silo_user);
 
+has_permission(actor: AuthenticatedActor, "list_children", sessions: SiloUserAuthnList)
+    if actor.equals_silo_user(sessions.silo_user);
+
 # Describes the policy for creating and managing device authorization requests.
 resource DeviceAuthRequestList {
 	permissions = [ "create_child" ];

nexus/db-queries/src/db/datastore/device_auth.rs

@@ -214,6 +214,33 @@ impl DataStore {
             .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
     }
 
+    /// List device access tokens for a specific user
+    pub async fn silo_user_token_list(
+        &self,
+        opctx: &OpContext,
+        user_authn_list: authz::SiloUserAuthnList,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<DeviceAccessToken> {
+        opctx.authorize(authz::Action::ListChildren, &user_authn_list).await?;
+
+        let silo_user_id = user_authn_list.silo_user().id();
+
+        use nexus_db_schema::schema::device_access_token::dsl;
+        paginated(dsl::device_access_token, dsl::id, &pagparams)
+            .filter(dsl::silo_user_id.eq(silo_user_id))
+            // we don't have time_deleted on tokens. unfortunately this is not
+            // indexed well. maybe it can be!
+            .filter(
+                dsl::time_expires
+                    .is_null()
+                    .or(dsl::time_expires.gt(Utc::now())),
+            )
+            .select(DeviceAccessToken::as_select())
+            .load_async(&*self.pool_connection_authorized(opctx).await?)
+            .await
+            .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))
+    }
+
     pub async fn current_user_token_delete(
         &self,
         opctx: &OpContext,

nexus/external-api/output/nexus_tags.txt

@@ -158,6 +158,7 @@ policy_update                            PUT      /v1/policy
 policy_view                              GET      /v1/policy
 user_list                                GET      /v1/users
 user_logout                              POST     /v1/users/{user_id}/logout
+user_token_list                          GET      /v1/users/{user_id}/access-tokens
 user_view                                GET      /v1/users/{user_id}
 utilization_view                         GET      /v1/utilization
 

nexus/external-api/src/lib.rs

@@ -3087,6 +3087,18 @@ pub trait NexusExternalApi {
         path_params: Path<params::UserPath>,
     ) -> Result<HttpResponseOk<views::User>, HttpError>;
 
+    /// List user's device access tokens
+    #[endpoint {
+        method = GET,
+        path = "/v1/users/{user_id}/access-tokens",
+        tags = ["silos"],
+    }]
+    async fn user_token_list(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError>;
+
     /// Expire all of user's tokens and sessions
     #[endpoint {
         method = POST,

nexus/src/app/silo.rs

@@ -353,6 +353,26 @@ impl super::Nexus {
         Ok((authz_silo_user, db_silo_user))
     }
 
+    /// List device access tokens for a user in a Silo
+    pub(crate) async fn silo_user_token_list(
+        &self,
+        opctx: &OpContext,
+        silo_user_id: Uuid,
+        pagparams: &DataPageParams<'_, Uuid>,
+    ) -> ListResultVec<db::model::DeviceAccessToken> {
+        let (_, authz_silo_user, _db_silo_user) =
+            LookupPath::new(opctx, self.datastore())
+                .silo_user_id(silo_user_id)
+                .fetch_for(authz::Action::Read)
+                .await?;
+
+        let user_authn_list = authz::SiloUserAuthnList::new(authz_silo_user);
+
+        self.datastore()
+            .silo_user_token_list(opctx, user_authn_list, pagparams)
+            .await
+    }
+
     // The "local" identity provider (available only in `LocalOnly` Silos)
 
     /// Helper function for looking up a LocalOnly Silo by name

nexus/src/external_api/http_entrypoints.rs

@@ -6882,6 +6882,38 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 
+    async fn user_token_list(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+        query_params: Query<PaginatedById>,
+    ) -> Result<HttpResponseOk<ResultsPage<views::DeviceAccessToken>>, HttpError> {
+        let apictx = rqctx.context();
+        let handler = async {
+            let nexus = &apictx.context.nexus;
+            let path = path_params.into_inner();
+            let query = query_params.into_inner();
+            let pag_params = data_page_params_for(&rqctx, &query)?;
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            let tokens = nexus
+                .silo_user_token_list(&opctx, path.user_id, &pag_params)
+                .await?
+                .into_iter()
+                .map(views::DeviceAccessToken::from)
+                .collect();
+            Ok(HttpResponseOk(ScanById::results_page(
+                &query,
+                tokens,
+                &marker_for_id,
+            )?))
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
     async fn user_logout(
         rqctx: RequestContext<Self::Context>,
         path_params: Path<params::UserPath>,

nexus/tests/integration_tests/endpoints.rs

@@ -141,6 +141,8 @@ pub static DEMO_SILO_USER_ID_GET_URL: LazyLock<String> = LazyLock::new(|| {
 });
 pub static DEMO_SILO_USER_ID_IN_SILO_URL: LazyLock<String> =
     LazyLock::new(|| "/v1/users/{id}".to_string());
+pub static DEMO_SILO_USER_TOKEN_LIST_URL: LazyLock<String> =
+    LazyLock::new(|| "/v1/users/{id}/access-tokens".to_string());
 pub static DEMO_SILO_USER_LOGOUT_URL: LazyLock<String> =
     LazyLock::new(|| "/v1/users/{id}/logout".to_string());
 
@@ -1686,6 +1688,12 @@ pub static VERIFY_ENDPOINTS: LazyLock<Vec<VerifyEndpoint>> =
                 unprivileged_access: UnprivilegedAccess::ReadOnly,
                 allowed_methods: vec![AllowedMethod::Get],
             },
+            VerifyEndpoint {
+                url: &DEMO_SILO_USER_TOKEN_LIST_URL,
+                visibility: Visibility::Public,
+                unprivileged_access: UnprivilegedAccess::None,
+                allowed_methods: vec![AllowedMethod::Get],
+            },
             VerifyEndpoint {
                 url: &DEMO_SILO_USER_LOGOUT_URL,
                 visibility: Visibility::Public,

nexus/tests/integration_tests/unauthorized.rs

@@ -251,6 +251,7 @@ static SETUP_REQUESTS: LazyLock<Vec<SetupReq>> = LazyLock::new(|| {
                 &*DEMO_SILO_USER_ID_DELETE_URL,
                 &*DEMO_SILO_USER_ID_SET_PASSWORD_URL,
                 &*DEMO_SILO_USER_ID_IN_SILO_URL,
+                &*DEMO_SILO_USER_TOKEN_LIST_URL,
                 &*DEMO_SILO_USER_LOGOUT_URL,
             ],
         },

openapi/nexus.json

@@ -11616,6 +11616,75 @@
         }
       }
     },
+    "/v1/users/{user_id}/access-tokens": {
+      "get": {
+        "tags": [
+          "silos"
+        ],
+        "summary": "List user's device access tokens",
+        "operationId": "user_token_list",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "user_id",
+            "description": "ID of the user",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          },
+          {
+            "in": "query",
+            "name": "limit",
+            "description": "Maximum number of items returned by a single call",
+            "schema": {
+              "nullable": true,
+              "type": "integer",
+              "format": "uint32",
+              "minimum": 1
+            }
+          },
+          {
+            "in": "query",
+            "name": "page_token",
+            "description": "Token returned by previous call to retrieve the subsequent page",
+            "schema": {
+              "nullable": true,
+              "type": "string"
+            }
+          },
+          {
+            "in": "query",
+            "name": "sort_by",
+            "schema": {
+              "$ref": "#/components/schemas/IdSortMode"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "successful operation",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/DeviceAccessTokenResultsPage"
+                }
+              }
+            }
+          },
+          "4XX": {
+            "$ref": "#/components/responses/Error"
+          },
+          "5XX": {
+            "$ref": "#/components/responses/Error"
+          }
+        },
+        "x-dropshot-pagination": {
+          "required": []
+        }
+      }
+    },
     "/v1/users/{user_id}/logout": {
       "post": {
         "tags": [