user_view endpoint

david-crespo · david-crespo · commit d80a4d6cb3b4 · 2025-07-15T11:17:13.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -18,3 +18,4 @@ tags
 .img/*
 connectivity-report.json
 *.local
+CLAUDE.md
diff --git a/nexus/external-api/output/nexus_tags.txt b/nexus/external-api/output/nexus_tags.txt
@@ -158,6 +158,7 @@ policy_update                            PUT      /v1/policy
 policy_view                              GET      /v1/policy
 user_list                                GET      /v1/users
 user_logout                              POST     /v1/users/{user_id}/logout
+user_view                                GET      /v1/users/{user_id}
 utilization_view                         GET      /v1/utilization
 
 API operations found with tag "snapshots"
diff --git a/nexus/external-api/src/lib.rs b/nexus/external-api/src/lib.rs
@@ -3076,6 +3076,17 @@ pub trait NexusExternalApi {
         query_params: Query<PaginatedById<params::OptionalGroupSelector>>,
     ) -> Result<HttpResponseOk<ResultsPage<views::User>>, HttpError>;
 
+    /// Fetch user
+    #[endpoint {
+        method = GET,
+        path = "/v1/users/{user_id}",
+        tags = ["silos"],
+    }]
+    async fn user_view(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+    ) -> Result<HttpResponseOk<views::User>, HttpError>;
+
     /// Expire all of user's tokens and sessions
     #[endpoint {
         method = POST,
diff --git a/nexus/src/app/silo.rs b/nexus/src/app/silo.rs
@@ -313,7 +313,7 @@ impl super::Nexus {
         Ok(db_silo_user)
     }
 
-    /// Fetch a user in a Silo
+    /// Delete all of user's tokens and sessions
     pub(crate) async fn current_silo_user_logout(
         &self,
         opctx: &OpContext,
@@ -338,6 +338,21 @@ impl super::Nexus {
         Ok(())
     }
 
+    /// Fetch a user in a Silo
+    pub(crate) async fn current_silo_user_lookup(
+        &self,
+        opctx: &OpContext,
+        silo_user_id: Uuid,
+    ) -> LookupResult<(authz::SiloUser, db::model::SiloUser)> {
+        let (_, authz_silo_user, db_silo_user) =
+            LookupPath::new(opctx, self.datastore())
+                .silo_user_id(silo_user_id)
+                .fetch_for(authz::Action::Read)
+                .await?;
+
+        Ok((authz_silo_user, db_silo_user))
+    }
+
     // The "local" identity provider (available only in `LocalOnly` Silos)
 
     /// Helper function for looking up a LocalOnly Silo by name
diff --git a/nexus/src/external_api/http_entrypoints.rs b/nexus/src/external_api/http_entrypoints.rs
@@ -6860,6 +6860,28 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 
+    async fn user_view(
+        rqctx: RequestContext<Self::Context>,
+        path_params: Path<params::UserPath>,
+    ) -> Result<HttpResponseOk<views::User>, HttpError> {
+        let apictx = rqctx.context();
+        let handler = async {
+            let nexus = &apictx.context.nexus;
+            let path = path_params.into_inner();
+            let opctx =
+                crate::context::op_context_for_external_api(&rqctx).await?;
+            let (.., user) = nexus
+                .current_silo_user_lookup(&opctx, path.user_id)
+                .await?;
+            Ok(HttpResponseOk(user.into()))
+        };
+        apictx
+            .context
+            .external_latencies
+            .instrument_dropshot_handler(&rqctx, handler)
+            .await
+    }
+
     async fn user_logout(
         rqctx: RequestContext<Self::Context>,
         path_params: Path<params::UserPath>,
diff --git a/nexus/tests/integration_tests/endpoints.rs b/nexus/tests/integration_tests/endpoints.rs
@@ -139,6 +139,11 @@ pub static DEMO_SILO_USERS_LIST_URL: LazyLock<String> = LazyLock::new(|| {
 pub static DEMO_SILO_USER_ID_GET_URL: LazyLock<String> = LazyLock::new(|| {
     format!("/v1/system/users/{{id}}?silo={}", DEFAULT_SILO.identity().name,)
 });
+pub static DEMO_SILO_USER_ID_IN_SILO_URL: LazyLock<String> =
+    LazyLock::new(|| "/v1/users/{id}".to_string());
+pub static DEMO_SILO_USER_LOGOUT_URL: LazyLock<String> =
+    LazyLock::new(|| "/v1/users/{id}/logout".to_string());
+
 pub static DEMO_SILO_USER_ID_DELETE_URL: LazyLock<String> =
     LazyLock::new(|| {
         format!(
@@ -1676,8 +1681,14 @@ pub static VERIFY_ENDPOINTS: LazyLock<Vec<VerifyEndpoint>> =
                 allowed_methods: vec![AllowedMethod::Get],
             },
             VerifyEndpoint {
-                url: "/v1/users/af47bf12-2eab-4892-8a2f-c064a812c884/logout",
+                url: &DEMO_SILO_USER_ID_IN_SILO_URL,
                 visibility: Visibility::Protected,
+                unprivileged_access: UnprivilegedAccess::ReadOnly,
+                allowed_methods: vec![AllowedMethod::Get],
+            },
+            VerifyEndpoint {
+                url: &DEMO_SILO_USER_LOGOUT_URL,
+                visibility: Visibility::Public,
                 unprivileged_access: UnprivilegedAccess::None,
                 allowed_methods: vec![AllowedMethod::Post(serde_json::json!(
                     {}
diff --git a/nexus/tests/integration_tests/unauthorized.rs b/nexus/tests/integration_tests/unauthorized.rs
@@ -250,6 +250,8 @@ static SETUP_REQUESTS: LazyLock<Vec<SetupReq>> = LazyLock::new(|| {
                 &*DEMO_SILO_USER_ID_GET_URL,
                 &*DEMO_SILO_USER_ID_DELETE_URL,
                 &*DEMO_SILO_USER_ID_SET_PASSWORD_URL,
+                &*DEMO_SILO_USER_ID_IN_SILO_URL,
+                &*DEMO_SILO_USER_LOGOUT_URL,
             ],
         },
         // Create the default IP pool
diff --git a/openapi/nexus.json b/openapi/nexus.json
@@ -11577,6 +11577,45 @@
         }
       }
     },
+    "/v1/users/{user_id}": {
+      "get": {
+        "tags": [
+          "silos"
+        ],
+        "summary": "Fetch user",
+        "operationId": "user_view",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "user_id",
+            "description": "ID of the user",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "successful operation",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/User"
+                }
+              }
+            }
+          },
+          "4XX": {
+            "$ref": "#/components/responses/Error"
+          },
+          "5XX": {
+            "$ref": "#/components/responses/Error"
+          }
+        }
+      }
+    },
     "/v1/users/{user_id}/logout": {
       "post": {
         "tags": [
