Add the server kind to the Nexus API context (#5751)

- Adds a server kind enum, used to distinguish which API server is
running any particular handler.
- Wraps the existing `ServerContext` into a higher-level `ApiContext`
type, which includes the former in addition to the kind of server
handling the request.
- Fixes #5735

dev-tools/reconfigurator-cli/tests/test_basic.rs

@@ -56,7 +56,7 @@ type ControlPlaneTestContext =
 #[nexus_test]
 async fn test_blueprint_edit(cptestctx: &ControlPlaneTestContext) {
     // Setup
-    let nexus = &cptestctx.server.apictx().nexus;
+    let nexus = &cptestctx.server.server_context().nexus;
     let datastore = nexus.datastore();
     let log = &cptestctx.logctx.log;
     let opctx = OpContext::for_background(

nexus/reconfigurator/execution/src/datasets.rs

@@ -147,7 +147,7 @@ mod tests {
         const TEST_NAME: &str = "test_ensure_crucible_dataset_records_exist";
 
         // Set up.
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/reconfigurator/execution/src/dns.rs

@@ -1126,7 +1126,7 @@ mod test {
     async fn test_silos_external_dns_end_to_end(
         cptestctx: &ControlPlaneTestContext,
     ) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let log = &cptestctx.logctx.log;
         let opctx = OpContext::for_background(

nexus/reconfigurator/execution/src/external_networking.rs

@@ -883,7 +883,7 @@ mod tests {
         cptestctx: &ControlPlaneTestContext,
     ) {
         // Set up.
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),
@@ -1141,7 +1141,7 @@ mod tests {
         cptestctx: &ControlPlaneTestContext,
     ) {
         // Set up.
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/reconfigurator/execution/src/omicron_physical_disks.rs

@@ -149,7 +149,7 @@ mod test {
 
     #[nexus_test]
     async fn test_deploy_omicron_disks(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/reconfigurator/execution/src/omicron_zones.rs

@@ -139,7 +139,7 @@ mod test {
 
     #[nexus_test]
     async fn test_deploy_omicron_zones(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/allow_list.rs

@@ -13,6 +13,8 @@ use omicron_common::api::external;
 use omicron_common::api::external::Error;
 use std::net::IpAddr;
 
+use crate::context::ServerKind;
+
 impl super::Nexus {
     /// Fetch the allowlist of source IPs that can reach user-facing services.
     pub async fn allow_list_view(
@@ -30,6 +32,7 @@ impl super::Nexus {
         &self,
         opctx: &OpContext,
         remote_addr: IpAddr,
+        server_kind: ServerKind,
         params: params::AllowListUpdate,
     ) -> Result<AllowList, Error> {
         if let external::AllowedSourceIps::List(list) = &params.allowed_ips {
@@ -50,6 +53,14 @@ impl super::Nexus {
             // the request came from is on the allowlist. This is our only real
             // guardrail to prevent accidentally preventing any future access to
             // the rack!
+            //
+            // Note that we elide this check when handling a request proxied
+            // from `wicketd`. This is intentional and used as a safety
+            // mechanism in the even of lockout or other recovery scenarios.
+            let check_remote_addr = match server_kind {
+                ServerKind::External => true,
+                ServerKind::Techport | ServerKind::Internal => false,
+            };
             let mut contains_remote = false;
             for entry in list.iter() {
                 contains_remote |= entry.contains(remote_addr);
@@ -67,7 +78,7 @@ impl super::Nexus {
                     ));
                 }
             }
-            if !contains_remote {
+            if check_remote_addr && !contains_remote {
                 return Err(Error::invalid_request(
                     "The source IP allow list would prevent access \
                     from the current client! Ensure that the allowlist \

nexus/src/app/background/blueprint_execution.rs

@@ -178,7 +178,7 @@ mod test {
     #[nexus_test(server = crate::Server)]
     async fn test_deploy_omicron_zones(cptestctx: &ControlPlaneTestContext) {
         // Set up the test.
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_background(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/blueprint_load.rs

@@ -233,7 +233,7 @@ mod test {
 
     #[nexus_test(server = crate::Server)]
     async fn test_load_blueprints(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/common.rs

@@ -533,7 +533,7 @@ mod test {
     // activated
     #[nexus_test(server = crate::Server)]
     async fn test_driver_basic(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),
@@ -698,7 +698,7 @@ mod test {
     // activated.
     #[nexus_test(server = crate::Server)]
     async fn test_activation_in_progress(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),
@@ -843,7 +843,7 @@ mod test {
 
     #[nexus_test(server = crate::Server)]
     async fn test_saga_request_flow(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/dns_config.rs

@@ -175,7 +175,7 @@ mod test {
 
     #[nexus_test(server = crate::Server)]
     async fn test_basic(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/dns_propagation.rs

@@ -196,7 +196,7 @@ mod test {
 
     #[nexus_test(server = crate::Server)]
     async fn test_basic(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/external_endpoints.rs

@@ -131,7 +131,7 @@ mod test {
 
     #[nexus_test(server = crate::Server)]
     async fn test_basic(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/init.rs

@@ -503,7 +503,7 @@ pub mod test {
     //     the new DNS configuration
     #[nexus_test(server = crate::Server)]
     async fn test_dns_propagation_basic(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/inventory_collection.rs

@@ -214,7 +214,7 @@ mod test {
     // collections, too.
     #[nexus_test(server = crate::Server)]
     async fn test_basic(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),
@@ -328,7 +328,7 @@ mod test {
 
     #[nexus_test(server = crate::Server)]
     async fn test_db_sled_enumerator(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/background/metrics_producer_gc.rs

@@ -170,7 +170,7 @@ mod tests {
 
     #[nexus_test(server = crate::Server)]
     async fn test_pruning(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let datastore = nexus.datastore();
         let opctx = OpContext::for_tests(
             cptestctx.logctx.log.clone(),

nexus/src/app/external_endpoints.rs

@@ -26,7 +26,7 @@
 //! "certificate resolver" object that impls
 //! [`rustls::server::ResolvesServerCert`].  See [`NexusCertResolver`].
 
-use crate::ServerContext;
+use crate::context::ApiContext;
 use anyhow::anyhow;
 use anyhow::bail;
 use anyhow::Context;
@@ -674,7 +674,7 @@ impl super::Nexus {
     /// case, we'll choose an arbitrary Silo.
     pub fn endpoint_for_request(
         &self,
-        rqctx: &dropshot::RequestContext<Arc<ServerContext>>,
+        rqctx: &dropshot::RequestContext<ApiContext>,
     ) -> Result<Arc<ExternalEndpoint>, Error> {
         let log = &rqctx.log;
         let rqinfo = &rqctx.request;

nexus/src/app/mod.rs

@@ -657,6 +657,16 @@ impl Nexus {
             .map(|server| server.local_addr())
     }
 
+    pub(crate) async fn get_techport_server_address(
+        &self,
+    ) -> Option<std::net::SocketAddr> {
+        self.techport_external_server
+            .lock()
+            .unwrap()
+            .as_ref()
+            .map(|server| server.local_addr())
+    }
+
     pub(crate) async fn get_internal_server_address(
         &self,
     ) -> Option<std::net::SocketAddr> {

nexus/src/app/sagas/disk_create.rs

@@ -882,7 +882,7 @@ pub(crate) mod test {
     pub fn test_opctx(cptestctx: &ControlPlaneTestContext) -> OpContext {
         OpContext::for_tests(
             cptestctx.logctx.log.new(o!()),
-            cptestctx.server.apictx().nexus.datastore().clone(),
+            cptestctx.server.server_context().nexus.datastore().clone(),
         )
     }
 
@@ -893,7 +893,7 @@ pub(crate) mod test {
         DiskTest::new(cptestctx).await;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id =
             create_project(&client, PROJECT_NAME).await.identity.id;
 
@@ -1033,7 +1033,7 @@ pub(crate) mod test {
         test: &DiskTest,
     ) {
         let sled_agent = &cptestctx.sled_agent.sled_agent;
-        let datastore = cptestctx.server.apictx().nexus.datastore();
+        let datastore = cptestctx.server.server_context().nexus.datastore();
 
         crate::app::sagas::test_helpers::assert_no_failed_undo_steps(
             &cptestctx.logctx.log,
@@ -1063,7 +1063,7 @@ pub(crate) mod test {
         let log = &cptestctx.logctx.log;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id =
             create_project(&client, PROJECT_NAME).await.identity.id;
         let opctx = test_opctx(cptestctx);
@@ -1093,7 +1093,7 @@ pub(crate) mod test {
         let log = &cptestctx.logctx.log;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx.nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id =
             create_project(&client, PROJECT_NAME).await.identity.id;
         let opctx = test_opctx(&cptestctx);
@@ -1111,7 +1111,7 @@ pub(crate) mod test {
     }
 
     async fn destroy_disk(cptestctx: &ControlPlaneTestContext) {
-        let nexus = &cptestctx.server.apictx.nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let opctx = test_opctx(&cptestctx);
         let disk_selector = params::DiskSelector {
             project: Some(
@@ -1134,7 +1134,7 @@ pub(crate) mod test {
         let test = DiskTest::new(cptestctx).await;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx.nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id =
             create_project(&client, PROJECT_NAME).await.identity.id;
 

nexus/src/app/sagas/disk_delete.rs

@@ -201,12 +201,12 @@ pub(crate) mod test {
     pub fn test_opctx(cptestctx: &ControlPlaneTestContext) -> OpContext {
         OpContext::for_tests(
             cptestctx.logctx.log.new(o!()),
-            cptestctx.server.apictx.nexus.datastore().clone(),
+            cptestctx.server.server_context().nexus.datastore().clone(),
         )
     }
 
     async fn create_disk(cptestctx: &ControlPlaneTestContext) -> Disk {
-        let nexus = &cptestctx.server.apictx.nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let opctx = test_opctx(&cptestctx);
 
         let project_selector = params::ProjectSelector {
@@ -232,7 +232,7 @@ pub(crate) mod test {
         DiskTest::new(cptestctx).await;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx.nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id = create_project(client, PROJECT_NAME).await.identity.id;
         let disk = create_disk(&cptestctx).await;
 
@@ -258,7 +258,7 @@ pub(crate) mod test {
         let test = DiskTest::new(cptestctx).await;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx.nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id = create_project(client, PROJECT_NAME).await.identity.id;
         let disk = create_disk(&cptestctx).await;
 

nexus/src/app/sagas/instance_create.rs

@@ -1137,7 +1137,7 @@ pub mod test {
     ) {
         DiskTest::new(cptestctx).await;
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id = create_org_project_and_disk(&client).await;
 
         // Build the saga DAG with the provided test parameters
@@ -1264,7 +1264,7 @@ pub mod test {
         cptestctx: &ControlPlaneTestContext,
     ) {
         let sled_agent = &cptestctx.sled_agent.sled_agent;
-        let datastore = cptestctx.server.apictx().nexus.datastore();
+        let datastore = cptestctx.server.server_context().nexus.datastore();
 
         // Check that no partial artifacts of instance creation exist
         assert!(no_instance_records_exist(datastore).await);
@@ -1300,7 +1300,7 @@ pub mod test {
         let log = &cptestctx.logctx.log;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id = create_org_project_and_disk(&client).await;
 
         // Build the saga DAG with the provided test parameters
@@ -1329,7 +1329,7 @@ pub mod test {
         let log = &cptestctx.logctx.log;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id = create_org_project_and_disk(&client).await;
         let opctx = test_helpers::test_opctx(&cptestctx);
 
@@ -1353,7 +1353,7 @@ pub mod test {
         DiskTest::new(cptestctx).await;
 
         let client = &cptestctx.external_client;
-        let nexus = &cptestctx.server.apictx().nexus;
+        let nexus = &cptestctx.server.server_context().nexus;
         let project_id = create_org_project_and_disk(&client).await;
 
         // Build the saga DAG with the provided test parameters