update Silo APIs for RFD 321 #1768
Conversation
|
Meant to CC @smklein because of the Remote Access Preview procedure change. |
|
Heads up: I'm going to go ahead and rebase on top of "main" because the dependency on #1757 is very minimal and we may as well keep these separately. That's going to involve a force push to this branch so you may want to defer review until I've done that. |
davepacheco
force-pushed
the
silo-idp-routes-rfd-321
branch
from
527b660 to
a98dced
Compare
|
This is ready for review now. |
|
One thing I want to call out: per RFD 321, the A consequence of all this is that it's possible to store Silo configurations that aren't valid. The only time this will cause a problem is if someone tries to fetch a Silo with an invalid config (either by listing Silos or fetching it explicitly). In that case, the request will fail to convert the In an ideal world, I think |
This will break our test SAML config(s), yeah. But the URL can be updated as soon as this lands (or before in order to test?) |
nexus/src/app/silo.rs
Outdated
| // If the user provision type is fixed, do not a new user if | ||
| // one does not exist. | ||
| db::model::UserProvisionType::Fixed => { | ||
| // If the user provision type is ApiOnly, do not a new user |
There was a problem hiding this comment.
this doesn't look right - maybe it should be "do not create a new user"
| #[endpoint { | ||
| method = POST, | ||
| path = "/login/{silo_name}/{provider_name}", | ||
| path = "/login/{silo_name}/saml/{provider_name}", |
There was a problem hiding this comment.
This is the URL that will have to change in the Keycloak configuration, it's the path the IdP POSTs to.
There was a problem hiding this comment.
Let's also maybe update the remote access docs to use a different name for the provider instead of saml, lest we end up with the repetitive /login/mercury/saml/saml 😅
|
|
||
| const SILO_NAME: &str = "saml-silo"; | ||
| create_silo(&client, SILO_NAME, true, shared::UserProvisionType::Fixed) | ||
| create_silo(&client, SILO_NAME, true, shared::SiloIdentityMode::LocalOnly) |
There was a problem hiding this comment.
this shouldn't be LocalOnly, right? one of the future planned changes is to reject configuring an identity provider if it doesn't match the identity mode, which means this test will be broken.
There was a problem hiding this comment.
Yeah, good call. I was separately trying to sneak in one more change that validates that and updates several of these tests accordingly. That's coming shortly.
| let nexus = &cptestctx.server.apictx.nexus; | ||
|
|
||
| let test_cases: Vec<TestSiloUserProvisionTypes> = vec
|
I didn't review in detail, but I'm standing by to update the console once this is merged. |
Crucible changes are: update to latest `vergen` (#1770) Update rand dependencies, and fallout from that. (#1764) [crucible-downstairs] migrate to API traits (#1768) [crucible-agent] migrate to API trait (#1766) [crucible-pantry] migrate to API trait (#1767) Add back job delays in the downstairs with the --lossy flag (#1761) Propolis changes are: Crucible update plus a few other dependency changes. (#948) [2/n] [propolis-server] switch to API trait (#946) [1/n] add a temporary indent to propolis server APIs (#945) Handle Intel CPUID leaves 4 and 18h, specialize CPUID for VM shape (#941) Increase viona receive queue length to 2048 (#935) Expand viona header pad to account for options (#937) fix linux p9fs multi message reads (#932) add a D script to report VMs' CPUID queries (#934) Update GH actions Re-enable viona packet data loaning
Crucible changes are: update to latest `vergen` (#1770) Update rand dependencies, and fallout from that. (#1764) [crucible-downstairs] migrate to API traits (#1768) [crucible-agent] migrate to API trait (#1766) [crucible-pantry] migrate to API trait (#1767) Add back job delays in the downstairs with the --lossy flag (#1761) Propolis changes are: Crucible update plus a few other dependency changes. (#948) [2/n] [propolis-server] switch to API trait (#946) [1/n] add a temporary indent to propolis server APIs (#945) Handle Intel CPUID leaves 4 and 18h, specialize CPUID for VM shape (#941) Increase viona receive queue length to 2048 (#935) Expand viona header pad to account for options (#937) fix linux p9fs multi message reads (#932) add a D script to report VMs' CPUID queries (#934) Update GH actions Re-enable viona packet data loaning --------- Co-authored-by: Alan Hanson <alan@oxide.computer> Co-authored-by: Sean Klein <sean@oxide.computer> Co-authored-by: Rain <rain@oxide.computer> Co-authored-by: John Gallagher <john@oxidecomputer.com> Co-authored-by: iliana etaoin <iliana@oxide.computer> Co-authored-by: Sean Klein <sean@oxidecomputer.com> Co-authored-by: Alex Plotnick <alex@oxidecomputer.com> Co-authored-by: David Pacheco <dap@oxidecomputer.com> Co-authored-by: Andrew J. Stone <andrew@oxidecomputer.com>
This makes a few changes based on the determinations of RFD 321 in preparation for support for password-based login. I hope there are no surprises here!
Changes here:
/system/silos/:silo_name/saml-identity-providersto/system/silos/:silo_name/identity-providers/saml/login/:silo_name/:provider_nameto/login/:silo_name/saml/:provider_nameuser_provision_type/UserProvisionTypehas turned intosilo_identity_mode/SiloIdentityMode, which encapsulates both the authentication mode and the user provision type.This also renames
UserProvisionType::FixedtoUserProvisionType::ApiOnlyfor clarity.This does not implement the "local" identity provider tyep, CRUD for local users, or password login -- those will be in follow-up PRs.
This will be a breaking change to the API because of the change to
params::SiloCreate,views::Silo, and the change in route structure. CC @david-crespo @zephraph @karencfv.This will be a breaking change to the Remote Access Preview procedure (both Mercury and Pluto) for the same reason. (Those procedures use these APIs directly.) Further, if you have a Silo that's already set up with an identity provider (like saml.eng), I'm not sure if it will continue to work because the login URL that the IdP POSTs back to has changed. I'm not sure if this is recorded anywhere though. If this is a problem for anyone, I'm happy to dig in further.