oxidecomputer · david-crespo · Nov 24, 2021 · Nov 12, 2021 · Nov 12, 2021 · Nov 12, 2021
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
@@ -23,6 +23,7 @@ ipnetwork = "0.18"
 lazy_static = "1.4.0"
 libc = "0.2.108"
 macaddr = { version = "1.0.1", features = [ "serde_std" ]}
+mime_guess = "2.0.3"
 newtype_derive = "0.1.6"
 oso = "0.23"
 oximeter-client = { path = "../oximeter-client" }

diff --git a/nexus/examples/config-file.toml b/nexus/examples/config-file.toml
@@ -5,15 +5,20 @@
 # Identifier for this instance of Nexus
 id = "e6bff1ff-24fb-49dc-a54e-c6a350cd4d6c"
 
+[console]
+# Directory of static assets for the console. Relative to nexus/.
+assets_directory = "tests/fixtures" # TODO: figure out value
+cache_control_max_age_minutes = 10
+session_idle_timeout_minutes = 60
+session_absolute_timeout_minutes = 480
+
 # List of authentication schemes to support.
 #
 # This is not fleshed out yet and the only reason to change it now is for
 # working on authentication or authorization.  Neither is really implemented
 # yet.
 [authn]
 schemes_external = []
-session_idle_timeout_minutes = 60
-session_absolute_timeout_minutes = 480
 
 [database]
 # URL for connecting to the database

diff --git a/nexus/examples/config.toml b/nexus/examples/config.toml
@@ -5,16 +5,21 @@
 # Identifier for this instance of Nexus
 id = "e6bff1ff-24fb-49dc-a54e-c6a350cd4d6c"
 
+[console]
+# Directory of static assets for the console. Relative to nexus/.
+assets_directory = "tests/fixtures" # TODO: figure out value
+cache_control_max_age_minutes = 10
+session_idle_timeout_minutes = 60
+session_absolute_timeout_minutes = 480
+
 # List of authentication schemes to support.
 #
 # This is not fleshed out yet and the only reason to change it now is for
 # working on authentication or authorization.  Neither is really implemented
 # yet.
 [authn]
 # TODO(https://github.com/oxidecomputer/omicron/issues/372): Remove "spoof".
-schemes_external = ["spoof"]
-session_idle_timeout_minutes = 60
-session_absolute_timeout_minutes = 480
+schemes_external = ["spoof", "session_cookie"]
 
 [database]
 # URL for connecting to the database

diff --git a/nexus/src/authn/external/cookies.rs b/nexus/src/authn/external/cookies.rs
@@ -1,5 +1,10 @@
 use anyhow::Context;
+use async_trait::async_trait;
 use cookie::{Cookie, CookieJar, ParseError};
+use dropshot::{
+    Extractor, ExtractorMetadata, HttpError, RequestContext, ServerContext,
+};
+use std::sync::Arc;
 
 pub fn parse_cookies(
     headers: &http::HeaderMap<http::HeaderValue>,
@@ -19,6 +24,26 @@ pub fn parse_cookies(
     }
     Ok(cookies)
 }
+pub struct Cookies(pub CookieJar);
+
+NewtypeFrom! { () pub struct Cookies(pub CookieJar); }
+NewtypeDeref! { () pub struct Cookies(pub CookieJar); }
+
+#[async_trait]
+impl Extractor for Cookies {
+    async fn from_request<Context: ServerContext>(
+        rqctx: Arc<RequestContext<Context>>,
+    ) -> Result<Self, HttpError> {
+        let request = &rqctx.request.lock().await;
+        let cookies = parse_cookies(request.headers())
+            .unwrap_or_else(|_| CookieJar::new());
+        Ok(cookies.into())
+    }
+
+    fn metadata() -> ExtractorMetadata {
+        ExtractorMetadata { paginated: false, parameters: vec![] }
+    }
+}
 
 #[cfg(test)]
 mod test {

diff --git a/nexus/src/authn/external/mod.rs b/nexus/src/authn/external/mod.rs
@@ -4,7 +4,7 @@ use crate::authn;
 use async_trait::async_trait;
 use authn::Reason;
 
-mod cookies;
+pub mod cookies;
 pub mod session_cookie;
 pub mod spoof;
 

diff --git a/nexus/src/authn/external/session_cookie.rs b/nexus/src/authn/external/session_cookie.rs
@@ -49,6 +49,21 @@ pub const SESSION_COOKIE_COOKIE_NAME: &str = "session";
 pub const SESSION_COOKIE_SCHEME_NAME: authn::SchemeName =
     authn::SchemeName("session_cookie");
 
+/// Generate session cookie header
+pub fn session_cookie_header_value(token: &str, max_age: Duration) -> String {
+    format!(
+        "{}={}; Secure; HttpOnly; SameSite=Lax; Max-Age={}",
+        SESSION_COOKIE_COOKIE_NAME,
+        token,
+        max_age.num_seconds()
+    )
+}
+
+/// Generate session cookie with empty token and max-age=0 so browser deletes it
+pub fn clear_session_cookie_header_value() -> String {
+    session_cookie_header_value("", Duration::zero())
+}
+
 /// Implements an authentication scheme where we check the DB to see if we have
 /// a session matching the token in a cookie ([`SESSION_COOKIE_COOKIE_NAME`]) on
 /// the request. This is meant to be used by the web console.
@@ -148,8 +163,9 @@ fn get_token_from_cookie(
 #[cfg(test)]
 mod test {
     use super::{
-        get_token_from_cookie, Details, HttpAuthnScheme,
-        HttpAuthnSessionCookie, Reason, SchemeResult, Session, SessionStore,
+        get_token_from_cookie, session_cookie_header_value, Details,
+        HttpAuthnScheme, HttpAuthnSessionCookie, Reason, SchemeResult, Session,
+        SessionStore,
     };
     use async_trait::async_trait;
     use chrono::{DateTime, Duration, Utc};
@@ -355,4 +371,22 @@ mod test {
         let token = get_token_from_cookie(&headers);
         assert_eq!(token, None);
     }
+
+    #[test]
+    fn test_session_cookie_value() {
+        assert_eq!(
+            session_cookie_header_value("abc", Duration::seconds(5)),
+            "session=abc; Secure; HttpOnly; SameSite=Lax; Max-Age=5"
+        );
+
+        assert_eq!(
+            session_cookie_header_value("abc", Duration::seconds(-5)),
+            "session=abc; Secure; HttpOnly; SameSite=Lax; Max-Age=-5"
+        );
+
+        assert_eq!(
+            session_cookie_header_value("", Duration::zero()),
+            "session=; Secure; HttpOnly; SameSite=Lax; Max-Age=0"
+        );
+    }
 }
diff --git a/nexus/src/config.rs b/nexus/src/config.rs
@@ -23,6 +23,13 @@ use std::path::{Path, PathBuf};
 pub struct AuthnConfig {
     /** allowed authentication schemes for external HTTP server */
     pub schemes_external: Vec<SchemeName>,
+}
+
+#[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
+pub struct ConsoleConfig {
+    pub assets_directory: PathBuf,
+    /** how long the browser can cache static assets */
+    pub cache_control_max_age_minutes: u32,
     /** how long a session can be idle before expiring */
     pub session_idle_timeout_minutes: u32,
     /** how long a session can exist before expiring */
@@ -40,6 +47,8 @@ pub struct Config {
     pub dropshot_internal: ConfigDropshot,
     /** Identifier for this instance of Nexus */
     pub id: uuid::Uuid,
+    /** Console-related tunables */
+    pub console: ConsoleConfig,
     /** Server-wide logging configuration. */
     pub log: ConfigLogging,
     /** Database parameters */
@@ -149,7 +158,10 @@ impl Config {
 
 #[cfg(test)]
 mod test {
-    use super::{AuthnConfig, Config, LoadError, LoadErrorKind, SchemeName};
+    use super::{
+        AuthnConfig, Config, ConsoleConfig, LoadError, LoadErrorKind,
+        SchemeName,
+    };
     use crate::db;
     use dropshot::ConfigDropshot;
     use dropshot::ConfigLogging;
@@ -257,10 +269,13 @@ mod test {
             "valid",
             r##"
             id = "28b90dc4-c22a-65ba-f49a-f051fe01208f"
-            [authn]
-            schemes_external = []
+            [console]
+            assets_directory = "tests/fixtures"
+            cache_control_max_age_minutes = 10
             session_idle_timeout_minutes = 60
             session_absolute_timeout_minutes = 480
+            [authn]
+            schemes_external = []
             [dropshot_external]
             bind_address = "10.1.2.3:4567"
             request_body_max_bytes = 1024
@@ -282,11 +297,13 @@ mod test {
             config,
             Config {
                 id: "28b90dc4-c22a-65ba-f49a-f051fe01208f".parse().unwrap(),
-                authn: AuthnConfig {
-                    schemes_external: Vec::new(),
+                console: ConsoleConfig {
+                    assets_directory: "tests/fixtures".parse().unwrap(),
+                    cache_control_max_age_minutes: 10,
                     session_idle_timeout_minutes: 60,
                     session_absolute_timeout_minutes: 480
                 },
+                authn: AuthnConfig { schemes_external: Vec::new() },
                 dropshot_external: ConfigDropshot {
                     bind_address: "10.1.2.3:4567"
                         .parse::<SocketAddr>()
@@ -316,10 +333,13 @@ mod test {
             "valid",
             r##"
             id = "28b90dc4-c22a-65ba-f49a-f051fe01208f"
-            [authn]
-            schemes_external = [ "spoof", "session_cookie" ]
+            [console]
+            assets_directory = "tests/fixtures"
+            cache_control_max_age_minutes = 10
             session_idle_timeout_minutes = 60
             session_absolute_timeout_minutes = 480
+            [authn]
+            schemes_external = [ "spoof", "session_cookie" ]
             [dropshot_external]
             bind_address = "10.1.2.3:4567"
             request_body_max_bytes = 1024
@@ -351,10 +371,13 @@ mod test {
             "bad authn.schemes_external",
             r##"
             id = "28b90dc4-c22a-65ba-f49a-f051fe01208f"
-            [authn]
-            schemes_external = ["trust-me"]
+            [console]
+            assets_directory = "tests/fixtures"
+            cache_control_max_age_minutes = 10
             session_idle_timeout_minutes = 60
             session_absolute_timeout_minutes = 480
+            [authn]
+            schemes_external = ["trust-me"]
             [dropshot_external]
             bind_address = "10.1.2.3:4567"
             request_body_max_bytes = 1024