[nexus] Split authn/authz and db-fixed-data into new crates

[smklein]

As a part of the ongoing effort to split Nexus into smaller pieces, this PR splits out two new crates:

• nexus-auth takes the contents of nexus/db-queries/src/auth{n,z}, as well as nexus/db-queries/src/context.rs, and separates this logic into a new bespoke crate. Although this crate does have a dependency on the datastore itself, it only actually invokes a single method, and can be abstracted via a new trait, defined in nexus/auth/storage.
• nexus-db-fixed-data takes the contents of nexus/db-queries/src/db/fixed-data and separates this logic into a new crate.

[smklein]

This method was moved into nexus/db-queries/src/db/datastore/identity_provider.rs - it doesn't need to be defined here, and is tightly coupled with the datastore, not auth logic.

[smklein]

The policy_test (look for the files changed in this PR) was previously a "unit test" in db-queries that used auth and datastore methods extensively.

It has stayed in db-queries to access the database methods, but still needs to access methods defined in nexus-auth. As a result, some cfg(test) methods are exposed as pub to make this work. This is one such example.

[smklein]

This is another common pattern through this PR: Wherever nexus/auth depends on the DataStore, I basically use dependency injection via dyn Storage to not directly depend on the datastore. Then, the implementation of Storage allows nexus/auth to access a very limited subset of the datastore.

Turns out, that "limited interface" is only a single method. See: nexus/auth/src/storage.rs

[smklein]

This is an example of a test that actively does not need access to the database, and can be replaced by a stub.

[smklein]

Another example of a test that previously required a whole database, but actually, never queries anything from the database

[smklein]

I'd be interested in figuring out a way to make this not use async-trait.

I basically went down this route because:

• authz::Context contains one of these objects
• If it uses generics, then OpContext also needs a generic parameter
• That changes a lot of code
• ... so I went down the dyn Storage route instead, as the DataStore is already wrapped in an Arc

[smklein]

This is just moved, not new

[smklein]

This method was moved exactly from nexus/db-queries/src/db/datastore/role.rs

[andrewjstone]

nit: could spell out assign, but I also understand not wanting to introduce that to the diff if this is used in a lot of places.

[smklein]

Grepping for role_asgn, this appears to be a pattern used beyond this method. I agree with you that I'd rather it be fully spelled out, but I'm gonna punt on this to avoid touching several files that aren't currently part of this PR?

[andrewjstone]

That works for me

[smklein]

This method was moved exactly from IdentityProvider::lookup to here (and DataStore is now a &self parameter instead of the first argument)

[hawkw]

Overall, this seems good to me, although I had a few small style suggestions --- take them or leave them! And, I've mostly tried to avoid commenting on the code that was moved around but hasn't actually changed.

[hawkw]

i'm assuming this is because there used to be a `#[macro_use] somewhere?

[smklein]

Exactly:

omicron/nexus/db-queries/src/lib.rs

Lines 14 to 17 in b0dfd53

	#[macro_use]
	extern crate slog;
	#[macro_use]
	extern crate newtype_derive;

[hawkw]

We could, potentially, make the strum dependency optional and make this:

#[cfg_attr(feature = "strum", derive(strum::EnumIter)]

and then have policy_test enable the strum feature in its dev-dependency on authz...but i'm not sure if that's really worth the effort, up to you.

[andrewjstone]

Looks great!

[andrewjstone]

nit: could spell out assign, but I also understand not wanting to introduce that to the diff if this is used in a lot of places.

[andrewjstone]

Nifty :)