[nexus] Safer project deletion

nexus/Cargo.toml

@@ -45,6 +45,7 @@ oso = "0.26"
 oximeter-client = { path = "../oximeter-client" }
 oximeter-db = { path = "../oximeter/db/" }
 parse-display = "0.7.0"
+paste = "1.0"
 # See omicron-rpaths for more about the "pq-sys" dependency.
 pq-sys = "*"
 propolis-client = { git = "https://github.com/oxidecomputer/propolis", rev = "b596e72b6b93bc412d675358f782ae7d53f8bf7a", features = [ "generated" ] }

nexus/src/app/project.rs

@@ -201,7 +201,7 @@ impl super::Nexus {
             LookupPath::new(opctx, &self.db_datastore)
                 .organization_name(organization_name)
                 .project_name(project_name)
-                .fetch()
+                .fetch_for(authz::Action::Delete)
                 .await?;
         self.db_datastore
             .project_delete(opctx, &authz_project, &db_project)

nexus/src/app/sagas/disk_create.rs

@@ -200,9 +200,15 @@ async fn sdc_create_disk_record(
         ActionError::action_failed(Error::invalid_request(&e.to_string()))
     })?;
 
+    let (.., authz_project) = LookupPath::new(&opctx, &osagactx.datastore())
+        .project_id(params.project_id)
+        .lookup_for(authz::Action::CreateChild)
+        .await
+        .map_err(ActionError::action_failed)?;
+
     let disk_created = osagactx
         .datastore()
-        .project_create_disk(disk)
+        .project_create_disk(&opctx, &authz_project, disk)
         .await
         .map_err(ActionError::action_failed)?;
 

nexus/src/app/sagas/instance_create.rs

@@ -819,6 +819,7 @@ async fn sic_create_instance_record(
 ) -> Result<db::model::Name, ActionError> {
     let osagactx = sagactx.user_data();
     let params = sagactx.saga_params::<Params>()?;
+    let opctx = OpContext::for_saga_action(&sagactx, &params.serialized_authn);
     let sled_uuid = sagactx.lookup::<Uuid>("server_id")?;
     let instance_id = sagactx.lookup::<Uuid>("instance_id")?;
     let propolis_uuid = sagactx.lookup::<Uuid>("propolis_id")?;
@@ -848,9 +849,15 @@ async fn sic_create_instance_record(
         runtime.into(),
     );
 
+    let (.., authz_project) = LookupPath::new(&opctx, &osagactx.datastore())
+        .project_id(params.project_id)
+        .lookup_for(authz::Action::CreateChild)
+        .await
+        .map_err(ActionError::action_failed)?;
+
     let instance = osagactx
         .datastore()
-        .project_create_instance(new_instance)
+        .project_create_instance(&opctx, &authz_project, new_instance)
         .await
         .map_err(ActionError::action_failed)?;
 

nexus/src/app/sagas/snapshot_create.rs

@@ -465,15 +465,15 @@ async fn ssc_create_snapshot_record(
         size: disk.size,
     };
 
-    let (authz_silo, ..) = LookupPath::new(&opctx, &osagactx.datastore())
-        .silo_id(params.silo_id)
-        .fetch()
+    let (.., authz_project) = LookupPath::new(&opctx, &osagactx.datastore())
+        .project_id(params.project_id)
+        .lookup_for(authz::Action::CreateChild)
         .await
         .map_err(ActionError::action_failed)?;
 
     let snapshot_created = osagactx
         .datastore()
-        .project_ensure_snapshot(&opctx, &authz_silo, snapshot)
+        .project_ensure_snapshot(&opctx, &authz_project, snapshot)
         .await
         .map_err(ActionError::action_failed)?;
 

nexus/src/db/datastore/disk.rs

@@ -62,9 +62,16 @@ impl DataStore {
             .map_err(|e| public_error_from_diesel_pool(e, ErrorHandler::Server))
     }
 
-    pub async fn project_create_disk(&self, disk: Disk) -> CreateResult<Disk> {
+    pub async fn project_create_disk(
+        &self,
+        opctx: &OpContext,
+        authz_project: &authz::Project,
+        disk: Disk,
+    ) -> CreateResult<Disk> {
         use db::schema::disk::dsl;
 
+        opctx.authorize(authz::Action::CreateChild, authz_project).await?;
+
         let gen = disk.runtime().gen;
         let name = disk.name().clone();
         let project_id = disk.project_id;
@@ -76,13 +83,10 @@ impl DataStore {
                 .on_conflict(dsl::id)
                 .do_nothing(),
         )
-        .insert_and_get_result_async(self.pool())
+        .insert_and_get_result_async(self.pool_authorized(opctx).await?)
         .await
         .map_err(|e| match e {
-            AsyncInsertError::CollectionNotFound => Error::ObjectNotFound {
-                type_name: ResourceType::Project,
-                lookup_type: LookupType::ById(project_id),
-            },
+            AsyncInsertError::CollectionNotFound => authz_project.not_found(),
             AsyncInsertError::DatabaseError(e) => {
                 public_error_from_diesel_pool(
                     e,

nexus/src/db/datastore/instance.rs

@@ -63,10 +63,14 @@ impl DataStore {
     // what this function does under the hood).
     pub async fn project_create_instance(
         &self,
+        opctx: &OpContext,
+        authz_project: &authz::Project,
         instance: Instance,
     ) -> CreateResult<Instance> {
         use db::schema::instance::dsl;
 
+        opctx.authorize(authz::Action::CreateChild, authz_project).await?;
+
         let gen = instance.runtime().gen;
         let name = instance.name().clone();
         let project_id = instance.project_id;
@@ -78,13 +82,10 @@ impl DataStore {
                 .on_conflict(dsl::id)
                 .do_nothing(),
         )
-        .insert_and_get_result_async(self.pool())
+        .insert_and_get_result_async(self.pool_authorized(opctx).await?)
         .await
         .map_err(|e| match e {
-            AsyncInsertError::CollectionNotFound => Error::ObjectNotFound {
-                type_name: ResourceType::Project,
-                lookup_type: LookupType::ById(project_id),
-            },
+            AsyncInsertError::CollectionNotFound => authz_project.not_found(),
             AsyncInsertError::DatabaseError(e) => {
                 public_error_from_diesel_pool(
                     e,

nexus/src/db/datastore/ip_pool.rs

@@ -6,6 +6,7 @@
 
 use super::DataStore;
 use crate::authz;
+use crate::authz::ApiResource;
 use crate::context::OpContext;
 use crate::db;
 use crate::db::collection_insert::AsyncInsertError;
@@ -140,7 +141,7 @@ impl DataStore {
         opctx
             .authorize(authz::Action::CreateChild, &authz::IP_POOL_LIST)
             .await?;
-        let project_id = match new_pool.project.clone() {
+        let maybe_authz_project = match new_pool.project.clone() {
             None => None,
             Some(project) => {
                 if let Some(_) = &rack_id {
@@ -152,26 +153,30 @@ impl DataStore {
                 let (.., authz_project) = LookupPath::new(opctx, self)
                     .organization_name(&Name(project.organization))
                     .project_name(&Name(project.project))
-                    .lookup_for(authz::Action::Read)
+                    .lookup_for(authz::Action::CreateChild)
                     .await?;
-                Some(authz_project.id())
+                Some(authz_project)
             }
         };
-        let pool = IpPool::new(&new_pool.identity, project_id, rack_id);
+
+        let maybe_project_id = maybe_authz_project
+            .as_ref()
+            .map(|authz_project| authz_project.id());
+        let pool = IpPool::new(&new_pool.identity, maybe_project_id, rack_id);
         let pool_name = pool.name().as_str().to_string();
 
-        if let Some(project_id) = project_id {
+        if let Some(authz_project) = maybe_authz_project {
+            opctx.authorize(authz::Action::CreateChild, &authz_project).await?;
             Project::insert_resource(
-                project_id,
+                authz_project.id(),
                 diesel::insert_into(dsl::ip_pool).values(pool),
             )
             .insert_and_get_result_async(self.pool_authorized(opctx).await?)
             .await
             .map_err(|e| match e {
-                AsyncInsertError::CollectionNotFound => Error::ObjectNotFound {
-                    type_name: ResourceType::Project,
-                    lookup_type: LookupType::ById(project_id),
-                },
+                AsyncInsertError::CollectionNotFound => {
+                    authz_project.not_found()
+                }
                 AsyncInsertError::DatabaseError(e) => {
                     public_error_from_diesel_pool(
                         e,