Allow silos to have restricted permissions for networking resources

nexus/auth/src/authn/mod.rs

@@ -276,7 +276,7 @@ impl Context {
                 Details { actor: Actor::Scim { silo_id } },
                 // This should never be non-empty, we don't want the SCIM user
                 // to ever have associated roles.
-                Some(SiloAuthnPolicy::new(BTreeMap::default())),
+                Some(SiloAuthnPolicy::new(BTreeMap::default(), false)),
             ),
             schemes_tried: Vec::new(),
         }
@@ -289,20 +289,28 @@ pub struct SiloAuthnPolicy {
     /// Describes which fleet-level roles are automatically conferred by which
     /// silo-level roles.
     mapped_fleet_roles: BTreeMap<SiloRole, BTreeSet<FleetRole>>,
+
+    /// When true, restricts networking actions to Silo Admins only
+    restrict_network_actions: bool,
 }
 
 impl SiloAuthnPolicy {
     pub fn new(
         mapped_fleet_roles: BTreeMap<SiloRole, BTreeSet<FleetRole>>,
+        restrict_network_actions: bool,
     ) -> SiloAuthnPolicy {
-        SiloAuthnPolicy { mapped_fleet_roles }
+        SiloAuthnPolicy { mapped_fleet_roles, restrict_network_actions }
     }
 
     pub fn mapped_fleet_roles(
         &self,
     ) -> &BTreeMap<SiloRole, BTreeSet<FleetRole>> {
         &self.mapped_fleet_roles
     }
+
+    pub fn restrict_network_actions(&self) -> bool {
+        self.restrict_network_actions
+    }
 }
 
 impl TryFrom<&nexus_db_model::Silo> for SiloAuthnPolicy {
@@ -311,9 +319,10 @@ impl TryFrom<&nexus_db_model::Silo> for SiloAuthnPolicy {
     fn try_from(
         value: &nexus_db_model::Silo,
     ) -> Result<Self, omicron_common::api::external::Error> {
-        value
-            .mapped_fleet_roles()
-            .map(|mapped_fleet_roles| SiloAuthnPolicy { mapped_fleet_roles })
+        value.mapped_fleet_roles().map(|mapped_fleet_roles| SiloAuthnPolicy {
+            mapped_fleet_roles,
+            restrict_network_actions: value.restrict_network_actions,
+        })
     }
 }
 

nexus/auth/src/authz/actor.rs

@@ -88,6 +88,15 @@ impl AuthenticatedActor {
             })
             .collect()
     }
+
+    /// Returns whether this actor's Silo restricts networking actions to Silo
+    /// Admins only
+    pub fn silo_restricts_networking(&self) -> bool {
+        self.silo_policy
+            .as_ref()
+            .map(|policy| policy.restrict_network_actions())
+            .unwrap_or(false)
+    }
 }
 
 impl PartialEq for AuthenticatedActor {
@@ -164,5 +173,9 @@ impl oso::PolarClass for AuthenticatedActor {
                     authn::Actor::Scim { .. } => false,
                 },
             )
+            .add_method(
+                "silo_restricts_networking",
+                |a: &AuthenticatedActor| a.silo_restricts_networking(),
+            )
     }
 }

nexus/auth/src/authz/api_resources.rs

@@ -1142,55 +1142,55 @@ authz_resource! {
     parent = "Project",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = InProject,
+    polar_snippet = InProjectNetworking,
 }
 
 authz_resource! {
     name = "VpcRouter",
     parent = "Vpc",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = InProject,
+    polar_snippet = InProjectNetworking,
 }
 
 authz_resource! {
     name = "RouterRoute",
     parent = "VpcRouter",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = InProject,
+    polar_snippet = InProjectNetworking,
 }
 
 authz_resource! {
     name = "VpcSubnet",
     parent = "Vpc",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = InProject,
+    polar_snippet = InProjectNetworking,
 }
 
 authz_resource! {
     name = "InternetGateway",
     parent = "Vpc",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = InProject,
+    polar_snippet = InProjectNetworking,
 }
 
 authz_resource! {
     name = "InternetGatewayIpPool",
     parent = "InternetGateway",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = InProject,
+    polar_snippet = InProjectNetworking,
 }
 
 authz_resource! {
     name = "InternetGatewayIpAddress",
     parent = "InternetGateway",
     primary_key = Uuid,
     roles_allowed = false,
-    polar_snippet = InProject,
+    polar_snippet = InProjectNetworking,
 }
 
 authz_resource! {

nexus/auth/src/authz/context.rs

@@ -235,6 +235,61 @@ mod test {
         Context::new(Arc::new(authn), Arc::new(authz), datastore)
     }
 
+    #[tokio::test]
+    async fn test_networking_restrictions_structure() {
+        // This test verifies that our networking restrictions compile and can be instantiated
+        let logctx =
+            dev::test_setup_log("test_networking_restrictions_structure");
+
+        // Test that SiloAuthnPolicy with networking restrictions can be created
+        let restricted_policy = authn::SiloAuthnPolicy::new(
+            std::collections::BTreeMap::new(),
+            true, // restrict_network_actions
+        );
+
+        let normal_policy = authn::SiloAuthnPolicy::new(
+            std::collections::BTreeMap::new(),
+            false, // restrict_network_actions
+        );
+
+        // Verify that the restricts_networking method works
+        assert_eq!(restricted_policy.restrict_network_actions(), true);
+        assert_eq!(normal_policy.restrict_network_actions(), false);
+
+        // Test that we can create auth contexts with these policies
+        let authn_restricted = authn::Context::for_test_user(
+            omicron_uuid_kinds::SiloUserUuid::new_v4(),
+            Uuid::new_v4(),
+            restricted_policy,
+        );
+        let authn_normal = authn::Context::for_test_user(
+            omicron_uuid_kinds::SiloUserUuid::new_v4(),
+            Uuid::new_v4(),
+            normal_policy,
+        );
+
+        // Verify the policies are accessible
+        assert_eq!(
+            authn_restricted
+                .silo_authn_policy()
+                .unwrap()
+                .restrict_network_actions(),
+            true
+        );
+        assert_eq!(
+            authn_normal
+                .silo_authn_policy()
+                .unwrap()
+                .restrict_network_actions(),
+            false
+        );
+
+        println!(
+            "Networking restrictions structure test completed successfully"
+        );
+        logctx.cleanup_successful();
+    }
+
     #[tokio::test]
     async fn test_unregistered_resource() {
         let logctx = dev::test_setup_log("test_unregistered_resource");

nexus/auth/src/authz/omicron.polar

@@ -748,3 +748,76 @@ has_relation(silo: Silo, "parent_silo", scim_client_bearer_token_list: ScimClien
 	if scim_client_bearer_token_list.silo = silo;
 has_relation(fleet: Fleet, "parent_fleet", collection: ScimClientBearerTokenList)
 	if collection.silo.fleet = fleet;
+
+# NETWORKING RESTRICTIONS BASED ON SILO SETTINGS
+#
+# These rules enforce networking restrictions when a silo has restrict_network_actions = true.
+# For silos with this restriction, only Silo Admins can perform networking create/modify/delete actions,
+# while read/list actions remain available to all project collaborators.
+
+# Determine if the actor has permissions to modify networking resources
+can_modify_networking_resource(actor: AuthenticatedActor, project: Project) if
+	# Always allow silo admins to update networking resources
+	has_role(actor, "admin", project.silo) or
+	# Allow project collaborators to update networking resources if the actor's silo allows it
+	# Note that the restriction is checked on the actor's silo, not embedded in the project
+    (has_role(actor, "collaborator", project) and not actor.silo_restricts_networking());
+
+# Helper predicates to reduce duplication across networking resources
+networking_write_perm(actor: AuthenticatedActor, action: String, project: Project) if
+    action in ["create_child", "modify", "delete"] and
+    can_modify_networking_resource(actor, project);
+
+networking_read_perm(actor: AuthenticatedActor, action: String, project: Project) if
+    action in ["read", "list_children"] and
+    has_role(actor, "viewer", project);
+
+# Apply networking restrictions to all networking resources
+# VPCs (project path: vpc.project)
+has_permission(actor: AuthenticatedActor, action: String, vpc: Vpc) if
+    networking_write_perm(actor, action, vpc.project);
+
+has_permission(actor: AuthenticatedActor, action: String, vpc: Vpc) if
+    networking_read_perm(actor, action, vpc.project);
+
+# VPC Routers (project path: router.vpc.project)
+has_permission(actor: AuthenticatedActor, action: String, router: VpcRouter) if
+    networking_write_perm(actor, action, router.vpc.project);
+
+has_permission(actor: AuthenticatedActor, action: String, router: VpcRouter) if
+    networking_read_perm(actor, action, router.vpc.project);
+
+# VPC Subnets (project path: subnet.vpc.project)
+has_permission(actor: AuthenticatedActor, action: String, subnet: VpcSubnet) if
+    networking_write_perm(actor, action, subnet.vpc.project);
+
+has_permission(actor: AuthenticatedActor, action: String, subnet: VpcSubnet) if
+    networking_read_perm(actor, action, subnet.vpc.project);
+
+# Internet Gateways (project path: gateway.vpc.project)
+has_permission(actor: AuthenticatedActor, action: String, gateway: InternetGateway) if
+    networking_write_perm(actor, action, gateway.vpc.project);
+
+has_permission(actor: AuthenticatedActor, action: String, gateway: InternetGateway) if
+    networking_read_perm(actor, action, gateway.vpc.project);
+
+# Router Routes (project path: route.vpc_router.vpc.project)
+has_permission(actor: AuthenticatedActor, action: String, route: RouterRoute) if
+    networking_write_perm(actor, action, route.vpc_router.vpc.project);
+
+has_permission(actor: AuthenticatedActor, action: String, route: RouterRoute) if
+    networking_read_perm(actor, action, route.vpc_router.vpc.project);
+
+# Internet Gateway IP Pool attachments (project path: pool.internet_gateway.vpc.project)
+has_permission(actor: AuthenticatedActor, action: String, pool: InternetGatewayIpPool) if
+    networking_write_perm(actor, action, pool.internet_gateway.vpc.project);
+
+has_permission(actor: AuthenticatedActor, action: String, pool: InternetGatewayIpPool) if
+    networking_read_perm(actor, action, pool.internet_gateway.vpc.project);
+
+# Internet Gateway IP Address attachments (project path: addr.internet_gateway.vpc.project)
+has_permission(actor: AuthenticatedActor, action: String, addr: InternetGatewayIpAddress) if
+    networking_write_perm(actor, action, addr.internet_gateway.vpc.project);
+
+has_permission(actor: AuthenticatedActor, action: String, addr: InternetGatewayIpAddress) if
+    networking_read_perm(actor, action, addr.internet_gateway.vpc.project);

nexus/authz-macros/src/lib.rs

@@ -265,6 +265,11 @@ enum PolarSnippet {
     /// Generate it as a resource nested within a Project (either directly or
     /// indirectly)
     InProject,
+
+    /// Generate it as a networking resource nested within a Project
+    /// (like InProject, but without default permission rules - all rules
+    /// defined in omicron.polar for networking restrictions)
+    InProjectNetworking,
 }
 
 /// Implementation of [`authz_resource!`]
@@ -433,6 +438,67 @@ fn do_authz_resource(
             resource_name,
             parent_as_snake,
         ),
+
+        // InProjectNetworking: Like InProject, but NO default permission rules.
+        // All permission rules are defined in omicron.polar to enforce
+        // networking restrictions. Only defines resource structure + relations.
+        (PolarSnippet::InProjectNetworking, "Project") => format!(
+            r#"
+                resource {} {{
+                    permissions = [
+                        "list_children",
+                        "modify",
+                        "read",
+                        "create_child",
+                        "delete",
+                    ];
+
+                    relations = {{ containing_project: Project }};
+                    # NOTE: No permission rules defined here!
+                    # All permissions controlled by custom networking restriction
+                    # rules in omicron.polar (can_modify_networking_resource)
+                }}
+
+                has_relation(parent: Project, "containing_project", child: {})
+                        if child.project = parent;
+            "#,
+            resource_name, resource_name,
+        ),
+
+        (PolarSnippet::InProjectNetworking, _) => format!(
+            r#"
+                resource {} {{
+                    permissions = [
+                        "list_children",
+                        "modify",
+                        "read",
+                        "create_child",
+                        "delete",
+                    ];
+
+                    relations = {{
+                        containing_project: Project,
+                        parent: {}
+                    }};
+                    # NOTE: No permission rules defined here!
+                    # All permissions controlled by custom networking restriction
+                    # rules in omicron.polar (can_modify_networking_resource)
+                }}
+
+                has_relation(project: Project, "containing_project", child: {})
+                    if has_relation(project, "containing_project", child.{});
+
+                has_relation(parent: {}, "parent", child: {})
+                    if child.{} = parent;
+            "#,
+            resource_name,
+            parent_resource_name,
+            resource_name,
+            parent_as_snake,
+            parent_resource_name,
+            resource_name,
+            parent_as_snake,
+        ),
     };
 
     let doc_struct = format!(

nexus/db-fixed-data/src/silo.rs

@@ -33,6 +33,7 @@ pub static DEFAULT_SILO: LazyLock<model::Silo> = LazyLock::new(|| {
             admin_group_name: None,
             tls_certificates: vec![],
             mapped_fleet_roles: Default::default(),
+            restrict_network_actions: None,
         },
     )
     .unwrap()
@@ -55,6 +56,7 @@ pub static INTERNAL_SILO: LazyLock<model::Silo> = LazyLock::new(|| {
             admin_group_name: None,
             tls_certificates: vec![],
             mapped_fleet_roles: Default::default(),
+            restrict_network_actions: None,
         },
     )
     .unwrap()

nexus/db-model/src/schema_versions.rs

@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(201, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(202, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(202, "restrict-network-actions"),
         KnownVersion::new(201, "scim-client-bearer-token"),
         KnownVersion::new(200, "dual-stack-network-interfaces"),
         KnownVersion::new(199, "multicast-pool-support"),