Add protections for password handling in Nexus (#8093)

This wraps uses of user passwords in `secrecy` types that:

1. make an effort to not accidentally expose passwords (via Debug,
serialization, etc.)
2. zeroize memory when a password is no longer used.

The Nexus external API parameter type for passwords kept a local String
copy of user passwords in addition to the internal password type, the
former of which was used only for testing purposes. This removes that,
ensuring that passwords in Nexus are always wrapped in `secrecy`, but it
has the unfortunate requirement now that test code needs to use slightly
different parameter types than those exposed by the external Nexus API.
I've tried to make it clear where that happens in code and why in the
code comments, but happy to take suggestions on different approaches.

Author: inickles

Cargo.lock

@@ -394,19 +394,53 @@ pub async fn create_silo(
     .await
 }
 
+/// This contains slight variations of Nexus external API types that are to be
+/// used for testing purposes only. These new types are needed because we want
+/// special protections for how passwords are handled in the Nexus server,
+/// including protections against user passwords accidentally becoming
+/// serialized.
+pub mod test_params {
+    /// Testing only version of the the create-time parameters for a `User`
+    #[derive(Clone, serde::Serialize)]
+    pub struct UserCreate {
+        /// username used to log in
+        pub external_id: super::UserId,
+        /// how to set the user's login password
+        pub password: UserPassword,
+    }
+
+    /// Testing only version of parameters for setting a user's password
+    #[derive(Clone, serde::Serialize)]
+    #[serde(rename_all = "snake_case")]
+    #[serde(tag = "mode", content = "value")]
+    pub enum UserPassword {
+        /// Sets the user's password to the provided value
+        Password(String),
+        /// Invalidates any current password (disabling password authentication)
+        LoginDisallowed,
+    }
+
+    /// Testing only credentials for local user login
+    #[derive(Clone, serde::Serialize)]
+    pub struct UsernamePasswordCredentials {
+        pub username: super::UserId,
+        pub password: String,
+    }
+}
+
 pub async fn create_local_user(
     client: &ClientTestContext,
     silo: &views::Silo,
     username: &UserId,
-    password: params::UserPassword,
+    password: test_params::UserPassword,
 ) -> User {
     let silo_name = &silo.identity.name;
     let url =
         format!("/v1/system/identity-providers/local/users?silo={}", silo_name);
     object_create(
         client,
         &url,
-        &params::UserCreate { external_id: username.to_owned(), password },
+        &test_params::UserCreate { external_id: username.to_owned(), password },
     )
     .await
 }

nexus/test-utils/src/resource_helpers.rs

@@ -5,6 +5,7 @@
 //! Tests for authz policy not covered in the set of unauthorized tests
 
 use nexus_test_utils::http_testing::{AuthnMode, NexusRequest, RequestBuilder};
+use nexus_test_utils::resource_helpers::test_params;
 use nexus_test_utils_macros::nexus_test;
 
 use nexus_types::external_api::params;
@@ -38,15 +39,15 @@ async fn test_cannot_read_others_ssh_keys(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"user1".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await
     .id;
     let user2 = create_local_user(
         client,
         &silo,
         &"user2".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await
     .id;
@@ -144,7 +145,7 @@ async fn test_list_silo_users_for_unpriv(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"unpriv".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await
     .id;
@@ -162,7 +163,7 @@ async fn test_list_silo_users_for_unpriv(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"otheruser".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await;
 
@@ -200,7 +201,7 @@ async fn test_list_silo_idps_for_unpriv(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"unpriv".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await
     .id;
@@ -236,7 +237,7 @@ async fn test_session_me_for_unpriv(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"unpriv".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await
     .id;
@@ -266,7 +267,7 @@ async fn test_silo_read_for_unpriv(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"unpriv".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await
     .id;

nexus/tests/integration_tests/authz.rs

@@ -19,16 +19,15 @@ use nexus_db_queries::db::identity::{Asset, Resource};
 use nexus_test_utils::http_testing::{
     AuthnMode, NexusRequest, RequestBuilder, TestResponse,
 };
+use nexus_test_utils::resource_helpers::test_params;
 use nexus_test_utils::resource_helpers::{
     create_silo, grant_iam, object_create,
 };
 use nexus_test_utils::{
     TEST_SUITE_PASSWORD, load_test_config, test_setup_with_config,
 };
 use nexus_test_utils_macros::nexus_test;
-use nexus_types::external_api::params::{
-    self, ProjectCreate, UsernamePasswordCredentials,
-};
+use nexus_types::external_api::params::{self, ProjectCreate};
 use nexus_types::external_api::shared::{SiloIdentityMode, SiloRole};
 use nexus_types::external_api::{shared, views};
 use omicron_common::api::external::IdentityMetadataCreateParams;
@@ -878,9 +877,9 @@ async fn log_in_and_extract_token(
 ) -> String {
     let testctx = &cptestctx.external_client;
     let url = format!("/v1/login/{}/local", cptestctx.silo_name);
-    let credentials = UsernamePasswordCredentials {
+    let credentials = test_params::UsernamePasswordCredentials {
         username: cptestctx.user_name.as_ref().parse().unwrap(),
-        password: TEST_SUITE_PASSWORD.parse().unwrap(),
+        password: TEST_SUITE_PASSWORD.to_string(),
     };
     let login = RequestBuilder::new(&testctx, Method::POST, &url)
         .body(Some(&credentials))

nexus/tests/integration_tests/console_api.rs

@@ -18,6 +18,7 @@ use nexus_test_utils::PHYSICAL_DISK_UUID;
 use nexus_test_utils::RACK_UUID;
 use nexus_test_utils::SLED_AGENT_UUID;
 use nexus_test_utils::SWITCH_UUID;
+use nexus_test_utils::resource_helpers::test_params;
 use nexus_types::external_api::params;
 use nexus_types::external_api::shared;
 use nexus_types::external_api::shared::IpRange;
@@ -1140,10 +1141,10 @@ pub static DEMO_TIMESERIES_QUERY: LazyLock<params::TimeseriesQuery> =
     });
 
 // Users
-pub static DEMO_USER_CREATE: LazyLock<params::UserCreate> =
-    LazyLock::new(|| params::UserCreate {
+pub static DEMO_USER_CREATE: LazyLock<test_params::UserCreate> =
+    LazyLock::new(|| test_params::UserCreate {
         external_id: UserId::from_str("dummy-user").unwrap(),
-        password: params::UserPassword::LoginDisallowed,
+        password: test_params::UserPassword::LoginDisallowed,
     });
 
 // Allowlist for user-facing services.
@@ -1689,8 +1690,10 @@ pub static VERIFY_ENDPOINTS: LazyLock<Vec<VerifyEndpoint>> =
                 visibility: Visibility::Public,
                 unprivileged_access: UnprivilegedAccess::ReadOnly,
                 allowed_methods: vec![AllowedMethod::Post(
-                    serde_json::to_value(params::UserPassword::LoginDisallowed)
-                        .unwrap(),
+                    serde_json::to_value(
+                        test_params::UserPassword::LoginDisallowed,
+                    )
+                    .unwrap(),
                 )],
             },
             /* Projects */

nexus/tests/integration_tests/endpoints.rs

@@ -34,6 +34,7 @@ use nexus_test_utils::resource_helpers::object_delete;
 use nexus_test_utils::resource_helpers::object_delete_error;
 use nexus_test_utils::resource_helpers::object_get;
 use nexus_test_utils::resource_helpers::object_put;
+use nexus_test_utils::resource_helpers::test_params;
 use nexus_test_utils_macros::nexus_test;
 use nexus_types::external_api::params;
 use nexus_types::external_api::shared;
@@ -297,7 +298,7 @@ async fn test_floating_ip_create_non_admin(
         client,
         &silo,
         &"user".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await;
 

nexus/tests/integration_tests/external_ips.rs

@@ -37,6 +37,7 @@ use nexus_test_utils::resource_helpers::object_get;
 use nexus_test_utils::resource_helpers::object_put;
 use nexus_test_utils::resource_helpers::object_put_error;
 use nexus_test_utils::resource_helpers::objects_list_page_authz;
+use nexus_test_utils::resource_helpers::test_params;
 use nexus_test_utils::wait_for_producer;
 use nexus_types::external_api::params::SshKeyCreate;
 use nexus_types::external_api::shared::IpKind;
@@ -6593,7 +6594,7 @@ async fn test_instance_create_in_silo(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"unpriv".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await
     .id;

nexus/tests/integration_tests/instances.rs

@@ -13,6 +13,7 @@ use nexus_test_utils::{
         create_local_user, create_project, create_route, create_router,
         create_vpc, delete_internet_gateway, detach_ip_address_from_igw,
         detach_ip_pool_from_igw, link_ip_pool, objects_list_page_authz,
+        test_params,
     },
 };
 use nexus_test_utils_macros::nexus_test;
@@ -271,7 +272,7 @@ async fn test_igw_ip_pool_attach_silo_user(ctx: &ControlPlaneTestContext) {
         c,
         &silo,
         &"user".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await;
 

nexus/tests/integration_tests/internet_gateway.rs

@@ -36,6 +36,7 @@ use nexus_test_utils::resource_helpers::object_get_error;
 use nexus_test_utils::resource_helpers::object_put;
 use nexus_test_utils::resource_helpers::object_put_error;
 use nexus_test_utils::resource_helpers::objects_list_page_authz;
+use nexus_test_utils::resource_helpers::test_params;
 use nexus_test_utils_macros::nexus_test;
 use nexus_types::external_api::params;
 use nexus_types::external_api::params::IpPoolCreate;
@@ -1183,7 +1184,7 @@ async fn test_ip_pool_list_in_silo(cptestctx: &ControlPlaneTestContext) {
         client,
         &silo,
         &"user".parse().unwrap(),
-        params::UserPassword::LoginDisallowed,
+        test_params::UserPassword::LoginDisallowed,
     )
     .await;