tracking issue for authz work

(moving some notes from a local text file for better visibility)

[x] initial authn infrastructure with "spoof" authentication (#314)
[x] initial authz infastructure with one protected endpoint (#346)
[x] flesh out authz policy (Polar file) and associated Rust types; prototype by protecting a project-level endpoint (DELETE disk) (#405)
[x] add users to the database (#486)
- [x] database schema
- [x] prepopulated users, at least for testing (and remove them from in-memory?)
- [x] API to list and fetch users (not create or update)
[x] implement predefined roles
- [x] database schema for predefined roles (#512)
- [x] prepopulate table of predefined roles (#512)
- [x] database schema for user <-> role mapping (#520)
- [x] prepopulate user <-> role mapping for predefined users and roles (#520)
- [x] load roles during the request (#520)
- [x] update authz implementation to use the loaded roles (#520)
[x] return 404s rather than 401 or 403 when the user can't read a resource (#600)
[x] get feedback from product/customers about reduced-scope authz model. (2022-01-31 update: we've spoken with two prospects and both were fine with a static set of roles in the MVP. Both felt they were going to need it to be more flexible later.)
[x] figure out authz from saga actions (e.g., need to construct an OpContext for the saga)
- [x] #672
[x] add protection for the remaining endpoints
- [x] top-level Organization endpoints (#346 (create), #405 (list), #592 (the rest))
- [x] #617
- [x] #646
- [x] #661
- [x] #662
- [x] #673 (blocked on #672)
- [x] #743
- [x] #754
- [x] #761
- [x] #775
- [x] #778
- [x] #780
- [x] #782
- [x] #790
- [x] #936
[x] all new external endpoints should be authn/authz-protected (see #785)
- [x] #885
[x] #832
[x] #798 consistent ways to look up resources by name and return the db::model type and the associated authz type (some discussion of this in 2021-11-22 review for #405)
[x] transition to new lookup API
- [x] #839
- [x] #840
- [x] #842
- [x] #843
- [x] #855
- [x] #845 (depends on #846, #847, #848)
  - [x] #908
- [x] #873
[x] #1123
[x] #846
[x] #1096
[ ] various cleanup
- [ ] maybe: convert built-in users to service accounts
- [x] #882
- [x] #644
- [x] #652
- [ ] all datastore.rs methods should accept OpContext
- [ ] there should be no more uses of Datastore::pool() -- it should all be Datastore::pool_authorized
- [ ] there should probably be no more uses of dropshot's make_request() family of functions in the test suite because everything requires authn except for the unauthorized test.
- [ ] review use of public_error_from_diesel_pool -- that seems a lot less necessary post-authz because there's an authz variant
- [ ] #1374
- [ ] related to this: there may be a lot of code paths today that need to assign roles to things that currently don't. e.g., when you create a Project, you should get a role on it.
- [ ] an end-to-end test that every API call bails correctly for every permission that it checks? see #1609
- [ ] #665
- [x] #848
- [ ] *_refetch() functions in datastore.rs could be provided by the lookup API (macro) instead (e.g., top-level functions on LookupPath that take the authz object and work basically the same way as a by-id lookup, but use the lookup_type of the original authz object for a not-found error and preserve the original authz object)
- [ ] review TODO-security
- [ ] review endpoints not tested by unauthorized.rs/unauthorized_coverage.rs. Currently that includes /session/me, /login, /logout, which are all somewhat special cases. For example, "logout" succeeds even if your authn failed. And "/session/me" will work even for unprivileged users. Maybe they should have their own separate tests?
- [ ] lookup_resource! macro could be simplified
  - [x] #1547
  - [ ] harder: figure out what parts of it could be impl'd in common code using a trait instead of a macro
- [ ] #1277

oxidecomputer / omicron

tracking issue for authz work #419