convert audit_log auth_method column to an enum

Author: david-crespo

nexus/db-model/src/audit_log.rs

@@ -38,7 +38,7 @@ pub struct AuditLogEntryInitParams {
     pub source_ip: IpAddr,
     pub user_agent: Option<String>,
     pub actor: AuditLogActor,
-    pub auth_method: Option<String>,
+    pub auth_method: Option<AuditLogAuthMethod>,
 }
 
 impl_enum_type!(
@@ -86,6 +86,54 @@ impl_enum_type!(
     Timeout => b"timeout"
 );
 
+impl_enum_type!(
+    AuditLogAuthMethodEnum:
+
+    #[derive(
+        Clone,
+        Copy,
+        Debug,
+        AsExpression,
+        FromSqlRow,
+        Serialize,
+        Deserialize,
+        PartialEq,
+        Eq,
+    )]
+    pub enum AuditLogAuthMethod;
+
+    // Enum values
+    SessionCookie => b"session_cookie"
+    AccessToken => b"access_token"
+    ScimToken => b"scim_token"
+    Spoof => b"spoof"
+);
+
+impl From<AuditLogAuthMethod> for views::AuthMethod {
+    fn from(m: AuditLogAuthMethod) -> Self {
+        match m {
+            AuditLogAuthMethod::SessionCookie => {
+                views::AuthMethod::SessionCookie
+            }
+            AuditLogAuthMethod::AccessToken => views::AuthMethod::AccessToken,
+            AuditLogAuthMethod::ScimToken => views::AuthMethod::ScimToken,
+            AuditLogAuthMethod::Spoof => views::AuthMethod::Spoof,
+        }
+    }
+}
+
+impl From<&nexus_types::authn::SchemeName> for AuditLogAuthMethod {
+    fn from(s: &nexus_types::authn::SchemeName) -> Self {
+        use nexus_types::authn::SchemeName;
+        match s {
+            SchemeName::SessionCookie => AuditLogAuthMethod::SessionCookie,
+            SchemeName::AccessToken => AuditLogAuthMethod::AccessToken,
+            SchemeName::ScimToken => AuditLogAuthMethod::ScimToken,
+            SchemeName::Spoof => AuditLogAuthMethod::Spoof,
+        }
+    }
+}
+
 #[derive(Queryable, Insertable, Selectable, Clone, Debug)]
 #[diesel(table_name = audit_log)]
 pub struct AuditLogEntryInit {
@@ -115,7 +163,7 @@ pub struct AuditLogEntryInit {
 
     /// API token or session cookie. Optional because it will not be defined
     /// on unauthenticated requests like login attempts.
-    pub auth_method: Option<String>,
+    pub auth_method: Option<AuditLogAuthMethod>,
 }
 
 impl From<AuditLogEntryInitParams> for AuditLogEntryInit {
@@ -182,20 +230,20 @@ pub struct AuditLogEntry {
     /// Actor kind indicating builtin user, silo user, or unauthenticated
     pub actor_kind: AuditLogActorKind,
 
-    /// The name of the authn scheme used. None if unauthenticated.
-    pub auth_method: Option<String>,
-
     // Fields that are not present on init
     /// Time log entry was completed with info about result of operation
     pub time_completed: DateTime<Utc>,
-    /// Result kind indicating success, error, or timeout
-    pub result_kind: AuditLogResultKind,
     /// Optional because not present for timeout result
     pub http_status_code: Option<SqlU16>,
     /// Optional even if result is an error
     pub error_code: Option<String>,
     /// Always present if result is an error
     pub error_message: Option<String>,
+    /// Result kind indicating success, error, or timeout
+    pub result_kind: AuditLogResultKind,
+
+    /// The authn scheme used. None if unauthenticated.
+    pub auth_method: Option<AuditLogAuthMethod>,
 }
 
 /// Struct that we can use as a kind of constructor arg for our actual audit
@@ -320,7 +368,7 @@ impl TryFrom<AuditLogEntry> for views::AuditLogEntry {
                     views::AuditLogEntryActor::Unauthenticated
                 }
             },
-            auth_method: entry.auth_method,
+            auth_method: entry.auth_method.map(Into::into),
             time_completed: entry.time_completed,
             result: match entry.result_kind {
                 AuditLogResultKind::Success => {

nexus/db-model/src/schema_versions.rs

@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(220, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(221, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(221, "audit-log-auth-method-enum"),
         KnownVersion::new(220, "multicast-implicit-lifecycle"),
         KnownVersion::new(219, "blueprint-sled-last-used-ip"),
         KnownVersion::new(218, "measurements"),

nexus/db-schema/src/enums.rs

@@ -24,6 +24,7 @@ define_enums! {
     AffinityPolicyEnum => "affinity_policy",
     AlertClassEnum => "alert_class",
     AuditLogActorKindEnum => "audit_log_actor_kind",
+    AuditLogAuthMethodEnum => "audit_log_auth_method",
     AuditLogResultKindEnum => "audit_log_result_kind",
     AlertDeliveryTriggerEnum => "alert_delivery_trigger",
     AlertDeliveryStateEnum => "alert_delivery_state",

nexus/db-schema/src/schema.rs

@@ -2885,12 +2885,12 @@ table! {
         actor_id -> Nullable<Uuid>,
         actor_silo_id -> Nullable<Uuid>,
         actor_kind -> crate::enums::AuditLogActorKindEnum,
-        auth_method -> Nullable<Text>,
         time_completed -> Nullable<Timestamptz>,
         http_status_code -> Nullable<Int4>, // SqlU16
         error_code -> Nullable<Text>,
         error_message -> Nullable<Text>,
         result_kind -> Nullable<crate::enums::AuditLogResultKindEnum>,
+        auth_method -> Nullable<crate::enums::AuditLogAuthMethodEnum>,
     }
 }
 
@@ -2906,12 +2906,12 @@ table! {
         actor_id -> Nullable<Uuid>,
         actor_silo_id -> Nullable<Uuid>,
         actor_kind -> crate::enums::AuditLogActorKindEnum,
-        auth_method -> Nullable<Text>,
         time_completed -> Timestamptz,
         http_status_code -> Nullable<Int4>, // SqlU16
         error_code -> Nullable<Text>,
         error_message -> Nullable<Text>,
         result_kind -> crate::enums::AuditLogResultKindEnum,
+        auth_method -> Nullable<crate::enums::AuditLogAuthMethodEnum>,
     }
 }
 

nexus/external-api/src/lib.rs

@@ -70,6 +70,7 @@ api_versions!([
     // |  date-based version should be at the top of the list.
     // v
     // (next_yyyymmddnn, IDENT),
+    (2026011500, AUDIT_LOG_AUTH_METHOD_ENUM),
     (2026011300, DOC_LINT_SUMMARY_TRAILING_PERIOD),
     (2026011100, MULTICAST_JOIN_LEAVE_DOCS),
     (2026010800, MULTICAST_IMPLICIT_LIFECYCLE_UPDATES),

nexus/src/app/audit_log.rs

@@ -126,7 +126,7 @@ impl super::Nexus {
             AuditLogActor::UserBuiltin { .. }
             | AuditLogActor::SiloUser { .. }
             | AuditLogActor::Scim { .. } => {
-                opctx.authn.scheme_used().map(|s| s.to_string())
+                opctx.authn.scheme_used().map(Into::into)
             }
             // if we tried to pull it off the opctx this would be None anyway,
             // but it's better to be explicit

nexus/tests/integration_tests/audit_log.rs

@@ -101,7 +101,7 @@ async fn test_audit_log_list(ctx: &ControlPlaneTestContext) {
     assert_eq!(e1.operation_id, "project_create");
     assert_eq!(e1.source_ip.to_string(), "127.0.0.1");
     assert_eq!(e1.user_agent, None); // no user agent passed by default
-    assert_eq!(e1.auth_method, Some("spoof".to_string()));
+    assert_eq!(e1.auth_method, Some(views::AuthMethod::Spoof));
     assert!(e1.time_started >= t1 && e1.time_started <= t2);
     assert!(e1.time_completed > e1.time_started);
     assert_eq!(
@@ -145,7 +145,7 @@ async fn test_audit_log_list(ctx: &ControlPlaneTestContext) {
     assert_eq!(e3.operation_id, "project_create");
     assert_eq!(e3.source_ip.to_string(), "127.0.0.1");
     assert_eq!(e3.user_agent.clone().unwrap(), "A".repeat(256));
-    assert_eq!(e3.auth_method, Some("session_cookie".to_string()));
+    assert_eq!(e3.auth_method, Some(views::AuthMethod::SessionCookie));
     assert!(e3.time_started >= t3 && e3.time_started <= t4);
     assert!(e3.time_completed > e3.time_started);
     assert_eq!(
@@ -396,6 +396,6 @@ fn verify_entry(
         }
     );
     assert_eq!(entry.source_ip.to_string(), "127.0.0.1");
-    assert_eq!(entry.auth_method, Some("spoof".to_string()));
+    assert_eq!(entry.auth_method, Some(views::AuthMethod::Spoof));
     assert!(entry.time_completed > entry.time_started);
 }

nexus/types/src/external_api/views.rs

@@ -1799,6 +1799,23 @@ pub enum AuditLogEntryActor {
     Unauthenticated,
 }
 
+/// Authentication method used for a request
+#[derive(
+    Debug, Clone, Copy, Deserialize, Serialize, JsonSchema, PartialEq, Eq,
+)]
+#[serde(rename_all = "snake_case")]
+pub enum AuthMethod {
+    /// Console session cookie
+    SessionCookie,
+    /// Device access token (OAuth 2.0 device authorization flow)
+    AccessToken,
+    /// SCIM client bearer token
+    ScimToken,
+    /// Spoof authentication (test only)
+    #[schemars(skip)]
+    Spoof,
+}
+
 /// Result of an audit log entry
 #[derive(Debug, Deserialize, Serialize, JsonSchema, PartialEq, Eq)]
 #[serde(tag = "kind", rename_all = "snake_case")]
@@ -1851,10 +1868,9 @@ pub struct AuditLogEntry {
 
     pub actor: AuditLogEntryActor,
 
-    /// How the user authenticated the request. Possible values are
-    /// "session_cookie" and "access_token". Optional because it will not be
-    /// defined on unauthenticated requests like login attempts.
-    pub auth_method: Option<String>,
+    /// How the user authenticated the request (access token, session, or SCIM
+    /// token). Null for unauthenticated requests like login attempts.
+    pub auth_method: Option<AuthMethod>,
 
     // Fields that are optional because they get filled in after the action completes
     /// Time operation completed