Auth: Implement identity deletion

client/interfaces.go

@@ -445,6 +445,7 @@ type InstanceServer interface {
 	GetIdentity(authenticationMethod string, nameOrIdentifier string) (identity *api.Identity, ETag string, err error)
 	GetCurrentIdentityInfo() (identityInfo *api.IdentityInfo, ETag string, err error)
 	UpdateIdentity(authenticationMethod string, nameOrIdentifier string, identityPut api.IdentityPut, ETag string) error
+	DeleteIdentity(authenticationMethod string, nameOrIdentifier string) error
 	GetIdentityProviderGroupNames() (identityProviderGroupNames []string, err error)
 	GetIdentityProviderGroups() (identityProviderGroups []api.IdentityProviderGroup, err error)
 	GetIdentityProviderGroup(identityProviderGroupName string) (identityProviderGroup *api.IdentityProviderGroup, ETag string, err error)

client/lxd_auth.go

@@ -261,6 +261,21 @@ func (r *ProtocolLXD) UpdateIdentity(authenticationMethod string, nameOrIdentife
 	return nil
 }
 
+// DeleteIdentity deletes the identity with the given authentication method and identifier (or name, if unique).
+func (r *ProtocolLXD) DeleteIdentity(authenticationMethod string, nameOrIdentifier string) error {
+	err := r.CheckExtension("access_management_tls")
+	if err != nil {
+		return err
+	}
+
+	_, _, err = r.query(http.MethodDelete, api.NewURL().Path("auth", "identities", authenticationMethod, nameOrIdentifier).String(), nil, "")
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // GetIdentityProviderGroupNames returns a list of identity provider group names.
 func (r *ProtocolLXD) GetIdentityProviderGroupNames() ([]string, error) {
 	err := r.CheckExtension("access_management")

doc/api-extensions.md

@@ -2480,3 +2480,24 @@ When set to `on`, if the host has guest attachment enabled, the guest can reques
 
 This adds entity type metadata to `GET /1.0/metadata/configuration`.
 The entity type metadata is a JSON object under the `entities` key.
+
+## `access_management_tls`
+
+Expands APIs under `/1.0/auth` to include:
+
+1. Creation of fine-grained TLS identities, whose permissions are managed via group membership.
+  This is performed via `POST /1.0/auth/identities/tls`.
+  If the request body contains `{"token": true}`, a token will be returned that may be used by a non-authenticated caller to gain trust with the LXD server (the caller must send their certificate during the TLS handshake).
+  If the request body contains `{"certificate": "<base64 encoded x509 certificate>"}"`, the identity will be created directly.
+  The request body may also specify an array of group names.
+  The caller must have `can_create_identities` on `server`.
+1. Deletion of OIDC and fine-grained TLS identities.
+  This is performed via `DELETE /1.0/auth/identities/tls/{nameOrFingerprint}` or `DELETE /1.0/auth/identities/oidc/{nameOrEmailAddress}`.
+  The caller must have `can_delete` on the identity. All identities may delete their own identity.
+  For OIDC identities this revokes all access but does not revoke trust (authentication is performed by the identity provider).
+  For fine-grained TLS identities, this revokes all access and revokes trust.
+1. Functionality to update the certificate of a fine-grained TLS identity.
+  This is performed via `PUT /1.0/auth/identities/tls/{nameOrFingerprint}` or `PATCH /1.0/auth/identities/tls/{nameOrFingerprint}`.
+  The caller must provide a base64 encoded x509 certificate in the `certificate` field of the request body.
+  Fine-grained TLS identities may update their own certificate.
+  To update the certificate of another identity, the caller must have `can_edit` on the identity.