hsm available now comes from keycloak https://jira.cscs.ch/browse/PSI…

…CSCS-155

Cargo.toml

@@ -15,8 +15,8 @@ publish = false # cargo dist --> Avoid publishing to crates.io
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-mesa = "0.16.5"
-# mesa = { path = "../mesa" } # Only for development purposes
+# mesa = "0.16.5"
+mesa = { path = "../mesa" } # Only for development purposes
 chrono = "0.4.31"
 anyhow = "1.0.44"
 reqwest = { version = "0.11", features = ["blocking", "json", "rustls-tls", "socks"] }

build.rs

@@ -9,7 +9,7 @@ fn main() -> Result<(), Error> {
         Some(outdir) => outdir,
     };
 
-    let mut cmd = build_cli(None, Vec::new());
+    let mut cmd = build_cli(None, &Vec::new());
     let path = generate_to(
         Bash, &mut cmd, // We need to specify what generator to use
         "manta",  // We need to specify the bin name manually

src/cli/build.rs

@@ -2,7 +2,7 @@ use clap::{arg, value_parser, ArgAction, ArgGroup, Command};
 
 use std::path::PathBuf;
 
-pub fn build_cli(hsm_group: Option<&String>, hsm_available_vec: Vec<String>) -> Command {
+pub fn build_cli(hsm_group: Option<&String>, hsm_available_vec: &[String]) -> Command {
     Command::new(env!("CARGO_PKG_NAME"))
         .term_width(100)
         .version(env!("CARGO_PKG_VERSION"))
@@ -78,7 +78,7 @@ pub fn build_cli(hsm_group: Option<&String>, hsm_available_vec: Vec<String>) ->
         .subcommand(subcommand_config(hsm_available_vec))
 }
 
-pub fn subcommand_config(hsm_available_opt: Vec<String>) -> Command {
+pub fn subcommand_config(hsm_available_opt: &[String]) -> Command {
     // Enforce user to chose a HSM group is hsm_available config param is not empty. This is to
     // make sure tenants like PSI won't unset parameter hsm_group and take over all HSM groups.
     // NOTE: by default 'manta config set hsm' will unset the hsm_group config value and the user

src/cli/commands/config_set.rs

@@ -8,6 +8,7 @@ pub async fn exec(
     shasta_base_url: &str,
     shasta_root_cert: &[u8],
     new_hsm_opt: Option<&String>,
+    all_hsm_available_vec: &[String],
 ) {
     // Read configuration file
 
@@ -35,33 +36,14 @@ pub async fn exec(
         .expect("ERROR: could not parse configuration file to TOML");
 
     // VALIDATION
-    let hsm_available_vec;
-    if doc.get("hsm_available").is_some()
-        && doc["hsm_available"].as_array().is_some()
-        && !doc["hsm_available"].as_array().unwrap().is_empty()
-    {
+    if !all_hsm_available_vec.is_empty() {
         // If hsm_available config param has values, then a tenant is running manta ==> enfore
         // config param 'hsm_group' has a value from 'hsm_available' because tenants can't unset
         // 'hsm_group' otherwise they will be able to operate on any HSM group in the system.
         // Note: tenants can't modify the configuration file directly because of manta runs as
         // manta user using sticky bit
-        hsm_available_vec = doc["hsm_available"]
-            .as_array()
-            .unwrap()
-            .iter()
-            .map(|hsm_group_value| hsm_group_value.as_str().unwrap().to_string())
-            .collect::<Vec<String>>();
-
-        /* if new_hsm_opt.is_none() {
-            println!("new hsm is empty!");
-            eprintln!(
-                "Please provide one of the following HSM values {:?}",
-                hsm_available_vec
-            );
-            std::process::exit(1);
-        } */
-
-        validate_hsm_group_and_hsm_available_config_params(new_hsm_opt.unwrap(), hsm_available_vec);
+
+        validate_hsm_group_and_hsm_available_config_params(new_hsm_opt.unwrap(), all_hsm_available_vec);
 
         // All goot, we are safe to update 'hsm_group' config param
         log::info!(
@@ -74,13 +56,13 @@ pub async fn exec(
         // 'hsm_available' config param is empty or does not exists, then an admin user is running
         // manta and 'hsm_group' config param is empty or does not exists, then it is safe to remove
         // this param from the config file
-        log::info!("New HSM value not provided. Unset 'hsm_group' config param");
-        doc.remove("hsm_group");
+        //
+        // NOTHING TO DO
     } else {
         // 'hsm_available' config param is empty or does not exists (an admin user is running manta)
         // and 'hsm_group' has a value, then we fetch all HSM groups from CSM and check the user is
         // asking to put a valid HSM group in the configuration file
-        hsm_available_vec = mesa::shasta::hsm::http_client::get_all_hsm_groups(
+        let all_hsm_available_vec = mesa::shasta::hsm::http_client::get_all_hsm_groups(
             shasta_token,
             shasta_base_url,
             shasta_root_cert,
@@ -91,7 +73,7 @@ pub async fn exec(
         .map(|hsm_group_value| hsm_group_value["label"].as_str().unwrap().to_string())
         .collect::<Vec<String>>();
 
-        validate_hsm_group_and_hsm_available_config_params(new_hsm_opt.unwrap(), hsm_available_vec);
+        validate_hsm_group_and_hsm_available_config_params(new_hsm_opt.unwrap(), &all_hsm_available_vec);
 
         // All goot, we are safe to update 'hsm_group' config param
         log::info!(
@@ -125,7 +107,7 @@ pub async fn exec(
 
 pub fn validate_hsm_group_and_hsm_available_config_params(
     hsm_group: &String,
-    hsm_available_vec: Vec<String>,
+    hsm_available_vec: &[String],
 ) {
     if !hsm_available_vec.contains(hsm_group) {
         eprintln!(

src/cli/commands/config_show.rs

@@ -1,4 +1,4 @@
-use crate::common::config_ops;
+use crate::common::{config_ops, jwt_ops};
 
 /// Prints Manta's configuration on screen
 pub async fn exec(shasta_token: &str, shasta_base_url: &str, shasta_root_cert: &[u8]) {
@@ -14,15 +14,28 @@ pub async fn exec(shasta_token: &str, shasta_base_url: &str, shasta_root_cert: &
     let k8s_api_url = settings.get_string("k8s_api_url").unwrap();
     let log_level = settings.get_string("log").unwrap_or("error".to_string()); */
     let settings_hsm_group = settings.get_string("hsm_group").unwrap_or("".to_string());
-    let settings_hsm_group_available_value_rslt = settings.get_array("hsm_available");
+    // let settings_hsm_group_available_value_rslt = settings.get_array("hsm_available");
+
+    let mut realm_access_role_vec = jwt_ops::get_claims_from_jwt_token(&shasta_token)
+        .unwrap()
+        .pointer("/realm_access/roles")
+        .unwrap()
+        .as_array()
+        .unwrap_or(&Vec::new())
+        .iter()
+        .map(|role_value| role_value.as_str().unwrap().to_string())
+        .collect::<Vec<String>>();
+
+    realm_access_role_vec
+        .retain(|role| !role.eq("offline_access") && !role.eq("uma_authorization"));
+
+    // println!("JWT token resour_access:\n{:?}", realm_access_role_vec);
+
+    let settings_hsm_available_vec = realm_access_role_vec;
 
     let hsm_group_available: String =
-        if let Ok(hsm_group_available_value) = settings_hsm_group_available_value_rslt {
-            hsm_group_available_value
-                .into_iter()
-                .map(|hsm_group| hsm_group.into_string().unwrap())
-                .collect::<Vec<String>>()
-                .join(", ")
+        if !settings_hsm_available_vec.is_empty() {
+           settings_hsm_available_vec.join(", ")
         } else {
             mesa::shasta::hsm::http_client::get_all_hsm_groups(
                 shasta_token,