manta-server 2.0.0-beta.61

Manta HTTP server — single API that proxies to CSM / Ochami backends.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

//! Authentication service — proxies CLI credential exchange to the
//! configured CSM/OCHAMI backend.
//!
//! The CLI never talks to Keycloak directly; it POSTs username+password
//! to `manta-server /api/v1/auth/token`, which calls
//! `backend.get_api_token` on the user's behalf and returns the CSM
//! bearer token. `validate_api_token` exposes a lightweight
//! "is-this-token-still-valid" probe the CLI can call before sending
//! a long-running request that would otherwise fail mid-flight.

use std::time::Instant;

use manta_backend_dispatcher::error::Error;
use manta_backend_dispatcher::interfaces::authentication::AuthenticationTrait;

use crate::server::common::app_context::InfraContext;

/// Exchange `username` + `password` for a CSM bearer token via the
/// site's configured backend.
#[tracing::instrument(
  skip_all,
  fields(
    site = %infra.site_name,
    backend = %infra.backend_kind(),
    backend_url = %infra.shasta_base_url,
  )
)]
pub async fn get_api_token(
  infra: &InfraContext<'_>,
  username: &str,
  password: &str,
) -> Result<String, Error> {
  tracing::info!(user = %username, "backend: requesting token");
  let started = Instant::now();
  infra
    .backend
    .get_api_token(username, password)
    .await
    .inspect(|_| {
      tracing::debug!(
        user = %username,
        elapsed_ms = u64::try_from(started.elapsed().as_millis()).unwrap_or(u64::MAX),
        "backend: token issued"
      );
    })
    .inspect_err(|e| {
      tracing::warn!(
        user = %username,
        elapsed_ms = u64::try_from(started.elapsed().as_millis()).unwrap_or(u64::MAX),
        error = %e,
        "backend: token request rejected"
      );
    })
}

/// Verify that `token` is still accepted by the site's backend.
#[tracing::instrument(
  skip_all,
  fields(
    site = %infra.site_name,
    backend = %infra.backend_kind(),
    backend_url = %infra.shasta_base_url,
  )
)]
pub async fn validate_api_token(
  infra: &InfraContext<'_>,
  token: &str,
) -> Result<(), Error> {
  tracing::info!("backend: validating token");
  let started = Instant::now();
  infra
    .backend
    .validate_api_token(token)
    .await
    .inspect(|()| {
      tracing::debug!(
        elapsed_ms = u64::try_from(started.elapsed().as_millis()).unwrap_or(u64::MAX),
        "backend: token accepted"
      );
    })
    .inspect_err(|e| {
      tracing::warn!(
        elapsed_ms = u64::try_from(started.elapsed().as_millis()).unwrap_or(u64::MAX),
        error = %e,
        "backend: token validation rejected"
      );
    })
}