diff --git a/Cargo.lock b/Cargo.lock
index 085a315eb2888d6ff50a8c1ca73204a577a7cdf1..d8b36fb54209ceb8b1e7988b365877d08f5654dd 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1958,6 +1958,7 @@ dependencies = [
"rstest",
"serde",
"ssh-key",
+ "strum",
"testdir",
"testresult",
"thiserror 2.0.11",
diff --git a/Cargo.toml b/Cargo.toml
index 94dd3cb4ae8c60318fac35136abcb4ee9dfd8102..1fd969e3fa7471b51aa1050377117c1424b5c1ec 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -13,6 +13,7 @@ members = [
[workspace.dependencies]
chrono = "0.4.38"
clap = { version = "4.5.23", features = ["derive", "env"] }
+confy = "0.6.1"
ed25519-dalek = "2.1.1"
nethsm = { path = "nethsm", version = "0.7.3" }
nethsm-backup = { path = "nethsm-backup", version = "0.1.0" }
@@ -38,6 +39,7 @@ thiserror = "2.0.4"
tokio = { version = "1.42.0", features = ["macros"] }
ureq = "2.12.1"
uuid = { version = "1.11.0", features = ["v7"] }
+zeroize = { version = "1.8.1", features = ["zeroize_derive", "serde"] }
[workspace.package]
authors = [
diff --git a/nethsm-config/Cargo.toml b/nethsm-config/Cargo.toml
index c76a3a7730efe51f60a7fd75d45b2765d414acff..4d08c3582276bb0f612f1af8595f735c3e67ca2c 100644
--- a/nethsm-config/Cargo.toml
+++ b/nethsm-config/Cargo.toml
@@ -10,14 +10,15 @@ repository.workspace = true
version = "0.2.2"
[dependencies]
-confy = "0.6.1"
+confy.workspace = true
nethsm.workspace = true
rpassword = "7.3.1"
rprompt = "2.1.1"
serde.workspace = true
ssh-key = "0.6.7"
+strum.workspace = true
thiserror.workspace = true
-zeroize = { version = "1.8.1", features = ["zeroize_derive", "serde"] }
+zeroize.workspace = true
[dev-dependencies]
dirs = "6.0.0"
diff --git a/nethsm-config/src/config.rs b/nethsm-config/src/config.rs
index 3612a9b95f03ce427b1d331529ed817c94e7fd6b..58e5ef96d871139f8bdaf9f4b78ad0891d245c3b 100644
--- a/nethsm-config/src/config.rs
+++ b/nethsm-config/src/config.rs
@@ -10,7 +10,14 @@ use std::{
use nethsm::{ConnectionSecurity, Credentials, KeyId, NetHsm, Passphrase, Url, UserId, UserRole};
use serde::{Deserialize, Serialize};
-use crate::{ConfigCredentials, PassphrasePrompt, SystemUserId, UserMapping, UserPrompt};
+use crate::{
+ ConfigCredentials,
+ ExtendedUserMapping,
+ PassphrasePrompt,
+ SystemUserId,
+ UserMapping,
+ UserPrompt,
+};
/// Errors related to configuration
#[derive(Debug, thiserror::Error)]
@@ -54,6 +61,10 @@ pub enum Error {
#[error("No user matching one of the requested roles ({0:?}) exists")]
NoMatchingCredentials(Vec<UserRole>),
+ /// There is no mapping for a provided system user name.
+ #[error("No mapping found where a system user matches the name {name}")]
+ NoMatchingMappingForSystemUser { name: String },
+
/// Shamir's Secret Sharing (SSS) is not used for administrative secret handling, but users for
/// handling of secret shares are defined
#[error(
@@ -1521,8 +1532,20 @@ pub enum AdministrativeSecretHandling {
///
/// Non-administrative secrets represent passphrases for (non-Administrator) NetHSM users and may be
/// handled in different ways (e.g. encrypted or not encrypted).
-#[derive(Clone, Copy, Debug, Default, Deserialize, Eq, PartialEq, Serialize)]
+#[derive(
+ Clone,
+ Copy,
+ Debug,
+ Default,
+ Deserialize,
+ strum::Display,
+ strum::EnumString,
+ Eq,
+ PartialEq,
+ Serialize,
+)]
#[serde(rename_all = "kebab-case")]
+#[strum(serialize_all = "kebab-case")]
pub enum NonAdministrativeSecretHandling {
/// Each non-administrative secret is handled in a plaintext file in a non-volatile
/// directory.
@@ -2137,6 +2160,40 @@ impl HermeticParallelConfig {
self.users.iter()
}
+ /// Returns the [`AdministrativeSecretHandling`].
+ pub fn get_administrative_secret_handling(&self) -> AdministrativeSecretHandling {
+ self.admin_secret_handling
+ }
+
+ /// Returns the [`NonAdministrativeSecretHandling`].
+ pub fn get_non_administrative_secret_handling(&self) -> NonAdministrativeSecretHandling {
+ self.non_admin_secret_handling
+ }
+
+ /// Returns an [`ExtendedUserMapping`] for a system user of `name` if it exists.
+ ///
+ /// # Errors
+ ///
+ /// Returns an error if no [`UserMapping`] with a [`SystemUserId`] matching `name` is found.
+ pub fn get_extended_mapping_for_user(&self, name: &str) -> Result<ExtendedUserMapping, Error> {
+ for user_mapping in self.users.iter() {
+ if user_mapping
+ .get_system_user()
+ .is_some_and(|system_user| system_user.as_ref() == name)
+ {
+ return Ok(ExtendedUserMapping::new(
+ self.admin_secret_handling,
+ self.non_admin_secret_handling,
+ self.connections.clone(),
+ user_mapping.clone(),
+ ));
+ }
+ }
+ Err(Error::NoMatchingMappingForSystemUser {
+ name: name.to_string(),
+ })
+ }
+
/// Validates the components of the [`HermeticParallelConfig`].
fn validate(&self) -> Result<(), Error> {
// ensure there are no duplicate system users
diff --git a/nethsm-config/src/lib.rs b/nethsm-config/src/lib.rs
index 1c8e7d43bcf762f8dff8c3d383c0cb9e8e1f2d1e..ccccf4a8050ba75a75a78ee04175221cd130ef1e 100644
--- a/nethsm-config/src/lib.rs
+++ b/nethsm-config/src/lib.rs
@@ -73,5 +73,5 @@ pub use credentials::{
SystemUserId,
SystemWideUserId,
};
-pub use mapping::{NetHsmMetricsUsers, UserMapping};
+pub use mapping::{ExtendedUserMapping, NetHsmMetricsUsers, UserMapping};
pub use prompt::{PassphrasePrompt, UserPrompt};
diff --git a/nethsm-config/src/mapping.rs b/nethsm-config/src/mapping.rs
index 777ad4161de6af94e2942dee70b632406701ef1b..a1c893f3e549adadbbd5b5842ff9338aa125dbbd 100644
--- a/nethsm-config/src/mapping.rs
+++ b/nethsm-config/src/mapping.rs
@@ -1,7 +1,20 @@
+use std::collections::HashSet;
+
+#[cfg(doc)]
+use nethsm::NetHsm;
use nethsm::{KeyId, SigningKeySetup, UserId};
use serde::{Deserialize, Serialize};
-use crate::{AuthorizedKeyEntry, AuthorizedKeyEntryList, SystemUserId, SystemWideUserId};
+use crate::{
+ AdministrativeSecretHandling,
+ AuthorizedKeyEntry,
+ AuthorizedKeyEntryList,
+ Connection,
+ HermeticParallelConfig,
+ NonAdministrativeSecretHandling,
+ SystemUserId,
+ SystemWideUserId,
+};
/// Errors related to mapping
#[derive(Debug, thiserror::Error)]
@@ -616,4 +629,122 @@ impl UserMapping {
} => vec![],
}
}
+
+ /// Returns whether the mapping has both system and [`NetHsm`] users.
+ ///
+ /// Returns `true` if the `self` has at least one system and one [`NetHsm`] user, and `false`
+ /// otherwise.
+ pub fn has_system_and_nethsm_user(&self) -> bool {
+ match self {
+ UserMapping::SystemNetHsmOperatorSigning {
+ nethsm_user: _,
+ nethsm_key_setup: _,
+ system_user: _,
+ ssh_authorized_key: _,
+ tag: _,
+ }
+ | UserMapping::HermeticSystemNetHsmMetrics {
+ nethsm_users: _,
+ system_user: _,
+ }
+ | UserMapping::SystemNetHsmMetrics {
+ nethsm_users: _,
+ system_user: _,
+ ssh_authorized_key: _,
+ }
+ | UserMapping::SystemNetHsmBackup {
+ nethsm_user: _,
+ system_user: _,
+ ssh_authorized_key: _,
+ } => true,
+ UserMapping::SystemOnlyShareDownload {
+ system_user: _,
+ ssh_authorized_keys: _,
+ }
+ | UserMapping::SystemOnlyShareUpload {
+ system_user: _,
+ ssh_authorized_keys: _,
+ }
+ | UserMapping::SystemOnlyWireGuardDownload {
+ system_user: _,
+ ssh_authorized_keys: _,
+ }
+ | UserMapping::NetHsmOnlyAdmin(_) => false,
+ }
+ }
+}
+
+/// A [`UserMapping`] centric view of a [`HermeticParallelConfig`].
+///
+/// Wraps a single [`UserMapping`], as well as the system-wide [`AdministrativeSecretHandling`],
+/// [`NonAdministrativeSecretHandling`] and [`Connection`]s.
+#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
+pub struct ExtendedUserMapping {
+ admin_secret_handling: AdministrativeSecretHandling,
+ non_admin_secret_handling: NonAdministrativeSecretHandling,
+ connections: HashSet<Connection>,
+ user_mapping: UserMapping,
+}
+
+impl ExtendedUserMapping {
+ /// Creates a new [`ExtendedUserMapping`].
+ pub fn new(
+ admin_secret_handling: AdministrativeSecretHandling,
+ non_admin_secret_handling: NonAdministrativeSecretHandling,
+ connections: HashSet<Connection>,
+ user_mapping: UserMapping,
+ ) -> Self {
+ Self {
+ admin_secret_handling,
+ non_admin_secret_handling,
+ connections,
+ user_mapping,
+ }
+ }
+
+ /// Returns the [`AdministrativeSecretHandling`].
+ pub fn get_admin_secret_handling(&self) -> AdministrativeSecretHandling {
+ self.admin_secret_handling
+ }
+
+ /// Returns the [`Connection`]s.
+ pub fn get_connections(&self) -> HashSet<Connection> {
+ self.connections.clone()
+ }
+
+ /// Returns the [`NonAdministrativeSecretHandling`].
+ pub fn get_non_admin_secret_handling(&self) -> NonAdministrativeSecretHandling {
+ self.non_admin_secret_handling
+ }
+
+ /// Returns the [`UserMapping`].
+ pub fn get_user_mapping(&self) -> &UserMapping {
+ &self.user_mapping
+ }
+}
+
+impl From<HermeticParallelConfig> for Vec<ExtendedUserMapping> {
+ /// Creates a `Vec` of [`ExtendedUserMapping`] from a [`HermeticParallelConfig`].
+ ///
+ /// A [`UserMapping`] can not be aware of credentials if it does not track at least one
+ /// [`SystemUserId`] and one [`UserId`]. Therefore only those [`UserMapping`]s for which
+ /// [`has_system_and_nethsm_user`](UserMapping::has_system_and_nethsm_user) returns `true` are
+ /// returned.
+ fn from(value: HermeticParallelConfig) -> Self {
+ value
+ .iter_user_mappings()
+ .filter_map(|mapping| {
+ if mapping.has_system_and_nethsm_user() {
+ Some(ExtendedUserMapping {
+ admin_secret_handling: value.get_administrative_secret_handling(),
+ non_admin_secret_handling: value.get_non_administrative_secret_handling(),
+ connections: value.iter_connections().cloned().collect(),
+ user_mapping: mapping.clone(),
+ })
+ } else {
+ None
+ }
+ })
+ .collect()
+ }
}