open-edge-platform
diff --git a/‎apiv2/Makefile‎
Lines changed: 7 additions & 4 deletions b/‎apiv2/Makefile‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎apiv2/VERSION‎
Lines changed: 1 addition & 1 deletion b/‎apiv2/VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apiv2/cmd/api/main.go‎
Lines changed: 1 addition & 0 deletions b/‎apiv2/cmd/api/main.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apiv2/internal/common/config.go‎
Lines changed: 5 additions & 0 deletions b/‎apiv2/internal/common/config.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎apiv2/internal/common/utils.go‎
Lines changed: 38 additions & 0 deletions b/‎apiv2/internal/common/utils.go‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎apiv2/internal/common/utils_test.go‎
Lines changed: 141 additions & 0 deletions b/‎apiv2/internal/common/utils_test.go‎
Lines changed: 141 additions & 0 deletions
diff --git a/‎apiv2/internal/proxy/server.go‎
Lines changed: 50 additions & 26 deletions b/‎apiv2/internal/proxy/server.go‎
Lines changed: 50 additions & 26 deletions
@@ -87,7 +87,7 @@ COPYRIGHT_BANNER := '1i---\n\# SPDX-FileCopyrightText: (C) 2025 Intel Corporatio
 # Security config for Go builds
 GOEXTRAFLAGS := $(COMMON_GOEXTRAFLAGS)
 
-generate: buf-gen generate-api ## generate protos, types, server and client
+generate: buf-gen generate-api gen-allowed-services ## generate protos, types, server and client
 
 lint: $(OUT_DIR) generate buf-breaking validate-openapi license yamllint go-lint hadolint mdlint ## Run all lint
 
@@ -234,14 +234,14 @@ buf-update: common-buf-update ## Update buf modules
 
 buf-gen-api: $(VENV_NAME) ## Compile protoc api files into code
 	set +u; . ./$</bin/activate; set -u ;\
-  buf --version ;\
-  HUMAN=true buf generate
+  	buf --version ;\
+  	HUMAN=true buf generate
 
 buf-gen: buf-gen-api oapi-patch oapi-banner ## compile protoc files
 
 buf-lint: ## Lint and format protobuf files
 	buf --version
-	# TODO: currently failing buf format and buf lint - need to be fixed
+	# TODO: currently failing buf format and buf lint - needs to be fixed
 
 buf-breaking: common-buf-breaking
 
@@ -250,3 +250,6 @@ oasdiff-breaking: # Check for breaking changes in openapi using oasdiff
 	mkdir -p ${TEMP_BASE_OPENAPI_DIR}
 	git archive origin/${BASE_BRANCH} ${OPENAPI_PATH} | tar -x -C ${TEMP_BASE_OPENAPI_DIR}
 	oasdiff breaking --composed "${TEMP_BASE_OPENAPI_DIR}/${OPENAPI_PATH}"  "${OPENAPI_PATH}" --fail-on ERR
+
+gen-allowed-services: ## Generate allowed services list for EIM scenarios
+	go run ./tools/allowedservicesgen
@@ -1 +1 @@
-2.9.1
+2.9.2
@@ -136,6 +136,7 @@ func main() {
 			cfg.Inventory.CertPath,
 			cfg.Inventory.KeyPath,
 			cfg.RestServer.Authentication,
+			cfg.Scenario,
 		)
 	}()
 
 
@@ -38,6 +38,7 @@ const (
 	WstDefaultMaxConnectionsDescription = "The maximum number of concurrent websocket connections"
 	EnableAuditing                      = "enableAuditing"
 	EnableAuditingDescription           = "Flag to enable audit logs for REST API calls."
+	DefaultScenario                     = "fulleim"
 )
 
 type Traces struct {
@@ -83,6 +84,7 @@ type GlobalConfig struct {
 	Inventory      Southbound
 	Websocket      Websocket
 	EnableAuditing bool
+	Scenario       string
 }
 
 type Websocket struct {
@@ -124,6 +126,7 @@ func DefaultConfig() *GlobalConfig {
 		EnableAuditing: true,
 		GRPCAddress:    "0.0.0.0:8090",
 		GRPCEndpoint:   "localhost:8090",
+		Scenario:       DefaultScenario,
 	}
 }
 
@@ -162,6 +165,7 @@ func Config() (*GlobalConfig, error) {
 	enableAuditing := flag.Bool(EnableAuditing, defaultCfg.EnableAuditing, EnableAuditingDescription)
 	gRPCEndpoint := flag.String("grpcEndpoint", defaultCfg.GRPCEndpoint, "The endpoint of the gRPC server")
 	gRPCAddress := flag.String("grpcAddress", defaultCfg.GRPCEndpoint, "The gRPC server address")
+	scenario := flag.String("scenario", defaultCfg.Scenario, "The deployment scenario name (e.g., 'fulleim', 'vpro')")
 	flag.Parse()
 
 	return &GlobalConfig{
@@ -199,5 +203,6 @@ func Config() (*GlobalConfig, error) {
 		EnableAuditing: *enableAuditing,
 		GRPCEndpoint:   *gRPCEndpoint,
 		GRPCAddress:    *gRPCAddress,
+		Scenario:       *scenario,
 	}, nil
 }
@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+// SPDX-License-Identifier: Apache-2.0
+
+package common
+
+import (
+	"fmt"
+	"strings"
+)
+
+// BuildAllowedHandlersList builds a map of allowed services based on the scenario.
+func BuildAllowedHandlersList(scenarioName string, allowlist map[string][]string,
+	knownServices map[string]interface{},
+) (allowed map[string]struct{}, unknown []string, err error) {
+	allowedServices, ok := allowlist[scenarioName]
+	if !ok {
+		err := fmt.Errorf("unknown scenario %q", scenarioName)
+		return nil, nil, err
+	}
+
+	allowed = make(map[string]struct{}, len(allowedServices))
+	unknown = []string{}
+	for _, serviceName := range allowedServices {
+		serviceName = strings.TrimSpace(serviceName)
+		if serviceName == "" {
+			continue
+		}
+
+		// validate against the list of known services
+		if _, exists := knownServices[serviceName]; !exists {
+			unknown = append(unknown, serviceName)
+		} else {
+			allowed[serviceName] = struct{}{}
+		}
+	}
+
+	return allowed, unknown, nil
+}
@@ -0,0 +1,141 @@
+// SPDX-FileCopyrightText: (C) 2026 Intel Corporation
+// SPDX-License-Identifier: Apache-2.0
+
+package common_test
+
+import (
+	"testing"
+
+	"github.com/open-edge-platform/infra-core/apiv2/v2/internal/common"
+)
+
+func TestBuildAllowedHandlersList(t *testing.T) {
+	tests := []struct {
+		name          string
+		scenarioName  string
+		allowlist     map[string][]string
+		knownServices map[string]interface{}
+		wantLen       int
+		wantErr       bool
+		wantServices  []string
+	}{
+		{
+			name:         "valid scenario with services",
+			scenarioName: "test-scenario-full",
+			allowlist: map[string][]string{
+				"test-scenario-full": {"HostService", "LocationService", "ProviderService"},
+			},
+			knownServices: map[string]interface{}{
+				"HostService":     nil,
+				"LocationService": nil,
+				"ProviderService": nil,
+			},
+			wantLen:      3,
+			wantErr:      false,
+			wantServices: []string{"HostService", "LocationService", "ProviderService"},
+		},
+		{
+			name:         "unknown scenario",
+			scenarioName: "test-scenario-unknown",
+			allowlist: map[string][]string{
+				"test-scenario-full": {"HostService"},
+			},
+			knownServices: map[string]interface{}{
+				"HostService": nil,
+			},
+			wantLen: 0,
+			wantErr: true,
+		},
+		{
+			name:         "scenario with empty service names",
+			scenarioName: "test-scenario-empty",
+			allowlist: map[string][]string{
+				"test-scenario-empty": {"HostService", "  ", "", "LocationService"},
+			},
+			knownServices: map[string]interface{}{
+				"HostService":     nil,
+				"LocationService": nil,
+			},
+			wantLen:      2,
+			wantErr:      false,
+			wantServices: []string{"HostService", "LocationService"},
+		},
+		{
+			name:         "scenario with no services",
+			scenarioName: "test-scenario-minimal",
+			allowlist: map[string][]string{
+				"test-scenario-minimal": {},
+			},
+			knownServices: map[string]interface{}{},
+			wantLen:       0,
+			wantErr:       false,
+		},
+		{
+			name:         "scenario with whitespace in service names",
+			scenarioName: "test-scenario-whitespace",
+			allowlist: map[string][]string{
+				"test-scenario-whitespace": {"  HostService  ", "LocationService "},
+			},
+			knownServices: map[string]interface{}{
+				"HostService":     nil,
+				"LocationService": nil,
+			},
+			wantLen:      2,
+			wantErr:      false,
+			wantServices: []string{"HostService", "LocationService"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, _, err := common.BuildAllowedHandlersList(tt.scenarioName, tt.allowlist, tt.knownServices)
+
+			if (err != nil) != tt.wantErr {
+				t.Errorf("BuildAllowedHandlersList() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if err != nil {
+				return
+			}
+
+			if len(got) != tt.wantLen {
+				t.Errorf("BuildAllowedHandlersList() got map length %d, want %d", len(got), tt.wantLen)
+			}
+
+			for _, service := range tt.wantServices {
+				if _, exists := got[service]; !exists {
+					t.Errorf("BuildAllowedHandlersList() missing service %q in result", service)
+				}
+			}
+		})
+	}
+}
+
+func TestBuildAllowedHandlersList_UnregisteredService(t *testing.T) {
+	allowlist := map[string][]string{
+		"test-scenario-unregistered": {"HostService", "UnknownService"},
+	}
+
+	knownServices := map[string]interface{}{
+		"HostService": nil,
+		// UnknownService is not in the knownServices map
+	}
+
+	list, _, err := common.BuildAllowedHandlersList("test-scenario-unregistered", allowlist, knownServices)
+	if err != nil {
+		t.Errorf("BuildAllowedHandlersList() unexpected error: %v", err)
+	}
+
+	if len(list) != 1 {
+		t.Errorf("BuildAllowedHandlersList() got map length %d, want 1", len(list))
+	}
+
+	// Only known services should be in the allowed map
+	if _, exists := list["HostService"]; !exists {
+		t.Error("BuildAllowedHandlersList() missing HostService in result")
+	}
+	if _, exists := list["UnknownService"]; exists {
+		t.Error("BuildAllowedHandlersList() should not include UnknownService in result")
+	}
+}
@@ -17,6 +17,7 @@ import (
 
 	"github.com/open-edge-platform/infra-core/apiv2/v2/internal/common"
 	restv1 "github.com/open-edge-platform/infra-core/apiv2/v2/internal/pbapi/services/v1"
+	"github.com/open-edge-platform/infra-core/apiv2/v2/internal/scenario"
 	api "github.com/open-edge-platform/infra-core/apiv2/v2/pkg/api/v2"
 	inv_client "github.com/open-edge-platform/infra-core/inventory/v2/pkg/client"
 	"github.com/open-edge-platform/infra-core/inventory/v2/pkg/logging"
@@ -32,27 +33,26 @@ type serviceClientsSignature func(
 	endpoint string,
 	opts []grpc.DialOption) (err error)
 
-// servicesClients defines a list of all gRPC service clients that must be
-// registered to serve REST API.
-var servicesClients = []serviceClientsSignature{
-	restv1.RegisterRegionServiceHandlerFromEndpoint,
-	restv1.RegisterSiteServiceHandlerFromEndpoint,
-	restv1.RegisterLocationServiceHandlerFromEndpoint,
-	restv1.RegisterHostServiceHandlerFromEndpoint,
-	restv1.RegisterOperatingSystemServiceHandlerFromEndpoint,
-	restv1.RegisterInstanceServiceHandlerFromEndpoint,
-	restv1.RegisterScheduleServiceHandlerFromEndpoint,
-	restv1.RegisterWorkloadServiceHandlerFromEndpoint,
-	restv1.RegisterWorkloadMemberServiceHandlerFromEndpoint,
-	restv1.RegisterProviderServiceHandlerFromEndpoint,
-	restv1.RegisterTelemetryLogsGroupServiceHandlerFromEndpoint,
-	restv1.RegisterTelemetryMetricsGroupServiceHandlerFromEndpoint,
-	restv1.RegisterTelemetryMetricsProfileServiceHandlerFromEndpoint,
-	restv1.RegisterTelemetryLogsProfileServiceHandlerFromEndpoint,
-	restv1.RegisterLocalAccountServiceHandlerFromEndpoint,
-	restv1.RegisterCustomConfigServiceHandlerFromEndpoint,
-	restv1.RegisterOSUpdatePolicyHandlerFromEndpoint,
-	restv1.RegisterOSUpdateRunHandlerFromEndpoint,
+// servicesClients maps gRPC service names to their grpc-gateway registration functions.
+var servicesClients = map[string]serviceClientsSignature{
+	"RegionService":                  restv1.RegisterRegionServiceHandlerFromEndpoint,
+	"SiteService":                    restv1.RegisterSiteServiceHandlerFromEndpoint,
+	"LocationService":                restv1.RegisterLocationServiceHandlerFromEndpoint,
+	"HostService":                    restv1.RegisterHostServiceHandlerFromEndpoint,
+	"OperatingSystemService":         restv1.RegisterOperatingSystemServiceHandlerFromEndpoint,
+	"InstanceService":                restv1.RegisterInstanceServiceHandlerFromEndpoint,
+	"ScheduleService":                restv1.RegisterScheduleServiceHandlerFromEndpoint,
+	"WorkloadService":                restv1.RegisterWorkloadServiceHandlerFromEndpoint,
+	"WorkloadMemberService":          restv1.RegisterWorkloadMemberServiceHandlerFromEndpoint,
+	"ProviderService":                restv1.RegisterProviderServiceHandlerFromEndpoint,
+	"TelemetryLogsGroupService":      restv1.RegisterTelemetryLogsGroupServiceHandlerFromEndpoint,
+	"TelemetryMetricsGroupService":   restv1.RegisterTelemetryMetricsGroupServiceHandlerFromEndpoint,
+	"TelemetryMetricsProfileService": restv1.RegisterTelemetryMetricsProfileServiceHandlerFromEndpoint,
+	"TelemetryLogsProfileService":    restv1.RegisterTelemetryLogsProfileServiceHandlerFromEndpoint,
+	"LocalAccountService":            restv1.RegisterLocalAccountServiceHandlerFromEndpoint,
+	"CustomConfigService":            restv1.RegisterCustomConfigServiceHandlerFromEndpoint,
+	"OSUpdatePolicyService":          restv1.RegisterOSUpdatePolicyHandlerFromEndpoint,
+	"OSUpdateRunService":             restv1.RegisterOSUpdateRunHandlerFromEndpoint,
 }
 
 const (
@@ -90,18 +90,42 @@ func WrapH(h http.Handler) echo.HandlerFunc {
 }
 
 func (m *Manager) setupClients(mux *runtime.ServeMux) error {
-	for _, serviceClient := range servicesClients {
-		err := serviceClient(m.ctx, mux, m.cfg.GRPCEndpoint,
+	scenarioName := m.cfg.Scenario
+	if scenarioName == "" {
+		return fmt.Errorf("scenario is not set in config")
+	}
+
+	// build a map of allowed services for quick lookup
+	allowed, err := BuildAllowedClientList(scenarioName, scenario.Allowlist)
+	if err != nil {
+		return err
+	}
+
+	for serviceName, serviceClient := range servicesClients {
+		if _, isAllowed := allowed[serviceName]; !isAllowed {
+			zlog.Debug().Str("service", serviceName).Str("scenario", scenarioName).
+				Msg("skipping service client not allowed for scenario")
+			continue
+		}
+
+		if err := serviceClient(
+			m.ctx,
+			mux,
+			m.cfg.GRPCEndpoint,
 			[]grpc.DialOption{
 				grpc.WithTransportCredentials(insecure.NewCredentials()),
 				// Use Inventory client max message size, to keep Inventory and API consistent.
 				grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(inv_client.MaxMessageSize)),
-			})
-		if err != nil {
-			zlog.InfraErr(err).Msgf("failed to set service client %v", serviceClient)
+			},
+		); err != nil {
+			zlog.InfraErr(err).Str("service", serviceName).Str("scenario", scenarioName).
+				Msg("failed to set service client")
 			return err
 		}
+
+		zlog.Info().Str("service", serviceName).Str("scenario", scenarioName).Msg("registered gRPC client")
 	}
+
 	return nil
 }
Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,7 @@ func main() {`
`136`	`136`	`cfg.Inventory.CertPath,`
`137`	`137`	`cfg.Inventory.KeyPath,`
`138`	`138`	`cfg.RestServer.Authentication,`
	`139`	`+ cfg.Scenario,`
`139`	`140`	`)`
`140`	`141`	`}()`
`141`	`142`