
capsec_core/
error.rs

//! Error types for the capsec capability system.
/// Errors that can occur when using capsec capabilities.
///
/// Most commonly seen when an [`Attenuated`](crate::attenuate::Attenuated) capability
/// rejects an operation that falls outside its scope.
///
/// The enum is `#[non_exhaustive]`, so code in other crates that matches on it
/// needs a wildcard arm. Callers making an access decision should treat any
/// variant they do not recognise as a denial rather than falling through to
/// the permitted path.
#[derive(Debug, thiserror::Error)]
#[non_exhaustive]
pub enum CapSecError {
    /// The target of a capability operation is outside the granted scope.
    ///
    /// For example, trying to read `/etc/passwd` with a `DirScope` restricted to `/tmp`.
    ///
    /// Both the `Display` message below and the derived `Debug` output include
    /// the two fields verbatim.
    /// NOTE(review): if `target` can originate from untrusted input, escape it
    /// before writing it to logs, and avoid returning the full message to a
    /// remote caller, since it reveals the requested target and the configured
    /// scope. Confirm against the call sites that construct this variant.
    #[error("capability target '{target}' is outside scope: {scope}")]
    OutOfScope {
        /// The path or address that was rejected.
        target: String,
        /// Description of the allowed scope.
        scope: String,
    },

    /// An I/O error from the underlying `std` operation.
    ///
    /// `#[error(transparent)]` forwards `Display` and `source()` to the wrapped
    /// error, so its message is passed through unchanged. `#[from]` generates
    /// `From<std::io::Error>`, which lets `?` convert I/O failures into this
    /// variant.
    #[error(transparent)]
    Io(#[from] std::io::Error),

    /// The capability was revoked via its associated `Revoker`.
    ///
    /// Carries no data: the message does not identify which capability was
    /// revoked, so record that context at the call site if it is needed for
    /// auditing.
    #[error("capability has been revoked")]
    Revoked,

    /// The capability has expired (TTL elapsed).
    ///
    /// Carries no data: the message does not identify which capability expired
    /// or when.
    #[error("capability has expired")]
    Expired,
}