Skip to main content

Rule

cellos_core::authority

Enum Rule

pub enum Rule {
Show 17 variants    RawSniObserved,
    RawHostHeaderObserved,
    RawH2AuthorityObserved,
    SniHostMatch,
    H2AuthorityHostMatch,
    SniCdnProviderMatch,
    JwsSignatureVerified,
    DaneTlsaBound,
    SvidChainVerified,
    EchDetected,
    EncryptedInnerSni,
    MitmHandshakeTerminated,
    GuestProcSpawnObserved,
    GuestProcExitObserved,
    GuestFsInotifyFired,
    GuestCapDenialObserved,
    GuestNetConnectAttempted,
}

Expand description

Named rules per docs/authority-derivation-graph.md. Adding a new rule requires updating that document AND canonical_class_for_rule.

Variants§

RawSniObserved

SNI parsed from ClientHello, no cross-check.

RawHostHeaderObserved

Host header parsed, no cross-check.

RawH2AuthorityObserved

h2 :authority parsed.

SniHostMatch

SNI value byte-equals Host value (post-IDN, post-port-strip).

H2AuthorityHostMatch

h2 :authority matches HTTP/1.x Host on the same flow.

SniCdnProviderMatch

SNI matches a declared cdnAuthority.providers[].hostnamePattern.

JwsSignatureVerified

Workload-signed authority claim verified against cell-ephemeral key.

DaneTlsaBound

Upstream cert chain matches DNSSEC-validated TLSA record.

SvidChainVerified

SPIFFE SVID chain verified (future).

EchDetected

encrypted_client_hello extension present.

EncryptedInnerSni

Successor to ECH_DETECTED when more state available.

MitmHandshakeTerminated

Stack 3 / M2 only.

GuestProcSpawnObserved

In-VM agent declared a process spawn (ADR-0006).

GuestProcExitObserved

In-VM agent declared a process exit (ADR-0006).

GuestFsInotifyFired

In-VM agent declared an inotify watch firing (ADR-0006).

GuestCapDenialObserved

In-VM agent declared a capability denial (ADR-0006).

GuestNetConnectAttempted

In-VM agent declared a connect() attempt (ADR-0006).

Trait Implementations§

impl Clone for Rule

fn clone(&self) -> Rule

Returns a duplicate of the value. Read more

1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

impl Debug for Rule

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

impl<'de> Deserialize<'de> for Rule

fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more

impl Hash for Rule

fn hash<H: Hasher>(&self, state: &mut H)

Feeds this value into the given Hasher. Read more

1.3.0 · Source§

fn hash_slice<H>(data: &[Self], state: &mut H)
where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher. Read more

impl PartialEq for Rule

fn eq(&self, other: &Rule) -> bool

Tests for self and other values to be equal, and is used by ==.

1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Rule

fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where S: Serializer,

Serialize this value into the given Serde serializer. Read more

impl Copy for Rule

impl Eq for Rule

impl StructuralPartialEq for Rule

Auto Trait Implementations§

impl Freeze for Rule

impl RefUnwindSafe for Rule

impl Send for Rule

impl Sync for Rule

impl Unpin for Rule

impl UnsafeUnpin for Rule

impl UnwindSafe for Rule

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)

Performs copy-assignment from self to dest. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,