1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401

//! Check yourself before you wreck yourself.
//!
//! This is a small utility library inspired by the ideas of "Parse, don't validate"<sup>[1]</sup>
//! and its follow-up, "Names are not type safety"<sup>[2]</sup>. Its goal is to extend the idea to
//! checking invariants more generally.
//!
//! [1]: https://lexi-lambda.github.io/blog/2019/11/05/parse-don-t-validate/
//! [2]: https://lexi-lambda.github.io/blog/2020/11/01/names-are-not-type-safety/
//!
//! # Motivating example
//!
//! The motivating use-case for this crate was validating signed messages. Consider a `Signed`
//! struct like the following:
//!
//! ```
//! # struct PublicKey;
//! # struct Signature;
//! struct Signed {
//!     payload: Vec<u8>,
//!     public_key: PublicKey,
//!     signature: Signature,
//! }
//! ```
//!
//! The struct contains a payload, a public key, and a signature. Let's give the struct a `validate`
//! method that we could use to check for validity:
//!
//! ```
//! # struct PublicKey;
//! # type Error = ();
//! # impl PublicKey {
//! #     fn verify(&self, payload: &[u8], signature: &Signature) -> Result<(), Error> {
//! #         todo!()
//! #     }
//! # }
//! # struct Signature;
//! # struct Signed {
//! #     payload: Vec<u8>,
//! #     public_key: PublicKey,
//! #     signature: Signature,
//! # }
//! impl Signed {
//!     fn validate(&self) -> Result<(), Error> {
//!         self.public_key.verify(&self.payload, &self.signature)
//!     }
//! }
//! ```
//!
//! Now when we find a `Signed` we're able to verify it. Of course, whenever we see a `Signed` in
//! our code, it may not immediately be clear whether it has been checked yet. In particular, if
//! `Signed` appears in another struct, or as a signature to some method, has it already been
//! checked? Should we check it anyway?
//!
//! It's possible to manage this with disciplined use of documentation and convention, making it
//! clear where signatures should be validated and relying on that being the case later in the call
//! stack. However discipline is not always a reliable tool, particularly in an evolving codebase
//! with multiple contributors. Perhaps we can do something better?
//!
//! ## Parse, don't validate
//!
//! This is where the ideas from "Parse, don't validate" come in. Specifically, rather than
//! validating a `Signed` instance, we could 'parse' it into something else, such as
//! `CheckedSigned`:
//!
//! ```
//! # struct PublicKey;
//! # type Error = ();
//! # impl PublicKey {
//! #     fn verify(&self, payload: &[u8], signature: &Signature) -> Result<(), Error> {
//! #         todo!()
//! #     }
//! # }
//! # struct Signature;
//! # struct Signed {
//! #     payload: Vec<u8>,
//! #     public_key: PublicKey,
//! #     signature: Signature,
//! # }
//! /// A [`Signed`] that has been checked and confirmed to be valid.
//! struct CheckedSigned(Signed);
//!
//! impl CheckedSigned {
//!     fn try_from(signed: Signed) -> Result<Self, Error> {
//!         signed.public_key.verify(&signed.payload, &signed.signature)?;
//!         Ok(Self(signed))
//!     }
//! }
//! ```
//!
//! By having `CheckedSigned` in its own module, and keeping its field private, we can guarantee
//! that the only way to construct one is via the `try_from` method, which performs the check. This
//! means that structs and functions can use `CheckedSigned` and safely assume that the signature is
//! valid.
//!
//! ```
//! # struct CheckedSigned;
//! fn process_message(message: CheckedSigned) {
//!     /* ... */
//! }
//!
//! // Or
//!
//! struct ProcessMessage {
//!     message: CheckedSigned,
//! }
//! ```
//!
//! It's immediately clear in both cases that `message` has already been checked, and is known to be
//! valid.
//!
//! So far so good, but since `CheckedSigned`'s field is private, we've lost direct access to the
//! inner value. Rust makes it easy to recover some functionality here by implementing
//! [`Deref`](core::ops::Deref) for `CheckedSigned`:
//!
//! ```
//! # struct Signed;
//! # struct CheckedSigned(Signed);
//! impl core::ops::Deref for CheckedSigned {
//!     type Target = Signed;
//!     fn deref(&self) -> &Self::Target {
//!         &self.0
//!     }
//! }
//! ```
//!
//! This allows `Signed` methods with the `&self` receiver to be called directly on `CheckedSigned`
//! instances.
//!
//! ## So what about this library...?
//!
//! Creating a `Checked*` newtype for every type that needs checked would be a lot of boilerplate,
//! and there are many ways to skin this cat, so to speak. `check_mate` exists to offer a consistent
//! pattern, with minimal boilerplate.
//!
//! # How to use
//!
//! Let's start again from our original `Signed` struct above:
//!
//! ```
//! # struct PublicKey;
//! # struct Signature;
//! struct Signed {
//!     payload: Vec<u8>,
//!     public_key: PublicKey,
//!     signature: Signature,
//! }
//! ```
//!
//! We can use `check_mate` to achieve the same guarantees as `CheckedSigned` by implementing
//! [`Check`]:
//!
//! ```
//! # struct PublicKey;
//! # impl PublicKey {
//! #     fn verify(&self, payload: &[u8], signature: &Signature) -> Result<(), Error> {
//! #         todo!()
//! #     }
//! # }
//! # struct Signature;
//! # type Error = ();
//! # struct Signed {
//! #     payload: Vec<u8>,
//! #     public_key: PublicKey,
//! #     signature: Signature,
//! # }
//! impl check_mate::Check for Signed {
//!     type Ok = Self;
//!     type Err = Error;
//!
//!     fn check(self) -> Result<Self::Ok, Self::Err> {
//!         self.public_key.verify(&self.payload, &self.signature)?;
//!         Ok(self)
//!     }
//! }
//! ```
//!
//! Now we can obtain a [`Checked`]`<Signed>` using [`try_from`](Checked::try_from):
//!
//! ```no_run
//! # struct PublicKey;
//! # impl PublicKey {
//! #     fn verify(&self, payload: &[u8], signature: &Signature) -> Result<(), Error> {
//! #         todo!()
//! #     }
//! # }
//! # struct Signature;
//! # type Error = ();
//! # struct Signed {
//! #     payload: Vec<u8>,
//! #     public_key: PublicKey,
//! #     signature: Signature,
//! # }
//! # impl check_mate::Check for Signed {
//! #     type Ok = Self;
//! #     type Err = Error;
//! #
//! #     fn check(self) -> Result<Self::Ok, Self::Err> {
//! #         self.public_key.verify(&self.payload, &self.signature)?;
//! #         Ok(self)
//! #     }
//! # }
//! # let signed: Signed = todo!();
//! let _ = check_mate::Checked::try_from(signed);
//! ```
//!
//! `Checked<T>` implements `Deref<Target = T>`, and can be converted back to the inner value with
//! [`into_inner`](Checked::into_inner).
//!
//! With the `serde` feature enabled, `Checked<T>` will also implement `Serialize` if
//! `T: Serialize`, and `Deserialize` if `T: Deserialize` **and** there's a `Check<Ok = T>` impl to
//! use for the check (unconstrained type parameter limitations prevent a blanket `Deserialize` impl
//! for any `U: Check<Ok = T>` – it must be `T` itself).
//!
//! # When (not) to use this
//!
//! It's hoped that `check_mate` will be useful for getting started with this 'parsing' style of
//! maintaining invariants, and for internal APIs where churn is likely, so reducing the amount of
//! code involved is desired.
//!
//! However, `Checked<T>` can't be as ergonomic or featureful as a custom checked type could. For
//! example, if it's known that some fields don't affect validity they could be made public, or
//! methods that don't affect validity could take `&mut self`. Neither of these are possible with
//! `Checked<T>` since the inner value is only exposed immutably.
//!
//! It may also be unsuitable when you want a great deal of customisation over how validation is
//! performed. This *could* be achieved either by including configuration in the type that
//! implements `Check`, or otherwise by implementing `Check` on wrappers that can tailor the
//! behaviour, but it would likely be a bit clunky to use.
//!
//! Finally, as discussed in "Names are not type safety", it's always preferable to design types
//! that simply cannot represent invalid states, though it may not always be possible.
//!
//! # What's next?
//!
//! I want to try and use this to get a sense of whether or not it's actually useful, and what the
//! pain points are. Some things I could imagine adding:
//!
//! - Implement additional common traits (`AsRef<T>`, `Borrow<T>`).
//! - Implement additional common indirection methods (`as_deref`, `cloned`).

#![warn(clippy::pedantic)]
#![cfg_attr(not(test), no_std)]

/// A checked value.
///
/// The wrapped value is guaranteed to be valid with respect to its implementation of [`Check`].
#[derive(Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[cfg_attr(feature = "serde", derive(serde::Serialize))]
#[cfg_attr(feature = "serde", serde(transparent))]
pub struct Checked<T>(T);

impl<T> Checked<T> {
    /// Check a value.
    ///
    /// # Errors
    ///
    /// This will return the error from [`Check::check`] verbatim if the check fails.
    pub fn try_from<U: Check<Ok = T>>(value: U) -> Result<Self, U::Err> {
        value.check().map(Checked)
    }
}

impl<T: Check<Err = core::convert::Infallible>> Checked<T> {
    /// Construct a checked value.
    ///
    /// Rather than generating a value known to be valid, then having to check it, this can be used
    /// to immediately construct a valid value, so long as the [`Check`] implementation doesn't
    /// fail.
    pub fn from(value: T) -> Checked<T::Ok> {
        value.check().map(Checked).expect("infallible")
    }
}

impl<T> Checked<T> {
    /// Retrieve the inner value, dropping the 'proof' that it was checked.
    pub fn into_inner(self) -> T {
        self.0
    }
}

impl<T> core::ops::Deref for Checked<T> {
    type Target = T;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

#[cfg(feature = "serde")]
impl<'de, T> serde::Deserialize<'de> for Checked<T>
where
    T: serde::Deserialize<'de> + Check<Ok = T>,
    T::Err: core::fmt::Display,
{
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
    where
        D: serde::Deserializer<'de>,
    {
        use serde::de::Error;

        let value = T::deserialize(deserializer)?;
        Self::try_from(value).map_err(D::Error::custom)
    }
}

/// Checked values.
pub trait Check {
    /// The value returned when the check passes.
    ///
    /// This will often be `Self`, but it's specified as an associated type to allow for information
    /// to be lost from the checked value.
    type Ok;

    /// The error returned when the check fails.
    type Err;

    /// Check `self`.
    ///
    /// # Errors
    ///
    /// If `self` is valid this should return `Ok(Self::Ok)`, and otherwise `Err(Self::Err)`.
    fn check(self) -> Result<Self::Ok, Self::Err>;
}

#[cfg(test)]
mod tests {
    #[derive(Debug, PartialEq)]
    #[cfg_attr(feature = "serde", derive(serde::Deserialize, serde::Serialize))]
    struct LessThan10(usize);

    impl Check for LessThan10 {
        type Ok = Self;
        type Err = &'static str;

        fn check(self) -> Result<Self::Ok, Self::Err> {
            if self.0 < 10 {
                Ok(self)
            } else {
                Err("too big")
            }
        }
    }

    struct GenLessThan10;

    impl Check for GenLessThan10 {
        type Ok = LessThan10;
        type Err = core::convert::Infallible;

        fn check(self) -> Result<Self::Ok, Self::Err> {
            Ok(LessThan10(3))
        }
    }

    use super::{Check, Checked};

    #[test]
    fn try_from() {
        assert_eq!(
            Checked::try_from(LessThan10(9)).as_deref(),
            Ok(&LessThan10(9))
        );

        assert_eq!(
            Checked::try_from(LessThan10(11)).as_deref(),
            Err(&"too big")
        );
    }

    #[test]
    fn from() {
        assert_eq!(&*Checked::from(GenLessThan10), &LessThan10(3));
    }

    #[cfg(feature = "serde")]
    #[test]
    fn deserialize() {
        assert_eq!(
            serde_json::from_str::<Checked<LessThan10>>("3")
                .ok()
                .as_deref(),
            Some(&LessThan10(3))
        );

        assert_eq!(
            serde_json::from_str::<Checked<LessThan10>>("10")
                .err()
                .map(|error| error.to_string()),
            Some("too big".to_string())
        );
    }

    #[cfg(feature = "serde")]
    #[test]
    fn serialize() {
        assert_eq!(
            serde_json::to_string(&Checked::from(GenLessThan10)).unwrap(),
            serde_json::to_string(&LessThan10(3)).unwrap()
        );
    }
}