epics-ca-rs 0.16.2

EPICS Channel Access protocol client and server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

//! Round 44 — CA-side type-state ACF gate.
//!
//! The CA `tcp.rs` handles every wire op (READ / WRITE / EVENT_ADD /
//! PUT_ACKT) as an inline arm of a single `match hdr.cmmd { … }`.
//! Pre-Round 44, each arm had to *remember* to look up the cached
//! [`epics_base_rs::server::access_security::AccessLevel`] in
//! `state.channel_access` and compare it against the op's
//! requirement — five separate rounds of self-review (rounds 38, 39)
//! caught arms that forgot to do this for READ, EVENT_ADD, and
//! PUT_ACKT.
//!
//! This module introduces a type-state layer mirroring the PVA
//! `AccessChecked` invariant from rounds 40-43:
//!
//! * [`CaAccessChecked`] wraps the cached level. Its only public
//!   surface is `require_read` / `require_write` — direct access to
//!   the underlying [`AccessLevel`] is sealed.
//! * [`ReadGranted`] / [`WriteGranted`] are zero-sized witness types
//!   produced by those methods. Op handlers that take one as a
//!   parameter (today via the `let _ = …?` shape) cannot compile
//!   without it.
//! * [`AccessDenied`] carries the appropriate ECA error code so the
//!   caller's `?` propagation lands on the matching wire reply
//!   (`ECA_NORDACCESS` for READ-class ops, `ECA_NOWTACCESS` for
//!   WRITE-class).
//!
//! A new wire op that forgets to consult `CaAccessChecked` would
//! still compile (the match arms aren't separate functions), but the
//! convention is now "every op opens with
//! `state.lookup_access(sid).require_<read|write>()?`" — a single
//! shape that's grep-auditable and visually consistent across all
//! arms. The Round 43 PVA refactor that *was* trait-driven made
//! "forgetting" a compile error; this CA shape requires the author
//! to actively bypass the helper.

use epics_base_rs::server::access_security::AccessLevel;

use crate::protocol::{ECA_NORDACCESS, ECA_NOWTACCESS};

/// Opaque proof that an access-level lookup has been performed for
/// a CA channel (SID). Construction is via
/// [`crate::server::tcp::ClientState::lookup_access`] only; the
/// private `_seal` field blocks external struct-literal builds.
#[derive(Debug, Clone, Copy)]
pub struct CaAccessChecked {
    level: AccessLevel,
    _seal: AccessSeal,
}

#[derive(Debug, Clone, Copy)]
struct AccessSeal;

/// Witness type returned by [`CaAccessChecked::require_read`]. Op
/// handlers may bind one (`let _read = …?`) at function entry; the
/// existence of the binding documents that the check fired.
#[derive(Debug, Clone, Copy)]
pub struct ReadGranted {
    _seal: AccessSeal,
}

/// Witness type returned by [`CaAccessChecked::require_write`].
#[derive(Debug, Clone, Copy)]
pub struct WriteGranted {
    _seal: AccessSeal,
}

/// Denial reason carrying the matching ECA wire code. Op handlers
/// usually map this with `?` after sending the appropriate CA error
/// frame.
#[derive(Debug, Clone, Copy)]
pub enum AccessDenied {
    /// Channel lacks READ — surfaces as `ECA_NORDACCESS`.
    NoRead,
    /// Channel lacks WRITE — surfaces as `ECA_NOWTACCESS`.
    NoWrite,
}

impl AccessDenied {
    /// Wire-level ECA status code for this denial.
    pub fn eca_code(&self) -> u32 {
        match self {
            AccessDenied::NoRead => ECA_NORDACCESS,
            AccessDenied::NoWrite => ECA_NOWTACCESS,
        }
    }
}

impl CaAccessChecked {
    /// Construct from a cached level. Crate-internal — the wire
    /// dispatcher in `tcp.rs` is the only place that mints these
    /// (via `ClientState::lookup_access`). External callers cannot
    /// produce a `CaAccessChecked` and therefore cannot fabricate
    /// `ReadGranted` / `WriteGranted` witnesses.
    pub(crate) fn from_level(level: AccessLevel) -> Self {
        Self {
            level,
            _seal: AccessSeal,
        }
    }

    /// "Denied" token used when no channel_access cache entry
    /// exists. Surfaces NoRead / NoWrite on require_*.
    pub(crate) fn denied() -> Self {
        Self::from_level(AccessLevel::NoAccess)
    }

    /// Returns `Ok(ReadGranted)` iff the level grants at least
    /// READ; else `Err(NoRead)` carrying `ECA_NORDACCESS`.
    pub fn require_read(&self) -> Result<ReadGranted, AccessDenied> {
        if matches!(self.level, AccessLevel::NoAccess) {
            Err(AccessDenied::NoRead)
        } else {
            Ok(ReadGranted { _seal: AccessSeal })
        }
    }

    /// Returns `Ok(WriteGranted)` iff the level is `ReadWrite`;
    /// else `Err(NoWrite)` carrying `ECA_NOWTACCESS`.
    pub fn require_write(&self) -> Result<WriteGranted, AccessDenied> {
        if matches!(self.level, AccessLevel::ReadWrite) {
            Ok(WriteGranted { _seal: AccessSeal })
        } else {
            Err(AccessDenied::NoWrite)
        }
    }

    /// Raw level — exposed for diagnostics (compute_access wire
    /// frame builder needs the integer mask 0/1/3). Should NOT be
    /// used as a substitute for `require_*` in op handlers.
    pub fn level(&self) -> AccessLevel {
        self.level
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn no_access_denies_read_and_write() {
        let c = CaAccessChecked::from_level(AccessLevel::NoAccess);
        assert!(matches!(c.require_read(), Err(AccessDenied::NoRead)));
        assert!(matches!(c.require_write(), Err(AccessDenied::NoWrite)));
    }

    #[test]
    fn read_grants_read_denies_write() {
        let c = CaAccessChecked::from_level(AccessLevel::Read);
        assert!(c.require_read().is_ok());
        assert!(matches!(c.require_write(), Err(AccessDenied::NoWrite)));
    }

    #[test]
    fn read_write_grants_both() {
        let c = CaAccessChecked::from_level(AccessLevel::ReadWrite);
        assert!(c.require_read().is_ok());
        assert!(c.require_write().is_ok());
    }

    #[test]
    fn denied_helper_returns_no_access_token() {
        let c = CaAccessChecked::denied();
        assert!(matches!(c.require_read(), Err(AccessDenied::NoRead)));
        assert!(matches!(c.require_write(), Err(AccessDenied::NoWrite)));
    }

    #[test]
    fn eca_codes_match_wire_constants() {
        assert_eq!(AccessDenied::NoRead.eca_code(), ECA_NORDACCESS);
        assert_eq!(AccessDenied::NoWrite.eca_code(), ECA_NOWTACCESS);
    }
}