greentic-deploy-spec 0.1.27231730823

Greentic deployment object-model schemas (Environment, Revision, TrafficSplit, BundleDeployment, Credentials, PackConfig, RuntimeConfig)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356

//! URI-shaped reference newtypes.
//!
//! - [`SecretRef`] wraps a `secret://<env>/<...>` URI. The runtime resolves the
//!   reference through the env's secrets env-pack; the actual material never
//!   appears in the deployment object model.
//! - [`RuntimeRef`] wraps a `runtime://<env>/discovered/<...>` URI. Values are
//!   resolved through [`EnvironmentRuntime::discovered`](crate::EnvironmentRuntime).
//! - [`ExtensionRef`] wraps an `ext://<descriptor-path>[/<instance>]` URI. It
//!   carries **no env segment** (the env is implicit in the resolving
//!   workload's context) and resolves through
//!   [`Environment::extension_for_ref`](crate::Environment::extension_for_ref)
//!   to the bound [`ExtensionBinding`](crate::ExtensionBinding).

use crate::capability_slot::descriptor_path_char_ok;
use serde::{Deserialize, Serialize};
use std::fmt;
use std::str::FromStr;
use thiserror::Error;

const SECRET_SCHEME: &str = "secret://";
const RUNTIME_SCHEME: &str = "runtime://";
const EXTENSION_SCHEME: &str = "ext://";

macro_rules! uri_ref {
    ($(#[$meta:meta])* $name:ident, $err:ident, $scheme:expr) => {
        $(#[$meta])*
        #[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
        #[serde(try_from = "String", into = "String")]
        pub struct $name(String);

        impl $name {
            pub fn try_new(raw: impl Into<String>) -> Result<Self, $err> {
                let raw = raw.into();
                if !raw.starts_with($scheme) {
                    return Err($err::MissingScheme);
                }
                if raw.len() == $scheme.len() {
                    return Err($err::EmptyPath);
                }
                // First segment after the scheme is the env identifier; refs
                // are documented as `<scheme>://<env>/<path...>`. The env
                // segment must be present and non-empty so callers can scope
                // a ref to its owning environment.
                let after_scheme = &raw[$scheme.len()..];
                let env_seg = match after_scheme.find('/') {
                    Some(idx) => &after_scheme[..idx],
                    None => after_scheme,
                };
                if env_seg.is_empty() {
                    return Err($err::EmptyEnvSegment);
                }
                Ok(Self(raw))
            }

            pub fn as_str(&self) -> &str {
                &self.0
            }

            /// First path segment after the scheme — the env id the ref is
            /// scoped to. Returns `None` if the ref was constructed by a
            /// future version of this crate that bypassed [`Self::try_new`]
            /// (current invariant: `Self::try_new` always populates this).
            pub fn env_segment(&self) -> &str {
                let after_scheme = &self.0[$scheme.len()..];
                match after_scheme.find('/') {
                    Some(idx) => &after_scheme[..idx],
                    None => after_scheme,
                }
            }
        }

        impl fmt::Display for $name {
            fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
                f.write_str(&self.0)
            }
        }

        impl FromStr for $name {
            type Err = $err;

            fn from_str(s: &str) -> Result<Self, Self::Err> {
                Self::try_new(s)
            }
        }

        impl TryFrom<String> for $name {
            type Error = $err;

            fn try_from(value: String) -> Result<Self, Self::Error> {
                Self::try_new(value)
            }
        }

        impl From<$name> for String {
            fn from(value: $name) -> Self {
                value.0
            }
        }
    };
}

uri_ref!(
    /// Reference into the env's secrets env-pack: `secret://<env>/<path>`.
    SecretRef, SecretRefParseError, SECRET_SCHEME
);

uri_ref!(
    /// Reference into [`EnvironmentRuntime::discovered`](crate::EnvironmentRuntime):
    /// `runtime://<env>/discovered/<path>`.
    RuntimeRef, RuntimeRefParseError, RUNTIME_SCHEME
);

/// Charset permitted in an [`ExtensionRef`] / [`ExtensionBinding`](crate::ExtensionBinding)
/// instance id: ASCII lowercase, digits, `-`. Notably excludes `.` and `/` so
/// an instance id can never be confused with a descriptor path segment or
/// inject a second `ext://` path component.
pub(crate) fn instance_id_char_ok(ch: char) -> bool {
    ch.is_ascii_lowercase() || ch.is_ascii_digit() || ch == '-'
}

/// Reference to an env extension binding: `ext://<descriptor-path>[/<instance>]`.
///
/// Unlike [`SecretRef`] / [`RuntimeRef`], an extension ref carries **no env
/// segment** — extensions are resolved within the already-known env context of
/// the workload that names them. `<descriptor-path>` is a
/// [`PackDescriptor`](crate::PackDescriptor) path (version-independent — the
/// binding owns the concrete version); the optional `<instance>` selects one of
/// N instances of the same extension type. Lookup is by `(path, instance_id)`
/// against [`Environment::extensions`](crate::Environment), the same key its
/// uniqueness invariant enforces.
#[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(try_from = "String", into = "String")]
pub struct ExtensionRef {
    raw: String,
    path: String,
    instance_id: Option<String>,
}

impl ExtensionRef {
    pub fn try_new(raw: impl Into<String>) -> Result<Self, ExtensionRefParseError> {
        let raw = raw.into();
        let body = raw
            .strip_prefix(EXTENSION_SCHEME)
            .ok_or(ExtensionRefParseError::MissingScheme)?;
        // Split on the FIRST `/` only: everything before is the descriptor
        // path, everything after is the instance id. A second `/` therefore
        // lands inside the instance id and is rejected by its charset, so an
        // extension ref is always exactly two segments.
        let (path, instance) = match body.split_once('/') {
            Some((p, inst)) => (p, Some(inst)),
            None => (body, None),
        };
        if path.is_empty() {
            return Err(ExtensionRefParseError::EmptyPath);
        }
        if !path.contains('.') {
            return Err(ExtensionRefParseError::PathMissingDot);
        }
        if let Some(ch) = path.chars().find(|c| !descriptor_path_char_ok(*c)) {
            return Err(ExtensionRefParseError::InvalidPathChar(ch));
        }
        // Own everything borrowed from `raw` before moving `raw` into `Self`.
        let path = path.to_string();
        let instance_id = instance
            .map(|inst| validate_instance_id(inst).map(str::to_string))
            .transpose()?;
        Ok(Self {
            raw,
            path,
            instance_id,
        })
    }

    pub fn as_str(&self) -> &str {
        &self.raw
    }

    /// Version-independent descriptor path the ref selects.
    pub fn path(&self) -> &str {
        &self.path
    }

    /// Instance selector, or `None` for the default (unnamed) instance.
    pub fn instance_id(&self) -> Option<&str> {
        self.instance_id.as_deref()
    }
}

/// Validate an extension instance id against [`instance_id_char_ok`], returning
/// it unchanged on success. Shared by [`ExtensionRef`] parsing and
/// [`ExtensionBinding`](crate::ExtensionBinding) validation so a stored binding
/// and a ref that selects it agree on the legal charset.
pub(crate) fn validate_instance_id(inst: &str) -> Result<&str, ExtensionRefParseError> {
    if inst.is_empty() {
        return Err(ExtensionRefParseError::EmptyInstance);
    }
    if let Some(ch) = inst.chars().find(|c| !instance_id_char_ok(*c)) {
        return Err(ExtensionRefParseError::InvalidInstanceChar(ch));
    }
    Ok(inst)
}

impl fmt::Display for ExtensionRef {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.raw)
    }
}

impl FromStr for ExtensionRef {
    type Err = ExtensionRefParseError;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Self::try_new(s)
    }
}

impl TryFrom<String> for ExtensionRef {
    type Error = ExtensionRefParseError;

    fn try_from(value: String) -> Result<Self, Self::Error> {
        Self::try_new(value)
    }
}

impl From<ExtensionRef> for String {
    fn from(value: ExtensionRef) -> Self {
        value.raw
    }
}

#[derive(Debug, Error, PartialEq, Eq)]
pub enum ExtensionRefParseError {
    #[error("extension-ref must start with `ext://`")]
    MissingScheme,
    #[error("extension-ref path is empty")]
    EmptyPath,
    #[error("extension-ref path must contain at least one `.`")]
    PathMissingDot,
    #[error("extension-ref path contains invalid character `{0}`")]
    InvalidPathChar(char),
    #[error("extension-ref instance id is empty")]
    EmptyInstance,
    #[error("extension-ref instance id contains invalid character `{0}`")]
    InvalidInstanceChar(char),
}

#[derive(Debug, Error, PartialEq, Eq)]
pub enum SecretRefParseError {
    #[error("secret-ref must start with `secret://`")]
    MissingScheme,
    #[error("secret-ref path is empty")]
    EmptyPath,
    #[error("secret-ref must carry an env segment: `secret://<env>/<path>`")]
    EmptyEnvSegment,
}

#[derive(Debug, Error, PartialEq, Eq)]
pub enum RuntimeRefParseError {
    #[error("runtime-ref must start with `runtime://`")]
    MissingScheme,
    #[error("runtime-ref path is empty")]
    EmptyPath,
    #[error("runtime-ref must carry an env segment: `runtime://<env>/<path>`")]
    EmptyEnvSegment,
}

#[cfg(test)]
mod extension_ref_tests {
    use super::*;

    #[test]
    fn parses_path_only() {
        let r = ExtensionRef::try_new("ext://acme.oauth.auth0").unwrap();
        assert_eq!(r.path(), "acme.oauth.auth0");
        assert_eq!(r.instance_id(), None);
        assert_eq!(r.as_str(), "ext://acme.oauth.auth0");
    }

    #[test]
    fn parses_path_with_instance() {
        let r = ExtensionRef::try_new("ext://acme.oauth.auth0/primary").unwrap();
        assert_eq!(r.path(), "acme.oauth.auth0");
        assert_eq!(r.instance_id(), Some("primary"));
    }

    #[test]
    fn rejects_missing_scheme() {
        assert_eq!(
            ExtensionRef::try_new("acme.oauth.auth0").unwrap_err(),
            ExtensionRefParseError::MissingScheme
        );
    }

    #[test]
    fn rejects_empty_path() {
        assert_eq!(
            ExtensionRef::try_new("ext://").unwrap_err(),
            ExtensionRefParseError::EmptyPath
        );
        assert_eq!(
            ExtensionRef::try_new("ext:///primary").unwrap_err(),
            ExtensionRefParseError::EmptyPath
        );
    }

    #[test]
    fn rejects_path_without_dot() {
        assert_eq!(
            ExtensionRef::try_new("ext://oauth").unwrap_err(),
            ExtensionRefParseError::PathMissingDot
        );
    }

    #[test]
    fn rejects_invalid_path_char() {
        assert_eq!(
            ExtensionRef::try_new("ext://Acme.Oauth").unwrap_err(),
            ExtensionRefParseError::InvalidPathChar('A')
        );
    }

    #[test]
    fn rejects_empty_instance() {
        assert_eq!(
            ExtensionRef::try_new("ext://acme.oauth/").unwrap_err(),
            ExtensionRefParseError::EmptyInstance
        );
    }

    #[test]
    fn rejects_second_path_segment_via_instance_charset() {
        // A second `/` lands inside the instance id and is rejected — an
        // extension ref is always exactly two segments.
        assert_eq!(
            ExtensionRef::try_new("ext://acme.oauth/inst/extra").unwrap_err(),
            ExtensionRefParseError::InvalidInstanceChar('/')
        );
    }

    #[test]
    fn rejects_dot_in_instance() {
        assert_eq!(
            ExtensionRef::try_new("ext://acme.oauth/inst.bad").unwrap_err(),
            ExtensionRefParseError::InvalidInstanceChar('.')
        );
    }

    #[test]
    fn serde_round_trips_through_string() {
        let r = ExtensionRef::try_new("ext://acme.oauth.auth0/primary").unwrap();
        let json = serde_json::to_string(&r).unwrap();
        assert_eq!(json, "\"ext://acme.oauth.auth0/primary\"");
        let back: ExtensionRef = serde_json::from_str(&json).unwrap();
        assert_eq!(back, r);
    }
}