osproxy-core 1.0.0

Core data model, identifier newtypes, and error taxonomy for osproxy. No I/O.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

//! Strongly-typed identifier newtypes.
//!
//! Bare `String`/`u64` identifiers must never cross an API boundary: they are
//! trivially mixed up and they make traces ambiguous. Every identifier in the
//! system is a distinct type so the compiler catches misuse and so telemetry
//! can label each value precisely (`docs/08` §7, `docs/05`).

use std::fmt;

/// Defines a string-backed identifier newtype with `Display`, `From<String>`,
/// `From<&str>`, and an `as_str` accessor. Keeps each id a distinct type while
/// avoiding repetitive boilerplate.
macro_rules! string_id {
    ($(#[$meta:meta])* $name:ident) => {
        $(#[$meta])*
        #[derive(Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
        pub struct $name(String);

        impl $name {
            /// Borrows the underlying string.
            #[must_use]
            pub fn as_str(&self) -> &str {
                &self.0
            }

            /// Consumes the id, returning the owned string.
            #[must_use]
            pub fn into_string(self) -> String {
                self.0
            }
        }

        impl From<String> for $name {
            fn from(value: String) -> Self {
                Self(value)
            }
        }

        impl From<&str> for $name {
            fn from(value: &str) -> Self {
                Self(value.to_owned())
            }
        }

        impl fmt::Display for $name {
            fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
                f.write_str(&self.0)
            }
        }

        // Identifiers are safe to render in telemetry (they are ids, not
        // tenant *values*); a precise Debug aids the `/debug/explain` story.
        impl fmt::Debug for $name {
            fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
                write!(f, concat!(stringify!($name), "({:?})"), self.0)
            }
        }
    };
}

string_id! {
    /// The tenancy/placement unit. Everything routes by this (`docs/03` §1).
    PartitionId
}

string_id! {
    /// Identifies a physical OpenSearch cluster.
    ClusterId
}

string_id! {
    /// A concrete (physical) OpenSearch index name.
    IndexName
}

string_id! {
    /// The authenticated principal's stable id. Never the raw token (`docs/05`).
    PrincipalId
}

string_id! {
    /// Correlates all telemetry for a single request (`docs/05` §6).
    RequestId
}

string_id! {
    /// The name of a document field. Used both for fields the proxy injects on
    /// ingest and the fields it strips on read, so the two stay symmetric
    /// (`docs/02` §2, `docs/03`). A name, never a value, safe in telemetry.
    FieldName
}

/// The placement-table generation a routing decision was resolved against.
///
/// Monotonically increasing. Stamped on every routed write so the sink can
/// reject a stale-epoch write for a migrating partition (`docs/06` §2).
#[derive(Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord, Debug)]
pub struct Epoch(u64);

impl Epoch {
    /// The initial epoch.
    pub const ZERO: Self = Self(0);

    /// Constructs an epoch from a raw generation number.
    #[must_use]
    pub fn new(generation: u64) -> Self {
        Self(generation)
    }

    /// Returns the raw generation number.
    #[must_use]
    pub fn get(self) -> u64 {
        self.0
    }

    /// Returns the next epoch. Saturates at `u64::MAX` rather than wrapping, so
    /// monotonicity (relied on by migration cutover, `docs/06` INV-M2) can
    /// never be violated by overflow.
    #[must_use]
    pub fn next(self) -> Self {
        Self(self.0.saturating_add(1))
    }
}

impl fmt::Display for Epoch {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.0)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn string_id_roundtrips_through_str_and_string() {
        let from_str = PartitionId::from("tenant-7");
        let from_string = PartitionId::from("tenant-7".to_owned());
        assert_eq!(from_str, from_string);
        assert_eq!(from_str.as_str(), "tenant-7");
        assert_eq!(from_str.clone().into_string(), "tenant-7");
    }

    #[test]
    fn distinct_id_types_do_not_compare_but_display_plainly() {
        let cluster = ClusterId::from("eu-1");
        assert_eq!(cluster.to_string(), "eu-1");
        // Debug is labelled so traces are unambiguous.
        assert_eq!(format!("{cluster:?}"), r#"ClusterId("eu-1")"#);
    }

    #[test]
    fn epoch_is_monotonic_and_saturates() {
        assert_eq!(Epoch::ZERO.get(), 0);
        assert_eq!(Epoch::ZERO.next(), Epoch::new(1));
        assert!(Epoch::new(1) > Epoch::ZERO);
        assert_eq!(Epoch::new(u64::MAX).next(), Epoch::new(u64::MAX));
        // Display renders the bare generation number (used in trace attributes).
        assert_eq!(Epoch::new(42).to_string(), "42");
    }
}