osproxy-spi 1.0.0

Public SPI traits implementers provide. Depends only on osproxy-core.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

//! The error type an SPI implementation returns.
//!
//! Every variant maps to a stable [`ErrorCode`] and carries shape-only context
//! (which sources were tried, which partition id) so a failure is diagnosable
//! from telemetry without reading source (NFR-T5, `docs/02` §4). It never
//! carries tenant *values*.

use osproxy_core::{ErrorCode, PartitionId};
use thiserror::Error;

use crate::rules::PartitionKeySpecKind;

/// A failure returned by [`RoutingSpi`] or [`TenancySpi`].
///
/// [`RoutingSpi`]: crate::RoutingSpi
/// [`TenancySpi`]: crate::TenancySpi
///
/// # Examples
///
/// ```
/// use osproxy_spi::SpiError;
/// use osproxy_spi::core::ErrorCode;
///
/// let err = SpiError::PlacementBackend { retryable: true };
/// assert_eq!(err.code(), ErrorCode::PlacementBackendUnavailable);
/// assert!(err.retryable());
/// ```
#[non_exhaustive]
#[derive(Debug, Error)]
pub enum SpiError {
    /// The partition could not be resolved from the request. Reports which
    /// source kinds were attempted (shape only).
    #[error("partition could not be resolved (tried: {tried:?})")]
    PartitionUnresolved {
        /// The source kinds tried, in order, before giving up.
        tried: Vec<PartitionKeySpecKind>,
    },

    /// No placement exists for the resolved partition.
    #[error("no placement exists for partition")]
    PlacementMissing {
        /// The unresolved partition (an id, safe in telemetry).
        partition: PartitionId,
    },

    /// The placement-lookup backend was unavailable.
    #[error("placement lookup backend unavailable (retryable={retryable})")]
    PlacementBackend {
        /// Whether the caller may retry the lookup.
        retryable: bool,
    },

    /// The request endpoint is not supported for tenancy rewriting in this mode.
    #[error("endpoint not supported for tenancy rewrite")]
    UnsupportedEndpoint {
        /// The endpoint classification that was rejected.
        endpoint: osproxy_core::EndpointKind,
    },

    /// An injected field draws its value from a principal attribute that the
    /// authenticated principal does not carry. A configuration/identity
    /// mismatch, surfaced as a routing failure rather than silently injecting a
    /// null (which would corrupt isolation).
    #[error("principal is missing an attribute required by an injected field")]
    PrincipalAttrMissing {
        /// The missing attribute name.
        attr: String,
    },

    /// An injected field draws its value from a request header the request does
    /// not carry. Surfaced as a routing failure rather than injecting a null.
    #[error("request is missing a header required by an injected field")]
    HeaderMissing {
        /// The missing header name.
        header: String,
    },

    /// A `SharedIndex` placement was configured with a doc-id rule that does not
    /// include the partition id, which would allow cross-tenant id collisions
    /// (`docs/03`). A configuration error, surfaced as a routing failure.
    #[error("shared-index doc-id rule must reference the partition id")]
    IdRuleMissingPartition,
}

impl SpiError {
    /// The stable [`ErrorCode`] for this failure, for trace attributes and
    /// `/debug/explain`.
    #[must_use]
    pub fn code(&self) -> ErrorCode {
        match self {
            Self::PartitionUnresolved { .. } => ErrorCode::PartitionUnresolved,
            Self::PlacementMissing { .. } => ErrorCode::PlacementMissing,
            Self::PlacementBackend { .. } => ErrorCode::PlacementBackendUnavailable,
            // IdRuleMissingPartition is a misconfiguration that prevents safe
            // routing; reuse the unsupported-endpoint contract code until a
            // dedicated config code is added (additive, see docs/08 §7).
            Self::UnsupportedEndpoint { .. }
            | Self::IdRuleMissingPartition
            | Self::PrincipalAttrMissing { .. }
            | Self::HeaderMissing { .. } => ErrorCode::UnsupportedEndpoint,
        }
    }

    /// Whether the caller may retry, possibly after re-resolving placement.
    #[must_use]
    pub fn retryable(&self) -> bool {
        matches!(self, Self::PlacementBackend { retryable: true })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn codes_map_to_core_taxonomy() {
        assert_eq!(
            SpiError::PartitionUnresolved { tried: vec![] }.code(),
            ErrorCode::PartitionUnresolved
        );
        assert_eq!(
            SpiError::PlacementMissing {
                partition: PartitionId::from("p")
            }
            .code(),
            ErrorCode::PlacementMissing
        );
    }

    #[test]
    fn only_backend_unavailable_is_retryable() {
        assert!(SpiError::PlacementBackend { retryable: true }.retryable());
        assert!(!SpiError::PlacementBackend { retryable: false }.retryable());
        assert!(!SpiError::PlacementMissing {
            partition: PartitionId::from("p")
        }
        .retryable());
    }
}