osproxy-spi 1.0.0

Public SPI traits implementers provide. Depends only on osproxy-core.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315

//! Declarative tenancy rules an implementer provides through [`TenancySpi`].
//!
//! These types are pure data: how to find the partition id, how to build the
//! document `_id`, which fields to inject, and which to treat as sensitive. The
//! [`crate::TenancySpi`] returns them; `osproxy-tenancy` interprets them. The
//! interpretation is symmetric, a field injected on ingest is stripped on read
//! (`docs/02` §2, `docs/03`).
//!
//! [`TenancySpi`]: crate::TenancySpi

use osproxy_core::FieldName;
use serde_json::Value as JsonValue;

/// A dotted path into a JSON document, e.g. `tenant_id` or `meta.tenant`.
///
/// A deliberately small subset of JSONPath: a sequence of object keys. It does
/// not support array indexing or wildcards in M1, the partition key is a
/// scalar field on the document root or a nested object. The supported grammar
/// is version-tracked in `docs/specs/opensearch-endpoints.md`.
///
/// # Examples
///
/// ```
/// use osproxy_spi::JsonPath;
///
/// let p = JsonPath::new("meta.tenant");
/// assert_eq!(p.segments().collect::<Vec<_>>(), ["meta", "tenant"]);
/// ```
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct JsonPath(String);

impl JsonPath {
    /// Constructs a path from a dotted string.
    pub fn new(path: impl Into<String>) -> Self {
        Self(path.into())
    }

    /// The dotted path as written.
    #[must_use]
    pub fn as_str(&self) -> &str {
        &self.0
    }

    /// Iterates the path's object-key segments in order.
    pub fn segments(&self) -> impl Iterator<Item = &str> {
        self.0.split('.')
    }
}

/// How to find the partition id in a request.
///
/// Not `#[non_exhaustive]`: the resolver must handle every source kind, so a new
/// source should force the resolver to be updated rather than silently fail to
/// resolve.
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum PartitionKeySpec {
    /// A JSON path into the document body (ingest path).
    BodyField(JsonPath),
    /// A request header carries it (e.g. set by an upstream auth gateway).
    Header(String),
    /// Derived from a [`crate::Principal`] attribute of this name.
    PrincipalAttr(String),
    /// Try each in order until one resolves.
    AnyOf(Vec<PartitionKeySpec>),
}

/// The kind tag of a [`PartitionKeySpec`], without its payload.
///
/// Returned in [`crate::SpiError::PartitionUnresolved`] to report *which*
/// sources were tried, as shape-only telemetry (never the values looked for).
#[non_exhaustive]
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum PartitionKeySpecKind {
    /// Corresponds to [`PartitionKeySpec::BodyField`].
    BodyField,
    /// Corresponds to [`PartitionKeySpec::Header`].
    Header,
    /// Corresponds to [`PartitionKeySpec::PrincipalAttr`].
    PrincipalAttr,
}

/// Rule to construct a document `_id`.
///
/// In `SharedIndex` placement the partition id MUST appear in the template so
/// ids cannot collide across tenants sharing one physical index (`docs/03`).
/// `osproxy-tenancy` enforces this.
///
/// # Examples
///
/// ```
/// use osproxy_spi::{DocIdRule, IdTemplate};
///
/// let rule = DocIdRule::new(IdTemplate::new("{partition}:{body.order_id}"))
///     .with_routing(true);
/// assert!(rule.set_routing);
/// assert!(rule.template.references_partition());
/// ```
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct DocIdRule {
    /// The id template, e.g. `{partition}:{body.natural_key}`.
    pub template: IdTemplate,
    /// Also set OpenSearch `_routing` to the partition id, so the document
    /// lands on a deterministic shard for the partition.
    pub set_routing: bool,
}

impl DocIdRule {
    /// Constructs a rule from a template, with routing off.
    #[must_use]
    pub fn new(template: IdTemplate) -> Self {
        Self {
            template,
            set_routing: false,
        }
    }

    /// Sets `set_routing` (builder style).
    #[must_use]
    pub fn with_routing(mut self, set_routing: bool) -> Self {
        self.set_routing = set_routing;
        self
    }
}

/// A document-`_id` template with `{partition}` and `{body.<path>}` placeholders.
///
/// Interpretation lives in `osproxy-rewrite`; this is just the parsed-on-demand
/// source string. `{partition}` expands to the resolved partition id;
/// `{body.<path>}` expands to a scalar pulled from the document at `<path>`.
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct IdTemplate(String);

impl IdTemplate {
    /// Constructs a template from its source string.
    pub fn new(template: impl Into<String>) -> Self {
        Self(template.into())
    }

    /// The template source.
    #[must_use]
    pub fn as_str(&self) -> &str {
        &self.0
    }

    /// Whether the template references the partition id placeholder. Used to
    /// reject a `SharedIndex` rule that would allow cross-tenant id collisions.
    #[must_use]
    pub fn references_partition(&self) -> bool {
        self.0.contains("{partition}")
    }
}

/// A field the proxy injects into every ingested document (and strips on read).
///
/// The field *name* is chosen by the implementer (per the requirement that the
/// SPI decides injected field names). The value is computed per-document from
/// [`InjectedValue`].
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct InjectedField {
    /// The name of the field to inject.
    pub name: FieldName,
    /// How to compute the field's value.
    pub value: InjectedValue,
}

impl InjectedField {
    /// Constructs an injected field.
    #[must_use]
    pub fn new(name: FieldName, value: InjectedValue) -> Self {
        Self { name, value }
    }
}

/// How an [`InjectedField`]'s value is computed for a document.
///
/// Not `#[non_exhaustive]`: the proxy must resolve every value kind to inject a
/// concrete value, so a new kind should force the resolver to be updated.
#[derive(Clone, PartialEq, Eq, Debug)]
pub enum InjectedValue {
    /// The resolved partition id. This is the **isolation** value: the read path
    /// filters on it, so it must be deterministic (the partition), not
    /// context-derived. Exactly the fields whose value is `PartitionId` drive
    /// read isolation.
    PartitionId,
    /// A fixed JSON value, the same for every document.
    Constant(JsonValue),
    /// A named attribute of the authenticated principal, resolved per request.
    /// A *decorative* value: injected on write and stripped on read, never used
    /// as a read filter (its value can differ between the write and the read).
    FromPrincipal(String),
    /// A named request header, resolved per request. Decorative like
    /// [`InjectedValue::FromPrincipal`]: injected and stripped, never filtered.
    /// Lets injection be dynamic from request context (e.g. a `_region` field
    /// taken from an `x-region` header set by an upstream gateway).
    FromHeader(String),
}

/// Declares which document field *values* observability may capture.
///
/// Drives value-suppression so observability never leaks tenant values (NFR-S2).
/// The model is **deny-by-default (opt-out)**: every field is treated as
/// sensitive unless explicitly allow-listed as safe. A field added to your
/// documents tomorrow is protected automatically, you opt specific, known-safe
/// fields *out* of redaction rather than remembering to opt every risky one in.
///
/// Use [`SensitivitySpec::allowing`] to name the shape-only, non-tenant fields
/// that are safe to capture; [`SensitivitySpec::all_sensitive`] (the default)
/// redacts everything; [`SensitivitySpec::nothing_sensitive`] is the explicit
/// opt-out for data that carries no tenant values at all (e.g. test fixtures).
#[derive(Clone, PartialEq, Eq, Debug)]
pub struct SensitivitySpec {
    /// Fields explicitly safe to capture. Consulted only in deny-by-default mode.
    safe: Vec<FieldName>,
    /// When `true` (default), every field not in `safe` is sensitive. When
    /// `false`, nothing is sensitive (the explicit opt-out).
    deny_by_default: bool,
}

impl Default for SensitivitySpec {
    fn default() -> Self {
        Self::all_sensitive()
    }
}

impl SensitivitySpec {
    /// Deny by default: every field's value is sensitive. The safe default.
    #[must_use]
    pub fn all_sensitive() -> Self {
        Self {
            safe: Vec::new(),
            deny_by_default: true,
        }
    }

    /// Deny by default, except the `safe` fields (known shape-only / non-tenant
    /// values) which observability may capture.
    #[must_use]
    pub fn allowing(safe: Vec<FieldName>) -> Self {
        Self {
            safe,
            deny_by_default: true,
        }
    }

    /// Treat nothing as sensitive. An explicit opt-out for data that carries no
    /// tenant values (e.g. test fixtures); never appropriate for tenant payloads.
    #[must_use]
    pub fn nothing_sensitive() -> Self {
        Self {
            safe: Vec::new(),
            deny_by_default: false,
        }
    }

    /// Alias for [`SensitivitySpec::nothing_sensitive`].
    #[must_use]
    pub fn none() -> Self {
        Self::nothing_sensitive()
    }

    /// Whether `field`'s value is sensitive (deny-by-default: sensitive unless
    /// explicitly allow-listed as safe).
    #[must_use]
    pub fn is_sensitive(&self, field: &FieldName) -> bool {
        if self.deny_by_default {
            !self.safe.contains(field)
        } else {
            false
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn json_path_splits_into_segments() {
        assert_eq!(
            JsonPath::new("a.b.c").segments().collect::<Vec<_>>(),
            ["a", "b", "c"]
        );
        assert_eq!(
            JsonPath::new("flat").segments().collect::<Vec<_>>(),
            ["flat"]
        );
    }

    #[test]
    fn id_template_detects_partition_reference() {
        assert!(IdTemplate::new("{partition}:{body.k}").references_partition());
        assert!(!IdTemplate::new("{body.k}").references_partition());
    }

    #[test]
    fn sensitivity_is_deny_by_default_with_an_allow_list() {
        // Deny-by-default: an unknown field is sensitive, even one never named.
        let spec = SensitivitySpec::allowing(vec![FieldName::from("status")]);
        assert!(
            spec.is_sensitive(&FieldName::from("ssn")),
            "unknown ⇒ sensitive"
        );
        assert!(spec.is_sensitive(&FieldName::from("brand_new_field")));
        assert!(
            !spec.is_sensitive(&FieldName::from("status")),
            "explicitly allow-listed ⇒ safe"
        );
        // `all_sensitive` (the default) redacts everything.
        assert!(SensitivitySpec::all_sensitive().is_sensitive(&FieldName::from("anything")));
        assert_eq!(SensitivitySpec::default(), SensitivitySpec::all_sensitive());
        // The explicit opt-out treats nothing as sensitive.
        assert!(!SensitivitySpec::nothing_sensitive().is_sensitive(&FieldName::from("ssn")));
        assert!(!SensitivitySpec::none().is_sensitive(&FieldName::from("ssn")));
    }
}