spiffe_rustls/
error.rs

1use spiffe::SpiffeId;
2
3/// Result type used by this crate.
4pub type Result<T> = std::result::Result<T, Error>;
5
6/// Errors returned by `spiffe-rustls`.
7#[derive(Debug, thiserror::Error)]
8#[non_exhaustive]
9pub enum Error {
10    /// The `X509Source` currently has no SVID.
11    #[error("x509 source has no current SVID")]
12    NoSvid,
13
14    /// The `X509Source` is closed or cancelled.
15    #[error("x509 source is closed")]
16    SourceClosed,
17
18    /// The `X509Source` currently has no bundle for the requested trust domain.
19    #[error("x509 source has no bundle for trust domain {0}")]
20    NoBundle(spiffe::TrustDomain),
21
22    /// The trust domain is not allowed by the trust domain policy.
23    #[error("trust domain {0} is not allowed by policy")]
24    TrustDomainNotAllowed(spiffe::TrustDomain),
25
26    /// Failed to construct an authorizer due to invalid configuration.
27    #[error("authorizer configuration error: {0}")]
28    AuthorizerConfig(#[from] AuthorizerConfigError),
29
30    /// Failed to create a `rustls::sign::CertifiedKey` from SVID material.
31    #[error("failed building rustls certified key: {0}")]
32    CertifiedKey(String),
33
34    /// Failed to parse a peer certificate.
35    #[error("failed parsing peer certificate: {0}")]
36    CertParse(String),
37
38    /// The peer certificate is missing a SPIFFE ID URI SAN.
39    #[error("peer is missing SPIFFE ID URI SAN")]
40    MissingSpiffeId,
41
42    /// The peer certificate has multiple SPIFFE ID URI SANs (invalid).
43    #[error("peer certificate has multiple SPIFFE ID URI SANs")]
44    MultipleSpiffeIds,
45
46    /// The peer SPIFFE ID was rejected by the authorization hook.
47    #[error("peer SPIFFE ID is not authorized: {0}")]
48    UnauthorizedSpiffeId(SpiffeId),
49
50    /// Failed to build a rustls verifier.
51    #[error("rustls verifier builder error: {0}")]
52    VerifierBuilder(String),
53
54    /// A rustls error occurred.
55    #[error("rustls error: {0}")]
56    Rustls(#[from] rustls::Error),
57
58    /// An error from the underlying `X509Source`.
59    #[error("x509 source error: {0}")]
60    Source(#[from] spiffe::x509_source::X509SourceError),
61
62    /// Internal error.
63    #[error("internal: {0}")]
64    Internal(String),
65
66    /// Tokio runtime is required but not available in the current context.
67    #[error("tokio runtime is required but not available in the current context")]
68    NoTokioRuntime,
69
70    /// No root certificates were accepted into a root certificate store.
71    ///
72    /// This occurs when building a root certificate store from a trust bundle
73    /// and none of the provided certificates are valid or accepted by rustls.
74    #[error("no root certificates were accepted into root certificate store")]
75    EmptyRootStore,
76
77    /// No usable root certificate stores could be built from any trust domain bundle.
78    ///
79    /// This occurs when `build_material` iterates through all trust domain bundles
80    /// in the bundle set and fails to build a valid root certificate store for any of them.
81    /// This is distinct from `EmptyRootStore`, which indicates a failure for a single
82    /// trust domain bundle.
83    #[error("no usable root certificate stores could be built from any trust domain bundle")]
84    NoUsableRootStores,
85}
86
87/// Errors that occur when constructing an authorizer with invalid configuration.
88#[derive(Debug, thiserror::Error)]
89#[non_exhaustive]
90pub enum AuthorizerConfigError {
91    /// A SPIFFE ID in the configuration is invalid.
92    #[error("invalid SPIFFE ID: {0}")]
93    InvalidSpiffeId(String),
94
95    /// A trust domain in the configuration is invalid.
96    #[error("invalid trust domain: {0}")]
97    InvalidTrustDomain(String),
98}