vault-client-rs 0.8.0

A Rust client for the HashiCorp Vault HTTP API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

use std::sync::Mutex;
use std::time::{Duration, Instant};

use crate::types::error::VaultError;

/// Configuration for the client-side circuit breaker
///
/// When enabled, the circuit breaker tracks consecutive failures and
/// short-circuits requests during prolonged outages, reducing latency
/// and load on an unreachable Vault server
#[derive(Debug, Clone)]
pub struct CircuitBreakerConfig {
    /// Consecutive failures required to trip the circuit (default: 5)
    pub failure_threshold: u32,
    /// Time in Open state before allowing a probe request (default: 30s)
    pub reset_timeout: Duration,
}

impl Default for CircuitBreakerConfig {
    fn default() -> Self {
        Self {
            failure_threshold: 5,
            reset_timeout: Duration::from_secs(30),
        }
    }
}

enum State {
    Closed { consecutive_failures: u32 },
    Open { since: Instant },
    HalfOpen,
}

pub(crate) struct CircuitBreaker {
    config: CircuitBreakerConfig,
    state: Mutex<State>,
}

impl CircuitBreaker {
    pub fn new(config: CircuitBreakerConfig) -> Self {
        Self {
            config,
            state: Mutex::new(State::Closed {
                consecutive_failures: 0,
            }),
        }
    }

    /// Returns `Ok(())` if a request may proceed, or
    /// `Err(VaultError::CircuitOpen)` if the circuit is open
    pub fn check(&self) -> Result<(), VaultError> {
        let mut state = self.state.lock().map_err(|_| VaultError::LockPoisoned)?;
        match *state {
            State::Closed { .. } => Ok(()),
            State::Open { since } => {
                if since.elapsed() >= self.config.reset_timeout {
                    *state = State::HalfOpen;
                    Ok(())
                } else {
                    Err(VaultError::CircuitOpen)
                }
            }
            State::HalfOpen => {
                // Only one probe at a time; subsequent requests while
                // half-open are rejected until the probe completes
                Err(VaultError::CircuitOpen)
            }
        }
    }

    /// Record a successful response, resetting the circuit to Closed
    pub fn record_success(&self) {
        if let Ok(mut state) = self.state.lock() {
            *state = State::Closed {
                consecutive_failures: 0,
            };
        }
    }

    /// Record a failure, incrementing the counter and potentially
    /// transitioning to Open
    pub fn record_failure(&self) {
        if let Ok(mut state) = self.state.lock() {
            match *state {
                State::Closed {
                    consecutive_failures,
                } => {
                    let new_count = consecutive_failures + 1;
                    if new_count >= self.config.failure_threshold {
                        *state = State::Open {
                            since: Instant::now(),
                        };
                    } else {
                        *state = State::Closed {
                            consecutive_failures: new_count,
                        };
                    }
                }
                State::HalfOpen => {
                    // Probe failed, back to Open
                    *state = State::Open {
                        since: Instant::now(),
                    };
                }
                State::Open { .. } => {
                    // Already open, nothing to do
                }
            }
        }
    }
}