Skip to main content

zerodds_security_permissions/
lib.rs

1// SPDX-License-Identifier: Apache-2.0
2// Copyright 2026 ZeroDDS Contributors
3
4//! Crate `zerodds-security-permissions`. Safety classification: **SAFE** (reiner XML-Parser + Topic-Match; Signatur-Validierung delegiert an [`cms`]-Modul, das `rustls-webpki` nutzt).
5//!
6//! Permissions/Governance-XML-Parser + `AccessControlPlugin`-Implementation
7//! fuer DDS-Security 1.1 §9.4 ("Builtin Access Control Plugin").
8//!
9//! ## Schichten-Position
10//!
11//! Layer 4 — Core Services. Konsumiert `zerodds-security` (SPI).
12//!
13//! ## Public API (Stand 1.0.0-rc.1)
14//!
15//! - [`PermissionsAccessControl`] — `AccessControlPlugin`-Implementation.
16//! - [`xml`]-Modul — Parser fuer Permissions-XML (`<grant>` → `<allow_rule>` → `<publish>`/`<subscribe>` → `<topic>`).
17//! - [`governance`]-Modul — Parser fuer Governance-XML (`<topic_access_rule>` mit `enable_discovery_protection`/`enable_liveliness_protection`/`metadata_protection_kind`/`data_protection_kind`).
18//! - [`signature`]-Modul — `XmlSignatureVerifier`-Trait + `NoOpVerifier` (Dev) + `EnvelopeCheckVerifier` + `open_signed_permissions`.
19//! - [`cms`]-Modul — produktiver CMS/PKCS#7-Verifier (RFC 5751/5652/5280) auf `rustls-webpki`-Basis.
20//! - [`topic_match`]-Modul — Wildcard-Match `*`/`?`.
21//! - [`delegation_check`]-Modul — Permissions-Delegation-Chain (Sub-CA-Validation).
22//! - [`psk_access`]-Modul — Pre-Shared-Key-Access-Control fuer Out-of-Band-Setups.
23
24#![cfg_attr(not(feature = "std"), no_std)]
25#![forbid(unsafe_code)]
26#![warn(missing_docs)]
27
28extern crate alloc;
29
30mod cms;
31pub mod delegation_check;
32mod governance;
33mod plugin;
34pub mod psk_access;
35mod signature;
36mod topic_match;
37mod xml;
38
39pub use cms::{CmsPkcs7Verifier, PROP_PERMISSIONS_CA};
40pub use delegation_check::{
41    DelegationCheckError, DelegationCheckResult, DelegationProfile, TrustAnchor, TrustPolicy,
42    ValidatedChain, scope_intersect, validate_chain,
43};
44pub use governance::{
45    DEFAULT_EPHEMERAL_LIFETIME_SECS, DomainFilter, DomainRule, EdgeIdentityConfig,
46    EdgeIdentityMode, Governance, InterfaceBindingRule, PeerClass, PeerClassMatch, ProtectionKind,
47    TopicRule, ZERODDS_NS, cn_pattern_match, parse_governance_xml,
48};
49pub use plugin::PermissionsAccessControl;
50pub use psk_access::{
51    CLASS_ID_PSK_PERMISSIONS, PROP_PSK_GOVERNANCE_XML, PROP_PSK_PERMISSIONS_ID,
52    PROP_PSK_PERMISSIONS_XML, PROP_PSK_SUBJECT_NAME, PskPermissionsAccessControl, PskProfile,
53};
54pub use signature::{
55    EnvelopeCheckVerifier, NoOpVerifier, XmlSignatureVerifier, open_signed_permissions,
56};
57pub use topic_match::topic_match;
58pub use xml::{Grant, Permissions, PermissionsError, Validity, parse_permissions_xml};