
zerodds_security/
lib.rs

1// SPDX-License-Identifier: Apache-2.0
2// Copyright 2026 ZeroDDS Contributors
3
4//! Crate `zerodds-security`. Safety classification: **SAFE** (the
5//! security plugins run against production trust boundaries; the
6//! SPI layer itself is trust-neutral).
7//!
8//! DDS-Security 1.1 (formal/2018-04-01) plugin SPI: defines the
9//! abstract plugin traits, data types and generic-message topics;
10//! production implementations live in sibling crates.
11//!
12//! ## Layer position
13//!
14//! Layer 4 — Core Services (SPI crate). Pure Rust + `alloc`, **no**
15//! dependencies on other ZeroDDS crates.
16//!
17//! ## Public API (as of 1.0.0-rc.1)
18//!
19//! | Spec                  | Trait / module                                      | Concrete impl |
20//! |-----------------------|-----------------------------------------------------|---------------|
21//! | §8.3 Authentication   | [`AuthenticationPlugin`] in [`authentication`]      | `zerodds-security-pki` (X.509 + RSA-PSS + ECDSA + OCSP/CRL) |
22//! | §8.4 Access Control   | [`AccessControlPlugin`] in [`access_control`]       | `zerodds-security-permissions` (Governance + Permissions-XML) |
23//! | §8.5 Cryptographic    | [`CryptographicPlugin`] in [`crypto`]               | `zerodds-security-crypto` (AES-GCM 128/256 + HMAC-SHA256 + Receiver-Specific-MACs) |
24//! | §8.6 Logging          | [`LoggingPlugin`] in [`logging`]                    | `zerodds-security-logging` |
25//! | §8.7 Data Tagging     | [`DataTaggingPlugin`] in [`data_tagging`]           | `zerodds-security-runtime` (Built-in DataTagging) |
26//!
27//! Plus cross-cutting modules:
28//! - [`token`] — `IdentityToken`, `PermissionsToken`, `CryptoToken`, `DataHolder`, `BinaryProperty`.
29//! - [`generic_message`] — `ParticipantGenericMessage`, `MessageIdentity` + topic constants for DCPSParticipantStatelessMessage / DCPSParticipantVolatileMessageSecure.
30//! - [`properties`] — `Property` / `PropertyList` for plugin configuration.
31//! - [`security_topic_qos`] — QoS profiles for the built-in security topics.
32//! - [`error`] — `SecurityError`.
33//! - [`mock`] (feature `std`) — mock plugins for tests, never for production use. The module is compiled into every build that enables `std`, so the feature gate alone does not keep it out of production binaries.
34//!
35//! ## Architecture
36//!
37//! The SPI is trait-based and erasable to `Box<dyn Plugin>`, so that
38//! different backends (rustls vs. ring vs. mbedtls) can be swapped
39//! without crate wiring. Each plugin trait is self-contained
40//! — no cross-references — so that extensions to one plugin do not
41//! break the others.
42//!
43//! ## API stability pledge
44//!
45//! This interface is **API-frozen** as of `1.0.0-rc.1`. Breaking
46//! changes require a v2.0 major bump. Semver patch and minor releases
47//! may only add new methods with a default body or non-breaking enum
48//! variants.
49
// Build as `no_std` unless the `std` feature is enabled.
50#![cfg_attr(not(feature = "std"), no_std)]
// `forbid` cannot be relaxed by a later `#[allow(unsafe_code)]` inside this
// crate. It covers this crate only: the crate docs place the production plugin
// implementations in sibling crates, which this attribute does not bind.
51#![forbid(unsafe_code)]
52#![warn(missing_docs)]
53
54// zerodds-lint: allow no_dyn_in_safe
55// The plugin SPI needs `Box<dyn Plugin>` for interchangeable backends
56// (rustls/ring/mbedtls). This is a consequence of the architecture, not a
57// memory-safety weakness.
58
59#[cfg(feature = "alloc")]
60extern crate alloc;
61
// One module per DDS-Security plugin trait, plus the shared data types.
62pub mod access_control;
63pub mod authentication;
64pub mod crypto;
65pub mod data_tagging;
66pub mod error;
67pub mod generic_message;
68pub mod logging;
69pub mod properties;
70pub mod security_topic_qos;
71pub mod token;
72
// NOTE(review): `mock` is gated only on the `std` feature, so it is part of
// the public API of every `std` build, release builds included. The crate docs
// mark these plugins as test-only, but nothing in this file prevents an
// application from selecting one. Consider a dedicated opt-in feature, and
// confirm that production configurations cannot load a mock plugin.
73#[cfg(feature = "std")]
74pub mod mock;
75
76pub use access_control::AccessControlPlugin;
77pub use authentication::AuthenticationPlugin;
78pub use crypto::CryptographicPlugin;
79pub use data_tagging::DataTaggingPlugin;
80pub use error::SecurityError;
81pub use generic_message::{
82    MessageIdentity, ParticipantGenericMessage, TOPIC_STATELESS_MESSAGE,
83    TOPIC_VOLATILE_MESSAGE_SECURE, TYPE_NAME_GENERIC_MESSAGE,
84};
85pub use logging::{LogLevel, LoggingPlugin};
86pub use properties::{Property, PropertyList};
87pub use token::{
88    BinaryProperty, CryptoToken, DataHolder, IdentityStatusToken, IdentityToken, PermissionsToken,
89    WireProperty,
90};
91
#[cfg(test)]
#[allow(clippy::expect_used)]
mod tests {
    use super::{
        AccessControlPlugin, AuthenticationPlugin, CryptographicPlugin, DataTaggingPlugin,
        LoggingPlugin,
    };

    /// Accepts any type, sized or not; naming `dyn Trait` as `T` only
    /// type-checks when `Trait` is object-safe.
    fn require_type<T: ?Sized>() {}

    /// Compile-time smoke test: every plugin trait must stay usable as a
    /// trait object, because the SPI hands plugins around as `dyn Plugin`.
    ///
    /// The test body does nothing at run time. It stops compiling as soon as
    /// a trait gains a `Self: Sized` supertrait bound or a generic method
    /// that is not restricted with `where Self: Sized`.
    #[test]
    fn plugin_trait_objects_are_object_safe() {
        require_type::<dyn AuthenticationPlugin>();
        require_type::<dyn AccessControlPlugin>();
        require_type::<dyn CryptographicPlugin>();
        require_type::<dyn LoggingPlugin>();
        require_type::<dyn DataTaggingPlugin>();
    }
}
107}