Skip to main content

RepairError

s4_server::repair

Enum RepairError 

Source 
pub enum RepairError {
    Backend {
        op: &'static str,
        bucket: String,
        key: String,
        cause: String,
    },
    FrameScan {
        bucket: String,
        key: String,
        cause: String,
    },
    BodyTooLarge {
        size: u64,
        cap: u64,
    },
    MissingContentLength {
        bucket: String,
        key: String,
    },
    OverwrittenDuringRepair {
        bucket: String,
        key: String,
        head_etag: String,
    },
    SidecarTooLarge {
        bucket: String,
        key: String,
        size: u64,
        cap: u64,
    },
    NotFramed {
        bucket: String,
        key: String,
    },
    EncryptedSidecarUnsupported {
        bucket: String,
        key: String,
        message: String,
    },
}

Variants§

§

Backend

Fields

§op: &'static str
§bucket: String
§key: String
§cause: String
§

FrameScan

Fields

§bucket: String
§key: String
§cause: String
§

BodyTooLarge

Fields

§size: u64
§cap: u64
§

MissingContentLength

HEAD on {bucket}/{key} returned no Content-Length header. The body-size cap that prevents OOM on a runaway repair relies on this being available, so the tool fails closed rather than treating a missing length as zero (which would silently bypass the cap).

Fields

§bucket: String
§key: String
§

OverwrittenDuringRepair

If-Match race detector: the object was overwritten between the initial HEAD (whose ETag we stamped into the sidecar) and the GET. Returned by repair_sidecar so the operator can re-run instead of writing a sidecar that’s immediately stale.

Fields

§bucket: String
§key: String
§head_etag: String
§

SidecarTooLarge

v0.9 #106-audit-R5 P2-R5 (Codex): the <key>.s4index body the backend reports exceeds MAX_SIDECAR_BODY_BYTES, which exceeds the codec spec’s max legitimate sidecar (~512 MiB). Surfaced before the GET to avoid loading a multi-GiB corrupt or attacker-supplied .s4index blob into the operator’s repair process (DoS hardening). Operators with anomalously large legitimate sidecars (multi-million-frame objects) can raise the cap by changing the constant — but the practical answer is “treat the underlying object as not-sidecared (the GET path already falls back to a full read in that case)” rather than chasing larger sidecars.

Fields

§bucket: String
§key: String
§size: u64
§cap: u64
§

NotFramed

v0.9 #106-audit-R3 P2-R3: the object body has no S4F2 frame magic — it’s a passthrough / raw-bytes object the server intentionally never sidecared (service.rs::put_object only builds a sidecar when is_framed && !will_encrypt). Writing an empty <key>.s4index would silently break Range GET: FrameIndex::lookup_range over zero entries returns None, the GET path falls into the “invalid range” branch instead of the correct passthrough-range fallback that exists for sidecar-less objects. Surface as a typed error so the operator knows the object isn’t a candidate for sidecar repair (and verify-sidecar will already classify it as MissingHarmless with frame_count=0).

Fields

§bucket: String
§key: String
§

EncryptedSidecarUnsupported

v0.9 #106-audit-R2 P2-INT-1: the object body the backend returned is an SSE-S4 (S4E1/S4E2/S4E3/S4E4/S4E5/S4E6) encrypted envelope. repair_sidecar runs against the BACKEND (not the gateway), so the body it sees is ciphertext — feeding that to the frame scanner would surface as a confusing FrameScan because the S4F2 frame magic is hidden inside the encrypted payload. Worse, the v3 sidecar’s sse_v3 binding (key_id / salt / chunk_size etc.) cannot be reconstructed from the backend bytes alone — it requires the SSE keyring to decrypt the body and walk the chunk layout. The CLI does not (yet) accept --sse-s4-key; v0.10 roadmap is to plumb that through. Until then, surface a clean typed error so the operator can route the repair through a server-mode rebuild path (re-PUT the object) instead of receiving a misleading frame-scan failure.

Fields

§bucket: String
§key: String
§message: String

Trait Implementations§

Source§

impl Debug for RepairError

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for RepairError

Source§

fn fmt(&self, __formatter: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Error for RepairError

1.30.0 · Source§

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any. Read more
1.0.0 · Source§

fn description(&self) -> &str

👎Deprecated since 1.42.0:

use the Display impl or to_string()

Read more
1.0.0 · Source§

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0:

replaced by Error::source, which can support downcasting

Source§

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

Source§

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

Source§

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

Source§

fn implicit( self, class: Class, constructed: bool, tag: u32, ) -> TaggedParser<'a, Implicit, Self, E>

Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
where ST: ?Sized, DT: ?Sized,

Source§

impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
where ST: ?Sized, DT: ?Sized,

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> FromExt for T

Source§

fn from_<T>(t: T) -> Self
where Self: From<T>,

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> IntoExt for T

Source§

fn into_<T>(self) -> T
where Self: Into<T>,

Source§

impl<Unshared, Shared> IntoShared<Shared> for Unshared
where Shared: FromUnshared<Unshared>,

Source§

fn into_shared(self) -> Shared

Creates a shared type from an unshared type.
Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Sized + Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T> Read<Exclusive, BecauseExclusive> for T
where T: ?Sized,

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T> TryFromExt for T

Source§

fn try_from_<T>(t: T) -> Result<Self, Self::Error>
where Self: TryFrom<T>,

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> TryIntoExt for T

Source§

fn try_into_<T>(self) -> Result<T, Self::Error>
where Self: TryInto<T>,

Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V

Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more