Skip to main content

spiffe_rustls/
error.rs

1use spiffe::SpiffeId;
2
3/// Result type used by this crate.
4pub type Result<T> = std::result::Result<T, Error>;
5
6/// Errors returned by `spiffe-rustls`.
7#[expect(clippy::error_impl_error, reason = "unfortunate public API")]
8#[derive(Debug, thiserror::Error)]
9#[non_exhaustive]
10pub enum Error {
11    /// The `X509Source` currently has no SVID.
12    #[error("x509 source has no current SVID")]
13    NoSvid,
14
15    /// The `X509Source` is closed or cancelled.
16    #[error("x509 source is closed")]
17    SourceClosed,
18
19    /// The `X509Source` currently has no bundle for the requested trust domain.
20    #[error("x509 source has no bundle for trust domain {0}")]
21    NoBundle(spiffe::TrustDomain),
22
23    /// The trust domain is not allowed by the trust domain policy.
24    #[error("trust domain {0} is not allowed by policy")]
25    TrustDomainNotAllowed(spiffe::TrustDomain),
26
27    /// Failed to construct an authorizer due to invalid configuration.
28    #[error("authorizer configuration error: {0}")]
29    AuthorizerConfig(#[from] AuthorizerConfigError),
30
31    /// Failed to create a `rustls::sign::CertifiedKey` from SVID material.
32    #[error("failed building rustls certified key: {0}")]
33    CertifiedKey(String),
34
35    /// Failed to parse a peer certificate.
36    #[error("failed parsing peer certificate: {0}")]
37    CertParse(String),
38
39    /// The peer certificate is missing a SPIFFE ID URI SAN.
40    #[error("peer is missing SPIFFE ID URI SAN")]
41    MissingSpiffeId,
42
43    /// The peer certificate has multiple SPIFFE ID URI SANs (invalid).
44    #[error("peer certificate has multiple SPIFFE ID URI SANs")]
45    MultipleSpiffeIds,
46
47    /// The peer SPIFFE ID was rejected by the authorization hook.
48    #[error("peer SPIFFE ID is not authorized: {0}")]
49    UnauthorizedSpiffeId(SpiffeId),
50
51    /// Failed to build a rustls verifier.
52    #[error("rustls verifier builder error: {0}")]
53    VerifierBuilder(String),
54
55    /// A rustls error occurred.
56    #[error("rustls error: {0}")]
57    Rustls(#[from] rustls::Error),
58
59    /// An error from the underlying `X509Source`.
60    #[error("x509 source error: {0}")]
61    Source(#[from] spiffe::x509_source::X509SourceError),
62
63    /// Internal error.
64    #[error("internal: {0}")]
65    Internal(String),
66
67    /// Tokio runtime is required but not available in the current context.
68    #[error("tokio runtime is required but not available in the current context")]
69    NoTokioRuntime,
70
71    /// No root certificates were accepted into a root certificate store.
72    ///
73    /// This occurs when building a root certificate store from a trust bundle
74    /// and none of the provided certificates are valid or accepted by rustls.
75    #[error("no root certificates were accepted into root certificate store")]
76    EmptyRootStore,
77
78    /// No usable root certificate stores could be built from any trust domain bundle.
79    ///
80    /// This occurs when `build_material` iterates through all trust domain bundles
81    /// in the bundle set and fails to build a valid root certificate store for any of them.
82    /// This is distinct from `EmptyRootStore`, which indicates a failure for a single
83    /// trust domain bundle.
84    #[error("no usable root certificate stores could be built from any trust domain bundle")]
85    NoUsableRootStores,
86}
87
88/// Errors that occur when constructing an authorizer with invalid configuration.
89#[expect(unnameable_types, reason = "exposed as a source error")]
90#[derive(Debug, thiserror::Error)]
91#[non_exhaustive]
92pub enum AuthorizerConfigError {
93    /// A SPIFFE ID in the configuration is invalid.
94    #[error("invalid SPIFFE ID: {0}")]
95    InvalidSpiffeId(String),
96
97    /// A trust domain in the configuration is invalid.
98    #[error("invalid trust domain: {0}")]
99    InvalidTrustDomain(String),
100}