spiffe_rustls/error.rs
1use spiffe::SpiffeId;
2
3/// Result type used by this crate.
4pub type Result<T> = std::result::Result<T, Error>;
5
6/// Errors returned by `spiffe-rustls`.
7#[expect(clippy::error_impl_error, reason = "unfortunate public API")]
8#[derive(Debug, thiserror::Error)]
9#[non_exhaustive]
10pub enum Error {
11 /// The `X509Source` currently has no SVID.
12 #[error("x509 source has no current SVID")]
13 NoSvid,
14
15 /// The `X509Source` is closed or cancelled.
16 #[error("x509 source is closed")]
17 SourceClosed,
18
19 /// The `X509Source` currently has no bundle for the requested trust domain.
20 #[error("x509 source has no bundle for trust domain {0}")]
21 NoBundle(spiffe::TrustDomain),
22
23 /// The trust domain is not allowed by the trust domain policy.
24 #[error("trust domain {0} is not allowed by policy")]
25 TrustDomainNotAllowed(spiffe::TrustDomain),
26
27 /// Failed to construct an authorizer due to invalid configuration.
28 #[error("authorizer configuration error: {0}")]
29 AuthorizerConfig(#[from] AuthorizerConfigError),
30
31 /// Failed to create a `rustls::sign::CertifiedKey` from SVID material.
32 #[error("failed building rustls certified key: {0}")]
33 CertifiedKey(String),
34
35 /// Failed to parse a peer certificate.
36 #[error("failed parsing peer certificate: {0}")]
37 CertParse(String),
38
39 /// The peer certificate is missing a SPIFFE ID URI SAN.
40 #[error("peer is missing SPIFFE ID URI SAN")]
41 MissingSpiffeId,
42
43 /// The peer certificate has multiple SPIFFE ID URI SANs (invalid).
44 #[error("peer certificate has multiple SPIFFE ID URI SANs")]
45 MultipleSpiffeIds,
46
47 /// The peer certificate is not acceptable as an X509-SVID leaf.
48 ///
49 /// Signing-capable certificates (`cA=true`, `keyCertSign`, or `cRLSign`)
50 /// are validation material and must not be accepted as peer identities.
51 #[error("peer leaf certificate is not a valid X509-SVID leaf: {0}")]
52 InvalidLeaf(String),
53
54 /// The peer SPIFFE ID was rejected by the authorization hook.
55 #[error("peer SPIFFE ID is not authorized: {0}")]
56 UnauthorizedSpiffeId(SpiffeId),
57
58 /// Failed to build a rustls verifier.
59 #[error("rustls verifier builder error: {0}")]
60 VerifierBuilder(String),
61
62 /// A rustls error occurred.
63 #[error("rustls error: {0}")]
64 Rustls(#[from] rustls::Error),
65
66 /// An error from the underlying `X509Source`.
67 #[error("x509 source error: {0}")]
68 Source(#[from] spiffe::x509_source::X509SourceError),
69
70 /// Internal error.
71 #[error("internal: {0}")]
72 Internal(String),
73
74 /// Tokio runtime is required but not available in the current context.
75 #[error("tokio runtime is required but not available in the current context")]
76 NoTokioRuntime,
77
78 /// No root certificates were accepted into a root certificate store.
79 ///
80 /// This occurs when building a root certificate store from a trust bundle
81 /// and none of the provided certificates are valid or accepted by rustls.
82 #[error("no root certificates were accepted into root certificate store")]
83 EmptyRootStore,
84
85 /// No usable root certificate stores could be built from any trust domain bundle.
86 ///
87 /// This occurs when `build_material` iterates through all trust domain bundles
88 /// in the bundle set and fails to build a valid root certificate store for any of them.
89 /// This is distinct from `EmptyRootStore`, which indicates a failure for a single
90 /// trust domain bundle.
91 #[error("no usable root certificate stores could be built from any trust domain bundle")]
92 NoUsableRootStores,
93}
94
95/// Errors that occur when constructing an authorizer with invalid configuration.
96#[expect(unnameable_types, reason = "exposed as a source error")]
97#[derive(Debug, thiserror::Error)]
98#[non_exhaustive]
99pub enum AuthorizerConfigError {
100 /// A SPIFFE ID in the configuration is invalid.
101 #[error("invalid SPIFFE ID: {0}")]
102 InvalidSpiffeId(String),
103
104 /// A trust domain in the configuration is invalid.
105 #[error("invalid trust domain: {0}")]
106 InvalidTrustDomain(String),
107}