Crate zerodds_security_permissions


Crate zerodds-security-permissions. Safety classification: SAFE (a pure XML parser + topic match; signature validation is delegated to the [cms] module, which uses rustls-webpki).

Permissions/governance XML parser + AccessControlPlugin implementation for DDS-Security 1.1 §9.4 (“Builtin Access Control Plugin”).

Layer position

Layer 4 — Core Services. Consumes zerodds-security (SPI).

Public API (as of 1.0.0-rc.1)

  • PermissionsAccessControl, the AccessControlPlugin implementation.
  • [xml] module — parser for the permissions XML (<grant><allow_rule><publish>/<subscribe><topic>).
  • [governance] module — parser for the governance XML (<topic_access_rule> with enable_discovery_protection/enable_liveliness_protection/metadata_protection_kind/data_protection_kind).
  • [signature] module — XmlSignatureVerifier trait + NoOpVerifier (dev) + EnvelopeCheckVerifier + open_signed_permissions.
  • [cms] module — production CMS/PKCS#7 verifier (RFC 5751/5652/5280) based on rustls-webpki.
  • topic_match module — wildcard match */?.
  • delegation_check module — permissions delegation chain (sub-CA validation).
  • psk_access module — pre-shared-key access control for out-of-band setups.

Re-exports

pub use delegation_check::DelegationCheckError;
pub use delegation_check::DelegationCheckResult;
pub use delegation_check::DelegationProfile;
pub use delegation_check::TrustAnchor;
pub use delegation_check::TrustPolicy;
pub use delegation_check::ValidatedChain;
pub use delegation_check::scope_intersect;
pub use delegation_check::validate_chain;
pub use psk_access::CLASS_ID_PSK_PERMISSIONS;
pub use psk_access::PROP_PSK_GOVERNANCE_XML;
pub use psk_access::PROP_PSK_PERMISSIONS_ID;
pub use psk_access::PROP_PSK_PERMISSIONS_XML;
pub use psk_access::PROP_PSK_SUBJECT_NAME;
pub use psk_access::PskPermissionsAccessControl;
pub use psk_access::PskProfile;

Modules

delegation_check
Delegation chain validation for permissions sub-CAs.
psk_access
Built-in pre-shared-key access-control plugin (spec §10.8).

Structs

CmsPkcs7Verifier
Verifier for S/MIME PKCS#7-signed permissions/governance XML.
DomainFilter
Domain filter: list of (min, max) ranges. A single id is stored as min == max.
DomainRule
A domain rule in the governance XML.
EdgeIdentityConfig
Edge identity configuration from <zerodds:edge_identities>.
EnvelopeCheckVerifier
Simple envelope verifier for tests and a pseudo-signature.
Governance
Complete governance config.
Grant
A grant entry: which topics are allowed per subject.
InterfaceBindingRule
Interface-specific rule from <zerodds:interface_bindings>.
NoOpVerifier
No-op verifier for development — accepts any input as valid and treats it as plaintext XML. NEVER use in production.
PeerClass
Peer class from <zerodds:peer_class> (RC1, spec: architecture doc §5).
PeerClassMatch
Match criteria of a peer class. All set fields must be met (AND combination). None/default values are ignored.
Permissions
Complete permissions file.
PermissionsAccessControl
Access-control plugin: allows topics only if they match in the permissions XML for the subject name.
TopicRule
Rule for a topic class (or wildcard).
Validity
Validity period: not_before <= now < not_after. Values are ISO-8601 strings from the XML; the parser converts them to Unix epoch seconds (u64). Spec §9.4.1.3.2.2.

Enums

EdgeIdentityMode
Edge identity mode.
PermissionsError
Parse error.
ProtectionKind
Topic protection kind (spec §9.4.1.2 table 48).

Constants

DEFAULT_EPHEMERAL_LIFETIME_SECS
Default lifetime for ephemeral edge identities (seconds).
PROP_PERMISSIONS_CA
Property key for the PEM CA bundle of the permissions CA. Conforms to Table 63 of the spec (DDS-Security 1.2).
ZERODDS_NS
XML namespace URI for ZeroDDS extensions in Governance.xml.

Traits

XmlSignatureVerifier
Abstraction over the S/MIME verify step.

Functions

cn_pattern_match
Wildcard matcher for cert-CN patterns. The only wildcard is *, which matches any number of characters (including .). An empty pattern matches only empty strings. For *.fast.example: "w1.fast.example" → true, "fast.example" → false.
open_signed_permissions
High-level wrapper: verifies the signature, parses the permissions XML.
parse_governance_xml
Parses a governance XML document.
parse_permissions_xml
Parses a permissions XML document.
topic_match
Glob match. Purely iterative/DP, no regex-engine overhead.
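
The matching rules stated for cn_pattern_match and topic_match above, worked through as an added example; this is not the crate's source. The names `wildcard_match`, `cn_like` and `topic_like` are hypothetical, and the example assumes that `*` may match the empty run, that `?` matches exactly one byte, and that topic separators get no special treatment.

```rust
// Added illustration; NOT the zerodds_security_permissions source.
// All function names here are hypothetical.

/// Iterative wildcard match over bytes. `*` matches any run of bytes
/// (assumed to include the empty run). `?` matches exactly one byte
/// only when `qmark` is true; otherwise it is an ordinary literal.
fn wildcard_match(pattern: &str, text: &str, qmark: bool) -> bool {
    let (p, t) = (pattern.as_bytes(), text.as_bytes());
    let (mut pi, mut ti) = (0usize, 0usize);
    // Last `*` seen in the pattern and the text index it has absorbed up to.
    let mut star: Option<(usize, usize)> = None;
    while ti < t.len() {
        if pi < p.len() && p[pi] == b'*' {
            star = Some((pi, ti));
            pi += 1;
        } else if pi < p.len() && ((qmark && p[pi] == b'?') || p[pi] == t[ti]) {
            pi += 1;
            ti += 1;
        } else if let Some((sp, st)) = star {
            // Mismatch: let the last `*` absorb one more byte and retry.
            star = Some((sp, st + 1));
            pi = sp + 1;
            ti = st + 1;
        } else {
            return false;
        }
    }
    // Text consumed: only trailing `*` may remain in the pattern.
    p[pi..].iter().all(|&c| c == b'*')
}

/// CN-style matching: `*` is the only wildcard.
fn cn_like(pattern: &str, cn: &str) -> bool {
    wildcard_match(pattern, cn, false)
}

/// Topic-style matching: both `*` and `?` are wildcards.
fn topic_like(pattern: &str, topic: &str) -> bool {
    wildcard_match(pattern, topic, true)
}

fn main() {
    // Constructed inputs; the first two are the cases quoted on this page.
    let names = ["w1.fast.example", "fast.example", "a.b.fast.example"];
    for cn in names {
        println!("*.fast.example vs {}: {}", cn, cn_like("*.fast.example", cn));
    }
    println!("Sensor/?/temp vs Sensor/1/temp: {}", topic_like("Sensor/?/temp", "Sensor/1/temp"));
}
```

Because `*` crosses dots, a pattern such as `*.fast.example` also accepts multi-label names like `a.b.fast.example`, which is broader than TLS hostname wildcard matching (RFC 6125 confines the wildcard to one label); size CN patterns in a peer-class or grant with that in mind.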