Skip to main content

Crate zerodds_security_runtime

Crate zerodds_security_runtime 

Source
Expand description

Crate zerodds-security-runtime. Safety classification: SAFE (pure adapter without its own crypto primitives — delegates to security-crypto + security-rtps).

Security runtime: governance-driven plugin lifecycle, peer-capabilities cache, outbound/inbound verdict engine, built-in data tagging, anti-squatter, heterogeneous-mesh gateway bridge. Adapter layer between the governance-XML policy and the secure-submessage wrapper.

§Layer position

Layer 4 — core services. Consumes zerodds-security (SPI) + zerodds-security-crypto + -permissions + -pki + -rtps + zerodds-rtps + zerodds-qos. Fed by the DCPS runtime via Box<dyn ...> plugins (feature security).

§Public API (as of 1.0.0-rc.1)

  • SecurityGate — high-level adapter between governance + crypto + RTPS wrap.
  • engine::*GovernancePolicyEngine default impl + PolicyEngine trait.
  • policy::*PolicyDecision with suite, receiver MACs, topic class.
  • caps::*PeerCapabilities + PeerCapabilitiesCache.
  • caps_wire::* — SPDP mapping for peer capabilities (wire codec).
  • peer_class::*<peer_class> match (CIDR, subject patterns).
  • endpoint::* — endpoint slot lookup.
  • data_tagging::* — built-in DataTaggingPlugin (spec §8.7).
  • builtin_topics::* — DCPSParticipantStatelessMessage + DCPSParticipantVolatileMessageSecure.
  • anti_squatter::* — spec §8.5.3 anti-squatter logic.
  • gateway_bridge::* — heterogeneous-mesh gateway bridge (edge ↔ backend).
  • shared::* — shared inbound/outbound verdict types.

§Example

use zerodds_security_crypto::AesGcmCryptoPlugin;
use zerodds_security_permissions::parse_governance_xml;
use zerodds_security_runtime::SecurityGate;

let governance = parse_governance_xml(GOVERNANCE_XML).unwrap();
let mut crypto = AesGcmCryptoPlugin::new();
let mut gate = SecurityGate::new(0, governance, &mut crypto);

// Outbound:
let wire = gate.encode_outbound("Chatter", b"hello").unwrap();

// Inbound (at the peer):
let plain = gate.decode_inbound("Chatter", &wire).unwrap();

Re-exports§

pub use anti_squatter::BindingDecision;
pub use anti_squatter::GuidPrefixBytes;
pub use anti_squatter::IdentityBindingCache;
pub use bundle::SecurityBundle;
pub use bundle::SecurityBundleBuilder;
pub use caps::PeerCache;
pub use caps::PeerCapabilities;
pub use caps::Validity;
pub use caps_wire::advertise_security_caps;
pub use caps_wire::parse_peer_caps;
pub use data_tagging::BuiltinDataTaggingPlugin;
pub use data_tagging::TAG_PROPERTY_PREFIX;
pub use endpoint::EndpointMatch;
pub use endpoint::EndpointProtection;
pub use endpoint::MatchRejectReason;
pub use endpoint::match_endpoints;
pub use gateway_bridge::GatewayBridge;
pub use gateway_bridge::GatewayBridgeConfig;
pub use gateway_bridge::GatewayBridgeError;
pub use gateway_bridge::GatewayBridgeResult;
pub use peer_class::interface_accepts_class;
pub use peer_class::peer_matches_class;
pub use peer_class::resolve_peer_class;
pub use peer_class::resolve_protection;
pub use policy::InboundCtx;
pub use policy::InterfaceConfig;
pub use policy::IpRange;
pub use policy::NetInterface;
pub use policy::OutboundCtx;
pub use policy::PolicyDecision;
pub use policy::PolicyEngine;
pub use policy::ProtectionLevel;
pub use policy::SuiteHint;
pub use policy::classify_interface;
pub use profile::SecurityProfile;
pub use profile::SecurityProfileConfig;
pub use profile::SecurityProfileError;
pub use profile::strip_file_url;

Modules§

anti_squatter
GUID-to-identity bindings cache (C3.8).
builtin_topics
C3.4-b — API bridge for the DDS-Security 1.2 §7.5.3/§7.5.4 builtin topics (DCPSParticipantStatelessMessage + DCPSParticipantVolatileMessage- Secure). Wraps the spec data model from zerodds_security::generic_message into a DCPS-ready form:
bundle
One-stop security configuration facade for a participant.
caps
Peer capabilities and cache.
caps_wire
SPDP mapping for PeerCapabilities.
data_tagging
Builtin DataTagging plugin (OMG DDS-Security 1.2 §12).
endpoint
Endpoint-level protection abstraction.
gateway_bridge
Gateway-bridge helper.
peer_class
Peer-class matching engine.
policy
Heterogeneous security — PolicyEngine trait and data types .
profile
Vendor-style-conform “from-paths” builder for DDS-Security 1.2 setups.

Structs§

GovernancePolicyEngine
Governance-XML-driven PolicyEngine default implementation.
SecurityGate
Decides per topic whether/how outgoing submessages must be encrypted or signed.
SharedSecurityGate
Thread-safe security gate. Clone gives a second reference to the same plugin instance — all clones operate on the same key store.

Enums§

InboundVerdict
Result of a classify_inbound decision.
LogLevel
Severity of a security event (spec §8.6.3 table 36).
SecurityGateError
Error class for the gate.

Traits§

LoggingPlugin
Logging plugin (spec §8.6.2.1).

Type Aliases§

PeerKey
Opaque peer identifier. In RTPS environments the caller typically maps GuidPrefix (12 bytes) onto it — [u8; 12] fits exactly.