Crate zerodds_security_runtime


Crate zerodds-security-runtime. Safety classification: SAFE (pure adapter without crypto primitives of its own; delegates to security-crypto + security-rtps).

Security runtime: governance-driven plugin lifecycle, peer-capabilities cache, outbound/inbound verdict engine, built-in DataTagging, anti-squatter, heterogeneous-mesh gateway bridge. Adapter layer between the Governance XML policy and the secure-submessage wrapper.

§Layer Position

Layer 4 — Core Services. Consumes zerodds-security (SPI) + zerodds-security-crypto + -permissions + -pki + -rtps + zerodds-rtps + zerodds-qos. Fed by the DCPS runtime via Box<dyn ...> plugins (feature security).

§Public API (as of 1.0.0-rc.1)

  • SecurityGate — High-level adapter between Governance + Crypto + RTPS wrap.
  • engine::* — GovernancePolicyEngine default impl + PolicyEngine trait.
  • policy::* — PolicyDecision with suite, receiver MACs, topic class.
  • caps::* — PeerCapabilities + PeerCapabilitiesCache.
  • caps_wire::* — SPDP mapping for peer capabilities (wire codec).
  • peer_class::* — <peer_class> match (CIDR, subject patterns).
  • endpoint::* — Endpoint slot lookup.
  • data_tagging::* — Built-in DataTaggingPlugin (Spec §8.7).
  • builtin_topics::* — DCPSParticipantStatelessMessage + DCPSParticipantVolatileMessageSecure.
  • anti_squatter::* — Spec §8.5.3 anti-squatter logic.
  • gateway_bridge::* — Heterogeneous-mesh gateway bridge (Edge ↔ Backend).
  • shared::* — Shared inbound/outbound verdict types.

§Example

use zerodds_security_crypto::AesGcmCryptoPlugin;
use zerodds_security_permissions::parse_governance_xml;
use zerodds_security_runtime::SecurityGate;

// GOVERNANCE_XML holds the Governance XML policy text (not defined in this snippet).
let governance = parse_governance_xml(GOVERNANCE_XML).unwrap();
let mut crypto = AesGcmCryptoPlugin::new();
let mut gate = SecurityGate::new(0, governance, &mut crypto);

// Outbound:
let wire = gate.encode_outbound("Chatter", b"hello").unwrap();

// Inbound (at the peer):
let plain = gate.decode_inbound("Chatter", &wire).unwrap();

Re-exports§

pub use anti_squatter::BindingDecision;
pub use anti_squatter::GuidPrefixBytes;
pub use anti_squatter::IdentityBindingCache;
pub use caps::PeerCache;
pub use caps::PeerCapabilities;
pub use caps::Validity;
pub use caps_wire::advertise_security_caps;
pub use caps_wire::parse_peer_caps;
pub use data_tagging::BuiltinDataTaggingPlugin;
pub use data_tagging::TAG_PROPERTY_PREFIX;
pub use endpoint::EndpointMatch;
pub use endpoint::EndpointProtection;
pub use endpoint::MatchRejectReason;
pub use endpoint::match_endpoints;
pub use gateway_bridge::GatewayBridge;
pub use gateway_bridge::GatewayBridgeConfig;
pub use gateway_bridge::GatewayBridgeError;
pub use gateway_bridge::GatewayBridgeResult;
pub use peer_class::interface_accepts_class;
pub use peer_class::peer_matches_class;
pub use peer_class::resolve_peer_class;
pub use peer_class::resolve_protection;
pub use policy::InboundCtx;
pub use policy::InterfaceConfig;
pub use policy::IpRange;
pub use policy::NetInterface;
pub use policy::OutboundCtx;
pub use policy::PolicyDecision;
pub use policy::PolicyEngine;
pub use policy::ProtectionLevel;
pub use policy::SuiteHint;
pub use policy::classify_interface;

Modules§

anti_squatter
GUID-to-identity binding cache (C3.8).
builtin_topics
C3.4-b — API bridge for the DDS-Security 1.2 §7.5.3/§7.5.4 builtin topics (DCPSParticipantStatelessMessage + DCPSParticipantVolatileMessageSecure). Wraps the spec data model from zerodds_security::generic_message into a DCPS-ready form:
caps
Peer capabilities and cache.
caps_wire
SPDP mapping for PeerCapabilities.
data_tagging
Built-in DataTagging plugin (OMG DDS-Security 1.2 §12).
endpoint
Endpoint-level protection abstraction.
gateway_bridge
Gateway bridge helper.
peer_class
Peer-class matching engine.
policy
Heterogeneous security — PolicyEngine trait and data types.

Structs§

GovernancePolicyEngine
Governance-XML-driven default implementation of PolicyEngine.
SecurityGate
Decides per topic whether and how outgoing submessages must be encrypted or signed.
SharedSecurityGate
Thread-safe security gate. Clone yields a second reference to the same plugin instance; all clones operate on the same key store.

Enums§

InboundVerdict
Result of a classify_inbound decision.
LogLevel
Severity of a security event (Spec §8.6.3, Table 36).
SecurityGateError
Error class for the gate.

Traits§

LoggingPlugin
Logging plugin (Spec §8.6.2.1).

Type Aliases§

PeerKey
Opaque peer identifier. In RTPS environments the caller typically maps GuidPrefix (12 bytes) onto it, and [u8; 12] fits exactly.