Module inspector

Expand description

Bucket inspector: aggregates read-only bucket properties in parallel.

§Design

Each bucket property is fetched as an independent S3 API call via tokio::join!. Every call is classified into one of four outcomes:

SectionResult::Value(T) — the call succeeded and returned a value.
SectionResult::Denied { iam_action } — AccessDenied; also recorded into CapabilityCache so the UI can render “Requires s3:GetBucketX”.
SectionResult::Unsupported { reason } — the provider does not implement this API (e.g. LocalStack free-tier, MinIO, R2).
SectionResult::Deferred { reason } — intentionally omitted from v1 (currently only bucket_policy).

Any error that does not map to Denied or Unsupported is treated as a critical failure and bubbles up as Err(AppError) for the whole call. In practice, only NoSuchBucket (bucket deleted mid-inspect) is a hard failure; all capability errors degrade gracefully at the section level.

§OCP

Adding a new section: one new field on BucketInspectorReport + one parallel arm inside inspect_bucket. No existing sections change.
Adding a new SectionResult discriminator: one variant + one arm in consumer match blocks. Existing variants are untouched.
Capability cache writes happen automatically from Denied outcomes; the frontend never needs to call capability_get explicitly.

Structs§

AclSummary: ACL summary: owner display name + total grant count.
BucketInspectorReport: Aggregated read-only properties of a bucket.
CorsRule: A single CORS rule summary.
EncryptionConfig: Summary of server-side encryption configuration (read-only in v1).
LifecycleRule: A single lifecycle rule summary.
LoggingConfig: Bucket logging configuration.
NotificationConfig: S3 event notification configuration summary.
ObjectHead: All properties returned by HeadObject for a single S3 object.
ObjectInspectorReport: Aggregated read-only properties for a single S3 object.
ObjectLockConfig: Object-lock configuration summary.
OwnershipControls: Bucket ownership controls.
PublicAccessBlockConfig: Public access block configuration.
ReplicationConfig: Replication configuration summary.
RestoreStatus: Glacier / Deep Archive restore status for an object.
WebsiteConfig: Static website hosting configuration summary.

Enums§

SectionResult: The result of fetching one bucket property section.
VersioningStatus: Bucket versioning state.

Functions§

classify_service_error 🔒: Classify a generic service-error code into SectionResult.
fetch_cors 🔒: Fetch CORS rules via GetBucketCors.
fetch_encryption 🔒: Fetch SSE configuration via GetBucketEncryption.
fetch_lifecycle 🔒: Fetch lifecycle rules via GetBucketLifecycleConfiguration.
fetch_logging 🔒: Fetch logging configuration via GetBucketLogging.
fetch_notifications 🔒: Fetch S3 event notification configuration via GetBucketNotificationConfiguration.
fetch_object_acl 🔒: Fetch object ACL summary via GetObjectAcl.
fetch_object_lock 🔒: Fetch object-lock configuration via GetObjectLockConfiguration.
fetch_object_tags 🔒: Fetch object tags via GetObjectTagging.
fetch_ownership_controls 🔒: Fetch ownership controls via GetBucketOwnershipControls.
fetch_public_access_block 🔒: Fetch public access block configuration via GetPublicAccessBlock.
fetch_region 🔒: Fetch the bucket region via GetBucketLocation.
fetch_replication 🔒: Fetch replication configuration via GetBucketReplication.
fetch_requester_pays 🔒: Fetch requester-pays status via GetBucketRequestPayment.
fetch_tags 🔒: Fetch bucket tags via GetBucketTagging.
fetch_versioning 🔒: Fetch versioning state via GetBucketVersioning.
fetch_website 🔒: Fetch static website configuration via GetBucketWebsite.
head_object: Fetch only HeadObject for a single S3 object, returning an ObjectHead.
inspect_bucket: Fetch all supported bucket properties in parallel and return an aggregated BucketInspectorReport.
inspect_object: Fetch all object properties in parallel and return an ObjectInspectorReport.
is_glacier_class 🔒: Glacier-class storage class codes recognised for restore-status parsing.
is_unsupported_code 🔒: Return true for codes that indicate the API is not supported by this provider (LocalStack free-tier, MinIO, R2, …).
parse_expiry_date 🔒: Attempt to parse a Glacier restore expiry date to a Unix timestamp.
parse_restore_header 🔒: Parse the Glacier restore header string into a RestoreStatus.
record_denied 🔒: Record a Denied capability into the cache when the section is Denied.