Joseph Doherty
cf9dbaf568
rust / build / test / clippy / fmt (push) Has been cancelled
New module crates/mxaccess-rpc/src/com_objref_provider.rs gated on cfg(all(windows, feature = "windows-com")). Pulls windows = "0.59" (features Win32_Foundation + Win32_System_Com + Win32_System_Com_Marshal + Win32_System_Com_StructuredStorage + Win32_System_Memory) as an optional dep behind the existing windows-com feature; default footprint stays slim. Public API mirrors ComObjRefProvider.cs 1:1: MarshalContext enum (InProcess / Local / DifferentMachine wrapping the MSHCTX_* newtype constants), clsid_from_prog_id, marshal_activated_iunknown_objref (activates via CoCreateInstance with INPROC | LOCAL | REMOTE then marshals), marshal_iunknown_objref (uses IUnknown::IID), marshal_interface_objref (CoMarshalInterface over an HGlobal-backed IStream). All `unsafe` is internal to the module — public API exposes only typed Rust values (Vec<u8>, GUID, ProviderError), no raw pointers / HRESULTs / lifetime-bound interface pointers leak. Each unsafe block carries an inline SAFETY comment naming the invariants being upheld. Per-thread COM init via thread-local OnceLock<()>: lazy CoInitializeEx(MULTITHREADED) on first call; S_FALSE (already initialised) and RPC_E_CHANGED_MODE (thread is STA) treated as success — matches the .NET runtime's tolerant apartment behaviour. ProviderError enumerates the four documented failure modes plus the apartment-init pre-check: UnknownProgId / ActivationFailed / MarshalFailed / GlobalLockFailed / ApartmentInitFailed. 4 offline tests: MarshalContext → MSHCTX_* mapping, ensure_apartment idempotence, clsid_from_prog_id returns UnknownProgId for fake ProgIDs, marshal_activated short-circuits at the resolution stage. 1 live test (#[ignore], gated on MX_LIVE): activates the real NmxSvc.NmxService, marshals the proxy's IUnknown via CoMarshalInterface, then parses the resulting blob via ComObjRef::parse and asserts non-zero OXID + IPID. Passes against the AVEVA install on this host. Workspace tests: mxaccess-rpc went 179 → 183 (+4). All other crates unchanged. Unblocks F12 (NmxClient::create — the auto-resolving COM-activation factory): the underlying primitive (marshal_activated_iunknown_objref) now exists; remaining work is threading the windows-com feature through mxaccess-nmx and chaining ComObjRef::parse → resolve_oxid_with_managed_ntlm_packet_integrity → RemQueryInterface. design/followups.md F12 updated with a revised "Resolves when" reflecting that F6's blocker is gone. Closes F6 in design/followups.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
33 lines
1.2 KiB
Rust
33 lines
1.2 KiB
Rust
//! `mxaccess-rpc` — DCE/RPC + NTLMv2 + OBJREF + OXID + IRemUnknown::RemQueryInterface.
|
|
//!
|
|
//! - M2 wave 1 (landed): `ntlm`, `pdu`, `objref`.
|
|
//! - M2 wave 2 (landed): `guid` + `error` (shared types — resolves F7+F8),
|
|
//! `orpc` (ORPC framing), `object_exporter` (OXID resolution body codec),
|
|
//! `rem_unknown` (`IRemUnknown::RemQueryInterface` body codec).
|
|
//! - M2 wave 3 (next): callback exporter — see `design/60-roadmap.md` and
|
|
//! `design/dependencies.md`.
|
|
//!
|
|
//! Internal `unsafe` is permitted only for `windows-rs` COM activation paths
|
|
//! (per `design/00-overview.md` principle 3); all such calls must be wrapped
|
|
//! in safe abstractions at the crate boundary. All modules to date are
|
|
//! pure-Rust and contain no `unsafe`.
|
|
|
|
// `mxaccess-rpc` is the only crate where internal unsafe is permitted (for
|
|
// windows-rs COM calls). Public API stays safe.
|
|
|
|
#[cfg(all(windows, feature = "windows-com"))]
|
|
pub mod com_objref_provider;
|
|
pub mod error;
|
|
pub mod guid;
|
|
pub mod nmx_callback_messages;
|
|
pub mod nmx_metadata;
|
|
pub mod nmx_service2_messages;
|
|
pub mod ntlm;
|
|
pub mod object_exporter;
|
|
pub mod object_exporter_client;
|
|
pub mod objref;
|
|
pub mod orpc;
|
|
pub mod pdu;
|
|
pub mod rem_unknown;
|
|
pub mod transport;
|