| author | benj <benj@rse8.com> | 2022-12-30 15:57:36 -0800 |
|---|---|---|
| committer | benj <benj@rse8.com> | 2022-12-30 15:57:36 -0800 |
| commit | 8ca3433b2a4a82723e00e64b1e5aff0b1bed95b3 (patch) | |
| tree | 1ff85fd9fbd94a5559f9dbac755973fd58b31f28 /crates/secd/proto/authzed/api/v1alpha1 | |
| parent | f0ea9ecd17b03605d747044874a26e1bd52c0ee1 (diff) | |
impl authZ write and check (depends on spicedb for now)
Diffstat (limited to '')
| -rw-r--r-- | crates/secd/proto/authzed/api/v1alpha1/schema.proto | 68 | ||||
| -rw-r--r-- | crates/secd/proto/authzed/api/v1alpha1/watchresources_service.proto | 83 |
2 files changed, 151 insertions, 0 deletions
diff --git a/crates/secd/proto/authzed/api/v1alpha1/schema.proto b/crates/secd/proto/authzed/api/v1alpha1/schema.proto
new file mode 100644
index 0000000..969ecdb
--- /dev/null
+++ b/crates/secd/proto/authzed/api/v1alpha1/schema.proto
@@ -0,0 +1,68 @@
+syntax = "proto3";
+package authzed.api.v1alpha1;
+
+option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v1alpha1";
+option java_package = "com.authzed.api.v1alpha1";
+
+import "validate/validate.proto";
+
+// SchemaService implements operations on a Permissions System's Schema.
+service SchemaService {
+ // Read returns the current Object Definitions for a Permissions System.
+ //
+ // Errors include:
+ // - INVALID_ARGUMENT: a provided value has failed to semantically validate
+ // - NOT_FOUND: one of the Object Definitions being requested does not exist
+ rpc ReadSchema(ReadSchemaRequest) returns (ReadSchemaResponse) {}
+
+ // Write overwrites the current Object Definitions for a Permissions System.
+ //
+ // Any Object Definitions that exist, but are not included will be deleted.
+ rpc WriteSchema(WriteSchemaRequest) returns (WriteSchemaResponse) {}
+}
+
+// ReadSchemaRequest is the required data to read Object Definitions from
+// a Schema.
+message ReadSchemaRequest {
+ // The list of names of the Object Definitions that are being requested.
+ //
+ // These names must be fully qualified with their namespace (e.g.
+ // myblog/post).
+ repeated string object_definitions_names = 1 [ (validate.rules).repeated .items.string = {
+ pattern: "^([a-z][a-z0-9_]{1,62}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
+ max_bytes: 128,
+ } ];
+}
+
+// ReadSchemaResponse is the resulting data after having read the Object
+// Definitions from a Schema.
+message ReadSchemaResponse {
+ // The Object Definitions that were requested.
+ repeated string object_definitions = 1;
+
+ // The computed revision of the returned object definitions.
+ string computed_definitions_revision = 2;
+}
+
+// WriteSchemaRequest is the required data used to "upsert" the Schema of a
+// Permissions System.
+message WriteSchemaRequest {
+ // The Schema containing one or more Object Definitions that will be written
+ // to the Permissions System.
+ string schema = 1 [ (validate.rules).string.max_bytes = 262144 ]; // 256KiB
+
+ // If specified, the existing revision of object definitions in the schema that must be present for
+ // the write to succeed. If the revision specified differs (i.e. the underlying schema has changed),
+ // the write call will fail with a FAILED_PRECONDITION error.
+ string optional_definitions_revision_precondition = 2;
+}
+
+// WriteSchemaResponse is the resulting data after having written a Schema to
+// a Permissions System.
+message WriteSchemaResponse {
+ // The names of the Object Definitions that were written.
+ repeated string object_definitions_names = 1;
+
+ // The computed revision of the written object definitions.
+ string computed_definitions_revision = 2;
+}
diff --git a/crates/secd/proto/authzed/api/v1alpha1/watchresources_service.proto b/crates/secd/proto/authzed/api/v1alpha1/watchresources_service.proto
new file mode 100644
index 0000000..27c028a
--- /dev/null
+++ b/crates/secd/proto/authzed/api/v1alpha1/watchresources_service.proto
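Review bot: `ReadSchemaRequest.object_definitions_names` (field 1) constrains each item's pattern and length but puts no `max_items` bound on the list, and `WriteSchemaRequest.optional_definitions_revision_precondition` (field 2) has no rule at all even though the neighbouring `schema` field is capped at 256KiB; if the server derives request validation from these annotations, those two are the inputs that stay unbounded. The namespace quantifier in this file's pattern is `{1,62}` while the equivalent pattern in watchresources_service.proto uses `{1,61}`, so a namespace of one particular length is accepted by one service and rejected by the other; the two should agree. Adding `max_items` next to the existing item rule and a `max_bytes` rule on the revision field, for example `string optional_definitions_revision_precondition = 2 [ (validate.rules).string.max_bytes = 128 ];` (the 128 is a constructed sample, not a value from the page), would close the gap. The `go_package` points at the upstream authzed-go module, which suggests these files are copies of the upstream definitions; if so, a header comment recording the upstream revision they were taken from would make any local divergence here deliberate and re-syncable.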
@@ -0,0 +1,83 @@
+syntax = "proto3";
+package authzed.api.v1alpha1;
+
+option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v1alpha1";
+option java_package = "com.authzed.api.v1alpha1";
+
+import "google/api/annotations.proto";
+import "validate/validate.proto";
+
+import "authzed/api/v1/core.proto";
+
+// WatchResourcesService is used to receive a stream of updates for resources of a
+// specific (resource type, permission, subject) combination.
+service WatchResourcesService {
+
+ // WatchResources initiates a watch for permission changes for the provided
+ // (resource type, permission, subject) pair.
+ rpc WatchResources(WatchResourcesRequest)
+ returns (stream WatchResourcesResponse) {
+ option (google.api.http) = {
+ post: "/v1alpha1/lookupwatch"
+ body: "*"
+ };
+ }
+}
+
+// WatchResourcesRequest starts a watch for specific permission updates
+// for the given resource and subject types.
+message WatchResourcesRequest {
+
+ // resource_object_type is the type of resource object for which we will
+ // watch for changes.
+ string resource_object_type = 1 [ (validate.rules).string = {
+ pattern : "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
+ max_bytes : 128,
+ } ];
+
+ // permission is the name of the permission or relation for which we will
+ // watch for changes.
+ string permission = 2 [ (validate.rules).string = {
+ pattern : "^[a-z][a-z0-9_]{1,62}[a-z0-9]$",
+ max_bytes : 64,
+ } ];
+
+ // subject_object_type is the type of the subject resource for which we will
+ // watch for changes.
+ string subject_object_type = 3;
+
+ // optional_subject_relation allows you to specify a group of subjects to watch
+ // for a given subject type.
+ string optional_subject_relation = 4;
+
+ authzed.api.v1.ZedToken optional_start_cursor = 5;
+}
+
+// PermissionUpdate represents a single permission update for a specific
+// subject's permissions.
+message PermissionUpdate {
+
+ // todo: work this into the v1 core API at some point since it's used
+ // across services.
+ enum Permissionship {
+ PERMISSIONSHIP_UNSPECIFIED = 0;
+ PERMISSIONSHIP_NO_PERMISSION = 1;
+ PERMISSIONSHIP_HAS_PERMISSION = 2;
+ }
+
+ // subject defines the subject resource whose permissions have changed.
+ authzed.api.v1.SubjectReference subject = 1;
+
+ // resource defines the specific object in the system.
+ authzed.api.v1.ObjectReference resource = 2;
+
+ string relation = 3;
+ Permissionship updated_permission = 4;
+}
+
+// WatchResourcesResponse enumerates the list of permission updates that have
+// occurred as a result of one or more relationship updates.
+message WatchResourcesResponse {
+ repeated PermissionUpdate updates = 1;
+ authzed.api.v1.ZedToken changes_through = 2;
+}
\ No newline at end of file |
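Review bot: `subject_object_type` (field 3) and `optional_subject_relation` (field 4) in WatchResourcesRequest carry no `validate.rules`, while `resource_object_type` and `permission` bound both pattern and length, so a server that relies on generated validation accepts arbitrary-length, arbitrary-content strings for the subject side of the watch. Mirroring the existing rules would give `string subject_object_type = 3 [ (validate.rules).string = { pattern : "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$", max_bytes : 128 } ];` and `string optional_subject_relation = 4 [ (validate.rules).string = { pattern : "^[a-z][a-z0-9_]{1,62}[a-z0-9]$", max_bytes : 64, ignore_empty : true } ];`, the `ignore_empty` keeping the relation genuinely optional. `PermissionUpdate.relation` (field 3) and both fields of WatchResourcesResponse have no leading comment, unlike every other field in the file; a one-line comment on each, such as `// relation is the relation or permission whose state changed for this subject.` and `// changes_through is the ZedToken up to which the updates in this response are complete.`, would let the generated docs describe the stream's contract. The `todo` on `Permissionship` says the enum duplicates one that belongs in the v1 core API, which is worth recording as an issue rather than leaving only in the comment.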
