impl authZ write and check (depends on spicedb for now)

1 files changed, 240 insertions, 0 deletions

diff --git a/crates/secd/proto/google/iam/v1/policy.proto b/crates/secd/proto/google/iam/v1/policy.proto
new file mode 100644
index 0000000..e3aba47
--- /dev/null
+++ b/crates/secd/proto/google/iam/v1/policy.proto
@@ -0,0 +1,240 @@
+// Copyright 2019 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package google.iam.v1;
+
+import "google/type/expr.proto";
+import "google/api/annotations.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Iam.V1";
+option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
+option java_multiple_files = true;
+option java_outer_classname = "PolicyProto";
+option java_package = "com.google.iam.v1";
+option php_namespace = "Google\\Cloud\\Iam\\V1";
+
+// Defines an Identity and Access Management (IAM) policy. It is used to
+// specify access control policies for Cloud Platform resources.
+//
+//
+// A `Policy` is a collection of `bindings`. A `binding` binds one or more
+// `members` to a single `role`. Members can be user accounts, service accounts,
+// Google groups, and domains (such as G Suite). A `role` is a named list of
+// permissions (defined by IAM or configured by users). A `binding` can
+// optionally specify a `condition`, which is a logic expression that further
+// constrains the role binding based on attributes about the request and/or
+// target resource.
+//
+// **JSON Example**
+//
+//     {
+//       "bindings": [
+//         {
+//           "role": "roles/resourcemanager.organizationAdmin",
+//           "members": [
+//             "user:mike@example.com",
+//             "group:admins@example.com",
+//             "domain:google.com",
+//             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+//           ]
+//         },
+//         {
+//           "role": "roles/resourcemanager.organizationViewer",
+//           "members": ["user:eve@example.com"],
+//           "condition": {
+//             "title": "expirable access",
+//             "description": "Does not grant access after Sep 2020",
+//             "expression": "request.time <
+//             timestamp('2020-10-01T00:00:00.000Z')",
+//           }
+//         }
+//       ]
+//     }
+//
+// **YAML Example**
+//
+//     bindings:
+//     - members:
+//       - user:mike@example.com
+//       - group:admins@example.com
+//       - domain:google.com
+//       - serviceAccount:my-project-id@appspot.gserviceaccount.com
+//       role: roles/resourcemanager.organizationAdmin
+//     - members:
+//       - user:eve@example.com
+//       role: roles/resourcemanager.organizationViewer
+//       condition:
+//         title: expirable access
+//         description: Does not grant access after Sep 2020
+//         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+//
+// For a description of IAM and its features, see the
+// [IAM developer's guide](https://cloud.google.com/iam/docs).
+message Policy {
+  // Specifies the format of the policy.
+  //
+  // Valid values are 0, 1, and 3. Requests specifying an invalid value will be
+  // rejected.
+  //
+  // Operations affecting conditional bindings must specify version 3. This can
+  // be either setting a conditional policy, modifying a conditional binding,
+  // or removing a binding (conditional or unconditional) from the stored
+  // conditional policy.
+  // Operations on non-conditional policies may specify any valid value or
+  // leave the field unset.
+  //
+  // If no etag is provided in the call to `setIamPolicy`, version compliance
+  // checks against the stored policy is skipped.
+  int32 version = 1;
+
+  // Associates a list of `members` to a `role`. Optionally may specify a
+  // `condition` that determines when binding is in effect.
+  // `bindings` with no members will result in an error.
+  repeated Binding bindings = 4;
+
+  // `etag` is used for optimistic concurrency control as a way to help
+  // prevent simultaneous updates of a policy from overwriting each other.
+  // It is strongly suggested that systems make use of the `etag` in the
+  // read-modify-write cycle to perform policy updates in order to avoid race
+  // conditions: An `etag` is returned in the response to `getIamPolicy`, and
+  // systems are expected to put that etag in the request to `setIamPolicy` to
+  // ensure that their change will be applied to the same version of the policy.
+  //
+  // If no `etag` is provided in the call to `setIamPolicy`, then the existing
+  // policy is overwritten. Due to blind-set semantics of an etag-less policy,
+  // 'setIamPolicy' will not fail even if the incoming policy version does not
+  // meet the requirements for modifying the stored policy.
+  bytes etag = 3;
+}
+
+// Associates `members` with a `role`.
+message Binding {
+  // Role that is assigned to `members`.
+  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+  string role = 1;
+
+  // Specifies the identities requesting access for a Cloud Platform resource.
+  // `members` can have the following values:
+  //
+  // * `allUsers`: A special identifier that represents anyone who is
+  //    on the internet; with or without a Google account.
+  //
+  // * `allAuthenticatedUsers`: A special identifier that represents anyone
+  //    who is authenticated with a Google account or a service account.
+  //
+  // * `user:{emailid}`: An email address that represents a specific Google
+  //    account. For example, `alice@example.com` .
+  //
+  //
+  // * `serviceAccount:{emailid}`: An email address that represents a service
+  //    account. For example, `my-other-app@appspot.gserviceaccount.com`.
+  //
+  // * `group:{emailid}`: An email address that represents a Google group.
+  //    For example, `admins@example.com`.
+  //
+  //
+  // * `domain:{domain}`: The G Suite domain (primary) that represents all the
+  //    users of that domain. For example, `google.com` or `example.com`.
+  //
+  //
+  repeated string members = 2;
+
+  // The condition that is associated with this binding.
+  // NOTE: An unsatisfied condition will not allow user access via current
+  // binding. Different bindings, including their conditions, are examined
+  // independently.
+  google.type.Expr condition = 3;
+}
+
+// The difference delta between two policies.
+message PolicyDelta {
+  // The delta for Bindings between two policies.
+  repeated BindingDelta binding_deltas = 1;
+
+  // The delta for AuditConfigs between two policies.
+  repeated AuditConfigDelta audit_config_deltas = 2;
+}
+
+// One delta entry for Binding. Each individual change (only one member in each
+// entry) to a binding will be a separate entry.
+message BindingDelta {
+  // The type of action performed on a Binding in a policy.
+  enum Action {
+    // Unspecified.
+    ACTION_UNSPECIFIED = 0;
+
+    // Addition of a Binding.
+    ADD = 1;
+
+    // Removal of a Binding.
+    REMOVE = 2;
+  }
+
+  // The action that was performed on a Binding.
+  // Required
+  Action action = 1;
+
+  // Role that is assigned to `members`.
+  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+  // Required
+  string role = 2;
+
+  // A single identity requesting access for a Cloud Platform resource.
+  // Follows the same format of Binding.members.
+  // Required
+  string member = 3;
+
+  // The condition that is associated with this binding.
+  google.type.Expr condition = 4;
+}
+
+// One delta entry for AuditConfig. Each individual change (only one
+// exempted_member in each entry) to a AuditConfig will be a separate entry.
+message AuditConfigDelta {
+  // The type of action performed on an audit configuration in a policy.
+  enum Action {
+    // Unspecified.
+    ACTION_UNSPECIFIED = 0;
+
+    // Addition of an audit configuration.
+    ADD = 1;
+
+    // Removal of an audit configuration.
+    REMOVE = 2;
+  }
+
+  // The action that was performed on an audit configuration in a policy.
+  // Required
+  Action action = 1;
+
+  // Specifies a service that was configured for Cloud Audit Logging.
+  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+  // `allServices` is a special value that covers all services.
+  // Required
+  string service = 2;
+
+  // A single identity that is exempted from "data access" audit
+  // logging for the `service` specified above.
+  // Follows the same format of Binding.members.
+  string exempted_member = 3;
+
+  // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
+  // enabled, and cannot be configured.
+  // Required
+  string log_type = 4;
+}