impl authZ write and check (depends on spicedb for now)

4 files changed, 460 insertions, 0 deletions

diff --git a/crates/secd/proto/google/iam/v1/iam_policy.proto b/crates/secd/proto/google/iam/v1/iam_policy.proto
new file mode 100644
index 0000000..7072854
--- /dev/null
+++ b/crates/secd/proto/google/iam/v1/iam_policy.proto
@@ -0,0 +1,145 @@
+// Copyright 2019 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package google.iam.v1;
+
+import "google/iam/v1/options.proto";
+import "google/iam/v1/policy.proto";
+import "google/api/annotations.proto";
+import "google/api/client.proto";
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Iam.V1";
+option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
+option java_multiple_files = true;
+option java_outer_classname = "IamPolicyProto";
+option java_package = "com.google.iam.v1";
+option php_namespace = "Google\\Cloud\\Iam\\V1";
+
+// ## API Overview
+//
+// Manages Identity and Access Management (IAM) policies.
+//
+// Any implementation of an API that offers access control features
+// implements the google.iam.v1.IAMPolicy interface.
+//
+// ## Data model
+//
+// Access control is applied when a principal (user or service account), takes
+// some action on a resource exposed by a service. Resources, identified by
+// URI-like names, are the unit of access control specification. Service
+// implementations can choose the granularity of access control and the
+// supported permissions for their resources.
+// For example one database service may allow access control to be
+// specified only at the Table level, whereas another might allow access control
+// to also be specified at the Column level.
+//
+// ## Policy Structure
+//
+// See google.iam.v1.Policy
+//
+// This is intentionally not a CRUD style API because access control policies
+// are created and deleted implicitly with the resources to which they are
+// attached.
+service IAMPolicy {
+  option (google.api.default_host) = "iam-meta-api.googleapis.com";
+
+  // Sets the access control policy on the specified resource. Replaces any
+  // existing policy.
+  rpc SetIamPolicy(SetIamPolicyRequest) returns (Policy) {
+    option (google.api.http) = {
+      post: "/v1/{resource=**}:setIamPolicy"
+      body: "*"
+    };
+  }
+
+  // Gets the access control policy for a resource.
+  // Returns an empty policy if the resource exists and does not have a policy
+  // set.
+  rpc GetIamPolicy(GetIamPolicyRequest) returns (Policy) {
+    option (google.api.http) = {
+      post: "/v1/{resource=**}:getIamPolicy"
+      body: "*"
+    };
+  }
+
+  // Returns permissions that a caller has on the specified resource.
+  // If the resource does not exist, this will return an empty set of
+  // permissions, not a NOT_FOUND error.
+  //
+  // Note: This operation is designed to be used for building permission-aware
+  // UIs and command-line tools, not for authorization checking. This operation
+  // may "fail open" without warning.
+  rpc TestIamPermissions(TestIamPermissionsRequest) returns (TestIamPermissionsResponse) {
+    option (google.api.http) = {
+      post: "/v1/{resource=**}:testIamPermissions"
+      body: "*"
+    };
+  }
+}
+
+// Request message for `SetIamPolicy` method.
+message SetIamPolicyRequest {
+  // REQUIRED: The resource for which the policy is being specified.
+  // See the operation documentation for the appropriate value for this field.
+  string resource = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference).type = "*"];
+
+  // REQUIRED: The complete policy to be applied to the `resource`. The size of
+  // the policy is limited to a few 10s of KB. An empty policy is a
+  // valid policy but certain Cloud Platform services (such as Projects)
+  // might reject them.
+  Policy policy = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for `GetIamPolicy` method.
+message GetIamPolicyRequest {
+  // REQUIRED: The resource for which the policy is being requested.
+  // See the operation documentation for the appropriate value for this field.
+  string resource = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference).type = "*"];
+
+  // OPTIONAL: A `GetPolicyOptions` object for specifying options to
+  // `GetIamPolicy`. This field is only used by Cloud IAM.
+  GetPolicyOptions options = 2;
+}
+
+// Request message for `TestIamPermissions` method.
+message TestIamPermissionsRequest {
+  // REQUIRED: The resource for which the policy detail is being requested.
+  // See the operation documentation for the appropriate value for this field.
+  string resource = 1[
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference).type = "*"];
+
+  // The set of permissions to check for the `resource`. Permissions with
+  // wildcards (such as '*' or 'storage.*') are not allowed. For more
+  // information see
+  // [IAM Overview](https://cloud.google.com/iam/docs/overview#permissions).
+  repeated string permissions = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Response message for `TestIamPermissions` method.
+message TestIamPermissionsResponse {
+  // A subset of `TestPermissionsRequest.permissions` that the caller is
+  // allowed.
+  repeated string permissions = 1;
+}
diff --git a/crates/secd/proto/google/iam/v1/logging/audit_data.proto b/crates/secd/proto/google/iam/v1/logging/audit_data.proto
new file mode 100644
index 0000000..dfe441b
--- /dev/null
+++ b/crates/secd/proto/google/iam/v1/logging/audit_data.proto
@@ -0,0 +1,34 @@
+// Copyright 2017 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.iam.v1.logging;
+
+import "google/api/annotations.proto";
+import "google/iam/v1/policy.proto";
+
+option csharp_namespace = "Google.Cloud.Iam.V1.Logging";
+option go_package = "google.golang.org/genproto/googleapis/iam/v1/logging;logging";
+option java_multiple_files = true;
+option java_outer_classname = "AuditDataProto";
+option java_package = "com.google.iam.v1.logging";
+
+// Audit log information specific to Cloud IAM. This message is serialized
+// as an `Any` type in the `ServiceData` message of an
+// `AuditLog` message.
+message AuditData {
+  // Policy delta between the original policy and the newly set policy.
+  google.iam.v1.PolicyDelta policy_delta = 2;
+}
diff --git a/crates/secd/proto/google/iam/v1/options.proto b/crates/secd/proto/google/iam/v1/options.proto
new file mode 100644
index 0000000..a4e17e5
--- /dev/null
+++ b/crates/secd/proto/google/iam/v1/options.proto
@@ -0,0 +1,41 @@
+// Copyright 2019 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package google.iam.v1;
+
+import "google/api/annotations.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Iam.V1";
+option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
+option java_multiple_files = true;
+option java_outer_classname = "OptionsProto";
+option java_package = "com.google.iam.v1";
+option php_namespace = "Google\\Cloud\\Iam\\V1";
+
+// Encapsulates settings provided to GetIamPolicy.
+message GetPolicyOptions {
+  // Optional. The policy format version to be returned.
+  //
+  // Valid values are 0, 1, and 3. Requests specifying an invalid value will be
+  // rejected.
+  //
+  // Requests for policies with any conditional bindings must specify version 3.
+  // Policies without any conditional bindings may specify any valid value or
+  // leave the field unset.
+  int32 requested_policy_version = 1;
+}
diff --git a/crates/secd/proto/google/iam/v1/policy.proto b/crates/secd/proto/google/iam/v1/policy.proto
new file mode 100644
index 0000000..e3aba47
--- /dev/null
+++ b/crates/secd/proto/google/iam/v1/policy.proto
@@ -0,0 +1,240 @@
+// Copyright 2019 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package google.iam.v1;
+
+import "google/type/expr.proto";
+import "google/api/annotations.proto";
+
+option cc_enable_arenas = true;
+option csharp_namespace = "Google.Cloud.Iam.V1";
+option go_package = "google.golang.org/genproto/googleapis/iam/v1;iam";
+option java_multiple_files = true;
+option java_outer_classname = "PolicyProto";
+option java_package = "com.google.iam.v1";
+option php_namespace = "Google\\Cloud\\Iam\\V1";
+
+// Defines an Identity and Access Management (IAM) policy. It is used to
+// specify access control policies for Cloud Platform resources.
+//
+//
+// A `Policy` is a collection of `bindings`. A `binding` binds one or more
+// `members` to a single `role`. Members can be user accounts, service accounts,
+// Google groups, and domains (such as G Suite). A `role` is a named list of
+// permissions (defined by IAM or configured by users). A `binding` can
+// optionally specify a `condition`, which is a logic expression that further
+// constrains the role binding based on attributes about the request and/or
+// target resource.
+//
+// **JSON Example**
+//
+//     {
+//       "bindings": [
+//         {
+//           "role": "roles/resourcemanager.organizationAdmin",
+//           "members": [
+//             "user:mike@example.com",
+//             "group:admins@example.com",
+//             "domain:google.com",
+//             "serviceAccount:my-project-id@appspot.gserviceaccount.com"
+//           ]
+//         },
+//         {
+//           "role": "roles/resourcemanager.organizationViewer",
+//           "members": ["user:eve@example.com"],
+//           "condition": {
+//             "title": "expirable access",
+//             "description": "Does not grant access after Sep 2020",
+//             "expression": "request.time <
+//             timestamp('2020-10-01T00:00:00.000Z')",
+//           }
+//         }
+//       ]
+//     }
+//
+// **YAML Example**
+//
+//     bindings:
+//     - members:
+//       - user:mike@example.com
+//       - group:admins@example.com
+//       - domain:google.com
+//       - serviceAccount:my-project-id@appspot.gserviceaccount.com
+//       role: roles/resourcemanager.organizationAdmin
+//     - members:
+//       - user:eve@example.com
+//       role: roles/resourcemanager.organizationViewer
+//       condition:
+//         title: expirable access
+//         description: Does not grant access after Sep 2020
+//         expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
+//
+// For a description of IAM and its features, see the
+// [IAM developer's guide](https://cloud.google.com/iam/docs).
+message Policy {
+  // Specifies the format of the policy.
+  //
+  // Valid values are 0, 1, and 3. Requests specifying an invalid value will be
+  // rejected.
+  //
+  // Operations affecting conditional bindings must specify version 3. This can
+  // be either setting a conditional policy, modifying a conditional binding,
+  // or removing a binding (conditional or unconditional) from the stored
+  // conditional policy.
+  // Operations on non-conditional policies may specify any valid value or
+  // leave the field unset.
+  //
+  // If no etag is provided in the call to `setIamPolicy`, version compliance
+  // checks against the stored policy is skipped.
+  int32 version = 1;
+
+  // Associates a list of `members` to a `role`. Optionally may specify a
+  // `condition` that determines when binding is in effect.
+  // `bindings` with no members will result in an error.
+  repeated Binding bindings = 4;
+
+  // `etag` is used for optimistic concurrency control as a way to help
+  // prevent simultaneous updates of a policy from overwriting each other.
+  // It is strongly suggested that systems make use of the `etag` in the
+  // read-modify-write cycle to perform policy updates in order to avoid race
+  // conditions: An `etag` is returned in the response to `getIamPolicy`, and
+  // systems are expected to put that etag in the request to `setIamPolicy` to
+  // ensure that their change will be applied to the same version of the policy.
+  //
+  // If no `etag` is provided in the call to `setIamPolicy`, then the existing
+  // policy is overwritten. Due to blind-set semantics of an etag-less policy,
+  // 'setIamPolicy' will not fail even if the incoming policy version does not
+  // meet the requirements for modifying the stored policy.
+  bytes etag = 3;
+}
+
+// Associates `members` with a `role`.
+message Binding {
+  // Role that is assigned to `members`.
+  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+  string role = 1;
+
+  // Specifies the identities requesting access for a Cloud Platform resource.
+  // `members` can have the following values:
+  //
+  // * `allUsers`: A special identifier that represents anyone who is
+  //    on the internet; with or without a Google account.
+  //
+  // * `allAuthenticatedUsers`: A special identifier that represents anyone
+  //    who is authenticated with a Google account or a service account.
+  //
+  // * `user:{emailid}`: An email address that represents a specific Google
+  //    account. For example, `alice@example.com` .
+  //
+  //
+  // * `serviceAccount:{emailid}`: An email address that represents a service
+  //    account. For example, `my-other-app@appspot.gserviceaccount.com`.
+  //
+  // * `group:{emailid}`: An email address that represents a Google group.
+  //    For example, `admins@example.com`.
+  //
+  //
+  // * `domain:{domain}`: The G Suite domain (primary) that represents all the
+  //    users of that domain. For example, `google.com` or `example.com`.
+  //
+  //
+  repeated string members = 2;
+
+  // The condition that is associated with this binding.
+  // NOTE: An unsatisfied condition will not allow user access via current
+  // binding. Different bindings, including their conditions, are examined
+  // independently.
+  google.type.Expr condition = 3;
+}
+
+// The difference delta between two policies.
+message PolicyDelta {
+  // The delta for Bindings between two policies.
+  repeated BindingDelta binding_deltas = 1;
+
+  // The delta for AuditConfigs between two policies.
+  repeated AuditConfigDelta audit_config_deltas = 2;
+}
+
+// One delta entry for Binding. Each individual change (only one member in each
+// entry) to a binding will be a separate entry.
+message BindingDelta {
+  // The type of action performed on a Binding in a policy.
+  enum Action {
+    // Unspecified.
+    ACTION_UNSPECIFIED = 0;
+
+    // Addition of a Binding.
+    ADD = 1;
+
+    // Removal of a Binding.
+    REMOVE = 2;
+  }
+
+  // The action that was performed on a Binding.
+  // Required
+  Action action = 1;
+
+  // Role that is assigned to `members`.
+  // For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
+  // Required
+  string role = 2;
+
+  // A single identity requesting access for a Cloud Platform resource.
+  // Follows the same format of Binding.members.
+  // Required
+  string member = 3;
+
+  // The condition that is associated with this binding.
+  google.type.Expr condition = 4;
+}
+
+// One delta entry for AuditConfig. Each individual change (only one
+// exempted_member in each entry) to a AuditConfig will be a separate entry.
+message AuditConfigDelta {
+  // The type of action performed on an audit configuration in a policy.
+  enum Action {
+    // Unspecified.
+    ACTION_UNSPECIFIED = 0;
+
+    // Addition of an audit configuration.
+    ADD = 1;
+
+    // Removal of an audit configuration.
+    REMOVE = 2;
+  }
+
+  // The action that was performed on an audit configuration in a policy.
+  // Required
+  Action action = 1;
+
+  // Specifies a service that was configured for Cloud Audit Logging.
+  // For example, `storage.googleapis.com`, `cloudsql.googleapis.com`.
+  // `allServices` is a special value that covers all services.
+  // Required
+  string service = 2;
+
+  // A single identity that is exempted from "data access" audit
+  // logging for the `service` specified above.
+  // Follows the same format of Binding.members.
+  string exempted_member = 3;
+
+  // Specifies the log_type that was be enabled. ADMIN_ACTIVITY is always
+  // enabled, and cannot be configured.
+  // Required
+  string log_type = 4;
+}