Diffstat (limited to 'crates/secd/proto/authzed/api/v1/core.proto')
-rw-r--r--crates/secd/proto/authzed/api/v1/core.proto145
1 files changed, 145 insertions, 0 deletions
diff --git a/crates/secd/proto/authzed/api/v1/core.proto b/crates/secd/proto/authzed/api/v1/core.proto
new file mode 100644
index 0000000..25bf78b
--- /dev/null
+++ b/crates/secd/proto/authzed/api/v1/core.proto
@@ -0,0 +1,145 @@
+syntax = "proto3";
+package authzed.api.v1;
+
+option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v1";
+option java_package = "com.authzed.api.v1";
+
+import "google/protobuf/struct.proto";
+import "validate/validate.proto";
+
+// Relationship specifies how a resource relates to a subject. Relationships
+// form the data for the graph over which all permissions questions are
+// answered.
+message Relationship {
+ // resource is the resource to which the subject is related, in some manner
+ ObjectReference resource = 1 [ (validate.rules).message.required = true ];
+
+ // relation is how the resource and subject are related.
+ string relation = 2 [ (validate.rules).string = {
+ pattern : "^[a-z][a-z0-9_]{1,62}[a-z0-9]$",
+ max_bytes : 64,
+ } ];
+
+ // subject is the subject to which the resource is related, in some manner.
+ SubjectReference subject = 3 [ (validate.rules).message.required = true ];
+
+ // optional_caveat is a reference to a the caveat that must be enforced over the relationship
+ ContextualizedCaveat optional_caveat = 4 [ (validate.rules).message.required = false ];
+}
+
+/**
+ * ContextualizedCaveat represents a reference to a caveat to be used by caveated relationships.
+ * The context consists of key-value pairs that will be injected at evaluation time.
+ * The keys must match the arguments defined on the caveat in the schema.
+ */
+message ContextualizedCaveat {
+ /** caveat_name is the name of the caveat expression to use, as defined in the schema **/
+ string caveat_name = 1 [ (validate.rules).string = {
+ pattern : "^([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})$",
+ max_bytes : 128,
+ } ];
+
+ /** context consists of any named values that are defined at write time for the caveat expression **/
+ google.protobuf.Struct context = 2 [ (validate.rules).message.required = false ];
+}
+
+// SubjectReference is used for referring to the subject portion of a
+// Relationship. The relation component is optional and is used for defining a
+// sub-relation on the subject, e.g. group:123#members
+message SubjectReference {
+ ObjectReference object = 1 [ (validate.rules).message.required = true ];
+ string optional_relation = 2 [ (validate.rules).string = {
+ pattern : "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$",
+ max_bytes : 64,
+ } ];
+}
+
+// ObjectReference is used to refer to a specific object in the system.
+message ObjectReference {
+ string object_type = 1 [ (validate.rules).string = {
+ pattern : "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
+ max_bytes : 128,
+ } ];
+ string object_id = 2 [ (validate.rules).string = {
+ pattern : "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$",
+ max_bytes : 128,
+ } ];
+}
+
+// ZedToken is used to provide causality metadata between Write and Check
+// requests.
+//
+// See the authzed.api.v1.Consistency message for more information.
+message ZedToken {
+ string token = 1 [ (validate.rules).string = {
+ min_bytes : 1,
+ } ];
+}
+
+// RelationshipUpdate is used for mutating a single relationship within the
+// service.
+//
+// CREATE will create the relationship only if it doesn't exist, and error
+// otherwise.
+//
+// TOUCH will upsert the relationship, and will not error if it
+// already exists.
+//
+// DELETE will delete the relationship and error if it doesn't
+// exist.
+message RelationshipUpdate {
+ enum Operation {
+ OPERATION_UNSPECIFIED = 0;
+ OPERATION_CREATE = 1;
+ OPERATION_TOUCH = 2;
+ OPERATION_DELETE = 3;
+ }
+ Operation operation = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
+ Relationship relationship = 2 [ (validate.rules).message.required = true ];
+}
+
+// PermissionRelationshipTree is used for representing a tree of a resource and
+// its permission relationships with other objects.
+message PermissionRelationshipTree {
+ oneof tree_type {
+ option (validate.required) = true;
+
+ AlgebraicSubjectSet intermediate = 1;
+ DirectSubjectSet leaf = 2;
+ }
+ ObjectReference expanded_object = 3;
+ string expanded_relation = 4;
+}
+
+// AlgebraicSubjectSet is a subject set which is computed based on applying the
+// specified operation to the operands according to the algebra of sets.
+//
+// UNION is a logical set containing the subject members from all operands.
+//
+// INTERSECTION is a logical set containing only the subject members which are
+// present in all operands.
+//
+// EXCLUSION is a logical set containing only the subject members which are
+// present in the first operand, and none of the other operands.
+message AlgebraicSubjectSet {
+ enum Operation {
+ OPERATION_UNSPECIFIED = 0;
+ OPERATION_UNION = 1;
+ OPERATION_INTERSECTION = 2;
+ OPERATION_EXCLUSION = 3;
+ }
+
+ Operation operation = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
+ repeated PermissionRelationshipTree children = 2 [ (validate.rules).repeated.items.message.required = true ];
+}
+
+// DirectSubjectSet is a subject set which is simply a collection of subjects.
+message DirectSubjectSet { repeated SubjectReference subjects = 1; }
+
+// PartialCaveatInfo carries information necessary for the client to take action
+// in the event a response contains a partially evaluated caveat
+message PartialCaveatInfo {
+ // missing_required_context is a list of one or more fields that were missing and prevented caveats
+ // from being fully evaluated
+ repeated string missing_required_context = 1 [(validate.rules).repeated.min_items = 1];
+}