Diffstat (limited to '')
| -rw-r--r-- | crates/secd/src/auth/mod.rs | 2 | ||||
| -rw-r--r-- | crates/secd/src/auth/n.rs (renamed from crates/secd/src/command/authn.rs) | 0 | ||||
| -rw-r--r-- | crates/secd/src/auth/z.rs | 54 |
3 files changed, 56 insertions, 0 deletions
diff --git a/crates/secd/src/auth/mod.rs b/crates/secd/src/auth/mod.rs
new file mode 100644
index 0000000..9275c79
--- /dev/null
+++ b/crates/secd/src/auth/mod.rs
@@ -0,0 +1,2 @@
+pub mod n;
+pub mod z;
diff --git a/crates/secd/src/command/authn.rs b/crates/secd/src/auth/n.rs
index 1d3b2d5..1d3b2d5 100644
--- a/crates/secd/src/command/authn.rs
+++ b/crates/secd/src/auth/n.rs
diff --git a/crates/secd/src/auth/z.rs b/crates/secd/src/auth/z.rs
new file mode 100644
index 0000000..81c3639
--- /dev/null
+++ b/crates/secd/src/auth/z.rs
@@ -0,0 +1,54 @@
+use uuid::Uuid;
+
+use crate::{client::spice::SpiceError, Secd};
+
+#[derive(Debug, thiserror::Error, derive_more::Display)]
+pub enum AuthZError {
+ SpiceClient(#[from] SpiceError),
+ Todo,
+}
+
+pub type Namespace = String;
+pub type Object = (Namespace, Uuid);
+pub type Relation = String;
+
+pub struct Relationship {
+ pub subject: Subject,
+ pub object: Object,
+ pub relation: String,
+}
+
+#[derive(Clone)]
+pub enum Subject {
+ User(Object),
+ UserSet { user: Object, relation: Relation },
+}
+
+impl Secd {
+ pub async fn check(&self, r: &Relationship) -> Result<bool, AuthZError> {
+ let spice = self
+ .spice
+ .clone()
+ .expect("TODO: only supports postgres right now");
+
+ Ok(spice.check_permission(r).await?)
+ }
+ pub async fn expand(&self) -> Result<(), AuthZError> {
+ todo!()
+ }
+ pub async fn read(&self) -> Result<(), AuthZError> {
+ todo!()
+ }
+ pub async fn watch(&self) -> Result<(), AuthZError> {
+ unimplemented!()
+ }
+ pub async fn write(&self, ts: &[Relationship]) -> Result<(), AuthZError> {
+ let spice = self
+ .spice
+ .clone()
+ .expect("TODO: only supports postgres right now");
+
+ spice.write_relationship(ts).await?;
+ Ok(())
+ }
+}
|
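Review bot: `check` and `write` in crates/secd/src/auth/z.rs unwrap `self.spice.clone()` with `.expect("TODO: only supports postgres right now")`, so a `Secd` built without a Spice client panics inside the authorization path instead of returning an error the caller can treat as a denial. Assuming `self.spice` is an `Option` (its declaration is outside this diff), `let spice = self.spice.clone().ok_or(AuthZError::Todo)?;` keeps the failure inside `Result<_, AuthZError>` and makes the check fail closed without taking the task down. The same applies to the public `expand`, `read` and `watch` stubs, which panic through `todo!()`/`unimplemented!()`; returning `Err(AuthZError::Todo)` would be safer until they are implemented. The expect message also mentions postgres while the missing dependency appears to be the Spice client, so a dedicated variant with an accurate message would help whoever debugs it.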
