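// Core data types of the authzed.api.v1 API: relationships, object and
// subject references, ZedTokens, relationship updates and permission trees.
syntax = "proto3";

package authzed.api.v1;

import "google/protobuf/struct.proto";
import "validate/validate.proto";

option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v1";
option java_package = "com.authzed.api.v1";
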
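// Relationship specifies how a resource relates to a subject. Relationships
// form the data for the graph over which all permissions questions are
// answered.
message Relationship {
  // resource is the resource to which the subject is related, in some manner.
  // Required.
  ObjectReference resource = 1 [(validate.rules).message.required = true];

  // relation is how the resource and subject are related.
  //
  // Must match ^[a-z][a-z0-9_]{1,62}[a-z0-9]$ (3 to 64 lowercase ASCII
  // letters, digits and underscores) and be at most 64 bytes.
  string relation = 2 [(validate.rules).string = {
    pattern: "^[a-z][a-z0-9_]{1,62}[a-z0-9]$",
    max_bytes: 64,
  }];

  // subject is the subject to which the resource is related, in some manner.
  // Required.
  SubjectReference subject = 3 [(validate.rules).message.required = true];

  // optional_caveat is a reference to the caveat that must be enforced over
  // the relationship. It may be left unset; message fields carry presence in
  // proto3, so `required = false` only restates the default.
  ContextualizedCaveat optional_caveat = 4 [(validate.rules).message.required = false];
}
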
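// ContextualizedCaveat represents a reference to a caveat to be used by
// caveated relationships. The context consists of key-value pairs that will be
// injected at evaluation time. The keys must match the arguments defined on the
// caveat in the schema.
message ContextualizedCaveat {
  // caveat_name is the name of the caveat expression to use, as defined in the
  // schema.
  //
  // Must match ^([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})$ and be at most 128 bytes.
  string caveat_name = 1 [(validate.rules).string = {
    pattern: "^([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})$",
    max_bytes: 128,
  }];

  // context consists of any named values that are defined at write time for
  // the caveat expression. Optional; when set, each key is expected to name an
  // argument of the caveat. No validation rule constrains the contents of the
  // Struct itself.
  google.protobuf.Struct context = 2 [(validate.rules).message.required = false];
}
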
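// SubjectReference is used for referring to the subject portion of a
// Relationship. The relation component is optional and is used for defining a
// sub-relation on the subject, e.g. group:123#members
message SubjectReference {
  // object is the object acting as the subject. Required.
  ObjectReference object = 1 [(validate.rules).message.required = true];

  // optional_relation is the sub-relation on the subject (the "members" in
  // group:123#members). May be empty; when set it has the same shape as
  // Relationship.relation: ^[a-z][a-z0-9_]{1,62}[a-z0-9]$, at most 64 bytes.
  string optional_relation = 2 [(validate.rules).string = {
    pattern: "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$",
    max_bytes: 64,
  }];
}
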
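// ObjectReference is used to refer to a specific object in the system.
message ObjectReference {
  // object_type is the type of the object, optionally preceded by a
  // slash-separated prefix (presumably a namespace — confirm), e.g. "document"
  // or "myapp/document".
  //
  // Must match ^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$
  // and be at most 128 bytes.
  string object_type = 1 [(validate.rules).string = {
    pattern: "^([a-z][a-z0-9_]{1,61}[a-z0-9]/)?[a-z][a-z0-9_]{1,62}[a-z0-9]$",
    max_bytes: 128,
  }];

  // object_id is the identifier of the object within its type.
  //
  // Must match ^([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})$, or be the single
  // character "*", and be at most 128 bytes.
  // NOTE(review): the pattern deliberately admits a lone "*"; presumably a
  // wildcard matching any object id — confirm its semantics before accepting
  // it from an untrusted caller.
  string object_id = 2 [(validate.rules).string = {
    pattern: "^(([a-zA-Z0-9_][a-zA-Z0-9/_|-]{0,127})|\\*)$",
    max_bytes: 128,
  }];
}
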
// ZedToken is used to provide causality metadata between Write and Check
// requests.
//
// See the authzed.api.v1.Consistency message for more information.
message ZedToken {
  // token is the string carrying the causality metadata. It must be non-empty
  // (at least one byte); no upper bound on its size is enforced by these rules,
  // so a server accepting tokens at a trust boundary may want to bound it —
  // TODO confirm.
  string token = 1 [(validate.rules).string = {
    min_bytes: 1,
  }];
}

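// RelationshipUpdate is used for mutating a single relationship within the
// service.
//
// CREATE will create the relationship only if it doesn't exist, and error
// otherwise.
//
// TOUCH will upsert the relationship, and will not error if it
// already exists.
//
// DELETE will delete the relationship and error if it doesn't
// exist.
message RelationshipUpdate {
  // Operation is the kind of mutation to apply.
  enum Operation {
    // OPERATION_UNSPECIFIED is the zero value and is rejected by validation.
    OPERATION_UNSPECIFIED = 0;
    // OPERATION_CREATE creates the relationship; errors if it already exists.
    OPERATION_CREATE = 1;
    // OPERATION_TOUCH upserts the relationship; does not error if it exists.
    OPERATION_TOUCH = 2;
    // OPERATION_DELETE deletes the relationship; errors if it doesn't exist.
    OPERATION_DELETE = 3;
  }

  // operation is the mutation to apply. Must be a defined value other than
  // OPERATION_UNSPECIFIED.
  Operation operation = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];

  // relationship is the relationship to mutate. Required.
  Relationship relationship = 2 [(validate.rules).message.required = true];
}
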
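// PermissionRelationshipTree is used for representing a tree of a resource and
// its permission relationships with other objects.
//
// Trees are recursive: an AlgebraicSubjectSet node holds further
// PermissionRelationshipTree children. Consumers of trees from an untrusted
// source should bound the depth they are willing to walk; protobuf parsers
// only enforce their own default recursion limit.
message PermissionRelationshipTree {
  // tree_type is the node kind; exactly one member must be set.
  oneof tree_type {
    option (validate.required) = true;

    // intermediate is a node that combines child trees with a set operation.
    AlgebraicSubjectSet intermediate = 1;

    // leaf is a node holding a direct collection of subjects.
    DirectSubjectSet leaf = 2;
  }

  // expanded_object is presumably the object this node was expanded from —
  // confirm. NOTE(review): no validation rule is attached here, unlike the
  // other references in this file; presumably this message is only produced by
  // the server — confirm.
  ObjectReference expanded_object = 3;

  // expanded_relation is presumably the relation this node was expanded from —
  // confirm. No validation rule is attached.
  string expanded_relation = 4;
}
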
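// AlgebraicSubjectSet is a subject set which is computed based on applying the
// specified operation to the operands according to the algebra of sets.
//
// UNION is a logical set containing the subject members from all operands.
//
// INTERSECTION is a logical set containing only the subject members which are
// present in all operands.
//
// EXCLUSION is a logical set containing only the subject members which are
// present in the first operand, and none of the other operands.
message AlgebraicSubjectSet {
  // Operation is the set operation applied to children.
  enum Operation {
    // OPERATION_UNSPECIFIED is the zero value and is rejected by validation.
    OPERATION_UNSPECIFIED = 0;
    // OPERATION_UNION: members present in any child.
    OPERATION_UNION = 1;
    // OPERATION_INTERSECTION: members present in every child.
    OPERATION_INTERSECTION = 2;
    // OPERATION_EXCLUSION: members present in the first child and in none of
    // the others.
    OPERATION_EXCLUSION = 3;
  }

  // operation is the set operation to apply. Must be a defined value other
  // than OPERATION_UNSPECIFIED.
  Operation operation = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];

  // children are the operands, in order (order matters for EXCLUSION). Each
  // entry must be set. Because children are themselves trees, this type is
  // mutually recursive with PermissionRelationshipTree; bound the depth when
  // walking trees of untrusted origin.
  repeated PermissionRelationshipTree children = 2 [(validate.rules).repeated.items.message.required = true];
}
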
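// DirectSubjectSet is a subject set which is simply a collection of subjects.
message DirectSubjectSet {
  // subjects are the members of the set. No validation rule is attached, so an
  // empty set is accepted.
  repeated SubjectReference subjects = 1;
}
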
// PartialCaveatInfo carries information necessary for the client to take action
// in the event a response contains a partially evaluated caveat.
message PartialCaveatInfo {
  // missing_required_context is a list of one or more fields that were missing
  // and prevented caveats from being fully evaluated. Validation requires at
  // least one entry.
  repeated string missing_required_context = 1 [(validate.rules).repeated.min_items = 1];
}