This repository has been archived by the owner on Feb 23, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
api_auth0_fga.go
4139 lines (3645 loc) · 153 KB
/
api_auth0_fga.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/**
* Go SDK for Auth0 Fine Grained Authorization (FGA)
*
* API version: 0.1
* Website: <https://fga.dev>
* Documentation: <https://docs.fga.dev>
* Support: <https://discord.gg/8naAwJfWN6>
* License: [MIT](https://github.com/auth0-lab/fga-go-sdk/blob/main/LICENSE)
*
* NOTE: This file was auto generated by [OpenAPI Generator](https://openapi-generator.tech). DO NOT EDIT.
*/
package auth0fga
import (
"bytes"
_context "context"
_ioutil "io/ioutil"
_math "math"
_rand "math/rand"
_nethttp "net/http"
_neturl "net/url"
"strings"
"time"
)
// Linger please
var (
_ _context.Context
)
type Auth0FgaApi interface {
/*
* Check Check whether a user is authorized to access an object
* The Check API queries to check if the user has a certain relationship with an object in a certain store.
A `contextual_tuples` object may also be included in the body of the request. This object contains one field `tuple_keys`, which is an array of tuple keys.
You may also provide an `authorization_model_id` in the body. This will be used to assert that the input `tuple_key` is valid for the model specified. If not specified, the assertion will be made against the latest authorization model ID.
The response will return whether the relationship exists in the field `allowed`.
## Example
In order to check if user `user:anne` of type `user` has a `reader` relationship with object `document:2021-budget` given the following contextual tuple
```json
{
"user": "user:anne",
"relation": "member",
"object": "time_slot:office_hours"
}
```
the Check API can be used with the following request body:
```json
{
"tuple_key": {
"user": "user:anne",
"relation": "reader",
"object": "document:2021-budget"
},
"contextual_tuples": {
"tuple_keys": [
{
"user": "user:anne",
"relation": "member",
"object": "time_slot:office_hours"
}
]
}
}
```
Auth0 FGA's response will include `{ "allowed": true }` if there is a relationship and `{ "allowed": false }` if there isn't.
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiCheckRequest
*/
Check(ctx _context.Context) ApiCheckRequest
/*
* CheckExecute executes the request
* @return CheckResponse
*/
CheckExecute(r ApiCheckRequest) (CheckResponse, *_nethttp.Response, error)
/*
* Expand Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship
* The Expand API will return all users and usersets that have certain relationship with an object in a certain store.
This is different from the `/stores/{store_id}/read` API in that both users and computed usersets are returned.
Body parameters `tuple_key.object` and `tuple_key.relation` are all required.
The response will return a tree whose leaves are the specific users and usersets. Union, intersection and difference operator are located in the intermediate nodes.
## Example
To expand all users that have the `reader` relationship with object `document:2021-budget`, use the Expand API with the following request body
```json
{
"tuple_key": {
"object": "document:2021-budget",
"relation": "reader"
}
}
```
Auth0 FGA's response will be a userset tree of the users and computed usersets that have read access to the document.
```json
{
"tree":{
"root":{
"type":"document:2021-budget#reader",
"union":{
"nodes":[
{
"type":"document:2021-budget#reader",
"leaf":{
"users":{
"users":[
"user:bob"
]
}
}
},
{
"type":"document:2021-budget#reader",
"leaf":{
"computed":{
"userset":"document:2021-budget#writer"
}
}
}
]
}
}
}
}
```
The caller can then call expand API for the `writer` relationship for the `document:2021-budget`.
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiExpandRequest
*/
Expand(ctx _context.Context) ApiExpandRequest
/*
* ExpandExecute executes the request
* @return ExpandResponse
*/
ExpandExecute(r ApiExpandRequest) (ExpandResponse, *_nethttp.Response, error)
/*
* ListObjects [EXPERIMENTAL] Get all objects of the given type that the user has a relation with
* The ListObjects API returns a list of all the objects of the given type that the user has a relation with. To achieve this, both the store tuples and the authorization model are used.
An `authorization_model_id` may be specified in the body. If it is, it will be used to decide the underlying implementation used. If it is not specified, the latest authorization model ID will be used.
You may also specify `contextual_tuples` that will be treated as regular tuples.
The response will contain the related objects in an array in the "objects" field of the response and they will be strings in the object format `<type>:<id>` (e.g. "document:roadmap")
## Example
In order to list the objects of type document that user `user:anne` has a `reader` relationship with, while passing the Anne is an editor of the marketing folder in the contextual tuples, You can issue a ListObjects API request that includes the contextual tuples:
```json
{
"authorization_model_id": "01G5JAVJ41T49E9TT3SKVS7X1J",
"user": "user:anne",
"relation": "reader",
"type": "document"
"contextual_tuples": {
"tuple_keys": [
{
"user": "user:anne",
"relation": "editor",
"object": "folder:marketing"
}
]
}
}
```
Auth0 FGA's response will be of the format: `{ "objects": ["document:roadmap"] }` and include document Anne is related to as reader
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiListObjectsRequest
*/
ListObjects(ctx _context.Context) ApiListObjectsRequest
/*
* ListObjectsExecute executes the request
* @return ListObjectsResponse
*/
ListObjectsExecute(r ApiListObjectsRequest) (ListObjectsResponse, *_nethttp.Response, error)
/*
* Read Get tuples from the store that matches a query, without following userset rewrite rules
* The Read API will return the tuples for a certain store that match a query filter specified in the body of the request. It is different from the `/stores/{store_id}/expand` API in that it only returns relationship tuples that are stored in the system and satisfy the query.
In the body:
1. `tuple_key.object` is mandatory. It can be a full object (e.g., `type:object_id`) or type only (e.g., `type:`).
2. `tuple_key.user` is mandatory in the case the `tuple_key.object` is a type only.
3. `authorization_model_id` is optional. If specified, it will be used to assert that the input `tuple_key` is valid for the model specified. If not specified, the latest authorization model ID will be used.
## Examples
### Query for all objects in a type definition
To query for all objects that `user:bob` has `reader` relationship in the document type definition, call read API with body of
```json
{
"tuple_key": {
"user": "user:bob",
"relation": "reader",
"object": "document:"
}
}
```
The API will return tuples and an optional continuation token, something like
```json
{
"tuples": [
{
"key": {
"user": "user:bob",
"relation": "reader",
"object": "document:2021-budget"
},
"timestamp": "2021-10-06T15:32:11.128Z"
}
]
}
```
This means that `user:bob` has a `reader` relationship with 1 document `document:2021-budget`.
### Query for all stored relationship tuples that have a particular relation and object
To query for all users that have `reader` relationship with `document:2021-budget`, call read API with body of
```json
{
"tuple_key": {
"object": "document:2021-budget",
"relation": "reader"
}
}
```
The API will return something like
```json
{
"tuples": [
{
"key": {
"user": "user:bob",
"relation": "reader",
"object": "document:2021-budget"
},
"timestamp": "2021-10-06T15:32:11.128Z"
}
]
}
```
This means that `document:2021-budget` has 1 `reader` (`user:bob`). Note that the API will not return writers such as `user:anne` even when all writers are readers. This is because only direct relationship are returned for the READ API.
### Query for all users with all relationships for a particular document
To query for all users that have any relationship with `document:2021-budget`, call read API with body of
```json
{
"tuple_key": {
"object": "document:2021-budget"
}
}
```
The API will return something like
```json
{
"tuples": [
{
"key": {
"user": "user:anne",
"relation": "writer",
"object": "document:2021-budget"
},
"timestamp": "2021-10-05T13:42:12.356Z"
},
{
"key": {
"user": "user:bob",
"relation": "reader",
"object": "document:2021-budget"
},
"timestamp": "2021-10-06T15:32:11.128Z"
}
]
}
```
This means that `document:2021-budget` has 1 `reader` (`user:bob`) and 1 `writer` (`user:anne`).
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiReadRequest
*/
Read(ctx _context.Context) ApiReadRequest
/*
* ReadExecute executes the request
* @return ReadResponse
*/
ReadExecute(r ApiReadRequest) (ReadResponse, *_nethttp.Response, error)
/*
* ReadAssertions Read assertions for an authorization model ID
* The ReadAssertions API will return, for a given authorization model id, all the assertions stored for it. An assertion is an object that contains a tuple key, and the expectation of whether a call to the Check API of that tuple key will return true or false.
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @param authorizationModelId
* @return ApiReadAssertionsRequest
*/
ReadAssertions(ctx _context.Context, authorizationModelId string) ApiReadAssertionsRequest
/*
* ReadAssertionsExecute executes the request
* @return ReadAssertionsResponse
*/
ReadAssertionsExecute(r ApiReadAssertionsRequest) (ReadAssertionsResponse, *_nethttp.Response, error)
/*
* ReadAuthorizationModel Return a particular version of an authorization model
* The ReadAuthorizationModel API returns an authorization model by its identifier.
The response will return the authorization model for the particular version.
## Example
To retrieve the authorization model with ID `01G5JAVJ41T49E9TT3SKVS7X1J` for the store, call the GET authorization-models by ID API with `01G5JAVJ41T49E9TT3SKVS7X1J` as the `id` path parameter. The API will return:
```json
{
"authorization_model":{
"id":"01G5JAVJ41T49E9TT3SKVS7X1J",
"type_definitions":[
{
"type":"user"
},
{
"type":"document",
"relations":{
"reader":{
"union":{
"child":[
{
"this":{}
},
{
"computedUserset":{
"object":"",
"relation":"writer"
}
}
]
}
},
"writer":{
"this":{}
}
}
}
]
}
}
```
In the above example, there are 2 types (`user` and `document`). The `document` type has 2 relations (`writer` and `reader`).
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @param id
* @return ApiReadAuthorizationModelRequest
*/
ReadAuthorizationModel(ctx _context.Context, id string) ApiReadAuthorizationModelRequest
/*
* ReadAuthorizationModelExecute executes the request
* @return ReadAuthorizationModelResponse
*/
ReadAuthorizationModelExecute(r ApiReadAuthorizationModelRequest) (ReadAuthorizationModelResponse, *_nethttp.Response, error)
/*
* ReadAuthorizationModels Return all the authorization models for a particular store
* The ReadAuthorizationModels API will return all the authorization models for a certain store.
Auth0 FGA's response will contain an array of all authorization models, sorted in descending order of creation.
## [Limits](https://docs.fga.dev/intro/dashboard#limitations)
- Each response can contain up to **50** authorization model IDs.
## Example
Assume that a store's authorization model has been configured twice. To get all the authorization models that have been created in this store, call GET authorization-models. The API will return a response that looks like:
```json
{
"authorization_models": [
{
"id": "01G50QVV17PECNVAHX1GG4Y5NC",
"type_definitions": [...]
},
{
"id": "01G4ZW8F4A07AKQ8RHSVG9RW04",
"type_definitions": [...]
},
]
}
```
If there are more authorization models available, the response will contain an extra field `continuation_token`:
```json
{
"authorization_models": [
{
"id": "01G50QVV17PECNVAHX1GG4Y5NC",
"type_definitions": [...]
},
{
"id": "01G4ZW8F4A07AKQ8RHSVG9RW04",
"type_definitions": [...]
},
],
"continuation_token": "eyJwayI6IkxBVEVTVF9OU0NPTkZJR19hdXRoMHN0b3JlIiwic2siOiIxem1qbXF3MWZLZExTcUoyN01MdTdqTjh0cWgifQ=="
}
```
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiReadAuthorizationModelsRequest
*/
ReadAuthorizationModels(ctx _context.Context) ApiReadAuthorizationModelsRequest
/*
* ReadAuthorizationModelsExecute executes the request
* @return ReadAuthorizationModelsResponse
*/
ReadAuthorizationModelsExecute(r ApiReadAuthorizationModelsRequest) (ReadAuthorizationModelsResponse, *_nethttp.Response, error)
/*
* ReadChanges Return a list of all the tuple changes
* The ReadChanges API will return a paginated list of tuple changes (additions and deletions) that occurred in a given store, sorted by ascending time. The response will include a continuation token that is used to get the next set of changes. If there are no changes after the provided continuation token, the same token will be returned in order for it to be used when new changes are recorded. If the store never had any tuples added or removed, this token will be empty.
You can use the `type` parameter to only get the list of tuple changes that affect objects of that type.
## [Limits](https://docs.fga.dev/intro/dashboard#limitations)
- Each store has a limit of **5** requests per second (RPS).
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiReadChangesRequest
*/
ReadChanges(ctx _context.Context) ApiReadChangesRequest
/*
* ReadChangesExecute executes the request
* @return ReadChangesResponse
*/
ReadChangesExecute(r ApiReadChangesRequest) (ReadChangesResponse, *_nethttp.Response, error)
/*
* Write Add or delete tuples from the store
* The Write API will update the tuples for a certain store. Tuples and type definitions allow Auth0 FGA to determine whether a relationship exists between an object and an user.
In the body, `writes` adds new tuples while `deletes` removes existing tuples.
An `authorization_model_id` may be specified in the body. If it is, it will be used to assert that each written tuple (not deleted) is valid for the model specified. If it is not specified, the latest authorization model ID will be used.
## [Limits](https://docs.fga.dev/intro/dashboard#limitations)
- Each write API call allows at most **10** tuples.
- Each store has a limit of **50000** tuples.
## Example
### Adding relationships
To add `user:anne` as a `writer` for `document:2021-budget`, call write API with the following
```json
{
"writes": {
"tuple_keys": [
{
"user": "user:anne",
"relation": "writer",
"object": "document:2021-budget"
}
]
}
}
```
### Removing relationships
To remove `user:bob` as a `reader` for `document:2021-budget`, use the Write API with the following request body
```json
{
"deletes": {
"tuple_keys": [
{
"user": "user:bob",
"relation": "reader",
"object": "document:2021-budget"
}
]
}
}
```
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiWriteRequest
*/
Write(ctx _context.Context) ApiWriteRequest
/*
* WriteExecute executes the request
* @return map[string]interface{}
*/
WriteExecute(r ApiWriteRequest) (map[string]interface{}, *_nethttp.Response, error)
/*
* WriteAssertions Upsert assertions for an authorization model ID
* The WriteAssertions API will upsert new assertions for an authorization model id, or overwrite the existing ones. An assertion is an object that contains a tuple key, and the expectation of whether a call to the Check API of that tuple key will return true or false.
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @param authorizationModelId
* @return ApiWriteAssertionsRequest
*/
WriteAssertions(ctx _context.Context, authorizationModelId string) ApiWriteAssertionsRequest
/*
* WriteAssertionsExecute executes the request
*/
WriteAssertionsExecute(r ApiWriteAssertionsRequest) (*_nethttp.Response, error)
/*
* WriteAuthorizationModel Create a new authorization model
* The WriteAuthorizationModel API will add a new authorization model to a store.
Each item in the `type_definitions` array is a type definition as specified in the field `type_definition`.
The response will return the authorization model's ID in the `id` field.
## Example
To add an authorization model with `user` and `document` type definitions, call POST authorization-models API with the body:
```json
{
"type_definitions":[
{
"type":"user"
},
{
"type":"document",
"relations":{
"reader":{
"union":{
"child":[
{
"this":{}
},
{
"computedUserset":{
"object":"",
"relation":"writer"
}
}
]
}
},
"writer":{
"this":{}
}
}
}
]
}
```
Auth0 FGA's response will include the version id for this authorization model, which will look like
```
{"authorization_model_id": "01G50QVV17PECNVAHX1GG4Y5NC"}
```
* @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
* @return ApiWriteAuthorizationModelRequest
*/
WriteAuthorizationModel(ctx _context.Context) ApiWriteAuthorizationModelRequest
/*
* WriteAuthorizationModelExecute executes the request
* @return WriteAuthorizationModelResponse
*/
WriteAuthorizationModelExecute(r ApiWriteAuthorizationModelRequest) (WriteAuthorizationModelResponse, *_nethttp.Response, error)
}
// Auth0FgaApiService Auth0FgaApi service
type Auth0FgaApiService service
func getMaximumRateUnit(api string) string {
switch api {
case "Check":
return "second"
case "Read":
return "second"
case "Write":
return "second"
default:
return "minute"
}
}
func randomTime(loopCount int, minWaitInMs int) int {
min := int(_math.Pow(2, float64(loopCount))) * minWaitInMs
max := int(_math.Pow(2, float64(loopCount+1))) * minWaitInMs
return _rand.Intn(max-min+1) + min
}
type ApiCheckRequest struct {
ctx _context.Context
ApiService Auth0FgaApi
body *CheckRequest
}
func (r ApiCheckRequest) Body(body CheckRequest) ApiCheckRequest {
r.body = &body
return r
}
func (r ApiCheckRequest) Execute() (CheckResponse, *_nethttp.Response, error) {
return r.ApiService.CheckExecute(r)
}
/*
- Check Check whether a user is authorized to access an object
- The Check API queries to check if the user has a certain relationship with an object in a certain store.
A `contextual_tuples` object may also be included in the body of the request. This object contains one field `tuple_keys`, which is an array of tuple keys.
You may also provide an `authorization_model_id` in the body. This will be used to assert that the input `tuple_key` is valid for the model specified. If not specified, the assertion will be made against the latest authorization model ID.
The response will return whether the relationship exists in the field `allowed`.
## Example
In order to check if user `user:anne` of type `user` has a `reader` relationship with object `document:2021-budget` given the following contextual tuple
```json
{
"user": "user:anne",
"relation": "member",
"object": "time_slot:office_hours"
}
```
the Check API can be used with the following request body:
```json
{
"tuple_key": {
"user": "user:anne",
"relation": "reader",
"object": "document:2021-budget"
},
"contextual_tuples": {
"tuple_keys": [
{
"user": "user:anne",
"relation": "member",
"object": "time_slot:office_hours"
}
]
}
}
```
Auth0 FGA's response will include `{ "allowed": true }` if there is a relationship and `{ "allowed": false }` if there isn't.
- @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
- @return ApiCheckRequest
*/
func (a *Auth0FgaApiService) Check(ctx _context.Context) ApiCheckRequest {
return ApiCheckRequest{
ApiService: a,
ctx: ctx,
}
}
/*
* Execute executes the request
* @return CheckResponse
*/
func (a *Auth0FgaApiService) CheckExecute(r ApiCheckRequest) (CheckResponse, *_nethttp.Response, error) {
var maxRetry int
var minWaitInMs int
if a.RetryParams != nil {
maxRetry = a.RetryParams.MinWaitInMs
minWaitInMs = a.RetryParams.MinWaitInMs
} else {
maxRetry = 0
minWaitInMs = 0
}
for i := 0; i < maxRetry+1; i++ {
var (
localVarHTTPMethod = _nethttp.MethodPost
localVarPostBody interface{}
localVarFormFileName string
localVarFileName string
localVarFileBytes []byte
localVarReturnValue CheckResponse
)
localVarPath := "/stores/{store_id}/check"
localVarPath = strings.Replace(localVarPath, "{"+"store_id"+"}", _neturl.PathEscape(a.client.cfg.StoreId), -1)
localVarHeaderParams := make(map[string]string)
localVarQueryParams := _neturl.Values{}
localVarFormParams := _neturl.Values{}
if r.body == nil {
return localVarReturnValue, nil, reportError("body is required and must be specified")
}
// to determine the Content-Type header
localVarHTTPContentTypes := []string{"application/json"}
// set Content-Type header
localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes)
if localVarHTTPContentType != "" {
localVarHeaderParams["Content-Type"] = localVarHTTPContentType
}
// to determine the Accept header
localVarHTTPHeaderAccepts := []string{"application/json"}
// set Accept header
localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts)
if localVarHTTPHeaderAccept != "" {
localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept
}
// body params
localVarPostBody = r.body
req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes)
if err != nil {
return localVarReturnValue, nil, err
}
localVarHTTPResponse, err := a.client.callAPI(req)
if err != nil || localVarHTTPResponse == nil {
return localVarReturnValue, localVarHTTPResponse, err
}
localVarBody, err := _ioutil.ReadAll(localVarHTTPResponse.Body)
localVarHTTPResponse.Body.Close()
localVarHTTPResponse.Body = _ioutil.NopCloser(bytes.NewBuffer(localVarBody))
if err != nil {
return localVarReturnValue, localVarHTTPResponse, err
}
if localVarHTTPResponse.StatusCode >= 300 {
if localVarHTTPResponse.StatusCode == 400 || localVarHTTPResponse.StatusCode == 422 {
newErr := FgaApiValidationError{
body: localVarBody,
storeId: a.client.cfg.StoreId,
endpointCategory: "Check",
requestBody: localVarPostBody,
requestMethod: localVarHTTPMethod,
responseStatusCode: localVarHTTPResponse.StatusCode,
responseHeader: localVarHTTPResponse.Header,
}
// Due to CanonicalHeaderKey, header name is case-insensitive.
newErr.requestId = localVarHTTPResponse.Header.Get("Fga-Request-Id")
newErr.error = "Check validation error for " + localVarHTTPMethod + " Check with body " + string(localVarBody)
var v ValidationErrorMessageResponse
err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type"))
if err != nil {
newErr.modelDecodeError = err
return localVarReturnValue, localVarHTTPResponse, newErr
}
newErr.model = v
newErr.responseCode = v.GetCode()
newErr.error += " with error code " + string(v.GetCode()) + " error message: " + v.GetMessage()
return localVarReturnValue, localVarHTTPResponse, newErr
}
if localVarHTTPResponse.StatusCode == 401 || localVarHTTPResponse.StatusCode == 403 {
newErr := FgaApiAuthenticationError{
body: localVarBody,
storeId: a.client.cfg.StoreId,
endpointCategory: "Check",
responseStatusCode: localVarHTTPResponse.StatusCode,
responseHeader: localVarHTTPResponse.Header,
}
// Due to CanonicalHeaderKey, header name is case-insensitive.
newErr.requestId = localVarHTTPResponse.Header.Get("Fga-Request-Id")
newErr.error = "Check authentication error for " + localVarHTTPMethod + " Check with body " + string(localVarBody)
var v AuthenticationErrorMessageResponse
err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type"))
if err != nil {
newErr.modelDecodeError = err
return localVarReturnValue, localVarHTTPResponse, newErr
}
newErr.model = v
newErr.responseCode = v.GetCode()
newErr.error += " with error code " + string(v.GetCode()) + " error message: " + v.GetMessage()
return localVarReturnValue, localVarHTTPResponse, newErr
}
if localVarHTTPResponse.StatusCode == 404 {
newErr := FgaApiNotFoundError{
body: localVarBody,
storeId: a.client.cfg.StoreId,
endpointCategory: "Check",
requestBody: localVarPostBody,
requestMethod: localVarHTTPMethod,
responseStatusCode: localVarHTTPResponse.StatusCode,
responseHeader: localVarHTTPResponse.Header,
}
// Due to CanonicalHeaderKey, header name is case-insensitive.
newErr.requestId = localVarHTTPResponse.Header.Get("Fga-Request-Id")
newErr.error = "Check validation error for " + localVarHTTPMethod + " Check with body " + string(localVarBody)
var v PathUnknownErrorMessageResponse
err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type"))
if err != nil {
newErr.modelDecodeError = err
return localVarReturnValue, localVarHTTPResponse, newErr
}
newErr.model = v
newErr.responseCode = v.GetCode()
newErr.error += " with error code " + string(v.GetCode()) + " error message: " + v.GetMessage()
return localVarReturnValue, localVarHTTPResponse, newErr
}
if localVarHTTPResponse.StatusCode == 429 {
if i < maxRetry {
time.Sleep(time.Duration(randomTime(i, minWaitInMs)) * time.Millisecond)
continue
}
// maximum number of retries reached
newErr := FgaApiRateLimitExceededError{
body: localVarBody,
storeId: a.client.cfg.StoreId,
endpointCategory: "Check",
requestBody: localVarPostBody,
requestMethod: localVarHTTPMethod,
responseStatusCode: localVarHTTPResponse.StatusCode,
responseHeader: localVarHTTPResponse.Header,
}
newErr.error = "Check rate limit error for " + localVarHTTPMethod + " Check with body " + string(localVarBody)
// Due to CanonicalHeaderKey, header name is case-insensitive.
newErr.requestId = localVarHTTPResponse.Header.Get("Fga-Request-Id")
newErr.rateLimit, _ = atoi(localVarHTTPResponse.Header.Get("X-Ratelimit-Limit"))
newErr.rateUnit = getMaximumRateUnit("Check")
newErr.rateLimitResetEpoch = localVarHTTPResponse.Header.Get("X-Ratelimit-Reset")
var v ResourceExhaustedErrorMessageResponse
err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type"))
if err != nil {
newErr.modelDecodeError = err
return localVarReturnValue, localVarHTTPResponse, newErr
}
newErr.model = v
newErr.responseCode = v.GetCode()
newErr.error += " with error code " + string(v.GetCode()) + " error message: " + v.GetMessage()
return localVarReturnValue, localVarHTTPResponse, newErr
}
if localVarHTTPResponse.StatusCode >= 500 {
if i < maxRetry {
time.Sleep(time.Duration(randomTime(i, minWaitInMs)) * time.Millisecond)
continue
}
// maximum number of retries reached
newErr := FgaApiInternalError{
body: localVarBody,
storeId: a.client.cfg.StoreId,
endpointCategory: "Check",
requestBody: localVarPostBody,
requestMethod: localVarHTTPMethod,
responseStatusCode: localVarHTTPResponse.StatusCode,
responseHeader: localVarHTTPResponse.Header,
}
newErr.error = "Check internal error for " + localVarHTTPMethod + " Check with body " + string(localVarBody)
newErr.requestId = localVarHTTPResponse.Header.Get("Fga-Request-Id")
var v InternalErrorMessageResponse
err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type"))
if err != nil {
newErr.modelDecodeError = err
return localVarReturnValue, localVarHTTPResponse, newErr
}
newErr.model = v
newErr.responseCode = v.GetCode()
newErr.error += " with error code " + string(v.GetCode()) + " error message: " + v.GetMessage()
return localVarReturnValue, localVarHTTPResponse, newErr
}
newErr := FgaApiError{
body: localVarBody,
storeId: a.client.cfg.StoreId,
endpointCategory: "Check",
requestBody: localVarPostBody,
requestMethod: localVarHTTPMethod,
responseStatusCode: localVarHTTPResponse.StatusCode,
responseHeader: localVarHTTPResponse.Header,
}
newErr.error = "Check error for " + localVarHTTPMethod + " Check with body " + string(localVarBody)
newErr.requestId = localVarHTTPResponse.Header.Get("Fga-Request-Id")
var v ErrorResponse
err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type"))
if err != nil {
newErr.modelDecodeError = err
return localVarReturnValue, localVarHTTPResponse, newErr
}
newErr.model = v
newErr.responseCode = v.Code
newErr.error += " with error code " + v.Code + " error message: " + v.Message
return localVarReturnValue, localVarHTTPResponse, newErr
}
err = a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type"))
if err != nil {
newErr := GenericOpenAPIError{
body: localVarBody,
error: err.Error(),
}
return localVarReturnValue, localVarHTTPResponse, newErr
}
return localVarReturnValue, localVarHTTPResponse, nil
}
// should never have reached this
var localVarReturnValue CheckResponse
return localVarReturnValue, nil, reportError("RateLimitError not handled properly")
}
type ApiExpandRequest struct {
ctx _context.Context
ApiService Auth0FgaApi
body *ExpandRequest
}
func (r ApiExpandRequest) Body(body ExpandRequest) ApiExpandRequest {
r.body = &body
return r
}
func (r ApiExpandRequest) Execute() (ExpandResponse, *_nethttp.Response, error) {
return r.ApiService.ExpandExecute(r)
}
/*
- Expand Expand all relationships in userset tree format, and following userset rewrite rules. Useful to reason about and debug a certain relationship
- The Expand API will return all users and usersets that have certain relationship with an object in a certain store.
This is different from the `/stores/{store_id}/read` API in that both users and computed usersets are returned.
Body parameters `tuple_key.object` and `tuple_key.relation` are all required.
The response will return a tree whose leaves are the specific users and usersets. Union, intersection and difference operator are located in the intermediate nodes.
## Example
To expand all users that have the `reader` relationship with object `document:2021-budget`, use the Expand API with the following request body
```json
{
"tuple_key": {
"object": "document:2021-budget",
"relation": "reader"
}
}
```
Auth0 FGA's response will be a userset tree of the users and computed usersets that have read access to the document.
```json
{
"tree":{
"root":{
"type":"document:2021-budget#reader",
"union":{
"nodes":[
{
"type":"document:2021-budget#reader",
"leaf":{
"users":{
"users":[
"user:bob"
]
}
}
},
{
"type":"document:2021-budget#reader",
"leaf":{
"computed":{
"userset":"document:2021-budget#writer"
}
}
}
]
}
}
}
}
```
The caller can then call expand API for the `writer` relationship for the `document:2021-budget`.
- @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
- @return ApiExpandRequest
*/
func (a *Auth0FgaApiService) Expand(ctx _context.Context) ApiExpandRequest {
return ApiExpandRequest{
ApiService: a,
ctx: ctx,
}
}
/*
* Execute executes the request
* @return ExpandResponse
*/
func (a *Auth0FgaApiService) ExpandExecute(r ApiExpandRequest) (ExpandResponse, *_nethttp.Response, error) {
var maxRetry int
var minWaitInMs int
if a.RetryParams != nil {
maxRetry = a.RetryParams.MinWaitInMs
minWaitInMs = a.RetryParams.MinWaitInMs
} else {
maxRetry = 0
minWaitInMs = 0
}
for i := 0; i < maxRetry+1; i++ {
var (
localVarHTTPMethod = _nethttp.MethodPost
localVarPostBody interface{}
localVarFormFileName string
localVarFileName string
localVarFileBytes []byte
localVarReturnValue ExpandResponse
)