diff --git a/Makefile b/Makefile
index 12d4ba5b0..fbc829877 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,31 @@ docker: deps
 	rm keto
 	packr clean
 
-.PHONY: gen-protobuf
-gen-protobuf:
-	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative relationtuple/*.proto
+#
+# Generate APIs and client stubs from the definitions
+#
+.PHONY: buf-gen
+buf-gen:
+	buf generate \
+		--config buf/api/buf.yaml \
+		--template buf/api/buf.gen.yaml \
+		&& \
+		echo "TODO: generate gapic client at ./client" \
+		&& \
+		echo "All code was generated successfully!"
+
+#
+# Lint API definitions
+#
+.PHONY: buf-lint
+buf-lint:
+	buf check lint \
+		--config buf/api/buf.yaml \
+		&& \
+		echo "All lint checks passed successfully!"
+
+#
+# Generate after linting succeeded
+#
+.PHONY: buf
+buf: buf-lint buf-gen
diff --git a/api/keto/README.md b/api/keto/README.md
new file mode 100644
index 000000000..3b492025a
--- /dev/null
+++ b/api/keto/README.md
@@ -0,0 +1,35 @@
+# Notes
+
+> ORY Keto is still a `sandbox` project and
+the included APIs are unstable until we reach `v1`
+and release `v1.0.0` of Keto!
+>
+> Older API versions, such as `v1alpha1`, will still
+> get support for a reasonable amount of time after release
+> of `v1`!
+
+This directory contains the ProtoBuf & gRPC definitions
+for the Access Control APIs.
+
+**ACL is the flexible and scalable "base system"
+all other access control schemes built upon.**
+
+## Directory layout
+
+```shell script
+keto
+└── acl / rbac / ...
+    ├── node
+    │   └── v1 - Intercommunication API (cluster internal)
+    ├── admin
+    │   └── v1 - Admin API definitions
+    └── v1 - "Base" API definitions
+```
+
+- `admin` - API for critical administrative tasks
+  - namespace config management
+  - retrieval of cluster system statistics / analysis
+  - etc.
+- `base/v1` - Base APIs / models
+  - read/write/watch/... services
+- `node` - Intercommunication of cluster nodes
\ No newline at end of file
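Review bot: `buf-gen` ends with `echo "All code was generated successfully!"` even though the step before it is only `echo "TODO: generate gapic client at ./client"`, so the target reports success for a client it never generates; either drop the two placeholder echoes and track the gapic client in an issue, or make the message honest, e.g. `echo "ProtoBuf/gRPC stubs generated (gapic client at ./client is still TODO)"`. Nothing in the recipe records which `buf` release (or which plugins, configured in `buf/api/buf.gen.yaml`, not shown here) produced the checked-in `.pb.go` files, so regeneration on another machine can silently change generated sources; a comment above `buf-gen` stating the expected `buf --version` output would make the generated code reproducible and reviewable. Newer buf releases have renamed `buf check lint` (used in `buf-lint`) to `buf lint`, which is worth remembering when the toolchain is bumped. The recipe that the first two context lines belong to starts outside the hunk.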
diff --git a/api/keto/acl/admin/v1alpha1/admin_service.pb.go b/api/keto/acl/admin/v1alpha1/admin_service.pb.go
new file mode 100644
index 000000000..a2e7dbffd
--- /dev/null
+++ b/api/keto/acl/admin/v1alpha1/admin_service.pb.go
@@ -0,0 +1,80 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.13.0 +// source: keto/acl/admin/v1alpha1/admin_service.proto + +package admin + +import ( + proto "github.com/golang/protobuf/proto" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +var File_keto_acl_admin_v1alpha1_admin_service_proto protoreflect.FileDescriptor + +var file_keto_acl_admin_v1alpha1_admin_service_proto_rawDesc = []byte{ + 0x0a, 0x2b, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x61, 0x64, 0x6d, 0x69, 0x6e, + 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x5f, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17, 0x6b, + 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x2e, 0x76, 0x31, + 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x32, 0x0e, 0x0a, 0x0c, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x53, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x42, 0xa8, 0x01, 0x0a, 0x1e, 0x73, 0x68, 0x2e, 0x6f, 0x72, + 0x79, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x61, 0x64, 0x6d, 0x69, 0x6e, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x11, 0x41, 0x64, 0x6d, 0x69, 0x6e, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x35, + 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x72, 0x79, 0x2f, 0x6b, + 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x70, 
0x69, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, + 0x2f, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, + 0x61, 0x64, 0x6d, 0x69, 0x6e, 0xaa, 0x02, 0x1b, 0x4f, 0x72, 0x79, 0x2e, 0x4b, 0x65, 0x74, 0x6f, + 0x2e, 0x41, 0x63, 0x6c, 0x2e, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x2e, 0x56, 0x31, 0x41, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0xca, 0x02, 0x1b, 0x4f, 0x72, 0x79, 0x5c, 0x4b, 0x65, 0x74, 0x6f, 0x5c, 0x41, + 0x63, 0x6c, 0x5c, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var file_keto_acl_admin_v1alpha1_admin_service_proto_goTypes = []interface{}{} +var file_keto_acl_admin_v1alpha1_admin_service_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_keto_acl_admin_v1alpha1_admin_service_proto_init() } +func file_keto_acl_admin_v1alpha1_admin_service_proto_init() { + if File_keto_acl_admin_v1alpha1_admin_service_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_keto_acl_admin_v1alpha1_admin_service_proto_rawDesc, + NumEnums: 0, + NumMessages: 0, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_keto_acl_admin_v1alpha1_admin_service_proto_goTypes, + DependencyIndexes: file_keto_acl_admin_v1alpha1_admin_service_proto_depIdxs, + }.Build() + File_keto_acl_admin_v1alpha1_admin_service_proto = out.File + file_keto_acl_admin_v1alpha1_admin_service_proto_rawDesc = nil + file_keto_acl_admin_v1alpha1_admin_service_proto_goTypes = nil + file_keto_acl_admin_v1alpha1_admin_service_proto_depIdxs = nil +} 
diff --git a/api/keto/acl/admin/v1alpha1/admin_service.proto b/api/keto/acl/admin/v1alpha1/admin_service.proto
new file mode 100644
index 000000000..2273a65b3
--- /dev/null
+++ b/api/keto/acl/admin/v1alpha1/admin_service.proto
@@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package keto.acl.admin.v1alpha1;
+
+option go_package = "github.com/ory/keto/api/keto/acl/admin/v1alpha1;admin";
+option csharp_namespace = "Ory.Keto.Acl.Admin.V1Alpha1";
+option java_multiple_files = true;
+option java_outer_classname = "AdminServiceProto";
+option java_package = "sh.ory.keto.acl.admin.v1alpha1";
+option php_namespace = "Ory\\Keto\\Acl\\Admin\\V1alpha1";
+
+// The admin service for administrative tasks in the ACL system.
+service AdminService {
+  // ...RPCs are coming here in (near) future...
+}
+
diff --git a/api/keto/acl/admin/v1alpha1/admin_service_grpc.pb.go b/api/keto/acl/admin/v1alpha1/admin_service_grpc.pb.go
new file mode 100644
index 000000000..6b06582e2
--- /dev/null
+++ b/api/keto/acl/admin/v1alpha1/admin_service_grpc.pb.go
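Review bot: The doc comment on `AdminService` says only that it is for administrative tasks; since the README added in this commit scopes it to namespace config management and cluster statistics, the comment should state that this is a privileged API so that implementers and deployers do not expose it by default on the same listener as the base read/check API, e.g. `// AdminService exposes privileged operations (namespace config, cluster statistics). Deployments are expected to restrict access to operators.` The service declares no RPCs yet, so the generated `_AdminService_serviceDesc` registers an empty method set; a `// TODO(<tracking-issue>): admin RPCs` pointing at the issue would be clearer than `...RPCs are coming here in (near) future...`.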
@@ -0,0 +1,54 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package admin + +import ( + grpc "google.golang.org/grpc" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion7 + +// AdminServiceClient is the client API for AdminService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type AdminServiceClient interface { +} + +type adminServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewAdminServiceClient(cc grpc.ClientConnInterface) AdminServiceClient { + return &adminServiceClient{cc} +} + +// AdminServiceServer is the server API for AdminService service. +// All implementations should embed UnimplementedAdminServiceServer +// for forward compatibility +type AdminServiceServer interface { +} + +// UnimplementedAdminServiceServer should be embedded to have forward compatible implementations. +type UnimplementedAdminServiceServer struct { +} + +// UnsafeAdminServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to AdminServiceServer will +// result in compilation errors. +type UnsafeAdminServiceServer interface { + mustEmbedUnimplementedAdminServiceServer() +} + +func RegisterAdminServiceServer(s grpc.ServiceRegistrar, srv AdminServiceServer) { + s.RegisterService(&_AdminService_serviceDesc, srv) +} + +var _AdminService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "keto.acl.admin.v1alpha1.AdminService", + HandlerType: (*AdminServiceServer)(nil), + Methods: []grpc.MethodDesc{}, + Streams: []grpc.StreamDesc{}, + Metadata: "keto/acl/admin/v1alpha1/admin_service.proto", +} 
diff --git a/api/keto/acl/node/v1alpha1/node_service.pb.go b/api/keto/acl/node/v1alpha1/node_service.pb.go
new file mode 100644
index 000000000..72ba49ad0
--- /dev/null
+++ b/api/keto/acl/node/v1alpha1/node_service.pb.go
@@ -0,0 +1,79 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.13.0 +// source: keto/acl/node/v1alpha1/node_service.proto + +package node + +import ( + proto "github.com/golang/protobuf/proto" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +var File_keto_acl_node_v1alpha1_node_service_proto protoreflect.FileDescriptor + +var file_keto_acl_node_v1alpha1_node_service_proto_rawDesc = []byte{ + 0x0a, 0x29, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x73, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x6b, 0x65, 0x74, + 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x6e, 0x6f, 0x64, 0x65, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x32, 0x0d, 0x0a, 0x0b, 0x4e, 0x6f, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x42, 0xa2, 0x01, 0x0a, 0x1d, 0x73, 0x68, 0x2e, 0x6f, 0x72, 0x79, 0x2e, 0x6b, 0x65, + 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x6e, 0x6f, 0x64, 0x65, 0x2e, 0x76, 0x31, 0x61, 0x6c, + 0x70, 0x68, 0x61, 0x31, 0x42, 0x10, 0x4e, 0x6f, 0x64, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x33, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x72, 0x79, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x70, + 0x69, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 
0x61, 0x63, 0x6c, 0x2f, 0x6e, 0x6f, 0x64, 0x65, 0x2f, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x6e, 0x6f, 0x64, 0x65, 0xaa, 0x02, 0x1a, + 0x4f, 0x72, 0x79, 0x2e, 0x4b, 0x65, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x6c, 0x2e, 0x4e, 0x6f, 0x64, + 0x65, 0x2e, 0x56, 0x31, 0x41, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x1a, 0x4f, 0x72, 0x79, + 0x5c, 0x4b, 0x65, 0x74, 0x6f, 0x5c, 0x41, 0x63, 0x6c, 0x5c, 0x4e, 0x6f, 0x64, 0x65, 0x5c, 0x56, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var file_keto_acl_node_v1alpha1_node_service_proto_goTypes = []interface{}{} +var file_keto_acl_node_v1alpha1_node_service_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_keto_acl_node_v1alpha1_node_service_proto_init() } +func file_keto_acl_node_v1alpha1_node_service_proto_init() { + if File_keto_acl_node_v1alpha1_node_service_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_keto_acl_node_v1alpha1_node_service_proto_rawDesc, + NumEnums: 0, + NumMessages: 0, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_keto_acl_node_v1alpha1_node_service_proto_goTypes, + DependencyIndexes: file_keto_acl_node_v1alpha1_node_service_proto_depIdxs, + }.Build() + File_keto_acl_node_v1alpha1_node_service_proto = out.File + file_keto_acl_node_v1alpha1_node_service_proto_rawDesc = nil + file_keto_acl_node_v1alpha1_node_service_proto_goTypes = nil + file_keto_acl_node_v1alpha1_node_service_proto_depIdxs = nil +} 
diff --git a/api/keto/acl/node/v1alpha1/node_service.proto b/api/keto/acl/node/v1alpha1/node_service.proto
new file mode 100644
index 000000000..00db52aa9
--- /dev/null
+++ b/api/keto/acl/node/v1alpha1/node_service.proto
@@ -0,0 +1,28 @@
+syntax = "proto3";
+
+package keto.acl.node.v1alpha1;
+
+option go_package = "github.com/ory/keto/api/keto/acl/node/v1alpha1;node";
+option csharp_namespace = "Ory.Keto.Acl.Node.V1Alpha1";
+option java_multiple_files = true;
+option java_outer_classname = "NodeServiceProto";
+option java_package = "sh.ory.keto.acl.node.v1alpha1";
+option php_namespace = "Ory\\Keto\\Acl\\Node\\V1alpha1";
+
+// The internal service for intercommunication
+// between ACL servers in a cluster.
+//
+// Implementing this service principally allows any program
+// in the network to participate as a node in an ACL cluster.
+service NodeService {
+  // ...RPCs for inter-node-communication are coming here...
+  //
+  // e.g.:
+  // - the expand API to load off deep checks to other nodes
+  // - we can attach meta to CheckResponses to gain greater knowledge of relationships
+  //   and measure statistics to integrate with Prometheus and Grafana
+  // - schema node election
+  // - replace groupcache's normal http server with protobuf grpc protocol!!!
+  // - https://github.com/mailgun/groupcache/blob/8672aac324c41ba3909ad69e1a76b678894d378b/http.go#L160
+}
+
diff --git a/api/keto/acl/node/v1alpha1/node_service_grpc.pb.go b/api/keto/acl/node/v1alpha1/node_service_grpc.pb.go
new file mode 100644
index 000000000..bffeae44c
--- /dev/null
+++ b/api/keto/acl/node/v1alpha1/node_service_grpc.pb.go
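Review bot: The service comment `Implementing this service principally allows any program in the network to participate as a node in an ACL cluster` reads as if cluster membership is open to any network peer; if node-to-node calls are meant to be authenticated (the commit does not say either way), the comment should say so, e.g. `// Nodes must be authenticated by the cluster before taking part; the mechanism is not yet defined in this API.` The bullet list inside the service body (the `!!!`, the pinned groupcache `http.go#L160` link) is design brainstorming that will be copied into every generated stub and rendered API doc; moving it to a tracking issue and leaving a one-line `// TODO(<tracking-issue>): inter-node RPCs` keeps the public definition tidy.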
@@ -0,0 +1,54 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package node + +import ( + grpc "google.golang.org/grpc" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion7 + +// NodeServiceClient is the client API for NodeService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type NodeServiceClient interface { +} + +type nodeServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewNodeServiceClient(cc grpc.ClientConnInterface) NodeServiceClient { + return &nodeServiceClient{cc} +} + +// NodeServiceServer is the server API for NodeService service. +// All implementations should embed UnimplementedNodeServiceServer +// for forward compatibility +type NodeServiceServer interface { +} + +// UnimplementedNodeServiceServer should be embedded to have forward compatible implementations. +type UnimplementedNodeServiceServer struct { +} + +// UnsafeNodeServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to NodeServiceServer will +// result in compilation errors. +type UnsafeNodeServiceServer interface { + mustEmbedUnimplementedNodeServiceServer() +} + +func RegisterNodeServiceServer(s grpc.ServiceRegistrar, srv NodeServiceServer) { + s.RegisterService(&_NodeService_serviceDesc, srv) +} + +var _NodeService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "keto.acl.node.v1alpha1.NodeService", + HandlerType: (*NodeServiceServer)(nil), + Methods: []grpc.MethodDesc{}, + Streams: []grpc.StreamDesc{}, + Metadata: "keto/acl/node/v1alpha1/node_service.proto", +} diff --git a/api/keto/acl/v1alpha1/acl.pb.go b/api/keto/acl/v1alpha1/acl.pb.go new file mode 100644 index 000000000..e4ffe1730 --- /dev/null 
+++ b/api/keto/acl/v1alpha1/acl.pb.go 
@@ -0,0 +1,399 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.13.0 +// source: keto/acl/v1alpha1/acl.proto + +package acl + +import ( + proto "github.com/golang/protobuf/proto" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +// RelationTuple relates an Object with a Subject. +// +// While a tuple reflects a relationship between Object +// and Subject, they do not completely define the effective ACLs. +type RelationTuple struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The namespace this relation tuple lives in. + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + // The object related by this tuple. + // It is naturally in the namespace of the tuple. + Object string `protobuf:"bytes,2,opt,name=object,proto3" json:"object,omitempty"` + // The relation between an Object and a Subject. + Relation string `protobuf:"bytes,3,opt,name=relation,proto3" json:"relation,omitempty"` + // The subject related by this tuple. + // A Subject either represents a concrete subject id or + // a SubjectSet that expands to more Subjects. 
+ Subject *Subject `protobuf:"bytes,4,opt,name=subject,proto3" json:"subject,omitempty"` +} + +func (x *RelationTuple) Reset() { + *x = RelationTuple{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_acl_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RelationTuple) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RelationTuple) ProtoMessage() {} + +func (x *RelationTuple) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_acl_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RelationTuple.ProtoReflect.Descriptor instead. +func (*RelationTuple) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_acl_proto_rawDescGZIP(), []int{0} +} + +func (x *RelationTuple) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *RelationTuple) GetObject() string { + if x != nil { + return x.Object + } + return "" +} + +func (x *RelationTuple) GetRelation() string { + if x != nil { + return x.Relation + } + return "" +} + +func (x *RelationTuple) GetSubject() *Subject { + if x != nil { + return x.Subject + } + return nil +} + +// Subject is either a concrete subject id or +// a subject set expanding to more Subjects. +type Subject struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The reference of this abstract subject. 
+ // + // Types that are assignable to Ref: + // *Subject_Id + // *Subject_Set + Ref isSubject_Ref `protobuf_oneof:"ref"` +} + +func (x *Subject) Reset() { + *x = Subject{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_acl_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Subject) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Subject) ProtoMessage() {} + +func (x *Subject) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_acl_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Subject.ProtoReflect.Descriptor instead. +func (*Subject) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_acl_proto_rawDescGZIP(), []int{1} +} + +func (m *Subject) GetRef() isSubject_Ref { + if m != nil { + return m.Ref + } + return nil +} + +func (x *Subject) GetId() string { + if x, ok := x.GetRef().(*Subject_Id); ok { + return x.Id + } + return "" +} + +func (x *Subject) GetSet() *SubjectSet { + if x, ok := x.GetRef().(*Subject_Set); ok { + return x.Set + } + return nil +} + +type isSubject_Ref interface { + isSubject_Ref() +} + +type Subject_Id struct { + // A concrete id of the subject. + Id string `protobuf:"bytes,1,opt,name=id,proto3,oneof"` +} + +type Subject_Set struct { + // A subject set that expands to more Subjects + // (used for inheritance). + Set *SubjectSet `protobuf:"bytes,2,opt,name=set,proto3,oneof"` +} + +func (*Subject_Id) isSubject_Ref() {} + +func (*Subject_Set) isSubject_Ref() {} + +// SubjectSet refers to all subjects which have +// the same `relation` to an `object`. +// It is also used for inheritance. 
+type SubjectSet struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The namespace of the object and relation + // referenced in this subject set. + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + // The object selected by the subjects. + Object string `protobuf:"bytes,2,opt,name=object,proto3" json:"object,omitempty"` + // The relation to the object by the subjects. + Relation string `protobuf:"bytes,3,opt,name=relation,proto3" json:"relation,omitempty"` +} + +func (x *SubjectSet) Reset() { + *x = SubjectSet{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_acl_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubjectSet) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubjectSet) ProtoMessage() {} + +func (x *SubjectSet) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_acl_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubjectSet.ProtoReflect.Descriptor instead. 
+func (*SubjectSet) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_acl_proto_rawDescGZIP(), []int{2} +} + +func (x *SubjectSet) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *SubjectSet) GetObject() string { + if x != nil { + return x.Object + } + return "" +} + +func (x *SubjectSet) GetRelation() string { + if x != nil { + return x.Relation + } + return "" +} + +var File_keto_acl_v1alpha1_acl_proto protoreflect.FileDescriptor + +var file_keto_acl_v1alpha1_acl_proto_rawDesc = []byte{ + 0x0a, 0x1b, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2f, 0x61, 0x63, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x6b, + 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x22, 0x97, 0x01, 0x0a, 0x0d, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, + 0x6c, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, + 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x06, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x6c, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x6c, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x22, 0x55, 0x0a, 0x07, 0x53, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x10, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x48, 0x00, 0x52, 0x02, 0x69, 0x64, 0x12, 0x31, 0x0a, 0x03, 0x73, 
0x65, 0x74, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x03, 0x73, 0x65, 0x74, 0x42, 0x05, 0x0a, 0x03, 0x72, 0x65, + 0x66, 0x22, 0x5e, 0x0a, 0x0a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x53, 0x65, 0x74, 0x12, + 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x16, 0x0a, + 0x06, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6f, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x42, 0x85, 0x01, 0x0a, 0x18, 0x73, 0x68, 0x2e, 0x6f, 0x72, 0x79, 0x2e, 0x6b, 0x65, 0x74, + 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x08, + 0x41, 0x63, 0x6c, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2d, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x72, 0x79, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x61, 0x63, 0x6c, 0xaa, 0x02, 0x15, 0x4f, 0x72, 0x79, 0x2e, + 0x4b, 0x65, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x6c, 0x2e, 0x56, 0x31, 0x41, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0xca, 0x02, 0x15, 0x4f, 0x72, 0x79, 0x5c, 0x4b, 0x65, 0x74, 0x6f, 0x5c, 0x41, 0x63, 0x6c, + 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, +} + +var ( + file_keto_acl_v1alpha1_acl_proto_rawDescOnce sync.Once + file_keto_acl_v1alpha1_acl_proto_rawDescData = file_keto_acl_v1alpha1_acl_proto_rawDesc +) + +func 
file_keto_acl_v1alpha1_acl_proto_rawDescGZIP() []byte { + file_keto_acl_v1alpha1_acl_proto_rawDescOnce.Do(func() { + file_keto_acl_v1alpha1_acl_proto_rawDescData = protoimpl.X.CompressGZIP(file_keto_acl_v1alpha1_acl_proto_rawDescData) + }) + return file_keto_acl_v1alpha1_acl_proto_rawDescData +} + +var file_keto_acl_v1alpha1_acl_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_keto_acl_v1alpha1_acl_proto_goTypes = []interface{}{ + (*RelationTuple)(nil), // 0: keto.acl.v1alpha1.RelationTuple + (*Subject)(nil), // 1: keto.acl.v1alpha1.Subject + (*SubjectSet)(nil), // 2: keto.acl.v1alpha1.SubjectSet +} +var file_keto_acl_v1alpha1_acl_proto_depIdxs = []int32{ + 1, // 0: keto.acl.v1alpha1.RelationTuple.subject:type_name -> keto.acl.v1alpha1.Subject + 2, // 1: keto.acl.v1alpha1.Subject.set:type_name -> keto.acl.v1alpha1.SubjectSet + 2, // [2:2] is the sub-list for method output_type + 2, // [2:2] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_keto_acl_v1alpha1_acl_proto_init() } +func file_keto_acl_v1alpha1_acl_proto_init() { + if File_keto_acl_v1alpha1_acl_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_keto_acl_v1alpha1_acl_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RelationTuple); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keto_acl_v1alpha1_acl_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Subject); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keto_acl_v1alpha1_acl_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubjectSet); i { + case 0: + return &v.state + 
case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + file_keto_acl_v1alpha1_acl_proto_msgTypes[1].OneofWrappers = []interface{}{ + (*Subject_Id)(nil), + (*Subject_Set)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_keto_acl_v1alpha1_acl_proto_rawDesc, + NumEnums: 0, + NumMessages: 3, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_keto_acl_v1alpha1_acl_proto_goTypes, + DependencyIndexes: file_keto_acl_v1alpha1_acl_proto_depIdxs, + MessageInfos: file_keto_acl_v1alpha1_acl_proto_msgTypes, + }.Build() + File_keto_acl_v1alpha1_acl_proto = out.File + file_keto_acl_v1alpha1_acl_proto_rawDesc = nil + file_keto_acl_v1alpha1_acl_proto_goTypes = nil + file_keto_acl_v1alpha1_acl_proto_depIdxs = nil +} diff --git a/api/keto/acl/v1alpha1/acl.proto b/api/keto/acl/v1alpha1/acl.proto new file mode 100644 index 000000000..89ac980a7 --- /dev/null +++ b/api/keto/acl/v1alpha1/acl.proto 
@@ -0,0 +1,55 @@
+syntax = "proto3";
+
+package keto.acl.v1alpha1;
+
+option go_package = "github.com/ory/keto/api/keto/acl/v1alpha1;acl";
+option csharp_namespace = "Ory.Keto.Acl.V1Alpha1";
+option java_multiple_files = true;
+option java_outer_classname = "AclProto";
+option java_package = "sh.ory.keto.acl.v1alpha1";
+option php_namespace = "Ory\\Keto\\Acl\\V1alpha1";
+
+
+// RelationTuple relates an Object with a Subject.
+//
+// While a tuple reflects a relationship between Object
+// and Subject, they do not completely define the effective ACLs.
+message RelationTuple {
+  // The namespace this relation tuple lives in.
+  string namespace = 1;
+  // The object related by this tuple.
+  // It is naturally in the namespace of the tuple.
+  string object = 2;
+  // The relation between an Object and a Subject.
+  string relation = 3;
+  // The subject related by this tuple.
+  // A Subject either represents a concrete subject id or
+  // a SubjectSet that expands to more Subjects.
+  Subject subject = 4;
+}
+
+// Subject is either a concrete subject id or
+// a subject set expanding to more Subjects.
+message Subject {
+  // The reference of this abstract subject.
+  oneof ref {
+    // A concrete id of the subject.
+    string id = 1;
+    // A subject set that expands to more Subjects
+    // (used for inheritance).
+    SubjectSet set = 2;
+  }
+}
+
+// SubjectSet refers to all subjects which have
+// the same `relation` to an `object`.
+// It is also used for inheritance.
+message SubjectSet {
+  // The namespace of the object and relation
+  // referenced in this subject set.
+  string namespace = 1;
+  // The object selected by the subjects.
+  string object = 2;
+  // The relation to the object by the subjects.
+  string relation = 3;
+}
diff --git a/api/keto/acl/v1alpha1/check_service.pb.go b/api/keto/acl/v1alpha1/check_service.pb.go
new file mode 100644
index 000000000..07623835d
--- /dev/null
+++ b/api/keto/acl/v1alpha1/check_service.pb.go
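Review bot: `Subject.ref` is a `oneof`, so a `Subject` with neither `id` nor `set` is a valid wire message, and a `RelationTuple` whose `subject` is unset or empty can be encoded; the comments do not say whether such a tuple is rejected or how it is interpreted, and every consumer (write and check paths) will need that rule. Suggest `// Exactly one of id or set must be set; a Subject with neither is invalid.` on the `oneof` and a matching note on `RelationTuple.subject`, assuming that is the intended semantics — the commit does not state it. The same question applies to empty `namespace`/`object`/`relation` strings, which proto3 cannot distinguish from unset. The two consecutive blank lines after `php_namespace` are a minor formatting nit.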
@@ -0,0 +1,348 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.13.0 +// source: keto/acl/v1alpha1/check_service.proto + +package acl + +import ( + proto "github.com/golang/protobuf/proto" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +// The request for a CheckService.Check rpc. +// Checks whether a specific subject is related to an object. +type CheckRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The namespace to evaluate the check. + // + // Note: If you use the expand API and the check + // evaluates a RelationTuple specifying a SubjectSet as + // subject or due to a rewrite rule in a namespace config + // this check request may involve other namespaces automatically. + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + // The related object in this check. + Object string `protobuf:"bytes,2,opt,name=object,proto3" json:"object,omitempty"` + // The relation between the Object and the Subject. + Relation string `protobuf:"bytes,3,opt,name=relation,proto3" json:"relation,omitempty"` + // The related subject to check against. 
+ Subject *Subject `protobuf:"bytes,4,opt,name=subject,proto3" json:"subject,omitempty"` + // Set this field to `true` in case your application + // needs to authorize depending on up to date ACLs, + // also called a "content-change check". + // + // If set to `true` the `snaptoken` field is ignored, + // the check is evaluated at the latest snapshot + // (globally consistent) and the response includes a + // snaptoken for clients to store along with object + // contents that can be used for subsequent checks + // of the same content version. + // + // Example use case: + // - You need to authorize a user to modify/delete some resource + // and it is unacceptable that if the permission to do that had + // just been revoked some seconds ago so that the change had not + // yet been fully replicated to all availability zones. + Latest bool `protobuf:"varint,5,opt,name=latest,proto3" json:"latest,omitempty"` + // Optional. Like reads, a check is always evaluated at a + // consistent snapshot no earlier than the given snaptoken. + // + // Leave this field blank if you want to evaluate the check + // based on eventually consistent ACLs, benefiting from very + // low latency, but possibly slightly stale results. + // + // If the specified token is too old and no longer known, + // the server falls back as if no snaptoken had been specified. + // + // If not specified the server tries to evaluate the check + // on the best snapshot version where it is very likely that + // ACLs had already been replicated to all availability zones. 
+ Snaptoken string `protobuf:"bytes,6,opt,name=snaptoken,proto3" json:"snaptoken,omitempty"` +} + +func (x *CheckRequest) Reset() { + *x = CheckRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_check_service_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CheckRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CheckRequest) ProtoMessage() {} + +func (x *CheckRequest) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_check_service_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CheckRequest.ProtoReflect.Descriptor instead. +func (*CheckRequest) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_check_service_proto_rawDescGZIP(), []int{0} +} + +func (x *CheckRequest) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *CheckRequest) GetObject() string { + if x != nil { + return x.Object + } + return "" +} + +func (x *CheckRequest) GetRelation() string { + if x != nil { + return x.Relation + } + return "" +} + +func (x *CheckRequest) GetSubject() *Subject { + if x != nil { + return x.Subject + } + return nil +} + +func (x *CheckRequest) GetLatest() bool { + if x != nil { + return x.Latest + } + return false +} + +func (x *CheckRequest) GetSnaptoken() string { + if x != nil { + return x.Snaptoken + } + return "" +} + +// The response for a CheckService.Check rpc. +type CheckResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Whether the specified subject (id) + // is related to the requested object. + // + // It is false by default if no ACL matches. 
+ Allowed bool `protobuf:"varint,1,opt,name=allowed,proto3" json:"allowed,omitempty"` + // The last known snapshot token ONLY specified if + // the request had not specified a snaptoken, + // since this performed a "content-change request" + // and consistently fetched the last known snapshot token. + // + // This field is not set if the request had specified a snaptoken! + // + // If set, clients should cache and use this token + // for subsequent requests to have minimal latency, + // but allow slightly stale responses (only some milliseconds or seconds). + Snaptoken string `protobuf:"bytes,2,opt,name=snaptoken,proto3" json:"snaptoken,omitempty"` +} + +func (x *CheckResponse) Reset() { + *x = CheckResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_check_service_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CheckResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CheckResponse) ProtoMessage() {} + +func (x *CheckResponse) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_check_service_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CheckResponse.ProtoReflect.Descriptor instead. 
+func (*CheckResponse) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_check_service_proto_rawDescGZIP(), []int{1} +} + +func (x *CheckResponse) GetAllowed() bool { + if x != nil { + return x.Allowed + } + return false +} + +func (x *CheckResponse) GetSnaptoken() string { + if x != nil { + return x.Snaptoken + } + return "" +} + +var File_keto_acl_v1alpha1_check_service_proto protoreflect.FileDescriptor + +var file_keto_acl_v1alpha1_check_service_proto_rawDesc = []byte{ + 0x0a, 0x25, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2f, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, + 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1b, 0x6b, 0x65, 0x74, 0x6f, + 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x61, 0x63, + 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcc, 0x01, 0x0a, 0x0c, 0x43, 0x68, 0x65, 0x63, + 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, + 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, + 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x1a, + 0x0a, 0x08, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x08, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x73, 0x75, + 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x65, + 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, + 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x61, 
0x74, 0x65, 0x73, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x06, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x6e, 0x61, 0x70, + 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x6e, 0x61, + 0x70, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x47, 0x0a, 0x0d, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x6c, 0x6c, 0x6f, 0x77, + 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, + 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x6e, 0x61, 0x70, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x6e, 0x61, 0x70, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x32, + 0x5a, 0x0a, 0x0c, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, + 0x4a, 0x0a, 0x05, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x1f, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, + 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x68, 0x65, + 0x63, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e, 0x6b, 0x65, 0x74, 0x6f, + 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x68, + 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x8e, 0x01, 0x0a, 0x18, + 0x73, 0x68, 0x2e, 0x6f, 0x72, 0x79, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x11, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x53, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2d, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x72, 0x79, 0x2f, 0x6b, 0x65, + 0x74, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x61, 0x63, 0x6c, 0xaa, 0x02, 0x15, 0x4f, + 0x72, 0x79, 0x2e, 0x4b, 0x65, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x6c, 0x2e, 
0x56, 0x31, 0x41, 0x6c, + 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x15, 0x4f, 0x72, 0x79, 0x5c, 0x4b, 0x65, 0x74, 0x6f, 0x5c, + 0x41, 0x63, 0x6c, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_keto_acl_v1alpha1_check_service_proto_rawDescOnce sync.Once + file_keto_acl_v1alpha1_check_service_proto_rawDescData = file_keto_acl_v1alpha1_check_service_proto_rawDesc +) + +func file_keto_acl_v1alpha1_check_service_proto_rawDescGZIP() []byte { + file_keto_acl_v1alpha1_check_service_proto_rawDescOnce.Do(func() { + file_keto_acl_v1alpha1_check_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_keto_acl_v1alpha1_check_service_proto_rawDescData) + }) + return file_keto_acl_v1alpha1_check_service_proto_rawDescData +} + +var file_keto_acl_v1alpha1_check_service_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_keto_acl_v1alpha1_check_service_proto_goTypes = []interface{}{ + (*CheckRequest)(nil), // 0: keto.acl.v1alpha1.CheckRequest + (*CheckResponse)(nil), // 1: keto.acl.v1alpha1.CheckResponse + (*Subject)(nil), // 2: keto.acl.v1alpha1.Subject +} +var file_keto_acl_v1alpha1_check_service_proto_depIdxs = []int32{ + 2, // 0: keto.acl.v1alpha1.CheckRequest.subject:type_name -> keto.acl.v1alpha1.Subject + 0, // 1: keto.acl.v1alpha1.CheckService.Check:input_type -> keto.acl.v1alpha1.CheckRequest + 1, // 2: keto.acl.v1alpha1.CheckService.Check:output_type -> keto.acl.v1alpha1.CheckResponse + 2, // [2:3] is the sub-list for method output_type + 1, // [1:2] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_keto_acl_v1alpha1_check_service_proto_init() } +func file_keto_acl_v1alpha1_check_service_proto_init() { + if File_keto_acl_v1alpha1_check_service_proto != nil { + return + } + file_keto_acl_v1alpha1_acl_proto_init() + if 
!protoimpl.UnsafeEnabled { + file_keto_acl_v1alpha1_check_service_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CheckRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keto_acl_v1alpha1_check_service_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CheckResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_keto_acl_v1alpha1_check_service_proto_rawDesc, + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_keto_acl_v1alpha1_check_service_proto_goTypes, + DependencyIndexes: file_keto_acl_v1alpha1_check_service_proto_depIdxs, + MessageInfos: file_keto_acl_v1alpha1_check_service_proto_msgTypes, + }.Build() + File_keto_acl_v1alpha1_check_service_proto = out.File + file_keto_acl_v1alpha1_check_service_proto_rawDesc = nil + file_keto_acl_v1alpha1_check_service_proto_goTypes = nil + file_keto_acl_v1alpha1_check_service_proto_depIdxs = nil +} diff --git a/api/keto/acl/v1alpha1/check_service.proto b/api/keto/acl/v1alpha1/check_service.proto new file mode 100644 index 000000000..d5a5563d8 --- /dev/null +++ b/api/keto/acl/v1alpha1/check_service.proto 
@@ -0,0 +1,88 @@
+syntax = "proto3";
+
+package keto.acl.v1alpha1;
+
+import "keto/acl/v1alpha1/acl.proto";
+
+option go_package = "github.com/ory/keto/api/keto/acl/v1alpha1;acl";
+option csharp_namespace = "Ory.Keto.Acl.V1Alpha1";
+option java_multiple_files = true;
+option java_outer_classname = "CheckServiceProto";
+option java_package = "sh.ory.keto.acl.v1alpha1";
+option php_namespace = "Ory\\Keto\\Acl\\V1alpha1";
+
+// The service that performs authorization checks
+// based on the stored Access Control Lists.
+service CheckService {
+ // Check performs an authorization check.
+ rpc Check(CheckRequest) returns (CheckResponse);
+}
+
+// The request for a CheckService.Check rpc.
+// Checks whether a specific subject is related to an object.
+message CheckRequest {
+ // The namespace to evaluate the check.
+ //
+ // Note: If you use the expand API and the check
+ // evaluates a RelationTuple specifying a SubjectSet as
+ // subject or due to a rewrite rule in a namespace config
+ // this check request may involve other namespaces automatically.
+ string namespace = 1;
+ // The related object in this check.
+ string object = 2;
+ // The relation between the Object and the Subject.
+ string relation = 3;
+ // The related subject to check against.
+ Subject subject = 4;
+ // Set this field to `true` in case your application
+ // needs to authorize depending on up to date ACLs,
+ // also called a "content-change check".
+ //
+ // If set to `true` the `snaptoken` field is ignored,
+ // the check is evaluated at the latest snapshot
+ // (globally consistent) and the response includes a
+ // snaptoken for clients to store along with object
+ // contents that can be used for subsequent checks
+ // of the same content version.
+ //
+ // Example use case:
+ // - You need to authorize a user to modify/delete some resource
+ // and it is unacceptable that if the permission to do that had
+ // just been revoked some seconds ago so that the change had not
+ // yet been fully replicated to all availability zones.
+ bool latest = 5;
+ // Optional. Like reads, a check is always evaluated at a
+ // consistent snapshot no earlier than the given snaptoken.
+ //
+ // Leave this field blank if you want to evaluate the check
+ // based on eventually consistent ACLs, benefiting from very
+ // low latency, but possibly slightly stale results.
+ //
+ // If the specified token is too old and no longer known,
+ // the server falls back as if no snaptoken had been specified.
+ //
+ // If not specified the server tries to evaluate the check
+ // on the best snapshot version where it is very likely that
+ // ACLs had already been replicated to all availability zones.
+ string snaptoken = 6;
+}
+
+// The response for a CheckService.Check rpc.
+message CheckResponse {
+ // Whether the specified subject (id)
+ // is related to the requested object.
+ //
+ // It is false by default if no ACL matches.
+ bool allowed = 1;
+ // The last known snapshot token ONLY specified if
+ // the request had not specified a snaptoken,
+ // since this performed a "content-change request"
+ // and consistently fetched the last known snapshot token.
+ //
+ // This field is not set if the request had specified a snaptoken!
+ //
+ // If set, clients should cache and use this token
+ // for subsequent requests to have minimal latency,
+ // but allow slightly stale responses (only some milliseconds or seconds).
+ string snaptoken = 2;
+}
diff --git a/api/keto/acl/v1alpha1/check_service_grpc.pb.go b/api/keto/acl/v1alpha1/check_service_grpc.pb.go
new file mode 100644
index 000000000..593b106e4
--- /dev/null
+++ b/api/keto/acl/v1alpha1/check_service_grpc.pb.go
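Review bot: The comments on `CheckRequest.latest` and `CheckResponse.snaptoken` disagree about when a token is returned: the request side says the response carries a snaptoken when `latest` is `true`, while the response side says it is set whenever the request had no snaptoken and calls that a "content-change request". A `latest=false` request with an empty `snaptoken` is the documented eventually-consistent path, so a client trusting the response comment would cache a token from a possibly stale read and use it as a content-version marker. I'd tie the response wording to the flag: `// Set only if the request had latest=true and was therefore evaluated at the latest snapshot.` Separately, none of `namespace`, `object`, `relation` or `subject` is marked Required, and for an authorization check the contract should say that an unset `subject` or empty `namespace` is rejected (INVALID_ARGUMENT) rather than evaluated, so a default-valued request cannot accidentally match tuples whose fields are empty.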
@@ -0,0 +1,97 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package acl + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion7 + +// CheckServiceClient is the client API for CheckService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type CheckServiceClient interface { + // Check performs an authorization check. + Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error) +} + +type checkServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewCheckServiceClient(cc grpc.ClientConnInterface) CheckServiceClient { + return &checkServiceClient{cc} +} + +func (c *checkServiceClient) Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error) { + out := new(CheckResponse) + err := c.cc.Invoke(ctx, "/keto.acl.v1alpha1.CheckService/Check", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// CheckServiceServer is the server API for CheckService service. +// All implementations should embed UnimplementedCheckServiceServer +// for forward compatibility +type CheckServiceServer interface { + // Check performs an authorization check. + Check(context.Context, *CheckRequest) (*CheckResponse, error) +} + +// UnimplementedCheckServiceServer should be embedded to have forward compatible implementations. 
+type UnimplementedCheckServiceServer struct { +} + +func (UnimplementedCheckServiceServer) Check(context.Context, *CheckRequest) (*CheckResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Check not implemented") +} + +// UnsafeCheckServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to CheckServiceServer will +// result in compilation errors. +type UnsafeCheckServiceServer interface { + mustEmbedUnimplementedCheckServiceServer() +} + +func RegisterCheckServiceServer(s grpc.ServiceRegistrar, srv CheckServiceServer) { + s.RegisterService(&_CheckService_serviceDesc, srv) +} + +func _CheckService_Check_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(CheckRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CheckServiceServer).Check(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/keto.acl.v1alpha1.CheckService/Check", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(CheckServiceServer).Check(ctx, req.(*CheckRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _CheckService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "keto.acl.v1alpha1.CheckService", + HandlerType: (*CheckServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Check", + Handler: _CheckService_Check_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "keto/acl/v1alpha1/check_service.proto", +} diff --git a/api/keto/acl/v1alpha1/read_service.pb.go b/api/keto/acl/v1alpha1/read_service.pb.go new file mode 100644 index 000000000..45e21e0cc --- /dev/null +++ b/api/keto/acl/v1alpha1/read_service.pb.go 
@@ -0,0 +1,440 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.13.0 +// source: keto/acl/v1alpha1/read_service.proto + +package acl + +import ( + proto "github.com/golang/protobuf/proto" + field_mask "google.golang.org/genproto/protobuf/field_mask" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +// Request for ReadService.ListRelationTuples rpc. +// See ListRelationTuplesRequest_Query for more querying details. +type ListRelationTuplesRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // All field constraints are concatenated + // with a logical AND operator. + // + // The RelationTuple list from ListRelationTuplesResponse + // is ordered from the newest RelationTuple to the oldest. + Query *ListRelationTuplesRequest_Query `protobuf:"bytes,1,opt,name=query,proto3" json:"query,omitempty"` + // Optional. The list of fields to be expanded + // in the RelationTuple list returned in `ListRelationTuplesResponse`. + // Leaving this field unspecified means all fields are expanded. + // + // Available fields: + // "object", "relation", "subject", + // "object.namespace","object.id", + // "subject.id", "subject.set" + ExpandMask *field_mask.FieldMask `protobuf:"bytes,2,opt,name=expand_mask,json=expandMask,proto3" json:"expand_mask,omitempty"` + // Optional. The snapshot token for this read. 
+ Snaptoken string `protobuf:"bytes,3,opt,name=snaptoken,proto3" json:"snaptoken,omitempty"` + // Optional. The maximum number of + // RelationTuples to return in the response. + PageSize int32 `protobuf:"varint,4,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"` + // Optional. A pagination token returned from + // a previous call to `ListRelationTuples` that + // indicates where this listing should continue from. + PageToken string `protobuf:"bytes,5,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"` +} + +func (x *ListRelationTuplesRequest) Reset() { + *x = ListRelationTuplesRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_read_service_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListRelationTuplesRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListRelationTuplesRequest) ProtoMessage() {} + +func (x *ListRelationTuplesRequest) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_read_service_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListRelationTuplesRequest.ProtoReflect.Descriptor instead. 
+func (*ListRelationTuplesRequest) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_read_service_proto_rawDescGZIP(), []int{0} +} + +func (x *ListRelationTuplesRequest) GetQuery() *ListRelationTuplesRequest_Query { + if x != nil { + return x.Query + } + return nil +} + +func (x *ListRelationTuplesRequest) GetExpandMask() *field_mask.FieldMask { + if x != nil { + return x.ExpandMask + } + return nil +} + +func (x *ListRelationTuplesRequest) GetSnaptoken() string { + if x != nil { + return x.Snaptoken + } + return "" +} + +func (x *ListRelationTuplesRequest) GetPageSize() int32 { + if x != nil { + return x.PageSize + } + return 0 +} + +func (x *ListRelationTuplesRequest) GetPageToken() string { + if x != nil { + return x.PageToken + } + return "" +} + +// The response of a ReadService.ListRelationTuples rpc. +type ListRelationTuplesResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The relation tuples matching the list request. + RelationTuples []*RelationTuple `protobuf:"bytes,1,rep,name=relation_tuples,json=relationTuples,proto3" json:"relation_tuples,omitempty"` + // Optional. A pagination token returned from a previous call to `ListRelationTuples` + // that indicates where this listing should continue from. + // + // All fields of the subsequent ListRelationTuplesRequest request + // using this `next_page_token` as the `page_token` are ignored and + // CAN be left blank, since the request's data is baked in this `next_page_token`. 
+ NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"` +} + +func (x *ListRelationTuplesResponse) Reset() { + *x = ListRelationTuplesResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_read_service_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListRelationTuplesResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListRelationTuplesResponse) ProtoMessage() {} + +func (x *ListRelationTuplesResponse) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_read_service_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListRelationTuplesResponse.ProtoReflect.Descriptor instead. +func (*ListRelationTuplesResponse) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_read_service_proto_rawDescGZIP(), []int{1} +} + +func (x *ListRelationTuplesResponse) GetRelationTuples() []*RelationTuple { + if x != nil { + return x.RelationTuples + } + return nil +} + +func (x *ListRelationTuplesResponse) GetNextPageToken() string { + if x != nil { + return x.NextPageToken + } + return "" +} + +// The query for listing relation tuples. +// Clients can specify any optional field to +// partially filter for specific relation tuples. +// +// Example use cases: +// - object only: display a list of all rules of one object +// - relation only: get all groups that have members; e.g. get all directories that have content +// - object & relation: display all subjects that have e.g. 
write relation +// - subject & relation: display all groups a subject belongs to/display all objects a subject has access to +// - object & relation & subject: check whether the relation tuple already exists, before writing it +// +type ListRelationTuplesRequest_Query struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Required. The namespace to query. + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` + // Optional. + Object string `protobuf:"bytes,2,opt,name=object,proto3" json:"object,omitempty"` + // Optional. + Relation string `protobuf:"bytes,3,opt,name=relation,proto3" json:"relation,omitempty"` + // Optional. + Subject *Subject `protobuf:"bytes,4,opt,name=subject,proto3" json:"subject,omitempty"` +} + +func (x *ListRelationTuplesRequest_Query) Reset() { + *x = ListRelationTuplesRequest_Query{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_read_service_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ListRelationTuplesRequest_Query) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ListRelationTuplesRequest_Query) ProtoMessage() {} + +func (x *ListRelationTuplesRequest_Query) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_read_service_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ListRelationTuplesRequest_Query.ProtoReflect.Descriptor instead. 
+func (*ListRelationTuplesRequest_Query) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_read_service_proto_rawDescGZIP(), []int{0, 0} +} + +func (x *ListRelationTuplesRequest_Query) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +func (x *ListRelationTuplesRequest_Query) GetObject() string { + if x != nil { + return x.Object + } + return "" +} + +func (x *ListRelationTuplesRequest_Query) GetRelation() string { + if x != nil { + return x.Relation + } + return "" +} + +func (x *ListRelationTuplesRequest_Query) GetSubject() *Subject { + if x != nil { + return x.Subject + } + return nil +} + +var File_keto_acl_v1alpha1_read_service_proto protoreflect.FileDescriptor + +var file_keto_acl_v1alpha1_read_service_proto_rawDesc = []byte{ + 0x0a, 0x24, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x61, 0x64, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1b, 0x6b, 0x65, 0x74, 0x6f, 0x2f, + 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x61, 0x63, 0x6c, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x6d, 0x61, + 0x73, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8e, 0x03, 0x0a, 0x19, 0x4c, 0x69, 0x73, + 0x74, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x48, 0x0a, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, + 0x6c, 0x61, 0x74, 0x69, 0x6f, 
0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x2e, 0x51, 0x75, 0x65, 0x72, 0x79, 0x52, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, + 0x12, 0x3b, 0x0a, 0x0b, 0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x5f, 0x6d, 0x61, 0x73, 0x6b, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, 0x65, 0x6c, 0x64, 0x4d, 0x61, 0x73, + 0x6b, 0x52, 0x0a, 0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x4d, 0x61, 0x73, 0x6b, 0x12, 0x1c, 0x0a, + 0x09, 0x73, 0x6e, 0x61, 0x70, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x09, 0x73, 0x6e, 0x61, 0x70, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1b, 0x0a, 0x09, 0x70, + 0x61, 0x67, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, 0x52, 0x08, + 0x70, 0x61, 0x67, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x65, + 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x61, + 0x67, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x1a, 0x8f, 0x01, 0x0a, 0x05, 0x51, 0x75, 0x65, 0x72, + 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, + 0x16, 0x0a, 0x06, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x06, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x6c, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x6c, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x22, 0x8f, 
0x01, 0x0a, 0x1a, 0x4c, 0x69, + 0x73, 0x74, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x49, 0x0a, 0x0f, 0x72, 0x65, 0x6c, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x20, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, + 0x70, 0x6c, 0x65, 0x52, 0x0e, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, + 0x6c, 0x65, 0x73, 0x12, 0x26, 0x0a, 0x0f, 0x6e, 0x65, 0x78, 0x74, 0x5f, 0x70, 0x61, 0x67, 0x65, + 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6e, 0x65, + 0x78, 0x74, 0x50, 0x61, 0x67, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x32, 0x80, 0x01, 0x0a, 0x0b, + 0x52, 0x65, 0x61, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x71, 0x0a, 0x12, 0x4c, + 0x69, 0x73, 0x74, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, + 0x73, 0x12, 0x2c, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x2d, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x8d, + 0x01, 0x0a, 0x18, 0x73, 0x68, 0x2e, 0x6f, 0x72, 0x79, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, + 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x10, 0x52, 0x65, 0x61, + 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, + 0x2d, 
0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x72, 0x79, 0x2f, + 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, + 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x61, 0x63, 0x6c, 0xaa, 0x02, + 0x15, 0x4f, 0x72, 0x79, 0x2e, 0x4b, 0x65, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x6c, 0x2e, 0x56, 0x31, + 0x41, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x15, 0x4f, 0x72, 0x79, 0x5c, 0x4b, 0x65, 0x74, + 0x6f, 0x5c, 0x41, 0x63, 0x6c, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_keto_acl_v1alpha1_read_service_proto_rawDescOnce sync.Once + file_keto_acl_v1alpha1_read_service_proto_rawDescData = file_keto_acl_v1alpha1_read_service_proto_rawDesc +) + +func file_keto_acl_v1alpha1_read_service_proto_rawDescGZIP() []byte { + file_keto_acl_v1alpha1_read_service_proto_rawDescOnce.Do(func() { + file_keto_acl_v1alpha1_read_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_keto_acl_v1alpha1_read_service_proto_rawDescData) + }) + return file_keto_acl_v1alpha1_read_service_proto_rawDescData +} + +var file_keto_acl_v1alpha1_read_service_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_keto_acl_v1alpha1_read_service_proto_goTypes = []interface{}{ + (*ListRelationTuplesRequest)(nil), // 0: keto.acl.v1alpha1.ListRelationTuplesRequest + (*ListRelationTuplesResponse)(nil), // 1: keto.acl.v1alpha1.ListRelationTuplesResponse + (*ListRelationTuplesRequest_Query)(nil), // 2: keto.acl.v1alpha1.ListRelationTuplesRequest.Query + (*field_mask.FieldMask)(nil), // 3: google.protobuf.FieldMask + (*RelationTuple)(nil), // 4: keto.acl.v1alpha1.RelationTuple + (*Subject)(nil), // 5: keto.acl.v1alpha1.Subject +} +var file_keto_acl_v1alpha1_read_service_proto_depIdxs = []int32{ + 2, // 0: keto.acl.v1alpha1.ListRelationTuplesRequest.query:type_name -> keto.acl.v1alpha1.ListRelationTuplesRequest.Query + 3, // 1: 
keto.acl.v1alpha1.ListRelationTuplesRequest.expand_mask:type_name -> google.protobuf.FieldMask + 4, // 2: keto.acl.v1alpha1.ListRelationTuplesResponse.relation_tuples:type_name -> keto.acl.v1alpha1.RelationTuple + 5, // 3: keto.acl.v1alpha1.ListRelationTuplesRequest.Query.subject:type_name -> keto.acl.v1alpha1.Subject + 0, // 4: keto.acl.v1alpha1.ReadService.ListRelationTuples:input_type -> keto.acl.v1alpha1.ListRelationTuplesRequest + 1, // 5: keto.acl.v1alpha1.ReadService.ListRelationTuples:output_type -> keto.acl.v1alpha1.ListRelationTuplesResponse + 5, // [5:6] is the sub-list for method output_type + 4, // [4:5] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, // [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name +} + +func init() { file_keto_acl_v1alpha1_read_service_proto_init() } +func file_keto_acl_v1alpha1_read_service_proto_init() { + if File_keto_acl_v1alpha1_read_service_proto != nil { + return + } + file_keto_acl_v1alpha1_acl_proto_init() + if !protoimpl.UnsafeEnabled { + file_keto_acl_v1alpha1_read_service_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListRelationTuplesRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keto_acl_v1alpha1_read_service_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListRelationTuplesResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keto_acl_v1alpha1_read_service_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ListRelationTuplesRequest_Query); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := 
protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_keto_acl_v1alpha1_read_service_proto_rawDesc, + NumEnums: 0, + NumMessages: 3, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_keto_acl_v1alpha1_read_service_proto_goTypes, + DependencyIndexes: file_keto_acl_v1alpha1_read_service_proto_depIdxs, + MessageInfos: file_keto_acl_v1alpha1_read_service_proto_msgTypes, + }.Build() + File_keto_acl_v1alpha1_read_service_proto = out.File + file_keto_acl_v1alpha1_read_service_proto_rawDesc = nil + file_keto_acl_v1alpha1_read_service_proto_goTypes = nil + file_keto_acl_v1alpha1_read_service_proto_depIdxs = nil +} diff --git a/api/keto/acl/v1alpha1/read_service.proto b/api/keto/acl/v1alpha1/read_service.proto new file mode 100644 index 000000000..d4c22271c --- /dev/null +++ b/api/keto/acl/v1alpha1/read_service.proto 
@@ -0,0 +1,82 @@
+syntax = "proto3";
+
+package keto.acl.v1alpha1;
+
+import "keto/acl/v1alpha1/acl.proto";
+import "google/protobuf/field_mask.proto";
+
+option go_package = "github.com/ory/keto/api/keto/acl/v1alpha1;acl";
+option csharp_namespace = "Ory.Keto.Acl.V1Alpha1";
+option java_multiple_files = true;
+option java_outer_classname = "ReadServiceProto";
+option java_package = "sh.ory.keto.acl.v1alpha1";
+option php_namespace = "Ory\\Keto\\Acl\\V1alpha1";
+
+// The service to query Access Control Lists.
+service ReadService {
+ // Lists ACL relation tuples.
+ rpc ListRelationTuples(ListRelationTuplesRequest) returns (ListRelationTuplesResponse);
+}
+
+// Request for ReadService.ListRelationTuples rpc.
+// See ListRelationTuplesRequest_Query for more querying details.
+message ListRelationTuplesRequest {
+ // The query for listing relation tuples.
+ // Clients can specify any optional field to
+ // partially filter for specific relation tuples.
+ //
+ // Example use cases:
+ // - object only: display a list of all rules of one object
+ // - relation only: get all groups that have members; e.g. get all directories that have content
+ // - object & relation: display all subjects that have e.g. write relation
+ // - subject & relation: display all groups a subject belongs to/display all objects a subject has access to
+ // - object & relation & subject: check whether the relation tuple already exists, before writing it
+ //
+ message Query {
+ // Required. The namespace to query.
+ string namespace = 1;
+ // Optional.
+ string object = 2;
+ // Optional.
+ string relation = 3;
+ // Optional.
+ Subject subject = 4;
+ }
+ // All field constraints are concatenated
+ // with a logical AND operator.
+ //
+ // The RelationTuple list from ListRelationTuplesResponse
+ // is ordered from the newest RelationTuple to the oldest.
+ Query query = 1;
+ // Optional. The list of fields to be expanded
+ // in the RelationTuple list returned in `ListRelationTuplesResponse`.
+ // Leaving this field unspecified means all fields are expanded.
+ //
+ // Available fields:
+ // "object", "relation", "subject",
+ // "namespace", "subject.id", "subject.namespace",
+ // "subject.object", "subject.relation"
+ google.protobuf.FieldMask expand_mask = 2;
+ // Optional. The snapshot token for this read.
+ string snaptoken = 3;
+ // Optional. The maximum number of
+ // RelationTuples to return in the response.
+ int32 page_size = 4;
+ // Optional. A pagination token returned from
+ // a previous call to `ListRelationTuples` that
+ // indicates where the page should start at.
+ string page_token = 5;
+}
+
+// The response of a ReadService.ListRelationTuples rpc.
+message ListRelationTuplesResponse {
+ // The relation tuples matching the list request.
+ repeated RelationTuple relation_tuples = 1;
+ // Optional. A pagination token returned from a previous call to `ListRelationTuples`
+ // that indicates where this listing should continue from.
+ //
+ // All fields of the subsequent ListRelationTuplesRequest request
+ // using this `next_page_token` as the `page_token` are ignored and
+ // CAN be left blank, since the request's data is baked in this `next_page_token`.
+ string next_page_token = 2;
+}
diff --git a/api/keto/acl/v1alpha1/read_service_grpc.pb.go b/api/keto/acl/v1alpha1/read_service_grpc.pb.go
new file mode 100644
index 000000000..d1d3bd601
--- /dev/null
+++ b/api/keto/acl/v1alpha1/read_service_grpc.pb.go
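Review bot: `next_page_token` is documented as carrying the whole request ("the request's data is baked in this `next_page_token`") and as overriding every other field of the follow-up call, but nothing says the token is opaque to clients or that the server verifies its integrity before honouring the embedded query; a token a client can edit would let a follow-up page run a query the caller was never given, so the field comment should pin the contract down, e.g. `// The token is opaque; clients MUST NOT construct or modify it, and the server rejects tampered or expired tokens with INVALID_ARGUMENT.` Relatedly, `page_size` has no documented default or upper bound, and `Query.namespace` is marked "Required." although proto3 cannot enforce presence, so the comments should state the server-side maximum for `page_size` and that an empty `namespace` is rejected. Both points are documentation only, but they are the contract that every generated client and every server implementation will be built against.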
@@ -0,0 +1,97 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package acl + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion7 + +// ReadServiceClient is the client API for ReadService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type ReadServiceClient interface { + // Lists ACL relation tuples. + ListRelationTuples(ctx context.Context, in *ListRelationTuplesRequest, opts ...grpc.CallOption) (*ListRelationTuplesResponse, error) +} + +type readServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewReadServiceClient(cc grpc.ClientConnInterface) ReadServiceClient { + return &readServiceClient{cc} +} + +func (c *readServiceClient) ListRelationTuples(ctx context.Context, in *ListRelationTuplesRequest, opts ...grpc.CallOption) (*ListRelationTuplesResponse, error) { + out := new(ListRelationTuplesResponse) + err := c.cc.Invoke(ctx, "/keto.acl.v1alpha1.ReadService/ListRelationTuples", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// ReadServiceServer is the server API for ReadService service. +// All implementations should embed UnimplementedReadServiceServer +// for forward compatibility +type ReadServiceServer interface { + // Lists ACL relation tuples. + ListRelationTuples(context.Context, *ListRelationTuplesRequest) (*ListRelationTuplesResponse, error) +} + +// UnimplementedReadServiceServer should be embedded to have forward compatible implementations. 
+type UnimplementedReadServiceServer struct { +} + +func (UnimplementedReadServiceServer) ListRelationTuples(context.Context, *ListRelationTuplesRequest) (*ListRelationTuplesResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method ListRelationTuples not implemented") +} + +// UnsafeReadServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to ReadServiceServer will +// result in compilation errors. +type UnsafeReadServiceServer interface { + mustEmbedUnimplementedReadServiceServer() +} + +func RegisterReadServiceServer(s grpc.ServiceRegistrar, srv ReadServiceServer) { + s.RegisterService(&_ReadService_serviceDesc, srv) +} + +func _ReadService_ListRelationTuples_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ListRelationTuplesRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ReadServiceServer).ListRelationTuples(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/keto.acl.v1alpha1.ReadService/ListRelationTuples", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ReadServiceServer).ListRelationTuples(ctx, req.(*ListRelationTuplesRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _ReadService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "keto.acl.v1alpha1.ReadService", + HandlerType: (*ReadServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "ListRelationTuples", + Handler: _ReadService_ListRelationTuples_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "keto/acl/v1alpha1/read_service.proto", +} diff --git a/api/keto/acl/v1alpha1/write_service.pb.go b/api/keto/acl/v1alpha1/write_service.pb.go new file mode 100644 index 000000000..15f846d86 --- /dev/null 
+++ b/api/keto/acl/v1alpha1/write_service.pb.go 
@@ -0,0 +1,388 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0 +// protoc v3.13.0 +// source: keto/acl/v1alpha1/write_service.proto + +package acl + +import ( + proto "github.com/golang/protobuf/proto" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +type RelationTupleWriteDelta_Action int32 + +const ( + // Unspecified. + // The `WriteRelationTuples` rpc ignores this + // RelationTupleWriteDelta if an action was unspecified. + RelationTupleWriteDelta_ACTION_UNSPECIFIED RelationTupleWriteDelta_Action = 0 + // Insertion of a new RelationTuple. + // It is ignored if already existing. + RelationTupleWriteDelta_INSERT RelationTupleWriteDelta_Action = 1 + // Deletion of the RelationTuple. + // It is ignored if it does not exist. + RelationTupleWriteDelta_DELETE RelationTupleWriteDelta_Action = 4 +) + +// Enum value maps for RelationTupleWriteDelta_Action. 
+var ( + RelationTupleWriteDelta_Action_name = map[int32]string{ + 0: "ACTION_UNSPECIFIED", + 1: "INSERT", + 4: "DELETE", + } + RelationTupleWriteDelta_Action_value = map[string]int32{ + "ACTION_UNSPECIFIED": 0, + "INSERT": 1, + "DELETE": 4, + } +) + +func (x RelationTupleWriteDelta_Action) Enum() *RelationTupleWriteDelta_Action { + p := new(RelationTupleWriteDelta_Action) + *p = x + return p +} + +func (x RelationTupleWriteDelta_Action) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (RelationTupleWriteDelta_Action) Descriptor() protoreflect.EnumDescriptor { + return file_keto_acl_v1alpha1_write_service_proto_enumTypes[0].Descriptor() +} + +func (RelationTupleWriteDelta_Action) Type() protoreflect.EnumType { + return &file_keto_acl_v1alpha1_write_service_proto_enumTypes[0] +} + +func (x RelationTupleWriteDelta_Action) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use RelationTupleWriteDelta_Action.Descriptor instead. +func (RelationTupleWriteDelta_Action) EnumDescriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_write_service_proto_rawDescGZIP(), []int{1, 0} +} + +// The request of a WriteService.WriteRelationTuples rpc. +type WriteRelationTuplesRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The write delta for the relation tuples operated in one single transaction. + // Either all actions commit or no change takes effect on error. + // + // The tuple's etag is used for a consistent read-modify-write request flow. + // If the etag is not present, the tuple is not validated against the state + // of the serverside tuple and get operated anyway. 
+ RelationTupleDeltas []*RelationTupleWriteDelta `protobuf:"bytes,1,rep,name=relation_tuple_deltas,json=relationTupleDeltas,proto3" json:"relation_tuple_deltas,omitempty"` +} + +func (x *WriteRelationTuplesRequest) Reset() { + *x = WriteRelationTuplesRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_write_service_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *WriteRelationTuplesRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WriteRelationTuplesRequest) ProtoMessage() {} + +func (x *WriteRelationTuplesRequest) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_write_service_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WriteRelationTuplesRequest.ProtoReflect.Descriptor instead. +func (*WriteRelationTuplesRequest) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_write_service_proto_rawDescGZIP(), []int{0} +} + +func (x *WriteRelationTuplesRequest) GetRelationTupleDeltas() []*RelationTupleWriteDelta { + if x != nil { + return x.RelationTupleDeltas + } + return nil +} + +// Write-delta for a WriteRelationTuplesRequest. +type RelationTupleWriteDelta struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The target RelationTuple. 
+ RelationTuple *RelationTuple `protobuf:"bytes,1,opt,name=relation_tuple,json=relationTuple,proto3" json:"relation_tuple,omitempty"` +} + +func (x *RelationTupleWriteDelta) Reset() { + *x = RelationTupleWriteDelta{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_write_service_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RelationTupleWriteDelta) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RelationTupleWriteDelta) ProtoMessage() {} + +func (x *RelationTupleWriteDelta) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_write_service_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RelationTupleWriteDelta.ProtoReflect.Descriptor instead. +func (*RelationTupleWriteDelta) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_write_service_proto_rawDescGZIP(), []int{1} +} + +func (x *RelationTupleWriteDelta) GetRelationTuple() *RelationTuple { + if x != nil { + return x.RelationTuple + } + return nil +} + +// The response of a WriteService.WriteRelationTuples rpc. +type WriteRelationTuplesResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The list of the new latest snapshot tokens of the affected RelationTuple, + // with the same index as specified in the `relation_tuple_deltas` field of + // the WriteRelationTuplesRequest request. + // + // The snaptoken is nil at the same index + // if the RelationTupleWriteDelta_Action was DELETE. 
+ Snaptokens []string `protobuf:"bytes,1,rep,name=snaptokens,proto3" json:"snaptokens,omitempty"` +} + +func (x *WriteRelationTuplesResponse) Reset() { + *x = WriteRelationTuplesResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_keto_acl_v1alpha1_write_service_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *WriteRelationTuplesResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WriteRelationTuplesResponse) ProtoMessage() {} + +func (x *WriteRelationTuplesResponse) ProtoReflect() protoreflect.Message { + mi := &file_keto_acl_v1alpha1_write_service_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WriteRelationTuplesResponse.ProtoReflect.Descriptor instead. +func (*WriteRelationTuplesResponse) Descriptor() ([]byte, []int) { + return file_keto_acl_v1alpha1_write_service_proto_rawDescGZIP(), []int{2} +} + +func (x *WriteRelationTuplesResponse) GetSnaptokens() []string { + if x != nil { + return x.Snaptokens + } + return nil +} + +var File_keto_acl_v1alpha1_write_service_proto protoreflect.FileDescriptor + +var file_keto_acl_v1alpha1_write_service_proto_rawDesc = []byte{ + 0x0a, 0x25, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2f, 0x77, 0x72, 0x69, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, + 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1b, 0x6b, 0x65, 0x74, 0x6f, + 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x61, 0x63, + 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x7c, 0x0a, 0x1a, 0x57, 0x72, 0x69, 0x74, 0x65, + 0x52, 0x65, 0x6c, 
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x5e, 0x0a, 0x15, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x5f, 0x74, 0x75, 0x70, 0x6c, 0x65, 0x5f, 0x64, 0x65, 0x6c, 0x74, 0x61, 0x73, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x57, 0x72, 0x69, 0x74, 0x65, 0x44, 0x65, 0x6c, 0x74, 0x61, + 0x52, 0x13, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x44, + 0x65, 0x6c, 0x74, 0x61, 0x73, 0x22, 0x9c, 0x01, 0x0a, 0x17, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x57, 0x72, 0x69, 0x74, 0x65, 0x44, 0x65, 0x6c, 0x74, + 0x61, 0x12, 0x47, 0x0a, 0x0e, 0x72, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x75, + 0x70, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x6b, 0x65, 0x74, 0x6f, + 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, + 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x52, 0x0d, 0x72, 0x65, 0x6c, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x22, 0x38, 0x0a, 0x06, 0x41, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, + 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, + 0x49, 0x4e, 0x53, 0x45, 0x52, 0x54, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x44, 0x45, 0x4c, 0x45, + 0x54, 0x45, 0x10, 0x04, 0x22, 0x3d, 0x0a, 0x1b, 0x57, 0x72, 0x69, 0x74, 0x65, 0x52, 0x65, 0x6c, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x6e, 0x61, 0x70, 0x74, 0x6f, 0x6b, 0x65, 0x6e, + 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 
0x73, 0x6e, 0x61, 0x70, 0x74, 0x6f, 0x6b, + 0x65, 0x6e, 0x73, 0x32, 0x84, 0x01, 0x0a, 0x0c, 0x57, 0x72, 0x69, 0x74, 0x65, 0x53, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x12, 0x74, 0x0a, 0x13, 0x57, 0x72, 0x69, 0x74, 0x65, 0x52, 0x65, 0x6c, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, 0x65, 0x73, 0x12, 0x2d, 0x2e, 0x6b, 0x65, + 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, + 0x57, 0x72, 0x69, 0x74, 0x65, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, + 0x6c, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x6b, 0x65, 0x74, + 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x57, + 0x72, 0x69, 0x74, 0x65, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x75, 0x70, 0x6c, + 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x8e, 0x01, 0x0a, 0x18, 0x73, + 0x68, 0x2e, 0x6f, 0x72, 0x79, 0x2e, 0x6b, 0x65, 0x74, 0x6f, 0x2e, 0x61, 0x63, 0x6c, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x11, 0x57, 0x61, 0x74, 0x63, 0x68, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2d, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x72, 0x79, 0x2f, 0x6b, 0x65, 0x74, + 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6b, 0x65, 0x74, 0x6f, 0x2f, 0x61, 0x63, 0x6c, 0x2f, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x61, 0x63, 0x6c, 0xaa, 0x02, 0x15, 0x4f, 0x72, + 0x79, 0x2e, 0x4b, 0x65, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x6c, 0x2e, 0x56, 0x31, 0x41, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0xca, 0x02, 0x15, 0x4f, 0x72, 0x79, 0x5c, 0x4b, 0x65, 0x74, 0x6f, 0x5c, 0x41, + 0x63, 0x6c, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, +} + +var ( + file_keto_acl_v1alpha1_write_service_proto_rawDescOnce sync.Once + file_keto_acl_v1alpha1_write_service_proto_rawDescData = 
file_keto_acl_v1alpha1_write_service_proto_rawDesc +) + +func file_keto_acl_v1alpha1_write_service_proto_rawDescGZIP() []byte { + file_keto_acl_v1alpha1_write_service_proto_rawDescOnce.Do(func() { + file_keto_acl_v1alpha1_write_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_keto_acl_v1alpha1_write_service_proto_rawDescData) + }) + return file_keto_acl_v1alpha1_write_service_proto_rawDescData +} + +var file_keto_acl_v1alpha1_write_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_keto_acl_v1alpha1_write_service_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_keto_acl_v1alpha1_write_service_proto_goTypes = []interface{}{ + (RelationTupleWriteDelta_Action)(0), // 0: keto.acl.v1alpha1.RelationTupleWriteDelta.Action + (*WriteRelationTuplesRequest)(nil), // 1: keto.acl.v1alpha1.WriteRelationTuplesRequest + (*RelationTupleWriteDelta)(nil), // 2: keto.acl.v1alpha1.RelationTupleWriteDelta + (*WriteRelationTuplesResponse)(nil), // 3: keto.acl.v1alpha1.WriteRelationTuplesResponse + (*RelationTuple)(nil), // 4: keto.acl.v1alpha1.RelationTuple +} +var file_keto_acl_v1alpha1_write_service_proto_depIdxs = []int32{ + 2, // 0: keto.acl.v1alpha1.WriteRelationTuplesRequest.relation_tuple_deltas:type_name -> keto.acl.v1alpha1.RelationTupleWriteDelta + 4, // 1: keto.acl.v1alpha1.RelationTupleWriteDelta.relation_tuple:type_name -> keto.acl.v1alpha1.RelationTuple + 1, // 2: keto.acl.v1alpha1.WriteService.WriteRelationTuples:input_type -> keto.acl.v1alpha1.WriteRelationTuplesRequest + 3, // 3: keto.acl.v1alpha1.WriteService.WriteRelationTuples:output_type -> keto.acl.v1alpha1.WriteRelationTuplesResponse + 3, // [3:4] is the sub-list for method output_type + 2, // [2:3] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_keto_acl_v1alpha1_write_service_proto_init() } +func 
file_keto_acl_v1alpha1_write_service_proto_init() { + if File_keto_acl_v1alpha1_write_service_proto != nil { + return + } + file_keto_acl_v1alpha1_acl_proto_init() + if !protoimpl.UnsafeEnabled { + file_keto_acl_v1alpha1_write_service_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*WriteRelationTuplesRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keto_acl_v1alpha1_write_service_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RelationTupleWriteDelta); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_keto_acl_v1alpha1_write_service_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*WriteRelationTuplesResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_keto_acl_v1alpha1_write_service_proto_rawDesc, + NumEnums: 1, + NumMessages: 3, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_keto_acl_v1alpha1_write_service_proto_goTypes, + DependencyIndexes: file_keto_acl_v1alpha1_write_service_proto_depIdxs, + EnumInfos: file_keto_acl_v1alpha1_write_service_proto_enumTypes, + MessageInfos: file_keto_acl_v1alpha1_write_service_proto_msgTypes, + }.Build() + File_keto_acl_v1alpha1_write_service_proto = out.File + file_keto_acl_v1alpha1_write_service_proto_rawDesc = nil + file_keto_acl_v1alpha1_write_service_proto_goTypes = nil + file_keto_acl_v1alpha1_write_service_proto_depIdxs = nil +} 
diff --git a/api/keto/acl/v1alpha1/write_service.proto b/api/keto/acl/v1alpha1/write_service.proto
new file mode 100644
index 000000000..c74e19a0d
--- /dev/null
+++ b/api/keto/acl/v1alpha1/write_service.proto
@@ -0,0 +1,60 @@ +syntax = "proto3"; + +package keto.acl.v1alpha1; + +import "keto/acl/v1alpha1/acl.proto"; + +option go_package = "github.com/ory/keto/api/keto/acl/v1alpha1;acl"; +option csharp_namespace = "Ory.Keto.Acl.V1Alpha1"; +option java_multiple_files = true; +option java_outer_classname = "WatchServiceProto"; +option java_package = "sh.ory.keto.acl.v1alpha1"; +option php_namespace = "Ory\\Keto\\Acl\\V1alpha1"; + +// The write service to create and delete Access Control Lists. +service WriteService { + // Writes one or more relation tuples in a single transaction. + rpc WriteRelationTuples(WriteRelationTuplesRequest) returns (WriteRelationTuplesResponse); +} + +// The request of a WriteService.WriteRelationTuples rpc. +message WriteRelationTuplesRequest { + // The write delta for the relation tuples operated in one single transaction. + // Either all actions commit or no change takes effect on error. + // + // The tuple's etag is used for a consistent read-modify-write request flow. + // If the etag is not present, the tuple is not validated against the state + // of the serverside tuple and get operated anyway. + repeated RelationTupleWriteDelta relation_tuple_deltas = 1; +} + +// Write-delta for a WriteRelationTuplesRequest. +message RelationTupleWriteDelta { + enum Action { + // Unspecified. + // The `WriteRelationTuples` rpc ignores this + // RelationTupleWriteDelta if an action was unspecified. + ACTION_UNSPECIFIED = 0; + + // Insertion of a new RelationTuple. + // It is ignored if already existing. + INSERT = 1; + + // Deletion of the RelationTuple. + // It is ignored if it does not exist. + DELETE = 4; + } + // The target RelationTuple. + RelationTuple relation_tuple = 1; +} + +// The response of a WriteService.WriteRelationTuples rpc. 
+message WriteRelationTuplesResponse { + // The list of the new latest snapshot tokens of the affected RelationTuple, + // with the same index as specified in the `relation_tuple_deltas` field of + // the WriteRelationTuplesRequest request. + // + // The snaptoken is nil at the same index + // if the RelationTupleWriteDelta_Action was DELETE. + repeated string snaptokens = 1; +} diff --git a/api/keto/acl/v1alpha1/write_service_grpc.pb.go b/api/keto/acl/v1alpha1/write_service_grpc.pb.go new file mode 100644 index 000000000..958c194e1 --- /dev/null +++ b/api/keto/acl/v1alpha1/write_service_grpc.pb.go 
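Review bot: `option java_outer_classname = "WatchServiceProto";` in write_service.proto names the Java wrapper class after a different service; if a watch service definition in the same `sh.ory.keto.acl.v1alpha1` package declares the same outer classname, Java generation of the two files collides, so this should read `option java_outer_classname = "WriteServiceProto";`. The `snaptokens` comment on WriteRelationTuplesResponse says the snaptoken "is nil" for a DELETE delta, but an element of `repeated string` cannot be nil on the wire — it is an empty string — so the comment should say `// The snaptoken is an empty string at the same index` to describe what the encoding can actually express. The gap between `INSERT = 1` and `DELETE = 4` in `RelationTupleWriteDelta.Action` reads as held-back values; if 2 and 3 are intentionally reserved, `reserved 2, 3;` inside the enum states that explicitly and keeps them from being reused later.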
@@ -0,0 +1,97 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package acl + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion7 + +// WriteServiceClient is the client API for WriteService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type WriteServiceClient interface { + // Writes one or more relation tuples in a single transaction. + WriteRelationTuples(ctx context.Context, in *WriteRelationTuplesRequest, opts ...grpc.CallOption) (*WriteRelationTuplesResponse, error) +} + +type writeServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewWriteServiceClient(cc grpc.ClientConnInterface) WriteServiceClient { + return &writeServiceClient{cc} +} + +func (c *writeServiceClient) WriteRelationTuples(ctx context.Context, in *WriteRelationTuplesRequest, opts ...grpc.CallOption) (*WriteRelationTuplesResponse, error) { + out := new(WriteRelationTuplesResponse) + err := c.cc.Invoke(ctx, "/keto.acl.v1alpha1.WriteService/WriteRelationTuples", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// WriteServiceServer is the server API for WriteService service. +// All implementations should embed UnimplementedWriteServiceServer +// for forward compatibility +type WriteServiceServer interface { + // Writes one or more relation tuples in a single transaction. + WriteRelationTuples(context.Context, *WriteRelationTuplesRequest) (*WriteRelationTuplesResponse, error) +} + +// UnimplementedWriteServiceServer should be embedded to have forward compatible implementations. 
+type UnimplementedWriteServiceServer struct { +} + +func (UnimplementedWriteServiceServer) WriteRelationTuples(context.Context, *WriteRelationTuplesRequest) (*WriteRelationTuplesResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method WriteRelationTuples not implemented") +} + +// UnsafeWriteServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to WriteServiceServer will +// result in compilation errors. +type UnsafeWriteServiceServer interface { + mustEmbedUnimplementedWriteServiceServer() +} + +func RegisterWriteServiceServer(s grpc.ServiceRegistrar, srv WriteServiceServer) { + s.RegisterService(&_WriteService_serviceDesc, srv) +} + +func _WriteService_WriteRelationTuples_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(WriteRelationTuplesRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(WriteServiceServer).WriteRelationTuples(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/keto.acl.v1alpha1.WriteService/WriteRelationTuples", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(WriteServiceServer).WriteRelationTuples(ctx, req.(*WriteRelationTuplesRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _WriteService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "keto.acl.v1alpha1.WriteService", + HandlerType: (*WriteServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "WriteRelationTuples", + Handler: _WriteService_WriteRelationTuples_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "keto/acl/v1alpha1/write_service.proto", +} diff --git a/api/keto/rbac/README.md b/api/keto/rbac/README.md new file mode 100644 index 000000000..028d95b5f --- /dev/null +++ b/api/keto/rbac/README.md 
@@ -0,0 +1,2 @@
+# Maybe coming soon
+Built upon [ACL](../acl).
\ No newline at end of file
diff --git a/buf/api/buf.gen.yaml b/buf/api/buf.gen.yaml
new file mode 100644
index 000000000..31849f68d
--- /dev/null
+++ b/buf/api/buf.gen.yaml
@@ -0,0 +1,8 @@
+version: v1beta1
+plugins:
+ - name: go
+ out: api
+ opt: paths=source_relative
+ - name: go-grpc
+ out: api
+ opt: paths=source_relative,require_unimplemented_servers=false
diff --git a/buf/api/buf.yaml b/buf/api/buf.yaml
new file mode 100644
index 000000000..7bb1f0d75
--- /dev/null
+++ b/buf/api/buf.yaml
@@ -0,0 +1,15 @@
+version: v1beta1
+build:
+ roots:
+ - api
+lint:
+ use:
+ - DEFAULT
+ ignore:
+ - google
+ ignore_only:
+ ENUM_VALUE_PREFIX:
+ - keto/acl/v1alpha1/write_service.proto
+breaking:
+ use:
+ - PACKAGE
diff --git a/cmd/relationtuple/create.go b/cmd/relationtuple/create.go
index 58a571b35..5662cf4b7 100644
--- a/cmd/relationtuple/create.go
+++ b/cmd/relationtuple/create.go
@@ -7,7 +7,7 @@ import (
 "io"
 "os"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 "github.com/spf13/cobra"
diff --git a/cmd/relationtuple/get.go b/cmd/relationtuple/get.go
index c93a1fd79..25be4750e 100644
--- a/cmd/relationtuple/get.go
+++ b/cmd/relationtuple/get.go
@@ -5,7 +5,7 @@ import (
 "fmt"
 "strings"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 "github.com/spf13/pflag"
diff --git a/cmd/serve.go b/cmd/serve.go
index 4a0cb7311..52d05400d 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -21,9 +21,9 @@ import (
 "os"
 "sync"
- "github.com/ory/keto/expand"
+ "github.com/ory/keto/internal/expand"
- "github.com/ory/keto/check"
+ "github.com/ory/keto/internal/check"
 "github.com/julienschmidt/httprouter"
 "github.com/spf13/cobra"
@@ -31,8 +31,8 @@ import (
 "github.com/ory/graceful"
- "github.com/ory/keto/driver"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/driver"
+ "github.com/ory/keto/internal/relationtuple"
 "github.com/ory/x/viperx"
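Review bot: `require_unimplemented_servers=false` on the go-grpc plugin in buf.gen.yaml removes the `mustEmbedUnimplemented…Server` method from every generated server interface, so the generated "All implementations should embed UnimplementedWriteServiceServer for forward compatibility" guidance in write_service_grpc.pb.go is advice only and a later RPC added to any service in this API is a compile break for every implementer that did not embed the struct. If that trade-off is intended for the sandbox API, a one-line comment above the option, e.g. `# opt out of mustEmbedUnimplemented*Server; implementers must embed Unimplemented*Server themselves`, records the decision for whoever next regenerates; otherwise drop the option and keep the default.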
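Review bot: The `ignore_only: ENUM_VALUE_PREFIX` entry for `keto/acl/v1alpha1/write_service.proto` in buf.yaml suppresses the rule for the whole file instead of fixing the one enum that trips it; `INSERT` and `DELETE` in `RelationTupleWriteDelta.Action` lack the `ACTION_` prefix that `ACTION_UNSPECIFIED` already carries. Enum value names become generated identifiers and appear in the protobuf JSON mapping, so renaming them after the API is published is the kind of change the `breaking: PACKAGE` check below is meant to catch; renaming now to `ACTION_INSERT = 1;` and `ACTION_DELETE = 4;` and dropping the ignore_only block is cheaper than carrying the exception. If the short names are deliberate, a comment next to the ignore stating why keeps the exception from being silently extended to new files.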
diff --git a/check/engine.go b/internal/check/engine.go
similarity index 97%
rename from check/engine.go
rename to internal/check/engine.go
index 6ac859d22..8c5f14380 100644
--- a/check/engine.go
+++ b/internal/check/engine.go
@@ -5,7 +5,7 @@ import (
 "fmt"
 "os"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 )
 type (
diff --git a/check/engine_test.go b/internal/check/engine_test.go
similarity index 98%
rename from check/engine_test.go
rename to internal/check/engine_test.go
index 383660189..c31eb4610 100644
--- a/check/engine_test.go
+++ b/internal/check/engine_test.go
@@ -4,14 +4,14 @@ import (
 "context"
 "testing"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
- "github.com/ory/keto/check"
+ "github.com/ory/keto/internal/check"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/ory/keto/driver"
+ "github.com/ory/keto/internal/driver"
 )
 func TestEngine(t *testing.T) {
diff --git a/check/handler.go b/internal/check/handler.go
similarity index 93%
rename from check/handler.go
rename to internal/check/handler.go
index d8e3fb839..b3c2ccb07 100644
--- a/check/handler.go
+++ b/internal/check/handler.go
@@ -3,11 +3,11 @@ package check
 import (
 "net/http"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 "github.com/julienschmidt/httprouter"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/x"
 )
 type (
diff --git a/driver/configuration/provider.go b/internal/driver/configuration/provider.go
similarity index 100%
rename from driver/configuration/provider.go
rename to internal/driver/configuration/provider.go
diff --git a/driver/configuration/provider_viper.go b/internal/driver/configuration/provider_viper.go
similarity index 100%
rename from driver/configuration/provider_viper.go
rename to internal/driver/configuration/provider_viper.go
diff --git a/driver/driver.go b/internal/driver/driver.go
similarity index 63%
rename from driver/driver.go
rename to internal/driver/driver.go
index f36494844..7cef9b5e0 100644
--- a/driver/driver.go
+++ b/internal/driver/driver.go
@@ -1,6 +1,6 @@
 package driver
-import "github.com/ory/keto/driver/configuration"
+import "github.com/ory/keto/internal/driver/configuration"
 type Driver interface {
 Configuration() configuration.Provider
diff --git a/driver/driver_default.go b/internal/driver/driver_default.go
similarity index 93%
rename from driver/driver_default.go
rename to internal/driver/driver_default.go
index 50afc7a34..a3a546d3c 100644
--- a/driver/driver_default.go
+++ b/internal/driver/driver_default.go
@@ -3,7 +3,7 @@ package driver
 import (
 "github.com/ory/x/logrusx"
- "github.com/ory/keto/driver/configuration"
+ "github.com/ory/keto/internal/driver/configuration"
 )
 type DefaultDriver struct {
diff --git a/driver/registry.go b/internal/driver/registry.go
similarity index 91%
rename from driver/registry.go
rename to internal/driver/registry.go
index 9f4c54f39..5f4f45bea 100644
--- a/driver/registry.go
+++ b/internal/driver/registry.go
@@ -8,8 +8,8 @@ import (
 "github.com/ory/x/logrusx"
 "github.com/ory/x/tracing"
- "github.com/ory/keto/driver/configuration"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/driver/configuration"
+ "github.com/ory/keto/internal/x"
 )
 type Registry interface {
diff --git a/driver/registry_default.go b/internal/driver/registry_default.go
similarity index 79%
rename from driver/registry_default.go
rename to internal/driver/registry_default.go
index ef6355033..d01f68d34 100644
--- a/driver/registry_default.go
+++ b/internal/driver/registry_default.go
@@ -4,15 +4,15 @@ import (
 "github.com/ory/herodot"
 "github.com/ory/x/logrusx"
- "github.com/ory/keto/persistence"
+ "github.com/ory/keto/internal/persistence"
- "github.com/ory/keto/expand"
+ "github.com/ory/keto/internal/expand"
- "github.com/ory/keto/check"
+ "github.com/ory/keto/internal/check"
- "github.com/ory/keto/persistence/memory"
- "github.com/ory/keto/relationtuple"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/persistence/memory"
+ "github.com/ory/keto/internal/relationtuple"
+ "github.com/ory/keto/internal/x"
 )
 var _ relationtuple.ManagerProvider = &RegistryDefault{}
diff --git a/expand/engine.go b/internal/expand/engine.go
similarity index 96%
rename from expand/engine.go
rename to internal/expand/engine.go
index 6db3fecda..39a014666 100644
--- a/expand/engine.go
+++ b/internal/expand/engine.go
@@ -3,7 +3,7 @@ package expand
 import (
 "context"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 )
 type (
diff --git a/expand/engine_test.go b/internal/expand/engine_test.go
similarity index 97%
rename from expand/engine_test.go
rename to internal/expand/engine_test.go
index 7c218840b..d1d7bc44f 100644
--- a/expand/engine_test.go
+++ b/internal/expand/engine_test.go
@@ -4,14 +4,14 @@ import (
 "context"
 "testing"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
- "github.com/ory/keto/expand"
+ "github.com/ory/keto/internal/expand"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/ory/keto/driver"
+ "github.com/ory/keto/internal/driver"
 )
 func newTestEngine(_ *testing.T) (*driver.RegistryDefault, *expand.Engine) {
diff --git a/expand/handler.go b/internal/expand/handler.go
similarity index 92%
rename from expand/handler.go
rename to internal/expand/handler.go
index cc4728b7a..f1452f3f7 100644
--- a/expand/handler.go
+++ b/internal/expand/handler.go
@@ -4,11 +4,11 @@ import (
 "net/http"
 "strconv"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 "github.com/julienschmidt/httprouter"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/x"
 )
 type (
diff --git a/expand/tree.go b/internal/expand/tree.go
similarity index 95%
rename from expand/tree.go
rename to internal/expand/tree.go
index 4dad3ad73..17ae3c4f2 100644
--- a/expand/tree.go
+++ b/internal/expand/tree.go
@@ -3,7 +3,7 @@ package expand
 import (
 "errors"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 )
 type (
diff --git a/persistence/definitions.go b/internal/persistence/definitions.go
similarity index 64%
rename from persistence/definitions.go
rename to internal/persistence/definitions.go
index 425f0cf0a..245b09fc1 100644
--- a/persistence/definitions.go
+++ b/internal/persistence/definitions.go
@@ -1,7 +1,7 @@
 package persistence
 import (
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 )
 type Persister interface {
diff --git a/persistence/memory/definitions.go b/internal/persistence/memory/definitions.go
similarity index 84%
rename from persistence/memory/definitions.go
rename to internal/persistence/memory/definitions.go
index 83bf9d26e..0fa3810b6 100644
--- a/persistence/memory/definitions.go
+++ b/internal/persistence/memory/definitions.go
@@ -3,7 +3,7 @@ package memory
 import (
 "sync"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 )
 type Persister struct {
diff --git a/persistence/memory/relationtuples.go b/internal/persistence/memory/relationtuples.go
similarity index 96%
rename from persistence/memory/relationtuples.go
rename to internal/persistence/memory/relationtuples.go
index 0635c618e..2a15d2695 100644
--- a/persistence/memory/relationtuples.go
+++ b/internal/persistence/memory/relationtuples.go
@@ -3,9 +3,9 @@ package memory
 import (
 "context"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/x"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 )
 type (
diff --git a/persistence/memory/relationtuples_test.go b/internal/persistence/memory/relationtuples_test.go
similarity index 98%
rename from persistence/memory/relationtuples_test.go
rename to internal/persistence/memory/relationtuples_test.go
index b0e210778..d94335be9 100644
--- a/persistence/memory/relationtuples_test.go
+++ b/internal/persistence/memory/relationtuples_test.go
@@ -5,7 +5,7 @@ import (
 "fmt"
 "testing"
- "github.com/ory/keto/relationtuple"
+ "github.com/ory/keto/internal/relationtuple"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
diff --git a/relationtuple/REQUIREMENTS.md b/internal/relationtuple/REQUIREMENTS.md
similarity index 100%
rename from relationtuple/REQUIREMENTS.md
rename to internal/relationtuple/REQUIREMENTS.md
diff --git a/relationtuple/definitions.go b/internal/relationtuple/definitions.go
similarity index 99%
rename from relationtuple/definitions.go
rename to internal/relationtuple/definitions.go
index 1a36a569e..49b501645 100644
--- a/relationtuple/definitions.go
+++ b/internal/relationtuple/definitions.go
@@ -5,7 +5,7 @@ import (
 "fmt"
 "strings"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/x"
 "github.com/tidwall/gjson"
diff --git a/relationtuple/grpc_server.go b/internal/relationtuple/grpc_server.go
similarity index 97%
rename from relationtuple/grpc_server.go
rename to internal/relationtuple/grpc_server.go
index ff6d4dfed..b62ad12c7 100644
--- a/relationtuple/grpc_server.go
+++ b/internal/relationtuple/grpc_server.go
@@ -3,7 +3,7 @@ package relationtuple
 import (
 "context"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/x"
 )
 var _ RelationTupleServiceServer = &Server{}
diff --git a/relationtuple/handler.go b/internal/relationtuple/handler.go
similarity index 97%
rename from relationtuple/handler.go
rename to internal/relationtuple/handler.go
index 8917c7f17..0b8fb1cc5 100644
--- a/relationtuple/handler.go
+++ b/internal/relationtuple/handler.go
@@ -9,7 +9,7 @@ import (
 "github.com/ory/herodot"
- "github.com/ory/keto/x"
+ "github.com/ory/keto/internal/x"
 )
 type (
diff --git a/relationtuple/relationtuple.pb.go b/internal/relationtuple/relationtuple.pb.go
similarity index 100%
rename from relationtuple/relationtuple.pb.go
rename to internal/relationtuple/relationtuple.pb.go
diff --git a/relationtuple/relationtuple.proto b/internal/relationtuple/relationtuple.proto
similarity index 100%
rename from relationtuple/relationtuple.proto
rename to internal/relationtuple/relationtuple.proto
diff --git a/relationtuple/relationtuple_grpc.pb.go b/internal/relationtuple/relationtuple_grpc.pb.go
similarity index 100%
rename from relationtuple/relationtuple_grpc.pb.go
rename to internal/relationtuple/relationtuple_grpc.pb.go
diff --git a/x/pagination.go b/internal/x/pagination.go
similarity index 100%
rename from x/pagination.go
rename to internal/x/pagination.go
diff --git a/x/registry.go b/internal/x/registry.go
similarity index 100%
rename from x/registry.go
rename to internal/x/registry.go