cerbos 0.6.0 → 0.7.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e21f0359fb0e125e0e3a6d4ecf9ac0c12e254ab464b4ad67e8d6213fd2974ed5
4
- data.tar.gz: a959dfdc08af3b960b58cd78c953925fba3b88b5db915bb30f94d3f32b810cb9
3
+ metadata.gz: '09d04980a1c08690efeeac6d04608e47e18def9b0f2ab6a5c256b4b22576464d'
4
+ data.tar.gz: 61968be4473d1a480979d9e2d2af05f0911f1d8b4a8c90947d8dce72910565f7
5
5
  SHA512:
6
- metadata.gz: 7e89b9ec5168b7215d9b9c1ad86ed8a34404f3cd3db2b6bf44889b319fc3ab5520d2ea5eb74f22e99d955e544cfb43ca925dc597763c8ae782a645ee5b086c4b
7
- data.tar.gz: e7ddf0d6071cd1ac4f607617b95e0987d11d72d34feeda6742d034f2ff212ca01dd0ef57abb94e2d54e578cd5bd5929e0ff2dab3844835cad557b9b9b062b10e
6
+ metadata.gz: 788ca1b6ff6c4e3a1ea71c791fef64f5802a89423d21dba5da7f91f7fc697ff91f1aa7ebcedab4d4bde807c531b3b13b4ac5e95a53b93d76c79077e214ecd54b
7
+ data.tar.gz: 2115919d8cb958b0c347c09710d780d7748fec5933f65f4e91d2af7c937ec0e151ad7cfa808526213a788839ea8360fcfa153b94b9574d9ce6facabdca56fab1
data/CHANGELOG.md CHANGED
@@ -1,42 +1,76 @@
1
1
  ## [Unreleased]
2
+
2
3
  No notable changes.
3
4
 
5
+ ## [0.7.0] - 2023-06-07
6
+
7
+ ### Added
8
+
9
+ - Support for user-defined policy rule outputs ([#100](https://github.com/cerbos/cerbos-sdk-ruby/pull/100))
10
+
11
+ Requires a policy decision point server running Cerbos 0.27+.
12
+
13
+ ### Removed
14
+
15
+ - Support for Ruby 2.7 ([#90](https://github.com/cerbos/cerbos-sdk-ruby/pull/90))
16
+
17
+ ## [0.6.1] - 2023-03-23
18
+
19
+ ### Removed
20
+
21
+ - Unused generated code ([#83](https://github.com/cerbos/cerbos-sdk-ruby/pull/83))
22
+
4
23
  ## [0.6.0] - 2022-07-01
24
+
5
25
  ### Added
26
+
6
27
  - Support for schema validation in `Cerbos::Client#plan_resources` ([#32](https://github.com/cerbos/cerbos-sdk-ruby/pull/32))
7
28
 
8
- Requires Cerbos 0.19+.
29
+ Requires a policy decision point server running Cerbos 0.19+.
9
30
  `Cerbos::Output::PlanResources#validation_errors` will always return an empty array if the client is connected to an earlier version of Cerbos.
10
31
 
11
32
  As a result, `Cerbos::Output::CheckResources::Result::ValidationError` has moved to `Cerbos::Output::ValidationError`.
12
33
  Attempting to access the class via the old namespace will print a deprecation warning and return the new class.
13
34
 
14
35
  ## [0.5.0] - 2022-06-09
36
+
15
37
  ### Added
38
+
16
39
  - Allow symbol keys in nested attributes hashes ([#28](https://github.com/cerbos/cerbos-sdk-ruby/pull/28))
17
40
 
18
41
  ## [0.4.0] - 2022-06-03
42
+
19
43
  ### Added
44
+
20
45
  - `on_validation_error` option to `Cerbos::Client#initialize` ([#22](https://github.com/cerbos/cerbos-sdk-ruby/pull/22))
21
46
 
22
47
  ### Changed
48
+
23
49
  - Minor documentation fixes ([#21](https://github.com/cerbos/cerbos-sdk-ruby/pull/21))
24
50
 
25
51
  ## [0.3.0] - 2022-05-13
52
+
26
53
  ### Added
54
+
27
55
  - More helper methods ([#11](https://github.com/cerbos/cerbos-sdk-ruby/pull/11))
28
56
  - `Cerbos::Client#allow?` for checking a single action on a resource
29
57
  - `Cerbos::Output::CheckResources#allow_all?` and `Cerbos::Output::CheckResources::Result#allow_all?` for checking if all input actions were allowed
30
58
 
31
59
  ## [0.2.0] - 2022-05-12
60
+
32
61
  ### Changed
62
+
33
63
  - Increased `grpc` version requirement to 1.46+ to avoid [installing a native gem compiled for `x86_64-darwin` on `arm64-darwin`](https://github.com/grpc/grpc/issues/29100) ([#8](https://github.com/cerbos/cerbos-sdk-ruby/pull/8))
34
64
 
35
65
  ## [0.1.0] - 2022-05-12
66
+
36
67
  ### Added
68
+
37
69
  - Initial implementation of `Cerbos::Client` ([#2](https://github.com/cerbos/cerbos-sdk-ruby/pull/2))
38
70
 
39
- [Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...HEAD
71
+ [Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.7.0...HEAD
72
+ [0.7.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...v0.7.0
73
+ [0.6.1]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...v0.6.1
40
74
  [0.6.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.5.0...v0.6.0
41
75
  [0.5.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.4.0...v0.5.0
42
76
  [0.4.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.3.0...v0.4.0
data/README.md CHANGED
@@ -12,7 +12,7 @@ The Cerbos Ruby SDK makes it easy to interact with the Cerbos PDP from your Ruby
12
12
  ## Prerequisites
13
13
 
14
14
  - Cerbos 0.16+
15
- - Ruby 2.7+
15
+ - Ruby 3.0+
16
16
 
17
17
  ## Installation
18
18
 
data/cerbos.gemspec CHANGED
@@ -31,6 +31,6 @@ Gem::Specification.new do |spec|
31
31
  "yard_extensions.rb"
32
32
  ]
33
33
 
34
- spec.required_ruby_version = ">= 2.7.0"
34
+ spec.required_ruby_version = ">= 3.0.0"
35
35
  spec.add_dependency "grpc", "~> 1.46"
36
36
  end
@@ -73,7 +73,7 @@ module Cerbos
73
73
  end
74
74
 
75
75
  # The outcome of checking a principal's permissions on single resource.
76
- CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
76
+ CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
77
77
  # @!attribute [r] resource
78
78
  # The resource that was checked.
79
79
  #
@@ -95,6 +95,11 @@ module Cerbos
95
95
  # @return [Metadata]
96
96
  # @return [nil] if `include_metadata` was `false`.
97
97
 
98
+ # @!attribute [r] outputs
99
+ # User-defined outputs from policy rule evaluations.
100
+ #
101
+ # @return [Array<Output>]
102
+
98
103
  # @private
99
104
  def self.const_missing(const)
100
105
  if const == :ValidationError
@@ -110,7 +115,8 @@ module Cerbos
110
115
  resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
111
116
  actions: entry.actions.to_h,
112
117
  validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
113
- metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
118
+ metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta),
119
+ outputs: (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }
114
120
  )
115
121
  end
116
122
 
@@ -126,7 +132,7 @@ module Cerbos
126
132
  #
127
133
  # @return [Boolean]
128
134
  def allow_all?
129
- actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
135
+ actions.each_value.all?(:EFFECT_ALLOW)
130
136
  end
131
137
 
132
138
  # List the actions that should be allowed for the resource.
@@ -135,6 +141,15 @@ module Cerbos
135
141
  def allowed_actions
136
142
  actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
137
143
  end
144
+
145
+ # Find the value of the user-defined output for a particular policy rule.
146
+ #
147
+ # @param source [String] the identifier of the policy rule that produced the output.
148
+ # @return [String, Numeric, Boolean, Array, Hash, nil]
149
+ # @return [nil] if the result does not include an output for the source.
150
+ def output(source)
151
+ outputs.find { |output| output.source == source }&.value
152
+ end
138
153
  end
139
154
 
140
155
  # A resource that was checked.
@@ -216,5 +231,25 @@ module Cerbos
216
231
  )
217
232
  end
218
233
  end
234
+
235
+ # User-defined output from a policy rule evaluation.
236
+ CheckResources::Result::Output = Output.new_class(:source, :value) do
237
+ # @!attribute [r] source
238
+ # The identifier of the policy rule that produced the output.
239
+ #
240
+ # @return [String]
241
+
242
+ # @!attribute [r] value
243
+ # The result of evaluating the output expression.
244
+ #
245
+ # @return [String, Numeric, Boolean, Array, Hash, nil]
246
+
247
+ def self.from_protobuf(output_entry)
248
+ new(
249
+ source: output_entry.src,
250
+ value: output_entry.val&.to_ruby(true)
251
+ )
252
+ end
253
+ end
219
254
  end
220
255
  end
@@ -1,17 +1,34 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/effect/v1/effect.proto
3
4
 
4
5
  require 'google/protobuf'
5
6
 
6
- Google::Protobuf::DescriptorPool.generated_pool.build do
7
- add_file("cerbos/effect/v1/effect.proto", :syntax => :proto3) do
8
- add_enum "cerbos.effect.v1.Effect" do
9
- value :EFFECT_UNSPECIFIED, 0
10
- value :EFFECT_ALLOW, 1
11
- value :EFFECT_DENY, 2
12
- value :EFFECT_NO_MATCH, 3
7
+
8
+ descriptor_data = "\n\x1d\x63\x65rbos/effect/v1/effect.proto\x12\x10\x63\x65rbos.effect.v1*X\n\x06\x45\x66\x66\x65\x63t\x12\x16\n\x12\x45\x46\x46\x45\x43T_UNSPECIFIED\x10\x00\x12\x10\n\x0c\x45\x46\x46\x45\x43T_ALLOW\x10\x01\x12\x0f\n\x0b\x45\x46\x46\x45\x43T_DENY\x10\x02\x12\x13\n\x0f\x45\x46\x46\x45\x43T_NO_MATCH\x10\x03\x42o\n\x18\x64\x65v.cerbos.api.v1.effectZ<github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1;effectv1\xaa\x02\x14\x43\x65rbos.Api.V1.Effectb\x06proto3"
9
+
10
+ pool = Google::Protobuf::DescriptorPool.generated_pool
11
+
12
+ begin
13
+ pool.add_serialized_file(descriptor_data)
14
+ rescue TypeError => e
15
+ # Compatibility code: will be removed in the next major version.
16
+ require 'google/protobuf/descriptor_pb'
17
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
18
+ parsed.clear_dependency
19
+ serialized = parsed.class.encode(parsed)
20
+ file = pool.add_serialized_file(serialized)
21
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
22
+ imports = [
23
+ ]
24
+ imports.each do |type_name, expected_filename|
25
+ import_file = pool.lookup(type_name).file_descriptor
26
+ if import_file.name != expected_filename
27
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
13
28
  end
14
29
  end
30
+ warn "Each proto file must use a consistent fully-qualified name."
31
+ warn "This will become an error in the next major version."
15
32
  end
16
33
 
17
34
  module Cerbos::Protobuf::Cerbos
@@ -1,169 +1,38 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/engine/v1/engine.proto
3
4
 
4
5
  require 'google/protobuf'
5
6
 
6
- require 'cerbos/protobuf/cerbos/effect/v1/effect_pb'
7
- require 'cerbos/protobuf/cerbos/schema/v1/schema_pb'
8
- require 'cerbos/protobuf/google/api/expr/v1alpha1/checked_pb'
9
- require 'cerbos/protobuf/google/api/field_behavior_pb'
10
7
  require 'google/protobuf/struct_pb'
11
8
  require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
12
- require 'cerbos/protobuf/validate/validate_pb'
13
9
 
14
- Google::Protobuf::DescriptorPool.generated_pool.build do
15
- add_file("cerbos/engine/v1/engine.proto", :syntax => :proto3) do
16
- add_message "cerbos.engine.v1.PlanResourcesInput" do
17
- optional :request_id, :string, 1, json_name: "requestId"
18
- optional :action, :string, 2, json_name: "action"
19
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
20
- optional :resource, :message, 4, "cerbos.engine.v1.PlanResourcesInput.Resource", json_name: "resource"
21
- optional :aux_data, :message, 5, "cerbos.engine.v1.AuxData", json_name: "auxData"
22
- optional :include_meta, :bool, 6, json_name: "includeMeta"
23
- end
24
- add_message "cerbos.engine.v1.PlanResourcesInput.Resource" do
25
- optional :kind, :string, 1, json_name: "kind"
26
- map :attr, :string, :message, 2, "google.protobuf.Value"
27
- optional :policy_version, :string, 3, json_name: "policyVersion"
28
- optional :scope, :string, 4, json_name: "scope"
29
- end
30
- add_message "cerbos.engine.v1.PlanResourcesAst" do
31
- optional :filter_ast, :message, 1, "cerbos.engine.v1.PlanResourcesAst.Node", json_name: "filterAst"
32
- end
33
- add_message "cerbos.engine.v1.PlanResourcesAst.Node" do
34
- oneof :node do
35
- optional :logical_operation, :message, 1, "cerbos.engine.v1.PlanResourcesAst.LogicalOperation", json_name: "logicalOperation"
36
- optional :expression, :message, 2, "google.api.expr.v1alpha1.CheckedExpr", json_name: "expression"
37
- end
38
- end
39
- add_message "cerbos.engine.v1.PlanResourcesAst.LogicalOperation" do
40
- optional :operator, :enum, 1, "cerbos.engine.v1.PlanResourcesAst.LogicalOperation.Operator", json_name: "operator"
41
- repeated :nodes, :message, 2, "cerbos.engine.v1.PlanResourcesAst.Node", json_name: "nodes"
42
- end
43
- add_enum "cerbos.engine.v1.PlanResourcesAst.LogicalOperation.Operator" do
44
- value :OPERATOR_UNSPECIFIED, 0
45
- value :OPERATOR_AND, 1
46
- value :OPERATOR_OR, 2
47
- value :OPERATOR_NOT, 3
48
- end
49
- add_message "cerbos.engine.v1.PlanResourcesFilter" do
50
- optional :kind, :enum, 1, "cerbos.engine.v1.PlanResourcesFilter.Kind", json_name: "kind"
51
- optional :condition, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "condition"
52
- end
53
- add_message "cerbos.engine.v1.PlanResourcesFilter.Expression" do
54
- optional :operator, :string, 1, json_name: "operator"
55
- repeated :operands, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "operands"
56
- end
57
- add_message "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand" do
58
- oneof :node do
59
- optional :value, :message, 1, "google.protobuf.Value", json_name: "value"
60
- optional :expression, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression", json_name: "expression"
61
- optional :variable, :string, 3, json_name: "variable"
62
- end
63
- end
64
- add_enum "cerbos.engine.v1.PlanResourcesFilter.Kind" do
65
- value :KIND_UNSPECIFIED, 0
66
- value :KIND_ALWAYS_ALLOWED, 1
67
- value :KIND_ALWAYS_DENIED, 2
68
- value :KIND_CONDITIONAL, 3
69
- end
70
- add_message "cerbos.engine.v1.PlanResourcesOutput" do
71
- optional :request_id, :string, 1, json_name: "requestId"
72
- optional :action, :string, 2, json_name: "action"
73
- optional :kind, :string, 3, json_name: "kind"
74
- optional :policy_version, :string, 4, json_name: "policyVersion"
75
- optional :scope, :string, 5, json_name: "scope"
76
- optional :filter, :message, 6, "cerbos.engine.v1.PlanResourcesFilter", json_name: "filter"
77
- optional :filter_debug, :string, 7, json_name: "filterDebug"
78
- repeated :validation_errors, :message, 8, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
79
- end
80
- add_message "cerbos.engine.v1.CheckInput" do
81
- optional :request_id, :string, 1, json_name: "requestId"
82
- optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
83
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
84
- repeated :actions, :string, 4, json_name: "actions"
85
- optional :aux_data, :message, 5, "cerbos.engine.v1.AuxData", json_name: "auxData"
86
- end
87
- add_message "cerbos.engine.v1.CheckOutput" do
88
- optional :request_id, :string, 1, json_name: "requestId"
89
- optional :resource_id, :string, 2, json_name: "resourceId"
90
- map :actions, :string, :message, 3, "cerbos.engine.v1.CheckOutput.ActionEffect"
91
- repeated :effective_derived_roles, :string, 4, json_name: "effectiveDerivedRoles"
92
- repeated :validation_errors, :message, 5, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
93
- end
94
- add_message "cerbos.engine.v1.CheckOutput.ActionEffect" do
95
- optional :effect, :enum, 1, "cerbos.effect.v1.Effect", json_name: "effect"
96
- optional :policy, :string, 2, json_name: "policy"
97
- optional :scope, :string, 3, json_name: "scope"
98
- end
99
- add_message "cerbos.engine.v1.Resource" do
100
- optional :kind, :string, 1, json_name: "kind"
101
- optional :policy_version, :string, 2, json_name: "policyVersion"
102
- optional :id, :string, 3, json_name: "id"
103
- map :attr, :string, :message, 4, "google.protobuf.Value"
104
- optional :scope, :string, 5, json_name: "scope"
105
- end
106
- add_message "cerbos.engine.v1.Principal" do
107
- optional :id, :string, 1, json_name: "id"
108
- optional :policy_version, :string, 2, json_name: "policyVersion"
109
- repeated :roles, :string, 3, json_name: "roles"
110
- map :attr, :string, :message, 4, "google.protobuf.Value"
111
- optional :scope, :string, 5, json_name: "scope"
112
- end
113
- add_message "cerbos.engine.v1.AuxData" do
114
- map :jwt, :string, :message, 1, "google.protobuf.Value"
115
- end
116
- add_message "cerbos.engine.v1.Trace" do
117
- repeated :components, :message, 1, "cerbos.engine.v1.Trace.Component", json_name: "components"
118
- optional :event, :message, 2, "cerbos.engine.v1.Trace.Event", json_name: "event"
119
- end
120
- add_message "cerbos.engine.v1.Trace.Component" do
121
- optional :kind, :enum, 1, "cerbos.engine.v1.Trace.Component.Kind", json_name: "kind"
122
- oneof :details do
123
- optional :action, :string, 2, json_name: "action"
124
- optional :derived_role, :string, 3, json_name: "derivedRole"
125
- optional :expr, :string, 4, json_name: "expr"
126
- optional :index, :uint32, 5, json_name: "index"
127
- optional :policy, :string, 6, json_name: "policy"
128
- optional :resource, :string, 7, json_name: "resource"
129
- optional :rule, :string, 8, json_name: "rule"
130
- optional :scope, :string, 9, json_name: "scope"
131
- optional :variable, :message, 10, "cerbos.engine.v1.Trace.Component.Variable", json_name: "variable"
132
- end
133
- end
134
- add_message "cerbos.engine.v1.Trace.Component.Variable" do
135
- optional :name, :string, 1, json_name: "name"
136
- optional :expr, :string, 2, json_name: "expr"
137
- end
138
- add_enum "cerbos.engine.v1.Trace.Component.Kind" do
139
- value :KIND_UNSPECIFIED, 0
140
- value :KIND_ACTION, 1
141
- value :KIND_CONDITION_ALL, 2
142
- value :KIND_CONDITION_ANY, 3
143
- value :KIND_CONDITION_NONE, 4
144
- value :KIND_CONDITION, 5
145
- value :KIND_DERIVED_ROLE, 6
146
- value :KIND_EXPR, 7
147
- value :KIND_POLICY, 8
148
- value :KIND_RESOURCE, 9
149
- value :KIND_RULE, 10
150
- value :KIND_SCOPE, 11
151
- value :KIND_VARIABLE, 12
152
- value :KIND_VARIABLES, 13
153
- end
154
- add_message "cerbos.engine.v1.Trace.Event" do
155
- optional :status, :enum, 1, "cerbos.engine.v1.Trace.Event.Status", json_name: "status"
156
- optional :effect, :enum, 2, "cerbos.effect.v1.Effect", json_name: "effect"
157
- optional :error, :string, 3, json_name: "error"
158
- optional :message, :string, 4, json_name: "message"
159
- optional :result, :message, 5, "google.protobuf.Value", json_name: "result"
160
- end
161
- add_enum "cerbos.engine.v1.Trace.Event.Status" do
162
- value :STATUS_UNSPECIFIED, 0
163
- value :STATUS_ACTIVATED, 1
164
- value :STATUS_SKIPPED, 2
10
+
11
+ descriptor_data = "\n\x1d\x63\x65rbos/engine/v1/engine.proto\x12\x10\x63\x65rbos.engine.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xde\x07\n\x12PlanResourcesInput\x1a\xc7\x07\n\x08Resource\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xb8\x01\n\x04\x61ttr\x18\x02 \x03(\x0b\x32\x37.cerbos.engine.v1.PlanResourcesInput.Resource.AttrEntryBk\x92\x41`2^Key-value pairs of contextual data about the resource that are known at a time of the request.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\xdc\x01\n\x0epolicy_version\x18\x03 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x85\x02\n\x05scope\x18\x04 \x01(\tB\xee\x01\x92\x41\xb1\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xa4\x06\n\x13PlanResourcesFilter\x12\xad\x01\n\x04kind\x18\x01 \x01(\x0e\x32*.cerbos.engine.v1.PlanResourcesFilter.KindBm\x92\x41j2hFilter kind. Defines whether the given action is always allowed, always denied or allowed conditionally.R\x04kind\x12\x9a\x01\n\tcondition\x18\x02 \x01(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandBB\x92\x41?2=Filter condition. Only populated if kind is KIND_CONDITIONAL.R\tcondition\x1a\xda\x02\n\nExpression\x12)\n\x08operator\x18\x01 \x01(\tB\r\x92\x41\n2\x08OperatorR\x08operator\x12T\n\x08operands\x18\x02 \x03(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandR\x08operands\x1a\xb3\x01\n\x07Operand\x12.\n\x05value\x18\x01 \x01(\x0b\x32\x16.google.protobuf.ValueH\x00R\x05value\x12R\n\nexpression\x18\x02 \x01(\x0b\x32\x30.cerbos.engine.v1.PlanResourcesFilter.ExpressionH\x00R\nexpression\x12\x1c\n\x08variable\x18\x03 \x01(\tH\x00R\x08variableB\x06\n\x04node:\x15\x92\x41\x12\n\x10\x32\x0e\x43\x45L expression\"c\n\x04Kind\x12\x14\n\x10KIND_UNSPECIFIED\x10\x00\x12\x17\n\x13KIND_ALWAYS_ALLOWED\x10\x01\x12\x16\n\x12KIND_ALWAYS_DENIED\x10\x02\x12\x14\n\x10KIND_CONDITIONAL\x10\x03\"\xeb\x01\n\x0bOutputEntry\x12\x65\n\x03src\x18\x01 \x01(\tBS\x92\x41P2)Rule that matched to produce this output.J#\"resource.expense.v1/acme#rule-001\"R\x03src\x12u\n\x03val\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueBK\x92\x41H27Dynamic output, determined by user defined rule output.J\r\"some_string\"R\x03val\"\xc0\x08\n\x08Resource\x12\xe1\x01\n\x04kind\x18\x01 \x01(\tB\xcc\x01\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x43\n\x02id\x18\x03 \x01(\tB3\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32$.cerbos.engine.v1.Resource.AttrEntryB\x8a\x01\x92\x41\x7f\x32\x64Kay-value pairs of contextual data about this resource that should be used during policy evaluation.J\x17{\"owner\": \"bugs_bunny\"}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x92\x02\n\x05scope\x18\x05 \x01(\tB\xfb\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xe3\x08\n\tPrincipal\x12@\n\x02id\x18\x01 \x01(\tB0\x92\x41#2\x13ID of the principalJ\x0c\"bugs_bunny\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xaa\x01\n\x05roles\x18\x03 \x03(\tB\x93\x01\x92\x41l2FRoles assigned to this principal from your identity management system.J\x08[\"user\"]\x8a\x01\x11^[[:word:]\\-\\.]+$\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x1e\x92\x01\x1b\x08\x01\x18\x01\"\x15r\x13\x32\x11^[[:word:]\\-\\.]+$R\x05roles\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32%.cerbos.engine.v1.Principal.AttrEntryB\x89\x01\x92\x41~2eKey-value pairs of contextual data about this principal that should be used during policy evaluation.J\x15{\"beta_tester\": true}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x93\x02\n\x05scope\x18\x05 \x01(\tB\xfc\x01\x92\x41\xbf\x01\x32~A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:Y\x92\x41V\nT2RA person or application attempting to perform the actions on the set of resources.Bo\n\x18\x64\x65v.cerbos.api.v1.engineZ<github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1;enginev1\xaa\x02\x14\x43\x65rbos.Api.V1.Engineb\x06proto3"
12
+
13
+ pool = Google::Protobuf::DescriptorPool.generated_pool
14
+
15
+ begin
16
+ pool.add_serialized_file(descriptor_data)
17
+ rescue TypeError => e
18
+ # Compatibility code: will be removed in the next major version.
19
+ require 'google/protobuf/descriptor_pb'
20
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
21
+ parsed.clear_dependency
22
+ serialized = parsed.class.encode(parsed)
23
+ file = pool.add_serialized_file(serialized)
24
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
25
+ imports = [
26
+ ["google.protobuf.Value", "google/protobuf/struct.proto"],
27
+ ]
28
+ imports.each do |type_name, expected_filename|
29
+ import_file = pool.lookup(type_name).file_descriptor
30
+ if import_file.name != expected_filename
31
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
165
32
  end
166
33
  end
34
+ warn "Each proto file must use a consistent fully-qualified name."
35
+ warn "This will become an error in the next major version."
167
36
  end
168
37
 
169
38
  module Cerbos::Protobuf::Cerbos
@@ -171,27 +40,13 @@ module Cerbos::Protobuf::Cerbos
171
40
  module V1
172
41
  PlanResourcesInput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesInput").msgclass
173
42
  PlanResourcesInput::Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesInput.Resource").msgclass
174
- PlanResourcesAst = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst").msgclass
175
- PlanResourcesAst::Node = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst.Node").msgclass
176
- PlanResourcesAst::LogicalOperation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst.LogicalOperation").msgclass
177
- PlanResourcesAst::LogicalOperation::Operator = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst.LogicalOperation.Operator").enummodule
178
43
  PlanResourcesFilter = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter").msgclass
179
44
  PlanResourcesFilter::Expression = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression").msgclass
180
45
  PlanResourcesFilter::Expression::Operand = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression.Operand").msgclass
181
46
  PlanResourcesFilter::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Kind").enummodule
182
- PlanResourcesOutput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesOutput").msgclass
183
- CheckInput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.CheckInput").msgclass
184
- CheckOutput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.CheckOutput").msgclass
185
- CheckOutput::ActionEffect = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.CheckOutput.ActionEffect").msgclass
47
+ OutputEntry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.OutputEntry").msgclass
186
48
  Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Resource").msgclass
187
49
  Principal = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Principal").msgclass
188
- AuxData = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.AuxData").msgclass
189
- Trace = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace").msgclass
190
- Trace::Component = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Component").msgclass
191
- Trace::Component::Variable = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Component.Variable").msgclass
192
- Trace::Component::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Component.Kind").enummodule
193
- Trace::Event = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Event").msgclass
194
- Trace::Event::Status = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Event.Status").enummodule
195
50
  end
196
51
  end
197
52
  end