cerbos 0.6.0 → 0.7.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +36 -2
- data/README.md +1 -1
- data/cerbos.gemspec +1 -1
- data/lib/cerbos/output/check_resources.rb +38 -3
- data/lib/cerbos/protobuf/cerbos/effect/v1/effect_pb.rb +24 -7
- data/lib/cerbos/protobuf/cerbos/engine/v1/engine_pb.rb +26 -171
- data/lib/cerbos/protobuf/cerbos/request/v1/request_pb.rb +26 -146
- data/lib/cerbos/protobuf/cerbos/response/v1/response_pb.rb +26 -171
- data/lib/cerbos/protobuf/cerbos/schema/v1/schema_pb.rb +23 -19
- data/lib/cerbos/protobuf/cerbos/svc/v1/svc_pb.rb +27 -2
- data/lib/cerbos/protobuf/cerbos/svc/v1/svc_services_pb.rb +1 -40
- data/lib/cerbos/protobuf/google/api/annotations_pb.rb +26 -2
- data/lib/cerbos/protobuf/google/api/field_behavior_pb.rb +24 -11
- data/lib/cerbos/protobuf/google/api/http_pb.rb +24 -24
- data/lib/cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb.rb +26 -2
- data/lib/cerbos/protobuf/protoc-gen-openapiv2/options/openapiv2_pb.rb +29 -160
- data/lib/cerbos/protobuf/validate/validate_pb.rb +26 -254
- data/lib/cerbos/version.rb +1 -1
- metadata +5 -10
- data/lib/cerbos/protobuf/cerbos/audit/v1/audit_pb.rb +0 -64
- data/lib/cerbos/protobuf/cerbos/policy/v1/policy_pb.rb +0 -247
- data/lib/cerbos/protobuf/cerbos/telemetry/v1/telemetry_pb.rb +0 -123
- data/lib/cerbos/protobuf/google/api/expr/v1alpha1/checked_pb.rb +0 -117
- data/lib/cerbos/protobuf/google/api/expr/v1alpha1/syntax_pb.rb +0 -113
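--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: '09d04980a1c08690efeeac6d04608e47e18def9b0f2ab6a5c256b4b22576464d'
+data.tar.gz: 61968be4473d1a480979d9e2d2af05f0911f1d8b4a8c90947d8dce72910565f7
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 788ca1b6ff6c4e3a1ea71c791fef64f5802a89423d21dba5da7f91f7fc697ff91f1aa7ebcedab4d4bde807c531b3b13b4ac5e95a53b93d76c79077e214ecd54b
+data.tar.gz: 2115919d8cb958b0c347c09710d780d7748fec5933f65f4e91d2af7c937ec0e151ad7cfa808526213a788839ea8360fcfa153b94b9574d9ce6facabdca56fab1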
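--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,42 +1,76 @@
 ## [Unreleased]
+
 No notable changes.
 
+## [0.7.0] - 2023-06-07
+
+### Added
+
+- Support for user-defined policy rule outputs ([#100](https://github.com/cerbos/cerbos-sdk-ruby/pull/100))
+
+Requires a policy decision point server running Cerbos 0.27+.
+
+### Removed
+
+- Support for Ruby 2.7 ([#90](https://github.com/cerbos/cerbos-sdk-ruby/pull/90))
+
+## [0.6.1] - 2023-03-23
+
+### Removed
+
+- Unused generated code ([#83](https://github.com/cerbos/cerbos-sdk-ruby/pull/83))
+
 ## [0.6.0] - 2022-07-01
+
 ### Added
+
 - Support for schema validation in `Cerbos::Client#plan_resources` ([#32](https://github.com/cerbos/cerbos-sdk-ruby/pull/32))
 
-Requires Cerbos 0.19+.
+Requires a policy decision point server running Cerbos 0.19+.
 `Cerbos::Output::PlanResources#validation_errors` will always return an empty array if the client is connected to an earlier version of Cerbos.
 
 As a result, `Cerbos::Output::CheckResources::Result::ValidationError` has moved to `Cerbos::Output::ValidationError`.
 Attempting to access the class via the old namespace will print a deprecation warning and return the new class.
 
 ## [0.5.0] - 2022-06-09
+
 ### Added
+
 - Allow symbol keys in nested attributes hashes ([#28](https://github.com/cerbos/cerbos-sdk-ruby/pull/28))
 
 ## [0.4.0] - 2022-06-03
+
 ### Added
+
 - `on_validation_error` option to `Cerbos::Client#initialize` ([#22](https://github.com/cerbos/cerbos-sdk-ruby/pull/22))
 
 ### Changed
+
 - Minor documentation fixes ([#21](https://github.com/cerbos/cerbos-sdk-ruby/pull/21))
 
 ## [0.3.0] - 2022-05-13
+
 ### Added
+
 - More helper methods ([#11](https://github.com/cerbos/cerbos-sdk-ruby/pull/11))
 - `Cerbos::Client#allow?` for checking a single action on a resource
 - `Cerbos::Output::CheckResources#allow_all?` and `Cerbos::Output::CheckResources::Result#allow_all?` for checking if all input actions were allowed
 
 ## [0.2.0] - 2022-05-12
+
 ### Changed
+
 - Increased `grpc` version requirement to 1.46+ to avoid [installing a native gem compiled for `x86_64-darwin` on `arm64-darwin`](https://github.com/grpc/grpc/issues/29100) ([#8](https://github.com/cerbos/cerbos-sdk-ruby/pull/8))
 
 ## [0.1.0] - 2022-05-12
+
 ### Added
+
 - Initial implementation of `Cerbos::Client` ([#2](https://github.com/cerbos/cerbos-sdk-ruby/pull/2))
 
-[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.
+[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.7.0...HEAD
+[0.7.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...v0.7.0
+[0.6.1]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...v0.6.1
 [0.6.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.5.0...v0.6.0
 [0.5.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.4.0...v0.5.0
 [0.4.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.3.0...v0.4.0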
data/README.md
CHANGED
data/cerbos.gemspec
CHANGED
@@ -73,7 +73,7 @@ module Cerbos
|
|
73
73
|
end
|
74
74
|
|
75
75
|
# The outcome of checking a principal's permissions on single resource.
|
76
|
-
CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
|
76
|
+
CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
|
77
77
|
# @!attribute [r] resource
|
78
78
|
# The resource that was checked.
|
79
79
|
#
|
@@ -95,6 +95,11 @@ module Cerbos
|
|
95
95
|
# @return [Metadata]
|
96
96
|
# @return [nil] if `include_metadata` was `false`.
|
97
97
|
|
98
|
+
# @!attribute [r] outputs
|
99
|
+
# User-defined outputs from policy rule evaluations.
|
100
|
+
#
|
101
|
+
# @return [Array<Output>]
|
102
|
+
|
98
103
|
# @private
|
99
104
|
def self.const_missing(const)
|
100
105
|
if const == :ValidationError
|
@@ -110,7 +115,8 @@ module Cerbos
|
|
110
115
|
resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
|
111
116
|
actions: entry.actions.to_h,
|
112
117
|
validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
|
113
|
-
metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
|
118
|
+
metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta),
|
119
|
+
outputs: (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }
|
114
120
|
)
|
115
121
|
end
|
116
122
|
|
@@ -126,7 +132,7 @@ module Cerbos
|
|
126
132
|
#
|
127
133
|
# @return [Boolean]
|
128
134
|
def allow_all?
|
129
|
-
actions.each_value.all?
|
135
|
+
actions.each_value.all?(:EFFECT_ALLOW)
|
130
136
|
end
|
131
137
|
|
132
138
|
# List the actions that should be allowed for the resource.
|
@@ -135,6 +141,15 @@ module Cerbos
|
|
135
141
|
def allowed_actions
|
136
142
|
actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
|
137
143
|
end
|
144
|
+
|
145
|
+
# Find the value of the user-defined output for a particular policy rule.
|
146
|
+
#
|
147
|
+
# @param source [String] the identifier of the policy rule that produced the output.
|
148
|
+
# @return [String, Numeric, Boolean, Array, Hash, nil]
|
149
|
+
# @return [nil] if the result does not include an output for the source.
|
150
|
+
def output(source)
|
151
|
+
outputs.find { |output| output.source == source }&.value
|
152
|
+
end
|
138
153
|
end
|
139
154
|
|
140
155
|
# A resource that was checked.
|
@@ -216,5 +231,25 @@ module Cerbos
|
|
216
231
|
)
|
217
232
|
end
|
218
233
|
end
|
234
|
+
|
235
|
+
# User-defined output from a policy rule evaluation.
|
236
|
+
CheckResources::Result::Output = Output.new_class(:source, :value) do
|
237
|
+
# @!attribute [r] source
|
238
|
+
# The identifier of the policy rule that produced the output.
|
239
|
+
#
|
240
|
+
# @return [String]
|
241
|
+
|
242
|
+
# @!attribute [r] value
|
243
|
+
# The result of evaluating the output expression.
|
244
|
+
#
|
245
|
+
# @return [String, Numeric, Boolean, Array, Hash, nil]
|
246
|
+
|
247
|
+
def self.from_protobuf(output_entry)
|
248
|
+
new(
|
249
|
+
source: output_entry.src,
|
250
|
+
value: output_entry.val&.to_ruby(true)
|
251
|
+
)
|
252
|
+
end
|
253
|
+
end
|
219
254
|
end
|
220
255
|
end
|
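Review bot: The `allow_all?` change in the `@@ -126,7 +132,7 @@` hunk alters an authorization result, yet the 0.7.0 changelog entry shown on this page lists only the outputs feature and the Ruby 2.7 removal. Judging by the visible lines, effects are symbols (`effect == :EFFECT_ALLOW` in `allowed_actions`), so the old argument-less `all?` tested only truthiness and would presumably have returned true for denied actions too; callers who upgrade should be told that results can now change from true to false. I would add a `### Fixed` entry such as ``- `CheckResources::Result#allow_all?` now returns true only when every action is `EFFECT_ALLOW` `` and a spec covering a mixed allow/deny result. Separately, `all?` is vacuously true for an empty `actions` hash; if an empty result is possible, `!actions.empty? && actions.each_value.all?(:EFFECT_ALLOW)` fails closed. The enclosing `Output.new_class` block starts and ends outside this hunk.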
@@ -1,17 +1,34 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
3
|
# source: cerbos/effect/v1/effect.proto
|
3
4
|
|
4
5
|
require 'google/protobuf'
|
5
6
|
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
7
|
+
|
8
|
+
descriptor_data = "\n\x1d\x63\x65rbos/effect/v1/effect.proto\x12\x10\x63\x65rbos.effect.v1*X\n\x06\x45\x66\x66\x65\x63t\x12\x16\n\x12\x45\x46\x46\x45\x43T_UNSPECIFIED\x10\x00\x12\x10\n\x0c\x45\x46\x46\x45\x43T_ALLOW\x10\x01\x12\x0f\n\x0b\x45\x46\x46\x45\x43T_DENY\x10\x02\x12\x13\n\x0f\x45\x46\x46\x45\x43T_NO_MATCH\x10\x03\x42o\n\x18\x64\x65v.cerbos.api.v1.effectZ<github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1;effectv1\xaa\x02\x14\x43\x65rbos.Api.V1.Effectb\x06proto3"
|
9
|
+
|
10
|
+
pool = Google::Protobuf::DescriptorPool.generated_pool
|
11
|
+
|
12
|
+
begin
|
13
|
+
pool.add_serialized_file(descriptor_data)
|
14
|
+
rescue TypeError => e
|
15
|
+
# Compatibility code: will be removed in the next major version.
|
16
|
+
require 'google/protobuf/descriptor_pb'
|
17
|
+
parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
|
18
|
+
parsed.clear_dependency
|
19
|
+
serialized = parsed.class.encode(parsed)
|
20
|
+
file = pool.add_serialized_file(serialized)
|
21
|
+
warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
|
22
|
+
imports = [
|
23
|
+
]
|
24
|
+
imports.each do |type_name, expected_filename|
|
25
|
+
import_file = pool.lookup(type_name).file_descriptor
|
26
|
+
if import_file.name != expected_filename
|
27
|
+
warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
|
13
28
|
end
|
14
29
|
end
|
30
|
+
warn "Each proto file must use a consistent fully-qualified name."
|
31
|
+
warn "This will become an error in the next major version."
|
15
32
|
end
|
16
33
|
|
17
34
|
module Cerbos::Protobuf::Cerbos
|
@@ -1,169 +1,38 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
3
|
# source: cerbos/engine/v1/engine.proto
|
3
4
|
|
4
5
|
require 'google/protobuf'
|
5
6
|
|
6
|
-
require 'cerbos/protobuf/cerbos/effect/v1/effect_pb'
|
7
|
-
require 'cerbos/protobuf/cerbos/schema/v1/schema_pb'
|
8
|
-
require 'cerbos/protobuf/google/api/expr/v1alpha1/checked_pb'
|
9
|
-
require 'cerbos/protobuf/google/api/field_behavior_pb'
|
10
7
|
require 'google/protobuf/struct_pb'
|
11
8
|
require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
|
12
|
-
require 'cerbos/protobuf/validate/validate_pb'
|
13
9
|
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
optional :expression, :message, 2, "google.api.expr.v1alpha1.CheckedExpr", json_name: "expression"
|
37
|
-
end
|
38
|
-
end
|
39
|
-
add_message "cerbos.engine.v1.PlanResourcesAst.LogicalOperation" do
|
40
|
-
optional :operator, :enum, 1, "cerbos.engine.v1.PlanResourcesAst.LogicalOperation.Operator", json_name: "operator"
|
41
|
-
repeated :nodes, :message, 2, "cerbos.engine.v1.PlanResourcesAst.Node", json_name: "nodes"
|
42
|
-
end
|
43
|
-
add_enum "cerbos.engine.v1.PlanResourcesAst.LogicalOperation.Operator" do
|
44
|
-
value :OPERATOR_UNSPECIFIED, 0
|
45
|
-
value :OPERATOR_AND, 1
|
46
|
-
value :OPERATOR_OR, 2
|
47
|
-
value :OPERATOR_NOT, 3
|
48
|
-
end
|
49
|
-
add_message "cerbos.engine.v1.PlanResourcesFilter" do
|
50
|
-
optional :kind, :enum, 1, "cerbos.engine.v1.PlanResourcesFilter.Kind", json_name: "kind"
|
51
|
-
optional :condition, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "condition"
|
52
|
-
end
|
53
|
-
add_message "cerbos.engine.v1.PlanResourcesFilter.Expression" do
|
54
|
-
optional :operator, :string, 1, json_name: "operator"
|
55
|
-
repeated :operands, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "operands"
|
56
|
-
end
|
57
|
-
add_message "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand" do
|
58
|
-
oneof :node do
|
59
|
-
optional :value, :message, 1, "google.protobuf.Value", json_name: "value"
|
60
|
-
optional :expression, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression", json_name: "expression"
|
61
|
-
optional :variable, :string, 3, json_name: "variable"
|
62
|
-
end
|
63
|
-
end
|
64
|
-
add_enum "cerbos.engine.v1.PlanResourcesFilter.Kind" do
|
65
|
-
value :KIND_UNSPECIFIED, 0
|
66
|
-
value :KIND_ALWAYS_ALLOWED, 1
|
67
|
-
value :KIND_ALWAYS_DENIED, 2
|
68
|
-
value :KIND_CONDITIONAL, 3
|
69
|
-
end
|
70
|
-
add_message "cerbos.engine.v1.PlanResourcesOutput" do
|
71
|
-
optional :request_id, :string, 1, json_name: "requestId"
|
72
|
-
optional :action, :string, 2, json_name: "action"
|
73
|
-
optional :kind, :string, 3, json_name: "kind"
|
74
|
-
optional :policy_version, :string, 4, json_name: "policyVersion"
|
75
|
-
optional :scope, :string, 5, json_name: "scope"
|
76
|
-
optional :filter, :message, 6, "cerbos.engine.v1.PlanResourcesFilter", json_name: "filter"
|
77
|
-
optional :filter_debug, :string, 7, json_name: "filterDebug"
|
78
|
-
repeated :validation_errors, :message, 8, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
|
79
|
-
end
|
80
|
-
add_message "cerbos.engine.v1.CheckInput" do
|
81
|
-
optional :request_id, :string, 1, json_name: "requestId"
|
82
|
-
optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
|
83
|
-
optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
|
84
|
-
repeated :actions, :string, 4, json_name: "actions"
|
85
|
-
optional :aux_data, :message, 5, "cerbos.engine.v1.AuxData", json_name: "auxData"
|
86
|
-
end
|
87
|
-
add_message "cerbos.engine.v1.CheckOutput" do
|
88
|
-
optional :request_id, :string, 1, json_name: "requestId"
|
89
|
-
optional :resource_id, :string, 2, json_name: "resourceId"
|
90
|
-
map :actions, :string, :message, 3, "cerbos.engine.v1.CheckOutput.ActionEffect"
|
91
|
-
repeated :effective_derived_roles, :string, 4, json_name: "effectiveDerivedRoles"
|
92
|
-
repeated :validation_errors, :message, 5, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
|
93
|
-
end
|
94
|
-
add_message "cerbos.engine.v1.CheckOutput.ActionEffect" do
|
95
|
-
optional :effect, :enum, 1, "cerbos.effect.v1.Effect", json_name: "effect"
|
96
|
-
optional :policy, :string, 2, json_name: "policy"
|
97
|
-
optional :scope, :string, 3, json_name: "scope"
|
98
|
-
end
|
99
|
-
add_message "cerbos.engine.v1.Resource" do
|
100
|
-
optional :kind, :string, 1, json_name: "kind"
|
101
|
-
optional :policy_version, :string, 2, json_name: "policyVersion"
|
102
|
-
optional :id, :string, 3, json_name: "id"
|
103
|
-
map :attr, :string, :message, 4, "google.protobuf.Value"
|
104
|
-
optional :scope, :string, 5, json_name: "scope"
|
105
|
-
end
|
106
|
-
add_message "cerbos.engine.v1.Principal" do
|
107
|
-
optional :id, :string, 1, json_name: "id"
|
108
|
-
optional :policy_version, :string, 2, json_name: "policyVersion"
|
109
|
-
repeated :roles, :string, 3, json_name: "roles"
|
110
|
-
map :attr, :string, :message, 4, "google.protobuf.Value"
|
111
|
-
optional :scope, :string, 5, json_name: "scope"
|
112
|
-
end
|
113
|
-
add_message "cerbos.engine.v1.AuxData" do
|
114
|
-
map :jwt, :string, :message, 1, "google.protobuf.Value"
|
115
|
-
end
|
116
|
-
add_message "cerbos.engine.v1.Trace" do
|
117
|
-
repeated :components, :message, 1, "cerbos.engine.v1.Trace.Component", json_name: "components"
|
118
|
-
optional :event, :message, 2, "cerbos.engine.v1.Trace.Event", json_name: "event"
|
119
|
-
end
|
120
|
-
add_message "cerbos.engine.v1.Trace.Component" do
|
121
|
-
optional :kind, :enum, 1, "cerbos.engine.v1.Trace.Component.Kind", json_name: "kind"
|
122
|
-
oneof :details do
|
123
|
-
optional :action, :string, 2, json_name: "action"
|
124
|
-
optional :derived_role, :string, 3, json_name: "derivedRole"
|
125
|
-
optional :expr, :string, 4, json_name: "expr"
|
126
|
-
optional :index, :uint32, 5, json_name: "index"
|
127
|
-
optional :policy, :string, 6, json_name: "policy"
|
128
|
-
optional :resource, :string, 7, json_name: "resource"
|
129
|
-
optional :rule, :string, 8, json_name: "rule"
|
130
|
-
optional :scope, :string, 9, json_name: "scope"
|
131
|
-
optional :variable, :message, 10, "cerbos.engine.v1.Trace.Component.Variable", json_name: "variable"
|
132
|
-
end
|
133
|
-
end
|
134
|
-
add_message "cerbos.engine.v1.Trace.Component.Variable" do
|
135
|
-
optional :name, :string, 1, json_name: "name"
|
136
|
-
optional :expr, :string, 2, json_name: "expr"
|
137
|
-
end
|
138
|
-
add_enum "cerbos.engine.v1.Trace.Component.Kind" do
|
139
|
-
value :KIND_UNSPECIFIED, 0
|
140
|
-
value :KIND_ACTION, 1
|
141
|
-
value :KIND_CONDITION_ALL, 2
|
142
|
-
value :KIND_CONDITION_ANY, 3
|
143
|
-
value :KIND_CONDITION_NONE, 4
|
144
|
-
value :KIND_CONDITION, 5
|
145
|
-
value :KIND_DERIVED_ROLE, 6
|
146
|
-
value :KIND_EXPR, 7
|
147
|
-
value :KIND_POLICY, 8
|
148
|
-
value :KIND_RESOURCE, 9
|
149
|
-
value :KIND_RULE, 10
|
150
|
-
value :KIND_SCOPE, 11
|
151
|
-
value :KIND_VARIABLE, 12
|
152
|
-
value :KIND_VARIABLES, 13
|
153
|
-
end
|
154
|
-
add_message "cerbos.engine.v1.Trace.Event" do
|
155
|
-
optional :status, :enum, 1, "cerbos.engine.v1.Trace.Event.Status", json_name: "status"
|
156
|
-
optional :effect, :enum, 2, "cerbos.effect.v1.Effect", json_name: "effect"
|
157
|
-
optional :error, :string, 3, json_name: "error"
|
158
|
-
optional :message, :string, 4, json_name: "message"
|
159
|
-
optional :result, :message, 5, "google.protobuf.Value", json_name: "result"
|
160
|
-
end
|
161
|
-
add_enum "cerbos.engine.v1.Trace.Event.Status" do
|
162
|
-
value :STATUS_UNSPECIFIED, 0
|
163
|
-
value :STATUS_ACTIVATED, 1
|
164
|
-
value :STATUS_SKIPPED, 2
|
10
|
+
|
11
|
+
descriptor_data = "\n\x1d\x63\x65rbos/engine/v1/engine.proto\x12\x10\x63\x65rbos.engine.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xde\x07\n\x12PlanResourcesInput\x1a\xc7\x07\n\x08Resource\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xb8\x01\n\x04\x61ttr\x18\x02 \x03(\x0b\x32\x37.cerbos.engine.v1.PlanResourcesInput.Resource.AttrEntryBk\x92\x41`2^Key-value pairs of contextual data about the resource that are known at a time of the request.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\xdc\x01\n\x0epolicy_version\x18\x03 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x85\x02\n\x05scope\x18\x04 \x01(\tB\xee\x01\x92\x41\xb1\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xa4\x06\n\x13PlanResourcesFilter\x12\xad\x01\n\x04kind\x18\x01 \x01(\x0e\x32*.cerbos.engine.v1.PlanResourcesFilter.KindBm\x92\x41j2hFilter kind. Defines whether the given action is always allowed, always denied or allowed conditionally.R\x04kind\x12\x9a\x01\n\tcondition\x18\x02 \x01(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandBB\x92\x41?2=Filter condition. 
Only populated if kind is KIND_CONDITIONAL.R\tcondition\x1a\xda\x02\n\nExpression\x12)\n\x08operator\x18\x01 \x01(\tB\r\x92\x41\n2\x08OperatorR\x08operator\x12T\n\x08operands\x18\x02 \x03(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandR\x08operands\x1a\xb3\x01\n\x07Operand\x12.\n\x05value\x18\x01 \x01(\x0b\x32\x16.google.protobuf.ValueH\x00R\x05value\x12R\n\nexpression\x18\x02 \x01(\x0b\x32\x30.cerbos.engine.v1.PlanResourcesFilter.ExpressionH\x00R\nexpression\x12\x1c\n\x08variable\x18\x03 \x01(\tH\x00R\x08variableB\x06\n\x04node:\x15\x92\x41\x12\n\x10\x32\x0e\x43\x45L expression\"c\n\x04Kind\x12\x14\n\x10KIND_UNSPECIFIED\x10\x00\x12\x17\n\x13KIND_ALWAYS_ALLOWED\x10\x01\x12\x16\n\x12KIND_ALWAYS_DENIED\x10\x02\x12\x14\n\x10KIND_CONDITIONAL\x10\x03\"\xeb\x01\n\x0bOutputEntry\x12\x65\n\x03src\x18\x01 \x01(\tBS\x92\x41P2)Rule that matched to produce this output.J#\"resource.expense.v1/acme#rule-001\"R\x03src\x12u\n\x03val\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueBK\x92\x41H27Dynamic output, determined by user defined rule output.J\r\"some_string\"R\x03val\"\xc0\x08\n\x08Resource\x12\xe1\x01\n\x04kind\x18\x01 \x01(\tB\xcc\x01\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. 
If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x43\n\x02id\x18\x03 \x01(\tB3\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32$.cerbos.engine.v1.Resource.AttrEntryB\x8a\x01\x92\x41\x7f\x32\x64Kay-value pairs of contextual data about this resource that should be used during policy evaluation.J\x17{\"owner\": \"bugs_bunny\"}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x92\x02\n\x05scope\x18\x05 \x01(\tB\xfb\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xe3\x08\n\tPrincipal\x12@\n\x02id\x18\x01 \x01(\tB0\x92\x41#2\x13ID of the principalJ\x0c\"bugs_bunny\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. 
If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xaa\x01\n\x05roles\x18\x03 \x03(\tB\x93\x01\x92\x41l2FRoles assigned to this principal from your identity management system.J\x08[\"user\"]\x8a\x01\x11^[[:word:]\\-\\.]+$\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x1e\x92\x01\x1b\x08\x01\x18\x01\"\x15r\x13\x32\x11^[[:word:]\\-\\.]+$R\x05roles\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32%.cerbos.engine.v1.Principal.AttrEntryB\x89\x01\x92\x41~2eKey-value pairs of contextual data about this principal that should be used during policy evaluation.J\x15{\"beta_tester\": true}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x93\x02\n\x05scope\x18\x05 \x01(\tB\xfc\x01\x92\x41\xbf\x01\x32~A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:Y\x92\x41V\nT2RA person or application attempting to perform the actions on the set of resources.Bo\n\x18\x64\x65v.cerbos.api.v1.engineZ<github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1;enginev1\xaa\x02\x14\x43\x65rbos.Api.V1.Engineb\x06proto3"
|
12
|
+
|
13
|
+
pool = Google::Protobuf::DescriptorPool.generated_pool
|
14
|
+
|
15
|
+
begin
|
16
|
+
pool.add_serialized_file(descriptor_data)
|
17
|
+
rescue TypeError => e
|
18
|
+
# Compatibility code: will be removed in the next major version.
|
19
|
+
require 'google/protobuf/descriptor_pb'
|
20
|
+
parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
|
21
|
+
parsed.clear_dependency
|
22
|
+
serialized = parsed.class.encode(parsed)
|
23
|
+
file = pool.add_serialized_file(serialized)
|
24
|
+
warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
|
25
|
+
imports = [
|
26
|
+
["google.protobuf.Value", "google/protobuf/struct.proto"],
|
27
|
+
]
|
28
|
+
imports.each do |type_name, expected_filename|
|
29
|
+
import_file = pool.lookup(type_name).file_descriptor
|
30
|
+
if import_file.name != expected_filename
|
31
|
+
warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
|
165
32
|
end
|
166
33
|
end
|
34
|
+
warn "Each proto file must use a consistent fully-qualified name."
|
35
|
+
warn "This will become an error in the next major version."
|
167
36
|
end
|
168
37
|
|
169
38
|
module Cerbos::Protobuf::Cerbos
|
@@ -171,27 +40,13 @@ module Cerbos::Protobuf::Cerbos
|
|
171
40
|
module V1
|
172
41
|
PlanResourcesInput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesInput").msgclass
|
173
42
|
PlanResourcesInput::Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesInput.Resource").msgclass
|
174
|
-
PlanResourcesAst = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst").msgclass
|
175
|
-
PlanResourcesAst::Node = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst.Node").msgclass
|
176
|
-
PlanResourcesAst::LogicalOperation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst.LogicalOperation").msgclass
|
177
|
-
PlanResourcesAst::LogicalOperation::Operator = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesAst.LogicalOperation.Operator").enummodule
|
178
43
|
PlanResourcesFilter = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter").msgclass
|
179
44
|
PlanResourcesFilter::Expression = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression").msgclass
|
180
45
|
PlanResourcesFilter::Expression::Operand = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression.Operand").msgclass
|
181
46
|
PlanResourcesFilter::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Kind").enummodule
|
182
|
-
|
183
|
-
CheckInput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.CheckInput").msgclass
|
184
|
-
CheckOutput = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.CheckOutput").msgclass
|
185
|
-
CheckOutput::ActionEffect = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.CheckOutput.ActionEffect").msgclass
|
47
|
+
OutputEntry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.OutputEntry").msgclass
|
186
48
|
Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Resource").msgclass
|
187
49
|
Principal = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Principal").msgclass
|
188
|
-
AuxData = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.AuxData").msgclass
|
189
|
-
Trace = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace").msgclass
|
190
|
-
Trace::Component = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Component").msgclass
|
191
|
-
Trace::Component::Variable = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Component.Variable").msgclass
|
192
|
-
Trace::Component::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Component.Kind").enummodule
|
193
|
-
Trace::Event = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Event").msgclass
|
194
|
-
Trace::Event::Status = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Trace.Event.Status").enummodule
|
195
50
|
end
|
196
51
|
end
|
197
52
|
end
|