cerbos 0.6.1 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +31 -2
- data/README.md +1 -1
- data/cerbos.gemspec +1 -1
- data/lib/cerbos/output/check_resources.rb +38 -3
- data/lib/cerbos/protobuf/cerbos/effect/v1/effect_pb.rb +24 -7
- data/lib/cerbos/protobuf/cerbos/engine/v1/engine_pb.rb +26 -44
- data/lib/cerbos/protobuf/cerbos/request/v1/request_pb.rb +26 -56
- data/lib/cerbos/protobuf/cerbos/response/v1/response_pb.rb +26 -72
- data/lib/cerbos/protobuf/cerbos/schema/v1/schema_pb.rb +24 -11
- data/lib/cerbos/protobuf/cerbos/svc/v1/svc_pb.rb +25 -2
- data/lib/cerbos/protobuf/cerbos/svc/v1/svc_services_pb.rb +4 -0
- data/lib/cerbos/protobuf/google/api/annotations_pb.rb +26 -2
- data/lib/cerbos/protobuf/google/api/field_behavior_pb.rb +24 -11
- data/lib/cerbos/protobuf/google/api/http_pb.rb +24 -19
- data/lib/cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb.rb +26 -2
- data/lib/cerbos/protobuf/protoc-gen-openapiv2/options/openapiv2_pb.rb +28 -165
- data/lib/cerbos/protobuf/validate/validate_pb.rb +26 -254
- data/lib/cerbos/version.rb +1 -1
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '09d04980a1c08690efeeac6d04608e47e18def9b0f2ab6a5c256b4b22576464d'
|
4
|
+
data.tar.gz: 61968be4473d1a480979d9e2d2af05f0911f1d8b4a8c90947d8dce72910565f7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 788ca1b6ff6c4e3a1ea71c791fef64f5802a89423d21dba5da7f91f7fc697ff91f1aa7ebcedab4d4bde807c531b3b13b4ac5e95a53b93d76c79077e214ecd54b
|
7
|
+
data.tar.gz: 2115919d8cb958b0c347c09710d780d7748fec5933f65f4e91d2af7c937ec0e151ad7cfa808526213a788839ea8360fcfa153b94b9574d9ce6facabdca56fab1
|
data/CHANGELOG.md
CHANGED
@@ -1,46 +1,75 @@
|
|
1
1
|
## [Unreleased]
|
2
|
+
|
2
3
|
No notable changes.
|
3
4
|
|
5
|
+
## [0.7.0] - 2023-06-07
|
6
|
+
|
7
|
+
### Added
|
8
|
+
|
9
|
+
- Support for user-defined policy rule outputs ([#100](https://github.com/cerbos/cerbos-sdk-ruby/pull/100))
|
10
|
+
|
11
|
+
Requires a policy decision point server running Cerbos 0.27+.
|
12
|
+
|
13
|
+
### Removed
|
14
|
+
|
15
|
+
- Support for Ruby 2.7 ([#90](https://github.com/cerbos/cerbos-sdk-ruby/pull/90))
|
16
|
+
|
4
17
|
## [0.6.1] - 2023-03-23
|
18
|
+
|
5
19
|
### Removed
|
20
|
+
|
6
21
|
- Unused generated code ([#83](https://github.com/cerbos/cerbos-sdk-ruby/pull/83))
|
7
22
|
|
8
23
|
## [0.6.0] - 2022-07-01
|
24
|
+
|
9
25
|
### Added
|
26
|
+
|
10
27
|
- Support for schema validation in `Cerbos::Client#plan_resources` ([#32](https://github.com/cerbos/cerbos-sdk-ruby/pull/32))
|
11
28
|
|
12
|
-
Requires Cerbos 0.19+.
|
29
|
+
Requires a policy decision point server running Cerbos 0.19+.
|
13
30
|
`Cerbos::Output::PlanResources#validation_errors` will always return an empty array if the client is connected to an earlier version of Cerbos.
|
14
31
|
|
15
32
|
As a result, `Cerbos::Output::CheckResources::Result::ValidationError` has moved to `Cerbos::Output::ValidationError`.
|
16
33
|
Attempting to access the class via the old namespace will print a deprecation warning and return the new class.
|
17
34
|
|
18
35
|
## [0.5.0] - 2022-06-09
|
36
|
+
|
19
37
|
### Added
|
38
|
+
|
20
39
|
- Allow symbol keys in nested attributes hashes ([#28](https://github.com/cerbos/cerbos-sdk-ruby/pull/28))
|
21
40
|
|
22
41
|
## [0.4.0] - 2022-06-03
|
42
|
+
|
23
43
|
### Added
|
44
|
+
|
24
45
|
- `on_validation_error` option to `Cerbos::Client#initialize` ([#22](https://github.com/cerbos/cerbos-sdk-ruby/pull/22))
|
25
46
|
|
26
47
|
### Changed
|
48
|
+
|
27
49
|
- Minor documentation fixes ([#21](https://github.com/cerbos/cerbos-sdk-ruby/pull/21))
|
28
50
|
|
29
51
|
## [0.3.0] - 2022-05-13
|
52
|
+
|
30
53
|
### Added
|
54
|
+
|
31
55
|
- More helper methods ([#11](https://github.com/cerbos/cerbos-sdk-ruby/pull/11))
|
32
56
|
- `Cerbos::Client#allow?` for checking a single action on a resource
|
33
57
|
- `Cerbos::Output::CheckResources#allow_all?` and `Cerbos::Output::CheckResources::Result#allow_all?` for checking if all input actions were allowed
|
34
58
|
|
35
59
|
## [0.2.0] - 2022-05-12
|
60
|
+
|
36
61
|
### Changed
|
62
|
+
|
37
63
|
- Increased `grpc` version requirement to 1.46+ to avoid [installing a native gem compiled for `x86_64-darwin` on `arm64-darwin`](https://github.com/grpc/grpc/issues/29100) ([#8](https://github.com/cerbos/cerbos-sdk-ruby/pull/8))
|
38
64
|
|
39
65
|
## [0.1.0] - 2022-05-12
|
66
|
+
|
40
67
|
### Added
|
68
|
+
|
41
69
|
- Initial implementation of `Cerbos::Client` ([#2](https://github.com/cerbos/cerbos-sdk-ruby/pull/2))
|
42
70
|
|
43
|
-
[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.
|
71
|
+
[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.7.0...HEAD
|
72
|
+
[0.7.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...v0.7.0
|
44
73
|
[0.6.1]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...v0.6.1
|
45
74
|
[0.6.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.5.0...v0.6.0
|
46
75
|
[0.5.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.4.0...v0.5.0
|
data/README.md
CHANGED
data/cerbos.gemspec
CHANGED
@@ -73,7 +73,7 @@ module Cerbos
|
|
73
73
|
end
|
74
74
|
|
75
75
|
# The outcome of checking a principal's permissions on single resource.
|
76
|
-
CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
|
76
|
+
CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
|
77
77
|
# @!attribute [r] resource
|
78
78
|
# The resource that was checked.
|
79
79
|
#
|
@@ -95,6 +95,11 @@ module Cerbos
|
|
95
95
|
# @return [Metadata]
|
96
96
|
# @return [nil] if `include_metadata` was `false`.
|
97
97
|
|
98
|
+
# @!attribute [r] outputs
|
99
|
+
# User-defined outputs from policy rule evaluations.
|
100
|
+
#
|
101
|
+
# @return [Array<Output>]
|
102
|
+
|
98
103
|
# @private
|
99
104
|
def self.const_missing(const)
|
100
105
|
if const == :ValidationError
|
@@ -110,7 +115,8 @@ module Cerbos
|
|
110
115
|
resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
|
111
116
|
actions: entry.actions.to_h,
|
112
117
|
validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
|
113
|
-
metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
|
118
|
+
metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta),
|
119
|
+
outputs: (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }
|
114
120
|
)
|
115
121
|
end
|
116
122
|
|
@@ -126,7 +132,7 @@ module Cerbos
|
|
126
132
|
#
|
127
133
|
# @return [Boolean]
|
128
134
|
def allow_all?
|
129
|
-
actions.each_value.all?
|
135
|
+
actions.each_value.all?(:EFFECT_ALLOW)
|
130
136
|
end
|
131
137
|
|
132
138
|
# List the actions that should be allowed for the resource.
|
@@ -135,6 +141,15 @@ module Cerbos
|
|
135
141
|
def allowed_actions
|
136
142
|
actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
|
137
143
|
end
|
144
|
+
|
145
|
+
# Find the value of the user-defined output for a particular policy rule.
|
146
|
+
#
|
147
|
+
# @param source [String] the identifier of the policy rule that produced the output.
|
148
|
+
# @return [String, Numeric, Boolean, Array, Hash, nil]
|
149
|
+
# @return [nil] if the result does not include an output for the source.
|
150
|
+
def output(source)
|
151
|
+
outputs.find { |output| output.source == source }&.value
|
152
|
+
end
|
138
153
|
end
|
139
154
|
|
140
155
|
# A resource that was checked.
|
@@ -216,5 +231,25 @@ module Cerbos
|
|
216
231
|
)
|
217
232
|
end
|
218
233
|
end
|
234
|
+
|
235
|
+
# User-defined output from a policy rule evaluation.
|
236
|
+
CheckResources::Result::Output = Output.new_class(:source, :value) do
|
237
|
+
# @!attribute [r] source
|
238
|
+
# The identifier of the policy rule that produced the output.
|
239
|
+
#
|
240
|
+
# @return [String]
|
241
|
+
|
242
|
+
# @!attribute [r] value
|
243
|
+
# The result of evaluating the output expression.
|
244
|
+
#
|
245
|
+
# @return [String, Numeric, Boolean, Array, Hash, nil]
|
246
|
+
|
247
|
+
def self.from_protobuf(output_entry)
|
248
|
+
new(
|
249
|
+
source: output_entry.src,
|
250
|
+
value: output_entry.val&.to_ruby(true)
|
251
|
+
)
|
252
|
+
end
|
253
|
+
end
|
219
254
|
end
|
220
255
|
end
|
@@ -1,17 +1,34 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
3
|
# source: cerbos/effect/v1/effect.proto
|
3
4
|
|
4
5
|
require 'google/protobuf'
|
5
6
|
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
7
|
+
|
8
|
+
descriptor_data = "\n\x1d\x63\x65rbos/effect/v1/effect.proto\x12\x10\x63\x65rbos.effect.v1*X\n\x06\x45\x66\x66\x65\x63t\x12\x16\n\x12\x45\x46\x46\x45\x43T_UNSPECIFIED\x10\x00\x12\x10\n\x0c\x45\x46\x46\x45\x43T_ALLOW\x10\x01\x12\x0f\n\x0b\x45\x46\x46\x45\x43T_DENY\x10\x02\x12\x13\n\x0f\x45\x46\x46\x45\x43T_NO_MATCH\x10\x03\x42o\n\x18\x64\x65v.cerbos.api.v1.effectZ<github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1;effectv1\xaa\x02\x14\x43\x65rbos.Api.V1.Effectb\x06proto3"
|
9
|
+
|
10
|
+
pool = Google::Protobuf::DescriptorPool.generated_pool
|
11
|
+
|
12
|
+
begin
|
13
|
+
pool.add_serialized_file(descriptor_data)
|
14
|
+
rescue TypeError => e
|
15
|
+
# Compatibility code: will be removed in the next major version.
|
16
|
+
require 'google/protobuf/descriptor_pb'
|
17
|
+
parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
|
18
|
+
parsed.clear_dependency
|
19
|
+
serialized = parsed.class.encode(parsed)
|
20
|
+
file = pool.add_serialized_file(serialized)
|
21
|
+
warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
|
22
|
+
imports = [
|
23
|
+
]
|
24
|
+
imports.each do |type_name, expected_filename|
|
25
|
+
import_file = pool.lookup(type_name).file_descriptor
|
26
|
+
if import_file.name != expected_filename
|
27
|
+
warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
|
13
28
|
end
|
14
29
|
end
|
30
|
+
warn "Each proto file must use a consistent fully-qualified name."
|
31
|
+
warn "This will become an error in the next major version."
|
15
32
|
end
|
16
33
|
|
17
34
|
module Cerbos::Protobuf::Cerbos
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
3
|
# source: cerbos/engine/v1/engine.proto
|
3
4
|
|
@@ -6,52 +7,32 @@ require 'google/protobuf'
|
|
6
7
|
require 'google/protobuf/struct_pb'
|
7
8
|
require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
|
8
9
|
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
optional :variable, :string, 3, json_name: "variable"
|
32
|
-
end
|
33
|
-
end
|
34
|
-
add_enum "cerbos.engine.v1.PlanResourcesFilter.Kind" do
|
35
|
-
value :KIND_UNSPECIFIED, 0
|
36
|
-
value :KIND_ALWAYS_ALLOWED, 1
|
37
|
-
value :KIND_ALWAYS_DENIED, 2
|
38
|
-
value :KIND_CONDITIONAL, 3
|
39
|
-
end
|
40
|
-
add_message "cerbos.engine.v1.Resource" do
|
41
|
-
optional :kind, :string, 1, json_name: "kind"
|
42
|
-
optional :policy_version, :string, 2, json_name: "policyVersion"
|
43
|
-
optional :id, :string, 3, json_name: "id"
|
44
|
-
map :attr, :string, :message, 4, "google.protobuf.Value"
|
45
|
-
optional :scope, :string, 5, json_name: "scope"
|
46
|
-
end
|
47
|
-
add_message "cerbos.engine.v1.Principal" do
|
48
|
-
optional :id, :string, 1, json_name: "id"
|
49
|
-
optional :policy_version, :string, 2, json_name: "policyVersion"
|
50
|
-
repeated :roles, :string, 3, json_name: "roles"
|
51
|
-
map :attr, :string, :message, 4, "google.protobuf.Value"
|
52
|
-
optional :scope, :string, 5, json_name: "scope"
|
10
|
+
|
11
|
+
descriptor_data = "\n\x1d\x63\x65rbos/engine/v1/engine.proto\x12\x10\x63\x65rbos.engine.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xde\x07\n\x12PlanResourcesInput\x1a\xc7\x07\n\x08Resource\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xb8\x01\n\x04\x61ttr\x18\x02 \x03(\x0b\x32\x37.cerbos.engine.v1.PlanResourcesInput.Resource.AttrEntryBk\x92\x41`2^Key-value pairs of contextual data about the resource that are known at a time of the request.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\xdc\x01\n\x0epolicy_version\x18\x03 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x85\x02\n\x05scope\x18\x04 \x01(\tB\xee\x01\x92\x41\xb1\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xa4\x06\n\x13PlanResourcesFilter\x12\xad\x01\n\x04kind\x18\x01 \x01(\x0e\x32*.cerbos.engine.v1.PlanResourcesFilter.KindBm\x92\x41j2hFilter kind. Defines whether the given action is always allowed, always denied or allowed conditionally.R\x04kind\x12\x9a\x01\n\tcondition\x18\x02 \x01(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandBB\x92\x41?2=Filter condition. Only populated if kind is KIND_CONDITIONAL.R\tcondition\x1a\xda\x02\n\nExpression\x12)\n\x08operator\x18\x01 \x01(\tB\r\x92\x41\n2\x08OperatorR\x08operator\x12T\n\x08operands\x18\x02 \x03(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandR\x08operands\x1a\xb3\x01\n\x07Operand\x12.\n\x05value\x18\x01 \x01(\x0b\x32\x16.google.protobuf.ValueH\x00R\x05value\x12R\n\nexpression\x18\x02 \x01(\x0b\x32\x30.cerbos.engine.v1.PlanResourcesFilter.ExpressionH\x00R\nexpression\x12\x1c\n\x08variable\x18\x03 \x01(\tH\x00R\x08variableB\x06\n\x04node:\x15\x92\x41\x12\n\x10\x32\x0e\x43\x45L expression\"c\n\x04Kind\x12\x14\n\x10KIND_UNSPECIFIED\x10\x00\x12\x17\n\x13KIND_ALWAYS_ALLOWED\x10\x01\x12\x16\n\x12KIND_ALWAYS_DENIED\x10\x02\x12\x14\n\x10KIND_CONDITIONAL\x10\x03\"\xeb\x01\n\x0bOutputEntry\x12\x65\n\x03src\x18\x01 \x01(\tBS\x92\x41P2)Rule that matched to produce this output.J#\"resource.expense.v1/acme#rule-001\"R\x03src\x12u\n\x03val\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueBK\x92\x41H27Dynamic output, determined by user defined rule output.J\r\"some_string\"R\x03val\"\xc0\x08\n\x08Resource\x12\xe1\x01\n\x04kind\x18\x01 \x01(\tB\xcc\x01\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x43\n\x02id\x18\x03 \x01(\tB3\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32$.cerbos.engine.v1.Resource.AttrEntryB\x8a\x01\x92\x41\x7f\x32\x64Kay-value pairs of contextual data about this resource that should be used during policy evaluation.J\x17{\"owner\": \"bugs_bunny\"}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x92\x02\n\x05scope\x18\x05 \x01(\tB\xfb\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xe3\x08\n\tPrincipal\x12@\n\x02id\x18\x01 \x01(\tB0\x92\x41#2\x13ID of the principalJ\x0c\"bugs_bunny\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xaa\x01\n\x05roles\x18\x03 \x03(\tB\x93\x01\x92\x41l2FRoles assigned to this principal from your identity management system.J\x08[\"user\"]\x8a\x01\x11^[[:word:]\\-\\.]+$\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x1e\x92\x01\x1b\x08\x01\x18\x01\"\x15r\x13\x32\x11^[[:word:]\\-\\.]+$R\x05roles\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32%.cerbos.engine.v1.Principal.AttrEntryB\x89\x01\x92\x41~2eKey-value pairs of contextual data about this principal that should be used during policy evaluation.J\x15{\"beta_tester\": true}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x93\x02\n\x05scope\x18\x05 \x01(\tB\xfc\x01\x92\x41\xbf\x01\x32~A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:Y\x92\x41V\nT2RA person or application attempting to perform the actions on the set of resources.Bo\n\x18\x64\x65v.cerbos.api.v1.engineZ<github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1;enginev1\xaa\x02\x14\x43\x65rbos.Api.V1.Engineb\x06proto3"
|
12
|
+
|
13
|
+
pool = Google::Protobuf::DescriptorPool.generated_pool
|
14
|
+
|
15
|
+
begin
|
16
|
+
pool.add_serialized_file(descriptor_data)
|
17
|
+
rescue TypeError => e
|
18
|
+
# Compatibility code: will be removed in the next major version.
|
19
|
+
require 'google/protobuf/descriptor_pb'
|
20
|
+
parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
|
21
|
+
parsed.clear_dependency
|
22
|
+
serialized = parsed.class.encode(parsed)
|
23
|
+
file = pool.add_serialized_file(serialized)
|
24
|
+
warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
|
25
|
+
imports = [
|
26
|
+
["google.protobuf.Value", "google/protobuf/struct.proto"],
|
27
|
+
]
|
28
|
+
imports.each do |type_name, expected_filename|
|
29
|
+
import_file = pool.lookup(type_name).file_descriptor
|
30
|
+
if import_file.name != expected_filename
|
31
|
+
warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
|
53
32
|
end
|
54
33
|
end
|
34
|
+
warn "Each proto file must use a consistent fully-qualified name."
|
35
|
+
warn "This will become an error in the next major version."
|
55
36
|
end
|
56
37
|
|
57
38
|
module Cerbos::Protobuf::Cerbos
|
@@ -63,6 +44,7 @@ module Cerbos::Protobuf::Cerbos
|
|
63
44
|
PlanResourcesFilter::Expression = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression").msgclass
|
64
45
|
PlanResourcesFilter::Expression::Operand = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression.Operand").msgclass
|
65
46
|
PlanResourcesFilter::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Kind").enummodule
|
47
|
+
OutputEntry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.OutputEntry").msgclass
|
66
48
|
Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Resource").msgclass
|
67
49
|
Principal = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Principal").msgclass
|
68
50
|
end
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
3
|
# source: cerbos/request/v1/request.proto
|
3
4
|
|
@@ -9,64 +10,33 @@ require 'google/protobuf/struct_pb'
|
|
9
10
|
require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
|
10
11
|
require 'cerbos/protobuf/validate/validate_pb'
|
11
12
|
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
end
|
36
|
-
add_message "cerbos.request.v1.AttributesMap" do
|
37
|
-
map :attr, :string, :message, 1, "google.protobuf.Value"
|
38
|
-
end
|
39
|
-
add_message "cerbos.request.v1.CheckResourceBatchRequest" do
|
40
|
-
optional :request_id, :string, 1, json_name: "requestId"
|
41
|
-
optional :principal, :message, 2, "cerbos.engine.v1.Principal", json_name: "principal"
|
42
|
-
repeated :resources, :message, 3, "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry", json_name: "resources"
|
43
|
-
optional :aux_data, :message, 4, "cerbos.request.v1.AuxData", json_name: "auxData"
|
44
|
-
end
|
45
|
-
add_message "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry" do
|
46
|
-
repeated :actions, :string, 1, json_name: "actions"
|
47
|
-
optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
|
48
|
-
end
|
49
|
-
add_message "cerbos.request.v1.CheckResourcesRequest" do
|
50
|
-
optional :request_id, :string, 1, json_name: "requestId"
|
51
|
-
optional :include_meta, :bool, 2, json_name: "includeMeta"
|
52
|
-
optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
|
53
|
-
repeated :resources, :message, 4, "cerbos.request.v1.CheckResourcesRequest.ResourceEntry", json_name: "resources"
|
54
|
-
optional :aux_data, :message, 5, "cerbos.request.v1.AuxData", json_name: "auxData"
|
55
|
-
end
|
56
|
-
add_message "cerbos.request.v1.CheckResourcesRequest.ResourceEntry" do
|
57
|
-
repeated :actions, :string, 1, json_name: "actions"
|
58
|
-
optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
|
59
|
-
end
|
60
|
-
add_message "cerbos.request.v1.AuxData" do
|
61
|
-
optional :jwt, :message, 1, "cerbos.request.v1.AuxData.JWT", json_name: "jwt"
|
62
|
-
end
|
63
|
-
add_message "cerbos.request.v1.AuxData.JWT" do
|
64
|
-
optional :token, :string, 1, json_name: "token"
|
65
|
-
optional :key_set_id, :string, 2, json_name: "keySetId"
|
66
|
-
end
|
67
|
-
add_message "cerbos.request.v1.ServerInfoRequest" do
|
13
|
+
|
14
|
+
descriptor_data = "\n\x1f\x63\x65rbos/request/v1/request.proto\x12\x11\x63\x65rbos.request.v1\x1a\x1d\x63\x65rbos/engine/v1/engine.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\x1a\x17validate/validate.proto\"\x83\x05\n\x14PlanResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12h\n\x06\x61\x63tion\x18\x02 \x01(\tBP\x92\x41\x43\x32\x32\x41\x63tion to be applied to each resource in the list.J\r\"view:public\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x06\x61\x63tion\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12V\n\x08resource\x18\x04 \x01(\x0b\x32-.cerbos.engine.v1.PlanResourcesInput.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12:\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData\x12\x63\n\x0cinclude_meta\x18\x06 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta:\'\x92\x41$\n\"2 PDP Resources Query Plan Request\"\x87\x05\n\x17\x43heckResourceSetRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x8c\x01\n\x07\x61\x63tions\x18\x02 \x03(\tBr\x92\x41\\28List of actions being performed on the set of resources.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12G\n\x08resource\x18\x04 \x01(\x0b\x32\x1e.cerbos.request.v1.ResourceSetB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12\x63\n\x0cinclude_meta\x18\x05 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta\x12:\n\x08\x61ux_data\x18\x06 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xaf\t\n\x0bResourceSet\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xeb\x02\n\tinstances\x18\x03 \x03(\x0b\x32-.cerbos.request.v1.ResourceSet.InstancesEntryB\x9d\x02\x92\x41\x8c\x02\x32mSet of resource instances to check. Each instance must be keyed by an application-specific unique identifier.J\x97\x01{\"XX125\":{\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}, \"XX225\":{\"attr\":{\"owner\":\"daffy_duck\", \"public\": true, \"flagged\": false}}}\xc8\x01\x01\xe0\x41\x02\xfa\x42\x07\x9a\x01\x04\x08\x01\x18\x01R\tinstances\x12\x86\x02\n\x05scope\x18\x04 \x01(\tB\xef\x01\x92\x41\xb2\x01\x32~A dot-separated scope that describes the hierarchy these resources belong to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1a^\n\x0eInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x36\n\x05value\x18\x02 \x01(\x0b\x32 .cerbos.request.v1.AttributesMapR\x05value:\x02\x38\x01: \x92\x41\x1d\n\x1b\x32\x19Set of resources to check\"\xc9\x02\n\rAttributesMap\x12\xb1\x01\n\x04\x61ttr\x18\x01 \x03(\x0b\x32*.cerbos.request.v1.AttributesMap.AttrEntryBq\x92\x41\x66\x32\x64Key-value pairs of contextual data about this instance that should be used during policy evaluation.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:3\x92\x41\x30\n.2,Unique identifier for the resource instance.\"\xe1\x06\n\x19\x43heckResourceBatchRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x46\n\tprincipal\x18\x02 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbc\x02\n\tresources\x18\x03 \x03(\x0b\x32\x37.cerbos.request.v1.CheckResourceBatchRequest.BatchEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x04 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xd8\x01\n\nBatchEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xc5\x07\n\x15\x43heckResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12X\n\x0cinclude_meta\x18\x02 \x01(\x08\x42\x35\x92\x41\x32\x32\x30\x41\x64\x64 request processing metadata to the response.R\x0bincludeMeta\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbb\x02\n\tresources\x18\x04 \x03(\x0b\x32\x36.cerbos.request.v1.CheckResourcesRequest.ResourceEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xdb\x01\n\rResourceEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x1e\x92\x41\x1b\n\x19\x32\x17\x43heck resources request\"\xc5\x06\n\x07\x41uxData\x12\x30\n\x03jwt\x18\x01 \x01(\x0b\x32\x1e.cerbos.request.v1.AuxData.JWTR\x03jwt\x1a\xc3\x05\n\x03JWT\x12\x90\x04\n\x05token\x18\x01 \x01(\tB\xf9\x03\x92\x41\xeb\x03\x32\x1dJWT from the original requestJ\xc9\x03\"eyJhbGciOiJFUzM4NCIsImtpZCI6IjE5TGZaYXRFZGc4M1lOYzVyMjNndU1KcXJuND0iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiY2VyYm9zLWp3dC10ZXN0cyJdLCJjdXN0b21BcnJheSI6WyJBIiwiQiIsIkMiXSwiY3VzdG9tSW50Ijo0MiwiY3VzdG9tTWFwIjp7IkEiOiJBQSIsIkIiOiJCQiIsIkMiOiJDQyJ9LCJjdXN0b21TdHJpbmciOiJmb29iYXIiLCJleHAiOjE5NDk5MzQwMzksImlzcyI6ImNlcmJvcy10ZXN0LXN1aXRlIn0.WN_tOScSpd_EI-P5EI1YlagxEgExSfBjAtcrgcF6lyWj1lGpR_GKx9goZEp2p_t5AVWXN_bjz_sMUmJdJa4cVd55Qm1miR-FKu6oNRHnSEWdMFmnArwPw-YDJWfylLFX\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x05token\x12\x82\x01\n\nkey_set_id\x18\x02 \x01(\tBd\x92\x41\x61\x32RKey ID to use when decoding the token (defined in the Cerbos server configuration)J\x0b\"my-keyset\"R\x08keySetId:$\x92\x41!\n\x1f\x32\x1dJWT from the original request:B\x92\x41?\n=2;Structured auxiliary data useful for evaluating the request\"/\n\x11ServerInfoRequest:\x1a\x92\x41\x17\n\x15\x32\x13Server info requestBs\n\x19\x64\x65v.cerbos.api.v1.requestZ>github.com/cerbos/cerbos/api/genpb/cerbos/request/v1;requestv1\xaa\x02\x15\x43\x65rbos.Api.V1.Requestb\x06proto3"
|
15
|
+
|
16
|
+
pool = Google::Protobuf::DescriptorPool.generated_pool
|
17
|
+
|
18
|
+
begin
|
19
|
+
pool.add_serialized_file(descriptor_data)
|
20
|
+
rescue TypeError => e
|
21
|
+
# Compatibility code: will be removed in the next major version.
|
22
|
+
require 'google/protobuf/descriptor_pb'
|
23
|
+
parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
|
24
|
+
parsed.clear_dependency
|
25
|
+
serialized = parsed.class.encode(parsed)
|
26
|
+
file = pool.add_serialized_file(serialized)
|
27
|
+
warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
|
28
|
+
imports = [
|
29
|
+
["cerbos.engine.v1.Principal", "cerbos/engine/v1/engine.proto"],
|
30
|
+
["google.protobuf.Value", "google/protobuf/struct.proto"],
|
31
|
+
]
|
32
|
+
imports.each do |type_name, expected_filename|
|
33
|
+
import_file = pool.lookup(type_name).file_descriptor
|
34
|
+
if import_file.name != expected_filename
|
35
|
+
warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
|
68
36
|
end
|
69
37
|
end
|
38
|
+
warn "Each proto file must use a consistent fully-qualified name."
|
39
|
+
warn "This will become an error in the next major version."
|
70
40
|
end
|
71
41
|
|
72
42
|
module Cerbos::Protobuf::Cerbos
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
3
|
# source: cerbos/response/v1/response.proto
|
3
4
|
|
@@ -8,80 +9,33 @@ require 'cerbos/protobuf/cerbos/engine/v1/engine_pb'
|
|
8
9
|
require 'cerbos/protobuf/cerbos/schema/v1/schema_pb'
|
9
10
|
require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
|
10
11
|
|
11
|
-
|
12
|
-
add_file("cerbos/response/v1/response.proto", :syntax => :proto3) do
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
end
|
35
|
-
add_message "cerbos.response.v1.CheckResourceSetResponse.Meta" do
|
36
|
-
map :resource_instances, :string, :message, 1, "cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta"
|
37
|
-
end
|
38
|
-
add_message "cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMeta" do
|
39
|
-
optional :matched_policy, :string, 1, json_name: "matchedPolicy"
|
40
|
-
optional :matched_scope, :string, 2, json_name: "matchedScope"
|
41
|
-
end
|
42
|
-
add_message "cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta" do
|
43
|
-
map :actions, :string, :message, 1, "cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMeta"
|
44
|
-
repeated :effective_derived_roles, :string, 2, json_name: "effectiveDerivedRoles"
|
45
|
-
end
|
46
|
-
add_message "cerbos.response.v1.CheckResourceBatchResponse" do
|
47
|
-
optional :request_id, :string, 1, json_name: "requestId"
|
48
|
-
repeated :results, :message, 2, "cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap", json_name: "results"
|
49
|
-
end
|
50
|
-
add_message "cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap" do
|
51
|
-
optional :resource_id, :string, 1, json_name: "resourceId"
|
52
|
-
map :actions, :string, :enum, 2, "cerbos.effect.v1.Effect"
|
53
|
-
repeated :validation_errors, :message, 3, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
|
54
|
-
end
|
55
|
-
add_message "cerbos.response.v1.CheckResourcesResponse" do
|
56
|
-
optional :request_id, :string, 1, json_name: "requestId"
|
57
|
-
repeated :results, :message, 2, "cerbos.response.v1.CheckResourcesResponse.ResultEntry", json_name: "results"
|
58
|
-
end
|
59
|
-
add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry" do
|
60
|
-
optional :resource, :message, 1, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Resource", json_name: "resource"
|
61
|
-
map :actions, :string, :enum, 2, "cerbos.effect.v1.Effect"
|
62
|
-
repeated :validation_errors, :message, 3, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
|
63
|
-
optional :meta, :message, 4, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta", json_name: "meta"
|
64
|
-
end
|
65
|
-
add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Resource" do
|
66
|
-
optional :id, :string, 1, json_name: "id"
|
67
|
-
optional :kind, :string, 2, json_name: "kind"
|
68
|
-
optional :policy_version, :string, 3, json_name: "policyVersion"
|
69
|
-
optional :scope, :string, 4, json_name: "scope"
|
70
|
-
end
|
71
|
-
add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta" do
|
72
|
-
map :actions, :string, :message, 1, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMeta"
|
73
|
-
repeated :effective_derived_roles, :string, 2, json_name: "effectiveDerivedRoles"
|
74
|
-
end
|
75
|
-
add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMeta" do
|
76
|
-
optional :matched_policy, :string, 1, json_name: "matchedPolicy"
|
77
|
-
optional :matched_scope, :string, 2, json_name: "matchedScope"
|
78
|
-
end
|
79
|
-
add_message "cerbos.response.v1.ServerInfoResponse" do
|
80
|
-
optional :version, :string, 1, json_name: "version"
|
81
|
-
optional :commit, :string, 2, json_name: "commit"
|
82
|
-
optional :build_date, :string, 3, json_name: "buildDate"
|
12
|
+
|
13
|
+
descriptor_data = "\n!cerbos/response/v1/response.proto\x12\x12\x63\x65rbos.response.v1\x1a\x1d\x63\x65rbos/effect/v1/effect.proto\x1a\x1d\x63\x65rbos/engine/v1/engine.proto\x1a\x1d\x63\x65rbos/schema/v1/schema.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xb5\x08\n\x15PlanResourcesResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x32\n\x06\x61\x63tion\x18\x02 \x01(\tB\x1a\x92\x41\x17\x32\x06\x41\x63tionJ\r\"view:public\"R\x06\x61\x63tion\x12\x8a\x01\n\rresource_kind\x18\x03 \x01(\tBe\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$R\x0cresourceKind\x12J\n\x0epolicy_version\x18\x04 \x01(\tB#\x92\x41 2\x13The policy version.J\t\"default\"R\rpolicyVersion\x12J\n\x06\x66ilter\x18\x05 \x01(\x0b\x32%.cerbos.engine.v1.PlanResourcesFilterB\x0b\x92\x41\x08\x32\x06\x46ilterR\x06\x66ilter\x12\x7f\n\x04meta\x18\x06 \x01(\x0b\x32..cerbos.response.v1.PlanResourcesResponse.MetaB;\x92\x41\x38\x32\x36Optional metadata about the request evaluation processR\x04meta\x12\x90\x01\n\x11validation_errors\x18\x07 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1a\xff\x01\n\x04Meta\x12]\n\x0c\x66ilter_debug\x18\x01 \x01(\tB:\x92\x41\x37\x32\x35\x46ilter textual representation for debugging purposes.R\x0b\x66ilterDebug\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:)\x92\x41&\n$2\"Metadata about request evaluation.:<\x92\x41\x39\n725Resources query plan response for a set of resources.\"\xc8\x15\n\x18\x43heckResourceSetResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xdb\x02\n\x12resource_instances\x18\x02 \x03(\x0b\x32\x43.cerbos.response.v1.CheckResourceSetResponse.ResourceInstancesEntryB\xe6\x01\x92\x41\xe2\x01\x32KResults for each resource instance, keyed by the ID supplied in the requestJ\x92\x01{\"XX125\":{\"actions\":{\"view:*\":\"EFFECT_ALLOW\", \"comment\": \"EFFECT_ALLOW\"}}, \"XX225\":{\"actions\":{\"view:*\":\"EFFECT_DENY\", \"comment\": \"EFFECT_DENY\"}}}R\x11resourceInstances\x12\x82\x01\n\x04meta\x18\x03 \x01(\x0b\x32\x31.cerbos.response.v1.CheckResourceSetResponse.MetaB;\x92\x41\x38\x32\x36Optional metadata about the request evaluation processR\x04meta\x1a\x8b\x03\n\x0f\x41\x63tionEffectMap\x12\x8e\x01\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32I.cerbos.response.v1.CheckResourceSetResponse.ActionEffectMap.ActionsEntryB)\x92\x41&2$Mapping of each action to an effect.R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x02 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01\x1a\x89\x0c\n\x04Meta\x12\xcf\x03\n\x12resource_instances\x18\x01 \x03(\x0b\x32H.cerbos.response.v1.CheckResourceSetResponse.Meta.ResourceInstancesEntryB\xd5\x02\x92\x41\xd1\x02\x32\"Metadata about resource instances.J\xaa\x02{\"XX125\": {\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}, \"effective_derived_roles\": [\"owner\"]}, \"XX225\": {\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}}}R\x11resourceInstances\x1a\x88\x02\n\nEffectMeta\x12o\n\x0ematched_policy\x18\x01 \x01(\tBH\x92\x41\x45\x32+Policy that matched to produce this effect.J\x16\"album:object:default\"R\rmatchedPolicy\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:\x1a\x92\x41\x17\n\x15\x32\x13Name of the action.\x1a\xf3\x04\n\nActionMeta\x12\xa7\x02\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32I.cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta.ActionsEntryB\xc1\x01\x92\x41\xbd\x01\x32OMetadata about the effect calculated for each action on this resource instance.Jj{\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}R\x07\x61\x63tions\x12\x83\x01\n\x17\x65\x66\x66\x65\x63tive_derived_roles\x18\x02 \x03(\tBK\x92\x41H2;Derived roles that were effective during policy evaluation.J\t[\"owner\"]R\x15\x65\x66\x66\x65\x63tiveDerivedRoles\x1ax\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMetaR\x05value:\x02\x38\x01:;\x92\x41\x38\n624Unique resource instance ID supplied in the request.\x1a\x82\x01\n\x16ResourceInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMetaR\x05value:\x02\x38\x01:)\x92\x41&\n$2\"Metadata about request evaluation.\x1a\x82\x01\n\x16ResourceInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.ActionEffectMapR\x05value:\x02\x38\x01:9\x92\x41\x36\n422Policy evaluation response for a set of resources.\"\xe5\x06\n\x1a\x43heckResourceBatchResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xb3\x01\n\x07results\x18\x02 \x03(\x0b\x32>.cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMapBY\x92\x41V2\x18Result for each resourceJ:[{\"resourceId\":\"XX125\",\"actions\":{\"view\":\"EFFECT_ALLOW\"}}]R\x07results\x1a\xe2\x03\n\x0f\x41\x63tionEffectMap\x12:\n\x0bresource_id\x18\x01 \x01(\tB\x19\x92\x41\x16\x32\x0bResource IDJ\x07\"XX125\"R\nresourceId\x12\xa9\x01\n\x07\x61\x63tions\x18\x02 \x03(\x0b\x32K.cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap.ActionsEntryBB\x92\x41?2$Mapping of each action to an effect.J\x17{\"view\":\"EFFECT_ALLOW\"}R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x03 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01:;\x92\x41\x38\n624Policy evaluation response for a batch of resources.\"\xa6\x17\n\x16\x43heckResourcesResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xe3\x01\n\x07results\x18\x02 \x03(\x0b\x32\x36.cerbos.response.v1.CheckResourcesResponse.ResultEntryB\x90\x01\x92\x41\x8c\x01\x32\x18Result for each resourceJp[{\"resource\": {\"Id\":\"XX125\", \"kind\":\"album:object\"}, \"actions\":{\"view\":\"EFFECT_ALLOW\",\"comment\":\"EFFECT_DENY\"}}]R\x07results\x1a\x80\x14\n\x0bResultEntry\x12[\n\x08resource\x18\x01 \x01(\x0b\x32?.cerbos.response.v1.CheckResourcesResponse.ResultEntry.ResourceR\x08resource\x12\xa1\x01\n\x07\x61\x63tions\x18\x02 \x03(\x0b\x32\x43.cerbos.response.v1.CheckResourcesResponse.ResultEntry.ActionsEntryBB\x92\x41?2$Mapping of each action to an effect.J\x17{\"view\":\"EFFECT_ALLOW\"}R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x03 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x12\x98\x02\n\x04meta\x18\x04 \x01(\x0b\x32;.cerbos.response.v1.CheckResourcesResponse.ResultEntry.MetaB\xc6\x01\x92\x41\xc2\x01\x32 Metadata about policy evaluationJ\x9d\x01{\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}, \"effective_derived_roles\": [\"owner\"]}R\x04meta\x12\xf6\x01\n\x07outputs\x18\x05 \x03(\x0b\x32\x1d.cerbos.engine.v1.OutputEntryB\xbc\x01\x92\x41\xb8\x01\x32,Output for each rule with outputs configuredJ\x87\x01[{\"src\": \"resource.expense.v1/acme#rule-001\", \"val\": \"view_allowed:alice\"}, {\"src\": \"resource.expense.v1/acme#rule-002\", \"val\": \"foo\"}]R\x07outputs\x1a\xff\x04\n\x08Resource\x12\x39\n\x02id\x18\x01 \x01(\tB)\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"R\x02id\x12\x93\x01\n\x04kind\x18\x02 \x01(\tB\x7f\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$R\x04kind\x12\xc5\x01\n\x0epolicy_version\x18\x03 \x01(\tB\x9d\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$R\rpolicyVersion\x12\xd9\x01\n\x05scope\x18\x04 \x01(\tB\xc2\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1a\xf0\x06\n\x04Meta\x12\xa6\x02\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32H.cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.ActionsEntryB\xc1\x01\x92\x41\xbd\x01\x32OMetadata about the effect calculated for each action on this resource instance.Jj{\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}R\x07\x61\x63tions\x12\x83\x01\n\x17\x65\x66\x66\x65\x63tive_derived_roles\x18\x02 \x03(\tBK\x92\x41H2;Derived roles that were effective during policy evaluation.J\t[\"owner\"]R\x15\x65\x66\x66\x65\x63tiveDerivedRoles\x1a\x88\x02\n\nEffectMeta\x12o\n\x0ematched_policy\x18\x01 \x01(\tBH\x92\x41\x45\x32+Policy that matched to produce this effect.J\x16\"album:object:default\"R\rmatchedPolicy\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:\x1a\x92\x41\x17\n\x15\x32\x13Name of the action.\x1a\x82\x01\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\\\n\x05value\x18\x02 \x01(\x0b\x32\x46.cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMetaR\x05value:\x02\x38\x01:)\x92\x41&\n$2\"Metadata about request evaluation.\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01:2\x92\x41/\n-2+Response from the check resources API call.\"\x82\x01\n\x12ServerInfoResponse\x12\x18\n\x07version\x18\x01 \x01(\tR\x07version\x12\x16\n\x06\x63ommit\x18\x02 \x01(\tR\x06\x63ommit\x12\x1d\n\nbuild_date\x18\x03 \x01(\tR\tbuildDate:\x1b\x92\x41\x18\n\x16\x32\x14Server info responseBw\n\x1a\x64\x65v.cerbos.api.v1.responseZ@github.com/cerbos/cerbos/api/genpb/cerbos/response/v1;responsev1\xaa\x02\x16\x43\x65rbos.Api.V1.Responseb\x06proto3"
|
14
|
+
|
15
|
+
pool = Google::Protobuf::DescriptorPool.generated_pool
|
16
|
+
|
17
|
+
begin
|
18
|
+
pool.add_serialized_file(descriptor_data)
|
19
|
+
rescue TypeError => e
|
20
|
+
# Compatibility code: will be removed in the next major version.
|
21
|
+
require 'google/protobuf/descriptor_pb'
|
22
|
+
parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
|
23
|
+
parsed.clear_dependency
|
24
|
+
serialized = parsed.class.encode(parsed)
|
25
|
+
file = pool.add_serialized_file(serialized)
|
26
|
+
warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
|
27
|
+
imports = [
|
28
|
+
["cerbos.engine.v1.PlanResourcesFilter", "cerbos/engine/v1/engine.proto"],
|
29
|
+
["cerbos.schema.v1.ValidationError", "cerbos/schema/v1/schema.proto"],
|
30
|
+
]
|
31
|
+
imports.each do |type_name, expected_filename|
|
32
|
+
import_file = pool.lookup(type_name).file_descriptor
|
33
|
+
if import_file.name != expected_filename
|
34
|
+
warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
|
83
35
|
end
|
84
36
|
end
|
37
|
+
warn "Each proto file must use a consistent fully-qualified name."
|
38
|
+
warn "This will become an error in the next major version."
|
85
39
|
end
|
86
40
|
|
87
41
|
module Cerbos::Protobuf::Cerbos
|