cerbos 0.6.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e66a450c22c146b4372b0ebd4cfd1e950d3824c78e8d24209275ee41020aa3d1
4
- data.tar.gz: 5f3d5aeb480e91d3918ad3065badb211d9572991b7e729ea4847732655d6bf30
3
+ metadata.gz: '09d04980a1c08690efeeac6d04608e47e18def9b0f2ab6a5c256b4b22576464d'
4
+ data.tar.gz: 61968be4473d1a480979d9e2d2af05f0911f1d8b4a8c90947d8dce72910565f7
5
5
  SHA512:
6
- metadata.gz: 8de09b89a42c31f5a5283adf91ac8f1af0cfde2d660a8a47443ac6a28fb814a658991fbbd74a5bebcf95dd2382bfd0215b5dac6c27343cac0ad5345211bf38cf
7
- data.tar.gz: 88a4ce5be4f53fcd7df994494e4190b49587159d2a93ae2ee828afa557c3ace338731c21c27f99c5eb69fff9592ef90c1e7fb0e2e7b5b76c82787b06fdc0f4e9
6
+ metadata.gz: 788ca1b6ff6c4e3a1ea71c791fef64f5802a89423d21dba5da7f91f7fc697ff91f1aa7ebcedab4d4bde807c531b3b13b4ac5e95a53b93d76c79077e214ecd54b
7
+ data.tar.gz: 2115919d8cb958b0c347c09710d780d7748fec5933f65f4e91d2af7c937ec0e151ad7cfa808526213a788839ea8360fcfa153b94b9574d9ce6facabdca56fab1
data/CHANGELOG.md CHANGED
@@ -1,46 +1,75 @@
1
1
  ## [Unreleased]
2
+
2
3
  No notable changes.
3
4
 
5
+ ## [0.7.0] - 2023-06-07
6
+
7
+ ### Added
8
+
9
+ - Support for user-defined policy rule outputs ([#100](https://github.com/cerbos/cerbos-sdk-ruby/pull/100))
10
+
11
+ Requires a policy decision point server running Cerbos 0.27+.
12
+
13
+ ### Removed
14
+
15
+ - Support for Ruby 2.7 ([#90](https://github.com/cerbos/cerbos-sdk-ruby/pull/90))
16
+
4
17
  ## [0.6.1] - 2023-03-23
18
+
5
19
  ### Removed
20
+
6
21
  - Unused generated code ([#83](https://github.com/cerbos/cerbos-sdk-ruby/pull/83))
7
22
 
8
23
  ## [0.6.0] - 2022-07-01
24
+
9
25
  ### Added
26
+
10
27
  - Support for schema validation in `Cerbos::Client#plan_resources` ([#32](https://github.com/cerbos/cerbos-sdk-ruby/pull/32))
11
28
 
12
- Requires Cerbos 0.19+.
29
+ Requires a policy decision point server running Cerbos 0.19+.
13
30
  `Cerbos::Output::PlanResources#validation_errors` will always return an empty array if the client is connected to an earlier version of Cerbos.
14
31
 
15
32
  As a result, `Cerbos::Output::CheckResources::Result::ValidationError` has moved to `Cerbos::Output::ValidationError`.
16
33
  Attempting to access the class via the old namespace will print a deprecation warning and return the new class.
17
34
 
18
35
  ## [0.5.0] - 2022-06-09
36
+
19
37
  ### Added
38
+
20
39
  - Allow symbol keys in nested attributes hashes ([#28](https://github.com/cerbos/cerbos-sdk-ruby/pull/28))
21
40
 
22
41
  ## [0.4.0] - 2022-06-03
42
+
23
43
  ### Added
44
+
24
45
  - `on_validation_error` option to `Cerbos::Client#initialize` ([#22](https://github.com/cerbos/cerbos-sdk-ruby/pull/22))
25
46
 
26
47
  ### Changed
48
+
27
49
  - Minor documentation fixes ([#21](https://github.com/cerbos/cerbos-sdk-ruby/pull/21))
28
50
 
29
51
  ## [0.3.0] - 2022-05-13
52
+
30
53
  ### Added
54
+
31
55
  - More helper methods ([#11](https://github.com/cerbos/cerbos-sdk-ruby/pull/11))
32
56
  - `Cerbos::Client#allow?` for checking a single action on a resource
33
57
  - `Cerbos::Output::CheckResources#allow_all?` and `Cerbos::Output::CheckResources::Result#allow_all?` for checking if all input actions were allowed
34
58
 
35
59
  ## [0.2.0] - 2022-05-12
60
+
36
61
  ### Changed
62
+
37
63
  - Increased `grpc` version requirement to 1.46+ to avoid [installing a native gem compiled for `x86_64-darwin` on `arm64-darwin`](https://github.com/grpc/grpc/issues/29100) ([#8](https://github.com/cerbos/cerbos-sdk-ruby/pull/8))
38
64
 
39
65
  ## [0.1.0] - 2022-05-12
66
+
40
67
  ### Added
68
+
41
69
  - Initial implementation of `Cerbos::Client` ([#2](https://github.com/cerbos/cerbos-sdk-ruby/pull/2))
42
70
 
43
- [Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...HEAD
71
+ [Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.7.0...HEAD
72
+ [0.7.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...v0.7.0
44
73
  [0.6.1]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...v0.6.1
45
74
  [0.6.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.5.0...v0.6.0
46
75
  [0.5.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.4.0...v0.5.0
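Review bot: the new 0.7.0 entry under "Added" gives the server requirement ("Requires a policy decision point server running Cerbos 0.27+.") but, unlike the 0.6.0 entry for `validation_errors`, does not say what a client sees when connected to an older server. The `(entry.outputs || [])` mapping added in this release suggests `outputs` is then an empty array and `output(source)` is nil. Say so in the entry, so callers that gate behaviour on an output know that a missing value can mean the server is too old rather than that the rule did not fire.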
data/README.md CHANGED
@@ -12,7 +12,7 @@ The Cerbos Ruby SDK makes it easy to interact with the Cerbos PDP from your Ruby
12
12
  ## Prerequisites
13
13
 
14
14
  - Cerbos 0.16+
15
- - Ruby 2.7+
15
+ - Ruby 3.0+
16
16
 
17
17
  ## Installation
18
18
 
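Review bot: the Prerequisites list still reads `Cerbos 0.16+` in the unchanged context line just above the Ruby bump, while the changelog for this release says user-defined outputs need a PDP running Cerbos 0.27+. Add a per-feature note to the README as well, so someone reading only the prerequisites does not assume outputs are available on 0.16.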
data/cerbos.gemspec CHANGED
@@ -31,6 +31,6 @@ Gem::Specification.new do |spec|
31
31
  "yard_extensions.rb"
32
32
  ]
33
33
 
34
- spec.required_ruby_version = ">= 2.7.0"
34
+ spec.required_ruby_version = ">= 3.0.0"
35
35
  spec.add_dependency "grpc", "~> 1.46"
36
36
  end
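Review bot: `spec.add_dependency "grpc", "~> 1.46"` stays unchanged in the context line after the Ruby bump, yet the regenerated `*_pb` files in this release call `pool.add_serialized_file(descriptor_data)` and only fall back on `TypeError`. Confirm that every google-protobuf version that can resolve alongside grpc 1.46 provides that method, or declare an explicit floor here. A missing method would raise `NoMethodError` at require time, which the `rescue TypeError` branch does not catch.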
@@ -73,7 +73,7 @@ module Cerbos
73
73
  end
74
74
 
75
75
  # The outcome of checking a principal's permissions on single resource.
76
- CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
76
+ CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
77
77
  # @!attribute [r] resource
78
78
  # The resource that was checked.
79
79
  #
@@ -95,6 +95,11 @@ module Cerbos
95
95
  # @return [Metadata]
96
96
  # @return [nil] if `include_metadata` was `false`.
97
97
 
98
+ # @!attribute [r] outputs
99
+ # User-defined outputs from policy rule evaluations.
100
+ #
101
+ # @return [Array<Output>]
102
+
98
103
  # @private
99
104
  def self.const_missing(const)
100
105
  if const == :ValidationError
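Review bot: in the new `outputs` attribute docs, `@return [Array<Output>]` is ambiguous. The surrounding code already has an `Output` constant (it is the receiver of `Output.new_class`), and the class introduced in this release is `CheckResources::Result::Output`. Write the type as `Array<CheckResources::Result::Output>` so the generated documentation links to the right class.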
@@ -110,7 +115,8 @@ module Cerbos
110
115
  resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
111
116
  actions: entry.actions.to_h,
112
117
  validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
113
- metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
118
+ metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta),
119
+ outputs: (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }
114
120
  )
115
121
  end
116
122
 
@@ -126,7 +132,7 @@ module Cerbos
126
132
  #
127
133
  # @return [Boolean]
128
134
  def allow_all?
129
- actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
135
+ actions.each_value.all?(:EFFECT_ALLOW)
130
136
  end
131
137
 
132
138
  # List the actions that should be allowed for the resource.
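Review bot: `actions.each_value.all?(:EFFECT_ALLOW)` keeps the old semantics, including that `all?` is true for an empty collection, so `allow_all?` returns true for a result whose `actions` hash is empty. For an authorization helper that deserves either a guard such as `actions.any? && actions.each_value.all?(:EFFECT_ALLOW)` or an explicit sentence in the method docs. The behaviour predates this change, but the line is being touched here.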
@@ -135,6 +141,15 @@ module Cerbos
135
141
  def allowed_actions
136
142
  actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
137
143
  end
144
+
145
+ # Find the value of the user-defined output for a particular policy rule.
146
+ #
147
+ # @param source [String] the identifier of the policy rule that produced the output.
148
+ # @return [String, Numeric, Boolean, Array, Hash, nil]
149
+ # @return [nil] if the result does not include an output for the source.
150
+ def output(source)
151
+ outputs.find { |output| output.source == source }&.value
152
+ end
138
153
  end
139
154
 
140
155
  # A resource that was checked.
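Review bot: `output(source)` returns nil both when no entry matches `source` and when the matching entry's value is itself nil (the `@return` list includes nil as a value), so a caller cannot tell "no output for this rule" from "output evaluated to null". Document that `outputs` should be inspected directly when that distinction matters, and mention that `find` returns only the first entry if the same source appears more than once.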
@@ -216,5 +231,25 @@ module Cerbos
216
231
  )
217
232
  end
218
233
  end
234
+
235
+ # User-defined output from a policy rule evaluation.
236
+ CheckResources::Result::Output = Output.new_class(:source, :value) do
237
+ # @!attribute [r] source
238
+ # The identifier of the policy rule that produced the output.
239
+ #
240
+ # @return [String]
241
+
242
+ # @!attribute [r] value
243
+ # The result of evaluating the output expression.
244
+ #
245
+ # @return [String, Numeric, Boolean, Array, Hash, nil]
246
+
247
+ def self.from_protobuf(output_entry)
248
+ new(
249
+ source: output_entry.src,
250
+ value: output_entry.val&.to_ruby(true)
251
+ )
252
+ end
253
+ end
219
254
  end
220
255
  end
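Review bot: in `from_protobuf`, the bare `true` in `output_entry.val&.to_ruby(true)` is unexplained. Add a short comment that it requests recursive conversion of nested struct and list values, which is what the documented `Array` and `Hash` return types rely on. The `value` attribute docs could also state that the content is whatever the policy's output expression evaluated to, so consumers check its type before acting on it.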
@@ -1,17 +1,34 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/effect/v1/effect.proto
3
4
 
4
5
  require 'google/protobuf'
5
6
 
6
- Google::Protobuf::DescriptorPool.generated_pool.build do
7
- add_file("cerbos/effect/v1/effect.proto", :syntax => :proto3) do
8
- add_enum "cerbos.effect.v1.Effect" do
9
- value :EFFECT_UNSPECIFIED, 0
10
- value :EFFECT_ALLOW, 1
11
- value :EFFECT_DENY, 2
12
- value :EFFECT_NO_MATCH, 3
7
+
8
+ descriptor_data = "\n\x1d\x63\x65rbos/effect/v1/effect.proto\x12\x10\x63\x65rbos.effect.v1*X\n\x06\x45\x66\x66\x65\x63t\x12\x16\n\x12\x45\x46\x46\x45\x43T_UNSPECIFIED\x10\x00\x12\x10\n\x0c\x45\x46\x46\x45\x43T_ALLOW\x10\x01\x12\x0f\n\x0b\x45\x46\x46\x45\x43T_DENY\x10\x02\x12\x13\n\x0f\x45\x46\x46\x45\x43T_NO_MATCH\x10\x03\x42o\n\x18\x64\x65v.cerbos.api.v1.effectZ<github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1;effectv1\xaa\x02\x14\x43\x65rbos.Api.V1.Effectb\x06proto3"
9
+
10
+ pool = Google::Protobuf::DescriptorPool.generated_pool
11
+
12
+ begin
13
+ pool.add_serialized_file(descriptor_data)
14
+ rescue TypeError => e
15
+ # Compatibility code: will be removed in the next major version.
16
+ require 'google/protobuf/descriptor_pb'
17
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
18
+ parsed.clear_dependency
19
+ serialized = parsed.class.encode(parsed)
20
+ file = pool.add_serialized_file(serialized)
21
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
22
+ imports = [
23
+ ]
24
+ imports.each do |type_name, expected_filename|
25
+ import_file = pool.lookup(type_name).file_descriptor
26
+ if import_file.name != expected_filename
27
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
13
28
  end
14
29
  end
30
+ warn "Each proto file must use a consistent fully-qualified name."
31
+ warn "This will become an error in the next major version."
15
32
  end
16
33
 
17
34
  module Cerbos::Protobuf::Cerbos
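Review bot: in the new `rescue TypeError => e` branch the bound `e` is never used, so the original error message is dropped and only the generic warnings are printed. In this file `imports` is an empty array, so the loop that would name the mismatched import never runs and the warning gives no detail. The file is marked DO NOT EDIT, so this is a point to raise against the generator or the protoc version used, not something to patch by hand.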
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/engine/v1/engine.proto
3
4
 
@@ -6,52 +7,32 @@ require 'google/protobuf'
6
7
  require 'google/protobuf/struct_pb'
7
8
  require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
8
9
 
9
- Google::Protobuf::DescriptorPool.generated_pool.build do
10
- add_file("cerbos/engine/v1/engine.proto", :syntax => :proto3) do
11
- add_message "cerbos.engine.v1.PlanResourcesInput" do
12
- end
13
- add_message "cerbos.engine.v1.PlanResourcesInput.Resource" do
14
- optional :kind, :string, 1, json_name: "kind"
15
- map :attr, :string, :message, 2, "google.protobuf.Value"
16
- optional :policy_version, :string, 3, json_name: "policyVersion"
17
- optional :scope, :string, 4, json_name: "scope"
18
- end
19
- add_message "cerbos.engine.v1.PlanResourcesFilter" do
20
- optional :kind, :enum, 1, "cerbos.engine.v1.PlanResourcesFilter.Kind", json_name: "kind"
21
- optional :condition, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "condition"
22
- end
23
- add_message "cerbos.engine.v1.PlanResourcesFilter.Expression" do
24
- optional :operator, :string, 1, json_name: "operator"
25
- repeated :operands, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "operands"
26
- end
27
- add_message "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand" do
28
- oneof :node do
29
- optional :value, :message, 1, "google.protobuf.Value", json_name: "value"
30
- optional :expression, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression", json_name: "expression"
31
- optional :variable, :string, 3, json_name: "variable"
32
- end
33
- end
34
- add_enum "cerbos.engine.v1.PlanResourcesFilter.Kind" do
35
- value :KIND_UNSPECIFIED, 0
36
- value :KIND_ALWAYS_ALLOWED, 1
37
- value :KIND_ALWAYS_DENIED, 2
38
- value :KIND_CONDITIONAL, 3
39
- end
40
- add_message "cerbos.engine.v1.Resource" do
41
- optional :kind, :string, 1, json_name: "kind"
42
- optional :policy_version, :string, 2, json_name: "policyVersion"
43
- optional :id, :string, 3, json_name: "id"
44
- map :attr, :string, :message, 4, "google.protobuf.Value"
45
- optional :scope, :string, 5, json_name: "scope"
46
- end
47
- add_message "cerbos.engine.v1.Principal" do
48
- optional :id, :string, 1, json_name: "id"
49
- optional :policy_version, :string, 2, json_name: "policyVersion"
50
- repeated :roles, :string, 3, json_name: "roles"
51
- map :attr, :string, :message, 4, "google.protobuf.Value"
52
- optional :scope, :string, 5, json_name: "scope"
10
+
11
+ descriptor_data = "\n\x1d\x63\x65rbos/engine/v1/engine.proto\x12\x10\x63\x65rbos.engine.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xde\x07\n\x12PlanResourcesInput\x1a\xc7\x07\n\x08Resource\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xb8\x01\n\x04\x61ttr\x18\x02 \x03(\x0b\x32\x37.cerbos.engine.v1.PlanResourcesInput.Resource.AttrEntryBk\x92\x41`2^Key-value pairs of contextual data about the resource that are known at a time of the request.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\xdc\x01\n\x0epolicy_version\x18\x03 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x85\x02\n\x05scope\x18\x04 \x01(\tB\xee\x01\x92\x41\xb1\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xa4\x06\n\x13PlanResourcesFilter\x12\xad\x01\n\x04kind\x18\x01 \x01(\x0e\x32*.cerbos.engine.v1.PlanResourcesFilter.KindBm\x92\x41j2hFilter kind. Defines whether the given action is always allowed, always denied or allowed conditionally.R\x04kind\x12\x9a\x01\n\tcondition\x18\x02 \x01(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandBB\x92\x41?2=Filter condition. 
Only populated if kind is KIND_CONDITIONAL.R\tcondition\x1a\xda\x02\n\nExpression\x12)\n\x08operator\x18\x01 \x01(\tB\r\x92\x41\n2\x08OperatorR\x08operator\x12T\n\x08operands\x18\x02 \x03(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandR\x08operands\x1a\xb3\x01\n\x07Operand\x12.\n\x05value\x18\x01 \x01(\x0b\x32\x16.google.protobuf.ValueH\x00R\x05value\x12R\n\nexpression\x18\x02 \x01(\x0b\x32\x30.cerbos.engine.v1.PlanResourcesFilter.ExpressionH\x00R\nexpression\x12\x1c\n\x08variable\x18\x03 \x01(\tH\x00R\x08variableB\x06\n\x04node:\x15\x92\x41\x12\n\x10\x32\x0e\x43\x45L expression\"c\n\x04Kind\x12\x14\n\x10KIND_UNSPECIFIED\x10\x00\x12\x17\n\x13KIND_ALWAYS_ALLOWED\x10\x01\x12\x16\n\x12KIND_ALWAYS_DENIED\x10\x02\x12\x14\n\x10KIND_CONDITIONAL\x10\x03\"\xeb\x01\n\x0bOutputEntry\x12\x65\n\x03src\x18\x01 \x01(\tBS\x92\x41P2)Rule that matched to produce this output.J#\"resource.expense.v1/acme#rule-001\"R\x03src\x12u\n\x03val\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueBK\x92\x41H27Dynamic output, determined by user defined rule output.J\r\"some_string\"R\x03val\"\xc0\x08\n\x08Resource\x12\xe1\x01\n\x04kind\x18\x01 \x01(\tB\xcc\x01\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. 
If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x43\n\x02id\x18\x03 \x01(\tB3\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32$.cerbos.engine.v1.Resource.AttrEntryB\x8a\x01\x92\x41\x7f\x32\x64Kay-value pairs of contextual data about this resource that should be used during policy evaluation.J\x17{\"owner\": \"bugs_bunny\"}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x92\x02\n\x05scope\x18\x05 \x01(\tB\xfb\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xe3\x08\n\tPrincipal\x12@\n\x02id\x18\x01 \x01(\tB0\x92\x41#2\x13ID of the principalJ\x0c\"bugs_bunny\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. 
If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xaa\x01\n\x05roles\x18\x03 \x03(\tB\x93\x01\x92\x41l2FRoles assigned to this principal from your identity management system.J\x08[\"user\"]\x8a\x01\x11^[[:word:]\\-\\.]+$\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x1e\x92\x01\x1b\x08\x01\x18\x01\"\x15r\x13\x32\x11^[[:word:]\\-\\.]+$R\x05roles\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32%.cerbos.engine.v1.Principal.AttrEntryB\x89\x01\x92\x41~2eKey-value pairs of contextual data about this principal that should be used during policy evaluation.J\x15{\"beta_tester\": true}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x93\x02\n\x05scope\x18\x05 \x01(\tB\xfc\x01\x92\x41\xbf\x01\x32~A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:Y\x92\x41V\nT2RA person or application attempting to perform the actions on the set of resources.Bo\n\x18\x64\x65v.cerbos.api.v1.engineZ<github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1;enginev1\xaa\x02\x14\x43\x65rbos.Api.V1.Engineb\x06proto3"
12
+
13
+ pool = Google::Protobuf::DescriptorPool.generated_pool
14
+
15
+ begin
16
+ pool.add_serialized_file(descriptor_data)
17
+ rescue TypeError => e
18
+ # Compatibility code: will be removed in the next major version.
19
+ require 'google/protobuf/descriptor_pb'
20
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
21
+ parsed.clear_dependency
22
+ serialized = parsed.class.encode(parsed)
23
+ file = pool.add_serialized_file(serialized)
24
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
25
+ imports = [
26
+ ["google.protobuf.Value", "google/protobuf/struct.proto"],
27
+ ]
28
+ imports.each do |type_name, expected_filename|
29
+ import_file = pool.lookup(type_name).file_descriptor
30
+ if import_file.name != expected_filename
31
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
53
32
  end
54
33
  end
34
+ warn "Each proto file must use a consistent fully-qualified name."
35
+ warn "This will become an error in the next major version."
55
36
  end
56
37
 
57
38
  module Cerbos::Protobuf::Cerbos
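Review bot: the readable `add_message` and `add_enum` definitions are replaced by a single serialized `descriptor_data` string, so the new `OutputEntry` message (fields `src` and `val`, looked up further down as `cerbos.engine.v1.OutputEntry`) can no longer be reviewed field by field in this diff. Verify the file by regenerating it from `cerbos/engine/v1/engine.proto` at the matching Cerbos version with a recorded protoc version and comparing the result, instead of relying on a read of the hunk.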
@@ -63,6 +44,7 @@ module Cerbos::Protobuf::Cerbos
63
44
  PlanResourcesFilter::Expression = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression").msgclass
64
45
  PlanResourcesFilter::Expression::Operand = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression.Operand").msgclass
65
46
  PlanResourcesFilter::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Kind").enummodule
47
+ OutputEntry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.OutputEntry").msgclass
66
48
  Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Resource").msgclass
67
49
  Principal = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Principal").msgclass
68
50
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/request/v1/request.proto
3
4
 
@@ -9,64 +10,33 @@ require 'google/protobuf/struct_pb'
9
10
  require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
10
11
  require 'cerbos/protobuf/validate/validate_pb'
11
12
 
12
- Google::Protobuf::DescriptorPool.generated_pool.build do
13
- add_file("cerbos/request/v1/request.proto", :syntax => :proto3) do
14
- add_message "cerbos.request.v1.PlanResourcesRequest" do
15
- optional :request_id, :string, 1, json_name: "requestId"
16
- optional :action, :string, 2, json_name: "action"
17
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
18
- optional :resource, :message, 4, "cerbos.engine.v1.PlanResourcesInput.Resource", json_name: "resource"
19
- optional :aux_data, :message, 5, "cerbos.request.v1.AuxData", json_name: "auxData"
20
- optional :include_meta, :bool, 6, json_name: "includeMeta"
21
- end
22
- add_message "cerbos.request.v1.CheckResourceSetRequest" do
23
- optional :request_id, :string, 1, json_name: "requestId"
24
- repeated :actions, :string, 2, json_name: "actions"
25
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
26
- optional :resource, :message, 4, "cerbos.request.v1.ResourceSet", json_name: "resource"
27
- optional :include_meta, :bool, 5, json_name: "includeMeta"
28
- optional :aux_data, :message, 6, "cerbos.request.v1.AuxData", json_name: "auxData"
29
- end
30
- add_message "cerbos.request.v1.ResourceSet" do
31
- optional :kind, :string, 1, json_name: "kind"
32
- optional :policy_version, :string, 2, json_name: "policyVersion"
33
- map :instances, :string, :message, 3, "cerbos.request.v1.AttributesMap"
34
- optional :scope, :string, 4, json_name: "scope"
35
- end
36
- add_message "cerbos.request.v1.AttributesMap" do
37
- map :attr, :string, :message, 1, "google.protobuf.Value"
38
- end
39
- add_message "cerbos.request.v1.CheckResourceBatchRequest" do
40
- optional :request_id, :string, 1, json_name: "requestId"
41
- optional :principal, :message, 2, "cerbos.engine.v1.Principal", json_name: "principal"
42
- repeated :resources, :message, 3, "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry", json_name: "resources"
43
- optional :aux_data, :message, 4, "cerbos.request.v1.AuxData", json_name: "auxData"
44
- end
45
- add_message "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry" do
46
- repeated :actions, :string, 1, json_name: "actions"
47
- optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
48
- end
49
- add_message "cerbos.request.v1.CheckResourcesRequest" do
50
- optional :request_id, :string, 1, json_name: "requestId"
51
- optional :include_meta, :bool, 2, json_name: "includeMeta"
52
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
53
- repeated :resources, :message, 4, "cerbos.request.v1.CheckResourcesRequest.ResourceEntry", json_name: "resources"
54
- optional :aux_data, :message, 5, "cerbos.request.v1.AuxData", json_name: "auxData"
55
- end
56
- add_message "cerbos.request.v1.CheckResourcesRequest.ResourceEntry" do
57
- repeated :actions, :string, 1, json_name: "actions"
58
- optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
59
- end
60
- add_message "cerbos.request.v1.AuxData" do
61
- optional :jwt, :message, 1, "cerbos.request.v1.AuxData.JWT", json_name: "jwt"
62
- end
63
- add_message "cerbos.request.v1.AuxData.JWT" do
64
- optional :token, :string, 1, json_name: "token"
65
- optional :key_set_id, :string, 2, json_name: "keySetId"
66
- end
67
- add_message "cerbos.request.v1.ServerInfoRequest" do
13
+
14
+ descriptor_data = "\n\x1f\x63\x65rbos/request/v1/request.proto\x12\x11\x63\x65rbos.request.v1\x1a\x1d\x63\x65rbos/engine/v1/engine.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\x1a\x17validate/validate.proto\"\x83\x05\n\x14PlanResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12h\n\x06\x61\x63tion\x18\x02 \x01(\tBP\x92\x41\x43\x32\x32\x41\x63tion to be applied to each resource in the list.J\r\"view:public\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x06\x61\x63tion\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12V\n\x08resource\x18\x04 \x01(\x0b\x32-.cerbos.engine.v1.PlanResourcesInput.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12:\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData\x12\x63\n\x0cinclude_meta\x18\x06 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta:\'\x92\x41$\n\"2 PDP Resources Query Plan Request\"\x87\x05\n\x17\x43heckResourceSetRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x8c\x01\n\x07\x61\x63tions\x18\x02 \x03(\tBr\x92\x41\\28List of actions being performed on the set of resources.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12G\n\x08resource\x18\x04 
\x01(\x0b\x32\x1e.cerbos.request.v1.ResourceSetB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12\x63\n\x0cinclude_meta\x18\x05 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta\x12:\n\x08\x61ux_data\x18\x06 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xaf\t\n\x0bResourceSet\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xeb\x02\n\tinstances\x18\x03 \x03(\x0b\x32-.cerbos.request.v1.ResourceSet.InstancesEntryB\x9d\x02\x92\x41\x8c\x02\x32mSet of resource instances to check. Each instance must be keyed by an application-specific unique identifier.J\x97\x01{\"XX125\":{\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}, \"XX225\":{\"attr\":{\"owner\":\"daffy_duck\", \"public\": true, \"flagged\": false}}}\xc8\x01\x01\xe0\x41\x02\xfa\x42\x07\x9a\x01\x04\x08\x01\x18\x01R\tinstances\x12\x86\x02\n\x05scope\x18\x04 \x01(\tB\xef\x01\x92\x41\xb2\x01\x32~A dot-separated scope that describes the hierarchy these resources belong to. 
This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1a^\n\x0eInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x36\n\x05value\x18\x02 \x01(\x0b\x32 .cerbos.request.v1.AttributesMapR\x05value:\x02\x38\x01: \x92\x41\x1d\n\x1b\x32\x19Set of resources to check\"\xc9\x02\n\rAttributesMap\x12\xb1\x01\n\x04\x61ttr\x18\x01 \x03(\x0b\x32*.cerbos.request.v1.AttributesMap.AttrEntryBq\x92\x41\x66\x32\x64Key-value pairs of contextual data about this instance that should be used during policy evaluation.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:3\x92\x41\x30\n.2,Unique identifier for the resource instance.\"\xe1\x06\n\x19\x43heckResourceBatchRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x46\n\tprincipal\x18\x02 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbc\x02\n\tresources\x18\x03 \x03(\x0b\x32\x37.cerbos.request.v1.CheckResourceBatchRequest.BatchEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x04 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xd8\x01\n\nBatchEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", 
\"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xc5\x07\n\x15\x43heckResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12X\n\x0cinclude_meta\x18\x02 \x01(\x08\x42\x35\x92\x41\x32\x32\x30\x41\x64\x64 request processing metadata to the response.R\x0bincludeMeta\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbb\x02\n\tresources\x18\x04 \x03(\x0b\x32\x36.cerbos.request.v1.CheckResourcesRequest.ResourceEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xdb\x01\n\rResourceEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x1e\x92\x41\x1b\n\x19\x32\x17\x43heck resources request\"\xc5\x06\n\x07\x41uxData\x12\x30\n\x03jwt\x18\x01 \x01(\x0b\x32\x1e.cerbos.request.v1.AuxData.JWTR\x03jwt\x1a\xc3\x05\n\x03JWT\x12\x90\x04\n\x05token\x18\x01 
\x01(\tB\xf9\x03\x92\x41\xeb\x03\x32\x1dJWT from the original requestJ\xc9\x03\"eyJhbGciOiJFUzM4NCIsImtpZCI6IjE5TGZaYXRFZGc4M1lOYzVyMjNndU1KcXJuND0iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiY2VyYm9zLWp3dC10ZXN0cyJdLCJjdXN0b21BcnJheSI6WyJBIiwiQiIsIkMiXSwiY3VzdG9tSW50Ijo0MiwiY3VzdG9tTWFwIjp7IkEiOiJBQSIsIkIiOiJCQiIsIkMiOiJDQyJ9LCJjdXN0b21TdHJpbmciOiJmb29iYXIiLCJleHAiOjE5NDk5MzQwMzksImlzcyI6ImNlcmJvcy10ZXN0LXN1aXRlIn0.WN_tOScSpd_EI-P5EI1YlagxEgExSfBjAtcrgcF6lyWj1lGpR_GKx9goZEp2p_t5AVWXN_bjz_sMUmJdJa4cVd55Qm1miR-FKu6oNRHnSEWdMFmnArwPw-YDJWfylLFX\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x05token\x12\x82\x01\n\nkey_set_id\x18\x02 \x01(\tBd\x92\x41\x61\x32RKey ID to use when decoding the token (defined in the Cerbos server configuration)J\x0b\"my-keyset\"R\x08keySetId:$\x92\x41!\n\x1f\x32\x1dJWT from the original request:B\x92\x41?\n=2;Structured auxiliary data useful for evaluating the request\"/\n\x11ServerInfoRequest:\x1a\x92\x41\x17\n\x15\x32\x13Server info requestBs\n\x19\x64\x65v.cerbos.api.v1.requestZ>github.com/cerbos/cerbos/api/genpb/cerbos/request/v1;requestv1\xaa\x02\x15\x43\x65rbos.Api.V1.Requestb\x06proto3"
15
+
16
+ pool = Google::Protobuf::DescriptorPool.generated_pool
17
+
18
+ begin
19
+ pool.add_serialized_file(descriptor_data)
20
+ rescue TypeError => e
21
+ # Compatibility code: will be removed in the next major version.
22
+ require 'google/protobuf/descriptor_pb'
23
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
24
+ parsed.clear_dependency
25
+ serialized = parsed.class.encode(parsed)
26
+ file = pool.add_serialized_file(serialized)
27
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
28
+ imports = [
29
+ ["cerbos.engine.v1.Principal", "cerbos/engine/v1/engine.proto"],
30
+ ["google.protobuf.Value", "google/protobuf/struct.proto"],
31
+ ]
32
+ imports.each do |type_name, expected_filename|
33
+ import_file = pool.lookup(type_name).file_descriptor
34
+ if import_file.name != expected_filename
35
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
68
36
  end
69
37
  end
38
+ warn "Each proto file must use a consistent fully-qualified name."
39
+ warn "This will become an error in the next major version."
70
40
  end
71
41
 
72
42
  module Cerbos::Protobuf::Cerbos
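Review bot: In the `rescue TypeError` fallback, `pool.lookup(type_name).file_descriptor` assumes each listed type is already registered; `lookup` returns nil for an unknown name, so if `cerbos.engine.v1.Principal` or `google.protobuf.Value` is missing from the pool, the diagnostic path itself raises NoMethodError and hides the original import-path problem. A nil guard that warns about the missing type would keep the fallback usable. The rescued `e` is never referenced either, so the original TypeError text is lost; adding `e.message` to the first `warn` would make the mismatch easier to trace. Separately, the example value on the `token` field inside `descriptor_data` is a complete signed JWT, so secret scanners are likely to flag this generated file; confirm it is the upstream test token and allow-list it as documentation data.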
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/response/v1/response.proto
3
4
 
@@ -8,80 +9,33 @@ require 'cerbos/protobuf/cerbos/engine/v1/engine_pb'
8
9
  require 'cerbos/protobuf/cerbos/schema/v1/schema_pb'
9
10
  require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
10
11
 
11
- Google::Protobuf::DescriptorPool.generated_pool.build do
12
- add_file("cerbos/response/v1/response.proto", :syntax => :proto3) do
13
- add_message "cerbos.response.v1.PlanResourcesResponse" do
14
- optional :request_id, :string, 1, json_name: "requestId"
15
- optional :action, :string, 2, json_name: "action"
16
- optional :resource_kind, :string, 3, json_name: "resourceKind"
17
- optional :policy_version, :string, 4, json_name: "policyVersion"
18
- optional :filter, :message, 5, "cerbos.engine.v1.PlanResourcesFilter", json_name: "filter"
19
- optional :meta, :message, 6, "cerbos.response.v1.PlanResourcesResponse.Meta", json_name: "meta"
20
- repeated :validation_errors, :message, 7, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
21
- end
22
- add_message "cerbos.response.v1.PlanResourcesResponse.Meta" do
23
- optional :filter_debug, :string, 1, json_name: "filterDebug"
24
- optional :matched_scope, :string, 2, json_name: "matchedScope"
25
- end
26
- add_message "cerbos.response.v1.CheckResourceSetResponse" do
27
- optional :request_id, :string, 1, json_name: "requestId"
28
- map :resource_instances, :string, :message, 2, "cerbos.response.v1.CheckResourceSetResponse.ActionEffectMap"
29
- optional :meta, :message, 3, "cerbos.response.v1.CheckResourceSetResponse.Meta", json_name: "meta"
30
- end
31
- add_message "cerbos.response.v1.CheckResourceSetResponse.ActionEffectMap" do
32
- map :actions, :string, :enum, 1, "cerbos.effect.v1.Effect"
33
- repeated :validation_errors, :message, 2, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
34
- end
35
- add_message "cerbos.response.v1.CheckResourceSetResponse.Meta" do
36
- map :resource_instances, :string, :message, 1, "cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta"
37
- end
38
- add_message "cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMeta" do
39
- optional :matched_policy, :string, 1, json_name: "matchedPolicy"
40
- optional :matched_scope, :string, 2, json_name: "matchedScope"
41
- end
42
- add_message "cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta" do
43
- map :actions, :string, :message, 1, "cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMeta"
44
- repeated :effective_derived_roles, :string, 2, json_name: "effectiveDerivedRoles"
45
- end
46
- add_message "cerbos.response.v1.CheckResourceBatchResponse" do
47
- optional :request_id, :string, 1, json_name: "requestId"
48
- repeated :results, :message, 2, "cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap", json_name: "results"
49
- end
50
- add_message "cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap" do
51
- optional :resource_id, :string, 1, json_name: "resourceId"
52
- map :actions, :string, :enum, 2, "cerbos.effect.v1.Effect"
53
- repeated :validation_errors, :message, 3, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
54
- end
55
- add_message "cerbos.response.v1.CheckResourcesResponse" do
56
- optional :request_id, :string, 1, json_name: "requestId"
57
- repeated :results, :message, 2, "cerbos.response.v1.CheckResourcesResponse.ResultEntry", json_name: "results"
58
- end
59
- add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry" do
60
- optional :resource, :message, 1, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Resource", json_name: "resource"
61
- map :actions, :string, :enum, 2, "cerbos.effect.v1.Effect"
62
- repeated :validation_errors, :message, 3, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
63
- optional :meta, :message, 4, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta", json_name: "meta"
64
- end
65
- add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Resource" do
66
- optional :id, :string, 1, json_name: "id"
67
- optional :kind, :string, 2, json_name: "kind"
68
- optional :policy_version, :string, 3, json_name: "policyVersion"
69
- optional :scope, :string, 4, json_name: "scope"
70
- end
71
- add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta" do
72
- map :actions, :string, :message, 1, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMeta"
73
- repeated :effective_derived_roles, :string, 2, json_name: "effectiveDerivedRoles"
74
- end
75
- add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMeta" do
76
- optional :matched_policy, :string, 1, json_name: "matchedPolicy"
77
- optional :matched_scope, :string, 2, json_name: "matchedScope"
78
- end
79
- add_message "cerbos.response.v1.ServerInfoResponse" do
80
- optional :version, :string, 1, json_name: "version"
81
- optional :commit, :string, 2, json_name: "commit"
82
- optional :build_date, :string, 3, json_name: "buildDate"
12
+
13
+ descriptor_data = "\n!cerbos/response/v1/response.proto\x12\x12\x63\x65rbos.response.v1\x1a\x1d\x63\x65rbos/effect/v1/effect.proto\x1a\x1d\x63\x65rbos/engine/v1/engine.proto\x1a\x1d\x63\x65rbos/schema/v1/schema.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xb5\x08\n\x15PlanResourcesResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x32\n\x06\x61\x63tion\x18\x02 \x01(\tB\x1a\x92\x41\x17\x32\x06\x41\x63tionJ\r\"view:public\"R\x06\x61\x63tion\x12\x8a\x01\n\rresource_kind\x18\x03 \x01(\tBe\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$R\x0cresourceKind\x12J\n\x0epolicy_version\x18\x04 \x01(\tB#\x92\x41 2\x13The policy version.J\t\"default\"R\rpolicyVersion\x12J\n\x06\x66ilter\x18\x05 \x01(\x0b\x32%.cerbos.engine.v1.PlanResourcesFilterB\x0b\x92\x41\x08\x32\x06\x46ilterR\x06\x66ilter\x12\x7f\n\x04meta\x18\x06 \x01(\x0b\x32..cerbos.response.v1.PlanResourcesResponse.MetaB;\x92\x41\x38\x32\x36Optional metadata about the request evaluation processR\x04meta\x12\x90\x01\n\x11validation_errors\x18\x07 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1a\xff\x01\n\x04Meta\x12]\n\x0c\x66ilter_debug\x18\x01 \x01(\tB:\x92\x41\x37\x32\x35\x46ilter textual representation for debugging purposes.R\x0b\x66ilterDebug\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:)\x92\x41&\n$2\"Metadata about request evaluation.:<\x92\x41\x39\n725Resources query plan response for a set of resources.\"\xc8\x15\n\x18\x43heckResourceSetResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the 
request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xdb\x02\n\x12resource_instances\x18\x02 \x03(\x0b\x32\x43.cerbos.response.v1.CheckResourceSetResponse.ResourceInstancesEntryB\xe6\x01\x92\x41\xe2\x01\x32KResults for each resource instance, keyed by the ID supplied in the requestJ\x92\x01{\"XX125\":{\"actions\":{\"view:*\":\"EFFECT_ALLOW\", \"comment\": \"EFFECT_ALLOW\"}}, \"XX225\":{\"actions\":{\"view:*\":\"EFFECT_DENY\", \"comment\": \"EFFECT_DENY\"}}}R\x11resourceInstances\x12\x82\x01\n\x04meta\x18\x03 \x01(\x0b\x32\x31.cerbos.response.v1.CheckResourceSetResponse.MetaB;\x92\x41\x38\x32\x36Optional metadata about the request evaluation processR\x04meta\x1a\x8b\x03\n\x0f\x41\x63tionEffectMap\x12\x8e\x01\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32I.cerbos.response.v1.CheckResourceSetResponse.ActionEffectMap.ActionsEntryB)\x92\x41&2$Mapping of each action to an effect.R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x02 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01\x1a\x89\x0c\n\x04Meta\x12\xcf\x03\n\x12resource_instances\x18\x01 \x03(\x0b\x32H.cerbos.response.v1.CheckResourceSetResponse.Meta.ResourceInstancesEntryB\xd5\x02\x92\x41\xd1\x02\x32\"Metadata about resource instances.J\xaa\x02{\"XX125\": {\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}, \"effective_derived_roles\": [\"owner\"]}, \"XX225\": {\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}}}R\x11resourceInstances\x1a\x88\x02\n\nEffectMeta\x12o\n\x0ematched_policy\x18\x01 \x01(\tBH\x92\x41\x45\x32+Policy that matched to produce this 
effect.J\x16\"album:object:default\"R\rmatchedPolicy\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:\x1a\x92\x41\x17\n\x15\x32\x13Name of the action.\x1a\xf3\x04\n\nActionMeta\x12\xa7\x02\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32I.cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta.ActionsEntryB\xc1\x01\x92\x41\xbd\x01\x32OMetadata about the effect calculated for each action on this resource instance.Jj{\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}R\x07\x61\x63tions\x12\x83\x01\n\x17\x65\x66\x66\x65\x63tive_derived_roles\x18\x02 \x03(\tBK\x92\x41H2;Derived roles that were effective during policy evaluation.J\t[\"owner\"]R\x15\x65\x66\x66\x65\x63tiveDerivedRoles\x1ax\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMetaR\x05value:\x02\x38\x01:;\x92\x41\x38\n624Unique resource instance ID supplied in the request.\x1a\x82\x01\n\x16ResourceInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMetaR\x05value:\x02\x38\x01:)\x92\x41&\n$2\"Metadata about request evaluation.\x1a\x82\x01\n\x16ResourceInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.ActionEffectMapR\x05value:\x02\x38\x01:9\x92\x41\x36\n422Policy evaluation response for a set of resources.\"\xe5\x06\n\x1a\x43heckResourceBatchResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xb3\x01\n\x07results\x18\x02 \x03(\x0b\x32>.cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMapBY\x92\x41V2\x18Result for each 
resourceJ:[{\"resourceId\":\"XX125\",\"actions\":{\"view\":\"EFFECT_ALLOW\"}}]R\x07results\x1a\xe2\x03\n\x0f\x41\x63tionEffectMap\x12:\n\x0bresource_id\x18\x01 \x01(\tB\x19\x92\x41\x16\x32\x0bResource IDJ\x07\"XX125\"R\nresourceId\x12\xa9\x01\n\x07\x61\x63tions\x18\x02 \x03(\x0b\x32K.cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap.ActionsEntryBB\x92\x41?2$Mapping of each action to an effect.J\x17{\"view\":\"EFFECT_ALLOW\"}R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x03 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01:;\x92\x41\x38\n624Policy evaluation response for a batch of resources.\"\xa6\x17\n\x16\x43heckResourcesResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xe3\x01\n\x07results\x18\x02 \x03(\x0b\x32\x36.cerbos.response.v1.CheckResourcesResponse.ResultEntryB\x90\x01\x92\x41\x8c\x01\x32\x18Result for each resourceJp[{\"resource\": {\"Id\":\"XX125\", \"kind\":\"album:object\"}, \"actions\":{\"view\":\"EFFECT_ALLOW\",\"comment\":\"EFFECT_DENY\"}}]R\x07results\x1a\x80\x14\n\x0bResultEntry\x12[\n\x08resource\x18\x01 \x01(\x0b\x32?.cerbos.response.v1.CheckResourcesResponse.ResultEntry.ResourceR\x08resource\x12\xa1\x01\n\x07\x61\x63tions\x18\x02 \x03(\x0b\x32\x43.cerbos.response.v1.CheckResourcesResponse.ResultEntry.ActionsEntryBB\x92\x41?2$Mapping of each action to an effect.J\x17{\"view\":\"EFFECT_ALLOW\"}R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x03 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x12\x98\x02\n\x04meta\x18\x04 
\x01(\x0b\x32;.cerbos.response.v1.CheckResourcesResponse.ResultEntry.MetaB\xc6\x01\x92\x41\xc2\x01\x32 Metadata about policy evaluationJ\x9d\x01{\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}, \"effective_derived_roles\": [\"owner\"]}R\x04meta\x12\xf6\x01\n\x07outputs\x18\x05 \x03(\x0b\x32\x1d.cerbos.engine.v1.OutputEntryB\xbc\x01\x92\x41\xb8\x01\x32,Output for each rule with outputs configuredJ\x87\x01[{\"src\": \"resource.expense.v1/acme#rule-001\", \"val\": \"view_allowed:alice\"}, {\"src\": \"resource.expense.v1/acme#rule-002\", \"val\": \"foo\"}]R\x07outputs\x1a\xff\x04\n\x08Resource\x12\x39\n\x02id\x18\x01 \x01(\tB)\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"R\x02id\x12\x93\x01\n\x04kind\x18\x02 \x01(\tB\x7f\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$R\x04kind\x12\xc5\x01\n\x0epolicy_version\x18\x03 \x01(\tB\x9d\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$R\rpolicyVersion\x12\xd9\x01\n\x05scope\x18\x04 \x01(\tB\xc2\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. 
This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1a\xf0\x06\n\x04Meta\x12\xa6\x02\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32H.cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.ActionsEntryB\xc1\x01\x92\x41\xbd\x01\x32OMetadata about the effect calculated for each action on this resource instance.Jj{\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}R\x07\x61\x63tions\x12\x83\x01\n\x17\x65\x66\x66\x65\x63tive_derived_roles\x18\x02 \x03(\tBK\x92\x41H2;Derived roles that were effective during policy evaluation.J\t[\"owner\"]R\x15\x65\x66\x66\x65\x63tiveDerivedRoles\x1a\x88\x02\n\nEffectMeta\x12o\n\x0ematched_policy\x18\x01 \x01(\tBH\x92\x41\x45\x32+Policy that matched to produce this effect.J\x16\"album:object:default\"R\rmatchedPolicy\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:\x1a\x92\x41\x17\n\x15\x32\x13Name of the action.\x1a\x82\x01\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\\\n\x05value\x18\x02 \x01(\x0b\x32\x46.cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMetaR\x05value:\x02\x38\x01:)\x92\x41&\n$2\"Metadata about request evaluation.\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01:2\x92\x41/\n-2+Response from the check resources API call.\"\x82\x01\n\x12ServerInfoResponse\x12\x18\n\x07version\x18\x01 \x01(\tR\x07version\x12\x16\n\x06\x63ommit\x18\x02 \x01(\tR\x06\x63ommit\x12\x1d\n\nbuild_date\x18\x03 \x01(\tR\tbuildDate:\x1b\x92\x41\x18\n\x16\x32\x14Server info responseBw\n\x1a\x64\x65v.cerbos.api.v1.responseZ@github.com/cerbos/cerbos/api/genpb/cerbos/response/v1;responsev1\xaa\x02\x16\x43\x65rbos.Api.V1.Responseb\x06proto3"
14
+
15
+ pool = Google::Protobuf::DescriptorPool.generated_pool
16
+
17
+ begin
18
+ pool.add_serialized_file(descriptor_data)
19
+ rescue TypeError => e
20
+ # Compatibility code: will be removed in the next major version.
21
+ require 'google/protobuf/descriptor_pb'
22
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
23
+ parsed.clear_dependency
24
+ serialized = parsed.class.encode(parsed)
25
+ file = pool.add_serialized_file(serialized)
26
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
27
+ imports = [
28
+ ["cerbos.engine.v1.PlanResourcesFilter", "cerbos/engine/v1/engine.proto"],
29
+ ["cerbos.schema.v1.ValidationError", "cerbos/schema/v1/schema.proto"],
30
+ ]
31
+ imports.each do |type_name, expected_filename|
32
+ import_file = pool.lookup(type_name).file_descriptor
33
+ if import_file.name != expected_filename
34
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
83
35
  end
84
36
  end
37
+ warn "Each proto file must use a consistent fully-qualified name."
38
+ warn "This will become an error in the next major version."
85
39
  end
86
40
 
87
41
  module Cerbos::Protobuf::Cerbos
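Review bot: The `imports` list in the fallback covers only `cerbos/engine/v1/engine.proto` and `cerbos/schema/v1/schema.proto`, but the serialized descriptor also declares `cerbos/effect/v1/effect.proto` and `protoc-gen-openapiv2/options/annotations.proto` as dependencies. Because `parsed.clear_dependency` drops every declared dependency before the file is re-added, a path mismatch in one of the unchecked imports produces the generic warnings but no "- ... imports ..." line naming the offending file. Since this is generated code, that is a point for the generator version rather than a hand edit. Moving from the readable `add_message` DSL to an opaque `descriptor_data` string also makes schema changes hard to see in review: the removed `ResultEntry` definition had fields 1 to 4, while the new descriptor adds `outputs` (field 5, `cerbos.engine.v1.OutputEntry`). It would help to attach a decoded view of the descriptor (for example via `Google::Protobuf::FileDescriptorProto.decode`) so such additions can be reviewed field by field.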