cerbos 0.6.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e66a450c22c146b4372b0ebd4cfd1e950d3824c78e8d24209275ee41020aa3d1
-  data.tar.gz: 5f3d5aeb480e91d3918ad3065badb211d9572991b7e729ea4847732655d6bf30
+  metadata.gz: '09d04980a1c08690efeeac6d04608e47e18def9b0f2ab6a5c256b4b22576464d'
+  data.tar.gz: 61968be4473d1a480979d9e2d2af05f0911f1d8b4a8c90947d8dce72910565f7
 SHA512:
-  metadata.gz: 8de09b89a42c31f5a5283adf91ac8f1af0cfde2d660a8a47443ac6a28fb814a658991fbbd74a5bebcf95dd2382bfd0215b5dac6c27343cac0ad5345211bf38cf
-  data.tar.gz: 88a4ce5be4f53fcd7df994494e4190b49587159d2a93ae2ee828afa557c3ace338731c21c27f99c5eb69fff9592ef90c1e7fb0e2e7b5b76c82787b06fdc0f4e9
+  metadata.gz: 788ca1b6ff6c4e3a1ea71c791fef64f5802a89423d21dba5da7f91f7fc697ff91f1aa7ebcedab4d4bde807c531b3b13b4ac5e95a53b93d76c79077e214ecd54b
+  data.tar.gz: 2115919d8cb958b0c347c09710d780d7748fec5933f65f4e91d2af7c937ec0e151ad7cfa808526213a788839ea8360fcfa153b94b9574d9ce6facabdca56fab1

data/CHANGELOG.md

@@ -1,46 +1,75 @@
 ## [Unreleased]
+
 No notable changes.
 
+## [0.7.0] - 2023-06-07
+
+### Added
+
+- Support for user-defined policy rule outputs ([#100](https://github.com/cerbos/cerbos-sdk-ruby/pull/100))
+
+  Requires a policy decision point server running Cerbos 0.27+.
+
+### Removed
+
+- Support for Ruby 2.7 ([#90](https://github.com/cerbos/cerbos-sdk-ruby/pull/90))
+
 ## [0.6.1] - 2023-03-23
+
 ### Removed
+
 - Unused generated code ([#83](https://github.com/cerbos/cerbos-sdk-ruby/pull/83))
 
 ## [0.6.0] - 2022-07-01
+
 ### Added
+
 - Support for schema validation in `Cerbos::Client#plan_resources` ([#32](https://github.com/cerbos/cerbos-sdk-ruby/pull/32))
 
-  Requires Cerbos 0.19+.
+  Requires a policy decision point server running Cerbos 0.19+.
   `Cerbos::Output::PlanResources#validation_errors` will always return an empty array if the client is connected to an earlier version of Cerbos.
 
   As a result, `Cerbos::Output::CheckResources::Result::ValidationError` has moved to `Cerbos::Output::ValidationError`.
   Attempting to access the class via the old namespace will print a deprecation warning and return the new class.
 
 ## [0.5.0] - 2022-06-09
+
 ### Added
+
 - Allow symbol keys in nested attributes hashes ([#28](https://github.com/cerbos/cerbos-sdk-ruby/pull/28))
 
 ## [0.4.0] - 2022-06-03
+
 ### Added
+
 - `on_validation_error` option to `Cerbos::Client#initialize` ([#22](https://github.com/cerbos/cerbos-sdk-ruby/pull/22))
 
 ### Changed
+
 - Minor documentation fixes ([#21](https://github.com/cerbos/cerbos-sdk-ruby/pull/21))
 
 ## [0.3.0] - 2022-05-13
+
 ### Added
+
 - More helper methods ([#11](https://github.com/cerbos/cerbos-sdk-ruby/pull/11))
   - `Cerbos::Client#allow?` for checking a single action on a resource
   - `Cerbos::Output::CheckResources#allow_all?` and `Cerbos::Output::CheckResources::Result#allow_all?` for checking if all input actions were allowed
 
 ## [0.2.0] - 2022-05-12
+
 ### Changed
+
 - Increased `grpc` version requirement to 1.46+ to avoid [installing a native gem compiled for `x86_64-darwin` on `arm64-darwin`](https://github.com/grpc/grpc/issues/29100) ([#8](https://github.com/cerbos/cerbos-sdk-ruby/pull/8))
 
 ## [0.1.0] - 2022-05-12
+
 ### Added
+
 - Initial implementation of `Cerbos::Client` ([#2](https://github.com/cerbos/cerbos-sdk-ruby/pull/2))
 
-[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...HEAD
+[Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.7.0...HEAD
+[0.7.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...v0.7.0
 [0.6.1]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...v0.6.1
 [0.6.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.5.0...v0.6.0
 [0.5.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.4.0...v0.5.0

data/README.md

@@ -12,7 +12,7 @@ The Cerbos Ruby SDK makes it easy to interact with the Cerbos PDP from your Ruby
 ## Prerequisites
 
 - Cerbos 0.16+
-- Ruby 2.7+
+- Ruby 3.0+
 
 ## Installation
 

data/cerbos.gemspec

@@ -31,6 +31,6 @@ Gem::Specification.new do |spec|
     "yard_extensions.rb"
   ]
 
-  spec.required_ruby_version = ">= 2.7.0"
+  spec.required_ruby_version = ">= 3.0.0"
   spec.add_dependency "grpc", "~> 1.46"
 end

data/lib/cerbos/output/check_resources.rb

@@ -73,7 +73,7 @@ module Cerbos
     end
 
     # The outcome of checking a principal's permissions on single resource.
-    CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
+    CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
       # @!attribute [r] resource
       #   The resource that was checked.
       #
@@ -95,6 +95,11 @@ module Cerbos
       #   @return [Metadata]
       #   @return [nil] if `include_metadata` was `false`.
 
+      # @!attribute [r] outputs
+      #   User-defined outputs from policy rule evaluations.
+      #
+      #   @return [Array<Output>]
+
       # @private
       def self.const_missing(const)
         if const == :ValidationError
@@ -110,7 +115,8 @@ module Cerbos
           resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
           actions: entry.actions.to_h,
           validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
-          metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
+          metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta),
+          outputs: (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }
         )
       end
 
@@ -126,7 +132,7 @@ module Cerbos
       #
       # @return [Boolean]
       def allow_all?
-        actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
+        actions.each_value.all?(:EFFECT_ALLOW)
       end
 
       # List the actions that should be allowed for the resource.
@@ -135,6 +141,15 @@ module Cerbos
       def allowed_actions
         actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
       end
+
+      # Find the value of the user-defined output for a particular policy rule.
+      #
+      # @param source [String] the identifier of the policy rule that produced the output.
+      # @return [String, Numeric, Boolean, Array, Hash, nil]
+      # @return [nil] if the result does not include an output for the source.
+      def output(source)
+        outputs.find { |output| output.source == source }&.value
+      end
     end
 
     # A resource that was checked.
@@ -216,5 +231,25 @@ module Cerbos
         )
       end
     end
+
+    # User-defined output from a policy rule evaluation.
+    CheckResources::Result::Output = Output.new_class(:source, :value) do
+      # @!attribute [r] source
+      #   The identifier of the policy rule that produced the output.
+      #
+      #   @return [String]
+
+      # @!attribute [r] value
+      #   The result of evaluating the output expression.
+      #
+      #   @return [String, Numeric, Boolean, Array, Hash, nil]
+
+      def self.from_protobuf(output_entry)
+        new(
+          source: output_entry.src,
+          value: output_entry.val&.to_ruby(true)
+        )
+      end
+    end
   end
 end

data/lib/cerbos/protobuf/cerbos/effect/v1/effect_pb.rb

@@ -1,17 +1,34 @@
+# frozen_string_literal: true
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: cerbos/effect/v1/effect.proto
 
 require 'google/protobuf'
 
-Google::Protobuf::DescriptorPool.generated_pool.build do
-  add_file("cerbos/effect/v1/effect.proto", :syntax => :proto3) do
-    add_enum "cerbos.effect.v1.Effect" do
-      value :EFFECT_UNSPECIFIED, 0
-      value :EFFECT_ALLOW, 1
-      value :EFFECT_DENY, 2
-      value :EFFECT_NO_MATCH, 3
+
+descriptor_data = "\n\x1d\x63\x65rbos/effect/v1/effect.proto\x12\x10\x63\x65rbos.effect.v1*X\n\x06\x45\x66\x66\x65\x63t\x12\x16\n\x12\x45\x46\x46\x45\x43T_UNSPECIFIED\x10\x00\x12\x10\n\x0c\x45\x46\x46\x45\x43T_ALLOW\x10\x01\x12\x0f\n\x0b\x45\x46\x46\x45\x43T_DENY\x10\x02\x12\x13\n\x0f\x45\x46\x46\x45\x43T_NO_MATCH\x10\x03\x42o\n\x18\x64\x65v.cerbos.api.v1.effectZ<github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1;effectv1\xaa\x02\x14\x43\x65rbos.Api.V1.Effectb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError => e
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
     end
   end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
 end
 
 module Cerbos::Protobuf::Cerbos

data/lib/cerbos/protobuf/cerbos/engine/v1/engine_pb.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: cerbos/engine/v1/engine.proto
 
@@ -6,52 +7,32 @@ require 'google/protobuf'
 require 'google/protobuf/struct_pb'
 require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
 
-Google::Protobuf::DescriptorPool.generated_pool.build do
-  add_file("cerbos/engine/v1/engine.proto", :syntax => :proto3) do
-    add_message "cerbos.engine.v1.PlanResourcesInput" do
-    end
-    add_message "cerbos.engine.v1.PlanResourcesInput.Resource" do
-      optional :kind, :string, 1, json_name: "kind"
-      map :attr, :string, :message, 2, "google.protobuf.Value"
-      optional :policy_version, :string, 3, json_name: "policyVersion"
-      optional :scope, :string, 4, json_name: "scope"
-    end
-    add_message "cerbos.engine.v1.PlanResourcesFilter" do
-      optional :kind, :enum, 1, "cerbos.engine.v1.PlanResourcesFilter.Kind", json_name: "kind"
-      optional :condition, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "condition"
-    end
-    add_message "cerbos.engine.v1.PlanResourcesFilter.Expression" do
-      optional :operator, :string, 1, json_name: "operator"
-      repeated :operands, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "operands"
-    end
-    add_message "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand" do
-      oneof :node do
-        optional :value, :message, 1, "google.protobuf.Value", json_name: "value"
-        optional :expression, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression", json_name: "expression"
-        optional :variable, :string, 3, json_name: "variable"
-      end
-    end
-    add_enum "cerbos.engine.v1.PlanResourcesFilter.Kind" do
-      value :KIND_UNSPECIFIED, 0
-      value :KIND_ALWAYS_ALLOWED, 1
-      value :KIND_ALWAYS_DENIED, 2
-      value :KIND_CONDITIONAL, 3
-    end
-    add_message "cerbos.engine.v1.Resource" do
-      optional :kind, :string, 1, json_name: "kind"
-      optional :policy_version, :string, 2, json_name: "policyVersion"
-      optional :id, :string, 3, json_name: "id"
-      map :attr, :string, :message, 4, "google.protobuf.Value"
-      optional :scope, :string, 5, json_name: "scope"
-    end
-    add_message "cerbos.engine.v1.Principal" do
-      optional :id, :string, 1, json_name: "id"
-      optional :policy_version, :string, 2, json_name: "policyVersion"
-      repeated :roles, :string, 3, json_name: "roles"
-      map :attr, :string, :message, 4, "google.protobuf.Value"
-      optional :scope, :string, 5, json_name: "scope"
+
+descriptor_data = "\n\x1d\x63\x65rbos/engine/v1/engine.proto\x12\x10\x63\x65rbos.engine.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xde\x07\n\x12PlanResourcesInput\x1a\xc7\x07\n\x08Resource\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xb8\x01\n\x04\x61ttr\x18\x02 \x03(\x0b\x32\x37.cerbos.engine.v1.PlanResourcesInput.Resource.AttrEntryBk\x92\x41`2^Key-value pairs of contextual data about the resource that are known at a time of the request.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\xdc\x01\n\x0epolicy_version\x18\x03 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x85\x02\n\x05scope\x18\x04 \x01(\tB\xee\x01\x92\x41\xb1\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xa4\x06\n\x13PlanResourcesFilter\x12\xad\x01\n\x04kind\x18\x01 \x01(\x0e\x32*.cerbos.engine.v1.PlanResourcesFilter.KindBm\x92\x41j2hFilter kind. Defines whether the given action is always allowed, always denied or allowed conditionally.R\x04kind\x12\x9a\x01\n\tcondition\x18\x02 \x01(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandBB\x92\x41?2=Filter condition. Only populated if kind is KIND_CONDITIONAL.R\tcondition\x1a\xda\x02\n\nExpression\x12)\n\x08operator\x18\x01 \x01(\tB\r\x92\x41\n2\x08OperatorR\x08operator\x12T\n\x08operands\x18\x02 \x03(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandR\x08operands\x1a\xb3\x01\n\x07Operand\x12.\n\x05value\x18\x01 \x01(\x0b\x32\x16.google.protobuf.ValueH\x00R\x05value\x12R\n\nexpression\x18\x02 \x01(\x0b\x32\x30.cerbos.engine.v1.PlanResourcesFilter.ExpressionH\x00R\nexpression\x12\x1c\n\x08variable\x18\x03 \x01(\tH\x00R\x08variableB\x06\n\x04node:\x15\x92\x41\x12\n\x10\x32\x0e\x43\x45L expression\"c\n\x04Kind\x12\x14\n\x10KIND_UNSPECIFIED\x10\x00\x12\x17\n\x13KIND_ALWAYS_ALLOWED\x10\x01\x12\x16\n\x12KIND_ALWAYS_DENIED\x10\x02\x12\x14\n\x10KIND_CONDITIONAL\x10\x03\"\xeb\x01\n\x0bOutputEntry\x12\x65\n\x03src\x18\x01 \x01(\tBS\x92\x41P2)Rule that matched to produce this output.J#\"resource.expense.v1/acme#rule-001\"R\x03src\x12u\n\x03val\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueBK\x92\x41H27Dynamic output, determined by user defined rule output.J\r\"some_string\"R\x03val\"\xc0\x08\n\x08Resource\x12\xe1\x01\n\x04kind\x18\x01 \x01(\tB\xcc\x01\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x43\n\x02id\x18\x03 \x01(\tB3\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32$.cerbos.engine.v1.Resource.AttrEntryB\x8a\x01\x92\x41\x7f\x32\x64Kay-value pairs of contextual data about this resource that should be used during policy evaluation.J\x17{\"owner\": \"bugs_bunny\"}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x92\x02\n\x05scope\x18\x05 \x01(\tB\xfb\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xe3\x08\n\tPrincipal\x12@\n\x02id\x18\x01 \x01(\tB0\x92\x41#2\x13ID of the principalJ\x0c\"bugs_bunny\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xaa\x01\n\x05roles\x18\x03 \x03(\tB\x93\x01\x92\x41l2FRoles assigned to this principal from your identity management system.J\x08[\"user\"]\x8a\x01\x11^[[:word:]\\-\\.]+$\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x1e\x92\x01\x1b\x08\x01\x18\x01\"\x15r\x13\x32\x11^[[:word:]\\-\\.]+$R\x05roles\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32%.cerbos.engine.v1.Principal.AttrEntryB\x89\x01\x92\x41~2eKey-value pairs of contextual data about this principal that should be used during policy evaluation.J\x15{\"beta_tester\": true}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x93\x02\n\x05scope\x18\x05 \x01(\tB\xfc\x01\x92\x41\xbf\x01\x32~A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:Y\x92\x41V\nT2RA person or application attempting to perform the actions on the set of resources.Bo\n\x18\x64\x65v.cerbos.api.v1.engineZ<github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1;enginev1\xaa\x02\x14\x43\x65rbos.Api.V1.Engineb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError => e
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+    ["google.protobuf.Value", "google/protobuf/struct.proto"],
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
     end
   end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
 end
 
 module Cerbos::Protobuf::Cerbos
@@ -63,6 +44,7 @@ module Cerbos::Protobuf::Cerbos
       PlanResourcesFilter::Expression = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression").msgclass
       PlanResourcesFilter::Expression::Operand = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression.Operand").msgclass
       PlanResourcesFilter::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Kind").enummodule
+      OutputEntry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.OutputEntry").msgclass
       Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Resource").msgclass
       Principal = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Principal").msgclass
     end

data/lib/cerbos/protobuf/cerbos/request/v1/request_pb.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: cerbos/request/v1/request.proto
 
@@ -9,64 +10,33 @@ require 'google/protobuf/struct_pb'
 require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
 require 'cerbos/protobuf/validate/validate_pb'
 
-Google::Protobuf::DescriptorPool.generated_pool.build do
-  add_file("cerbos/request/v1/request.proto", :syntax => :proto3) do
-    add_message "cerbos.request.v1.PlanResourcesRequest" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      optional :action, :string, 2, json_name: "action"
-      optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
-      optional :resource, :message, 4, "cerbos.engine.v1.PlanResourcesInput.Resource", json_name: "resource"
-      optional :aux_data, :message, 5, "cerbos.request.v1.AuxData", json_name: "auxData"
-      optional :include_meta, :bool, 6, json_name: "includeMeta"
-    end
-    add_message "cerbos.request.v1.CheckResourceSetRequest" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      repeated :actions, :string, 2, json_name: "actions"
-      optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
-      optional :resource, :message, 4, "cerbos.request.v1.ResourceSet", json_name: "resource"
-      optional :include_meta, :bool, 5, json_name: "includeMeta"
-      optional :aux_data, :message, 6, "cerbos.request.v1.AuxData", json_name: "auxData"
-    end
-    add_message "cerbos.request.v1.ResourceSet" do
-      optional :kind, :string, 1, json_name: "kind"
-      optional :policy_version, :string, 2, json_name: "policyVersion"
-      map :instances, :string, :message, 3, "cerbos.request.v1.AttributesMap"
-      optional :scope, :string, 4, json_name: "scope"
-    end
-    add_message "cerbos.request.v1.AttributesMap" do
-      map :attr, :string, :message, 1, "google.protobuf.Value"
-    end
-    add_message "cerbos.request.v1.CheckResourceBatchRequest" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      optional :principal, :message, 2, "cerbos.engine.v1.Principal", json_name: "principal"
-      repeated :resources, :message, 3, "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry", json_name: "resources"
-      optional :aux_data, :message, 4, "cerbos.request.v1.AuxData", json_name: "auxData"
-    end
-    add_message "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry" do
-      repeated :actions, :string, 1, json_name: "actions"
-      optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
-    end
-    add_message "cerbos.request.v1.CheckResourcesRequest" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      optional :include_meta, :bool, 2, json_name: "includeMeta"
-      optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
-      repeated :resources, :message, 4, "cerbos.request.v1.CheckResourcesRequest.ResourceEntry", json_name: "resources"
-      optional :aux_data, :message, 5, "cerbos.request.v1.AuxData", json_name: "auxData"
-    end
-    add_message "cerbos.request.v1.CheckResourcesRequest.ResourceEntry" do
-      repeated :actions, :string, 1, json_name: "actions"
-      optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
-    end
-    add_message "cerbos.request.v1.AuxData" do
-      optional :jwt, :message, 1, "cerbos.request.v1.AuxData.JWT", json_name: "jwt"
-    end
-    add_message "cerbos.request.v1.AuxData.JWT" do
-      optional :token, :string, 1, json_name: "token"
-      optional :key_set_id, :string, 2, json_name: "keySetId"
-    end
-    add_message "cerbos.request.v1.ServerInfoRequest" do
+
+descriptor_data = "\n\x1f\x63\x65rbos/request/v1/request.proto\x12\x11\x63\x65rbos.request.v1\x1a\x1d\x63\x65rbos/engine/v1/engine.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\x1a\x17validate/validate.proto\"\x83\x05\n\x14PlanResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12h\n\x06\x61\x63tion\x18\x02 \x01(\tBP\x92\x41\x43\x32\x32\x41\x63tion to be applied to each resource in the list.J\r\"view:public\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x06\x61\x63tion\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12V\n\x08resource\x18\x04 \x01(\x0b\x32-.cerbos.engine.v1.PlanResourcesInput.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12:\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData\x12\x63\n\x0cinclude_meta\x18\x06 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta:\'\x92\x41$\n\"2 PDP Resources Query Plan Request\"\x87\x05\n\x17\x43heckResourceSetRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x8c\x01\n\x07\x61\x63tions\x18\x02 \x03(\tBr\x92\x41\\28List of actions being performed on the set of resources.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12G\n\x08resource\x18\x04 \x01(\x0b\x32\x1e.cerbos.request.v1.ResourceSetB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12\x63\n\x0cinclude_meta\x18\x05 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta\x12:\n\x08\x61ux_data\x18\x06 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xaf\t\n\x0bResourceSet\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xeb\x02\n\tinstances\x18\x03 \x03(\x0b\x32-.cerbos.request.v1.ResourceSet.InstancesEntryB\x9d\x02\x92\x41\x8c\x02\x32mSet of resource instances to check. Each instance must be keyed by an application-specific unique identifier.J\x97\x01{\"XX125\":{\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}, \"XX225\":{\"attr\":{\"owner\":\"daffy_duck\", \"public\": true, \"flagged\": false}}}\xc8\x01\x01\xe0\x41\x02\xfa\x42\x07\x9a\x01\x04\x08\x01\x18\x01R\tinstances\x12\x86\x02\n\x05scope\x18\x04 \x01(\tB\xef\x01\x92\x41\xb2\x01\x32~A dot-separated scope that describes the hierarchy these resources belong to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1a^\n\x0eInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x36\n\x05value\x18\x02 \x01(\x0b\x32 .cerbos.request.v1.AttributesMapR\x05value:\x02\x38\x01: \x92\x41\x1d\n\x1b\x32\x19Set of resources to check\"\xc9\x02\n\rAttributesMap\x12\xb1\x01\n\x04\x61ttr\x18\x01 \x03(\x0b\x32*.cerbos.request.v1.AttributesMap.AttrEntryBq\x92\x41\x66\x32\x64Key-value pairs of contextual data about this instance that should be used during policy evaluation.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:3\x92\x41\x30\n.2,Unique identifier for the resource instance.\"\xe1\x06\n\x19\x43heckResourceBatchRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x46\n\tprincipal\x18\x02 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbc\x02\n\tresources\x18\x03 \x03(\x0b\x32\x37.cerbos.request.v1.CheckResourceBatchRequest.BatchEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x04 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xd8\x01\n\nBatchEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xc5\x07\n\x15\x43heckResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12X\n\x0cinclude_meta\x18\x02 \x01(\x08\x42\x35\x92\x41\x32\x32\x30\x41\x64\x64 request processing metadata to the response.R\x0bincludeMeta\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbb\x02\n\tresources\x18\x04 \x03(\x0b\x32\x36.cerbos.request.v1.CheckResourcesRequest.ResourceEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xdb\x01\n\rResourceEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x1e\x92\x41\x1b\n\x19\x32\x17\x43heck resources request\"\xc5\x06\n\x07\x41uxData\x12\x30\n\x03jwt\x18\x01 \x01(\x0b\x32\x1e.cerbos.request.v1.AuxData.JWTR\x03jwt\x1a\xc3\x05\n\x03JWT\x12\x90\x04\n\x05token\x18\x01 \x01(\tB\xf9\x03\x92\x41\xeb\x03\x32\x1dJWT from the original requestJ\xc9\x03\"eyJhbGciOiJFUzM4NCIsImtpZCI6IjE5TGZaYXRFZGc4M1lOYzVyMjNndU1KcXJuND0iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiY2VyYm9zLWp3dC10ZXN0cyJdLCJjdXN0b21BcnJheSI6WyJBIiwiQiIsIkMiXSwiY3VzdG9tSW50Ijo0MiwiY3VzdG9tTWFwIjp7IkEiOiJBQSIsIkIiOiJCQiIsIkMiOiJDQyJ9LCJjdXN0b21TdHJpbmciOiJmb29iYXIiLCJleHAiOjE5NDk5MzQwMzksImlzcyI6ImNlcmJvcy10ZXN0LXN1aXRlIn0.WN_tOScSpd_EI-P5EI1YlagxEgExSfBjAtcrgcF6lyWj1lGpR_GKx9goZEp2p_t5AVWXN_bjz_sMUmJdJa4cVd55Qm1miR-FKu6oNRHnSEWdMFmnArwPw-YDJWfylLFX\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x05token\x12\x82\x01\n\nkey_set_id\x18\x02 \x01(\tBd\x92\x41\x61\x32RKey ID to use when decoding the token (defined in the Cerbos server configuration)J\x0b\"my-keyset\"R\x08keySetId:$\x92\x41!\n\x1f\x32\x1dJWT from the original request:B\x92\x41?\n=2;Structured auxiliary data useful for evaluating the request\"/\n\x11ServerInfoRequest:\x1a\x92\x41\x17\n\x15\x32\x13Server info requestBs\n\x19\x64\x65v.cerbos.api.v1.requestZ>github.com/cerbos/cerbos/api/genpb/cerbos/request/v1;requestv1\xaa\x02\x15\x43\x65rbos.Api.V1.Requestb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError => e
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+    ["cerbos.engine.v1.Principal", "cerbos/engine/v1/engine.proto"],
+    ["google.protobuf.Value", "google/protobuf/struct.proto"],
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
     end
   end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
 end
 
 module Cerbos::Protobuf::Cerbos

data/lib/cerbos/protobuf/cerbos/response/v1/response_pb.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: cerbos/response/v1/response.proto
 
@@ -8,80 +9,33 @@ require 'cerbos/protobuf/cerbos/engine/v1/engine_pb'
 require 'cerbos/protobuf/cerbos/schema/v1/schema_pb'
 require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
 
-Google::Protobuf::DescriptorPool.generated_pool.build do
-  add_file("cerbos/response/v1/response.proto", :syntax => :proto3) do
-    add_message "cerbos.response.v1.PlanResourcesResponse" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      optional :action, :string, 2, json_name: "action"
-      optional :resource_kind, :string, 3, json_name: "resourceKind"
-      optional :policy_version, :string, 4, json_name: "policyVersion"
-      optional :filter, :message, 5, "cerbos.engine.v1.PlanResourcesFilter", json_name: "filter"
-      optional :meta, :message, 6, "cerbos.response.v1.PlanResourcesResponse.Meta", json_name: "meta"
-      repeated :validation_errors, :message, 7, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
-    end
-    add_message "cerbos.response.v1.PlanResourcesResponse.Meta" do
-      optional :filter_debug, :string, 1, json_name: "filterDebug"
-      optional :matched_scope, :string, 2, json_name: "matchedScope"
-    end
-    add_message "cerbos.response.v1.CheckResourceSetResponse" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      map :resource_instances, :string, :message, 2, "cerbos.response.v1.CheckResourceSetResponse.ActionEffectMap"
-      optional :meta, :message, 3, "cerbos.response.v1.CheckResourceSetResponse.Meta", json_name: "meta"
-    end
-    add_message "cerbos.response.v1.CheckResourceSetResponse.ActionEffectMap" do
-      map :actions, :string, :enum, 1, "cerbos.effect.v1.Effect"
-      repeated :validation_errors, :message, 2, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
-    end
-    add_message "cerbos.response.v1.CheckResourceSetResponse.Meta" do
-      map :resource_instances, :string, :message, 1, "cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta"
-    end
-    add_message "cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMeta" do
-      optional :matched_policy, :string, 1, json_name: "matchedPolicy"
-      optional :matched_scope, :string, 2, json_name: "matchedScope"
-    end
-    add_message "cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta" do
-      map :actions, :string, :message, 1, "cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMeta"
-      repeated :effective_derived_roles, :string, 2, json_name: "effectiveDerivedRoles"
-    end
-    add_message "cerbos.response.v1.CheckResourceBatchResponse" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      repeated :results, :message, 2, "cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap", json_name: "results"
-    end
-    add_message "cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap" do
-      optional :resource_id, :string, 1, json_name: "resourceId"
-      map :actions, :string, :enum, 2, "cerbos.effect.v1.Effect"
-      repeated :validation_errors, :message, 3, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
-    end
-    add_message "cerbos.response.v1.CheckResourcesResponse" do
-      optional :request_id, :string, 1, json_name: "requestId"
-      repeated :results, :message, 2, "cerbos.response.v1.CheckResourcesResponse.ResultEntry", json_name: "results"
-    end
-    add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry" do
-      optional :resource, :message, 1, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Resource", json_name: "resource"
-      map :actions, :string, :enum, 2, "cerbos.effect.v1.Effect"
-      repeated :validation_errors, :message, 3, "cerbos.schema.v1.ValidationError", json_name: "validationErrors"
-      optional :meta, :message, 4, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta", json_name: "meta"
-    end
-    add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Resource" do
-      optional :id, :string, 1, json_name: "id"
-      optional :kind, :string, 2, json_name: "kind"
-      optional :policy_version, :string, 3, json_name: "policyVersion"
-      optional :scope, :string, 4, json_name: "scope"
-    end
-    add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta" do
-      map :actions, :string, :message, 1, "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMeta"
-      repeated :effective_derived_roles, :string, 2, json_name: "effectiveDerivedRoles"
-    end
-    add_message "cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMeta" do
-      optional :matched_policy, :string, 1, json_name: "matchedPolicy"
-      optional :matched_scope, :string, 2, json_name: "matchedScope"
-    end
-    add_message "cerbos.response.v1.ServerInfoResponse" do
-      optional :version, :string, 1, json_name: "version"
-      optional :commit, :string, 2, json_name: "commit"
-      optional :build_date, :string, 3, json_name: "buildDate"
+
+descriptor_data = "\n!cerbos/response/v1/response.proto\x12\x12\x63\x65rbos.response.v1\x1a\x1d\x63\x65rbos/effect/v1/effect.proto\x1a\x1d\x63\x65rbos/engine/v1/engine.proto\x1a\x1d\x63\x65rbos/schema/v1/schema.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xb5\x08\n\x15PlanResourcesResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x32\n\x06\x61\x63tion\x18\x02 \x01(\tB\x1a\x92\x41\x17\x32\x06\x41\x63tionJ\r\"view:public\"R\x06\x61\x63tion\x12\x8a\x01\n\rresource_kind\x18\x03 \x01(\tBe\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$R\x0cresourceKind\x12J\n\x0epolicy_version\x18\x04 \x01(\tB#\x92\x41 2\x13The policy version.J\t\"default\"R\rpolicyVersion\x12J\n\x06\x66ilter\x18\x05 \x01(\x0b\x32%.cerbos.engine.v1.PlanResourcesFilterB\x0b\x92\x41\x08\x32\x06\x46ilterR\x06\x66ilter\x12\x7f\n\x04meta\x18\x06 \x01(\x0b\x32..cerbos.response.v1.PlanResourcesResponse.MetaB;\x92\x41\x38\x32\x36Optional metadata about the request evaluation processR\x04meta\x12\x90\x01\n\x11validation_errors\x18\x07 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1a\xff\x01\n\x04Meta\x12]\n\x0c\x66ilter_debug\x18\x01 \x01(\tB:\x92\x41\x37\x32\x35\x46ilter textual representation for debugging purposes.R\x0b\x66ilterDebug\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:)\x92\x41&\n$2\"Metadata about request evaluation.:<\x92\x41\x39\n725Resources query plan response for a set of resources.\"\xc8\x15\n\x18\x43heckResourceSetResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xdb\x02\n\x12resource_instances\x18\x02 \x03(\x0b\x32\x43.cerbos.response.v1.CheckResourceSetResponse.ResourceInstancesEntryB\xe6\x01\x92\x41\xe2\x01\x32KResults for each resource instance, keyed by the ID supplied in the requestJ\x92\x01{\"XX125\":{\"actions\":{\"view:*\":\"EFFECT_ALLOW\", \"comment\": \"EFFECT_ALLOW\"}}, \"XX225\":{\"actions\":{\"view:*\":\"EFFECT_DENY\", \"comment\": \"EFFECT_DENY\"}}}R\x11resourceInstances\x12\x82\x01\n\x04meta\x18\x03 \x01(\x0b\x32\x31.cerbos.response.v1.CheckResourceSetResponse.MetaB;\x92\x41\x38\x32\x36Optional metadata about the request evaluation processR\x04meta\x1a\x8b\x03\n\x0f\x41\x63tionEffectMap\x12\x8e\x01\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32I.cerbos.response.v1.CheckResourceSetResponse.ActionEffectMap.ActionsEntryB)\x92\x41&2$Mapping of each action to an effect.R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x02 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01\x1a\x89\x0c\n\x04Meta\x12\xcf\x03\n\x12resource_instances\x18\x01 \x03(\x0b\x32H.cerbos.response.v1.CheckResourceSetResponse.Meta.ResourceInstancesEntryB\xd5\x02\x92\x41\xd1\x02\x32\"Metadata about resource instances.J\xaa\x02{\"XX125\": {\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}, \"effective_derived_roles\": [\"owner\"]}, \"XX225\": {\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}}}R\x11resourceInstances\x1a\x88\x02\n\nEffectMeta\x12o\n\x0ematched_policy\x18\x01 \x01(\tBH\x92\x41\x45\x32+Policy that matched to produce this effect.J\x16\"album:object:default\"R\rmatchedPolicy\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:\x1a\x92\x41\x17\n\x15\x32\x13Name of the action.\x1a\xf3\x04\n\nActionMeta\x12\xa7\x02\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32I.cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMeta.ActionsEntryB\xc1\x01\x92\x41\xbd\x01\x32OMetadata about the effect calculated for each action on this resource instance.Jj{\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}R\x07\x61\x63tions\x12\x83\x01\n\x17\x65\x66\x66\x65\x63tive_derived_roles\x18\x02 \x03(\tBK\x92\x41H2;Derived roles that were effective during policy evaluation.J\t[\"owner\"]R\x15\x65\x66\x66\x65\x63tiveDerivedRoles\x1ax\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.Meta.EffectMetaR\x05value:\x02\x38\x01:;\x92\x41\x38\n624Unique resource instance ID supplied in the request.\x1a\x82\x01\n\x16ResourceInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.Meta.ActionMetaR\x05value:\x02\x38\x01:)\x92\x41&\n$2\"Metadata about request evaluation.\x1a\x82\x01\n\x16ResourceInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12R\n\x05value\x18\x02 \x01(\x0b\x32<.cerbos.response.v1.CheckResourceSetResponse.ActionEffectMapR\x05value:\x02\x38\x01:9\x92\x41\x36\n422Policy evaluation response for a set of resources.\"\xe5\x06\n\x1a\x43heckResourceBatchResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xb3\x01\n\x07results\x18\x02 \x03(\x0b\x32>.cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMapBY\x92\x41V2\x18Result for each resourceJ:[{\"resourceId\":\"XX125\",\"actions\":{\"view\":\"EFFECT_ALLOW\"}}]R\x07results\x1a\xe2\x03\n\x0f\x41\x63tionEffectMap\x12:\n\x0bresource_id\x18\x01 \x01(\tB\x19\x92\x41\x16\x32\x0bResource IDJ\x07\"XX125\"R\nresourceId\x12\xa9\x01\n\x07\x61\x63tions\x18\x02 \x03(\x0b\x32K.cerbos.response.v1.CheckResourceBatchResponse.ActionEffectMap.ActionsEntryBB\x92\x41?2$Mapping of each action to an effect.J\x17{\"view\":\"EFFECT_ALLOW\"}R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x03 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01:;\x92\x41\x38\n624Policy evaluation response for a batch of resources.\"\xa6\x17\n\x16\x43heckResourcesResponse\x12o\n\nrequest_id\x18\x01 \x01(\tBP\x92\x41M2#Request ID provided in the request.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\xe3\x01\n\x07results\x18\x02 \x03(\x0b\x32\x36.cerbos.response.v1.CheckResourcesResponse.ResultEntryB\x90\x01\x92\x41\x8c\x01\x32\x18Result for each resourceJp[{\"resource\": {\"Id\":\"XX125\", \"kind\":\"album:object\"}, \"actions\":{\"view\":\"EFFECT_ALLOW\",\"comment\":\"EFFECT_DENY\"}}]R\x07results\x1a\x80\x14\n\x0bResultEntry\x12[\n\x08resource\x18\x01 \x01(\x0b\x32?.cerbos.response.v1.CheckResourcesResponse.ResultEntry.ResourceR\x08resource\x12\xa1\x01\n\x07\x61\x63tions\x18\x02 \x03(\x0b\x32\x43.cerbos.response.v1.CheckResourcesResponse.ResultEntry.ActionsEntryBB\x92\x41?2$Mapping of each action to an effect.J\x17{\"view\":\"EFFECT_ALLOW\"}R\x07\x61\x63tions\x12\x90\x01\n\x11validation_errors\x18\x03 \x03(\x0b\x32!.cerbos.schema.v1.ValidationErrorB@\x92\x41=2;List of validation errors (if schema validation is enabled)R\x10validationErrors\x12\x98\x02\n\x04meta\x18\x04 \x01(\x0b\x32;.cerbos.response.v1.CheckResourcesResponse.ResultEntry.MetaB\xc6\x01\x92\x41\xc2\x01\x32 Metadata about policy evaluationJ\x9d\x01{\"actions\": {\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}, \"effective_derived_roles\": [\"owner\"]}R\x04meta\x12\xf6\x01\n\x07outputs\x18\x05 \x03(\x0b\x32\x1d.cerbos.engine.v1.OutputEntryB\xbc\x01\x92\x41\xb8\x01\x32,Output for each rule with outputs configuredJ\x87\x01[{\"src\": \"resource.expense.v1/acme#rule-001\", \"val\": \"view_allowed:alice\"}, {\"src\": \"resource.expense.v1/acme#rule-002\", \"val\": \"foo\"}]R\x07outputs\x1a\xff\x04\n\x08Resource\x12\x39\n\x02id\x18\x01 \x01(\tB)\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"R\x02id\x12\x93\x01\n\x04kind\x18\x02 \x01(\tB\x7f\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$R\x04kind\x12\xc5\x01\n\x0epolicy_version\x18\x03 \x01(\tB\x9d\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$R\rpolicyVersion\x12\xd9\x01\n\x05scope\x18\x04 \x01(\tB\xc2\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1a\xf0\x06\n\x04Meta\x12\xa6\x02\n\x07\x61\x63tions\x18\x01 \x03(\x0b\x32H.cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.ActionsEntryB\xc1\x01\x92\x41\xbd\x01\x32OMetadata about the effect calculated for each action on this resource instance.Jj{\"view:*\":{\"matched_policy\": \"album:object:default\"},\"comment\":{\"matched_policy\": \"album:object:default\"}}R\x07\x61\x63tions\x12\x83\x01\n\x17\x65\x66\x66\x65\x63tive_derived_roles\x18\x02 \x03(\tBK\x92\x41H2;Derived roles that were effective during policy evaluation.J\t[\"owner\"]R\x15\x65\x66\x66\x65\x63tiveDerivedRoles\x1a\x88\x02\n\nEffectMeta\x12o\n\x0ematched_policy\x18\x01 \x01(\tBH\x92\x41\x45\x32+Policy that matched to produce this effect.J\x16\"album:object:default\"R\rmatchedPolicy\x12m\n\rmatched_scope\x18\x02 \x01(\tBH\x92\x41\x45\x32\x31Policy scope that matched to produce this effect.J\x10\"acme.corp.base\"R\x0cmatchedScope:\x1a\x92\x41\x17\n\x15\x32\x13Name of the action.\x1a\x82\x01\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\\\n\x05value\x18\x02 \x01(\x0b\x32\x46.cerbos.response.v1.CheckResourcesResponse.ResultEntry.Meta.EffectMetaR\x05value:\x02\x38\x01:)\x92\x41&\n$2\"Metadata about request evaluation.\x1aT\n\x0c\x41\x63tionsEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12.\n\x05value\x18\x02 \x01(\x0e\x32\x18.cerbos.effect.v1.EffectR\x05value:\x02\x38\x01:2\x92\x41/\n-2+Response from the check resources API call.\"\x82\x01\n\x12ServerInfoResponse\x12\x18\n\x07version\x18\x01 \x01(\tR\x07version\x12\x16\n\x06\x63ommit\x18\x02 \x01(\tR\x06\x63ommit\x12\x1d\n\nbuild_date\x18\x03 \x01(\tR\tbuildDate:\x1b\x92\x41\x18\n\x16\x32\x14Server info responseBw\n\x1a\x64\x65v.cerbos.api.v1.responseZ@github.com/cerbos/cerbos/api/genpb/cerbos/response/v1;responsev1\xaa\x02\x16\x43\x65rbos.Api.V1.Responseb\x06proto3"
+
+pool = Google::Protobuf::DescriptorPool.generated_pool
+
+begin
+  pool.add_serialized_file(descriptor_data)
+rescue TypeError => e
+  # Compatibility code: will be removed in the next major version.
+  require 'google/protobuf/descriptor_pb'
+  parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
+  parsed.clear_dependency
+  serialized = parsed.class.encode(parsed)
+  file = pool.add_serialized_file(serialized)
+  warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
+  imports = [
+    ["cerbos.engine.v1.PlanResourcesFilter", "cerbos/engine/v1/engine.proto"],
+    ["cerbos.schema.v1.ValidationError", "cerbos/schema/v1/schema.proto"],
+  ]
+  imports.each do |type_name, expected_filename|
+    import_file = pool.lookup(type_name).file_descriptor
+    if import_file.name != expected_filename
+      warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
     end
   end
+  warn "Each proto file must use a consistent fully-qualified name."
+  warn "This will become an error in the next major version."
 end
 
 module Cerbos::Protobuf::Cerbos