cerbos 0.6.1 → 0.8.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: e66a450c22c146b4372b0ebd4cfd1e950d3824c78e8d24209275ee41020aa3d1
4
- data.tar.gz: 5f3d5aeb480e91d3918ad3065badb211d9572991b7e729ea4847732655d6bf30
3
+ metadata.gz: c6961d2c4bf6227d115dfa027f8823762bba4725c3d0dbe0c884ba2d69d0a253
4
+ data.tar.gz: 45d8c99f6aaeaa8aea2f30a0b0c4befbed70c6feb97f53f5f6c2288eada4919b
5
5
  SHA512:
6
- metadata.gz: 8de09b89a42c31f5a5283adf91ac8f1af0cfde2d660a8a47443ac6a28fb814a658991fbbd74a5bebcf95dd2382bfd0215b5dac6c27343cac0ad5345211bf38cf
7
- data.tar.gz: 88a4ce5be4f53fcd7df994494e4190b49587159d2a93ae2ee828afa557c3ace338731c21c27f99c5eb69fff9592ef90c1e7fb0e2e7b5b76c82787b06fdc0f4e9
6
+ metadata.gz: 50f06f8fc92658d6ade88f5ccfc92c899e8584aeb0c043faa1d350493645c49674ca0a1faff8484ba07d53f6243436622fb855fed1cdff47705d1dfde0c8c735
7
+ data.tar.gz: 2d440c072fb8554ed687004ca97ed1717e9735d031f385350da15ddf5bd52fe427837c5a330bbc2cb82bbdc3fcfe733f924bcb9cae1c597bed4eec5b79ebc490
data/CHANGELOG.md CHANGED
@@ -1,46 +1,82 @@
1
1
  ## [Unreleased]
2
+
2
3
  No notable changes.
3
4
 
5
+ ## [0.8.0] - 2024-01-12
6
+
7
+ ### Added
8
+
9
+ - `grpc_metadata` option to `Cerbos::Client` constructor and request methods to add gRPC metadata (a.k.a. HTTP headers) to requests to the policy decision point ([#132](https://github.com/cerbos/cerbos-sdk-ruby/pull/132))
10
+
11
+ ## [0.7.0] - 2023-06-07
12
+
13
+ ### Added
14
+
15
+ - Support for user-defined policy rule outputs ([#100](https://github.com/cerbos/cerbos-sdk-ruby/pull/100))
16
+
17
+ Requires a policy decision point server running Cerbos 0.27+.
18
+
19
+ ### Removed
20
+
21
+ - Support for Ruby 2.7 ([#90](https://github.com/cerbos/cerbos-sdk-ruby/pull/90))
22
+
4
23
  ## [0.6.1] - 2023-03-23
24
+
5
25
  ### Removed
26
+
6
27
  - Unused generated code ([#83](https://github.com/cerbos/cerbos-sdk-ruby/pull/83))
7
28
 
8
29
  ## [0.6.0] - 2022-07-01
30
+
9
31
  ### Added
32
+
10
33
  - Support for schema validation in `Cerbos::Client#plan_resources` ([#32](https://github.com/cerbos/cerbos-sdk-ruby/pull/32))
11
34
 
12
- Requires Cerbos 0.19+.
35
+ Requires a policy decision point server running Cerbos 0.19+.
13
36
  `Cerbos::Output::PlanResources#validation_errors` will always return an empty array if the client is connected to an earlier version of Cerbos.
14
37
 
15
38
  As a result, `Cerbos::Output::CheckResources::Result::ValidationError` has moved to `Cerbos::Output::ValidationError`.
16
39
  Attempting to access the class via the old namespace will print a deprecation warning and return the new class.
17
40
 
18
41
  ## [0.5.0] - 2022-06-09
42
+
19
43
  ### Added
44
+
20
45
  - Allow symbol keys in nested attributes hashes ([#28](https://github.com/cerbos/cerbos-sdk-ruby/pull/28))
21
46
 
22
47
  ## [0.4.0] - 2022-06-03
48
+
23
49
  ### Added
50
+
24
51
  - `on_validation_error` option to `Cerbos::Client#initialize` ([#22](https://github.com/cerbos/cerbos-sdk-ruby/pull/22))
25
52
 
26
53
  ### Changed
54
+
27
55
  - Minor documentation fixes ([#21](https://github.com/cerbos/cerbos-sdk-ruby/pull/21))
28
56
 
29
57
  ## [0.3.0] - 2022-05-13
58
+
30
59
  ### Added
60
+
31
61
  - More helper methods ([#11](https://github.com/cerbos/cerbos-sdk-ruby/pull/11))
32
62
  - `Cerbos::Client#allow?` for checking a single action on a resource
33
63
  - `Cerbos::Output::CheckResources#allow_all?` and `Cerbos::Output::CheckResources::Result#allow_all?` for checking if all input actions were allowed
34
64
 
35
65
  ## [0.2.0] - 2022-05-12
66
+
36
67
  ### Changed
68
+
37
69
  - Increased `grpc` version requirement to 1.46+ to avoid [installing a native gem compiled for `x86_64-darwin` on `arm64-darwin`](https://github.com/grpc/grpc/issues/29100) ([#8](https://github.com/cerbos/cerbos-sdk-ruby/pull/8))
38
70
 
39
71
  ## [0.1.0] - 2022-05-12
72
+
40
73
  ### Added
74
+
41
75
  - Initial implementation of `Cerbos::Client` ([#2](https://github.com/cerbos/cerbos-sdk-ruby/pull/2))
42
76
 
43
- [Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...HEAD
77
+ [Unreleased]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.8.0...HEAD
78
+ [0.8.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.7.0...v0.8.0
79
+ [0.7.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.1...v0.7.0
44
80
  [0.6.1]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.6.0...v0.6.1
45
81
  [0.6.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.5.0...v0.6.0
46
82
  [0.5.0]: https://github.com/cerbos/cerbos-sdk-ruby/compare/v0.4.0...v0.5.0
data/README.md CHANGED
@@ -12,7 +12,7 @@ The Cerbos Ruby SDK makes it easy to interact with the Cerbos PDP from your Ruby
12
12
  ## Prerequisites
13
13
 
14
14
  - Cerbos 0.16+
15
- - Ruby 2.7+
15
+ - Ruby 3.0+
16
16
 
17
17
  ## Installation
18
18
 
data/cerbos.gemspec CHANGED
@@ -31,6 +31,6 @@ Gem::Specification.new do |spec|
31
31
  "yard_extensions.rb"
32
32
  ]
33
33
 
34
- spec.required_ruby_version = ">= 2.7.0"
34
+ spec.required_ruby_version = ">= 3.0.0"
35
35
  spec.add_dependency "grpc", "~> 1.46"
36
36
  end
data/lib/cerbos/client.rb CHANGED
@@ -4,14 +4,22 @@ module Cerbos
4
4
  # A client for interacting with the Cerbos policy decision point (PDP) server over gRPC.
5
5
  #
6
6
  # An instance of the client may be shared between threads.
7
- # However, due to [an issue in the underlying `grpc` gem](https://github.com/grpc/grpc/issues/8798), it's not possible to use the client before and after process forks.
8
- # If your application runs on a forking webserver (for example, Puma in clustered mode), then you'll need to ensure that you only create client instances in the child (worker) processes.
7
+ #
8
+ # Due to [a limitation in the underlying `grpc` gem](https://github.com/grpc/grpc/issues/8798), creating a client instance before a process fork is [only (experimentally) supported on Linux](https://github.com/grpc/grpc/pull/33430) and requires you to
9
+ # - have at least v1.57.0 of the `grpc` gem installed,
10
+ # - set the `GRPC_ENABLE_FORK_SUPPORT` environment variable to `1`,
11
+ # - call `GRPC.prefork` before forking,
12
+ # - call `GRPC.postfork_parent` in the parent process after forking, and
13
+ # - call `GRPC.postfork_child` in the child processes after forking.
14
+ #
15
+ # Otherwise, if your application runs on a forking webserver (for example, Puma in clustered mode), then you'll need to ensure that you only create client instances in the child (worker) processes.
9
16
  class Client
10
17
  # Create a client for interacting with the Cerbos PDP server over gRPC.
11
18
  #
12
19
  # @param target [String] Cerbos PDP server address (`"host"`, `"host:port"`, or `"unix:/path/to/socket"`).
13
20
  # @param tls [TLS, MutualTLS, false] gRPC connection encryption settings (`false` for plaintext).
14
21
  # @param grpc_channel_args [Hash{String, Symbol => String, Integer}] low-level settings for the gRPC channel (see [available keys in the gRPC documentation](https://grpc.github.io/grpc/core/group__grpc__arg__keys.html)).
22
+ # @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to every request to the PDP.
15
23
  # @param on_validation_error [:return, :raise, #call] action to take when input fails schema validation (`:return` to return the validation errors in the response, `:raise` to raise {Error::ValidationFailed}, or a callback to invoke).
16
24
  # @param playground_instance [String, nil] identifier of the playground instance to use when prototyping against the hosted demo PDP.
17
25
  # @param timeout [Numeric, nil] timeout for gRPC calls, in seconds (`nil` to never time out).
@@ -30,7 +38,8 @@ module Cerbos
30
38
  #
31
39
  # @example Invoke a callback when input fails schema validation
32
40
  # client = Cerbos::Client.new("localhost:3593", tls: false, on_validation_error: ->(validation_errors) { do_something_with validation_errors })
33
- def initialize(target, tls:, grpc_channel_args: {}, on_validation_error: :return, playground_instance: nil, timeout: nil)
41
+ def initialize(target, tls:, grpc_channel_args: {}, grpc_metadata: {}, on_validation_error: :return, playground_instance: nil, timeout: nil)
42
+ @grpc_metadata = grpc_metadata.transform_keys(&:to_sym)
34
43
  @on_validation_error = on_validation_error
35
44
 
36
45
  handle_errors do
@@ -60,6 +69,7 @@ module Cerbos
60
69
  # @param action [String] the action to check.
61
70
  # @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
62
71
  # @param request_id [String] identifier for tracing the request.
72
+ # @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
63
73
  #
64
74
  # @return [Boolean]
65
75
  #
@@ -69,13 +79,14 @@ module Cerbos
69
79
  # resource: {kind: "document", id: "1"},
70
80
  # action: "view"
71
81
  # ) # => true
72
- def allow?(principal:, resource:, action:, aux_data: nil, request_id: SecureRandom.uuid)
82
+ def allow?(principal:, resource:, action:, aux_data: nil, request_id: SecureRandom.uuid, grpc_metadata: {})
73
83
  check_resource(
74
84
  principal: principal,
75
85
  resource: resource,
76
86
  actions: [action],
77
87
  aux_data: aux_data,
78
- request_id: request_id
88
+ request_id: request_id,
89
+ grpc_metadata: grpc_metadata
79
90
  ).allow?(action)
80
91
  end
81
92
 
@@ -87,6 +98,7 @@ module Cerbos
87
98
  # @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
88
99
  # @param include_metadata [Boolean] `true` to include additional metadata ({Output::CheckResources::Result::Metadata}) in the results.
89
100
  # @param request_id [String] identifier for tracing the request.
101
+ # @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
90
102
  #
91
103
  # @return [Output::CheckResources::Result]
92
104
  #
@@ -98,14 +110,15 @@ module Cerbos
98
110
  # )
99
111
  #
100
112
  # decision.allow?("view") # => true
101
- def check_resource(principal:, resource:, actions:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid)
113
+ def check_resource(principal:, resource:, actions:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid, grpc_metadata: {})
102
114
  handle_errors do
103
115
  check_resources(
104
116
  principal: principal,
105
117
  resources: [Input::ResourceCheck.new(resource: resource, actions: actions)],
106
118
  aux_data: aux_data,
107
119
  include_metadata: include_metadata,
108
- request_id: request_id
120
+ request_id: request_id,
121
+ grpc_metadata: grpc_metadata
109
122
  ).find_result(resource)
110
123
  end
111
124
  end
@@ -117,6 +130,7 @@ module Cerbos
117
130
  # @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
118
131
  # @param include_metadata [Boolean] `true` to include additional metadata ({Output::CheckResources::Result::Metadata}) in the results.
119
132
  # @param request_id [String] identifier for tracing the request.
133
+ # @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
120
134
  #
121
135
  # @return [Output::CheckResources]
122
136
  #
@@ -136,7 +150,7 @@ module Cerbos
136
150
  # )
137
151
  #
138
152
  # decision.allow?(resource: {kind: "document", id: "1"}, action: "view") # => true
139
- def check_resources(principal:, resources:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid)
153
+ def check_resources(principal:, resources:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid, grpc_metadata: {})
140
154
  handle_errors do
141
155
  request = Protobuf::Cerbos::Request::V1::CheckResourcesRequest.new(
142
156
  principal: Input.coerce_required(principal, Input::Principal).to_protobuf,
@@ -146,7 +160,7 @@ module Cerbos
146
160
  request_id: request_id
147
161
  )
148
162
 
149
- response = perform_request(@cerbos_service, :check_resources, request)
163
+ response = perform_request(@cerbos_service, :check_resources, request, grpc_metadata)
150
164
 
151
165
  Output::CheckResources.from_protobuf(response).tap do |output|
152
166
  handle_validation_errors output
@@ -162,6 +176,7 @@ module Cerbos
162
176
  # @param aux_data [Input::AuxData, Hash, nil] auxiliary data.
163
177
  # @param include_metadata [Boolean] `true` to include additional metadata ({Output::CheckResources::Result::Metadata}) in the results.
164
178
  # @param request_id [String] identifier for tracing the request.
179
+ # @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
165
180
  #
166
181
  # @return [Output::PlanResources]
167
182
  #
@@ -174,7 +189,7 @@ module Cerbos
174
189
  #
175
190
  # plan.conditional? # => true
176
191
  # plan.condition # => #<Cerbos::Output::PlanResources::Expression ...>
177
- def plan_resources(principal:, resource:, action:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid)
192
+ def plan_resources(principal:, resource:, action:, aux_data: nil, include_metadata: false, request_id: SecureRandom.uuid, grpc_metadata: {})
178
193
  handle_errors do
179
194
  request = Protobuf::Cerbos::Request::V1::PlanResourcesRequest.new(
180
195
  principal: Input.coerce_required(principal, Input::Principal).to_protobuf,
@@ -185,7 +200,7 @@ module Cerbos
185
200
  request_id: request_id
186
201
  )
187
202
 
188
- response = perform_request(@cerbos_service, :plan_resources, request)
203
+ response = perform_request(@cerbos_service, :plan_resources, request, grpc_metadata)
189
204
 
190
205
  Output::PlanResources.from_protobuf(response).tap do |output|
191
206
  handle_validation_errors output
@@ -195,12 +210,14 @@ module Cerbos
195
210
 
196
211
  # Retrieve information about the Cerbos PDP server.
197
212
  #
213
+ # @param grpc_metadata [Hash{String, Symbol => String, Array<String>}] gRPC metadata (a.k.a. HTTP headers) to add to the request.
214
+ #
198
215
  # @return [Output::ServerInfo]
199
- def server_info
216
+ def server_info(grpc_metadata: {})
200
217
  handle_errors do
201
218
  request = Protobuf::Cerbos::Request::V1::ServerInfoRequest.new
202
219
 
203
- response = perform_request(@cerbos_service, :server_info, request)
220
+ response = perform_request(@cerbos_service, :server_info, request, grpc_metadata)
204
221
 
205
222
  Output::ServerInfo.from_protobuf(response)
206
223
  end
@@ -231,8 +248,8 @@ module Cerbos
231
248
  @on_validation_error.call validation_errors
232
249
  end
233
250
 
234
- def perform_request(service, rpc, request)
235
- service.public_send(rpc, request)
251
+ def perform_request(service, rpc, request, metadata)
252
+ service.public_send(rpc, request, metadata: @grpc_metadata.merge(metadata.transform_keys(&:to_sym)))
236
253
  end
237
254
  end
238
255
  end
data/lib/cerbos/error.rb CHANGED
@@ -12,7 +12,7 @@ module Cerbos
12
12
 
13
13
  # @private
14
14
  def initialize(validation_errors)
15
- super "Input failed schema validation"
15
+ super("Input failed schema validation")
16
16
 
17
17
  @validation_errors = validation_errors
18
18
  end
@@ -48,7 +48,7 @@ module Cerbos
48
48
 
49
49
  # @private
50
50
  def initialize(code:, details:, metadata: {})
51
- super "gRPC error #{code}: #{details}"
51
+ super("gRPC error #{code}: #{details}")
52
52
 
53
53
  @code = code
54
54
  @details = details
@@ -73,7 +73,7 @@ module Cerbos
73
73
  end
74
74
 
75
75
  # The outcome of checking a principal's permissions on single resource.
76
- CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata) do
76
+ CheckResources::Result = Output.new_class(:resource, :actions, :validation_errors, :metadata, :outputs) do
77
77
  # @!attribute [r] resource
78
78
  # The resource that was checked.
79
79
  #
@@ -95,6 +95,11 @@ module Cerbos
95
95
  # @return [Metadata]
96
96
  # @return [nil] if `include_metadata` was `false`.
97
97
 
98
+ # @!attribute [r] outputs
99
+ # User-defined outputs from policy rule evaluations.
100
+ #
101
+ # @return [Array<Output>]
102
+
98
103
  # @private
99
104
  def self.const_missing(const)
100
105
  if const == :ValidationError
@@ -110,7 +115,8 @@ module Cerbos
110
115
  resource: CheckResources::Result::Resource.from_protobuf(entry.resource),
111
116
  actions: entry.actions.to_h,
112
117
  validation_errors: (entry.validation_errors || []).map { |validation_error| ValidationError.from_protobuf(validation_error) },
113
- metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta)
118
+ metadata: CheckResources::Result::Metadata.from_protobuf(entry.meta),
119
+ outputs: (entry.outputs || []).map { |output_entry| CheckResources::Result::Output.from_protobuf(output_entry) }
114
120
  )
115
121
  end
116
122
 
@@ -126,7 +132,7 @@ module Cerbos
126
132
  #
127
133
  # @return [Boolean]
128
134
  def allow_all?
129
- actions.each_value.all? { |effect| effect == :EFFECT_ALLOW }
135
+ actions.each_value.all?(:EFFECT_ALLOW)
130
136
  end
131
137
 
132
138
  # List the actions that should be allowed for the resource.
@@ -135,6 +141,15 @@ module Cerbos
135
141
  def allowed_actions
136
142
  actions.filter_map { |action, effect| action if effect == :EFFECT_ALLOW }
137
143
  end
144
+
145
+ # Find the value of the user-defined output for a particular policy rule.
146
+ #
147
+ # @param source [String] the identifier of the policy rule that produced the output.
148
+ # @return [String, Numeric, Boolean, Array, Hash, nil]
149
+ # @return [nil] if the result does not include an output for the source.
150
+ def output(source)
151
+ outputs.find { |output| output.source == source }&.value
152
+ end
138
153
  end
139
154
 
140
155
  # A resource that was checked.
@@ -216,5 +231,25 @@ module Cerbos
216
231
  )
217
232
  end
218
233
  end
234
+
235
+ # User-defined output from a policy rule evaluation.
236
+ CheckResources::Result::Output = Output.new_class(:source, :value) do
237
+ # @!attribute [r] source
238
+ # The identifier of the policy rule that produced the output.
239
+ #
240
+ # @return [String]
241
+
242
+ # @!attribute [r] value
243
+ # The result of evaluating the output expression.
244
+ #
245
+ # @return [String, Numeric, Boolean, Array, Hash, nil]
246
+
247
+ def self.from_protobuf(output_entry)
248
+ new(
249
+ source: output_entry.src,
250
+ value: output_entry.val&.to_ruby(true)
251
+ )
252
+ end
253
+ end
219
254
  end
220
255
  end
@@ -1,17 +1,34 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/effect/v1/effect.proto
3
4
 
4
5
  require 'google/protobuf'
5
6
 
6
- Google::Protobuf::DescriptorPool.generated_pool.build do
7
- add_file("cerbos/effect/v1/effect.proto", :syntax => :proto3) do
8
- add_enum "cerbos.effect.v1.Effect" do
9
- value :EFFECT_UNSPECIFIED, 0
10
- value :EFFECT_ALLOW, 1
11
- value :EFFECT_DENY, 2
12
- value :EFFECT_NO_MATCH, 3
7
+
8
+ descriptor_data = "\n\x1d\x63\x65rbos/effect/v1/effect.proto\x12\x10\x63\x65rbos.effect.v1*X\n\x06\x45\x66\x66\x65\x63t\x12\x16\n\x12\x45\x46\x46\x45\x43T_UNSPECIFIED\x10\x00\x12\x10\n\x0c\x45\x46\x46\x45\x43T_ALLOW\x10\x01\x12\x0f\n\x0b\x45\x46\x46\x45\x43T_DENY\x10\x02\x12\x13\n\x0f\x45\x46\x46\x45\x43T_NO_MATCH\x10\x03\x42o\n\x18\x64\x65v.cerbos.api.v1.effectZ<github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1;effectv1\xaa\x02\x14\x43\x65rbos.Api.V1.Effectb\x06proto3"
9
+
10
+ pool = Google::Protobuf::DescriptorPool.generated_pool
11
+
12
+ begin
13
+ pool.add_serialized_file(descriptor_data)
14
+ rescue TypeError => e
15
+ # Compatibility code: will be removed in the next major version.
16
+ require 'google/protobuf/descriptor_pb'
17
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
18
+ parsed.clear_dependency
19
+ serialized = parsed.class.encode(parsed)
20
+ file = pool.add_serialized_file(serialized)
21
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
22
+ imports = [
23
+ ]
24
+ imports.each do |type_name, expected_filename|
25
+ import_file = pool.lookup(type_name).file_descriptor
26
+ if import_file.name != expected_filename
27
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
13
28
  end
14
29
  end
30
+ warn "Each proto file must use a consistent fully-qualified name."
31
+ warn "This will become an error in the next major version."
15
32
  end
16
33
 
17
34
  module Cerbos::Protobuf::Cerbos
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/engine/v1/engine.proto
3
4
 
@@ -6,52 +7,32 @@ require 'google/protobuf'
6
7
  require 'google/protobuf/struct_pb'
7
8
  require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
8
9
 
9
- Google::Protobuf::DescriptorPool.generated_pool.build do
10
- add_file("cerbos/engine/v1/engine.proto", :syntax => :proto3) do
11
- add_message "cerbos.engine.v1.PlanResourcesInput" do
12
- end
13
- add_message "cerbos.engine.v1.PlanResourcesInput.Resource" do
14
- optional :kind, :string, 1, json_name: "kind"
15
- map :attr, :string, :message, 2, "google.protobuf.Value"
16
- optional :policy_version, :string, 3, json_name: "policyVersion"
17
- optional :scope, :string, 4, json_name: "scope"
18
- end
19
- add_message "cerbos.engine.v1.PlanResourcesFilter" do
20
- optional :kind, :enum, 1, "cerbos.engine.v1.PlanResourcesFilter.Kind", json_name: "kind"
21
- optional :condition, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "condition"
22
- end
23
- add_message "cerbos.engine.v1.PlanResourcesFilter.Expression" do
24
- optional :operator, :string, 1, json_name: "operator"
25
- repeated :operands, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand", json_name: "operands"
26
- end
27
- add_message "cerbos.engine.v1.PlanResourcesFilter.Expression.Operand" do
28
- oneof :node do
29
- optional :value, :message, 1, "google.protobuf.Value", json_name: "value"
30
- optional :expression, :message, 2, "cerbos.engine.v1.PlanResourcesFilter.Expression", json_name: "expression"
31
- optional :variable, :string, 3, json_name: "variable"
32
- end
33
- end
34
- add_enum "cerbos.engine.v1.PlanResourcesFilter.Kind" do
35
- value :KIND_UNSPECIFIED, 0
36
- value :KIND_ALWAYS_ALLOWED, 1
37
- value :KIND_ALWAYS_DENIED, 2
38
- value :KIND_CONDITIONAL, 3
39
- end
40
- add_message "cerbos.engine.v1.Resource" do
41
- optional :kind, :string, 1, json_name: "kind"
42
- optional :policy_version, :string, 2, json_name: "policyVersion"
43
- optional :id, :string, 3, json_name: "id"
44
- map :attr, :string, :message, 4, "google.protobuf.Value"
45
- optional :scope, :string, 5, json_name: "scope"
46
- end
47
- add_message "cerbos.engine.v1.Principal" do
48
- optional :id, :string, 1, json_name: "id"
49
- optional :policy_version, :string, 2, json_name: "policyVersion"
50
- repeated :roles, :string, 3, json_name: "roles"
51
- map :attr, :string, :message, 4, "google.protobuf.Value"
52
- optional :scope, :string, 5, json_name: "scope"
10
+
11
+ descriptor_data = "\n\x1d\x63\x65rbos/engine/v1/engine.proto\x12\x10\x63\x65rbos.engine.v1\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\"\xde\x07\n\x12PlanResourcesInput\x1a\xc7\x07\n\x08Resource\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xb8\x01\n\x04\x61ttr\x18\x02 \x03(\x0b\x32\x37.cerbos.engine.v1.PlanResourcesInput.Resource.AttrEntryBk\x92\x41`2^Key-value pairs of contextual data about the resource that are known at a time of the request.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\xdc\x01\n\x0epolicy_version\x18\x03 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x85\x02\n\x05scope\x18\x04 \x01(\tB\xee\x01\x92\x41\xb1\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xa4\x06\n\x13PlanResourcesFilter\x12\xad\x01\n\x04kind\x18\x01 \x01(\x0e\x32*.cerbos.engine.v1.PlanResourcesFilter.KindBm\x92\x41j2hFilter kind. Defines whether the given action is always allowed, always denied or allowed conditionally.R\x04kind\x12\x9a\x01\n\tcondition\x18\x02 \x01(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandBB\x92\x41?2=Filter condition. Only populated if kind is KIND_CONDITIONAL.R\tcondition\x1a\xda\x02\n\nExpression\x12)\n\x08operator\x18\x01 \x01(\tB\r\x92\x41\n2\x08OperatorR\x08operator\x12T\n\x08operands\x18\x02 \x03(\x0b\x32\x38.cerbos.engine.v1.PlanResourcesFilter.Expression.OperandR\x08operands\x1a\xb3\x01\n\x07Operand\x12.\n\x05value\x18\x01 \x01(\x0b\x32\x16.google.protobuf.ValueH\x00R\x05value\x12R\n\nexpression\x18\x02 \x01(\x0b\x32\x30.cerbos.engine.v1.PlanResourcesFilter.ExpressionH\x00R\nexpression\x12\x1c\n\x08variable\x18\x03 \x01(\tH\x00R\x08variableB\x06\n\x04node:\x15\x92\x41\x12\n\x10\x32\x0e\x43\x45L expression\"c\n\x04Kind\x12\x14\n\x10KIND_UNSPECIFIED\x10\x00\x12\x17\n\x13KIND_ALWAYS_ALLOWED\x10\x01\x12\x16\n\x12KIND_ALWAYS_DENIED\x10\x02\x12\x14\n\x10KIND_CONDITIONAL\x10\x03\"\xeb\x01\n\x0bOutputEntry\x12\x65\n\x03src\x18\x01 \x01(\tBS\x92\x41P2)Rule that matched to produce this output.J#\"resource.expense.v1/acme#rule-001\"R\x03src\x12u\n\x03val\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueBK\x92\x41H27Dynamic output, determined by user defined rule output.J\r\"some_string\"R\x03val\"\xc0\x08\n\x08Resource\x12\xe1\x01\n\x04kind\x18\x01 \x01(\tB\xcc\x01\x92\x41|2)Name of the resource kind being accessed.J\r\"album:photo\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\x43\n\x02id\x18\x03 \x01(\tB3\x92\x41&2\x1bID of the resource instanceJ\x07\"XX125\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32$.cerbos.engine.v1.Resource.AttrEntryB\x8a\x01\x92\x41\x7f\x32\x64Kay-value pairs of contextual data about this resource that should be used during policy evaluation.J\x17{\"owner\": \"bugs_bunny\"}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x92\x02\n\x05scope\x18\x05 \x01(\tB\xfb\x01\x92\x41\xbe\x01\x32}A dot-separated scope that describes the hierarchy this resource belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01\"\xe3\x08\n\tPrincipal\x12@\n\x02id\x18\x01 \x01(\tB0\x92\x41#2\x13ID of the principalJ\x0c\"bugs_bunny\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x02id\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xaa\x01\n\x05roles\x18\x03 \x03(\tB\x93\x01\x92\x41l2FRoles assigned to this principal from your identity management system.J\x08[\"user\"]\x8a\x01\x11^[[:word:]\\-\\.]+$\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x1e\x92\x01\x1b\x08\x01\x18\x01\"\x15r\x13\x32\x11^[[:word:]\\-\\.]+$R\x05roles\x12\xc5\x01\n\x04\x61ttr\x18\x04 \x03(\x0b\x32%.cerbos.engine.v1.Principal.AttrEntryB\x89\x01\x92\x41~2eKey-value pairs of contextual data about this principal that should be used during policy evaluation.J\x15{\"beta_tester\": true}\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x12\x93\x02\n\x05scope\x18\x05 \x01(\tB\xfc\x01\x92\x41\xbf\x01\x32~A dot-separated scope that describes the hierarchy this principal belongs to. This is used for determining policy inheritance.J\x0b\"acme.corp\"\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:Y\x92\x41V\nT2RA person or application attempting to perform the actions on the set of resources.Bo\n\x18\x64\x65v.cerbos.api.v1.engineZ<github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1;enginev1\xaa\x02\x14\x43\x65rbos.Api.V1.Engineb\x06proto3"
12
+
13
+ pool = Google::Protobuf::DescriptorPool.generated_pool
14
+
15
+ begin
16
+ pool.add_serialized_file(descriptor_data)
17
+ rescue TypeError => e
18
+ # Compatibility code: will be removed in the next major version.
19
+ require 'google/protobuf/descriptor_pb'
20
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
21
+ parsed.clear_dependency
22
+ serialized = parsed.class.encode(parsed)
23
+ file = pool.add_serialized_file(serialized)
24
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
25
+ imports = [
26
+ ["google.protobuf.Value", "google/protobuf/struct.proto"],
27
+ ]
28
+ imports.each do |type_name, expected_filename|
29
+ import_file = pool.lookup(type_name).file_descriptor
30
+ if import_file.name != expected_filename
31
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
53
32
  end
54
33
  end
34
+ warn "Each proto file must use a consistent fully-qualified name."
35
+ warn "This will become an error in the next major version."
55
36
  end
56
37
 
57
38
  module Cerbos::Protobuf::Cerbos
@@ -63,6 +44,7 @@ module Cerbos::Protobuf::Cerbos
63
44
  PlanResourcesFilter::Expression = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression").msgclass
64
45
  PlanResourcesFilter::Expression::Operand = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Expression.Operand").msgclass
65
46
  PlanResourcesFilter::Kind = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.PlanResourcesFilter.Kind").enummodule
47
+ OutputEntry = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.OutputEntry").msgclass
66
48
  Resource = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Resource").msgclass
67
49
  Principal = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("cerbos.engine.v1.Principal").msgclass
68
50
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  # Generated by the protocol buffer compiler. DO NOT EDIT!
2
3
  # source: cerbos/request/v1/request.proto
3
4
 
@@ -9,64 +10,33 @@ require 'google/protobuf/struct_pb'
9
10
  require 'cerbos/protobuf/protoc-gen-openapiv2/options/annotations_pb'
10
11
  require 'cerbos/protobuf/validate/validate_pb'
11
12
 
12
- Google::Protobuf::DescriptorPool.generated_pool.build do
13
- add_file("cerbos/request/v1/request.proto", :syntax => :proto3) do
14
- add_message "cerbos.request.v1.PlanResourcesRequest" do
15
- optional :request_id, :string, 1, json_name: "requestId"
16
- optional :action, :string, 2, json_name: "action"
17
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
18
- optional :resource, :message, 4, "cerbos.engine.v1.PlanResourcesInput.Resource", json_name: "resource"
19
- optional :aux_data, :message, 5, "cerbos.request.v1.AuxData", json_name: "auxData"
20
- optional :include_meta, :bool, 6, json_name: "includeMeta"
21
- end
22
- add_message "cerbos.request.v1.CheckResourceSetRequest" do
23
- optional :request_id, :string, 1, json_name: "requestId"
24
- repeated :actions, :string, 2, json_name: "actions"
25
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
26
- optional :resource, :message, 4, "cerbos.request.v1.ResourceSet", json_name: "resource"
27
- optional :include_meta, :bool, 5, json_name: "includeMeta"
28
- optional :aux_data, :message, 6, "cerbos.request.v1.AuxData", json_name: "auxData"
29
- end
30
- add_message "cerbos.request.v1.ResourceSet" do
31
- optional :kind, :string, 1, json_name: "kind"
32
- optional :policy_version, :string, 2, json_name: "policyVersion"
33
- map :instances, :string, :message, 3, "cerbos.request.v1.AttributesMap"
34
- optional :scope, :string, 4, json_name: "scope"
35
- end
36
- add_message "cerbos.request.v1.AttributesMap" do
37
- map :attr, :string, :message, 1, "google.protobuf.Value"
38
- end
39
- add_message "cerbos.request.v1.CheckResourceBatchRequest" do
40
- optional :request_id, :string, 1, json_name: "requestId"
41
- optional :principal, :message, 2, "cerbos.engine.v1.Principal", json_name: "principal"
42
- repeated :resources, :message, 3, "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry", json_name: "resources"
43
- optional :aux_data, :message, 4, "cerbos.request.v1.AuxData", json_name: "auxData"
44
- end
45
- add_message "cerbos.request.v1.CheckResourceBatchRequest.BatchEntry" do
46
- repeated :actions, :string, 1, json_name: "actions"
47
- optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
48
- end
49
- add_message "cerbos.request.v1.CheckResourcesRequest" do
50
- optional :request_id, :string, 1, json_name: "requestId"
51
- optional :include_meta, :bool, 2, json_name: "includeMeta"
52
- optional :principal, :message, 3, "cerbos.engine.v1.Principal", json_name: "principal"
53
- repeated :resources, :message, 4, "cerbos.request.v1.CheckResourcesRequest.ResourceEntry", json_name: "resources"
54
- optional :aux_data, :message, 5, "cerbos.request.v1.AuxData", json_name: "auxData"
55
- end
56
- add_message "cerbos.request.v1.CheckResourcesRequest.ResourceEntry" do
57
- repeated :actions, :string, 1, json_name: "actions"
58
- optional :resource, :message, 2, "cerbos.engine.v1.Resource", json_name: "resource"
59
- end
60
- add_message "cerbos.request.v1.AuxData" do
61
- optional :jwt, :message, 1, "cerbos.request.v1.AuxData.JWT", json_name: "jwt"
62
- end
63
- add_message "cerbos.request.v1.AuxData.JWT" do
64
- optional :token, :string, 1, json_name: "token"
65
- optional :key_set_id, :string, 2, json_name: "keySetId"
66
- end
67
- add_message "cerbos.request.v1.ServerInfoRequest" do
13
+
14
+ descriptor_data = "\n\x1f\x63\x65rbos/request/v1/request.proto\x12\x11\x63\x65rbos.request.v1\x1a\x1d\x63\x65rbos/engine/v1/engine.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a.protoc-gen-openapiv2/options/annotations.proto\x1a\x17validate/validate.proto\"\x83\x05\n\x14PlanResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12h\n\x06\x61\x63tion\x18\x02 \x01(\tBP\x92\x41\x43\x32\x32\x41\x63tion to be applied to each resource in the list.J\r\"view:public\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x06\x61\x63tion\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12V\n\x08resource\x18\x04 \x01(\x0b\x32-.cerbos.engine.v1.PlanResourcesInput.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12:\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData\x12\x63\n\x0cinclude_meta\x18\x06 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta:\'\x92\x41$\n\"2 PDP Resources Query Plan Request\"\x87\x05\n\x17\x43heckResourceSetRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x8c\x01\n\x07\x61\x63tions\x18\x02 \x03(\tBr\x92\x41\\28List of actions being performed on the set of resources.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12G\n\x08resource\x18\x04 \x01(\x0b\x32\x1e.cerbos.request.v1.ResourceSetB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource\x12\x63\n\x0cinclude_meta\x18\x05 \x01(\x08\x42@\x92\x41=2;Opt to receive request processing metadata in the response.R\x0bincludeMeta\x12:\n\x08\x61ux_data\x18\x06 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataB\x03\xe0\x41\x01R\x07\x61uxData:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xaf\t\n\x0bResourceSet\x12\xc7\x01\n\x04kind\x18\x01 \x01(\tB\xb2\x01\x92\x41\x62\x32\x0eResource kind.J\x0e\"album:object\"\x8a\x01?^[[:alpha:]][[:word:]\\@\\.\\-]*(\\:[[:alpha:]][[:word:]\\@\\.\\-]*)*$\xe0\x41\x02\xfa\x42GrE\x10\x01\x32\x41^[[:alpha:]][[:word:]\\@\\.\\-/]*(\\:[[:alpha:]][[:word:]\\@\\.\\-/]*)*$R\x04kind\x12\xdc\x01\n\x0epolicy_version\x18\x02 \x01(\tB\xb4\x01\x92\x41\x99\x01\x32|The policy version to use to evaluate this request. If not specified, will default to the server-configured default version.J\t\"default\"\x8a\x01\r^[[:word:]]*$\xe0\x41\x01\xfa\x42\x11r\x0f\x32\r^[[:word:]]*$R\rpolicyVersion\x12\xeb\x02\n\tinstances\x18\x03 \x03(\x0b\x32-.cerbos.request.v1.ResourceSet.InstancesEntryB\x9d\x02\x92\x41\x8c\x02\x32mSet of resource instances to check. Each instance must be keyed by an application-specific unique identifier.J\x97\x01{\"XX125\":{\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}, \"XX225\":{\"attr\":{\"owner\":\"daffy_duck\", \"public\": true, \"flagged\": false}}}\xc8\x01\x01\xe0\x41\x02\xfa\x42\x07\x9a\x01\x04\x08\x01\x18\x01R\tinstances\x12\x86\x02\n\x05scope\x18\x04 \x01(\tB\xef\x01\x92\x41\xb2\x01\x32~A dot-separated scope that describes the hierarchy these resources belong to. This is used for determining policy inheritance.\x8a\x01/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$\xe0\x41\x01\xfa\x42\x33r12/^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$R\x05scope\x1a^\n\x0eInstancesEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12\x36\n\x05value\x18\x02 \x01(\x0b\x32 .cerbos.request.v1.AttributesMapR\x05value:\x02\x38\x01: \x92\x41\x1d\n\x1b\x32\x19Set of resources to check\"\xc9\x02\n\rAttributesMap\x12\xb1\x01\n\x04\x61ttr\x18\x01 \x03(\x0b\x32*.cerbos.request.v1.AttributesMap.AttrEntryBq\x92\x41\x66\x32\x64Key-value pairs of contextual data about this instance that should be used during policy evaluation.\xfa\x42\x05\x9a\x01\x02\x18\x01R\x04\x61ttr\x1aO\n\tAttrEntry\x12\x10\n\x03key\x18\x01 \x01(\tR\x03key\x12,\n\x05value\x18\x02 \x01(\x0b\x32\x16.google.protobuf.ValueR\x05value:\x02\x38\x01:3\x92\x41\x30\n.2,Unique identifier for the resource instance.\"\xe1\x06\n\x19\x43heckResourceBatchRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12\x46\n\tprincipal\x18\x02 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbc\x02\n\tresources\x18\x03 \x03(\x0b\x32\x37.cerbos.request.v1.CheckResourceBatchRequest.BatchEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x04 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xd8\x01\n\nBatchEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x12\x92\x41\x0f\n\r2\x0bPDP Request\"\xc5\x07\n\x15\x43heckResourcesRequest\x12\x96\x01\n\nrequest_id\x18\x01 \x01(\tBw\x92\x41t2JOptional application-specific ID useful for correlating logs for analysis.J&\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"R\trequestId\x12X\n\x0cinclude_meta\x18\x02 \x01(\x08\x42\x35\x92\x41\x32\x32\x30\x41\x64\x64 request processing metadata to the response.R\x0bincludeMeta\x12\x46\n\tprincipal\x18\x03 \x01(\x0b\x32\x1b.cerbos.engine.v1.PrincipalB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\tprincipal\x12\xbb\x02\n\tresources\x18\x04 \x03(\x0b\x32\x36.cerbos.request.v1.CheckResourcesRequest.ResourceEntryB\xe4\x01\x92\x41\xd5\x01\x32\x1eList of resources and actions.J\xac\x01[{\"actions\":[\"view\",\"comment\"], \"resource\":{\"kind\":\"album:object\",\"policyVersion\":\"default\",\"id\":\"XX125\",\"attr\":{\"owner\":\"bugs_bunny\", \"public\": false, \"flagged\": false}}}]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\x05\x92\x01\x02\x08\x01R\tresources\x12\x35\n\x08\x61ux_data\x18\x05 \x01(\x0b\x32\x1a.cerbos.request.v1.AuxDataR\x07\x61uxData\x1a\xdb\x01\n\rResourceEntry\x12\x84\x01\n\x07\x61\x63tions\x18\x01 \x03(\tBj\x92\x41T20List of actions being performed on the resource.J\x1a[\"view:public\", \"comment\"]\xa8\x01\x01\xb0\x01\x01\xe0\x41\x02\xfa\x42\r\x92\x01\n\x08\x01\x18\x01\"\x04r\x02\x10\x01R\x07\x61\x63tions\x12\x43\n\x08resource\x18\x02 \x01(\x0b\x32\x1a.cerbos.engine.v1.ResourceB\x0b\xe0\x41\x02\xfa\x42\x05\x8a\x01\x02\x10\x01R\x08resource:\x1e\x92\x41\x1b\n\x19\x32\x17\x43heck resources request\"\xc5\x06\n\x07\x41uxData\x12\x30\n\x03jwt\x18\x01 \x01(\x0b\x32\x1e.cerbos.request.v1.AuxData.JWTR\x03jwt\x1a\xc3\x05\n\x03JWT\x12\x90\x04\n\x05token\x18\x01 \x01(\tB\xf9\x03\x92\x41\xeb\x03\x32\x1dJWT from the original requestJ\xc9\x03\"eyJhbGciOiJFUzM4NCIsImtpZCI6IjE5TGZaYXRFZGc4M1lOYzVyMjNndU1KcXJuND0iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiY2VyYm9zLWp3dC10ZXN0cyJdLCJjdXN0b21BcnJheSI6WyJBIiwiQiIsIkMiXSwiY3VzdG9tSW50Ijo0MiwiY3VzdG9tTWFwIjp7IkEiOiJBQSIsIkIiOiJCQiIsIkMiOiJDQyJ9LCJjdXN0b21TdHJpbmciOiJmb29iYXIiLCJleHAiOjE5NDk5MzQwMzksImlzcyI6ImNlcmJvcy10ZXN0LXN1aXRlIn0.WN_tOScSpd_EI-P5EI1YlagxEgExSfBjAtcrgcF6lyWj1lGpR_GKx9goZEp2p_t5AVWXN_bjz_sMUmJdJa4cVd55Qm1miR-FKu6oNRHnSEWdMFmnArwPw-YDJWfylLFX\"\xe0\x41\x02\xfa\x42\x04r\x02\x10\x01R\x05token\x12\x82\x01\n\nkey_set_id\x18\x02 \x01(\tBd\x92\x41\x61\x32RKey ID to use when decoding the token (defined in the Cerbos server configuration)J\x0b\"my-keyset\"R\x08keySetId:$\x92\x41!\n\x1f\x32\x1dJWT from the original request:B\x92\x41?\n=2;Structured auxiliary data useful for evaluating the request\"/\n\x11ServerInfoRequest:\x1a\x92\x41\x17\n\x15\x32\x13Server info requestBs\n\x19\x64\x65v.cerbos.api.v1.requestZ>github.com/cerbos/cerbos/api/genpb/cerbos/request/v1;requestv1\xaa\x02\x15\x43\x65rbos.Api.V1.Requestb\x06proto3"
15
+
16
+ pool = Google::Protobuf::DescriptorPool.generated_pool
17
+
18
+ begin
19
+ pool.add_serialized_file(descriptor_data)
20
+ rescue TypeError => e
21
+ # Compatibility code: will be removed in the next major version.
22
+ require 'google/protobuf/descriptor_pb'
23
+ parsed = Google::Protobuf::FileDescriptorProto.decode(descriptor_data)
24
+ parsed.clear_dependency
25
+ serialized = parsed.class.encode(parsed)
26
+ file = pool.add_serialized_file(serialized)
27
+ warn "Warning: Protobuf detected an import path issue while loading generated file #{__FILE__}"
28
+ imports = [
29
+ ["cerbos.engine.v1.Principal", "cerbos/engine/v1/engine.proto"],
30
+ ["google.protobuf.Value", "google/protobuf/struct.proto"],
31
+ ]
32
+ imports.each do |type_name, expected_filename|
33
+ import_file = pool.lookup(type_name).file_descriptor
34
+ if import_file.name != expected_filename
35
+ warn "- #{file.name} imports #{expected_filename}, but that import was loaded as #{import_file.name}"
68
36
  end
69
37
  end
38
+ warn "Each proto file must use a consistent fully-qualified name."
39
+ warn "This will become an error in the next major version."
70
40
  end
71
41
 
72
42
  module Cerbos::Protobuf::Cerbos