warrant 4.0.0 → 5.0.0

data/lib/warrant/models/object.rb

@@ -0,0 +1,230 @@
+# frozen_string_literal: true
+
+module Warrant
+    class Object
+        attr_reader :object_type, :object_id, :meta, :created_at
+
+        # @!visibility private
+        def initialize(object_type, object_id, meta = {}, created_at = nil)
+            @object_type = object_type
+            @object_id = object_id
+            @meta = meta
+            @created_at = created_at
+        end
+
+        # Creates an object with the given parameters
+        #
+        # @option params [String] :object_type The type of the object (e.g. user, tenant, role, permission, etc).
+        # @option params [String] :object_id Customer defined string identifier for this object. Can only contain alphanumeric chars and/or '-', '_', '|', '@'. If not provided, Warrant will create a univerally unique identifier (UUID) for the object and return it. If allowing Warrant to generate an id, store the id in your application so you can provide it for authorization requests on that object. (optional)
+        # @option params [Hash] :meta A JSON object containing additional information about this object (e.g. role name/description, user email/name, etc.) to be persisted to Warrant. (optional)
+        #
+        # @return [Object] created object
+        #
+        # @example Create a new Object with the object type "user" and object id "test-customer"
+        #   Warrant::Object.create(object_type: "user", object_id: "test-customer")
+        #
+        # @raise [Warrant::DuplicateRecordError]
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::InvalidRequestError]
+        # @raise [Warrant::NotFoundError]
+        # @raise [Warrant::UnauthorizedError]
+        def self.create(params = {}, options = {})
+            res = APIOperations.post(URI.parse("#{::Warrant.config.api_base}/v2/objects"), params: Util.normalize_params(params), options: options)
+
+            case res
+            when Net::HTTPSuccess
+                res_json = JSON.parse(res.body, symbolize_names: true)
+                Object.new(res_json[:objectType], res_json[:objectId], res_json[:meta], res_json[:createdAt])
+            else
+                APIOperations.raise_error(res)
+            end
+        end
+
+        # Batch creates multiple objects with given parameters
+        #
+        # @param [Array<Hash>] objects Array of objects to create.
+        # @option objects [String] :object_type The type of the object (e.g. user, tenant, role, permission, etc).
+        # @option objects [String] :object_id Customer defined string identifier for this object. Can only contain alphanumeric chars and/or '-', '_', '|', '@'. If not provided, Warrant will create a univerally unique identifier (UUID) for the object and return it. If allowing Warrant to generate an id, store the id in your application so you can provide it for authorization requests on that object. (optional)
+        # @option objects [Hash] :meta A JSON object containing additional information about this object (e.g. role name/description, user email/name, etc.) to be persisted to Warrant. (optional)
+        #
+        # @return [Array<Object>] all created objects
+        #
+        # @example Create two new objects with object type "user" and object ids "test-user-1" and "test-user-2"
+        #   Warrant::Object.batch_create([{ object_type: "user", object_id: "test-user-1" }, { object_type: "user", object_id: "test-user-2" }])
+        #
+        # @raise [Warrant::DuplicateRecordError]
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::InvalidRequestError]
+        # @raise [Warrant::NotFoundError]
+        # @raise [Warrant::UnauthorizedError]
+        def self.batch_create(objects, options = {})
+            res = APIOperations.post(URI.parse("#{::Warrant.config.api_base}/v2/objects"), params: Util.normalize_params(objects), options: options)
+
+            case res
+            when Net::HTTPSuccess
+                objects = JSON.parse(res.body, symbolize_names: true)
+                objects.map{ |object| Object.new(object[:objectType], object[:objectId], object[:meta], object[:createdAt]) }
+            else
+                APIOperations.raise_error(res)
+            end
+        end
+
+        # Deletes a object with given object type and id
+        #
+        # @param object_type [String] The type of the object (e.g. user, tenant, role, permission, etc).
+        # @param object_id [String] User defined string identifier for this object.
+        #
+        # @return [nil] if delete was successful
+        #
+        # @example Delete a Object with the object type "user" and object id "test-customer"
+        #   Warrant::Object.delete("user", "test-customer")
+        #
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::NotFoundError]
+        # @raise [Warrant::UnauthorizedError]
+        def self.delete(object_type, object_id, options = {})
+            res = APIOperations.delete(URI.parse("#{::Warrant.config.api_base}/v2/objects/#{object_type}/#{object_id}"), options: options)
+
+            case res
+            when Net::HTTPSuccess
+                return res['Warrant-Token']
+            else
+                APIOperations.raise_error(res)
+            end
+        end
+
+        # Batch deletes multiple objects with given parameters
+        #
+        # @param [Array<Hash>] objects Array of objects to delete.
+        # @option objects [String] :object_type The type of the object (e.g. user, tenant, role, permission, etc).
+        # @option objects [String] :object_id Customer defined string identifier for this object.
+        #
+        # @return [nil] if delete was successful
+        #
+        # @example Delete two objects with object type "user" and object ids "test-user-1" and "test-user-2"
+        #   Warrant::Object.batch_delete([{ object_type: "user", object_id: "test-user-1" }, { object_type: "user", object_id: "test-user-2" }])
+        #
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::NotFoundError]
+        # @raise [Warrant::UnauthorizedError]
+        def self.batch_delete(objects, options = {})
+            res = APIOperations.delete(URI.parse("#{::Warrant.config.api_base}/v2/objects"), params: Util.normalize_params(objects), options: options)
+
+            case res
+            when Net::HTTPSuccess
+                return res['Warrant-Token']
+            else
+                APIOperations.raise_error(res)
+            end
+        end
+
+        # Lists all objects for your organization and environment
+        #
+        # @param [Hash] filters Filters to apply to result set
+        # @param [Hash] options Options to apply on a per-request basis
+        # @option filters [String] :object_type Only return objects with an +object_type+ matching this value
+        # @option filters [Integer] :limit A positive integer representing the maximum number of items to return in the response. Must be less than or equal to 1000. Defaults to 25. (optional)
+        # @option filters [String] :prev_cursor A cursor representing your place in a list of results. Requests containing prev_cursor will return the results immediately preceding the cursor. (optional)
+        # @option filters [String] :next_cursor A cursor representing your place in a list of results. Requests containing next_cursor will return the results immediately following the cursor. (optional)
+        # @option filters [String] :sort_by The column to sort the result by. Unless otherwise specified, all list endpoints are sorted by their unique identifier by default. Supported values for objects are +object_type+, +object_id+, and +created_at+ (optional)
+        # @option filters [String] :sort_order The order in which to sort the result by. Valid values are +ASC+ and +DESC+. Defaults to +ASC+. (optional)
+        # @option options [String] :warrant_token A valid warrant token from a previous write operation or latest. Used to specify desired consistency for this read operation. (optional)
+        #
+        # @return [Array<Object>] all objects for your organization and environment
+        #
+        # @example List all objects
+        #   Warrant::Object.list()
+        #
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::UnauthorizedError]
+        def self.list(filters = {}, options = {})
+            res = APIOperations.get(URI.parse("#{::Warrant.config.api_base}/v2/objects"), params: Util.normalize_params(filters), options: options)
+
+            case res
+            when Net::HTTPSuccess
+                list_result = JSON.parse(res.body, symbolize_names: true)
+                objects = list_result[:results].map{ |object| Object.new(object[:objectType], object[:objectId], object[:meta], object[:createdAt]) }
+                return ListResponse.new(objects, list_result[:prevCursor], list_result[:nextCursor])
+            else
+                APIOperations.raise_error(res)
+            end
+        end
+
+        # Get a object with the given object_type and object_id
+        #
+        # @param object_id [String] Object defined string identifier for this object. If not provided, Warrant will create an id for the object and return it. In this case, you should store the id in your system as you will need to provide it for any authorization requests for that object. Note that objectIds in Warrant must be composed of alphanumeric chars and/or '-', '_', and '@'.
+        #
+        # @return [Object] retrieved object
+        #
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::NotFoundError]
+        # @raise [Warrant::UnauthorizedError]
+        def self.get(object_type, object_id, options = {})
+            res = APIOperations.get(URI.parse("#{::Warrant.config.api_base}/v2/objects/#{object_type}/#{object_id}"), options: options)
+
+            case res
+            when Net::HTTPSuccess
+                object = JSON.parse(res.body, symbolize_names: true)
+                Object.new(object[:objectType], object[:objectId], object[:meta], object[:createdAt])
+            else
+                APIOperations.raise_error(res)
+            end
+        end
+
+        # Updates a object with the given object_type and object_id and params
+        #
+        # @param object_type [String] The type of the object (e.g. user, tenant, role, permission, etc).
+        # @param object_id [String] User defined string identifier for this object.
+        # @param meta [Hash] A JSON object containing additional information about this object (e.g. role name/description, user email/name, etc.) to be persisted to Warrant.
+        #
+        # @return [Object] updated object
+        #
+        # @example Update user "test-user"'s email
+        #   Warrant::Object.update("user", "test-user", { email: "my-new-email@example.com" })
+        #
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::InvalidRequestError]
+        # @raise [Warrant::NotFoundError]
+        # @raise [Warrant::UnauthorizedError]
+        def self.update(object_type, object_id, meta, options = {})
+            params = {
+                meta: meta,
+            }
+            res = APIOperations.put(URI.parse("#{::Warrant.config.api_base}/v2/objects/#{object_type}/#{object_id}"), params: Util.normalize_params(params), options: options)
+
+            case res
+            when Net::HTTPSuccess
+                res_json = JSON.parse(res.body, symbolize_names: true)
+                Object.new(res_json[:objectType], res_json[:objectId], res_json[:meta], res_json[:createdAt])
+            else
+                APIOperations.raise_error(res)
+            end
+        end
+
+        # Updates a object with the given object_type and object_id and params
+        #
+        # @param meta [Hash] A JSON object containing additional information about this object (e.g. role name/description, user email/name, etc.) to be persisted to Warrant.
+        #
+        # @return [Object] updated object
+        #
+        # @example Update user "test-user"'s email
+        #   user = Warrant::Object.get("user", "test-user")
+        #   user.update({ email: "my-new-email@example.com" })
+        #
+        # @raise [Warrant::InternalError]
+        # @raise [Warrant::InvalidParameterError]
+        # @raise [Warrant::InvalidRequestError]
+        # @raise [Warrant::NotFoundError]
+        # @raise [Warrant::UnauthorizedError]
+        def update(meta, options = {})
+            return Object.update(object_type, object_id, meta, options)
+        end
+    end
+end

data/lib/warrant/models/permission.rb

@@ -1,23 +1,22 @@
 # frozen_string_literal: true
 
 module Warrant
-    class Permission
+    class Permission < Warrant::Object
         OBJECT_TYPE = "permission"
 
         include Warrant::WarrantObject
 
-        attr_reader :permission_id, :name, :description
+        alias :permission_id :object_id
 
         # @!visibility private
-        def initialize(permission_id, name = nil, description = nil)
-            @permission_id = permission_id
-            @name = name
-            @description = description
+        def initialize(permission_id, meta = {}, created_at = nil)
+            super(OBJECT_TYPE, permission_id, meta, created_at)
         end
 
         # Creates a permission with the given parameters
         #
-        # @option params [String] :permission_id A string identifier for this new permission. The permission_id can only be composed of lower-case alphanumeric chars and/or '-' and '_'.
+        # @option params [String] :role_id User defined string identifier for this permission. If not provided, Warrant will create an id for the permission and return it. In this case, you should store the id in your system as you will need to provide it for any authorization requests for that permission. Note that permissionIds in Warrant must be composed of alphanumeric chars, '-', and/or '_'. (optional)
+        # @option params [Hash] :meta A JSON object containing additional information about this permission (e.g. name/description) to be persisted to Warrant. (optional)
         #
         # @return [Permission] created permission
         #
@@ -28,16 +27,9 @@ module Warrant
         # @raise [Warrant::InternalError]
         # @raise [Warrant::InvalidRequestError]
         # @raise [Warrant::UnauthorizedError]
-        def self.create(params = {})
-            res = APIOperations.post(URI.parse("#{::Warrant.config.api_base}/v1/permissions"), Util.normalize_params(params))
-
-            case res
-            when Net::HTTPSuccess
-                res_json = JSON.parse(res.body)
-                Permission.new(res_json['permissionId'], res_json['name'], res_json['description'])
-            else
-                APIOperations.raise_error(res)
-            end
+        def self.create(params = {}, options = {})
+            object = Object.create({ object_type: OBJECT_TYPE, object_id: params[:permission_id], meta: params[:meta] }, options)
+            return Permission.new(object.object_id, object.meta, object.created_at)
         end
 
         # Deletes a permission with given permission id
@@ -53,27 +45,20 @@ module Warrant
         # @raise [Warrant::MissingRequiredParameterError]
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
-        def self.delete(permission_id)
-            res = APIOperations.delete(URI.parse("#{::Warrant.config.api_base}/v1/permissions/#{permission_id}"))
-
-            case res
-            when Net::HTTPSuccess
-                return
-            else
-                APIOperations.raise_error(res)
-            end
+        def self.delete(permission_id, options = {})
+            return Object.delete(OBJECT_TYPE, permission_id, options)
         end
 
         # Lists all permissions for your organization
         #
-        # @option filters [Integer] :page A positive integer (starting with 1) representing the page of items to return in response. Used in conjunction with the limit param. (optional)
-        # @option filters [Integer] :limit A positive integer representing the max number of items to return in response. (optional)
-        # @option filters [String] :beforeId A string representing a cursor value in the form of a permissionId. If provided, the results returned are immediately before the provided value. (optional)
-        # @option filters [String] :beforeValue A string representing a cursor value in the form of the `sortBy` value. If provided, the results returned are immediately before the provided value. (optional)
-        # @option filters [String] :afterId A string representing a cursor value in the form of a permissionId. If provided, the results returned are immediately after the provided value. (optional)
-        # @option filters [String] :afterValue A string representing a cursor value in the form of the `sortBy` value. If provided, the results returned are immediately after the provided value. (optional)
-        # @option filters [String] :sortBy A string representing the field to sort results by. Default value is permissionId. (optional)
-        # @option filters [String] :sortOrder A string representing whether to sort results in ascending or descending order. Must be ASC or DESC. (optional)
+        # @param [Hash] filters Filters to apply to result set
+        # @param [Hash] options Options to apply on a per-request basis
+        # @option filters [Integer] :limit A positive integer representing the maximum number of items to return in the response. Must be less than or equal to 1000. Defaults to 25. (optional)
+        # @option filters [String] :prev_cursor A cursor representing your place in a list of results. Requests containing prev_cursor will return the results immediately preceding the cursor. (optional)
+        # @option filters [String] :next_cursor A cursor representing your place in a list of results. Requests containing next_cursor will return the results immediately following the cursor. (optional)
+        # @option filters [String] :sort_by The column to sort the result by. Unless otherwise specified, all list endpoints are sorted by their unique identifier by default. Supported values for objects are +object_type+, +object_id+, and +created_at+ (optional)
+        # @option filters [String] :sort_order The order in which to sort the result by. Valid values are +ASC+ and +DESC+. Defaults to +ASC+. (optional)
+        # @option options [String] :warrant_token A valid warrant token from a previous write operation or latest. Used to specify desired consistency for this read operation. (optional)
         #
         # @return [Array<Permission>] all permissions for your organization
         #
@@ -83,16 +68,11 @@ module Warrant
         # @raise [Warrant::InternalError]
         # @raise [Warrant::InvalidParameterError]
         # @raise [Warrant::UnauthorizedError]
-        def self.list(filters = {})
-            res = APIOperations.get(URI.parse("#{::Warrant.config.api_base}/v1/permissions"), Util.normalize_params(filters))
-
-            case res
-            when Net::HTTPSuccess
-                permissions = JSON.parse(res.body)
-                permissions.map{ |permission| Permission.new(permission['permissionId'], permission['name'], permission['description']) }
-            else
-                APIOperations.raise_error(res)
-            end
+        def self.list(filters = {}, options = {})
+            filters.merge({ object_type: "permission" })
+            list_response = Object.list(filters, options)
+            permissions = list_response.results.map{ |object| Permission.new(object.object_id, object.meta, object.created_at)}
+            return ListResponse.new(permissions, list_response.prev_cursor, list_response.next_cursor)
         end
 
         # Get a permission with the given permission_id
@@ -105,24 +85,15 @@ module Warrant
         # @raise [Warrant::MissingRequiredParameterError]
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
-        def self.get(permission_id)
-            res = APIOperations.get(URI.parse("#{::Warrant.config.api_base}/v1/permissions/#{permission_id}"))
-
-            case res
-            when Net::HTTPSuccess
-                permission = JSON.parse(res.body)
-                Permission.new(permission['permissionId'], permission['name'], permission['description'])
-            else
-                APIOperations.raise_error(res)
-            end
+        def self.get(permission_id, options = {})
+            object = Object.get(OBJECT_TYPE, permission_id, options)
+            return Permission.new(object.object_id, object.meta, object.created_at)
         end
 
         # Updates a permission with the given role_id and params
         #
         # @param permission_id [String] The permission_id of the permission to be updated.
-        # @param [Hash] params attributes to update user with
-        # @option params [String] :name Name for the permission. Designed to be used as a UI-friendly identifier. (optional)
-        # @option params [String] :description Description of the permission. Designed to be used as a UI-friendly identifier. (optional)
+        # @param meta [Hash] A JSON object containing additional information about this permission (e.g. name/description, etc.) to be persisted to Warrant.
         #
         # @return [Permission] updated permission
         #
@@ -134,23 +105,15 @@ module Warrant
         # @raise [Warrant::InvalidRequestError]
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
-        def self.update(permission_id, params = {})
-            res = APIOperations.put(URI.parse("#{::Warrant.config.api_base}/v1/permissions/#{permission_id}"), Util.normalize_params(params))
-
-            case res
-            when Net::HTTPSuccess
-                res_json = JSON.parse(res.body)
-                Permission.new(res_json['permissionId'], res_json['name'], res_json['description'])
-            else
-                APIOperations.raise_error(res)
-            end
+        def self.update(permission_id, meta, options = {})
+            object = Object.update(OBJECT_TYPE, permission_id, meta, options)
+            return Permission.new(object.object_id, object.meta, object.created_at)
         end
 
         # Updates a permission with the given params
         #
         # @param [Hash] params attributes to update user with
-        # @option params [String] :name Name for the permission. Designed to be used as a UI-friendly identifier. (optional)
-        # @option params [String] :description Description of the permission. Designed to be used as a UI-friendly identifier. (optional)
+        # @param meta [Hash] A JSON object containing additional information about this permission (e.g. name/description, etc.) to be persisted to Warrant.
         #
         # @return [Permission] updated permission
         #
@@ -162,37 +125,39 @@ module Warrant
         # @raise [Warrant::InvalidRequestError]
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
-        def update(params = {})
-            return Permission.update(permission_id, params)
+        def update(meta, options = {})
+            return Permission.update(permission_id, meta, options)
         end
 
         # List permissions for a role
         #
         # @param role_id [String] The role_id of the role to list assigned permissions for.
-        # @option filters [Integer] :page A positive integer (starting with 1) representing the page of items to return in response. Used in conjunction with the limit param. (optional)
-        # @option filters [Integer] :limit A positive integer representing the max number of items to return in response. (optional)
+        # @param [Hash] filters Filters to apply to result set
+        # @param [Hash] options Options to apply on a per-request basis
+        # @option filters [String] :object_type Only return objects with an `objectType` matching this value
+        # @option filters [Integer] :limit A positive integer representing the maximum number of items to return in the response. Must be less than or equal to 1000. Defaults to 25. (optional)
+        # @option filters [String] :prev_cursor A cursor representing your place in a list of results. Requests containing prev_cursor will return the results immediately preceding the cursor. (optional)
+        # @option filters [String] :next_cursor A cursor representing your place in a list of results. Requests containing next_cursor will return the results immediately following the cursor. (optional)
+        # @option filters [String] :sort_by The column to sort the result by. Unless otherwise specified, all list endpoints are sorted by their unique identifier by default. Supported values for objects are +object_type+, +object_id+, and +created_at+ (optional)
+        # @option filters [String] :sort_order The order in which to sort the result by. Valid values are +ASC+ and +DESC+. Defaults to +ASC+. (optional)
+        # @option options [String] :warrant_token A valid warrant token from a previous write operation or latest. Used to specify desired consistency for this read operation. (optional)
         #
         # @return [Array<Permission>] all assigned permissions for the role
         #
         # @raise [Warrant::InternalError]
         # @raise [Warrant::MissingRequiredParameterError]
         # @raise [Warrant::UnauthorizedError]
-        def self.list_for_role(role_id, filters = {})
-            res = APIOperations.get(URI.parse("#{::Warrant.config.api_base}/v1/roles/#{role_id}/permissions"), Util.normalize_params(filters))
-
-            case res
-            when Net::HTTPSuccess
-                permissions = JSON.parse(res.body)
-                permissions.map{ |permission| Permission.new(permission['permissionId'], permission['name'], permission['description']) }
-            else
-                APIOperations.raise_error(res)
-            end
+        def self.list_for_role(role_id, filters = {}, options = {})
+            query_response = Warrant.query("select permission where role:#{role_id} is *", filters: filters, options: options)
+            permissions = query_response.results.map{ |result| Permission.new(result.object_id, result.meta) }
+            return ListResponse.new(permissions, query_response.prev_cursor, query_response.next_cursor)
         end
 
         # Assign a permission to a role
         #
         # @param role_id [String] The role_id of the role you want to assign a permission to.
         # @param permission_id [String] The permission_id of the permission you want to assign to a role.
+        # @param relation [String] The relation for this permission to role association. The relation must be valid as per the +permission+ object type definition.
         #
         # @return [Warrant] warrant assigning permission to role
         #
@@ -202,14 +167,15 @@ module Warrant
         # @raise [Warrant::MissingRequiredParameterError]
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
-        def self.assign_to_role(role_id, permission_id)
-            Warrant.create({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, "member", { object_type: Role::OBJECT_TYPE, object_id: role_id })
+        def self.assign_to_role(role_id, permission_id, relation: "member", options: {})
+            Warrant.create({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, relation, { object_type: Role::OBJECT_TYPE, object_id: role_id }, nil, options)
         end
 
         # Remove a permission from a role
         #
         # @param role_id [String] The role_id of the role you want to remove a permission from.
         # @param permission_id [String] The permission_id of the permission you want to remove from a role.
+        # @param relation [String] The relation for this permission to role association. The relation must be valid as per the +permission+ object type definition.
         #
         # @return [nil] if remove was successful
         #
@@ -218,37 +184,39 @@ module Warrant
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
         # @raise [Warrant::WarrantError]
-        def self.remove_from_role(role_id, permission_id)
-            Warrant.delete({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, "member", { object_type: Role::OBJECT_TYPE, object_id: role_id })
+        def self.remove_from_role(role_id, permission_id, relation: "member", options: {})
+            Warrant.delete({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, relation, { object_type: Role::OBJECT_TYPE, object_id: role_id }, nil, options)
         end
 
         # List permissions for a user
         #
         # @param user_id [String] The user_id of the user to list assigned permissions for.
-        # @option filters [Integer] :page A positive integer (starting with 1) representing the page of items to return in response. Used in conjunction with the limit param. (optional)
-        # @option filters [Integer] :limit A positive integer representing the max number of items to return in response. (optional)
+        # @param [Hash] filters Filters to apply to result set
+        # @param [Hash] options Options to apply on a per-request basis
+        # @option filters [String] :object_type Only return objects with an `objectType` matching this value
+        # @option filters [Integer] :limit A positive integer representing the maximum number of items to return in the response. Must be less than or equal to 1000. Defaults to 25. (optional)
+        # @option filters [String] :prev_cursor A cursor representing your place in a list of results. Requests containing prev_cursor will return the results immediately preceding the cursor. (optional)
+        # @option filters [String] :next_cursor A cursor representing your place in a list of results. Requests containing next_cursor will return the results immediately following the cursor. (optional)
+        # @option filters [String] :sort_by The column to sort the result by. Unless otherwise specified, all list endpoints are sorted by their unique identifier by default. Supported values for objects are +object_type+, +object_id+, and +created_at+ (optional)
+        # @option filters [String] :sort_order The order in which to sort the result by. Valid values are +ASC+ and +DESC+. Defaults to +ASC+. (optional)
+        # @option options [String] :warrant_token A valid warrant token from a previous write operation or latest. Used to specify desired consistency for this read operation. (optional)
         #
         # @return [Array<Permission>] all assigned permissions for the user
         #
         # @raise [Warrant::InternalError]
         # @raise [Warrant::MissingRequiredParameterError]
         # @raise [Warrant::UnauthorizedError]
-        def self.list_for_user(user_id, filters = {})
-            res = APIOperations.get(URI.parse("#{::Warrant.config.api_base}/v1/users/#{user_id}/permissions"), Util.normalize_params(filters))
-
-            case res
-            when Net::HTTPSuccess
-                permissions = JSON.parse(res.body)
-                permissions.map{ |permission| Permission.new(permission['permissionId'], permission['name'], permission['description']) }
-            else
-                APIOperations.raise_error(res)
-            end
+        def self.list_for_user(user_id, filters = {}, options = {})
+            query_response = Warrant.query("select permission where user:#{user_id} is *", filters: filters, options: options)
+            permissions = query_response.results.map{ |result| Permission.new(result.object_id, result.meta) }
+            return ListResponse.new(permissions, query_response.prev_cursor, query_response.next_cursor)
         end
 
         # Assign a permission to a user
         #
         # @param user_id [String] The user_id of the user you want to assign a permission to.
         # @param permission_id [String] The permission_id of the permission you want to assign to a user.
+        # @param relation [String] The relation for this permission to user association. The relation must be valid as per the +permission+ object type definition.
         #
         # @return [Warrant] warrant assigning permission to user
         #
@@ -258,14 +226,15 @@ module Warrant
         # @raise [Warrant::MissingRequiredParameterError]
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
-        def self.assign_to_user(user_id, permission_id)
-            Warrant.create({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, "member", { object_type: User::OBJECT_TYPE, object_id: user_id })
+        def self.assign_to_user(user_id, permission_id, relation: "member", options: {})
+            Warrant.create({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, relation, { object_type: User::OBJECT_TYPE, object_id: user_id }, nil, options)
         end
 
         # Remove a permission from a user
         #
         # @param user_id [String] The user_id of the user you want to remove a permission from.
         # @param permission_id [String] The permission_id of the permission you want to remove from a user.
+        # @param relation [String] The relation for this permission to user association. The relation must be valid as per the +permission+ object type definition.
         #
         # @return [nil] if remove was successful
         #
@@ -274,8 +243,8 @@ module Warrant
         # @raise [Warrant::NotFoundError]
         # @raise [Warrant::UnauthorizedError]
         # @raise [Warrant::WarrantError]
-        def self.remove_from_user(user_id, permission_id)
-            Warrant.delete({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, "member", { object_type: User::OBJECT_TYPE, object_id: user_id })
+        def self.remove_from_user(user_id, permission_id, relation: "member", options: {})
+            Warrant.delete({ object_type: Permission::OBJECT_TYPE, object_id: permission_id }, relation, { object_type: User::OBJECT_TYPE, object_id: user_id }, nil, options)
         end
 
         def warrant_object_type