@spotify/backstage-plugin-rbac-common 0.4.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/CHANGELOG.md +12 -0
  2. package/dist/index.cjs.js +1 -1
  3. package/dist/index.d.ts +1191 -515
  4. package/dist/index.esm.js +1 -1
  5. package/package.json +4 -4
package/dist/index.d.ts CHANGED
@@ -1,13 +1,14 @@
1
1
  import * as _backstage_plugin_permission_common from '@backstage/plugin-permission-common';
2
2
  import { PermissionCondition, PermissionCriteria, AllOfCriteria, AnyOfCriteria, NotCriteria, Permission, PermissionRuleParam, PermissionRuleParams } from '@backstage/plugin-permission-common';
3
3
  import { z } from 'zod';
4
+ import { CompoundEntityRef } from '@backstage/catalog-model';
4
5
 
5
6
  /** @public */
6
7
  declare const PolicyDefaultName = "Untitled policy";
7
8
  /** @public */
8
9
  declare const BackstageUserPlaceholder = ":backstageUser";
9
10
  /** @public */
10
- declare type RBACPermissionCondition = Omit<PermissionCondition, 'resourceType'>;
11
+ type RBACPermissionCondition = Omit<PermissionCondition, 'resourceType'>;
11
12
  /** @public */
12
13
  declare const PermissionConditionParser: z.ZodSchema<RBACPermissionCondition>;
13
14
  /** @public */
@@ -18,11 +19,11 @@ declare const ConditionalDecisionParser: z.ZodObject<{
18
19
  }, "strip", z.ZodTypeAny, {
19
20
  pluginId: string;
20
21
  resourceType: string;
21
- conditions: PermissionCriteria<RBACPermissionCondition>;
22
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
22
23
  }, {
23
24
  pluginId: string;
24
25
  resourceType: string;
25
- conditions: PermissionCriteria<RBACPermissionCondition>;
26
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
26
27
  }>;
27
28
  /** @public */
28
29
  declare const LiteralDecisionParser: z.ZodUnion<[z.ZodLiteral<"allow">, z.ZodLiteral<"deny">]>;
@@ -34,11 +35,11 @@ declare const PermissionDecisionParser: z.ZodUnion<[z.ZodUnion<[z.ZodLiteral<"al
34
35
  }, "strip", z.ZodTypeAny, {
35
36
  pluginId: string;
36
37
  resourceType: string;
37
- conditions: PermissionCriteria<RBACPermissionCondition>;
38
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
38
39
  }, {
39
40
  pluginId: string;
40
41
  resourceType: string;
41
- conditions: PermissionCriteria<RBACPermissionCondition>;
42
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
42
43
  }>]>;
43
44
  /** @public */
44
45
  declare const PermissionMatchParser: z.ZodUnion<[z.ZodLiteral<"*">, z.ZodObject<{
@@ -77,60 +78,92 @@ declare const RolePermissionParser: z.ZodEffects<z.ZodObject<{
77
78
  }, "strip", z.ZodTypeAny, {
78
79
  pluginId: string;
79
80
  resourceType: string;
80
- conditions: PermissionCriteria<RBACPermissionCondition>;
81
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
81
82
  }, {
82
83
  pluginId: string;
83
84
  resourceType: string;
84
- conditions: PermissionCriteria<RBACPermissionCondition>;
85
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
85
86
  }>]>;
86
87
  }, "strip", z.ZodTypeAny, {
87
88
  id: string;
88
- match: "*" | {
89
+ match: ("*" | {
89
90
  name?: string | undefined;
90
91
  actions?: string[] | undefined;
91
92
  resourceType?: string | undefined;
92
- };
93
- decision: "allow" | {
93
+ }) & ("*" | {
94
+ name?: string | undefined;
95
+ actions?: string[] | undefined;
96
+ resourceType?: string | undefined;
97
+ } | undefined);
98
+ decision: ("allow" | {
94
99
  pluginId: string;
95
100
  resourceType: string;
96
- conditions: PermissionCriteria<RBACPermissionCondition>;
97
- } | "deny";
101
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
102
+ } | "deny") & ("allow" | {
103
+ pluginId: string;
104
+ resourceType: string;
105
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
106
+ } | "deny" | undefined);
98
107
  }, {
99
- id?: string | undefined;
100
- match: "*" | {
108
+ match: ("*" | {
101
109
  name?: string | undefined;
102
110
  actions?: string[] | undefined;
103
111
  resourceType?: string | undefined;
104
- };
105
- decision: "allow" | {
112
+ }) & ("*" | {
113
+ name?: string | undefined;
114
+ actions?: string[] | undefined;
115
+ resourceType?: string | undefined;
116
+ } | undefined);
117
+ decision: ("allow" | {
118
+ pluginId: string;
119
+ resourceType: string;
120
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
121
+ } | "deny") & ("allow" | {
106
122
  pluginId: string;
107
123
  resourceType: string;
108
- conditions: PermissionCriteria<RBACPermissionCondition>;
109
- } | "deny";
124
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
125
+ } | "deny" | undefined);
126
+ id?: string | undefined;
110
127
  }>, {
111
128
  id: string;
112
- match: "*" | {
129
+ match: ("*" | {
113
130
  name?: string | undefined;
114
131
  actions?: string[] | undefined;
115
132
  resourceType?: string | undefined;
116
- };
117
- decision: "allow" | {
133
+ }) & ("*" | {
134
+ name?: string | undefined;
135
+ actions?: string[] | undefined;
136
+ resourceType?: string | undefined;
137
+ } | undefined);
138
+ decision: ("allow" | {
139
+ pluginId: string;
140
+ resourceType: string;
141
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
142
+ } | "deny") & ("allow" | {
118
143
  pluginId: string;
119
144
  resourceType: string;
120
- conditions: PermissionCriteria<RBACPermissionCondition>;
121
- } | "deny";
145
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
146
+ } | "deny" | undefined);
122
147
  }, {
123
- id?: string | undefined;
124
- match: "*" | {
148
+ match: ("*" | {
125
149
  name?: string | undefined;
126
150
  actions?: string[] | undefined;
127
151
  resourceType?: string | undefined;
128
- };
129
- decision: "allow" | {
152
+ }) & ("*" | {
153
+ name?: string | undefined;
154
+ actions?: string[] | undefined;
155
+ resourceType?: string | undefined;
156
+ } | undefined);
157
+ decision: ("allow" | {
130
158
  pluginId: string;
131
159
  resourceType: string;
132
- conditions: PermissionCriteria<RBACPermissionCondition>;
133
- } | "deny";
160
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
161
+ } | "deny") & ("allow" | {
162
+ pluginId: string;
163
+ resourceType: string;
164
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
165
+ } | "deny" | undefined);
166
+ id?: string | undefined;
134
167
  }>;
135
168
  /** @public */
136
169
  declare const RolePermissionsParser: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodObject<{
@@ -155,84 +188,132 @@ declare const RolePermissionsParser: z.ZodEffects<z.ZodArray<z.ZodEffects<z.ZodO
155
188
  }, "strip", z.ZodTypeAny, {
156
189
  pluginId: string;
157
190
  resourceType: string;
158
- conditions: PermissionCriteria<RBACPermissionCondition>;
191
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
159
192
  }, {
160
193
  pluginId: string;
161
194
  resourceType: string;
162
- conditions: PermissionCriteria<RBACPermissionCondition>;
195
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
163
196
  }>]>;
164
197
  }, "strip", z.ZodTypeAny, {
165
198
  id: string;
166
- match: "*" | {
199
+ match: ("*" | {
167
200
  name?: string | undefined;
168
201
  actions?: string[] | undefined;
169
202
  resourceType?: string | undefined;
170
- };
171
- decision: "allow" | {
203
+ }) & ("*" | {
204
+ name?: string | undefined;
205
+ actions?: string[] | undefined;
206
+ resourceType?: string | undefined;
207
+ } | undefined);
208
+ decision: ("allow" | {
209
+ pluginId: string;
210
+ resourceType: string;
211
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
212
+ } | "deny") & ("allow" | {
172
213
  pluginId: string;
173
214
  resourceType: string;
174
- conditions: PermissionCriteria<RBACPermissionCondition>;
175
- } | "deny";
215
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
216
+ } | "deny" | undefined);
176
217
  }, {
177
- id?: string | undefined;
178
- match: "*" | {
218
+ match: ("*" | {
179
219
  name?: string | undefined;
180
220
  actions?: string[] | undefined;
181
221
  resourceType?: string | undefined;
182
- };
183
- decision: "allow" | {
222
+ }) & ("*" | {
223
+ name?: string | undefined;
224
+ actions?: string[] | undefined;
225
+ resourceType?: string | undefined;
226
+ } | undefined);
227
+ decision: ("allow" | {
228
+ pluginId: string;
229
+ resourceType: string;
230
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
231
+ } | "deny") & ("allow" | {
184
232
  pluginId: string;
185
233
  resourceType: string;
186
- conditions: PermissionCriteria<RBACPermissionCondition>;
187
- } | "deny";
234
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
235
+ } | "deny" | undefined);
236
+ id?: string | undefined;
188
237
  }>, {
189
238
  id: string;
190
- match: "*" | {
239
+ match: ("*" | {
191
240
  name?: string | undefined;
192
241
  actions?: string[] | undefined;
193
242
  resourceType?: string | undefined;
194
- };
195
- decision: "allow" | {
243
+ }) & ("*" | {
244
+ name?: string | undefined;
245
+ actions?: string[] | undefined;
246
+ resourceType?: string | undefined;
247
+ } | undefined);
248
+ decision: ("allow" | {
196
249
  pluginId: string;
197
250
  resourceType: string;
198
- conditions: PermissionCriteria<RBACPermissionCondition>;
199
- } | "deny";
251
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
252
+ } | "deny") & ("allow" | {
253
+ pluginId: string;
254
+ resourceType: string;
255
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
256
+ } | "deny" | undefined);
200
257
  }, {
201
- id?: string | undefined;
202
- match: "*" | {
258
+ match: ("*" | {
203
259
  name?: string | undefined;
204
260
  actions?: string[] | undefined;
205
261
  resourceType?: string | undefined;
206
- };
207
- decision: "allow" | {
262
+ }) & ("*" | {
263
+ name?: string | undefined;
264
+ actions?: string[] | undefined;
265
+ resourceType?: string | undefined;
266
+ } | undefined);
267
+ decision: ("allow" | {
268
+ pluginId: string;
269
+ resourceType: string;
270
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
271
+ } | "deny") & ("allow" | {
208
272
  pluginId: string;
209
273
  resourceType: string;
210
- conditions: PermissionCriteria<RBACPermissionCondition>;
211
- } | "deny";
274
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
275
+ } | "deny" | undefined);
276
+ id?: string | undefined;
212
277
  }>, "many">, {
213
278
  id: string;
214
- match: "*" | {
279
+ match: ("*" | {
215
280
  name?: string | undefined;
216
281
  actions?: string[] | undefined;
217
282
  resourceType?: string | undefined;
218
- };
219
- decision: "allow" | {
283
+ }) & ("*" | {
284
+ name?: string | undefined;
285
+ actions?: string[] | undefined;
286
+ resourceType?: string | undefined;
287
+ } | undefined);
288
+ decision: ("allow" | {
289
+ pluginId: string;
290
+ resourceType: string;
291
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
292
+ } | "deny") & ("allow" | {
220
293
  pluginId: string;
221
294
  resourceType: string;
222
- conditions: PermissionCriteria<RBACPermissionCondition>;
223
- } | "deny";
295
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
296
+ } | "deny" | undefined);
224
297
  }[], {
225
- id?: string | undefined;
226
- match: "*" | {
298
+ match: ("*" | {
227
299
  name?: string | undefined;
228
300
  actions?: string[] | undefined;
229
301
  resourceType?: string | undefined;
230
- };
231
- decision: "allow" | {
302
+ }) & ("*" | {
303
+ name?: string | undefined;
304
+ actions?: string[] | undefined;
305
+ resourceType?: string | undefined;
306
+ } | undefined);
307
+ decision: ("allow" | {
308
+ pluginId: string;
309
+ resourceType: string;
310
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
311
+ } | "deny") & ("allow" | {
232
312
  pluginId: string;
233
313
  resourceType: string;
234
- conditions: PermissionCriteria<RBACPermissionCondition>;
235
- } | "deny";
314
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
315
+ } | "deny" | undefined);
316
+ id?: string | undefined;
236
317
  }[]>;
237
318
  /** @public */
238
319
  declare const RoleParser: z.ZodObject<{
@@ -261,119 +342,183 @@ declare const RoleParser: z.ZodObject<{
261
342
  }, "strip", z.ZodTypeAny, {
262
343
  pluginId: string;
263
344
  resourceType: string;
264
- conditions: PermissionCriteria<RBACPermissionCondition>;
345
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
265
346
  }, {
266
347
  pluginId: string;
267
348
  resourceType: string;
268
- conditions: PermissionCriteria<RBACPermissionCondition>;
349
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
269
350
  }>]>;
270
351
  }, "strip", z.ZodTypeAny, {
271
352
  id: string;
272
- match: "*" | {
353
+ match: ("*" | {
273
354
  name?: string | undefined;
274
355
  actions?: string[] | undefined;
275
356
  resourceType?: string | undefined;
276
- };
277
- decision: "allow" | {
357
+ }) & ("*" | {
358
+ name?: string | undefined;
359
+ actions?: string[] | undefined;
360
+ resourceType?: string | undefined;
361
+ } | undefined);
362
+ decision: ("allow" | {
363
+ pluginId: string;
364
+ resourceType: string;
365
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
366
+ } | "deny") & ("allow" | {
278
367
  pluginId: string;
279
368
  resourceType: string;
280
- conditions: PermissionCriteria<RBACPermissionCondition>;
281
- } | "deny";
369
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
370
+ } | "deny" | undefined);
282
371
  }, {
283
- id?: string | undefined;
284
- match: "*" | {
372
+ match: ("*" | {
373
+ name?: string | undefined;
374
+ actions?: string[] | undefined;
375
+ resourceType?: string | undefined;
376
+ }) & ("*" | {
285
377
  name?: string | undefined;
286
378
  actions?: string[] | undefined;
287
379
  resourceType?: string | undefined;
288
- };
289
- decision: "allow" | {
380
+ } | undefined);
381
+ decision: ("allow" | {
290
382
  pluginId: string;
291
383
  resourceType: string;
292
- conditions: PermissionCriteria<RBACPermissionCondition>;
293
- } | "deny";
384
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
385
+ } | "deny") & ("allow" | {
386
+ pluginId: string;
387
+ resourceType: string;
388
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
389
+ } | "deny" | undefined);
390
+ id?: string | undefined;
294
391
  }>, {
295
392
  id: string;
296
- match: "*" | {
393
+ match: ("*" | {
297
394
  name?: string | undefined;
298
395
  actions?: string[] | undefined;
299
396
  resourceType?: string | undefined;
300
- };
301
- decision: "allow" | {
397
+ }) & ("*" | {
398
+ name?: string | undefined;
399
+ actions?: string[] | undefined;
400
+ resourceType?: string | undefined;
401
+ } | undefined);
402
+ decision: ("allow" | {
403
+ pluginId: string;
404
+ resourceType: string;
405
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
406
+ } | "deny") & ("allow" | {
302
407
  pluginId: string;
303
408
  resourceType: string;
304
- conditions: PermissionCriteria<RBACPermissionCondition>;
305
- } | "deny";
409
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
410
+ } | "deny" | undefined);
306
411
  }, {
307
- id?: string | undefined;
308
- match: "*" | {
412
+ match: ("*" | {
413
+ name?: string | undefined;
414
+ actions?: string[] | undefined;
415
+ resourceType?: string | undefined;
416
+ }) & ("*" | {
309
417
  name?: string | undefined;
310
418
  actions?: string[] | undefined;
311
419
  resourceType?: string | undefined;
312
- };
313
- decision: "allow" | {
420
+ } | undefined);
421
+ decision: ("allow" | {
314
422
  pluginId: string;
315
423
  resourceType: string;
316
- conditions: PermissionCriteria<RBACPermissionCondition>;
317
- } | "deny";
424
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
425
+ } | "deny") & ("allow" | {
426
+ pluginId: string;
427
+ resourceType: string;
428
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
429
+ } | "deny" | undefined);
430
+ id?: string | undefined;
318
431
  }>, "many">, {
319
432
  id: string;
320
- match: "*" | {
433
+ match: ("*" | {
434
+ name?: string | undefined;
435
+ actions?: string[] | undefined;
436
+ resourceType?: string | undefined;
437
+ }) & ("*" | {
321
438
  name?: string | undefined;
322
439
  actions?: string[] | undefined;
323
440
  resourceType?: string | undefined;
324
- };
325
- decision: "allow" | {
441
+ } | undefined);
442
+ decision: ("allow" | {
443
+ pluginId: string;
444
+ resourceType: string;
445
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
446
+ } | "deny") & ("allow" | {
326
447
  pluginId: string;
327
448
  resourceType: string;
328
- conditions: PermissionCriteria<RBACPermissionCondition>;
329
- } | "deny";
449
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
450
+ } | "deny" | undefined);
330
451
  }[], {
331
- id?: string | undefined;
332
- match: "*" | {
452
+ match: ("*" | {
333
453
  name?: string | undefined;
334
454
  actions?: string[] | undefined;
335
455
  resourceType?: string | undefined;
336
- };
337
- decision: "allow" | {
456
+ }) & ("*" | {
457
+ name?: string | undefined;
458
+ actions?: string[] | undefined;
459
+ resourceType?: string | undefined;
460
+ } | undefined);
461
+ decision: ("allow" | {
338
462
  pluginId: string;
339
463
  resourceType: string;
340
- conditions: PermissionCriteria<RBACPermissionCondition>;
341
- } | "deny";
464
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
465
+ } | "deny") & ("allow" | {
466
+ pluginId: string;
467
+ resourceType: string;
468
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
469
+ } | "deny" | undefined);
470
+ id?: string | undefined;
342
471
  }[]>;
343
472
  }, "strip", z.ZodTypeAny, {
344
473
  id: string;
345
- members: string[] | "*";
474
+ members: (string[] | "*") & (string[] | "*" | undefined);
346
475
  name: string;
347
476
  permissions: {
348
477
  id: string;
349
- match: "*" | {
478
+ match: ("*" | {
350
479
  name?: string | undefined;
351
480
  actions?: string[] | undefined;
352
481
  resourceType?: string | undefined;
353
- };
354
- decision: "allow" | {
482
+ }) & ("*" | {
483
+ name?: string | undefined;
484
+ actions?: string[] | undefined;
485
+ resourceType?: string | undefined;
486
+ } | undefined);
487
+ decision: ("allow" | {
488
+ pluginId: string;
489
+ resourceType: string;
490
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
491
+ } | "deny") & ("allow" | {
355
492
  pluginId: string;
356
493
  resourceType: string;
357
- conditions: PermissionCriteria<RBACPermissionCondition>;
358
- } | "deny";
494
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
495
+ } | "deny" | undefined);
359
496
  }[];
360
497
  }, {
361
- id?: string | undefined;
362
- members: string[] | "*";
498
+ members: (string[] | "*") & (string[] | "*" | undefined);
363
499
  name: string;
364
500
  permissions: {
365
- id?: string | undefined;
366
- match: "*" | {
501
+ match: ("*" | {
502
+ name?: string | undefined;
503
+ actions?: string[] | undefined;
504
+ resourceType?: string | undefined;
505
+ }) & ("*" | {
367
506
  name?: string | undefined;
368
507
  actions?: string[] | undefined;
369
508
  resourceType?: string | undefined;
370
- };
371
- decision: "allow" | {
509
+ } | undefined);
510
+ decision: ("allow" | {
372
511
  pluginId: string;
373
512
  resourceType: string;
374
- conditions: PermissionCriteria<RBACPermissionCondition>;
375
- } | "deny";
513
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
514
+ } | "deny") & ("allow" | {
515
+ pluginId: string;
516
+ resourceType: string;
517
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
518
+ } | "deny" | undefined);
519
+ id?: string | undefined;
376
520
  }[];
521
+ id?: string | undefined;
377
522
  }>;
378
523
  /** @public */
379
524
  declare const RolesParser: z.ZodEffects<z.ZodDefault<z.ZodArray<z.ZodObject<{
@@ -402,159 +547,256 @@ declare const RolesParser: z.ZodEffects<z.ZodDefault<z.ZodArray<z.ZodObject<{
402
547
  }, "strip", z.ZodTypeAny, {
403
548
  pluginId: string;
404
549
  resourceType: string;
405
- conditions: PermissionCriteria<RBACPermissionCondition>;
550
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
406
551
  }, {
407
552
  pluginId: string;
408
553
  resourceType: string;
409
- conditions: PermissionCriteria<RBACPermissionCondition>;
554
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
410
555
  }>]>;
411
556
  }, "strip", z.ZodTypeAny, {
412
557
  id: string;
413
- match: "*" | {
558
+ match: ("*" | {
414
559
  name?: string | undefined;
415
560
  actions?: string[] | undefined;
416
561
  resourceType?: string | undefined;
417
- };
418
- decision: "allow" | {
562
+ }) & ("*" | {
563
+ name?: string | undefined;
564
+ actions?: string[] | undefined;
565
+ resourceType?: string | undefined;
566
+ } | undefined);
567
+ decision: ("allow" | {
568
+ pluginId: string;
569
+ resourceType: string;
570
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
571
+ } | "deny") & ("allow" | {
419
572
  pluginId: string;
420
573
  resourceType: string;
421
- conditions: PermissionCriteria<RBACPermissionCondition>;
422
- } | "deny";
574
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
575
+ } | "deny" | undefined);
423
576
  }, {
424
- id?: string | undefined;
425
- match: "*" | {
577
+ match: ("*" | {
578
+ name?: string | undefined;
579
+ actions?: string[] | undefined;
580
+ resourceType?: string | undefined;
581
+ }) & ("*" | {
426
582
  name?: string | undefined;
427
583
  actions?: string[] | undefined;
428
584
  resourceType?: string | undefined;
429
- };
430
- decision: "allow" | {
585
+ } | undefined);
586
+ decision: ("allow" | {
587
+ pluginId: string;
588
+ resourceType: string;
589
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
590
+ } | "deny") & ("allow" | {
431
591
  pluginId: string;
432
592
  resourceType: string;
433
- conditions: PermissionCriteria<RBACPermissionCondition>;
434
- } | "deny";
593
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
594
+ } | "deny" | undefined);
595
+ id?: string | undefined;
435
596
  }>, {
436
597
  id: string;
437
- match: "*" | {
598
+ match: ("*" | {
438
599
  name?: string | undefined;
439
600
  actions?: string[] | undefined;
440
601
  resourceType?: string | undefined;
441
- };
442
- decision: "allow" | {
602
+ }) & ("*" | {
603
+ name?: string | undefined;
604
+ actions?: string[] | undefined;
605
+ resourceType?: string | undefined;
606
+ } | undefined);
607
+ decision: ("allow" | {
608
+ pluginId: string;
609
+ resourceType: string;
610
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
611
+ } | "deny") & ("allow" | {
443
612
  pluginId: string;
444
613
  resourceType: string;
445
- conditions: PermissionCriteria<RBACPermissionCondition>;
446
- } | "deny";
614
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
615
+ } | "deny" | undefined);
447
616
  }, {
448
- id?: string | undefined;
449
- match: "*" | {
617
+ match: ("*" | {
618
+ name?: string | undefined;
619
+ actions?: string[] | undefined;
620
+ resourceType?: string | undefined;
621
+ }) & ("*" | {
450
622
  name?: string | undefined;
451
623
  actions?: string[] | undefined;
452
624
  resourceType?: string | undefined;
453
- };
454
- decision: "allow" | {
625
+ } | undefined);
626
+ decision: ("allow" | {
455
627
  pluginId: string;
456
628
  resourceType: string;
457
- conditions: PermissionCriteria<RBACPermissionCondition>;
458
- } | "deny";
629
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
630
+ } | "deny") & ("allow" | {
631
+ pluginId: string;
632
+ resourceType: string;
633
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
634
+ } | "deny" | undefined);
635
+ id?: string | undefined;
459
636
  }>, "many">, {
460
637
  id: string;
461
- match: "*" | {
638
+ match: ("*" | {
639
+ name?: string | undefined;
640
+ actions?: string[] | undefined;
641
+ resourceType?: string | undefined;
642
+ }) & ("*" | {
462
643
  name?: string | undefined;
463
644
  actions?: string[] | undefined;
464
645
  resourceType?: string | undefined;
465
- };
466
- decision: "allow" | {
646
+ } | undefined);
647
+ decision: ("allow" | {
648
+ pluginId: string;
649
+ resourceType: string;
650
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
651
+ } | "deny") & ("allow" | {
467
652
  pluginId: string;
468
653
  resourceType: string;
469
- conditions: PermissionCriteria<RBACPermissionCondition>;
470
- } | "deny";
654
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
655
+ } | "deny" | undefined);
471
656
  }[], {
472
- id?: string | undefined;
473
- match: "*" | {
657
+ match: ("*" | {
658
+ name?: string | undefined;
659
+ actions?: string[] | undefined;
660
+ resourceType?: string | undefined;
661
+ }) & ("*" | {
474
662
  name?: string | undefined;
475
663
  actions?: string[] | undefined;
476
664
  resourceType?: string | undefined;
477
- };
478
- decision: "allow" | {
665
+ } | undefined);
666
+ decision: ("allow" | {
479
667
  pluginId: string;
480
668
  resourceType: string;
481
- conditions: PermissionCriteria<RBACPermissionCondition>;
482
- } | "deny";
669
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
670
+ } | "deny") & ("allow" | {
671
+ pluginId: string;
672
+ resourceType: string;
673
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
674
+ } | "deny" | undefined);
675
+ id?: string | undefined;
483
676
  }[]>;
484
677
  }, "strip", z.ZodTypeAny, {
485
678
  id: string;
486
- members: string[] | "*";
679
+ members: (string[] | "*") & (string[] | "*" | undefined);
487
680
  name: string;
488
681
  permissions: {
489
682
  id: string;
490
- match: "*" | {
683
+ match: ("*" | {
684
+ name?: string | undefined;
685
+ actions?: string[] | undefined;
686
+ resourceType?: string | undefined;
687
+ }) & ("*" | {
491
688
  name?: string | undefined;
492
689
  actions?: string[] | undefined;
493
690
  resourceType?: string | undefined;
494
- };
495
- decision: "allow" | {
691
+ } | undefined);
692
+ decision: ("allow" | {
693
+ pluginId: string;
694
+ resourceType: string;
695
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
696
+ } | "deny") & ("allow" | {
496
697
  pluginId: string;
497
698
  resourceType: string;
498
- conditions: PermissionCriteria<RBACPermissionCondition>;
499
- } | "deny";
699
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
700
+ } | "deny" | undefined);
500
701
  }[];
501
702
  }, {
502
- id?: string | undefined;
503
- members: string[] | "*";
703
+ members: (string[] | "*") & (string[] | "*" | undefined);
504
704
  name: string;
505
705
  permissions: {
506
- id?: string | undefined;
507
- match: "*" | {
706
+ match: ("*" | {
707
+ name?: string | undefined;
708
+ actions?: string[] | undefined;
709
+ resourceType?: string | undefined;
710
+ }) & ("*" | {
508
711
  name?: string | undefined;
509
712
  actions?: string[] | undefined;
510
713
  resourceType?: string | undefined;
511
- };
512
- decision: "allow" | {
714
+ } | undefined);
715
+ decision: ("allow" | {
716
+ pluginId: string;
717
+ resourceType: string;
718
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
719
+ } | "deny") & ("allow" | {
513
720
  pluginId: string;
514
721
  resourceType: string;
515
- conditions: PermissionCriteria<RBACPermissionCondition>;
516
- } | "deny";
722
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
723
+ } | "deny" | undefined);
724
+ id?: string | undefined;
517
725
  }[];
726
+ id?: string | undefined;
518
727
  }>, "many">>, {
519
728
  id: string;
520
- members: string[] | "*";
729
+ members: (string[] | "*") & (string[] | "*" | undefined);
521
730
  name: string;
522
731
  permissions: {
523
732
  id: string;
524
- match: "*" | {
733
+ match: ("*" | {
525
734
  name?: string | undefined;
526
735
  actions?: string[] | undefined;
527
736
  resourceType?: string | undefined;
528
- };
529
- decision: "allow" | {
737
+ }) & ("*" | {
738
+ name?: string | undefined;
739
+ actions?: string[] | undefined;
740
+ resourceType?: string | undefined;
741
+ } | undefined);
742
+ decision: ("allow" | {
530
743
  pluginId: string;
531
744
  resourceType: string;
532
- conditions: PermissionCriteria<RBACPermissionCondition>;
533
- } | "deny";
745
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
746
+ } | "deny") & ("allow" | {
747
+ pluginId: string;
748
+ resourceType: string;
749
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
750
+ } | "deny" | undefined);
534
751
  }[];
535
752
  }[], {
536
- id?: string | undefined;
537
- members: string[] | "*";
753
+ members: (string[] | "*") & (string[] | "*" | undefined);
538
754
  name: string;
539
755
  permissions: {
540
- id?: string | undefined;
541
- match: "*" | {
756
+ match: ("*" | {
757
+ name?: string | undefined;
758
+ actions?: string[] | undefined;
759
+ resourceType?: string | undefined;
760
+ }) & ("*" | {
542
761
  name?: string | undefined;
543
762
  actions?: string[] | undefined;
544
763
  resourceType?: string | undefined;
545
- };
546
- decision: "allow" | {
764
+ } | undefined);
765
+ decision: ("allow" | {
766
+ pluginId: string;
767
+ resourceType: string;
768
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
769
+ } | "deny") & ("allow" | {
547
770
  pluginId: string;
548
771
  resourceType: string;
549
- conditions: PermissionCriteria<RBACPermissionCondition>;
550
- } | "deny";
772
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
773
+ } | "deny" | undefined);
774
+ id?: string | undefined;
551
775
  }[];
776
+ id?: string | undefined;
552
777
  }[] | undefined>;
553
778
  /** @public */
554
779
  declare const PolicyTitleParser: z.ZodDefault<z.ZodString>;
555
780
  /** @public */
781
+ declare const PolicyRoleResolutionStrategyParser: z.ZodUnion<[z.ZodLiteral<"first-match">, z.ZodLiteral<"any-allow">]>;
782
+ /** @public */
783
+ declare const PolicyConfigOptionsParser: z.ZodDefault<z.ZodObject<{
784
+ resolutionStrategy: z.ZodUnion<[z.ZodLiteral<"first-match">, z.ZodLiteral<"any-allow">]>;
785
+ }, "strip", z.ZodTypeAny, {
786
+ resolutionStrategy: "first-match" | "any-allow";
787
+ }, {
788
+ resolutionStrategy: "first-match" | "any-allow";
789
+ }>>;
790
+ /** @public */
556
791
  declare const PolicyConfigParser: z.ZodObject<{
557
792
  name: z.ZodDefault<z.ZodString>;
793
+ options: z.ZodDefault<z.ZodObject<{
794
+ resolutionStrategy: z.ZodUnion<[z.ZodLiteral<"first-match">, z.ZodLiteral<"any-allow">]>;
795
+ }, "strip", z.ZodTypeAny, {
796
+ resolutionStrategy: "first-match" | "any-allow";
797
+ }, {
798
+ resolutionStrategy: "first-match" | "any-allow";
799
+ }>>;
558
800
  roles: z.ZodEffects<z.ZodDefault<z.ZodArray<z.ZodObject<{
559
801
  name: z.ZodString;
560
802
  id: z.ZodDefault<z.ZodString>;
@@ -581,198 +823,307 @@ declare const PolicyConfigParser: z.ZodObject<{
581
823
  }, "strip", z.ZodTypeAny, {
582
824
  pluginId: string;
583
825
  resourceType: string;
584
- conditions: PermissionCriteria<RBACPermissionCondition>;
826
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
585
827
  }, {
586
828
  pluginId: string;
587
829
  resourceType: string;
588
- conditions: PermissionCriteria<RBACPermissionCondition>;
830
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
589
831
  }>]>;
590
832
  }, "strip", z.ZodTypeAny, {
591
833
  id: string;
592
- match: "*" | {
834
+ match: ("*" | {
835
+ name?: string | undefined;
836
+ actions?: string[] | undefined;
837
+ resourceType?: string | undefined;
838
+ }) & ("*" | {
593
839
  name?: string | undefined;
594
840
  actions?: string[] | undefined;
595
841
  resourceType?: string | undefined;
596
- };
597
- decision: "allow" | {
842
+ } | undefined);
843
+ decision: ("allow" | {
598
844
  pluginId: string;
599
845
  resourceType: string;
600
- conditions: PermissionCriteria<RBACPermissionCondition>;
601
- } | "deny";
846
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
847
+ } | "deny") & ("allow" | {
848
+ pluginId: string;
849
+ resourceType: string;
850
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
851
+ } | "deny" | undefined);
602
852
  }, {
603
- id?: string | undefined;
604
- match: "*" | {
853
+ match: ("*" | {
605
854
  name?: string | undefined;
606
855
  actions?: string[] | undefined;
607
856
  resourceType?: string | undefined;
608
- };
609
- decision: "allow" | {
857
+ }) & ("*" | {
858
+ name?: string | undefined;
859
+ actions?: string[] | undefined;
860
+ resourceType?: string | undefined;
861
+ } | undefined);
862
+ decision: ("allow" | {
610
863
  pluginId: string;
611
864
  resourceType: string;
612
- conditions: PermissionCriteria<RBACPermissionCondition>;
613
- } | "deny";
865
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
866
+ } | "deny") & ("allow" | {
867
+ pluginId: string;
868
+ resourceType: string;
869
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
870
+ } | "deny" | undefined);
871
+ id?: string | undefined;
614
872
  }>, {
615
873
  id: string;
616
- match: "*" | {
874
+ match: ("*" | {
617
875
  name?: string | undefined;
618
876
  actions?: string[] | undefined;
619
877
  resourceType?: string | undefined;
620
- };
621
- decision: "allow" | {
878
+ }) & ("*" | {
879
+ name?: string | undefined;
880
+ actions?: string[] | undefined;
881
+ resourceType?: string | undefined;
882
+ } | undefined);
883
+ decision: ("allow" | {
622
884
  pluginId: string;
623
885
  resourceType: string;
624
- conditions: PermissionCriteria<RBACPermissionCondition>;
625
- } | "deny";
886
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
887
+ } | "deny") & ("allow" | {
888
+ pluginId: string;
889
+ resourceType: string;
890
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
891
+ } | "deny" | undefined);
626
892
  }, {
627
- id?: string | undefined;
628
- match: "*" | {
893
+ match: ("*" | {
894
+ name?: string | undefined;
895
+ actions?: string[] | undefined;
896
+ resourceType?: string | undefined;
897
+ }) & ("*" | {
629
898
  name?: string | undefined;
630
899
  actions?: string[] | undefined;
631
900
  resourceType?: string | undefined;
632
- };
633
- decision: "allow" | {
901
+ } | undefined);
902
+ decision: ("allow" | {
903
+ pluginId: string;
904
+ resourceType: string;
905
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
906
+ } | "deny") & ("allow" | {
634
907
  pluginId: string;
635
908
  resourceType: string;
636
- conditions: PermissionCriteria<RBACPermissionCondition>;
637
- } | "deny";
909
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
910
+ } | "deny" | undefined);
911
+ id?: string | undefined;
638
912
  }>, "many">, {
639
913
  id: string;
640
- match: "*" | {
914
+ match: ("*" | {
641
915
  name?: string | undefined;
642
916
  actions?: string[] | undefined;
643
917
  resourceType?: string | undefined;
644
- };
645
- decision: "allow" | {
918
+ }) & ("*" | {
919
+ name?: string | undefined;
920
+ actions?: string[] | undefined;
921
+ resourceType?: string | undefined;
922
+ } | undefined);
923
+ decision: ("allow" | {
924
+ pluginId: string;
925
+ resourceType: string;
926
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
927
+ } | "deny") & ("allow" | {
646
928
  pluginId: string;
647
929
  resourceType: string;
648
- conditions: PermissionCriteria<RBACPermissionCondition>;
649
- } | "deny";
930
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
931
+ } | "deny" | undefined);
650
932
  }[], {
651
- id?: string | undefined;
652
- match: "*" | {
933
+ match: ("*" | {
934
+ name?: string | undefined;
935
+ actions?: string[] | undefined;
936
+ resourceType?: string | undefined;
937
+ }) & ("*" | {
653
938
  name?: string | undefined;
654
939
  actions?: string[] | undefined;
655
940
  resourceType?: string | undefined;
656
- };
657
- decision: "allow" | {
941
+ } | undefined);
942
+ decision: ("allow" | {
943
+ pluginId: string;
944
+ resourceType: string;
945
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
946
+ } | "deny") & ("allow" | {
658
947
  pluginId: string;
659
948
  resourceType: string;
660
- conditions: PermissionCriteria<RBACPermissionCondition>;
661
- } | "deny";
949
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
950
+ } | "deny" | undefined);
951
+ id?: string | undefined;
662
952
  }[]>;
663
953
  }, "strip", z.ZodTypeAny, {
664
954
  id: string;
665
- members: string[] | "*";
955
+ members: (string[] | "*") & (string[] | "*" | undefined);
666
956
  name: string;
667
957
  permissions: {
668
958
  id: string;
669
- match: "*" | {
959
+ match: ("*" | {
670
960
  name?: string | undefined;
671
961
  actions?: string[] | undefined;
672
962
  resourceType?: string | undefined;
673
- };
674
- decision: "allow" | {
963
+ }) & ("*" | {
964
+ name?: string | undefined;
965
+ actions?: string[] | undefined;
966
+ resourceType?: string | undefined;
967
+ } | undefined);
968
+ decision: ("allow" | {
675
969
  pluginId: string;
676
970
  resourceType: string;
677
- conditions: PermissionCriteria<RBACPermissionCondition>;
678
- } | "deny";
971
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
972
+ } | "deny") & ("allow" | {
973
+ pluginId: string;
974
+ resourceType: string;
975
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
976
+ } | "deny" | undefined);
679
977
  }[];
680
978
  }, {
681
- id?: string | undefined;
682
- members: string[] | "*";
979
+ members: (string[] | "*") & (string[] | "*" | undefined);
683
980
  name: string;
684
981
  permissions: {
685
- id?: string | undefined;
686
- match: "*" | {
982
+ match: ("*" | {
983
+ name?: string | undefined;
984
+ actions?: string[] | undefined;
985
+ resourceType?: string | undefined;
986
+ }) & ("*" | {
687
987
  name?: string | undefined;
688
988
  actions?: string[] | undefined;
689
989
  resourceType?: string | undefined;
690
- };
691
- decision: "allow" | {
990
+ } | undefined);
991
+ decision: ("allow" | {
992
+ pluginId: string;
993
+ resourceType: string;
994
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
995
+ } | "deny") & ("allow" | {
692
996
  pluginId: string;
693
997
  resourceType: string;
694
- conditions: PermissionCriteria<RBACPermissionCondition>;
695
- } | "deny";
998
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
999
+ } | "deny" | undefined);
1000
+ id?: string | undefined;
696
1001
  }[];
1002
+ id?: string | undefined;
697
1003
  }>, "many">>, {
698
1004
  id: string;
699
- members: string[] | "*";
1005
+ members: (string[] | "*") & (string[] | "*" | undefined);
700
1006
  name: string;
701
1007
  permissions: {
702
1008
  id: string;
703
- match: "*" | {
1009
+ match: ("*" | {
1010
+ name?: string | undefined;
1011
+ actions?: string[] | undefined;
1012
+ resourceType?: string | undefined;
1013
+ }) & ("*" | {
704
1014
  name?: string | undefined;
705
1015
  actions?: string[] | undefined;
706
1016
  resourceType?: string | undefined;
707
- };
708
- decision: "allow" | {
1017
+ } | undefined);
1018
+ decision: ("allow" | {
1019
+ pluginId: string;
1020
+ resourceType: string;
1021
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1022
+ } | "deny") & ("allow" | {
709
1023
  pluginId: string;
710
1024
  resourceType: string;
711
- conditions: PermissionCriteria<RBACPermissionCondition>;
712
- } | "deny";
1025
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1026
+ } | "deny" | undefined);
713
1027
  }[];
714
1028
  }[], {
715
- id?: string | undefined;
716
- members: string[] | "*";
1029
+ members: (string[] | "*") & (string[] | "*" | undefined);
717
1030
  name: string;
718
1031
  permissions: {
719
- id?: string | undefined;
720
- match: "*" | {
1032
+ match: ("*" | {
1033
+ name?: string | undefined;
1034
+ actions?: string[] | undefined;
1035
+ resourceType?: string | undefined;
1036
+ }) & ("*" | {
721
1037
  name?: string | undefined;
722
1038
  actions?: string[] | undefined;
723
1039
  resourceType?: string | undefined;
724
- };
725
- decision: "allow" | {
1040
+ } | undefined);
1041
+ decision: ("allow" | {
726
1042
  pluginId: string;
727
1043
  resourceType: string;
728
- conditions: PermissionCriteria<RBACPermissionCondition>;
729
- } | "deny";
1044
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1045
+ } | "deny") & ("allow" | {
1046
+ pluginId: string;
1047
+ resourceType: string;
1048
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1049
+ } | "deny" | undefined);
1050
+ id?: string | undefined;
730
1051
  }[];
1052
+ id?: string | undefined;
731
1053
  }[] | undefined>;
732
1054
  }, "strip", z.ZodTypeAny, {
733
1055
  name: string;
1056
+ options: {
1057
+ resolutionStrategy: "first-match" | "any-allow";
1058
+ };
734
1059
  roles: {
735
1060
  id: string;
736
- members: string[] | "*";
1061
+ members: (string[] | "*") & (string[] | "*" | undefined);
737
1062
  name: string;
738
1063
  permissions: {
739
1064
  id: string;
740
- match: "*" | {
1065
+ match: ("*" | {
1066
+ name?: string | undefined;
1067
+ actions?: string[] | undefined;
1068
+ resourceType?: string | undefined;
1069
+ }) & ("*" | {
741
1070
  name?: string | undefined;
742
1071
  actions?: string[] | undefined;
743
1072
  resourceType?: string | undefined;
744
- };
745
- decision: "allow" | {
1073
+ } | undefined);
1074
+ decision: ("allow" | {
746
1075
  pluginId: string;
747
1076
  resourceType: string;
748
- conditions: PermissionCriteria<RBACPermissionCondition>;
749
- } | "deny";
1077
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1078
+ } | "deny") & ("allow" | {
1079
+ pluginId: string;
1080
+ resourceType: string;
1081
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1082
+ } | "deny" | undefined);
750
1083
  }[];
751
1084
  }[];
752
1085
  }, {
753
1086
  name?: string | undefined;
1087
+ options?: {
1088
+ resolutionStrategy: "first-match" | "any-allow";
1089
+ } | undefined;
754
1090
  roles?: {
755
- id?: string | undefined;
756
- members: string[] | "*";
1091
+ members: (string[] | "*") & (string[] | "*" | undefined);
757
1092
  name: string;
758
1093
  permissions: {
759
- id?: string | undefined;
760
- match: "*" | {
1094
+ match: ("*" | {
761
1095
  name?: string | undefined;
762
1096
  actions?: string[] | undefined;
763
1097
  resourceType?: string | undefined;
764
- };
765
- decision: "allow" | {
1098
+ }) & ("*" | {
1099
+ name?: string | undefined;
1100
+ actions?: string[] | undefined;
1101
+ resourceType?: string | undefined;
1102
+ } | undefined);
1103
+ decision: ("allow" | {
1104
+ pluginId: string;
1105
+ resourceType: string;
1106
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1107
+ } | "deny") & ("allow" | {
766
1108
  pluginId: string;
767
1109
  resourceType: string;
768
- conditions: PermissionCriteria<RBACPermissionCondition>;
769
- } | "deny";
1110
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1111
+ } | "deny" | undefined);
1112
+ id?: string | undefined;
770
1113
  }[];
1114
+ id?: string | undefined;
771
1115
  }[] | undefined;
772
1116
  }>;
773
1117
  /** @public */
774
1118
  declare const DefaultingPolicyConfigParser: z.ZodDefault<z.ZodObject<{
775
1119
  name: z.ZodDefault<z.ZodString>;
1120
+ options: z.ZodDefault<z.ZodObject<{
1121
+ resolutionStrategy: z.ZodUnion<[z.ZodLiteral<"first-match">, z.ZodLiteral<"any-allow">]>;
1122
+ }, "strip", z.ZodTypeAny, {
1123
+ resolutionStrategy: "first-match" | "any-allow";
1124
+ }, {
1125
+ resolutionStrategy: "first-match" | "any-allow";
1126
+ }>>;
776
1127
  roles: z.ZodEffects<z.ZodDefault<z.ZodArray<z.ZodObject<{
777
1128
  name: z.ZodString;
778
1129
  id: z.ZodDefault<z.ZodString>;
@@ -799,193 +1150,295 @@ declare const DefaultingPolicyConfigParser: z.ZodDefault<z.ZodObject<{
799
1150
  }, "strip", z.ZodTypeAny, {
800
1151
  pluginId: string;
801
1152
  resourceType: string;
802
- conditions: PermissionCriteria<RBACPermissionCondition>;
1153
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
803
1154
  }, {
804
1155
  pluginId: string;
805
1156
  resourceType: string;
806
- conditions: PermissionCriteria<RBACPermissionCondition>;
1157
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
807
1158
  }>]>;
808
1159
  }, "strip", z.ZodTypeAny, {
809
1160
  id: string;
810
- match: "*" | {
1161
+ match: ("*" | {
1162
+ name?: string | undefined;
1163
+ actions?: string[] | undefined;
1164
+ resourceType?: string | undefined;
1165
+ }) & ("*" | {
811
1166
  name?: string | undefined;
812
1167
  actions?: string[] | undefined;
813
1168
  resourceType?: string | undefined;
814
- };
815
- decision: "allow" | {
1169
+ } | undefined);
1170
+ decision: ("allow" | {
816
1171
  pluginId: string;
817
1172
  resourceType: string;
818
- conditions: PermissionCriteria<RBACPermissionCondition>;
819
- } | "deny";
1173
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1174
+ } | "deny") & ("allow" | {
1175
+ pluginId: string;
1176
+ resourceType: string;
1177
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1178
+ } | "deny" | undefined);
820
1179
  }, {
821
- id?: string | undefined;
822
- match: "*" | {
1180
+ match: ("*" | {
1181
+ name?: string | undefined;
1182
+ actions?: string[] | undefined;
1183
+ resourceType?: string | undefined;
1184
+ }) & ("*" | {
823
1185
  name?: string | undefined;
824
1186
  actions?: string[] | undefined;
825
1187
  resourceType?: string | undefined;
826
- };
827
- decision: "allow" | {
1188
+ } | undefined);
1189
+ decision: ("allow" | {
1190
+ pluginId: string;
1191
+ resourceType: string;
1192
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1193
+ } | "deny") & ("allow" | {
828
1194
  pluginId: string;
829
1195
  resourceType: string;
830
- conditions: PermissionCriteria<RBACPermissionCondition>;
831
- } | "deny";
1196
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1197
+ } | "deny" | undefined);
1198
+ id?: string | undefined;
832
1199
  }>, {
833
1200
  id: string;
834
- match: "*" | {
1201
+ match: ("*" | {
1202
+ name?: string | undefined;
1203
+ actions?: string[] | undefined;
1204
+ resourceType?: string | undefined;
1205
+ }) & ("*" | {
835
1206
  name?: string | undefined;
836
1207
  actions?: string[] | undefined;
837
1208
  resourceType?: string | undefined;
838
- };
839
- decision: "allow" | {
1209
+ } | undefined);
1210
+ decision: ("allow" | {
840
1211
  pluginId: string;
841
1212
  resourceType: string;
842
- conditions: PermissionCriteria<RBACPermissionCondition>;
843
- } | "deny";
1213
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1214
+ } | "deny") & ("allow" | {
1215
+ pluginId: string;
1216
+ resourceType: string;
1217
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1218
+ } | "deny" | undefined);
844
1219
  }, {
845
- id?: string | undefined;
846
- match: "*" | {
1220
+ match: ("*" | {
1221
+ name?: string | undefined;
1222
+ actions?: string[] | undefined;
1223
+ resourceType?: string | undefined;
1224
+ }) & ("*" | {
847
1225
  name?: string | undefined;
848
1226
  actions?: string[] | undefined;
849
1227
  resourceType?: string | undefined;
850
- };
851
- decision: "allow" | {
1228
+ } | undefined);
1229
+ decision: ("allow" | {
1230
+ pluginId: string;
1231
+ resourceType: string;
1232
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1233
+ } | "deny") & ("allow" | {
852
1234
  pluginId: string;
853
1235
  resourceType: string;
854
- conditions: PermissionCriteria<RBACPermissionCondition>;
855
- } | "deny";
1236
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1237
+ } | "deny" | undefined);
1238
+ id?: string | undefined;
856
1239
  }>, "many">, {
857
1240
  id: string;
858
- match: "*" | {
1241
+ match: ("*" | {
1242
+ name?: string | undefined;
1243
+ actions?: string[] | undefined;
1244
+ resourceType?: string | undefined;
1245
+ }) & ("*" | {
859
1246
  name?: string | undefined;
860
1247
  actions?: string[] | undefined;
861
1248
  resourceType?: string | undefined;
862
- };
863
- decision: "allow" | {
1249
+ } | undefined);
1250
+ decision: ("allow" | {
864
1251
  pluginId: string;
865
1252
  resourceType: string;
866
- conditions: PermissionCriteria<RBACPermissionCondition>;
867
- } | "deny";
1253
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1254
+ } | "deny") & ("allow" | {
1255
+ pluginId: string;
1256
+ resourceType: string;
1257
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1258
+ } | "deny" | undefined);
868
1259
  }[], {
869
- id?: string | undefined;
870
- match: "*" | {
1260
+ match: ("*" | {
1261
+ name?: string | undefined;
1262
+ actions?: string[] | undefined;
1263
+ resourceType?: string | undefined;
1264
+ }) & ("*" | {
871
1265
  name?: string | undefined;
872
1266
  actions?: string[] | undefined;
873
1267
  resourceType?: string | undefined;
874
- };
875
- decision: "allow" | {
1268
+ } | undefined);
1269
+ decision: ("allow" | {
1270
+ pluginId: string;
1271
+ resourceType: string;
1272
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1273
+ } | "deny") & ("allow" | {
876
1274
  pluginId: string;
877
1275
  resourceType: string;
878
- conditions: PermissionCriteria<RBACPermissionCondition>;
879
- } | "deny";
1276
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1277
+ } | "deny" | undefined);
1278
+ id?: string | undefined;
880
1279
  }[]>;
881
1280
  }, "strip", z.ZodTypeAny, {
882
1281
  id: string;
883
- members: string[] | "*";
1282
+ members: (string[] | "*") & (string[] | "*" | undefined);
884
1283
  name: string;
885
1284
  permissions: {
886
1285
  id: string;
887
- match: "*" | {
1286
+ match: ("*" | {
1287
+ name?: string | undefined;
1288
+ actions?: string[] | undefined;
1289
+ resourceType?: string | undefined;
1290
+ }) & ("*" | {
888
1291
  name?: string | undefined;
889
1292
  actions?: string[] | undefined;
890
1293
  resourceType?: string | undefined;
891
- };
892
- decision: "allow" | {
1294
+ } | undefined);
1295
+ decision: ("allow" | {
893
1296
  pluginId: string;
894
1297
  resourceType: string;
895
- conditions: PermissionCriteria<RBACPermissionCondition>;
896
- } | "deny";
1298
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1299
+ } | "deny") & ("allow" | {
1300
+ pluginId: string;
1301
+ resourceType: string;
1302
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1303
+ } | "deny" | undefined);
897
1304
  }[];
898
1305
  }, {
899
- id?: string | undefined;
900
- members: string[] | "*";
1306
+ members: (string[] | "*") & (string[] | "*" | undefined);
901
1307
  name: string;
902
1308
  permissions: {
903
- id?: string | undefined;
904
- match: "*" | {
1309
+ match: ("*" | {
905
1310
  name?: string | undefined;
906
1311
  actions?: string[] | undefined;
907
1312
  resourceType?: string | undefined;
908
- };
909
- decision: "allow" | {
1313
+ }) & ("*" | {
1314
+ name?: string | undefined;
1315
+ actions?: string[] | undefined;
1316
+ resourceType?: string | undefined;
1317
+ } | undefined);
1318
+ decision: ("allow" | {
1319
+ pluginId: string;
1320
+ resourceType: string;
1321
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1322
+ } | "deny") & ("allow" | {
910
1323
  pluginId: string;
911
1324
  resourceType: string;
912
- conditions: PermissionCriteria<RBACPermissionCondition>;
913
- } | "deny";
1325
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1326
+ } | "deny" | undefined);
1327
+ id?: string | undefined;
914
1328
  }[];
1329
+ id?: string | undefined;
915
1330
  }>, "many">>, {
916
1331
  id: string;
917
- members: string[] | "*";
1332
+ members: (string[] | "*") & (string[] | "*" | undefined);
918
1333
  name: string;
919
1334
  permissions: {
920
1335
  id: string;
921
- match: "*" | {
1336
+ match: ("*" | {
1337
+ name?: string | undefined;
1338
+ actions?: string[] | undefined;
1339
+ resourceType?: string | undefined;
1340
+ }) & ("*" | {
922
1341
  name?: string | undefined;
923
1342
  actions?: string[] | undefined;
924
1343
  resourceType?: string | undefined;
925
- };
926
- decision: "allow" | {
1344
+ } | undefined);
1345
+ decision: ("allow" | {
1346
+ pluginId: string;
1347
+ resourceType: string;
1348
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1349
+ } | "deny") & ("allow" | {
927
1350
  pluginId: string;
928
1351
  resourceType: string;
929
- conditions: PermissionCriteria<RBACPermissionCondition>;
930
- } | "deny";
1352
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1353
+ } | "deny" | undefined);
931
1354
  }[];
932
1355
  }[], {
933
- id?: string | undefined;
934
- members: string[] | "*";
1356
+ members: (string[] | "*") & (string[] | "*" | undefined);
935
1357
  name: string;
936
1358
  permissions: {
937
- id?: string | undefined;
938
- match: "*" | {
1359
+ match: ("*" | {
1360
+ name?: string | undefined;
1361
+ actions?: string[] | undefined;
1362
+ resourceType?: string | undefined;
1363
+ }) & ("*" | {
939
1364
  name?: string | undefined;
940
1365
  actions?: string[] | undefined;
941
1366
  resourceType?: string | undefined;
942
- };
943
- decision: "allow" | {
1367
+ } | undefined);
1368
+ decision: ("allow" | {
1369
+ pluginId: string;
1370
+ resourceType: string;
1371
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1372
+ } | "deny") & ("allow" | {
944
1373
  pluginId: string;
945
1374
  resourceType: string;
946
- conditions: PermissionCriteria<RBACPermissionCondition>;
947
- } | "deny";
1375
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1376
+ } | "deny" | undefined);
1377
+ id?: string | undefined;
948
1378
  }[];
1379
+ id?: string | undefined;
949
1380
  }[] | undefined>;
950
1381
  }, "strip", z.ZodTypeAny, {
951
1382
  name: string;
1383
+ options: {
1384
+ resolutionStrategy: "first-match" | "any-allow";
1385
+ };
952
1386
  roles: {
953
1387
  id: string;
954
- members: string[] | "*";
1388
+ members: (string[] | "*") & (string[] | "*" | undefined);
955
1389
  name: string;
956
1390
  permissions: {
957
1391
  id: string;
958
- match: "*" | {
1392
+ match: ("*" | {
1393
+ name?: string | undefined;
1394
+ actions?: string[] | undefined;
1395
+ resourceType?: string | undefined;
1396
+ }) & ("*" | {
959
1397
  name?: string | undefined;
960
1398
  actions?: string[] | undefined;
961
1399
  resourceType?: string | undefined;
962
- };
963
- decision: "allow" | {
1400
+ } | undefined);
1401
+ decision: ("allow" | {
1402
+ pluginId: string;
1403
+ resourceType: string;
1404
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1405
+ } | "deny") & ("allow" | {
964
1406
  pluginId: string;
965
1407
  resourceType: string;
966
- conditions: PermissionCriteria<RBACPermissionCondition>;
967
- } | "deny";
1408
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1409
+ } | "deny" | undefined);
968
1410
  }[];
969
1411
  }[];
970
1412
  }, {
971
1413
  name?: string | undefined;
1414
+ options?: {
1415
+ resolutionStrategy: "first-match" | "any-allow";
1416
+ } | undefined;
972
1417
  roles?: {
973
- id?: string | undefined;
974
- members: string[] | "*";
1418
+ members: (string[] | "*") & (string[] | "*" | undefined);
975
1419
  name: string;
976
1420
  permissions: {
977
- id?: string | undefined;
978
- match: "*" | {
1421
+ match: ("*" | {
1422
+ name?: string | undefined;
1423
+ actions?: string[] | undefined;
1424
+ resourceType?: string | undefined;
1425
+ }) & ("*" | {
979
1426
  name?: string | undefined;
980
1427
  actions?: string[] | undefined;
981
1428
  resourceType?: string | undefined;
982
- };
983
- decision: "allow" | {
1429
+ } | undefined);
1430
+ decision: ("allow" | {
984
1431
  pluginId: string;
985
1432
  resourceType: string;
986
- conditions: PermissionCriteria<RBACPermissionCondition>;
987
- } | "deny";
1433
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1434
+ } | "deny") & ("allow" | {
1435
+ pluginId: string;
1436
+ resourceType: string;
1437
+ conditions: PermissionCriteria<RBACPermissionCondition> & (PermissionCriteria<RBACPermissionCondition> | undefined);
1438
+ } | "deny" | undefined);
1439
+ id?: string | undefined;
988
1440
  }[];
1441
+ id?: string | undefined;
989
1442
  }[] | undefined;
990
1443
  }>>;
991
1444
  /** @public */
@@ -997,36 +1450,36 @@ declare function isAnyOfPermissionCriteria(conditions: PermissionCriteria<RBACPe
997
1450
  /** @public */
998
1451
  declare function isNotPermissionCriteria(conditions: PermissionCriteria<RBACPermissionCondition>): conditions is NotCriteria<RBACPermissionCondition>;
999
1452
  /** @public */
1000
- declare type ConditionalDecision = z.infer<typeof ConditionalDecisionParser>;
1453
+ type ConditionalDecision = z.infer<typeof ConditionalDecisionParser>;
1001
1454
  /** @public */
1002
- declare type LiteralDecision = z.infer<typeof LiteralDecisionParser>;
1455
+ type LiteralDecision = z.infer<typeof LiteralDecisionParser>;
1003
1456
  /** @public */
1004
- declare type PermissionDecision = z.infer<typeof PermissionDecisionParser>;
1457
+ type PermissionDecision = z.infer<typeof PermissionDecisionParser>;
1005
1458
  /** @public */
1006
- declare type PermissionMatch = z.infer<typeof PermissionMatchParser>;
1459
+ type PermissionMatch = z.infer<typeof PermissionMatchParser>;
1007
1460
  /** @public */
1008
- declare type RolePermission = z.infer<typeof RolePermissionParser>;
1461
+ type RolePermission = z.infer<typeof RolePermissionParser>;
1009
1462
  /** @public */
1010
- declare type RolePermissions = z.infer<typeof RolePermissionsParser>;
1463
+ type RolePermissions = z.infer<typeof RolePermissionsParser>;
1011
1464
  /** @public */
1012
- declare type RawRole = z.input<typeof RoleParser>;
1465
+ type RawRole = z.input<typeof RoleParser>;
1013
1466
  /** @public */
1014
- declare type Role = z.infer<typeof RoleParser>;
1467
+ type Role = z.infer<typeof RoleParser>;
1015
1468
  /** @public */
1016
- declare type RawPolicyConfig = z.input<typeof PolicyConfigParser>;
1469
+ type RawPolicyConfig = z.input<typeof PolicyConfigParser>;
1017
1470
  /** @public */
1018
- declare type PolicyConfig = z.infer<typeof PolicyConfigParser>;
1471
+ type PolicyConfig = z.infer<typeof PolicyConfigParser>;
1472
+ /** @public */
1473
+ type PolicyRoleResolutionStrategy = z.infer<typeof PolicyRoleResolutionStrategyParser>;
1474
+ /** @public */
1475
+ type PolicyConfigOptions = z.infer<typeof PolicyConfigOptionsParser>;
1019
1476
 
1020
1477
  /** @public */
1021
- declare type Policy = {
1478
+ type Policy = PolicyConfig & {
1022
1479
  /**
1023
1480
  * Internal ID for lookups/references.
1024
1481
  */
1025
1482
  id: string;
1026
- /**
1027
- * Display name for the version.
1028
- */
1029
- name: string;
1030
1483
  /**
1031
1484
  * Date that the version was created in ISO-8601 format.
1032
1485
  */
@@ -1055,10 +1508,6 @@ declare type Policy = {
1055
1508
  * Entity ref of the latest user that published the version.
1056
1509
  */
1057
1510
  lastPublishedBy?: string;
1058
- /**
1059
- * List of role configurations for policy evaluation.
1060
- */
1061
- roles: Role[];
1062
1511
  /**
1063
1512
  * Current status of the policy.
1064
1513
  */
@@ -1068,6 +1517,13 @@ declare type Policy = {
1068
1517
  /** @public */
1069
1518
  declare const CreateDraftRequestParser: z.ZodObject<{
1070
1519
  name: z.ZodDefault<z.ZodString>;
1520
+ options: z.ZodDefault<z.ZodObject<{
1521
+ resolutionStrategy: z.ZodUnion<[z.ZodLiteral<"first-match">, z.ZodLiteral<"any-allow">]>;
1522
+ }, "strip", z.ZodTypeAny, {
1523
+ resolutionStrategy: "first-match" | "any-allow";
1524
+ }, {
1525
+ resolutionStrategy: "first-match" | "any-allow";
1526
+ }>>;
1071
1527
  roles: z.ZodEffects<z.ZodDefault<z.ZodArray<z.ZodObject<{
1072
1528
  name: z.ZodString;
1073
1529
  id: z.ZodDefault<z.ZodString>;
@@ -1094,198 +1550,307 @@ declare const CreateDraftRequestParser: z.ZodObject<{
1094
1550
  }, "strip", z.ZodTypeAny, {
1095
1551
  pluginId: string;
1096
1552
  resourceType: string;
1097
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1553
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1098
1554
  }, {
1099
1555
  pluginId: string;
1100
1556
  resourceType: string;
1101
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1557
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1102
1558
  }>]>;
1103
1559
  }, "strip", z.ZodTypeAny, {
1104
1560
  id: string;
1105
- match: "*" | {
1561
+ match: ("*" | {
1562
+ name?: string | undefined;
1563
+ actions?: string[] | undefined;
1564
+ resourceType?: string | undefined;
1565
+ }) & ("*" | {
1106
1566
  name?: string | undefined;
1107
1567
  actions?: string[] | undefined;
1108
1568
  resourceType?: string | undefined;
1109
- };
1110
- decision: "allow" | {
1569
+ } | undefined);
1570
+ decision: ("allow" | {
1111
1571
  pluginId: string;
1112
1572
  resourceType: string;
1113
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1114
- } | "deny";
1573
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1574
+ } | "deny") & ("allow" | {
1575
+ pluginId: string;
1576
+ resourceType: string;
1577
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1578
+ } | "deny" | undefined);
1115
1579
  }, {
1116
- id?: string | undefined;
1117
- match: "*" | {
1580
+ match: ("*" | {
1581
+ name?: string | undefined;
1582
+ actions?: string[] | undefined;
1583
+ resourceType?: string | undefined;
1584
+ }) & ("*" | {
1118
1585
  name?: string | undefined;
1119
1586
  actions?: string[] | undefined;
1120
1587
  resourceType?: string | undefined;
1121
- };
1122
- decision: "allow" | {
1588
+ } | undefined);
1589
+ decision: ("allow" | {
1590
+ pluginId: string;
1591
+ resourceType: string;
1592
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1593
+ } | "deny") & ("allow" | {
1123
1594
  pluginId: string;
1124
1595
  resourceType: string;
1125
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1126
- } | "deny";
1596
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1597
+ } | "deny" | undefined);
1598
+ id?: string | undefined;
1127
1599
  }>, {
1128
1600
  id: string;
1129
- match: "*" | {
1601
+ match: ("*" | {
1602
+ name?: string | undefined;
1603
+ actions?: string[] | undefined;
1604
+ resourceType?: string | undefined;
1605
+ }) & ("*" | {
1130
1606
  name?: string | undefined;
1131
1607
  actions?: string[] | undefined;
1132
1608
  resourceType?: string | undefined;
1133
- };
1134
- decision: "allow" | {
1609
+ } | undefined);
1610
+ decision: ("allow" | {
1135
1611
  pluginId: string;
1136
1612
  resourceType: string;
1137
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1138
- } | "deny";
1613
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1614
+ } | "deny") & ("allow" | {
1615
+ pluginId: string;
1616
+ resourceType: string;
1617
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1618
+ } | "deny" | undefined);
1139
1619
  }, {
1140
- id?: string | undefined;
1141
- match: "*" | {
1620
+ match: ("*" | {
1621
+ name?: string | undefined;
1622
+ actions?: string[] | undefined;
1623
+ resourceType?: string | undefined;
1624
+ }) & ("*" | {
1142
1625
  name?: string | undefined;
1143
1626
  actions?: string[] | undefined;
1144
1627
  resourceType?: string | undefined;
1145
- };
1146
- decision: "allow" | {
1628
+ } | undefined);
1629
+ decision: ("allow" | {
1630
+ pluginId: string;
1631
+ resourceType: string;
1632
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1633
+ } | "deny") & ("allow" | {
1147
1634
  pluginId: string;
1148
1635
  resourceType: string;
1149
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1150
- } | "deny";
1636
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1637
+ } | "deny" | undefined);
1638
+ id?: string | undefined;
1151
1639
  }>, "many">, {
1152
1640
  id: string;
1153
- match: "*" | {
1641
+ match: ("*" | {
1642
+ name?: string | undefined;
1643
+ actions?: string[] | undefined;
1644
+ resourceType?: string | undefined;
1645
+ }) & ("*" | {
1154
1646
  name?: string | undefined;
1155
1647
  actions?: string[] | undefined;
1156
1648
  resourceType?: string | undefined;
1157
- };
1158
- decision: "allow" | {
1649
+ } | undefined);
1650
+ decision: ("allow" | {
1159
1651
  pluginId: string;
1160
1652
  resourceType: string;
1161
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1162
- } | "deny";
1653
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1654
+ } | "deny") & ("allow" | {
1655
+ pluginId: string;
1656
+ resourceType: string;
1657
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1658
+ } | "deny" | undefined);
1163
1659
  }[], {
1164
- id?: string | undefined;
1165
- match: "*" | {
1660
+ match: ("*" | {
1661
+ name?: string | undefined;
1662
+ actions?: string[] | undefined;
1663
+ resourceType?: string | undefined;
1664
+ }) & ("*" | {
1166
1665
  name?: string | undefined;
1167
1666
  actions?: string[] | undefined;
1168
1667
  resourceType?: string | undefined;
1169
- };
1170
- decision: "allow" | {
1668
+ } | undefined);
1669
+ decision: ("allow" | {
1670
+ pluginId: string;
1671
+ resourceType: string;
1672
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1673
+ } | "deny") & ("allow" | {
1171
1674
  pluginId: string;
1172
1675
  resourceType: string;
1173
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1174
- } | "deny";
1676
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1677
+ } | "deny" | undefined);
1678
+ id?: string | undefined;
1175
1679
  }[]>;
1176
1680
  }, "strip", z.ZodTypeAny, {
1177
1681
  id: string;
1178
- members: string[] | "*";
1682
+ members: (string[] | "*") & (string[] | "*" | undefined);
1179
1683
  name: string;
1180
1684
  permissions: {
1181
1685
  id: string;
1182
- match: "*" | {
1686
+ match: ("*" | {
1687
+ name?: string | undefined;
1688
+ actions?: string[] | undefined;
1689
+ resourceType?: string | undefined;
1690
+ }) & ("*" | {
1183
1691
  name?: string | undefined;
1184
1692
  actions?: string[] | undefined;
1185
1693
  resourceType?: string | undefined;
1186
- };
1187
- decision: "allow" | {
1694
+ } | undefined);
1695
+ decision: ("allow" | {
1188
1696
  pluginId: string;
1189
1697
  resourceType: string;
1190
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1191
- } | "deny";
1698
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1699
+ } | "deny") & ("allow" | {
1700
+ pluginId: string;
1701
+ resourceType: string;
1702
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1703
+ } | "deny" | undefined);
1192
1704
  }[];
1193
1705
  }, {
1194
- id?: string | undefined;
1195
- members: string[] | "*";
1706
+ members: (string[] | "*") & (string[] | "*" | undefined);
1196
1707
  name: string;
1197
1708
  permissions: {
1198
- id?: string | undefined;
1199
- match: "*" | {
1709
+ match: ("*" | {
1200
1710
  name?: string | undefined;
1201
1711
  actions?: string[] | undefined;
1202
1712
  resourceType?: string | undefined;
1203
- };
1204
- decision: "allow" | {
1713
+ }) & ("*" | {
1714
+ name?: string | undefined;
1715
+ actions?: string[] | undefined;
1716
+ resourceType?: string | undefined;
1717
+ } | undefined);
1718
+ decision: ("allow" | {
1719
+ pluginId: string;
1720
+ resourceType: string;
1721
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1722
+ } | "deny") & ("allow" | {
1205
1723
  pluginId: string;
1206
1724
  resourceType: string;
1207
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1208
- } | "deny";
1725
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1726
+ } | "deny" | undefined);
1727
+ id?: string | undefined;
1209
1728
  }[];
1729
+ id?: string | undefined;
1210
1730
  }>, "many">>, {
1211
1731
  id: string;
1212
- members: string[] | "*";
1732
+ members: (string[] | "*") & (string[] | "*" | undefined);
1213
1733
  name: string;
1214
1734
  permissions: {
1215
1735
  id: string;
1216
- match: "*" | {
1736
+ match: ("*" | {
1737
+ name?: string | undefined;
1738
+ actions?: string[] | undefined;
1739
+ resourceType?: string | undefined;
1740
+ }) & ("*" | {
1217
1741
  name?: string | undefined;
1218
1742
  actions?: string[] | undefined;
1219
1743
  resourceType?: string | undefined;
1220
- };
1221
- decision: "allow" | {
1744
+ } | undefined);
1745
+ decision: ("allow" | {
1746
+ pluginId: string;
1747
+ resourceType: string;
1748
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1749
+ } | "deny") & ("allow" | {
1222
1750
  pluginId: string;
1223
1751
  resourceType: string;
1224
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1225
- } | "deny";
1752
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1753
+ } | "deny" | undefined);
1226
1754
  }[];
1227
1755
  }[], {
1228
- id?: string | undefined;
1229
- members: string[] | "*";
1756
+ members: (string[] | "*") & (string[] | "*" | undefined);
1230
1757
  name: string;
1231
1758
  permissions: {
1232
- id?: string | undefined;
1233
- match: "*" | {
1759
+ match: ("*" | {
1760
+ name?: string | undefined;
1761
+ actions?: string[] | undefined;
1762
+ resourceType?: string | undefined;
1763
+ }) & ("*" | {
1234
1764
  name?: string | undefined;
1235
1765
  actions?: string[] | undefined;
1236
1766
  resourceType?: string | undefined;
1237
- };
1238
- decision: "allow" | {
1767
+ } | undefined);
1768
+ decision: ("allow" | {
1769
+ pluginId: string;
1770
+ resourceType: string;
1771
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1772
+ } | "deny") & ("allow" | {
1239
1773
  pluginId: string;
1240
1774
  resourceType: string;
1241
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1242
- } | "deny";
1775
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1776
+ } | "deny" | undefined);
1777
+ id?: string | undefined;
1243
1778
  }[];
1779
+ id?: string | undefined;
1244
1780
  }[] | undefined>;
1245
1781
  }, "strip", z.ZodTypeAny, {
1246
1782
  name: string;
1783
+ options: {
1784
+ resolutionStrategy: "first-match" | "any-allow";
1785
+ };
1247
1786
  roles: {
1248
1787
  id: string;
1249
- members: string[] | "*";
1788
+ members: (string[] | "*") & (string[] | "*" | undefined);
1250
1789
  name: string;
1251
1790
  permissions: {
1252
1791
  id: string;
1253
- match: "*" | {
1792
+ match: ("*" | {
1793
+ name?: string | undefined;
1794
+ actions?: string[] | undefined;
1795
+ resourceType?: string | undefined;
1796
+ }) & ("*" | {
1254
1797
  name?: string | undefined;
1255
1798
  actions?: string[] | undefined;
1256
1799
  resourceType?: string | undefined;
1257
- };
1258
- decision: "allow" | {
1800
+ } | undefined);
1801
+ decision: ("allow" | {
1802
+ pluginId: string;
1803
+ resourceType: string;
1804
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1805
+ } | "deny") & ("allow" | {
1259
1806
  pluginId: string;
1260
1807
  resourceType: string;
1261
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1262
- } | "deny";
1808
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1809
+ } | "deny" | undefined);
1263
1810
  }[];
1264
1811
  }[];
1265
1812
  }, {
1266
1813
  name?: string | undefined;
1814
+ options?: {
1815
+ resolutionStrategy: "first-match" | "any-allow";
1816
+ } | undefined;
1267
1817
  roles?: {
1268
- id?: string | undefined;
1269
- members: string[] | "*";
1818
+ members: (string[] | "*") & (string[] | "*" | undefined);
1270
1819
  name: string;
1271
1820
  permissions: {
1272
- id?: string | undefined;
1273
- match: "*" | {
1821
+ match: ("*" | {
1822
+ name?: string | undefined;
1823
+ actions?: string[] | undefined;
1824
+ resourceType?: string | undefined;
1825
+ }) & ("*" | {
1274
1826
  name?: string | undefined;
1275
1827
  actions?: string[] | undefined;
1276
1828
  resourceType?: string | undefined;
1277
- };
1278
- decision: "allow" | {
1829
+ } | undefined);
1830
+ decision: ("allow" | {
1279
1831
  pluginId: string;
1280
1832
  resourceType: string;
1281
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1282
- } | "deny";
1833
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1834
+ } | "deny") & ("allow" | {
1835
+ pluginId: string;
1836
+ resourceType: string;
1837
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1838
+ } | "deny" | undefined);
1839
+ id?: string | undefined;
1283
1840
  }[];
1841
+ id?: string | undefined;
1284
1842
  }[] | undefined;
1285
1843
  }>;
1286
1844
  /** @public */
1287
1845
  declare const UpdateDraftRequestParser: z.ZodObject<{
1288
1846
  name: z.ZodOptional<z.ZodDefault<z.ZodString>>;
1847
+ options: z.ZodOptional<z.ZodDefault<z.ZodObject<{
1848
+ resolutionStrategy: z.ZodUnion<[z.ZodLiteral<"first-match">, z.ZodLiteral<"any-allow">]>;
1849
+ }, "strip", z.ZodTypeAny, {
1850
+ resolutionStrategy: "first-match" | "any-allow";
1851
+ }, {
1852
+ resolutionStrategy: "first-match" | "any-allow";
1853
+ }>>>;
1289
1854
  roles: z.ZodOptional<z.ZodEffects<z.ZodDefault<z.ZodArray<z.ZodObject<{
1290
1855
  name: z.ZodString;
1291
1856
  id: z.ZodDefault<z.ZodString>;
@@ -1312,193 +1877,295 @@ declare const UpdateDraftRequestParser: z.ZodObject<{
1312
1877
  }, "strip", z.ZodTypeAny, {
1313
1878
  pluginId: string;
1314
1879
  resourceType: string;
1315
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1880
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1316
1881
  }, {
1317
1882
  pluginId: string;
1318
1883
  resourceType: string;
1319
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1884
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1320
1885
  }>]>;
1321
1886
  }, "strip", z.ZodTypeAny, {
1322
1887
  id: string;
1323
- match: "*" | {
1888
+ match: ("*" | {
1889
+ name?: string | undefined;
1890
+ actions?: string[] | undefined;
1891
+ resourceType?: string | undefined;
1892
+ }) & ("*" | {
1324
1893
  name?: string | undefined;
1325
1894
  actions?: string[] | undefined;
1326
1895
  resourceType?: string | undefined;
1327
- };
1328
- decision: "allow" | {
1896
+ } | undefined);
1897
+ decision: ("allow" | {
1898
+ pluginId: string;
1899
+ resourceType: string;
1900
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1901
+ } | "deny") & ("allow" | {
1329
1902
  pluginId: string;
1330
1903
  resourceType: string;
1331
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1332
- } | "deny";
1904
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1905
+ } | "deny" | undefined);
1333
1906
  }, {
1334
- id?: string | undefined;
1335
- match: "*" | {
1907
+ match: ("*" | {
1336
1908
  name?: string | undefined;
1337
1909
  actions?: string[] | undefined;
1338
1910
  resourceType?: string | undefined;
1339
- };
1340
- decision: "allow" | {
1911
+ }) & ("*" | {
1912
+ name?: string | undefined;
1913
+ actions?: string[] | undefined;
1914
+ resourceType?: string | undefined;
1915
+ } | undefined);
1916
+ decision: ("allow" | {
1917
+ pluginId: string;
1918
+ resourceType: string;
1919
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1920
+ } | "deny") & ("allow" | {
1341
1921
  pluginId: string;
1342
1922
  resourceType: string;
1343
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1344
- } | "deny";
1923
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1924
+ } | "deny" | undefined);
1925
+ id?: string | undefined;
1345
1926
  }>, {
1346
1927
  id: string;
1347
- match: "*" | {
1928
+ match: ("*" | {
1929
+ name?: string | undefined;
1930
+ actions?: string[] | undefined;
1931
+ resourceType?: string | undefined;
1932
+ }) & ("*" | {
1348
1933
  name?: string | undefined;
1349
1934
  actions?: string[] | undefined;
1350
1935
  resourceType?: string | undefined;
1351
- };
1352
- decision: "allow" | {
1936
+ } | undefined);
1937
+ decision: ("allow" | {
1938
+ pluginId: string;
1939
+ resourceType: string;
1940
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1941
+ } | "deny") & ("allow" | {
1353
1942
  pluginId: string;
1354
1943
  resourceType: string;
1355
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1356
- } | "deny";
1944
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1945
+ } | "deny" | undefined);
1357
1946
  }, {
1358
- id?: string | undefined;
1359
- match: "*" | {
1947
+ match: ("*" | {
1360
1948
  name?: string | undefined;
1361
1949
  actions?: string[] | undefined;
1362
1950
  resourceType?: string | undefined;
1363
- };
1364
- decision: "allow" | {
1951
+ }) & ("*" | {
1952
+ name?: string | undefined;
1953
+ actions?: string[] | undefined;
1954
+ resourceType?: string | undefined;
1955
+ } | undefined);
1956
+ decision: ("allow" | {
1957
+ pluginId: string;
1958
+ resourceType: string;
1959
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1960
+ } | "deny") & ("allow" | {
1365
1961
  pluginId: string;
1366
1962
  resourceType: string;
1367
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1368
- } | "deny";
1963
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1964
+ } | "deny" | undefined);
1965
+ id?: string | undefined;
1369
1966
  }>, "many">, {
1370
1967
  id: string;
1371
- match: "*" | {
1968
+ match: ("*" | {
1969
+ name?: string | undefined;
1970
+ actions?: string[] | undefined;
1971
+ resourceType?: string | undefined;
1972
+ }) & ("*" | {
1372
1973
  name?: string | undefined;
1373
1974
  actions?: string[] | undefined;
1374
1975
  resourceType?: string | undefined;
1375
- };
1376
- decision: "allow" | {
1976
+ } | undefined);
1977
+ decision: ("allow" | {
1978
+ pluginId: string;
1979
+ resourceType: string;
1980
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1981
+ } | "deny") & ("allow" | {
1377
1982
  pluginId: string;
1378
1983
  resourceType: string;
1379
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1380
- } | "deny";
1984
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
1985
+ } | "deny" | undefined);
1381
1986
  }[], {
1382
- id?: string | undefined;
1383
- match: "*" | {
1987
+ match: ("*" | {
1384
1988
  name?: string | undefined;
1385
1989
  actions?: string[] | undefined;
1386
1990
  resourceType?: string | undefined;
1387
- };
1388
- decision: "allow" | {
1991
+ }) & ("*" | {
1992
+ name?: string | undefined;
1993
+ actions?: string[] | undefined;
1994
+ resourceType?: string | undefined;
1995
+ } | undefined);
1996
+ decision: ("allow" | {
1997
+ pluginId: string;
1998
+ resourceType: string;
1999
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2000
+ } | "deny") & ("allow" | {
1389
2001
  pluginId: string;
1390
2002
  resourceType: string;
1391
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1392
- } | "deny";
2003
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2004
+ } | "deny" | undefined);
2005
+ id?: string | undefined;
1393
2006
  }[]>;
1394
2007
  }, "strip", z.ZodTypeAny, {
1395
2008
  id: string;
1396
- members: string[] | "*";
2009
+ members: (string[] | "*") & (string[] | "*" | undefined);
1397
2010
  name: string;
1398
2011
  permissions: {
1399
2012
  id: string;
1400
- match: "*" | {
2013
+ match: ("*" | {
2014
+ name?: string | undefined;
2015
+ actions?: string[] | undefined;
2016
+ resourceType?: string | undefined;
2017
+ }) & ("*" | {
1401
2018
  name?: string | undefined;
1402
2019
  actions?: string[] | undefined;
1403
2020
  resourceType?: string | undefined;
1404
- };
1405
- decision: "allow" | {
2021
+ } | undefined);
2022
+ decision: ("allow" | {
2023
+ pluginId: string;
2024
+ resourceType: string;
2025
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2026
+ } | "deny") & ("allow" | {
1406
2027
  pluginId: string;
1407
2028
  resourceType: string;
1408
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1409
- } | "deny";
2029
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2030
+ } | "deny" | undefined);
1410
2031
  }[];
1411
2032
  }, {
1412
- id?: string | undefined;
1413
- members: string[] | "*";
2033
+ members: (string[] | "*") & (string[] | "*" | undefined);
1414
2034
  name: string;
1415
2035
  permissions: {
1416
- id?: string | undefined;
1417
- match: "*" | {
2036
+ match: ("*" | {
2037
+ name?: string | undefined;
2038
+ actions?: string[] | undefined;
2039
+ resourceType?: string | undefined;
2040
+ }) & ("*" | {
1418
2041
  name?: string | undefined;
1419
2042
  actions?: string[] | undefined;
1420
2043
  resourceType?: string | undefined;
1421
- };
1422
- decision: "allow" | {
2044
+ } | undefined);
2045
+ decision: ("allow" | {
1423
2046
  pluginId: string;
1424
2047
  resourceType: string;
1425
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1426
- } | "deny";
2048
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2049
+ } | "deny") & ("allow" | {
2050
+ pluginId: string;
2051
+ resourceType: string;
2052
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2053
+ } | "deny" | undefined);
2054
+ id?: string | undefined;
1427
2055
  }[];
2056
+ id?: string | undefined;
1428
2057
  }>, "many">>, {
1429
2058
  id: string;
1430
- members: string[] | "*";
2059
+ members: (string[] | "*") & (string[] | "*" | undefined);
1431
2060
  name: string;
1432
2061
  permissions: {
1433
2062
  id: string;
1434
- match: "*" | {
2063
+ match: ("*" | {
1435
2064
  name?: string | undefined;
1436
2065
  actions?: string[] | undefined;
1437
2066
  resourceType?: string | undefined;
1438
- };
1439
- decision: "allow" | {
2067
+ }) & ("*" | {
2068
+ name?: string | undefined;
2069
+ actions?: string[] | undefined;
2070
+ resourceType?: string | undefined;
2071
+ } | undefined);
2072
+ decision: ("allow" | {
2073
+ pluginId: string;
2074
+ resourceType: string;
2075
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2076
+ } | "deny") & ("allow" | {
1440
2077
  pluginId: string;
1441
2078
  resourceType: string;
1442
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1443
- } | "deny";
2079
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2080
+ } | "deny" | undefined);
1444
2081
  }[];
1445
2082
  }[], {
1446
- id?: string | undefined;
1447
- members: string[] | "*";
2083
+ members: (string[] | "*") & (string[] | "*" | undefined);
1448
2084
  name: string;
1449
2085
  permissions: {
1450
- id?: string | undefined;
1451
- match: "*" | {
2086
+ match: ("*" | {
2087
+ name?: string | undefined;
2088
+ actions?: string[] | undefined;
2089
+ resourceType?: string | undefined;
2090
+ }) & ("*" | {
1452
2091
  name?: string | undefined;
1453
2092
  actions?: string[] | undefined;
1454
2093
  resourceType?: string | undefined;
1455
- };
1456
- decision: "allow" | {
2094
+ } | undefined);
2095
+ decision: ("allow" | {
2096
+ pluginId: string;
2097
+ resourceType: string;
2098
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2099
+ } | "deny") & ("allow" | {
1457
2100
  pluginId: string;
1458
2101
  resourceType: string;
1459
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1460
- } | "deny";
2102
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2103
+ } | "deny" | undefined);
2104
+ id?: string | undefined;
1461
2105
  }[];
2106
+ id?: string | undefined;
1462
2107
  }[] | undefined>>;
1463
2108
  }, "strip", z.ZodTypeAny, {
1464
2109
  name?: string | undefined;
2110
+ options?: {
2111
+ resolutionStrategy: "first-match" | "any-allow";
2112
+ } | undefined;
1465
2113
  roles?: {
1466
2114
  id: string;
1467
- members: string[] | "*";
2115
+ members: (string[] | "*") & (string[] | "*" | undefined);
1468
2116
  name: string;
1469
2117
  permissions: {
1470
2118
  id: string;
1471
- match: "*" | {
2119
+ match: ("*" | {
2120
+ name?: string | undefined;
2121
+ actions?: string[] | undefined;
2122
+ resourceType?: string | undefined;
2123
+ }) & ("*" | {
1472
2124
  name?: string | undefined;
1473
2125
  actions?: string[] | undefined;
1474
2126
  resourceType?: string | undefined;
1475
- };
1476
- decision: "allow" | {
2127
+ } | undefined);
2128
+ decision: ("allow" | {
2129
+ pluginId: string;
2130
+ resourceType: string;
2131
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2132
+ } | "deny") & ("allow" | {
1477
2133
  pluginId: string;
1478
2134
  resourceType: string;
1479
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1480
- } | "deny";
2135
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2136
+ } | "deny" | undefined);
1481
2137
  }[];
1482
2138
  }[] | undefined;
1483
2139
  }, {
1484
2140
  name?: string | undefined;
2141
+ options?: {
2142
+ resolutionStrategy: "first-match" | "any-allow";
2143
+ } | undefined;
1485
2144
  roles?: {
1486
- id?: string | undefined;
1487
- members: string[] | "*";
2145
+ members: (string[] | "*") & (string[] | "*" | undefined);
1488
2146
  name: string;
1489
2147
  permissions: {
1490
- id?: string | undefined;
1491
- match: "*" | {
2148
+ match: ("*" | {
2149
+ name?: string | undefined;
2150
+ actions?: string[] | undefined;
2151
+ resourceType?: string | undefined;
2152
+ }) & ("*" | {
1492
2153
  name?: string | undefined;
1493
2154
  actions?: string[] | undefined;
1494
2155
  resourceType?: string | undefined;
1495
- };
1496
- decision: "allow" | {
2156
+ } | undefined);
2157
+ decision: ("allow" | {
1497
2158
  pluginId: string;
1498
2159
  resourceType: string;
1499
- conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition>;
1500
- } | "deny";
2160
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2161
+ } | "deny") & ("allow" | {
2162
+ pluginId: string;
2163
+ resourceType: string;
2164
+ conditions: _backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> & (_backstage_plugin_permission_common.PermissionCriteria<RBACPermissionCondition> | undefined);
2165
+ } | "deny" | undefined);
2166
+ id?: string | undefined;
1501
2167
  }[];
2168
+ id?: string | undefined;
1502
2169
  }[] | undefined;
1503
2170
  }>;
1504
2171
  /** @public */
@@ -1510,50 +2177,59 @@ declare const PublishVersionRequestParser: z.ZodObject<{
1510
2177
  description?: string | undefined;
1511
2178
  }>;
1512
2179
  /** @public */
1513
- declare type CreateDraftRequest = z.input<typeof CreateDraftRequestParser>;
2180
+ type CreateDraftRequest = z.input<typeof CreateDraftRequestParser>;
1514
2181
  /** @public */
1515
- declare type UpdateDraftRequest = z.input<typeof UpdateDraftRequestParser>;
2182
+ type UpdateDraftRequest = z.input<typeof UpdateDraftRequestParser>;
1516
2183
  /** @public */
1517
- declare type PublishVersionRequest = z.infer<typeof PublishVersionRequestParser>;
2184
+ type PublishVersionRequest = z.infer<typeof PublishVersionRequestParser>;
1518
2185
  /** @public */
1519
- declare type SearchMembersRequest = {
2186
+ type SearchMembersRequest = {
1520
2187
  query: string;
1521
2188
  };
1522
2189
  /** @public */
1523
- declare type AuthorizeResponse = {
2190
+ type AuthorizeResponse = {
1524
2191
  authorized: boolean;
1525
2192
  };
1526
2193
  /** @public */
1527
- declare type MemberResponse = {
2194
+ type MemberResponse = {
1528
2195
  name?: string;
1529
2196
  type: 'user' | 'group' | 'all' | 'unknown';
1530
2197
  entityRef: string;
1531
2198
  };
1532
2199
  /** @public */
1533
- declare type PolicyMember = {
2200
+ type PolicyMember = {
1534
2201
  policyId: string;
1535
2202
  members: MemberResponse[];
1536
2203
  };
1537
2204
  /** @public */
1538
- declare type SearchMembersResponse = {
2205
+ type SearchMembersResponse = {
1539
2206
  members: MemberResponse[];
1540
2207
  };
1541
2208
  /** @public */
1542
- declare type PaginatedResponse<T> = {
2209
+ type PaginatedResponse<T> = {
1543
2210
  items: T[];
1544
2211
  nextCursor?: string;
1545
2212
  prevCursor?: string;
1546
2213
  totalItems: number;
1547
2214
  };
1548
2215
  /** @public */
1549
- declare type PoliciesResponse = PaginatedResponse<Policy>;
2216
+ type PoliciesResponse = PaginatedResponse<Policy>;
1550
2217
 
1551
2218
  /** @public */
1552
2219
  declare const isMatchingPermission: (permission: Permission, match: PermissionMatch) => boolean;
2220
+ /**
2221
+ * Compares a user entity ref to an entry from a list of
2222
+ * policy members. The two refs must either match exactly,
2223
+ * or the policy member must be a wildcard (i.e. the result
2224
+ * of parsing the string "*" as an entityRef).
2225
+ *
2226
+ * @public
2227
+ */
2228
+ declare const matchesEntityRef: (userClaim: CompoundEntityRef, policyMember: CompoundEntityRef) => boolean;
1553
2229
 
1554
2230
  /** @public */
1555
- declare type MapParamsCallback = (param: PermissionRuleParam) => PermissionRuleParam;
2231
+ type MapParamsCallback = (param: PermissionRuleParam) => PermissionRuleParam;
1556
2232
  /** @public */
1557
2233
  declare function mapParams(params: PermissionRuleParams, cb: MapParamsCallback): PermissionRuleParams;
1558
2234
 
1559
- export { AuthorizeResponse, BackstageUserPlaceholder, ConditionalDecision, ConditionalDecisionParser, CreateDraftRequest, CreateDraftRequestParser, DefaultingPolicyConfigParser, LiteralDecision, LiteralDecisionParser, MapParamsCallback, MemberResponse, PaginatedResponse, PermissionConditionParser, PermissionDecision, PermissionDecisionParser, PermissionMatch, PermissionMatchParser, PoliciesResponse, Policy, PolicyConfig, PolicyConfigParser, PolicyDefaultName, PolicyMember, PolicyTitleParser, PublishVersionRequest, PublishVersionRequestParser, RBACPermissionCondition, RawPolicyConfig, RawRole, Role, RoleParser, RolePermission, RolePermissionParser, RolePermissions, RolePermissionsParser, RolesParser, SearchMembersRequest, SearchMembersResponse, UpdateDraftRequest, UpdateDraftRequestParser, isAllOfPermissionCriteria, isAnyOfPermissionCriteria, isConditionalDecision, isMatchingPermission, isNotPermissionCriteria, mapParams };
2235
+ export { AuthorizeResponse, BackstageUserPlaceholder, ConditionalDecision, ConditionalDecisionParser, CreateDraftRequest, CreateDraftRequestParser, DefaultingPolicyConfigParser, LiteralDecision, LiteralDecisionParser, MapParamsCallback, MemberResponse, PaginatedResponse, PermissionConditionParser, PermissionDecision, PermissionDecisionParser, PermissionMatch, PermissionMatchParser, PoliciesResponse, Policy, PolicyConfig, PolicyConfigOptions, PolicyConfigOptionsParser, PolicyConfigParser, PolicyDefaultName, PolicyMember, PolicyRoleResolutionStrategy, PolicyRoleResolutionStrategyParser, PolicyTitleParser, PublishVersionRequest, PublishVersionRequestParser, RBACPermissionCondition, RawPolicyConfig, RawRole, Role, RoleParser, RolePermission, RolePermissionParser, RolePermissions, RolePermissionsParser, RolesParser, SearchMembersRequest, SearchMembersResponse, UpdateDraftRequest, UpdateDraftRequestParser, isAllOfPermissionCriteria, isAnyOfPermissionCriteria, isConditionalDecision, isMatchingPermission, isNotPermissionCriteria, mapParams, matchesEntityRef };