Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: proto changes for attribute-based access control #98

Merged
merged 20 commits into from
Dec 1, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
aa7d2ff
feat: update definitions to support ABAC Conditions (#90)
jpadilla Sep 14, 2023
2b2e5ac
feat(abac): update Write API to include a condition per tuple (#95)
miparnisari Sep 15, 2023
8bd5c66
fix: fix json interface for Write API (#96)
jpadilla Sep 20, 2023
c3a581f
fix: use snake case (#99)
jpadilla Sep 26, 2023
dba5895
Re-order tuple-related fields (#97)
jpadilla Sep 29, 2023
8def830
fix: set condition name to be `condition_name` in json
rhamzeh Oct 3, 2023
e4bc967
fix: reduce stutter in `RelationshipCondition` (#103)
jpadilla Oct 13, 2023
6484aa0
chore: run workflow against base branch instead of always main (#105)
rhamzeh Oct 13, 2023
0fc8019
fix!: mark required fields as required (#104)
rhamzeh Oct 13, 2023
7c84e50
feat: increase contextual tuple limit to 20 (#92)
rhamzeh Aug 28, 2023
105d9e7
fix: add missing newline in Read API (#93)
miparnisari Aug 29, 2023
7278f42
chore(deps): bump golang.org/x/net from 0.12.0 to 0.17.0 in /proto (#…
dependabot[bot] Oct 12, 2023
9e3d648
rebuild
jpadilla Oct 13, 2023
fb9e0a8
Merge branch 'main' into feat/abac
jpadilla Oct 13, 2023
c85ea63
Merge branch 'main' into feat/abac
rhamzeh Nov 9, 2023
7161d70
refactor(write): normalize `deletes` field to TupleKeyWithoutConditio…
jon-whit Nov 22, 2023
7f9be45
refactor: modify WriteRequestWrites body (#117)
jon-whit Nov 22, 2023
abc04f2
docs: update docs for abac (#118)
miparnisari Nov 30, 2023
4281354
Merge branch 'main' into feat/abac
jon-whit Dec 1, 2023
79c1ad3
fix: mark more fields as required - add ComputedUserset (#109)
rhamzeh Dec 1, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
/docs/openapiv2/apidocs.swagger.json linguist-generated=true
*.pb.go linguist-generated=true
*.pb.*.go linguist-generated=true
go.sum linguist-generated=true
buf.lock linguist-generated=true
3 changes: 2 additions & 1 deletion .github/workflows/review.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ on:
pull_request:
branches:
- main
- feat/abac

permissions:
contents: read
Expand All @@ -21,7 +22,7 @@ jobs:
- uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1.1.3
with:
# The 'main' branch of the GitHub repository that defines the module.
against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main"
against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=${GITHUB_BASE_REF}"
- run: buf format -d --exit-code

diff-openapi:
Expand Down
404 changes: 357 additions & 47 deletions docs/openapiv2/apidocs.swagger.json

Large diffs are not rendered by default.

89 changes: 82 additions & 7 deletions openfga/v1/authzmodel.proto
Original file line number Diff line number Diff line change
Expand Up @@ -8,24 +8,33 @@ import "validate/validate.proto";

message AuthorizationModel {
string id = 1 [
(validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$"},
(google.api.field_behavior) = REQUIRED,
(validate.rules).string = {pattern: "^[ABCDEFGHJKMNPQRSTVWXYZ0-9]{26}$", ignore_empty: false},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01G5JAVJ41T49E9TT3SKVS7X1J\""}
];

string schema_version = 2 [
(google.api.field_behavior) = REQUIRED,
(validate.rules).string = {pattern: "^[1-9].[1-9]$", ignore_empty: false},
json_name = "schema_version"
];

repeated TypeDefinition type_definitions = 3 [
json_name = "type_definitions",
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "[{\"type\": \"user\"}, {\"type\":\"document\",\"relations\":{\"reader\":{\"union\":{\"child\":[{\"this\":{}},{\"computedUserset\":{\"object\":\"\",\"relation\":\"writer\"}}]}},\"writer\":{\"this\":{}}},\"metadata\":{\"relations\":{\"reader\":{\"directly_related_user_types\":[{\"type\":\"user\"}]},\"writer\":{\"directly_related_user_types\":[{\"type\":\"user\"}]}}}}]"}
];

map<string, Condition> conditions = 4 [
json_name = "conditions",
(validate.rules).map.max_pairs = 25,
(validate.rules).map.keys.string = {pattern: "^[^:#@\\s]{1,50}$", ignore_empty: false}
];
}

message TypeDefinition {
string type = 1 [
(validate.rules).string = {pattern: "^[^:#@\\s]{1,254}$"},
(validate.rules).string = {pattern: "^[^:#@\\s]{1,254}$", ignore_empty: false},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"document\""}
];
Expand All @@ -40,7 +49,7 @@ message TypeDefinition {
}

message Relation {
string name = 1 [(validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$"}];
string name = 1 [(validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$", ignore_empty: false}];

Userset rewrite = 2 [
(validate.rules).message.required = true,
Expand All @@ -65,7 +74,7 @@ message RelationMetadata {
// RelationReference represents a relation of a particular object type (e.g. 'document#viewer').
message RelationReference {
string type = 1 [
(validate.rules).string = {pattern: "^[^:#@\\s]{1,254}$"},
(validate.rules).string = {pattern: "^[^:#@\\s]{1,254}$", ignore_empty: false},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"group\""}
];
Expand All @@ -81,12 +90,17 @@ message RelationReference {

Wildcard wildcard = 3;
}

// The name of a condition that is enforced over the allowed relation.
string condition = 4;
}

message Wildcard {}

message Usersets {
repeated Userset child = 1;
repeated Userset child = 1 [
(google.api.field_behavior) = REQUIRED
];
}

message Difference {
Expand Down Expand Up @@ -121,8 +135,69 @@ message ObjectRelation {
string relation = 2 [(validate.rules).string = {max_bytes: 50}];
}

message ComputedUserset {
string relation = 1 [
(google.api.field_behavior) = REQUIRED,
(validate.rules).string = {max_bytes: 50, ignore_empty: false}
];
}

message TupleToUserset {
// The target object/relation
ObjectRelation tupleset = 1;
ObjectRelation computed_userset = 2;
ObjectRelation tupleset = 1 [
(google.api.field_behavior) = REQUIRED,
(validate.rules).message.required = true
];
ObjectRelation computed_userset = 2 [
(google.api.field_behavior) = REQUIRED,
(validate.rules).message.required = true
];
}

message Condition {
// A unique name for the condition
string name = 1 [
(google.api.field_behavior) = REQUIRED,
(validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$", ignore_empty: false}
];

// A Google CEL expression, expressed as a string.
string expression = 2 [
(google.api.field_behavior) = REQUIRED,
(validate.rules).string = {max_bytes: 512, ignore_empty: false}
];

// A map of parameter names to the parameter's defined type reference.
map<string, ConditionParamTypeRef> parameters = 3 [
(validate.rules).map.max_pairs = 25,
(validate.rules).map.keys.string = {pattern: "^[^:#@\\s]{1,50}$"}
];
}

message ConditionParamTypeRef {
enum TypeName {
TYPE_NAME_UNSPECIFIED = 0;
TYPE_NAME_ANY = 1;
TYPE_NAME_BOOL = 2;
TYPE_NAME_STRING = 3;
TYPE_NAME_INT = 4;
TYPE_NAME_UINT = 5;
TYPE_NAME_DOUBLE = 6;
TYPE_NAME_DURATION = 7;
TYPE_NAME_TIMESTAMP = 8;
TYPE_NAME_MAP = 9;
TYPE_NAME_LIST = 10;
TYPE_NAME_IPADDRESS = 11;
}

TypeName type_name = 1 [
json_name = "type_name",
(google.api.field_behavior) = REQUIRED,
(validate.rules).enum.defined_only = true
];

repeated ConditionParamTypeRef generic_types = 2 [
json_name = "generic_types",
(validate.rules).repeated.max_items = 5
];
}
Loading
Loading