diff --git a/dart/lib/src/cedar_cork.dart b/dart/lib/src/cedar_cork.dart
index 4e96258..81d6ab0 100644
--- a/dart/lib/src/cedar_cork.dart
+++ b/dart/lib/src/cedar_cork.dart
@@ -30,11 +30,8 @@ extension type CedarCorkBuilder(CorkBuilder _builder) implements CorkBuilder {
 }
 @redeclare
- void addCaveat(cedar.CedarPolicy policy) {
- if (policy.effect != cedar.CedarPolicyEffect.forbid) {
- throw ArgumentError('Only forbid policies are allowed as caveats.');
- }
- _builder.addCaveat(policy.toProto());
+ void addCaveat(cedar.JsonExpr caveat) {
+ _builder.addCaveat(caveat.toProto());
 }
 }
@@ -81,8 +78,8 @@ extension type CedarCork(Cork _cork) implements Cork {
 }
 @redeclare
- List get caveats => UnmodifiableListView([
+ List get caveats => UnmodifiableListView([
 for (final caveat in _cork.caveats)
- proto.Policy().unpackAny(caveat).fromProto(),
+ proto.Expr().unpackAny(caveat).fromProto(),
 ]);
 }
diff --git a/dart/lib/src/proto/cedar/v3/cork.pb.dart b/dart/lib/src/proto/cedar/v3/cork.pb.dart
index 0ee8384..6e57636 100644
--- a/dart/lib/src/proto/cedar/v3/cork.pb.dart
+++ b/dart/lib/src/proto/cedar/v3/cork.pb.dart
@@ -13,9 +13,9 @@ import 'dart:core' as $core;
 import 'package:protobuf/protobuf.dart' as $pb;
-import 'entity.pb.dart' as $4;
+import 'entity.pb.dart' as $3;
 import 'entity_id.pb.dart' as $0;
-import 'policy.pb.dart' as $5;
+import 'expr.pb.dart' as $4;
 /// A bearer token that can be used to make claims about an entity for the purpose
 /// of authorization and authentication w/ Cedar.
@@ -25,8 +25,8 @@ class Cork extends $pb.GeneratedMessage {
 $0.EntityId? issuer,
 $0.EntityId? bearer,
 $0.EntityId? audience,
- $4.Entity? claims,
- $core.Iterable<$5.Policy>? caveats,
+ $3.Entity? claims,
+ $core.Iterable<$4.Expr>? caveats,
 $core.List<$core.int>? signature,
 }) {
 final $result = create();
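Review bot: The `caveats` getter now unpacks every stored `Any` as `proto.Expr`, but corks issued before this change carry caveats whose type URL is `cedar.v3.Policy`, and nothing in the hunk distinguishes the two; if `unpackAny` rejects a mismatched type URL the way `Any.unpackInto` does, reading such a cork throws from a getter, whereas the Go `Caveats()` in this same commit returns nil instead. The two implementations should agree on what happens to a cork whose caveats cannot be decoded, and the getter should state it, e.g. `/// Throws [InvalidProtocolBufferException] if a stored caveat is not a [cedar.v3.Expr].` once that is confirmed against `unpackAny`. The generic type arguments on `List get caveats` appear to have been stripped in this rendering, so the declared element type cannot be checked here.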
@@ -62,8 +62,8 @@ class Cork extends $pb.GeneratedMessage { ..aOM<$0.EntityId>(2, _omitFieldNames ? '' : 'issuer', subBuilder: $0.EntityId.create) ..aOM<$0.EntityId>(3, _omitFieldNames ? '' : 'bearer', subBuilder: $0.EntityId.create) ..aOM<$0.EntityId>(4, _omitFieldNames ? '' : 'audience', subBuilder: $0.EntityId.create) - ..aOM<$4.Entity>(5, _omitFieldNames ? '' : 'claims', subBuilder: $4.Entity.create) - ..pc<$5.Policy>(6, _omitFieldNames ? '' : 'caveats', $pb.PbFieldType.PM, subBuilder: $5.Policy.create) + ..aOM<$3.Entity>(5, _omitFieldNames ? '' : 'claims', subBuilder: $3.Entity.create) + ..pc<$4.Expr>(6, _omitFieldNames ? '' : 'caveats', $pb.PbFieldType.PM, subBuilder: $4.Expr.create) ..a<$core.List<$core.int>>(999, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY) ..hasRequiredFields = false ; @@ -137,23 +137,24 @@ class Cork extends $pb.GeneratedMessage { /// Claims made about the [bearer] of the cork. @$pb.TagNumber(5) - $4.Entity get claims => $_getN(4); + $3.Entity get claims => $_getN(4); @$pb.TagNumber(5) - set claims($4.Entity v) { setField(5, v); } + set claims($3.Entity v) { setField(5, v); } @$pb.TagNumber(5) $core.bool hasClaims() => $_has(4); @$pb.TagNumber(5) void clearClaims() => clearField(5); @$pb.TagNumber(5) - $4.Entity ensureClaims() => $_ensure(4); + $3.Entity ensureClaims() => $_ensure(4); /// The caveats to this cork's validity and usage. /// - /// /// Caveats are structured conditions which must be met for the cork to be considered /// valid and for its claims to be considered true. + /// + /// Effectively, these form the body of a `forbid unless` policy AND'd together. @$pb.TagNumber(6) - $core.List<$5.Policy> get caveats => $_getList(5); + $core.List<$4.Expr> get caveats => $_getList(5); /// The final signature of the cork. @$pb.TagNumber(999) diff --git a/dart/lib/src/proto/cedar/v3/cork.pbjson.dart b/dart/lib/src/proto/cedar/v3/cork.pbjson.dart index 6b03fb1..9d34a76 100644 --- a/dart/lib/src/proto/cedar/v3/cork.pbjson.dart 
+++ b/dart/lib/src/proto/cedar/v3/cork.pbjson.dart @@ -22,7 +22,7 @@ const Cork$json = { {'1': 'bearer', '3': 3, '4': 1, '5': 11, '6': '.cedar.v3.EntityId', '10': 'bearer'}, {'1': 'audience', '3': 4, '4': 1, '5': 11, '6': '.cedar.v3.EntityId', '9': 0, '10': 'audience', '17': true}, {'1': 'claims', '3': 5, '4': 1, '5': 11, '6': '.cedar.v3.Entity', '9': 1, '10': 'claims', '17': true}, - {'1': 'caveats', '3': 6, '4': 3, '5': 11, '6': '.cedar.v3.Policy', '10': 'caveats'}, + {'1': 'caveats', '3': 6, '4': 3, '5': 11, '6': '.cedar.v3.Expr', '10': 'caveats'}, {'1': 'signature', '3': 999, '4': 1, '5': 12, '10': 'signature'}, ], '8': [ @@ -36,7 +36,7 @@ final $typed_data.Uint8List corkDescriptor = $convert.base64Decode( 'CgRDb3JrEg4KAmlkGAEgASgMUgJpZBIqCgZpc3N1ZXIYAiABKAsyEi5jZWRhci52My5FbnRpdH' 'lJZFIGaXNzdWVyEioKBmJlYXJlchgDIAEoCzISLmNlZGFyLnYzLkVudGl0eUlkUgZiZWFyZXIS' 'MwoIYXVkaWVuY2UYBCABKAsyEi5jZWRhci52My5FbnRpdHlJZEgAUghhdWRpZW5jZYgBARItCg' - 'ZjbGFpbXMYBSABKAsyEC5jZWRhci52My5FbnRpdHlIAVIGY2xhaW1ziAEBEioKB2NhdmVhdHMY' - 'BiADKAsyEC5jZWRhci52My5Qb2xpY3lSB2NhdmVhdHMSHQoJc2lnbmF0dXJlGOcHIAEoDFIJc2' - 'lnbmF0dXJlQgsKCV9hdWRpZW5jZUIJCgdfY2xhaW1z'); + 'ZjbGFpbXMYBSABKAsyEC5jZWRhci52My5FbnRpdHlIAVIGY2xhaW1ziAEBEigKB2NhdmVhdHMY' + 'BiADKAsyDi5jZWRhci52My5FeHByUgdjYXZlYXRzEh0KCXNpZ25hdHVyZRjnByABKAxSCXNpZ2' + '5hdHVyZUILCglfYXVkaWVuY2VCCQoHX2NsYWltcw=='); diff --git a/dart/lib/src/proto/cedar/v3/policy.pb.dart b/dart/lib/src/proto/cedar/v3/policy.pb.dart index 39c6947..3e076ed 100644 --- a/dart/lib/src/proto/cedar/v3/policy.pb.dart +++ b/dart/lib/src/proto/cedar/v3/policy.pb.dart @@ -14,7 +14,7 @@ import 'dart:core' as $core; import 'package:protobuf/protobuf.dart' as $pb; import 'entity_id.pb.dart' as $0; -import 'expr.pb.dart' as $3; +import 'expr.pb.dart' as $4; import 'policy.pbenum.dart'; export 'policy.pbenum.dart'; 
@@ -428,7 +428,7 @@ class PolicyResource extends $pb.GeneratedMessage { class PolicyCondition extends $pb.GeneratedMessage { factory PolicyCondition({ PolicyConditionKind? kind, - $3.Expr? body, + $4.Expr? body, }) { final $result = create(); if (kind != null) { @@ -445,7 +445,7 @@ class PolicyCondition extends $pb.GeneratedMessage { static final $pb.BuilderInfo _i = $pb.BuilderInfo(_omitMessageNames ? '' : 'PolicyCondition', package: const $pb.PackageName(_omitMessageNames ? '' : 'cedar.v3'), createEmptyInstance: create) ..e(1, _omitFieldNames ? '' : 'kind', $pb.PbFieldType.OE, defaultOrMaker: PolicyConditionKind.POLICY_CONDITION_KIND_UNSPECIFIED, valueOf: PolicyConditionKind.valueOf, enumValues: PolicyConditionKind.values) - ..aOM<$3.Expr>(2, _omitFieldNames ? '' : 'body', subBuilder: $3.Expr.create) + ..aOM<$4.Expr>(2, _omitFieldNames ? '' : 'body', subBuilder: $4.Expr.create) ..hasRequiredFields = false ; @@ -480,15 +480,15 @@ class PolicyCondition extends $pb.GeneratedMessage { void clearKind() => clearField(1); @$pb.TagNumber(2) - $3.Expr get body => $_getN(1); + $4.Expr get body => $_getN(1); @$pb.TagNumber(2) - set body($3.Expr v) { setField(2, v); } + set body($4.Expr v) { setField(2, v); } @$pb.TagNumber(2) $core.bool hasBody() => $_has(1); @$pb.TagNumber(2) void clearBody() => clearField(2); @$pb.TagNumber(2) - $3.Expr ensureBody() => $_ensure(1); + $4.Expr ensureBody() => $_ensure(1); } diff --git a/dart/lib/src/proto/corks/v1/cork.pb.dart b/dart/lib/src/proto/corks/v1/cork.pb.dart index eb475ef..97dfc91 100644 --- a/dart/lib/src/proto/corks/v1/cork.pb.dart +++ b/dart/lib/src/proto/corks/v1/cork.pb.dart @@ -13,7 +13,7 @@ import 'dart:core' as $core; import 'package:protobuf/protobuf.dart' as $pb; -import '../../google/protobuf/any.pb.dart' as $6; +import '../../google/protobuf/any.pb.dart' as $5; /// Encodes a cork's metadata and its signature. /// 
@@ -25,11 +25,11 @@ import '../../google/protobuf/any.pb.dart' as $6; class Cork extends $pb.GeneratedMessage { factory Cork({ $core.List<$core.int>? id, - $6.Any? issuer, - $6.Any? bearer, - $6.Any? audience, - $6.Any? claims, - $core.Iterable<$6.Any>? caveats, + $5.Any? issuer, + $5.Any? bearer, + $5.Any? audience, + $5.Any? claims, + $core.Iterable<$5.Any>? caveats, $core.List<$core.int>? signature, }) { final $result = create(); @@ -62,11 +62,11 @@ class Cork extends $pb.GeneratedMessage { static final $pb.BuilderInfo _i = $pb.BuilderInfo(_omitMessageNames ? '' : 'Cork', package: const $pb.PackageName(_omitMessageNames ? '' : 'corks.v1'), createEmptyInstance: create) ..a<$core.List<$core.int>>(1, _omitFieldNames ? '' : 'id', $pb.PbFieldType.OY) - ..aOM<$6.Any>(2, _omitFieldNames ? '' : 'issuer', subBuilder: $6.Any.create) - ..aOM<$6.Any>(3, _omitFieldNames ? '' : 'bearer', subBuilder: $6.Any.create) - ..aOM<$6.Any>(4, _omitFieldNames ? '' : 'audience', subBuilder: $6.Any.create) - ..aOM<$6.Any>(5, _omitFieldNames ? '' : 'claims', subBuilder: $6.Any.create) - ..pc<$6.Any>(6, _omitFieldNames ? '' : 'caveats', $pb.PbFieldType.PM, subBuilder: $6.Any.create) + ..aOM<$5.Any>(2, _omitFieldNames ? '' : 'issuer', subBuilder: $5.Any.create) + ..aOM<$5.Any>(3, _omitFieldNames ? '' : 'bearer', subBuilder: $5.Any.create) + ..aOM<$5.Any>(4, _omitFieldNames ? '' : 'audience', subBuilder: $5.Any.create) + ..aOM<$5.Any>(5, _omitFieldNames ? '' : 'claims', subBuilder: $5.Any.create) + ..pc<$5.Any>(6, _omitFieldNames ? '' : 'caveats', $pb.PbFieldType.PM, subBuilder: $5.Any.create) ..a<$core.List<$core.int>>(999, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY) ..hasRequiredFields = false ; 
@@ -104,55 +104,55 @@ class Cork extends $pb.GeneratedMessage { /// The encoded issuer of the cork. @$pb.TagNumber(2) - $6.Any get issuer => $_getN(1); + $5.Any get issuer => $_getN(1); @$pb.TagNumber(2) - set issuer($6.Any v) { setField(2, v); } + set issuer($5.Any v) { setField(2, v); } @$pb.TagNumber(2) $core.bool hasIssuer() => $_has(1); @$pb.TagNumber(2) void clearIssuer() => clearField(2); @$pb.TagNumber(2) - $6.Any ensureIssuer() => $_ensure(1); + $5.Any ensureIssuer() => $_ensure(1); /// The encoded bearer of the cork. @$pb.TagNumber(3) - $6.Any get bearer => $_getN(2); + $5.Any get bearer => $_getN(2); @$pb.TagNumber(3) - set bearer($6.Any v) { setField(3, v); } + set bearer($5.Any v) { setField(3, v); } @$pb.TagNumber(3) $core.bool hasBearer() => $_has(2); @$pb.TagNumber(3) void clearBearer() => clearField(3); @$pb.TagNumber(3) - $6.Any ensureBearer() => $_ensure(2); + $5.Any ensureBearer() => $_ensure(2); /// The encoded audience of the cork. @$pb.TagNumber(4) - $6.Any get audience => $_getN(3); + $5.Any get audience => $_getN(3); @$pb.TagNumber(4) - set audience($6.Any v) { setField(4, v); } + set audience($5.Any v) { setField(4, v); } @$pb.TagNumber(4) $core.bool hasAudience() => $_has(3); @$pb.TagNumber(4) void clearAudience() => clearField(4); @$pb.TagNumber(4) - $6.Any ensureAudience() => $_ensure(3); + $5.Any ensureAudience() => $_ensure(3); /// The encoded claims of the cork. @$pb.TagNumber(5) - $6.Any get claims => $_getN(4); + $5.Any get claims => $_getN(4); @$pb.TagNumber(5) - set claims($6.Any v) { setField(5, v); } + set claims($5.Any v) { setField(5, v); } @$pb.TagNumber(5) $core.bool hasClaims() => $_has(4); @$pb.TagNumber(5) void clearClaims() => clearField(5); @$pb.TagNumber(5) - $6.Any ensureClaims() => $_ensure(4); + $5.Any ensureClaims() => $_ensure(4); /// The encoded caveats of the cork. 
@$pb.TagNumber(6)
- $core.List<$6.Any> get caveats => $_getList(5);
+ $core.List<$5.Any> get caveats => $_getList(5);
 /// The final signature of the cork.
 @$pb.TagNumber(999)
diff --git a/dart/test/cedar_cork_test.dart b/dart/test/cedar_cork_test.dart
index 259d1ca..3ed843e 100644
--- a/dart/test/cedar_cork_test.dart
+++ b/dart/test/cedar_cork_test.dart
@@ -32,28 +32,14 @@ final bKey = secretKey;
 final issuer = CedarEntityId('Organization', 'acme-corp');
 final bearer = CedarEntityId('User', 'alice');
-final _caveat = CedarPolicy(
- effect: CedarPolicyEffect.forbid,
- principal: CedarPolicyPrincipal(
- op: CedarPolicyOp.equals,
- entity: bearer,
+final _caveat = JsonExpr.equals(
+ JsonExpr.getAttribute(
+ JsonExpr.variable(CedarVariable.principal),
+ 'name',
+ ),
+ JsonExpr.value(
+ CedarValueJson.string('Alice'),
 ),
- action: CedarPolicyAction(op: CedarPolicyOp.all),
- resource: CedarPolicyResource(op: CedarPolicyOp.all),
- conditions: [
- CedarPolicyCondition(
- kind: CedarPolicyConditionKind.unless,
- body: JsonExpr.equals(
- JsonExpr.getAttribute(
- JsonExpr.variable(CedarVariable.principal),
- 'name',
- ),
- JsonExpr.value(
- CedarValueJson.string('Alice'),
- ),
- ),
- ),
- ],
 );
 final _tests = <_TestCase>[
diff --git a/go/cedar/expr/expr.go b/go/cedar/expr/expr.go
index 18aeab9..fbe662e 100644
--- a/go/cedar/expr/expr.go
+++ b/go/cedar/expr/expr.go
@@ -2,7 +2,15 @@ package cedarexpr
 import cedarv3 "github.com/celest-dev/corks/go/proto/cedar/v3"
-type Expr = cedarv3.Expr
+type Expr cedarv3.Expr
+
+func (e *Expr) Raw() *cedarv3.Expr {
+ if e == nil {
+ return nil
+ }
+ return (*cedarv3.Expr)(e)
+}
+
 type Value = cedarv3.Expr_Value
 type Var = cedarv3.Expr_Var
 type Slot = cedarv3.Expr_Slot
diff --git a/go/cedar/policy.go b/go/cedar/policy.go
index 1305485..80e7667 100644
--- a/go/cedar/policy.go
+++ b/go/cedar/policy.go
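Review bot: `Expr` and `Raw` in expr.go are exported without doc comments, and the move from a type alias to a defined type (`type Expr cedarv3.Expr`) changes the contract in ways callers need to be told: a `*Expr` no longer satisfies `proto.Message`, so `proto.Marshal`, `proto.Equal` and `anypb` helpers need `Raw()` first, and copying an `Expr` by value copies the generated message's internal state, which `go vet` is expected to flag (copylocks). Suggested comments: `// Expr is a Cedar expression, a defined type over the generated cedar.v3.Expr message; use Raw to obtain the proto.Message.` and `// Raw returns the underlying cedar.v3.Expr message, or nil for a nil receiver.` The `Value`, `Var` and `Slot` declarations below remain aliases to the generated types, so the package now mixes both styles; a sentence in the package doc explaining why only `Expr` is a defined type would help the next reader.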
@@ -139,7 +139,7 @@ func (c *PolicyCondition) Raw() *cedarv3.PolicyCondition {
 }
 return &cedarv3.PolicyCondition{
 Kind: c.Kind.Raw(),
- Body: c.Body,
+ Body: c.Body.Raw(),
 }
 }
diff --git a/go/cedarcork/cedarcork.go b/go/cedarcork/cedarcork.go
index 299bd4c..48b7c25 100644
--- a/go/cedarcork/cedarcork.go
+++ b/go/cedarcork/cedarcork.go
@@ -6,6 +6,7 @@ import (
 corks "github.com/celest-dev/corks/go"
 "github.com/celest-dev/corks/go/cedar"
+ cedarexpr "github.com/celest-dev/corks/go/cedar/expr"
 cedarv3 "github.com/celest-dev/corks/go/proto/cedar/v3"
 )
@@ -77,21 +78,27 @@ func (c *Cork) Claims() *cedarv3.Entity {
 return entity
 }
-func (c *Cork) Caveats() []*cedarv3.Policy {
+func (c *Cork) Caveats() []*cedarv3.Expr {
 if c == nil {
 return nil
 }
 caveats := c.Cork.Caveats()
- policies := make([]*cedarv3.Policy, len(caveats))
+ expressions := make([]*cedarv3.Expr, len(caveats))
 for i, caveat := range caveats {
- policy := new(cedarv3.Policy)
- err := caveat.UnmarshalTo(policy)
+ expression := new(cedarv3.Expr)
+ err := caveat.UnmarshalTo(expression)
 if err != nil {
 return nil
 }
- policies[i] = policy
+ expressions[i] = expression
 }
- return policies
+ return expressions
+}
+
+// Rebuild returns a new builder with the cork's data.
+func (c *Cork) Rebuild() *builder {
+ b := &builder{Builder: c.Cork.Rebuild()}
+ return b
 }
 type builder struct {
@@ -129,12 +136,12 @@ func (b *builder) Claims(claims *cedar.Entity) *builder {
 }
 // Caveat adds a caveat to the cork.
-func (b *builder) Caveat(caveat *cedar.Policy) *builder {
- if caveat.Effect != cedar.EffectForbid {
- b.errors = append(b.errors, errors.New("only forbid policies are allowed"))
- } else {
- b.Builder.Caveat(caveat.Raw())
+func (b *builder) Caveat(caveat *cedarexpr.Expr) *builder {
+ if caveat == nil {
+ b.errors = append(b.errors, fmt.Errorf("%w: caveat is nil", corks.ErrInvalidCork))
+ return b
 }
+ b.Builder.Caveat(caveat.Raw())
 return b
 }
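Review bot: `Caveats()` in cedarcork.go still returns nil whenever `caveat.UnmarshalTo` fails, and this commit makes that path reachable for every previously issued cork, because their caveats are stored as `Any` values typed `cedar.v3.Policy` and are now unpacked as `cedar.v3.Expr`. A nil result is indistinguishable from "no caveats", so a caller that enforces whatever `Caveats()` returns would treat an undecodable cork as unrestricted, which is the wrong failure direction for a bearer token. Surface the error (wrapped with `corks.ErrInvalidCork`, as the builder's `Caveat` already does) so the caller rejects the cork; `Claims()` just above appears to share the shape and should follow. If changing the return type is not acceptable, the nil-on-failure contract must at least be stated in the doc comment. The new `Rebuild` also dereferences `c.Cork` without the nil-receiver guard that `Caveats` has a few lines up.
```go
// Caveats returns the decoded caveats, or an error wrapping corks.ErrInvalidCork
// if any stored caveat is not a cedar.v3.Expr (for example a cork issued when
// caveats were cedar.v3.Policy messages).
func (c *Cork) Caveats() ([]*cedarv3.Expr, error) {
	if c == nil {
		return nil, nil
	}
	caveats := c.Cork.Caveats()
	expressions := make([]*cedarv3.Expr, len(caveats))
	for i, caveat := range caveats {
		expression := new(cedarv3.Expr)
		if err := caveat.UnmarshalTo(expression); err != nil {
			return nil, fmt.Errorf("%w: caveat %d: %v", corks.ErrInvalidCork, i, err)
		}
		expressions[i] = expression
	}
	return expressions, nil
}

// Rebuild returns a new builder with the cork's data, or nil for a nil cork.
func (c *Cork) Rebuild() *builder {
	if c == nil {
		return nil
	}
	return &builder{Builder: c.Cork.Rebuild()}
}
```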
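Review bot: The switch from `errors.New` to `fmt.Errorf` in `Caveat` is not accompanied by an import change in this diff; the import hunk above shows only the module-local group, so `fmt` must already be imported and `errors` must still be used elsewhere in cedarcork.go for the file to compile, which is worth confirming. The nil guard is a good addition; naming the method in the error text makes a multi-error builder failure easier to read, e.g. `fmt.Errorf("%w: Caveat: caveat is nil", corks.ErrInvalidCork)`.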
diff --git a/go/cedarcork/cedarcork_test.go b/go/cedarcork/cedarcork_test.go
index c6ea44b..f88cae6 100644
--- a/go/cedarcork/cedarcork_test.go
+++ b/go/cedarcork/cedarcork_test.go
@@ -7,7 +7,9 @@ import (
 corks "github.com/celest-dev/corks/go"
 "github.com/celest-dev/corks/go/cedar"
+ cedarexpr "github.com/celest-dev/corks/go/cedar/expr"
 "github.com/celest-dev/corks/go/cedarcork"
+ cedarv3 "github.com/celest-dev/corks/go/proto/cedar/v3"
 "github.com/google/go-cmp/cmp"
 "github.com/stretchr/testify/require"
 "google.golang.org/protobuf/testing/protocmp"
@@ -87,8 +89,16 @@ func TestBuildAndVerify(t *testing.T) {
 "email": cedar.String("test@example.com"),
 },
 }
- caveat := &cedar.Policy{
- Effect: cedar.EffectForbid,
+ caveat := &cedarexpr.Expr{
+ Expr: &cedarv3.Expr_Value{
+ Value: &cedarv3.ExprValue{
+ Value: &cedarv3.Value{
+ Value: &cedarv3.Value_Bool{
+ Bool: true,
+ },
+ },
+ },
+ },
 }
 return cedarcork.NewBuilder(aId).
 Issuer(issuer).
diff --git a/go/cork.go b/go/cork.go
index 60bdb95..e226c80 100644
--- a/go/cork.go
+++ b/go/cork.go
@@ -95,6 +95,20 @@ func (c *Cork) Raw() *corksv1.Cork {
 return c.raw
 }
+// Rebuild returns a new builder with the cork's data.
+func (c *Cork) Rebuild() *Builder {
+ b := &Builder{id: c.raw.Id}
+ b.
+ Issuer(c.raw.Issuer).
+ Bearer(c.raw.Bearer).
+ Audience(c.raw.Audience).
+ Claims(c.raw.Claims)
+ for _, caveat := range c.raw.Caveats {
+ b.Caveat(caveat)
+ }
+ return b
+}
+
 // clone returns a deep copy of the cork.
 func (c *Cork) clone() *Cork {
 copy := proto.Clone(c.raw).(*corksv1.Cork)
diff --git a/go/proto/cedar/v3/cork.pb.go b/go/proto/cedar/v3/cork.pb.go
index 0392fa5..241d829 100644
--- a/go/proto/cedar/v3/cork.pb.go
+++ b/go/proto/cedar/v3/cork.pb.go
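Review bot: `Rebuild` in cork.go hands `c.raw.Id`, `c.raw.Issuer`, `c.raw.Bearer`, `c.raw.Audience`, `c.raw.Claims` and every caveat to the new `Builder` by reference, so, assuming `Builder` stores what it is given rather than copying, a cork produced from the rebuilt builder shares those messages and the id slice with the source cork, and a mutation through either side is visible on both. `clone()` immediately below already shows the file's deep-copy idiom; rebuilding from `raw := proto.Clone(c.raw).(*corksv1.Cork)` and reading the fields from `raw` removes the aliasing at the cost of one copy. The doc comment should also say that the signature is deliberately not carried over, e.g. `// Rebuild returns a new builder seeded with the cork's id, parties, claims and caveats; the signature is dropped, so the rebuilt cork must be signed again.` The `b.` on a line of its own followed by the chained calls compiles but is unusual gofmt output; `b.Issuer(c.raw.Issuer).` on one line reads more naturally. In cedarcork_test.go the only caveat exercised is the constant `true`, so the round trip never checks that a non-trivial expression survives `Any` packing.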
@@ -42,7 +42,9 @@ type Cork struct { // // Caveats are structured conditions which must be met for the cork to be considered // valid and for its claims to be considered true. - Caveats []*Policy `protobuf:"bytes,6,rep,name=caveats,proto3" json:"caveats,omitempty"` + // + // Effectively, these form the body of a `forbid unless` policy AND'd together. + Caveats []*Expr `protobuf:"bytes,6,rep,name=caveats,proto3" json:"caveats,omitempty"` // The final signature of the cork. Signature []byte `protobuf:"bytes,999,opt,name=signature,proto3" json:"signature,omitempty"` } @@ -114,7 +116,7 @@ func (x *Cork) GetClaims() *Entity { return nil } -func (x *Cork) GetCaveats() []*Policy { +func (x *Cork) GetCaveats() []*Expr { if x != nil { return x.Caveats } 
@@ -136,39 +138,39 @@ var file_cedar_v3_cork_proto_rawDesc = []byte{ 0x15, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2f, 0x76, 0x33, 0x2f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x18, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2f, 0x76, 0x33, 0x2f, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x1a, 0x15, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x22, 0xb5, 0x02, 0x0a, 0x04, 0x43, 0x6f, 0x72, 0x6b, 0x12, 0x0e, 0x0a, 0x02, 0x69, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2a, 0x0a, 0x06, 0x69, - 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x65, - 0x64, 0x61, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x52, - 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, - 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2e, - 0x76, 0x33, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x52, 0x06, 0x62, 0x65, 0x61, - 0x72, 0x65, 0x72, 0x12, 0x33, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x76, 0x33, - 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x48, 0x00, 0x52, 0x08, 0x61, 0x75, 0x64, - 0x69, 0x65, 0x6e, 0x63, 0x65, 0x88, 0x01, 0x01, 0x12, 0x2d, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, - 0x6d, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, - 0x2e, 0x76, 0x33, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x48, 0x01, 0x52, 0x06, 0x63, 0x6c, - 0x61, 0x69, 0x6d, 0x73, 0x88, 0x01, 0x01, 0x12, 0x2a, 0x0a, 0x07, 0x63, 
0x61, 0x76, 0x65, 0x61, - 0x74, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, - 0x2e, 0x76, 0x33, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x07, 0x63, 0x61, 0x76, 0x65, - 0x61, 0x74, 0x73, 0x12, 0x1d, 0x0a, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, - 0x18, 0xe7, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, - 0x72, 0x65, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x42, - 0x09, 0x0a, 0x07, 0x5f, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x42, 0x91, 0x01, 0x0a, 0x0c, 0x63, - 0x6f, 0x6d, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x09, 0x43, 0x6f, 0x72, - 0x6b, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x65, 0x6c, 0x65, 0x73, 0x74, 0x2d, 0x64, 0x65, 0x76, 0x2f, - 0x63, 0x6f, 0x72, 0x6b, 0x73, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, - 0x65, 0x64, 0x61, 0x72, 0x2f, 0x76, 0x33, 0x3b, 0x63, 0x65, 0x64, 0x61, 0x72, 0x76, 0x33, 0xa2, - 0x02, 0x03, 0x43, 0x58, 0x58, 0xaa, 0x02, 0x08, 0x43, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x56, 0x33, - 0xca, 0x02, 0x08, 0x43, 0x65, 0x64, 0x61, 0x72, 0x5c, 0x56, 0x33, 0xe2, 0x02, 0x14, 0x43, 0x65, - 0x64, 0x61, 0x72, 0x5c, 0x56, 0x33, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0xea, 0x02, 0x09, 0x43, 0x65, 0x64, 0x61, 0x72, 0x3a, 0x3a, 0x56, 0x33, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x1a, 0x13, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2f, 0x76, 0x33, 0x2f, 0x65, 0x78, 0x70, 0x72, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x22, 0xb3, 0x02, 0x0a, 0x04, 0x43, 0x6f, 0x72, 0x6b, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2a, 0x0a, 
0x06, 0x69, 0x73, 0x73, + 0x75, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x65, 0x64, 0x61, + 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x52, 0x06, 0x69, + 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, 0x72, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x76, 0x33, + 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x52, 0x06, 0x62, 0x65, 0x61, 0x72, 0x65, + 0x72, 0x12, 0x33, 0x0a, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x76, 0x33, 0x2e, 0x45, + 0x6e, 0x74, 0x69, 0x74, 0x79, 0x49, 0x64, 0x48, 0x00, 0x52, 0x08, 0x61, 0x75, 0x64, 0x69, 0x65, + 0x6e, 0x63, 0x65, 0x88, 0x01, 0x01, 0x12, 0x2d, 0x0a, 0x06, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x76, + 0x33, 0x2e, 0x45, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x48, 0x01, 0x52, 0x06, 0x63, 0x6c, 0x61, 0x69, + 0x6d, 0x73, 0x88, 0x01, 0x01, 0x12, 0x28, 0x0a, 0x07, 0x63, 0x61, 0x76, 0x65, 0x61, 0x74, 0x73, + 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x63, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x76, + 0x33, 0x2e, 0x45, 0x78, 0x70, 0x72, 0x52, 0x07, 0x63, 0x61, 0x76, 0x65, 0x61, 0x74, 0x73, 0x12, + 0x1d, 0x0a, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0xe7, 0x07, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x42, 0x0b, + 0x0a, 0x09, 0x5f, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x42, 0x09, 0x0a, 0x07, 0x5f, + 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x73, 0x42, 0x91, 0x01, 0x0a, 0x0c, 0x63, 0x6f, 0x6d, 0x2e, 0x63, + 0x65, 0x64, 0x61, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x09, 0x43, 0x6f, 0x72, 0x6b, 0x50, 0x72, 0x6f, + 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x63, 
0x65, 0x6c, 0x65, 0x73, 0x74, 0x2d, 0x64, 0x65, 0x76, 0x2f, 0x63, 0x6f, 0x72, 0x6b, + 0x73, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x63, 0x65, 0x64, 0x61, 0x72, + 0x2f, 0x76, 0x33, 0x3b, 0x63, 0x65, 0x64, 0x61, 0x72, 0x76, 0x33, 0xa2, 0x02, 0x03, 0x43, 0x58, + 0x58, 0xaa, 0x02, 0x08, 0x43, 0x65, 0x64, 0x61, 0x72, 0x2e, 0x56, 0x33, 0xca, 0x02, 0x08, 0x43, + 0x65, 0x64, 0x61, 0x72, 0x5c, 0x56, 0x33, 0xe2, 0x02, 0x14, 0x43, 0x65, 0x64, 0x61, 0x72, 0x5c, + 0x56, 0x33, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, + 0x09, 0x43, 0x65, 0x64, 0x61, 0x72, 0x3a, 0x3a, 0x56, 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( @@ -188,14 +190,14 @@ var file_cedar_v3_cork_proto_goTypes = []any{ (*Cork)(nil), // 0: cedar.v3.Cork (*EntityId)(nil), // 1: cedar.v3.EntityId (*Entity)(nil), // 2: cedar.v3.Entity - (*Policy)(nil), // 3: cedar.v3.Policy + (*Expr)(nil), // 3: cedar.v3.Expr } var file_cedar_v3_cork_proto_depIdxs = []int32{ 1, // 0: cedar.v3.Cork.issuer:type_name -> cedar.v3.EntityId 1, // 1: cedar.v3.Cork.bearer:type_name -> cedar.v3.EntityId 1, // 2: cedar.v3.Cork.audience:type_name -> cedar.v3.EntityId 2, // 3: cedar.v3.Cork.claims:type_name -> cedar.v3.Entity - 3, // 4: cedar.v3.Cork.caveats:type_name -> cedar.v3.Policy + 3, // 4: cedar.v3.Cork.caveats:type_name -> cedar.v3.Expr 5, // [5:5] is the sub-list for method output_type 5, // [5:5] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name @@ -210,7 +212,7 @@ func file_cedar_v3_cork_proto_init() { } file_cedar_v3_entity_proto_init() file_cedar_v3_entity_id_proto_init() - file_cedar_v3_policy_proto_init() + file_cedar_v3_expr_proto_init() if !protoimpl.UnsafeEnabled { file_cedar_v3_cork_proto_msgTypes[0].Exporter = func(v any, i int) any { switch v := v.(*Cork); i { diff --git a/proto/cedar/v3/cork.proto b/proto/cedar/v3/cork.proto index 8414dbb..f2c19e9 100644 --- a/proto/cedar/v3/cork.proto 
+++ b/proto/cedar/v3/cork.proto
@@ -4,7 +4,7 @@ package cedar.v3;
 import "cedar/v3/entity.proto";
 import "cedar/v3/entity_id.proto";
-import "cedar/v3/policy.proto";
+import "cedar/v3/expr.proto";
 import "google/protobuf/any.proto";
 option go_package = "cedar/v3;cedarpb";
@@ -29,10 +29,11 @@ message Cork {
 // The caveats to this cork's validity and usage.
 //
- //
 // Caveats are structured conditions which must be met for the cork to be considered
 // valid and for its claims to be considered true.
- repeated cedar.v3.Policy caveats = 6;
+ //
+ // Effectively, these form the body of a `forbid unless` policy AND'd together.
+ repeated cedar.v3.Expr caveats = 6;
 // The final signature of the cork.
 bytes signature = 999;
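Review bot: Field 6 keeps its number but changes its message type from `cedar.v3.Policy` to `cedar.v3.Expr`, which is a wire-breaking change for a published schema: both are length-delimited, so an old `caveats` payload parses as an `Expr` without error and is silently reinterpreted, and where the caveats travel inside `google.protobuf.Any` (as the corks.v1 `Cork` in this commit does) the stored type URL no longer matches what readers expect. The safe form is `reserved 6; reserved "caveats";` with the `Expr` list on a fresh number, or a new package version, together with an explicit statement of what a verifier does with a cork that still carries `Policy` caveats. The new comment is a welcome addition; it would be stronger if it also stated the evaluation rule, e.g. `// A cork is valid only if every caveat evaluates to true; a caveat that cannot be evaluated is treated as false.`, assuming that is the intended semantics.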