typesystem

package
v1.33.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 17, 2024 License: Apache-2.0 Imports: 21 Imported by: 6

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewCaveatNotFoundErr

func NewCaveatNotFoundErr(caveatName string) error

NewCaveatNotFoundErr constructs a new caveat not found error.

func NewDuplicateAllowedRelationErr

func NewDuplicateAllowedRelationErr(nsName string, relationName string, allowedRelationSource string) error

NewDuplicateAllowedRelationErr constructs an error indicating that an allowed relation was defined more than once for a relation.

func NewDuplicateRelationError

func NewDuplicateRelationError(nsName string, relationName string) error

NewDuplicateRelationError constructs an error indicating that a relation was defined more than once in a namespace.

func NewMissingAllowedRelationsErr

func NewMissingAllowedRelationsErr(nsName string, relationName string) error

NewMissingAllowedRelationsErr constructs an error indicating that type information is missing for a relation.

func NewNamespaceNotFoundErr

func NewNamespaceNotFoundErr(nsName string) error

NewNamespaceNotFoundErr constructs a new namespace not found error.

func NewPermissionUsedOnLeftOfArrowErr

func NewPermissionUsedOnLeftOfArrowErr(nsName string, parentPermissionName string, foundPermissionName string) error

NewPermissionUsedOnLeftOfArrowErr constructs an error indicating that a permission was used on the left side of an arrow.

func NewPermissionsCycleErr

func NewPermissionsCycleErr(nsName string, permissionNames []string) error

NewPermissionsCycleErr constructs an error indicating that a cycle exists amongst permissions.

func NewRelationNotFoundErr

func NewRelationNotFoundErr(nsName string, relationName string) error

NewRelationNotFoundErr constructs a new relation not found error.

func NewTransitiveWildcardErr

func NewTransitiveWildcardErr(nsName string, relationName string, foundRelationNamespace string, foundRelationName string, wildcardTypeName string, wildcardRelationReference string) error

NewTransitiveWildcardErr constructs an error indicating that a transitive wildcard exists.

func NewTypeErrorWithSource

func NewTypeErrorWithSource(wrapped error, withSource nspkg.WithSourcePosition, sourceCodeString string) error

NewTypeErrorWithSource creates a new type error at the specific position and with source code, wrapping the underlying error.

func NewUnusedCaveatParameterErr

func NewUnusedCaveatParameterErr(caveatName string, paramName string) error

NewUnusedCaveatParameterErr constructs indicating that a parameter was unused in a caveat expression.

func NewWildcardUsedInArrowErr

func NewWildcardUsedInArrowErr(nsName string, parentPermissionName string, foundRelationName string, wildcardTypeName string, wildcardRelationName string) error

NewWildcardUsedInArrowErr constructs an error indicating that an arrow operated over a relation with a wildcard type.

func SourceForAllowedRelation

func SourceForAllowedRelation(allowedRelation *core.AllowedRelation) string

SourceForAllowedRelation returns the source code representation of an allowed relation.

Types

type AllowedDirectRelation

type AllowedDirectRelation int

AllowedDirectRelation indicates whether a relation is allowed on the right side of another relation.

const (
	// UnknownIfRelationAllowed indicates that no type information is defined for
	// this relation.
	UnknownIfRelationAllowed AllowedDirectRelation = iota

	// DirectRelationValid indicates that the specified subject relation is valid as
	// part of a *direct* tuple on the relation.
	DirectRelationValid

	// DirectRelationNotValid indicates that the specified subject relation is not
	// valid as part of a *direct* tuple on the relation.
	DirectRelationNotValid
)

type AllowedNamespaceOption

type AllowedNamespaceOption int

AllowedNamespaceOption indicates whether an allowed namespace of a particular kind is allowed on the right side of another relation.

const (
	// UnknownIfAllowedNamespace indicates that no type information is defined for
	// this relation.
	UnknownIfAllowedNamespace AllowedNamespaceOption = iota

	// AllowedNamespaceValid indicates that the specified subject namespace is valid.
	AllowedNamespaceValid

	// AllowedNamespaceNotValid indicates that the specified subject namespace is not valid.
	AllowedNamespaceNotValid
)

type AllowedPublicSubject

type AllowedPublicSubject int

AllowedPublicSubject indicates whether a public subject of a particular kind is allowed on the right side of another relation.

const (
	// UnknownIfPublicAllowed indicates that no type information is defined for
	// this relation.
	UnknownIfPublicAllowed AllowedPublicSubject = iota

	// PublicSubjectAllowed indicates that the specified subject wildcard is valid as
	// part of a *direct* tuple on the relation.
	PublicSubjectAllowed

	// PublicSubjectNotAllowed indicates that the specified subject wildcard is not
	// valid as part of a *direct* tuple on the relation.
	PublicSubjectNotAllowed
)

type AllowedRelationOption

type AllowedRelationOption int

AllowedRelationOption indicates whether an allowed relation of a particular kind is allowed on the right side of another relation.

const (
	// UnknownIfAllowed indicates that no type information is defined for
	// this relation.
	UnknownIfAllowed AllowedRelationOption = iota

	// AllowedRelationValid indicates that the specified subject relation is valid.
	AllowedRelationValid

	// AllowedRelationNotValid indicates that the specified subject relation is not valid.
	AllowedRelationNotValid
)

type ErrCaveatNotFound

type ErrCaveatNotFound struct {
	// contains filtered or unexported fields
}

ErrCaveatNotFound occurs when a caveat was not found.

func (ErrCaveatNotFound) CaveatName

func (err ErrCaveatNotFound) CaveatName() string

CaveatName returns the name of the caveat not found.

func (ErrCaveatNotFound) DetailsMetadata

func (err ErrCaveatNotFound) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrCaveatNotFound) MarshalZerologObject

func (err ErrCaveatNotFound) MarshalZerologObject(e *zerolog.Event)

type ErrDuplicateAllowedRelation

type ErrDuplicateAllowedRelation struct {
	// contains filtered or unexported fields
}

ErrDuplicateAllowedRelation indicates that an allowed relation was redefined on a relation.

func (ErrDuplicateAllowedRelation) DetailsMetadata

func (err ErrDuplicateAllowedRelation) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrDuplicateAllowedRelation) MarshalZerologObject

func (err ErrDuplicateAllowedRelation) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type ErrDuplicateRelation

type ErrDuplicateRelation struct {
	// contains filtered or unexported fields
}

ErrDuplicateRelation occurs when a duplicate relation was found inside a namespace.

func (ErrDuplicateRelation) DetailsMetadata

func (err ErrDuplicateRelation) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrDuplicateRelation) MarshalZerologObject

func (err ErrDuplicateRelation) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type ErrMissingAllowedRelations

type ErrMissingAllowedRelations struct {
	// contains filtered or unexported fields
}

ErrMissingAllowedRelations occurs when a relation is defined without any type information.

func (ErrMissingAllowedRelations) DetailsMetadata

func (err ErrMissingAllowedRelations) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrMissingAllowedRelations) MarshalZerologObject

func (err ErrMissingAllowedRelations) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type ErrNamespaceNotFound

type ErrNamespaceNotFound struct {
	// contains filtered or unexported fields
}

ErrNamespaceNotFound occurs when a namespace was not found.

func (ErrNamespaceNotFound) DetailsMetadata

func (err ErrNamespaceNotFound) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrNamespaceNotFound) MarshalZerologObject

func (err ErrNamespaceNotFound) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

func (ErrNamespaceNotFound) NotFoundNamespaceName

func (err ErrNamespaceNotFound) NotFoundNamespaceName() string

NotFoundNamespaceName is the name of the namespace not found.

type ErrPermissionUsedOnLeftOfArrow

type ErrPermissionUsedOnLeftOfArrow struct {
	// contains filtered or unexported fields
}

ErrPermissionUsedOnLeftOfArrow occurs when a permission is used on the left side of an arrow expression.

func (ErrPermissionUsedOnLeftOfArrow) DetailsMetadata

func (err ErrPermissionUsedOnLeftOfArrow) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrPermissionUsedOnLeftOfArrow) MarshalZerologObject

func (err ErrPermissionUsedOnLeftOfArrow) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type ErrPermissionsCycle

type ErrPermissionsCycle struct {
	// contains filtered or unexported fields
}

ErrPermissionsCycle occurs when a cycle exists within permissions.

func (ErrPermissionsCycle) DetailsMetadata

func (err ErrPermissionsCycle) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrPermissionsCycle) MarshalZerologObject

func (err ErrPermissionsCycle) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type ErrRelationNotFound

type ErrRelationNotFound struct {
	// contains filtered or unexported fields
}

ErrRelationNotFound occurs when a relation was not found under a namespace.

func (ErrRelationNotFound) DetailsMetadata

func (err ErrRelationNotFound) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrRelationNotFound) MarshalZerologObject

func (err ErrRelationNotFound) MarshalZerologObject(e *zerolog.Event)

func (ErrRelationNotFound) NamespaceName

func (err ErrRelationNotFound) NamespaceName() string

NamespaceName returns the name of the namespace in which the relation was not found.

func (ErrRelationNotFound) NotFoundRelationName

func (err ErrRelationNotFound) NotFoundRelationName() string

NotFoundRelationName returns the name of the relation not found.

type ErrTransitiveWildcard

type ErrTransitiveWildcard struct {
	// contains filtered or unexported fields
}

ErrTransitiveWildcard occurs when a wildcard relation in turn references another wildcard relation.

func (ErrTransitiveWildcard) DetailsMetadata

func (err ErrTransitiveWildcard) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrTransitiveWildcard) MarshalZerologObject

func (err ErrTransitiveWildcard) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type ErrUnusedCaveatParameter

type ErrUnusedCaveatParameter struct {
	// contains filtered or unexported fields
}

ErrUnusedCaveatParameter indicates that a caveat parameter is unused in the caveat expression.

func (ErrUnusedCaveatParameter) DetailsMetadata

func (err ErrUnusedCaveatParameter) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrUnusedCaveatParameter) MarshalZerologObject

func (err ErrUnusedCaveatParameter) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type ErrWildcardUsedInArrow

type ErrWildcardUsedInArrow struct {
	// contains filtered or unexported fields
}

ErrWildcardUsedInArrow occurs when an arrow operates over a relation that contains a wildcard.

func (ErrWildcardUsedInArrow) DetailsMetadata

func (err ErrWildcardUsedInArrow) DetailsMetadata() map[string]string

DetailsMetadata returns the metadata for details for this error.

func (ErrWildcardUsedInArrow) MarshalZerologObject

func (err ErrWildcardUsedInArrow) MarshalZerologObject(e *zerolog.Event)

MarshalZerologObject implements zerolog object marshalling.

type PredefinedElements

type PredefinedElements struct {
	Namespaces []*core.NamespaceDefinition
	Caveats    []*core.CaveatDefinition
}

PredefinedElements are predefined namespaces and/or caveats to give to a resolver.

type ReachabilityEntrypoint

type ReachabilityEntrypoint struct {
	// contains filtered or unexported fields
}

ReachabilityEntrypoint is an entrypoint into the reachability graph for a subject of particular type.

func (ReachabilityEntrypoint) ContainingRelationOrPermission

func (re ReachabilityEntrypoint) ContainingRelationOrPermission() *core.RelationReference

ContainingRelationOrPermission is the relation or permission containing this entrypoint.

func (ReachabilityEntrypoint) DirectRelation

func (re ReachabilityEntrypoint) DirectRelation() (*core.RelationReference, error)

DirectRelation is the relation that this entrypoint represents, if a RELATION_ENTRYPOINT.

func (ReachabilityEntrypoint) EntrypointKind

EntrypointKind is the kind of the entrypoint.

func (ReachabilityEntrypoint) Hash

func (re ReachabilityEntrypoint) Hash() (uint64, error)

Hash returns a hash representing the data in the entrypoint, for comparison to other entrypoints. This is ONLY stable within a single version of SpiceDB and should NEVER be stored for later comparison outside of the process.

func (ReachabilityEntrypoint) IsDirectResult

func (re ReachabilityEntrypoint) IsDirectResult() bool

IsDirectResult returns whether the entrypoint, when evaluated, becomes a direct result of the parent relation/permission. A direct result only exists if the entrypoint is not contained under an intersection or exclusion, which makes the entrypoint's object merely conditionally reachable.

func (ReachabilityEntrypoint) MustDebugString

func (re ReachabilityEntrypoint) MustDebugString() string

func (ReachabilityEntrypoint) String

func (re ReachabilityEntrypoint) String() string

func (ReachabilityEntrypoint) TuplesetRelation

func (re ReachabilityEntrypoint) TuplesetRelation() (string, error)

TuplesetRelation returns the tupleset relation of the TTU, if a TUPLESET_TO_USERSET_ENTRYPOINT.

type ReachabilityGraph

type ReachabilityGraph struct {
	// contains filtered or unexported fields
}

ReachabilityGraph is a helper struct that provides an easy way to determine all entrypoints for a subject of a particular type into a schema, for the purpose of walking from the subject to a specific resource relation.

func ReachabilityGraphFor

func ReachabilityGraphFor(ts *ValidatedNamespaceTypeSystem) *ReachabilityGraph

ReachabilityGraphFor returns a reachability graph for the given namespace.

func (*ReachabilityGraph) AllEntrypointsForSubjectToResource

func (rg *ReachabilityGraph) AllEntrypointsForSubjectToResource(
	ctx context.Context,
	subjectType *core.RelationReference,
	resourceType *core.RelationReference,
) ([]ReachabilityEntrypoint, error)

AllEntrypointsForSubjectToResource returns the entrypoints into the reachability graph, starting at the given subject type and walking to the given resource type.

func (*ReachabilityGraph) HasOptimizedEntrypointsForSubjectToResource

func (rg *ReachabilityGraph) HasOptimizedEntrypointsForSubjectToResource(
	ctx context.Context,
	subjectType *core.RelationReference,
	resourceType *core.RelationReference,
) (bool, error)

HasOptimizedEntrypointsForSubjectToResource returns whether there exists any *optimized* entrypoints into the reachability graph, starting at the given subject type and walking to the given resource type.

The optimized set will skip branches on intersections and exclusions in an attempt to minimize the number of entrypoints.

func (*ReachabilityGraph) OptimizedEntrypointsForSubjectToResource

func (rg *ReachabilityGraph) OptimizedEntrypointsForSubjectToResource(
	ctx context.Context,
	subjectType *core.RelationReference,
	resourceType *core.RelationReference,
) ([]ReachabilityEntrypoint, error)

OptimizedEntrypointsForSubjectToResource returns the *optimized* set of entrypoints into the reachability graph, starting at the given subject type and walking to the given resource type.

The optimized set will skip branches on intersections and exclusions in an attempt to minimize the number of entrypoints.

func (*ReachabilityGraph) RelationsEncounteredForResource added in v1.33.0

func (rg *ReachabilityGraph) RelationsEncounteredForResource(
	ctx context.Context,
	resourceType *core.RelationReference,
) ([]*core.RelationReference, error)

RelationsEncounteredForResource returns all relations that are encountered when walking outward from a resource+relation.

func (*ReachabilityGraph) RelationsEncounteredForSubject added in v1.33.0

func (rg *ReachabilityGraph) RelationsEncounteredForSubject(
	ctx context.Context,
	allDefinitions []*core.NamespaceDefinition,
	startingSubjectType *core.RelationReference,
) ([]*core.RelationReference, error)

RelationsEncounteredForSubject returns all relations that are encountered when walking outward from a subject+relation.

type Resolver

type Resolver interface {
	// LookupNamespace lookups up a namespace.
	LookupNamespace(ctx context.Context, name string) (*core.NamespaceDefinition, error)

	// LookupCaveat lookups up a caveat.
	LookupCaveat(ctx context.Context, name string) (*core.CaveatDefinition, error)

	// WithPredefinedElements adds the given predefined elements to this resolver, returning a new
	// resolver.
	WithPredefinedElements(predefined PredefinedElements) Resolver
}

Resolver is an interface defined for resolving referenced namespaces and caveats when constructing and validating a type system.

func ResolverForDatastoreReader

func ResolverForDatastoreReader(ds datastore.Reader) Resolver

ResolverForDatastoreReader returns a Resolver for a datastore reader.

func ResolverForPredefinedDefinitions

func ResolverForPredefinedDefinitions(predefined PredefinedElements) Resolver

ResolverForPredefinedDefinitions returns a resolver for predefined namespaces and caveats.

func ResolverForSchema

func ResolverForSchema(schema compiler.CompiledSchema) Resolver

ResolverForSchema returns a resolver for a schema.

type TypeError

type TypeError struct {
	// contains filtered or unexported fields
}

TypeError wraps another error as a type error.

func (TypeError) Unwrap

func (err TypeError) Unwrap() error

type TypeSystem

type TypeSystem struct {
	// contains filtered or unexported fields
}

TypeSystem represents typing information found in a namespace.

func NewNamespaceTypeSystem

func NewNamespaceTypeSystem(nsDef *core.NamespaceDefinition, resolver Resolver) (*TypeSystem, error)

NewNamespaceTypeSystem returns a new type system for the given namespace. Note that the type system is not validated until Validate is called.

func (*TypeSystem) AllowedDirectRelationsAndWildcards

func (nts *TypeSystem) AllowedDirectRelationsAndWildcards(sourceRelationName string) ([]*core.AllowedRelation, error)

AllowedDirectRelationsAndWildcards returns the allowed subject relations for a source relation. Note that this function will return wildcards.

func (*TypeSystem) AllowedSubjectRelations

func (nts *TypeSystem) AllowedSubjectRelations(sourceRelationName string) ([]*core.RelationReference, error)

AllowedSubjectRelations returns the allowed subject relations for a source relation. Note that this function will *not* return wildcards.

func (*TypeSystem) GetAllowedDirectNamespaceSubjectRelations added in v1.31.0

func (nts *TypeSystem) GetAllowedDirectNamespaceSubjectRelations(sourceRelationName string, targetNamespaceName string) (*mapz.Set[string], error)

GetAllowedDirectNamespaceSubjectRelations returns the subject relations for the target namespace, if it is defined as appearing somewhere on the right side of a relation (except public). Returns nil if there is no type information or it is not allowed.

func (*TypeSystem) GetRelation added in v1.31.0

func (nts *TypeSystem) GetRelation(relationName string) (*core.Relation, bool)

GetRelation returns the relation that's defined with the give name in the type system or returns false.

func (*TypeSystem) HasAllowedRelation

func (nts *TypeSystem) HasAllowedRelation(sourceRelationName string, toCheck *core.AllowedRelation) (AllowedRelationOption, error)

HasAllowedRelation returns whether the source relation has the given allowed relation.

func (*TypeSystem) HasRelation

func (nts *TypeSystem) HasRelation(relationName string) bool

HasRelation returns true if the namespace has the given relation defined.

func (*TypeSystem) HasTypeInformation

func (nts *TypeSystem) HasTypeInformation(relationName string) bool

HasTypeInformation returns true if the relation with the given name exists and has type information defined.

func (*TypeSystem) IsAllowedDirectNamespace

func (nts *TypeSystem) IsAllowedDirectNamespace(sourceRelationName string, targetNamespaceName string) (AllowedNamespaceOption, error)

IsAllowedDirectNamespace returns whether the target namespace is defined as appearing somewhere on the right side of a relation (except public).

func (*TypeSystem) IsAllowedDirectRelation

func (nts *TypeSystem) IsAllowedDirectRelation(sourceRelationName string, targetNamespaceName string, targetRelationName string) (AllowedDirectRelation, error)

IsAllowedDirectRelation returns whether the subject relation is allowed to appear on the right hand side of a tuple placed in the source relation with the given name.

func (*TypeSystem) IsAllowedPublicNamespace

func (nts *TypeSystem) IsAllowedPublicNamespace(sourceRelationName string, targetNamespaceName string) (AllowedPublicSubject, error)

IsAllowedPublicNamespace returns whether the target namespace is defined as public on the source relation.

func (*TypeSystem) IsPermission

func (nts *TypeSystem) IsPermission(relationName string) bool

IsPermission returns true if the namespace has the given relation defined and it is a permission.

func (*TypeSystem) MustGetRelation

func (nts *TypeSystem) MustGetRelation(relationName string) *core.Relation

MustGetRelation returns the relation that's defined with the give name in the type system or panics.

func (*TypeSystem) Namespace

func (nts *TypeSystem) Namespace() *core.NamespaceDefinition

Namespace is the namespace for which the type system was constructed.

func (*TypeSystem) RelationDoesNotAllowCaveatsForSubject added in v1.31.0

func (nts *TypeSystem) RelationDoesNotAllowCaveatsForSubject(relationName string, subjectTypeName string) (bool, error)

RelationDoesNotAllowCaveatsForSubject returns true if and only if it can be conclusively determined that the given subject type does not accept any caveats on the given relation. If the relation does not have type information, returns an error.

func (*TypeSystem) TypeSystemForNamespace added in v1.32.0

func (nts *TypeSystem) TypeSystemForNamespace(ctx context.Context, namespaceName string) (*TypeSystem, error)

TypeSystemForNamespace returns a type system for the given namespace.

func (*TypeSystem) Validate

Validate runs validation on the type system for the namespace to ensure it is consistent.

type ValidatedNamespaceTypeSystem

type ValidatedNamespaceTypeSystem struct {
	*TypeSystem
}

ValidatedNamespaceTypeSystem is validated type system for a namespace.

func ReadNamespaceAndTypes added in v1.30.0

func ReadNamespaceAndTypes(
	ctx context.Context,
	nsName string,
	ds datastore.Reader,
) (*core.NamespaceDefinition, *ValidatedNamespaceTypeSystem, error)

ReadNamespaceAndTypes reads a namespace definition, version, and type system and returns it if found.

type WildcardTypeReference

type WildcardTypeReference struct {
	// ReferencingRelation is the relation referencing the wildcard type.
	ReferencingRelation *core.RelationReference

	// WildcardType is the wildcard type referenced.
	WildcardType *core.AllowedRelation
}

WildcardTypeReference represents a relation that references a wildcard type.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL