schema

type ArrowOperation ¶ added in v1.46.2

type ArrowOperation interface {
	Operation

	// Left returns the relation on the resource (left side of the arrow).
	Left() string

	// Right returns the relation/permission on the subject (right side of the arrow).
	Right() string

	// Function returns the function type applied to the arrow.
	// For standard arrows (->), this returns FunctionTypeAny.
	// For functioned arrows (.any()/.all()), this returns the specific function type.
	Function() FunctionType
}

ArrowOperation is an interface implemented by all arrow-based operations (both standard and functioned arrows). This includes ArrowReference, FunctionedArrowReference, ResolvedArrowReference, and ResolvedFunctionedArrowReference.

type ArrowOperationVisitor ¶ added in v1.46.2

type ArrowOperationVisitor[T any] interface {
	VisitArrowOperation(ao ArrowOperation, value T) (T, error)
}

ArrowOperationVisitor is called when visiting any ArrowOperation (ArrowReference, FunctionedArrowReference, ResolvedArrowReference, or ResolvedFunctionedArrowReference). Returns the value to pass to subsequent visits, and error to halt immediately.

type ArrowReference ¶

type ArrowReference struct {
	// contains filtered or unexported fields
}

ArrowReference is an Operation that represents `permission foo = Left->Right`.

func (a *ArrowReference) Function() FunctionType

func (a *ArrowReference) Left() string

func (a *ArrowReference) Right() string

type ArrowReferenceVisitor ¶ added in v1.46.1

type ArrowReferenceVisitor[T any] interface {
	VisitArrowReference(ar *ArrowReference, value T) (T, error)
}

ArrowReferenceVisitor is called when visiting an ArrowReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type BaseRelation ¶

type BaseRelation struct {
	// contains filtered or unexported fields
}

BaseRelation is a single type, and its potential caveats, and expiration options. These features are written directly to the database with the parent Relation and Definition as the resource type and relation, and contains the subject type and optional subrelation.

func NewTestBaseRelation(defName, relationName, subjectType, subrelation string) *BaseRelation

func NewTestBaseRelationWithFeatures(defName, relationName, subjectType, subrelation, caveat string, expiration bool) *BaseRelation

func NewTestWildcardBaseRelation(defName, relationName, subjectType string) *BaseRelation

func NewTestWildcardBaseRelationWithFeatures(defName, relationName, subjectType, caveat string, expiration bool) *BaseRelation

func (b *BaseRelation) Caveat() string

func (b *BaseRelation) DefinitionName() string

func (b *BaseRelation) Expiration() bool

func (b *BaseRelation) Parent() *Relation

func (b *BaseRelation) RelationName() string

func (b *BaseRelation) Subrelation() string

func (b *BaseRelation) Type() string

func (b *BaseRelation) Wildcard() bool

type BaseRelationVisitor ¶ added in v1.46.1

type BaseRelationVisitor[T any] interface {
	VisitBaseRelation(br *BaseRelation, value T) (T, error)
}

BaseRelationVisitor is called when visiting a BaseRelation. Returns the value to pass to subsequent visits, and error to halt immediately.

type Caveat ¶

type Caveat struct {
	// contains filtered or unexported fields
}

Caveat is a single, top-level caveat definition and it's internal expresion.

func (c *Caveat) Expression() string

func (c *Caveat) Name() string

func (c *Caveat) ParameterTypes() []string

func (c *Caveat) Parent() *Schema

type CaveatVisitor ¶ added in v1.46.1

type CaveatVisitor[T any] interface {
	VisitCaveat(c *Caveat, value T) (T, error)
}

CaveatVisitor is called when visiting a Caveat. Returns the value to pass to subsequent visits, and error to halt immediately.

type Definition ¶

type Definition struct {
	// contains filtered or unexported fields
}

Definition is a single schema object type, with relations and permissions.

func (d *Definition) Name() string

func (d *Definition) Parent() *Schema

func (d *Definition) Permissions() map[string]*Permission

func (d *Definition) Relations() map[string]*Relation

type DefinitionVisitor ¶ added in v1.46.1

type DefinitionVisitor[T any] interface {
	VisitDefinition(d *Definition, value T) (T, bool, error)
}

DefinitionVisitor is called when visiting a Definition. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type ExclusionOperation ¶

type ExclusionOperation struct {
	// contains filtered or unexported fields
}

ExclusionOperation is an Operation that represents `permission foo = a - b`.

func (e *ExclusionOperation) Left() Operation

func (e *ExclusionOperation) Right() Operation

type ExclusionOperationVisitor ¶ added in v1.46.1

type ExclusionOperationVisitor[T any] interface {
	VisitExclusionOperation(eo *ExclusionOperation, value T) (T, bool, error)
}

ExclusionOperationVisitor is called when visiting an ExclusionOperation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type FlattenOptions ¶ added in v1.46.2

type FlattenOptions struct {
	// Separator controls what separator is used between permission names and hashes
	// in synthetic permissions ($ or __).
	Separator FlattenSeparator

	// FlattenNonUnionOperations controls whether non-union operations (intersections,
	// exclusions) should be flattened. When true, nested compound operations are
	// extracted into synthetic permissions.
	FlattenNonUnionOperations bool

	// FlattenArrows controls whether arrow operations (->) should be flattened.
	// When true, arrow operations are treated as leaf nodes and are extracted into
	// their own synthetic permissions. When false, they remain as-is in the operation tree.
	FlattenArrows bool
}

FlattenOptions contains options for flattening a schema.

type FlattenSeparator ¶ added in v1.46.1

type FlattenSeparator string

FlattenSeparator is the separator used between permission names and hashes in synthetic permissions.

const (
	// FlattenSeparatorDollar uses $ as separator (e.g., view$abc123).
	// Note: $ is not valid in schema DSL identifiers, so this is only for internal use.
	FlattenSeparatorDollar FlattenSeparator = "$"

	// FlattenSeparatorDoubleUnderscore uses __ as separator (e.g., view__abc123).
	// This is valid in schema DSL identifiers.
	FlattenSeparatorDoubleUnderscore FlattenSeparator = "__"
)

type FlattenedSchema ¶ added in v1.46.1

type FlattenedSchema struct {
	// contains filtered or unexported fields
}

FlattenedSchema wraps a ResolvedSchema where all nested operations under permissions have been replaced with references to synthetic permissions.

func FlattenSchema(rs *ResolvedSchema, separator FlattenSeparator) (*FlattenedSchema, error)

func FlattenSchemaWithOptions(rs *ResolvedSchema, options FlattenOptions) (*FlattenedSchema, error)

func (f *FlattenedSchema) ResolvedSchema() *ResolvedSchema

type FunctionType ¶ added in v1.46.1

type FunctionType int

FunctionType represents the type of function applied to a tupleset.

const (
	FunctionTypeAny FunctionType = iota
	FunctionTypeAll
)

type FunctionedArrowReference ¶ added in v1.46.2

type FunctionedArrowReference struct {
	// contains filtered or unexported fields
}

FunctionedArrowReference is an Operation that represents functioned arrows like `permission foo = relation.any(other)` or `permission foo = relation.all(other)`.

func (f *FunctionedArrowReference) Function() FunctionType

func (f *FunctionedArrowReference) Left() string

func (f *FunctionedArrowReference) Right() string

type IntersectionOperation ¶

type IntersectionOperation struct {
	// contains filtered or unexported fields
}

IntersectionOperation is an Operation that represents `permission foo = a & b & c`.

func (i *IntersectionOperation) Children() []Operation

type IntersectionOperationVisitor ¶ added in v1.46.1

type IntersectionOperationVisitor[T any] interface {
	VisitIntersectionOperation(io *IntersectionOperation, value T) (T, bool, error)
}

IntersectionOperationVisitor is called when visiting an IntersectionOperation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type Operation ¶

type Operation interface {
	// contains filtered or unexported methods
}

Operation is a closed enum of things that can exist on the right-hand-side of a permission. It forms a tree of unions, intersections and exclusions, until the leaves are things like references to other permissions or relations, or are arrows.

type OperationVisitor ¶ added in v1.46.1

type OperationVisitor[T any] interface {
	VisitOperation(op Operation, value T) (T, bool, error)
}

OperationVisitor is called when visiting any Operation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type Permission ¶

type Permission struct {
	// contains filtered or unexported fields
}

Permission is a single `permission` line belonging to a definition. It has a name and a // and/or/not tree of operations representing it's right-hand-side.

func (p *Permission) IsSynthetic() bool

func (p *Permission) Name() string

func (p *Permission) Operation() Operation

func (p *Permission) Parent() *Definition

type PermissionVisitor ¶ added in v1.46.1

type PermissionVisitor[T any] interface {
	VisitPermission(p *Permission, value T) (T, bool, error)
}

PermissionVisitor is called when visiting a Permission. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type Relation ¶

type Relation struct {
	// contains filtered or unexported fields
}

Relation is a single `relation` line belonging to a definition. It has a name and list of types appearing on the right hand side.

func (r *Relation) AliasingRelation() string

func (r *Relation) BaseRelations() []*BaseRelation

func (r *Relation) Name() string

func (r *Relation) Parent() *Definition

type RelationOrPermission ¶ added in v1.46.1

type RelationOrPermission interface {
	// contains filtered or unexported methods
}

type RelationReference ¶

type RelationReference struct {
	// contains filtered or unexported fields
}

RelationReference is an Operation that is a simple relation, such as `permission foo = bar`.

func (r *RelationReference) RelationName() string

type RelationReferenceVisitor ¶ added in v1.46.1

type RelationReferenceVisitor[T any] interface {
	VisitRelationReference(rr *RelationReference, value T) (T, error)
}

RelationReferenceVisitor is called when visiting a RelationReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type RelationVisitor ¶ added in v1.46.1

type RelationVisitor[T any] interface {
	VisitRelation(r *Relation, value T) (T, bool, error)
}

RelationVisitor is called when visiting a Relation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type ResolvedArrowReference ¶ added in v1.46.1

type ResolvedArrowReference struct {
	// contains filtered or unexported fields
}

ResolvedArrowReference is an Operation that represents a resolved arrow reference. It contains the resolved left side relation and the name of the right side.

func (a *ResolvedArrowReference) Function() FunctionType

func (a *ResolvedArrowReference) Left() string

func (a *ResolvedArrowReference) ResolvedLeft() *Relation

func (a *ResolvedArrowReference) Right() string

type ResolvedArrowReferenceVisitor ¶ added in v1.46.1

type ResolvedArrowReferenceVisitor[T any] interface {
	VisitResolvedArrowReference(rar *ResolvedArrowReference, value T) (T, error)
}

ResolvedArrowReferenceVisitor is called when visiting a ResolvedArrowReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type ResolvedFunctionedArrowReference ¶ added in v1.46.2

type ResolvedFunctionedArrowReference struct {
	// contains filtered or unexported fields
}

ResolvedFunctionedArrowReference is an Operation that represents a resolved functioned arrow reference. It contains the resolved left side relation, the name of the right side, and the function type.

func (a *ResolvedFunctionedArrowReference) Function() FunctionType

func (a *ResolvedFunctionedArrowReference) Left() string

func (a *ResolvedFunctionedArrowReference) ResolvedLeft() *Relation

func (a *ResolvedFunctionedArrowReference) Right() string

type ResolvedFunctionedArrowReferenceVisitor ¶ added in v1.46.2

type ResolvedFunctionedArrowReferenceVisitor[T any] interface {
	VisitResolvedFunctionedArrowReference(rfar *ResolvedFunctionedArrowReference, value T) (T, error)
}

ResolvedFunctionedArrowReferenceVisitor is called when visiting a ResolvedFunctionedArrowReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type ResolvedRelationReference ¶ added in v1.46.1

type ResolvedRelationReference struct {
	// contains filtered or unexported fields
}

ResolvedRelationReference is an Operation that is a resolved relation reference. It contains both the name and the actual RelationOrPermission being referenced.

func (r *ResolvedRelationReference) RelationName() string

func (r *ResolvedRelationReference) Resolved() RelationOrPermission

type ResolvedRelationReferenceVisitor ¶ added in v1.46.1

type ResolvedRelationReferenceVisitor[T any] interface {
	VisitResolvedRelationReference(rrr *ResolvedRelationReference, value T) (T, error)
}

ResolvedRelationReferenceVisitor is called when visiting a ResolvedRelationReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type ResolvedSchema ¶ added in v1.46.1

type ResolvedSchema struct {
	// contains filtered or unexported fields
}

ResolvedSchema wraps a Schema where all RelationReferences and ArrowReferences have been resolved to their actual RelationOrPermission targets.

func ResolveSchema(s *Schema) (*ResolvedSchema, error)

func (r *ResolvedSchema) Schema() *Schema

type Schema ¶

type Schema struct {
	// contains filtered or unexported fields
}

Schema is a view of a complete schema, with all definitions and caveats.

func BuildSchemaFromCompiledSchema(schema compiler.CompiledSchema) (*Schema, error)

func BuildSchemaFromDefinitions(objectDefs []*corev1.NamespaceDefinition, caveatDefs []*corev1.CaveatDefinition) (*Schema, error)

func CloneSchema(s *Schema) *Schema

func (s *Schema) Caveats() map[string]*Caveat

func (s *Schema) Definitions() map[string]*Definition

func (s *Schema) ToNamespaceDefinition(name string) ([]*core.NamespaceDefinition, []*core.CaveatDefinition, error)

type SchemaVisitor ¶ added in v1.46.1

type SchemaVisitor[T any] interface {
	VisitSchema(s *Schema, value T) (T, bool, error)
}

SchemaVisitor is called when visiting a Schema. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type SyntheticPermission ¶ added in v1.46.1

type SyntheticPermission struct {
	Permission
	// contains filtered or unexported fields
}

SyntheticPermission is a permission that has been synthesized by the schema system (e.g., during flattening operations). It is functionally identical to a Permission but is marked as synthetic for tracking purposes.

func (sp *SyntheticPermission) IsSynthetic() bool

type UnionOperation ¶

type UnionOperation struct {
	// contains filtered or unexported fields
}

UnionOperation is an Operation that represents `permission foo = a | b | c`.

func (u *UnionOperation) Children() []Operation

type UnionOperationVisitor ¶ added in v1.46.1

type UnionOperationVisitor[T any] interface {
	VisitUnionOperation(uo *UnionOperation, value T) (T, bool, error)
}

UnionOperationVisitor is called when visiting a UnionOperation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type Visitor ¶ added in v1.46.1

type Visitor[T any] any

Visitor is the base interface that all specific visitor interfaces embed.