schema

package
v1.48.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 9, 2025 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

schema/v2 provides a convenient Go representation of SpiceDB's schema definitions, built on top of the raw protocol buffer types from core.v1.

This package converts low-level protobuf structures (NamespaceDefinition, CaveatDefinition) into ergonomic Schema views that are easier to reason about and work with programatically. The basic types map very closely to the schema language itself.

The proto remains the source of truth; this makes traversing the schema to build queries or determine reachability much easier.

Index

Examples

Constants

View Source 
const (
	CaveatTypeInt        = "int"
	CaveatTypeBool       = "bool"
	CaveatTypeString     = "string"
	CaveatTypeBytes      = "bytes"
	CaveatTypeDouble     = "double"
	CaveatTypeUInt       = "uint"
	CaveatTypeDuration   = "duration"
	CaveatTypeTimestamp  = "timestamp"
	CaveatTypeIPAddress  = "ipaddress"
	CaveatTypeList       = "list"
	CaveatTypeMap        = "map"
	CaveatTypeAny        = "any"
	CaveatTypeListString = "list<string>"
	CaveatTypeListInt    = "list<int>"
	CaveatTypeMapAny     = "map<any>"
)

Common caveat parameter type constants for use with CaveatBuilder.

Variables

This section is empty.

Functions

func WalkBaseRelation added in v1.46.1 

func WalkBaseRelation[T any](br *BaseRelation, v Visitor[T], value T) (T, error)

WalkBaseRelation walks a base relation. Returns the final value and error if any visitor returns an error.

func WalkCaveat added in v1.46.1 

func WalkCaveat[T any](c *Caveat, v Visitor[T], value T) (T, error)

WalkCaveat walks a caveat. Returns the final value and error if any visitor returns an error.

func WalkDefinition added in v1.46.1 

func WalkDefinition[T any](d *Definition, v Visitor[T], value T) (T, error)

WalkDefinition walks a definition and its relations and permissions. Returns the final value and error if any visitor returns an error.

func WalkFlattenedSchema added in v1.46.1 

func WalkFlattenedSchema[T any](fs *FlattenedSchema, v Visitor[T], value T) (T, error)

WalkFlattenedSchema walks the flattened schema tree, calling appropriate visitor methods on the provided Visitor for each node encountered. This is a convenience function that delegates to WalkSchema on the underlying schema.

func WalkOperation added in v1.46.1 

func WalkOperation[T any](op Operation, v Visitor[T], value T) (T, error)

WalkOperation walks an operation tree recursively. Returns the final value and error if any visitor returns an error.

func WalkPermission added in v1.46.1 

func WalkPermission[T any](p *Permission, v Visitor[T], value T) (T, error)

WalkPermission walks a permission and its operation tree. Returns the final value and error if any visitor returns an error.

func WalkRelation added in v1.46.1 

func WalkRelation[T any](r *Relation, v Visitor[T], value T) (T, error)

WalkRelation walks a relation and its base relations. Returns the final value and error if any visitor returns an error.

func WalkResolvedSchema added in v1.46.1 

func WalkResolvedSchema[T any](rs *ResolvedSchema, v Visitor[T], value T) (T, error)

WalkResolvedSchema walks the resolved schema tree, calling appropriate visitor methods on the provided Visitor for each node encountered. This is a convenience function that delegates to WalkSchema on the underlying schema.

func WalkSchema added in v1.46.1 

func WalkSchema[T any](s *Schema, v Visitor[T], value T) (T, error)

WalkSchema walks the entire schema tree, calling appropriate visitor methods on the provided Visitor for each node encountered. Returns the final value and error if any visitor returns an error.

Types

type ArrowOperation added in v1.46.2 

type ArrowOperation interface {
	Operation

	// Left returns the relation on the resource (left side of the arrow).
	Left() string

	// Right returns the relation/permission on the subject (right side of the arrow).
	Right() string

	// Function returns the function type applied to the arrow.
	// For standard arrows (->), this returns FunctionTypeAny.
	// For functioned arrows (.any()/.all()), this returns the specific function type.
	Function() FunctionType
}

ArrowOperation is an interface implemented by all arrow-based operations (both standard and functioned arrows). This includes ArrowReference, FunctionedArrowReference, ResolvedArrowReference, and ResolvedFunctionedArrowReference.

type ArrowOperationVisitor added in v1.46.2 

type ArrowOperationVisitor[T any] interface {
	VisitArrowOperation(ao ArrowOperation, value T) (T, error)
}

ArrowOperationVisitor is called when visiting any ArrowOperation (ArrowReference, FunctionedArrowReference, ResolvedArrowReference, or ResolvedFunctionedArrowReference). Returns the value to pass to subsequent visits, and error to halt immediately.

type ArrowReference 

type ArrowReference struct {
	// contains filtered or unexported fields
}

ArrowReference is an Operation that represents `permission foo = Left->Right`.

func (*ArrowReference) Function added in v1.46.2 

func (a *ArrowReference) Function() FunctionType

Function returns FunctionTypeAny for standard arrows.

func (*ArrowReference) Left 

func (a *ArrowReference) Left() string

Left returns the relation on the resource.

func (*ArrowReference) Right 

func (a *ArrowReference) Right() string

Right returns the relation/permission on the subject.

type ArrowReferenceVisitor added in v1.46.1 

type ArrowReferenceVisitor[T any] interface {
	VisitArrowReference(ar *ArrowReference, value T) (T, error)
}

ArrowReferenceVisitor is called when visiting an ArrowReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type BaseRelation 

type BaseRelation struct {
	// contains filtered or unexported fields
}

BaseRelation is a single type, and its potential caveats, and expiration options. These features are written directly to the database with the parent Relation and Definition as the resource type and relation, and contains the subject type and optional subrelation.

func NewTestBaseRelation added in v1.46.1 

func NewTestBaseRelation(defName, relationName, subjectType, subrelation string) *BaseRelation

NewTestBaseRelation creates a BaseRelation for testing with the proper parent structure. This is exported for use by external test packages that cannot directly create struct literals with unexported fields.

func NewTestBaseRelationWithFeatures added in v1.46.1 

func NewTestBaseRelationWithFeatures(defName, relationName, subjectType, subrelation, caveat string, expiration bool) *BaseRelation

NewTestBaseRelationWithFeatures creates a BaseRelation with caveat and expiration features.

func NewTestWildcardBaseRelation added in v1.46.1 

func NewTestWildcardBaseRelation(defName, relationName, subjectType string) *BaseRelation

NewTestWildcardBaseRelation creates a BaseRelation for wildcard testing.

func NewTestWildcardBaseRelationWithFeatures added in v1.46.1 

func NewTestWildcardBaseRelationWithFeatures(defName, relationName, subjectType, caveat string, expiration bool) *BaseRelation

NewTestWildcardBaseRelationWithFeatures creates a wildcard BaseRelation with caveat and expiration features.

func (*BaseRelation) Caveat 

func (b *BaseRelation) Caveat() string

Caveat returns the caveat of the base relation.

func (*BaseRelation) DefinitionName 

func (b *BaseRelation) DefinitionName() string

DefinitionName returns the name of the Definition in which this BaseRelation appears.

func (*BaseRelation) Expiration 

func (b *BaseRelation) Expiration() bool

Expiration returns whether the base relation has expiration.

func (*BaseRelation) Parent 

func (b *BaseRelation) Parent() *Relation

Parent returns the parent relation.

func (*BaseRelation) RelationName 

func (b *BaseRelation) RelationName() string

RelationName returns the name of the Relation in which this BaseRelation appears.

func (*BaseRelation) Subrelation 

func (b *BaseRelation) Subrelation() string

Subrelation returns the subrelation of the base relation.

func (*BaseRelation) Type 

func (b *BaseRelation) Type() string

Type returns the subject type of the base relation.

func (*BaseRelation) Wildcard 

func (b *BaseRelation) Wildcard() bool

Wildcard returns whether the base relation is a wildcard.

type BaseRelationVisitor added in v1.46.1 

type BaseRelationVisitor[T any] interface {
	VisitBaseRelation(br *BaseRelation, value T) (T, error)
}

BaseRelationVisitor is called when visiting a BaseRelation. Returns the value to pass to subsequent visits, and error to halt immediately.

type Caveat 

type Caveat struct {
	// contains filtered or unexported fields
}

Caveat is a single, top-level caveat definition and it's internal expresion.

func (*Caveat) Expression 

func (c *Caveat) Expression() string

Expression returns the expression of the caveat.

func (*Caveat) Name 

func (c *Caveat) Name() string

Name returns the name of the caveat.

func (*Caveat) Parameters added in v1.47.1 

func (c *Caveat) Parameters() []CaveatParameter

Parameters returns the parameters of the caveat.

func (*Caveat) Parent 

func (c *Caveat) Parent() *Schema

Parent returns the parent schema.

type CaveatBuilder added in v1.47.1 

type CaveatBuilder struct {
	// contains filtered or unexported fields
}

CaveatBuilder provides a fluent API for constructing caveats.

func NewCaveat added in v1.47.1 

func NewCaveat(name string) *CaveatBuilder

NewCaveat creates a new CaveatBuilder for constructing a caveat. This is used with SchemaBuilder.Caveat() to add caveats using the builder pattern.

func (*CaveatBuilder) Done added in v1.47.1 

func (cb *CaveatBuilder) Done() *SchemaBuilder

Done completes the caveat and returns to the schema builder.

func (*CaveatBuilder) Expression added in v1.47.1 

func (cb *CaveatBuilder) Expression(expr string) *CaveatBuilder

Expression sets the caveat's expression.

func (*CaveatBuilder) Parameter added in v1.47.1 

func (cb *CaveatBuilder) Parameter(paramName, paramType string) *CaveatBuilder

Parameter adds a parameter with name and type to the caveat.

func (*CaveatBuilder) ParameterMap added in v1.47.1 

func (cb *CaveatBuilder) ParameterMap(params map[string]string) *CaveatBuilder

ParameterMap adds multiple parameters from a map of name to type. This is useful when you have many parameters to add at once.

type CaveatParameter added in v1.47.1 

type CaveatParameter struct {
	// contains filtered or unexported fields
}

CaveatParameter represents a single parameter in a caveat with its name and type.

func (*CaveatParameter) Name added in v1.47.1 

func (cp *CaveatParameter) Name() string

Name returns the name of the parameter.

func (*CaveatParameter) Type added in v1.47.1 

func (cp *CaveatParameter) Type() string

Type returns the type of the parameter.

type CaveatVisitor added in v1.46.1 

type CaveatVisitor[T any] interface {
	VisitCaveat(c *Caveat, value T) (T, error)
}

CaveatVisitor is called when visiting a Caveat. Returns the value to pass to subsequent visits, and error to halt immediately.

type Definition 

type Definition struct {
	// contains filtered or unexported fields
}

Definition is a single schema object type, with relations and permissions.

func (*Definition) GetPermission added in v1.47.1 

func (d *Definition) GetPermission(name string) (*Permission, bool)

GetPermission returns the permission with the given name and a boolean indicating whether it exists in the definition.

func (*Definition) GetRelation added in v1.47.1 

func (d *Definition) GetRelation(name string) (*Relation, bool)

GetRelation returns the relation with the given name and a boolean indicating whether it exists in the definition.

func (*Definition) Name 

func (d *Definition) Name() string

Name returns the name of the definition.

func (*Definition) Parent 

func (d *Definition) Parent() *Schema

Parent returns the parent schema.

func (*Definition) Permissions 

func (d *Definition) Permissions() map[string]*Permission

Permissions returns the permissions in the definition.

func (*Definition) Relations 

func (d *Definition) Relations() map[string]*Relation

Relations returns the relations in the definition.

type DefinitionBuilder added in v1.47.1 

type DefinitionBuilder struct {
	// contains filtered or unexported fields
}

DefinitionBuilder provides a fluent API for constructing object definitions.

func NewDefinition added in v1.47.1 

func NewDefinition(name string) *DefinitionBuilder

NewDefinition creates a new DefinitionBuilder for constructing a definition. This is used with SchemaBuilder.Definition() to add definitions using the builder pattern.

func (*DefinitionBuilder) AddPermission added in v1.47.1 

func (db *DefinitionBuilder) AddPermission(name string) *PermissionBuilder

AddPermission adds or modifies a permission in the definition by name. Returns a PermissionBuilder for fluent configuration.

func (*DefinitionBuilder) AddRelation added in v1.47.1 

func (db *DefinitionBuilder) AddRelation(name string) *RelationBuilder

AddRelation adds or modifies a relation in the definition by name. Returns a RelationBuilder for fluent configuration.

func (*DefinitionBuilder) Done added in v1.47.1 

func (db *DefinitionBuilder) Done() *SchemaBuilder

Done completes the definition and returns to the schema builder.

func (*DefinitionBuilder) Permission added in v1.47.1 

func (db *DefinitionBuilder) Permission(pb *PermissionBuilder) *DefinitionBuilder

Permission accepts a PermissionBuilder and integrates it into the definition. Returns the DefinitionBuilder for continued chaining.

func (*DefinitionBuilder) Relation added in v1.47.1 

func (db *DefinitionBuilder) Relation(rb *RelationBuilder) *DefinitionBuilder

Relation accepts a RelationBuilder and integrates it into the definition. Returns the DefinitionBuilder for continued chaining.

type DefinitionVisitor added in v1.46.1 

type DefinitionVisitor[T any] interface {
	VisitDefinition(d *Definition, value T) (T, bool, error)
}

DefinitionVisitor is called when visiting a Definition. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type ExclusionExprBuilder added in v1.47.1 

type ExclusionExprBuilder struct {
	// contains filtered or unexported fields
}

ExclusionExprBuilder allows building exclusion operations incrementally.

func NewExclusion added in v1.47.1 

func NewExclusion() *ExclusionExprBuilder

NewExclusion creates a new ExclusionExprBuilder for constructing an exclusion operation. This is useful when you want to build an exclusion expression outside of a permission builder context.

func (*ExclusionExprBuilder) Base added in v1.47.1 

func (eb *ExclusionExprBuilder) Base(op Operation) *ExclusionExprBuilder

Base sets the base operation for the exclusion.

func (*ExclusionExprBuilder) BaseArrow added in v1.47.1 

func (eb *ExclusionExprBuilder) BaseArrow(relationName, permissionName string) *ExclusionExprBuilder

BaseArrow sets the base as an arrow reference.

func (*ExclusionExprBuilder) BaseRelationRef added in v1.47.1 

func (eb *ExclusionExprBuilder) BaseRelationRef(relationName string) *ExclusionExprBuilder

BaseRelationRef sets the base as a relation reference.

func (*ExclusionExprBuilder) Build added in v1.47.1 

func (eb *ExclusionExprBuilder) Build() Operation

Build completes the exclusion expression and returns it as an Operation. This is used when building operations outside of a permission builder context.

func (*ExclusionExprBuilder) Done added in v1.47.1 

func (eb *ExclusionExprBuilder) Done() *PermissionBuilder

Done completes the exclusion expression and returns to the permission builder.

func (*ExclusionExprBuilder) Exclude added in v1.47.1 

func (eb *ExclusionExprBuilder) Exclude(op Operation) *ExclusionExprBuilder

Exclude sets the operation to exclude from the base.

func (*ExclusionExprBuilder) ExcludeArrow added in v1.47.1 

func (eb *ExclusionExprBuilder) ExcludeArrow(relationName, permissionName string) *ExclusionExprBuilder

ExcludeArrow sets the excluded operation as an arrow reference.

func (*ExclusionExprBuilder) ExcludeRelationRef added in v1.47.1 

func (eb *ExclusionExprBuilder) ExcludeRelationRef(relationName string) *ExclusionExprBuilder

ExcludeRelationRef sets the excluded operation as a relation reference.

type ExclusionOperation 

type ExclusionOperation struct {
	// contains filtered or unexported fields
}

ExclusionOperation is an Operation that represents `permission foo = a - b`.

func (*ExclusionOperation) Left 

func (e *ExclusionOperation) Left() Operation

Left returns the operation from which we are excluding.

func (*ExclusionOperation) Right 

func (e *ExclusionOperation) Right() Operation

Right returns the operation that is being excluded.

type ExclusionOperationVisitor added in v1.46.1 

type ExclusionOperationVisitor[T any] interface {
	VisitExclusionOperation(eo *ExclusionOperation, value T) (T, bool, error)
}

ExclusionOperationVisitor is called when visiting an ExclusionOperation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type FlattenOptions added in v1.46.2 

type FlattenOptions struct {
	// Separator controls what separator is used between permission names and hashes
	// in synthetic permissions ($ or __).
	Separator FlattenSeparator

	// FlattenNonUnionOperations controls whether non-union operations (intersections,
	// exclusions) should be flattened. When true, nested compound operations are
	// extracted into synthetic permissions.
	FlattenNonUnionOperations bool

	// FlattenArrows controls whether arrow operations (->) should be flattened.
	// When true, arrow operations are treated as leaf nodes and are extracted into
	// their own synthetic permissions. When false, they remain as-is in the operation tree.
	FlattenArrows bool
}

FlattenOptions contains options for flattening a schema.

type FlattenSeparator added in v1.46.1 

type FlattenSeparator string

FlattenSeparator is the separator used between permission names and hashes in synthetic permissions. 

const (
	// FlattenSeparatorDollar uses $ as separator (e.g., view$abc123).
	// Note: $ is not valid in schema DSL identifiers, so this is only for internal use.
	FlattenSeparatorDollar FlattenSeparator = "$"

	// FlattenSeparatorDoubleUnderscore uses __ as separator (e.g., view__abc123).
	// This is valid in schema DSL identifiers.
	FlattenSeparatorDoubleUnderscore FlattenSeparator = "__"
)

type FlattenedSchema added in v1.46.1 

type FlattenedSchema struct {
	// contains filtered or unexported fields
}

FlattenedSchema wraps a ResolvedSchema where all nested operations under permissions have been replaced with references to synthetic permissions.

func FlattenSchema added in v1.46.1 

func FlattenSchema(rs *ResolvedSchema, separator FlattenSeparator) (*FlattenedSchema, error)

FlattenSchema takes a resolved schema and recursively flattens all nested operations under each permission's root expression by replacing them with references to new synthetic permissions. The synthetic permissions are named using the pattern: `{permissionName}{separator}{hash}` where hash is computed using rudd BDD canonicalization. The separator parameter controls what separator is used ($ or __).

This function uses default flattening options that flatten both non-union operations and arrows.

func FlattenSchemaWithOptions added in v1.46.2 

func FlattenSchemaWithOptions(rs *ResolvedSchema, options FlattenOptions) (*FlattenedSchema, error)

FlattenSchemaWithOptions takes a resolved schema and recursively flattens operations according to the provided options. Nested operations under each permission's root expression are replaced with references to new synthetic permissions. The synthetic permissions are named using the pattern: `{permissionName}{separator}{hash}` where hash is computed using rudd BDD canonicalization.

func (*FlattenedSchema) ResolvedSchema added in v1.46.1 

func (f *FlattenedSchema) ResolvedSchema() *ResolvedSchema

ResolvedSchema returns the underlying resolved schema with flattened operations.

type FunctionType added in v1.46.1 

type FunctionType int

FunctionType represents the type of function applied to a tupleset. 

const (
	FunctionTypeAny FunctionType = iota
	FunctionTypeAll
)

type FunctionedArrowReference added in v1.46.2 

type FunctionedArrowReference struct {
	// contains filtered or unexported fields
}

FunctionedArrowReference is an Operation that represents functioned arrows like `permission foo = relation.any(other)` or `permission foo = relation.all(other)`.

func (*FunctionedArrowReference) Function added in v1.46.2 

func (f *FunctionedArrowReference) Function() FunctionType

func (*FunctionedArrowReference) Left added in v1.46.2 

func (f *FunctionedArrowReference) Left() string

func (*FunctionedArrowReference) Right added in v1.46.2 

func (f *FunctionedArrowReference) Right() string

type IntersectionExprBuilder added in v1.47.1 

type IntersectionExprBuilder struct {
	// contains filtered or unexported fields
}

IntersectionExprBuilder allows building intersection operations incrementally.

func NewIntersection added in v1.47.1 

func NewIntersection() *IntersectionExprBuilder

NewIntersection creates a new IntersectionExprBuilder for constructing an intersection operation. This is useful when you want to build an intersection expression outside of a permission builder context.

func (*IntersectionExprBuilder) Add added in v1.47.1 

func (ib *IntersectionExprBuilder) Add(op Operation) *IntersectionExprBuilder

Add adds an operation to the intersection.

func (*IntersectionExprBuilder) AddArrow added in v1.47.1 

func (ib *IntersectionExprBuilder) AddArrow(relationName, permissionName string) *IntersectionExprBuilder

AddArrow adds an arrow reference to the intersection.

func (*IntersectionExprBuilder) AddRelationRef added in v1.47.1 

func (ib *IntersectionExprBuilder) AddRelationRef(relationName string) *IntersectionExprBuilder

AddRelationRef adds a relation reference to the intersection.

func (*IntersectionExprBuilder) Build added in v1.47.1 

func (ib *IntersectionExprBuilder) Build() Operation

Build completes the intersection expression and returns it as an Operation. This is used when building operations outside of a permission builder context.

func (*IntersectionExprBuilder) Done added in v1.47.1 

func (ib *IntersectionExprBuilder) Done() *PermissionBuilder

Done completes the intersection expression and returns to the permission builder.

type IntersectionOperation 

type IntersectionOperation struct {
	// contains filtered or unexported fields
}

IntersectionOperation is an Operation that represents `permission foo = a & b & c`.

func (*IntersectionOperation) Children 

func (i *IntersectionOperation) Children() []Operation

Children returns the sub-operations that are intersected together.

type IntersectionOperationVisitor added in v1.46.1 

type IntersectionOperationVisitor[T any] interface {
	VisitIntersectionOperation(io *IntersectionOperation, value T) (T, bool, error)
}

IntersectionOperationVisitor is called when visiting an IntersectionOperation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type NilReference added in v1.47.1 

type NilReference struct{}

NilReference is a specialized Operation that represents a nil/empty operation. Unlike RelationReference, it is not replaced during resolution.

type NilReferenceVisitor added in v1.47.1 

type NilReferenceVisitor[T any] interface {
	VisitNilReference(nr *NilReference, value T) (T, error)
}

NilReferenceVisitor is called when visiting a NilReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type Operation 

type Operation interface {
	// contains filtered or unexported methods
}

Operation is a closed enum of things that can exist on the right-hand-side of a permission. It forms a tree of unions, intersections and exclusions, until the leaves are things like references to other permissions or relations, or are arrows.

func ArrowRef added in v1.47.1 

func ArrowRef(relationName, permissionName string) Operation

ArrowRef creates an ArrowReference operation for use in permission builders.

func Exclusion added in v1.47.1 

func Exclusion(base, excluded Operation) Operation

Exclusion creates an ExclusionOperation for use in permission builders.

func Intersection added in v1.47.1 

func Intersection(operations ...Operation) Operation

Intersection creates an IntersectionOperation for use in permission builders.

func IntersectionArrowRef added in v1.47.1 

func IntersectionArrowRef(relation string, computedRelationName string) Operation

IntersectionArrowRef creates an intersection arrow operation for use in permission builders.

func NewArrow added in v1.47.1 

func NewArrow(relationName, permissionName string) Operation

NewArrow creates an ArrowReference operation for the given relation and permission names. This is an alternative to ArrowRef() that follows the New* naming convention.

func NewRelationRef added in v1.47.1 

func NewRelationRef(relationName string) Operation

NewRelationRef creates a RelationReference operation for the given relation name. This is an alternative to RelRef() that follows the New* naming convention.

func RelRef added in v1.47.1 

func RelRef(relationName string) Operation

RelRef creates a RelationReference operation for use in permission builders.

func Union added in v1.47.1 

func Union(operations ...Operation) Operation

Union creates a UnionOperation for use in permission builders.

type OperationVisitor added in v1.46.1 

type OperationVisitor[T any] interface {
	VisitOperation(op Operation, value T) (T, bool, error)
}

OperationVisitor is called when visiting any Operation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type Permission 

type Permission struct {
	// contains filtered or unexported fields
}

Permission is a single `permission` line belonging to a definition. It has a name and a // and/or/not tree of operations representing it's right-hand-side.

func (*Permission) IsSynthetic added in v1.46.1 

func (p *Permission) IsSynthetic() bool

IsSynthetic returns true if this permission was synthesized by the schema system.

func (*Permission) Name 

func (p *Permission) Name() string

Name returns the name of the permission.

func (*Permission) Operation 

func (p *Permission) Operation() Operation

Operation returns the operation of the permission.

func (*Permission) Parent 

func (p *Permission) Parent() *Definition

Parent returns the parent definition.

type PermissionBuilder added in v1.47.1 

type PermissionBuilder struct {
	// contains filtered or unexported fields
}

PermissionBuilder provides a fluent API for constructing permissions.

func NewPermission added in v1.47.1 

func NewPermission(name string, operation Operation) *PermissionBuilder

NewPermission creates a new PermissionBuilder for constructing a permission with an operation. This is used with DefinitionBuilder.Permission() to add permissions using the builder pattern.

func (*PermissionBuilder) Arrow added in v1.47.1 

func (pb *PermissionBuilder) Arrow(relationName, permissionName string) *PermissionBuilder

Arrow creates an arrow reference operation (e.g., "owner->edit").

func (*PermissionBuilder) Done added in v1.47.1 

func (pb *PermissionBuilder) Done() *DefinitionBuilder

Done completes the permission and returns to the definition builder.

func (*PermissionBuilder) Exclusion added in v1.47.1 

func (pb *PermissionBuilder) Exclusion(base, excluded Operation) *PermissionBuilder

Exclusion creates an exclusion (subtraction) operation.

func (*PermissionBuilder) ExclusionExpr added in v1.47.1 

func (pb *PermissionBuilder) ExclusionExpr() *ExclusionExprBuilder

ExclusionExpr starts building an exclusion expression incrementally.

func (*PermissionBuilder) Intersection added in v1.47.1 

func (pb *PermissionBuilder) Intersection(operations ...Operation) *PermissionBuilder

Intersection creates an intersection (AND) operation from multiple operations.

func (*PermissionBuilder) IntersectionArrow added in v1.47.1 

func (pb *PermissionBuilder) IntersectionArrow(relation string, computedRelationName string) *PermissionBuilder

IntersectionArrow creates an intersection arrow operation (e.g., "relation.all(permission)").

func (*PermissionBuilder) IntersectionExpr added in v1.47.1 

func (pb *PermissionBuilder) IntersectionExpr() *IntersectionExprBuilder

IntersectionExpr starts building an intersection expression incrementally.

func (*PermissionBuilder) Operation added in v1.47.1 

func (pb *PermissionBuilder) Operation(op Operation) *PermissionBuilder

Operation sets the permission's operation directly.

func (*PermissionBuilder) RelationRef added in v1.47.1 

func (pb *PermissionBuilder) RelationRef(relationName string) *PermissionBuilder

RelationRef creates a simple relation reference operation (e.g., "viewer").

func (*PermissionBuilder) Union added in v1.47.1 

func (pb *PermissionBuilder) Union(operations ...Operation) *PermissionBuilder

Union creates a union (OR) operation from multiple operations.

func (*PermissionBuilder) UnionExpr added in v1.47.1 

func (pb *PermissionBuilder) UnionExpr() *UnionExprBuilder

UnionExpr starts building a union expression incrementally.

type PermissionVisitor added in v1.46.1 

type PermissionVisitor[T any] interface {
	VisitPermission(p *Permission, value T) (T, bool, error)
}

PermissionVisitor is called when visiting a Permission. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type Relation 

type Relation struct {
	// contains filtered or unexported fields
}

Relation is a single `relation` line belonging to a definition. It has a name and list of types appearing on the right hand side.

func (*Relation) AliasingRelation 

func (r *Relation) AliasingRelation() string

AliasingRelation returns the aliasing relation of the relation.

func (*Relation) BaseRelations 

func (r *Relation) BaseRelations() []*BaseRelation

BaseRelations returns the base relations of the relation.

func (*Relation) Name 

func (r *Relation) Name() string

Name returns the name of the relation.

func (*Relation) Parent 

func (r *Relation) Parent() *Definition

Parent returns the parent definition.

type RelationBuilder added in v1.47.1 

type RelationBuilder struct {
	// contains filtered or unexported fields
}

RelationBuilder provides a fluent API for constructing relations.

func NewRelation added in v1.47.1 

func NewRelation(name string) *RelationBuilder

NewRelation creates a new RelationBuilder for constructing a relation. This is used with DefinitionBuilder.Relation() to add relations using the builder pattern.

func (*RelationBuilder) Alias added in v1.47.1 

func (rb *RelationBuilder) Alias(aliasingRelation string) *RelationBuilder

Alias sets this relation as an alias to another relation.

func (*RelationBuilder) AllowedDirectRelation added in v1.47.1 

func (rb *RelationBuilder) AllowedDirectRelation(subjectType string) *RelationBuilder

AllowedDirectRelation adds a direct subject type to the relation. This allows subjects of the specified type to be directly assigned to this relation.

func (*RelationBuilder) AllowedDirectRelationWithCaveat added in v1.47.1 

func (rb *RelationBuilder) AllowedDirectRelationWithCaveat(subjectType, caveat string) *RelationBuilder

AllowedDirectRelationWithCaveat adds a direct subject type with a caveat.

func (*RelationBuilder) AllowedDirectRelationWithExpiration added in v1.47.1 

func (rb *RelationBuilder) AllowedDirectRelationWithExpiration(subjectType string) *RelationBuilder

AllowedDirectRelationWithExpiration adds a direct subject type with expiration support.

func (*RelationBuilder) AllowedDirectRelationWithFeatures added in v1.47.1 

func (rb *RelationBuilder) AllowedDirectRelationWithFeatures(subjectType, caveat string, expiration bool) *RelationBuilder

AllowedDirectRelationWithFeatures adds a direct subject type with full feature control.

func (*RelationBuilder) AllowedRelation added in v1.47.1 

func (rb *RelationBuilder) AllowedRelation(subjectType, subrelation string) *RelationBuilder

AllowedRelation adds a base relation (allowed subject type with subrelation) to the relation. subrelation specifies a specific relation/permission on the subject type.

func (*RelationBuilder) AllowedRelationWithCaveat added in v1.47.1 

func (rb *RelationBuilder) AllowedRelationWithCaveat(subjectType, subrelation, caveat string) *RelationBuilder

AllowedRelationWithCaveat adds a base relation with a caveat.

func (*RelationBuilder) AllowedRelationWithExpiration added in v1.47.1 

func (rb *RelationBuilder) AllowedRelationWithExpiration(subjectType, subrelation string) *RelationBuilder

AllowedRelationWithExpiration adds a base relation with expiration support.

func (*RelationBuilder) AllowedRelationWithFeatures added in v1.47.1 

func (rb *RelationBuilder) AllowedRelationWithFeatures(subjectType, subrelation, caveat string, expiration bool) *RelationBuilder

AllowedRelationWithFeatures adds a base relation with full feature control.

func (*RelationBuilder) AllowedWildcard added in v1.47.1 

func (rb *RelationBuilder) AllowedWildcard(subjectType string) *RelationBuilder

AllowedWildcard adds a wildcard base relation.

func (*RelationBuilder) AllowedWildcardWithCaveat added in v1.47.1 

func (rb *RelationBuilder) AllowedWildcardWithCaveat(subjectType, caveat string) *RelationBuilder

AllowedWildcardWithCaveat adds a wildcard base relation with a caveat.

func (*RelationBuilder) Done added in v1.47.1 

func (rb *RelationBuilder) Done() *DefinitionBuilder

Done completes the relation and returns to the definition builder.

type RelationOrPermission added in v1.46.1 

type RelationOrPermission interface {
	// contains filtered or unexported methods
}

type RelationReference 

type RelationReference struct {
	// contains filtered or unexported fields
}

RelationReference is an Operation that is a simple relation, such as `permission foo = bar`.

func (*RelationReference) RelationName 

func (r *RelationReference) RelationName() string

RelationName returns the name of the relation or permission being referenced.

type RelationReferenceVisitor added in v1.46.1 

type RelationReferenceVisitor[T any] interface {
	VisitRelationReference(rr *RelationReference, value T) (T, error)
}

RelationReferenceVisitor is called when visiting a RelationReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type RelationVisitor added in v1.46.1 

type RelationVisitor[T any] interface {
	VisitRelation(r *Relation, value T) (T, bool, error)
}

RelationVisitor is called when visiting a Relation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type ResolvedArrowReference added in v1.46.1 

type ResolvedArrowReference struct {
	// contains filtered or unexported fields
}

ResolvedArrowReference is an Operation that represents a resolved arrow reference. It contains the resolved left side relation and the name of the right side.

func (*ResolvedArrowReference) Function added in v1.46.2 

func (a *ResolvedArrowReference) Function() FunctionType

Function returns FunctionTypeAny for standard resolved arrows.

func (*ResolvedArrowReference) Left added in v1.46.1 

func (a *ResolvedArrowReference) Left() string

Left returns the name of the relation on the resource.

func (*ResolvedArrowReference) ResolvedLeft added in v1.46.1 

func (a *ResolvedArrowReference) ResolvedLeft() *Relation

ResolvedLeft returns the actual Relation being referenced on the left side.

func (*ResolvedArrowReference) Right added in v1.46.1 

func (a *ResolvedArrowReference) Right() string

Right returns the name of the relation/permission on the subject.

type ResolvedArrowReferenceVisitor added in v1.46.1 

type ResolvedArrowReferenceVisitor[T any] interface {
	VisitResolvedArrowReference(rar *ResolvedArrowReference, value T) (T, error)
}

ResolvedArrowReferenceVisitor is called when visiting a ResolvedArrowReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type ResolvedFunctionedArrowReference added in v1.46.2 

type ResolvedFunctionedArrowReference struct {
	// contains filtered or unexported fields
}

ResolvedFunctionedArrowReference is an Operation that represents a resolved functioned arrow reference. It contains the resolved left side relation, the name of the right side, and the function type.

func (*ResolvedFunctionedArrowReference) Function added in v1.46.2 

func (a *ResolvedFunctionedArrowReference) Function() FunctionType

Function returns the function type.

func (*ResolvedFunctionedArrowReference) Left added in v1.46.2 

func (a *ResolvedFunctionedArrowReference) Left() string

Left returns the name of the relation on the resource.

func (*ResolvedFunctionedArrowReference) ResolvedLeft added in v1.46.2 

func (a *ResolvedFunctionedArrowReference) ResolvedLeft() *Relation

ResolvedLeft returns the actual Relation being referenced on the left side.

func (*ResolvedFunctionedArrowReference) Right added in v1.46.2 

func (a *ResolvedFunctionedArrowReference) Right() string

Right returns the name of the relation/permission on the subject.

type ResolvedFunctionedArrowReferenceVisitor added in v1.46.2 

type ResolvedFunctionedArrowReferenceVisitor[T any] interface {
	VisitResolvedFunctionedArrowReference(rfar *ResolvedFunctionedArrowReference, value T) (T, error)
}

ResolvedFunctionedArrowReferenceVisitor is called when visiting a ResolvedFunctionedArrowReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type ResolvedRelationReference added in v1.46.1 

type ResolvedRelationReference struct {
	// contains filtered or unexported fields
}

ResolvedRelationReference is an Operation that is a resolved relation reference. It contains both the name and the actual RelationOrPermission being referenced.

func (*ResolvedRelationReference) RelationName added in v1.46.1 

func (r *ResolvedRelationReference) RelationName() string

RelationName returns the name of the relation or permission being referenced.

func (*ResolvedRelationReference) Resolved added in v1.46.1 

func (r *ResolvedRelationReference) Resolved() RelationOrPermission

Resolved returns the actual RelationOrPermission being referenced.

type ResolvedRelationReferenceVisitor added in v1.46.1 

type ResolvedRelationReferenceVisitor[T any] interface {
	VisitResolvedRelationReference(rrr *ResolvedRelationReference, value T) (T, error)
}

ResolvedRelationReferenceVisitor is called when visiting a ResolvedRelationReference. Returns the value to pass to subsequent visits, and error to halt immediately.

type ResolvedSchema added in v1.46.1 

type ResolvedSchema struct {
	// contains filtered or unexported fields
}

ResolvedSchema wraps a Schema where all RelationReferences and ArrowReferences have been resolved to their actual RelationOrPermission targets.

func ResolveSchema added in v1.46.1 

func ResolveSchema(s *Schema) (*ResolvedSchema, error)

ResolveSchema takes a schema, clones it, walks through all operations, and replaces RelationReference and ArrowReference nodes with their resolved versions. Returns an error if any relation or arrow left side cannot be resolved.

func (*ResolvedSchema) Schema added in v1.46.1 

func (r *ResolvedSchema) Schema() *Schema

Schema returns the underlying resolved schema.

type Schema 

type Schema struct {
	// contains filtered or unexported fields
}

Schema is a view of a complete schema, with all definitions and caveats.

func BuildSchemaFromCompiledSchema 

func BuildSchemaFromCompiledSchema(schema compiler.CompiledSchema) (*Schema, error)

BuildSchemaFromCompiledSchema generates a Schema view from a CompiledSchema.

func BuildSchemaFromDefinitions 

func BuildSchemaFromDefinitions(objectDefs []*corev1.NamespaceDefinition, caveatDefs []*corev1.CaveatDefinition) (*Schema, error)

BuildSchemaFromDefinitions generates a Schema view from the base core.v1 protos.

func CloneSchema added in v1.46.1 

func CloneSchema(s *Schema) *Schema

CloneSchema creates a deep copy of a Schema and all its nested structures. All parent references are properly maintained in the cloned structure.

func (*Schema) Caveats 

func (s *Schema) Caveats() map[string]*Caveat

Caveats returns the caveats in the schema.

func (*Schema) Definitions 

func (s *Schema) Definitions() map[string]*Definition

Definitions returns the definitions in the schema.

func (*Schema) GetTypeDefinition added in v1.47.1 

func (s *Schema) GetTypeDefinition(name string) (*Definition, bool)

GetTypeDefinition returns the type definition with the given name and a boolean indicating whether it exists in the schema.

func (*Schema) ToDefinitions added in v1.47.1 

func (s *Schema) ToDefinitions() ([]*core.NamespaceDefinition, []*core.CaveatDefinition, error)

ToDefinitions converts a Schema to the full set of namespace and caveat definitions. This is useful for converting schemas back to the protobuf format for serialization.

type SchemaBuilder added in v1.47.1 

type SchemaBuilder struct {
	// contains filtered or unexported fields
}

SchemaBuilder provides a fluent API for constructing schemas programmatically. It maintains parent-child relationships automatically and provides method chaining.

Example usage: 

schema := NewSchemaBuilder().
	AddDefinition("user").
		Done().
	AddDefinition("document").
		AddRelation("owner").
			AllowedDirectRelation("user").
			Done().
		AddRelation("viewer").
			AllowedDirectRelation("user").
			AllowedRelation("group", "member").
			Done().
		AddPermission("view").
			UnionExpr().
				Add(RelRef("owner")).
				Add(RelRef("viewer")).
				Done().
			Done().
		Done().
	AddCaveat("has_access").
		Expression("resource == 42").
		Parameter("resource", CaveatTypeInt).
		Done().
	Build()
Example

ExampleSchemaBuilder demonstrates basic schema creation using the builder pattern. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("user").
		Done().
		AddDefinition("document").
		AddRelation("owner").
		AllowedDirectRelation("user").
		Done().
		AddRelation("viewer").
		AllowedDirectRelation("user").
		Done().
		AddPermission("view").
		Union(
			schema.RelRef("owner"),
			schema.RelRef("viewer"),
		).
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (Complex)

ExampleSchemaBuilder_complex demonstrates a complex schema with multiple features. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("user").
		Done().
		AddDefinition("group").
		AddRelation("member").
		AllowedDirectRelation("user").
		AllowedRelation("group", "member").
		Done().
		Done().
		AddDefinition("folder").
		AddRelation("owner").
		AllowedDirectRelation("user").
		Done().
		AddRelation("viewer").
		AllowedDirectRelation("user").
		AllowedRelation("group", "member").
		Done().
		AddPermission("view").
		UnionExpr().
		AddRelationRef("owner").
		AddRelationRef("viewer").
		Done().
		Done().
		AddPermission("edit").
		RelationRef("owner").
		Done().
		Done().
		AddDefinition("document").
		AddRelation("parent").
		AllowedDirectRelation("folder").
		Done().
		AddRelation("owner").
		AllowedDirectRelation("user").
		Done().
		AddRelation("viewer").
		AllowedDirectRelation("user").
		AllowedRelation("group", "member").
		Done().
		AddRelation("banned").
		AllowedDirectRelation("user").
		Done().
		AddPermission("view").
		ExclusionExpr().
		Base(
			schema.Union(
				schema.RelRef("owner"),
				schema.RelRef("viewer"),
				schema.ArrowRef("parent", "view"),
			),
		).
		ExcludeRelationRef("banned").
		Done().
		Done().
		AddPermission("edit").
		IntersectionExpr().
		AddRelationRef("owner").
		AddArrow("parent", "edit").
		Done().
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (ConstructorComplexNested)

ExampleSchemaBuilder_constructorComplexNested demonstrates complex nested operations with the constructor pattern. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		Definition(schema.NewDefinition("user")).
		Definition(
			schema.NewDefinition("group").
				Relation(schema.NewRelation("member").AllowedDirectRelation("user")),
		).
		Definition(
			schema.NewDefinition("folder").
				Relation(schema.NewRelation("owner").AllowedDirectRelation("user")).
				Relation(
					schema.NewRelation("viewer").
						AllowedDirectRelation("user").
						AllowedRelation("group", "member"),
				).
				Permission(
					schema.NewPermission("view", schema.Union(
						schema.RelRef("owner"),
						schema.RelRef("viewer"),
					)),
				),
		).
		Definition(
			schema.NewDefinition("document").
				Relation(schema.NewRelation("parent").AllowedDirectRelation("folder")).
				Relation(schema.NewRelation("owner").AllowedDirectRelation("user")).
				Relation(schema.NewRelation("banned").AllowedDirectRelation("user")).
				Permission(
					schema.NewPermission("view", schema.Exclusion(
						schema.Union(
							schema.RelRef("owner"),
							schema.ArrowRef("parent", "view"),
						),
						schema.RelRef("banned"),
					)),
				).
				Permission(
					schema.NewPermission("edit", schema.Intersection(
						schema.Union(
							schema.RelRef("owner"),
							schema.ArrowRef("parent", "view"),
						),
						schema.Exclusion(
							schema.RelRef("owner"),
							schema.RelRef("banned"),
						),
					)),
				),
		).
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (ConstructorPattern)

ExampleSchemaBuilder_constructorPattern demonstrates the new constructor-based builder pattern. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		Definition(
			schema.NewDefinition("user"),
		).
		Definition(
			schema.NewDefinition("document").
				Relation(schema.NewRelation("owner").AllowedDirectRelation("user")).
				Relation(schema.NewRelation("editor").AllowedDirectRelation("user")).
				Relation(schema.NewRelation("viewer").AllowedDirectRelation("user")).
				Permission(
					schema.NewPermission("view", schema.Union(
						schema.RelRef("owner"),
						schema.RelRef("editor"),
						schema.RelRef("viewer"),
					)),
				),
		).
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (ConstructorWithArrow)

ExampleSchemaBuilder_constructorWithArrow demonstrates using arrow references for hierarchical permissions. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		Definition(
			schema.NewDefinition("folder").
				Relation(schema.NewRelation("owner").AllowedDirectRelation("user")).
				Permission(schema.NewPermission("view", schema.RelRef("owner"))),
		).
		Definition(
			schema.NewDefinition("document").
				Relation(schema.NewRelation("parent").AllowedDirectRelation("folder")).
				Relation(schema.NewRelation("owner").AllowedDirectRelation("user")).
				Permission(
					schema.NewPermission("view", schema.Union(
						schema.RelRef("owner"),
						schema.ArrowRef("parent", "view"),
					)),
				),
		).
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (ConstructorWithCaveat)

ExampleSchemaBuilder_constructorWithCaveat demonstrates using caveats with the constructor pattern. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		Definition(
			schema.NewDefinition("document").
				Relation(
					schema.NewRelation("conditional_viewer").
						AllowedDirectRelationWithCaveat("user", "valid_ip"),
				),
		).
		Caveat(
			schema.NewCaveat("valid_ip").
				Expression("request.ip_address in allowed_ranges").
				Parameter("allowed_ranges", schema.CaveatTypeListString).
				Parameter("request", schema.CaveatTypeMapAny),
		).
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (ConstructorWithExclusion)

ExampleSchemaBuilder_constructorWithExclusion demonstrates using exclusion (subtraction) with the constructor pattern. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		Definition(
			schema.NewDefinition("document").
				Relation(schema.NewRelation("viewer").AllowedDirectRelation("user")).
				Relation(schema.NewRelation("banned").AllowedDirectRelation("user")).
				Permission(
					schema.NewPermission("view", schema.Exclusion(
						schema.RelRef("viewer"),
						schema.RelRef("banned"),
					)),
				),
		).
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (ConstructorWithIntersection)

ExampleSchemaBuilder_constructorWithIntersection demonstrates using intersection with the constructor pattern. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		Definition(
			schema.NewDefinition("document").
				Relation(schema.NewRelation("owner").AllowedDirectRelation("user")).
				Relation(schema.NewRelation("approved").AllowedDirectRelation("user")).
				Permission(
					schema.NewPermission("admin_edit", schema.Intersection(
						schema.RelRef("owner"),
						schema.RelRef("approved"),
					)),
				),
		).
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (ConstructorWithIntersectionArrow)

ExampleSchemaBuilder_constructorWithIntersectionArrow demonstrates using intersection arrow (all) operations. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		Definition(
			schema.NewDefinition("folder").
				Relation(schema.NewRelation("viewer").AllowedDirectRelation("user")),
		).
		Definition(
			schema.NewDefinition("document").
				Relation(schema.NewRelation("parent").AllowedDirectRelation("folder")).
				Permission(
					schema.NewPermission("all_parents_can_view", schema.IntersectionArrowRef("parent", "viewer")),
				),
		).
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (IncrementalUnion)

ExampleSchemaBuilder_incrementalUnion demonstrates building a union permission incrementally. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("document").
		AddRelation("owner").
		AllowedDirectRelation("user").
		Done().
		AddRelation("editor").
		AllowedDirectRelation("user").
		Done().
		AddRelation("viewer").
		AllowedDirectRelation("user").
		Done().
		AddPermission("view").
		UnionExpr().
		AddRelationRef("owner").
		AddRelationRef("editor").
		AddRelationRef("viewer").
		Done().
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (WithArrow)

ExampleSchemaBuilder_withArrow demonstrates using arrow references for hierarchical permissions. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("folder").
		AddRelation("owner").
		AllowedDirectRelation("user").
		Done().
		AddPermission("view").
		RelationRef("owner").
		Done().
		Done().
		AddDefinition("document").
		AddRelation("parent").
		AllowedDirectRelation("folder").
		Done().
		AddRelation("owner").
		AllowedDirectRelation("user").
		Done().
		AddPermission("view").
		UnionExpr().
		AddRelationRef("owner").
		AddArrow("parent", "view").
		Done().
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (WithCaveat)

ExampleSchemaBuilder_withCaveat demonstrates using caveats with relations. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("document").
		AddRelation("conditional_viewer").
		AllowedDirectRelationWithCaveat("user", "valid_ip").
		Done().
		Done().
		AddCaveat("valid_ip").
		Expression("request.ip_address in allowed_ranges").
		Parameter("allowed_ranges", "list<string>").
		Parameter("request", "map<any>").
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (WithCaveatTypes)

ExampleSchemaBuilder_withCaveatTypes demonstrates using type constants and ParameterMap for caveats. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("document").
		AddRelation("viewer").
		AllowedDirectRelationWithCaveat("user", "ip_and_time_check").
		Done().
		Done().
		AddCaveat("ip_and_time_check").
		Expression("request.ip in allowed_ips && current_time < expiration").
		Parameter("allowed_ips", schema.CaveatTypeListString).
		Parameter("expiration", schema.CaveatTypeTimestamp).
		Parameter("current_time", schema.CaveatTypeTimestamp).
		Done().
		AddCaveat("role_check").
		Expression("user_roles.contains(required_role) && is_active").
		ParameterMap(map[string]string{
			"user_roles":    schema.CaveatTypeListString,
			"required_role": schema.CaveatTypeString,
			"is_active":     schema.CaveatTypeBool,
		}).
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (WithExclusion)

ExampleSchemaBuilder_withExclusion demonstrates using exclusion (subtraction) in permissions. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("document").
		AddRelation("viewer").
		AllowedDirectRelation("user").
		Done().
		AddRelation("banned").
		AllowedDirectRelation("user").
		Done().
		AddPermission("view").
		ExclusionExpr().
		BaseRelationRef("viewer").
		ExcludeRelationRef("banned").
		Done().
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (WithIntersection)

ExampleSchemaBuilder_withIntersection demonstrates using intersection (AND) in permissions. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("document").
		AddRelation("owner").
		AllowedDirectRelation("user").
		Done().
		AddRelation("approved").
		AllowedDirectRelation("user").
		Done().
		AddPermission("admin_edit").
		IntersectionExpr().
		AddRelationRef("owner").
		AddRelationRef("approved").
		Done().
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (WithIntersectionArrow)

ExampleSchemaBuilder_withIntersectionArrow demonstrates using intersection arrow (all) operation. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("folder").
		AddRelation("viewer").
		AllowedDirectRelation("user").
		Done().
		Done().
		AddDefinition("document").
		AddRelation("parent").
		AllowedDirectRelation("folder").
		Done().
		AddPermission("all_parents_can_view").
		IntersectionArrow("parent", "viewer").
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}
Example (WithWildcard)

ExampleSchemaBuilder_withWildcard demonstrates using wildcard relations. 

package main

import (
	"fmt"
	"strings"

	schema "github.com/authzed/spicedb/pkg/schema/v2"
	"github.com/authzed/spicedb/pkg/schemadsl/compiler"
	"github.com/authzed/spicedb/pkg/schemadsl/generator"
)

func toSchemaDefinitions[T compiler.SchemaDefinition](items []T) []compiler.SchemaDefinition {
	result := make([]compiler.SchemaDefinition, len(items))
	for i, item := range items {
		result[i] = item
	}
	return result
}

func main() {
	s := schema.NewSchemaBuilder().
		AddDefinition("document").
		AddRelation("public_viewer").
		AllowedWildcard("user").
		Done().
		Done().
		Build()

	defs, caveats, _ := s.ToDefinitions()
	schemaText, _, _ := generator.GenerateSchema(append(toSchemaDefinitions(defs), toSchemaDefinitions(caveats)...))
	fmt.Println(strings.TrimSpace(schemaText))
}

func NewSchemaBuilder added in v1.47.1 

func NewSchemaBuilder() *SchemaBuilder

NewSchemaBuilder creates a new builder for constructing schemas.

func (*SchemaBuilder) AddCaveat added in v1.47.1 

func (sb *SchemaBuilder) AddCaveat(name string) *CaveatBuilder

AddCaveat adds or modifies a caveat in the schema by name. Returns a CaveatBuilder for fluent configuration.

func (*SchemaBuilder) AddDefinition added in v1.47.1 

func (sb *SchemaBuilder) AddDefinition(name string) *DefinitionBuilder

AddDefinition adds or modifies a definition in the schema by name. Returns a DefinitionBuilder for fluent configuration.

func (*SchemaBuilder) Build added in v1.47.1 

func (sb *SchemaBuilder) Build() *Schema

Build finalizes and returns the constructed schema.

func (*SchemaBuilder) Caveat added in v1.47.1 

func (sb *SchemaBuilder) Caveat(cb *CaveatBuilder) *SchemaBuilder

Caveat accepts a CaveatBuilder and integrates it into the schema. Returns the SchemaBuilder for continued chaining.

func (*SchemaBuilder) Definition added in v1.47.1 

func (sb *SchemaBuilder) Definition(db *DefinitionBuilder) *SchemaBuilder

Definition accepts a DefinitionBuilder and integrates it into the schema. Returns the SchemaBuilder for continued chaining.

type SchemaVisitor added in v1.46.1 

type SchemaVisitor[T any] interface {
	VisitSchema(s *Schema, value T) (T, bool, error)
}

SchemaVisitor is called when visiting a Schema. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type SyntheticPermission added in v1.46.1 

type SyntheticPermission struct {
	Permission
	// contains filtered or unexported fields
}

SyntheticPermission is a permission that has been synthesized by the schema system (e.g., during flattening operations). It is functionally identical to a Permission but is marked as synthetic for tracking purposes.

func (*SyntheticPermission) IsSynthetic added in v1.46.1 

func (sp *SyntheticPermission) IsSynthetic() bool

IsSynthetic returns true for synthetic permissions.

type UnionExprBuilder added in v1.47.1 

type UnionExprBuilder struct {
	// contains filtered or unexported fields
}

UnionExprBuilder allows building union operations incrementally.

func NewUnion added in v1.47.1 

func NewUnion() *UnionExprBuilder

NewUnion creates a new UnionExprBuilder for constructing a union operation. This is useful when you want to build a union expression outside of a permission builder context.

func (*UnionExprBuilder) Add added in v1.47.1 

func (ub *UnionExprBuilder) Add(op Operation) *UnionExprBuilder

Add adds an operation to the union.

func (*UnionExprBuilder) AddArrow added in v1.47.1 

func (ub *UnionExprBuilder) AddArrow(relationName, permissionName string) *UnionExprBuilder

AddArrow adds an arrow reference to the union.

func (*UnionExprBuilder) AddRelationRef added in v1.47.1 

func (ub *UnionExprBuilder) AddRelationRef(relationName string) *UnionExprBuilder

AddRelationRef adds a relation reference to the union.

func (*UnionExprBuilder) Build added in v1.47.1 

func (ub *UnionExprBuilder) Build() Operation

Build completes the union expression and returns it as an Operation. This is used when building operations outside of a permission builder context.

func (*UnionExprBuilder) Done added in v1.47.1 

func (ub *UnionExprBuilder) Done() *PermissionBuilder

Done completes the union expression and returns to the permission builder.

type UnionOperation 

type UnionOperation struct {
	// contains filtered or unexported fields
}

UnionOperation is an Operation that represents `permission foo = a | b | c`.

func (*UnionOperation) Children 

func (u *UnionOperation) Children() []Operation

Children returns the sub-operations that are unioned together.

type UnionOperationVisitor added in v1.46.1 

type UnionOperationVisitor[T any] interface {
	VisitUnionOperation(uo *UnionOperation, value T) (T, bool, error)
}

UnionOperationVisitor is called when visiting a UnionOperation. Returns the value to pass to subsequent visits, true to continue walking, false to stop, and error to halt immediately.

type Visitor added in v1.46.1 

type Visitor[T any] any

Visitor is the base interface that all specific visitor interfaces embed.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.