From 8c4ebbfb847823f61c6032ab3b4c9cda20f9a726 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 26 Nov 2024 15:25:13 -0500
Subject: [PATCH] Add support for relationship expiration in the API
---
 authzed/api/v1/core.proto | 6 +++++-
 authzed/api/v1/debug.proto | 5 +++++
 authzed/api/v1/permission_service.proto | 5 +++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/authzed/api/v1/core.proto b/authzed/api/v1/core.proto
index 1e67cab..d6cb44a 100644
--- a/authzed/api/v1/core.proto
+++ b/authzed/api/v1/core.proto
@@ -6,6 +6,7 @@ option java_package = "com.authzed.api.v1";
 option java_multiple_files = true;
 import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
 import "validate/validate.proto";
 // Relationship specifies how a resource relates to a subject. Relationships
@@ -24,8 +25,11 @@ message Relationship {
 // subject is the subject to which the resource is related, in some manner.
 SubjectReference subject = 3 [ (validate.rules).message.required = true ];
- // optional_caveat is a reference to a the caveat that must be enforced over the relationship
+ // optional_caveat is a reference to a the caveat that must be enforced over the relationship.
 ContextualizedCaveat optional_caveat = 4 [ (validate.rules).message.required = false ];
+
+ // optional_expires_at is the time at which the relationship expires, if any.
+ google.protobuf.Timestamp optional_expires_at = 5;
 }
 // ContextualizedCaveat represents a reference to a caveat to be used by caveated relationships.
diff --git a/authzed/api/v1/debug.proto b/authzed/api/v1/debug.proto
index 3f72f0a..03fc216 100644
--- a/authzed/api/v1/debug.proto
+++ b/authzed/api/v1/debug.proto
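Review bot: The comment on `optional_expires_at` in the `Relationship` hunk leaves the expiry contract undefined: it does not say what an unset value means, whether the relationship stops applying at or strictly after the instant, or how a write carrying a timestamp already in the past is treated. Since this field decides when a grant stops counting, I would state it in the comment, e.g. `// optional_expires_at is the time at which the relationship expires; if unset, the relationship does not expire.` (assuming that is the intended behaviour), plus a line on the boundary and on past timestamps. The neighbouring fields each carry an explicit `(validate.rules)` option and this one has none, so it is worth deciding whether a timestamp rule belongs here or only in the write path. The rewritten `optional_caveat` comment still reads "a the caveat". `Relationship` starts outside the hunk.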
@@ -5,6 +5,7 @@ import "authzed/api/v1/core.proto";
 import "validate/validate.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
 option go_package = "github.com/authzed/authzed-go/proto/authzed/api/v1";
 option java_package = "com.authzed.api.v1";
@@ -77,6 +78,10 @@ message CheckDebugTrace {
 // and a permissionship of PERMISSIONSHIP_HAS_PERMISSION indicates the subject was found within this relation.
 SubProblems sub_problems = 7;
 }
+
+ // optional_expires_at is the time at which at least one of the relationships used to
+ // compute this result, expires (if any). This is *not* related to the caching window.
+ google.protobuf.Timestamp optional_expires_at = 10;
 }
 // CaveatEvalInfo holds information about a caveat expression that was evaluated.
diff --git a/authzed/api/v1/permission_service.proto b/authzed/api/v1/permission_service.proto
index 5e1b453..1c754d5 100644
--- a/authzed/api/v1/permission_service.proto
+++ b/authzed/api/v1/permission_service.proto
@@ -8,6 +8,7 @@ option java_multiple_files = true;
 import "google/protobuf/struct.proto";
 import "google/api/annotations.proto";
 import "google/rpc/status.proto";
+import "google/protobuf/timestamp.proto";
 import "validate/validate.proto";
 import "authzed/api/v1/core.proto";
@@ -405,6 +406,10 @@ message CheckPermissionResponse {
 // debug_trace is the debugging trace of this check, if requested.
 DebugInformation debug_trace = 4;
+
+ // optional_expires_at is the time at which at least one of the relationships used to
+ // compute this result, expires (if any). This is *not* related to the caching window.
+ google.protobuf.Timestamp optional_expires_at = 5;
 }
 // CheckBulkPermissionsRequest issues a check on whether a subject has permission
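Review bot: In the `CheckDebugTrace` hunk the comment says `optional_expires_at` is when "at least one of the relationships" expires, which does not tell a caller which expiry it gets when several contributing relationships have one; the same wording is repeated on `optional_expires_at` in the `CheckPermissionResponse` hunk of permission_service.proto. A client that holds on to a PERMISSIONSHIP_HAS_PERMISSION result needs the earliest of them, otherwise it can keep honouring a decision after one of its supporting relationships has lapsed. If the server does return the earliest, the comment should say so: `// optional_expires_at is the earliest time at which a relationship used to compute this result expires, if any.` The sentence "This is *not* related to the caching window" would also be clearer if it named which caching window is meant. Both messages start outside their hunks.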