diff --git a/cs3/auth/provider/v1beta1/resources.proto b/cs3/auth/provider/v1beta1/resources.proto
new file mode 100644
index 00000000..fd8cd1b9
--- /dev/null
+++ b/cs3/auth/provider/v1beta1/resources.proto
@@ -0,0 +1,57 @@
+// Copyright 2018-2019 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+syntax = "proto3";
+
+package cs3.auth.provider.v1beta1;
+
+option csharp_namespace = "Cs3.Auth.Provider.V1Beta1";
+option go_package = "providerv1beta1";
+option java_multiple_files = true;
+option java_outer_classname = "ResourcesProto";
+option java_package = "com.cs3.auth.provider.v1beta1";
+option objc_class_prefix = "CAP";
+option php_namespace = "Cs3\\Auth\\Provider\\V1Beta1";
+
+// Scope defines role-based permissions for various paths.
+message Scope {
+  // REQUIRED.
+  // The path to which a scope applies.
+  string path = 1;
+  // REQUIRED.
+  // The role associated with a particular path.
+  Role role = 2;
+}
+
+// The role associated with the scope.
+enum Role {
+  // Used for invalid roles
+  ROLE_INVALID = 0;
+  // Provides backwards compatibility
+  ROLE_LEGACY = 1;
+  // Grants non-editor role on a resource
+  ROLE_VIEWER = 2;
+  // Grants editor permission on a resource, including folders
+  ROLE_EDITOR = 3;
+  // Grants editor permission on a single file
+  ROLE_FILE_EDITOR = 4;
+  // Grants owner permissions on a resource
+  ROLE_COOWNER = 5;
+  // Role with only write permission can use InitiateFileUpload, nothing else
+  ROLE_UPLOADER = 6;
+}
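Review bot: `Scope.path` does not say whether a scope applies to the exact path only or to everything beneath it, nor whether the value is expected to be absolute and normalized, and that ambiguity sits directly inside an authorization decision; the field comment should state the intended rule, for example `// The path to which a scope applies. Must be an absolute, normalized path (no "." or ".." segments). Whether the scope also covers the subtree below it: <confirm with the provider implementation>.` once the provider's behaviour is confirmed. `ROLE_LEGACY` is described only as "Provides backwards compatibility", which tells an implementer nothing about which operations it permits; a comment naming the permissions it maps to, or the definition it mirrors, would close that gap. Because proto3 preserves unknown enum values as integers, a receiver built against this file will see role numbers it does not know once new roles are added, so a line above `enum Role` such as `// Receivers MUST treat ROLE_INVALID and any unknown value as granting no permissions.` would make the fail-closed expectation explicit.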
diff --git a/cs3/gateway/v1beta1/gateway_api.proto b/cs3/gateway/v1beta1/gateway_api.proto
index 4a0fb4a3..beb5828a 100644
--- a/cs3/gateway/v1beta1/gateway_api.proto
+++ b/cs3/gateway/v1beta1/gateway_api.proto
@@ -30,6 +30,7 @@ option php_namespace = "Cs3\\Gateway\\V1Beta1";
 
 import "cs3/app/provider/v1beta1/provider_api.proto";
 import "cs3/app/registry/v1beta1/registry_api.proto";
+import "cs3/auth/provider/v1beta1/resources.proto";
 import "cs3/auth/registry/v1beta1/registry_api.proto";
 import "cs3/gateway/v1beta1/resources.proto";
 import "cs3/identity/group/v1beta1/group_api.proto";
@@ -378,10 +379,10 @@ message AuthenticateRequest {
   string client_secret = 4;
   // OPTIONAL.
   // The scope of the issued token.
-  // This would be a list of paths to which the token would allow access to.
+  // This would be a list of paths with corresponding role-based access scope.
   // In case it's not defined, there would be no restriction on the access of
   // the minted token.
-  repeated string token_scope = 5;
+  repeated cs3.auth.provider.v1beta1.Scope token_scope = 5;
 }
 
 message AuthenticateResponse {
diff --git a/docs/index.html b/docs/index.html
index edb9a9bb..ece9d9bc 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -604,6 +604,25 @@
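Review bot: `token_scope` keeps field number 5 while its type changes from `string` to the `Scope` message; both are length-delimited on the wire, so a client built against the previous revision still sends its path strings under tag 5 and a new server will try to decode each one as an embedded `Scope`, which depending on the bytes either fails the whole `AuthenticateRequest` parse or yields a `Scope` with an empty `path` and `ROLE_INVALID`. If any pre-change clients exist, the safer shape is `reserved 5;` followed by `repeated cs3.auth.provider.v1beta1.Scope token_scope = 6;` so the old encoding cannot be misread as a scope. Independently of the numbering, the retained comment "In case it's not defined, there would be no restriction" makes an empty list fail-open, so the comment should also say that a scope entry whose role is `ROLE_INVALID` or unknown must cause authentication to fail rather than be dropped, since dropping it would widen the token to unrestricted access. The import hunk above raises nothing.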

Table of Contents

+
  • + cs3/auth/provider/v1beta1/resources.proto + +
  • + +
  • cs3/auth/registry/v1beta1/registry_api.proto