// Copyright 2021 The Cockroach Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
// The types in this package have shortened JSON names because they
// are embedded in JWT tokens and we'd like to make them easier to
// copy and paste.
//
// NOTE(review): because these messages are carried inside JWTs, the
// json_name aliases below are presumably part of the token format;
// changing one would break any already-issued token that still
// validates. Treat them like field numbers.
package cacheroach.session;
// NOTE(review): descriptor.proto does not appear to be referenced
// directly in this file (the custom options used below come from
// capabilities.proto); confirm whether this import is still needed,
// as protoc reports unused imports as warnings.
import "google/protobuf/descriptor.proto";
import "google/protobuf/timestamp.proto";
import "capabilities.proto";
import "principal.proto";
import "tenant.proto";
option go_package = "github.com/bobvawter/cacheroach/api/session";
// Opaque identifier for a Session. Serialized under the JSON key "d".
message ID {
  // Raw identifier bytes. This schema enforces no particular length
  // or encoding; any constraints live in the code that mints IDs.
  bytes data = 1 [json_name = "d"];
}
// A (tenant, path, version) triple that a Scope can be narrowed to
// via Scope.on_location.
message Location {
  // The tenant.
  tenant.ID tenant_id = 1 [json_name = "t"];
  // A specific path (e.g. /foo/bar/baz) or a path prefix
  // (e.g. /foo/bar/*).
  string path = 2 [json_name = "p"];
  // Restricts access to a specific version of the data on the path.
  // NOTE(review): proto3 implicit presence means an unset version
  // reads as 0; whether 0 means "any version" or literally version 0
  // is not stated here — confirm against the authorization code.
  int64 version = 3 [json_name = "v"];
}
// The extent of what a Session may act on. Because the members live
// in a oneof, at most one of them can be set at a time.
message Scope {
  oneof Kind {
    // A super-token is only used internally and allows anything.
    // The attached field rule presumably requires the caller's auth
    // status to be SUPER before this member may be set.
    // NOTE(review): a token with this bit set bypasses every other
    // scoping check in this file, so confirm the rule is enforced on
    // every path that mints or accepts a Session, not only on some.
    bool super_token = 1 [
      json_name = "s",
      (capabilities.field_rule).auth_status = SUPER
    ];
    // Delegates access to a principal (which may be the top-level principal_id).
    principal.ID on_principal = 2 [json_name = "p"];
    // Delegates operations within a tenancy.
    Location on_location = 3 [json_name = "l"];
  }
}
// A session grants a principal a set of capabilities over a scope,
// optionally until an expiry. Sessions are embedded in JWT tokens
// (see the package comment), so the json_name aliases below are part
// of the token format.
message Session {
  // Message-level rule: presumably satisfied either in the RESPONSE
  // direction or when the requested session is a subset of the
  // caller's own session. See capabilities.proto for the exact
  // semantics of msg_rule.or.
  option (capabilities.msg_rule).or = {
    rule: {direction: RESPONSE}
    rule: {
      message: "requested session must be a subset of caller's session"
      is_subset: true
    }
  };
  // The session's identifier.
  // NOTE(review): this field departs from the package's conventions
  // in two ways — its name is PascalCase, and it carries no shortened
  // json_name like its siblings, so its JSON key is the default derived
  // from the field name. Both are baked into issued tokens and into
  // generated code; renaming it or adding a json_name now would be a
  // breaking change, so this is documented rather than changed.
  ID ID = 1;
  // What the session is allowed to do.
  capabilities.Capabilities capabilities = 2 [json_name = "c"];
  // The principal the session acts as. Per the attached field rule,
  // presumably a caller may only set this in a response, or when it
  // holds the delegate capability over the named principal.
  principal.ID principal_id = 3 [
    json_name = "p",
    (capabilities.field_rule).or = {
      rule: {direction: RESPONSE},
      rule: {
        message: "must have delegation access"
        may: {
          capabilities: {delegate: true}
          scope: {on_principal: {field: 3}}
        }
      }
    }
  ];
  // Where the capabilities apply.
  Scope scope = 4 [json_name = "s"];
  // When the session stops being valid.
  // NOTE(review): as a message-typed field this has explicit presence;
  // what an absent expires_at means (never expires vs. invalid) is not
  // stated here — confirm against the token validator.
  google.protobuf.Timestamp expires_at = 5 [json_name = "x"];
  // A long-form note, to describe the session to a human.
  // Uses the default JSON key rather than a one-letter alias.
  string note = 6;
  // A key that is unique per principal, to allow easy
  // programmatic access to a specific session.
  // Uses the default JSON key rather than a one-letter alias.
  string name = 7;
}