diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..89ffc85
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+.cache
+.dockerignore
+.git
+.github
+.gitignore
+*.md
+/Dockerfile
+/LICENSE
\ No newline at end of file
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..2f061d7
--- /dev/null
+++ b/.github/workflows/release-please.yml
@@ -0,0 +1,14 @@
+name: Animeshon gRBAC [release-please]
+
+on:
+ push:
+ branches: [master]
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GoogleCloudPlatform/release-please-action@v2
+ with:
+ token: ${{ secrets.WORKFLOW_GITHUB_TOKEN }}
+ release-type: simple
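Review bot: The step `uses: GoogleCloudPlatform/release-please-action@v2` is pinned to a mutable tag while it is handed `secrets.WORKFLOW_GITHUB_TOKEN`, so a retagged or compromised upstream release would run with that token on every push to master. Pin the action to a full commit SHA and keep the tag as a trailing comment, `uses: GoogleCloudPlatform/release-please-action@<full-commit-sha> # v2`. The workflow also has no `permissions:` block. If the action relies only on the supplied token, a top-level `permissions: {}` would stop the default `GITHUB_TOKEN` from carrying unneeded scopes. A short comment above `token:` stating which scopes the personal token needs would help whoever rotates it.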
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..98e3de0
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,45 @@
+name: Animeshon gRBAC
+
+on:
+ push:
+ branches: [master]
+ release:
+ types: [published]
+
+jobs:
+ docker:
+ environment: release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone the repository code
+ uses: actions/checkout@v2
+
+ - name: Set up Docker versioning labels and tags
+ id: docker-metadata
+ uses: docker/metadata-action@v3
+ with:
+ images: grbac/grbac
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v2
+ with:
+ push: true
+ tags: ${{ steps.docker-metadata.outputs.tags }}
+ labels: ${{ steps.docker-metadata.outputs.labels }}
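Review bot: Every action in the `docker` job (`actions/checkout@v2`, `docker/metadata-action@v3`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `docker/login-action@v1`, `docker/build-push-action@v2`) is referenced by a mutable tag in a job that holds `secrets.DOCKER_TOKEN` and pushes to `grbac/grbac`. Pinning each to a full commit SHA, in the form `uses: docker/login-action@<full-commit-sha> # v1`, removes the upstream-retag path to the registry credential. The job only reads the repository, so a top-level `permissions:` block with `contents: read` would bound the default token. QEMU is set up, but `build-push-action` is given no `platforms:` input, so presumably only the runner's architecture is built. Either add the platform list or drop the QEMU step.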
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..419ae98
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vscode
+bin/*
\ No newline at end of file
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..0ca213d
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "schema/api-common-protos"]
+ path = schema/api-common-protos
+ url = https://github.com/googleapis/api-common-protos.git
+[submodule "schema/animeapis"]
+ path = schema/animeapis
+ url = https://github.com/animeapis/animeapis.git
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..65263fa
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,24 @@
+FROM golang:1.16-alpine AS builder
+
+WORKDIR /build
+
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY . .
+
+RUN go build -o grbac ./cmd
+
+FROM alpine
+
+WORKDIR /usr/local/grbac
+
+COPY --from=builder /build/grbac bin/grbac
+COPY scripts/docker-compose.sh docker-compose.sh
+
+ENV PATH=/usr/local/grbac/bin:$PATH
+
+ENTRYPOINT [ "grbac" ]
+CMD [ "version" ]
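Review bot: The runtime stage uses `FROM alpine` with no tag or digest and never sets `USER`, so each rebuild can pick up a different base image and the `grbac` entrypoint runs as root. Pin the base, e.g. `FROM alpine:<version>@sha256:<digest>`, and drop privileges before `ENTRYPOINT` with `RUN adduser -D -H grbac` followed by `USER grbac`. The builder stage `golang:1.16-alpine` is tagged but would also benefit from a digest pin, since it produces the binary that ships.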
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f49a4e1
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..aba20fa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,121 @@
+# gRBAC - Graph Role-Based Access Control
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/grbac/grbac.svg)](https://pkg.go.dev/github.com/grbac/grbac)
+
+
+
+
+
+---
+
+A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered by [dgraph](https://dgraph.io/).
+
+**NOTE: This project is developed and maintained by [Animeshon](https://animeshon.com) where it is running in production.**
+
+
+## Build with Golang
+
+```
+go build -o bin/grbac ./cmd
+```
+
+## Build with Docker
+
+```
+docker build -t grbac/grbac:latest .
+```
+
+## Run examples (gRPC only)
+
+Run gRPC docker-compose:
+
+```
+docker-compose -f examples/grpc/docker-compose.yaml up
+```
+
+Run integration tests:
+
+```
+export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9060
+go test -tag=integration ./...
+```
+
+Visit `https://play.dgraph.io/?latest` and connect to the endpoint `http://127.0.0.1:8060`.
+
+Run the following generic DQL query:
+```
+{
+ query(func:type(Resource)){
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_) {
+ expand(_all_)
+ }
+ }
+ }
+ }
+ }
+ }
+}
+```
+
+The following image is an example of the expected output:
+
+![gRBAC Example Graph](./assets/docs/examples/examples-rbac-graph.png)
+
+## Play with gRBAC
+
+After succesfully running the gRPC `docker-compose` as described in the **previous paragraph**, build gRBAC locally and execute a random CLI command:
+
+```
+go build -o bin/grbac ./cmd
+```
+
+```
+./bin/grbac accesscontrol create-permission \
+ --address "127.0.0.1:9070" --insecure \
+ --permission.name="permissions/grbac.test.permission"
+```
+
+_Keep experimenting with other commands or through a gRPC client!_
+
+## Resources
+
+- [Animeshon APIs](https://github.com/animeapis/animeapis/tree/master/animeshon/grbac)
+- [Animeshon APIs Client Library for Go](https://github.com/animeapis/api-go-client/tree/master/grbac)
+- [Animeshon Protocol Buffers for Go](https://github.com/animeapis/go-genproto/tree/master/grbac)
+- [Animeshon Compiled Protocol Buffers](https://github.com/animeapis/proto-binary/tree/master/grbac)
+
+## Known Issues
+
+- etags are not implemented
+- atomic group changes (AddGroupMember and RemoveGroupMemeber) are not implemented
+- resource parent transfer (TransferResource) is not implemented
+- [limits and quotas](https://cloud.google.com/iam/quotas) are not implemented
+- there is no maximum distance set for `shortest` queries
+- groups can currently include other groups - this behavior should be discussed
+- partial updates will return partial resources - complete resources should be returned instead
+
+## Roadmap
+
+- [ ] resolve known issues
+- [ ] remove Animeshon internal business logic
+- [ ] move protobuf definitions to this organization
+- [ ] generate missing grpc clients (e.g. Java, Python, C#, ...)
+- [ ] publish docker image to Docker Hub
+- [ ] build the project through Bazel instead of the Go toolchain
+- [ ] add unit tests on top of integration tests
+- [ ] add monitoring and tracing
+
+## Off-topic: gRBAC meaning
+
+The name gRBAC comes from `g` + `RBAC` where `g` stands for:
+
+- `graph` as it is implemented on top of a graph database and leverages graph's properties
+- `gRPC` as its implementation is completely gRPC native
+- `google` as this implementation aims at mirroring the Google Cloud IAM architecture
+
+and RBAC stands for [Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control).
diff --git a/assets/docs/examples/examples-rbac-graph.png b/assets/docs/examples/examples-rbac-graph.png
new file mode 100644
index 0000000..66bdff3
Binary files /dev/null and b/assets/docs/examples/examples-rbac-graph.png differ
diff --git a/assets/logo-128x-128-transparent.png b/assets/logo-128x-128-transparent.png
new file mode 100644
index 0000000..6f8ae8e
Binary files /dev/null and b/assets/logo-128x-128-transparent.png differ
diff --git a/assets/logo.svg b/assets/logo.svg
new file mode 100644
index 0000000..ccaa3b3
--- /dev/null
+++ b/assets/logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/cmd/accesscontrol_service.go b/cmd/accesscontrol_service.go
new file mode 100644
index 0000000..49c4433
--- /dev/null
+++ b/cmd/accesscontrol_service.go
@@ -0,0 +1,107 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "fmt"
+
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "golang.org/x/oauth2"
+ "google.golang.org/api/option"
+ "google.golang.org/grpc"
+
+ gapic "github.com/animeapis/api-go-client/grbac/v1alpha1"
+)
+
+var AccessControlConfig *viper.Viper
+var AccessControlClient *gapic.AccessControlClient
+var AccessControlSubCommands []string = []string{
+ "test-iam-policy",
+ "get-iam-policy",
+ "set-iam-policy",
+ "get-resource",
+ "create-resource",
+ "transfer-resource",
+ "delete-resource",
+ "create-subject",
+ "delete-subject",
+ "get-group",
+ "create-group",
+ "update-group",
+ "add-group-member",
+ "remove-group-member",
+ "delete-group",
+ "create-permission",
+ "delete-permission",
+ "get-role",
+ "create-role",
+ "update-role",
+ "delete-role",
+}
+
+func init() {
+ rootCmd.AddCommand(AccessControlServiceCmd)
+
+ AccessControlConfig = viper.New()
+ AccessControlConfig.SetEnvPrefix("GRBAC_ACCESSCONTROL")
+ AccessControlConfig.AutomaticEnv()
+
+ AccessControlServiceCmd.PersistentFlags().Bool("insecure", false, "Make insecure client connection. Or use GRBAC_ACCESSCONTROL_INSECURE. Must be used with \"address\" option")
+ AccessControlConfig.BindPFlag("insecure", AccessControlServiceCmd.PersistentFlags().Lookup("insecure"))
+ AccessControlConfig.BindEnv("insecure")
+
+ AccessControlServiceCmd.PersistentFlags().String("address", "", "Set API address used by client. Or use GRBAC_ACCESSCONTROL_ADDRESS.")
+ AccessControlConfig.BindPFlag("address", AccessControlServiceCmd.PersistentFlags().Lookup("address"))
+ AccessControlConfig.BindEnv("address")
+
+ AccessControlServiceCmd.PersistentFlags().String("token", "", "Set Bearer token used by the client. Or use GRBAC_ACCESSCONTROL_TOKEN.")
+ AccessControlConfig.BindPFlag("token", AccessControlServiceCmd.PersistentFlags().Lookup("token"))
+ AccessControlConfig.BindEnv("token")
+
+ AccessControlServiceCmd.PersistentFlags().String("api_key", "", "Set API Key used by the client. Or use GRBAC_ACCESSCONTROL_API_KEY.")
+ AccessControlConfig.BindPFlag("api_key", AccessControlServiceCmd.PersistentFlags().Lookup("api_key"))
+ AccessControlConfig.BindEnv("api_key")
+}
+
+var AccessControlServiceCmd = &cobra.Command{
+ Use: "accesscontrol",
+ Short: "AccessControl is the internal service used by...",
+ Long: "AccessControl is the internal service used by Animeshon to enforce RBAC rules.",
+ ValidArgs: AccessControlSubCommands,
+ PersistentPreRunE: func(cmd *cobra.Command, args []string) (err error) {
+ var opts []option.ClientOption
+
+ address := AccessControlConfig.GetString("address")
+ if address != "" {
+ opts = append(opts, option.WithEndpoint(address))
+ }
+
+ if AccessControlConfig.GetBool("insecure") {
+ if address == "" {
+ return fmt.Errorf("Missing address to use with insecure connection")
+ }
+
+ conn, err := grpc.Dial(address, grpc.WithInsecure())
+ if err != nil {
+ return err
+ }
+ opts = append(opts, option.WithGRPCConn(conn))
+ }
+
+ if token := AccessControlConfig.GetString("token"); token != "" {
+ opts = append(opts, option.WithTokenSource(oauth2.StaticTokenSource(
+ &oauth2.Token{
+ AccessToken: token,
+ TokenType: "Bearer",
+ })))
+ }
+
+ if key := AccessControlConfig.GetString("api_key"); key != "" {
+ opts = append(opts, option.WithAPIKey(key))
+ }
+
+ AccessControlClient, err = gapic.NewAccessControlClient(ctx, opts...)
+ return
+ },
+}
diff --git a/cmd/add-group-member.go b/cmd/add-group-member.go
new file mode 100644
index 0000000..4535152
--- /dev/null
+++ b/cmd/add-group-member.go
@@ -0,0 +1,76 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var AddGroupMemberInput grbacpb.AddGroupMemberRequest
+
+var AddGroupMemberFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(AddGroupMemberCmd)
+
+ AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberInput.Group, "group", "", "Required. The name of the group to add a member to.")
+
+ AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberInput.Member, "member", "", "Required. The member to be added.")
+
+ AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var AddGroupMemberCmd = &cobra.Command{
+ Use: "add-group-member",
+ Short: "AddGroupMember adds a member to a group.",
+ Long: "AddGroupMember adds a member to a group.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if AddGroupMemberFromFile == "" {
+
+ cmd.MarkFlagRequired("group")
+
+ cmd.MarkFlagRequired("member")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if AddGroupMemberFromFile != "" {
+ in, err = os.Open(AddGroupMemberFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &AddGroupMemberInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "AddGroupMember", &AddGroupMemberInput)
+ }
+ resp, err := AccessControlClient.AddGroupMember(ctx, &AddGroupMemberInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/completion.go b/cmd/completion.go
new file mode 100644
index 0000000..123a5e5
--- /dev/null
+++ b/cmd/completion.go
@@ -0,0 +1,28 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "os"
+
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ rootCmd.AddCommand(completionCmd)
+}
+
+// completionCmd represents the completion command
+var completionCmd = &cobra.Command{
+ Use: "completion",
+ Short: "Emits bash a completion for grbac",
+ Long: `Enable bash completion like so:
+ Linux:
+ source <(grbac completion)
+ Mac:
+ brew install bash-completion
+ grbac completion > $(brew --prefix)/etc/bash_completion.d/grbac`,
+ Run: func(cmd *cobra.Command, args []string) {
+ rootCmd.GenBashCompletion(os.Stdout)
+ },
+}
diff --git a/cmd/create-group.go b/cmd/create-group.go
new file mode 100644
index 0000000..fc7a003
--- /dev/null
+++ b/cmd/create-group.go
@@ -0,0 +1,78 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var CreateGroupInput grbacpb.CreateGroupRequest
+
+var CreateGroupFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(CreateGroupCmd)
+
+ CreateGroupInput.Group = new(grbacpb.Group)
+
+ CreateGroupCmd.Flags().StringVar(&CreateGroupInput.Group.Name, "group.name", "", "Required. The resource name of the group.")
+
+ CreateGroupCmd.Flags().StringSliceVar(&CreateGroupInput.Group.Members, "group.members", []string{}, "The list of members of the group. Groups might...")
+
+ CreateGroupCmd.Flags().BytesHexVar(&CreateGroupInput.Group.Etag, "group.etag", []byte{}, "An etag for concurrency control, ignored during...")
+
+ CreateGroupCmd.Flags().StringVar(&CreateGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var CreateGroupCmd = &cobra.Command{
+ Use: "create-group",
+ Short: "CreateGroup creates a new group.",
+ Long: "CreateGroup creates a new group.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if CreateGroupFromFile == "" {
+
+ cmd.MarkFlagRequired("group.name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if CreateGroupFromFile != "" {
+ in, err = os.Open(CreateGroupFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &CreateGroupInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "CreateGroup", &CreateGroupInput)
+ }
+ resp, err := AccessControlClient.CreateGroup(ctx, &CreateGroupInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/create-permission.go b/cmd/create-permission.go
new file mode 100644
index 0000000..4c9c639
--- /dev/null
+++ b/cmd/create-permission.go
@@ -0,0 +1,74 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var CreatePermissionInput grbacpb.CreatePermissionRequest
+
+var CreatePermissionFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(CreatePermissionCmd)
+
+ CreatePermissionInput.Permission = new(grbacpb.Permission)
+
+ CreatePermissionCmd.Flags().StringVar(&CreatePermissionInput.Permission.Name, "permission.name", "", "Required. The resource name of the permission.")
+
+ CreatePermissionCmd.Flags().StringVar(&CreatePermissionFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var CreatePermissionCmd = &cobra.Command{
+ Use: "create-permission",
+ Short: "CreatePermission creates a new permission.",
+ Long: "CreatePermission creates a new permission.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if CreatePermissionFromFile == "" {
+
+ cmd.MarkFlagRequired("permission.name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if CreatePermissionFromFile != "" {
+ in, err = os.Open(CreatePermissionFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &CreatePermissionInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "CreatePermission", &CreatePermissionInput)
+ }
+ resp, err := AccessControlClient.CreatePermission(ctx, &CreatePermissionInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/create-resource.go b/cmd/create-resource.go
new file mode 100644
index 0000000..00ce1a8
--- /dev/null
+++ b/cmd/create-resource.go
@@ -0,0 +1,80 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var CreateResourceInput grbacpb.CreateResourceRequest
+
+var CreateResourceFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(CreateResourceCmd)
+
+ CreateResourceInput.Resource = new(grbacpb.Resource)
+
+ CreateResourceCmd.Flags().StringVar(&CreateResourceInput.Resource.Name, "resource.name", "", "Required. The full resource name that identifies the...")
+
+ CreateResourceCmd.Flags().StringVar(&CreateResourceInput.Resource.Parent, "resource.parent", "", "Required. The full resource name that identifies the parent...")
+
+ CreateResourceCmd.Flags().BytesHexVar(&CreateResourceInput.Resource.Etag, "resource.etag", []byte{}, "An etag for concurrency control, ignored during...")
+
+ CreateResourceCmd.Flags().StringVar(&CreateResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var CreateResourceCmd = &cobra.Command{
+ Use: "create-resource",
+ Short: "CreateResource creates a new resource.",
+ Long: "CreateResource creates a new resource.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if CreateResourceFromFile == "" {
+
+ cmd.MarkFlagRequired("resource.name")
+
+ cmd.MarkFlagRequired("resource.parent")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if CreateResourceFromFile != "" {
+ in, err = os.Open(CreateResourceFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &CreateResourceInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "CreateResource", &CreateResourceInput)
+ }
+ resp, err := AccessControlClient.CreateResource(ctx, &CreateResourceInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/create-role.go b/cmd/create-role.go
new file mode 100644
index 0000000..f628ac3
--- /dev/null
+++ b/cmd/create-role.go
@@ -0,0 +1,80 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var CreateRoleInput grbacpb.CreateRoleRequest
+
+var CreateRoleFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(CreateRoleCmd)
+
+ CreateRoleInput.Role = new(grbacpb.Role)
+
+ CreateRoleCmd.Flags().StringVar(&CreateRoleInput.Role.Name, "role.name", "", "Required. The resource name of the role.")
+
+ CreateRoleCmd.Flags().StringSliceVar(&CreateRoleInput.Role.Permissions, "role.permissions", []string{}, "Required. The list of permissions granted by the role.")
+
+ CreateRoleCmd.Flags().BytesHexVar(&CreateRoleInput.Role.Etag, "role.etag", []byte{}, "An etag for concurrency control, ignored during...")
+
+ CreateRoleCmd.Flags().StringVar(&CreateRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var CreateRoleCmd = &cobra.Command{
+ Use: "create-role",
+ Short: "CreateRole creates a new role.",
+ Long: "CreateRole creates a new role.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if CreateRoleFromFile == "" {
+
+ cmd.MarkFlagRequired("role.name")
+
+ cmd.MarkFlagRequired("role.permissions")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if CreateRoleFromFile != "" {
+ in, err = os.Open(CreateRoleFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &CreateRoleInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "CreateRole", &CreateRoleInput)
+ }
+ resp, err := AccessControlClient.CreateRole(ctx, &CreateRoleInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/create-subject.go b/cmd/create-subject.go
new file mode 100644
index 0000000..5b4aeee
--- /dev/null
+++ b/cmd/create-subject.go
@@ -0,0 +1,74 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var CreateSubjectInput grbacpb.CreateSubjectRequest
+
+var CreateSubjectFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(CreateSubjectCmd)
+
+ CreateSubjectInput.Subject = new(grbacpb.Subject)
+
+ CreateSubjectCmd.Flags().StringVar(&CreateSubjectInput.Subject.Name, "subject.name", "", "Required. The resource name of the subject.")
+
+ CreateSubjectCmd.Flags().StringVar(&CreateSubjectFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var CreateSubjectCmd = &cobra.Command{
+ Use: "create-subject",
+ Short: "CreateSubject creates a new subject.",
+ Long: "CreateSubject creates a new subject.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if CreateSubjectFromFile == "" {
+
+ cmd.MarkFlagRequired("subject.name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if CreateSubjectFromFile != "" {
+ in, err = os.Open(CreateSubjectFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &CreateSubjectInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "CreateSubject", &CreateSubjectInput)
+ }
+ resp, err := AccessControlClient.CreateSubject(ctx, &CreateSubjectInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/delete-group.go b/cmd/delete-group.go
new file mode 100644
index 0000000..f70b2ea
--- /dev/null
+++ b/cmd/delete-group.go
@@ -0,0 +1,65 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var DeleteGroupInput grbacpb.DeleteGroupRequest
+
+var DeleteGroupFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(DeleteGroupCmd)
+
+ DeleteGroupCmd.Flags().StringVar(&DeleteGroupInput.Name, "name", "", "Required. The resource name of the group to delete.")
+
+ DeleteGroupCmd.Flags().StringVar(&DeleteGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var DeleteGroupCmd = &cobra.Command{
+ Use: "delete-group",
+ Short: "DeleteGroup deletes a group.",
+ Long: "DeleteGroup deletes a group.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if DeleteGroupFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if DeleteGroupFromFile != "" {
+ in, err = os.Open(DeleteGroupFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &DeleteGroupInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "DeleteGroup", &DeleteGroupInput)
+ }
+ err = AccessControlClient.DeleteGroup(ctx, &DeleteGroupInput)
+
+ return err
+ },
+}
diff --git a/cmd/delete-permission.go b/cmd/delete-permission.go
new file mode 100644
index 0000000..943731d
--- /dev/null
+++ b/cmd/delete-permission.go
@@ -0,0 +1,65 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var DeletePermissionInput grbacpb.DeletePermissionRequest
+
+var DeletePermissionFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(DeletePermissionCmd)
+
+ DeletePermissionCmd.Flags().StringVar(&DeletePermissionInput.Name, "name", "", "Required. The resource name of the permission to delete.")
+
+ DeletePermissionCmd.Flags().StringVar(&DeletePermissionFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var DeletePermissionCmd = &cobra.Command{
+ Use: "delete-permission",
+ Short: "DeletePermission deletes a permission.",
+ Long: "DeletePermission deletes a permission.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if DeletePermissionFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if DeletePermissionFromFile != "" {
+ in, err = os.Open(DeletePermissionFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &DeletePermissionInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "DeletePermission", &DeletePermissionInput)
+ }
+ err = AccessControlClient.DeletePermission(ctx, &DeletePermissionInput)
+
+ return err
+ },
+}
diff --git a/cmd/delete-resource.go b/cmd/delete-resource.go
new file mode 100644
index 0000000..9c78cc0
--- /dev/null
+++ b/cmd/delete-resource.go
@@ -0,0 +1,65 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var DeleteResourceInput grbacpb.DeleteResourceRequest
+
+var DeleteResourceFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(DeleteResourceCmd)
+
+ DeleteResourceCmd.Flags().StringVar(&DeleteResourceInput.Name, "name", "", "Required. The full resource name that identifies the...")
+
+ DeleteResourceCmd.Flags().StringVar(&DeleteResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var DeleteResourceCmd = &cobra.Command{
+ Use: "delete-resource",
+ Short: "DeleteResource deletes a resource.",
+ Long: "DeleteResource deletes a resource.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if DeleteResourceFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if DeleteResourceFromFile != "" {
+ in, err = os.Open(DeleteResourceFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &DeleteResourceInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "DeleteResource", &DeleteResourceInput)
+ }
+ err = AccessControlClient.DeleteResource(ctx, &DeleteResourceInput)
+
+ return err
+ },
+}
diff --git a/cmd/delete-role.go b/cmd/delete-role.go
new file mode 100644
index 0000000..21759e0
--- /dev/null
+++ b/cmd/delete-role.go
@@ -0,0 +1,65 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var DeleteRoleInput grbacpb.DeleteRoleRequest
+
+var DeleteRoleFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(DeleteRoleCmd)
+
+ DeleteRoleCmd.Flags().StringVar(&DeleteRoleInput.Name, "name", "", "Required. The resource name of the role to delete.")
+
+ DeleteRoleCmd.Flags().StringVar(&DeleteRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var DeleteRoleCmd = &cobra.Command{
+ Use: "delete-role",
+ Short: "DeleteRole deletes a role.",
+ Long: "DeleteRole deletes a role.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if DeleteRoleFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if DeleteRoleFromFile != "" {
+ in, err = os.Open(DeleteRoleFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &DeleteRoleInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "DeleteRole", &DeleteRoleInput)
+ }
+ err = AccessControlClient.DeleteRole(ctx, &DeleteRoleInput)
+
+ return err
+ },
+}
diff --git a/cmd/delete-subject.go b/cmd/delete-subject.go
new file mode 100644
index 0000000..d126084
--- /dev/null
+++ b/cmd/delete-subject.go
@@ -0,0 +1,65 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var DeleteSubjectInput grbacpb.DeleteSubjectRequest
+
+var DeleteSubjectFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(DeleteSubjectCmd)
+
+ DeleteSubjectCmd.Flags().StringVar(&DeleteSubjectInput.Name, "name", "", "Required. The subject to delete.")
+
+ DeleteSubjectCmd.Flags().StringVar(&DeleteSubjectFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var DeleteSubjectCmd = &cobra.Command{
+ Use: "delete-subject",
+ Short: "DeleteSubject deletes a subject.",
+ Long: "DeleteSubject deletes a subject.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if DeleteSubjectFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if DeleteSubjectFromFile != "" {
+ in, err = os.Open(DeleteSubjectFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &DeleteSubjectInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "DeleteSubject", &DeleteSubjectInput)
+ }
+ err = AccessControlClient.DeleteSubject(ctx, &DeleteSubjectInput)
+
+ return err
+ },
+}
diff --git a/cmd/get-group.go b/cmd/get-group.go
new file mode 100644
index 0000000..58d03b5
--- /dev/null
+++ b/cmd/get-group.go
@@ -0,0 +1,72 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var GetGroupInput grbacpb.GetGroupRequest
+
+var GetGroupFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(GetGroupCmd)
+
+ GetGroupCmd.Flags().StringVar(&GetGroupInput.Name, "name", "", "Required. The name of the group to retrieve.")
+
+ GetGroupCmd.Flags().StringVar(&GetGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var GetGroupCmd = &cobra.Command{
+ Use: "get-group",
+ Short: "GetGroup returns a group.",
+ Long: "GetGroup returns a group.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if GetGroupFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if GetGroupFromFile != "" {
+ in, err = os.Open(GetGroupFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &GetGroupInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "GetGroup", &GetGroupInput)
+ }
+ resp, err := AccessControlClient.GetGroup(ctx, &GetGroupInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/get-iam-policy.go b/cmd/get-iam-policy.go
new file mode 100644
index 0000000..65ceedd
--- /dev/null
+++ b/cmd/get-iam-policy.go
@@ -0,0 +1,76 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ iampb "google.golang.org/genproto/googleapis/iam/v1"
+
+ "os"
+)
+
+var GetIamPolicyInput iampb.GetIamPolicyRequest
+
+var GetIamPolicyFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(GetIamPolicyCmd)
+
+ GetIamPolicyInput.Options = new(iampb.GetPolicyOptions)
+
+ GetIamPolicyCmd.Flags().StringVar(&GetIamPolicyInput.Resource, "resource", "", "Required. REQUIRED: The resource for which the policy is...")
+
+ GetIamPolicyCmd.Flags().Int32Var(&GetIamPolicyInput.Options.RequestedPolicyVersion, "options.requested_policy_version", 0, "Optional. The policy format version to be...")
+
+ GetIamPolicyCmd.Flags().StringVar(&GetIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var GetIamPolicyCmd = &cobra.Command{
+ Use: "get-iam-policy",
+ Short: "Gets the IAM policy that is attached to a generic...",
+ Long: "Gets the IAM policy that is attached to a generic resource. Note: the full resource name that identifies the resource must be provided.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if GetIamPolicyFromFile == "" {
+
+ cmd.MarkFlagRequired("resource")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if GetIamPolicyFromFile != "" {
+ in, err = os.Open(GetIamPolicyFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &GetIamPolicyInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "GetIamPolicy", &GetIamPolicyInput)
+ }
+ resp, err := AccessControlClient.GetIamPolicy(ctx, &GetIamPolicyInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/get-resource.go b/cmd/get-resource.go
new file mode 100644
index 0000000..e0d9f2c
--- /dev/null
+++ b/cmd/get-resource.go
@@ -0,0 +1,72 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var GetResourceInput grbacpb.GetResourceRequest
+
+var GetResourceFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(GetResourceCmd)
+
+ GetResourceCmd.Flags().StringVar(&GetResourceInput.Name, "name", "", "Required. The full resource name of the resource to...")
+
+ GetResourceCmd.Flags().StringVar(&GetResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var GetResourceCmd = &cobra.Command{
+ Use: "get-resource",
+ Short: "GetResource returns a resource.",
+ Long: "GetResource returns a resource.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if GetResourceFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if GetResourceFromFile != "" {
+ in, err = os.Open(GetResourceFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &GetResourceInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "GetResource", &GetResourceInput)
+ }
+ resp, err := AccessControlClient.GetResource(ctx, &GetResourceInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/get-role.go b/cmd/get-role.go
new file mode 100644
index 0000000..7d4cbbe
--- /dev/null
+++ b/cmd/get-role.go
@@ -0,0 +1,72 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var GetRoleInput grbacpb.GetRoleRequest
+
+var GetRoleFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(GetRoleCmd)
+
+ GetRoleCmd.Flags().StringVar(&GetRoleInput.Name, "name", "", "Required. The name of the role to retrieve.")
+
+ GetRoleCmd.Flags().StringVar(&GetRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var GetRoleCmd = &cobra.Command{
+ Use: "get-role",
+ Short: "GetRole returns a role.",
+ Long: "GetRole returns a role.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if GetRoleFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if GetRoleFromFile != "" {
+ in, err = os.Open(GetRoleFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &GetRoleInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "GetRole", &GetRoleInput)
+ }
+ resp, err := AccessControlClient.GetRole(ctx, &GetRoleInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/grbac.go b/cmd/grbac.go
new file mode 100644
index 0000000..6882645
--- /dev/null
+++ b/cmd/grbac.go
@@ -0,0 +1,61 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "bytes"
+ "context"
+ "fmt"
+ "os"
+
+ "github.com/golang/protobuf/jsonpb"
+ "github.com/golang/protobuf/proto"
+ "github.com/spf13/cobra"
+)
+
+var Verbose, OutputJSON bool
+var ctx = context.Background()
+var marshaler = &jsonpb.Marshaler{Indent: " "}
+
+func init() {
+ rootCmd.PersistentFlags().BoolVarP(&Verbose, "verbose", "v", false, "Print verbose output")
+ rootCmd.PersistentFlags().BoolVarP(&OutputJSON, "json", "j", false, "Print JSON output")
+}
+
+var rootCmd = &cobra.Command{
+ Use: "grbac",
+ Short: "Root command of grbac",
+}
+
+func Execute() {
+ if err := rootCmd.Execute(); err != nil {
+ fmt.Println(err)
+ os.Exit(1)
+ }
+}
+
+func main() {
+ Execute()
+}
+
+func printVerboseInput(srv, mthd string, data interface{}) {
+ fmt.Println("Service:", srv)
+ fmt.Println("Method:", mthd)
+ fmt.Print("Input: ")
+ printMessage(data)
+}
+
+func printMessage(data interface{}) {
+ var s string
+
+ if msg, ok := data.(proto.Message); ok {
+ s = msg.String()
+ if OutputJSON {
+ var b bytes.Buffer
+ marshaler.Marshal(&b, msg)
+ s = b.String()
+ }
+ }
+
+ fmt.Println(s)
+}
diff --git a/cmd/init.go b/cmd/init.go
new file mode 100644
index 0000000..14d71e7
--- /dev/null
+++ b/cmd/init.go
@@ -0,0 +1,37 @@
+package main
+
+import (
+ "context"
+
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ type RuntimeConfig struct {
+ dgraphEndpoint string
+ }
+
+ config := RuntimeConfig{}
+ initCmd := &cobra.Command{
+ Use: "init",
+ Short: "Runs the API server initializer",
+ Run: func(cmd *cobra.Command, args []string) {
+ ctx := context.Background()
+ if err := bootstrap.Schema(ctx, config.dgraphEndpoint); err != nil {
+ logrus.Fatalf("failed to migrate the schema: %v", err)
+ }
+
+ logrus.Info("finished migrating the schema")
+ },
+ }
+
+ rootCmd.AddCommand(initCmd)
+
+ initCmd.Flags().StringVar(
+ &config.dgraphEndpoint,
+ "dgraph-endpoint",
+ "127.0.0.1:9080",
+ "The endpoint of the dgraph database.")
+}
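Review bot: The schema migration in `Run` is started with a bare `context.Background()`, so unless `bootstrap.Schema` (not visible in this hunk) applies its own deadline, an unreachable or wrong `--dgraph-endpoint` may leave `grbac init` blocked with no error reported. A bounded context would surface that failure, for example `ctx, cancel := context.WithTimeout(context.Background(), time.Minute)` followed by `defer cancel()`; the duration is a placeholder to choose, and it needs the `time` import. Separately, the function-local `type RuntimeConfig` has the same name as the package-level `RuntimeConfig` declared in cmd/run.go and shadows it inside this `init`; a distinct name such as `initConfig` would make it clear which set of fields is in play.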
diff --git a/cmd/remove-group-member.go b/cmd/remove-group-member.go
new file mode 100644
index 0000000..3908c0d
--- /dev/null
+++ b/cmd/remove-group-member.go
@@ -0,0 +1,76 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var RemoveGroupMemberInput grbacpb.RemoveGroupMemberRequest
+
+var RemoveGroupMemberFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(RemoveGroupMemberCmd)
+
+ RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberInput.Group, "group", "", "Required. The name of the group to remove an member from.")
+
+ RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberInput.Member, "member", "", "Required. The member to be removed.")
+
+ RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var RemoveGroupMemberCmd = &cobra.Command{
+ Use: "remove-group-member",
+ Short: "RemoveGroupMember removes a member from a group.",
+ Long: "RemoveGroupMember removes a member from a group.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if RemoveGroupMemberFromFile == "" {
+
+ cmd.MarkFlagRequired("group")
+
+ cmd.MarkFlagRequired("member")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if RemoveGroupMemberFromFile != "" {
+ in, err = os.Open(RemoveGroupMemberFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &RemoveGroupMemberInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "RemoveGroupMember", &RemoveGroupMemberInput)
+ }
+ resp, err := AccessControlClient.RemoveGroupMember(ctx, &RemoveGroupMemberInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/run.go b/cmd/run.go
new file mode 100644
index 0000000..0baec83
--- /dev/null
+++ b/cmd/run.go
@@ -0,0 +1,76 @@
+package main
+
+import (
+ "context"
+ "os"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/grbac/grbac/pkg/graceful"
+ "github.com/grbac/grbac/pkg/interrupt"
+ "github.com/grbac/grbac/pkg/services"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/reflection"
+)
+
+type RuntimeConfig struct {
+ port string
+ dgraphEndpoint string
+}
+
+// TODO: Investigate whether mTLS could be useful.
+// TODO: Investigate whether fallback server for HTTP/1.1 could be useful.
+
+// See https://github.com/googleapis/gapic-showcase/blob/master/cmd/gapic-showcase/endpoint.go
+
+func init() {
+ config := RuntimeConfig{}
+ runCmd := &cobra.Command{
+ Use: "run",
+ Short: "Runs the API server",
+ Run: func(cmd *cobra.Command, args []string) {
+ ctx, cancel := context.WithCancel(ctx)
+ intr := interrupt.New(func(os.Signal) {}, cancel)
+
+ opts := []grpc.ServerOption{}
+ server := grpc.NewServer(opts...)
+
+ cfg := &services.AccessControlServerConfig{
+ DgraphHostname: config.dgraphEndpoint,
+ }
+
+ accessControlServer, err := services.NewAccessControlServer(cfg)
+ if err != nil {
+ logrus.WithError(err).Fatalf("failed to start the [authorizer] server")
+ }
+ defer accessControlServer.(*services.AccessControlServerImpl).Close()
+
+ // Register Services to the server.
+ grbac.RegisterAccessControlServer(server, accessControlServer)
+
+ // Register reflection service on gRPC server.
+ reflection.Register(server)
+
+ if err := intr.Run(func() error { return graceful.NewGrpcListener(ctx, config.port, server) }); err != nil {
+ logrus.WithError(err).Fatalf("http server exited with error")
+ }
+ },
+ }
+
+ rootCmd.AddCommand(runCmd)
+
+ runCmd.Flags().StringVarP(
+ &config.port,
+ "port",
+ "p",
+ ":9080",
+ "The port that this serice will be served on.")
+
+ runCmd.Flags().StringVar(
+ &config.dgraphEndpoint,
+ "dgraph-endpoint",
+ "127.0.0.1:9080",
+ "The endpoint of the dgraph database.")
+}
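Review bot: The gRPC server is built from an empty option list at `opts := []grpc.ServerOption{}`, so as far as this hunk shows the access-control API is served without transport credentials or an authentication interceptor, while the `--port` default `:9080` listens on every interface. For a service whose other commands create roles and set IAM policies, the mTLS TODO deserves to be resolved before release, e.g. `opts := []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}` with `tlsCfg` loaded from flags, or at least a loopback default for `--port`. `reflection.Register(server)` is also unconditional and publishes the full service schema to any caller; putting it behind an opt-in flag keeps it out of production deployments. Note too that the `--port` default `:9080` uses the same port as the `--dgraph-endpoint` default `127.0.0.1:9080`, so the two defaults collide when both run on one host. Whether `graceful.NewGrpcListener` adds any protection cannot be seen from here.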
diff --git a/cmd/set-iam-policy.go b/cmd/set-iam-policy.go
new file mode 100644
index 0000000..9252875
--- /dev/null
+++ b/cmd/set-iam-policy.go
@@ -0,0 +1,93 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ iampb "google.golang.org/genproto/googleapis/iam/v1"
+
+ "os"
+)
+
+var SetIamPolicyInput iampb.SetIamPolicyRequest
+
+var SetIamPolicyFromFile string
+
+var SetIamPolicyInputPolicyBindings []string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(SetIamPolicyCmd)
+
+ SetIamPolicyInput.Policy = new(iampb.Policy)
+
+ SetIamPolicyCmd.Flags().StringVar(&SetIamPolicyInput.Resource, "resource", "", "Required. REQUIRED: The resource for which the policy is...")
+
+ SetIamPolicyCmd.Flags().Int32Var(&SetIamPolicyInput.Policy.Version, "policy.version", 0, "Specifies the format of the policy. Valid...")
+
+ SetIamPolicyCmd.Flags().StringArrayVar(&SetIamPolicyInputPolicyBindings, "policy.bindings", []string{}, "Associates a list of `members` to a `role`....")
+
+ SetIamPolicyCmd.Flags().BytesHexVar(&SetIamPolicyInput.Policy.Etag, "policy.etag", []byte{}, "`etag` is used for optimistic concurrency control...")
+
+ SetIamPolicyCmd.Flags().StringVar(&SetIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var SetIamPolicyCmd = &cobra.Command{
+ Use: "set-iam-policy",
+ Short: "Sets the IAM policy that is attached to a generic...",
+ Long: "Sets the IAM policy that is attached to a generic resource. Note: the full resource name that identifies the resource must be provided.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if SetIamPolicyFromFile == "" {
+
+ cmd.MarkFlagRequired("resource")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if SetIamPolicyFromFile != "" {
+ in, err = os.Open(SetIamPolicyFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &SetIamPolicyInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ // unmarshal JSON strings into slice of structs
+ for _, item := range SetIamPolicyInputPolicyBindings {
+ tmp := iampb.Binding{}
+ err = jsonpb.UnmarshalString(item, &tmp)
+ if err != nil {
+ return
+ }
+
+ SetIamPolicyInput.Policy.Bindings = append(SetIamPolicyInput.Policy.Bindings, &tmp)
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "SetIamPolicy", &SetIamPolicyInput)
+ }
+ resp, err := AccessControlClient.SetIamPolicy(ctx, &SetIamPolicyInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/test-iam-policy.go b/cmd/test-iam-policy.go
new file mode 100644
index 0000000..59fbdcc
--- /dev/null
+++ b/cmd/test-iam-policy.go
@@ -0,0 +1,75 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var TestIamPolicyInput grbacpb.TestIamPolicyRequest
+
+var TestIamPolicyFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(TestIamPolicyCmd)
+
+ TestIamPolicyInput.AccessTuple = new(grbacpb.AccessTuple)
+
+ TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.Principal, "access_tuple.principal", "", "Required. The member, or principal, whose access you want...")
+
+ TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.FullResourceName, "access_tuple.full_resource_name", "", "Required. The full resource name that identifies the...")
+
+ TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.Permission, "access_tuple.permission", "", "Required. The IAM permission to check for the specified...")
+
+ TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var TestIamPolicyCmd = &cobra.Command{
+ Use: "test-iam-policy",
+ Short: "Checks whether a member has a specific permission...",
+ Long: "Checks whether a member has a specific permission for a specific resource. If not allowed an Unauthorized (403) error will be returned.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if TestIamPolicyFromFile == "" {
+
+ cmd.MarkFlagRequired("access_tuple.principal")
+
+ cmd.MarkFlagRequired("access_tuple.full_resource_name")
+
+ cmd.MarkFlagRequired("access_tuple.permission")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if TestIamPolicyFromFile != "" {
+ in, err = os.Open(TestIamPolicyFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &TestIamPolicyInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "TestIamPolicy", &TestIamPolicyInput)
+ }
+ err = AccessControlClient.TestIamPolicy(ctx, &TestIamPolicyInput)
+
+ return err
+ },
+}
diff --git a/cmd/transfer-resource.go b/cmd/transfer-resource.go
new file mode 100644
index 0000000..293757a
--- /dev/null
+++ b/cmd/transfer-resource.go
@@ -0,0 +1,95 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+
+ "strings"
+)
+
+var TransferResourceInput grbacpb.TransferResourceRequest
+
+var TransferResourceFromFile string
+
+var TransferResourceInputSubstitutions []string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(TransferResourceCmd)
+
+ TransferResourceCmd.Flags().StringVar(&TransferResourceInput.Name, "name", "", "Required. The full resource name that identifies the...")
+
+ TransferResourceCmd.Flags().StringVar(&TransferResourceInput.TargetParent, "target_parent", "", "Required. The full resource name that identifies the new...")
+
+ TransferResourceCmd.Flags().StringArrayVar(&TransferResourceInputSubstitutions, "substitutions", []string{}, "key=value pairs. The map of substitutions to apply to the full...")
+
+ TransferResourceCmd.Flags().StringVar(&TransferResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var TransferResourceCmd = &cobra.Command{
+ Use: "transfer-resource",
+ Short: "TransferResource transfers a resource to a new...",
+ Long: "TransferResource transfers a resource to a new parent.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if TransferResourceFromFile == "" {
+
+ cmd.MarkFlagRequired("name")
+
+ cmd.MarkFlagRequired("target_parent")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if TransferResourceFromFile != "" {
+ in, err = os.Open(TransferResourceFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &TransferResourceInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if len(TransferResourceInputSubstitutions) > 0 {
+ TransferResourceInput.Substitutions = make(map[string]string)
+ }
+ for _, item := range TransferResourceInputSubstitutions {
+ split := strings.Split(item, "=")
+ if len(split) < 2 {
+ err = fmt.Errorf("Invalid map item: %q", item)
+ return
+ }
+
+ TransferResourceInput.Substitutions[split[0]] = split[1]
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "TransferResource", &TransferResourceInput)
+ }
+ resp, err := AccessControlClient.TransferResource(ctx, &TransferResourceInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/update-group.go b/cmd/update-group.go
new file mode 100644
index 0000000..15cbadc
--- /dev/null
+++ b/cmd/update-group.go
@@ -0,0 +1,84 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var UpdateGroupInput grbacpb.UpdateGroupRequest
+
+var UpdateGroupFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(UpdateGroupCmd)
+
+ UpdateGroupInput.Group = new(grbacpb.Group)
+
+ UpdateGroupInput.UpdateMask = new(fieldmaskpb.FieldMask)
+
+ UpdateGroupCmd.Flags().StringVar(&UpdateGroupInput.Group.Name, "group.name", "", "Required. The resource name of the group.")
+
+ UpdateGroupCmd.Flags().StringSliceVar(&UpdateGroupInput.Group.Members, "group.members", []string{}, "The list of members of the group. Groups might...")
+
+ UpdateGroupCmd.Flags().BytesHexVar(&UpdateGroupInput.Group.Etag, "group.etag", []byte{}, "An etag for concurrency control, ignored during...")
+
+ UpdateGroupCmd.Flags().StringSliceVar(&UpdateGroupInput.UpdateMask.Paths, "update_mask.paths", []string{}, "The set of field mask paths.")
+
+ UpdateGroupCmd.Flags().StringVar(&UpdateGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var UpdateGroupCmd = &cobra.Command{
+ Use: "update-group",
+ Short: "UpdateGroup updates a group with a field mask.",
+ Long: "UpdateGroup updates a group with a field mask.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if UpdateGroupFromFile == "" {
+
+ cmd.MarkFlagRequired("group.name")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if UpdateGroupFromFile != "" {
+ in, err = os.Open(UpdateGroupFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &UpdateGroupInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "UpdateGroup", &UpdateGroupInput)
+ }
+ resp, err := AccessControlClient.UpdateGroup(ctx, &UpdateGroupInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/cmd/update-role.go b/cmd/update-role.go
new file mode 100644
index 0000000..62ad084
--- /dev/null
+++ b/cmd/update-role.go
@@ -0,0 +1,86 @@
+// Code generated. DO NOT EDIT.
+
+package main
+
+import (
+ "github.com/spf13/cobra"
+
+ fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb"
+
+ "fmt"
+
+ "github.com/golang/protobuf/jsonpb"
+
+ grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "os"
+)
+
+var UpdateRoleInput grbacpb.UpdateRoleRequest
+
+var UpdateRoleFromFile string
+
+func init() {
+ AccessControlServiceCmd.AddCommand(UpdateRoleCmd)
+
+ UpdateRoleInput.Role = new(grbacpb.Role)
+
+ UpdateRoleInput.UpdateMask = new(fieldmaskpb.FieldMask)
+
+ UpdateRoleCmd.Flags().StringVar(&UpdateRoleInput.Role.Name, "role.name", "", "Required. The resource name of the role.")
+
+ UpdateRoleCmd.Flags().StringSliceVar(&UpdateRoleInput.Role.Permissions, "role.permissions", []string{}, "Required. The list of permissions granted by the role.")
+
+ UpdateRoleCmd.Flags().BytesHexVar(&UpdateRoleInput.Role.Etag, "role.etag", []byte{}, "An etag for concurrency control, ignored during...")
+
+ UpdateRoleCmd.Flags().StringSliceVar(&UpdateRoleInput.UpdateMask.Paths, "update_mask.paths", []string{}, "The set of field mask paths.")
+
+ UpdateRoleCmd.Flags().StringVar(&UpdateRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload")
+
+}
+
+var UpdateRoleCmd = &cobra.Command{
+ Use: "update-role",
+ Short: "UpdateRole updates a role with a field mask.",
+ Long: "UpdateRole updates a role with a field mask.",
+ PreRun: func(cmd *cobra.Command, args []string) {
+
+ if UpdateRoleFromFile == "" {
+
+ cmd.MarkFlagRequired("role.name")
+
+ cmd.MarkFlagRequired("role.permissions")
+
+ }
+
+ },
+ RunE: func(cmd *cobra.Command, args []string) (err error) {
+
+ in := os.Stdin
+ if UpdateRoleFromFile != "" {
+ in, err = os.Open(UpdateRoleFromFile)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ err = jsonpb.Unmarshal(in, &UpdateRoleInput)
+ if err != nil {
+ return err
+ }
+
+ }
+
+ if Verbose {
+ printVerboseInput("AccessControl", "UpdateRole", &UpdateRoleInput)
+ }
+ resp, err := AccessControlClient.UpdateRole(ctx, &UpdateRoleInput)
+
+ if Verbose {
+ fmt.Print("Output: ")
+ }
+ printMessage(resp)
+
+ return err
+ },
+}
diff --git a/examples/grpc/docker-compose.yaml b/examples/grpc/docker-compose.yaml
new file mode 100644
index 0000000..a2f0eb9
--- /dev/null
+++ b/examples/grpc/docker-compose.yaml
@@ -0,0 +1,12 @@
+version: '3'
+services:
+ dgraph:
+ image: dgraph/standalone:v21.03.0
+ ports:
+ - "8060:8080"
+ - "9060:9080"
+ grbac:
+ build: ../../
+ entrypoint: /usr/local/grbac/docker-compose.sh
+ ports:
+ - "9070:9080"
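Review bot: The two `ports` entries under `dgraph` publish the database on every host interface, because a Compose mapping with no host address binds to all of them, and nothing in this file configures authentication for the `dgraph/standalone` image. Since this is presumably the store behind the access-control data, the example should bind to loopback: `- "127.0.0.1:8060:8080"` and `- "127.0.0.1:9060:9080"`, and likewise `- "127.0.0.1:9070:9080"` for `grbac`. If `docker-compose.sh` (not shown in this hunk) reaches Dgraph over the Compose network, the `dgraph` port mappings are only needed for debugging and could be dropped or commented as such. A short comment at the top of the file stating that the setup is for local use only would also help readers who copy it.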
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..fbdad60
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,27 @@
+module github.com/grbac/grbac
+
+go 1.16
+
+require (
+ github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e
+ github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660
+ github.com/dgraph-io/dgo/v210 v210.0.0-20210421093152-78a2fece3ebd
+ github.com/fsnotify/fsnotify v1.4.9 // indirect
+ github.com/golang/protobuf v1.5.2
+ github.com/google/go-cmp v0.5.6 // indirect
+ github.com/google/uuid v1.1.2
+ github.com/kr/text v0.2.0 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ github.com/sirupsen/logrus v1.8.1
+ github.com/spf13/cobra v1.1.3
+ github.com/spf13/viper v1.7.1
+ github.com/stretchr/testify v1.7.0
+ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
+ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+ google.golang.org/api v0.47.0
+ google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced
+ google.golang.org/grpc v1.38.0
+ google.golang.org/protobuf v1.26.0
+ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..d012cb1
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,700 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
+cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
+cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
+cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
+cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
+cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
+cloud.google.com/go v0.81.0 h1:at8Tk2zUz63cLPR0JPWm5vp77pEZmzxEQBEfRKn1VV8=
+cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
+cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
+cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/animeapis/api-go-client v0.0.0-20210702020008-910be5621ed0 h1:lny9qbtbsTRkBTw7Xa2IqobVH+icoUna3Z5st5RSs30=
+github.com/animeapis/api-go-client v0.0.0-20210702020008-910be5621ed0/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY=
+github.com/animeapis/api-go-client v0.0.0-20210706005357-61f55569ce4f h1:gACgGhge+bvE9h0y+dk9EDSCLxPMRwbMIUpBieopoJM=
+github.com/animeapis/api-go-client v0.0.0-20210706005357-61f55569ce4f/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY=
+github.com/animeapis/api-go-client v0.0.0-20210706012355-5c7d0a25dc1f h1:qsbZJro93Yi4B0optb+HPGkoSPSnaGSRoAHlp+lRoMg=
+github.com/animeapis/api-go-client v0.0.0-20210706012355-5c7d0a25dc1f/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY=
+github.com/animeapis/api-go-client v0.0.0-20210706130016-f43925eaefe0 h1:9WPMGKnlSFMlvuJTKmv+EkEaFG2elatH80igIyHN+Bo=
+github.com/animeapis/api-go-client v0.0.0-20210706130016-f43925eaefe0/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY=
+github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e h1:enf+AfSGCjGnyrmbotM1VClz46mI45ZbRaDh7lFbTd0=
+github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY=
+github.com/animeapis/go-genproto v0.0.0-20210521234542-490e9b696088/go.mod h1:uKRvemxPZyVEy2+4cCWJ6WXDeBXyR4YjBFnHgV5cGcg=
+github.com/animeapis/go-genproto v0.0.0-20210705160300-2b8f84d86720 h1:n+ozc7P73xOjhvoFjB86vaZF0RA5wSwIcuxFVXiFtsQ=
+github.com/animeapis/go-genproto v0.0.0-20210705160300-2b8f84d86720/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs=
+github.com/animeapis/go-genproto v0.0.0-20210705231000-2747288cb6e8 h1:3zOJPt/mL2KSDYOT7MewwGRIcNxSKvY5hn4oDKHP4N0=
+github.com/animeapis/go-genproto v0.0.0-20210705231000-2747288cb6e8/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs=
+github.com/animeapis/go-genproto v0.0.0-20210706005359-67393cbcd97d h1:UEzSoNDmUTqtuB9lGuUtAUzo44vgxHpnz5HDuLoBFEM=
+github.com/animeapis/go-genproto v0.0.0-20210706005359-67393cbcd97d/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs=
+github.com/animeapis/go-genproto v0.0.0-20210706012357-9e992faa07a7 h1:1myeoc83fA4rpu1QeT0LtZZKKK0rCs3H1qIsLAlEv4c=
+github.com/animeapis/go-genproto v0.0.0-20210706012357-9e992faa07a7/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs=
+github.com/animeapis/go-genproto v0.0.0-20210706130018-a53e1fd61c52 h1:FSzleLHwQCE2k+FsxSNPPR3d28Bdo249SlrGPlxeHTI=
+github.com/animeapis/go-genproto v0.0.0-20210706130018-a53e1fd61c52/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs=
+github.com/animeapis/go-genproto v0.0.0-20210706183531-6bde4cfe3722 h1:wH+1TPwGpMJtN+v7BzVT7b53A4fhcLXT9PLDe1uWqMk=
+github.com/animeapis/go-genproto v0.0.0-20210706183531-6bde4cfe3722/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs=
+github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660 h1:19vlhXVKZsLRuw4VhJjpzneK8WkURErvGmjKHUpLW/U=
+github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs=
+github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
+github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
+github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgraph-io/dgo/v210 v210.0.0-20210421093152-78a2fece3ebd h1:bKck5FnruuJxL1oCmrDSYWRl634IxBwL/IwwWx4UgEM=
+github.com/dgraph-io/dgo/v210 v210.0.0-20210421093152-78a2fece3ebd/go.mod h1:dCzdThGGTPYOAuNtrM6BiXj/86voHn7ZzkPL6noXR3s=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
+github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
+github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
+github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
+github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
+github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
+github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
+github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
+github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
+github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
+github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v1.1.3 h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M=
+github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
+github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk=
+github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
+github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420 h1:a8jGStKg0XqKDlKqjLrXn0ioF5MH36pT7Z0BRTqLhbk=
+golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI=
+golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 h1:hZR0X1kPW+nwyJ9xRxqZk1vx5RUObAPBdKVvXPDUH/E=
+golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
+golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
+google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
+google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
+google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
+google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
+google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
+google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
+google.golang.org/api v0.47.0 h1:sQLWZQvP6jPGIP4JGPkJu4zHswrv81iobiyszr3b/0I=
+google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
+google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
+google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
+google.golang.org/genproto v0.0.0-20210521181308-5ccab8a35a9a/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
+google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced h1:c5geK1iMU3cDKtFrCVQIcjR3W+JOZMuhIyICMCTbtus=
+google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
+google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0=
+google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno=
+gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/pkg/bootstrap/data/schema.rdf b/pkg/bootstrap/data/schema.rdf
new file mode 100644
index 0000000..4b56e2e
--- /dev/null
+++ b/pkg/bootstrap/data/schema.rdf
@@ -0,0 +1,59 @@
+type Resource {
+ Resource.etag
+ Resource.name
+ Resource.parent
+ Resource.policy
+}
+
+type Policy {
+ Policy.bindings
+ Policy.version
+ Policy.etag
+}
+
+type Binding {
+ Binding.role
+ Binding.members
+}
+
+type Role {
+ Role.description
+ Role.displayName
+ Role.etag
+ Role.name
+ Role.permissions
+}
+
+type Permission {
+ Permission.name
+}
+
+type Group {
+ Group.etag
+ Group.members
+ Group.name
+}
+
+type Subject {
+ Subject.name
+}
+
+: [uid] .
+: uid .
+: string @index(hash) @upsert .
+: [uid] .
+: string @index(hash) @upsert .
+: string @index(hash) @upsert .
+: [uid] .
+: string @index(hash) @upsert .
+: int .
+: string @index(hash) @upsert .
+: string @index(hash) @upsert .
+: uid @reverse .
+: uid .
+: string .
+: string .
+: string @index(hash) @upsert .
+: string @index(hash) @upsert .
+: [uid] @reverse .
+: string @index(hash) @upsert .
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.all-users.condition.rdf b/pkg/bootstrap/data/system.all-users.condition.rdf
new file mode 100644
index 0000000..09e363c
--- /dev/null
+++ b/pkg/bootstrap/data/system.all-users.condition.rdf
@@ -0,0 +1 @@
+@if(eq(len(allUsers), 0))
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.all-users.mutation.rdf b/pkg/bootstrap/data/system.all-users.mutation.rdf
new file mode 100644
index 0000000..f17db9d
--- /dev/null
+++ b/pkg/bootstrap/data/system.all-users.mutation.rdf
@@ -0,0 +1,2 @@
+uid(allUsers) "Subject" .
+uid(allUsers) "system/allUsers" .
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.all-users.query.rdf b/pkg/bootstrap/data/system.all-users.query.rdf
new file mode 100644
index 0000000..9f7e3e9
--- /dev/null
+++ b/pkg/bootstrap/data/system.all-users.query.rdf
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "system/allUsers")) { allUsers as uid }
+}
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.animeshon.condition.rdf b/pkg/bootstrap/data/system.animeshon.condition.rdf
new file mode 100644
index 0000000..8f6f919
--- /dev/null
+++ b/pkg/bootstrap/data/system.animeshon.condition.rdf
@@ -0,0 +1 @@
+@if(eq(len(animeshon), 0))
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.animeshon.mutation.rdf b/pkg/bootstrap/data/system.animeshon.mutation.rdf
new file mode 100644
index 0000000..25a44f5
--- /dev/null
+++ b/pkg/bootstrap/data/system.animeshon.mutation.rdf
@@ -0,0 +1,2 @@
+uid(animeshon) "Resource" .
+uid(animeshon) "@animeshon" .
\ No newline at end of file
diff --git a/pkg/bootstrap/data/system.animeshon.query.rdf b/pkg/bootstrap/data/system.animeshon.query.rdf
new file mode 100644
index 0000000..1a35324
--- /dev/null
+++ b/pkg/bootstrap/data/system.animeshon.query.rdf
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Resource.name, "@animeshon")) { animeshon as uid }
+}
\ No newline at end of file
diff --git a/pkg/bootstrap/schema.go b/pkg/bootstrap/schema.go
new file mode 100644
index 0000000..b0d561b
--- /dev/null
+++ b/pkg/bootstrap/schema.go
@@ -0,0 +1,76 @@
+package bootstrap
+
+import (
+ "context"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "google.golang.org/grpc"
+)
+
+//go:embed data/schema.rdf
+var schema string
+
+//go:embed data/system.all-users.query.rdf
+var allUsersQuery string
+
+//go:embed data/system.all-users.mutation.rdf
+var allUsersMutation []byte
+
+//go:embed data/system.all-users.condition.rdf
+var allUsersCondition string
+
+//go:embed data/system.animeshon.query.rdf
+var animeshonQuery string
+
+//go:embed data/system.animeshon.mutation.rdf
+var animeshonMutation []byte
+
+//go:embed data/system.animeshon.condition.rdf
+var animeshonCondition string
+
+func Schema(ctx context.Context, endpoint string) error {
+ connection, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ if err != nil {
+ return err
+ }
+ defer connection.Close()
+
+ op := &api.Operation{
+ Schema: schema,
+ }
+
+ cli := dgo.NewDgraphClient(api.NewDgraphClient(connection))
+ if err := cli.Alter(context.Background(), op); err != nil {
+ return err
+ }
+
+ allUsers := &api.Request{
+ Query: allUsersQuery,
+ Mutations: []*api.Mutation{{
+ Cond: allUsersCondition,
+ SetNquads: allUsersMutation,
+ }},
+ CommitNow: true,
+ }
+
+ if _, err := cli.NewTxn().Do(ctx, allUsers); err != nil {
+ return err
+ }
+
+ animeshon := &api.Request{
+ Query: animeshonQuery,
+ Mutations: []*api.Mutation{{
+ Cond: animeshonCondition,
+ SetNquads: animeshonMutation,
+ }},
+ CommitNow: true,
+ }
+
+ if _, err := cli.NewTxn().Do(ctx, animeshon); err != nil {
+ return err
+ }
+ return nil
+}
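Review bot: The dial at the top of `Schema` uses `grpc.WithInsecure()`, so the schema alteration and the bootstrap mutations for `system/allUsers` and `@animeshon` reach Dgraph without transport encryption or server authentication. Unless the endpoint is always loopback or a link secured at another layer, the dial options should come from the caller or use `grpc.WithTransportCredentials(...)` with a TLS configuration. Separately, `cli.Alter(context.Background(), op)` ignores the `ctx` the function receives, so cancellation and deadlines never reach the schema step; it should read `cli.Alter(ctx, op)`.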
diff --git a/pkg/fieldmask/fieldmask.go b/pkg/fieldmask/fieldmask.go
new file mode 100644
index 0000000..b746ddd
--- /dev/null
+++ b/pkg/fieldmask/fieldmask.go
@@ -0,0 +1,33 @@
+package fieldmask
+
+import (
+ "strings"
+
+ "google.golang.org/protobuf/types/known/fieldmaskpb"
+)
+
+type FieldMask struct {
+ paths []string
+}
+
+func (mask *FieldMask) Contains(field string) bool {
+ if mask == nil {
+ return true
+ }
+
+ for _, mask := range mask.paths {
+ if strings.HasPrefix(field, mask) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func NewFieldMask(mask *fieldmaskpb.FieldMask) *FieldMask {
+ if len(mask.GetPaths()) == 0 {
+ return nil
+ }
+
+ return &FieldMask{paths: mask.GetPaths()}
+}
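Review bot: `Contains` matches with a raw `strings.HasPrefix(field, mask)`, so a mask path `name` also matches the fields `names` and `name_suffix`, not only `name` and `name.sub`. Comparing on path-segment boundaries avoids touching fields the caller did not list: `if field == path || strings.HasPrefix(field, path+".") {`. The loop variable shadows the receiver `mask`, and renaming it to `path` makes the body easier to follow. A doc comment should also say that a nil `*FieldMask`, which `NewFieldMask` returns for an empty path list, is treated as containing every field.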
diff --git a/pkg/graceful/grpc_listener.go b/pkg/graceful/grpc_listener.go
new file mode 100644
index 0000000..139367c
--- /dev/null
+++ b/pkg/graceful/grpc_listener.go
@@ -0,0 +1,60 @@
+package graceful
+
+import (
+ "context"
+ "net"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sync/errgroup"
+ "google.golang.org/grpc"
+)
+
+// NewGrpcListener listens for incoming gRPC requests.
+func NewGrpcListener(ctx context.Context, address string, server *grpc.Server) error {
+ listener, err := net.Listen("tcp", address)
+ if err != nil {
+ return err
+ }
+
+ logrus.Infof("gRPC server listening to [%s]", address)
+ return ServeWithContext(ctx, server, listener)
+}
+
+// ServeWithContext is a wrapper around the Serve function which also implements
+// context cancellation and graceful shutdown.
+func ServeWithContext(ctx context.Context, server *grpc.Server, listener net.Listener) error {
+ serverCtx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ gr := new(errgroup.Group)
+ gr.Go(func() error {
+ defer cancel()
+
+ if err := server.Serve(listener); err != nil {
+ return err
+ }
+
+ return nil
+ })
+
+ gr.Go(func() error {
+ for {
+ select {
+ case <-serverCtx.Done():
+ // ListenAndServe exited already - nothing to do.
+ return nil
+ case <-ctx.Done():
+ // SIGTERM or SIGINT received - initiate graceful shutdown.
+ goto shutdown
+ }
+ }
+
+ shutdown:
+ logrus.Info("gracefully shutting down the server - waiting for active connections to close")
+ server.GracefulStop()
+
+ return nil
+ })
+
+ return gr.Wait()
+}
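Review bot: `server.GracefulStop()` in the second goroutine of `ServeWithContext` has no upper bound, so one client that keeps a stream open holds shutdown until the process is killed from outside. Bounding the wait and falling back to `server.Stop()` keeps termination predictable. In the sketch below, `shutdownTimeout` is a new package-level duration for the project to choose, and the file would additionally need the `time` import. The `for` around the `select` and the `goto` can be dropped as well, since every case leaves the loop on its first pass, and the comment mentioning `ListenAndServe` should refer to `Serve`.

```go
// … unchanged: Serve goroutine and the select on serverCtx.Done() / ctx.Done() …
shutdown:
	logrus.Info("gracefully shutting down the server - waiting for active connections to close")

	stopped := make(chan struct{})
	go func() {
		server.GracefulStop()
		close(stopped)
	}()

	select {
	case <-stopped:
	case <-time.After(shutdownTimeout):
		// Active RPCs did not drain in time; close the remaining connections.
		server.Stop()
	}

	return nil
```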
diff --git a/pkg/graph/data/groups.exists.query.dql b/pkg/graph/data/groups.exists.query.dql
new file mode 100644
index 0000000..d9190d9
--- /dev/null
+++ b/pkg/graph/data/groups.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsGroup($name: string) {
+ groups(func: eq(Group.name, $name)) {
+ Group.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/groups.get.query.dql b/pkg/graph/data/groups.get.query.dql
new file mode 100644
index 0000000..b302d14
--- /dev/null
+++ b/pkg/graph/data/groups.get.query.dql
@@ -0,0 +1,10 @@
+query queryGetGroup($name: string) {
+ groups(func: eq(Group.name, $name)) {
+ Group.name
+ Group.etag
+ Group.members {
+ Group.name
+ Subject.name
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/permissions.exists.query.dql b/pkg/graph/data/permissions.exists.query.dql
new file mode 100644
index 0000000..549e6b8
--- /dev/null
+++ b/pkg/graph/data/permissions.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsPermission($name: string) {
+ permissions(func: eq(Permission.name, $name)) {
+ Permission.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/resources.exists.query.dql b/pkg/graph/data/resources.exists.query.dql
new file mode 100644
index 0000000..a158fa4
--- /dev/null
+++ b/pkg/graph/data/resources.exists.query.dql
@@ -0,0 +1,5 @@
+query queryGetResource($name: string) {
+ resources(func: eq(Resource.name, $name)) {
+ Resource.name
+ }
+}
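Review bot: The operation in `resources.exists.query.dql` is named `queryGetResource`, the same name used in `resources.get.query.dql`, while the other exists queries in this commit follow the `queryExists<Type>` pattern. Renaming it to `query queryExistsResource($name: string) {` keeps operation names unique and consistent with the Go variable `queryExistsResource` that embeds this file.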
diff --git a/pkg/graph/data/resources.get.query.dql b/pkg/graph/data/resources.get.query.dql
new file mode 100644
index 0000000..1b41d5f
--- /dev/null
+++ b/pkg/graph/data/resources.get.query.dql
@@ -0,0 +1,22 @@
+query queryGetResource($name: string) {
+ resources(func: eq(Resource.name, $name)) {
+ Resource.name
+ Resource.etag
+ Resource.policy {
+ Policy.etag
+ Policy.version
+ Policy.bindings {
+ Binding.role {
+ Role.name
+ }
+ Binding.members {
+ Group.name
+ Subject.name
+ }
+ }
+ }
+ Resource.parent {
+ Resource.name
+ }
+ }
+}
diff --git a/pkg/graph/data/resources.has_children.query.dql b/pkg/graph/data/resources.has_children.query.dql
new file mode 100644
index 0000000..6b2f534
--- /dev/null
+++ b/pkg/graph/data/resources.has_children.query.dql
@@ -0,0 +1,7 @@
+query queryHasChildren($name: string) {
+ children(func: eq(Resource.name, $name)) {
+ ~Resource.parent {
+ Resource.name
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/roles.exists.query.dql b/pkg/graph/data/roles.exists.query.dql
new file mode 100644
index 0000000..7ea6959
--- /dev/null
+++ b/pkg/graph/data/roles.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsRole($name: string) {
+ roles(func: eq(Role.name, $name)) {
+ Role.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/roles.get.query.dql b/pkg/graph/data/roles.get.query.dql
new file mode 100644
index 0000000..3d21453
--- /dev/null
+++ b/pkg/graph/data/roles.get.query.dql
@@ -0,0 +1,9 @@
+query queryGetRole($name: string) {
+ roles(func: eq(Role.name, $name)) {
+ Role.name
+ Role.etag
+ Role.permissions {
+ Permission.name
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/subjects.exists.query.dql b/pkg/graph/data/subjects.exists.query.dql
new file mode 100644
index 0000000..f4a7464
--- /dev/null
+++ b/pkg/graph/data/subjects.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsSubject($name: string) {
+ subjects(func: eq(Subject.name, $name)) {
+ Subject.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/groups.go b/pkg/graph/groups.go
new file mode 100644
index 0000000..b9fef89
--- /dev/null
+++ b/pkg/graph/groups.go
@@ -0,0 +1,56 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/groups.get.query.dql
+var queryGetGroup string
+
+//go:embed data/groups.exists.query.dql
+var queryExistsGroup string
+
+func GetGroup(ctx context.Context, txn *dgo.Txn, name string) (*Group, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetGroup, m)
+ if err != nil {
+ return nil, err
+ }
+
+ groups := new(struct {
+ Groups []*Group `json:"groups"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &groups); err != nil {
+ return nil, err
+ }
+
+ if len(groups.Groups) == 0 {
+ return nil, nil
+ }
+
+ return groups.Groups[0], nil
+}
+
+func ExistsGroup(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsGroup, m)
+ if err != nil {
+ return false, err
+ }
+
+ groups := new(struct {
+ Groups []*Group `json:"groups"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &groups); err != nil {
+ return false, err
+ }
+
+ return len(groups.Groups) != 0, nil
+}
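Review bot: `GetGroup` returns `nil, nil` when no group matches and nothing documents that, so a caller that checks only `err` will dereference a nil `*Group`; `GetResource` in pkg/graph/resources.go and `GetRole` in pkg/graph/roles.go have the same shape. At minimum add a doc comment such as `// GetGroup returns the group called name, or (nil, nil) if it does not exist.`, though a sentinel not-found error would make the miss harder to overlook in authorization paths. The function also returns `groups.Groups[0]` without checking for a second match, which would hide duplicate names if they ever exist in the store. Since `groups` is already a pointer from `new(...)`, `json.Unmarshal(resp.Json, groups)` is sufficient.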
diff --git a/pkg/graph/permissions.go b/pkg/graph/permissions.go
new file mode 100644
index 0000000..e690014
--- /dev/null
+++ b/pkg/graph/permissions.go
@@ -0,0 +1,31 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/permissions.exists.query.dql
+var queryExistsPermission string
+
+func ExistsPermission(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsPermission, m)
+ if err != nil {
+ return false, err
+ }
+
+ permissions := new(struct {
+ Permissions []*Permission `json:"permissions"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &permissions); err != nil {
+ return false, err
+ }
+
+ return len(permissions.Permissions) != 0, nil
+}
diff --git a/pkg/graph/resources.go b/pkg/graph/resources.go
new file mode 100644
index 0000000..6f6a4af
--- /dev/null
+++ b/pkg/graph/resources.go
@@ -0,0 +1,77 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/resources.get.query.dql
+var queryGetResource string
+
+//go:embed data/resources.exists.query.dql
+var queryExistsResource string
+
+//go:embed data/resources.has_children.query.dql
+var queryHasChildren string
+
+func GetResource(ctx context.Context, txn *dgo.Txn, name string) (*Resource, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetResource, m)
+ if err != nil {
+ return nil, err
+ }
+
+ resources := new(struct {
+ Resources []*Resource `json:"resources"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &resources); err != nil {
+ return nil, err
+ }
+
+ if len(resources.Resources) == 0 {
+ return nil, nil
+ }
+
+ return resources.Resources[0], nil
+}
+
+func ExistsResource(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsResource, m)
+ if err != nil {
+ return false, err
+ }
+
+ resources := new(struct {
+ Resources []*Resource `json:"resources"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &resources); err != nil {
+ return false, err
+ }
+
+ return len(resources.Resources) != 0, nil
+}
+
+func HasChildren(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryHasChildren, m)
+ if err != nil {
+ return false, err
+ }
+
+ children := new(struct {
+ Resources []*Resource `json:"children"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &children); err != nil {
+ return false, err
+ }
+
+ return len(children.Resources) != 0, nil
+}
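Review bot: `HasChildren` requests only `~Resource.parent { Resource.name }` for the matched node, so its `len(children.Resources) != 0` test appears to rely on Dgraph leaving a node out of the result when none of the requested predicates exist on it. That dependency deserves a comment above the function, for example `// HasChildren reports whether any resource names this one as its parent; a resource without children is expected to yield an empty "children" block.`. The struct field is named `Resources` although it decodes the matched parent node rather than its children, so a name like `Parents` would read more accurately.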
diff --git a/pkg/graph/roles.go b/pkg/graph/roles.go
new file mode 100644
index 0000000..969e6f4
--- /dev/null
+++ b/pkg/graph/roles.go
@@ -0,0 +1,56 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/roles.get.query.dql
+var queryGetRole string
+
+//go:embed data/roles.exists.query.dql
+var queryExistsRole string
+
+func GetRole(ctx context.Context, txn *dgo.Txn, name string) (*Role, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetRole, m)
+ if err != nil {
+ return nil, err
+ }
+
+ roles := new(struct {
+ Roles []*Role `json:"roles"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &roles); err != nil {
+ return nil, err
+ }
+
+ if len(roles.Roles) == 0 {
+ return nil, nil
+ }
+
+ return roles.Roles[0], nil
+}
+
+func ExistsRole(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsRole, m)
+ if err != nil {
+ return false, err
+ }
+
+ roles := new(struct {
+ Roles []*Role `json:"roles"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &roles); err != nil {
+ return false, err
+ }
+
+ return len(roles.Roles) != 0, nil
+}
diff --git a/pkg/graph/subjects.go b/pkg/graph/subjects.go
new file mode 100644
index 0000000..a73ef4b
--- /dev/null
+++ b/pkg/graph/subjects.go
@@ -0,0 +1,31 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/subjects.exists.query.dql
+var queryExistsSubject string
+
+func ExistsSubject(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsSubject, m)
+ if err != nil {
+ return false, err
+ }
+
+ subjects := new(struct {
+ Subjects []*Subject `json:"subjects"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &subjects); err != nil {
+ return false, err
+ }
+
+ return len(subjects.Subjects) != 0, nil
+}
diff --git a/pkg/graph/types.go b/pkg/graph/types.go
new file mode 100644
index 0000000..8b7d5fa
--- /dev/null
+++ b/pkg/graph/types.go
@@ -0,0 +1,44 @@
+package graph
+
+type Permission struct {
+ Name string `json:"Permission.name"`
+}
+
+type Role struct {
+ Name string `json:"Role.name"`
+ Permissions []*Permission `json:"Role.permissions"`
+ ETag string `json:"Role.etag"`
+}
+
+type Resource struct {
+ Name string `json:"Resource.name"`
+ Policy *Policy `json:"Resource.policy"`
+ Parent *Resource `json:"Resource.parent"`
+ ETag string `json:"Resource.etag"`
+}
+
+type Policy struct {
+ Bindings []*Binding `json:"Policy.bindings"`
+ Version int32 `json:"Policy.version"`
+ ETag string `json:"Policy.etag"`
+}
+
+type Binding struct {
+ Role *Role `json:"Binding.role"`
+ Members []Member `json:"Binding.members"`
+}
+
+type Member struct {
+ Group string `json:"Group.name"`
+ Subject string `json:"Subject.name"`
+}
+
+type Group struct {
+ Name string `json:"Group.name"`
+ Members []Member `json:"Group.members"`
+ ETag string `json:"Group.etag"`
+}
+
+type Subject struct {
+ Name string `json:"Subject.name"`
+}
diff --git a/pkg/interrupt/interrupt.go b/pkg/interrupt/interrupt.go
new file mode 100644
index 0000000..0265b9f
--- /dev/null
+++ b/pkg/interrupt/interrupt.go
@@ -0,0 +1,104 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package interrupt
+
+import (
+ "os"
+ "os/signal"
+ "sync"
+ "syscall"
+)
+
+// terminationSignals are signals that cause the program to exit in the
+// supported platforms (linux, darwin, windows).
+var terminationSignals = []os.Signal{syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT}
+
+// Handler guarantees execution of notifications after a critical section (the function passed
+// to a Run method), even in the presence of process termination. It guarantees exactly once
+// invocation of the provided notify functions.
+type Handler struct {
+ notify []func()
+ final func(os.Signal)
+ once sync.Once
+}
+
+// Chain creates a new handler that invokes all notify functions when the critical section exits
+// and then invokes the optional handler's notifications. This allows critical sections to be
+// nested without losing exactly once invocations. Notify functions can invoke any cleanup needed
+// but should not exit (which is the responsibility of the parent handler).
+func Chain(handler *Handler, notify ...func()) *Handler {
+ if handler == nil {
+ return New(nil, notify...)
+ }
+ return New(handler.Signal, append(notify, handler.Close)...)
+}
+
+// New creates a new handler that guarantees all notify functions are run after the critical
+// section exits (or is interrupted by the OS), then invokes the final handler. If no final
+// handler is specified, the default final is `os.Exit(1)`. A handler can only be used for
+// one critical section.
+func New(final func(os.Signal), notify ...func()) *Handler {
+ return &Handler{
+ final: final,
+ notify: notify,
+ }
+}
+
+// Close executes all the notification handlers if they have not yet been executed.
+func (h *Handler) Close() {
+ h.once.Do(func() {
+ for _, fn := range h.notify {
+ fn()
+ }
+ })
+}
+
+// Signal is called when an os.Signal is received, and guarantees that all notifications
+// are executed, then the final handler is executed. This function should only be called once
+// per Handler instance.
+func (h *Handler) Signal(s os.Signal) {
+ h.once.Do(func() {
+ for _, fn := range h.notify {
+ fn()
+ }
+ if h.final == nil {
+ os.Exit(1)
+ }
+ h.final(s)
+ })
+}
+
+// Run ensures that any notifications are invoked after the provided fn exits (even if the
+// process is interrupted by an OS termination signal). Notifications are only invoked once
+// per Handler instance, so calling Run more than once will not behave as the user expects.
+func (h *Handler) Run(fn func() error) error {
+ ch := make(chan os.Signal, 1)
+ signal.Notify(ch, terminationSignals...)
+ defer func() {
+ signal.Stop(ch)
+ close(ch)
+ }()
+ go func() {
+ sig, ok := <-ch
+ if !ok {
+ return
+ }
+ h.Signal(sig)
+ }()
+ defer h.Close()
+ return fn()
+}
diff --git a/pkg/services/authorize.go b/pkg/services/authorize.go
new file mode 100644
index 0000000..f522c14
--- /dev/null
+++ b/pkg/services/authorize.go
@@ -0,0 +1,119 @@
+package services
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sync/errgroup"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// TODO(christia-roggia): collapse into a single query as soon as dgraph
+// allows `shortest` to be performed with multiple exit nodes.
+
+//go:embed data/authorize.query.dql
+var queryAuthorize string
+
+func (s *AccessControlServerImpl) validateTestIamPolicy(ctx context.Context, req *grbac.TestIamPolicyRequest) error {
+ if req.AccessTuple == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {access tuple not defined}").Err()
+ }
+
+ if len(req.AccessTuple.FullResourceName) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {full resource name not defined}").Err()
+ }
+ if len(req.AccessTuple.Permission) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {permission not defined}").Err()
+ }
+ if len(req.AccessTuple.Principal) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {principal not defined}").Err()
+ }
+
+ if !isUserMember(req.AccessTuple.Principal) && !isServiceAccountMember(req.AccessTuple.Principal) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid principal name format}").Err()
+ }
+
+ return nil
+}
+
+// Checks whether a member has a specific permission for a specific resource.
+// If not allowed an Unauthorized (403) error will be returned.
+func (s *AccessControlServerImpl) TestIamPolicy(ctx context.Context, req *grbac.TestIamPolicyRequest) (*empty.Empty, error) {
+ if err := s.validateTestIamPolicy(ctx, req); err != nil {
+ return nil, err
+ }
+
+ m := map[string]string{
+ "$resource": req.AccessTuple.FullResourceName,
+ "$permission": toPermissionName(req.AccessTuple.Permission),
+ }
+
+ if isUserMember(req.AccessTuple.Principal) {
+ m["$principal"] = toUserName(req.AccessTuple.Principal)
+ } else if isServiceAccountMember(req.AccessTuple.Principal) {
+ m["$principal"] = toServiceAccountName(req.AccessTuple.Principal)
+ }
+
+ allUsers := map[string]string{
+ "$principal": allUsers,
+ "$resource": req.AccessTuple.FullResourceName,
+ "$permission": toPermissionName(req.AccessTuple.Permission),
+ }
+
+ // Ask in parallel whether the user is allowed or allUsers is allowed.
+ var isAllowed, isAllUsersAllowed bool
+ group, ctx := errgroup.WithContext(ctx)
+
+ group.Go(func() error {
+ allowed, err := s.testIamPolicy(ctx, m)
+
+ isAllowed = allowed
+ return err
+ })
+
+ group.Go(func() error {
+ allowed, err := s.testIamPolicy(ctx, allUsers)
+
+ isAllUsersAllowed = allowed
+ return err
+ })
+
+ if err := group.Wait(); err != nil {
+ logrus.WithError(err).Errorf("failed to execute authorize query")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if isAllowed || isAllUsersAllowed {
+ return &empty.Empty{}, nil
+ }
+
+ return nil, status.New(codes.PermissionDenied, "permission denied").Err()
+}
+
+func (s *AccessControlServerImpl) testIamPolicy(ctx context.Context, m map[string]string) (bool, error) {
+ resp, err := s.cli.NewReadOnlyTxn().QueryWithVars(ctx, queryAuthorize, m)
+ if err != nil {
+ return false, err
+ }
+
+ payload := new(struct {
+ Ok []json.RawMessage `json:"ok"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &payload); err != nil {
+ return false, err
+ }
+
+ if len(payload.Ok) == 0 {
+ return false, nil
+ }
+
+ return true, nil
+}
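Review bot: In `TestIamPolicy` the local map `allUsers` reuses the name of the identifier it reads on its own right-hand side (`"$principal": allUsers`), which compiles only because Go brings the new name into scope after the statement; in an authorization path that is easy to misread. Renaming the map, e.g. `allUsersVars := map[string]string{` with `s.testIamPolicy(ctx, allUsersVars)`, removes the ambiguity. The doc comment also says "Unauthorized (403)" while the code returns `codes.PermissionDenied`; `// If not allowed, a PermissionDenied error is returned.` would match. `validateTestIamPolicy` and `testIamPolicy` have no doc comments; a line on each noting that a backend or decode error surfaces as `codes.Internal`, so the check fails closed, would help the next reader.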
diff --git a/pkg/services/authorize_integration_test.go b/pkg/services/authorize_integration_test.go
new file mode 100644
index 0000000..37f475a
--- /dev/null
+++ b/pkg/services/authorize_integration_test.go
@@ -0,0 +1,350 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/genproto/googleapis/iam/v1"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func TestIntegrationAuthorize(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Anonymous = "user:anonymous"
+
+ User0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ User1 = &grbac.Subject{
+ Name: "users/user-1." + uuid.New().String(),
+ }
+ User2 = &grbac.Subject{
+ Name: "users/user-2." + uuid.New().String(),
+ }
+ UserNotFound = &grbac.Subject{
+ Name: "users/user-?." + uuid.New().String(),
+ }
+
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(),
+ }
+ ServiceAccount1 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-1." + uuid.New().String(),
+ }
+ ServiceAccount2 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-2." + uuid.New().String(),
+ }
+ ServiceAccountNotFound = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-?." + uuid.New().String(),
+ }
+
+ Group0 = &grbac.Group{
+ Name: "groups/group-0." + uuid.New().String(),
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ },
+ }
+ Group1 = &grbac.Group{
+ Name: "groups/group-1." + uuid.New().String(),
+ Members: []string{
+ toUserMember(User1.Name),
+ toServiceAccountMember(ServiceAccount1.Name),
+ },
+ }
+
+ PermissionGet = &grbac.Permission{
+ Name: "permissions/grbac.test.get",
+ }
+ PermissionCreate = &grbac.Permission{
+ Name: "permissions/grbac.test.create",
+ }
+ PermissionDelete = &grbac.Permission{
+ Name: "permissions/grbac.test.delete",
+ }
+ PermissionNotFound = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+
+ RoleAdmin = &grbac.Role{
+ Name: "roles/grbac.admin",
+ Permissions: []string{
+ toPermissionId(PermissionGet.Name),
+ toPermissionId(PermissionCreate.Name),
+ toPermissionId(PermissionDelete.Name),
+ },
+ }
+ RoleEditor = &grbac.Role{
+ Name: "roles/grbac.editor",
+ Permissions: []string{
+ toPermissionId(PermissionGet.Name),
+ toPermissionId(PermissionCreate.Name),
+ },
+ }
+ RoleViewer = &grbac.Role{
+ Name: "roles/grbac.viewer",
+ Permissions: []string{
+ toPermissionId(PermissionGet.Name),
+ },
+ }
+
+ Resource0 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+ Resource1 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(),
+ Parent: Resource0.Name,
+ }
+ Resource2 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-2." + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+ ResourceNotFound = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-?." + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+
+ Policy0 = &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: RoleEditor.Name,
+ Members: []string{
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ }
+ Policy1 = &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: RoleAdmin.Name,
+ Members: []string{
+ toGroupMember(Group0.Name),
+ },
+ },
+ {
+ Role: RoleEditor.Name,
+ Members: []string{
+ toUserMember(User1.Name),
+ toServiceAccountMember(ServiceAccount1.Name),
+ },
+ },
+ {
+ Role: RoleViewer.Name,
+ Members: []string{
+ "allUsers",
+ },
+ },
+ },
+ }
+ Policy2 = &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: RoleViewer.Name,
+ Members: []string{
+ toGroupMember(Group0.Name),
+ toGroupMember(Group1.Name),
+ },
+ },
+ },
+ }
+ )
+
+ // Create new random resources.
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0})
+ require.NoError(t, err)
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1})
+ require.NoError(t, err)
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource2})
+ require.NoError(t, err)
+
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionGet})
+ require.NoError(t, err)
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionCreate})
+ require.NoError(t, err)
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionDelete})
+ require.NoError(t, err)
+
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleAdmin})
+ require.NoError(t, err)
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleEditor})
+ require.NoError(t, err)
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleViewer})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User1})
+ require.NoError(t, err)
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User2})
+ require.NoError(t, err)
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount1})
+ require.NoError(t, err)
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount2})
+ require.NoError(t, err)
+
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0})
+ require.NoError(t, err)
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1})
+ require.NoError(t, err)
+
+ // Set IAM polices to resources.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource0.Name, Policy: Policy0})
+ require.NoError(t, err)
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource1.Name, Policy: Policy1})
+ require.NoError(t, err)
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource2.Name, Policy: Policy2})
+ require.NoError(t, err)
+
+ type T struct {
+ object string
+ subject string
+ relation string
+ allowed bool
+ }
+
+ for _, i := range []*T{
+ // Test: authorization rule on non-existing resource should return permission denied.
+ {ResourceNotFound.Name, User0.Name, PermissionGet.Name, false},
+ {ResourceNotFound.Name, Anonymous, PermissionGet.Name, false},
+
+ // Test: authorization rule on non-existing permission should return permission denied.
+ {Resource0.Name, User0.Name, PermissionNotFound.Name, false},
+ {Resource0.Name, Anonymous, PermissionNotFound.Name, false},
+
+ // Test: only members of group-0 should be granted "grbac.test.create" permission on resource-0.
+ {Resource0.Name, User0.Name, PermissionCreate.Name, true},
+ {Resource0.Name, ServiceAccount0.Name, PermissionCreate.Name, true},
+
+ {Resource0.Name, User1.Name, PermissionCreate.Name, false},
+ {Resource0.Name, User2.Name, PermissionCreate.Name, false},
+ {Resource0.Name, UserNotFound.Name, PermissionCreate.Name, false},
+ {Resource0.Name, ServiceAccount1.Name, PermissionCreate.Name, false},
+ {Resource0.Name, ServiceAccount2.Name, PermissionCreate.Name, false},
+ {Resource0.Name, ServiceAccountNotFound.Name, PermissionCreate.Name, false},
+ {Resource0.Name, Anonymous, PermissionCreate.Name, false},
+
+ // Test: only members of group-0 should be granted "grbac.test.get" permission on resource-0.
+ {Resource0.Name, User0.Name, PermissionGet.Name, true},
+ {Resource0.Name, ServiceAccount0.Name, PermissionGet.Name, true},
+
+ {Resource0.Name, User1.Name, PermissionGet.Name, false},
+ {Resource0.Name, User2.Name, PermissionGet.Name, false},
+ {Resource0.Name, UserNotFound.Name, PermissionGet.Name, false},
+ {Resource0.Name, ServiceAccount1.Name, PermissionGet.Name, false},
+ {Resource0.Name, ServiceAccount2.Name, PermissionGet.Name, false},
+ {Resource0.Name, ServiceAccountNotFound.Name, PermissionGet.Name, false},
+ {Resource0.Name, Anonymous, PermissionGet.Name, false},
+
+ // Test: nobody should be granted "grbac.test.delete" permission on resource-0.
+ {Resource0.Name, User0.Name, PermissionDelete.Name, false},
+ {Resource0.Name, User1.Name, PermissionDelete.Name, false},
+ {Resource0.Name, User2.Name, PermissionDelete.Name, false},
+ {Resource0.Name, UserNotFound.Name, PermissionDelete.Name, false},
+ {Resource0.Name, ServiceAccount0.Name, PermissionDelete.Name, false},
+ {Resource0.Name, ServiceAccount1.Name, PermissionDelete.Name, false},
+ {Resource0.Name, ServiceAccount2.Name, PermissionDelete.Name, false},
+ {Resource0.Name, ServiceAccountNotFound.Name, PermissionDelete.Name, false},
+ {Resource0.Name, Anonymous, PermissionDelete.Name, false},
+
+ // Test: all users should be granted "grbac.test.get" permission on resource-1.
+ {Resource1.Name, User0.Name, PermissionGet.Name, true},
+ {Resource1.Name, User1.Name, PermissionGet.Name, true},
+ {Resource1.Name, User2.Name, PermissionGet.Name, true},
+ {Resource1.Name, UserNotFound.Name, PermissionGet.Name, true},
+ {Resource1.Name, ServiceAccount0.Name, PermissionGet.Name, true},
+ {Resource1.Name, ServiceAccount1.Name, PermissionGet.Name, true},
+ {Resource1.Name, ServiceAccount2.Name, PermissionGet.Name, true},
+ {Resource1.Name, ServiceAccountNotFound.Name, PermissionGet.Name, true},
+ {Resource1.Name, Anonymous, PermissionGet.Name, true},
+
+ // Test: only members of group-0 should be granted "grbac.test.delete" permission on resource-1.
+ {Resource1.Name, User0.Name, PermissionDelete.Name, true},
+ {Resource1.Name, ServiceAccount0.Name, PermissionDelete.Name, true},
+
+ {Resource1.Name, User1.Name, PermissionDelete.Name, false},
+ {Resource1.Name, User2.Name, PermissionDelete.Name, false},
+ {Resource1.Name, UserNotFound.Name, PermissionDelete.Name, false},
+ {Resource1.Name, ServiceAccount1.Name, PermissionDelete.Name, false},
+ {Resource1.Name, ServiceAccount2.Name, PermissionDelete.Name, false},
+ {Resource1.Name, ServiceAccountNotFound.Name, PermissionDelete.Name, false},
+ {Resource1.Name, Anonymous, PermissionDelete.Name, false},
+
+ // Test: only members of group-0 (inherited) and group-1 should be granted "grbac.test.create" permission on resource-1.
+ {Resource1.Name, User0.Name, PermissionCreate.Name, true},
+ {Resource1.Name, User1.Name, PermissionCreate.Name, true},
+ {Resource1.Name, ServiceAccount0.Name, PermissionCreate.Name, true},
+ {Resource1.Name, ServiceAccount1.Name, PermissionCreate.Name, true},
+
+ {Resource1.Name, User2.Name, PermissionCreate.Name, false},
+ {Resource1.Name, ServiceAccount2.Name, PermissionCreate.Name, false},
+ {Resource1.Name, Anonymous, PermissionCreate.Name, false},
+
+ // Test: only members of group-0 and group-1 should be granted "grbac.test.get" permission on resource-2.
+ {Resource2.Name, User0.Name, PermissionGet.Name, true},
+ {Resource2.Name, User1.Name, PermissionGet.Name, true},
+ {Resource2.Name, ServiceAccount0.Name, PermissionGet.Name, true},
+ {Resource2.Name, ServiceAccount1.Name, PermissionGet.Name, true},
+
+ {Resource2.Name, User2.Name, PermissionGet.Name, false},
+ {Resource2.Name, ServiceAccount2.Name, PermissionGet.Name, false},
+ {Resource2.Name, Anonymous, PermissionGet.Name, false},
+ } {
+ subject := i.subject
+ if isUser(i.subject) {
+ subject = toUserMember(i.subject)
+ } else if isServiceAccount(i.subject) {
+ subject = toServiceAccountMember(i.subject)
+ }
+ _, err = server.TestIamPolicy(context.TODO(), &grbac.TestIamPolicyRequest{
+ AccessTuple: &grbac.AccessTuple{
+ FullResourceName: i.object,
+ Principal: subject,
+ Permission: toPermissionId(i.relation),
+ },
+ })
+
+ if i.allowed {
+ assert.NoError(t, err, "[%s:%s:%s]", i.object, i.relation, i.subject)
+ } else {
+ assert.Error(t, err, "[%s:%s:%s]", i.object, i.relation, i.subject)
+ if err != nil {
+ assert.Equal(t, codes.PermissionDenied, status.Code(err), "[%s:%s:%s]", i.object, i.relation, i.subject)
+ }
+ }
+ }
+}
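Review bot: The comment above the resource-1 `PermissionCreate` cases says the grant comes from "group-0 (inherited) and group-1", but `Policy1` binds `RoleEditor` to `User1` and `ServiceAccount1` directly, and `Group1` appears only in `Policy2`. Suggested wording: `// Test: group-0 members and the directly bound user-1 / serviceaccount-1 should be granted "grbac.test.create" on resource-1.` That block also omits `UserNotFound` and `ServiceAccountNotFound`, which the neighbouring delete block covers. The table never exercises the `InvalidArgument` paths (nil tuple, empty fields, malformed principal), so a regression in request validation would pass this test.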
diff --git a/pkg/services/authorizer_service.go b/pkg/services/authorizer_service.go
new file mode 100644
index 0000000..4b337cc
--- /dev/null
+++ b/pkg/services/authorizer_service.go
@@ -0,0 +1,118 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "google.golang.org/grpc"
+)
+
+type AccessControlServerConfig struct {
+ DgraphHostname string
+}
+
+// NewAccessControlServer returns a new instance of AccessControl server.
+func NewAccessControlServer(cfg *AccessControlServerConfig) (grbac.AccessControlServer, error) {
+ connection, err := grpc.Dial(cfg.DgraphHostname, grpc.WithInsecure())
+ if err != nil {
+ return nil, err
+ }
+
+ return &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(connection)),
+ conn: connection,
+ }, nil
+}
+
+type AccessControlServerImpl struct {
+ cli *dgo.Dgraph
+ conn *grpc.ClientConn
+}
+
+func (s *AccessControlServerImpl) Close() error {
+ return s.conn.Close()
+}
+
+func (s *AccessControlServerImpl) delete(ctx context.Context, txn *dgo.Txn, queryTmpl, mutationTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ mutation, err := ExecuteTemplate(mutationTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{DelNquads: mutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func (s *AccessControlServerImpl) create(ctx context.Context, txn *dgo.Txn, queryTmpl, mutationTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ mutation, err := ExecuteTemplate(mutationTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{SetNquads: mutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func (s *AccessControlServerImpl) update(ctx context.Context, txn *dgo.Txn, queryTmpl, setTmpl, deleteTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ setMutation, err := ExecuteTemplate(setTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ deleteMutation, err := ExecuteTemplate(deleteTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{DelNquads: deleteMutation}, {SetNquads: setMutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
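Review bot: `NewAccessControlServer` dials Dgraph with `grpc.WithInsecure()`, so the policy graph and every authorization query travel unencrypted and the backend is not authenticated; for the store that decides access, that should be opt-in rather than the only mode. Consider adding TLS settings to `AccessControlServerConfig` and dialing with `grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg))` when they are set. `cfg` is also dereferenced without a nil check. The `create`, `update` and `delete` helpers send rendered template text as `Query` and N-Quads and have no doc comments; one stating that `data` must already be validated would make that precondition explicit.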
diff --git a/pkg/services/data/authorize.query.dql b/pkg/services/data/authorize.query.dql
new file mode 100644
index 0000000..57c5a6f
--- /dev/null
+++ b/pkg/services/data/authorize.query.dql
@@ -0,0 +1,17 @@
+query queryAuthorize($principal: string, $resource: string, $permission: string) {
+ var(func: eq(Subject.name, $principal)) { subject as uid }
+ var(func: eq(Resource.name, $resource)) { object as uid }
+ var(func: eq(Permission.name, $permission)) { ~Role.permissions { roles as uid } }
+
+ path as shortest(from: uid(object), to: uid(subject)) {
+ Resource.parent
+ Resource.policy
+ Policy.bindings @filter(uid_in(Binding.role, uid(roles)))
+ Group.members
+ Binding.members
+ }
+
+ ok(func: uid(path), first:1) {
+ uid
+ }
+}
\ No newline at end of file
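Review bot: The query carries no comment explaining why a non-empty `path` means access is granted, and that reasoning is the security argument for the whole service. A header comment along the lines of `# Access is granted when a path exists from the resource (or an ancestor via Resource.parent) through a policy binding whose role holds $permission to the principal, directly or via group membership.` would record it. The query appears to rely on subjects and groups being reachable only through `Binding.members` and `Group.members`, so that every path passes the role-filtered `Policy.bindings` edge. That depends on the schema, which is not part of this hunk, so it is worth stating as an invariant next to the query.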
diff --git a/pkg/services/data/groups/groups.create.mutation.go.tmpl b/pkg/services/data/groups/groups.create.mutation.go.tmpl
new file mode 100644
index 0000000..22ba4bd
--- /dev/null
+++ b/pkg/services/data/groups/groups.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(group) "Group" .
+uid(group) "{{ .Group.Name }}" .
+uid(group) "{{ .ETag }}" .
+
+{{- range .Group.Members }}
+uid(group) uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
\ No newline at end of file
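Review bot: `{{ .Group.Name }}` is rendered into a quoted literal by `text/template`, which does no escaping, so a name containing a double quote, backslash or newline changes the structure of the mutation unless it is rejected before rendering (any such validation is outside this hunk). The same pattern recurs in the query templates for groups, permissions, policies, resources, roles and subjects (`eq(Group.name, "{{ .Group.Name }}")`, `eq(Resource.name, "{{ .Resource }}")`, and so on) and in the other create mutations. Where Dgraph accepts them, bind the values as query variables as `authorize.query.dql` already does. For N-Quad literals, run the value through an escaping template function or validate names against a strict character set in the service layer.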
diff --git a/pkg/services/data/groups/groups.create.query.go.tmpl b/pkg/services/data/groups/groups.create.query.go.tmpl
new file mode 100644
index 0000000..6bafe05
--- /dev/null
+++ b/pkg/services/data/groups/groups.create.query.go.tmpl
@@ -0,0 +1,15 @@
+query {
+ var(func: eq(Group.name, "{{ .Group.Name }}")) { group as uid }
+
+ {{- range .Group.Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+}
\ No newline at end of file
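Review bot: The variable name `members_{{ AlphaNumVar . }}` must be unique per member, and nothing here documents that `AlphaNumVar` guarantees it; its implementation is outside this hunk. If it works by dropping or replacing non-alphanumeric characters, two different members could render to the same variable, and the matching `uid(members_…)` line in the mutation template would then refer to an ambiguous binding. A comment such as `{{/* AlphaNumVar must be injective: distinct members yield distinct variable names */}}` plus a unit test for near-identical names would pin this down. The same applies to `role_{{ AlphaNumVar .Role }}` and `permission_{{ AlphaNumVar . }}` in the policy and role templates. A member that matches none of the four branches defines no variable while the mutation template still references one for it, so it is worth confirming such members are rejected earlier.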
diff --git a/pkg/services/data/groups/groups.delete.mutation.go.tmpl b/pkg/services/data/groups/groups.delete.mutation.go.tmpl
new file mode 100644
index 0000000..a2a14ae
--- /dev/null
+++ b/pkg/services/data/groups/groups.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(group) * * .
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.delete.query.go.tmpl b/pkg/services/data/groups/groups.delete.query.go.tmpl
new file mode 100644
index 0000000..88708c7
--- /dev/null
+++ b/pkg/services/data/groups/groups.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Group.name, "{{ .Name }}")) { group as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.delete.go.tmpl b/pkg/services/data/groups/groups.update.delete.go.tmpl
new file mode 100644
index 0000000..24539e9
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.delete.go.tmpl
@@ -0,0 +1,5 @@
+uid(group) * .
+
+{{- if call .FieldMask "group.members" }}
+uid(group) * .
+{{- end }} {{/* if FieldMask "group.members" */}}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.query.go.tmpl b/pkg/services/data/groups/groups.update.query.go.tmpl
new file mode 100644
index 0000000..fb25ddd
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.query.go.tmpl
@@ -0,0 +1,17 @@
+query {
+ var(func: eq(Group.name, "{{ .Group.Name }}")) { group as uid }
+
+ {{- if call .FieldMask "group.members" }}
+ {{- range .Group.Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+ {{- end }} {{/* if FieldMask "group.members" */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.set.go.tmpl b/pkg/services/data/groups/groups.update.set.go.tmpl
new file mode 100644
index 0000000..15fba4a
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.set.go.tmpl
@@ -0,0 +1,7 @@
+uid(group) "{{ .ETag }}" .
+
+{{- if call .FieldMask "group.members" }}
+{{- range .Group.Members }}
+uid(group) uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
+{{- end }} {{/* if FieldMask "group.members" */}}
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.create.mutation.go.tmpl b/pkg/services/data/permissions/permissions.create.mutation.go.tmpl
new file mode 100644
index 0000000..a18fbf8
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.create.mutation.go.tmpl
@@ -0,0 +1,2 @@
+uid(permission) "Permission" .
+uid(permission) "{{ .Permission.Name }}" .
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.create.query.go.tmpl b/pkg/services/data/permissions/permissions.create.query.go.tmpl
new file mode 100644
index 0000000..1b857ed
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.create.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Permission.name, "{{ .Permission.Name }}")) { permission as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl b/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl
new file mode 100644
index 0000000..e74de71
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(permission) * * .
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.delete.query.go.tmpl b/pkg/services/data/permissions/permissions.delete.query.go.tmpl
new file mode 100644
index 0000000..d32fefc
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Permission.name, "{{ .Name }}")) { permission as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.delete.go.tmpl b/pkg/services/data/policies/policies.update.delete.go.tmpl
new file mode 100644
index 0000000..b84ecf6
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.delete.go.tmpl
@@ -0,0 +1,5 @@
+uid(policy) * .
+uid(policy) * .
+uid(policy) * .
+
+uid(bindings) * * .
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.query.go.tmpl b/pkg/services/data/policies/policies.update.query.go.tmpl
new file mode 100644
index 0000000..6ab198c
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.query.go.tmpl
@@ -0,0 +1,23 @@
+query {
+ resource as var(func: eq(Resource.name, "{{ .Resource }}")) {
+ policy as Resource.policy {
+ bindings as Policy.bindings
+ }
+ }
+
+ {{- range .Policy.Bindings }}
+ var(func: eq(Role.name, "{{ .Role }}")) { role_{{ AlphaNumVar .Role }} as uid }
+
+ {{- range .Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+ {{- end }} {{/* range .Bindings */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.set.go.tmpl b/pkg/services/data/policies/policies.update.set.go.tmpl
new file mode 100644
index 0000000..f675e25
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.set.go.tmpl
@@ -0,0 +1,17 @@
+uid(resource) uid(policy) .
+
+uid(policy) "Policy" .
+uid(policy) "{{ .ETag }}" .
+uid(policy) "{{ .Policy.Version }}" .
+
+{{- range .Policy.Bindings }}
+uid(policy) _:binding_{{ AlphaNumVar .Role }} .
+
+_:binding_{{ AlphaNumVar .Role }} "Binding" ..
+_:binding_{{ AlphaNumVar .Role }} uid(role_{{ AlphaNumVar .Role }}) .
+
+{{- $binding := . }}
+{{- range .Members }}
+_:binding_{{ AlphaNumVar $binding.Role }} uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
+{{- end }} {{/* range .Bindings */}}
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.create.mutation.go.tmpl b/pkg/services/data/resources/resources.create.mutation.go.tmpl
new file mode 100644
index 0000000..ebc5a09
--- /dev/null
+++ b/pkg/services/data/resources/resources.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(resource) "Resource" .
+uid(resource) "{{ .Resource.Name }}" .
+uid(resource) "{{ .ETag }}" .
+
+{{- with .Resource.Parent }}
+uid(resource) uid(parent) .
+{{- end }} {{/* with .Resource.Parent */}}
diff --git a/pkg/services/data/resources/resources.create.query.go.tmpl b/pkg/services/data/resources/resources.create.query.go.tmpl
new file mode 100644
index 0000000..292fa30
--- /dev/null
+++ b/pkg/services/data/resources/resources.create.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ var(func: eq(Resource.name, "{{ .Resource.Name }}")) { resource as uid }
+
+ {{- with .Resource.Parent }}
+ var(func: eq(Resource.name, "{{ . }}")) { parent as uid }
+ {{- end }} {{/* with .Resource.Parent */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.delete.mutation.go.tmpl b/pkg/services/data/resources/resources.delete.mutation.go.tmpl
new file mode 100644
index 0000000..780e9ea
--- /dev/null
+++ b/pkg/services/data/resources/resources.delete.mutation.go.tmpl
@@ -0,0 +1,3 @@
+uid(resource) * * .
+uid(policy) * * .
+uid(bindings) * * .
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.delete.query.go.tmpl b/pkg/services/data/resources/resources.delete.query.go.tmpl
new file mode 100644
index 0000000..5a6b0ed
--- /dev/null
+++ b/pkg/services/data/resources/resources.delete.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ resource as var(func: eq(Resource.name, "{{ .Name }}")) {
+ policy as Resource.policy {
+ bindings as Policy.bindings
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.create.mutation.go.tmpl b/pkg/services/data/roles/roles.create.mutation.go.tmpl
new file mode 100644
index 0000000..fab2cff
--- /dev/null
+++ b/pkg/services/data/roles/roles.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(role) "Role" .
+uid(role) "{{ .Role.Name }}" .
+uid(role) "{{ .ETag }}" .
+
+{{- range .Role.Permissions }}
+uid(role) uid(permission_{{ AlphaNumVar . }}) .
+{{- end }}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.create.query.go.tmpl b/pkg/services/data/roles/roles.create.query.go.tmpl
new file mode 100644
index 0000000..16e1b7a
--- /dev/null
+++ b/pkg/services/data/roles/roles.create.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ var(func: eq(Role.name, "{{ .Role.Name }}")) { role as uid }
+
+ {{- range .Role.Permissions }}
+ var(func: eq(Permission.name, "{{ ToPermissionName . }}")) { permission_{{ AlphaNumVar . }} as uid }
+ {{- end }}
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.delete.mutation.go.tmpl b/pkg/services/data/roles/roles.delete.mutation.go.tmpl
new file mode 100644
index 0000000..763512c
--- /dev/null
+++ b/pkg/services/data/roles/roles.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(role) * * .
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.delete.query.go.tmpl b/pkg/services/data/roles/roles.delete.query.go.tmpl
new file mode 100644
index 0000000..6f043e3
--- /dev/null
+++ b/pkg/services/data/roles/roles.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Role.name, "{{ .Name }}")) { role as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.delete.go.tmpl b/pkg/services/data/roles/roles.update.delete.go.tmpl
new file mode 100644
index 0000000..ef3cda7
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.delete.go.tmpl
@@ -0,0 +1,3 @@
+{{- if call .FieldMask "role.permissions" }}
+uid(role) * .
+{{- end }} {{/* if FieldMask "role.permissions" */}}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.query.go.tmpl b/pkg/services/data/roles/roles.update.query.go.tmpl
new file mode 100644
index 0000000..e759354
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.query.go.tmpl
@@ -0,0 +1,9 @@
+query {
+ var(func: eq(Role.name, "{{ .Role.Name }}")) { role as uid }
+
+ {{- if call .FieldMask "role.permissions" }}
+ {{- range .Role.Permissions }}
+ var(func: eq(Permission.name, "{{ ToPermissionName . }}")) { permission_{{ AlphaNumVar . }} as uid }
+ {{- end }}
+ {{- end }} {{/* if FieldMask "role.permissions" */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.set.go.tmpl b/pkg/services/data/roles/roles.update.set.go.tmpl
new file mode 100644
index 0000000..1dda6af
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.set.go.tmpl
@@ -0,0 +1,8 @@
+
+uid(role) "{{ .ETag }}" .
+
+{{- if call .FieldMask "role.permissions" }}
+{{- range .Role.Permissions }}
+uid(role) uid(permission_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Permissions */}}
+{{- end }} {{/* if FieldMask "role.permissions" */}}
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.create.mutation.go.tmpl b/pkg/services/data/subjects/subjects.create.mutation.go.tmpl
new file mode 100644
index 0000000..998a98c
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.create.mutation.go.tmpl
@@ -0,0 +1,2 @@
+uid(subject) "Subject" .
+uid(subject) "{{ .Subject.Name }}" .
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.create.query.go.tmpl b/pkg/services/data/subjects/subjects.create.query.go.tmpl
new file mode 100644
index 0000000..b958a94
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.create.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "{{ .Subject.Name }}")) { subject as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl b/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl
new file mode 100644
index 0000000..26c75d9
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(subject) * * .
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.delete.query.go.tmpl b/pkg/services/data/subjects/subjects.delete.query.go.tmpl
new file mode 100644
index 0000000..0bcad12
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "{{ .Name }}")) { subject as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/groups.go b/pkg/services/groups.go
new file mode 100644
index 0000000..ea56383
--- /dev/null
+++ b/pkg/services/groups.go
@@ -0,0 +1,110 @@
+package services
+
+import (
+ "strings"
+
+ "github.com/grbac/grbac/pkg/graph"
+)
+
+type MemberError struct {
+ member string
+ field string
+ err string
+}
+
+func (e *MemberError) Error() string {
+ return e.member + ": " + e.field + ": " + e.err
+}
+
+func members(members []graph.Member) ([]string, error) {
+ var list []string
+ for _, member := range members {
+ if len(member.Group) != 0 {
+ if isGroup(member.Group) {
+ list = append(list, toGroupMember(member.Group))
+ continue
+ }
+
+ return nil, &MemberError{
+ member: member.Group,
+ field: "Group",
+ err: "invalid member type",
+ }
+ }
+
+ if len(member.Subject) != 0 {
+ if isAllUsers(member.Subject) {
+ list = append(list, "allUsers")
+ continue
+ }
+
+ if isServiceAccount(member.Subject) {
+ list = append(list, toServiceAccountMember(member.Subject))
+ continue
+ }
+
+ if isUser(member.Subject) {
+ list = append(list, toUserMember(member.Subject))
+ continue
+ }
+
+ return nil, &MemberError{
+ member: member.Subject,
+ field: "Subject",
+ err: "invalid member type",
+ }
+ }
+
+ return nil, &MemberError{
+ member: "",
+ field: "",
+ err: "member is not set",
+ }
+ }
+
+ return list, nil
+}
+
+func isUserMember(name string) bool {
+ return strings.HasPrefix(name, "user:")
+}
+
+func isServiceAccountMember(name string) bool {
+ return strings.HasPrefix(name, "serviceAccount:")
+}
+
+func isGroupMember(name string) bool {
+ return strings.HasPrefix(name, "group:")
+}
+
+func isAllUsersMember(name string) bool {
+ return name == "allUsers"
+}
+
+func isGroup(name string) bool {
+ return strings.HasPrefix(name, "groups/")
+}
+
+func toUserName(name string) string {
+ return "users/" + strings.TrimPrefix(name, "user:")
+}
+
+func toServiceAccountName(name string) string {
+ return "serviceAccounts/" + strings.TrimPrefix(name, "serviceAccount:")
+}
+
+func toGroupName(name string) string {
+ return "groups/" + strings.TrimPrefix(name, "group:")
+}
+
+func toUserMember(name string) string {
+ return "user:" + strings.TrimPrefix(name, "users/")
+}
+
+func toServiceAccountMember(name string) string {
+ return "serviceAccount:" + strings.TrimPrefix(name, "serviceAccounts/")
+}
+
+func toGroupMember(name string) string {
+ return "group:" + strings.TrimPrefix(name, "groups/")
+}
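Review bot: `isGroup` and the `is*Member` helpers accept any string that merely starts with the prefix, so `groups/` with an empty identifier, or an identifier containing quotes, whitespace or further slashes, passes as a well-formed name. These helpers are the only format validation the group handlers in this commit apply before the name is used in graph lookups and rendered into query templates, so they should check the whole string. At minimum use `return len(name) > len("groups/") && strings.HasPrefix(name, "groups/")`, and preferably one anchored pattern for the identifier shared by all resource kinds; the allowed character set is a project decision that is not visible here. The `to*Name` and `to*Member` converters also rely on `TrimPrefix` silently doing nothing when the prefix is absent, which deserves a doc comment stating that callers must have checked the kind first.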
diff --git a/pkg/services/groups_create.go b/pkg/services/groups_create.go
new file mode 100644
index 0000000..b5917df
--- /dev/null
+++ b/pkg/services/groups_create.go
@@ -0,0 +1,120 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/groups/groups.create.query.go.tmpl
+var queryCreateGroup string
+
+//go:embed data/groups/groups.create.mutation.go.tmpl
+var mutationCreateGroup string
+
+var templateQueryCreateGroup = template.Must(
+ template.New("QueryCreateGroup").Funcs(defaultFuncMap).Parse(queryCreateGroup),
+)
+
+var templateMutationCreateGroup = template.Must(
+ template.New("MutationCreateGroup").Funcs(defaultFuncMap).Parse(mutationCreateGroup),
+)
+
+func (s *AccessControlServerImpl) validateCreateGroup(ctx context.Context, txn *dgo.Txn, req *grbac.CreateGroupRequest) error {
+ // A group must be defined.
+ if req.Group == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {group not defined}").Err()
+ }
+
+ // The group name must be defined.
+ if len(req.Group.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err()
+ }
+
+ // The group name must be well formatted.
+ if !isGroup(req.Group.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err()
+ }
+
+ // The members must all exist and must have a valid type.
+ for _, m := range req.Group.Members {
+ memberFound, err := false, error(nil)
+ if isGroupMember(m) {
+ // TODO: should groups be allowed to include other groups?
+ // TODO: if yes, a maximum path distance should be set to avoid too heavy queries.
+ memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m))
+ } else if isUserMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m))
+ } else if isServiceAccountMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m))
+ } else if isAllUsersMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, allUsers)
+ } else {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid member type}").Err()
+ }
+
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateGroup: failed to query group members")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !memberFound {
+ return status.New(codes.FailedPrecondition, "failed precondition {member does not exist}").Err()
+ }
+ }
+
+ // The group must be new to avoid race conditions.
+ groupFound, err := graph.ExistsGroup(ctx, txn, req.Group.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateGroup: failed to query group")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if groupFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateGroup creates a new group.
+func (s *AccessControlServerImpl) CreateGroup(ctx context.Context, req *grbac.CreateGroupRequest) (*grbac.Group, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateGroup(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ data := struct {
+ Group *grbac.Group
+ ETag string
+ }{
+ Group: req.GetGroup(),
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateGroup, templateMutationCreateGroup, data); err != nil {
+ logrus.WithError(err).Errorf("CreateGroup: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ group := &grbac.Group{
+ Name: req.Group.Name,
+ Members: req.Group.Members,
+ Etag: etag,
+ }
+
+ return group, nil
+}
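Review bot: The transaction opened with `s.cli.NewTxn()` in `CreateGroup` is never discarded when `validateCreateGroup` returns an error, and whether `s.create` discards it on its own failure paths is not visible in this hunk. dgo's documented pattern is to follow the constructor with `defer txn.Discard(ctx)`, which is a no-op after a successful commit. `DeleteGroup`, `GetGroup` and `UpdateGroup` open their transactions the same way. Separately, the comment "The group must be new to avoid race conditions" overstates what the existence check provides: it is a read in the same transaction, so uniqueness under concurrent creates depends on how the upsert in `s.create` is committed, and the comment should say that.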
diff --git a/pkg/services/groups_delete.go b/pkg/services/groups_delete.go
new file mode 100644
index 0000000..f11d6cf
--- /dev/null
+++ b/pkg/services/groups_delete.go
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/groups/groups.delete.query.go.tmpl
+var queryDeleteGroup string
+
+//go:embed data/groups/groups.delete.mutation.go.tmpl
+var mutationDeleteGroup string
+
+var templateQueryDeleteGroup = template.Must(
+ template.New("QueryDeleteGroup").Funcs(defaultFuncMap).Parse(queryDeleteGroup),
+)
+
+var templateMutationDeleteGroup = template.Must(
+ template.New("MutationDeleteGroup").Funcs(defaultFuncMap).Parse(mutationDeleteGroup),
+)
+
+func (s *AccessControlServerImpl) validateDeleteGroup(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteGroupRequest) error {
+ // The group name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err()
+ }
+
+ // The group name must be well formatted.
+ if !isGroup(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err()
+ }
+
+ // The group must exist.
+ groupFound, err := graph.ExistsGroup(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteGroup: failed to query group")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !groupFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeleteGroup deletes a group.
+func (s *AccessControlServerImpl) DeleteGroup(ctx context.Context, req *grbac.DeleteGroupRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteGroup(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteGroup, templateMutationDeleteGroup, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteGroup: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
diff --git a/pkg/services/groups_get.go b/pkg/services/groups_get.go
new file mode 100644
index 0000000..672b38f
--- /dev/null
+++ b/pkg/services/groups_get.go
@@ -0,0 +1,63 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetGroup(ctx context.Context, txn *dgo.Txn, req *grbac.GetGroupRequest) error {
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err()
+ }
+
+ // The group name must be well formatted.
+ if !isGroup(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err()
+ }
+
+ return nil
+}
+
+// GetGroup returns a group.
+func (s *AccessControlServerImpl) GetGroup(ctx context.Context, req *grbac.GetGroupRequest) (*grbac.Group, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetGroup(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ resp, err := graph.GetGroup(ctx, txn, req.GetName())
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get group [%s]", req.GetName())
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ group := &grbac.Group{
+ Name: resp.Name,
+ }
+
+ group.Etag, err = base64.StdEncoding.DecodeString(resp.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode resource etag [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ group.Members, err = members(resp.Members)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get group members [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return group, nil
+}
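Review bot: The three error logs in `GetGroup` format the caller-supplied group name into the message text (`"failed to get group [%s]"`), and `validateGetGroup` constrains only its prefix, so control characters in the name reach the log message as written. Passing it as a structured field keeps the message constant and leaves quoting to the configured formatter: `logrus.WithError(err).WithField("group", req.GetName()).Error("failed to get group")`. `validateGetGroup` also accepts `ctx` and `txn` without using them; a one-line comment that the signature mirrors the other validators would explain why.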
diff --git a/pkg/services/groups_integration_test.go b/pkg/services/groups_integration_test.go
new file mode 100644
index 0000000..319ae16
--- /dev/null
+++ b/pkg/services/groups_integration_test.go
@@ -0,0 +1,383 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+ "google.golang.org/protobuf/types/known/fieldmaskpb"
+)
+
+func TestIntegrationGroupCreate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ User0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ User1 = &grbac.Subject{
+ Name: "users/user-1." + uuid.New().String(),
+ }
+
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(),
+ }
+ ServiceAccount1 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-1." + uuid.New().String(),
+ }
+
+ Group0 = &grbac.Group{
+ Name: "groups/group-0." + uuid.New().String(),
+ Members: []string{
+ "allUsers",
+ toUserMember(User0.Name),
+ toUserMember(User1.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toServiceAccountMember(ServiceAccount1.Name),
+ },
+ }
+ Group1 = &grbac.Group{
+ Name: "groups/group-1." + uuid.New().String(),
+ Members: []string{
+ toGroupMember(Group0.Name),
+ },
+ }
+ Group2 = &grbac.Group{
+ Name: "groups/group-2." + uuid.New().String(),
+ Members: []string{
+ "allUsers",
+ toUserMember(User0.Name),
+ toUserMember(User1.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toServiceAccountMember(ServiceAccount1.Name),
+ toGroupMember(Group0.Name),
+ },
+ }
+ Group3 = &grbac.Group{
+ Name: "groups/group-3." + uuid.New().String(),
+ Members: []string{},
+ }
+ )
+
+ // Test: creation with non-existing subjects should fail.
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0})
+ require.Error(t, err)
+ assert.Equal(t, codes.FailedPrecondition, status.Code(err))
+
+ // Test: creation with non-existing groups should fail.
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1})
+ require.Error(t, err)
+ assert.Equal(t, codes.FailedPrecondition, status.Code(err))
+
+ // Test: creation with non-existing mixed members should fail.
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group2})
+ require.Error(t, err)
+ assert.Equal(t, codes.FailedPrecondition, status.Code(err))
+
+ // Create new random subjects.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User1})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount1})
+ require.NoError(t, err)
+
+ // Test: creation (subjects only) should not fail.
+ group0, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0})
+ require.NoError(t, err)
+ require.NotNil(t, group0)
+
+ assert.Equal(t, Group0.Name, group0.Name)
+ assert.ElementsMatch(t, Group0.Members, group0.Members)
+ assert.NotEmpty(t, group0.Etag)
+
+ // Test: creation (groups only) should not fail.
+ group1, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1})
+ require.NoError(t, err)
+ require.NotNil(t, group1)
+
+ assert.Equal(t, Group1.Name, group1.Name)
+ assert.ElementsMatch(t, Group1.Members, group1.Members)
+ assert.NotEmpty(t, group1.Etag)
+
+ // Test: creation (mixed members) should not fail.
+ group2, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group2})
+ require.NoError(t, err)
+ require.NotNil(t, group2)
+
+ assert.Equal(t, Group2.Name, group2.Name)
+ assert.ElementsMatch(t, Group2.Members, group2.Members)
+ assert.NotEmpty(t, group2.Etag)
+
+ // Test: creation (no members) should not fail.
+ group3, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group3})
+ require.NoError(t, err)
+ require.NotNil(t, group3)
+
+ assert.Equal(t, Group3.Name, group3.Name)
+ assert.Empty(t, group3.Members)
+ assert.NotEmpty(t, group3.Etag)
+
+ // Test: creation of duplicate group should fail with already exists.
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+
+ // Test: get group (mixed members) should return the same group created.
+ group, err := server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group2.Name})
+ require.NoError(t, err)
+ require.NotNil(t, group)
+
+ assert.Equal(t, Group2.Name, group.Name)
+ assert.ElementsMatch(t, Group2.Members, group.Members)
+ assert.NotEmpty(t, group.Etag)
+
+ // Test: get group (no members) should return the same group created.
+ group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group3.Name})
+ require.NoError(t, err)
+ require.NotNil(t, group)
+
+ assert.Equal(t, Group3.Name, group.Name)
+ assert.Empty(t, group.Members)
+ assert.NotEmpty(t, group.Etag)
+}
+
+func TestIntegrationGroupDelete(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ User0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(),
+ }
+
+ Group0 = &grbac.Group{
+ Name: "groups/group-0." + uuid.New().String(),
+ Members: []string{
+ "allUsers",
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ },
+ }
+ GroupNotFound = &grbac.Group{
+ Name: "groups/group-?." + uuid.New().String(),
+ }
+ )
+
+ // Create new random group and subjects.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0})
+ require.NoError(t, err)
+
+ // Test: deletion of existing resource with no children should not fail.
+ empty, err := server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: Group0.Name})
+ assert.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ // Test: get resource should return 'not found' after deletion.
+ _, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of already deleted resource should fail.
+ _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: Group0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of non-existing resource should fail.
+ _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: GroupNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
+
+func TestIntegrationGroupUpdate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ User0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ UserNotFound = &grbac.Subject{
+ Name: "users/user-?." + uuid.New().String(),
+ }
+
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(),
+ }
+ ServiceAccountNotFound = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-?." + uuid.New().String(),
+ }
+
+ Group0 = &grbac.Group{
+ Name: "groups/group-0." + uuid.New().String(),
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ },
+ }
+ GroupNotFound = &grbac.Group{
+ Name: "groups/group-?." + uuid.New().String(),
+ }
+ )
+
+ // Create new random group and subjects.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0})
+ require.NoError(t, err)
+
+ // Test: update (add existing subjects) should not fail.
+ Group0.Members = append(Group0.Members,
+ "allUsers",
+ )
+
+ group, err := server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0})
+ require.NoError(t, err)
+ require.NotNil(t, group)
+
+ assert.Equal(t, Group0.Name, group.Name)
+ assert.ElementsMatch(t, Group0.Members, group.Members)
+ assert.NotEmpty(t, group.Etag)
+
+ group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, group)
+
+ assert.Equal(t, Group0.Name, group.Name)
+ assert.ElementsMatch(t, Group0.Members, group.Members)
+ assert.NotEmpty(t, group.Etag)
+
+ // Test: update (add non-existing subjects) should fail.
+ Group0.Members = append(Group0.Members,
+ toUserMember(UserNotFound.Name),
+ toServiceAccountMember(ServiceAccountNotFound.Name),
+ )
+
+ _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0})
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: update (remove subjects) should not fail.
+ Group0.Members = nil
+ group, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0})
+ require.NoError(t, err)
+ require.NotNil(t, group)
+
+ assert.Equal(t, Group0.Name, group.Name)
+ assert.ElementsMatch(t, Group0.Members, group.Members)
+ assert.NotEmpty(t, group.Etag)
+
+ group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, group)
+
+ assert.Equal(t, Group0.Name, group.Name)
+ assert.ElementsMatch(t, Group0.Members, group.Members)
+ assert.NotEmpty(t, group.Etag)
+
+ // Test: update with mutable field mask should not fail.
+ _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{
+ Group: Group0,
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{"group", "group.members"},
+ }})
+ require.NoError(t, err)
+
+ // Test: update with immutable field mask should fail.
+ _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{
+ Group: Group0,
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{"group.name"},
+ }})
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: update with invalid field mask should fail.
+ _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{
+ Group: Group0,
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{""},
+ }})
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: update of a self-referencing group should fail.
+ Group0.Members = []string{Group0.Name}
+ _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0})
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: update of non-existing resource should fail.
+ _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: GroupNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
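Review bot: Two cases at the end of `TestIntegrationGroupUpdate` do not exercise what their comments say. The self-reference case sets `Group0.Members = []string{Group0.Name}`, which is a resource name (`groups/...`) rather than a member string, so `validateUpdateGroup` rejects it as an invalid member type before the self-containing check is reached; it should be `Group0.Members = []string{toGroupMember(Group0.Name)}`. The "update of non-existing resource" case calls `DeleteGroup`; it should be `_, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: GroupNotFound})`. Both assertions pass today, so the self-containment check and the update-not-found path are currently unverified.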
diff --git a/pkg/services/groups_members_add.go b/pkg/services/groups_members_add.go
new file mode 100644
index 0000000..2f9f923
--- /dev/null
+++ b/pkg/services/groups_members_add.go
@@ -0,0 +1,15 @@
+package services
+
+import (
+ "context"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// AddGroupMember adds a member to a group.
+func (s *AccessControlServerImpl) AddGroupMember(ctx context.Context, req *grbac.AddGroupMemberRequest) (*grbac.Group, error) {
+ return nil, status.New(codes.Unimplemented, "unimplemented").Err()
+}
diff --git a/pkg/services/groups_members_remove.go b/pkg/services/groups_members_remove.go
new file mode 100644
index 0000000..10c8480
--- /dev/null
+++ b/pkg/services/groups_members_remove.go
@@ -0,0 +1,15 @@
+package services
+
+import (
+ "context"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// RemoveGroupMember removes a member from a group.
+func (s *AccessControlServerImpl) RemoveGroupMember(ctx context.Context, req *grbac.RemoveGroupMemberRequest) (*grbac.Group, error) {
+ return nil, status.New(codes.Unimplemented, "unimplemented").Err()
+}
diff --git a/pkg/services/groups_update.go b/pkg/services/groups_update.go
new file mode 100644
index 0000000..d3352ae
--- /dev/null
+++ b/pkg/services/groups_update.go
@@ -0,0 +1,146 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/fieldmask"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/groups/groups.update.query.go.tmpl
+var queryUpdateGroup string
+
+//go:embed data/groups/groups.update.set.go.tmpl
+var setUpdateGroup string
+
+//go:embed data/groups/groups.update.delete.go.tmpl
+var deleteUpdateGroup string
+
+var templateQueryUpdateGroup = template.Must(
+ template.New("QueryUpdateGroup").Funcs(defaultFuncMap).Parse(queryUpdateGroup),
+)
+
+var templateSetUpdateGroup = template.Must(
+ template.New("SetUpdateGroup").Funcs(defaultFuncMap).Parse(setUpdateGroup),
+)
+
+var templateDeleteUpdateGroup = template.Must(
+ template.New("DeleteUpdateGroup").Funcs(defaultFuncMap).Parse(deleteUpdateGroup),
+)
+
+func (s *AccessControlServerImpl) validateUpdateGroup(ctx context.Context, txn *dgo.Txn, req *grbac.UpdateGroupRequest) error {
+ // A group must be defined.
+ if req.Group == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {group not defined}").Err()
+ }
+
+ // The group name must be defined.
+ if len(req.Group.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err()
+ }
+
+ // The group name must be well formatted.
+ if !isGroup(req.Group.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err()
+ }
+
+ // The update field mask must contain valid paths.
+ for _, path := range req.GetUpdateMask().GetPaths() {
+ switch path {
+ case "group", "group.members":
+ default:
+ return status.New(codes.InvalidArgument, "invalid argument {invalid field mask}").Err()
+ }
+ }
+
+ // The members must all exist and must have a valid type.
+ for _, m := range req.Group.Members {
+ memberFound, err := false, error(nil)
+ if isGroupMember(m) {
+ if toGroupName(m) == req.Group.Name {
+ return status.New(codes.InvalidArgument, "invalid argument {self-containing groups are forbidden}").Err()
+ }
+
+ // TODO: should groups be allowed to include other groups?
+ // TODO: if yes, a maximum path distance should be set to avoid too heavy queries.
+ memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m))
+ } else if isUserMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m))
+ } else if isServiceAccountMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m))
+ } else if isAllUsersMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, allUsers)
+ } else {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid member type}").Err()
+ }
+
+ if err != nil {
+ logrus.WithError(err).Errorf("UpdateGroup: failed to query group members")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !memberFound {
+ return status.New(codes.InvalidArgument, "invalid argument {member does not exist}").Err()
+ }
+ }
+
+ // The group must exist.
+ groupFound, err := graph.ExistsGroup(ctx, txn, req.Group.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("UpdateGroup: failed to query group")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !groupFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// UpdateGroup updates a group with a field mask.
+func (s *AccessControlServerImpl) UpdateGroup(ctx context.Context, req *grbac.UpdateGroupRequest) (*grbac.Group, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateUpdateGroup(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ fieldmask := fieldmask.NewFieldMask(req.GetUpdateMask())
+
+ data := struct {
+ Group *grbac.Group
+ FieldMask func(string) bool
+ ETag string
+ }{
+ Group: req.GetGroup(),
+ FieldMask: fieldmask.Contains,
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.update(ctx, txn, templateQueryUpdateGroup, templateSetUpdateGroup, templateDeleteUpdateGroup, data); err != nil {
+ logrus.WithError(err).Errorf("UpdateGroup: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ // TODO: merge missing fields (not included in the update mask) with the group in dgraph.
+ group := &grbac.Group{
+ Name: req.Group.Name,
+ Members: req.Group.Members,
+ Etag: etag,
+ }
+
+ return group, nil
+}
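Review bot: The member-validation loop in `validateUpdateGroup` is a copy of the one in `validateCreateGroup` with two differences: it adds the self-containment check, and it reports a missing member as `InvalidArgument` where create reports `FailedPrecondition`. One shared helper taking the group name would keep the two paths from drifting and settle the status code. The self-containment check covers only direct membership, so a cycle through a second group is still accepted; the TODO acknowledges nesting depth, and a doc comment on the validator should state that limitation. In `UpdateGroup`, the local `fieldmask` shadows the imported package for the rest of the function; `mask := fieldmask.NewFieldMask(req.GetUpdateMask())` avoids that.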
diff --git a/pkg/services/iam_policies_get.go b/pkg/services/iam_policies_get.go
new file mode 100644
index 0000000..0cc83ea
--- /dev/null
+++ b/pkg/services/iam_policies_get.go
@@ -0,0 +1,80 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/genproto/googleapis/iam/v1"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetIamPolicy(ctx context.Context, txn *dgo.Txn, req *iam.GetIamPolicyRequest) error {
+ if len(req.Resource) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err()
+ }
+
+ // The full resource name must be well formatted.
+ if !isFullResourceName(req.Resource) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ return nil
+}
+
+// Gets the IAM policy that is attached to a generic resource.
+func (s *AccessControlServerImpl) GetIamPolicy(ctx context.Context, req *iam.GetIamPolicyRequest) (*iam.Policy, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetIamPolicy(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO(performance): a new query should be used to query only the resource and its policy.
+ resp, err := graph.GetResource(ctx, txn, req.GetResource())
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get resource [%s]", req.GetResource())
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ if resp.Policy == nil {
+ return &iam.Policy{}, nil
+ }
+
+ policy := &iam.Policy{
+ Version: resp.Policy.Version,
+ }
+
+ policy.Etag, err = base64.StdEncoding.DecodeString(resp.Policy.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode policy etag [%s]", req.Resource)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ for _, i := range resp.Policy.Bindings {
+ if i.Role == nil {
+ logrus.Warningf("found binding with no role in resource [%s]", resp.Name)
+ continue
+ }
+
+ binding := &iam.Binding{
+ Role: i.Role.Name,
+ }
+
+ binding.Members, err = members(i.Members)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get binding members [%s:%s]", req.Resource, i.Role.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ policy.Bindings = append(policy.Bindings, binding)
+ }
+
+ return policy, nil
+}
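Review bot: `validateGetIamPolicy` accepts `ctx` and `txn` but uses neither, which suggests a database check happens there when the existence lookup is actually done later in `GetIamPolicy`. Either drop the two parameters or add a comment such as `// ctx and txn are unused; the signature mirrors the other validate* helpers.` The handler's doc comment should start with the identifier, `// GetIamPolicy gets the IAM policy that is attached to a generic resource.` The three log calls would be easier to correlate if they carried the `GetIamPolicy:` prefix that the sibling handlers use (for example `SetIamPolicy: failed to query resource`).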
diff --git a/pkg/services/iam_policies_integration_test.go b/pkg/services/iam_policies_integration_test.go
new file mode 100644
index 0000000..5f51d3e
--- /dev/null
+++ b/pkg/services/iam_policies_integration_test.go
@@ -0,0 +1,334 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/genproto/googleapis/iam/v1"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func TestIntegrationSetIamPolicy(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ User0 = &grbac.Subject{
+ Name: "users/" + uuid.New().String(),
+ }
+ User1 = &grbac.Subject{
+ Name: "users/" + uuid.New().String(),
+ }
+
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/" + uuid.New().String(),
+ }
+ ServiceAccount1 = &grbac.Subject{
+ Name: "serviceAccounts/" + uuid.New().String(),
+ }
+
+ Group0 = &grbac.Group{
+ Name: "groups/" + uuid.New().String(),
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ },
+ }
+ Group1 = &grbac.Group{
+ Name: "groups/" + uuid.New().String(),
+ }
+
+ Permission0 = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+
+ Role0 = &grbac.Role{
+ Name: "roles/" + uuid.New().String(),
+ Permissions: []string{
+ toPermissionId(Permission0.Name),
+ },
+ }
+ Role1 = &grbac.Role{
+ Name: "roles/" + uuid.New().String(),
+ }
+
+ Resource0 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/" + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+ Resource1 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/" + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+
+ Policy0 = &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ }
+ )
+
+ // Create new random resources.
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0})
+ require.NoError(t, err)
+
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0})
+ require.NoError(t, err)
+
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+
+ _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0})
+ require.NoError(t, err)
+
+ // Test: newly created resource should have an empty policy.
+ policy, err := server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, policy)
+ require.Empty(t, policy.Bindings)
+ require.Empty(t, policy.Etag)
+ require.Empty(t, policy.Version)
+
+ // Test: get policy should return 'not found' if the resource doesn't exist.
+ _, err = server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource1.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: setting a valid resource policy should not fail.
+ policy, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: Policy0,
+ })
+ require.NoError(t, err)
+ require.NotNil(t, policy)
+ require.Equal(t, Policy0.Bindings, policy.Bindings)
+ require.Equal(t, Policy0.Version, policy.Version)
+ require.NotEmpty(t, policy.Etag)
+
+ // Test: get resource should return the same resource created.
+ policy, err = server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, policy)
+ require.Equal(t, Policy0.Bindings, policy.Bindings)
+ require.Equal(t, Policy0.Version, policy.Version)
+ require.NotEmpty(t, policy.Etag)
+
+ // Test: setting an invalid (no policy) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (no resource name) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (non-existing resource) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource1.Name,
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: setting an invalid (unsupported version) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: &iam.Policy{
+ Version: 5,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (no role) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (non-existing role) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role1.Name,
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (non-existing user) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ Members: []string{
+ toUserMember(User1.Name),
+ toServiceAccountMember(ServiceAccount0.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (non-existing service account) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount1.Name),
+ toGroupMember(Group0.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (non-existing group) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ Members: []string{
+ toUserMember(User0.Name),
+ toServiceAccountMember(ServiceAccount1.Name),
+ toGroupMember(Group1.Name),
+ },
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: setting an invalid (no members) resource policy should fail.
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{
+ Resource: Resource0.Name,
+ Policy: &iam.Policy{
+ Version: 1,
+ Bindings: []*iam.Binding{
+ {
+ Role: Role0.Name,
+ },
+ },
+ },
+ })
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+}
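Review bot: The "non-existing group" case does not isolate the group check, because its member list contains `toServiceAccountMember(ServiceAccount1.Name)` and ServiceAccount1 is never created. validateSetIamPolicy checks members in order, so it returns InvalidArgument on the service account before it ever looks at Group1. Use the account that exists, `toServiceAccountMember(ServiceAccount0.Name),`, so the assertion exercises the missing-group branch. There is also no case for a member accepted by `isAllUsersMember` or for an unknown member type, both of which validateSetIamPolicy handles.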
diff --git a/pkg/services/iam_policies_set.go b/pkg/services/iam_policies_set.go
new file mode 100644
index 0000000..fd94977
--- /dev/null
+++ b/pkg/services/iam_policies_set.go
@@ -0,0 +1,154 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/genproto/googleapis/iam/v1"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/policies/policies.update.query.go.tmpl
+var queryUpdatePolicy string
+
+//go:embed data/policies/policies.update.set.go.tmpl
+var setUpdatePolicy string
+
+//go:embed data/policies/policies.update.delete.go.tmpl
+var deleteUpdatePolicy string
+
+var templateQueryUpdatePolicy = template.Must(
+ template.New("QueryUpdatePolicy").Funcs(defaultFuncMap).Parse(queryUpdatePolicy),
+)
+
+var templateSetUpdatePolicy = template.Must(
+ template.New("SetUpdatePolicy").Funcs(defaultFuncMap).Parse(setUpdatePolicy),
+)
+
+var templateDeleteUpdatePolicy = template.Must(
+ template.New("DeleteUpdatePolicy").Funcs(defaultFuncMap).Parse(deleteUpdatePolicy),
+)
+
+func (s *AccessControlServerImpl) validateSetIamPolicy(ctx context.Context, txn *dgo.Txn, req *iam.SetIamPolicyRequest) error {
+ // The resource name must be defined.
+ if len(req.Resource) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err()
+ }
+
+ // The full resource name must be well formatted.
+ if !isFullResourceName(req.Resource) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ // The resource policy is optional.
+ if req.Policy == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {policy not defined}").Err()
+ }
+
+ // The policy version must be defined and valid.
+ if req.Policy.Version != 1 {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid policy version}").Err()
+ }
+
+ for _, i := range req.Policy.Bindings {
+ // The binding role must be defined.
+ if len(i.Role) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err()
+ }
+
+ // The role must exist.
+ roleFound, err := graph.ExistsRole(ctx, txn, i.Role)
+ if err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to query role")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !roleFound {
+ return status.New(codes.InvalidArgument, "invalid argument {role does not exist}").Err()
+ }
+
+ // There must be at least one member in the binding.
+ if len(i.Members) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {binding has no members}").Err()
+ }
+
+ // The members must all exist and must have a known type.
+ for _, m := range i.Members {
+ memberFound := false
+ if isGroupMember(m) {
+ memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m))
+ } else if isUserMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m))
+ } else if isServiceAccountMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m))
+ } else if isAllUsersMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, allUsers)
+ } else {
+ return status.New(codes.InvalidArgument, "invalid argument {unknown member type}").Err()
+ }
+
+ if err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to query binding members")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !memberFound {
+ return status.New(codes.InvalidArgument, "invalid argument {member does not exist}").Err()
+ }
+ }
+ }
+
+ // The resource must exist.
+ resourceFound, err := graph.ExistsResource(ctx, txn, req.Resource)
+ if err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to query resource")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !resourceFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// Sets the IAM policy that is attached to a generic resource.
+func (s *AccessControlServerImpl) SetIamPolicy(ctx context.Context, req *iam.SetIamPolicyRequest) (*iam.Policy, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateSetIamPolicy(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ data := struct {
+ Resource string
+ Policy *iam.Policy
+ ETag string
+ }{
+ Resource: req.GetResource(),
+ Policy: req.GetPolicy(),
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.update(ctx, txn, templateQueryUpdatePolicy, templateSetUpdatePolicy, templateDeleteUpdatePolicy, data); err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ policy := &iam.Policy{
+ Version: req.Policy.Version,
+ Bindings: req.Policy.Bindings,
+ Etag: etag,
+ }
+
+ return policy, nil
+}
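Review bot: SetIamPolicy never compares `req.Policy.Etag` with the stored policy's etag, and the etag it writes is the constant `[]byte("TODO")`, so two callers doing read-modify-write on the same resource silently overwrite each other. For an access policy that can, for example, restore a binding another caller has just removed. The TODO covers generating the etag but not checking it, so state the gap at the assignment: `// NOTE: etag is a placeholder and req.Policy.Etag is not checked; concurrent SetIamPolicy calls are last-writer-wins.` The same placeholder is used in UpdateGroup and CreateResource. Separately, the comment `// The resource policy is optional.` contradicts the code under it, which rejects a nil policy; `// The resource policy must be defined.` matches the behaviour.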
diff --git a/pkg/services/permissions.go b/pkg/services/permissions.go
new file mode 100644
index 0000000..beb7f55
--- /dev/null
+++ b/pkg/services/permissions.go
@@ -0,0 +1,21 @@
+package services
+
+import "strings"
+
+func isPermission(name string) bool {
+ return strings.HasPrefix(name, "permissions/")
+}
+
+func toPermissionId(name string) string {
+ return strings.TrimPrefix(name, "permissions/")
+}
+
+func toPermissionName(name string) string {
+ return "permissions/" + name
+}
+
+// isValidPermissionId enforces the Google Cloud IAM permission format
+// [service].[resource].[verb].
+func isValidPermissionId(name string) bool {
+ return len(strings.Split(toPermissionId(name), ".")) == 3
+}
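Review bot: `isValidPermissionId` only counts dot-separated segments, so ids with empty segments such as `permissions/..` or `permissions/a..b` are accepted as `[service].[resource].[verb]`. Each segment should at least be non-empty; the rewrite below keeps the signature and adds that check. The segments' character set is not restricted either, which matters because CreatePermission later renders the name into a query through its templates. An allowed alphabet would be best decided in this function.

```go
func isValidPermissionId(name string) bool {
	parts := strings.Split(toPermissionId(name), ".")
	if len(parts) != 3 {
		return false
	}

	for _, part := range parts {
		if part == "" {
			return false
		}
	}

	return true
}
```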
diff --git a/pkg/services/permissions_create.go b/pkg/services/permissions_create.go
new file mode 100644
index 0000000..a3339ec
--- /dev/null
+++ b/pkg/services/permissions_create.go
@@ -0,0 +1,81 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/permissions/permissions.create.query.go.tmpl
+var queryCreatePermission string
+
+//go:embed data/permissions/permissions.create.mutation.go.tmpl
+var mutationCreatePermission string
+
+var templateQueryCreatePermission = template.Must(
+ template.New("QueryCreatePermission").Funcs(defaultFuncMap).Parse(queryCreatePermission),
+)
+
+var templateMutationCreatePermission = template.Must(
+ template.New("MutationCreatePermission").Funcs(defaultFuncMap).Parse(mutationCreatePermission),
+)
+
+func (s *AccessControlServerImpl) validateCreatePermission(ctx context.Context, txn *dgo.Txn, req *grbac.CreatePermissionRequest) error {
+ // A permission must be defined.
+ if req.Permission == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {permission not defined}").Err()
+ }
+
+ // The permission name must be defined.
+ if len(req.Permission.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {permission name not defined}").Err()
+ }
+
+ // The permission name must be well formatted.
+ if !isPermission(req.Permission.Name) || !isValidPermissionId(req.Permission.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid permission name format}").Err()
+ }
+
+ // The permission must be new to avoid race conditions.
+ permissionFound, err := graph.ExistsPermission(ctx, txn, req.Permission.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to validate 'CreatePermission' request")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if permissionFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreatePermission creates a new permission.
+func (s *AccessControlServerImpl) CreatePermission(ctx context.Context, req *grbac.CreatePermissionRequest) (*grbac.Permission, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreatePermission(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Permission *grbac.Permission
+ }{
+ Permission: req.GetPermission(),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreatePermission, templateMutationCreatePermission, data); err != nil {
+ logrus.WithError(err).Errorf("CreatePermission: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &grbac.Permission{Name: req.Permission.Name}, nil
+}
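Review bot: The request's permission name is rendered through `templateQueryCreatePermission` and `templateMutationCreatePermission`, which are `text/template` templates, and `text/template` does no escaping of its own. The only checks before that are the `permissions/` prefix and the three-segment count, neither of which restricts characters. Whether a quote or newline in the name can change the rendered Dgraph query depends on `defaultFuncMap` and the embedded `.tmpl` files, which are outside this hunk. Please confirm every interpolated value is escaped or passed as a query variable, and record it next to the templates, e.g. `// text/template does not escape; values are escaped by <helper> before interpolation.` The same question applies to the templates in iam_policies_set.go, permissions_delete.go and resources_create.go.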
diff --git a/pkg/services/permissions_delete.go b/pkg/services/permissions_delete.go
new file mode 100644
index 0000000..57cc2cc
--- /dev/null
+++ b/pkg/services/permissions_delete.go
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/permissions/permissions.delete.query.go.tmpl
+var queryDeletePermission string
+
+//go:embed data/permissions/permissions.delete.mutation.go.tmpl
+var mutationDeletePermission string
+
+var templateQueryDeletePermission = template.Must(
+ template.New("QueryDeletePermission").Funcs(defaultFuncMap).Parse(queryDeletePermission),
+)
+
+var templateMutationDeletePermission = template.Must(
+ template.New("MutationDeletePermission").Funcs(defaultFuncMap).Parse(mutationDeletePermission),
+)
+
+func (s *AccessControlServerImpl) validateDeletePermission(ctx context.Context, txn *dgo.Txn, req *grbac.DeletePermissionRequest) error {
+ // The permission name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {permission name not defined}").Err()
+ }
+
+ // The permission name must be well formatted.
+ if !isPermission(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid permission name format}").Err()
+ }
+
+ // The permission must exist.
+ permissionFound, err := graph.ExistsPermission(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeletePermission: failed to query permission")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !permissionFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeletePermission deletes a permission.
+func (s *AccessControlServerImpl) DeletePermission(ctx context.Context, req *grbac.DeletePermissionRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeletePermission(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeletePermission, templateMutationDeletePermission, data); err != nil {
+ logrus.WithError(err).Errorf("DeletePermission: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
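Review bot: `validateDeletePermission` checks that the permission exists but not whether any role still lists it, whereas validateDeleteResource calls `graph.HasChildren` before allowing a delete. If the delete mutation (its template is not in this hunk) removes only the permission node, roles would keep references to a node that no longer exists. Either reject the request with `codes.FailedPrecondition` while roles reference the permission, or document the cleanup at the call, e.g. `// Roles referencing the permission are detached by the delete mutation.` The format check here also skips `isValidPermissionId`, unlike the create path.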
diff --git a/pkg/services/permissions_integration_test.go b/pkg/services/permissions_integration_test.go
new file mode 100644
index 0000000..ecfaf36
--- /dev/null
+++ b/pkg/services/permissions_integration_test.go
@@ -0,0 +1,109 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func TestIntegrationPermissionCreate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Permission0 = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+ PermissionInvalid = &grbac.Permission{
+ Name: "permissions/" + uuid.New().String(),
+ }
+ )
+
+ // Test: creation should not fail.
+ user0, err := server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0})
+ require.NoError(t, err)
+ require.NotNil(t, user0)
+
+ assert.Equal(t, Permission0.Name, user0.Name)
+
+ // Test: creation with invalid format should fail.
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionInvalid})
+ assert.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: creation of duplicate permission should fail with already exists.
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+}
+
+func TestIntegrationPermissionDelete(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Permission0 = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+ PermissionNotFound = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+ )
+
+ // Create a new random permission.
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0})
+ require.NoError(t, err)
+
+ // Test: deletion of existing permission should not fail.
+ empty, err := server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: Permission0.Name})
+ require.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ // Test: deletion of deleted permission should fail.
+ _, err = server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: Permission0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of non-existing permission should fail.
+ _, err = server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: PermissionNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
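Review bot: The invalid-format case in TestIntegrationPermissionCreate only covers an id with no dots (`permissions/` plus a UUID). `isValidPermissionId` in permissions.go counts segments without checking that they are non-empty, so a name like `permissions/..` would be accepted and nothing here would notice. Add a case with an empty segment and one without the `permissions/` prefix, each expecting `codes.InvalidArgument`; the first is expected to fail until the validator is tightened. The result variable `user0` holds a permission, so `permission0` would read correctly.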
diff --git a/pkg/services/resources.go b/pkg/services/resources.go
new file mode 100644
index 0000000..d56c5ba
--- /dev/null
+++ b/pkg/services/resources.go
@@ -0,0 +1,16 @@
+package services
+
+import "net/url"
+
+func isFullResourceName(name string) bool {
+ if name == "@animeshon" {
+ return true
+ }
+
+ if len(name) == 0 || name[:2] != "//" {
+ return false
+ }
+
+ _, err := url.Parse("https:" + name)
+ return err == nil
+}
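Review bot: `name[:2]` panics with a slice-bounds error when `name` is a single byte, because the guard in front of it only excludes the empty string. Callers such as validateGetIamPolicy pass the request's resource name straight in after checking only that it is non-empty, so a one-character name would panic in the handler instead of returning InvalidArgument. Change the guard to `if len(name) < 2 || name[:2] != "//" {`. `url.Parse` also rejects very little, so a bare `//` with an empty host still passes; if a host and path are required, check `u.Host` and `u.Path` on the parsed value.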
diff --git a/pkg/services/resources_create.go b/pkg/services/resources_create.go
new file mode 100644
index 0000000..7e1081a
--- /dev/null
+++ b/pkg/services/resources_create.go
@@ -0,0 +1,114 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/resources/resources.create.query.go.tmpl
+var queryCreateResource string
+
+//go:embed data/resources/resources.create.mutation.go.tmpl
+var mutationCreateResource string
+
+var templateQueryCreateResource = template.Must(
+ template.New("QueryCreateResource").Funcs(defaultFuncMap).Parse(queryCreateResource),
+)
+
+var templateMutationCreateResource = template.Must(
+ template.New("MutationCreateResource").Funcs(defaultFuncMap).Parse(mutationCreateResource),
+)
+
+func (s *AccessControlServerImpl) validateCreateResource(ctx context.Context, txn *dgo.Txn, req *grbac.CreateResourceRequest) error {
+ // A resource must be defined.
+ if req.Resource == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err()
+ }
+
+ // The resource name must be defined.
+ if len(req.Resource.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err()
+ }
+
+ // The resource name must be well formatted.
+ if !isFullResourceName(req.Resource.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ // The parent name must be defined.
+ if len(req.Resource.Parent) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {parent name not defined}").Err()
+ }
+
+ // The parent name must be well formatted.
+ if !isFullResourceName(req.Resource.Parent) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid parent name format}").Err()
+ }
+
+ // The parent must exist.
+ parentFound, err := graph.ExistsResource(ctx, txn, req.Resource.Parent)
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateResource: failed to query resource parent")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !parentFound {
+ return status.New(codes.InvalidArgument, "invalid argument {parent does not exist}").Err()
+ }
+
+ // The resource must be new to avoid race conditions.
+ resourceFound, err := graph.ExistsResource(ctx, txn, req.Resource.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateResource: failed to query resource")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resourceFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateResource creates a new resource.
+func (s *AccessControlServerImpl) CreateResource(ctx context.Context, req *grbac.CreateResourceRequest) (*grbac.Resource, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateResource(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ data := struct {
+ Resource *grbac.Resource
+ ETag string
+ }{
+ Resource: req.GetResource(),
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateResource, templateMutationCreateResource, data); err != nil {
+ logrus.WithError(err).Errorf("CreateResource: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ resource := &grbac.Resource{
+ Name: req.Resource.Name,
+ Parent: req.Resource.Parent,
+ Etag: etag,
+ }
+
+ return resource, nil
+}
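Review bot: The comment `// The resource must be new to avoid race conditions.` in validateCreateResource overstates what the check provides, since `graph.ExistsResource` followed by `s.create` is check-then-act. Whether two concurrent CreateResource calls for the same name can both succeed depends on the upsert inside `s.create` and on Dgraph's conflict detection, neither of which is visible in this hunk. Reword it to `// Pre-check only: uniqueness under concurrent creates must be enforced by the upsert in s.create.` and confirm the mutation template is conditional on the name not existing. The same comment appears in validateCreatePermission. The parent check has the same shape: the parent could be deleted between `ExistsResource` and the create unless the transaction aborts on that conflict.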
diff --git a/pkg/services/resources_delete.go b/pkg/services/resources_delete.go
new file mode 100644
index 0000000..fdd59fa
--- /dev/null
+++ b/pkg/services/resources_delete.go
@@ -0,0 +1,88 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/resources/resources.delete.query.go.tmpl
+var queryDeleteResource string
+
+//go:embed data/resources/resources.delete.mutation.go.tmpl
+var mutationDeleteResource string
+
+var templateQueryDeleteResource = template.Must(
+ template.New("QueryDeleteResource").Funcs(defaultFuncMap).Parse(queryDeleteResource),
+)
+
+var templateMutationDeleteResource = template.Must(
+ template.New("MutationDeleteResource").Funcs(defaultFuncMap).Parse(mutationDeleteResource),
+)
+
+func (s *AccessControlServerImpl) validateDeleteResource(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteResourceRequest) error {
+ // The resource name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err()
+ }
+
+ // The resource name must be well formatted.
+ if !isFullResourceName(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ // The resource must exist.
+ resourceFound, err := graph.ExistsResource(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteResource: failed to query resource")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !resourceFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ // The resource must not have children before deletion.
+ childrenFound, err := graph.HasChildren(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteResource: failed to check if resource has children")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if childrenFound {
+ return status.New(codes.FailedPrecondition, "failed precondition {resource has children}").Err()
+ }
+
+ return nil
+}
+
+// DeleteResource deletes a resource.
+func (s *AccessControlServerImpl) DeleteResource(ctx context.Context, req *grbac.DeleteResourceRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteResource(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.Name,
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteResource, templateMutationDeleteResource, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteResource: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
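Review bot: Nothing in `DeleteResource` discards the transaction: the handler returns on a validation error and on a failed `s.delete` without calling `txn.Discard`. Whether `s.delete` (outside this hunk) cleans up on its own error paths cannot be seen here. dgo's documented pattern is `defer txn.Discard(ctx)` immediately after `txn := s.cli.NewTxn()`; it is a no-op once the transaction has committed, so it is safe to add regardless. The same shape appears in `CreateResource`, `GetResource`, `CreateRole`, `DeleteRole`, `GetRole` and `UpdateRole`.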
diff --git a/pkg/services/resources_get.go b/pkg/services/resources_get.go
new file mode 100644
index 0000000..bb0a007
--- /dev/null
+++ b/pkg/services/resources_get.go
@@ -0,0 +1,64 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetResource(ctx context.Context, txn *dgo.Txn, req *grbac.GetResourceRequest) error {
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err()
+ }
+
+ // The resource name must be well formatted.
+ if !isFullResourceName(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ return nil
+}
+
+// GetResource returns a resource.
+func (s *AccessControlServerImpl) GetResource(ctx context.Context, req *grbac.GetResourceRequest) (*grbac.Resource, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetResource(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO(performance): GetResource should return only the resource name and parent (no policy).
+ resp, err := graph.GetResource(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get resource [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ resource := &grbac.Resource{
+ Name: resp.Name,
+ }
+
+ resource.Etag, err = base64.StdEncoding.DecodeString(resp.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode resource etag [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp.Parent != nil {
+ resource.Parent = resp.Parent.Name
+ }
+
+ return resource, nil
+}
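Review bot: Both error logs in `GetResource` splice the caller-supplied `req.Name` into the message with `%s`, and they omit the RPC-name prefix the create/delete handlers use. The name has only passed `isFullResourceName` (defined outside this hunk), so how unusual characters render depends on the configured logrus formatter. Pass it as a structured field instead: `logrus.WithError(err).WithField("resource", req.Name).Error("GetResource: failed to get resource")`. `GetRole` logs `req.Name` the same way. The blank `_ "embed"` import is also unneeded in this file, which has no `//go:embed` directive.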
diff --git a/pkg/services/resources_integration_test.go b/pkg/services/resources_integration_test.go
new file mode 100644
index 0000000..3d94ba6
--- /dev/null
+++ b/pkg/services/resources_integration_test.go
@@ -0,0 +1,174 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func TestIntegrationResourceCreate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ ResourceNotFound = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-?." + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+ Resource0 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+ Resource1 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(),
+ Parent: Resource0.Name,
+ }
+ Resource2 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-2." + uuid.New().String(),
+ Parent: ResourceNotFound.Name,
+ }
+ Resource3 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-3." + uuid.New().String(),
+ }
+ )
+
+ // Test: creation should not fail.
+ resource0, err := server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0})
+ require.NoError(t, err)
+ require.NotNil(t, resource0)
+
+ assert.Equal(t, Resource0.Name, resource0.Name)
+ assert.Equal(t, Resource0.Parent, resource0.Parent)
+ assert.NotEmpty(t, resource0.Etag)
+
+ // Test: creation with existing parent should not fail.
+ resource1, err := server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1})
+ require.NoError(t, err)
+ require.NotNil(t, resource1)
+
+ assert.Equal(t, Resource1.Name, resource1.Name)
+ assert.Equal(t, Resource1.Parent, resource1.Parent)
+ assert.NotEmpty(t, resource1.Etag)
+
+ // Test: creation with non-existing parent should fail.
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource2})
+ require.Error(t, err)
+ require.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: creation without parent should fail.
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource3})
+ require.Error(t, err)
+ require.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: creation of duplicate resource should fail with already exists.
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+
+ // Test: get resource should return the same resource created.
+ resource, err := server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource1.Name})
+ require.NoError(t, err)
+ require.NotNil(t, resource)
+
+ assert.Equal(t, Resource1.Name, resource.Name)
+ assert.Equal(t, Resource1.Parent, resource.Parent)
+ assert.NotEmpty(t, resource.Etag)
+}
+
+func TestIntegrationResourceDelete(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Resource0 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+ Resource1 = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(),
+ Parent: Resource0.Name,
+ }
+ ResourceNotFound = &grbac.Resource{
+ Name: "//test.animeapis.com/resources/resource-?." + uuid.New().String(),
+ Parent: "@animeshon",
+ }
+ )
+
+ // Create new random resources.
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0})
+ require.NoError(t, err)
+
+ _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1})
+ require.NoError(t, err)
+
+ // Test: deletion of existing resource with children should fail.
+ _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.FailedPrecondition, status.Code(err))
+
+ // Test: deletion of existing resource with no children should not fail.
+ empty, err := server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource1.Name})
+ assert.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ empty, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name})
+ assert.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ // Test: get resource should return 'not found' after deletion.
+ _, err = server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ _, err = server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource1.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of already deleted resource should fail.
+ _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of non-existing resource should fail.
+ _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: ResourceNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
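Review bot: Neither test exercises the name-validation branches: every request uses a well-formed `//test.animeapis.com/...` name, so a regression in `isFullResourceName` or in the empty-name checks would go unnoticed. These names are passed straight into the graph lookups, so the rejection paths deserve coverage. Add at least `_, err = server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: ""})` followed by `assert.Equal(t, codes.InvalidArgument, status.Code(err))`. A second case with a name lacking the `//` prefix would help too, assuming `isFullResourceName` (defined elsewhere) rejects it. The same two cases apply to `DeleteResource`.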
diff --git a/pkg/services/resources_transfer.go b/pkg/services/resources_transfer.go
new file mode 100644
index 0000000..39fc507
--- /dev/null
+++ b/pkg/services/resources_transfer.go
@@ -0,0 +1,15 @@
+package services
+
+import (
+ "context"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// TransferResource transfers a resource to a new parent.
+func (s *AccessControlServerImpl) TransferResource(ctx context.Context, req *grbac.TransferResourceRequest) (*grbac.Resource, error) {
+ return nil, status.New(codes.Unimplemented, "unimplemented").Err()
+}
diff --git a/pkg/services/roles.go b/pkg/services/roles.go
new file mode 100644
index 0000000..a2fba0f
--- /dev/null
+++ b/pkg/services/roles.go
@@ -0,0 +1,7 @@
+package services
+
+import "strings"
+
+func isRole(name string) bool {
+ return strings.HasPrefix(name, "roles/")
+}
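Review bot: `isRole` accepts any string that starts with `roles/`, including the bare prefix and names containing quotes, whitespace or newlines, and it is the only format check before role names reach the `text/template` templates used by CreateRole, DeleteRole and UpdateRole. `text/template` does no escaping of its own, so unless the templates or `defaultFuncMap` (neither visible here) escape the value, it lands in the Dgraph request text as written. Restrict the identifier to an explicit character set, for example `var roleNameRE = regexp.MustCompile("^roles/[A-Za-z0-9._-]+$")` with `return roleNameRE.MatchString(name)`. The test fixtures use `roles/role-?.<uuid>`, so the set or the fixtures would need adjusting. `isUser` and `isServiceAccount` in subjects.go have the same prefix-only shape.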
diff --git a/pkg/services/roles_create.go b/pkg/services/roles_create.go
new file mode 100644
index 0000000..47f28c3
--- /dev/null
+++ b/pkg/services/roles_create.go
@@ -0,0 +1,110 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/roles/roles.create.query.go.tmpl
+var queryCreateRole string
+
+//go:embed data/roles/roles.create.mutation.go.tmpl
+var mutationCreateRole string
+
+var templateQueryCreateRole = template.Must(
+ template.New("QueryCreateRole").Funcs(defaultFuncMap).Parse(queryCreateRole),
+)
+
+var templateMutationCreateRole = template.Must(
+ template.New("MutationCreateRole").Funcs(defaultFuncMap).Parse(mutationCreateRole),
+)
+
+func (s *AccessControlServerImpl) validateCreateRole(ctx context.Context, txn *dgo.Txn, req *grbac.CreateRoleRequest) error {
+ // A role must be defined.
+ if req.Role == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err()
+ }
+
+ // The role name must be defined.
+ if len(req.Role.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role must include at least one permission.
+ if len(req.Role.Permissions) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role has no permissions}").Err()
+ }
+
+ // The permissions included in the role must exist.
+ for _, permission := range req.Role.Permissions {
+ permissionFound, err := graph.ExistsPermission(ctx, txn, toPermissionName(permission))
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateRole: failed to query role permissions")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !permissionFound {
+ return status.New(codes.FailedPrecondition, "failed precondition {permission does not exist}").Err()
+ }
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Role.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ roleFound, err := graph.ExistsRole(ctx, txn, req.Role.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to validate 'CreateRole' request")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if roleFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateRole creates a new role.
+func (s *AccessControlServerImpl) CreateRole(ctx context.Context, req *grbac.CreateRoleRequest) (*grbac.Role, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ data := struct {
+ Role *grbac.Role
+ ETag string
+ }{
+ Role: req.GetRole(),
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateRole, templateMutationCreateRole, data); err != nil {
+ logrus.WithError(err).Errorf("CreateRole: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ role := &grbac.Role{
+ Name: req.Role.Name,
+ Permissions: req.Role.Permissions,
+ Etag: etag,
+ }
+
+ return role, nil
+}
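Review bot: `validateCreateRole` issues one `graph.ExistsPermission` query per entry in `req.Role.Permissions` before it checks the role name format, and the list length is unbounded. A request with a malformed name and a long permission list therefore costs a database round trip per entry before it is rejected. Move the `if !isRole(req.Role.Name) { ... }` check above the permission loop, as `validateUpdateRole` already orders it, and consider rejecting oversized lists with `codes.InvalidArgument`. The log text `failed to validate 'CreateRole' request` would also be easier to search for as `CreateRole: failed to query role`, matching the other handlers.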
diff --git a/pkg/services/roles_delete.go b/pkg/services/roles_delete.go
new file mode 100644
index 0000000..12331b2
--- /dev/null
+++ b/pkg/services/roles_delete.go
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/roles/roles.delete.query.go.tmpl
+var queryDeleteRole string
+
+//go:embed data/roles/roles.delete.mutation.go.tmpl
+var mutationDeleteRole string
+
+var templateQueryDeleteRole = template.Must(
+ template.New("QueryDeleteRole").Funcs(defaultFuncMap).Parse(queryDeleteRole),
+)
+
+var templateMutationDeleteRole = template.Must(
+ template.New("MutationDeleteRole").Funcs(defaultFuncMap).Parse(mutationDeleteRole),
+)
+
+func (s *AccessControlServerImpl) validateDeleteRole(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteRoleRequest) error {
+ // The role name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ // The role must exist.
+ roleFound, err := graph.ExistsRole(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteRole: failed to query role")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !roleFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeleteRole deletes a role.
+func (s *AccessControlServerImpl) DeleteRole(ctx context.Context, req *grbac.DeleteRoleRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteRole, templateMutationDeleteRole, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteRole: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
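Review bot: `validateDeleteRole` checks only that the role exists, whereas `validateDeleteResource` refuses to delete a resource that still has children. Nothing visible says what happens to policies that still reference the role. If the delete mutation template (not shown) leaves such references in place, a role later re-created under the same name could pick up the old grants. State the behaviour in the doc comment, e.g. `// DeleteRole deletes a role. Policies that reference it are <removed | rejected with FailedPrecondition> (see data/roles/roles.delete.mutation.go.tmpl).`, and add an integration case for whichever applies.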
diff --git a/pkg/services/roles_get.go b/pkg/services/roles_get.go
new file mode 100644
index 0000000..a1b41ff
--- /dev/null
+++ b/pkg/services/roles_get.go
@@ -0,0 +1,61 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetRole(ctx context.Context, txn *dgo.Txn, req *grbac.GetRoleRequest) error {
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ return nil
+}
+
+// GetRole returns a role.
+func (s *AccessControlServerImpl) GetRole(ctx context.Context, req *grbac.GetRoleRequest) (*grbac.Role, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ resp, err := graph.GetRole(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get role [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ role := &grbac.Role{
+ Name: resp.Name,
+ }
+
+ role.Etag, err = base64.StdEncoding.DecodeString(resp.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode role etag [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ for _, permission := range resp.Permissions {
+ role.Permissions = append(role.Permissions, toPermissionId(permission.Name))
+ }
+
+ return role, nil
+}
diff --git a/pkg/services/roles_integration_test.go b/pkg/services/roles_integration_test.go
new file mode 100644
index 0000000..5a55b70
--- /dev/null
+++ b/pkg/services/roles_integration_test.go
@@ -0,0 +1,294 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+ "google.golang.org/protobuf/types/known/fieldmaskpb"
+)
+
+func TestIntegrationRoleCreate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Permission0 = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+ PermissionNotFound = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+
+ Role0 = &grbac.Role{
+ Name: "roles/role-0." + uuid.New().String(),
+ Permissions: []string{
+ toPermissionId(Permission0.Name),
+ },
+ }
+ Role1 = &grbac.Role{
+ Name: "roles/role-1." + uuid.New().String(),
+ Permissions: []string{
+ toPermissionId(Permission0.Name),
+ toPermissionId(PermissionNotFound.Name),
+ },
+ }
+ )
+
+ // Create a new permission.
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0})
+ require.NoError(t, err)
+
+ // Test: creation should not fail.
+ role, err := server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+
+ // Test: creation with non-existing permission should fail.
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role1})
+ require.Error(t, err)
+ assert.Equal(t, codes.FailedPrecondition, status.Code(err))
+
+ // Test: creation of duplicate role should fail with already exists.
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+
+ // Test: get role should return the same role created.
+ role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+}
+
+func TestIntegrationRoleDelete(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Permission0 = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+
+ Role0 = &grbac.Role{
+ Name: "roles/role-0." + uuid.New().String(),
+ Permissions: []string{
+ toPermissionId(Permission0.Name),
+ },
+ }
+ RoleNotFound = &grbac.Role{
+ Name: "roles/role-?." + uuid.New().String(),
+ }
+ )
+
+ // Create a new random role and permission.
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0})
+ require.NoError(t, err)
+
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0})
+ require.NoError(t, err)
+
+ // Test: deletion of existing role should not fail.
+ empty, err := server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: Role0.Name})
+ assert.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ // Test: get role should return 'not found' after deletion.
+ _, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of already deleted role should fail.
+ _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: Role0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of non-existing role should fail.
+ _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: RoleNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
+
+func TestIntegrationRoleUpdate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Permission0 = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+ Permission1 = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+ PermissionNotFound = &grbac.Permission{
+ Name: "permissions/grbac.test." + uuid.New().String(),
+ }
+
+ Role0 = &grbac.Role{
+ Name: "roles/role-0." + uuid.New().String(),
+ Permissions: []string{
+ toPermissionId(Permission0.Name),
+ },
+ }
+ RoleNotFound = &grbac.Role{
+ Name: "roles/role-?." + uuid.New().String(),
+ }
+ )
+
+ // Create new random roles.
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0})
+ require.NoError(t, err)
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission1})
+ require.NoError(t, err)
+
+ _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0})
+ require.NoError(t, err)
+
+ // Test: update (replace permissions) should not fail.
+ Role0.Permissions = []string{toPermissionId(Permission1.Name)}
+ role, err := server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+
+ role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+
+ // Test: update (add permissions) should not fail.
+ Role0.Permissions = append(Role0.Permissions, toPermissionId(Permission0.Name))
+ role, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+
+ role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+
+ // Test: update (remove all permissions) should not fail.
+ Role0.Permissions = nil
+ role, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+
+ role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name})
+ require.NoError(t, err)
+ require.NotNil(t, role)
+
+ assert.Equal(t, Role0.Name, role.Name)
+ assert.ElementsMatch(t, Role0.Permissions, role.Permissions)
+ assert.NotEmpty(t, role.Etag)
+
+ // Test: update (add non-existing permission) should fail.
+ Role0.Permissions = []string{toPermissionId(PermissionNotFound.Name)}
+ _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0})
+ require.Error(t, err)
+ assert.Equal(t, codes.FailedPrecondition, status.Code(err))
+
+ // Test: update with mutable field mask should not fail.
+ Role0.Permissions = []string{toPermissionId(Permission0.Name)}
+ _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{
+ Role: Role0,
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{"role", "role.permissions"},
+ }})
+ require.NoError(t, err)
+
+ // Test: update with immutable field mask should fail.
+ _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{
+ Role: Role0,
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{"role.name"},
+ }})
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: update with invalid field mask should fail.
+ _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{
+ Role: Role0,
+ UpdateMask: &fieldmaskpb.FieldMask{
+ Paths: []string{""},
+ }})
+ require.Error(t, err)
+ assert.Equal(t, codes.InvalidArgument, status.Code(err))
+
+ // Test: update of non-existing role should fail.
+ _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: RoleNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
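Review bot: The last case in `TestIntegrationRoleUpdate` is labelled "update of non-existing role should fail" but calls `server.DeleteRole`, so the `NotFound` branch of `validateUpdateRole` is never exercised. Replace the call with `_, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: RoleNotFound})`. The two assertions after it can stay as they are.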
diff --git a/pkg/services/roles_update.go b/pkg/services/roles_update.go
new file mode 100644
index 0000000..cb0a95f
--- /dev/null
+++ b/pkg/services/roles_update.go
@@ -0,0 +1,128 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/fieldmask"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/roles/roles.update.query.go.tmpl
+var queryUpdateRole string
+
+//go:embed data/roles/roles.update.set.go.tmpl
+var setUpdateRole string
+
+//go:embed data/roles/roles.update.delete.go.tmpl
+var deleteUpdateRole string
+
+var templateQueryUpdateRole = template.Must(
+ template.New("QueryUpdateRole").Funcs(defaultFuncMap).Parse(queryUpdateRole),
+)
+
+var templateSetUpdateRole = template.Must(
+ template.New("SetUpdateRole").Funcs(defaultFuncMap).Parse(setUpdateRole),
+)
+
+var templateDeleteUpdateRole = template.Must(
+ template.New("DeleteUpdateRole").Funcs(defaultFuncMap).Parse(deleteUpdateRole),
+)
+
+func (s *AccessControlServerImpl) validateUpdateRole(ctx context.Context, txn *dgo.Txn, req *grbac.UpdateRoleRequest) error {
+ // A role must be defined.
+ if req.Role == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err()
+ }
+
+ // The role name must be defined.
+ if len(req.Role.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Role.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ // The update field mask must contain valid paths.
+ for _, path := range req.GetUpdateMask().GetPaths() {
+ switch path {
+ case "role", "role.permissions":
+ default:
+ return status.New(codes.InvalidArgument, "invalid argument {invalid field mask}").Err()
+ }
+ }
+
+ // The permissions included in the role must exist.
+ for _, permission := range req.Role.Permissions {
+ permissionFound, err := graph.ExistsPermission(ctx, txn, toPermissionName(permission))
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateRole: failed to query role permissions")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !permissionFound {
+ return status.New(codes.FailedPrecondition, "failed precondition {permission does not exist}").Err()
+ }
+ }
+
+ // The role must exist.
+ roleFound, err := graph.ExistsRole(ctx, txn, req.Role.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("UpdateRole: failed to query role")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !roleFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// UpdateRole updates a role with a field mask.
+func (s *AccessControlServerImpl) UpdateRole(ctx context.Context, req *grbac.UpdateRoleRequest) (*grbac.Role, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateUpdateRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ fieldmask := fieldmask.NewFieldMask(req.GetUpdateMask())
+
+ data := struct {
+ Role *grbac.Role
+ FieldMask func(string) bool
+ ETag string
+ }{
+ Role: req.GetRole(),
+ FieldMask: fieldmask.Contains,
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.update(ctx, txn, templateQueryUpdateRole, templateSetUpdateRole, templateDeleteUpdateRole, data); err != nil {
+ logrus.WithError(err).Errorf("UpdateRole: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ // TODO: merge missing fields (not included in the update mask) with the role in dgraph.
+ role := &grbac.Role{
+ Name: req.Role.Name,
+ Permissions: req.Role.Permissions,
+ Etag: etag,
+ }
+
+ return role, nil
+}
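Review bot: The permission-lookup failure in `validateUpdateRole` is logged as `CreateRole: failed to query role permissions`, a leftover from the create path that points anyone triaging the logs at the wrong RPC. It should read `logrus.WithError(err).Errorf("UpdateRole: failed to query role permissions")`. In `UpdateRole`, the local `fieldmask := fieldmask.NewFieldMask(...)` shadows the imported `fieldmask` package for the rest of the function. Using `mask := fieldmask.NewFieldMask(req.GetUpdateMask())` with `FieldMask: mask.Contains` avoids that.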
diff --git a/pkg/services/subjects.go b/pkg/services/subjects.go
new file mode 100644
index 0000000..bad567c
--- /dev/null
+++ b/pkg/services/subjects.go
@@ -0,0 +1,21 @@
+package services
+
+import "strings"
+
+func isSubject(name string) bool {
+ return isUser(name) || isServiceAccount(name)
+}
+
+func isUser(name string) bool {
+ return strings.HasPrefix(name, "users/")
+}
+
+func isServiceAccount(name string) bool {
+ return strings.HasPrefix(name, "serviceAccounts/")
+}
+
+const allUsers = "system/allUsers"
+
+func isAllUsers(name string) bool {
+ return name == allUsers
+}
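Review bot: `isUser` and `isServiceAccount` accept anything that merely starts with the prefix, so `users/` with an empty identifier and names containing quotes, braces or newlines all pass `isSubject`. validateCreateSubject and validateDeleteSubject in this commit use it as their only format check before the name reaches the `text/template`-built dgraph calls, whose templates are not visible here, so the name should be treated as untrusted input. I would match the whole name against an allow-list, e.g. `var subjectNameRE = regexp.MustCompile("^(users|serviceAccounts)/[A-Za-z0-9._-]+$")` and `return subjectNameRE.MatchString(name)` in `isSubject`, with the character class adjusted to the naming rules the API documents. The `users/user-?.` fixture in the integration test would then need a different not-found name.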
diff --git a/pkg/services/subjects_create.go b/pkg/services/subjects_create.go
new file mode 100644
index 0000000..55561fb
--- /dev/null
+++ b/pkg/services/subjects_create.go
@@ -0,0 +1,81 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/subjects/subjects.create.query.go.tmpl
+var queryCreateSubject string
+
+//go:embed data/subjects/subjects.create.mutation.go.tmpl
+var mutationCreateSubject string
+
+var templateQueryCreateSubject = template.Must(
+ template.New("QueryCreateSubject").Funcs(defaultFuncMap).Parse(queryCreateSubject),
+)
+
+var templateMutationCreateSubject = template.Must(
+ template.New("MutationCreateSubject").Funcs(defaultFuncMap).Parse(mutationCreateSubject),
+)
+
+func (s *AccessControlServerImpl) validateCreateSubject(ctx context.Context, txn *dgo.Txn, req *grbac.CreateSubjectRequest) error {
+ // A subject must be defined.
+ if req.Subject == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {subject not defined}").Err()
+ }
+
+ // The subject name must be defined.
+ if len(req.Subject.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {subject name not defined}").Err()
+ }
+
+ // The subject name must be well formatted.
+ if !isSubject(req.Subject.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid subject name format}").Err()
+ }
+
+ // The subject must be new to avoid race conditions.
+ subjectFound, err := graph.ExistsSubject(ctx, txn, req.Subject.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to validate 'CreateSubject' request")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if subjectFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateSubject creates a new subject.
+func (s *AccessControlServerImpl) CreateSubject(ctx context.Context, req *grbac.CreateSubjectRequest) (*grbac.Subject, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateSubject(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Subject *grbac.Subject
+ }{
+ Subject: req.GetSubject(),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateSubject, templateMutationCreateSubject, data); err != nil {
+ logrus.WithError(err).Errorf("CreateSubject: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &grbac.Subject{Name: req.Subject.Name}, nil
+}
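Review bot: The transaction opened by `s.cli.NewTxn()` in CreateSubject is never discarded when `validateCreateSubject` returns an error, and DeleteSubject in subjects_delete.go follows the same pattern. Whether `s.create` commits or discards on its own paths is not visible in this hunk, but the early `return nil, err` certainly leaves the transaction open after it may already have run the existence query. dgo documents `Discard` as a no-op after a commit, so adding `defer txn.Discard(ctx)` directly after `txn := s.cli.NewTxn()` covers every exit.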
diff --git a/pkg/services/subjects_delete.go b/pkg/services/subjects_delete.go
new file mode 100644
index 0000000..aa38408
--- /dev/null
+++ b/pkg/services/subjects_delete.go
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/subjects/subjects.delete.query.go.tmpl
+var queryDeleteSubject string
+
+//go:embed data/subjects/subjects.delete.mutation.go.tmpl
+var mutationDeleteSubject string
+
+var templateQueryDeleteSubject = template.Must(
+ template.New("QueryDeleteSubject").Funcs(defaultFuncMap).Parse(queryDeleteSubject),
+)
+
+var templateMutationDeleteSubject = template.Must(
+ template.New("MutationDeleteSubject").Funcs(defaultFuncMap).Parse(mutationDeleteSubject),
+)
+
+func (s *AccessControlServerImpl) validateDeleteSubject(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteSubjectRequest) error {
+ // The subject name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {subject name not defined}").Err()
+ }
+
+ // The subject name must be well formatted.
+ if !isSubject(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid subject name format}").Err()
+ }
+
+ // The subject must exist.
+ subjectFound, err := graph.ExistsSubject(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteSubject: failed to query subject")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !subjectFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeleteSubject deletes a subject.
+func (s *AccessControlServerImpl) DeleteSubject(ctx context.Context, req *grbac.DeleteSubjectRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteSubject(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteSubject, templateMutationDeleteSubject, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteSubject: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
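Review bot: DeleteSubject logs only on failure, so a successful removal of a subject from the access-control graph leaves no record; CreateSubject in subjects_create.go has the same gap. For an authorization service, changes to subjects are among the first events an investigation will ask about. I would add `logrus.WithField("subject", req.GetName()).Info("DeleteSubject: subject deleted")` before the final return, and include the caller identity if an interceptor places one on `ctx` (not visible in this hunk).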
diff --git a/pkg/services/subjects_integration_test.go b/pkg/services/subjects_integration_test.go
new file mode 100644
index 0000000..caada3e
--- /dev/null
+++ b/pkg/services/subjects_integration_test.go
@@ -0,0 +1,115 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func TestIntegrationSubjectCreate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ User0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(),
+ }
+ )
+
+ // Test: creation (user) should not fail.
+ user0, err := server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+ require.NotNil(t, user0)
+
+ assert.Equal(t, User0.Name, user0.Name)
+
+ // Test: creation (serviceAccount) should not fail.
+ serviceAccount, err := server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+ require.NotNil(t, serviceAccount)
+
+ assert.Equal(t, ServiceAccount0.Name, serviceAccount.Name)
+
+ // Test: creation of duplicate subject should fail with already exists.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+}
+
+func TestIntegrationSubjectDelete(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Subject0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ SubjectNotFound = &grbac.Subject{
+ Name: "users/user-?." + uuid.New().String(),
+ }
+ )
+
+ // Create a new random subject.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: Subject0})
+ require.NoError(t, err)
+
+ // Test: deletion of existing subject should not fail.
+ empty, err := server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: Subject0.Name})
+ require.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ // Test: deletion of deleted subject should fail.
+ _, err = server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: Subject0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of non-existing subject should fail.
+ _, err = server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: SubjectNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
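Review bot: Neither test exercises the `InvalidArgument` paths of validateCreateSubject and validateDeleteSubject, so a regression in the name checks would go unnoticed. A nil `Subject`, an empty name and a name without a subject prefix are all rejected by the code in this commit and are cheap to pin. For example, in TestIntegrationSubjectCreate: `_, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: &grbac.Subject{Name: "groups/group-0"}})` followed by `assert.Equal(t, codes.InvalidArgument, status.Code(err))`.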
diff --git a/pkg/services/template.go b/pkg/services/template.go
new file mode 100644
index 0000000..b4d4407
--- /dev/null
+++ b/pkg/services/template.go
@@ -0,0 +1,45 @@
+package services
+
+import (
+ "bufio"
+ "bytes"
+ "regexp"
+ "text/template"
+)
+
+var (
+ regexAlphaNumeric = regexp.MustCompile("[^A-Za-z0-9]+")
+
+ defaultFuncMap = template.FuncMap{
+ "AlphaNumVar": replaceAlphaNumeric,
+
+ "IsUser": isUserMember,
+ "IsServiceAccount": isServiceAccountMember,
+ "IsGroup": isGroupMember,
+ "IsAllUsers": isAllUsersMember,
+
+ "ToUserName": toUserName,
+ "ToServiceAccountName": toServiceAccountName,
+ "ToGroupName": toGroupName,
+ "ToPermissionName": toPermissionName,
+ }
+)
+
+func replaceAlphaNumeric(name string) string {
+ return regexAlphaNumeric.ReplaceAllString(name, "_")
+}
+
+func ExecuteTemplate(t *template.Template, data interface{}) ([]byte, error) {
+ var buffer bytes.Buffer
+ writer := bufio.NewWriter(&buffer)
+
+ if err := t.Execute(writer, data); err != nil {
+ return nil, err
+ }
+
+ if err := writer.Flush(); err != nil {
+ return nil, err
+ }
+
+ return buffer.Bytes(), nil
+}
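Review bot: `defaultFuncMap` offers no helper for escaping values, and `text/template` performs no escaping of its own, so any request field a template places inside a query or mutation string literal is inserted verbatim. `AlphaNumVar` only sanitises identifiers, and the templates themselves are outside this hunk, so whether a field is interpolated into a literal needs confirming there. Where it is, passing the value as a query variable, e.g. `txn.QueryWithVars(ctx, query, map[string]string{"$name": name})`, keeps it out of the query text. `AlphaNumVar` also maps distinct inputs such as `a.b` and `a-b` to the same `a_b`, which matters if the result names per-item query variables.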
diff --git a/schema/animeapis b/schema/animeapis
new file mode 160000
index 0000000..e1dfc76
--- /dev/null
+++ b/schema/animeapis
@@ -0,0 +1 @@
+Subproject commit e1dfc764c23e00eb837c43e9f53286a2751af2e9
diff --git a/schema/api-common-protos b/schema/api-common-protos
new file mode 160000
index 0000000..37d5125
--- /dev/null
+++ b/schema/api-common-protos
@@ -0,0 +1 @@
+Subproject commit 37d5125da5c90f2124d15908a54a32ed3f470bc2
diff --git a/scripts/docker-compose.sh b/scripts/docker-compose.sh
new file mode 100755
index 0000000..947ca77
--- /dev/null
+++ b/scripts/docker-compose.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+sleep 10
+
+grbac init --dgraph-endpoint=dgraph:9080
+grbac run --dgraph-endpoint=dgraph:9080
+
+exit 0
\ No newline at end of file
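Review bot: `set -o pipefail` under the `#!/usr/bin/env sh` shebang is not portable: a `sh` that lacks the option rejects it and the script stops before `grbac init` runs. The script contains no pipelines, so the line can simply be dropped, or the shebang changed to `#!/usr/bin/env bash` if the image ships bash. Separately, `exec grbac run --dgraph-endpoint=dgraph:9080` would let the server receive the container's stop signal directly instead of through the shell.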
diff --git a/scripts/gapic.sh b/scripts/gapic.sh
new file mode 100755
index 0000000..98d5395
--- /dev/null
+++ b/scripts/gapic.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+API_NAME="grbac"
+API_VERSION="v1alpha1"
+
+# TODO: Everything should be moved to Bazel for protobuf compilation.
+
+# Generate CLI via GAPIC.
+protoc \
+ --experimental_allow_proto3_optional \
+ --proto_path="schema/api-common-protos" \
+ --proto_path="schema/animeapis" \
+ --go_cli_out="cmd" \
+ --go_cli_opt="root=grbac" \
+ --go_cli_opt="gapic=github.com/animeapis/api-go-client/${API_NAME}/${API_VERSION}" \
+ --go_cli_opt="fmt=true" \
+ "schema/animeapis/animeshon/${API_NAME}/${API_VERSION}/${API_NAME}.proto"
+
+exit 0
\ No newline at end of file
diff --git a/scripts/run-integration.sh b/scripts/run-integration.sh
new file mode 100755
index 0000000..ae0093c
--- /dev/null
+++ b/scripts/run-integration.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9080
+
+# Launch the dgraph docker container and open its ports.
+echo "integration: starting the dgraph docker container..."
+container_id=$(docker run --detach --rm -p 9080:9080 dgraph/standalone:v21.03.0)
+
+# Wait for the container to be up and running.
+echo "integration: waiting (10s) for the container to be ready..."
+sleep 10s
+
+# Run the integration tests and store the return code of the 'go test' command.
+go test -cover -tags=integration ./... && return_code=$? || return_code=$?
+
+# Stop the dgraph docker container.
+echo "integration: stopping the container..."
+docker stop $container_id
+
+exit $return_code
\ No newline at end of file
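Review bot: `-p 9080:9080` publishes the dgraph port on every host interface, so for the duration of the run the database is reachable from the network, with no authentication configured by this script. Binding to loopback matches the `127.0.0.1:9080` endpoint the tests use: `container_id=$(docker run --detach --rm -p 127.0.0.1:9080:9080 dgraph/standalone:v21.03.0)`. The container is also left running if the script is interrupted before the final `docker stop`; `trap 'docker stop "$container_id"' EXIT` placed right after the `docker run` line handles that and quotes the variable.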
diff --git a/scripts/update.sh b/scripts/update.sh
new file mode 100755
index 0000000..cb7f179
--- /dev/null
+++ b/scripts/update.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+WORKDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+echo "updating go modules..."
+
+GOPROXY=direct go get -u github.com/animeapis/api-go-client@master
+GOPROXY=direct go get -u github.com/animeapis/go-genproto@master
+
+echo "updating git submodules..."
+
+git submodule foreach git pull origin master
+
+echo "regenerating gapics..."
+
+source "${WORKDIR}/gapic.sh"
+
+exit 0
\ No newline at end of file
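Review bot: The two `go get -u ...@master` lines and `git submodule foreach git pull origin master` move every dependency to whatever the upstream `master` branches contain at run time, and `gapic.sh` then regenerates code from them in the same pass. Nothing in the script pauses for review of what was pulled. I would resolve to a reviewed tag or commit instead, e.g. `go get github.com/animeapis/go-genproto@<reviewed-commit>`, or at least stop after the update step so the `go.mod`, `go.sum` and submodule pointer changes can be inspected before generation. `gapic.sh` also uses paths relative to the current directory, so `update.sh` works only from the repository root even though it computes `WORKDIR`.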