diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..89ffc85
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+.cache
+.dockerignore
+.git
+.github
+.gitignore
+*.md
+/Dockerfile
+/LICENSE
\ No newline at end of file
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..2f061d7
--- /dev/null
+++ b/.github/workflows/release-please.yml
@@ -0,0 +1,14 @@
+name: Animeshon gRBAC [release-please]
+
+on:
+ push:
+ branches: [master]
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GoogleCloudPlatform/release-please-action@v2
+ with:
+ token: ${{ secrets.WORKFLOW_GITHUB_TOKEN }}
+ release-type: simple
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..98e3de0
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,45 @@
+name: Animeshon gRBAC
+
+on:
+ push:
+ branches: [master]
+ release:
+ types: [published]
+
+jobs:
+ docker:
+ environment: release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone the repository code
+ uses: actions/checkout@v2
+
+ - name: Set up Docker versioning labels and tags
+ id: docker-metadata
+ uses: docker/metadata-action@v3
+ with:
+ images: grbac/grbac
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v2
+ with:
+ push: true
+ tags: ${{ steps.docker-metadata.outputs.tags }}
+ labels: ${{ steps.docker-metadata.outputs.labels }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..419ae98
--- /dev/null
+++ b/.gitignore
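Review bot: In `.github/workflows/release-please.yml`, the step `uses: GoogleCloudPlatform/release-please-action@v2` passes `secrets.WORKFLOW_GITHUB_TOKEN` to an action referenced by a movable tag, so a retagged or compromised upstream release would run with that token on every push to master. Pin the action to a full commit SHA and keep the tag as a comment, `uses: GoogleCloudPlatform/release-please-action@<full-commit-sha>  # v2` (placeholder; resolve it from the upstream repository). The workflow also declares no `permissions:` block; because the step authenticates with its own token, the implicit `GITHUB_TOKEN` can probably be reduced with a top-level `permissions: {}`. The scope of `WORKFLOW_GITHUB_TOKEN` is not visible here; if it is a personal access token, it should carry only what the release-PR flow needs.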
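Review bot: In `.github/workflows/release.yml`, the `docker` job holds `secrets.DOCKER_USERNAME` and `secrets.DOCKER_TOKEN` and publishes `grbac/grbac`, yet all six `uses:` lines (`actions/checkout@v2` through `docker/build-push-action@v2`) reference movable major tags. Any of those actions changing upstream would execute inside the release job, so pin each one to a full commit SHA with the tag kept as a trailing comment. The workflow sets no `permissions:` block; nothing visible in the job writes to the repository, so a top-level `permissions:` with `contents: read` looks sufficient. Adding `persist-credentials: false` under the checkout step's `with:` would also keep the job token out of the workspace that later steps can read. Since `push: [master]` publishes a `type=sha` image on every merge, it is worth confirming that the `release` environment has required reviewers or branch restrictions configured.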
@@ -0,0 +1,2 @@
+.vscode
+bin/*
\ No newline at end of file
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..0ca213d
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "schema/api-common-protos"]
+ path = schema/api-common-protos
+ url = https://github.com/googleapis/api-common-protos.git
+[submodule "schema/animeapis"]
+ path = schema/animeapis
+ url = https://github.com/animeapis/animeapis.git
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..65263fa
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,24 @@
+FROM golang:1.16-alpine AS builder
+
+WORKDIR /build
+
+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY . .
+
+RUN go build -o grbac ./cmd
+
+FROM alpine
+
+WORKDIR /usr/local/grbac
+
+COPY --from=builder /build/grbac bin/grbac
+COPY scripts/docker-compose.sh docker-compose.sh
+
+ENV PATH=/usr/local/grbac/bin:$PATH
+
+ENTRYPOINT [ "grbac" ]
+CMD [ "version" ]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f49a4e1
--- /dev/null
+++ b/LICENSE
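Review bot: In the `Dockerfile` hunk, the runtime stage starts from `FROM alpine` with no tag or digest, so every build pulls whatever `latest` is at that moment and the published image is neither reproducible nor auditable against a known base. Pin it, for example `FROM alpine:<pinned-version>` (placeholder), ideally with an `@sha256:` digest, and consider doing the same for `golang:1.16-alpine`. The final stage also never drops privileges, so `grbac` runs as root in the container; adding `RUN adduser -D grbac` followed by `USER grbac` before `ENTRYPOINT` would fix that, assuming the binary needs no privileged paths, which is not visible here.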
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..aba20fa --- /dev/null +++ b/README.md 
@@ -0,0 +1,121 @@ +# gRBAC - Graph Role-Based Access Control + +[![Go Reference](https://pkg.go.dev/badge/github.com/grbac/grbac.svg)](https://pkg.go.dev/github.com/grbac/grbac) + + + gRBAC logo + + +--- + +A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered by [dgraph](https://dgraph.io/). + +**NOTE: This project is developed and maintained by [Animeshon](https://animeshon.com) where it is running in production.** + + +## Build with Golang + +``` +go build -o bin/grbac ./cmd +``` + +## Build with Docker + +``` +docker build -t grbac/grbac:latest . +``` + +## Run examples (gRPC only) + +Run gRPC docker-compose: + +``` +docker-compose -f examples/grpc/docker-compose.yaml up +``` + +Run integration tests: + +``` +export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9060 +go test -tag=integration ./... +``` + +Visit `https://play.dgraph.io/?latest` and connect to the endpoint `http://127.0.0.1:8060`. + +Run the following generic DQL query: +``` +{ + query(func:type(Resource)){ + expand(_all_) { + expand(_all_) { + expand(_all_) { + expand(_all_) { + expand(_all_) { + expand(_all_) + } + } + } + } + } + } +} +``` + +The following image is an example of the expected output: + +![gRBAC Example Graph](./assets/docs/examples/examples-rbac-graph.png) + +## Play with gRBAC + +After succesfully running the gRPC `docker-compose` as described in the **previous paragraph**, build gRBAC locally and execute a random CLI command: + +``` +go build -o bin/grbac ./cmd +``` + +``` +./bin/grbac accesscontrol create-permission \ + --address "127.0.0.1:9070" --insecure \ + --permission.name="permissions/grbac.test.permission" +``` + +_Keep experimenting with other commands or through a gRPC client!_ + +## Resources + +- [Animeshon APIs](https://github.com/animeapis/animeapis/tree/master/animeshon/grbac) +- [Animeshon APIs Client Library for Go](https://github.com/animeapis/api-go-client/tree/master/grbac) +- [Animeshon Protocol 
Buffers for Go](https://github.com/animeapis/go-genproto/tree/master/grbac) +- [Animeshon Compiled Protocol Buffers](https://github.com/animeapis/proto-binary/tree/master/grbac) + +## Known Issues + +- etags are not implemented +- atomic group changes (AddGroupMember and RemoveGroupMemeber) are not implemented +- resource parent transfer (TransferResource) is not implemented +- [limits and quotas](https://cloud.google.com/iam/quotas) are not implemented +- there is no maximum distance set for `shortest` queries +- groups can currently include other groups - this behavior should be discussed +- partial updates will return partial resources - complete resources should be returned instead + +## Roadmap + +- [ ] resolve known issues +- [ ] remove Animeshon internal business logic +- [ ] move protobuf definitions to this organization +- [ ] generate missing grpc clients (e.g. Java, Python, C#, ...) +- [ ] publish docker image to Docker Hub +- [ ] build the project through Bazel instead of the Go toolchain +- [ ] add unit tests on top of integration tests +- [ ] add monitoring and tracing + +## Off-topic: gRBAC meaning + +The name gRBAC comes from `g` + `RBAC` where `g` stands for: + +- `graph` as it is implemented on top of a graph database and leverages graph's properties +- `gRPC` as its implementation is completely gRPC native +- `google` as this implementation aims at mirroring the Google Cloud IAM architecture + +and RBAC stands for [Role-Based Access Control](https://en.wikipedia.org/wiki/Role-based_access_control). diff --git a/assets/docs/examples/examples-rbac-graph.png b/assets/docs/examples/examples-rbac-graph.png new file mode 100644 index 0000000..66bdff3 Binary files /dev/null and b/assets/docs/examples/examples-rbac-graph.png differ diff --git a/assets/logo-128x-128-transparent.png b/assets/logo-128x-128-transparent.png new file mode 100644 index 0000000..6f8ae8e Binary files /dev/null and b/assets/logo-128x-128-transparent.png differ 
diff --git a/assets/logo.svg b/assets/logo.svg new file mode 100644 index 0000000..ccaa3b3 --- /dev/null +++ b/assets/logo.svg @@ -0,0 +1 @@ +gRBAC \ No newline at end of file diff --git a/cmd/accesscontrol_service.go b/cmd/accesscontrol_service.go new file mode 100644 index 0000000..49c4433 --- /dev/null +++ b/cmd/accesscontrol_service.go 
@@ -0,0 +1,107 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "fmt" + + "github.com/spf13/cobra" + "github.com/spf13/viper" + "golang.org/x/oauth2" + "google.golang.org/api/option" + "google.golang.org/grpc" + + gapic "github.com/animeapis/api-go-client/grbac/v1alpha1" +) + +var AccessControlConfig *viper.Viper +var AccessControlClient *gapic.AccessControlClient +var AccessControlSubCommands []string = []string{ + "test-iam-policy", + "get-iam-policy", + "set-iam-policy", + "get-resource", + "create-resource", + "transfer-resource", + "delete-resource", + "create-subject", + "delete-subject", + "get-group", + "create-group", + "update-group", + "add-group-member", + "remove-group-member", + "delete-group", + "create-permission", + "delete-permission", + "get-role", + "create-role", + "update-role", + "delete-role", +} + +func init() { + rootCmd.AddCommand(AccessControlServiceCmd) + + AccessControlConfig = viper.New() + AccessControlConfig.SetEnvPrefix("GRBAC_ACCESSCONTROL") + AccessControlConfig.AutomaticEnv() + + AccessControlServiceCmd.PersistentFlags().Bool("insecure", false, "Make insecure client connection. Or use GRBAC_ACCESSCONTROL_INSECURE. Must be used with \"address\" option") + AccessControlConfig.BindPFlag("insecure", AccessControlServiceCmd.PersistentFlags().Lookup("insecure")) + AccessControlConfig.BindEnv("insecure") + + AccessControlServiceCmd.PersistentFlags().String("address", "", "Set API address used by client. Or use GRBAC_ACCESSCONTROL_ADDRESS.") + AccessControlConfig.BindPFlag("address", AccessControlServiceCmd.PersistentFlags().Lookup("address")) + AccessControlConfig.BindEnv("address") + + AccessControlServiceCmd.PersistentFlags().String("token", "", "Set Bearer token used by the client. 
Or use GRBAC_ACCESSCONTROL_TOKEN.") + AccessControlConfig.BindPFlag("token", AccessControlServiceCmd.PersistentFlags().Lookup("token")) + AccessControlConfig.BindEnv("token") + + AccessControlServiceCmd.PersistentFlags().String("api_key", "", "Set API Key used by the client. Or use GRBAC_ACCESSCONTROL_API_KEY.") + AccessControlConfig.BindPFlag("api_key", AccessControlServiceCmd.PersistentFlags().Lookup("api_key")) + AccessControlConfig.BindEnv("api_key") +} + +var AccessControlServiceCmd = &cobra.Command{ + Use: "accesscontrol", + Short: "AccessControl is the internal service used by...", + Long: "AccessControl is the internal service used by Animeshon to enforce RBAC rules.", + ValidArgs: AccessControlSubCommands, + PersistentPreRunE: func(cmd *cobra.Command, args []string) (err error) { + var opts []option.ClientOption + + address := AccessControlConfig.GetString("address") + if address != "" { + opts = append(opts, option.WithEndpoint(address)) + } + + if AccessControlConfig.GetBool("insecure") { + if address == "" { + return fmt.Errorf("Missing address to use with insecure connection") + } + + conn, err := grpc.Dial(address, grpc.WithInsecure()) + if err != nil { + return err + } + opts = append(opts, option.WithGRPCConn(conn)) + } + + if token := AccessControlConfig.GetString("token"); token != "" { + opts = append(opts, option.WithTokenSource(oauth2.StaticTokenSource( + &oauth2.Token{ + AccessToken: token, + TokenType: "Bearer", + }))) + } + + if key := AccessControlConfig.GetString("api_key"); key != "" { + opts = append(opts, option.WithAPIKey(key)) + } + + AccessControlClient, err = gapic.NewAccessControlClient(ctx, opts...) + return + }, +} diff --git a/cmd/add-group-member.go b/cmd/add-group-member.go new file mode 100644 index 0000000..4535152 --- /dev/null +++ b/cmd/add-group-member.go 
@@ -0,0 +1,76 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var AddGroupMemberInput grbacpb.AddGroupMemberRequest + +var AddGroupMemberFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(AddGroupMemberCmd) + + AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberInput.Group, "group", "", "Required. The name of the group to add a member to.") + + AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberInput.Member, "member", "", "Required. The member to be added.") + + AddGroupMemberCmd.Flags().StringVar(&AddGroupMemberFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var AddGroupMemberCmd = &cobra.Command{ + Use: "add-group-member", + Short: "AddGroupMember adds a member to a group.", + Long: "AddGroupMember adds a member to a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if AddGroupMemberFromFile == "" { + + cmd.MarkFlagRequired("group") + + cmd.MarkFlagRequired("member") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if AddGroupMemberFromFile != "" { + in, err = os.Open(AddGroupMemberFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &AddGroupMemberInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "AddGroupMember", &AddGroupMemberInput) + } + resp, err := AccessControlClient.AddGroupMember(ctx, &AddGroupMemberInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/completion.go b/cmd/completion.go new file mode 100644 index 0000000..123a5e5 --- /dev/null +++ b/cmd/completion.go 
@@ -0,0 +1,28 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "os" + + "github.com/spf13/cobra" +) + +func init() { + rootCmd.AddCommand(completionCmd) +} + +// completionCmd represents the completion command +var completionCmd = &cobra.Command{ + Use: "completion", + Short: "Emits bash a completion for grbac", + Long: `Enable bash completion like so: + Linux: + source <(grbac completion) + Mac: + brew install bash-completion + grbac completion > $(brew --prefix)/etc/bash_completion.d/grbac`, + Run: func(cmd *cobra.Command, args []string) { + rootCmd.GenBashCompletion(os.Stdout) + }, +} diff --git a/cmd/create-group.go b/cmd/create-group.go new file mode 100644 index 0000000..fc7a003 --- /dev/null +++ b/cmd/create-group.go 
@@ -0,0 +1,78 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateGroupInput grbacpb.CreateGroupRequest + +var CreateGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateGroupCmd) + + CreateGroupInput.Group = new(grbacpb.Group) + + CreateGroupCmd.Flags().StringVar(&CreateGroupInput.Group.Name, "group.name", "", "Required. The resource name of the group.") + + CreateGroupCmd.Flags().StringSliceVar(&CreateGroupInput.Group.Members, "group.members", []string{}, "The list of members of the group. Groups might...") + + CreateGroupCmd.Flags().BytesHexVar(&CreateGroupInput.Group.Etag, "group.etag", []byte{}, "An etag for concurrency control, ignored during...") + + CreateGroupCmd.Flags().StringVar(&CreateGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateGroupCmd = &cobra.Command{ + Use: "create-group", + Short: "CreateGroup creates a new group.", + Long: "CreateGroup creates a new group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateGroupFromFile == "" { + + cmd.MarkFlagRequired("group.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateGroupFromFile != "" { + in, err = os.Open(CreateGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateGroup", &CreateGroupInput) + } + resp, err := AccessControlClient.CreateGroup(ctx, &CreateGroupInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/create-permission.go b/cmd/create-permission.go new file mode 100644 index 0000000..4c9c639 --- /dev/null 
+++ b/cmd/create-permission.go @@ -0,0 +1,74 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreatePermissionInput grbacpb.CreatePermissionRequest + +var CreatePermissionFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreatePermissionCmd) + + CreatePermissionInput.Permission = new(grbacpb.Permission) + + CreatePermissionCmd.Flags().StringVar(&CreatePermissionInput.Permission.Name, "permission.name", "", "Required. The resource name of the permission.") + + CreatePermissionCmd.Flags().StringVar(&CreatePermissionFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreatePermissionCmd = &cobra.Command{ + Use: "create-permission", + Short: "CreatePermission creates a new permission.", + Long: "CreatePermission creates a new permission.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreatePermissionFromFile == "" { + + cmd.MarkFlagRequired("permission.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreatePermissionFromFile != "" { + in, err = os.Open(CreatePermissionFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreatePermissionInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreatePermission", &CreatePermissionInput) + } + resp, err := AccessControlClient.CreatePermission(ctx, &CreatePermissionInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/create-resource.go b/cmd/create-resource.go new file mode 100644 index 0000000..00ce1a8 --- /dev/null +++ b/cmd/create-resource.go 
@@ -0,0 +1,80 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateResourceInput grbacpb.CreateResourceRequest + +var CreateResourceFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateResourceCmd) + + CreateResourceInput.Resource = new(grbacpb.Resource) + + CreateResourceCmd.Flags().StringVar(&CreateResourceInput.Resource.Name, "resource.name", "", "Required. The full resource name that identifies the...") + + CreateResourceCmd.Flags().StringVar(&CreateResourceInput.Resource.Parent, "resource.parent", "", "Required. The full resource name that identifies the parent...") + + CreateResourceCmd.Flags().BytesHexVar(&CreateResourceInput.Resource.Etag, "resource.etag", []byte{}, "An etag for concurrency control, ignored during...") + + CreateResourceCmd.Flags().StringVar(&CreateResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateResourceCmd = &cobra.Command{ + Use: "create-resource", + Short: "CreateResource creates a new resource.", + Long: "CreateResource creates a new resource.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateResourceFromFile == "" { + + cmd.MarkFlagRequired("resource.name") + + cmd.MarkFlagRequired("resource.parent") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateResourceFromFile != "" { + in, err = os.Open(CreateResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateResourceInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateResource", &CreateResourceInput) + } + resp, err := AccessControlClient.CreateResource(ctx, &CreateResourceInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return 
err + }, +} diff --git a/cmd/create-role.go b/cmd/create-role.go new file mode 100644 index 0000000..f628ac3 --- /dev/null +++ b/cmd/create-role.go 
@@ -0,0 +1,80 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateRoleInput grbacpb.CreateRoleRequest + +var CreateRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateRoleCmd) + + CreateRoleInput.Role = new(grbacpb.Role) + + CreateRoleCmd.Flags().StringVar(&CreateRoleInput.Role.Name, "role.name", "", "Required. The resource name of the role.") + + CreateRoleCmd.Flags().StringSliceVar(&CreateRoleInput.Role.Permissions, "role.permissions", []string{}, "Required. The list of permissions granted by the role.") + + CreateRoleCmd.Flags().BytesHexVar(&CreateRoleInput.Role.Etag, "role.etag", []byte{}, "An etag for concurrency control, ignored during...") + + CreateRoleCmd.Flags().StringVar(&CreateRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateRoleCmd = &cobra.Command{ + Use: "create-role", + Short: "CreateRole creates a new role.", + Long: "CreateRole creates a new role.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateRoleFromFile == "" { + + cmd.MarkFlagRequired("role.name") + + cmd.MarkFlagRequired("role.permissions") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateRoleFromFile != "" { + in, err = os.Open(CreateRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateRole", &CreateRoleInput) + } + resp, err := AccessControlClient.CreateRole(ctx, &CreateRoleInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/create-subject.go b/cmd/create-subject.go new file mode 100644 index 0000000..5b4aeee --- /dev/null 
+++ b/cmd/create-subject.go @@ -0,0 +1,74 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var CreateSubjectInput grbacpb.CreateSubjectRequest + +var CreateSubjectFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(CreateSubjectCmd) + + CreateSubjectInput.Subject = new(grbacpb.Subject) + + CreateSubjectCmd.Flags().StringVar(&CreateSubjectInput.Subject.Name, "subject.name", "", "Required. The resource name of the subject.") + + CreateSubjectCmd.Flags().StringVar(&CreateSubjectFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var CreateSubjectCmd = &cobra.Command{ + Use: "create-subject", + Short: "CreateSubject creates a new subject.", + Long: "CreateSubject creates a new subject.", + PreRun: func(cmd *cobra.Command, args []string) { + + if CreateSubjectFromFile == "" { + + cmd.MarkFlagRequired("subject.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if CreateSubjectFromFile != "" { + in, err = os.Open(CreateSubjectFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &CreateSubjectInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "CreateSubject", &CreateSubjectInput) + } + resp, err := AccessControlClient.CreateSubject(ctx, &CreateSubjectInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/delete-group.go b/cmd/delete-group.go new file mode 100644 index 0000000..f70b2ea --- /dev/null +++ b/cmd/delete-group.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteGroupInput grbacpb.DeleteGroupRequest + +var DeleteGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteGroupCmd) + + DeleteGroupCmd.Flags().StringVar(&DeleteGroupInput.Name, "name", "", "Required. The resource name of the group to delete.") + + DeleteGroupCmd.Flags().StringVar(&DeleteGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteGroupCmd = &cobra.Command{ + Use: "delete-group", + Short: "DeleteGroup deletes a group.", + Long: "DeleteGroup deletes a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteGroupFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteGroupFromFile != "" { + in, err = os.Open(DeleteGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteGroup", &DeleteGroupInput) + } + err = AccessControlClient.DeleteGroup(ctx, &DeleteGroupInput) + + return err + }, +} diff --git a/cmd/delete-permission.go b/cmd/delete-permission.go new file mode 100644 index 0000000..943731d --- /dev/null +++ b/cmd/delete-permission.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeletePermissionInput grbacpb.DeletePermissionRequest + +var DeletePermissionFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeletePermissionCmd) + + DeletePermissionCmd.Flags().StringVar(&DeletePermissionInput.Name, "name", "", "Required. The resource name of the permission to delete.") + + DeletePermissionCmd.Flags().StringVar(&DeletePermissionFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeletePermissionCmd = &cobra.Command{ + Use: "delete-permission", + Short: "DeletePermission deletes a permission.", + Long: "DeletePermission deletes a permission.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeletePermissionFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeletePermissionFromFile != "" { + in, err = os.Open(DeletePermissionFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeletePermissionInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeletePermission", &DeletePermissionInput) + } + err = AccessControlClient.DeletePermission(ctx, &DeletePermissionInput) + + return err + }, +} diff --git a/cmd/delete-resource.go b/cmd/delete-resource.go new file mode 100644 index 0000000..9c78cc0 --- /dev/null +++ b/cmd/delete-resource.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteResourceInput grbacpb.DeleteResourceRequest + +var DeleteResourceFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteResourceCmd) + + DeleteResourceCmd.Flags().StringVar(&DeleteResourceInput.Name, "name", "", "Required. The full resource name that identifies the...") + + DeleteResourceCmd.Flags().StringVar(&DeleteResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteResourceCmd = &cobra.Command{ + Use: "delete-resource", + Short: "DeleteResource deletes a resource.", + Long: "DeleteResource deletes a resource.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteResourceFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteResourceFromFile != "" { + in, err = os.Open(DeleteResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteResourceInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteResource", &DeleteResourceInput) + } + err = AccessControlClient.DeleteResource(ctx, &DeleteResourceInput) + + return err + }, +} diff --git a/cmd/delete-role.go b/cmd/delete-role.go new file mode 100644 index 0000000..21759e0 --- /dev/null +++ b/cmd/delete-role.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteRoleInput grbacpb.DeleteRoleRequest + +var DeleteRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteRoleCmd) + + DeleteRoleCmd.Flags().StringVar(&DeleteRoleInput.Name, "name", "", "Required. The resource name of the role to delete.") + + DeleteRoleCmd.Flags().StringVar(&DeleteRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteRoleCmd = &cobra.Command{ + Use: "delete-role", + Short: "DeleteRole deletes a role.", + Long: "DeleteRole deletes a role.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteRoleFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteRoleFromFile != "" { + in, err = os.Open(DeleteRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteRole", &DeleteRoleInput) + } + err = AccessControlClient.DeleteRole(ctx, &DeleteRoleInput) + + return err + }, +} diff --git a/cmd/delete-subject.go b/cmd/delete-subject.go new file mode 100644 index 0000000..d126084 --- /dev/null +++ b/cmd/delete-subject.go 
@@ -0,0 +1,65 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var DeleteSubjectInput grbacpb.DeleteSubjectRequest + +var DeleteSubjectFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(DeleteSubjectCmd) + + DeleteSubjectCmd.Flags().StringVar(&DeleteSubjectInput.Name, "name", "", "Required. The subject to delete.") + + DeleteSubjectCmd.Flags().StringVar(&DeleteSubjectFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var DeleteSubjectCmd = &cobra.Command{ + Use: "delete-subject", + Short: "DeleteSubject deletes a subject.", + Long: "DeleteSubject deletes a subject.", + PreRun: func(cmd *cobra.Command, args []string) { + + if DeleteSubjectFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if DeleteSubjectFromFile != "" { + in, err = os.Open(DeleteSubjectFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &DeleteSubjectInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "DeleteSubject", &DeleteSubjectInput) + } + err = AccessControlClient.DeleteSubject(ctx, &DeleteSubjectInput) + + return err + }, +} diff --git a/cmd/get-group.go b/cmd/get-group.go new file mode 100644 index 0000000..58d03b5 --- /dev/null +++ b/cmd/get-group.go 
@@ -0,0 +1,72 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var GetGroupInput grbacpb.GetGroupRequest + +var GetGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetGroupCmd) + + GetGroupCmd.Flags().StringVar(&GetGroupInput.Name, "name", "", "Required. The name of the group to retrieve.") + + GetGroupCmd.Flags().StringVar(&GetGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetGroupCmd = &cobra.Command{ + Use: "get-group", + Short: "GetGroup returns a group.", + Long: "GetGroup returns a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetGroupFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetGroupFromFile != "" { + in, err = os.Open(GetGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetGroup", &GetGroupInput) + } + resp, err := AccessControlClient.GetGroup(ctx, &GetGroupInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/get-iam-policy.go b/cmd/get-iam-policy.go new file mode 100644 index 0000000..65ceedd --- /dev/null +++ b/cmd/get-iam-policy.go 
@@ -0,0 +1,76 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + iampb "google.golang.org/genproto/googleapis/iam/v1" + + "os" +) + +var GetIamPolicyInput iampb.GetIamPolicyRequest + +var GetIamPolicyFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetIamPolicyCmd) + + GetIamPolicyInput.Options = new(iampb.GetPolicyOptions) + + GetIamPolicyCmd.Flags().StringVar(&GetIamPolicyInput.Resource, "resource", "", "Required. REQUIRED: The resource for which the policy is...") + + GetIamPolicyCmd.Flags().Int32Var(&GetIamPolicyInput.Options.RequestedPolicyVersion, "options.requested_policy_version", 0, "Optional. The policy format version to be...") + + GetIamPolicyCmd.Flags().StringVar(&GetIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetIamPolicyCmd = &cobra.Command{ + Use: "get-iam-policy", + Short: "Gets the IAM policy that is attached to a generic...", + Long: "Gets the IAM policy that is attached to a generic resource. Note: the full resource name that identifies the resource must be provided.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetIamPolicyFromFile == "" { + + cmd.MarkFlagRequired("resource") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetIamPolicyFromFile != "" { + in, err = os.Open(GetIamPolicyFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetIamPolicyInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetIamPolicy", &GetIamPolicyInput) + } + resp, err := AccessControlClient.GetIamPolicy(ctx, &GetIamPolicyInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/get-resource.go b/cmd/get-resource.go new file mode 100644 index 0000000..e0d9f2c --- /dev/null 
+++ b/cmd/get-resource.go @@ -0,0 +1,72 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var GetResourceInput grbacpb.GetResourceRequest + +var GetResourceFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetResourceCmd) + + GetResourceCmd.Flags().StringVar(&GetResourceInput.Name, "name", "", "Required. The full resource name of the resource to...") + + GetResourceCmd.Flags().StringVar(&GetResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetResourceCmd = &cobra.Command{ + Use: "get-resource", + Short: "GetResource returns a resource.", + Long: "GetResource returns a resource.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetResourceFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetResourceFromFile != "" { + in, err = os.Open(GetResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetResourceInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetResource", &GetResourceInput) + } + resp, err := AccessControlClient.GetResource(ctx, &GetResourceInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/get-role.go b/cmd/get-role.go new file mode 100644 index 0000000..7d4cbbe --- /dev/null +++ b/cmd/get-role.go 
@@ -0,0 +1,72 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var GetRoleInput grbacpb.GetRoleRequest + +var GetRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(GetRoleCmd) + + GetRoleCmd.Flags().StringVar(&GetRoleInput.Name, "name", "", "Required. The name of the role to retrieve.") + + GetRoleCmd.Flags().StringVar(&GetRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var GetRoleCmd = &cobra.Command{ + Use: "get-role", + Short: "GetRole returns a role.", + Long: "GetRole returns a role.", + PreRun: func(cmd *cobra.Command, args []string) { + + if GetRoleFromFile == "" { + + cmd.MarkFlagRequired("name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if GetRoleFromFile != "" { + in, err = os.Open(GetRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &GetRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "GetRole", &GetRoleInput) + } + resp, err := AccessControlClient.GetRole(ctx, &GetRoleInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/grbac.go b/cmd/grbac.go new file mode 100644 index 0000000..6882645 --- /dev/null +++ b/cmd/grbac.go 
@@ -0,0 +1,61 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "bytes" + "context" + "fmt" + "os" + + "github.com/golang/protobuf/jsonpb" + "github.com/golang/protobuf/proto" + "github.com/spf13/cobra" +) + +var Verbose, OutputJSON bool +var ctx = context.Background() +var marshaler = &jsonpb.Marshaler{Indent: " "} + +func init() { + rootCmd.PersistentFlags().BoolVarP(&Verbose, "verbose", "v", false, "Print verbose output") + rootCmd.PersistentFlags().BoolVarP(&OutputJSON, "json", "j", false, "Print JSON output") +} + +var rootCmd = &cobra.Command{ + Use: "grbac", + Short: "Root command of grbac", +} + +func Execute() { + if err := rootCmd.Execute(); err != nil { + fmt.Println(err) + os.Exit(1) + } +} + +func main() { + Execute() +} + +func printVerboseInput(srv, mthd string, data interface{}) { + fmt.Println("Service:", srv) + fmt.Println("Method:", mthd) + fmt.Print("Input: ") + printMessage(data) +} + +func printMessage(data interface{}) { + var s string + + if msg, ok := data.(proto.Message); ok { + s = msg.String() + if OutputJSON { + var b bytes.Buffer + marshaler.Marshal(&b, msg) + s = b.String() + } + } + + fmt.Println(s) +} diff --git a/cmd/init.go b/cmd/init.go new file mode 100644 index 0000000..14d71e7 --- /dev/null +++ b/cmd/init.go 
@@ -0,0 +1,37 @@
+package main
+
+import (
+ "context"
+
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ type RuntimeConfig struct {
+ dgraphEndpoint string
+ }
+
+ config := RuntimeConfig{}
+ initCmd := &cobra.Command{
+ Use: "init",
+ Short: "Runs the API server initializer",
+ Run: func(cmd *cobra.Command, args []string) {
+ ctx := context.Background()
+ if err := bootstrap.Schema(ctx, config.dgraphEndpoint); err != nil {
+ logrus.Fatalf("failed to migrate the schema: %v", err)
+ }
+
+ logrus.Info("finished migrating the schema")
+ },
+ }
+
+ rootCmd.AddCommand(initCmd)
+
+ initCmd.Flags().StringVar(
+ &config.dgraphEndpoint,
+ "dgraph-endpoint",
+ "127.0.0.1:9080",
+ "The endpoint of the dgraph database.")
+}
diff --git a/cmd/remove-group-member.go b/cmd/remove-group-member.go
new file mode 100644
index 0000000..3908c0d
--- /dev/null
+++ b/cmd/remove-group-member.go
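Review bot: The schema migration in cmd/init.go runs under a bare `context.Background()`, so nothing bounds how long `bootstrap.Schema` may wait on the `--dgraph-endpoint`. Unless that helper applies its own deadline (not visible here), an unreachable endpoint could leave `grbac init` hanging. Consider `ctx, cancel := context.WithTimeout(context.Background(), timeout)` with `defer cancel()`, which would need the `time` import. The function-local `RuntimeConfig` type also shadows the package-level `RuntimeConfig` that cmd/run.go adds in this same commit; a distinct name such as `initConfig` would avoid the confusion.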
@@ -0,0 +1,76 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var RemoveGroupMemberInput grbacpb.RemoveGroupMemberRequest + +var RemoveGroupMemberFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(RemoveGroupMemberCmd) + + RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberInput.Group, "group", "", "Required. The name of the group to remove an member from.") + + RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberInput.Member, "member", "", "Required. The member to be removed.") + + RemoveGroupMemberCmd.Flags().StringVar(&RemoveGroupMemberFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var RemoveGroupMemberCmd = &cobra.Command{ + Use: "remove-group-member", + Short: "RemoveGroupMember removes a member from a group.", + Long: "RemoveGroupMember removes a member from a group.", + PreRun: func(cmd *cobra.Command, args []string) { + + if RemoveGroupMemberFromFile == "" { + + cmd.MarkFlagRequired("group") + + cmd.MarkFlagRequired("member") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if RemoveGroupMemberFromFile != "" { + in, err = os.Open(RemoveGroupMemberFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &RemoveGroupMemberInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "RemoveGroupMember", &RemoveGroupMemberInput) + } + resp, err := AccessControlClient.RemoveGroupMember(ctx, &RemoveGroupMemberInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/run.go b/cmd/run.go new file mode 100644 index 0000000..0baec83 --- /dev/null +++ b/cmd/run.go 
@@ -0,0 +1,76 @@
+package main
+
+import (
+ "context"
+ "os"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/grbac/grbac/pkg/graceful"
+ "github.com/grbac/grbac/pkg/interrupt"
+ "github.com/grbac/grbac/pkg/services"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/reflection"
+)
+
+type RuntimeConfig struct {
+ port string
+ dgraphEndpoint string
+}
+
+// TODO: Investigate whether mTLS could be useful.
+// TODO: Investigate whether fallback server for HTTP/1.1 could be useful.
+
+// See https://github.com/googleapis/gapic-showcase/blob/master/cmd/gapic-showcase/endpoint.go
+
+func init() {
+ config := RuntimeConfig{}
+ runCmd := &cobra.Command{
+ Use: "run",
+ Short: "Runs the API server",
+ Run: func(cmd *cobra.Command, args []string) {
+ ctx, cancel := context.WithCancel(ctx)
+ intr := interrupt.New(func(os.Signal) {}, cancel)
+
+ opts := []grpc.ServerOption{}
+ server := grpc.NewServer(opts...)
+
+ cfg := &services.AccessControlServerConfig{
+ DgraphHostname: config.dgraphEndpoint,
+ }
+
+ accessControlServer, err := services.NewAccessControlServer(cfg)
+ if err != nil {
+ logrus.WithError(err).Fatalf("failed to start the [authorizer] server")
+ }
+ defer accessControlServer.(*services.AccessControlServerImpl).Close()
+
+ // Register Services to the server.
+ grbac.RegisterAccessControlServer(server, accessControlServer)
+
+ // Register reflection service on gRPC server.
+ reflection.Register(server)
+
+ if err := intr.Run(func() error { return graceful.NewGrpcListener(ctx, config.port, server) }); err != nil {
+ logrus.WithError(err).Fatalf("http server exited with error")
+ }
+ },
+ }
+
+ rootCmd.AddCommand(runCmd)
+
+ runCmd.Flags().StringVarP(
+ &config.port,
+ "port",
+ "p",
+ ":9080",
+ "The port that this serice will be served on.")
+
+ runCmd.Flags().StringVar(
+ &config.dgraphEndpoint,
+ "dgraph-endpoint",
+ "127.0.0.1:9080",
+ "The endpoint of the dgraph database.")
+}
diff --git a/cmd/set-iam-policy.go b/cmd/set-iam-policy.go
new file mode 100644
index 0000000..9252875
--- /dev/null
+++ b/cmd/set-iam-policy.go
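Review bot: In cmd/run.go, `grpc.NewServer(opts...)` is called with an empty option list, so the access-control API is served in plaintext with no authentication interceptor, while the `--port` default `:9080` listens on every interface and `reflection.Register(server)` advertises the full service to any peer that can connect. The TODO above `init` already mentions mTLS; until that lands, I would pass transport credentials (`opts := []grpc.ServerOption{grpc.Creds(creds)}`) and register reflection only behind an explicit opt-in flag. The `--port` default also uses the same port as the `--dgraph-endpoint` default `127.0.0.1:9080`, so running both on one host with defaults would presumably fail to bind. Separately, `logrus.Fatalf` exits the process, so the deferred `Close()` on the access-control server never runs on the listener-error path.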
@@ -0,0 +1,93 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + iampb "google.golang.org/genproto/googleapis/iam/v1" + + "os" +) + +var SetIamPolicyInput iampb.SetIamPolicyRequest + +var SetIamPolicyFromFile string + +var SetIamPolicyInputPolicyBindings []string + +func init() { + AccessControlServiceCmd.AddCommand(SetIamPolicyCmd) + + SetIamPolicyInput.Policy = new(iampb.Policy) + + SetIamPolicyCmd.Flags().StringVar(&SetIamPolicyInput.Resource, "resource", "", "Required. REQUIRED: The resource for which the policy is...") + + SetIamPolicyCmd.Flags().Int32Var(&SetIamPolicyInput.Policy.Version, "policy.version", 0, "Specifies the format of the policy. Valid...") + + SetIamPolicyCmd.Flags().StringArrayVar(&SetIamPolicyInputPolicyBindings, "policy.bindings", []string{}, "Associates a list of `members` to a `role`....") + + SetIamPolicyCmd.Flags().BytesHexVar(&SetIamPolicyInput.Policy.Etag, "policy.etag", []byte{}, "`etag` is used for optimistic concurrency control...") + + SetIamPolicyCmd.Flags().StringVar(&SetIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var SetIamPolicyCmd = &cobra.Command{ + Use: "set-iam-policy", + Short: "Sets the IAM policy that is attached to a generic...", + Long: "Sets the IAM policy that is attached to a generic resource. 
Note: the full resource name that identifies the resource must be provided.", + PreRun: func(cmd *cobra.Command, args []string) { + + if SetIamPolicyFromFile == "" { + + cmd.MarkFlagRequired("resource") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if SetIamPolicyFromFile != "" { + in, err = os.Open(SetIamPolicyFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &SetIamPolicyInput) + if err != nil { + return err + } + + } + + // unmarshal JSON strings into slice of structs + for _, item := range SetIamPolicyInputPolicyBindings { + tmp := iampb.Binding{} + err = jsonpb.UnmarshalString(item, &tmp) + if err != nil { + return + } + + SetIamPolicyInput.Policy.Bindings = append(SetIamPolicyInput.Policy.Bindings, &tmp) + } + + if Verbose { + printVerboseInput("AccessControl", "SetIamPolicy", &SetIamPolicyInput) + } + resp, err := AccessControlClient.SetIamPolicy(ctx, &SetIamPolicyInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/test-iam-policy.go b/cmd/test-iam-policy.go new file mode 100644 index 0000000..59fbdcc --- /dev/null +++ b/cmd/test-iam-policy.go 
@@ -0,0 +1,75 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var TestIamPolicyInput grbacpb.TestIamPolicyRequest + +var TestIamPolicyFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(TestIamPolicyCmd) + + TestIamPolicyInput.AccessTuple = new(grbacpb.AccessTuple) + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.Principal, "access_tuple.principal", "", "Required. The member, or principal, whose access you want...") + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.FullResourceName, "access_tuple.full_resource_name", "", "Required. The full resource name that identifies the...") + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyInput.AccessTuple.Permission, "access_tuple.permission", "", "Required. The IAM permission to check for the specified...") + + TestIamPolicyCmd.Flags().StringVar(&TestIamPolicyFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var TestIamPolicyCmd = &cobra.Command{ + Use: "test-iam-policy", + Short: "Checks whether a member has a specific permission...", + Long: "Checks whether a member has a specific permission for a specific resource. 
If not allowed an Unauthorized (403) error will be returned.", + PreRun: func(cmd *cobra.Command, args []string) { + + if TestIamPolicyFromFile == "" { + + cmd.MarkFlagRequired("access_tuple.principal") + + cmd.MarkFlagRequired("access_tuple.full_resource_name") + + cmd.MarkFlagRequired("access_tuple.permission") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if TestIamPolicyFromFile != "" { + in, err = os.Open(TestIamPolicyFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &TestIamPolicyInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "TestIamPolicy", &TestIamPolicyInput) + } + err = AccessControlClient.TestIamPolicy(ctx, &TestIamPolicyInput) + + return err + }, +} diff --git a/cmd/transfer-resource.go b/cmd/transfer-resource.go new file mode 100644 index 0000000..293757a --- /dev/null +++ b/cmd/transfer-resource.go 
@@ -0,0 +1,95 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" + + "strings" +) + +var TransferResourceInput grbacpb.TransferResourceRequest + +var TransferResourceFromFile string + +var TransferResourceInputSubstitutions []string + +func init() { + AccessControlServiceCmd.AddCommand(TransferResourceCmd) + + TransferResourceCmd.Flags().StringVar(&TransferResourceInput.Name, "name", "", "Required. The full resource name that identifies the...") + + TransferResourceCmd.Flags().StringVar(&TransferResourceInput.TargetParent, "target_parent", "", "Required. The full resource name that identifies the new...") + + TransferResourceCmd.Flags().StringArrayVar(&TransferResourceInputSubstitutions, "substitutions", []string{}, "key=value pairs. The map of substitutions to apply to the full...") + + TransferResourceCmd.Flags().StringVar(&TransferResourceFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var TransferResourceCmd = &cobra.Command{ + Use: "transfer-resource", + Short: "TransferResource transfers a resource to a new...", + Long: "TransferResource transfers a resource to a new parent.", + PreRun: func(cmd *cobra.Command, args []string) { + + if TransferResourceFromFile == "" { + + cmd.MarkFlagRequired("name") + + cmd.MarkFlagRequired("target_parent") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if TransferResourceFromFile != "" { + in, err = os.Open(TransferResourceFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &TransferResourceInput) + if err != nil { + return err + } + + } + + if len(TransferResourceInputSubstitutions) > 0 { + TransferResourceInput.Substitutions = make(map[string]string) + } + for _, item := range TransferResourceInputSubstitutions { + split := 
strings.Split(item, "=") + if len(split) < 2 { + err = fmt.Errorf("Invalid map item: %q", item) + return + } + + TransferResourceInput.Substitutions[split[0]] = split[1] + } + + if Verbose { + printVerboseInput("AccessControl", "TransferResource", &TransferResourceInput) + } + resp, err := AccessControlClient.TransferResource(ctx, &TransferResourceInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/update-group.go b/cmd/update-group.go new file mode 100644 index 0000000..15cbadc --- /dev/null +++ b/cmd/update-group.go 
@@ -0,0 +1,84 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var UpdateGroupInput grbacpb.UpdateGroupRequest + +var UpdateGroupFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(UpdateGroupCmd) + + UpdateGroupInput.Group = new(grbacpb.Group) + + UpdateGroupInput.UpdateMask = new(fieldmaskpb.FieldMask) + + UpdateGroupCmd.Flags().StringVar(&UpdateGroupInput.Group.Name, "group.name", "", "Required. The resource name of the group.") + + UpdateGroupCmd.Flags().StringSliceVar(&UpdateGroupInput.Group.Members, "group.members", []string{}, "The list of members of the group. Groups might...") + + UpdateGroupCmd.Flags().BytesHexVar(&UpdateGroupInput.Group.Etag, "group.etag", []byte{}, "An etag for concurrency control, ignored during...") + + UpdateGroupCmd.Flags().StringSliceVar(&UpdateGroupInput.UpdateMask.Paths, "update_mask.paths", []string{}, "The set of field mask paths.") + + UpdateGroupCmd.Flags().StringVar(&UpdateGroupFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var UpdateGroupCmd = &cobra.Command{ + Use: "update-group", + Short: "UpdateGroup updates a group with a field mask.", + Long: "UpdateGroup updates a group with a field mask.", + PreRun: func(cmd *cobra.Command, args []string) { + + if UpdateGroupFromFile == "" { + + cmd.MarkFlagRequired("group.name") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if UpdateGroupFromFile != "" { + in, err = os.Open(UpdateGroupFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &UpdateGroupInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "UpdateGroup", &UpdateGroupInput) + } + resp, err 
:= AccessControlClient.UpdateGroup(ctx, &UpdateGroupInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/cmd/update-role.go b/cmd/update-role.go new file mode 100644 index 0000000..62ad084 --- /dev/null +++ b/cmd/update-role.go 
@@ -0,0 +1,86 @@ +// Code generated. DO NOT EDIT. + +package main + +import ( + "github.com/spf13/cobra" + + fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb" + + "fmt" + + "github.com/golang/protobuf/jsonpb" + + grbacpb "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "os" +) + +var UpdateRoleInput grbacpb.UpdateRoleRequest + +var UpdateRoleFromFile string + +func init() { + AccessControlServiceCmd.AddCommand(UpdateRoleCmd) + + UpdateRoleInput.Role = new(grbacpb.Role) + + UpdateRoleInput.UpdateMask = new(fieldmaskpb.FieldMask) + + UpdateRoleCmd.Flags().StringVar(&UpdateRoleInput.Role.Name, "role.name", "", "Required. The resource name of the role.") + + UpdateRoleCmd.Flags().StringSliceVar(&UpdateRoleInput.Role.Permissions, "role.permissions", []string{}, "Required. The list of permissions granted by the role.") + + UpdateRoleCmd.Flags().BytesHexVar(&UpdateRoleInput.Role.Etag, "role.etag", []byte{}, "An etag for concurrency control, ignored during...") + + UpdateRoleCmd.Flags().StringSliceVar(&UpdateRoleInput.UpdateMask.Paths, "update_mask.paths", []string{}, "The set of field mask paths.") + + UpdateRoleCmd.Flags().StringVar(&UpdateRoleFromFile, "from_file", "", "Absolute path to JSON file containing request payload") + +} + +var UpdateRoleCmd = &cobra.Command{ + Use: "update-role", + Short: "UpdateRole updates a role with a field mask.", + Long: "UpdateRole updates a role with a field mask.", + PreRun: func(cmd *cobra.Command, args []string) { + + if UpdateRoleFromFile == "" { + + cmd.MarkFlagRequired("role.name") + + cmd.MarkFlagRequired("role.permissions") + + } + + }, + RunE: func(cmd *cobra.Command, args []string) (err error) { + + in := os.Stdin + if UpdateRoleFromFile != "" { + in, err = os.Open(UpdateRoleFromFile) + if err != nil { + return err + } + defer in.Close() + + err = jsonpb.Unmarshal(in, &UpdateRoleInput) + if err != nil { + return err + } + + } + + if Verbose { + printVerboseInput("AccessControl", "UpdateRole", 
&UpdateRoleInput) + } + resp, err := AccessControlClient.UpdateRole(ctx, &UpdateRoleInput) + + if Verbose { + fmt.Print("Output: ") + } + printMessage(resp) + + return err + }, +} diff --git a/examples/grpc/docker-compose.yaml b/examples/grpc/docker-compose.yaml new file mode 100644 index 0000000..a2f0eb9 --- /dev/null +++ b/examples/grpc/docker-compose.yaml @@ -0,0 +1,12 @@ +version: '3' +services: + dgraph: + image: dgraph/standalone:v21.03.0 + ports: + - "8060:8080" + - "9060:9080" + grbac: + build: ../../ + entrypoint: /usr/local/grbac/docker-compose.sh + ports: + - "9070:9080" diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..fbdad60 --- /dev/null +++ b/go.mod @@ -0,0 +1,27 @@ +module github.com/grbac/grbac + +go 1.16 + +require ( + github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e + github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660 + github.com/dgraph-io/dgo/v210 v210.0.0-20210421093152-78a2fece3ebd + github.com/fsnotify/fsnotify v1.4.9 // indirect + github.com/golang/protobuf v1.5.2 + github.com/google/go-cmp v0.5.6 // indirect + github.com/google/uuid v1.1.2 + github.com/kr/text v0.2.0 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/sirupsen/logrus v1.8.1 + github.com/spf13/cobra v1.1.3 + github.com/spf13/viper v1.7.1 + github.com/stretchr/testify v1.7.0 + golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c + golang.org/x/sync v0.0.0-20210220032951-036812b2e83c + google.golang.org/api v0.47.0 + google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced + google.golang.org/grpc v1.38.0 + google.golang.org/protobuf v1.26.0 + gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..d012cb1 --- /dev/null +++ b/go.sum 
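Review bot: The `ports` entries in examples/grpc/docker-compose.yaml (`"8060:8080"` and `"9060:9080"` under `dgraph`, `"9070:9080"` under `grbac`) publish on every host interface, so running the example on a networked machine makes the database endpoints and the gRBAC gRPC port reachable from outside the host. Nothing in this file configures authentication or TLS for either service, so I would bind the example to loopback: `- "127.0.0.1:8060:8080"`, `- "127.0.0.1:9060:9080"` and `- "127.0.0.1:9070:9080"`. A short comment at the top saying the stack is for local evaluation only would also help. The `grbac` service declares no `depends_on` for `dgraph`; presumably `docker-compose.sh` waits for the database, but that script is not part of this hunk, so it is worth confirming.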
@@ -0,0 +1,700 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0 h1:at8Tk2zUz63cLPR0JPWm5vp77pEZmzxEQBEfRKn1VV8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery 
v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/alecthomas/template 
v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/animeapis/api-go-client v0.0.0-20210702020008-910be5621ed0 h1:lny9qbtbsTRkBTw7Xa2IqobVH+icoUna3Z5st5RSs30= +github.com/animeapis/api-go-client v0.0.0-20210702020008-910be5621ed0/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210706005357-61f55569ce4f h1:gACgGhge+bvE9h0y+dk9EDSCLxPMRwbMIUpBieopoJM= +github.com/animeapis/api-go-client v0.0.0-20210706005357-61f55569ce4f/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210706012355-5c7d0a25dc1f h1:qsbZJro93Yi4B0optb+HPGkoSPSnaGSRoAHlp+lRoMg= +github.com/animeapis/api-go-client v0.0.0-20210706012355-5c7d0a25dc1f/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210706130016-f43925eaefe0 h1:9WPMGKnlSFMlvuJTKmv+EkEaFG2elatH80igIyHN+Bo= +github.com/animeapis/api-go-client v0.0.0-20210706130016-f43925eaefe0/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e h1:enf+AfSGCjGnyrmbotM1VClz46mI45ZbRaDh7lFbTd0= +github.com/animeapis/api-go-client v0.0.0-20210719185158-3f1ebfbc688e/go.mod h1:blT8kGsLh12FYcBcZj14IXL+X6o0sSv6lxHPRV7JHKY= +github.com/animeapis/go-genproto v0.0.0-20210521234542-490e9b696088/go.mod h1:uKRvemxPZyVEy2+4cCWJ6WXDeBXyR4YjBFnHgV5cGcg= +github.com/animeapis/go-genproto v0.0.0-20210705160300-2b8f84d86720 h1:n+ozc7P73xOjhvoFjB86vaZF0RA5wSwIcuxFVXiFtsQ= +github.com/animeapis/go-genproto v0.0.0-20210705160300-2b8f84d86720/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210705231000-2747288cb6e8 h1:3zOJPt/mL2KSDYOT7MewwGRIcNxSKvY5hn4oDKHP4N0= +github.com/animeapis/go-genproto v0.0.0-20210705231000-2747288cb6e8/go.mod 
h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706005359-67393cbcd97d h1:UEzSoNDmUTqtuB9lGuUtAUzo44vgxHpnz5HDuLoBFEM= +github.com/animeapis/go-genproto v0.0.0-20210706005359-67393cbcd97d/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706012357-9e992faa07a7 h1:1myeoc83fA4rpu1QeT0LtZZKKK0rCs3H1qIsLAlEv4c= +github.com/animeapis/go-genproto v0.0.0-20210706012357-9e992faa07a7/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706130018-a53e1fd61c52 h1:FSzleLHwQCE2k+FsxSNPPR3d28Bdo249SlrGPlxeHTI= +github.com/animeapis/go-genproto v0.0.0-20210706130018-a53e1fd61c52/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210706183531-6bde4cfe3722 h1:wH+1TPwGpMJtN+v7BzVT7b53A4fhcLXT9PLDe1uWqMk= +github.com/animeapis/go-genproto v0.0.0-20210706183531-6bde4cfe3722/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660 h1:19vlhXVKZsLRuw4VhJjpzneK8WkURErvGmjKHUpLW/U= +github.com/animeapis/go-genproto v0.0.0-20210720022825-bf3232b11660/go.mod h1:S3f/N8TLUdJ6rYag/SZxKFMCCvpt/ueFMe7ymlyjZEs= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod 
h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgraph-io/dgo/v210 
v210.0.0-20210421093152-78a2fece3ebd h1:bKck5FnruuJxL1oCmrDSYWRl634IxBwL/IwwWx4UgEM= +github.com/dgraph-io/dgo/v210 v210.0.0-20210421093152-78a2fece3ebd/go.mod h1:dCzdThGGTPYOAuNtrM6BiXj/86voHn7ZzkPL6noXR3s= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod 
h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock 
v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod 
h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod 
h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/consul/api v1.1.0/go.mod 
h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod 
h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 
h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= 
+github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod 
h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.1.3 
h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M= +github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk= +github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s= +github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/xiang90/probing 
v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto 
v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod 
h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net 
v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= 
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420 h1:a8jGStKg0XqKDlKqjLrXn0ioF5MH36pT7Z0BRTqLhbk= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync 
v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015 
h1:hZR0X1kPW+nwyJ9xRxqZk1vx5RUObAPBdKVvXPDUH/E= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod 
h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0 h1:sQLWZQvP6jPGIP4JGPkJu4zHswrv81iobiyszr3b/0I= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= 
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod 
h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210521181308-5ccab8a35a9a/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced h1:c5geK1iMU3cDKtFrCVQIcjR3W+JOZMuhIyICMCTbtus= +google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod 
h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno= +gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 
h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/pkg/bootstrap/data/schema.rdf b/pkg/bootstrap/data/schema.rdf new file mode 100644 index 0000000..4b56e2e --- /dev/null +++ b/pkg/bootstrap/data/schema.rdf 
@@ -0,0 +1,59 @@ +type Resource { + Resource.etag + Resource.name + Resource.parent + Resource.policy +} + +type Policy { + Policy.bindings + Policy.version + Policy.etag +} + +type Binding { + Binding.role + Binding.members +} + +type Role { + Role.description + Role.displayName + Role.etag + Role.name + Role.permissions +} + +type Permission { + Permission.name +} + +type Group { + Group.etag + Group.members + Group.name +} + +type Subject { + Subject.name +} + +: [uid] . +: uid . +: string @index(hash) @upsert . +: [uid] . +: string @index(hash) @upsert . +: string @index(hash) @upsert . +: [uid] . +: string @index(hash) @upsert . +: int . +: string @index(hash) @upsert . +: string @index(hash) @upsert . +: uid @reverse . +: uid . +: string . +: string . +: string @index(hash) @upsert . +: string @index(hash) @upsert . +: [uid] @reverse . +: string @index(hash) @upsert . \ No newline at end of file diff --git a/pkg/bootstrap/data/system.all-users.condition.rdf b/pkg/bootstrap/data/system.all-users.condition.rdf new file mode 100644 index 0000000..09e363c --- /dev/null +++ b/pkg/bootstrap/data/system.all-users.condition.rdf @@ -0,0 +1 @@ +@if(eq(len(allUsers), 0)) \ No newline at end of file diff --git a/pkg/bootstrap/data/system.all-users.mutation.rdf b/pkg/bootstrap/data/system.all-users.mutation.rdf new file mode 100644 index 0000000..f17db9d --- /dev/null +++ b/pkg/bootstrap/data/system.all-users.mutation.rdf @@ -0,0 +1,2 @@ +uid(allUsers) "Subject" . +uid(allUsers) "system/allUsers" . \ No newline at end of file diff --git a/pkg/bootstrap/data/system.all-users.query.rdf b/pkg/bootstrap/data/system.all-users.query.rdf new file mode 100644 index 0000000..9f7e3e9 --- /dev/null +++ b/pkg/bootstrap/data/system.all-users.query.rdf @@ -0,0 +1,3 @@ +query { + var(func: eq(Subject.name, "system/allUsers")) { allUsers as uid } +} \ No newline at end of file 
diff --git a/pkg/bootstrap/data/system.animeshon.condition.rdf b/pkg/bootstrap/data/system.animeshon.condition.rdf new file mode 100644 index 0000000..8f6f919 --- /dev/null +++ b/pkg/bootstrap/data/system.animeshon.condition.rdf @@ -0,0 +1 @@ +@if(eq(len(animeshon), 0)) \ No newline at end of file diff --git a/pkg/bootstrap/data/system.animeshon.mutation.rdf b/pkg/bootstrap/data/system.animeshon.mutation.rdf new file mode 100644 index 0000000..25a44f5 --- /dev/null +++ b/pkg/bootstrap/data/system.animeshon.mutation.rdf @@ -0,0 +1,2 @@ +uid(animeshon) "Resource" . +uid(animeshon) "@animeshon" . \ No newline at end of file diff --git a/pkg/bootstrap/data/system.animeshon.query.rdf b/pkg/bootstrap/data/system.animeshon.query.rdf new file mode 100644 index 0000000..1a35324 --- /dev/null +++ b/pkg/bootstrap/data/system.animeshon.query.rdf @@ -0,0 +1,3 @@ +query { + var(func: eq(Resource.name, "@animeshon")) { animeshon as uid } +} \ No newline at end of file diff --git a/pkg/bootstrap/schema.go b/pkg/bootstrap/schema.go new file mode 100644 index 0000000..b0d561b --- /dev/null +++ b/pkg/bootstrap/schema.go 
@@ -0,0 +1,76 @@
+package bootstrap
+
+import (
+ "context"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "google.golang.org/grpc"
+)
+
+//go:embed data/schema.rdf
+var schema string
+
+//go:embed data/system.all-users.query.rdf
+var allUsersQuery string
+
+//go:embed data/system.all-users.mutation.rdf
+var allUsersMutation []byte
+
+//go:embed data/system.all-users.condition.rdf
+var allUsersCondition string
+
+//go:embed data/system.animeshon.query.rdf
+var animeshonQuery string
+
+//go:embed data/system.animeshon.mutation.rdf
+var animeshonMutation []byte
+
+//go:embed data/system.animeshon.condition.rdf
+var animeshonCondition string
+
+func Schema(ctx context.Context, endpoint string) error {
+ connection, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ if err != nil {
+ return err
+ }
+ defer connection.Close()
+
+ op := &api.Operation{
+ Schema: schema,
+ }
+
+ cli := dgo.NewDgraphClient(api.NewDgraphClient(connection))
+ if err := cli.Alter(context.Background(), op); err != nil {
+ return err
+ }
+
+ allUsers := &api.Request{
+ Query: allUsersQuery,
+ Mutations: []*api.Mutation{{
+ Cond: allUsersCondition,
+ SetNquads: allUsersMutation,
+ }},
+ CommitNow: true,
+ }
+
+ if _, err := cli.NewTxn().Do(ctx, allUsers); err != nil {
+ return err
+ }
+
+ animeshon := &api.Request{
+ Query: animeshonQuery,
+ Mutations: []*api.Mutation{{
+ Cond: animeshonCondition,
+ SetNquads: animeshonMutation,
+ }},
+ CommitNow: true,
+ }
+
+ if _, err := cli.NewTxn().Do(ctx, animeshon); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/pkg/fieldmask/fieldmask.go b/pkg/fieldmask/fieldmask.go
new file mode 100644
index 0000000..b746ddd
--- /dev/null
+++ b/pkg/fieldmask/fieldmask.go
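Review bot: `grpc.Dial(endpoint, grpc.WithInsecure())` in `Schema` opens a plaintext, unauthenticated channel to the Dgraph endpoint, and this is the connection that alters the schema and seeds the `system/allUsers` subject and the `@animeshon` resource of an access-control store. Unless the endpoint is only ever a loopback or otherwise protected address (not visible from this hunk), the dial option should come from configuration so deployments can pass TLS credentials, e.g. `grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))`. Separately, `cli.Alter(context.Background(), op)` ignores the caller's `ctx`, so the schema change cannot be cancelled or time-bounded; `if err := cli.Alter(ctx, op); err != nil {` matches the two `Do(ctx, …)` calls below it.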
@@ -0,0 +1,33 @@
+package fieldmask
+
+import (
+ "strings"
+
+ "google.golang.org/protobuf/types/known/fieldmaskpb"
+)
+
+type FieldMask struct {
+ paths []string
+}
+
+func (mask *FieldMask) Contains(field string) bool {
+ if mask == nil {
+ return true
+ }
+
+ for _, mask := range mask.paths {
+ if strings.HasPrefix(field, mask) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func NewFieldMask(mask *fieldmaskpb.FieldMask) *FieldMask {
+ if len(mask.GetPaths()) == 0 {
+ return nil
+ }
+
+ return &FieldMask{paths: mask.GetPaths()}
+}
diff --git a/pkg/graceful/grpc_listener.go b/pkg/graceful/grpc_listener.go
new file mode 100644
index 0000000..139367c
--- /dev/null
+++ b/pkg/graceful/grpc_listener.go
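Review bot: `Contains` matches with a bare `strings.HasPrefix(field, mask)`, so a mask path `name` also selects a field such as `names` or `name_suffix`, not only `name` and its sub-fields; if the mask gates which fields of an update are written (the callers are outside this hunk), that widens the update beyond what the client asked for. Matching on a path-segment boundary avoids it: `if field == path || strings.HasPrefix(field, path+".") {`, with the loop variable renamed to `path` so it no longer shadows the receiver `mask`. A doc comment on `NewFieldMask` and `Contains` should also state that an empty or nil mask yields a nil `*FieldMask`, which `Contains` treats as "every field".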
@@ -0,0 +1,60 @@
+package graceful
+
+import (
+ "context"
+ "net"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sync/errgroup"
+ "google.golang.org/grpc"
+)
+
+// NewGrpcListener listens for incoming gRPC requests.
+func NewGrpcListener(ctx context.Context, address string, server *grpc.Server) error {
+ listener, err := net.Listen("tcp", address)
+ if err != nil {
+ return err
+ }
+
+ logrus.Infof("gRPC server listening to [%s]", address)
+ return ServeWithContext(ctx, server, listener)
+}
+
+// ServeWithContext is a wrapper around the Serve function which also implements
+// context cancellation and graceful shutdown.
+func ServeWithContext(ctx context.Context, server *grpc.Server, listener net.Listener) error {
+ serverCtx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ gr := new(errgroup.Group)
+ gr.Go(func() error {
+ defer cancel()
+
+ if err := server.Serve(listener); err != nil {
+ return err
+ }
+
+ return nil
+ })
+
+ gr.Go(func() error {
+ for {
+ select {
+ case <-serverCtx.Done():
+ // ListenAndServe exited already - nothing to do.
+ return nil
+ case <-ctx.Done():
+ // SIGTERM or SIGINT received - initiate graceful shutdown.
+ goto shutdown
+ }
+ }
+
+ shutdown:
+ logrus.Info("gracefully shutting down the server - waiting for active connections to close")
+ server.GracefulStop()
+
+ return nil
+ })
+
+ return gr.Wait()
+}
diff --git a/pkg/graph/data/groups.exists.query.dql b/pkg/graph/data/groups.exists.query.dql
new file mode 100644
index 0000000..d9190d9
--- /dev/null
+++ b/pkg/graph/data/groups.exists.query.dql
@@ -0,0 +1,5 @@
+query queryExistsGroup($name: string) {
+ groups(func: eq(Group.name, $name)) {
+ Group.name
+ }
+}
\ No newline at end of file
diff --git a/pkg/graph/data/groups.get.query.dql b/pkg/graph/data/groups.get.query.dql
new file mode 100644
index 0000000..b302d14
--- /dev/null
+++ b/pkg/graph/data/groups.get.query.dql
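Review bot: In `ServeWithContext` the shutdown goroutine calls `server.GracefulStop()` with no upper bound, and GracefulStop blocks until every in-flight RPC has finished, so a single long-lived or stalled stream keeps the process from exiting after SIGTERM. Bounding the wait and falling back to `server.Stop()` fixes that; `shutdownTimeout` in the sketch below would be a new package-level constant or parameter, and the file would need the `time` import. The `for`/`goto` around the `select` can go at the same time, since both cases leave the loop on the first receive, and the comment that mentions `ListenAndServe` should name `Serve`.

```go
	gr.Go(func() error {
		select {
		case <-serverCtx.Done():
			// Serve exited already - nothing to do.
			return nil
		case <-ctx.Done():
			// SIGTERM or SIGINT received - initiate graceful shutdown.
		}

		logrus.Info("gracefully shutting down the server - waiting for active connections to close")

		stopped := make(chan struct{})
		go func() {
			server.GracefulStop()
			close(stopped)
		}()

		select {
		case <-stopped:
		case <-time.After(shutdownTimeout):
			// In-flight RPCs did not drain in time - close the remaining connections.
			server.Stop()
		}

		return nil
	})
```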
@@ -0,0 +1,10 @@ +query queryGetGroup($name: string) { + groups(func: eq(Group.name, $name)) { + Group.name + Group.etag + Group.members { + Group.name + Subject.name + } + } +} \ No newline at end of file diff --git a/pkg/graph/data/permissions.exists.query.dql b/pkg/graph/data/permissions.exists.query.dql new file mode 100644 index 0000000..549e6b8 --- /dev/null +++ b/pkg/graph/data/permissions.exists.query.dql @@ -0,0 +1,5 @@ +query queryExistsPermission($name: string) { + permissions(func: eq(Permission.name, $name)) { + Permission.name + } +} \ No newline at end of file diff --git a/pkg/graph/data/resources.exists.query.dql b/pkg/graph/data/resources.exists.query.dql new file mode 100644 index 0000000..a158fa4 --- /dev/null +++ b/pkg/graph/data/resources.exists.query.dql @@ -0,0 +1,5 @@ +query queryGetResource($name: string) { + resources(func: eq(Resource.name, $name)) { + Resource.name + } +} diff --git a/pkg/graph/data/resources.get.query.dql b/pkg/graph/data/resources.get.query.dql new file mode 100644 index 0000000..1b41d5f --- /dev/null +++ b/pkg/graph/data/resources.get.query.dql @@ -0,0 +1,22 @@ +query queryGetResource($name: string) { + resources(func: eq(Resource.name, $name)) { + Resource.name + Resource.etag + Resource.policy { + Policy.etag + Policy.version + Policy.bindings { + Binding.role { + Role.name + } + Binding.members { + Group.name + Subject.name + } + } + } + Resource.parent { + Resource.name + } + } +} diff --git a/pkg/graph/data/resources.has_children.query.dql b/pkg/graph/data/resources.has_children.query.dql new file mode 100644 index 0000000..6b2f534 --- /dev/null +++ b/pkg/graph/data/resources.has_children.query.dql @@ -0,0 +1,7 @@ +query queryHasChildren($name: string) { + children(func: eq(Resource.name, $name)) { + ~Resource.parent { + Resource.name + } + } +} \ No newline at end of file diff --git a/pkg/graph/data/roles.exists.query.dql b/pkg/graph/data/roles.exists.query.dql new file mode 100644 index 0000000..7ea6959 
--- /dev/null +++ b/pkg/graph/data/roles.exists.query.dql @@ -0,0 +1,5 @@ +query queryExistsRole($name: string) { + roles(func: eq(Role.name, $name)) { + Role.name + } +} \ No newline at end of file diff --git a/pkg/graph/data/roles.get.query.dql b/pkg/graph/data/roles.get.query.dql new file mode 100644 index 0000000..3d21453 --- /dev/null +++ b/pkg/graph/data/roles.get.query.dql @@ -0,0 +1,9 @@ +query queryGetRole($name: string) { + roles(func: eq(Role.name, $name)) { + Role.name + Role.etag + Role.permissions { + Permission.name + } + } +} \ No newline at end of file diff --git a/pkg/graph/data/subjects.exists.query.dql b/pkg/graph/data/subjects.exists.query.dql new file mode 100644 index 0000000..f4a7464 --- /dev/null +++ b/pkg/graph/data/subjects.exists.query.dql @@ -0,0 +1,5 @@ +query queryExistsSubject($name: string) { + subjects(func: eq(Subject.name, $name)) { + Subject.name + } +} \ No newline at end of file diff --git a/pkg/graph/groups.go b/pkg/graph/groups.go new file mode 100644 index 0000000..b9fef89 --- /dev/null +++ b/pkg/graph/groups.go 
@@ -0,0 +1,56 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/groups.get.query.dql
+var queryGetGroup string
+
+//go:embed data/groups.exists.query.dql
+var queryExistsGroup string
+
+func GetGroup(ctx context.Context, txn *dgo.Txn, name string) (*Group, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetGroup, m)
+ if err != nil {
+ return nil, err
+ }
+
+ groups := new(struct {
+ Groups []*Group `json:"groups"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &groups); err != nil {
+ return nil, err
+ }
+
+ if len(groups.Groups) == 0 {
+ return nil, nil
+ }
+
+ return groups.Groups[0], nil
+}
+
+func ExistsGroup(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsGroup, m)
+ if err != nil {
+ return false, err
+ }
+
+ groups := new(struct {
+ Groups []*Group `json:"groups"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &groups); err != nil {
+ return false, err
+ }
+
+ return len(groups.Groups) != 0, nil
+}
diff --git a/pkg/graph/permissions.go b/pkg/graph/permissions.go
new file mode 100644
index 0000000..e690014
--- /dev/null
+++ b/pkg/graph/permissions.go
@@ -0,0 +1,31 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/permissions.exists.query.dql
+var queryExistsPermission string
+
+func ExistsPermission(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsPermission, m)
+ if err != nil {
+ return false, err
+ }
+
+ permissions := new(struct {
+ Permissions []*Permission `json:"permissions"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &permissions); err != nil {
+ return false, err
+ }
+
+ return len(permissions.Permissions) != 0, nil
+}
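Review bot: `GetGroup` in pkg/graph/groups.go returns `nil, nil` when no group matches, and the exported function carries no doc comment saying so; in an access-control service a caller that checks only `err` will dereference a nil `*Group`. I would add `// GetGroup returns the group called name, or (nil, nil) when no such group exists.` and the equivalent line on `GetResource` in pkg/graph/resources.go and `GetRole` in pkg/graph/roles.go, which share the contract. When more than one node carries the same name the first result is returned silently; whether the `@upsert` index in schema.rdf rules that out depends on how the writes are done, which this hunk does not show.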
diff --git a/pkg/graph/resources.go b/pkg/graph/resources.go
new file mode 100644
index 0000000..6f6a4af
--- /dev/null
+++ b/pkg/graph/resources.go
@@ -0,0 +1,77 @@
+package graph
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+)
+
+//go:embed data/resources.get.query.dql
+var queryGetResource string
+
+//go:embed data/resources.exists.query.dql
+var queryExistsResource string
+
+//go:embed data/resources.has_children.query.dql
+var queryHasChildren string
+
+func GetResource(ctx context.Context, txn *dgo.Txn, name string) (*Resource, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryGetResource, m)
+ if err != nil {
+ return nil, err
+ }
+
+ resources := new(struct {
+ Resources []*Resource `json:"resources"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &resources); err != nil {
+ return nil, err
+ }
+
+ if len(resources.Resources) == 0 {
+ return nil, nil
+ }
+
+ return resources.Resources[0], nil
+}
+
+func ExistsResource(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryExistsResource, m)
+ if err != nil {
+ return false, err
+ }
+
+ resources := new(struct {
+ Resources []*Resource `json:"resources"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &resources); err != nil {
+ return false, err
+ }
+
+ return len(resources.Resources) != 0, nil
+}
+
+func HasChildren(ctx context.Context, txn *dgo.Txn, name string) (bool, error) {
+ m := map[string]string{"$name": name}
+ resp, err := txn.QueryWithVars(ctx, queryHasChildren, m)
+ if err != nil {
+ return false, err
+ }
+
+ children := new(struct {
+ Resources []*Resource `json:"children"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &children); err != nil {
+ return false, err
+ }
+
+ return len(children.Resources) != 0, nil
+}
diff --git a/pkg/graph/roles.go b/pkg/graph/roles.go
new file mode 100644
index 0000000..969e6f4
--- /dev/null
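Review bot: `HasChildren` decides by `len(children.Resources) != 0`, which appears to rely on Dgraph leaving out of the `children` block any node for which `~Resource.parent` returns nothing. That dependency deserves a comment above the function, e.g. `// The query selects only ~Resource.parent, so a resource without children is absent from the result.`, because adding a scalar such as `Resource.name` to the outer block of resources.has_children.query.dql would presumably make the function report children for every existing resource, and this check most likely guards deletion of a parent. The struct field holding the `children` block is named `Resources`; `Children` would read more clearly.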
+++ b/pkg/graph/roles.go @@ -0,0 +1,56 @@ +package graph + +import ( + "context" + "encoding/json" + + _ "embed" + + "github.com/dgraph-io/dgo/v210" +) + +//go:embed data/roles.get.query.dql +var queryGetRole string + +//go:embed data/roles.exists.query.dql +var queryExistsRole string + +func GetRole(ctx context.Context, txn *dgo.Txn, name string) (*Role, error) { + m := map[string]string{"$name": name} + resp, err := txn.QueryWithVars(ctx, queryGetRole, m) + if err != nil { + return nil, err + } + + roles := new(struct { + Roles []*Role `json:"roles"` + }) + + if err := json.Unmarshal(resp.Json, &roles); err != nil { + return nil, err + } + + if len(roles.Roles) == 0 { + return nil, nil + } + + return roles.Roles[0], nil +} + +func ExistsRole(ctx context.Context, txn *dgo.Txn, name string) (bool, error) { + m := map[string]string{"$name": name} + resp, err := txn.QueryWithVars(ctx, queryExistsRole, m) + if err != nil { + return false, err + } + + roles := new(struct { + Roles []*Role `json:"roles"` + }) + + if err := json.Unmarshal(resp.Json, &roles); err != nil { + return false, err + } + + return len(roles.Roles) != 0, nil +} diff --git a/pkg/graph/subjects.go b/pkg/graph/subjects.go new file mode 100644 index 0000000..a73ef4b --- /dev/null +++ b/pkg/graph/subjects.go @@ -0,0 +1,31 @@ +package graph + +import ( + "context" + "encoding/json" + + _ "embed" + + "github.com/dgraph-io/dgo/v210" +) + +//go:embed data/subjects.exists.query.dql +var queryExistsSubject string + +func ExistsSubject(ctx context.Context, txn *dgo.Txn, name string) (bool, error) { + m := map[string]string{"$name": name} + resp, err := txn.QueryWithVars(ctx, queryExistsSubject, m) + if err != nil { + return false, err + } + + subjects := new(struct { + Subjects []*Subject `json:"subjects"` + }) + + if err := json.Unmarshal(resp.Json, &subjects); err != nil { + return false, err + } + + return len(subjects.Subjects) != 0, nil +} 
diff --git a/pkg/graph/types.go b/pkg/graph/types.go new file mode 100644 index 0000000..8b7d5fa --- /dev/null +++ b/pkg/graph/types.go @@ -0,0 +1,44 @@ +package graph + +type Permission struct { + Name string `json:"Permission.name"` +} + +type Role struct { + Name string `json:"Role.name"` + Permissions []*Permission `json:"Role.permissions"` + ETag string `json:"Role.etag"` +} + +type Resource struct { + Name string `json:"Resource.name"` + Policy *Policy `json:"Resource.policy"` + Parent *Resource `json:"Resource.parent"` + ETag string `json:"Resource.etag"` +} + +type Policy struct { + Bindings []*Binding `json:"Policy.bindings"` + Version int32 `json:"Policy.version"` + ETag string `json:"Policy.etag"` +} + +type Binding struct { + Role *Role `json:"Binding.role"` + Members []Member `json:"Binding.members"` +} + +type Member struct { + Group string `json:"Group.name"` + Subject string `json:"Subject.name"` +} + +type Group struct { + Name string `json:"Group.name"` + Members []Member `json:"Group.members"` + ETag string `json:"Group.etag"` +} + +type Subject struct { + Name string `json:"Subject.name"` +} diff --git a/pkg/interrupt/interrupt.go b/pkg/interrupt/interrupt.go new file mode 100644 index 0000000..0265b9f --- /dev/null +++ b/pkg/interrupt/interrupt.go 
@@ -0,0 +1,104 @@ +/* +Copyright 2016 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package interrupt + +import ( + "os" + "os/signal" + "sync" + "syscall" +) + +// terminationSignals are signals that cause the program to exit in the +// supported platforms (linux, darwin, windows). +var terminationSignals = []os.Signal{syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT} + +// Handler guarantees execution of notifications after a critical section (the function passed +// to a Run method), even in the presence of process termination. It guarantees exactly once +// invocation of the provided notify functions. +type Handler struct { + notify []func() + final func(os.Signal) + once sync.Once +} + +// Chain creates a new handler that invokes all notify functions when the critical section exits +// and then invokes the optional handler's notifications. This allows critical sections to be +// nested without losing exactly once invocations. Notify functions can invoke any cleanup needed +// but should not exit (which is the responsibility of the parent handler). +func Chain(handler *Handler, notify ...func()) *Handler { + if handler == nil { + return New(nil, notify...) + } + return New(handler.Signal, append(notify, handler.Close)...) +} + +// New creates a new handler that guarantees all notify functions are run after the critical +// section exits (or is interrupted by the OS), then invokes the final handler. 
If no final +// handler is specified, the default final is `os.Exit(1)`. A handler can only be used for +// one critical section. +func New(final func(os.Signal), notify ...func()) *Handler { + return &Handler{ + final: final, + notify: notify, + } +} + +// Close executes all the notification handlers if they have not yet been executed. +func (h *Handler) Close() { + h.once.Do(func() { + for _, fn := range h.notify { + fn() + } + }) +} + +// Signal is called when an os.Signal is received, and guarantees that all notifications +// are executed, then the final handler is executed. This function should only be called once +// per Handler instance. +func (h *Handler) Signal(s os.Signal) { + h.once.Do(func() { + for _, fn := range h.notify { + fn() + } + if h.final == nil { + os.Exit(1) + } + h.final(s) + }) +} + +// Run ensures that any notifications are invoked after the provided fn exits (even if the +// process is interrupted by an OS termination signal). Notifications are only invoked once +// per Handler instance, so calling Run more than once will not behave as the user expects. +func (h *Handler) Run(fn func() error) error { + ch := make(chan os.Signal, 1) + signal.Notify(ch, terminationSignals...) + defer func() { + signal.Stop(ch) + close(ch) + }() + go func() { + sig, ok := <-ch + if !ok { + return + } + h.Signal(sig) + }() + defer h.Close() + return fn() +} diff --git a/pkg/services/authorize.go b/pkg/services/authorize.go new file mode 100644 index 0000000..f522c14 --- /dev/null +++ b/pkg/services/authorize.go 
@@ -0,0 +1,119 @@
+package services
+
+import (
+ "context"
+ "encoding/json"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sync/errgroup"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// TODO(christia-roggia): collapse into a single query as soon as dgraph
+// allows `shortest` to be performed with multiple exit nodes.
+
+//go:embed data/authorize.query.dql
+var queryAuthorize string
+
+func (s *AccessControlServerImpl) validateTestIamPolicy(ctx context.Context, req *grbac.TestIamPolicyRequest) error {
+ if req.AccessTuple == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {access tuple not defined}").Err()
+ }
+
+ if len(req.AccessTuple.FullResourceName) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {full resource name not defined}").Err()
+ }
+ if len(req.AccessTuple.Permission) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {permission not defined}").Err()
+ }
+ if len(req.AccessTuple.Principal) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {principal not defined}").Err()
+ }
+
+ if !isUserMember(req.AccessTuple.Principal) && !isServiceAccountMember(req.AccessTuple.Principal) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid principal name format}").Err()
+ }
+
+ return nil
+}
+
+// Checks whether a member has a specific permission for a specific resource.
+// If not allowed an Unauthorized (403) error will be returned.
+func (s *AccessControlServerImpl) TestIamPolicy(ctx context.Context, req *grbac.TestIamPolicyRequest) (*empty.Empty, error) {
+ if err := s.validateTestIamPolicy(ctx, req); err != nil {
+ return nil, err
+ }
+
+ m := map[string]string{
+ "$resource": req.AccessTuple.FullResourceName,
+ "$permission": toPermissionName(req.AccessTuple.Permission),
+ }
+
+ if isUserMember(req.AccessTuple.Principal) {
+ m["$principal"] = toUserName(req.AccessTuple.Principal)
+ } else if isServiceAccountMember(req.AccessTuple.Principal) {
+ m["$principal"] = toServiceAccountName(req.AccessTuple.Principal)
+ }
+
+ allUsers := map[string]string{
+ "$principal": allUsers,
+ "$resource": req.AccessTuple.FullResourceName,
+ "$permission": toPermissionName(req.AccessTuple.Permission),
+ }
+
+ // Ask in parallel whether the user is allowed or allUsers is allowed.
+ var isAllowed, isAllUsersAllowed bool
+ group, ctx := errgroup.WithContext(ctx)
+
+ group.Go(func() error {
+ allowed, err := s.testIamPolicy(ctx, m)
+
+ isAllowed = allowed
+ return err
+ })
+
+ group.Go(func() error {
+ allowed, err := s.testIamPolicy(ctx, allUsers)
+
+ isAllUsersAllowed = allowed
+ return err
+ })
+
+ if err := group.Wait(); err != nil {
+ logrus.WithError(err).Errorf("failed to execute authorize query")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if isAllowed || isAllUsersAllowed {
+ return &empty.Empty{}, nil
+ }
+
+ return nil, status.New(codes.PermissionDenied, "permission denied").Err()
+}
+
+func (s *AccessControlServerImpl) testIamPolicy(ctx context.Context, m map[string]string) (bool, error) {
+ resp, err := s.cli.NewReadOnlyTxn().QueryWithVars(ctx, queryAuthorize, m)
+ if err != nil {
+ return false, err
+ }
+
+ payload := new(struct {
+ Ok []json.RawMessage `json:"ok"`
+ })
+
+ if err := json.Unmarshal(resp.Json, &payload); err != nil {
+ return false, err
+ }
+
+ if len(payload.Ok) == 0 {
+ return false, nil
+ }
+
+ return true, nil
+}
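Review bot: In `TestIamPolicy` the local `allUsers := map[string]string{"$principal": allUsers, ...}` shadows the identifier it reads on the same line (presumably a package-level principal declared outside this hunk); it compiles only because the new name comes into scope after the statement, and from there on the function can no longer reach the original value. In the code that makes the allow/deny decision this is easy to misread, so I would name the two variable maps for what they hold, e.g. `principalVars := map[string]string{` and `allUsersVars := map[string]string{`, and pass those to `s.testIamPolicy`. The doc comment also says "Unauthorized (403)" while the function returns `codes.PermissionDenied`; `// If access is not granted, a PermissionDenied error is returned.` would match what callers actually receive.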
diff --git a/pkg/services/authorize_integration_test.go b/pkg/services/authorize_integration_test.go
new file mode 100644
index 0000000..37f475a
--- /dev/null
+++ b/pkg/services/authorize_integration_test.go
@@ -0,0 +1,350 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationAuthorize(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Anonymous = "user:anonymous" + + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + User1 = &grbac.Subject{ + Name: "users/user-1." + uuid.New().String(), + } + User2 = &grbac.Subject{ + Name: "users/user-2." + uuid.New().String(), + } + UserNotFound = &grbac.Subject{ + Name: "users/user-?." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + ServiceAccount1 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-1." + uuid.New().String(), + } + ServiceAccount2 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-2." + uuid.New().String(), + } + ServiceAccountNotFound = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-?." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." 
+ uuid.New().String(), + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + Group1 = &grbac.Group{ + Name: "groups/group-1." + uuid.New().String(), + Members: []string{ + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount1.Name), + }, + } + + PermissionGet = &grbac.Permission{ + Name: "permissions/grbac.test.get", + } + PermissionCreate = &grbac.Permission{ + Name: "permissions/grbac.test.create", + } + PermissionDelete = &grbac.Permission{ + Name: "permissions/grbac.test.delete", + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + RoleAdmin = &grbac.Role{ + Name: "roles/grbac.admin", + Permissions: []string{ + toPermissionId(PermissionGet.Name), + toPermissionId(PermissionCreate.Name), + toPermissionId(PermissionDelete.Name), + }, + } + RoleEditor = &grbac.Role{ + Name: "roles/grbac.editor", + Permissions: []string{ + toPermissionId(PermissionGet.Name), + toPermissionId(PermissionCreate.Name), + }, + } + RoleViewer = &grbac.Role{ + Name: "roles/grbac.viewer", + Permissions: []string{ + toPermissionId(PermissionGet.Name), + }, + } + + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(), + Parent: Resource0.Name, + } + Resource2 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-2." + uuid.New().String(), + Parent: "@animeshon", + } + ResourceNotFound = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-?." 
+ uuid.New().String(), + Parent: "@animeshon", + } + + Policy0 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: RoleEditor.Name, + Members: []string{ + toGroupMember(Group0.Name), + }, + }, + }, + } + Policy1 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: RoleAdmin.Name, + Members: []string{ + toGroupMember(Group0.Name), + }, + }, + { + Role: RoleEditor.Name, + Members: []string{ + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount1.Name), + }, + }, + { + Role: RoleViewer.Name, + Members: []string{ + "allUsers", + }, + }, + }, + } + Policy2 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: RoleViewer.Name, + Members: []string{ + toGroupMember(Group0.Name), + toGroupMember(Group1.Name), + }, + }, + }, + } + ) + + // Create new random resources. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1}) + require.NoError(t, err) + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource2}) + require.NoError(t, err) + + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionGet}) + require.NoError(t, err) + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionCreate}) + require.NoError(t, err) + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionDelete}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleAdmin}) + require.NoError(t, err) + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleEditor}) + require.NoError(t, err) + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: RoleViewer}) + require.NoError(t, err) + + _, err = 
server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User1}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User2}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount1}) + require.NoError(t, err) + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount2}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1}) + require.NoError(t, err) + + // Set IAM polices to resources. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource0.Name, Policy: Policy0}) + require.NoError(t, err) + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource1.Name, Policy: Policy1}) + require.NoError(t, err) + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{Resource: Resource2.Name, Policy: Policy2}) + require.NoError(t, err) + + type T struct { + object string + subject string + relation string + allowed bool + } + + for _, i := range []*T{ + // Test: authorization rule on non-existing resource should return permission denied. + {ResourceNotFound.Name, User0.Name, PermissionGet.Name, false}, + {ResourceNotFound.Name, Anonymous, PermissionGet.Name, false}, + + // Test: authorization rule on non-existing permission should return permission denied. 
+ {Resource0.Name, User0.Name, PermissionNotFound.Name, false}, + {Resource0.Name, Anonymous, PermissionNotFound.Name, false}, + + // Test: only members of group-0 should be granted "grbac.test.create" permission on resource-0. + {Resource0.Name, User0.Name, PermissionCreate.Name, true}, + {Resource0.Name, ServiceAccount0.Name, PermissionCreate.Name, true}, + + {Resource0.Name, User1.Name, PermissionCreate.Name, false}, + {Resource0.Name, User2.Name, PermissionCreate.Name, false}, + {Resource0.Name, UserNotFound.Name, PermissionCreate.Name, false}, + {Resource0.Name, ServiceAccount1.Name, PermissionCreate.Name, false}, + {Resource0.Name, ServiceAccount2.Name, PermissionCreate.Name, false}, + {Resource0.Name, ServiceAccountNotFound.Name, PermissionCreate.Name, false}, + {Resource0.Name, Anonymous, PermissionCreate.Name, false}, + + // Test: only members of group-0 should be granted "grbac.test.get" permission on resource-0. + {Resource0.Name, User0.Name, PermissionGet.Name, true}, + {Resource0.Name, ServiceAccount0.Name, PermissionGet.Name, true}, + + {Resource0.Name, User1.Name, PermissionGet.Name, false}, + {Resource0.Name, User2.Name, PermissionGet.Name, false}, + {Resource0.Name, UserNotFound.Name, PermissionGet.Name, false}, + {Resource0.Name, ServiceAccount1.Name, PermissionGet.Name, false}, + {Resource0.Name, ServiceAccount2.Name, PermissionGet.Name, false}, + {Resource0.Name, ServiceAccountNotFound.Name, PermissionGet.Name, false}, + {Resource0.Name, Anonymous, PermissionGet.Name, false}, + + // Test: nobody should be granted "grbac.test.delete" permission on resource-0. 
+ {Resource0.Name, User0.Name, PermissionDelete.Name, false}, + {Resource0.Name, User1.Name, PermissionDelete.Name, false}, + {Resource0.Name, User2.Name, PermissionDelete.Name, false}, + {Resource0.Name, UserNotFound.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccount0.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccount1.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccount2.Name, PermissionDelete.Name, false}, + {Resource0.Name, ServiceAccountNotFound.Name, PermissionDelete.Name, false}, + {Resource0.Name, Anonymous, PermissionDelete.Name, false}, + + // Test: all users should be granted "grbac.test.get" permission on resource-1. + {Resource1.Name, User0.Name, PermissionGet.Name, true}, + {Resource1.Name, User1.Name, PermissionGet.Name, true}, + {Resource1.Name, User2.Name, PermissionGet.Name, true}, + {Resource1.Name, UserNotFound.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccount0.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccount1.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccount2.Name, PermissionGet.Name, true}, + {Resource1.Name, ServiceAccountNotFound.Name, PermissionGet.Name, true}, + {Resource1.Name, Anonymous, PermissionGet.Name, true}, + + // Test: only members of group-0 should be granted "grbac.test.delete" permission on resource-1. 
+ {Resource1.Name, User0.Name, PermissionDelete.Name, true}, + {Resource1.Name, ServiceAccount0.Name, PermissionDelete.Name, true}, + + {Resource1.Name, User1.Name, PermissionDelete.Name, false}, + {Resource1.Name, User2.Name, PermissionDelete.Name, false}, + {Resource1.Name, UserNotFound.Name, PermissionDelete.Name, false}, + {Resource1.Name, ServiceAccount1.Name, PermissionDelete.Name, false}, + {Resource1.Name, ServiceAccount2.Name, PermissionDelete.Name, false}, + {Resource1.Name, ServiceAccountNotFound.Name, PermissionDelete.Name, false}, + {Resource1.Name, Anonymous, PermissionDelete.Name, false}, + + // Test: only members of group-0 (inherited) and group-1 should be granted "grbac.test.create" permission on resource-1. + {Resource1.Name, User0.Name, PermissionCreate.Name, true}, + {Resource1.Name, User1.Name, PermissionCreate.Name, true}, + {Resource1.Name, ServiceAccount0.Name, PermissionCreate.Name, true}, + {Resource1.Name, ServiceAccount1.Name, PermissionCreate.Name, true}, + + {Resource1.Name, User2.Name, PermissionCreate.Name, false}, + {Resource1.Name, ServiceAccount2.Name, PermissionCreate.Name, false}, + {Resource1.Name, Anonymous, PermissionCreate.Name, false}, + + // Test: only members of group-0 and group-1 should be granted "grbac.test.get" permission on resource-2. 
+ {Resource2.Name, User0.Name, PermissionGet.Name, true}, + {Resource2.Name, User1.Name, PermissionGet.Name, true}, + {Resource2.Name, ServiceAccount0.Name, PermissionGet.Name, true}, + {Resource2.Name, ServiceAccount1.Name, PermissionGet.Name, true}, + + {Resource2.Name, User2.Name, PermissionGet.Name, false}, + {Resource2.Name, ServiceAccount2.Name, PermissionGet.Name, false}, + {Resource2.Name, Anonymous, PermissionGet.Name, false}, + } { + subject := i.subject + if isUser(i.subject) { + subject = toUserMember(i.subject) + } else if isServiceAccount(i.subject) { + subject = toServiceAccountMember(i.subject) + } + _, err = server.TestIamPolicy(context.TODO(), &grbac.TestIamPolicyRequest{ + AccessTuple: &grbac.AccessTuple{ + FullResourceName: i.object, + Principal: subject, + Permission: toPermissionId(i.relation), + }, + }) + + if i.allowed { + assert.NoError(t, err, "[%s:%s:%s]", i.object, i.relation, i.subject) + } else { + assert.Error(t, err, "[%s:%s:%s]", i.object, i.relation, i.subject) + if err != nil { + assert.Equal(t, codes.PermissionDenied, status.Code(err), "[%s:%s:%s]", i.object, i.relation, i.subject) + } + } + } +} diff --git a/pkg/services/authorizer_service.go b/pkg/services/authorizer_service.go new file mode 100644 index 0000000..4b337cc --- /dev/null +++ b/pkg/services/authorizer_service.go 
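Review bot: Every row of the table in `TestIntegrationAuthorize` sends a well-formed tuple, so none of the `InvalidArgument` branches of `validateTestIamPolicy` in authorize.go is exercised: a nil `AccessTuple`, an empty resource, permission or principal, or a principal that is neither a user nor a service-account member. For an access-control endpoint those rejections are part of the contract and should be pinned alongside the allow/deny matrix. A short second loop that sends such requests and checks `assert.Equal(t, codes.InvalidArgument, status.Code(err))` would cover them without touching the existing rows.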
@@ -0,0 +1,118 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "google.golang.org/grpc"
+)
+
+type AccessControlServerConfig struct {
+ DgraphHostname string
+}
+
+// NewAccessControlServer returns a new instance of AccessControl server.
+func NewAccessControlServer(cfg *AccessControlServerConfig) (grbac.AccessControlServer, error) {
+ connection, err := grpc.Dial(cfg.DgraphHostname, grpc.WithInsecure())
+ if err != nil {
+ return nil, err
+ }
+
+ return &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(connection)),
+ conn: connection,
+ }, nil
+}
+
+type AccessControlServerImpl struct {
+ cli *dgo.Dgraph
+ conn *grpc.ClientConn
+}
+
+func (s *AccessControlServerImpl) Close() error {
+ return s.conn.Close()
+}
+
+func (s *AccessControlServerImpl) delete(ctx context.Context, txn *dgo.Txn, queryTmpl, mutationTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ mutation, err := ExecuteTemplate(mutationTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{DelNquads: mutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func (s *AccessControlServerImpl) create(ctx context.Context, txn *dgo.Txn, queryTmpl, mutationTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ mutation, err := ExecuteTemplate(mutationTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{SetNquads: mutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func (s *AccessControlServerImpl) update(ctx context.Context, txn *dgo.Txn, queryTmpl, setTmpl, deleteTmpl *template.Template, data interface{}) error {
+ query, err := ExecuteTemplate(queryTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ setMutation, err := ExecuteTemplate(setTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ deleteMutation, err := ExecuteTemplate(deleteTmpl, data)
+ if err != nil {
+ return err
+ }
+
+ request := &api.Request{
+ Query: string(query),
+ Mutations: []*api.Mutation{{DelNquads: deleteMutation}, {SetNquads: setMutation}},
+ CommitNow: true,
+ }
+
+ _, err = txn.Do(ctx, request)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/pkg/services/data/authorize.query.dql b/pkg/services/data/authorize.query.dql
new file mode 100644
index 0000000..57c5a6f
--- /dev/null
+++ b/pkg/services/data/authorize.query.dql
@@ -0,0 +1,17 @@
+query queryAuthorize($principal: string, $resource: string, $permission: string) {
+ var(func: eq(Subject.name, $principal)) { subject as uid }
+ var(func: eq(Resource.name, $resource)) { object as uid }
+ var(func: eq(Permission.name, $permission)) { ~Role.permissions { roles as uid } }
+
+ path as shortest(from: uid(object), to: uid(subject)) {
+ Resource.parent
+ Resource.policy
+ Policy.bindings @filter(uid_in(Binding.role, uid(roles)))
+ Group.members
+ Binding.members
+ }
+
+ ok(func: uid(path), first:1) {
+ uid
+ }
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.create.mutation.go.tmpl b/pkg/services/data/groups/groups.create.mutation.go.tmpl
new file mode 100644
index 0000000..22ba4bd
--- /dev/null
+++ b/pkg/services/data/groups/groups.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(group) "Group" .
+uid(group) "{{ .Group.Name }}" .
+uid(group) "{{ .ETag }}" .
+
+{{- range .Group.Members }}
+uid(group) uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
\ No newline at end of file
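Review bot: `NewAccessControlServer` dials Dgraph with `grpc.WithInsecure()` and `AccessControlServerConfig` offers no field to choose anything else, so the store that holds every policy, role and binding is always reached over plaintext gRPC with no server authentication. Whoever can observe or sit on that network path can read or alter authorization data, which makes this connection part of the trust boundary of the service. I would make transport security configurable: add a field such as `TLSConfig *tls.Config` to the config and dial with `grpc.WithTransportCredentials(credentials.NewTLS(cfg.TLSConfig))` when it is set, leaving the insecure option as an explicit choice for local development. `cfg` is also dereferenced without a nil check.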
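Review bot: This query is the whole allow/deny decision, yet nothing in it states the property it relies on. As far as the templates in this commit show, the only route from `object` to `subject` over the listed predicates crosses a `Policy.bindings` edge filtered by `uid_in(Binding.role, uid(roles))`, with `Resource.parent` giving inheritance and `Group.members` giving group expansion. A short `#` comment block above `path as shortest(...)` saying so, and noting that every predicate added to the block widens what can be reached, would protect that invariant when the query is reworked as the TODO in authorize.go plans.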
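Review bot: `"{{ .Group.Name }}"` is rendered by `text/template` (imported in authorizer_service.go), which performs no escaping, so a name containing a double quote or a line break changes the structure of the statement sent to Dgraph instead of being stored as a value. The same pattern appears in every `*.query.go.tmpl`, `*.mutation.go.tmpl` and `*.set.go.tmpl` file of this commit that places `.Name`, `.Resource`, `.Role`, `.Resource.Parent` or a member name inside a quoted literal. Unless the handlers reject such characters before rendering (not visible in these hunks), request strings should not be spliced into statements: pass lookup values as query variables (`Vars` on `api.Request`), as authorize.go already does through `QueryWithVars`, and send mutations as JSON (`SetJson`/`DeleteJson`) or through a template function that escapes string literals.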
diff --git a/pkg/services/data/groups/groups.create.query.go.tmpl b/pkg/services/data/groups/groups.create.query.go.tmpl
new file mode 100644
index 0000000..6bafe05
--- /dev/null
+++ b/pkg/services/data/groups/groups.create.query.go.tmpl
@@ -0,0 +1,15 @@
+query {
+ var(func: eq(Group.name, "{{ .Group.Name }}")) { group as uid }
+
+ {{- range .Group.Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.delete.mutation.go.tmpl b/pkg/services/data/groups/groups.delete.mutation.go.tmpl
new file mode 100644
index 0000000..a2a14ae
--- /dev/null
+++ b/pkg/services/data/groups/groups.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(group) * * .
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.delete.query.go.tmpl b/pkg/services/data/groups/groups.delete.query.go.tmpl
new file mode 100644
index 0000000..88708c7
--- /dev/null
+++ b/pkg/services/data/groups/groups.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Group.name, "{{ .Name }}")) { group as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.delete.go.tmpl b/pkg/services/data/groups/groups.update.delete.go.tmpl
new file mode 100644
index 0000000..24539e9
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.delete.go.tmpl
@@ -0,0 +1,5 @@
+uid(group) * .
+
+{{- if call .FieldMask "group.members" }}
+uid(group) * .
+{{- end }} {{/* if FieldMask "group.members" */}}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.query.go.tmpl b/pkg/services/data/groups/groups.update.query.go.tmpl
new file mode 100644
index 0000000..fb25ddd
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.query.go.tmpl
@@ -0,0 +1,17 @@
+query {
+ var(func: eq(Group.name, "{{ .Group.Name }}")) { group as uid }
+
+ {{- if call .FieldMask "group.members" }}
+ {{- range .Group.Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+ {{- end }} {{/* if FieldMask "group.members" */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/groups/groups.update.set.go.tmpl b/pkg/services/data/groups/groups.update.set.go.tmpl
new file mode 100644
index 0000000..15fba4a
--- /dev/null
+++ b/pkg/services/data/groups/groups.update.set.go.tmpl
@@ -0,0 +1,7 @@
+uid(group) "{{ .ETag }}" .
+
+{{- if call .FieldMask "group.members" }}
+{{- range .Group.Members }}
+uid(group) uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
+{{- end }} {{/* if FieldMask "group.members" */}}
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.create.mutation.go.tmpl b/pkg/services/data/permissions/permissions.create.mutation.go.tmpl
new file mode 100644
index 0000000..a18fbf8
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.create.mutation.go.tmpl
@@ -0,0 +1,2 @@
+uid(permission) "Permission" .
+uid(permission) "{{ .Permission.Name }}" .
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.create.query.go.tmpl b/pkg/services/data/permissions/permissions.create.query.go.tmpl
new file mode 100644
index 0000000..1b857ed
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.create.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Permission.name, "{{ .Permission.Name }}")) { permission as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl b/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl
new file mode 100644
index 0000000..e74de71
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(permission) * * .
\ No newline at end of file
diff --git a/pkg/services/data/permissions/permissions.delete.query.go.tmpl b/pkg/services/data/permissions/permissions.delete.query.go.tmpl
new file mode 100644
index 0000000..d32fefc
--- /dev/null
+++ b/pkg/services/data/permissions/permissions.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Permission.name, "{{ .Name }}")) { permission as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.delete.go.tmpl b/pkg/services/data/policies/policies.update.delete.go.tmpl
new file mode 100644
index 0000000..b84ecf6
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.delete.go.tmpl
@@ -0,0 +1,5 @@
+uid(policy) * .
+uid(policy) * .
+uid(policy) * .
+
+uid(bindings) * * .
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.query.go.tmpl b/pkg/services/data/policies/policies.update.query.go.tmpl
new file mode 100644
index 0000000..6ab198c
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.query.go.tmpl
@@ -0,0 +1,23 @@
+query {
+ resource as var(func: eq(Resource.name, "{{ .Resource }}")) {
+ policy as Resource.policy {
+ bindings as Policy.bindings
+ }
+ }
+
+ {{- range .Policy.Bindings }}
+ var(func: eq(Role.name, "{{ .Role }}")) { role_{{ AlphaNumVar .Role }} as uid }
+
+ {{- range .Members }}
+ {{- if IsGroup . }}
+ var(func: eq(Group.name, "{{ ToGroupName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsUser . }}
+ var(func: eq(Subject.name, "{{ ToUserName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsServiceAccount . }}
+ var(func: eq(Subject.name, "{{ ToServiceAccountName . }}")) { members_{{ AlphaNumVar . }} as uid }
+ {{- else if IsAllUsers . }}
+ var(func: eq(Subject.name, "system/allUsers")) { members_{{ AlphaNumVar . }} as uid }
+ {{- end }} {{/* if IsGroup . */}}
+ {{- end }} {{/* range .Members */}}
+ {{- end }} {{/* range .Bindings */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/policies/policies.update.set.go.tmpl b/pkg/services/data/policies/policies.update.set.go.tmpl
new file mode 100644
index 0000000..f675e25
--- /dev/null
+++ b/pkg/services/data/policies/policies.update.set.go.tmpl
@@ -0,0 +1,17 @@
+uid(resource) uid(policy) .
+
+uid(policy) "Policy" .
+uid(policy) "{{ .ETag }}" .
+uid(policy) "{{ .Policy.Version }}" .
+
+{{- range .Policy.Bindings }}
+uid(policy) _:binding_{{ AlphaNumVar .Role }} .
+
+_:binding_{{ AlphaNumVar .Role }} "Binding" ..
+_:binding_{{ AlphaNumVar .Role }} uid(role_{{ AlphaNumVar .Role }}) .
+
+{{- $binding := . }}
+{{- range .Members }}
+_:binding_{{ AlphaNumVar $binding.Role }} uid(members_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Members */}}
+{{- end }} {{/* range .Bindings */}}
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.create.mutation.go.tmpl b/pkg/services/data/resources/resources.create.mutation.go.tmpl
new file mode 100644
index 0000000..ebc5a09
--- /dev/null
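Review bot: In policies.update.set.go.tmpl the statement that types the binding node ends in `"Binding" ..`, with two dots where every other statement in these templates ends with one; this looks like a typo, and the extra dot should go unless the parser is known to tolerate it. Separately, the blank node `_:binding_{{ AlphaNumVar .Role }}` and the `role_…` and `members_…` variables in policies.update.query.go.tmpl are keyed only by `AlphaNumVar` of the role or member name. If that helper drops characters, two distinct names could map to one identifier and their bindings would be merged, which in a policy write means members ending up under a role they were not given. `AlphaNumVar` is defined outside this diff section, so this needs checking against its implementation; keying the identifiers by loop index would remove the dependency.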
+++ b/pkg/services/data/resources/resources.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(resource) "Resource" .
+uid(resource) "{{ .Resource.Name }}" .
+uid(resource) "{{ .ETag }}" .
+
+{{- with .Resource.Parent }}
+uid(resource) uid(parent) .
+{{- end }} {{/* with .Resource.Parent */}}
diff --git a/pkg/services/data/resources/resources.create.query.go.tmpl b/pkg/services/data/resources/resources.create.query.go.tmpl
new file mode 100644
index 0000000..292fa30
--- /dev/null
+++ b/pkg/services/data/resources/resources.create.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ var(func: eq(Resource.name, "{{ .Resource.Name }}")) { resource as uid }
+
+ {{- with .Resource.Parent }}
+ var(func: eq(Resource.name, "{{ . }}")) { parent as uid }
+ {{- end }} {{/* with .Resource.Parent */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.delete.mutation.go.tmpl b/pkg/services/data/resources/resources.delete.mutation.go.tmpl
new file mode 100644
index 0000000..780e9ea
--- /dev/null
+++ b/pkg/services/data/resources/resources.delete.mutation.go.tmpl
@@ -0,0 +1,3 @@
+uid(resource) * * .
+uid(policy) * * .
+uid(bindings) * * .
\ No newline at end of file
diff --git a/pkg/services/data/resources/resources.delete.query.go.tmpl b/pkg/services/data/resources/resources.delete.query.go.tmpl
new file mode 100644
index 0000000..5a6b0ed
--- /dev/null
+++ b/pkg/services/data/resources/resources.delete.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ resource as var(func: eq(Resource.name, "{{ .Name }}")) {
+ policy as Resource.policy {
+ bindings as Policy.bindings
+ }
+ }
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.create.mutation.go.tmpl b/pkg/services/data/roles/roles.create.mutation.go.tmpl
new file mode 100644
index 0000000..fab2cff
--- /dev/null
+++ b/pkg/services/data/roles/roles.create.mutation.go.tmpl
@@ -0,0 +1,7 @@
+uid(role) "Role" .
+uid(role) "{{ .Role.Name }}" .
+uid(role) "{{ .ETag }}" .
+
+{{- range .Role.Permissions }}
+uid(role) uid(permission_{{ AlphaNumVar . }}) .
+{{- end }}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.create.query.go.tmpl b/pkg/services/data/roles/roles.create.query.go.tmpl
new file mode 100644
index 0000000..16e1b7a
--- /dev/null
+++ b/pkg/services/data/roles/roles.create.query.go.tmpl
@@ -0,0 +1,7 @@
+query {
+ var(func: eq(Role.name, "{{ .Role.Name }}")) { role as uid }
+
+ {{- range .Role.Permissions }}
+ var(func: eq(Permission.name, "{{ ToPermissionName . }}")) { permission_{{ AlphaNumVar . }} as uid }
+ {{- end }}
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.delete.mutation.go.tmpl b/pkg/services/data/roles/roles.delete.mutation.go.tmpl
new file mode 100644
index 0000000..763512c
--- /dev/null
+++ b/pkg/services/data/roles/roles.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(role) * * .
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.delete.query.go.tmpl b/pkg/services/data/roles/roles.delete.query.go.tmpl
new file mode 100644
index 0000000..6f043e3
--- /dev/null
+++ b/pkg/services/data/roles/roles.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Role.name, "{{ .Name }}")) { role as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.delete.go.tmpl b/pkg/services/data/roles/roles.update.delete.go.tmpl
new file mode 100644
index 0000000..ef3cda7
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.delete.go.tmpl
@@ -0,0 +1,3 @@
+{{- if call .FieldMask "role.permissions" }}
+uid(role) * .
+{{- end }} {{/* if FieldMask "role.permissions" */}}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.query.go.tmpl b/pkg/services/data/roles/roles.update.query.go.tmpl
new file mode 100644
index 0000000..e759354
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.query.go.tmpl
@@ -0,0 +1,9 @@
+query {
+ var(func: eq(Role.name, "{{ .Role.Name }}")) { role as uid }
+
+ {{- if call .FieldMask "role.permissions" }}
+ {{- range .Role.Permissions }}
+ var(func: eq(Permission.name, "{{ ToPermissionName . }}")) { permission_{{ AlphaNumVar . }} as uid }
+ {{- end }}
+ {{- end }} {{/* if FieldMask "role.permissions" */}}
+}
\ No newline at end of file
diff --git a/pkg/services/data/roles/roles.update.set.go.tmpl b/pkg/services/data/roles/roles.update.set.go.tmpl
new file mode 100644
index 0000000..1dda6af
--- /dev/null
+++ b/pkg/services/data/roles/roles.update.set.go.tmpl
@@ -0,0 +1,8 @@
+
+uid(role) "{{ .ETag }}" .
+
+{{- if call .FieldMask "role.permissions" }}
+{{- range .Role.Permissions }}
+uid(role) uid(permission_{{ AlphaNumVar . }}) .
+{{- end }} {{/* range .Permissions */}}
+{{- end }} {{/* if FieldMask "role.permissions" */}}
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.create.mutation.go.tmpl b/pkg/services/data/subjects/subjects.create.mutation.go.tmpl
new file mode 100644
index 0000000..998a98c
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.create.mutation.go.tmpl
@@ -0,0 +1,2 @@
+uid(subject) "Subject" .
+uid(subject) "{{ .Subject.Name }}" .
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.create.query.go.tmpl b/pkg/services/data/subjects/subjects.create.query.go.tmpl
new file mode 100644
index 0000000..b958a94
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.create.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "{{ .Subject.Name }}")) { subject as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl b/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl
new file mode 100644
index 0000000..26c75d9
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.delete.mutation.go.tmpl
@@ -0,0 +1 @@
+uid(subject) * * .
\ No newline at end of file
diff --git a/pkg/services/data/subjects/subjects.delete.query.go.tmpl b/pkg/services/data/subjects/subjects.delete.query.go.tmpl
new file mode 100644
index 0000000..0bcad12
--- /dev/null
+++ b/pkg/services/data/subjects/subjects.delete.query.go.tmpl
@@ -0,0 +1,3 @@
+query {
+ var(func: eq(Subject.name, "{{ .Name }}")) { subject as uid }
+}
\ No newline at end of file
diff --git a/pkg/services/groups.go b/pkg/services/groups.go
new file mode 100644
index 0000000..ea56383
--- /dev/null
+++ b/pkg/services/groups.go
@@ -0,0 +1,110 @@ +package services + +import ( + "strings" + + "github.com/grbac/grbac/pkg/graph" +) + +type MemberError struct { + member string + field string + err string +} + +func (e *MemberError) Error() string { + return e.member + ": " + e.field + ": " + e.err +} + +func members(members []graph.Member) ([]string, error) { + var list []string + for _, member := range members { + if len(member.Group) != 0 { + if isGroup(member.Group) { + list = append(list, toGroupMember(member.Group)) + continue + } + + return nil, &MemberError{ + member: member.Group, + field: "Group", + err: "invalid member type", + } + } + + if len(member.Subject) != 0 { + if isAllUsers(member.Subject) { + list = append(list, "allUsers") + continue + } + + if isServiceAccount(member.Subject) { + list = append(list, toServiceAccountMember(member.Subject)) + continue + } + + if isUser(member.Subject) { + list = append(list, toUserMember(member.Subject)) + continue + } + + return nil, &MemberError{ + member: member.Subject, + field: "Subject", + err: "invalid member type", + } + } + + return nil, &MemberError{ + member: "", + field: "", + err: "member is not set", + } + } + + return list, nil +} + +func isUserMember(name string) bool { + return strings.HasPrefix(name, "user:") +} + +func isServiceAccountMember(name string) bool { + return strings.HasPrefix(name, "serviceAccount:") +} + +func isGroupMember(name string) bool { + return strings.HasPrefix(name, "group:") +} + +func isAllUsersMember(name string) bool { + return name == "allUsers" +} + +func isGroup(name string) bool { + return strings.HasPrefix(name, "groups/") +} + +func toUserName(name string) string { + return "users/" + strings.TrimPrefix(name, "user:") +} + +func toServiceAccountName(name string) string { + return "serviceAccounts/" + strings.TrimPrefix(name, "serviceAccount:") +} + +func toGroupName(name string) string { + return "groups/" + strings.TrimPrefix(name, "group:") +} + +func toUserMember(name string) string { + 
return "user:" + strings.TrimPrefix(name, "users/") +} + +func toServiceAccountMember(name string) string { + return "serviceAccount:" + strings.TrimPrefix(name, "serviceAccounts/") +} + +func toGroupMember(name string) string { + return "group:" + strings.TrimPrefix(name, "groups/") +} diff --git a/pkg/services/groups_create.go b/pkg/services/groups_create.go new file mode 100644 index 0000000..b5917df --- /dev/null +++ b/pkg/services/groups_create.go 
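Review bot: The `is*Member` predicates and `isGroup` accept any string that merely starts with the expected prefix, so `"group:"`, `"user:"` or `"groups/"` with an empty or arbitrary remainder count as valid names. The create and update validators in this commit rely on these results before the names reach the graph layer, so the check should also constrain the remainder: at minimum `return len(name) > len("groups/") && strings.HasPrefix(name, "groups/")`, and preferably an allow-list of characters applied in one shared helper. Separately, `members` silently prefers `Group` when a member has both `Group` and `Subject` set; a short doc comment on `members` and on `MemberError` stating that would help.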
@@ -0,0 +1,120 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/groups/groups.create.query.go.tmpl +var queryCreateGroup string + +//go:embed data/groups/groups.create.mutation.go.tmpl +var mutationCreateGroup string + +var templateQueryCreateGroup = template.Must( + template.New("QueryCreateGroup").Funcs(defaultFuncMap).Parse(queryCreateGroup), +) + +var templateMutationCreateGroup = template.Must( + template.New("MutationCreateGroup").Funcs(defaultFuncMap).Parse(mutationCreateGroup), +) + +func (s *AccessControlServerImpl) validateCreateGroup(ctx context.Context, txn *dgo.Txn, req *grbac.CreateGroupRequest) error { + // A group must be defined. + if req.Group == nil { + return status.New(codes.InvalidArgument, "invalid argument {group not defined}").Err() + } + + // The group name must be defined. + if len(req.Group.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Group.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + // The members must all exist and must have a valid type. + for _, m := range req.Group.Members { + memberFound, err := false, error(nil) + if isGroupMember(m) { + // TODO: should groups be allowed to include other groups? + // TODO: if yes, a maximum path distance should be set to avoid too heavy queries. 
+ memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m)) + } else if isUserMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m)) + } else if isServiceAccountMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m)) + } else if isAllUsersMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, allUsers) + } else { + return status.New(codes.InvalidArgument, "invalid argument {invalid member type}").Err() + } + + if err != nil { + logrus.WithError(err).Errorf("CreateGroup: failed to query group members") + return status.New(codes.Internal, "internal error").Err() + } + + if !memberFound { + return status.New(codes.FailedPrecondition, "failed precondition {member does not exist}").Err() + } + } + + // The group must be new to avoid race conditions. + groupFound, err := graph.ExistsGroup(ctx, txn, req.Group.Name) + if err != nil { + logrus.WithError(err).Errorf("CreateGroup: failed to query group") + return status.New(codes.Internal, "internal error").Err() + } + + if groupFound { + return status.New(codes.AlreadyExists, "conflict").Err() + } + + return nil +} + +// CreateGroup creates a new group. +func (s *AccessControlServerImpl) CreateGroup(ctx context.Context, req *grbac.CreateGroupRequest) (*grbac.Group, error) { + txn := s.cli.NewTxn() + if err := s.validateCreateGroup(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. 
+ etag := []byte("TODO") + + data := struct { + Group *grbac.Group + ETag string + }{ + Group: req.GetGroup(), + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.create(ctx, txn, templateQueryCreateGroup, templateMutationCreateGroup, data); err != nil { + logrus.WithError(err).Errorf("CreateGroup: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + group := &grbac.Group{ + Name: req.Group.Name, + Members: req.Group.Members, + Etag: etag, + } + + return group, nil +} diff --git a/pkg/services/groups_delete.go b/pkg/services/groups_delete.go new file mode 100644 index 0000000..f11d6cf --- /dev/null +++ b/pkg/services/groups_delete.go 
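Review bot: `validateCreateGroup` issues one `graph.ExistsGroup` or `graph.ExistsSubject` round trip per entry of `req.Group.Members`, and nothing bounds the length of that list, so a single request can trigger an arbitrary number of Dgraph queries. `validateUpdateGroup` in groups_update.go has the same loop. Reject oversized lists before the loop, e.g. `if len(req.Group.Members) > maxGroupMembers { return status.New(codes.InvalidArgument, "invalid argument {too many members}").Err() }`, where `maxGroupMembers` is a new package constant (name and limit are a proposal). Duplicate entries are also queried once each and could be collapsed first.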
@@ -0,0 +1,77 @@ +package services + +import ( + "context" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + empty "google.golang.org/protobuf/types/known/emptypb" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/groups/groups.delete.query.go.tmpl +var queryDeleteGroup string + +//go:embed data/groups/groups.delete.mutation.go.tmpl +var mutationDeleteGroup string + +var templateQueryDeleteGroup = template.Must( + template.New("QueryDeleteGroup").Funcs(defaultFuncMap).Parse(queryDeleteGroup), +) + +var templateMutationDeleteGroup = template.Must( + template.New("MutationDeleteGroup").Funcs(defaultFuncMap).Parse(mutationDeleteGroup), +) + +func (s *AccessControlServerImpl) validateDeleteGroup(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteGroupRequest) error { + // The group name must be defined. + if len(req.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + // The group must exist. + groupFound, err := graph.ExistsGroup(ctx, txn, req.Name) + if err != nil { + logrus.WithError(err).Errorf("DeleteGroup: failed to query group") + return status.New(codes.Internal, "internal error").Err() + } + + if !groupFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// DeleteGroup deletes a group. 
+func (s *AccessControlServerImpl) DeleteGroup(ctx context.Context, req *grbac.DeleteGroupRequest) (*empty.Empty, error) { + txn := s.cli.NewTxn() + if err := s.validateDeleteGroup(ctx, txn, req); err != nil { + return nil, err + } + + data := struct { + Name string + }{ + Name: req.GetName(), + } + + if err := s.delete(ctx, txn, templateQueryDeleteGroup, templateMutationDeleteGroup, data); err != nil { + logrus.WithError(err).Errorf("DeleteGroup: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + return &empty.Empty{}, nil +} diff --git a/pkg/services/groups_get.go b/pkg/services/groups_get.go new file mode 100644 index 0000000..672b38f --- /dev/null +++ b/pkg/services/groups_get.go 
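Review bot: `validateDeleteGroup` checks only the name format and that the group exists; it does not check whether the group is still referenced as a member of another group or of a policy binding. The delete templates are outside this hunk, but if they remove only the group node's own predicates, the referencing edges stay behind. `members()` in groups.go would then reach its "member is not set" branch, which `GetGroup` and `GetIamPolicy` turn into `Internal` errors for the referencing objects. Either reject deletion of a referenced group with `codes.FailedPrecondition` or remove the incoming member edges in the same transaction, and add a comment on `DeleteGroup` saying which of the two applies.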
@@ -0,0 +1,63 @@ +package services + +import ( + "context" + "encoding/base64" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func (s *AccessControlServerImpl) validateGetGroup(ctx context.Context, txn *dgo.Txn, req *grbac.GetGroupRequest) error { + if len(req.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + return nil +} + +// GetGroup returns a group. +func (s *AccessControlServerImpl) GetGroup(ctx context.Context, req *grbac.GetGroupRequest) (*grbac.Group, error) { + txn := s.cli.NewReadOnlyTxn() + if err := s.validateGetGroup(ctx, txn, req); err != nil { + return nil, err + } + + resp, err := graph.GetGroup(ctx, txn, req.GetName()) + if err != nil { + logrus.WithError(err).Errorf("failed to get group [%s]", req.GetName()) + return nil, status.New(codes.Internal, "internal error").Err() + } + + if resp == nil { + return nil, status.New(codes.NotFound, "not found").Err() + } + + group := &grbac.Group{ + Name: resp.Name, + } + + group.Etag, err = base64.StdEncoding.DecodeString(resp.ETag) + if err != nil { + logrus.WithError(err).Errorf("failed to decode resource etag [%s]", req.Name) + return nil, status.New(codes.Internal, "internal error").Err() + } + + group.Members, err = members(resp.Members) + if err != nil { + logrus.WithError(err).Errorf("failed to get group members [%s]", req.Name) + return nil, status.New(codes.Internal, "internal error").Err() + } + + return group, nil +} diff --git a/pkg/services/groups_integration_test.go b/pkg/services/groups_integration_test.go new file mode 100644 index 0000000..319ae16 --- /dev/null 
+++ b/pkg/services/groups_integration_test.go 
@@ -0,0 +1,383 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/fieldmaskpb" +) + +func TestIntegrationGroupCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + User1 = &grbac.Subject{ + Name: "users/user-1." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + ServiceAccount1 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-1." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." + uuid.New().String(), + Members: []string{ + "allUsers", + toUserMember(User0.Name), + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount0.Name), + toServiceAccountMember(ServiceAccount1.Name), + }, + } + Group1 = &grbac.Group{ + Name: "groups/group-1." + uuid.New().String(), + Members: []string{ + toGroupMember(Group0.Name), + }, + } + Group2 = &grbac.Group{ + Name: "groups/group-2." 
+ uuid.New().String(), + Members: []string{ + "allUsers", + toUserMember(User0.Name), + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount0.Name), + toServiceAccountMember(ServiceAccount1.Name), + toGroupMember(Group0.Name), + }, + } + Group3 = &grbac.Group{ + Name: "groups/group-3." + uuid.New().String(), + Members: []string{}, + } + ) + + // Test: creation with non-existing subjects should fail. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: creation with non-existing groups should fail. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: creation with non-existing mixed members should fail. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group2}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Create new random subjects. + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User1}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount1}) + require.NoError(t, err) + + // Test: creation (subjects only) should not fail. + group0, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + require.NotNil(t, group0) + + assert.Equal(t, Group0.Name, group0.Name) + assert.ElementsMatch(t, Group0.Members, group0.Members) + assert.NotEmpty(t, group0.Etag) + + // Test: creation (groups only) should not fail. 
+ group1, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group1}) + require.NoError(t, err) + require.NotNil(t, group1) + + assert.Equal(t, Group1.Name, group1.Name) + assert.ElementsMatch(t, Group1.Members, group1.Members) + assert.NotEmpty(t, group1.Etag) + + // Test: creation (mixed members) should not fail. + group2, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group2}) + require.NoError(t, err) + require.NotNil(t, group2) + + assert.Equal(t, Group2.Name, group2.Name) + assert.ElementsMatch(t, Group2.Members, group2.Members) + assert.NotEmpty(t, group2.Etag) + + // Test: creation (no members) should not fail. + group3, err := server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group3}) + require.NoError(t, err) + require.NotNil(t, group3) + + assert.Equal(t, Group3.Name, group3.Name) + assert.Empty(t, group3.Members) + assert.NotEmpty(t, group3.Etag) + + // Test: creation of duplicate group should fail with already exists. + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) + + // Test: get group (mixed members) should return the same group created. + group, err := server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group2.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group2.Name, group.Name) + assert.ElementsMatch(t, Group2.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + // Test: get group (no members) should return the same group created. 
+ group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group3.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group3.Name, group.Name) + assert.Empty(t, group.Members) + assert.NotEmpty(t, group.Etag) +} + +func TestIntegrationGroupDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." + uuid.New().String(), + Members: []string{ + "allUsers", + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + GroupNotFound = &grbac.Group{ + Name: "groups/group-?." + uuid.New().String(), + } + ) + + // Create new random group and subjects. + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + + // Test: deletion of existing resource with no children should not fail. + empty, err := server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: Group0.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + // Test: get resource should return 'not found' after deletion. 
+ _, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of already deleted resource should fail. + _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: Group0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing resource should fail. + _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: GroupNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} + +func TestIntegrationGroupUpdate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/user-0." + uuid.New().String(), + } + UserNotFound = &grbac.Subject{ + Name: "users/user-?." + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(), + } + ServiceAccountNotFound = &grbac.Subject{ + Name: "serviceAccounts/serviceaccount-?." + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/group-0." + uuid.New().String(), + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + GroupNotFound = &grbac.Group{ + Name: "groups/group-?." + uuid.New().String(), + } + ) + + // Create new random group and subjects. 
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + + // Test: update (add existing subjects) should not fail. + Group0.Members = append(Group0.Members, + "allUsers", + ) + + group, err := server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + // Test: update (add non-existing subjects) should fail. + Group0.Members = append(Group0.Members, + toUserMember(UserNotFound.Name), + toServiceAccountMember(ServiceAccountNotFound.Name), + ) + + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update (remove subjects) should not fail. 
+ Group0.Members = nil + group, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + group, err = server.GetGroup(context.TODO(), &grbac.GetGroupRequest{Name: Group0.Name}) + require.NoError(t, err) + require.NotNil(t, group) + + assert.Equal(t, Group0.Name, group.Name) + assert.ElementsMatch(t, Group0.Members, group.Members) + assert.NotEmpty(t, group.Etag) + + // Test: update with mutable field mask should not fail. + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{ + Group: Group0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"group", "group.members"}, + }}) + require.NoError(t, err) + + // Test: update with immutable field mask should fail. + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{ + Group: Group0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"group.name"}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update with invalid field mask should fail. + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{ + Group: Group0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{""}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update of a self-referencing group should fail. + Group0.Members = []string{Group0.Name} + _, err = server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: Group0}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update of non-existing resource should fail. + _, err = server.DeleteGroup(context.TODO(), &grbac.DeleteGroupRequest{Name: GroupNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} 
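Review bot: The self-reference case near the end of `TestIntegrationGroupUpdate` sets `Group0.Members = []string{Group0.Name}`, which is a resource name (`groups/…`) rather than a member string, so `validateUpdateGroup` rejects it as "invalid member type" and the self-containing check is never exercised. Both paths return `InvalidArgument`, so the assertion passes either way. Use `Group0.Members = []string{toGroupMember(Group0.Name)}` instead. The last case is labelled "update of non-existing resource" but calls `DeleteGroup`; it should be `server.UpdateGroup(context.TODO(), &grbac.UpdateGroupRequest{Group: GroupNotFound})`.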
diff --git a/pkg/services/groups_members_add.go b/pkg/services/groups_members_add.go
new file mode 100644
index 0000000..2f9f923
--- /dev/null
+++ b/pkg/services/groups_members_add.go
@@ -0,0 +1,15 @@
+package services
+
+import (
+ "context"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// AddGroupMember adds a member to a group.
+func (s *AccessControlServerImpl) AddGroupMember(ctx context.Context, req *grbac.AddGroupMemberRequest) (*grbac.Group, error) {
+ return nil, status.New(codes.Unimplemented, "unimplemented").Err()
+}
diff --git a/pkg/services/groups_members_remove.go b/pkg/services/groups_members_remove.go
new file mode 100644
index 0000000..10c8480
--- /dev/null
+++ b/pkg/services/groups_members_remove.go
@@ -0,0 +1,15 @@
+package services
+
+import (
+ "context"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// RemoveGroupMember removes a member from a group.
+func (s *AccessControlServerImpl) RemoveGroupMember(ctx context.Context, req *grbac.RemoveGroupMemberRequest) (*grbac.Group, error) {
+ return nil, status.New(codes.Unimplemented, "unimplemented").Err()
+}
diff --git a/pkg/services/groups_update.go b/pkg/services/groups_update.go
new file mode 100644
index 0000000..d3352ae
--- /dev/null
+++ b/pkg/services/groups_update.go
@@ -0,0 +1,146 @@ +package services + +import ( + "context" + "encoding/base64" + "text/template" + + _ "embed" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/grbac/grbac/pkg/fieldmask" + "github.com/grbac/grbac/pkg/graph" + "github.com/sirupsen/logrus" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +//go:embed data/groups/groups.update.query.go.tmpl +var queryUpdateGroup string + +//go:embed data/groups/groups.update.set.go.tmpl +var setUpdateGroup string + +//go:embed data/groups/groups.update.delete.go.tmpl +var deleteUpdateGroup string + +var templateQueryUpdateGroup = template.Must( + template.New("QueryUpdateGroup").Funcs(defaultFuncMap).Parse(queryUpdateGroup), +) + +var templateSetUpdateGroup = template.Must( + template.New("SetUpdateGroup").Funcs(defaultFuncMap).Parse(setUpdateGroup), +) + +var templateDeleteUpdateGroup = template.Must( + template.New("DeleteUpdateGroup").Funcs(defaultFuncMap).Parse(deleteUpdateGroup), +) + +func (s *AccessControlServerImpl) validateUpdateGroup(ctx context.Context, txn *dgo.Txn, req *grbac.UpdateGroupRequest) error { + // A group must be defined. + if req.Group == nil { + return status.New(codes.InvalidArgument, "invalid argument {group not defined}").Err() + } + + // The group name must be defined. + if len(req.Group.Name) == 0 { + return status.New(codes.InvalidArgument, "invalid argument {group name not defined}").Err() + } + + // The group name must be well formatted. + if !isGroup(req.Group.Name) { + return status.New(codes.InvalidArgument, "invalid argument {invalid group name format}").Err() + } + + // The update field mask must contain valid paths. + for _, path := range req.GetUpdateMask().GetPaths() { + switch path { + case "group", "group.members": + default: + return status.New(codes.InvalidArgument, "invalid argument {invalid field mask}").Err() + } + } + + // The members must all exist and must have a valid type. 
+ for _, m := range req.Group.Members { + memberFound, err := false, error(nil) + if isGroupMember(m) { + if toGroupName(m) == req.Group.Name { + return status.New(codes.InvalidArgument, "invalid argument {self-containing groups are forbidden}").Err() + } + + // TODO: should groups be allowed to include other groups? + // TODO: if yes, a maximum path distance should be set to avoid too heavy queries. + memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m)) + } else if isUserMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m)) + } else if isServiceAccountMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m)) + } else if isAllUsersMember(m) { + memberFound, err = graph.ExistsSubject(ctx, txn, allUsers) + } else { + return status.New(codes.InvalidArgument, "invalid argument {invalid member type}").Err() + } + + if err != nil { + logrus.WithError(err).Errorf("UpdateGroup: failed to query group members") + return status.New(codes.Internal, "internal error").Err() + } + + if !memberFound { + return status.New(codes.InvalidArgument, "invalid argument {member does not exist}").Err() + } + } + + // The group must exist. + groupFound, err := graph.ExistsGroup(ctx, txn, req.Group.Name) + if err != nil { + logrus.WithError(err).Errorf("UpdateGroup: failed to query group") + return status.New(codes.Internal, "internal error").Err() + } + + if !groupFound { + return status.New(codes.NotFound, "not found").Err() + } + + return nil +} + +// UpdateGroup updates a group with a field mask. +func (s *AccessControlServerImpl) UpdateGroup(ctx context.Context, req *grbac.UpdateGroupRequest) (*grbac.Group, error) { + txn := s.cli.NewTxn() + if err := s.validateUpdateGroup(ctx, txn, req); err != nil { + return nil, err + } + + // TODO: etag should be generated according to the data structure. 
+ etag := []byte("TODO") + + fieldmask := fieldmask.NewFieldMask(req.GetUpdateMask()) + + data := struct { + Group *grbac.Group + FieldMask func(string) bool + ETag string + }{ + Group: req.GetGroup(), + FieldMask: fieldmask.Contains, + ETag: base64.StdEncoding.EncodeToString(etag), + } + + if err := s.update(ctx, txn, templateQueryUpdateGroup, templateSetUpdateGroup, templateDeleteUpdateGroup, data); err != nil { + logrus.WithError(err).Errorf("UpdateGroup: failed to execute dgraph call") + return nil, status.New(codes.Internal, "internal error").Err() + } + + // TODO: merge missing fields (not included in the update mask) with the group in dgraph. + group := &grbac.Group{ + Name: req.Group.Name, + Members: req.Group.Members, + Etag: etag, + } + + return group, nil +} diff --git a/pkg/services/iam_policies_get.go b/pkg/services/iam_policies_get.go new file mode 100644 index 0000000..0cc83ea --- /dev/null +++ b/pkg/services/iam_policies_get.go 
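Review bot: `validateUpdateGroup` never reads `req.Group.Etag`, so two concurrent read-modify-write updates of a group's members overwrite each other without either caller noticing; for membership data that means a stale write can restore a member that was just removed. The existence check at the end of the function could load the group and compare etags, returning `codes.Aborted` on mismatch. With the placeholder `"TODO"` etag the comparison is vacuous until real etags are generated, but the contract would already be in place. The sketch below replaces the `graph.ExistsGroup` block and assumes `graph.GetGroup` returns nil for a missing group, as `GetGroup` in groups_get.go treats it.

```go
// … unchanged: name, field-mask and member validation …

// The group must exist and, when the caller sent an etag, it must match.
stored, err := graph.GetGroup(ctx, txn, req.Group.Name)
if err != nil {
	logrus.WithError(err).Errorf("UpdateGroup: failed to query group")
	return status.New(codes.Internal, "internal error").Err()
}

if stored == nil {
	return status.New(codes.NotFound, "not found").Err()
}

if len(req.Group.Etag) != 0 && base64.StdEncoding.EncodeToString(req.Group.Etag) != stored.ETag {
	return status.New(codes.Aborted, "aborted {etag mismatch}").Err()
}

return nil
```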
@@ -0,0 +1,80 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/genproto/googleapis/iam/v1"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetIamPolicy(ctx context.Context, txn *dgo.Txn, req *iam.GetIamPolicyRequest) error {
+ if len(req.Resource) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err()
+ }
+
+ // The full resource name must be well formatted.
+ if !isFullResourceName(req.Resource) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ return nil
+}
+
+// Gets the IAM policy that is attached to a generic resource.
+func (s *AccessControlServerImpl) GetIamPolicy(ctx context.Context, req *iam.GetIamPolicyRequest) (*iam.Policy, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetIamPolicy(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO(performance): a new query should be used to query only the resource and its policy.
+ resp, err := graph.GetResource(ctx, txn, req.GetResource())
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get resource [%s]", req.GetResource())
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ if resp.Policy == nil {
+ return &iam.Policy{}, nil
+ }
+
+ policy := &iam.Policy{
+ Version: resp.Policy.Version,
+ }
+
+ policy.Etag, err = base64.StdEncoding.DecodeString(resp.Policy.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode policy etag [%s]", req.Resource)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ for _, i := range resp.Policy.Bindings {
+ if i.Role == nil {
+ logrus.Warningf("found binding with no role in resource [%s]", resp.Name)
+ continue
+ }
+
+ binding := &iam.Binding{
+ Role: i.Role.Name,
+ }
+
+ binding.Members, err = members(i.Members)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get binding members [%s:%s]", req.Resource, i.Role.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ policy.Bindings = append(policy.Bindings, binding)
+ }
+
+ return policy, nil
+}
diff --git a/pkg/services/iam_policies_integration_test.go b/pkg/services/iam_policies_integration_test.go
new file mode 100644
index 0000000..5f51d3e
--- /dev/null
+++ b/pkg/services/iam_policies_integration_test.go
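Review bot: The doc comment on GetIamPolicy leaves out two behaviours a caller has to know: a resource with no stored policy yields an empty `iam.Policy` rather than NotFound, and bindings whose role is nil are skipped with only a warning, so the returned policy can list fewer bindings than are stored. I would write it as `// GetIamPolicy returns the IAM policy attached to a resource. A resource with no policy yields an empty policy; bindings without a role are logged and omitted.`, which also starts with the function name as Go doc comments do. validateGetIamPolicy has no comment at all and never uses its `txn` parameter; a one-line comment saying it only checks the request shape would make that explicit.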
@@ -0,0 +1,334 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/genproto/googleapis/iam/v1" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationSetIamPolicy(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + User0 = &grbac.Subject{ + Name: "users/" + uuid.New().String(), + } + User1 = &grbac.Subject{ + Name: "users/" + uuid.New().String(), + } + + ServiceAccount0 = &grbac.Subject{ + Name: "serviceAccounts/" + uuid.New().String(), + } + ServiceAccount1 = &grbac.Subject{ + Name: "serviceAccounts/" + uuid.New().String(), + } + + Group0 = &grbac.Group{ + Name: "groups/" + uuid.New().String(), + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + }, + } + Group1 = &grbac.Group{ + Name: "groups/" + uuid.New().String(), + } + + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." 
+ uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/" + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + Role1 = &grbac.Role{ + Name: "roles/" + uuid.New().String(), + } + + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/" + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/" + uuid.New().String(), + Parent: "@animeshon", + } + + Policy0 = &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + } + ) + + // Create new random resources. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0}) + require.NoError(t, err) + + _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0}) + require.NoError(t, err) + + _, err = server.CreateGroup(context.TODO(), &grbac.CreateGroupRequest{Group: Group0}) + require.NoError(t, err) + + // Test: newly created resource should have an empty policy. + policy, err := server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource0.Name}) + require.NoError(t, err) + require.NotNil(t, policy) + require.Empty(t, policy.Bindings) + require.Empty(t, policy.Etag) + require.Empty(t, policy.Version) + + // Test: get policy should return 'not found' if the resource doesn't exist. 
+ _, err = server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource1.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: setting a valid resource policy should not fail. + policy, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: Policy0, + }) + require.NoError(t, err) + require.NotNil(t, policy) + require.Equal(t, Policy0.Bindings, policy.Bindings) + require.Equal(t, Policy0.Version, policy.Version) + require.NotEmpty(t, policy.Etag) + + // Test: get resource should return the same resource created. + policy, err = server.GetIamPolicy(context.TODO(), &iam.GetIamPolicyRequest{Resource: Resource0.Name}) + require.NoError(t, err) + require.NotNil(t, policy) + require.Equal(t, Policy0.Bindings, policy.Bindings) + require.Equal(t, Policy0.Version, policy.Version) + require.NotEmpty(t, policy.Etag) + + // Test: setting an invalid (no policy) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (no resource name) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing resource) resource policy should fail. 
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource1.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: setting an invalid (unsupported version) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 5, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (no role) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing role) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role1.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing user) resource policy should fail. 
+ _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User1.Name), + toServiceAccountMember(ServiceAccount0.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing service account) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount1.Name), + toGroupMember(Group0.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (non-existing group) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + Members: []string{ + toUserMember(User0.Name), + toServiceAccountMember(ServiceAccount1.Name), + toGroupMember(Group1.Name), + }, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: setting an invalid (no members) resource policy should fail. + _, err = server.SetIamPolicy(context.TODO(), &iam.SetIamPolicyRequest{ + Resource: Resource0.Name, + Policy: &iam.Policy{ + Version: 1, + Bindings: []*iam.Binding{ + { + Role: Role0.Name, + }, + }, + }, + }) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) +} diff --git a/pkg/services/iam_policies_set.go b/pkg/services/iam_policies_set.go new file mode 100644 index 0000000..fd94977 --- /dev/null +++ b/pkg/services/iam_policies_set.go 
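Review bot: The "non-existing group" case does not isolate the group check, because its Members list still contains `toServiceAccountMember(ServiceAccount1.Name)` and ServiceAccount1 is never created. validateSetIamPolicy walks the members in order and returns InvalidArgument at the service account, so `Group1` is never looked up and the test would keep passing if the group-existence branch were removed. Change that member to `toServiceAccountMember(ServiceAccount0.Name)` so that the group is the only missing principal.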
@@ -0,0 +1,154 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/genproto/googleapis/iam/v1"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/policies/policies.update.query.go.tmpl
+var queryUpdatePolicy string
+
+//go:embed data/policies/policies.update.set.go.tmpl
+var setUpdatePolicy string
+
+//go:embed data/policies/policies.update.delete.go.tmpl
+var deleteUpdatePolicy string
+
+var templateQueryUpdatePolicy = template.Must(
+ template.New("QueryUpdatePolicy").Funcs(defaultFuncMap).Parse(queryUpdatePolicy),
+)
+
+var templateSetUpdatePolicy = template.Must(
+ template.New("SetUpdatePolicy").Funcs(defaultFuncMap).Parse(setUpdatePolicy),
+)
+
+var templateDeleteUpdatePolicy = template.Must(
+ template.New("DeleteUpdatePolicy").Funcs(defaultFuncMap).Parse(deleteUpdatePolicy),
+)
+
+func (s *AccessControlServerImpl) validateSetIamPolicy(ctx context.Context, txn *dgo.Txn, req *iam.SetIamPolicyRequest) error {
+ // The resource name must be defined.
+ if len(req.Resource) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err()
+ }
+
+ // The full resource name must be well formatted.
+ if !isFullResourceName(req.Resource) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ // The resource policy is optional.
+ if req.Policy == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {policy not defined}").Err()
+ }
+
+ // The policy version must be defined and valid.
+ if req.Policy.Version != 1 {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid policy version}").Err()
+ }
+
+ for _, i := range req.Policy.Bindings {
+ // The binding role must be defined.
+ if len(i.Role) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err()
+ }
+
+ // The role must exist.
+ roleFound, err := graph.ExistsRole(ctx, txn, i.Role)
+ if err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to query role")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !roleFound {
+ return status.New(codes.InvalidArgument, "invalid argument {role does not exist}").Err()
+ }
+
+ // There must be at least one member in the binding.
+ if len(i.Members) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {binding has no members}").Err()
+ }
+
+ // The members must all exist and must have a known type.
+ for _, m := range i.Members {
+ memberFound := false
+ if isGroupMember(m) {
+ memberFound, err = graph.ExistsGroup(ctx, txn, toGroupName(m))
+ } else if isUserMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toUserName(m))
+ } else if isServiceAccountMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, toServiceAccountName(m))
+ } else if isAllUsersMember(m) {
+ memberFound, err = graph.ExistsSubject(ctx, txn, allUsers)
+ } else {
+ return status.New(codes.InvalidArgument, "invalid argument {unknown member type}").Err()
+ }
+
+ if err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to query binding members")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !memberFound {
+ return status.New(codes.InvalidArgument, "invalid argument {member does not exist}").Err()
+ }
+ }
+ }
+
+ // The resource must exist.
+ resourceFound, err := graph.ExistsResource(ctx, txn, req.Resource)
+ if err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to query resource")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !resourceFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// Sets the IAM policy that is attached to a generic resource.
+func (s *AccessControlServerImpl) SetIamPolicy(ctx context.Context, req *iam.SetIamPolicyRequest) (*iam.Policy, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateSetIamPolicy(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ data := struct {
+ Resource string
+ Policy *iam.Policy
+ ETag string
+ }{
+ Resource: req.GetResource(),
+ Policy: req.GetPolicy(),
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.update(ctx, txn, templateQueryUpdatePolicy, templateSetUpdatePolicy, templateDeleteUpdatePolicy, data); err != nil {
+ logrus.WithError(err).Errorf("SetIamPolicy: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ policy := &iam.Policy{
+ Version: req.Policy.Version,
+ Bindings: req.Policy.Bindings,
+ Etag: etag,
+ }
+
+ return policy, nil
+}
diff --git a/pkg/services/permissions.go b/pkg/services/permissions.go
new file mode 100644
index 0000000..beb7f55
--- /dev/null
+++ b/pkg/services/permissions.go
@@ -0,0 +1,21 @@
+package services
+
+import "strings"
+
+func isPermission(name string) bool {
+ return strings.HasPrefix(name, "permissions/")
+}
+
+func toPermissionId(name string) string {
+ return strings.TrimPrefix(name, "permissions/")
+}
+
+func toPermissionName(name string) string {
+ return "permissions/" + name
+}
+
+// isValidPermissionId enforces the Google Cloud IAM permission format
+// [service].[resource].[verb].
+func isValidPermissionId(name string) bool {
+ return len(strings.Split(toPermissionId(name), ".")) == 3
+}
diff --git a/pkg/services/permissions_create.go b/pkg/services/permissions_create.go
new file mode 100644
index 0000000..a3339ec
--- /dev/null
+++ b/pkg/services/permissions_create.go
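Review bot: SetIamPolicy never compares `req.Policy.Etag` with the stored etag and always writes the constant `[]byte("TODO")`, so two administrators who each read a policy, edit it and write it back silently overwrite one another's bindings. Until real etags exist the doc comment should say that updates are last-writer-wins; once they do, validateSetIamPolicy should reject a non-empty request etag that differs from the stored one with `codes.Aborted`. The same placeholder etag is returned by CreateResource in resources_create.go and by UpdateGroup. Separately, the comment `// The resource policy is optional.` contradicts the nil check below it, which rejects a missing policy; `// The resource policy must be defined.` matches the code.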
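Review bot: `isValidPermissionId` only counts the pieces returned by `strings.Split`, so names with empty segments such as `permissions/..` or `permissions/a..b` are accepted as `[service].[resource].[verb]`. validateCreatePermission in permissions_create.go relies on this function as its only shape check before the name is stored, so each segment should also be required to be non-empty. The rewrite below keeps the signature and the three-segment rule.

```go
func isValidPermissionId(name string) bool {
	segments := strings.Split(toPermissionId(name), ".")
	if len(segments) != 3 {
		return false
	}
	for _, segment := range segments {
		if segment == "" {
			return false
		}
	}
	return true
}
```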
@@ -0,0 +1,81 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/permissions/permissions.create.query.go.tmpl
+var queryCreatePermission string
+
+//go:embed data/permissions/permissions.create.mutation.go.tmpl
+var mutationCreatePermission string
+
+var templateQueryCreatePermission = template.Must(
+ template.New("QueryCreatePermission").Funcs(defaultFuncMap).Parse(queryCreatePermission),
+)
+
+var templateMutationCreatePermission = template.Must(
+ template.New("MutationCreatePermission").Funcs(defaultFuncMap).Parse(mutationCreatePermission),
+)
+
+func (s *AccessControlServerImpl) validateCreatePermission(ctx context.Context, txn *dgo.Txn, req *grbac.CreatePermissionRequest) error {
+ // A permission must be defined.
+ if req.Permission == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {permission not defined}").Err()
+ }
+
+ // The permission name must be defined.
+ if len(req.Permission.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {permission name not defined}").Err()
+ }
+
+ // The permission name must be well formatted.
+ if !isPermission(req.Permission.Name) || !isValidPermissionId(req.Permission.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid permission name format}").Err()
+ }
+
+ // The permission must be new to avoid race conditions.
+ permissionFound, err := graph.ExistsPermission(ctx, txn, req.Permission.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to validate 'CreatePermission' request")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if permissionFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreatePermission creates a new permission.
+func (s *AccessControlServerImpl) CreatePermission(ctx context.Context, req *grbac.CreatePermissionRequest) (*grbac.Permission, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreatePermission(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Permission *grbac.Permission
+ }{
+ Permission: req.GetPermission(),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreatePermission, templateMutationCreatePermission, data); err != nil {
+ logrus.WithError(err).Errorf("CreatePermission: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &grbac.Permission{Name: req.Permission.Name}, nil
+}
diff --git a/pkg/services/permissions_delete.go b/pkg/services/permissions_delete.go
new file mode 100644
index 0000000..57cc2cc
--- /dev/null
+++ b/pkg/services/permissions_delete.go
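Review bot: `req.Permission` is rendered into the Dgraph query and mutation through `text/template`, which does no escaping of its own, and the name is only checked by `isPermission` and `isValidPermissionId`, which constrain the prefix and the number of dots but not the characters. Whether the embedded templates or `defaultFuncMap` quote the value is not visible in this hunk; if they do not, a name containing quotes or braces changes the structure of the generated mutation. I would restrict the identifier to an explicit allow-list of characters in validateCreatePermission, and pass request values as Dgraph query variables or through one shared escaping helper. The same pattern applies to CreateResource in resources_create.go, SetIamPolicy in iam_policies_set.go and the two delete handlers, where `isFullResourceName` accepts anything `url.Parse` tolerates.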
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/permissions/permissions.delete.query.go.tmpl
+var queryDeletePermission string
+
+//go:embed data/permissions/permissions.delete.mutation.go.tmpl
+var mutationDeletePermission string
+
+var templateQueryDeletePermission = template.Must(
+ template.New("QueryDeletePermission").Funcs(defaultFuncMap).Parse(queryDeletePermission),
+)
+
+var templateMutationDeletePermission = template.Must(
+ template.New("MutationDeletePermission").Funcs(defaultFuncMap).Parse(mutationDeletePermission),
+)
+
+func (s *AccessControlServerImpl) validateDeletePermission(ctx context.Context, txn *dgo.Txn, req *grbac.DeletePermissionRequest) error {
+ // The permission name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {permission name not defined}").Err()
+ }
+
+ // The permission name must be well formatted.
+ if !isPermission(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid permission name format}").Err()
+ }
+
+ // The permission must exist.
+ permissionFound, err := graph.ExistsPermission(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeletePermission: failed to query permission")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !permissionFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeletePermission deletes a permission.
+func (s *AccessControlServerImpl) DeletePermission(ctx context.Context, req *grbac.DeletePermissionRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeletePermission(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeletePermission, templateMutationDeletePermission, data); err != nil {
+ logrus.WithError(err).Errorf("DeletePermission: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
diff --git a/pkg/services/permissions_integration_test.go b/pkg/services/permissions_integration_test.go
new file mode 100644
index 0000000..ecfaf36
--- /dev/null
+++ b/pkg/services/permissions_integration_test.go
@@ -0,0 +1,109 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationPermissionCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionInvalid = &grbac.Permission{ + Name: "permissions/" + uuid.New().String(), + } + ) + + // Test: creation should not fail. + user0, err := server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + require.NotNil(t, user0) + + assert.Equal(t, Permission0.Name, user0.Name) + + // Test: creation with invalid format should fail. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: PermissionInvalid}) + assert.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: creation of duplicate permission should fail with already exists. 
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) +} + +func TestIntegrationPermissionDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + ) + + // Create a new random permission. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + // Test: deletion of existing permission should not fail. + empty, err := server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: Permission0.Name}) + require.NoError(t, err) + assert.NotNil(t, empty) + + // Test: deletion of deleted permission should fail. + _, err = server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: Permission0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing permission should fail. + _, err = server.DeletePermission(context.TODO(), &grbac.DeletePermissionRequest{Name: PermissionNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} diff --git a/pkg/services/resources.go b/pkg/services/resources.go new file mode 100644 index 0000000..d56c5ba --- /dev/null +++ b/pkg/services/resources.go 
@@ -0,0 +1,16 @@
+package services
+
+import "net/url"
+
+func isFullResourceName(name string) bool {
+ if name == "@animeshon" {
+ return true
+ }
+
+ if len(name) == 0 || name[:2] != "//" {
+ return false
+ }
+
+ _, err := url.Parse("https:" + name)
+ return err == nil
+}
diff --git a/pkg/services/resources_create.go b/pkg/services/resources_create.go
new file mode 100644
index 0000000..7e1081a
--- /dev/null
+++ b/pkg/services/resources_create.go
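Review bot: `name[:2]` panics with a slice-bounds error when `name` is exactly one byte long, because the guard before it only rules out the empty string. Every handler that calls isFullResourceName on request data (validateGetIamPolicy, validateSetIamPolicy, validateCreateResource, validateDeleteResource) checks only `len(...) == 0` first, so a one-character resource name from any client reaches the panic; whether a recovery interceptor is installed is not visible here. Change the guard to `if len(name) < 2 || name[:2] != "//" {`. A doc comment stating that only `@animeshon` or a `//`-prefixed name that `url.Parse` accepts is valid would also help, since that parse is permissive about the characters it allows.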
@@ -0,0 +1,114 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/resources/resources.create.query.go.tmpl
+var queryCreateResource string
+
+//go:embed data/resources/resources.create.mutation.go.tmpl
+var mutationCreateResource string
+
+var templateQueryCreateResource = template.Must(
+ template.New("QueryCreateResource").Funcs(defaultFuncMap).Parse(queryCreateResource),
+)
+
+var templateMutationCreateResource = template.Must(
+ template.New("MutationCreateResource").Funcs(defaultFuncMap).Parse(mutationCreateResource),
+)
+
+func (s *AccessControlServerImpl) validateCreateResource(ctx context.Context, txn *dgo.Txn, req *grbac.CreateResourceRequest) error {
+ // A resource must be defined.
+ if req.Resource == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {resource not defined}").Err()
+ }
+
+ // The resource name must be defined.
+ if len(req.Resource.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err()
+ }
+
+ // The resource name must be well formatted.
+ if !isFullResourceName(req.Resource.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ // The parent name must be defined.
+ if len(req.Resource.Parent) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {parent name not defined}").Err()
+ }
+
+ // The parent name must be well formatted.
+ if !isFullResourceName(req.Resource.Parent) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid parent name format}").Err()
+ }
+
+ // The parent must exist.
+ parentFound, err := graph.ExistsResource(ctx, txn, req.Resource.Parent)
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateResource: failed to query resource parent")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !parentFound {
+ return status.New(codes.InvalidArgument, "invalid argument {parent does not exist}").Err()
+ }
+
+ // The resource must be new to avoid race conditions.
+ resourceFound, err := graph.ExistsResource(ctx, txn, req.Resource.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateResource: failed to query resource")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resourceFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateResource creates a new resource.
+func (s *AccessControlServerImpl) CreateResource(ctx context.Context, req *grbac.CreateResourceRequest) (*grbac.Resource, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateResource(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ data := struct {
+ Resource *grbac.Resource
+ ETag string
+ }{
+ Resource: req.GetResource(),
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateResource, templateMutationCreateResource, data); err != nil {
+ logrus.WithError(err).Errorf("CreateResource: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ resource := &grbac.Resource{
+ Name: req.Resource.Name,
+ Parent: req.Resource.Parent,
+ Etag: etag,
+ }
+
+ return resource, nil
+}
diff --git a/pkg/services/resources_delete.go b/pkg/services/resources_delete.go
new file mode 100644
index 0000000..fdd59fa
--- /dev/null
+++ b/pkg/services/resources_delete.go
@@ -0,0 +1,88 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/resources/resources.delete.query.go.tmpl
+var queryDeleteResource string
+
+//go:embed data/resources/resources.delete.mutation.go.tmpl
+var mutationDeleteResource string
+
+var templateQueryDeleteResource = template.Must(
+ template.New("QueryDeleteResource").Funcs(defaultFuncMap).Parse(queryDeleteResource),
+)
+
+var templateMutationDeleteResource = template.Must(
+ template.New("MutationDeleteResource").Funcs(defaultFuncMap).Parse(mutationDeleteResource),
+)
+
+func (s *AccessControlServerImpl) validateDeleteResource(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteResourceRequest) error {
+ // The resource name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err()
+ }
+
+ // The resource name must be well formatted.
+ if !isFullResourceName(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ // The resource must exist.
+ resourceFound, err := graph.ExistsResource(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteResource: failed to query resource")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !resourceFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ // The resource must not have children before deletion.
+ childrenFound, err := graph.HasChildren(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteResource: failed to check if resource has children")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if childrenFound {
+ return status.New(codes.FailedPrecondition, "failed precondition {resource has children}").Err()
+ }
+
+ return nil
+}
+
+// DeleteResource deletes a resource.
+func (s *AccessControlServerImpl) DeleteResource(ctx context.Context, req *grbac.DeleteResourceRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteResource(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.Name,
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteResource, templateMutationDeleteResource, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteResource: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
diff --git a/pkg/services/resources_get.go b/pkg/services/resources_get.go
new file mode 100644
index 0000000..bb0a007
--- /dev/null
+++ b/pkg/services/resources_get.go
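Review bot: The transaction opened in `DeleteResource` with `s.cli.NewTxn()` is never discarded when `validateDeleteResource` returns an error, even though the validator has already run queries on it, and this hunk does not show `s.delete` cleaning it up on failure either. Adding `defer txn.Discard(ctx)` directly after `NewTxn()` covers every return path; dgo documents a Discard after a successful Commit as a no-op. The same pattern appears in `CreateResource`, `GetResource`, `CreateRole`, `DeleteRole`, `GetRole`, `UpdateRole` and `CreateSubject`.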
@@ -0,0 +1,64 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetResource(ctx context.Context, txn *dgo.Txn, req *grbac.GetResourceRequest) error {
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {resource name not defined}").Err()
+ }
+
+ // The resource name must be well formatted.
+ if !isFullResourceName(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid resource name format}").Err()
+ }
+
+ return nil
+}
+
+// GetResource returns a resource.
+func (s *AccessControlServerImpl) GetResource(ctx context.Context, req *grbac.GetResourceRequest) (*grbac.Resource, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetResource(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO(performance): GetResource should return only the resource name and parent (no policy).
+ resp, err := graph.GetResource(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get resource [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ resource := &grbac.Resource{
+ Name: resp.Name,
+ }
+
+ resource.Etag, err = base64.StdEncoding.DecodeString(resp.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode resource etag [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp.Parent != nil {
+ resource.Parent = resp.Parent.Name
+ }
+
+ return resource, nil
+}
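Review bot: `validateGetResource` takes `ctx` and `txn` but uses neither, and `GetResource` opens the read-only transaction before the request has been validated. Dropping the unused parameters and moving `txn := s.cli.NewReadOnlyTxn()` below the validation call avoids creating a transaction for requests that are rejected anyway. The first check also lacks the `// The resource name must be defined.` comment that the sibling validators carry. `validateGetRole` and `GetRole` in roles_get.go have the same shape.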
diff --git a/pkg/services/resources_integration_test.go b/pkg/services/resources_integration_test.go
new file mode 100644
index 0000000..3d94ba6
--- /dev/null
+++ b/pkg/services/resources_integration_test.go
@@ -0,0 +1,174 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +func TestIntegrationResourceCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + ResourceNotFound = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-?." + uuid.New().String(), + Parent: "@animeshon", + } + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(), + Parent: Resource0.Name, + } + Resource2 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-2." + uuid.New().String(), + Parent: ResourceNotFound.Name, + } + Resource3 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-3." + uuid.New().String(), + } + ) + + // Test: creation should not fail. 
+ resource0, err := server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + require.NotNil(t, resource0) + + assert.Equal(t, Resource0.Name, resource0.Name) + assert.Equal(t, Resource0.Parent, resource0.Parent) + assert.NotEmpty(t, resource0.Etag) + + // Test: creation with existing parent should not fail. + resource1, err := server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1}) + require.NoError(t, err) + require.NotNil(t, resource1) + + assert.Equal(t, Resource1.Name, resource1.Name) + assert.Equal(t, Resource1.Parent, resource1.Parent) + assert.NotEmpty(t, resource1.Etag) + + // Test: creation with non-existing parent should fail. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource2}) + require.Error(t, err) + require.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: creation without parent should fail. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource3}) + require.Error(t, err) + require.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: creation of duplicate resource should fail with already exists. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) + + // Test: get resource should return the same resource created. 
+ resource, err := server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource1.Name}) + require.NoError(t, err) + require.NotNil(t, resource) + + assert.Equal(t, Resource1.Name, resource.Name) + assert.Equal(t, Resource1.Parent, resource.Parent) + assert.NotEmpty(t, resource.Etag) +} + +func TestIntegrationResourceDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Resource0 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-0." + uuid.New().String(), + Parent: "@animeshon", + } + Resource1 = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-1." + uuid.New().String(), + Parent: Resource0.Name, + } + ResourceNotFound = &grbac.Resource{ + Name: "//test.animeapis.com/resources/resource-?." + uuid.New().String(), + Parent: "@animeshon", + } + ) + + // Create new random resources. + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource0}) + require.NoError(t, err) + + _, err = server.CreateResource(context.TODO(), &grbac.CreateResourceRequest{Resource: Resource1}) + require.NoError(t, err) + + // Test: deletion of existing resource with children should fail. + _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: deletion of existing resource with no children should not fail. 
+ empty, err := server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource1.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + empty, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + // Test: get resource should return 'not found' after deletion. + _, err = server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + _, err = server.GetResource(context.TODO(), &grbac.GetResourceRequest{Name: Resource1.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of already deleted resource should fail. + _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: Resource0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing resource should fail. + _, err = server.DeleteResource(context.TODO(), &grbac.DeleteResourceRequest{Name: ResourceNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} diff --git a/pkg/services/resources_transfer.go b/pkg/services/resources_transfer.go new file mode 100644 index 0000000..39fc507 --- /dev/null +++ b/pkg/services/resources_transfer.go @@ -0,0 +1,15 @@ +package services + +import ( + "context" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +// TransferResource transfers a resource to a new parent. +func (s *AccessControlServerImpl) TransferResource(ctx context.Context, req *grbac.TransferResourceRequest) (*grbac.Resource, error) { + return nil, status.New(codes.Unimplemented, "unimplemented").Err() +} diff --git a/pkg/services/roles.go b/pkg/services/roles.go new file mode 100644 index 0000000..a2fba0f --- /dev/null +++ b/pkg/services/roles.go 
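Review bot: The cases "creation with non-existing parent should fail" and "creation without parent should fail" in `TestIntegrationResourceCreate` assert only `codes.InvalidArgument`, which `validateCreateResource` returns for every rejected input, so they cannot tell which check actually fired. `ResourceNotFound.Name` contains a `?`, so the request may be rejected by the name-format check rather than by the parent lookup (`isFullResourceName` is not visible in this hunk). Asserting the message as well, e.g. `assert.Contains(t, status.Convert(err).Message(), "parent does not exist")`, pins the intended branch. The `assert.NotEmpty(t, resource0.Etag)` checks currently pass only because the etag is the constant `TODO`.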
@@ -0,0 +1,7 @@
+package services
+
+import "strings"
+
+func isRole(name string) bool {
+ return strings.HasPrefix(name, "roles/")
+}
diff --git a/pkg/services/roles_create.go b/pkg/services/roles_create.go
new file mode 100644
index 0000000..47f28c3
--- /dev/null
+++ b/pkg/services/roles_create.go
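Review bot: `isRole` accepts any string that starts with `roles/`, including the bare prefix `roles/` and ids containing quotes, whitespace or control characters. It is the only format check that `validateCreateRole`, `validateDeleteRole` and `validateUpdateRole` apply before the name reaches the query templates, so an allow-list on the id part would be safer, e.g. a package-level `regexp.MustCompile` pattern and `return roleNameRe.MatchString(name)`. The exact character set is the project's call, and the `roles/role-?.` fixtures in the integration tests would have to stay valid or be renamed. `isUser` and `isServiceAccount` in subjects.go are prefix-only in the same way.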
@@ -0,0 +1,110 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/roles/roles.create.query.go.tmpl
+var queryCreateRole string
+
+//go:embed data/roles/roles.create.mutation.go.tmpl
+var mutationCreateRole string
+
+var templateQueryCreateRole = template.Must(
+ template.New("QueryCreateRole").Funcs(defaultFuncMap).Parse(queryCreateRole),
+)
+
+var templateMutationCreateRole = template.Must(
+ template.New("MutationCreateRole").Funcs(defaultFuncMap).Parse(mutationCreateRole),
+)
+
+func (s *AccessControlServerImpl) validateCreateRole(ctx context.Context, txn *dgo.Txn, req *grbac.CreateRoleRequest) error {
+ // A role must be defined.
+ if req.Role == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err()
+ }
+
+ // The role name must be defined.
+ if len(req.Role.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role must include at least one permission.
+ if len(req.Role.Permissions) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role has no permissions}").Err()
+ }
+
+ // The permissions included in the role must exist.
+ for _, permission := range req.Role.Permissions {
+ permissionFound, err := graph.ExistsPermission(ctx, txn, toPermissionName(permission))
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateRole: failed to query role permissions")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !permissionFound {
+ return status.New(codes.FailedPrecondition, "failed precondition {permission does not exist}").Err()
+ }
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Role.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ roleFound, err := graph.ExistsRole(ctx, txn, req.Role.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to validate 'CreateRole' request")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if roleFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateRole creates a new role.
+func (s *AccessControlServerImpl) CreateRole(ctx context.Context, req *grbac.CreateRoleRequest) (*grbac.Role, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ data := struct {
+ Role *grbac.Role
+ ETag string
+ }{
+ Role: req.GetRole(),
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateRole, templateMutationCreateRole, data); err != nil {
+ logrus.WithError(err).Errorf("CreateRole: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ role := &grbac.Role{
+ Name: req.Role.Name,
+ Permissions: req.Role.Permissions,
+ Etag: etag,
+ }
+
+ return role, nil
+}
diff --git a/pkg/services/roles_delete.go b/pkg/services/roles_delete.go
new file mode 100644
index 0000000..12331b2
--- /dev/null
+++ b/pkg/services/roles_delete.go
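Review bot: In `validateCreateRole` the permission loop issues one `graph.ExistsPermission` query per entry before the role name format is checked, and the length of `req.Role.Permissions` is not bounded. Moving the `if !isRole(req.Role.Name) { ... }` block above the loop rejects malformed requests without touching the database, and a cap on the number of permissions (with de-duplication) would bound how many queries one request can trigger. The log line `failed to validate 'CreateRole' request` also departs from the `CreateRole: ...` prefix used by the other messages in this file.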
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/roles/roles.delete.query.go.tmpl
+var queryDeleteRole string
+
+//go:embed data/roles/roles.delete.mutation.go.tmpl
+var mutationDeleteRole string
+
+var templateQueryDeleteRole = template.Must(
+ template.New("QueryDeleteRole").Funcs(defaultFuncMap).Parse(queryDeleteRole),
+)
+
+var templateMutationDeleteRole = template.Must(
+ template.New("MutationDeleteRole").Funcs(defaultFuncMap).Parse(mutationDeleteRole),
+)
+
+func (s *AccessControlServerImpl) validateDeleteRole(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteRoleRequest) error {
+ // The role name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ // The role must exist.
+ roleFound, err := graph.ExistsRole(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteRole: failed to query role")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !roleFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeleteRole deletes a role.
+func (s *AccessControlServerImpl) DeleteRole(ctx context.Context, req *grbac.DeleteRoleRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteRole, templateMutationDeleteRole, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteRole: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
diff --git a/pkg/services/roles_get.go b/pkg/services/roles_get.go
new file mode 100644
index 0000000..a1b41ff
--- /dev/null
+++ b/pkg/services/roles_get.go
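Review bot: `validateDeleteRole` has no counterpart to the `HasChildren` guard in `validateDeleteResource`: a role is deleted without checking whether anything still refers to it. If policies bind subjects to roles by name (the policy model and the delete mutation template are not visible in this hunk), a role later created under the same name could inherit bindings that were meant for the old one. Either refuse deletion while the role is still referenced, or confirm that the delete mutation removes those references, and state which in a comment above `DeleteRole`.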
@@ -0,0 +1,61 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func (s *AccessControlServerImpl) validateGetRole(ctx context.Context, txn *dgo.Txn, req *grbac.GetRoleRequest) error {
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ return nil
+}
+
+// GetRole returns a role.
+func (s *AccessControlServerImpl) GetRole(ctx context.Context, req *grbac.GetRoleRequest) (*grbac.Role, error) {
+ txn := s.cli.NewReadOnlyTxn()
+ if err := s.validateGetRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ resp, err := graph.GetRole(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to get role [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ if resp == nil {
+ return nil, status.New(codes.NotFound, "not found").Err()
+ }
+
+ role := &grbac.Role{
+ Name: resp.Name,
+ }
+
+ role.Etag, err = base64.StdEncoding.DecodeString(resp.ETag)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to decode role etag [%s]", req.Name)
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ for _, permission := range resp.Permissions {
+ role.Permissions = append(role.Permissions, toPermissionId(permission.Name))
+ }
+
+ return role, nil
+}
diff --git a/pkg/services/roles_integration_test.go b/pkg/services/roles_integration_test.go
new file mode 100644
index 0000000..5a55b70
--- /dev/null
+++ b/pkg/services/roles_integration_test.go
@@ -0,0 +1,294 @@ +// +build integration + +package services + +import ( + "context" + "os" + "testing" + + grbac "github.com/animeapis/go-genproto/grbac/v1alpha1" + + "github.com/dgraph-io/dgo/v210" + "github.com/dgraph-io/dgo/v210/protos/api" + "github.com/google/uuid" + "github.com/grbac/grbac/pkg/bootstrap" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "google.golang.org/grpc" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" + "google.golang.org/protobuf/types/known/fieldmaskpb" +) + +func TestIntegrationRoleCreate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/role-0." + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + Role1 = &grbac.Role{ + Name: "roles/role-1." + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + toPermissionId(PermissionNotFound.Name), + }, + } + ) + + // Create a new permission. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + // Test: creation should not fail. 
+ role, err := server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: creation with non-existing permission should fail. + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role1}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: creation of duplicate role should fail with already exists. + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + assert.Error(t, err) + assert.Equal(t, codes.AlreadyExists, status.Code(err)) + + // Test: get role should return the same role created. + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) +} + +func TestIntegrationRoleDelete(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/role-0." + uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + RoleNotFound = &grbac.Role{ + Name: "roles/role-?." + uuid.New().String(), + } + ) + + // Create a new random role and permission. 
+ _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + + // Test: deletion of existing role should not fail. + empty, err := server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: Role0.Name}) + assert.NoError(t, err) + assert.NotNil(t, empty) + + // Test: get role should return 'not found' after deletion. + _, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of already deleted role should fail. + _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: Role0.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) + + // Test: deletion of non-existing role should fail. + _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: RoleNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} + +func TestIntegrationRoleUpdate(t *testing.T) { + endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT") + require.NotEmpty(t, endpoint) + + err := bootstrap.Schema(context.TODO(), endpoint) + require.NoError(t, err) + + conn, err := grpc.Dial(endpoint, grpc.WithInsecure()) + require.NoError(t, err) + defer conn.Close() + + server := &AccessControlServerImpl{ + cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)), + conn: conn, + } + + var ( + Permission0 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + Permission1 = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + PermissionNotFound = &grbac.Permission{ + Name: "permissions/grbac.test." + uuid.New().String(), + } + + Role0 = &grbac.Role{ + Name: "roles/role-0." 
+ uuid.New().String(), + Permissions: []string{ + toPermissionId(Permission0.Name), + }, + } + RoleNotFound = &grbac.Role{ + Name: "roles/role-?." + uuid.New().String(), + } + ) + + // Create new random roles. + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission0}) + require.NoError(t, err) + _, err = server.CreatePermission(context.TODO(), &grbac.CreatePermissionRequest{Permission: Permission1}) + require.NoError(t, err) + + _, err = server.CreateRole(context.TODO(), &grbac.CreateRoleRequest{Role: Role0}) + require.NoError(t, err) + + // Test: update (replace permissions) should not fail. + Role0.Permissions = []string{toPermissionId(Permission1.Name)} + role, err := server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: update (add permissions) should not fail. 
+ Role0.Permissions = append(Role0.Permissions, toPermissionId(Permission0.Name)) + role, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: update (remove all permissions) should not fail. + Role0.Permissions = nil + role, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + role, err = server.GetRole(context.TODO(), &grbac.GetRoleRequest{Name: Role0.Name}) + require.NoError(t, err) + require.NotNil(t, role) + + assert.Equal(t, Role0.Name, role.Name) + assert.ElementsMatch(t, Role0.Permissions, role.Permissions) + assert.NotEmpty(t, role.Etag) + + // Test: update (add non-existing permission) should fail. + Role0.Permissions = []string{toPermissionId(PermissionNotFound.Name)} + _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: Role0}) + require.Error(t, err) + assert.Equal(t, codes.FailedPrecondition, status.Code(err)) + + // Test: update with mutable field mask should not fail. + Role0.Permissions = []string{toPermissionId(Permission0.Name)} + _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{ + Role: Role0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"role", "role.permissions"}, + }}) + require.NoError(t, err) + + // Test: update with immutable field mask should fail. 
+ _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{ + Role: Role0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{"role.name"}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update with invalid field mask should fail. + _, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{ + Role: Role0, + UpdateMask: &fieldmaskpb.FieldMask{ + Paths: []string{""}, + }}) + require.Error(t, err) + assert.Equal(t, codes.InvalidArgument, status.Code(err)) + + // Test: update of non-existing role should fail. + _, err = server.DeleteRole(context.TODO(), &grbac.DeleteRoleRequest{Name: RoleNotFound.Name}) + assert.Error(t, err) + assert.Equal(t, codes.NotFound, status.Code(err)) +} diff --git a/pkg/services/roles_update.go b/pkg/services/roles_update.go new file mode 100644 index 0000000..cb0a95f --- /dev/null +++ b/pkg/services/roles_update.go 
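Review bot: The final case in `TestIntegrationRoleUpdate`, commented "update of non-existing role should fail", calls `server.DeleteRole` instead of `server.UpdateRole`, so the `NotFound` branch of `validateUpdateRole` is never exercised. It should read `_, err = server.UpdateRole(context.TODO(), &grbac.UpdateRoleRequest{Role: RoleNotFound})`. `RoleNotFound` carries no permissions, which `validateUpdateRole` accepts, so the call would reach the existence check as intended.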
@@ -0,0 +1,128 @@
+package services
+
+import (
+ "context"
+ "encoding/base64"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/fieldmask"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/roles/roles.update.query.go.tmpl
+var queryUpdateRole string
+
+//go:embed data/roles/roles.update.set.go.tmpl
+var setUpdateRole string
+
+//go:embed data/roles/roles.update.delete.go.tmpl
+var deleteUpdateRole string
+
+var templateQueryUpdateRole = template.Must(
+ template.New("QueryUpdateRole").Funcs(defaultFuncMap).Parse(queryUpdateRole),
+)
+
+var templateSetUpdateRole = template.Must(
+ template.New("SetUpdateRole").Funcs(defaultFuncMap).Parse(setUpdateRole),
+)
+
+var templateDeleteUpdateRole = template.Must(
+ template.New("DeleteUpdateRole").Funcs(defaultFuncMap).Parse(deleteUpdateRole),
+)
+
+func (s *AccessControlServerImpl) validateUpdateRole(ctx context.Context, txn *dgo.Txn, req *grbac.UpdateRoleRequest) error {
+ // A role must be defined.
+ if req.Role == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {role not defined}").Err()
+ }
+
+ // The role name must be defined.
+ if len(req.Role.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {role name not defined}").Err()
+ }
+
+ // The role name must be well formatted.
+ if !isRole(req.Role.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid role name format}").Err()
+ }
+
+ // The update field mask must contain valid paths.
+ for _, path := range req.GetUpdateMask().GetPaths() {
+ switch path {
+ case "role", "role.permissions":
+ default:
+ return status.New(codes.InvalidArgument, "invalid argument {invalid field mask}").Err()
+ }
+ }
+
+ // The permissions included in the role must exist.
+ for _, permission := range req.Role.Permissions {
+ permissionFound, err := graph.ExistsPermission(ctx, txn, toPermissionName(permission))
+ if err != nil {
+ logrus.WithError(err).Errorf("CreateRole: failed to query role permissions")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !permissionFound {
+ return status.New(codes.FailedPrecondition, "failed precondition {permission does not exist}").Err()
+ }
+ }
+
+ // The role must exist.
+ roleFound, err := graph.ExistsRole(ctx, txn, req.Role.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("UpdateRole: failed to query role")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !roleFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// UpdateRole updates a role with a field mask.
+func (s *AccessControlServerImpl) UpdateRole(ctx context.Context, req *grbac.UpdateRoleRequest) (*grbac.Role, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateUpdateRole(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ // TODO: etag should be generated according to the data structure.
+ etag := []byte("TODO")
+
+ fieldmask := fieldmask.NewFieldMask(req.GetUpdateMask())
+
+ data := struct {
+ Role *grbac.Role
+ FieldMask func(string) bool
+ ETag string
+ }{
+ Role: req.GetRole(),
+ FieldMask: fieldmask.Contains,
+ ETag: base64.StdEncoding.EncodeToString(etag),
+ }
+
+ if err := s.update(ctx, txn, templateQueryUpdateRole, templateSetUpdateRole, templateDeleteUpdateRole, data); err != nil {
+ logrus.WithError(err).Errorf("UpdateRole: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ // TODO: merge missing fields (not included in the update mask) with the role in dgraph.
+ role := &grbac.Role{
+ Name: req.Role.Name,
+ Permissions: req.Role.Permissions,
+ Etag: etag,
+ }
+
+ return role, nil
+}
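Review bot: The permission-lookup failure in `validateUpdateRole` is logged as `CreateRole: failed to query role permissions`, which points whoever reads the log at the wrong RPC; it should be `logrus.WithError(err).Errorf("UpdateRole: failed to query role permissions")`. In `UpdateRole` the local `fieldmask := fieldmask.NewFieldMask(...)` shadows the imported `fieldmask` package for the rest of the function, and a name such as `mask` avoids that. The permissions are also validated and echoed back in the response even when the update mask excludes `role.permissions`, so the returned role can differ from what was stored; the existing TODO covers the merge but not the validation.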
diff --git a/pkg/services/subjects.go b/pkg/services/subjects.go
new file mode 100644
index 0000000..bad567c
--- /dev/null
+++ b/pkg/services/subjects.go
@@ -0,0 +1,21 @@
+package services
+
+import "strings"
+
+func isSubject(name string) bool {
+ return isUser(name) || isServiceAccount(name)
+}
+
+func isUser(name string) bool {
+ return strings.HasPrefix(name, "users/")
+}
+
+func isServiceAccount(name string) bool {
+ return strings.HasPrefix(name, "serviceAccounts/")
+}
+
+const allUsers = "system/allUsers"
+
+func isAllUsers(name string) bool {
+ return name == allUsers
+}
diff --git a/pkg/services/subjects_create.go b/pkg/services/subjects_create.go
new file mode 100644
index 0000000..55561fb
--- /dev/null
+++ b/pkg/services/subjects_create.go
@@ -0,0 +1,81 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/subjects/subjects.create.query.go.tmpl
+var queryCreateSubject string
+
+//go:embed data/subjects/subjects.create.mutation.go.tmpl
+var mutationCreateSubject string
+
+var templateQueryCreateSubject = template.Must(
+ template.New("QueryCreateSubject").Funcs(defaultFuncMap).Parse(queryCreateSubject),
+)
+
+var templateMutationCreateSubject = template.Must(
+ template.New("MutationCreateSubject").Funcs(defaultFuncMap).Parse(mutationCreateSubject),
+)
+
+func (s *AccessControlServerImpl) validateCreateSubject(ctx context.Context, txn *dgo.Txn, req *grbac.CreateSubjectRequest) error {
+ // A subject must be defined.
+ if req.Subject == nil {
+ return status.New(codes.InvalidArgument, "invalid argument {subject not defined}").Err()
+ }
+
+ // The subject name must be defined.
+ if len(req.Subject.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {subject name not defined}").Err()
+ }
+
+ // The subject name must be well formatted.
+ if !isSubject(req.Subject.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid subject name format}").Err()
+ }
+
+ // The subject must be new to avoid race conditions.
+ subjectFound, err := graph.ExistsSubject(ctx, txn, req.Subject.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("failed to validate 'CreateSubject' request")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if subjectFound {
+ return status.New(codes.AlreadyExists, "conflict").Err()
+ }
+
+ return nil
+}
+
+// CreateSubject creates a new subject.
+func (s *AccessControlServerImpl) CreateSubject(ctx context.Context, req *grbac.CreateSubjectRequest) (*grbac.Subject, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateCreateSubject(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Subject *grbac.Subject
+ }{
+ Subject: req.GetSubject(),
+ }
+
+ if err := s.create(ctx, txn, templateQueryCreateSubject, templateMutationCreateSubject, data); err != nil {
+ logrus.WithError(err).Errorf("CreateSubject: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &grbac.Subject{Name: req.Subject.Name}, nil
+}
diff --git a/pkg/services/subjects_delete.go b/pkg/services/subjects_delete.go
new file mode 100644
index 0000000..aa38408
--- /dev/null
+++ b/pkg/services/subjects_delete.go
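Review bot: The transaction opened by `s.cli.NewTxn()` in `CreateSubject` is never discarded when `validateCreateSubject` returns an error, and `DeleteSubject` in subjects_delete.go has the same early return. Whether `s.create` and `s.delete` commit or discard on their own paths is not visible here, but `return nil, err` after a failed validation certainly leaves the transaction open. Adding `defer txn.Discard(ctx)` directly after `NewTxn()` covers every path, since dgo treats a Discard after a successful Commit as a no-op. The comment "must be new to avoid race conditions" also overstates the read: uniqueness under concurrent requests depends on commit-time conflict detection in the schema (not shown), not on `ExistsSubject` alone.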
@@ -0,0 +1,77 @@
+package services
+
+import (
+ "context"
+ "text/template"
+
+ _ "embed"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+ empty "google.golang.org/protobuf/types/known/emptypb"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/grbac/grbac/pkg/graph"
+ "github.com/sirupsen/logrus"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+//go:embed data/subjects/subjects.delete.query.go.tmpl
+var queryDeleteSubject string
+
+//go:embed data/subjects/subjects.delete.mutation.go.tmpl
+var mutationDeleteSubject string
+
+var templateQueryDeleteSubject = template.Must(
+ template.New("QueryDeleteSubject").Funcs(defaultFuncMap).Parse(queryDeleteSubject),
+)
+
+var templateMutationDeleteSubject = template.Must(
+ template.New("MutationDeleteSubject").Funcs(defaultFuncMap).Parse(mutationDeleteSubject),
+)
+
+func (s *AccessControlServerImpl) validateDeleteSubject(ctx context.Context, txn *dgo.Txn, req *grbac.DeleteSubjectRequest) error {
+ // The subject name must be defined.
+ if len(req.Name) == 0 {
+ return status.New(codes.InvalidArgument, "invalid argument {subject name not defined}").Err()
+ }
+
+ // The subject name must be well formatted.
+ if !isSubject(req.Name) {
+ return status.New(codes.InvalidArgument, "invalid argument {invalid subject name format}").Err()
+ }
+
+ // The subject must exist.
+ subjectFound, err := graph.ExistsSubject(ctx, txn, req.Name)
+ if err != nil {
+ logrus.WithError(err).Errorf("DeleteSubject: failed to query subject")
+ return status.New(codes.Internal, "internal error").Err()
+ }
+
+ if !subjectFound {
+ return status.New(codes.NotFound, "not found").Err()
+ }
+
+ return nil
+}
+
+// DeleteSubject deletes a subject.
+func (s *AccessControlServerImpl) DeleteSubject(ctx context.Context, req *grbac.DeleteSubjectRequest) (*empty.Empty, error) {
+ txn := s.cli.NewTxn()
+ if err := s.validateDeleteSubject(ctx, txn, req); err != nil {
+ return nil, err
+ }
+
+ data := struct {
+ Name string
+ }{
+ Name: req.GetName(),
+ }
+
+ if err := s.delete(ctx, txn, templateQueryDeleteSubject, templateMutationDeleteSubject, data); err != nil {
+ logrus.WithError(err).Errorf("DeleteSubject: failed to execute dgraph call")
+ return nil, status.New(codes.Internal, "internal error").Err()
+ }
+
+ return &empty.Empty{}, nil
+}
diff --git a/pkg/services/subjects_integration_test.go b/pkg/services/subjects_integration_test.go
new file mode 100644
index 0000000..caada3e
--- /dev/null
+++ b/pkg/services/subjects_integration_test.go
@@ -0,0 +1,115 @@
+// +build integration
+
+package services
+
+import (
+ "context"
+ "os"
+ "testing"
+
+ grbac "github.com/animeapis/go-genproto/grbac/v1alpha1"
+
+ "github.com/dgraph-io/dgo/v210"
+ "github.com/dgraph-io/dgo/v210/protos/api"
+ "github.com/google/uuid"
+ "github.com/grbac/grbac/pkg/bootstrap"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+func TestIntegrationSubjectCreate(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ User0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ ServiceAccount0 = &grbac.Subject{
+ Name: "serviceAccounts/serviceaccount-0." + uuid.New().String(),
+ }
+ )
+
+ // Test: creation (user) should not fail.
+ user0, err := server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ require.NoError(t, err)
+ require.NotNil(t, user0)
+
+ assert.Equal(t, User0.Name, user0.Name)
+
+ // Test: creation (serviceAccount) should not fail.
+ serviceAccount, err := server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ require.NoError(t, err)
+ require.NotNil(t, serviceAccount)
+
+ assert.Equal(t, ServiceAccount0.Name, serviceAccount.Name)
+
+ // Test: creation of duplicate subject should fail with already exists.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: User0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: ServiceAccount0})
+ assert.Error(t, err)
+ assert.Equal(t, codes.AlreadyExists, status.Code(err))
+}
+
+func TestIntegrationSubjectDelete(t *testing.T) {
+ endpoint := os.Getenv("INTEGRATION_TEST_DGRAPH_ENDPOINT")
+ require.NotEmpty(t, endpoint)
+
+ err := bootstrap.Schema(context.TODO(), endpoint)
+ require.NoError(t, err)
+
+ conn, err := grpc.Dial(endpoint, grpc.WithInsecure())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ server := &AccessControlServerImpl{
+ cli: dgo.NewDgraphClient(api.NewDgraphClient(conn)),
+ conn: conn,
+ }
+
+ var (
+ Subject0 = &grbac.Subject{
+ Name: "users/user-0." + uuid.New().String(),
+ }
+ SubjectNotFound = &grbac.Subject{
+ Name: "users/user-?." + uuid.New().String(),
+ }
+ )
+
+ // Create a new random subject.
+ _, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: Subject0})
+ require.NoError(t, err)
+
+ // Test: deletion of existing subject should not fail.
+ empty, err := server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: Subject0.Name})
+ require.NoError(t, err)
+ assert.NotNil(t, empty)
+
+ // Test: deletion of deleted subject should fail.
+ _, err = server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: Subject0.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+
+ // Test: deletion of non-existing subject should fail.
+ _, err = server.DeleteSubject(context.TODO(), &grbac.DeleteSubjectRequest{Name: SubjectNotFound.Name})
+ assert.Error(t, err)
+ assert.Equal(t, codes.NotFound, status.Code(err))
+}
diff --git a/pkg/services/template.go b/pkg/services/template.go
new file mode 100644
index 0000000..b4d4407
--- /dev/null
+++ b/pkg/services/template.go
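Review bot: Neither test exercises the rejection paths of `validateCreateSubject` and `validateDeleteSubject` (a nil subject, an empty name, a name without the `users/` or `serviceAccounts/` prefix), which are the input checks standing in front of the access-control graph. A case such as `_, err = server.CreateSubject(context.TODO(), &grbac.CreateSubjectRequest{Subject: &grbac.Subject{Name: "groups/x"}})` followed by `assert.Equal(t, codes.InvalidArgument, status.Code(err))` would pin that behaviour, with the matching case for `DeleteSubject`. `TestIntegrationSubjectCreate` also leaves both created subjects in the database; deleting them at the end keeps repeated runs against a long-lived Dgraph instance clean.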
@@ -0,0 +1,45 @@
+package services
+
+import (
+ "bufio"
+ "bytes"
+ "regexp"
+ "text/template"
+)
+
+var (
+ regexAlphaNumeric = regexp.MustCompile("[^A-Za-z0-9]+")
+
+ defaultFuncMap = template.FuncMap{
+ "AlphaNumVar": replaceAlphaNumeric,
+
+ "IsUser": isUserMember,
+ "IsServiceAccount": isServiceAccountMember,
+ "IsGroup": isGroupMember,
+ "IsAllUsers": isAllUsersMember,
+
+ "ToUserName": toUserName,
+ "ToServiceAccountName": toServiceAccountName,
+ "ToGroupName": toGroupName,
+ "ToPermissionName": toPermissionName,
+ }
+)
+
+func replaceAlphaNumeric(name string) string {
+ return regexAlphaNumeric.ReplaceAllString(name, "_")
+}
+
+func ExecuteTemplate(t *template.Template, data interface{}) ([]byte, error) {
+ var buffer bytes.Buffer
+ writer := bufio.NewWriter(&buffer)
+
+ if err := t.Execute(writer, data); err != nil {
+ return nil, err
+ }
+
+ if err := writer.Flush(); err != nil {
+ return nil, err
+ }
+
+ return buffer.Bytes(), nil
+}
diff --git a/schema/animeapis b/schema/animeapis
new file mode 160000
index 0000000..e1dfc76
--- /dev/null
+++ b/schema/animeapis
@@ -0,0 +1 @@
+Subproject commit e1dfc764c23e00eb837c43e9f53286a2751af2e9
diff --git a/schema/api-common-protos b/schema/api-common-protos
new file mode 160000
index 0000000..37d5125
--- /dev/null
+++ b/schema/api-common-protos
@@ -0,0 +1 @@
+Subproject commit 37d5125da5c90f2124d15908a54a32ed3f470bc2
diff --git a/scripts/docker-compose.sh b/scripts/docker-compose.sh
new file mode 100755
index 0000000..947ca77
--- /dev/null
+++ b/scripts/docker-compose.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+sleep 10
+
+grbac init --dgraph-endpoint=dgraph:9080
+grbac run --dgraph-endpoint=dgraph:9080
+
+exit 0
\ No newline at end of file
diff --git a/scripts/gapic.sh b/scripts/gapic.sh
new file mode 100755
index 0000000..98d5395
--- /dev/null
+++ b/scripts/gapic.sh
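Review bot: `defaultFuncMap` in template.go gives the query and mutation templates no helper for quoting string values, and `text/template` does no escaping of its own, so any request field a template writes into a Dgraph statement lands there verbatim. `AlphaNumVar` only makes a string usable as an identifier and is lossy: `users/a-b` and `users/a.b` both become `users_a_b`, which could alias two members rendered into one statement. The `.tmpl` files are not in view, so this is a question for them: string values are safer bound as Dgraph query variables (dgo's `QueryWithVars`) or carried in a JSON mutation than substituted as text. A doc comment on the exported function, `// ExecuteTemplate renders t with data and returns the output; it performs no escaping of the values it substitutes.`, would make that contract explicit.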
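Review bot: In scripts/docker-compose.sh `grbac run` is started as a child of the shell rather than with `exec`, so inside the container the shell remains PID 1 and the SIGTERM sent on stop may never reach the server; `exec grbac run --dgraph-endpoint=dgraph:9080` avoids that and makes the trailing `exit 0` unnecessary. The fixed `sleep 10` before `grbac init` is a guess at Dgraph's start-up time, and with `errexit` a slow start aborts the container; retrying `grbac init` a bounded number of times is more reliable. `set -o pipefail` is not POSIX, so the `sh` shebang only works where `/bin/sh` happens to implement it.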
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+API_NAME="grbac"
+API_VERSION="v1alpha1"
+
+# TODO: Everything should be moved to Bazel for protobuf compilation.
+
+# Generate CLI via GAPIC.
+protoc \
+ --experimental_allow_proto3_optional \
+ --proto_path="schema/api-common-protos" \
+ --proto_path="schema/animeapis" \
+ --go_cli_out="cmd" \
+ --go_cli_opt="root=grbac" \
+ --go_cli_opt="gapic=github.com/animeapis/api-go-client/${API_NAME}/${API_VERSION}" \
+ --go_cli_opt="fmt=true" \
+ "schema/animeapis/animeshon/${API_NAME}/${API_VERSION}/${API_NAME}.proto"
+
+exit 0
\ No newline at end of file
diff --git a/scripts/run-integration.sh b/scripts/run-integration.sh
new file mode 100755
index 0000000..ae0093c
--- /dev/null
+++ b/scripts/run-integration.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9080
+
+# Launch the dgraph docker container and open its ports.
+echo "integration: starting the dgraph docker container..."
+container_id=$(docker run --detach --rm -p 9080:9080 dgraph/standalone:v21.03.0)
+
+# Wait for the container to be up and running.
+echo "integration: waiting (10s) for the container to be ready..."
+sleep 10s
+
+# Run the integration tests and store the return code of the 'go test' command.
+go test -cover -tags=integration ./... && return_code=$? || return_code=$?
+
+# Stop the dgraph docker container.
+echo "integration: stopping the container..."
+docker stop $container_id
+
+exit $return_code
\ No newline at end of file
diff --git a/scripts/update.sh b/scripts/update.sh
new file mode 100755
index 0000000..cb7f179
--- /dev/null
+++ b/scripts/update.sh
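Review bot: In scripts/run-integration.sh `-p 9080:9080` publishes the Dgraph port on every host interface, and the standalone image is started with no access control visible in this script, so for the length of the test run the database is reachable from whatever network the machine is on. The tests only connect to 127.0.0.1, so bind the port to loopback: `container_id=$(docker run --detach --rm -p 127.0.0.1:9080:9080 dgraph/standalone:v21.03.0)`. The container is also left running if the script is interrupted during the sleep or the tests; `trap 'docker stop "$container_id"' EXIT` placed after the `docker run` line covers that and quotes the id.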
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+WORKDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+echo "updating go modules..."
+
+GOPROXY=direct go get -u github.com/animeapis/api-go-client@master
+GOPROXY=direct go get -u github.com/animeapis/go-genproto@master
+
+echo "updating git submodules..."
+
+git submodule foreach git pull origin master
+
+echo "regenerating gapics..."
+
+source "${WORKDIR}/gapic.sh"
+
+exit 0
\ No newline at end of file
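Review bot: Both `go get -u ...@master` calls and `git submodule foreach git pull origin master` move the dependencies to whatever the upstream `master` branches contain when the script runs, so generated code, go.mod/go.sum and the submodule pointers change without a reviewed, pinned revision. A header comment such as `# NOTE: pulls unpinned upstream master; review the go.mod, go.sum and submodule pointer diffs before committing.` would make that expectation explicit, and pinning to tags or commit ids is the stronger fix. Separately, `source "${WORKDIR}/gapic.sh"` runs gapic.sh in the caller's working directory while its protoc paths are relative (`schema/...`, `cmd`), so the script only works from the repository root; `cd "${WORKDIR}/.."` before the `go get` lines would remove that dependency.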