// Copyright 2021-2024 Zenauth Ltd. // SPDX-License-Identifier: Apache-2.0 syntax = "proto3"; package cerbos.response.v1; import "cerbos/audit/v1/audit.proto"; import "cerbos/effect/v1/effect.proto"; import "cerbos/engine/v1/engine.proto"; import "cerbos/policy/v1/policy.proto"; import "cerbos/schema/v1/schema.proto"; import "google/protobuf/empty.proto"; import "protoc-gen-openapiv2/options/annotations.proto"; option csharp_namespace = "Cerbos.Api.V1.Response"; option go_package = "github.com/cerbos/cerbos/api/genpb/cerbos/response/v1;responsev1"; option java_package = "dev.cerbos.api.v1.response"; message PlanResourcesResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Resources query plan response for a set of resources."} }; message Meta { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Metadata about request evaluation."} }; string filter_debug = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Filter textual representation for debugging purposes."}]; string matched_scope = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Policy scope that matched to produce this effect." example: "\"acme.corp.base\"" }]; } string request_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Request ID provided in the request." example: "\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"" }]; string action = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Action" example: "\"view:public\"" }]; string resource_kind = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Resource kind." example: "\"album:object\"" }]; string policy_version = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "The policy version." example: "\"default\"" }]; cerbos.engine.v1.PlanResourcesFilter filter = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Filter"}]; Meta meta = 6 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Optional metadata about the request evaluation process"}]; repeated cerbos.schema.v1.ValidationError validation_errors = 7 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "List of validation errors (if schema validation is enabled)"}]; string cerbos_call_id = 8 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Audit log call ID associated with this request"}]; } // Deprecated. See CheckResourcesResponse. message CheckResourceSetResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Policy evaluation response for a set of resources."} }; message ActionEffectMap { map actions = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Mapping of each action to an effect."}]; repeated cerbos.schema.v1.ValidationError validation_errors = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "List of validation errors (if schema validation is " "enabled)" }]; } message Meta { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Metadata about request evaluation."} }; message EffectMeta { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Name of the action."} }; string matched_policy = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Policy that matched to produce this effect." example: "\"album:object:default\"" }]; string matched_scope = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Policy scope that matched to produce this effect." example: "\"acme.corp.base\"" }]; } message ActionMeta { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Unique resource instance ID supplied in the request."} }; map actions = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Metadata about the effect calculated for each " "action on this resource instance." example: "{\"view:*\":{\"matched_policy\": " "\"album:object:default\"},\"comment\":{\"matched_" "policy\": \"album:object:default\"}}" }]; repeated string effective_derived_roles = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Derived roles that were effective during policy " "evaluation." example: "[\"owner\"]" }]; } map resource_instances = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Metadata about resource instances." example: "{\"XX125\": {\"actions\": {\"view:*\":{\"matched_policy\": " "\"album:object:default\"},\"comment\":{\"matched_policy\": " "\"album:object:default\"}}, \"effective_derived_roles\": " "[\"owner\"]}, \"XX225\": {\"actions\": " "{\"view:*\":{\"matched_policy\": " "\"album:object:default\"},\"comment\":{\"matched_policy\": " "\"album:object:default\"}}}}" }]; } string request_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Request ID provided in the request." example: "\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"" }]; map resource_instances = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Results for each resource instance, keyed by the ID " "supplied in the request" example: "{\"XX125\":{\"actions\":{\"view:*\":\"EFFECT_ALLOW\", " "\"comment\": \"EFFECT_ALLOW\"}}, " "\"XX225\":{\"actions\":{\"view:*\":\"EFFECT_DENY\", " "\"comment\": \"EFFECT_DENY\"}}}" }]; Meta meta = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Optional metadata about the request evaluation process"}]; } // Deprecated. See CheckResourcesResponse. message CheckResourceBatchResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Policy evaluation response for a batch of resources."} }; message ActionEffectMap { string resource_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Resource ID" example: "\"XX125\"" }]; map actions = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Mapping of each action to an effect." example: "{\"view\":\"EFFECT_ALLOW\"}" }]; repeated cerbos.schema.v1.ValidationError validation_errors = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "List of validation errors (if schema validation is " "enabled)" }]; } string request_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Request ID provided in the request." example: "\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"" }]; repeated ActionEffectMap results = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Result for each resource" example: "[{\"resourceId\":\"XX125\",\"actions\":{\"view\":\"EFFECT_" "ALLOW\"}}]" }]; } message CheckResourcesResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Response from the check resources API call."} }; message ResultEntry { message Resource { string id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "ID of the resource instance" example: "\"XX125\"" }]; string kind = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Name of the resource kind being accessed." example: "\"album:photo\"" }]; string policy_version = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "The policy version to use to evaluate this request. " "If not specified, will default to the " "server-configured default version." pattern: "^[[:word:]]*$" example: "\"default\"" }]; string scope = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "A dot-separated scope that describes the hierarchy " "this resource belongs to. This is used for " "determining policy inheritance." pattern: "^([[:alnum:]][[:word:]\\-]*(\\.[[:word:]\\-]*)*)*$" example: "\"acme.corp\"" }]; } message Meta { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Metadata about request evaluation."} }; message EffectMeta { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Name of the action."} }; string matched_policy = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Policy that matched to produce this effect." example: "\"album:object:default\"" }]; string matched_scope = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Policy scope that matched to produce this effect." example: "\"acme.corp.base\"" }]; } map actions = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Metadata about the effect calculated for each " "action on this resource instance." example: "{\"view:*\":{\"matched_policy\": " "\"album:object:default\"},\"comment\":{\"matched_" "policy\": \"album:object:default\"}}" }]; repeated string effective_derived_roles = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Derived roles that were effective during policy " "evaluation." example: "[\"owner\"]" }]; } Resource resource = 1; map actions = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Mapping of each action to an effect." example: "{\"view\":\"EFFECT_ALLOW\"}" }]; repeated cerbos.schema.v1.ValidationError validation_errors = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "List of validation errors (if schema validation is " "enabled)" }]; Meta meta = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Metadata about policy evaluation" example: "{\"actions\": {\"view:*\":{\"matched_policy\": " "\"album:object:default\"},\"comment\":{\"matched_policy\":" " \"album:object:default\"}}, \"effective_derived_roles\": " "[\"owner\"]}" }]; repeated cerbos.engine.v1.OutputEntry outputs = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Output for each rule with outputs configured" example: "[{\"src\": \"resource.expense.v1/acme#rule-001\", " "\"val\": \"view_allowed:alice\"}, {\"src\": " "\"resource.expense.v1/acme#rule-002\", \"val\": \"foo\"}]" }]; } string request_id = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Request ID provided in the request." example: "\"c2db17b8-4f9f-4fb1-acfd-9162a02be42b\"" }]; repeated ResultEntry results = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "Result for each resource" example: "[{\"resource\": {\"Id\":\"XX125\", \"kind\":\"album:object\"}, " "\"actions\":{\"view\":\"EFFECT_ALLOW\",\"comment\":\"EFFECT_" "DENY\"}}]" }]; string cerbos_call_id = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Audit log call ID associated with this request"}]; } message PlaygroundFailure { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Playground response"} }; message ErrorDetails { uint32 line = 1; uint32 column = 2; string context = 3; } message Error { string file = 1; string error = 2; ErrorDetails details = 3; } repeated Error errors = 1; } message PlaygroundValidateResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Playground validate response"} }; string playground_id = 1; oneof outcome { PlaygroundFailure failure = 2; google.protobuf.Empty success = 3; } } message PlaygroundTestResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Playground test response"} }; message TestResults { cerbos.policy.v1.TestResults results = 1; } string playground_id = 1; oneof outcome { PlaygroundFailure failure = 2; TestResults success = 3; } } message PlaygroundEvaluateResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Playground evaluate response"} }; message EvalResult { string action = 1; cerbos.effect.v1.Effect effect = 2; string policy = 3; repeated string effective_derived_roles = 4 [deprecated = true]; repeated cerbos.schema.v1.ValidationError validation_errors = 5 [deprecated = true]; } message EvalResultList { repeated EvalResult results = 1; repeated string effective_derived_roles = 2; repeated cerbos.schema.v1.ValidationError validation_errors = 3; repeated cerbos.engine.v1.OutputEntry outputs = 4; } string playground_id = 1; oneof outcome { PlaygroundFailure failure = 2; EvalResultList success = 3; } } message PlaygroundProxyResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Playground proxy response"} }; string playground_id = 1; oneof outcome { PlaygroundFailure failure = 2; CheckResourceSetResponse check_resource_set = 3; CheckResourceBatchResponse check_resource_batch = 4; PlanResourcesResponse plan_resources = 5; CheckResourcesResponse check_resources = 6; } } message AddOrUpdatePolicyResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Add/update policy response"} }; google.protobuf.Empty success = 1; } message ListAuditLogEntriesResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Audit log stream."} }; oneof entry { cerbos.audit.v1.AccessLogEntry access_log_entry = 1; cerbos.audit.v1.DecisionLogEntry decision_log_entry = 2; } } message ServerInfoResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Server info response"} }; string version = 1; string commit = 2; string build_date = 3; } message ListPoliciesResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "List of policies stored in the Cerbos server"} }; repeated string policy_ids = 1; } message GetPolicyResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Get policy response"} }; repeated cerbos.policy.v1.Policy policies = 1; } message DisablePolicyResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Disable policy response"} }; uint32 disabled_policies = 1; } message EnablePolicyResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Enable policy response"} }; uint32 enabled_policies = 1; } message InspectPoliciesResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Inspect policies response"} }; message Attribute { enum Kind { KIND_UNSPECIFIED = 0; KIND_PRINCIPAL_ATTRIBUTE = 1; KIND_RESOURCE_ATTRIBUTE = 2; } Kind kind = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Kind of the attribute being referenced."}]; string name = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Name of the attribute being referenced."}]; } message DerivedRole { enum Kind { KIND_UNSPECIFIED = 0; KIND_UNDEFINED = 1; KIND_EXPORTED = 2; KIND_IMPORTED = 3; } string name = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Derived role name defined in the policy."}]; Kind kind = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Kind of the derived role defined in the policy."}]; string source = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Source of the derived role defined in the policy."}]; } message Variable { enum Kind { KIND_UNSPECIFIED = 0; KIND_EXPORTED = 1; KIND_IMPORTED = 2; KIND_LOCAL = 3; KIND_UNDEFINED = 4; KIND_UNKNOWN = 5; } string name = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Variable name defined in the policy."}]; string value = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Raw value of the variable defined in the policy."}]; Kind kind = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Kind of the variable defined in the policy."}]; string source = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Source of the variable defined in the policy. Only exists if the kind is imported."}]; bool used = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Whether the variable is used in a condition."}]; } message Result { repeated string actions = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Actions defined in the policy."}]; repeated Variable variables = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Variables referenced in the policy."}]; string policy_id = 3 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "For blob, disk, and git stores policy ID is the file name. For other stores it is ../."}]; repeated DerivedRole derived_roles = 4 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Derived roles referenced in the policy."}]; repeated Attribute attributes = 5 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {description: "Attributes referenced in the policy."}]; } map results = 1; } message AddOrUpdateSchemaResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Add/update schema response"} }; } message ListSchemasResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "List schema ids response"} }; repeated string schema_ids = 1; } message GetSchemaResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Get schema(s) response"} }; repeated cerbos.schema.v1.Schema schemas = 1; } message DeleteSchemaResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Delete schema(s) response"} }; uint32 deleted_schemas = 1; } message ReloadStoreResponse { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = { json_schema: {description: "Reload store response"} }; }