@cerbos/core
Version:
Common types used by the Cerbos client libraries
520 lines • 16.8 kB
JavaScript
/* eslint-disable @typescript-eslint/no-deprecated */
import { fromJson } from "@bufbuild/protobuf";
import { ValueSchema, timestampFromDate } from "@bufbuild/protobuf/wkt";
import { v4 as uuidv4 } from "uuid";
import { Effect as EffectProtobuf } from "@cerbos/api/cerbos/effect/v1/effect_pb";
import { ScopePermissions as ScopePermissionsProtobuf } from "@cerbos/api/cerbos/policy/v1/policy_pb";
import { ListAuditLogEntriesRequest_Kind } from "@cerbos/api/cerbos/request/v1/request_pb";
import { Effect, SchemaDefinition, ScopePermissions, Service, auditLogFilterIsBetween, auditLogFilterIsSince, auditLogFilterIsTail, matchIsMatchAll, matchIsMatchAny, matchIsMatchExpr, matchIsMatchNone, policyIsDerivedRoles, policyIsExportConstants, policyIsExportVariables, policyIsPrincipalPolicy, policyIsResourcePolicy, policyIsRolePolicy, } from "../types/external.js";
const encoder = new TextEncoder();
export function addOrUpdatePoliciesRequestToProtobuf({ policies, }) {
return {
$typeName: "cerbos.request.v1.AddOrUpdatePolicyRequest",
policies: policies.map(policyToProtobuf),
};
}
/** @internal */
export function policyToProtobuf(policy) {
const { apiVersion = "api.cerbos.dev/v1", description = "", disabled = false, variables = {}, } = policy;
return {
$typeName: "cerbos.policy.v1.Policy",
apiVersion,
description,
disabled,
jsonSchema: "",
policyType: policyTypeToProtobuf(policy),
variables,
};
}
function policyTypeToProtobuf(policy) {
if (policyIsDerivedRoles(policy)) {
return {
case: "derivedRoles",
value: derivedRolesToProtobuf(policy),
};
}
if (policyIsExportConstants(policy)) {
return {
case: "exportConstants",
value: exportConstantsToProtobuf(policy),
};
}
if (policyIsExportVariables(policy)) {
return {
case: "exportVariables",
value: exportVariablesToProtobuf(policy),
};
}
if (policyIsPrincipalPolicy(policy)) {
return {
case: "principalPolicy",
value: principalPolicyToProtobuf(policy),
};
}
if (policyIsResourcePolicy(policy)) {
return {
case: "resourcePolicy",
value: resourcePolicyToProtobuf(policy),
};
}
if (policyIsRolePolicy(policy)) {
return {
case: "rolePolicy",
value: rolePolicyToProtobuf(policy),
};
}
throw new Error(`Unknown policy type: ${JSON.stringify(policy, null, 2)}`);
}
function derivedRolesToProtobuf({ derivedRoles: { name, definitions, constants, variables }, }) {
return {
$typeName: "cerbos.policy.v1.DerivedRoles",
name,
definitions: definitions.map(derivedRoleDefinitionToProtobuf),
constants: constants && constantsToProtobuf(constants),
variables: variables && variablesToProtobuf(variables),
};
}
function derivedRoleDefinitionToProtobuf({ name, parentRoles, condition, }) {
return {
$typeName: "cerbos.policy.v1.RoleDef",
name,
parentRoles,
condition: condition && conditionToProtobuf(condition),
};
}
function conditionToProtobuf({ match }) {
return {
$typeName: "cerbos.policy.v1.Condition",
condition: {
case: "match",
value: matchToProtobuf(match),
},
};
}
function matchToProtobuf(match) {
if (matchIsMatchAll(match)) {
return {
$typeName: "cerbos.policy.v1.Match",
op: {
case: "all",
value: matchesToProtobuf(match.all),
},
};
}
if (matchIsMatchAny(match)) {
return {
$typeName: "cerbos.policy.v1.Match",
op: {
case: "any",
value: matchesToProtobuf(match.any),
},
};
}
if (matchIsMatchNone(match)) {
return {
$typeName: "cerbos.policy.v1.Match",
op: {
case: "none",
value: matchesToProtobuf(match.none),
},
};
}
if (matchIsMatchExpr(match)) {
return {
$typeName: "cerbos.policy.v1.Match",
op: {
case: "expr",
value: match.expr,
},
};
}
throw new Error(`Unknown match type: ${JSON.stringify(match, null, 2)}`);
}
function matchesToProtobuf({ of }) {
return {
$typeName: "cerbos.policy.v1.Match.ExprList",
of: of.map(matchToProtobuf),
};
}
function constantsToProtobuf({ import: imports = [], local = {}, }) {
return {
$typeName: "cerbos.policy.v1.Constants",
import: imports,
local: valuesToProtobuf(local),
};
}
function exportConstantsToProtobuf({ exportConstants: { name, definitions }, }) {
return {
$typeName: "cerbos.policy.v1.ExportConstants",
name,
definitions: valuesToProtobuf(definitions),
};
}
function variablesToProtobuf({ import: imports = [], local = {}, }) {
return {
$typeName: "cerbos.policy.v1.Variables",
import: imports,
local,
};
}
function exportVariablesToProtobuf({ exportVariables: { name, definitions }, }) {
return {
$typeName: "cerbos.policy.v1.ExportVariables",
name,
definitions,
};
}
function principalPolicyToProtobuf({ principalPolicy: { principal, version, rules, scope = "", scopePermissions, constants, variables, }, }) {
return {
$typeName: "cerbos.policy.v1.PrincipalPolicy",
principal,
version,
rules: rules.map(principalRuleToProtobuf),
scope,
scopePermissions: scopePermissionsToProtobuf(scopePermissions),
constants: constants && constantsToProtobuf(constants),
variables: variables && variablesToProtobuf(variables),
};
}
function principalRuleToProtobuf({ resource, actions, }) {
return {
$typeName: "cerbos.policy.v1.PrincipalRule",
resource,
actions: actions.map(principalRuleActionToProtobuf),
};
}
function principalRuleActionToProtobuf({ action, effect, condition, name = "", output, }) {
return {
$typeName: "cerbos.policy.v1.PrincipalRule.Action",
action,
effect: effectToProtobuf(effect),
condition: condition && conditionToProtobuf(condition),
name,
output: output && outputToProtobuf(output),
};
}
function scopePermissionsToProtobuf(scopePermissions) {
switch (scopePermissions) {
case ScopePermissions.OVERRIDE_PARENT:
return ScopePermissionsProtobuf.OVERRIDE_PARENT;
case ScopePermissions.REQUIRE_PARENTAL_CONSENT_FOR_ALLOWS:
return ScopePermissionsProtobuf.REQUIRE_PARENTAL_CONSENT_FOR_ALLOWS;
default:
return ScopePermissionsProtobuf.UNSPECIFIED;
}
}
function effectToProtobuf(effect) {
return effect === Effect.ALLOW ? EffectProtobuf.ALLOW : EffectProtobuf.DENY;
}
function outputToProtobuf({ expr = "", when }) {
return {
$typeName: "cerbos.policy.v1.Output",
expr,
when: when && outputExpressionsToProtobuf(when),
};
}
function outputExpressionsToProtobuf({ ruleActivated = "", conditionNotMet = "", }) {
return {
$typeName: "cerbos.policy.v1.Output.When",
ruleActivated,
conditionNotMet,
};
}
function resourcePolicyToProtobuf({ resourcePolicy: { resource, version, importDerivedRoles = [], rules, scope = "", scopePermissions, schemas, constants, variables, }, }) {
return {
$typeName: "cerbos.policy.v1.ResourcePolicy",
resource,
version,
importDerivedRoles,
rules: rules.map(resourceRuleToProtobuf),
scope,
scopePermissions: scopePermissionsToProtobuf(scopePermissions),
schemas: schemas && policySchemasToProtobuf(schemas),
constants: constants && constantsToProtobuf(constants),
variables: variables && variablesToProtobuf(variables),
};
}
function resourceRuleToProtobuf({ actions, effect, derivedRoles = [], roles = [], condition, name = "", output, }) {
return {
$typeName: "cerbos.policy.v1.ResourceRule",
actions,
effect: effectToProtobuf(effect),
derivedRoles,
roles,
condition: condition && conditionToProtobuf(condition),
name,
output: output && outputToProtobuf(output),
};
}
function rolePolicyToProtobuf({ rolePolicy: { role, parentRoles, scope, rules }, }) {
return {
$typeName: "cerbos.policy.v1.RolePolicy",
policyType: { case: "role", value: role },
parentRoles: parentRoles ?? [],
scope: scope ?? "",
scopePermissions: ScopePermissionsProtobuf.UNSPECIFIED,
rules: rules.map(roleRuleToProtobuf),
};
}
function roleRuleToProtobuf({ resource, allowActions, condition, }) {
return {
$typeName: "cerbos.policy.v1.RoleRule",
resource,
allowActions,
condition: condition && conditionToProtobuf(condition),
};
}
function policySchemasToProtobuf({ principalSchema, resourceSchema, }) {
return {
$typeName: "cerbos.policy.v1.Schemas",
principalSchema: principalSchema && policySchemaToProtobuf(principalSchema),
resourceSchema: resourceSchema && policySchemaToProtobuf(resourceSchema),
};
}
function policySchemaToProtobuf({ ref, ignoreWhen, }) {
return {
$typeName: "cerbos.policy.v1.Schemas.Schema",
ref,
ignoreWhen: ignoreWhen && {
$typeName: "cerbos.policy.v1.Schemas.IgnoreWhen",
actions: ignoreWhen.actions,
},
};
}
export function addOrUpdateSchemasRequestToProtobuf({ schemas, }) {
return {
$typeName: "cerbos.request.v1.AddOrUpdateSchemaRequest",
schemas: schemas.map(schemaToProtobuf),
};
}
function schemaToProtobuf({ id, definition }) {
return {
$typeName: "cerbos.schema.v1.Schema",
id,
definition: schemaDefinitionToProtobuf(definition),
};
}
function schemaDefinitionToProtobuf(definition) {
if (definition instanceof Uint8Array) {
return definition;
}
if (definition instanceof SchemaDefinition) {
return definition.bytes;
}
if (typeof definition === "string") {
return encoder.encode(definition);
}
return encoder.encode(JSON.stringify(definition));
}
export function checkResourcesRequestToProtobuf({ principal, resources, auxData, includeMetadata = false, requestId = uuidv4(), }) {
return {
$typeName: "cerbos.request.v1.CheckResourcesRequest",
principal: principalToProtobuf(principal),
resources: resources.map(resourceCheckToProtobuf),
auxData: auxData && auxDataToProtobuf(auxData),
includeMeta: includeMetadata,
requestId,
};
}
function principalToProtobuf({ id, roles, attr = {}, attributes = {}, policyVersion = "", scope = "", }) {
return {
$typeName: "cerbos.engine.v1.Principal",
id,
roles,
attr: valuesToProtobuf({
...attributes,
...attr,
}),
policyVersion,
scope,
};
}
function resourceCheckToProtobuf({ resource, actions, }) {
return {
$typeName: "cerbos.request.v1.CheckResourcesRequest.ResourceEntry",
resource: resourceToProtobuf(resource),
actions,
};
}
function resourceToProtobuf({ kind, id, attr = {}, attributes = {}, policyVersion = "", scope = "", }) {
return {
$typeName: "cerbos.engine.v1.Resource",
kind,
id,
attr: valuesToProtobuf({
...attributes,
...attr,
}),
policyVersion,
scope,
};
}
function auxDataToProtobuf({ jwt }) {
if (!jwt) {
return undefined;
}
return {
$typeName: "cerbos.request.v1.AuxData",
jwt: jwtToProtobuf(jwt),
};
}
function jwtToProtobuf({ token, keySetId = "" }) {
return {
$typeName: "cerbos.request.v1.AuxData.JWT",
token,
keySetId,
};
}
export function deleteSchemasRequestToProtobuf({ ids, }) {
return {
$typeName: "cerbos.request.v1.DeleteSchemaRequest",
id: ids,
};
}
export function disablePoliciesRequestToProtobuf({ ids, }) {
return {
$typeName: "cerbos.request.v1.DisablePolicyRequest",
id: ids,
};
}
export function enablePoliciesRequestToProtobuf({ ids, }) {
return {
$typeName: "cerbos.request.v1.EnablePolicyRequest",
id: ids,
};
}
export function getPoliciesRequestToProtobuf({ ids, }) {
return {
$typeName: "cerbos.request.v1.GetPolicyRequest",
id: ids,
};
}
export function getSchemasRequestToProtobuf({ ids, }) {
return {
$typeName: "cerbos.request.v1.GetSchemaRequest",
id: ids,
};
}
export function healthCheckRequestToProtobuf({ service = Service.CERBOS, }) {
return {
$typeName: "grpc.health.v1.HealthCheckRequest",
service,
};
}
export function listAccessLogEntriesRequestToProtobuf({ filter, }) {
return {
$typeName: "cerbos.request.v1.ListAuditLogEntriesRequest",
kind: ListAuditLogEntriesRequest_Kind.ACCESS,
filter: auditLogFilterToProtobuf(filter),
};
}
export function listDecisionLogEntriesRequestToProtobuf({ filter, }) {
return {
$typeName: "cerbos.request.v1.ListAuditLogEntriesRequest",
kind: ListAuditLogEntriesRequest_Kind.DECISION,
filter: auditLogFilterToProtobuf(filter),
};
}
function auditLogFilterToProtobuf(filter) {
if (auditLogFilterIsBetween(filter)) {
return {
case: "between",
value: {
$typeName: "cerbos.request.v1.ListAuditLogEntriesRequest.TimeRange",
start: timestampFromDate(filter.start),
end: timestampFromDate(filter.end),
},
};
}
if (auditLogFilterIsSince(filter)) {
return {
case: "since",
value: durationToProtobuf(filter.since),
};
}
if (auditLogFilterIsTail(filter)) {
return {
case: "tail",
value: filter.tail,
};
}
return { case: undefined };
}
function durationToProtobuf(duration) {
const [seconds, nanos] = duration.toFixed(9).split(".", 2);
return {
$typeName: "google.protobuf.Duration",
seconds: BigInt(seconds),
nanos: parseInt(nanos, 10),
};
}
export function inspectPoliciesRequestToProtobuf({ includeDisabled = false, ids = [], nameRegexp = "", scopeRegexp = "", versionRegexp = "", }) {
return {
$typeName: "cerbos.request.v1.InspectPoliciesRequest",
policyId: ids,
includeDisabled,
nameRegexp,
scopeRegexp,
versionRegexp,
};
}
export function listPoliciesRequestToProtobuf({ includeDisabled = false, ids = [], nameRegexp = "", scopeRegexp = "", versionRegexp = "", }) {
return {
$typeName: "cerbos.request.v1.ListPoliciesRequest",
policyId: ids,
includeDisabled,
nameRegexp,
scopeRegexp,
versionRegexp,
};
}
export function planResourcesRequestToProtobuf(request) {
const { principal, resource, auxData, includeMetadata = false, requestId = uuidv4(), } = request;
return {
$typeName: "cerbos.request.v1.PlanResourcesRequest",
principal: principalToProtobuf(principal),
resource: resourceQueryToProtobuf(resource),
...planResourcesActionsToProtobuf(request),
auxData: auxData && auxDataToProtobuf(auxData),
includeMeta: includeMetadata,
requestId,
};
}
function planResourcesActionsToProtobuf(request) {
if ("actions" in request) {
return {
action: "",
actions: request.actions,
};
}
return {
action: request.action,
actions: [],
};
}
function resourceQueryToProtobuf({ kind, attr = {}, attributes = {}, policyVersion = "", scope = "", }) {
return {
$typeName: "cerbos.engine.v1.PlanResourcesInput.Resource",
kind,
attr: valuesToProtobuf({
...attributes,
...attr,
}),
policyVersion,
scope,
};
}
export function reloadStoreRequestToProtobuf({ wait, }) {
return {
$typeName: "cerbos.request.v1.ReloadStoreRequest",
wait,
};
}
/** @internal */
export function valuesToProtobuf(values) {
return Object.fromEntries(Object.entries(values).map(([key, value]) => [key, valueToProtobuf(value)]));
}
function valueToProtobuf(value) {
return fromJson(ValueSchema, value);
}
//# sourceMappingURL=toProtobuf.js.map