ENG-7055: High level Python client for abac

protos/buf.lock

@@ -9,8 +9,8 @@ deps:
   - remote: buf.build
     owner: googleapis
     repository: googleapis
-    commit: 72c8614f3bd0466ea67931ef2c43d608
-    digest: shake256:b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4
+    commit: 004180b77378443887d3b55cabc00384
+    digest: shake256:d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b
   - remote: buf.build
     owner: grpc-ecosystem
     repository: grpc-gateway

protos/sift/policies/v1/policies.proto

@@ -0,0 +1,213 @@
+syntax = "proto3";
+
+package sift.policies.v1;
+
+import "buf/validate/validate.proto";
+import "google/api/annotations.proto";
+import "google/api/field_behavior.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+import "protoc-gen-openapiv2/options/annotations.proto";
+
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+  info: {title: "Policy service"}
+};
+
+service PolicyService {
+  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_tag) = {description: "Service to manage ABAC policies."};
+
+  // Retrieve a policy
+  rpc GetPolicy(GetPolicyRequest) returns (GetPolicyResponse) {
+    option (google.api.http) = {get: "/api/v1/policies/{policy_id}"};
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      summary: "GetPolicy"
+      description: "Retrieve a policy."
+      operation_id: "PolicyService_GetPolicy"
+    };
+  }
+
+  // Retrieve policies using an optional filter.
+  rpc ListPolicies(ListPoliciesRequest) returns (ListPoliciesResponse) {
+    option (google.api.http) = {get: "/api/v1/policies"};
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      summary: "ListPolicies"
+      description: "Retrieve policies using an optional filter."
+      operation_id: "PolicyService_ListPolicies"
+    };
+  }
+
+  // Create a policy
+  rpc CreatePolicy(CreatePolicyRequest) returns (CreatePolicyResponse) {
+    option (google.api.http) = {
+      post: "/api/v1/policies"
+      body: "*"
+    };
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      summary: "CreatePolicy"
+      description: "Create a new policy."
+      operation_id: "PolicyService_CreatePolicy"
+    };
+  }
+
+  // Update a policy
+  rpc UpdatePolicy(UpdatePolicyRequest) returns (UpdatePolicyResponse) {
+    option (google.api.http) = {
+      patch: "/api/v1/policies"
+      body: "*"
+    };
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      summary: "UpdatePolicy"
+      description: "Update a policy."
+      operation_id: "PolicyService_UpdatePolicy"
+    };
+  }
+
+  // Archive a policy
+  rpc ArchivePolicy(ArchivePolicyRequest) returns (ArchivePolicyResponse) {
+    option (google.api.http) = {post: "/api/v1/policies/{policy_id}/archive"};
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      summary: "ArchivePolicy"
+      description: "Archive a policy."
+      operation_id: "PolicyService_ArchivePolicy"
+    };
+  }
+}
+
+message Policy {
+  string policy_id = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (buf.validate.field).string.uuid = true
+  ];
+  string name = 2 [(google.api.field_behavior) = REQUIRED];
+  optional string description = 3 [(google.api.field_behavior) = OPTIONAL];
+  string organization_id = 4 [
+    (google.api.field_behavior) = REQUIRED,
+    (buf.validate.field).string.uuid = true
+  ];
+  string created_by_user_id = 5 [
+    (google.api.field_behavior) = REQUIRED,
+    (buf.validate.field).string.uuid = true
+  ];
+  string modified_by_user_id = 6 [
+    (google.api.field_behavior) = REQUIRED,
+    (buf.validate.field).string.uuid = true
+  ];
+  google.protobuf.Timestamp created_date = 7 [(google.api.field_behavior) = REQUIRED];
+  google.protobuf.Timestamp modified_date = 8 [(google.api.field_behavior) = REQUIRED];
+  // Policy rules/configuration
+  PolicyConfiguration configuration = 9 [(google.api.field_behavior) = REQUIRED];
+  // Reference to the current policy version ID
+  string policy_version_id = 10 [
+    (google.api.field_behavior) = REQUIRED,
+    (buf.validate.field).string.uuid = true
+  ];
+  // The date the policy was archived.
+  google.protobuf.Timestamp archived_date = 11 [(google.api.field_behavior) = OPTIONAL];
+  bool is_archived = 12 [(google.api.field_behavior) = REQUIRED];
+  // Optional version number for this policy
+  optional int32 version = 13 [(google.api.field_behavior) = OPTIONAL];
+  // Optional notes for this version
+  optional string version_notes = 14 [(google.api.field_behavior) = OPTIONAL];
+  // Auto-generated change message for this version
+  optional string generated_change_message = 15 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// PolicyConfiguration represents the configuration and rules for a policy.
+// Expects a string containing a policy in the Cedar format
+// https://docs.cedarpolicy.com/policies/syntax-policy.html
+message PolicyConfiguration {
+  string cedar_policy = 1;
+}
+
+// The request for a call to `PolicyService_GetPolicy`.
+message GetPolicyRequest {
+  string policy_id = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (buf.validate.field).string.uuid = true
+  ];
+}
+
+// The response of a call to `PolicyService_GetPolicy`.
+message GetPolicyResponse {
+  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// The request for a call to `PolicyService_ListPolicies` to retrieve policies.
+message ListPoliciesRequest {
+  // The maximum number of policies to return. The service may return fewer than this value.
+  // If unspecified, at most 50 policies will be returned. The maximum value is 100; values above
+  // 100 will be coerced to 100. Optional.
+  uint32 page_size = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // A page token, received from a previous `ListPolicies` call.
+  // Provide this to retrieve the subsequent page.
+  // When paginating, all other parameters provided to `ListPolicies` must match
+  // the call that provided the page token. Optional.
+  string page_token = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // A [Common Expression Language (CEL)](https://github.com/google/cel-spec) filter string.
+  // Available fields to filter by are `policy_id`, `organization_id`, `name`, `description`,
+  // `created_by_user_id`, `modified_by_user_id`, `created_date`, `modified_date`, `archived_date`, and `is_archived`.
+  // For further information about how to use CELs, please refer to [this guide](https://github.com/google/cel-spec/blob/master/doc/langdef.md#standard-definitions).
+  // For more information about the fields used for filtering, please refer to [this definition](/docs/api/grpc/protocol-buffers/policies#policy). Optional.
+  string filter = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // How to order the retrieved policies. Formatted as a comma-separated string i.e. "FIELD_NAME[ desc],...".
+  // Available fields to order_by are `created_date`, `modified_date`, and `name`.
+  // If left empty, items are ordered by `created_date` in descending order (newest-first).
+  // For more information about the format of this field, read [this](https://google.aip.dev/132#ordering)
+  // Example: "created_date desc,modified_date"
+  string order_by = 4 [(google.api.field_behavior) = OPTIONAL];
+
+  // Whether to include archived policies in the response. If false or unset, archived policies are excluded.
+  bool include_archived = 6 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// The result of a call to `PolicyService_ListPolicies`.
+message ListPoliciesResponse {
+  repeated Policy policies = 1;
+  string next_page_token = 2;
+}
+
+// The request for a call to `PolicyService_CreatePolicy` to create a new policy.
+message CreatePolicyRequest {
+  string name = 1 [(google.api.field_behavior) = REQUIRED];
+  optional string description = 2 [(google.api.field_behavior) = OPTIONAL];
+  // Policy rules/configuration
+  PolicyConfiguration configuration = 3 [(google.api.field_behavior) = REQUIRED];
+  // Optional notes for this version
+  optional string version_notes = 4 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// The response of a call to `PolicyService_CreatePolicy`.
+message CreatePolicyResponse {
+  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// The request for a call to `PolicyService_UpdatePolicy` to update a policy.
+message UpdatePolicyRequest {
+  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
+  // The list of fields to be updated. The fields available to be updated are `name`, `description`, `configuration`, and `is_archived`.
+  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+  // Optional notes for the new policy version when configuration changes
+  optional string version_notes = 3;
+}
+
+// The response of a call to `PolicyService_UpdatePolicy`.
+message UpdatePolicyResponse {
+  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// The request for a call to `PolicyService_ArchivePolicy` to archive a policy.
+message ArchivePolicyRequest {
+  string policy_id = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (buf.validate.field).string.uuid = true
+  ];
+}
+
+// The response of a call to `PolicyService_ArchivePolicy`.
+message ArchivePolicyResponse {
+  Policy policy = 1 [(google.api.field_behavior) = REQUIRED];
+}
+