Promote BulkCheckPermission to v1

The 'BulkCheckPermission' API is stable and can be promoted into the v1 'PermissionsService'.
authzed · Feb 14, 2024 · 024e5ff · 024e5ff
1 parent 1485497
commit 024e5ff
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 43 deletions.
diff --git a/authzed/api/v1/experimental_service.proto b/authzed/api/v1/experimental_service.proto
@@ -6,16 +6,13 @@ option java_package = "com.authzed.api.v1";
 
 import "google/api/annotations.proto";
 import "validate/validate.proto";
-import "google/protobuf/struct.proto";
-import "google/rpc/status.proto";
 
 import "authzed/api/v1/core.proto";
 import "authzed/api/v1/permission_service.proto";
 
 // ExperimentalService exposes a number of APIs that are currently being
 // prototyped and tested for future inclusion in the stable API.
 service ExperimentalService {
-
   // BulkImportRelationships is a faster path to writing a large number of
   // relationships at once. It is both batched and streaming. For maximum
   // performance, the caller should attempt to write relationships in as close
@@ -53,46 +50,6 @@ service ExperimentalService {
   }
 }
 
-message BulkCheckPermissionRequest {
-  Consistency consistency = 1;
-
-  repeated BulkCheckPermissionRequestItem items = 2 [ (validate.rules).repeated .items.message.required = true ];
-}
-
-message BulkCheckPermissionRequestItem {
-  ObjectReference resource = 1 [ (validate.rules).message.required = true ];
-
-  string permission = 2 [ (validate.rules).string = {
-    pattern : "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$",
-    max_bytes : 64,
-  } ];
-
-  SubjectReference subject = 3 [ (validate.rules).message.required = true ];
-
-  google.protobuf.Struct context = 4 [ (validate.rules).message.required = false ];
-}
-
-message BulkCheckPermissionResponse {
-  ZedToken checked_at = 1 [ (validate.rules).message.required = false ];
-
-  repeated BulkCheckPermissionPair pairs = 2 [ (validate.rules).repeated .items.message.required = true ];
-}
-
-message BulkCheckPermissionPair {
-  BulkCheckPermissionRequestItem request = 1;
-  oneof response {
-    BulkCheckPermissionResponseItem item = 2;
-    google.rpc.Status error = 3;
-  }
-}
-
-message BulkCheckPermissionResponseItem {
-
-  CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
-
-  PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ];
-}
-
 // BulkImportRelationshipsRequest represents one batch of the streaming
 // BulkImportRelationships API. The maximum size is only limited by the backing
 // datastore, and optimal size should be determined by the calling client

diff --git a/authzed/api/v1/permission_service.proto b/authzed/api/v1/permission_service.proto
@@ -6,6 +6,7 @@ option java_package = "com.authzed.api.v1";
 
 import "google/protobuf/struct.proto";
 import "google/api/annotations.proto";
+import "google/rpc/status.proto";
 import "validate/validate.proto";
 
 import "authzed/api/v1/core.proto";
@@ -56,6 +57,16 @@ service PermissionsService {
       };
     }
 
+  // BulkCheckPermission accepts a list of permission checks and returns
+  // the results of those checks in a single response.
+  rpc BulkCheckPermission(BulkCheckPermissionRequest)
+    returns (BulkCheckPermissionResponse) {
+      option (google.api.http) = {
+        post: "/v1/permissions/bulkcheckpermission"
+        body: "*"
+      };
+    }
+
   // ExpandPermissionTree reveals the graph structure for a resource's
   // permission or relation. This RPC does not recurse infinitely deep and may
   // require multiple calls to fully unnest a deeply nested graph.
@@ -349,6 +360,46 @@ message CheckPermissionResponse {
   PartialCaveatInfo partial_caveat_info = 3 [ (validate.rules).message.required = false ];
 }
 
+message BulkCheckPermissionRequest {
+  Consistency consistency = 1;
+
+  repeated BulkCheckPermissionRequestItem items = 2 [ (validate.rules).repeated .items.message.required = true ];
+}
+
+message BulkCheckPermissionRequestItem {
+  ObjectReference resource = 1 [ (validate.rules).message.required = true ];
+
+  string permission = 2 [ (validate.rules).string = {
+    pattern : "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$",
+    max_bytes : 64,
+  } ];
+
+  SubjectReference subject = 3 [ (validate.rules).message.required = true ];
+
+  google.protobuf.Struct context = 4 [ (validate.rules).message.required = false ];
+}
+
+message BulkCheckPermissionResponse {
+  ZedToken checked_at = 1 [ (validate.rules).message.required = false ];
+
+  repeated BulkCheckPermissionPair pairs = 2 [ (validate.rules).repeated .items.message.required = true ];
+}
+
+message BulkCheckPermissionPair {
+  BulkCheckPermissionRequestItem request = 1;
+
+  oneof response {
+    BulkCheckPermissionResponseItem item = 2;
+    google.rpc.Status error = 3;
+  }
+}
+
+message BulkCheckPermissionResponseItem {
+  CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
+
+  PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ];
+}
+
 // ExpandPermissionTreeRequest returns a tree representing the expansion of all
 // relationships found accessible from a permission or relation on a particular
 // resource.

diff --git a/buf.yaml b/buf.yaml
@@ -8,3 +8,8 @@ deps:
 lint:
   ignore:
     - "authzed/api/v0"  # legacy from before we used buf
+  ignore_only:
+    # BulkCheckPermission exists in both experimental and v1
+    RPC_REQUEST_RESPONSE_UNIQUE:
+      - "authzed/api/v1/experimental_service.proto"
+      - "authzed/api/v1/permission_service.proto"