Merge pull request #149 from josephschorr/lookup-subjects

Add LookupSubjects support to zed
authzed · Sep 13, 2022 · f0f9fbc · f0f9fbc
2 parents b65772a + 9fbd48d
commit f0f9fbc
Show file tree

Hide file tree

Showing 9 changed files with 147 additions and 42 deletions.
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -1,6 +1,6 @@
 ---
 name: "Build & Test"
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   push:
     branches:
       - "!dependabot/*"
@@ -16,7 +16,7 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "actions/setup-go@v3"
         with:
-          go-version: "~1.18"
+          go-version: "~1.19.1"
       - uses: "authzed/actions/go-build@main"
 
   image-build:
@@ -33,6 +33,6 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "actions/setup-go@v3"
         with:
-          go-version: "~1.18"
+          go-version: "~1.19.1"
       - uses: "authzed/action-spicedb@v1"
       - uses: "authzed/actions/go-test@main"
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,6 +1,6 @@
 ---
 name: "Lint"
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   push:
     branches:
       - "!dependabot/*"
@@ -15,7 +15,7 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "actions/setup-go@v3"
         with:
-          go-version: "~1.18"
+          go-version: "~1.19.1"
       - uses: "authzed/actions/gofumpt@main"
       - uses: "authzed/actions/go-mod-tidy@main"
       - uses: "authzed/actions/go-generate@main"
@@ -60,4 +60,4 @@ jobs:
       - name: "Upload Trivy scan results to GitHub Security tab"
         uses: "github/codeql-action/upload-sarif@v2"
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,7 +3,7 @@ name: "release"
 on:
   push:
     tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - "v[0-9]+.[0-9]+.[0-9]+"
 jobs:
   github:
     runs-on: "macos-latest"
@@ -43,7 +43,7 @@ jobs:
         run: "sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu gcc-mingw-w64-x86-64"
       - uses: "actions/setup-go@v3"
         with:
-          go-version: "~1.18"
+          go-version: "~1.19.1"
       - uses: "goreleaser/goreleaser-action@v2"
         with:
           distribution: "goreleaser"

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.18-alpine3.15 AS build
+FROM golang:1.19.1-alpine3.15 AS build
 
 RUN apk update
 RUN apk add git

diff --git a/cmd/zed/permission.go b/cmd/zed/permission.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/authzed/authzed-go/pkg/requestmeta"
 	"github.com/authzed/authzed-go/pkg/responsemeta"
@@ -39,6 +40,14 @@ func registerPermissionCmd(rootCmd *cobra.Command) {
 	permissionCmd.AddCommand(lookupCmd)
 	lookupCmd.Flags().Bool("json", false, "output as JSON")
 	lookupCmd.Flags().String("revision", "", "optional revision at which to check")
+
+	permissionCmd.AddCommand(lookupResourcesCmd)
+	lookupResourcesCmd.Flags().Bool("json", false, "output as JSON")
+	lookupResourcesCmd.Flags().String("revision", "", "optional revision at which to check")
+
+	permissionCmd.AddCommand(lookupSubjectsCmd)
+	lookupSubjectsCmd.Flags().Bool("json", false, "output as JSON")
+	lookupSubjectsCmd.Flags().String("revision", "", "optional revision at which to check")
 }
 
 var permissionCmd = &cobra.Command{
@@ -60,11 +69,26 @@ var expandCmd = &cobra.Command{
 	RunE:  cobrautil.CommandStack(LogCmdFunc, expandCmdFunc),
 }
 
+var lookupResourcesCmd = &cobra.Command{
+	Use:   "lookup-resources <type> <permission> <subject:id>",
+	Short: "looks up the Resources of a given type for which the Subject has Permission",
+	Args:  cobra.ExactArgs(3),
+	RunE:  cobrautil.CommandStack(LogCmdFunc, lookupResourcesCmdFunc),
+}
+
 var lookupCmd = &cobra.Command{
-	Use:   "lookup <type> <permission> <subject:id>",
-	Short: "lookup the Resources of a given type for which the Subject has Permission",
+	Use:    "lookup <type> <permission> <subject:id>",
+	Short:  "lookup the Resources of a given type for which the Subject has Permission",
+	Args:   cobra.ExactArgs(3),
+	RunE:   cobrautil.CommandStack(LogCmdFunc, lookupResourcesCmdFunc),
+	Hidden: true,
+}
+
+var lookupSubjectsCmd = &cobra.Command{
+	Use:   "lookup-subjects <resource:id> <permission> <subject_type#optional_subject_relation>",
+	Short: "lookup the Subjects of a given type for which the Subject has Permission on the Resource",
 	Args:  cobra.ExactArgs(3),
-	RunE:  cobrautil.CommandStack(LogCmdFunc, lookupCmdFunc),
+	RunE:  cobrautil.CommandStack(LogCmdFunc, lookupSubjectsCmdFunc),
 }
 
 func parseSubject(s string) (namespace, id, relation string, err error) {
@@ -80,6 +104,11 @@ func parseSubject(s string) (namespace, id, relation string, err error) {
 	return
 }
 
+func parseType(s string) (namespace, relation string) {
+	namespace, relation, _ = strings.Cut(s, "#")
+	return
+}
+
 func checkCmdFunc(cmd *cobra.Command, args []string) error {
 	var objectNS, objectID string
 	err := stringz.SplitExact(args[0], ":", &objectNS, &objectID)
@@ -223,7 +252,7 @@ func expandCmdFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func lookupCmdFunc(cmd *cobra.Command, args []string) error {
+func lookupResourcesCmdFunc(cmd *cobra.Command, args []string) error {
 	objectNS := args[0]
 	relation := args[1]
 	subjectNS, subjectID, subjectRel, err := parseSubject(args[2])
@@ -291,6 +320,80 @@ func lookupCmdFunc(cmd *cobra.Command, args []string) error {
 	}
 }
 
+func lookupSubjectsCmdFunc(cmd *cobra.Command, args []string) error {
+	var objectNS, objectID string
+	err := stringz.SplitExact(args[0], ":", &objectNS, &objectID)
+	if err != nil {
+		return err
+	}
+
+	permission := args[1]
+
+	subjectType, subjectRelation := parseType(args[2])
+
+	configStore, secretStore := defaultStorage()
+	token, err := storage.DefaultToken(
+		cobrautil.MustGetString(cmd, "endpoint"),
+		cobrautil.MustGetString(cmd, "token"),
+		configStore,
+		secretStore,
+	)
+	if err != nil {
+		return err
+	}
+	log.Trace().Interface("token", token).Send()
+
+	client, err := authzed.NewClient(token.Endpoint, dialOptsFromFlags(cmd, token)...)
+	if err != nil {
+		return err
+	}
+
+	request := &v1.LookupSubjectsRequest{
+		Resource: &v1.ObjectReference{
+			ObjectType: objectNS,
+			ObjectId:   objectID,
+		},
+		Permission:              permission,
+		SubjectObjectType:       subjectType,
+		OptionalSubjectRelation: subjectRelation,
+	}
+
+	if zedtoken := cobrautil.MustGetString(cmd, "revision"); zedtoken != "" {
+		request.Consistency = atLeastAsFresh(zedtoken)
+	}
+	log.Trace().Interface("request", request).Send()
+
+	respStream, err := client.LookupSubjects(context.Background(), request)
+	if err != nil {
+		return err
+	}
+
+	for {
+		resp, err := respStream.Recv()
+		switch {
+		case errors.Is(err, io.EOF):
+			return nil
+		case err != nil:
+			return err
+		default:
+			if cobrautil.MustGetBool(cmd, "json") {
+				prettyProto, err := prettyProto(resp)
+				if err != nil {
+					return err
+				}
+
+				fmt.Println(string(prettyProto))
+			}
+
+			if len(resp.ExcludedSubjectIds) > 0 {
+				fmt.Printf("%s:* - {%s}\n", subjectType, strings.Join(resp.ExcludedSubjectIds, ", "))
+			} else {
+				fmt.Printf("%s:%s\n", subjectType, resp.SubjectObjectId)
+			}
+		}
+	}
+}
+
 func displayDebugInformationIfRequested(cmd *cobra.Command, trailerMD metadata.MD, hasError bool) error {
 	if cobrautil.MustGetBool(cmd, "explain") || cobrautil.MustGetBool(cmd, "schema") {
 		found, err := responsemeta.GetResponseTrailerMetadataOrNil(trailerMD, responsemeta.DebugInformation)

diff --git a/cmd/zed/schema.go b/cmd/zed/schema.go
@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"strings"
 
@@ -142,7 +142,7 @@ func schemaWriteCmdFunc(cmd *cobra.Command, args []string) error {
 		}
 		log.Trace().Str("schema", string(schemaBytes)).Str("file", args[0]).Msg("read schema from file")
 	case 0:
-		schemaBytes, err = ioutil.ReadAll(os.Stdin)
+		schemaBytes, err = io.ReadAll(os.Stdin)
 		if err != nil {
 			return fmt.Errorf("failed to read schema file: %w", err)
 		}

diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/99designs/keyring v1.2.1
 	github.com/AlecAivazis/survey/v2 v2.3.5
 	github.com/TylerBrock/colorjson v0.0.0-20200706003622-8a50f05110d2
-	github.com/authzed/authzed-go v0.6.1-0.20220721164311-7b705b328aed
+	github.com/authzed/authzed-go v0.7.0
 	github.com/authzed/connector-postgresql v0.2.1-0.20211110161636-5a22597732ae
 	github.com/authzed/grpcutil v0.0.0-20220104222419-f813f77722e5
 	github.com/authzed/spicedb v1.10.0
@@ -21,9 +21,9 @@ require (
 	github.com/rs/zerolog v1.27.0
 	github.com/spf13/cobra v1.5.0
 	github.com/stretchr/testify v1.8.0
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
-	google.golang.org/grpc v1.48.0
+	google.golang.org/grpc v1.49.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -34,7 +34,7 @@ require (
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/agnivade/levenshtein v1.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytecodealliance/wasmtime-go v0.36.0 // indirect
+	github.com/bytecodealliance/wasmtime-go v0.40.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/certifi/gocertifi v0.0.0-20210507211836-431795d63e8d // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
@@ -78,7 +78,7 @@ require (
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0-rc.2.0.20210831071041-dd1540ef8252 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-memdb v1.3.3 // indirect
@@ -130,7 +130,7 @@ require (
 	github.com/scylladb/go-set v1.0.2 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.8.2 // indirect
+	github.com/spf13/afero v1.9.2 // indirect
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -160,12 +160,12 @@ require (
 	go.uber.org/multierr v1.8.0 // indirect
 	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
-	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect
+	golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect
+	golang.org/x/sys v0.0.0-20220818161305-2296e01440c6 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
-	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
+	google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc // indirect
 	gopkg.in/ini.v1 v1.66.4 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	oras.land/oras-go v1.2.0 // indirect