fix manifests

aserto-dev · Mar 6, 2025 · 5a32b8e · 5a32b8e
1 parent 73dfbd5
commit 5a32b8e
Show file tree

Hide file tree

Showing 10 changed files with 168 additions and 167 deletions.
diff --git a/assets/acmecorp/manifest.yaml b/assets/acmecorp/manifest.yaml
@@ -25,7 +25,7 @@ types:
 
     permissions:
       ### display_name: user#in_management_chain ###
-      in_management_chain: manager | manager->in_management_chain
+      in_management_chain: manager | manager->identifier | manager->in_management_chain
 
   ### display_name: Group ###
   group:

diff --git a/assets/api-auth/manifest.yaml b/assets/api-auth/manifest.yaml
@@ -21,7 +21,7 @@ types:
 
     permissions:
       ### display_name: user#in_management_chain ###
-      in_management_chain: manager | manager->in_management_chain
+      in_management_chain: manager | manager->identifier | manager->in_management_chain
 
   ### display_name: Group ###
   # group represents a collection of users and/or (nested) groups
@@ -40,11 +40,11 @@ types:
       reader: user | group#member
 
     permissions:
-      can_get: reader | can_put
-      can_put: writer | can_post
-      can_patch: writer | can_post
-      can_post: creator | can_delete
-      can_delete: deleter | owner
+      can_get: reader | reader->identifier | can_put
+      can_put: writer | writer->identifier | can_post
+      can_patch: writer | writer->identifier | can_post
+      can_post: creator | creator->identifier | can_delete
+      can_delete: deleter | deleter->identifier | owner | owner->identifier
 
   ### display_name: Endpoint ###
   # endpoint represents a specific API endpoint
@@ -59,5 +59,5 @@ types:
       # invoker allows a user or group to get access to invoke this specific endpoint
       invoker: user | group#member
     permissions:
-      can_invoke: invoker | service-reader->can_get | service-writer->can_put |
+      can_invoke: invoker | invoker->identifier | service-reader->can_get | service-writer->can_put |
         service-creator->can_post | service-deleter->can_delete
diff --git a/assets/api-auth/test/api-auth_assertions.json b/assets/api-auth/test/api-auth_assertions.json
@@ -5,7 +5,7 @@
         "object_type": "endpoint",
         "object_id": "todo:DELETE:/v1/todos/{todoId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -15,7 +15,7 @@
         "object_type": "endpoint",
         "object_id": "todo:DELETE:/v1/todos/{todoId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -25,7 +25,7 @@
         "object_type": "endpoint",
         "object_id": "todo:DELETE:/v1/todos/{todoId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -35,7 +35,7 @@
         "object_type": "endpoint",
         "object_id": "todo:DELETE:/v1/todos/{todoId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -45,7 +45,7 @@
         "object_type": "endpoint",
         "object_id": "todo:DELETE:/v1/todos/{todoId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -55,7 +55,7 @@
         "object_type": "endpoint",
         "object_id": "todo:GET:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -65,7 +65,7 @@
         "object_type": "endpoint",
         "object_id": "todo:GET:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -75,7 +75,7 @@
         "object_type": "endpoint",
         "object_id": "todo:GET:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -85,7 +85,7 @@
         "object_type": "endpoint",
         "object_id": "todo:GET:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -95,7 +95,7 @@
         "object_type": "endpoint",
         "object_id": "todo:GET:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -105,7 +105,7 @@
         "object_type": "endpoint",
         "object_id": "todo:POST:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -115,7 +115,7 @@
         "object_type": "endpoint",
         "object_id": "todo:POST:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -125,7 +125,7 @@
         "object_type": "endpoint",
         "object_id": "todo:POST:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -135,7 +135,7 @@
         "object_type": "endpoint",
         "object_id": "todo:POST:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -145,7 +145,7 @@
         "object_type": "endpoint",
         "object_id": "todo:POST:/v1/todos",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -155,7 +155,7 @@
         "object_type": "endpoint",
         "object_id": "rick-and-morty:GET:/v1/characters",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -165,7 +165,7 @@
         "object_type": "endpoint",
         "object_id": "rick-and-morty:GET:/v1/characters",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -175,7 +175,7 @@
         "object_type": "endpoint",
         "object_id": "rick-and-morty:GET:/v1/characters",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -185,7 +185,7 @@
         "object_type": "endpoint",
         "object_id": "rick-and-morty:GET:/v1/characters",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -195,7 +195,7 @@
         "object_type": "endpoint",
         "object_id": "rick-and-morty:GET:/v1/characters",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -205,7 +205,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:GET:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -215,7 +215,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:GET:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -225,7 +225,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:GET:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -235,7 +235,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:GET:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -245,7 +245,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:GET:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -255,7 +255,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:POST:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -265,7 +265,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:POST:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -275,7 +275,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:POST:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -285,7 +285,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:POST:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -295,7 +295,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:POST:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -305,7 +305,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:DELETE:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": true
@@ -315,7 +315,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:DELETE:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -325,7 +325,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:DELETE:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -335,7 +335,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:DELETE:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false
@@ -345,7 +345,7 @@
         "object_type": "endpoint",
         "object_id": "petstore:DELETE:/pet/{petId}",
         "relation": "can_invoke",
-        "subject_type": "user",
+        "subject_type": "identity",
         "subject_id": "[email protected]"
       },
       "expected": false

diff --git a/assets/github/manifest.yaml b/assets/github/manifest.yaml
@@ -47,10 +47,10 @@ types:
       repo_writer: user | organization#member
 
     permissions:
-      is_member:      member | owner
-      can_administer: repo_admin | owner
-      can_write:      repo_writer | can_administer
-      can_read:       repo_reader | can_write
+      is_member:      member | member->identifier | owner | owner->identifier
+      can_administer: repo_admin | repo_admin->identifier | owner | owner->identifier
+      can_write:      repo_writer | repo_writer->identifier | can_administer
+      can_read:       repo_reader | repo_reader->identifier | can_write
 
   ### display_name: Repository ###
   repo:
@@ -64,9 +64,9 @@ types:
       writer:     user | team#member
 
     permissions:
-      can_administer: admin | owner->can_administer
+      can_administer: admin | admin->identifier | owner->can_administer
       can_delete:     can_administer
-      can_maintain:   maintainer | can_administer
-      can_write:      writer  | can_maintain | owner->can_write
-      can_triage:     triager | can_write
-      can_read:       reader  | can_triage   | owner->can_read
+      can_maintain:   maintainer | maintainer->identifier | can_administer
+      can_write:      writer | writer->identifier | can_maintain | owner->can_write
+      can_triage:     triager | triager->identifier | can_write
+      can_read:       reader | reader->identifier  | can_triage   | owner->can_read