A client for managing authzed or any API-compatible system from your command line.

Overview

zed

Installation

zed is currently packaged as a head-only Homebrew Formula for both macOS and Linux.

$ brew install --HEAD authzed/tap/zed

Example Usage

Managing credentials

Configuring credentials is similar to kubeconfig in kubectl.

API Tokens are stored in the system keychain.

$ zed config set-token [email protected] tu_zed_hanazawa_deadbeefdeadbeefdeadbeefdeadbeef
NAME             	ENDPOINT            	TOKEN
[email protected]	grpc.authzed.com:443	

$ zed config get-tokens
NAME             	ENDPOINT            	TOKEN
[email protected]	grpc.authzed.com:443	

Context data is stored in $XDG_CONFIG_HOME/zed, falling back to ~/.zed if that environment variable is not set.

$ zed config set-context rbac rbac_example [email protected]
NAME	TENANT      	TOKEN NAME       	ENDPOINT            	CURRENT
rbac	rbac_example	[email protected]	grpc.authzed.com:443

$ zed config use-context rbac
NAME	TENANT      	TOKEN NAME       	ENDPOINT            	CURRENT
rbac	rbac_example	[email protected]	grpc.authzed.com:443	true

The environment variables $ZED_TENANT, $ZED_TOKEN, and $ZED_ENDPOINT can be used to override their respective values in the current context.

Explore relationships

The describe command provides a tree view of a namespace definition.

$ zed describe document
document
 ├── writer
 └── reader
      └── union
           ├── _this
           └── TUPLE_OBJECT: writer

The expand command provides a tree view of a relation of a particular object.

$ zed expand document:firstdoc reader
document:firstdoc reader
 └── union
      ├── user:fred
      └── document:firstdoc writer
           └── user:tom

When piped or provided the --json flag, API responses are converted into JSON.

$ zed describe document | jq '.config.relation[0].name'
"writer"

Modify relationships

$ zed check user:jimmy document:firstdoc reader
false

$ zed create user:jimmy document:firstdoc writer
CAESAwiLBA==

$ zed check user:jimmy document:firstdoc writer
true

$ zed check user:jimmy document:firstdoc reader
true

$ zed delete user:jimmy document:firstdoc writer
CAESAwiMBA==

$ zed check user:jimmy document:firstdoc reader
false

$ zed check user:jimmy document:firstdoc writer
false
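
The check results above follow from the namespace shown by zed describe: reader is a union of its own direct relationships (_this) and the writer relation on the same object. The Go sketch below is an added example, not zed or authzed code; the Store type and its methods are hypothetical, and the seeded relationships are constructed from the expand output above.

```go
package main

import "fmt"

// Relationship is one stored tuple: Subject holds Relation on Object.
type Relationship struct {
	Subject, Object, Relation string
}

// Store is a hypothetical in-memory stand-in for the permission system.
type Store struct {
	tuples map[Relationship]bool
	// includes lists, per relation, the other relations on the same object
	// whose members are also members of it (the TUPLE_OBJECT children of the
	// union node in `zed describe`).
	includes map[string][]string
}

// NewDocumentStore models the `document` namespace from the describe output
// and seeds the relationships visible in the expand output (constructed data).
func NewDocumentStore() *Store {
	s := &Store{
		tuples:   map[Relationship]bool{},
		includes: map[string][]string{"writer": nil, "reader": {"writer"}},
	}
	s.Create("user:fred", "document:firstdoc", "reader")
	s.Create("user:tom", "document:firstdoc", "writer")
	return s
}

// Create stores a relationship, like `zed create`.
func (s *Store) Create(subject, object, relation string) {
	s.tuples[Relationship{subject, object, relation}] = true
}

// Delete removes a stored relationship, like `zed delete`.
func (s *Store) Delete(subject, object, relation string) {
	delete(s.tuples, Relationship{subject, object, relation})
}

// Check reports whether subject holds relation on object, either directly
// (_this) or through a relation included by the union.
func (s *Store) Check(subject, object, relation string) bool {
	return s.check(subject, object, relation, map[string]bool{})
}

func (s *Store) check(subject, object, relation string, seen map[string]bool) bool {
	if _, defined := s.includes[relation]; !defined || seen[relation] {
		return false // unknown relation, or a cycle in the rewrite rules
	}
	seen[relation] = true
	if s.tuples[Relationship{subject, object, relation}] {
		return true // _this: a directly stored relationship
	}
	for _, inc := range s.includes[relation] {
		if s.check(subject, object, inc, seen) {
			return true
		}
	}
	return false
}

func main() {
	s := NewDocumentStore()
	doc := "document:firstdoc"
	fmt.Println(s.Check("user:jimmy", doc, "reader")) // no relationship yet
	s.Create("user:jimmy", doc, "writer")
	fmt.Println(s.Check("user:jimmy", doc, "writer")) // direct relationship
	fmt.Println(s.Check("user:jimmy", doc, "reader")) // granted through writer
	s.Delete("user:jimmy", doc, "writer")
	fmt.Println(s.Check("user:jimmy", doc, "reader")) // revoked with the writer tuple
}
```

Deleting the single writer relationship also removes the derived reader access, which is why the last two checks in the transcript both return false.
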
Issues
  • Support prefix rewrites for zed import just like the playground does

    When one edits a schema in the playground then imports it back into a permissions system via the "import" button, the playground automatically prepends the permission system's prefix to each reference in the schema.

    However, that rewrite doesn't happen on zed import operations, making it difficult to share a common schema file with multiple permission systems; each reference in the schema has to be manually modified to include the prefix for the destination permission system.

    This is a request to either:

    • fetch the prefix from the destination permissions system and then automatically prepend the prefix to each reference, just like the playground (ideal)
    • pass in the prefix via a command line option (not as ideal)
    area/CLI area/tooling 
    opened by glorious-beard 2
  • Bump tailscale.com from 1.18.2 to 1.20.1

    Bumps tailscale.com from 1.18.2 to 1.20.1.

    Release notes

    Sourced from tailscale.com's releases.

    1.20.1

    Fix a potential deadlock in handling the DERPmap.

    1.20.0

    All Platforms

    • New: When using an exit node, DNS queries will be forwarded to the exit node for resolution
    • New: tailscaled now allows running the outgoing SOCKS5 and HTTP proxies on the same port.
    • New: SOCKS5/HTTP proxies now allow connecting via subnet routers & exit nodes when run in userspace-networking mode
    • New: More debug metrics available
    • New: tailscale ip -1 flag
    • New: CLI now lets you select exit node by name
    • New: CLI now shows you which nodes are offering exit nodes
    • New: CLI now refuses to let you pick an invalid exit node (when connected)
    • New: Packet filter now supports matching any IP protocol number when enabled in ACLs (previously only TCP, UDP, ICMP and SCTP)
    • New: Added Online boolean to tailscale status --json, made tailscale status show offline nodes
    • New: Added tailscale up --json
    • Fixed: MagicDNS now works over IPv6 when CGNAT IPv4 is disabled using DisableIPv4: true in ACL
    • Fixed: choose a new DERP if the current DERP is removed from the DERPmap
    • Fixed: bug fixes, cleanups, log spam reduction

    Linux

    • Changed: tailscale file cp sends via the local tailscaled now, so it now supports tailscaled running in tun-free, userspace-networking mode (such as on Synology DSM7 unless you enable TUN mode)

    Windows

    • New: GUI support for running an exit node

    macOS

    • New: GUI support for running an exit node

    iOS

    • Changed: Send heartbeats less often, to conserve battery

    Android

    • New: Talkback support
    • New: Menu selection to generate a bug report
    • New: "Allow LAN Access" checkbox in Exit Node menu
    • Changed: Send heartbeats less often, to conserve battery
    • Changed: implement DNS config reporting, no longer require fallback DNS to be configured in admin panel
    • Fixed: Report in the UI when connectivity is lost; this functionality was present but broken in prior releases

    FreeBSD

    • Fixed: Now supports running in a jail (if devd isn't available, it falls back to network status polling mode)
    Commits
    • 88c4bde VERSION.txt: this is v1.20.1
    • 7052c6f wgengine/magicsock: fix lock ordering deadlock with derphttp
    • e510abc net/dnscache: don't cancel the TLS context before writing to the result channel.
    • 958917d VERSION.txt: this is v1.20.0
    • 7c1a1aa tailcfg: no-op bump of MapRequest.Version
    • 90423bf wgengine/netstack: make userspace ping work when tailscaled has CAP_NET_RAW
    • 0028a8d cmd/tailscale/cli/web: fix typo where the html template data was being
    • 8519cab net/dns/resolver: handle tabs as whitespace when ExitDNS parses resolv.conf
    • 4cd0620 net/netns: remove a useless probe of the "ip" command
    • 04a7f50 cmd/tailscale: let 'tailscale up --reset' do a pref edit
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Bump github.com/open-policy-agent/opa from 0.29.4 to 0.36.0

    Bumps github.com/open-policy-agent/opa from 0.29.4 to 0.36.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.36.0

    This release contains a number of fixes and enhancements.

    OpenTelemetry and opa exec

    This release adds OpenTelemetry support to OPA. This makes it possible to emit spans to an OpenTelemetry collector via gRPC on both incoming and outgoing (i.e. http.send) calls in the server. See the updated docs on monitoring for more information and configuration options (#1469 authored by @​rvalkenaers)

    This release also adds a new opa exec command for doing one-off evaluations of policy against input similar to opa eval, but using the full capabilities of the server (config file, plugins, etc). This is particularly useful in contexts such as CI/CD or when enforcing policy for infrastructure as code, where one might want to run OPA with remote bundles and decision logs but without having a running server. See the updated docs on Terraform for an example use case. (#3525)

    Built-in Functions

    • Four new functions for working with HMAC (crypto.hmac.md5, crypto.hmac.sha1, crypto.hmac.sha256, and crypto.hmac.sha512) were added (#1740 reported by @jshaw86)
    • array.reverse(array) and strings.reverse(string) were added for reversing arrays and strings (#3736 authored by @kristiansvalland and @olamiko)
    • The http.send built-in function now uses a metric for counting inter-query cache hits (#4023 authored by @​mirayadav)
    • An overflow issue with dates very far in the future has been fixed in the time.* built-in functions (#4098 reported by @​morgante)

    Tooling

    • A problem with future keyword import of in was fixed for opa fmt (#4111, reported by @​keshavprasadms)
    • An issue with opa fmt when refs contained operators was fixed (authored by @​jaspervdj-luminal)
    • Fix file renaming check in optimization using opa build (authored by @​davidmarne-wf)
    • The allow_net capability was added, allowing setting limits on what hosts can be reached in built-ins like http.send and net.lookup_ip_addr (#3665)

    Server

    • A new credential provider for AWS credential files was added (#2786 reported by @​rgueldem)
    • The new --tls-cert-refresh-period flag can now be provided to opa run. If used with a positive duration, such as "5m" (5 minutes), "24h", etc, the server will track the certificate and key files' contents. When their content changes, the certificates will be reloaded (#2500 reported by @​patoarvizu)
    • A new v1/status endpoint was added, providing the same data as the status plugin would send to a remote endpoint (#4089)
    • The HTTP router of OPA is now exposed to the plugin manager (#2777 authored by @​bhoriuchi reported by @​mneil)
    • Calling print now works in decision masking policies
    • An unintended switch between long/regular polling on 304 HTTP status was fixed (#3923 authored by @​floriangasc)
    • The error message about prohibited config in the discovery plugin has been improved
    • The discovery plugin no longer panics in Trigger() if downloader is nil
    • The bundle plugin now ignores service errors for file:// resources
    • The bundle plugin file loader was updated to support directories
    • A timer to HTTP request was added to the downloader
    • The requested_by field in the logging plugin is now optional

    Rego

    • The error message raised when using - with a number and a set is now more specific (as opposed to the correct usage with two sets, or two numbers) (#1643)

    • Fixed an edge case when using print and arrays in unification (#4078)

    • Improved performance of some array operations by caching an array's groundness bit (#3679)

    • ⚠️ Stricter check of arity in undefined function stage (#4054). This change will fail evaluation in some unusual cases where it previously would succeed, but these policies should be very uncommon.

      An example policy that previously would succeed but no longer will (wrong arity):

    ... (truncated)

    Commits
    • c2b2c62 Prepare v0.36.0 release (#4178)
    • 0ddf1db Add Open Service Mesh to ecosystem (#4171)
    • 06664d0 ci: Update golangci-lint to v1.43.0 (#4173)
    • 31422b4 wasm: Update generated binaries
    • 6f81c4a Add array.reverse(array) and strings.reverse(string) built-in functions. ...
    • 328ffcd docs/website add blog links for apisix blog (#4168)
    • 48b8be3 Check PR for mistakes in ecosystem page change (#4164)
    • 83eaed4 docs: Update terraform tutorial to use opa exec
    • 55b053b cmd/exec: Add new exec subcommand
    • a1aba34 plugins/bundle: update file loader to support directories
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Bump tailscale.com from 1.6.0 to 1.18.2

    Bumps tailscale.com from 1.6.0 to 1.18.2.

    Release notes

    Sourced from tailscale.com's releases.

    1.18.2

    Bugfixes

    All Platforms

    • make exit node selection take effect (almost) immediately
    • permit protocols other than TCP+UDP if ACL allows *

    Linux

    • in DNS DirectManager, allow comments at the end of a line
    • don't get stuck waiting for systemd-resolved if we mis-estimated the DNS manager

    Synology

    • fix receiving taildrop files

    v1.18.1

    • Linux-only release to fix some regressions on some kernel configs related to our direct use of netlink rather than using the ip command to program routes and policy routing.

    1.18.0

    Platform independent

    • Improve UPnP discovery; eero devices now work, allowing a port to be opened for direct connections (also in 1.16.2)
    • If unable to upload telemetry, limit amount buffered to 50MB
    • Retry more transient DNS errors, instead of passing the failure back to the client
    • fix state machine transition regarding expired key extension
    • the tailscaled debug server now exports Prometheus metrics at /debug/metrics

    Linux

    • Support storing Tailscale state using AWS SSM (ex: tailscaled -state arn:aws:ssm:eu-west-1:123456789:parameter/foo) (thank you Maxime VISONNEAU)
    • use AF_NETLINK messages to configure IP, not the ip command. Set TS_DEBUG_USE_IP_COMMAND environment variable to revert to use of /sbin/ip if this breaks your device.
    • if resolvconf wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not resolvconf
    • if NetworkManager wrote /etc/resolv.conf but pointed it to systemd-resolved, use systemd-resolved for DNS not NetworkManager
    • handle /etc/resolv.conf being a bind mount into a container, such that we cannot rename() it.
    • work around Ubuntu 18.04 setLinkDomain length limit by omitting reverse lookup information
    • make /etc/resolv.conf parse to the end of the comment section, not use the first match it finds

    iOS

    • on iOS 15+, where Network Extensions have more memory available, allow the same number of DNS-over-HTTPS requests in flight as other platforms

    Synology

    • only use AmbientCaps on DSM7+
    • add an exit node enable checkbox in the web login form

    1.16.2

    • Fix UPnP discovery for certain Wi-Fi routers, notably eero tailscale/tailscale#3197
    • Limit log buffer size on disk, for example if uploads are blocked

    1.16.1

    General improvements

    • Resolve connectivity issue where a DISCO key was assumed to map to one node when in reality it could be any of several nodes.

    Platform specific

    ... (truncated)

    Commits
    • b04815c VERSION.txt: this is v1.18.2
    • e67182d cmd/tailscaled: fix windows logtail integration
    • d4fd80c net/tshttpproxy: use correct size for Windows BOOL argument
    • 71be839 net/portmapper: improve handling of UPnP parse errors
    • 3221078 net/dns: fix checking for wrapped error when attempting to read wsl.conf for ...
    • 3d99375 cmd/tailscale: clarify which prefless flags don't need revert protection
    • 972bccc wgengine/filter: let unknown IPProto match if IP okay & match allows all ports
    • 6c44133 ipn/{ipnserver,ipnlocal}: support incoming Taildrop on Synology
    • 2d64046 net/dns: bound how long we block looking for, restarting systemd-resolved
    • 7d6407a wgengine/router{windows}: return the output from the firewallTweaker
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Bump github.com/authzed/spicedb from 1.1.0 to 1.4.0

    Bumps github.com/authzed/spicedb from 1.1.0 to 1.4.0.

    Release notes

    Sourced from github.com/authzed/spicedb's releases.

    v1.4.0

    Changelog

    NOTE: This change includes a security fix for a vulnerability introduced in v1.3.0. All users of v1.3.0 should update to this version. See the security advisory for more information.

    Full Changelog: https://github.com/authzed/spicedb/compare/v1.3.0...v1.4.0

    What's Changed

    Docker Images

    This release is available at quay.io/authzed/spicedb:v1.4.0 and ghcr.io/authzed/spicedb:v1.4.0

    v1.3.0

    WARNING: This release contains a security issue as described in the security advisory. All users are requested to update to at least version v1.4.0 to remediate.

    Feature Highlights

    • Namespaces are now versioned internally, guaranteeing consistency during schema upgrades
    • A wildcard can be specified to allow any object to have a relationship

    What's Changed

    ... (truncated)

    Commits
    • d1b6877 Merge pull request #374 from josephschorr/fix-formatting
    • 883fc2c Fixes for lint issues
    • 15bba2e Merge pull request from GHSA-7p8f-8hjm-wm92
    • 635b575 Update tooling and testing to properly handle wildcards
    • ae5d23b Update membershipset to handle wildcards
    • d1c7514 SECURITY FIX: Ensure wildcard is properly handled in Lookup
    • 62e88f2 Update UserSet to a SubjectSet that can handle wildcards
    • d002401 Merge pull request #371 from ecordell/3char
    • 0b0c9ce remove unused validation package
    • 2f1948c bump authzed-go to 0.4.1
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Bump github.com/cockroachdb/cockroach from 20.1.13+incompatible to 20.1.17+incompatible

    Bumps github.com/cockroachdb/cockroach from 20.1.13+incompatible to 20.1.17+incompatible.

    Commits
    • 9a63e29 Merge pull request #64952 from rafiss/release-20.1
    • c4aec65 Merge pull request #64126 from koorosh/backport20.1-56591
    • 885f9f4 ui: fix Overview screen in OSS builds
    • 006a72f roachtest: disable pgx test
    • 3ae6b59 Merge pull request #64604 from erikgrinaker/backport20.1-64471
    • 733ad65 kvserver: synchronize replica removal with read-write requests
    • 1a0b6fa Merge pull request #64568 from nvanbenschoten/backport20.1-56860
    • ae2ef96 Merge pull request #64498 from jbowens/jackson/release-20.1-sync
    • 145b011 kv: prioritize NodeLiveness Range in Raft scheduler
    • e1c93b1 kv: cap COCKROACH_SCHEDULER_CONCURRENCY at 96
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Add experimental postgres importer

    This PR adds an experimental postgres import command: zed experiment postgres import

    zed experiment postgres import will connect to postgres, generate an example zed schema and a config file that maps postgresql data into SpiceDB, and then attempt to sync that data into SpiceDB as relationships.

    By default, it will dry-run to show you what would be synced.

    It can also be run as two stages: one to generate an example schema and config, and one to actually import relationships based on that config.

    Self-Driving

    This is good for getting some real data into SpiceDB for testing purposes. The importer reads the schema of the PostgreSQL database and makes a best-effort mapping config based on foreign-key relationships. For simple schemas, this may be all you need.

    $ zed experiment postgres import --dry-run=false "postgres://postgres:[email protected]:5432/mydb?sslmode=disable"
    
    • Prints out a zed schema + a config mapping from PostgreSQL to SpiceDB
    • Appends the generated zed schema to SpiceDB's schema
    • Mirrors all relationships into SpiceDB according to that config

    Dry-Run

    Without any flags specified, the import will be a dry-run. It will print the generated SpiceDB schema and mapping to stdout, and will log relationships that would have been written to SpiceDB to stderr.

    This can be a good place to start for writing your own config file.

    $ zed experiment postgres import "postgres://postgres:[email protected]:5432/mydb?sslmode=disable" > config.yaml
    
    • Prints out a zed schema + a config mapping from PostgreSQL to SpiceDB
    • Logs relationships that would have been written to SpiceDB

    Custom Config

    You might want to write your own importer config if:

    • You have a complex schema that the importer doesn't generate a good mapping for
    • You want to generate relationships that differ from the foreign key relationships in PostgreSQL (i.e. if you have a join table)
    • You want to generate relationships that don't correspond to foreign key constraints at all
    • You want to change the generated object type and relationship names

    You can tell the importer exactly how to map rows from PostgreSQL into relationships in SpiceDB. Running the importer first as a dry-run is a good way to get an example config for your database.

    $ zed experiment postgres import --config=config.yaml --append-schema=false "postgres://postgres:[email protected]:5432/mydb?sslmode=disable"
    
    • Uses the provided config.yaml to write relationships into SpiceDB
    • If the required schema is already in SpiceDB, skip appending it with --append-schema=false

    Example config.yaml

    schema: |2
      definition customer {}
    
      definition contact {
          relation customer: customer
      }
    
      definition article {
          relation tags: tags
      }
    
      definition tags {
          relation article: article
      }
    tables:
    # for each row in the contacts table
    - name: contacts
      relationships:
      # generate a relationship contact:<contact_id>#customer@customer:<customer_id>_<customer_name>
      - resource_type: contact
        resource_id_cols:
        - contact_id
        relation: customer
        subject_type: customer
        subject_id_cols:
        - customer_id
        - customer_name
    # for each row in the article_tag table (a join table from articles <-> tags)
    - name: article_tag
      relationships:
      # generate a relationship article:<article_id>#tags@tags:<tag_id>
      - resource_type: article
        resource_id_cols:
        - article_id
        relation: tags
        subject_type: tags
        subject_id_cols:
        - tag_id
      # generate a second relationship tags:<tag_id>#article@article:<article_id>
      - resource_type: tags
        resource_id_cols:
        - tag_id
        relation: article
        subject_type: article
        subject_id_cols:
        - article_id
    

    See connector-postgresql for more details.

    area/CLI priority/4 maybe 
    opened by ecordell 2
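The mapping rules in the example config.yaml above, worked through in Go as an added example (not code from zed or connector-postgresql). It assumes multi-column ids are joined with a plain `_`, as the config comment `<customer_id>_<customer_name>` suggests; the type names, function names and sample rows are constructed for illustration. It also flags the case where two different column tuples collapse into the same object id, which would make distinct customers indistinguishable in permission checks.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// RelMapping mirrors one entry under `relationships:` in the config.yaml above.
type RelMapping struct {
	ResourceType   string
	ResourceIDCols []string
	Relation       string
	SubjectType    string
	SubjectIDCols  []string
}

// Row is one PostgreSQL row as column name -> text value.
type Row map[string]string

// Mappings copied from the example config (contacts table and article_tag join table).
var (
	ContactCustomer = RelMapping{"contact", []string{"contact_id"}, "customer", "customer", []string{"customer_id", "customer_name"}}
	ArticleTags     = RelMapping{"article", []string{"article_id"}, "tags", "tags", []string{"tag_id"}}
	TagsArticle     = RelMapping{"tags", []string{"tag_id"}, "article", "article", []string{"article_id"}}
)

// SampleContacts is constructed data: rows 1 and 2 belong to different
// customers whose (customer_id, customer_name) pairs join to the same string.
var SampleContacts = []Row{
	{"contact_id": "1", "customer_id": "eu", "customer_name": "7_acme"},
	{"contact_id": "2", "customer_id": "eu_7", "customer_name": "acme"},
	{"contact_id": "3", "customer_id": "us", "customer_name": "globex"},
}

// joinID builds an object id from the listed columns, joined with "_"
// (assumed join rule, taken from the comment in the config).
func joinID(row Row, cols []string) (string, error) {
	parts := make([]string, 0, len(cols))
	for _, c := range cols {
		v, ok := row[c]
		if !ok || v == "" {
			return "", fmt.Errorf("column %q missing or empty", c)
		}
		parts = append(parts, v)
	}
	return strings.Join(parts, "_"), nil
}

// Relationship renders <resource_type>:<id>#<relation>@<subject_type>:<id> for one row.
func Relationship(m RelMapping, row Row) (string, error) {
	rid, err := joinID(row, m.ResourceIDCols)
	if err != nil {
		return "", fmt.Errorf("resource id: %w", err)
	}
	sid, err := joinID(row, m.SubjectIDCols)
	if err != nil {
		return "", fmt.Errorf("subject id: %w", err)
	}
	return fmt.Sprintf("%s:%s#%s@%s:%s", m.ResourceType, rid, m.Relation, m.SubjectType, sid), nil
}

// AmbiguousIDs returns every joined id that is produced by more than one
// distinct tuple of column values, sorted. Rows with missing columns are skipped.
func AmbiguousIDs(rows []Row, cols []string) []string {
	tuplesByID := map[string]map[string]bool{}
	for _, r := range rows {
		id, err := joinID(r, cols)
		if err != nil {
			continue
		}
		vals := make([]string, len(cols))
		for i, c := range cols {
			vals[i] = r[c]
		}
		if tuplesByID[id] == nil {
			tuplesByID[id] = map[string]bool{}
		}
		// NUL cannot occur in PostgreSQL text, so it is a safe tuple separator.
		tuplesByID[id][strings.Join(vals, "\x00")] = true
	}
	var out []string
	for id, tuples := range tuplesByID {
		if len(tuples) > 1 {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, row := range SampleContacts {
		rel, err := Relationship(ContactCustomer, row)
		fmt.Println(rel, err)
	}
	// One join-table row yields a relationship in each direction.
	joinRow := Row{"article_id": "10", "tag_id": "3"}
	for _, m := range []RelMapping{ArticleTags, TagsArticle} {
		rel, err := Relationship(m, joinRow)
		fmt.Println(rel, err)
	}
	fmt.Println("ambiguous subject ids:", AmbiguousIDs(SampleContacts, ContactCustomer.SubjectIDCols))
}
```

Running a check like `AmbiguousIDs` against the dry-run output before importing with `--config` shows whether a composite id needs a different column choice.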
  • build(deps): bump github.com/jzelinskie/cobrautil from 0.0.10 to 0.0.12

    Bumps github.com/jzelinskie/cobrautil from 0.0.10 to 0.0.12.

    Release notes

    Sourced from github.com/jzelinskie/cobrautil's releases.

    v0.0.12

    No release notes provided.

    v0.0.11

    What's Changed

    Full Changelog: https://github.com/jzelinskie/cobrautil/compare/v0.0.10...v0.0.11

    Commits
    • e0dedbe Merge pull request #11 from jzelinskie/gitversion
    • 0eaafb6 version: use buildinfo vcs revision
    • 33f7632 Merge pull request #10 from jzelinskie/allowempty
    • 7489441 allow for empty env vars
    • ec5ba7d Merge pull request #9 from cjs/fix-error-check
    • a6cae92 fix inverted error check
    • f164bfe .github: init workflows
    • 1025940 Merge pull request #8 from cjs/use-envars-otel-resource
    • 1aa4975 nit: cleanup blank line
    • b9a185a propagate err from resource creation
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0

    Bumps google.golang.org/grpc from 1.45.0 to 1.46.0.

    Release notes

    Sourced from google.golang.org/grpc's releases.

    Release 1.46.0

    New Features

    • server: Support setting TCP_USER_TIMEOUT on grpc.Server connections using keepalive.ServerParameters.Time (#5219)
    • client: perform graceful switching of LB policies in the ClientConn by default (#5285)
    • all: improve logging by including channelz identifier in log messages (#5192)

    API Changes

    • grpc: delete WithBalancerName() API, deprecated over 4 years ago in #1697 (#5232)
    • balancer: change BuildOptions.ChannelzParentID to an opaque identifier instead of int (#5192)
      • Note: the balancer package is labeled as EXPERIMENTAL, and we don't believe users were using this field.

    Behavior Changes

    • client: change connectivity state to TransientFailure in pick_first LB policy when all addresses are removed (#5274)
      • This is a minor change that brings grpc-go's behavior in line with the intended behavior and how C and Java behave.
    • metadata: add client-side validation of HTTP-invalid metadata before attempting to send (#4886)

    Bug Fixes

    • metadata: make a copy of the value slices in FromContext() functions so that modifications won't be made to the original copy (#5267)
    • client: handle invalid service configs by applying the default, if applicable (#5238)
    • xds: the xds client will now apply a 1 second backoff before recreating ADS or LRS streams (#5280)

    Dependencies

    Commits
    • e8d06c5 Change version to 1.46.0 (#5296)
    • efbd542 gcp/observability: correctly test this module in presubmit tests (#5300) (#5307)
    • 4467a29 gcp/observability: implement logging via binarylog (#5196)
    • 18fdf54 cmd/protoc-gen-go-grpc: allow hooks to modify client structs and service hand...
    • 337b815 interop: build client without timeout; add logs to help debug failures (#5294)
    • e583b19 xds: Add RLS in xDS e2e test (#5281)
    • 0066bf6 grpc: perform graceful switching of LB policies in the ClientConn by defaul...
    • 3cccf6a xdsclient: always backoff between new streams even after successful stream (#...
    • 4e78093 xds: ignore routes with unsupported cluster specifiers (#5269)
    • 99aae34 cluster manager: Add Graceful Switch functionality to Cluster Manager (#5265)
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 1
  • build(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.39.0

    Bumps github.com/open-policy-agent/opa from 0.36.1 to 0.39.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.39.0

    This release contains a number of fixes and enhancements.

    Disk Storage

    The on-disk storage backend has been fully integrated with the OPA server, and can now be enabled via configuration:

    storage:
      disk:
        directory: /var/opa # put data here
        auto_create: true   # create directory if it doesn't exist
        partitions:         # partitioning is important for data storage,
        - /users/*          # please see the documentation
    

    It is intended to enable the use of OPA in scenarios where the data needed for policy evaluation exceeds the available memory.

    The on-disk contents will persist among restarts, but should not be used as a single source of truth: there are no backup mechanisms, and certain data partitioning changes will require a start-over. These are things that may get improved in the future.

    For all the details, please refer to the configuration and detailed Disk Storage section of the documentation.

    Tooling, SDK, and Runtime

    • Server: Add warning when input attribute is missing in POST /v1/data API (#4386) authored by @​aflmp
    • SDK: Support partial evaluation (#4240), authored by @​kroekle; with a fix to avoid using different state (authored by @​Iceber)
    • Runtime: Suppress payloads in debug logs for handlers that compress responses (/metrics and /debug/pprof) (authored by @​christian1607)
    • opa test: Add file path to failing tests to make debugging failing tests easier (#4457), authored by @​liamg
    • opa fmt: avoid whitespace mixed with tabs on with statements (#4376) reported by @​tiwood
    • Coverage reporting: Remove duplicates from coverage report (#4393) reported by @​gianna7wu
    • Plugins: Fix broken retry logic in decision logs plugin (#4486) reported by @​iamatwork
    • Plugins: Update regular polling fallback mechanism for downloader
    • Plugins: Support for adding custom parameters and headers for OAuth2 Client Credentials Token request (authored by @​srlk)
    • Plugins: Log message on unexpected bundle content type (#4278)
    • Plugins: Mask Authorization header value in debug logs (#4495)
    • Docker images: Use GID 1000 in -rootless images (#4380); also warn when using UID/GID 0.
    • Runtime: change processed file event log level to info

    Rego and Topdown

    • Type checker: Skip pattern JSON Schema attribute compilation (#4426): These are not supported, but could have caused the parsing of a JSON Schema document to fail.
    • Topdown: Copy without modifying expr, fixing a bug that could occur when running multiple partial evaluation requests concurrently.
    • Compiler strict mode: Raise error on unused imports (#4354) authored by @​damienjburks

    ... (truncated)

    dependencies 
    opened by dependabot[bot] 1
  • build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1

    Bumps github.com/stretchr/testify from 1.7.0 to 1.7.1.

    Commits
    • 083ff1c Fixed didPanic to now detect panic(nil).
    • 1e36bfe Use cross Go version compatible build tag syntax
    • e798dc2 Add docs on 1.17 build tags
    • 83198c2 assert: guard CanConvert call in backward compatible wrapper
    • 087b655 assert: allow comparing time.Time
    • 7bcf74e fix msgAndArgs forwarding
    • c29de71 add tests for correct msgAndArgs forwarding
    • f87e2b2 Update builds
    • ab6dc32 fix linting errors in /assert package
    • edff5a0 fix funtion name
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 1
  • build(deps): bump google.golang.org/grpc from 1.45.0 to 1.47.0

    Bumps google.golang.org/grpc from 1.45.0 to 1.47.0.

    Release notes

    Sourced from google.golang.org/grpc's releases.

    Release 1.47.0

    New Features

    • xds: add support for RBAC metadata invert matchers (#5345)

    Bug Fixes

    • client: fix a context leaked if a connection to an address is lost before it is fully established (#5337)
    • client: fix potential panic during RPC retries (#5323)
    • xds/client: fix a potential concurrent map read/write in load reporting (#5331)
    • client/SubConn: do not recreate addrConn if UpdateAddresses is called with the same addresses (#5373)
    • xds/eds: resources containing duplicate localities with the same priority will be rejected (#5303)
    • server: return Canceled or DeadlineExceeded status code when writing headers to a stream that is already closed (#5292)

    Behavior Changes

    • xds/priority: start the init timer when a child switches to Connecting from non-failure states (#5334)
    • server: respond with HTTP Status 405 and gRPC status INTERNAL if the method sent to server is not POST (#5364)

    Documentation

    • server: clarify documentation around setting and sending headers and ServerStream errors (#5302)

    Release v1.46.2

    Bug Fixes

    • client: fix potential panic during RPC retries (#5323)
    • xds: fix leak of deleted CDS resources from CSDS view (#5339)

    Release 1.46.0

    New Features

    • server: Support setting TCP_USER_TIMEOUT on grpc.Server connections using keepalive.ServerParameters.Time (#5219)
    • client: perform graceful switching of LB policies in the ClientConn by default (#5285)
    • all: improve logging by including channelz identifier in log messages (#5192)

    API Changes

    • grpc: delete WithBalancerName() API, deprecated over 4 years ago in #1697 (#5232)
    • balancer: change BuildOptions.ChannelzParentID to an opaque identifier instead of int (#5192)
      • Note: the balancer package is labeled as EXPERIMENTAL, and we don't believe users were using this field.

    Behavior Changes

    • client: change connectivity state to TransientFailure in pick_first LB policy when all addresses are removed (#5274)
      • This is a minor change that brings grpc-go's behavior in line with the intended behavior and how C and Java behave.
    • metadata: add client-side validation of HTTP-invalid metadata before attempting to send (#4886)

    ... (truncated)

    Commits
    • 5b509df Change version to 1.47.0 (#5377)
    • ed75225 Don't call cmp in non testing file (#5370)
    • 081c688 client: fix hctx leakage in addrConn.createTransport (#5337)
    • 30b9d59 client/SubConn: do not recreate addrConn if UpdateAddresses is called with th...
    • 459729d xds/priority: avoid sending duplicate updates to children (#5374)
    • 9f4b31a Added HTTP status and grpc status to POST check (#5364)
    • 333a441 xds/ringhash: update connectivity state aggregation, and make sure at least o...
    • e23132c Added support for metadata matcher invert (#5345)
    • d9b952b xds/resolver: use correct resource name in log message (#5357)
    • db79903 xds/priority: start the init timer when a child switch to Connecting from non...
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • `zed expand <...> --json` does not match the expected schema

    The JSON output of zed expand returns something like:

    {
      "expandedAt": {
        "token": "GgMKATY="
      },
      "treeRoot": {
        "expandedObject": {
          "objectId": "aae48b55-ad96-11eb-a562-06368a59bfb7",
          "objectType": "care_recipient"
        },
        "expandedRelation": "agency",
        "leaf": {}
      }
    }
    

    Whereas the API returns, for the same request:

    {
      "expandedAt": {
        "token": "GgMKATY="
      },
      "treeRoot": {
        "treeType": {
          "oneofKind": "leaf",
          "leaf": {
            "subjects": []
          }
        },
        "expandedRelation": "agency",
        "expandedObject": {
          "objectType": "care_recipient",
          "objectId": "aae48b55-ad96-11eb-a562-06368a59bfb7"
        }
      }
    }
    

    In the zed response, we do not have the treeType attribute

    area/CLI priority/2 medium kind/tech debt area/dependencies 
    opened by williamdclt 2
  • build(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.40.0

    Bumps github.com/open-policy-agent/opa from 0.36.1 to 0.40.0.

    Release notes

    Sourced from github.com/open-policy-agent/opa's releases.

    v0.40.0

    This release contains a number of fixes and enhancements.

    Metadata introspection

    The rich metadata added in the v0.38.0 release can now be introspected from the policies themselves!

    package example
    
    # METADATA
    # title: Edits by owner only
    # description: |
    #   Only the owner is allowed to edit their data.
    deny[{"allowed": false, "message": rego.metadata.rule().description}] {
        input.user != input.owner
    }

    This snippet will evaluate to

    [{
      "allowed": false,
      "message": "Only the owner is allowed to edit their data.\n"
    }]
    

    Both the rule's metadata can be accessed, via rego.metadata.rule(), and the entire chain of metadata attached to the rule via the various scopes that different metadata annotations can have, via rego.metadata.chain().

    All the details can be found in the documentation of these new built-in functions.

    Function mocking

    It is now possible to mock functions in tests! Both built-in and non-built-in functions can be mocked:

    package authz
    import data.jwks.cert
    import data.helpers.extract_token
    
    allow {
        [true, _, _] = io.jwt.decode_verify(extract_token(input.headers), {"cert": cert, "iss": "corp.issuer.com"})
    }
    
    test_allow {
        allow
            with input.headers as []
            with data.jwks.cert as "mock-cert"
            with io.jwt.decode_verify as [true, {}, {}] # mocked built-in
            with extract_token as "my-jwt"              # mocked non-built-in
    }

    For further information about policy testing with data and function mock, see the Policy Testing docs. All details about with can be found in its Policy Language section.

    ... (truncated)

    Commits
    • b3c8d80 Prepare v0.40.0 Release (#4631)
    • 39125a0 downloader: support for downloading bundles from an OCI registry (#4558)
    • 2f6b417 format: keep whitespaces for multiple indented same-line withs (#4635)
    • 7e50293 ast+topdown+planner: replacement of non-built-in functions via 'with' (#4616)
    • 02c1c1e bundle/status: Include bundle type in status information
    • 654b245 docs: update version in kubernetes examples (#4627)
    • 8e79fc9 build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (#4628)
    • 4154d99 Dockerfile: add source annotation (#4626)
    • b481f00 topdown/net: require prefix length for IPv6 in net.cidr_merge (#4613)
    • eb94b73 website: add playground button to navbar (#4622)
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump github.com/AlecAivazis/survey/v2 from 2.3.2 to 2.3.4

    Bumps github.com/AlecAivazis/survey/v2 from 2.3.2 to 2.3.4.

    Release notes

    Sourced from github.com/AlecAivazis/survey/v2's releases.

    v2.3.4

    What's Changed

    Full Changelog: https://github.com/AlecAivazis/survey/compare/v2.3.3...v2.3.4

    v2.3.3

    No release notes provided.

    Commits
    • 459523e Add terminal.Cursor error handling on Windows (#414)
    • 6cbb195 Fix Survey output on Windows (#413)
    • c07023a Skip vi-dependent tests when there is no vi in PATH (#397)
    • 099a968 Fix multiple validator inconsistency (#401)
    • 1b28f27 fix: ensure terminal has required read settings in non-canonical mode (#409)
    • bcabe24 Stricter error handling in tests (#404)
    • 3cabaff Drop proprietary runner dependency in favor of go tooling (#403)
    • a8912d0 fix: error message for MinItems validator (#389)
    • 13bc976 Reconfigure CI to test on all branches (#374)
    • 82fd306 :fire: Gopkg files (#376)
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump github.com/99designs/keyring from 1.1.6 to 1.2.1

    Bumps github.com/99designs/keyring from 1.1.6 to 1.2.1.

    Release notes

    Sourced from github.com/99designs/keyring's releases.

    v1.2.1

    Fixed

    • pass backend: use PASSWORD_STORE_DIR if set #104 #109
    • Fix tilde expansion #108 #110
    • Add golangci-lint and fix linting issues #111

    v1.2.0

    Fixed

    • wincred: Detect german error message on windows #79
    • secret service: using dashes in keys #82 #83
    • kwallet: empty wallet key error #87
    • build errors on Windows ARM64 #100 #101
    • pass: Expand dir path #86

    Added

    • Add Linux kernel keyring (keyctl) backend implementation #91
    Commits
    • 81fed19 Add tilde tests
    • a382f92 Merge pull request #111 from 99designs/add-golangci-lint
    • 859d578 Add golangci-lint and fix linting issues
    • 932029a Merge pull request #110 from 99designs/fix-tilde-handling
    • af41858 Fix tilde handling
    • ecf5c8e Merge pull request #109 from merrickluo/password-store-dir
    • e99e39c use PASSWORD_STORE_DIR if set
    • 7098185 Update README.md
    • b22ef9e Update deps
    • 2e56fec Merge pull request #86 from benjamb/benbrown/expand-paths
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
Releases(v0.4.4)
Owner
authzed
The platform to store, compute, and validate application permissions.
authzed
An open-source GitLab command line tool bringing GitLab's cool features to your command line

GLab is an open source GitLab CLI tool bringing GitLab to your terminal next to where you are already working with git and your code without switching

Clement Sam 2k Jun 25, 2022
textnote is a command line tool for quickly creating and managing daily plain text notes.

textnote is a command line tool for quickly creating and managing daily plain text notes. It is designed for ease of use to encourage the practice of daily, organized note taking. textnote intentionally facilitates only the management (creation, opening, organizing, and consolidated archiving) of notes, following the philosophy that notes are best written in a text editor and not via a CLI.

Daniel Kaslovsky 156 Jun 7, 2022
CraftTalk Command Line Tool helps with managing CraftTalk releases on baremetal instances

ctcli - CraftTalk Command Line Tool Commands help Shows help version Shows version init Initializes specified root directory as a ctcli dir. ctcli --r

CraftTalk 11 Jan 20, 2022
A twitch focused command line tool for producing, archiving and managing live stream content. Built for Linux.

twinx is a live-streaming command line tool for Linux. It connects streaming services (like Twitch, OBS and YouTube) together via a common title and description.

Kris Nóva 23 May 27, 2022
MyApps is a universal command line tool for managing manually installed applications.

MyApps MyApps is a universal command line tool for managing manually installed applications. Disclaimer I wrote this tool over two long nights while p

Piotr Icikowski 3 Jan 9, 2022
Command Line Tool for managing Apache Kafka

kafkactl A command-line interface for interaction with Apache Kafka | Features command auto-completion for bash, zsh, fish shell including dynamic com

Device Insight 417 Jun 27, 2022
e2d is a command-line tool for deploying and managing etcd clusters, both in the cloud or on bare-metal

e2d is a command-line tool for deploying and managing etcd clusters, both in the cloud or on bare-metal. It also includes e2db, an ORM-like abstraction for working with etcd.

Chris Marshall 1 Jan 31, 2022
Aces is a command line utility that lets you encode any file to a character set of your choice.

Aces Any Character Encoding Set Aces is a command line utility that lets you encode any file to a character set of your choice. For example, you could

Ishan Goel 10 Jan 2, 2022
Command-line utility for Postgres-compatible SCRAM-SHA-256 passwords

scram-password -- Command-line utility for Postgres-compatible SCRAM-SHA-256 passwords SCRAM-SHA-256 (see RFC-7677, Salted Challenge Response Authenti

Tv 1 Jan 21, 2022
A command line tool to prompt for a value to be included in another command line.

readval is a command line tool which is designed for one specific purpose—to prompt for a value to be included in another command line. readval prints

Venky 0 Dec 22, 2021
this service provides an API for publishing and managing your articles

REST API for publishing and working with Articles in Go. The following concepts are applied in this work: developing web applications in Go, following REST API design. Ра

astduman 0 Dec 15, 2021
Portal is a quick and easy command-line file transfer utility from any computer to another 🖥️ 🌌 💻

Portal is a quick and easy command-line file transfer utility from any computer to another 🖥️ 🌌 💻

Zino Kader 136 Jun 20, 2022
A CLI tool to find the absolute path of any folder in your local file system.

Table of Contents What is this? How to use this Examples of usage How to compile it What am I looking at It's a CLI tool that I made for finding the a

Benyakir Horowitz 0 Jan 15, 2022
Package command provide simple API to create modern command-line interface

Package command Package command provide simple API to create modern command-line interface, mainly for lightweight usage, inspired by cobra Usage pack

chenen 0 Jan 16, 2022
Watch your favourite anime using the video player of your choice directly from the command line

anime-cli Watch your favourite anime using the video player of your choice direc

Ruben Dewitte 4 Feb 10, 2022
Command Line Alias Manager and Plugin System - Written in Golang

aly - Command Line Alias Manager and Packager Aly offers the simplest way to manage, share, and obtain command line aliases! Warning: This project is

Max Bridgland 21 Jun 16, 2022
🖼️ A command-line system information tool written in bash 3.2+

A command-line system information tool written in bash 3.2+ Neofetch is a command-line system information tool written in bash 3.2+. Neofetch displays

dylan 15.4k Jun 26, 2022
Gofetch is a pretty command-line "Go and System information" tool written in Go

GoFetch Show off your Go information with this cool command-line tool! Report Bug || Request Feature Table of Contents About the Project Built With Ge

null 75 May 31, 2022
Go package to make lightweight ASCII line graph ╭┈╯ in command line apps with no other dependencies.

asciigraph Go package to make lightweight ASCII line graphs ╭┈╯. Installation go get github.com/guptarohit/asciigraph Usage Basic graph package main

Rohit Gupta 2k Jun 23, 2022