aserto-dev
diff --git a/‎.envrc‎
Lines changed: 0 additions & 1 deletion b/‎.envrc‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎.github/workflows/build.yaml‎
Lines changed: 18 additions & 57 deletions b/‎.github/workflows/build.yaml‎
Lines changed: 18 additions & 57 deletions
diff --git a/‎.github/workflows/gitleaks-check.yml‎
Lines changed: 0 additions & 13 deletions b/‎.github/workflows/gitleaks-check.yml‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎.github/workflows/gitleaks.yml‎
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/gitleaks.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎buf.yaml‎
Lines changed: 1 addition & 1 deletion b/‎buf.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎makefile‎
Lines changed: 50 additions & 84 deletions b/‎makefile‎
Lines changed: 50 additions & 84 deletions
diff --git a/‎proto/aserto/authorizer/v2/api/decision_logs.proto‎
Lines changed: 24 additions & 25 deletions b/‎proto/aserto/authorizer/v2/api/decision_logs.proto‎
Lines changed: 24 additions & 25 deletions
@@ -9,11 +9,17 @@ on:
     tags:
       - 'v*.*.*'
   pull_request:
+    types: [opened, synchronize, reopened, labeled, unlabeled]
     branches:
       - main
+  delete:
+
+permissions:
+  contents: read
+  pull-requests: write
+
 env:
-  VAULT_ADDR: https://vault.eng.aserto.com/
-  BUF_VERSION: "1.34.0"
+  BUF_VERSION: "1.61.0"
 
 jobs:
   build:
@@ -25,51 +31,13 @@ jobs:
         with:
           fetch-depth: 0
       -
-        name: Read Configuration
-        uses: hashicorp/vault-action@v3
-        id: vault
-        with:
-          url: ${{ env.VAULT_ADDR }}
-          token: ${{ secrets.VAULT_TOKEN }}
-          secrets: |
-            kv/data/github    "USERNAME"          | GH_USERNAME;
-            kv/data/github    "READ_WRITE_TOKEN"  | GH_TOKEN;
-            kv/data/buf.build "ASERTO_BUF_USER"   | ASERTO_BUF_USER;
-            kv/data/buf.build "ASERTO_BUF_TOKEN"  | ASERTO_BUF_TOKEN;
-      -
-        name: Install svu
-        run: |
-          echo 'deb [trusted=yes] https://apt.fury.io/caarlos0/ /' | sudo tee /etc/apt/sources.list.d/caarlos0.list
-          sudo apt update
-          sudo apt install svu
-          svu --version
-          svu
-      - 
-        name: Install buf
-        uses: bufbuild/buf-setup-action@v1
-        with:
-          version: ${{ env.BUF_VERSION }}
-          github_token: ${{ github.token }}
-          buf_user: ${{ steps.vault.outputs.ASERTO_BUF_USER }}
-          buf_api_token: ${{ steps.vault.outputs.ASERTO_BUF_TOKEN}}
-      - 
-        name: Buf Lint
-        uses: bufbuild/buf-lint-action@v1
-      - 
-        name: Buf Breaking
-        uses: bufbuild/buf-breaking-action@v1
-        with:
-          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main"
-      - 
         name: Buf Build
-        run: |
-          mkdir -p ./bin 
-          buf build --output ./bin/directory.bin
-      - 
-        name: Buf Push
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
-        run: |
-          buf push --label $(svu)
+        uses: bufbuild/buf-action@v1
+        with:
+          version:  ${{ env.BUF_VERSION }}
+          token: ${{ secrets.ASERTO_BUF_TOKEN}}
+          github_token: ${{ secrets.GITHUB_TOKEN}}
+          push_disable_create: true
 
   trigger-dispatches:
     runs-on: ubuntu-latest
@@ -80,27 +48,20 @@ jobs:
         cfg:
           - { project: go-authorizer }
           - { project: node-authorizer }
-          - { project: ruby-authorizer }
           - { project: dotnet-authorizer }
+          - { project: ruby-authorizer }
           - { project: python-authorizer }
           - { project: openapi-authorizer }
           - { project: java-authorizer }
 
     name: Generate on ${{ matrix.cfg.project }}
     steps:
-      -
-        name: Read Configuration
-        uses: hashicorp/vault-action@v3
-        id: vault
-        with:
-          url: ${{ env.VAULT_ADDR }}
-          token: ${{ secrets.VAULT_TOKEN }}
-          secrets: |
-            kv/data/github    "USERNAME"          | GH_USERNAME;
-            kv/data/github    "READ_WRITE_TOKEN"  | GH_TOKEN;
       -
         name: Trigger dispatch
         run: |
           curl -XPOST -u "${GH_USERNAME}:${GH_TOKEN}" \
           -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" \
           https://api.github.com/repos/aserto-dev/${{ matrix.cfg.project }}/actions/workflows/ci.yaml/dispatches --data '{"ref": "main", "inputs": {"proto_ref": "${{ github.ref }}", "proto_sha": "${{ github.sha }}" }}'
+        env:
+          GH_USERNAME: ${{ secrets.USERNAME }}
+          GH_TOKEN: $${{ secrets.READ_WRITE_TOKEN }}
@@ -0,0 +1,19 @@
+name: gitleaks
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * *" # run once a day at 4 AM
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -7,7 +7,7 @@ deps:
   - buf.build/grpc-ecosystem/grpc-gateway
 lint:
   use:
-    - DEFAULT
+    - STANDARD
   except:
     - FIELD_NOT_REQUIRED
     - PACKAGE_DIRECTORY_MATCH
 
@@ -1,50 +1,57 @@
-SHELL           := $(shell which bash)
-    
-NO_COLOR        := \033[0m
-OK_COLOR        := \033[32;01m
-ERR_COLOR       := \033[31;01m
-WARN_COLOR      := \033[36;01m
-ATTN_COLOR      := \033[33;01m
-
-GOOS            := $(shell go env GOOS)
-GOARCH          := $(shell go env GOARCH)
-GOPRIVATE       := "github.com/aserto-dev"
-
-BIN_DIR         := ./bin
-EXT_DIR         := ./.ext
-EXT_BIN_DIR     := ${EXT_DIR}/bin
-EXT_TMP_DIR     := ${EXT_DIR}/tmp
-
-VAULT_VERSION   := 1.8.12
-SVU_VERSION     := 1.12.0
-WIRE_VERSION    := 0.6.0
-BUF_VERSION     := 1.34.0
-
-PROJECT         := authorizer
-BUF_USER        := $(shell vault kv get -field ASERTO_BUF_USER kv/buf.build)
-BUF_TOKEN       := $(shell vault kv get -field ASERTO_BUF_TOKEN kv/buf.build)
-BUF_REPO        := "buf.build/aserto-dev/${PROJECT}"
-BUF_LATEST      := $(shell BUF_BETA_SUPPRESS_WARNINGS=1 ${EXT_BIN_DIR}/buf beta registry label list ${BUF_REPO} --format json --reverse | jq -r '.results[0].name')
-BUF_DEV_IMAGE   := "${PROJECT}.bin"
-PROTO_REPO      := "pb-${PROJECT}"
-
-GIT_ORG         := "https://github.com/aserto-dev"
-
-RELEASE_TAG     := $$(svu)
+SHELL              := $(shell which bash)
 
-.PHONY: deps
-deps: info install-vault install-buf install-svu
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
+NO_COLOR           := \033[0m
+OK_COLOR           := \033[32;01m
+ERR_COLOR          := \033[31;01m
+WARN_COLOR         := \033[36;01m
+ATTN_COLOR         := \033[33;01m
+
+GOOS               := $(shell go env GOOS)
+GOARCH             := $(shell go env GOARCH)
+GOPRIVATE          := "github.com/aserto-dev"
+
+BIN_DIR            := ${PWD}/bin
+EXT_DIR            := ${PWD}/.ext
+EXT_BIN_DIR        := ${EXT_DIR}/bin
+EXT_TMP_DIR        := ${EXT_DIR}/tmp
+
+SVU_VER            := 3.3.0
+BUF_VER            := 1.61.0
 
-.PHONY: vault-login
-vault-login:
+PROJECT            := authorizer
+BUF_REPO           := "buf.build/aserto-dev/${PROJECT}"
+BUF_LATEST         := $(shell ${EXT_BIN_DIR}/buf registry module label list ${BUF_REPO} --format json | jq -r '.labels[0].name')
+BUF_DEV_IMAGE      := "${PROJECT}.bin"
+PROTO_REPO         := "pb-${PROJECT}"
+GIT_ORG            := "https://github.com/aserto-dev"
+
+RELEASE_TAG        := $$(${EXT_BIN_DIR}/svu current)
+
+.DEFAULT_GOAL      := buf-build
+
+.PHONY: deps
+deps: info install-buf install-svu
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@vault login -method=github token=$$(gh auth token)
 
 .PHONY: buf-login
 buf-login:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@echo ${BUF_TOKEN} | ${EXT_BIN_DIR}/buf registry login --username ${BUF_USER} --token-stdin
+	@echo ${BUF_TOKEN} | ${EXT_BIN_DIR}/buf registry login --token-stdin
+
+.PHONY: buf-dep-update
+buf-dep-update:
+	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
+	@${EXT_BIN_DIR}/buf dep update
+
+.PHONY: buf-format
+buf-format:
+	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
+	@${EXT_BIN_DIR}/buf format -w proto
+
+.PHONY: buf-build
+buf-build: ${BIN_DIR}
+	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
+	@${EXT_BIN_DIR}/buf build --output ${BIN_DIR}/${BUF_DEV_IMAGE}
 
 .PHONY: buf-lint
 buf-lint:
@@ -56,31 +63,11 @@ buf-breaking:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@${EXT_BIN_DIR}/buf breaking --against "${GIT_ORG}/${PROTO_REPO}.git#branch=main"
 
-.PHONY: buf-build
-buf-build: ${BIN_DIR}
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@${EXT_BIN_DIR}/buf build --output ${BIN_DIR}/${BUF_DEV_IMAGE}
-
 .PHONY: buf-push
 buf-push:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@${EXT_BIN_DIR}/buf push --label ${RELEASE_TAG}
 
-.PHONY: buf-dep-update
-buf-dep-update:
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@${EXT_BIN_DIR}/buf dep update
-
-.PHONY: buf-generate
-buf-generate:
-	@echo -e "$(ATTN_COLOR)==> $@ ${BUF_REPO}:${BUF_LATEST}$(NO_COLOR)"
-	@${EXT_BIN_DIR}/buf generate ${BUF_REPO}:${BUF_LATEST}
-
-.PHONY: buf-generate-dev
-buf-generate-dev:
-	@echo -e "$(ATTN_COLOR)==> $@ ../${PROTO_REPO}/bin/${BUF_DEV_IMAGE}$(NO_COLOR)"
-	@${EXT_BIN_DIR}/buf generate "../${PROTO_REPO}/bin/${BUF_DEV_IMAGE}"
-
 .PHONY: info
 info:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
@@ -97,39 +84,18 @@ info:
 	@echo "BUF_DEV_IMAGE: ${BUF_DEV_IMAGE}"
 	@echo "PROTO_REPO:    ${PROTO_REPO}"
 
-.PHONY: install-vault
-install-vault: ${EXT_BIN_DIR} ${EXT_TMP_DIR}
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@curl -s -o ${EXT_TMP_DIR}/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_${GOOS}_${GOARCH}.zip
-	@unzip -o ${EXT_TMP_DIR}/vault.zip vault -d ${EXT_BIN_DIR}/  &> /dev/null
-	@chmod +x ${EXT_BIN_DIR}/vault
-	@${EXT_BIN_DIR}/vault --version 
-
 .PHONY: install-buf
 install-buf: ${EXT_BIN_DIR}
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@gh release download v${BUF_VERSION} --repo https://github.com/bufbuild/buf --pattern "buf-$$(uname -s)-$$(uname -m)" --output "${EXT_BIN_DIR}/buf" --clobber
-	@chmod +x ${EXT_BIN_DIR}/buf
+	@GOBIN=${EXT_BIN_DIR} go install github.com/bufbuild/buf/cmd/buf@v${BUF_VER}
 	@${EXT_BIN_DIR}/buf --version
 
 .PHONY: install-svu
-install-svu: install-svu-${GOOS}
+install-svu: ${EXT_BIN_DIR}
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@chmod +x ${EXT_BIN_DIR}/svu
+	@GOBIN=${EXT_BIN_DIR} go install github.com/caarlos0/svu/v3@v${SVU_VER}
 	@${EXT_BIN_DIR}/svu --version
 
-.PHONY: install-svu-darwin
-install-svu-darwin: ${EXT_TMP_DIR} ${EXT_BIN_DIR}
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@gh release download --repo https://github.com/caarlos0/svu --pattern "svu_*_darwin_all.tar.gz" --output "${EXT_TMP_DIR}/svu.tar.gz" --clobber
-	@tar -xvf ${EXT_TMP_DIR}/svu.tar.gz --directory ${EXT_BIN_DIR} svu &> /dev/null
-
-.PHONY: install-svu-linux
-install-svu-linux: ${EXT_TMP_DIR} ${EXT_BIN_DIR}
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@gh release download --repo https://github.com/caarlos0/svu --pattern "svu_*_linux_${GOARCH}.tar.gz" --output "${EXT_TMP_DIR}/svu.tar.gz" --clobber
-	@tar -xvf ${EXT_TMP_DIR}/svu.tar.gz --directory ${EXT_BIN_DIR} svu &> /dev/null
-
 .PHONY: clean
 clean:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 
@@ -1,43 +1,42 @@
 syntax = "proto3";
 
-option go_package = "github.com/aserto-dev/go-authorizer/aserto/authorizer/v2/api;api"; 
-option csharp_namespace = "Aserto.Authorizer.V2.API";
-
 package aserto.authorizer.v2.api;
 
+import "aserto/authorizer/v2/api/identity_context.proto";
+import "aserto/authorizer/v2/api/policy_context.proto";
+import "aserto/authorizer/v2/api/policy_instance.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
 
-import "aserto/authorizer/v2/api/policy_context.proto";
-import "aserto/authorizer/v2/api/identity_context.proto";
-import "aserto/authorizer/v2/api/policy_instance.proto";
+option csharp_namespace = "Aserto.Authorizer.V2.API";
+option go_package = "github.com/aserto-dev/go-authorizer/aserto/authorizer/v2/api;api";
 
 // represents a decision that an authorizer performed in the past
 message Decision {
-    string id                           = 1;    // unique id, replay a decision starting with this, also useful to de-dup
-    google.protobuf.Timestamp timestamp = 2;    // UTC time when the decision was made
-    string path                         = 3;    // Policy path used in decision
-    DecisionUser user                   = 4;    // info about user for whom the decision as made
-    DecisionPolicy policy               = 5;    // info about policy used for the decision    
-    map<string, bool> outcomes          = 6;    // outcome of the decisions specified in the policy context
-    google.protobuf.Struct resource     = 7;    // the resource context used in a decision
-    map<string, string> annotations     = 8;    // annotations that may be added to a decision    
-    optional string tenant_id           = 9;    // id of the tenant that generated the decision
+  string id = 1; // unique id, replay a decision starting with this, also useful to de-dup
+  google.protobuf.Timestamp timestamp = 2; // UTC time when the decision was made
+  string path = 3; // Policy path used in decision
+  DecisionUser user = 4; // info about user for whom the decision as made
+  DecisionPolicy policy = 5; // info about policy used for the decision
+  map<string, bool> outcomes = 6; // outcome of the decisions specified in the policy context
+  google.protobuf.Struct resource = 7; // the resource context used in a decision
+  map<string, string> annotations = 8; // annotations that may be added to a decision
+  optional string tenant_id = 9; // id of the tenant that generated the decision
 }
 
 // information about a user on behalf of whom a decision was made
-message DecisionUser {    
-    aserto.authorizer.v2.api.IdentityContext context = 1;    // identity context used in the decision
-    string id                                        = 2;    // id of the user the identity resolved to    
-    string email                                     = 3;    // convinience human-readable identifier
+message DecisionUser {
+  aserto.authorizer.v2.api.IdentityContext context = 1; // identity context used in the decision
+  string id = 2; // id of the user the identity resolved to
+  string email = 3; // convinience human-readable identifier
 }
 
 // information about a policy used in a decision
 message DecisionPolicy {
-    aserto.authorizer.v2.api.PolicyContext  context          = 1;    // policy context used in the decision
-    string                                  registry_service = 2;    // registry service where policy was retrieved from (e.g. opcr.io)
-    string                                  registry_image   = 3;    // image of the policy in the registry, including org (e.g. acmecorp/peoplefinder-abac)
-    string                                  registry_tag     = 4;    // tag of the policy image (e.g. 0.8.2 or latest)
-    string                                  registry_digest  = 5;    // digest of the policy image 
-    aserto.authorizer.v2.api.PolicyInstance policy_instance  = 6;    // policy instance used in decision
+  aserto.authorizer.v2.api.PolicyContext context = 1; // policy context used in the decision
+  string registry_service = 2; // registry service where policy was retrieved from (e.g. opcr.io)
+  string registry_image = 3; // image of the policy in the registry, including org (e.g. acmecorp/peoplefinder-abac)
+  string registry_tag = 4; // tag of the policy image (e.g. 0.8.2 or latest)
+  string registry_digest = 5; // digest of the policy image
+  aserto.authorizer.v2.api.PolicyInstance policy_instance = 6; // policy instance used in decision
 }