feat: move permissions to shared, a new token proto (#192)

momentohq · Aug 18, 2023 · ce843d6 · ce843d6
1 parent 36e897d
commit ce843d6
Show file tree

Hide file tree

Showing 13 changed files with 193 additions and 101 deletions.
diff --git a/javascript-web/generate_protos.sh b/javascript-web/generate_protos.sh
@@ -65,7 +65,7 @@ mkdir $out
 # So we do a terrible hack to comment out the package declaration before generating the JS types,
 # but add them back before generating the GRPC web bindings
 
-proto_file_list=" extensions.proto cacheclient.proto controlclient.proto auth.proto cacheping.proto cachepubsub.proto vectorindex.proto "
+proto_file_list=" permissions.proto extensions.proto cacheclient.proto controlclient.proto auth.proto cacheping.proto cachepubsub.proto vectorindex.proto token.proto "
 
 echo "Backing up protos dir"
 cp -r ../proto ../proto.bak
@@ -74,6 +74,7 @@ echo "Commenting out package declarations"
 for f in $proto_file_list
 do
   $sed_command 's/^\s*package \(.*\)/\/\/package \1/g' ../proto/${f}
+  $sed_command 's/permissions.Permissions/Permissions/g' ../proto/${f}
 done
 
 protoc -I=../proto -I=/usr/local/include \

diff --git a/javascript-web/index.ts b/javascript-web/index.ts
@@ -1,4 +1,5 @@
 export * as cache from './CacheclientServiceClientPb'
 export * as control from './ControlclientServiceClientPb'
 export * as auth from './AuthServiceClientPb'
+export * as token from './TokenServiceClientPb'
 export * as ping from './CachepingServiceClientPb'
diff --git a/javascript-web/package-lock.json b/javascript-web/package-lock.json
diff --git a/javascript-web/package.json b/javascript-web/package.json
@@ -17,10 +17,13 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@tsconfig/node16": "1.0.2",
+    "@types/google-protobuf": "^3.15.6",
     "@types/node": "16.10.3",
-    "typescript": "4.4.3"
+    "google-protobuf": "3.21.2",
+    "typescript": "^4.9.5"
   },
   "dependencies": {
+    "google-protobuf": "3.21.2",
     "grpc-web": "1.4.2"
   },
   "files": [

diff --git a/javascript/generate_protos.sh b/javascript/generate_protos.sh
@@ -2,4 +2,4 @@
 set -e
 set -x
 
-PATH=node_modules/protoc-gen-ts/bin/:$PATH protoc -I=../proto -I=/usr/local/include --ts_out=src cacheclient.proto controlclient.proto cachepubsub.proto auth.proto cacheping.proto vectorindex.proto
+PATH=node_modules/protoc-gen-ts/bin/:$PATH protoc -I=../proto -I=/usr/local/include --ts_out=src permissions.proto cacheclient.proto controlclient.proto cachepubsub.proto auth.proto cacheping.proto vectorindex.proto token.proto
diff --git a/javascript/index.ts b/javascript/index.ts
@@ -3,3 +3,4 @@ export * as control from './controlclient'
 export * as pubsub from './cachepubsub'
 export * as ping from './cacheping'
 export * as auth from './auth'
+export * as token from './token'
diff --git a/kotlin-messages/kotlin/messages/generated-sources/descriptors/client_protos.dsc b/kotlin-messages/kotlin/messages/generated-sources/descriptors/client_protos.dsc
diff --git a/proto/auth.proto b/proto/auth.proto
@@ -1,5 +1,7 @@
 syntax = "proto3";
 
+import "permissions.proto";
+
 option go_package = "github.com/momentohq/client-sdk-go;client_sdk_go";
 option java_multiple_files = true;
 option java_package = "momento.auth";
@@ -69,98 +71,9 @@ message _GenerateApiTokenRequest {
         Expires expires = 2;
     }
 
-    // Aliases for categories of functionality.
-    enum CacheRole {
-      CachePermitNone = 0;
-      // Restricts access to apis that read and write data from caches: No higher level resource description or modification.
-      CacheReadWrite = 1;
-      // Restricts access to apis that read from caches: No higher level resource description or modification.
-      CacheReadOnly = 2;
-      // Doesn't allow conditional write APIs (SetIfNotExists, IncreaseTTL etc)
-      CacheWriteOnly = 3;
-    }
-
-    // Aliases for categories of functionality.
-    enum TopicRole {
-      TopicPermitNone = 0;
-      // Restricts access to apis that read and write data from topics: No higher level resource description or modification.
-      TopicReadWrite = 1;
-      // Restricts access to apis that read from topics: No higher level resource description or modification.
-      TopicReadOnly = 2;
-      // Only publish allowed
-      TopicWriteOnly = 3;
-    }
-
     string auth_token = 3;
 
-    enum SuperUserPermissions {
-      SuperUser = 0;
-    }
-
-    message Permissions {
-      oneof kind {
-        SuperUserPermissions super_user = 1;
-        ExplicitPermissions explicit = 2;
-      }
-    }
-
-    message ExplicitPermissions {
-      repeated PermissionsType permissions = 1;
-    }
-
-    message PermissionsType {
-      oneof kind {
-        CachePermissions cache_permissions = 1;
-        TopicPermissions topic_permissions = 2;
-      }
-
-      message All {}
-
-      message CacheSelector {
-        oneof kind {
-          string cache_name = 1;
-        }
-      }
-
-      message CacheItemSelector {
-        oneof kind {
-          bytes key = 1;
-          bytes key_prefix = 2;
-        }
-      }
-
-      message CachePermissions {
-        CacheRole role = 1;
-        oneof cache {
-          All all_caches = 2;
-          CacheSelector cache_selector = 3;
-        }
-        oneof cache_item {
-          All all_items = 4;
-          CacheItemSelector item_selector = 5;
-        }
-      }
-
-      message TopicSelector {
-        oneof kind {
-          string topic_name = 1;
-        }
-      }
-
-      message TopicPermissions {
-        TopicRole role = 1;
-        oneof cache {
-          All all_caches = 2;
-          CacheSelector cache_selector = 3;
-        }
-        oneof topic {
-          All all_topics = 4;
-          TopicSelector topic_selector = 5;
-        }        
-      }
-    }
-
-    Permissions permissions = 4;
+    permissions.Permissions permissions = 4;
 }
 
 message _GenerateApiTokenResponse {

diff --git a/proto/permissions.proto b/proto/permissions.proto
@@ -0,0 +1,96 @@
+syntax = "proto3";
+
+option go_package = "github.com/momentohq/client-sdk-go;client_sdk_go";
+option java_multiple_files = true;
+option java_package = "momento.shared.permissions";
+
+package permissions;
+
+// Aliases for categories of functionality.
+enum CacheRole {
+  CachePermitNone = 0;
+  // Restricts access to apis that read and write data from caches: No higher level resource description or modification.
+  CacheReadWrite = 1;
+  // Restricts access to apis that read from caches: No higher level resource description or modification.
+  CacheReadOnly = 2;
+  // Doesn't allow conditional write APIs (SetIfNotExists, IncreaseTTL etc)
+  CacheWriteOnly = 3;
+}
+
+// Aliases for categories of functionality.
+enum TopicRole {
+  TopicPermitNone = 0;
+  // Restricts access to apis that read and write data from topics: No higher level resource description or modification.
+  TopicReadWrite = 1;
+  // Restricts access to apis that read from topics: No higher level resource description or modification.
+  TopicReadOnly = 2;
+  // Only publish allowed
+  TopicWriteOnly = 3;
+}
+
+enum SuperUserPermissions {
+  SuperUser = 0;
+}
+
+message Permissions {
+  oneof kind {
+    SuperUserPermissions super_user = 1;
+    ExplicitPermissions explicit = 2;
+  }
+}
+
+message ExplicitPermissions {
+  repeated PermissionsType permissions = 1;
+}
+
+message PermissionsType {
+  oneof kind {
+    CachePermissions cache_permissions = 1;
+    TopicPermissions topic_permissions = 2;
+  }
+
+  message All {}
+
+  message CacheSelector {
+    oneof kind {
+      string cache_name = 1;
+    }
+  }
+
+  message CacheItemSelector {
+    oneof kind {
+      bytes key = 1;
+      bytes key_prefix = 2;
+    }
+  }
+
+  message CachePermissions {
+    CacheRole role = 1;
+    oneof cache {
+      All all_caches = 2;
+      CacheSelector cache_selector = 3;
+    }
+    oneof cache_item {
+      All all_items = 4;
+      CacheItemSelector item_selector = 5;
+    }
+  }
+
+  message TopicSelector {
+    oneof kind {
+      string topic_name = 1;
+    }
+  }
+
+  message TopicPermissions {
+    TopicRole role = 1;
+    oneof cache {
+      All all_caches = 2;
+      CacheSelector cache_selector = 3;
+    }
+    oneof topic {
+      All all_topics = 4;
+      TopicSelector topic_selector = 5;
+    }
+  }
+}
diff --git a/proto/token.proto b/proto/token.proto
@@ -0,0 +1,37 @@
+syntax = "proto3";
+
+import "permissions.proto";
+
+option go_package = "github.com/momentohq/client-sdk-go;client_sdk_go";
+option java_multiple_files = true;
+option java_package = "momento.token";
+
+package token;
+
+service Token {
+  rpc GenerateAuthAcorn (_GenerateAuthAcornRequest) returns (_GenerateAuthAcornResponse) {}
+}
+
+message _GenerateAuthAcornRequest {
+    // generate a token that has an expiry
+    message Expires {
+        // how many seconds do you want the api token to be valid for?
+        uint32 valid_for_seconds = 1;
+    }
+
+    Expires expires = 1;
+
+  string auth_token = 2;
+
+  permissions.Permissions permissions = 3;
+}
+
+message _GenerateAuthAcornResponse {
+  // the new api key used for authentication against Momento backend
+  string api_key = 1;
+  // the Momento endpoint that this token is allowed to make requests against
+  string endpoint = 2;
+  // epoch seconds when the api token expires
+  uint64 valid_until = 3;
+
+}
diff --git a/python/run-protoc.sh b/python/run-protoc.sh
@@ -23,7 +23,7 @@ do
     if [[ $python_protobuf_version == "protobuf>4" ]]; then
         pyi_out="--pyi_out=$src_path"
     fi
-    poetry run python -m grpc_tools.protoc -I../proto --python_out=$src_path $pyi_out --grpc_python_out=$src_path extensions.proto cacheclient.proto controlclient.proto auth.proto cachepubsub.proto vectorindex.proto
+    poetry run python -m grpc_tools.protoc -I../proto --python_out=$src_path $pyi_out --grpc_python_out=$src_path permissions.proto extensions.proto cacheclient.proto controlclient.proto auth.proto cachepubsub.proto vectorindex.proto token.proto
 
     # A shortcoming of the generated code is in the grpc generated code,
     # the protobuf imports are absolute instead of relative.