SyncbaseCore/Source/Permissions.swift - release.swift - Git at Google

 // Copyright 2016 The Vanadium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 import Foundation

 /// Permissions maps string tags to access lists specifying the blessings
 /// required to invoke methods with that tag.
 ///
 /// These tags are meant to add a layer of interposition between the set of
 /// users (blessings, specifically) and the set of methods, much like "Roles" do
 /// in Role Based Access Control.
 /// (http://en.wikipedia.org/wiki/Role-based_access_control)
 public typealias Permissions = [String: BlessingPattern]

 /// BlessingPattern is a pattern that is matched by specific blessings.
 ///
 /// A pattern can either be a blessing (slash-separated human-readable string)
 /// or a blessing ending in "/$". A pattern ending in "/$" is matched exactly
 /// by the blessing specified by the pattern string with the "/$" suffix stripped
 /// out. For example, the pattern "a/b/c/$" is matched by exactly by the blessing
 /// "a/b/c".
 ///
 /// A pattern not ending in "/$" is more permissive, and is also matched by blessings
 /// that are extensions of the pattern (including the pattern itself). For example, the
 /// pattern "a/b/c" is matched by the blessings "a/b/c", "a/b/c/x", "a/b/c/x/y", etc.
 public typealias BlessingPattern = String

 public typealias PermissionsVersion = String

 /// AccessList represents a set of blessings that should be granted access.
 ///
 /// See also: https://vanadium.github.io/glossary.html#access-list
 public struct AcccessList {
   /// allowed denotes the set of blessings (represented as BlessingPatterns) that
   /// should be granted access, unless blacklisted by an entry in notAllowed.
   ///
   /// For example:
   /// allowed: {"alice:family"}
   /// grants access to a principal that presents at least one of
   /// "alice:family", "alice:family:friend", "alice:family:friend:spouse" etc.
   /// as a blessing.
   public let allowed: [BlessingPattern]

   /// notAllowed denotes the set of blessings (and their delegates) that
   /// have been explicitly blacklisted from the allowed set.
   ///
   /// For example:
   /// allowed: {"alice:friend"}, notAllowed: {"alice:friend:bob"}
   /// grants access to principals that present "alice:friend",
   /// "alice:friend:carol" etc. but NOT to a principal that presents
   /// "alice:friend:bob" or "alice:friend:bob:spouse" etc.
   public let notAllowed: [BlessingPattern]
 }

 /// AccessController provides access control for various syncbase objects.
 public protocol AccessController {
   /// setPermissions replaces the current Permissions for an object.
   func setPermissions(perms: Permissions, version: PermissionsVersion) throws

   /// GetPermissions returns the current Permissions for an object.
   /// For detailed documentation, see Object.GetPermissions.
   func getPermissions() throws -> (Permissions, PermissionsVersion)
 }
	// Copyright 2016 The Vanadium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	import Foundation

	/// Permissions maps string tags to access lists specifying the blessings
	/// required to invoke methods with that tag.
	///
	/// These tags are meant to add a layer of interposition between the set of
	/// users (blessings, specifically) and the set of methods, much like "Roles" do
	/// in Role Based Access Control.
	/// (http://en.wikipedia.org/wiki/Role-based_access_control)
	public typealias Permissions = [String: BlessingPattern]

	/// BlessingPattern is a pattern that is matched by specific blessings.
	///
	/// A pattern can either be a blessing (slash-separated human-readable string)
	/// or a blessing ending in "/$". A pattern ending in "/$" is matched exactly
	/// by the blessing specified by the pattern string with the "/$" suffix stripped
	/// out. For example, the pattern "a/b/c/$" is matched by exactly by the blessing
	/// "a/b/c".
	///
	/// A pattern not ending in "/$" is more permissive, and is also matched by blessings
	/// that are extensions of the pattern (including the pattern itself). For example, the
	/// pattern "a/b/c" is matched by the blessings "a/b/c", "a/b/c/x", "a/b/c/x/y", etc.
	public typealias BlessingPattern = String

	public typealias PermissionsVersion = String

	/// AccessList represents a set of blessings that should be granted access.
	///
	/// See also: https://vanadium.github.io/glossary.html#access-list
	public struct AcccessList {
	/// allowed denotes the set of blessings (represented as BlessingPatterns) that
	/// should be granted access, unless blacklisted by an entry in notAllowed.
	///
	/// For example:
	/// allowed: {"alice:family"}
	/// grants access to a principal that presents at least one of
	/// "alice:family", "alice:family:friend", "alice:family:friend:spouse" etc.
	/// as a blessing.
	public let allowed: [BlessingPattern]

	/// notAllowed denotes the set of blessings (and their delegates) that
	/// have been explicitly blacklisted from the allowed set.
	///
	/// For example:
	/// allowed: {"alice:friend"}, notAllowed: {"alice:friend:bob"}
	/// grants access to principals that present "alice:friend",
	/// "alice:friend:carol" etc. but NOT to a principal that presents
	/// "alice:friend:bob" or "alice:friend:bob:spouse" etc.
	public let notAllowed: [BlessingPattern]
	}

	/// AccessController provides access control for various syncbase objects.
	public protocol AccessController {
	/// setPermissions replaces the current Permissions for an object.
	func setPermissions(perms: Permissions, version: PermissionsVersion) throws

	/// GetPermissions returns the current Permissions for an object.
	/// For detailed documentation, see Object.GetPermissions.
	func getPermissions() throws -> (Permissions, PermissionsVersion)
	}