Class MethodAuthorization.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<BuilderT>
com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
com.buildless.api.MethodAuthorization.Builder
All Implemented Interfaces:
MethodAuthorizationOrBuilder, com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, Cloneable
Enclosing class:
MethodAuthorization

public static final class MethodAuthorization.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder> implements MethodAuthorizationOrBuilder
 ## Method Authorization

 Specifies authorization configuration for a given RPC method provided by a Buildless API service. Settings on this
 configuration are enforced by interceptors on behalf of the service under invocation. Proto-methods may be annotated
 with these settings via the `buildless.api.authz` coordinate.

 ### Anonymous Access

 If the `allow_anonymous` flag is set, the method may be invoked with no credentials present at all. In this case, it
 is up to the method implementation to enforce second-order auth. There are two application features where this is
 useful:

 - **Open methods.** Some methods (for example, `AppInfo`) return publicly-available information, and don't need to
   perform authorization steps. In this context, authorization may be wasteful.

 - **Anonymous-enabled methods.** Some methods (for example, cache access) can be opened up for public access on a
   policy basis by authorized users. In this case, the method implementation is responsible for enforcing second-order
   authorization state; for example, enforcing authorization state if-and-only-if the project under access demands it.

 ### Publishable API Keys

 "Publishable" API keys are keys which are safe to publish. These keys are typically used for non-sensitive or write-
 only operations, like telemetry submission. If the `allow_publishable` flag is set, interceptors will allow
 invocations which specify a publishable key. By default, publishable keys are not allowed on any method.

 ### Authorization Behavior

 After enforcing the policies defined on this record, interceptors will mount resulting credential material within the
 execution context for the invocation. Implementations may then access these values via well-typed context keys. See
 the `CallMetadata` file for more information.

 Guarantees provided by this implementation:

 - **Values are well-formed.** If a value is read by the interceptor at all, it is well-formed. Downstream consumers
   may assume that the value has been validated statically to a reasonable extent.

 - **Values are semantically valid.** If a value is read by the interceptor, it is used properly and in the right
   "place" (the right header, context, etc). Downstream consumers need not verify the value's use semantics.

 - **Values are verified.** At the point a method invocation begins, all relevant authorization material has already
   been calculated and enforced. Downstream consumers do not need to look up user or tenant records, for example, to
   make sure they exist.

 ### Exhaustive settings list

 - `allow_anonymous`: Allow anonymous invocations (i.e. invocations with no credentials present). **Danger:** When
   this option is set, authorization steps `MUST` be performed by the implementation, as applicable.

 - `allow_publishable`: Allow the use of "publishable" API keys. **Danger:** When this option is set, API keys may be
   used which are intended to be published. The end-client may not be an explicitly-authorized user.

 - `require_token`: Require a valid end-user authorization token, or signed session, to be present on the request. In
   this mode, `USER` authorization mode is implied.

 - `sensitive`: Mark the method as a "sensitive" operation. In this case, an additional authorization step may be
   required; in some circumstances, this may be a "sudo" upgrade of a user's session, for instance, using 2FA. In API
   circumstances, an additional secret-signed HMAC token may be required. Consult method documentation for more info.

 - `mode`: Governs the principal types that can invoke a given RPC method. Some methods are only able to
   be invoked by end-users or within an org-wide circumstance. See the `AuthorizationMode` enum for more information.

 - `require_tenant`: Require the presence of tenant authorization information on a request, regardless of the mode of
   the request (so, this does apply to `USER` credentials). In the case of `USER` credentials, a tenant `MAY` be
   specified explicitly; if none is specified, the default tenant for the user is used. If no default tenant exists
   for the user, an error is returned.

 - `permission`: Describes the minimum generalized permission level that is required to execute a given RPC method.
   The end-user invoking a request must be granted a role which corresponds *at least* with this permission. This
   concept only applies within the context of `USER`-type credentials.
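
The checks in the settings list above, as an added sketch in plain Java that is not Buildless code. `Policy`, `Request`, `Level` and `Key` are hypothetical local types mirroring the documented fields; the `Level` ordering and the order in which checks run are assumptions, and `sensitive` and `mode` are left out.

```java
import java.util.Optional;

public class MethodAuthzSketch {
    // Hypothetical ordered levels; the real PermissionLevel values are not on this page.
    enum Level { NONE, READ, WRITE, ADMIN }
    enum Key { ABSENT, PUBLISHABLE, SECRET }

    // Local mirror of allow_anonymous, allow_publishable, require_token,
    // require_tenant and permission (not the generated MethodAuthorization class).
    record Policy(boolean allowAnonymous, boolean allowPublishable,
                  boolean requireToken, boolean requireTenant, Level permission) {}

    // Constructed view of what an interceptor has already parsed and validated.
    record Request(Key key, boolean userToken, Level role,
                   Optional<String> tenant, Optional<String> defaultTenant) {}

    record Decision(boolean allowed, String reason) {}

    static Decision evaluate(Policy p, Request r) {
        // Fail closed: a required end-user token is checked before anything else.
        if (p.requireToken() && !r.userToken())
            return new Decision(false, "end-user token required");
        if (r.key() == Key.ABSENT && !r.userToken())
            return p.allowAnonymous()
                ? new Decision(true, "anonymous: method must enforce second-order auth")
                : new Decision(false, "no credentials");
        // Publishable keys are rejected unless the method opts in.
        if (r.key() == Key.PUBLISHABLE && !p.allowPublishable())
            return new Decision(false, "publishable key not allowed on this method");
        if (p.requireTenant()) {
            // Explicit tenant wins; USER credentials fall back to the user's default.
            Optional<String> tenant = r.tenant().isPresent() || !r.userToken()
                ? r.tenant() : r.defaultTenant();
            if (tenant.isEmpty()) return new Decision(false, "no tenant resolved");
        }
        // The permission floor only applies to USER-type credentials.
        if (r.userToken() && r.role().compareTo(p.permission()) < 0)
            return new Decision(false, "role below required permission");
        return new Decision(true, "ok");
    }

    public static void main(String[] args) {
        // Constructed policies: a telemetry-style method and an admin-only method.
        Policy telemetry = new Policy(false, true, false, false, Level.NONE);
        Policy admin = new Policy(false, false, true, true, Level.ADMIN);
        // Constructed requests covering each credential shape.
        Request anon = new Request(Key.ABSENT, false, Level.NONE, Optional.empty(), Optional.empty());
        Request pubKey = new Request(Key.PUBLISHABLE, false, Level.NONE, Optional.empty(), Optional.empty());
        Request writer = new Request(Key.ABSENT, true, Level.WRITE, Optional.empty(), Optional.of("acme"));
        Request noTenant = new Request(Key.ABSENT, true, Level.ADMIN, Optional.empty(), Optional.empty());
        System.out.println(evaluate(telemetry, anon));
        System.out.println(evaluate(telemetry, pubKey));
        System.out.println(evaluate(admin, pubKey));
        System.out.println(evaluate(admin, writer));
        System.out.println(evaluate(admin, noTenant));
    }
}
```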
 
Protobuf type buildless.api.MethodAuthorization
  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • clear

      Specified by:
      clear in interface com.google.protobuf.Message.Builder
      Specified by:
      clear in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clear in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.Message.Builder
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • getDefaultInstanceForType

      public MethodAuthorization getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder
    • build

      public MethodAuthorization build()
      Specified by:
      build in interface com.google.protobuf.Message.Builder
      Specified by:
      build in interface com.google.protobuf.MessageLite.Builder
    • buildPartial

      public MethodAuthorization buildPartial()
      Specified by:
      buildPartial in interface com.google.protobuf.Message.Builder
      Specified by:
      buildPartial in interface com.google.protobuf.MessageLite.Builder
    • clone

      Specified by:
      clone in interface com.google.protobuf.Message.Builder
      Specified by:
      clone in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clone in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • setField

      public MethodAuthorization.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      setField in interface com.google.protobuf.Message.Builder
      Overrides:
      setField in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • clearField

      public MethodAuthorization.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
      Specified by:
      clearField in interface com.google.protobuf.Message.Builder
      Overrides:
      clearField in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • clearOneof

      public MethodAuthorization.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
      Specified by:
      clearOneof in interface com.google.protobuf.Message.Builder
      Overrides:
      clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • setRepeatedField

      public MethodAuthorization.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
      Specified by:
      setRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • addRepeatedField

      public MethodAuthorization.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      addRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • mergeFrom

      public MethodAuthorization.Builder mergeFrom(com.google.protobuf.Message other)
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<MethodAuthorization.Builder>
    • mergeFrom

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • mergeFrom

      public MethodAuthorization.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Specified by:
      mergeFrom in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<MethodAuthorization.Builder>
      Throws:
      IOException
    • getAllowAnonymous

      public boolean getAllowAnonymous()
       Allow anonymous invocations (i.e. invocations with no credentials present).
       
      bool allow_anonymous = 1 [json_name = "allowAnonymous"];
      Specified by:
      getAllowAnonymous in interface MethodAuthorizationOrBuilder
      Returns:
      The allowAnonymous.
    • setAllowAnonymous

      public MethodAuthorization.Builder setAllowAnonymous(boolean value)
       Allow anonymous invocations (i.e. invocations with no credentials present).
       
      bool allow_anonymous = 1 [json_name = "allowAnonymous"];
      Parameters:
      value - The allowAnonymous to set.
      Returns:
      This builder for chaining.
    • clearAllowAnonymous

      public MethodAuthorization.Builder clearAllowAnonymous()
       Allow anonymous invocations (i.e. invocations with no credentials present).
       
      bool allow_anonymous = 1 [json_name = "allowAnonymous"];
      Returns:
      This builder for chaining.
    • getAllowPublishable

      public boolean getAllowPublishable()
       Allow the use of "publishable" API keys.
       
      bool allow_publishable = 2 [json_name = "allowPublishable"];
      Specified by:
      getAllowPublishable in interface MethodAuthorizationOrBuilder
      Returns:
      The allowPublishable.
    • setAllowPublishable

      public MethodAuthorization.Builder setAllowPublishable(boolean value)
       Allow the use of "publishable" API keys.
       
      bool allow_publishable = 2 [json_name = "allowPublishable"];
      Parameters:
      value - The allowPublishable to set.
      Returns:
      This builder for chaining.
    • clearAllowPublishable

      public MethodAuthorization.Builder clearAllowPublishable()
       Allow the use of "publishable" API keys.
       
      bool allow_publishable = 2 [json_name = "allowPublishable"];
      Returns:
      This builder for chaining.
    • getRequireToken

      public boolean getRequireToken()
       Require a valid end-user authorization token, or signed session, to be present on the request.
       
      bool require_token = 3 [json_name = "requireToken"];
      Specified by:
      getRequireToken in interface MethodAuthorizationOrBuilder
      Returns:
      The requireToken.
    • setRequireToken

      public MethodAuthorization.Builder setRequireToken(boolean value)
       Require a valid end-user authorization token, or signed session, to be present on the request.
       
      bool require_token = 3 [json_name = "requireToken"];
      Parameters:
      value - The requireToken to set.
      Returns:
      This builder for chaining.
    • clearRequireToken

      public MethodAuthorization.Builder clearRequireToken()
       Require a valid end-user authorization token, or signed session, to be present on the request.
       
      bool require_token = 3 [json_name = "requireToken"];
      Returns:
      This builder for chaining.
    • getSensitive

      public boolean getSensitive()
       Mark the method as a "sensitive" operation.
       
      bool sensitive = 4 [json_name = "sensitive"];
      Specified by:
      getSensitive in interface MethodAuthorizationOrBuilder
      Returns:
      The sensitive.
    • setSensitive

      public MethodAuthorization.Builder setSensitive(boolean value)
       Mark the method as a "sensitive" operation.
       
      bool sensitive = 4 [json_name = "sensitive"];
      Parameters:
      value - The sensitive to set.
      Returns:
      This builder for chaining.
    • clearSensitive

      public MethodAuthorization.Builder clearSensitive()
       Mark the method as a "sensitive" operation.
       
      bool sensitive = 4 [json_name = "sensitive"];
      Returns:
      This builder for chaining.
    • getModeValue

      public int getModeValue()
       Governs the principal types that can invoke a given RPC method.
       
      .buildless.api.AuthorizationMode mode = 5 [json_name = "mode"];
      Specified by:
      getModeValue in interface MethodAuthorizationOrBuilder
      Returns:
      The enum numeric value on the wire for mode.
    • setModeValue

      public MethodAuthorization.Builder setModeValue(int value)
       Governs the principal types that can invoke a given RPC method.
       
      .buildless.api.AuthorizationMode mode = 5 [json_name = "mode"];
      Parameters:
      value - The enum numeric value on the wire for mode to set.
      Returns:
      This builder for chaining.
    • getMode

      public AuthorizationMode getMode()
       Governs the principal types that can invoke a given RPC method.
       
      .buildless.api.AuthorizationMode mode = 5 [json_name = "mode"];
      Specified by:
      getMode in interface MethodAuthorizationOrBuilder
      Returns:
      The mode.
    • setMode

       Governs the principal types that can invoke a given RPC method.
       
      .buildless.api.AuthorizationMode mode = 5 [json_name = "mode"];
      Parameters:
      value - The mode to set.
      Returns:
      This builder for chaining.
    • clearMode

      public MethodAuthorization.Builder clearMode()
       Governs the principal types that can invoke a given RPC method.
       
      .buildless.api.AuthorizationMode mode = 5 [json_name = "mode"];
      Returns:
      This builder for chaining.
    • getRequireTenant

      public boolean getRequireTenant()
       Require the presence of tenant authorization information on a request, regardless of the mode of the request.
       
      bool require_tenant = 6 [json_name = "requireTenant"];
      Specified by:
      getRequireTenant in interface MethodAuthorizationOrBuilder
      Returns:
      The requireTenant.
    • setRequireTenant

      public MethodAuthorization.Builder setRequireTenant(boolean value)
       Require the presence of tenant authorization information on a request, regardless of the mode of the request.
       
      bool require_tenant = 6 [json_name = "requireTenant"];
      Parameters:
      value - The requireTenant to set.
      Returns:
      This builder for chaining.
    • clearRequireTenant

      public MethodAuthorization.Builder clearRequireTenant()
       Require the presence of tenant authorization information on a request, regardless of the mode of the request.
       
      bool require_tenant = 6 [json_name = "requireTenant"];
      Returns:
      This builder for chaining.
    • getPermissionValue

      public int getPermissionValue()
       Describes the minimum generalized permission level that is required to execute a given RPC method.
       
      .buildless.api.PermissionLevel permission = 7 [json_name = "permission"];
      Specified by:
      getPermissionValue in interface MethodAuthorizationOrBuilder
      Returns:
      The enum numeric value on the wire for permission.
    • setPermissionValue

      public MethodAuthorization.Builder setPermissionValue(int value)
       Describes the minimum generalized permission level that is required to execute a given RPC method.
       
      .buildless.api.PermissionLevel permission = 7 [json_name = "permission"];
      Parameters:
      value - The enum numeric value on the wire for permission to set.
      Returns:
      This builder for chaining.
    • getPermission

      public PermissionLevel getPermission()
       Describes the minimum generalized permission level that is required to execute a given RPC method.
       
      .buildless.api.PermissionLevel permission = 7 [json_name = "permission"];
      Specified by:
      getPermission in interface MethodAuthorizationOrBuilder
      Returns:
      The permission.
    • setPermission

      public MethodAuthorization.Builder setPermission(PermissionLevel value)
       Describes the minimum generalized permission level that is required to execute a given RPC method.
       
      .buildless.api.PermissionLevel permission = 7 [json_name = "permission"];
      Parameters:
      value - The permission to set.
      Returns:
      This builder for chaining.
    • clearPermission

      public MethodAuthorization.Builder clearPermission()
       Describes the minimum generalized permission level that is required to execute a given RPC method.
       
      .buildless.api.PermissionLevel permission = 7 [json_name = "permission"];
      Returns:
      This builder for chaining.
    • setUnknownFields

      public final MethodAuthorization.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      setUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>
    • mergeUnknownFields

      public final MethodAuthorization.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      mergeUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<MethodAuthorization.Builder>