Package com.buildless.api

Class MethodAuthorization

java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessageV3
com.buildless.api.MethodAuthorization
All Implemented Interfaces:
MethodAuthorizationOrBuilder, com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, Serializable
public final class MethodAuthorization extends com.google.protobuf.GeneratedMessageV3 implements MethodAuthorizationOrBuilder
 ## Method Authorization

 Specifies authorization configuration for a given RPC method provided by a Buildless API service. Settings on this
 configuration are enforced by interceptors on behalf of the service under invocation. Proto-methods may be annotated
 with these settings via the `buildless.api.authz` coordinate.

 ### Anonymous Access

 If the `anonymous_access` flag is set, the method is allowed to be invoked without any credentials present at all. In
 this case, it is up to the method implementation to enforce second-order auth. There are two application features
 where this is useful:

 - **Open methods.** Some methods (for example, `AppInfo`) return publicly-available information, and don't need to
   perform authorization steps. In this context, authorization may be wasteful.

 - **Anonymous-enabled methods.** Some methods (for example, cache access) can be opened up for public access on a
   policy basis by authorized users. In this case, the method implementation is responsible for enforcing second-order
   authorization state; for example, enforcing authorization state if-and-only-if the project under access demands it.

 ### Publishable API Keys

 "Publishable" API keys are keys which are safe to publish. These keys are typically used for non-sensitive or write-
 only operations, like telemetry submission. If the `publishable` flag is set, interceptors will allow invocations
 which specify a publishable key. By default, publishable keys are not allowed on any method.

 ### Authorization Behavior

 After enforcing the policies defined on this record, interceptors will mount resulting credential material within the
 execution context for the invocation. Implementations may then access these values via well-typed context keys. See
 the `CallMetadata` file for more information.

 Guarantees provided by this implementation:

 - **Values are well-formed.** If a value is read by the interceptor at all, it is well-formed. Downstream consumers
   may assume that the value has been validated statically to a reasonable extent.

 - **Values are semantically valid.** If a value is read by the interceptor, it is used properly and in the right
   "place" (the right header, context, etc). Downstream consumers need not verify the value's use semantics.

 - **Values are verified.** At the point a method invocation begins, all relevant authorization material has already
   been calculated and enforced. Downstream consumers do not need to look up user or tenant records, for example, to
   make sure they exist.

 ### Exhaustive settings list

 - `allow_anonymous`: Allow anonymous invocations (i.e. invocations with no credentials present). **Danger:** When
   this option is set, authorization steps `MUST` be performed by the implementation, as applicable.

 - `allow_publishable`: Allow the use of "publishable" API keys. **Danger:** When this option is set, API keys may be
   used which are intended to be published. The end-client may not be an explicitly-authorized user.

 - `require_token`: Require a valid end-user authorization token, or signed session, to be present on the request. In
   this mode, `USER` authorization mode is implied.

 - `sensitive`: Mark the method as a "sensitive" operation. In this case, an additional authorization step may be
   required; in some circumstances, this may be a "sudo" upgrade of a user's session, for instance, using 2FA. In API
   circumstances, an additional secret-signed HMAC token may be required. Consult method documentation for more info.

 - `authorization_mode`: Governs the principal types that can invoke a given RPC method. Some methods are only able to
   be invoked by end-users or within an org-wide circumstance. See the `AuthorizationMode` enum for more information.

 - `require_tenant`: Require the presence of tenant authorization information on a request, regardless of the mode of
   the request (so, this does apply to `USER` credentials). In the case of `USER` credentials, a tenant `MAY` be
   specified explicitly; if none is specified, the default tenant for the user is used. If no default tenant exists
   for the user, an error is returned.

 - `permission`: Describes the minimum generalized permission level that is required to execute a given RPC method.
   The end-user invoking a request must be granted a role which corresponds *at least* with this permission. This
   concept only applies within the context of `USER`-type credentials.
Protobuf type buildless.api.MethodAuthorization
See Also:

  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static final class 
    MethodAuthorization.Builder
    ## Method Authorization Specifies authorization configuration for a given RPC method provided by a Buildless API service.

    Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3

    com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageT extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT>,BuilderT extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageT,BuilderT>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageT extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter

    Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

    com.google.protobuf.AbstractMessageLite.InternalOneOfEnum

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final int
    ALLOW_ANONYMOUS_FIELD_NUMBER
     
    static final int
    ALLOW_PUBLISHABLE_FIELD_NUMBER
     
    static final int
    MODE_FIELD_NUMBER
     
    static final int
    PERMISSION_FIELD_NUMBER
     
    static final int
    REQUIRE_TENANT_FIELD_NUMBER
     
    static final int
    REQUIRE_TOKEN_FIELD_NUMBER
     
    static final int
    SENSITIVE_FIELD_NUMBER
     

    Fields inherited from class com.google.protobuf.GeneratedMessageV3

    alwaysUseFieldBuilders, unknownFields

    Fields inherited from class com.google.protobuf.AbstractMessage

    memoizedSize

    Fields inherited from class com.google.protobuf.AbstractMessageLite

    memoizedHashCode

  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    equals(Object obj)
     
    boolean
    getAllowAnonymous()
    Allow anonymous invocations (i.e.
    boolean
    getAllowPublishable()
    Allow the use of "publishable" API keys.
    static MethodAuthorization
    getDefaultInstance()
     
    MethodAuthorization
    getDefaultInstanceForType()
     
    static final com.google.protobuf.Descriptors.Descriptor
    getDescriptor()
     
    AuthorizationMode
    getMode()
    Governs the principal types that can invoke a given RPC method.
    int
    getModeValue()
    Governs the principal types that can invoke a given RPC method.
    com.google.protobuf.Parser<MethodAuthorization>
    getParserForType()
     
    PermissionLevel
    getPermission()
    Describes the minimum generalized permission level that is required to execute a given RPC method.
    int
    getPermissionValue()
    Describes the minimum generalized permission level that is required to execute a given RPC method.
    boolean
    getRequireTenant()
    Require the presence of tenant authorization information on a request, regardless of the mode of the request.
    boolean
    getRequireToken()
    Require a valid end-user authorization token, or signed session, to be present on the request.
    boolean
    getSensitive()
    Mark the method as a "sensitive" operation.
    int
    getSerializedSize()
     
    int
    hashCode()
     
    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
    internalGetFieldAccessorTable()
     
    final boolean
    isInitialized()
     
    static MethodAuthorization.Builder
    newBuilder()
     
    static MethodAuthorization.Builder
    newBuilder(MethodAuthorization prototype)
     
    MethodAuthorization.Builder
    newBuilderForType()
     
    protected MethodAuthorization.Builder
    newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
     
    protected Object
    newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
     
    static MethodAuthorization
    parseDelimitedFrom(InputStream input)
     
    static MethodAuthorization
    parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static MethodAuthorization
    parseFrom(byte[] data)
     
    static MethodAuthorization
    parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static MethodAuthorization
    parseFrom(com.google.protobuf.ByteString data)
     
    static MethodAuthorization
    parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static MethodAuthorization
    parseFrom(com.google.protobuf.CodedInputStream input)
     
    static MethodAuthorization
    parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static MethodAuthorization
    parseFrom(InputStream input)
     
    static MethodAuthorization
    parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static MethodAuthorization
    parseFrom(ByteBuffer data)
     
    static MethodAuthorization
    parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static com.google.protobuf.Parser<MethodAuthorization>
    parser()
     
    MethodAuthorization.Builder
    toBuilder()
     
    void
    writeTo(com.google.protobuf.CodedOutputStream output)
     

    Methods inherited from class com.google.protobuf.GeneratedMessageV3

    canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, isStringEmpty, makeExtensionsImmutable, makeMutableCopy, makeMutableCopy, mergeFromAndMakeImmutableInternal, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, newBooleanList, newBuilderForType, newDoubleList, newFloatList, newIntList, newLongList, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag

    Methods inherited from class com.google.protobuf.AbstractMessage

    findInitializationErrors, getInitializationErrorString, hashBoolean, hashEnum, hashEnumList, hashFields, hashLong, toString

    Methods inherited from class com.google.protobuf.AbstractMessageLite

    addAll, addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait

    Methods inherited from interface com.google.protobuf.MessageLite

    toByteArray, toByteString, writeDelimitedTo, writeTo

    Methods inherited from interface com.google.protobuf.MessageOrBuilder

    findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

  • Field Details

    • ALLOW_ANONYMOUS_FIELD_NUMBER

      public static final int ALLOW_ANONYMOUS_FIELD_NUMBER
      See Also:

    • ALLOW_PUBLISHABLE_FIELD_NUMBER

      public static final int ALLOW_PUBLISHABLE_FIELD_NUMBER
      See Also:

    • REQUIRE_TOKEN_FIELD_NUMBER

      public static final int REQUIRE_TOKEN_FIELD_NUMBER
      See Also:

    • SENSITIVE_FIELD_NUMBER

      public static final int SENSITIVE_FIELD_NUMBER
      See Also:

    • MODE_FIELD_NUMBER

      public static final int MODE_FIELD_NUMBER
      See Also:

    • REQUIRE_TENANT_FIELD_NUMBER

      public static final int REQUIRE_TENANT_FIELD_NUMBER
      See Also:

    • PERMISSION_FIELD_NUMBER

      public static final int PERMISSION_FIELD_NUMBER
      See Also:

  • Method Details

    • newInstance

      protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
      Overrides:
      newInstance in class com.google.protobuf.GeneratedMessageV3

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

    • getAllowAnonymous

      public boolean getAllowAnonymous()
       Allow anonymous invocations (i.e. invocations with no credentials present).
      bool allow_anonymous = 1 [json_name = "allowAnonymous"];
      Specified by:
      getAllowAnonymous in interface MethodAuthorizationOrBuilder
      Returns:
      The allowAnonymous.

    • getAllowPublishable

      public boolean getAllowPublishable()
       Allow the use of "publishable" API keys.
      bool allow_publishable = 2 [json_name = "allowPublishable"];
      Specified by:
      getAllowPublishable in interface MethodAuthorizationOrBuilder
      Returns:
      The allowPublishable.

    • getRequireToken

      public boolean getRequireToken()
       Require a valid end-user authorization token, or signed session, to be present on the request.
      bool require_token = 3 [json_name = "requireToken"];
      Specified by:
      getRequireToken in interface MethodAuthorizationOrBuilder
      Returns:
      The requireToken.

    • getSensitive

      public boolean getSensitive()
       Mark the method as a "sensitive" operation.
      bool sensitive = 4 [json_name = "sensitive"];
      Specified by:
      getSensitive in interface MethodAuthorizationOrBuilder
      Returns:
      The sensitive.

    • getModeValue

      public int getModeValue()
       Governs the principal types that can invoke a given RPC method.
      .buildless.api.AuthorizationMode mode = 5 [json_name = "mode"];
      Specified by:
      getModeValue in interface MethodAuthorizationOrBuilder
      Returns:
      The enum numeric value on the wire for mode.

    • getMode

      public AuthorizationMode getMode()
       Governs the principal types that can invoke a given RPC method.
      .buildless.api.AuthorizationMode mode = 5 [json_name = "mode"];
      Specified by:
      getMode in interface MethodAuthorizationOrBuilder
      Returns:
      The mode.

    • getRequireTenant

      public boolean getRequireTenant()
       Require the presence of tenant authorization information on a request, regardless of the mode of the request.
      bool require_tenant = 6 [json_name = "requireTenant"];
      Specified by:
      getRequireTenant in interface MethodAuthorizationOrBuilder
      Returns:
      The requireTenant.

    • getPermissionValue

      public int getPermissionValue()
       Describes the minimum generalized permission level that is required to execute a given RPC method.
      .buildless.api.PermissionLevel permission = 7 [json_name = "permission"];
      Specified by:
      getPermissionValue in interface MethodAuthorizationOrBuilder
      Returns:
      The enum numeric value on the wire for permission.

    • getPermission

      public PermissionLevel getPermission()
       Describes the minimum generalized permission level that is required to execute a given RPC method.
      .buildless.api.PermissionLevel permission = 7 [json_name = "permission"];
      Specified by:
      getPermission in interface MethodAuthorizationOrBuilder
      Returns:
      The permission.

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3

    • writeTo

      public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
      Specified by:
      writeTo in interface com.google.protobuf.MessageLite
      Overrides:
      writeTo in class com.google.protobuf.GeneratedMessageV3
      Throws:
      IOException

    • getSerializedSize

      public int getSerializedSize()
      Specified by:
      getSerializedSize in interface com.google.protobuf.MessageLite
      Overrides:
      getSerializedSize in class com.google.protobuf.GeneratedMessageV3

    • equals

      public boolean equals(Object obj)
      Specified by:
      equals in interface com.google.protobuf.Message
      Overrides:
      equals in class com.google.protobuf.AbstractMessage

    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface com.google.protobuf.Message
      Overrides:
      hashCode in class com.google.protobuf.AbstractMessage

    • parseFrom

      public static MethodAuthorization parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static MethodAuthorization parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static MethodAuthorization parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static MethodAuthorization parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static MethodAuthorization parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static MethodAuthorization parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static MethodAuthorization parseFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static MethodAuthorization parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static MethodAuthorization parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static MethodAuthorization parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseFrom

      public static MethodAuthorization parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static MethodAuthorization parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • newBuilderForType

      public MethodAuthorization.Builder newBuilderForType()
      Specified by:
      newBuilderForType in interface com.google.protobuf.Message
      Specified by:
      newBuilderForType in interface com.google.protobuf.MessageLite

    • newBuilder

      public static MethodAuthorization.Builder newBuilder()

    • newBuilder

      public static MethodAuthorization.Builder newBuilder(MethodAuthorization prototype)

    • toBuilder

      public MethodAuthorization.Builder toBuilder()
      Specified by:
      toBuilder in interface com.google.protobuf.Message
      Specified by:
      toBuilder in interface com.google.protobuf.MessageLite

    • newBuilderForType

      protected MethodAuthorization.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
      Specified by:
      newBuilderForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstance

      public static MethodAuthorization getDefaultInstance()

    • parser

      public static com.google.protobuf.Parser<MethodAuthorization> parser()

    • getParserForType

      public com.google.protobuf.Parser<MethodAuthorization> getParserForType()
      Specified by:
      getParserForType in interface com.google.protobuf.Message
      Specified by:
      getParserForType in interface com.google.protobuf.MessageLite
      Overrides:
      getParserForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstanceForType

      public MethodAuthorization getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder