spicedb
feat: add dry-run support to WriteSchema API
fixes: https://github.com/authzed/spicedb/issues/2418
Manual Testing Results
- Initial Schema Write
$ grpcurl -plaintext -H "authorization: Bearer development-key" -d '{"schema": "definition user {}\n\ndefinition document {\n relation viewer: user\n}"}' localhost:50051 authzed.api.v1.SchemaService/WriteSchema
{
"writtenAt": {
"token": "GgYKBENPTUc="
}
}
- Read Current Schema
$ grpcurl -plaintext -H "authorization: Bearer development-key" localhost:50051 authzed.api.v1.SchemaService/ReadSchema
{
"schemaText": "definition user {}\n\ndefinition document {\n\trelation viewer: user\n}",
"readAt": {
"token": "GgYKBENPUUc="
}
}
- Dry Run - Schema (Success)
$ grpcurl -plaintext -H "authorization: Bearer development-key" -d '{"schema": "definition user {}\n\ndefinition organization {\n relation admin: user\n relation member: user\n permission manage = admin\n}\n\ndefinition document {\n relation viewer: user\n relation editor: user | organization#member\n relation owner: user | organization#admin\n permission view = viewer + editor + owner\n permission edit = editor + owner\n permission delete = owner\n}", "dry_run": true}' localhost:50051 authzed.api.v1.SchemaService/WriteSchema
{
"writtenAt": {
"token": "GgYKBENPY0c="
}
}
- Verify Schema Unchanged After Dry Run
$ grpcurl -plaintext -H "authorization: Bearer development-key" localhost:50051 authzed.api.v1.SchemaService/ReadSchema
{
"schemaText": "definition user {}\n\ndefinition document {\n\trelation viewer: user\n}",
"readAt": {
"token": "GgYKBENPY0c="
}
}
- Create Test Relationship
$ grpcurl -plaintext -H "authorization: Bearer development-key" -d '{"updates": [{"operation": "OPERATION_CREATE", "relationship": {"resource": {"objectType": "document", "objectId": "doc1"}, "relation": "viewer", "subject": {"object": {"objectType": "user", "objectId": "user1"}}}}]}' localhost:50051 authzed.api.v1.PermissionsService/WriteRelationships
{
"writtenAt": {
"token": "GgYKBENPd0c="
}
}
- Dry Run - Breaking Change (Error)
$ grpcurl -plaintext -H "authorization: Bearer development-key" -d '{"schema": "definition user {}\n\ndefinition document {\n relation editor: user\n permission edit = editor\n}", "dry_run": true}' localhost:50051 authzed.api.v1.SchemaService/WriteSchema
ERROR:
Code: InvalidArgument
Message: cannot delete relation `viewer` in object definition `document`, as a relationship exists under it
Details:
1) {
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"domain": "authzed.com",
"reason": "ERROR_REASON_SCHEMA_TYPE_ERROR"
}
- Verify Schema Still Protected
$ grpcurl -plaintext -H "authorization: Bearer development-key" localhost:50051 authzed.api.v1.SchemaService/ReadSchema
{
"schemaText": "definition user {}\n\ndefinition document {\n\trelation viewer: user\n}",
"readAt": {
"token": "GgYKBENQSUc="
}
}
TODO: tests
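The manual checks above can be turned into an automated gate. This is an added example, not code from the PR or from SpiceDB: `GateDryRun` and `schemaText` are hypothetical helpers that take captured grpcurl output as strings (ReadSchema before, the dry-run WriteSchema result, ReadSchema after) and fail closed on anything unexpected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

var reasonRE = regexp.MustCompile(`"reason":\s*"([A-Z_]+)"`)

// schemaText pulls schemaText out of a ReadSchema JSON response.
func schemaText(readOut string) (string, error) {
	var r struct{ SchemaText string }
	err := json.Unmarshal([]byte(readOut), &r)
	return r.SchemaText, err
}

// GateDryRun (hypothetical helper) returns "accepted" or "rejected:<reason>".
// It compares read with read: the server reformats written text (spaces come back as a tab).
func GateDryRun(before, dryRunOut, after string) (string, error) {
	b, errB := schemaText(before)
	a, errA := schemaText(after)
	if errB != nil || errA != nil {
		return "", fmt.Errorf("unparseable ReadSchema output")
	}
	if a != b { // a dry run must leave the stored schema untouched
		return "", fmt.Errorf("stored schema changed across a dry run")
	}
	out := strings.TrimSpace(dryRunOut)
	if strings.HasPrefix(out, "ERROR:") { // grpcurl's rendering of a gRPC error
		if m := reasonRE.FindStringSubmatch(out); m != nil {
			return "rejected:" + m[1], nil
		}
		return "rejected:unknown", nil
	}
	var w struct{ WrittenAt struct{ Token string } }
	if json.Unmarshal([]byte(out), &w) != nil || w.WrittenAt.Token == "" {
		return "", fmt.Errorf("unrecognized WriteSchema output, failing closed")
	}
	return "accepted", nil
}

func main() {
	// Constructed sample transcripts modelled on the output above; tokens are placeholders.
	read := `{"schemaText": "definition user {}\n\ndefinition document {\n\trelation viewer: user\n}", "readAt": {"token": "t1"}}`
	fmt.Println(GateDryRun(read, `{"writtenAt": {"token": "t2"}}`, read))
	fmt.Println(GateDryRun(read, "ERROR:\n  Code: InvalidArgument\n  Details:\n  1) {\n    \"reason\": \"ERROR_REASON_SCHEMA_TYPE_ERROR\"\n  }", read))
}
```
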
CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅
I have read the CLA Document and I hereby sign the CLA
Requesting an initial review. I’m unsure about the extent of changes that may be needed, so I’ll add tests after the review.