ABAC SUPPORT

go.mod

@@ -8,14 +8,18 @@ require (
 	github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/cespare/xxhash/v2 v2.2.0
+	github.com/davecgh/go-spew v1.1.1
 	github.com/dgraph-io/ristretto v0.1.1
 	github.com/dustin/go-humanize v1.0.1
 	github.com/envoyproxy/protoc-gen-validate v1.0.2
 	github.com/fatih/color v1.15.0
 	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang/protobuf v1.5.3
+	github.com/google/cel-go v0.17.1
 	github.com/gookit/color v1.5.4
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0-rc.5
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.1
 	github.com/hashicorp/go-memdb v1.3.4
 	github.com/hashicorp/go-multierror v1.1.1
@@ -63,10 +67,10 @@ require (
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/armon/go-metrics v0.4.0 // indirect
 	github.com/containerd/containerd v1.6.19 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v24.0.2+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
@@ -78,14 +82,12 @@ require (
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/glog v1.1.1 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.0.0 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/schema v1.2.0 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0-rc.5 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-msgpack v0.5.3 // indirect
@@ -126,6 +128,7 @@ require (
 	github.com/spf13/cast v1.5.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/tklauser/go-sysconf v0.3.11 // indirect

go.sum

@@ -61,6 +61,8 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.4.0 h1:yCQqn7dwca4ITXb+CbubHmedzaQYHhNhrEXLYUeEe8Q=
@@ -204,6 +206,8 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/cel-go v0.17.1 h1:s2151PDGy/eqpCI80/8dl4VL3xTkqI/YubXLXCFw0mw=
+github.com/google/cel-go v0.17.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -515,6 +519,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
 github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
+github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=

internal/engines/bulk.go

@@ -9,6 +9,13 @@ import (
 	base "github.com/Permify/permify/pkg/pb/base/v1"
 )
 
+type BulkCheckerType string
+
+const (
+	BULK_SUBJECT BulkCheckerType = "subject"
+	BULK_ENTITY  BulkCheckerType = "entity"
+)
+
 // BulkCheckerRequest is a struct for a permission check request and the channel to send the result.
 type BulkCheckerRequest struct {
 	Request *base.PermissionCheckRequest
@@ -48,7 +55,7 @@ func NewBulkChecker(ctx context.Context, engine *CheckEngine, callback func(enti
 
 // Start begins processing permission check requests from the RequestChan.
 // It starts an errgroup that manages multiple goroutines for performing permission checks.
-func (c *BulkChecker) Start() {
+func (c *BulkChecker) Start(typ BulkCheckerType) {
 	c.g.Go(func() error {
 		sem := semaphore.NewWeighted(int64(c.concurrencyLimit))
 		for {
@@ -65,16 +72,26 @@ func (c *BulkChecker) Start() {
 			// run the permission check in a separate goroutine
 			c.g.Go(func() error {
 				defer sem.Release(1)
-				if req.Result == base.CheckResult_RESULT_UNKNOWN {
+				if req.Result == base.CheckResult_CHECK_RESULT_UNSPECIFIED {
 					result, err := c.checkEngine.Check(c.ctx, req.Request)
 					if err != nil {
 						return err
 					}
 
-					// call the callback with the result
-					c.callback(req.Request.GetEntity().GetId(), result.Can)
+					if typ == BULK_ENTITY {
+						// call the callback with the result
+						c.callback(req.Request.GetEntity().GetId(), result.Can)
+					} else if typ == BULK_SUBJECT {
+						c.callback(req.Request.GetSubject().GetId(), result.Can)
+					}
+
 				} else {
-					c.callback(req.Request.GetEntity().GetId(), req.Result)
+					if typ == BULK_ENTITY {
+						// call the callback with the result
+						c.callback(req.Request.GetEntity().GetId(), req.Result)
+					} else if typ == BULK_SUBJECT {
+						c.callback(req.Request.GetSubject().GetId(), req.Result)
+					}
 				}
 				return nil
 			})
@@ -95,34 +112,67 @@ func (c *BulkChecker) Wait() error {
 	return c.g.Wait()
 }
 
-// BulkPublisher is a struct for streaming permission check results.
-type BulkPublisher struct {
+// BulkEntityPublisher is a struct for streaming permission check results.
+type BulkEntityPublisher struct {
 	bulkChecker *BulkChecker
 
 	request *base.PermissionLookupEntityRequest
 	// context to manage goroutines and cancellation
 	ctx context.Context
 }
 
-// NewBulkPublisher creates a new BulkStreamer instance.
-func NewBulkPublisher(ctx context.Context, request *base.PermissionLookupEntityRequest, bulkChecker *BulkChecker) *BulkPublisher {
-	return &BulkPublisher{
+// NewBulkEntityPublisher creates a new BulkStreamer instance.
+func NewBulkEntityPublisher(ctx context.Context, request *base.PermissionLookupEntityRequest, bulkChecker *BulkChecker) *BulkEntityPublisher {
+	return &BulkEntityPublisher{
+		bulkChecker: bulkChecker,
+		request:     request,
+		ctx:         ctx,
+	}
+}
+
+// Publish publishes a permission check request to the BulkChecker.
+func (s *BulkEntityPublisher) Publish(entity *base.Entity, metadata *base.PermissionCheckRequestMetadata, context *base.Context, result base.CheckResult) {
+	s.bulkChecker.RequestChan <- BulkCheckerRequest{
+		Request: &base.PermissionCheckRequest{
+			TenantId:   s.request.GetTenantId(),
+			Metadata:   metadata,
+			Entity:     entity,
+			Permission: s.request.GetPermission(),
+			Subject:    s.request.GetSubject(),
+			Context:    context,
+		},
+		Result: result,
+	}
+}
+
+// BulkSubjectPublisher is a struct for streaming permission check results.
+type BulkSubjectPublisher struct {
+	bulkChecker *BulkChecker
+
+	request *base.PermissionLookupSubjectRequest
+	// context to manage goroutines and cancellation
+	ctx context.Context
+}
+
+// NewBulkSubjectPublisher creates a new BulkStreamer instance.
+func NewBulkSubjectPublisher(ctx context.Context, request *base.PermissionLookupSubjectRequest, bulkChecker *BulkChecker) *BulkSubjectPublisher {
+	return &BulkSubjectPublisher{
 		bulkChecker: bulkChecker,
 		request:     request,
 		ctx:         ctx,
 	}
 }
 
 // Publish publishes a permission check request to the BulkChecker.
-func (s *BulkPublisher) Publish(entity *base.Entity, metadata *base.PermissionCheckRequestMetadata, contextual []*base.Tuple, result base.CheckResult) {
+func (s *BulkSubjectPublisher) Publish(subject *base.Subject, metadata *base.PermissionCheckRequestMetadata, context *base.Context, result base.CheckResult) {
 	s.bulkChecker.RequestChan <- BulkCheckerRequest{
 		Request: &base.PermissionCheckRequest{
-			TenantId:         s.request.GetTenantId(),
-			Metadata:         metadata,
-			Entity:           entity,
-			Permission:       s.request.GetPermission(),
-			Subject:          s.request.GetSubject(),
-			ContextualTuples: contextual,
+			TenantId:   s.request.GetTenantId(),
+			Metadata:   metadata,
+			Entity:     s.request.GetEntity(),
+			Permission: s.request.GetPermission(),
+			Subject:    subject,
+			Context:    context,
 		},
 		Result: result,
 	}