feature: Playground API (#118)

* feature: Playground API

* Add tests

Makefile

@@ -30,7 +30,6 @@ generate: clean proto-gen-deps
 	@ $(BUF) lint
 	@ # $(BUF) breaking --against '.git#branch=dev'
 	@ $(BUF) generate --template '$(BUF_GEN_TEMPLATE)' .
-	@ # $(MOCKERY) --quiet --dir=pkg/storage/disk --name="Index" --recursive --output=$(MOCK_DIR)
 	@ go mod tidy
 
 generate-notice: $(GO_LICENSES)

NOTICE.txt

@@ -53,10 +53,12 @@ github.com/prometheus/common                                      https://github
 github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg  https://github.com/prometheus/common/blob/master/internal/bitbucket.org/ww/goautoneg/README.txt  BSD-3-Clause
 github.com/prometheus/procfs                                      https://github.com/prometheus/procfs/blob/master/LICENSE                                         Apache-2.0
 github.com/prometheus/statsd_exporter/pkg/mapper                  https://github.com/prometheus/statsd_exporter/blob/master/pkg/mapper/LICENSE                     Apache-2.0
+github.com/ProtonMail/go-crypto                                   https://github.com/ProtonMail/go-crypto/blob/master/LICENSE                                      BSD-3-Clause
 github.com/rcrowley/go-metrics                                    https://github.com/rcrowley/go-metrics/blob/master/LICENSE                                       BSD-2-Clause-FreeBSD
 github.com/rjeczalik/notify                                       https://github.com/rjeczalik/notify/blob/master/LICENSE                                          MIT
 github.com/sergi/go-diff/diffmatchpatch                           https://github.com/sergi/go-diff/blob/master/diffmatchpatch/LICENSE                              MIT
 github.com/sirupsen/logrus                                        https://github.com/sirupsen/logrus/blob/master/LICENSE                                           MIT
+github.com/spf13/afero                                            https://github.com/spf13/afero/blob/master/LICENSE.txt                                           Apache-2.0
 github.com/spf13/cobra                                            https://github.com/spf13/cobra/blob/master/LICENSE.txt                                           Apache-2.0
 github.com/spf13/pflag                                            https://github.com/spf13/pflag/blob/master/LICENSE                                               BSD-3-Clause
 github.com/stoewer/go-strcase                                     https://github.com/stoewer/go-strcase/blob/master/LICENSE                                        MIT

cmd/compile/compile.go

@@ -71,7 +71,7 @@ func doRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to open directory %s: %w", args[0], err)
 	}
 
-	eng, err := engine.New(ctx, store)
+	eng, err := engine.NewEphemeral(ctx, store)
 	if err != nil {
 		compErr := new(compile.ErrorList)
 		if errors.As(err, compErr) {

docs/modules/ROOT/pages/quickstart.adoc

@@ -29,8 +29,9 @@ echo YOUR_API_KEY | docker login {app-container-registry} -u YOUR_USERNAME --pas
 docker run --rm --name cerbos -d -v $(pwd)/cerbos-quickstart/policies:/policies -p 3592:3592 {app-docker-img} 
 ----
 
-Launch a browser and navigate to http://localhost:3592/. You will be presented with a webpage with documentation about the Cerbos API.
-In the example request, the `bugs_bunny` principal is trying to perform two actions (`view:public` and `comment`) on two `album:object` resource instances. The resource instance with the ID `XX125` belongs to `bugs_bunny` and is private (`public` attribute is `false`). The other resource instance with the ID `XX225` belongs to `daffy_duck` and is public.
+Launch a browser and navigate to http://localhost:3592/. You will be presented with a webpage with documentation about the Cerbos API. Click on the `/api/check` endpoint to follow the rest of this quickstart guide.
+
+Click on btn:[Example] tab to view an example of a request you can make to Cerbos. In the example, the `bugs_bunny` principal is trying to perform two actions (`view:public` and `comment`) on two `album:object` resource instances. The resource instance with the ID `XX125` belongs to `bugs_bunny` and is private (`public` attribute is `false`). The other resource instance with the ID `XX225` belongs to `daffy_duck` and is public.
 
 Click on the btn:[Try] button to try out the example request.
 

docs/modules/configuration/pages/server.adoc

@@ -65,3 +65,14 @@ server:
 ----
 
 NOTE: For production use cases that require automatic certificate reloading, workload identities and other advanced features, we recommend running a proxy server such as link:https://www.envoyproxy.io[Envoy], link:https://github.com/ghostunnel/ghostunnel[Ghostunnel] or link:https://traefik.io[Traefik] in front of the Cerbos server. 
+
+
+== Enable Playground
+
+The Cerbos playground API is disabled by default. To enable it, set `playgroundEnabled` to `true`.
+
+[source,yaml,linenums]
+----
+server:
+  playgroundEnabled: true
+----

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/goreleaser/goreleaser v0.160.0
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.3.0
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.4.0
 	github.com/iancoleman/strcase v0.1.3 // indirect
 	github.com/kavu/go_reuseport v1.5.0
 	github.com/lyft/protoc-gen-star v0.5.3 // indirect
@@ -37,7 +37,7 @@ require (
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rjeczalik/notify v0.9.3-0.20201210012515-e2a77dcc14cf
 	github.com/rs/zerolog v1.20.0 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/afero v1.6.0
 	github.com/spf13/cobra v1.1.3
 	github.com/stretchr/testify v1.7.0
 	github.com/tidwall/sjson v1.1.6
@@ -51,8 +51,8 @@ require (
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
-	google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a
-	google.golang.org/grpc v1.37.0
+	google.golang.org/genproto v0.0.0-20210524142926-3e3a6030be83
+	google.golang.org/grpc v1.38.0
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0
 	google.golang.org/protobuf v1.26.0
 	gotest.tools/gotestsum v1.6.4

go.sum

@@ -599,8 +599,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.2/go.mod h1:vNeuVxBJEsws4ogUvrchl83t
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.12.1 h1:zCy2xE9ablevUOrUZc3Dl72Dt+ya2FNAvC2yLYMHzi4=
 github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.3.0 h1:IvO4FbbQL6n3v3M1rQNobZ61SGL0gJLdvKA5KETM7Xs=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.3.0/go.mod h1:d2gYTOTUQklu06xp0AJYYmRdTVU1VKrqhkYfYag2L08=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.4.0 h1:R+ZwHcCaBVMLvCQzo/lhJCYkjkL7G506oi2N8SIob/g=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.4.0/go.mod h1:IOyTYjcIO0rkmnGBfJTL0NJ11exy/Tc2QEuv7hCXp24=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
@@ -1378,8 +1378,8 @@ golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201203001011-0b49973bad19/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93 h1:alLDrZkL34Y2bnGHfvC1CYBRBXCXgx8AC2vY4MRtYX4=
-golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c h1:SgVl/sCtkicsS7psKkje4H9YtjdEl3xsYh7N+5TDHqY=
+golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1690,9 +1690,9 @@ google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201203001206-6486ece9c497/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210207032614-bba0dbe2a9ea/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210224155714-063164c882e6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a h1:tzkHckzMzgPr8SC4taTC3AldLr4+oJivSoq1xf/nhsc=
-google.golang.org/genproto v0.0.0-20210510173355-fb37daa5cd7a/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
+google.golang.org/genproto v0.0.0-20210426193834-eac7f76ac494/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
+google.golang.org/genproto v0.0.0-20210524142926-3e3a6030be83 h1:1RnejfrmpVDN9Cq4r1SXBxk74lYLP/w6wOu6NbETf0Y=
+google.golang.org/genproto v0.0.0-20210524142926-3e3a6030be83/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1718,11 +1718,11 @@ google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
 google.golang.org/grpc v1.35.0-dev.0.20201218190559-666aea1fb34c/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.37.0-dev.0.20210309003715-fce74a94bdff/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.0 h1:uSZWeQJX5j11bIQ4AJoj+McDBo29cY1MCoC1wO3ts+c=
 google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
+google.golang.org/grpc v1.38.0 h1:/9BgsAsa5nWe26HqOlvlgJnqBuktYOLCgjCPqsa56W0=
+google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.0.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0 h1:M1YKkFIboKNieVO5DLUEVzQfGwJD30Nv2jfUgzb5UcE=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=

hack/dev/conf.insecure.yaml

@@ -3,6 +3,7 @@ server:
   httpListenAddr: ":3592"
   grpcListenAddr: ":3593"
   logRequestPayloads: false
+  playgroundEnabled: true
 
 storage:
   driver: "disk"

hack/dev/conf.secure.yaml

@@ -3,6 +3,7 @@ server:
   httpListenAddr: ":3592"
   grpcListenAddr: ":3593"
   logRequestPayloads: false
+  playgroundEnabled: true
   tls:
     cert: hack/dev/tls.crt
     key: hack/dev/tls.key

hack/dev/dev.mk

@@ -1,6 +1,5 @@
 DEV_DIR := hack/dev
 PROTOSET := cerbos.bin
-CHECK_RESOURCE_SET_METHOD := svc.v1.CerbosService/CheckResourceSet
 GRPC_PORT := 3593
 HTTP_PORT := 3592
 
@@ -22,43 +21,101 @@ protoset: $(BUF)
 .PHONY: check-grpc
 check-grpc: $(GRPCURL)
 	@ $(foreach REQ_FILE,\
-		$(wildcard $(DEV_DIR)/requests/batch/*.json),\
+		$(wildcard $(DEV_DIR)/requests/check_resource_set/*.json),\
 		echo $(REQ_FILE); \
-		$(GRPCURL) -authority cerbos.local -insecure -d @ localhost:$(GRPC_PORT) $(CHECK_RESOURCE_SET_METHOD) < $(REQ_FILE);\
+		$(GRPCURL) -authority cerbos.local -insecure -d @ localhost:$(GRPC_PORT) svc.v1.CerbosService/CheckResourceSet < $(REQ_FILE);\
+		echo "";)
+
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/check_resource_batch/*.json),\
+		echo $(REQ_FILE); \
+		$(GRPCURL) -authority cerbos.local -insecure -d @ localhost:$(GRPC_PORT) svc.v1.CerbosService/CheckResourceBatch < $(REQ_FILE);\
+		echo "";)
+
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/playground/*.json),\
+		echo $(REQ_FILE); \
+		$(GRPCURL) -authority cerbos.local -insecure -d @ localhost:$(GRPC_PORT) svc.v1.CerbosPlaygroundService/Playground < $(REQ_FILE);\
 		echo "";)
 
 .PHONY: check-grpc-insecure
 check-grpc-insecure: $(GRPCURL)
 	@ $(foreach REQ_FILE,\
-		$(wildcard $(DEV_DIR)/requests/batch/*.json),\
+		$(wildcard $(DEV_DIR)/requests/check_resource_set/*.json),\
+		echo $(REQ_FILE); \
+		$(GRPCURL) -plaintext -d @ localhost:$(GRPC_PORT) svc.v1.CerbosService/CheckResourceSet < $(REQ_FILE);\
+		echo "";)
+
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/check_resource_batch/*.json),\
+		echo $(REQ_FILE); \
+		$(GRPCURL) -plaintext -d @ localhost:$(GRPC_PORT) svc.v1.CerbosService/CheckResourceBatch < $(REQ_FILE);\
+		echo "";)
+
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/playground/*.json),\
 		echo $(REQ_FILE); \
-		$(GRPCURL) -plaintext -d @ localhost:$(GRPC_PORT) $(CHECK_RESOURCE_SET_METHOD) < $(REQ_FILE);\
+		$(GRPCURL) -plaintext -d @ localhost:$(GRPC_PORT) svc.v1.CerbosPlaygroundService/Playground < $(REQ_FILE);\
 		echo "";)
 
 .PHONY: check-http
 check-http:
 	@ $(foreach REQ_FILE,\
-		$(wildcard $(DEV_DIR)/requests/batch/*.json),\
+		$(wildcard $(DEV_DIR)/requests/check_resource_set/*.json),\
 		echo "";\
 		echo $(REQ_FILE); \
 		curl -k https://localhost:$(HTTP_PORT)/api/check?pretty -d @$(REQ_FILE);\
 		echo "";)
 
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/check_resource_batch/*.json),\
+		echo "";\
+		echo $(REQ_FILE); \
+		curl -k https://localhost:$(HTTP_PORT)/api/x/check_resource_batch?pretty -d @$(REQ_FILE);\
+		echo "";)
+
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/playground/*.json),\
+		echo "";\
+		echo $(REQ_FILE); \
+		curl -k https://localhost:$(HTTP_PORT)/api/playground?pretty -d @$(REQ_FILE);\
+		echo "";)
+
 .PHONY: check-http-insecure
 check-http-insecure:
 	@ $(foreach REQ_FILE,\
-		$(wildcard $(DEV_DIR)/requests/batch/*.json),\
+		$(wildcard $(DEV_DIR)/requests/check_resource_set/*.json),\
 		echo "";\
 		echo $(REQ_FILE); \
 		curl http://localhost:$(HTTP_PORT)/api/check?pretty -d @$(REQ_FILE);\
 		echo "";)
 
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/check_resource_batch/*.json),\
+		echo "";\
+		echo $(REQ_FILE); \
+		curl http://localhost:$(HTTP_PORT)/api/x/check_resource_batch?pretty -d @$(REQ_FILE);\
+		echo "";)
+
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/playground/*.json),\
+		echo "";\
+		echo $(REQ_FILE); \
+		curl http://localhost:$(HTTP_PORT)/api/playground?pretty -d @$(REQ_FILE);\
+		echo "";)
+
 .PHONY: perf
 perf: $(GHZ)
 	@ $(foreach REQ_FILE,\
-		$(wildcard $(DEV_DIR)/requests/batch/*.json),\
+		$(wildcard $(DEV_DIR)/requests/check_resource_set/*.json),\
+		echo $(REQ_FILE); \
+		$(GHZ) --cname=cerbos.local --skipTLS -n 500 --call svc.v1.CerbosService/CheckResourceSet -D $(REQ_FILE) localhost:$(GRPC_PORT);\
+		echo "";)
+
+	@ $(foreach REQ_FILE,\
+		$(wildcard $(DEV_DIR)/requests/check_resource_batch/*.json),\
 		echo $(REQ_FILE); \
-		$(GHZ) --cname=cerbos.local -n 500 --call $(CHECK_RESOURCE_SET_METHOD) -D $(REQ_FILE) localhost:$(GRPC_PORT);\
+		$(GHZ) --cname=cerbos.local --skipTLS -n 500 --call svc.v1.CerbosService/CheckResourceBatch -D $(REQ_FILE) localhost:$(GRPC_PORT);\
 		echo "";)
 
 .PHONY: jaeger

hack/dev/requests/check_resource_batch/resource_batch.json

@@ -0,0 +1,55 @@
+{
+  "requestId": "test",
+  "principal": {
+    "id": "donald_duck",
+    "policyVersion": "20210210",
+    "roles": [
+      "employee"
+    ],
+    "attr": {
+      "department": "marketing",
+      "geography": "GB",
+      "team": "design"
+    }
+  },
+  "resources": [
+    {
+      "actions": [
+        "view:public",
+        "approve",
+        "create"
+      ],
+      "resource": {
+        "kind": "leave_request",
+        "policyVersion": "20210210",
+        "id": "XX125",
+        "attr": {
+          "department": "marketing",
+          "geography": "GB",
+          "id": "XX125",
+          "owner": "john",
+          "team": "design"
+        }
+      }
+    },
+    {
+      "actions": [
+        "view:public",
+        "approve",
+        "create"
+      ],
+      "resource": {
+        "kind": "leave_request",
+        "policyVersion": "20210210",
+        "id": "XX150",
+        "attr": {
+          "department": "marketing",
+          "geography": "GB",
+          "id": "XX125",
+          "owner": "mary",
+          "team": "design"
+        }
+      }
+    }
+  ]
+}

hack/dev/requests/playground/req1.json

@@ -0,0 +1,26 @@
+{
+    "playgroundId": "test",
+    "policyFiles": [
+        {
+            "fileName": "common_roles.yaml",
+            "contents": "LS0tCmFwaVZlcnNpb246ICJhcGkuY2VyYm9zLmRldi92MSIKZGVzY3JpcHRpb246IHwtCiAgQ29tbW9uIGR5bmFtaWMgcm9sZXMgdXNlZCB3aXRoaW4gdGhlIEFwYXRyIGFwcApkZXJpdmVkX3JvbGVzOgogIG5hbWU6IGFwYXRyX2NvbW1vbl9yb2xlcwogIGRlZmluaXRpb25zOgogICAgLSBuYW1lOiBvd25lcgogICAgICBwYXJlbnRSb2xlczogWyJ1c2VyIl0KICAgICAgY29uZGl0aW9uOgogICAgICAgIG1hdGNoOgogICAgICAgICAgZXhwcjogcmVxdWVzdC5yZXNvdXJjZS5hdHRyLm93bmVyID09IHJlcXVlc3QucHJpbmNpcGFsLmlkCgogICAgLSBuYW1lOiBhYnVzZV9tb2RlcmF0b3IKICAgICAgcGFyZW50Um9sZXM6IFsibW9kZXJhdG9yIl0KICAgICAgY29uZGl0aW9uOgogICAgICAgIG1hdGNoOgogICAgICAgICAgZXhwcjogcmVxdWVzdC5yZXNvdXJjZS5hdHRyLmZsYWdnZWQgPT0gdHJ1ZQo="
+        },
+        {
+            "fileName": "resource.yaml",
+            "contents": "LS0tCmFwaVZlcnNpb246IGFwaS5jZXJib3MuZGV2L3YxCnJlc291cmNlUG9saWN5OgogIHZlcnNpb246ICJkZWZhdWx0IgogIGltcG9ydERlcml2ZWRSb2xlczoKICAgIC0gYXBhdHJfY29tbW9uX3JvbGVzCiAgcmVzb3VyY2U6ICJhbGJ1bTpvYmplY3QiCiAgcnVsZXM6CiAgICAtIGFjdGlvbnM6IFsnKiddCiAgICAgIGVmZmVjdDogRUZGRUNUX0FMTE9XCiAgICAgIGRlcml2ZWRSb2xlczoKICAgICAgICAtIG93bmVyCgogICAgLSBhY3Rpb25zOiBbJ3ZpZXcnLCAnZmxhZyddCiAgICAgIGVmZmVjdDogRUZGRUNUX0FMTE9XCiAgICAgIHJvbGVzOgogICAgICAgIC0gdXNlcgogICAgICBjb25kaXRpb246CiAgICAgICAgbWF0Y2g6CiAgICAgICAgICBleHByOiByZXF1ZXN0LnJlc291cmNlLmF0dHIucHVibGljID09IHRydWUKCiAgICAtIGFjdGlvbnM6IFsndmlldycsICdkZWxldGUnXQogICAgICBlZmZlY3Q6IEVGRkVDVF9BTExPVwogICAgICBkZXJpdmVkUm9sZXM6CiAgICAgICAgLSBhYnVzZV9tb2RlcmF0b3IK"
+        }
+    ],
+    "actions": ["view", "delete"],
+    "principal": {
+        "id": "alicia",
+        "roles": ["user"]
+    },
+    "resource": {
+        "kind": "album:object",
+        "id": "XX125",
+        "attr": {
+            "owner": "alicia",
+            "public": false
+        }
+    }
+}

hack/dev/requests/playground/req2.json

@@ -0,0 +1,22 @@
+{
+    "playgroundId": "test",
+    "policyFiles": [
+        {
+            "fileName": "resource.yaml",
+            "contents": "LS0tCmFwaVZlcnNpb246IGFwaS5jZXJib3MuZGV2L3YxCnJlc291cmNlUG9saWN5OgogIHZlcnNpb246ICJkZWZhdWx0IgogIGltcG9ydERlcml2ZWRSb2xlczoKICAgIC0gYXBhdHJfY29tbW9uX3JvbGVzCiAgcmVzb3VyY2U6ICJhbGJ1bTpvYmplY3QiCiAgcnVsZXM6CiAgICAtIGFjdGlvbnM6IFsnKiddCiAgICAgIGVmZmVjdDogRUZGRUNUX0FMTE9XCiAgICAgIGRlcml2ZWRSb2xlczoKICAgICAgICAtIG93bmVyCgogICAgLSBhY3Rpb25zOiBbJ3ZpZXcnLCAnZmxhZyddCiAgICAgIGVmZmVjdDogRUZGRUNUX0FMTE9XCiAgICAgIHJvbGVzOgogICAgICAgIC0gdXNlcgogICAgICBjb25kaXRpb246CiAgICAgICAgbWF0Y2g6CiAgICAgICAgICBleHByOiByZXF1ZXN0LnJlc291cmNlLmF0dHIucHVibGljID09IHRydWUKCiAgICAtIGFjdGlvbnM6IFsndmlldycsICdkZWxldGUnXQogICAgICBlZmZlY3Q6IEVGRkVDVF9BTExPVwogICAgICBkZXJpdmVkUm9sZXM6CiAgICAgICAgLSBhYnVzZV9tb2RlcmF0b3IK"
+        }
+    ],
+    "actions": ["view", "delete"],
+    "principal": {
+        "id": "alicia",
+        "roles": ["user"]
+    },
+    "resource": {
+        "kind": "album:object",
+        "id": "XX125",
+        "attr": {
+            "owner": "alicia",
+            "public": false
+        }
+    }
+}