From 01a75645d4a1380c348e19269eb67d0dea41798f Mon Sep 17 00:00:00 2001 From: Patrik Date: Wed, 15 Jun 2022 17:19:38 +0200 Subject: [PATCH] chore: format (#882) --- .github/pull_request_template.md | 17 +-- .schema/README.md | 5 +- CODE_OF_CONDUCT.md | 66 ++++------ CONTRIBUTING.md | 208 ++++++++++++------------------- README.md | 82 +++++------- SECURITY.md | 11 +- UPGRADE.md | 162 ++++++++++-------------- docs/README.md | 3 +- package-lock.json | 14 +-- package.json | 9 +- proto/README.md | 10 +- proto/ory/keto/README.md | 12 +- 12 files changed, 232 insertions(+), 367 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 8125a1915..d8bcb167f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -38,18 +38,13 @@ If you're unsure about any of them, don't hesitate to ask. We're here to help! --> - [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md). -- [ ] I have referenced an issue containing the design document if my change - introduces a new feature. -- [ ] I am following the - [contributing code guidelines](../blob/master/CONTRIBUTING.md#contributing-code). +- [ ] I have referenced an issue containing the design document if my change introduces a new feature. +- [ ] I am following the [contributing code guidelines](../blob/master/CONTRIBUTING.md#contributing-code). - [ ] I have read the [security policy](../security/policy). -- [ ] I confirm that this pull request does not address a security - vulnerability. If this pull request addresses a security. vulnerability, I - confirm that I got green light (please contact - [security@ory.sh](mailto:security@ory.sh)) from the maintainers to push - the changes. -- [ ] I have added tests that prove my fix is effective or that my feature - works. +- [ ] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security. + vulnerability, I confirm that I got green light (please contact [security@ory.sh](mailto:security@ory.sh)) from the + maintainers to push the changes. +- [ ] I have added tests that prove my fix is effective or that my feature works. - [ ] I have added or changed [the documentation](https://github.com/ory/docs). ## Further Comments diff --git a/.schema/README.md b/.schema/README.md index 2de087297..245091ef8 100644 --- a/.schema/README.md +++ b/.schema/README.md 
@@ -1,5 +1,4 @@ The schemas in this directory are meant for external and public use. -The config schema is generated from the internal one at -`internal/driver/config/config.schema.json`, so in case of changes to the config -schema, please edit that internal schema instead. +The config schema is generated from the internal one at `internal/driver/config/config.schema.json`, so in case of changes to the +config schema, please edit that internal schema instead. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 2351896e4..f9ab1ecc4 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -2,17 +2,14 @@ ## Our Pledge -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, sex characteristics, gender identity and -expression, level of experience, education, socio-economic status, nationality, -personal appearance, race, religion, or sexual identity and orientation. +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation +in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, +sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal +appearance, race, religion, or sexual identity and orientation. ## Our Standards -Examples of behavior that contributes to creating a positive environment -include: +Examples of behavior that contributes to creating a positive environment include: - Using welcoming and inclusive language - Being respectful of differing viewpoints and experiences 
@@ -22,56 +19,43 @@ include: Examples of unacceptable behavior by participants include: -- The use of sexualized language or imagery and unwelcome sexual attention or - advances +- The use of sexualized language or imagery and unwelcome sexual attention or advances - Trolling, insulting/derogatory comments, and personal or political attacks - Public or private harassment -- Publishing others' private information, such as a physical or electronic - address, without explicit permission -- Other conduct which could reasonably be considered inappropriate in a - professional setting +- Publishing others' private information, such as a physical or electronic address, without explicit permission +- Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. +Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and +fair corrective action in response to any instances of unacceptable behavior. -Project maintainers have the right and responsibility to remove, edit, or reject -comments, commits, code, wiki edits, issues, and other contributions that are -not aligned to this Code of Conduct, or to ban temporarily or permanently any -contributor for other behaviors that they deem inappropriate, threatening, -offensive, or harmful. +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and +other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other +behaviors that they deem inappropriate, threatening, offensive, or harmful. 
## Scope -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. +This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its +community. Examples of representing a project or community include using an official project e-mail address, posting via an +official social media account, or acting as an appointed representative at an online or offline event. Representation of a project +may be further defined and clarified by project maintainers. ## Enforcement -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at office@ory.sh. All complaints will be -reviewed and investigated and will result in a response that is deemed necessary -and appropriate to the circumstances. The project team is obligated to maintain -confidentiality with regard to the reporter of an incident. Further details of -specific enforcement policies may be posted separately. +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at +office@ory.sh. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and +appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an +incident. Further details of specific enforcement policies may be posted separately. 
-Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. +Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions +as determined by other members of the project's leadership. ## Attribution -This Code of Conduct is adapted from the [Contributor Covenant][homepage], -version 1.4, available at +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html [homepage]: https://www.contributor-covenant.org -For answers to common questions about this code of conduct, see -https://www.contributor-covenant.org/faq +For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 19a370730..56c1c3636 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -28,46 +28,36 @@ https://github.com/ory/meta/blob/master/templates/repository/common/CONTRIBUTING ## Introduction -There are many ways in which you can contribute, beyond writing code. The goal -of this document is to provide a high-level overview of how you can get -involved. +There are many ways in which you can contribute, beyond writing code. The goal of this document is to provide a high-level +overview of how you can get involved. -_Please note_: We take Ory Keto's security and our users' trust very seriously. -If you believe you have found a security issue in Ory Keto, please responsibly -disclose by contacting us at security@ory.sh. +_Please note_: We take Ory Keto's security and our users' trust very seriously. If you believe you have found a security issue in +Ory Keto, please responsibly disclose by contacting us at security@ory.sh. -First: As a potential contributor, your changes and ideas are welcome at any -hour of the day or night, weekdays, weekends, and holidays. Please do not ever -hesitate to ask a question or send a pull request. +First: As a potential contributor, your changes and ideas are welcome at any hour of the day or night, weekdays, weekends, and +holidays. Please do not ever hesitate to ask a question or send a pull request. -If you are unsure, just ask or submit the issue or pull request anyways. You -won't be yelled at for giving it your best effort. The worst that can happen is -that you'll be politely asked to change something. We appreciate any sort of -contributions, and don't want a wall of rules to get in the way of that. +If you are unsure, just ask or submit the issue or pull request anyways. You won't be yelled at for giving it your best effort. +The worst that can happen is that you'll be politely asked to change something. We appreciate any sort of contributions, and don't +want a wall of rules to get in the way of that. -That said, if you want to ensure that a pull request is likely to be merged, -talk to us! 
You can find out our thoughts and ensure that your contribution -won't clash or be obviated by Ory Keto's normal direction. A great way to do -this is via [Ory Keto Discussions](https://github.com/ory/keto/discussions) or -the [Ory Chat](https://www.ory.sh/chat). +That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure +that your contribution won't clash or be obviated by Ory Keto's normal direction. A great way to do this is via +[Ory Keto Discussions](https://github.com/ory/keto/discussions) or the [Ory Chat](https://www.ory.sh/chat). ## FAQ - I am new to the community. Where can I find the [Ory Community Code of Conduct?](https://github.com/ory/keto/blob/master/CODE_OF_CONDUCT.md) -- I have a question. Where can I get - [answers to questions regarding Ory Keto?](#communication) +- I have a question. Where can I get [answers to questions regarding Ory Keto?](#communication) -- I would like to contribute but I am not sure how. Are there - [easy ways to contribute?](#how-can-i-contribute) +- I would like to contribute but I am not sure how. Are there [easy ways to contribute?](#how-can-i-contribute) [Or good first issues?](https://github.com/search?l=&o=desc&q=label%3A%22help+wanted%22+label%3A%22good+first+issue%22+is%3Aopen+user%3Aory+user%3Aory-corp&s=updated&type=Issues) -- I want to talk to other Ory Keto users. - [How can I become a part of the community?](#communication) +- I want to talk to other Ory Keto users. [How can I become a part of the community?](#communication) -- I would like to know what I am agreeing to when I contribute to Ory Keto. Does - Ory have +- I would like to know what I am agreeing to when I contribute to Ory Keto. Does Ory have [a Contributors License Agreement?](https://cla-assistant.io/ory/keto) - I would like updates about new versions of Ory Keto. 
@@ -78,137 +68,108 @@ the [Ory Chat](https://www.ory.sh/chat). If you want to start contributing code right away, we have a [list of good first issues](https://github.com/ory/keto/labels/good%20first%20issue). -There are many other ways you can contribute without writing any code. Here are -a few things you can do to help out: +There are many other ways you can contribute without writing any code. Here are a few things you can do to help out: -- **Give us a star.** It may not seem like much, but it really makes a - difference. This is something that everyone can do to help out Ory Keto. - Github stars help the project gain visibility and stand out. +- **Give us a star.** It may not seem like much, but it really makes a difference. This is something that everyone can do to help + out Ory Keto. Github stars help the project gain visibility and stand out. -- **Join the community.** Sometimes helping people can be as easy as listening - to their problems and offering a different perspective. Join our Slack, have a - look at discussions in the forum and take part in our weekly hangout. More - info on this in [Communication](#communication). +- **Join the community.** Sometimes helping people can be as easy as listening to their problems and offering a different + perspective. Join our Slack, have a look at discussions in the forum and take part in our weekly hangout. More info on this in + [Communication](#communication). -- **Helping with open issues.** We have a lot of open issues for Ory Keto and - some of them may lack necessary information, some are duplicates of older - issues. You can help out by guiding people through the process of filling out - the issue template, asking for clarifying information, or pointing them to - existing issues that match their description of the problem. +- **Helping with open issues.** We have a lot of open issues for Ory Keto and some of them may lack necessary information, some + are duplicates of older issues. 
You can help out by guiding people through the process of filling out the issue template, asking + for clarifying information, or pointing them to existing issues that match their description of the problem. -- **Reviewing documentation changes.** Most documentation just needs a review - for proper spelling and grammar. If you think a document can be improved in - any way, feel free to hit the `edit` button at the top of the page. More info - on contributing to documentation [here](#documentation). +- **Reviewing documentation changes.** Most documentation just needs a review for proper spelling and grammar. If you think a + document can be improved in any way, feel free to hit the `edit` button at the top of the page. More info on contributing to + documentation [here](#documentation). -- **Help with tests.** Some pull requests may lack proper tests or test plans. - These are needed for the change to be implemented safely. +- **Help with tests.** Some pull requests may lack proper tests or test plans. These are needed for the change to be implemented + safely. ## Communication -We use [Slack](https://www.ory.sh/chat). You are welcome to drop in and ask -questions, discuss bugs and feature requests, talk to other users of Ory, etc. +We use [Slack](https://www.ory.sh/chat). You are welcome to drop in and ask questions, discuss bugs and feature requests, talk to +other users of Ory, etc. -Check out [Ory Keto Discussions](https://github.com/ory/keto/discussions). This -is a great place for in-depth discussions and lots of code examples, logs and -similar data. +Check out [Ory Keto Discussions](https://github.com/ory/keto/discussions). This is a great place for in-depth discussions and lots +of code examples, logs and similar data. -You can also join our community hangout, if you want to speak to the Ory team -directly or ask some questions. You can find more info on the hangouts in -[Slack](https://www.ory.sh/chat). 
+You can also join our community hangout, if you want to speak to the Ory team directly or ask some questions. You can find more +info on the hangouts in [Slack](https://www.ory.sh/chat). -If you want to receive regular notifications about updates to Ory Keto, consider -joining the mailing list. We will _only_ send you vital information on the -projects that you are interested in. +If you want to receive regular notifications about updates to Ory Keto, consider joining the mailing list. We will _only_ send you +vital information on the projects that you are interested in. Also [follow us on twitter](https://twitter.com/orycorp). ## Contributing Code -Unless you are fixing a known bug, we **strongly** recommend discussing it with -the core team via a GitHub issue or [in our chat](https://www.ory.sh/chat) -before getting started to ensure your work is consistent with Ory Keto's roadmap -and architecture. +Unless you are fixing a known bug, we **strongly** recommend discussing it with the core team via a GitHub issue or +[in our chat](https://www.ory.sh/chat) before getting started to ensure your work is consistent with Ory Keto's roadmap and +architecture. -All contributions are made via pull requests. To make a pull request, you will -need a GitHub account; if you are unclear on this process, see GitHub's -documentation on [forking](https://help.github.com/articles/fork-a-repo) and -[pull requests](https://help.github.com/articles/using-pull-requests). Pull -requests should be targeted at the `master` branch. Before creating a pull -request, go through this checklist: +All contributions are made via pull requests. To make a pull request, you will need a GitHub account; if you are unclear on this +process, see GitHub's documentation on [forking](https://help.github.com/articles/fork-a-repo) and +[pull requests](https://help.github.com/articles/using-pull-requests). Pull requests should be targeted at the `master` branch. 
+Before creating a pull request, go through this checklist: 1. Create a feature branch off of `master` so that changes do not get mixed up. -1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local - changes against the `master` branch. -1. Run the full project test suite with the `go test -tags sqlite ./...` (or - equivalent) command and confirm that it passes. -1. Run `make format` if a `Makefile` is available, `gofmt -s` if the project is - written in Go, `npm run format` if the project is written for NodeJS. -1. Ensure that each commit has a descriptive prefix. This ensures a uniform - commit history and helps structure the changelog. - Please refer to this - [list of prefixes for Keto](https://github.com/ory/keto/blob/master/.github/semantic.yml) - for an overview. -1. Sign-up with CircleCI so that it has access to your repository with the - branch containing your PR. Simply creating a CircleCI account is sufficient - for the CI jobs to run, you do not need to setup a CircleCI project for the - branch. +1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local changes against the `master` branch. +1. Run the full project test suite with the `go test -tags sqlite ./...` (or equivalent) command and confirm that it passes. +1. Run `make format` if a `Makefile` is available, `gofmt -s` if the project is written in Go, `npm run format` if the project is + written for NodeJS. +1. Ensure that each commit has a descriptive prefix. This ensures a uniform commit history and helps structure the changelog. + Please refer to this [list of prefixes for Keto](https://github.com/ory/keto/blob/master/.github/semantic.yml) for an overview. +1. Sign-up with CircleCI so that it has access to your repository with the branch containing your PR. Simply creating a CircleCI + account is sufficient for the CI jobs to run, you do not need to setup a CircleCI project for the branch. 
If a pull request is not ready to be reviewed yet [it should be marked as a "Draft"](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request). -Before your contributions can be reviewed you need to sign our -[Contributor License Agreement](https://cla-assistant.io/ory/keto). +Before your contributions can be reviewed you need to sign our [Contributor License Agreement](https://cla-assistant.io/ory/keto). -This agreement defines the terms under which your code is contributed to Ory. -More specifically it declares that you have the right to, and actually do, grant -us the rights to use your contribution. You can see the Apache 2.0 license under -which our projects are published -[here](https://github.com/ory/meta/blob/master/LICENSE). +This agreement defines the terms under which your code is contributed to Ory. More specifically it declares that you have the +right to, and actually do, grant us the rights to use your contribution. You can see the Apache 2.0 license under which our +projects are published [here](https://github.com/ory/meta/blob/master/LICENSE). -When pull requests fail testing, authors are expected to update their pull -requests to address the failures until the tests pass. +When pull requests fail testing, authors are expected to update their pull requests to address the failures until the tests pass. Pull requests eligible for review 1. follow the repository's code formatting conventions; -2. include tests which prove that the change works as intended and does not add - regressions; +2. include tests which prove that the change works as intended and does not add regressions; 3. document the changes in the code and/or the project's documentation; 4. pass the CI pipeline; -5. have signed our - [Contributor License Agreement](https://cla-assistant.io/ory/keto); +5. have signed our [Contributor License Agreement](https://cla-assistant.io/ory/keto); 6. 
include a proper git commit message following the [Conventional Commit Specification](https://www.conventionalcommits.org/en/v1.0.0/). -If all of these items are checked, the pull request is ready to be reviewed and -you should change the status to "Ready for review" and +If all of these items are checked, the pull request is ready to be reviewed and you should change the status to "Ready for review" +and [request review from a maintainer](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review). Reviewers will approve the pull request once they are satisfied with the patch. ## Documentation -Please provide documentation when changing, removing, or adding features. -Documentation resides in the project's -[docs](https://github.com/ory/keto/tree/master/docs) folder. Generate API and -configuration reference documentation using `cd docs; npm run gen`. +Please provide documentation when changing, removing, or adding features. Documentation resides in the project's +[docs](https://github.com/ory/keto/tree/master/docs) folder. Generate API and configuration reference documentation using +`cd docs; npm run gen`. -For further instructions please head over to -[docs/README.md](https://github.com/ory/keto/blob/master/README.md). +For further instructions please head over to [docs/README.md](https://github.com/ory/keto/blob/master/README.md). ## Disclosing vulnerabilities -Please disclose vulnerabilities exclusively to -[security@ory.sh](mailto:security@ory.sh). Do not use GitHub issues. +Please disclose vulnerabilities exclusively to [security@ory.sh](mailto:security@ory.sh). Do not use GitHub issues. ## Code Style Please follow these guidelines when formatting source code: - Go code should match the output of `gofmt -s` and pass `golangci-lint run`. -- NodeJS and JavaScript code should be prettified using `npm run format` where - appropriate. 
+- NodeJS and JavaScript code should be prettified using `npm run format` where appropriate. ### Working with Forks 
@@ -239,25 +200,18 @@ Now go to the project's GitHub Pull Request page and click "New pull request" ## Conduct -Whether you are a regular contributor or a newcomer, we care about making this -community a safe place for you and we've got your back. +Whether you are a regular contributor or a newcomer, we care about making this community a safe place for you and we've got your +back. -- We are committed to providing a friendly, safe and welcoming environment for - all, regardless of gender, sexual orientation, disability, ethnicity, - religion, or similar personal characteristic. -- Please avoid using nicknames that might detract from a friendly, safe and - welcoming environment for all. +- We are committed to providing a friendly, safe and welcoming environment for all, regardless of gender, sexual orientation, + disability, ethnicity, religion, or similar personal characteristic. +- Please avoid using nicknames that might detract from a friendly, safe and welcoming environment for all. - Be kind and courteous. There is no need to be mean or rude. -- We will exclude you from interaction if you insult, demean or harass anyone. - In particular, we do not tolerate behavior that excludes people in socially - marginalized groups. -- Private harassment is also unacceptable. No matter who you are, if you feel - you have been or are being harassed or made uncomfortable by a community - member, please contact one of the channel ops or a member of the Ory Keto core - team immediately. -- Likewise any spamming, trolling, flaming, baiting or other attention-stealing - behaviour is not welcome. - -We welcome discussion about creating a welcoming, safe, and productive -environment for the community. If you have any questions, feedback, or concerns -[please let us know](https://www.ory.sh/chat). +- We will exclude you from interaction if you insult, demean or harass anyone. In particular, we do not tolerate behavior that + excludes people in socially marginalized groups. 
+- Private harassment is also unacceptable. No matter who you are, if you feel you have been or are being harassed or made + uncomfortable by a community member, please contact one of the channel ops or a member of the Ory Keto core team immediately. +- Likewise any spamming, trolling, flaming, baiting or other attention-stealing behaviour is not welcome. + +We welcome discussion about creating a welcoming, safe, and productive environment for the community. If you have any questions, +feedback, or concerns [please let us know](https://www.ory.sh/chat). diff --git a/README.md b/README.md index 15c79cbe8..b4859afe6 100644 --- a/README.md +++ b/README.md @@ -22,8 +22,7 @@

-Ory Keto is the first and most popular open source implementation of "Zanzibar: -Google's Consistent, Global Authorization System"! +Ory Keto is the first and most popular open source implementation of "Zanzibar: Google's Consistent, Global Authorization System"! ## Ory Cloud 
@@ -31,46 +30,35 @@ The easiest way to get started with Ory Software is in Ory Cloud! It is [**free for developers**](https://console.ory.sh/registration?utm_source=github&utm_medium=banner&utm_campaign=keto-readme), forever, no credit card required! -Ory Cloud has easy examples, administrative user interfaces, hosted pages (e.g. -for login or registration), support for custom domains, collaborative features -for your colleagues, and much more! +Ory Cloud has easy examples, administrative user interfaces, hosted pages (e.g. for login or registration), support for custom +domains, collaborative features for your colleagues, and much more! ### :mega: Community gets Ory Cloud for Free! :mega: -Ory community members get the Ory Cloud Start Up plan **free for six months**, -with all quality-of-life features available, such as custom domains and giving -your team members access. +Ory community members get the Ory Cloud Start Up plan **free for six months**, with all quality-of-life features available, such +as custom domains and giving your team members access. [Sign up with your GitHub account](https://console.ory.sh/registration?preferred_plan=start-up&utm_source=github&utm_medium=banner&utm_campaign=keto-readme-first900) -and use the coupon code **`FIRST900`** on the _"Start-Up Plan"_ checkout page to -claim your free project now! Make sure to be signed up to the -[Ory Community Slack](https://slack.ory.sh) when using the code! +and use the coupon code **`FIRST900`** on the _"Start-Up Plan"_ checkout page to claim your free project now! Make sure to be +signed up to the [Ory Community Slack](https://slack.ory.sh) when using the code! ### Google's Zanzibar -> Determining whether online users are authorized to access digital objects is -> central to preserving privacy. This paper presents the design, implementation, -> and deployment of Zanzibar, a global system for storing and evaluating access -> control lists. 
Zanzibar provides a uniform data model and configuration -> language for expressing a wide range of access control policies from hundreds -> of client services at Google, including Calendar, Cloud, Drive, Maps, Photos, -> and YouTube. Its authorization decisions respect causal ordering of user -> actions and thus provide external consistency amid changes to access control -> lists and object contents. Zanzibar scales to trillions of access control -> lists and millions of authorization requests per second to support services -> used by billions of people. It has maintained 95th-percentile latency of less -> than 10 milliseconds and availability of greater than 99.999% over 3 years of -> production use. +> Determining whether online users are authorized to access digital objects is central to preserving privacy. This paper presents +> the design, implementation, and deployment of Zanzibar, a global system for storing and evaluating access control lists. +> Zanzibar provides a uniform data model and configuration language for expressing a wide range of access control policies from +> hundreds of client services at Google, including Calendar, Cloud, Drive, Maps, Photos, and YouTube. Its authorization decisions +> respect causal ordering of user actions and thus provide external consistency amid changes to access control lists and object +> contents. Zanzibar scales to trillions of access control lists and millions of authorization requests per second to support +> services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of +> greater than 99.999% over 3 years of production use. > > [Source](https://research.google/pubs/pub48190/) -If you need to know if a user (or robot, car, service) is allowed to do -something - Ory Keto is the right fit for you. +If you need to know if a user (or robot, car, service) is allowed to do something - Ory Keto is the right fit for you. 
-Currently, Ory Keto implements the basic API contracts for managing and checking -relations ("permissions") with HTTP and gRPC APIs. Future versions will include -features such as userset rewrites (e.g. RBAC-style role-permission models), -Zookies, and more. An overview of what is implemented and upcoming can be found -at +Currently, Ory Keto implements the basic API contracts for managing and checking relations ("permissions") with HTTP and gRPC +APIs. Future versions will include features such as userset rewrites (e.g. RBAC-style role-permission models), Zookies, and more. +An overview of what is implemented and upcoming can be found at [Implemented and Planned Features](https://www.ory.sh/keto/docs/next/implemented-planned-features). --- @@ -294,8 +282,7 @@ Kennedy, Drozzy, Edwin Trejos, Howard Edidin, Ken Adler Oz Haven, Stefan Hans, T ### Installation -Head over to the documentation to learn about ways of -[installing ORY Keto](https://www.ory.sh/docs/next/keto/install). +Head over to the documentation to learn about ways of [installing ORY Keto](https://www.ory.sh/docs/next/keto/install). ## Ecosystem @@ -344,14 +331,13 @@ on a resource. ### Disclosing Vulnerabilities -If you think you found a security vulnerability, please refrain from posting it -publicly on the forums, the chat, or GitHub and send us an email to -[hi@ory.am](mailto:hi@ory.am) instead. +If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub and +send us an email to [hi@ory.am](mailto:hi@ory.am) instead. ## Telemetry -Our services collect summarized, anonymized data which can optionally be turned -off. Click [here](https://www.ory.sh/docs/ecosystem/sqa) to learn more. +Our services collect summarized, anonymized data which can optionally be turned off. Click +[here](https://www.ory.sh/docs/ecosystem/sqa) to learn more. ### Guide 
@@ -363,8 +349,7 @@ The HTTP API is documented [here](https://www.ory.sh/docs/next/keto/sdk/api). ### Upgrading and Changelog -New releases might introduce breaking changes. To help you identify and -incorporate those changes, we document these changes in +New releases might introduce breaking changes. To help you identify and incorporate those changes, we document these changes in [UPGRADE.md](./UPGRADE.md) and [CHANGELOG.md](./CHANGELOG.md). ### Command Line Documentation @@ -373,8 +358,7 @@ Run `keto -h` or `keto help`. ### Develop -We encourage all contributions and recommend you read our -[contribution guidelines](./CONTRIBUTING.md). +We encourage all contributions and recommend you read our [contribution guidelines](./CONTRIBUTING.md). #### Dependencies @@ -384,8 +368,7 @@ You need Go 1.16+ and (for the test suites): - GNU Make 4.3 - NodeJS / npm@v7 -It is possible to develop ORY Keto on Windows, but please be aware that all -guides assume a Unix shell like bash or zsh. +It is possible to develop ORY Keto on Windows, but please be aware that all guides assume a Unix shell like bash or zsh. #### Install From Source @@ -395,8 +378,7 @@ make install #### Formatting Code -You can format all code using make format. Our -CI checks if your code is properly formatted. +You can format all code using make format. Our CI checks if your code is properly formatted. #### Running Tests 
@@ -421,11 +403,9 @@ go test -tags sqlite -short ./internal/check/... ##### Regular Tests -Regular tests require a database set up. Our test suite is able to work with -docker directly (using [ory/dockertest](https://github.com/ory/dockertest)) but -we encourage to use the script instead. Using dockertest can bloat the number of -Docker Images on your system and starting them on each run is quite slow. -Instead we recommend doing: +Regular tests require a database set up. Our test suite is able to work with docker directly (using +[ory/dockertest](https://github.com/ory/dockertest)) but we encourage to use the script instead. Using dockertest can bloat the +number of Docker Images on your system and starting them on each run is quite slow. Instead we recommend doing: ```shell source ./scripts/test-resetdb.sh diff --git a/SECURITY.md b/SECURITY.md index 70f1ef4dd..8152c97a5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -21,8 +21,8 @@ https://github.com/ory/meta/blob/master/templates/repository/SECURITY.md ## Supported Versions -We release patches for security vulnerabilities. Which versions are eligible -receiving such patches depend on the CVSS v3.0 Rating: +We release patches for security vulnerabilities. Which versions are eligible receiving such patches depend on the CVSS v3.0 +Rating: | CVSS v3.0 | Supported Versions | | --------- | ----------------------------------------- | 
@@ -31,7 +31,6 @@ receiving such patches depend on the CVSS v3.0 Rating: ## Reporting a Vulnerability -Please report (suspected) security vulnerabilities to -**[security@ory.sh](mailto:security@ory.sh)**. You will receive a response from -us within 48 hours. If the issue is confirmed, we will release a patch as soon -as possible depending on complexity but historically within a few days. +Please report (suspected) security vulnerabilities to **[security@ory.sh](mailto:security@ory.sh)**. You will receive a response +from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but +historically within a few days. diff --git a/UPGRADE.md b/UPGRADE.md index 321a3e57c..0f31fab89 100644 --- a/UPGRADE.md +++ b/UPGRADE.md @@ -1,9 +1,8 @@ # Upgrading -The intent of this document is to make migration of breaking changes as easy as -possible. Please note that not all breaking changes might be included here. -Please check the [CHANGELOG.md](./CHANGELOG.md) for a full list of changes -before finalizing the upgrade process. +The intent of this document is to make migration of breaking changes as easy as possible. Please note that not all breaking +changes might be included here. Please check the [CHANGELOG.md](./CHANGELOG.md) for a full list of changes before finalizing the +upgrade process. @@ -32,9 +31,8 @@ before finalizing the upgrade process. ## 0.4.0-sandbox -This release focuses on a rework of the SDK pipeline. First of all, we have -introduced new SDKs for all popular programming languages and published them on -their respective package repositories: +This release focuses on a rework of the SDK pipeline. First of all, we have introduced new SDKs for all popular programming +languages and published them on their respective package repositories: - [Python](https://pypi.org/project/ory-keto-client/) - [PHP](https://packagist.org/packages/ory/keto-client) 
@@ -43,46 +41,38 @@ their respective package repositories: - [Java](https://search.maven.org/artifact/sh.ory.keto/keto-client) - [Ruby](https://rubygems.org/gems/ory-keto-client) -The SDKs hosted in this repository (under ./sdk/...) have been completely -removed. Please use only the SDKs from the above sources from now on as it will -also remove several issues that were caused by the previous SDK pipeline. +The SDKs hosted in this repository (under ./sdk/...) have been completely removed. Please use only the SDKs from the above sources +from now on as it will also remove several issues that were caused by the previous SDK pipeline. Unfortunately, there were breaking changes introduced by the new SDK generation: -- Several structs and fields have been renamed in the Go SDK. However, nothing - else changed so upgrading should be a matter of half an hour if you made - extensive use of the SDK, or several minutes if just one or two methods are - being used. -- All other SDKs changed to `openapi-generator`, which is a better maintained - generator that creates better code than the one previously used. This - manifests in TypeScript definitions for the NodeJS SDK and several other - goodies. We do not have a proper migration path for those, unfortunately. +- Several structs and fields have been renamed in the Go SDK. However, nothing else changed so upgrading should be a matter of + half an hour if you made extensive use of the SDK, or several minutes if just one or two methods are being used. +- All other SDKs changed to `openapi-generator`, which is a better maintained generator that creates better code than the one + previously used. This manifests in TypeScript definitions for the NodeJS SDK and several other goodies. We do not have a proper + migration path for those, unfortunately. -If you have issues with upgrading the SDK, please let us know in an issue on -this repository! 
+If you have issues with upgrading the SDK, please let us know in an issue on this repository! ## 0.3.0-sandbox ### Configuration -The configuration management was updated and now allows configuration via a -config file. Environment variables can still be used to configure ORY Keto but -have been updated. However, old env vars still work but will yield a warning. +The configuration management was updated and now allows configuration via a config file. Environment variables can still be used +to configure ORY Keto but have been updated. However, old env vars still work but will yield a warning. An overview of an exemplary configuration file can be found in [./docs/config.yml](https://github.com/ory/hydra/blob/master/docs/config.yaml). ### ORY Access Control Policies Allowed Endpoint -Endpoint `/engines/acp/ory/{flavor}/allowed` now returns a 403 error when the -request is disallowed. +Endpoint `/engines/acp/ory/{flavor}/allowed` now returns a 403 error when the request is disallowed. ### SDK -Generation of the Go SDK has moved from -[`swagger-codegen`](https://github.com/swagger-api/swagger-codegen) to -[`go-swagger`](https://github.com/go-swagger/go-swagger). If you wish to migrate -your existing SDK integration please open an issue. +Generation of the Go SDK has moved from [`swagger-codegen`](https://github.com/swagger-api/swagger-codegen) to +[`go-swagger`](https://github.com/go-swagger/go-swagger). If you wish to migrate your existing SDK integration please open an +issue. ## 0.2.0-sandbox 
@@ -90,18 +80,14 @@ ORY Keto has been completely reworked. The major goals of this refactoring are: 1. To allow easy extension of existing access control mechanisms. 2. Improve stability and responsiveness. -3. Support more than one access control mechanism. Future mechanisms include: - RBAC, ACL, AWS IAM Policies, ... +3. Support more than one access control mechanism. Future mechanisms include: RBAC, ACL, AWS IAM Policies, ... -We know that these changes seem massive. They are, but they will benefit the -long-term use of this particular piece of software, and they will allow you to -build better systems. +We know that these changes seem massive. They are, but they will benefit the long-term use of this particular piece of software, +and they will allow you to build better systems. -If you relied on ORY Keto before this release and you are looking for a -migration path, don't hesitate to ask in [the forums](https://community.ory.sh/) -or open a [GitHub issue](https://github.com/ory/keto/issues/new/). Feel free to -do the same if you want the access control policy feature implemented in ORY -Hydra before version `1.0.0`. +If you relied on ORY Keto before this release and you are looking for a migration path, don't hesitate to ask in +[the forums](https://community.ory.sh/) or open a [GitHub issue](https://github.com/ory/keto/issues/new/). Feel free to do the +same if you want the access control policy feature implemented in ORY Hydra before version `1.0.0`. ### Conceptual changes 
@@ -116,13 +102,10 @@ The following things have been completely deprecated: The following things have changed: -1. ORY Keto no longer uses ORY Ladon as the engine but instead relies on the - [Open Policy Agent](http://openpolicyagent.org/). The concept of ORY Ladon - Access Policies are working exactly like before, the internal logic however - was rewritten in Rego. +1. ORY Keto no longer uses ORY Ladon as the engine but instead relies on the [Open Policy Agent](http://openpolicyagent.org/). The + concept of ORY Ladon Access Policies are working exactly like before, the internal logic however was rewritten in Rego. 2. The "Warden" concept has been deprecated and replaced. -3. The CLI commands have changed - apart from `serve`, `version`, - `migrate sql` - entirely. +3. The CLI commands have changed - apart from `serve`, `version`, `migrate sql` - entirely. 4. The API has changed (read the next section for information on this). 5. Environment variables changed or have been removed. 
@@ -137,85 +120,66 @@ The following things have been added: The following things remain conceptually untouched: -1. ORY (Ladon) Access Control Policies with `regex` string `matching-strategy`. - This is the logic that ORY Ladon and previous versions of ORY Keto implement. +1. ORY (Ladon) Access Control Policies with `regex` string `matching-strategy`. This is the logic that ORY Ladon and previous + versions of ORY Keto implement. ### API Changes #### Renamed Endpoints -- `GET,PUT,POST,DELETE /policies[/]` moved to - `/engines/acp/ory//policies[/]`. - - `POST /policies` has been deprecated and merged with `PUT /policies/` - which is now available at - `PUT /engines/acp/ory//policies` and will upsert (insert - or update) the policy identified by the `id` field in the JSON payload. - - The request & response payloads **did not change** nor did any of the - concepts. -- `GET,PUT,POST,DELETE /roles[/]` moved to - `/engines/acp/ory//roles[/]`. - - `POST /roles` has been deprecated and merged with `PUT /roles/` which is - now available at `PUT /engines/acp/ory//policies` and - will upsert (insert or update) the role identified by the `id` field in the - JSON payload. - - The request & response payloads **did not change** nor did any of the - concepts. -- `POST,GET /roles//members` move to - `/engines/acp/ory//roles//members`. - - `POST /roles` has been moved to - `PUT /engines/acp/ory//policies//members` and will - upsert (insert or update) the role identified by the `id` field in the URL - path. - - The request & response payloads **did not change** nor did any of the - concepts. +- `GET,PUT,POST,DELETE /policies[/]` moved to `/engines/acp/ory//policies[/]`. + - `POST /policies` has been deprecated and merged with `PUT /policies/` which is now available at + `PUT /engines/acp/ory//policies` and will upsert (insert or update) the policy identified by the `id` field + in the JSON payload. + - The request & response payloads **did not change** nor did any of the concepts. 
+- `GET,PUT,POST,DELETE /roles[/]` moved to `/engines/acp/ory//roles[/]`. + - `POST /roles` has been deprecated and merged with `PUT /roles/` which is now available at + `PUT /engines/acp/ory//policies` and will upsert (insert or update) the role identified by the `id` field + in the JSON payload. + - The request & response payloads **did not change** nor did any of the concepts. +- `POST,GET /roles//members` move to `/engines/acp/ory//roles//members`. + - `POST /roles` has been moved to `PUT /engines/acp/ory//policies//members` and will upsert (insert or + update) the role identified by the `id` field in the URL path. + - The request & response payloads **did not change** nor did any of the concepts. #### Reworked Endpoints -The Warden concept has been deprecated. Previously, it was possible to send -credentials alongside requests for prior authentication. This concept interfered -with the clear boundary ORY Keto is focusing on, which is permissioning -concepts. +The Warden concept has been deprecated. Previously, it was possible to send credentials alongside requests for prior +authentication. This concept interfered with the clear boundary ORY Keto is focusing on, which is permissioning concepts. The Warden API featured endpoints such as: -- `/warden/oauth2/access-tokens/authorize`: Permformed OAuth 2.0 Token - Introspection on the `token` field, took the `sub` value of the introspection - and used that as input to ORY (Ladon) Access Control Policies. -- `/warden/oauth2/clients/authorize`: Validated the HTTP Basic Authorization - Header using the OAuth 2.0 Client Credentials grant and took the `username` - value of the HTTP Basic Authorization Header and used that as input to ORY - (Ladon) Access Control Policies. +- `/warden/oauth2/access-tokens/authorize`: Permformed OAuth 2.0 Token Introspection on the `token` field, took the `sub` value of + the introspection and used that as input to ORY (Ladon) Access Control Policies. 
+- `/warden/oauth2/clients/authorize`: Validated the HTTP Basic Authorization Header using the OAuth 2.0 Client Credentials grant + and took the `username` value of the HTTP Basic Authorization Header and used that as input to ORY (Ladon) Access Control + Policies. -These endpoints have been deprecated without replacement. Another endpoint was -`/warden/subjects/authorize` which used the format -`{ "subject": "peter", "action": "delete", "resource": "something:valuable" }` -as syntax. This endpoint is available in the exact same format at -`/engines/acp/ory//allowed`. +These endpoints have been deprecated without replacement. Another endpoint was `/warden/subjects/authorize` which used the format +`{ "subject": "peter", "action": "delete", "resource": "something:valuable" }` as syntax. This endpoint is available in the exact +same format at `/engines/acp/ory//allowed`. #### New Endpoints - `GET /version`: Returns the running software version. -- `GET /health/ready`: Returns `{"status": "ok"}` with a 200 HTTP response if - the service is ready to accept connections and handle data. -- `GET /health/alive`: Returns `{"status": "ok"}` with a 200 HTTP response if - the service is ready to accept connections. +- `GET /health/ready`: Returns `{"status": "ok"}` with a 200 HTTP response if the service is ready to accept connections and + handle data. +- `GET /health/alive`: Returns `{"status": "ok"}` with a 200 HTTP response if the service is ready to accept connections. ### Migration -If you relied on ORY Keto before this release and you are looking for a -migration path, don't hesitate to [contact us](mailto:hi@ory.sh). We will help -you migrate and improve this guide as we see more migration use cases. +If you relied on ORY Keto before this release and you are looking for a migration path, don't hesitate to +[contact us](mailto:hi@ory.sh). We will help you migrate and improve this guide as we see more migration use cases. 
#### SQL -The SQL schema changed completely and it is not possible to migrate from the -previous version to this version with just using `keto migrate sql`. Please ask -in [the forums](https://community.ory.sh/) or open a +The SQL schema changed completely and it is not possible to migrate from the previous version to this version with just using +`keto migrate sql`. Please ask in [the forums](https://community.ory.sh/) or open a [GitHub issue](https://github.com/ory/keto/issues/new/) if this affects you. ## 0.0.1 ### CORS is disabled by default -A new environment variable `CORS_ENABLED` was introduced. It sets whether CORS -is enabled ("true") or not ("false")". Default is disabled. +A new environment variable `CORS_ENABLED` was introduced. It sets whether CORS is enabled ("true") or not ("false")". Default is +disabled. diff --git a/docs/README.md b/docs/README.md index 7da9b86a8..980bdbb06 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,7 +1,6 @@ # Documentation -Please find the documentation at -[www.ory.sh/docs/keto](https://www.ory.sh/docs/keto). +Please find the documentation at [www.ory.sh/docs/keto](https://www.ory.sh/docs/keto). To contribute to the documentation, please head over to: [github.com/ory/docs/tree/master/docs/keto](https://github.com/ory/docs/tree/master/docs/keto) diff --git a/package-lock.json b/package-lock.json index 6521fc602..d697ab61d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -16,7 +16,7 @@ "devDependencies": { "doctoc": "^2.0.1", "opencollective": "^1.0.3", - "ory-prettier-styles": "^1.1.2", + "ory-prettier-styles": "^1.2.0", "prettier": "2.5.1" } }, 
@@ -2144,9 +2144,9 @@ } }, "node_modules/ory-prettier-styles": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.1.2.tgz", - "integrity": "sha512-J7YcNdGlfTKCXAHEoFl9lp5EhnIASGgM5ua9Y+8OdWtS9tXJTik5xFYCF6xS46tpI3sk8cxFguKWhZeaeb6Z/A==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.2.0.tgz", + "integrity": "sha512-0kt+p6sy55XGtLkgcy4LC0vjOrRL3GbkJ8y95Ad7biguWWX/83w4N8ILFo0kJb8/CN9K4LuM51gsN5GdAuWcWg==", "dev": true }, "node_modules/os-tmpdir": { @@ -4459,9 +4459,9 @@ } }, "ory-prettier-styles": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.1.2.tgz", - "integrity": "sha512-J7YcNdGlfTKCXAHEoFl9lp5EhnIASGgM5ua9Y+8OdWtS9tXJTik5xFYCF6xS46tpI3sk8cxFguKWhZeaeb6Z/A==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.2.0.tgz", + "integrity": "sha512-0kt+p6sy55XGtLkgcy4LC0vjOrRL3GbkJ8y95Ad7biguWWX/83w4N8ILFo0kJb8/CN9K4LuM51gsN5GdAuWcWg==", "dev": true }, "os-tmpdir": { diff --git a/package.json b/package.json index a80a003fd..745d1bb4b 100644 --- a/package.json +++ b/package.json @@ -7,13 +7,10 @@ "fs": false }, "prettier": "ory-prettier-styles", - "config": { - "prettierTarget": "." - }, "devDependencies": { "doctoc": "^2.0.1", "opencollective": "^1.0.3", - "ory-prettier-styles": "^1.1.2", + "ory-prettier-styles": "^1.2.0", "prettier": "2.5.1" }, "collective": { @@ -28,8 +25,8 @@ }, "scripts": { "doctoc": "doctoc README.md", - "format": "prettier --write ${npm_package_config_prettierTarget}", - "format:check": "prettier --check ${npm_package_config_prettierTarget}", + "format": "prettier --write .", + "format:check": "prettier --check .", "openapi-generator-cli": "openapi-generator-cli" } } diff --git a/proto/README.md b/proto/README.md index 88f25c77d..8d06a576a 100644 --- a/proto/README.md +++ b/proto/README.md 
@@ -1,10 +1,8 @@ # Ory Keto gRPC Client -This package provides the generated gRPC client for -[Ory Keto](https://ory.sh/keto). Go to +This package provides the generated gRPC client for [Ory Keto](https://ory.sh/keto). Go to [the documentation](https://ory.sh/keto/docs) to learn more -The protocol buffer compiler, `protoc`, is used to compile `.proto` files, which -contain service and message definitions. Go to -[the gRPC documentation](https://grpc.io/docs/protoc-installation/#install-pre-compiled-binaries-any-os) -for installation instructions. +The protocol buffer compiler, `protoc`, is used to compile `.proto` files, which contain service and message definitions. Go to +[the gRPC documentation](https://grpc.io/docs/protoc-installation/#install-pre-compiled-binaries-any-os) for installation +instructions. diff --git a/proto/ory/keto/README.md b/proto/ory/keto/README.md index ba8b9fd0d..7b8d442e0 100644 --- a/proto/ory/keto/README.md +++ b/proto/ory/keto/README.md @@ -1,16 +1,12 @@ # Notes -> ORY Keto is still a `sandbox` project and the included APIs are unstable until -> we reach `v1` and release `v1.0.0` of Keto! +> ORY Keto is still a `sandbox` project and the included APIs are unstable until we reach `v1` and release `v1.0.0` of Keto! > -> Older API versions, such as `v1alpha2`, will still get support for a -> reasonable amount of time after release of `v1`! +> Older API versions, such as `v1alpha2`, will still get support for a reasonable amount of time after release of `v1`! -This directory contains the ProtoBuf & gRPC definitions for the Access Control -APIs. +This directory contains the ProtoBuf & gRPC definitions for the Access Control APIs. -**ACL is the flexible and scalable "base system" all other access control -schemes built upon.** +**ACL is the flexible and scalable "base system" all other access control schemes built upon.** ## Directory layout
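Review bot: In package.json and package-lock.json, the bump of `ory-prettier-styles` from `^1.1.2` to `^1.2.0` sits among the Markdown rewraps and is easy to miss in review. Land it as its own commit, or at least name it in the commit message, so the new `resolved` URL and `integrity` hash are looked at as a dependency update. `prettier` is pinned exactly at `2.5.1` while the shared config keeps a caret range, so CI should install from the lockfile (`npm ci`) to keep both the formatter output and the verified hash stable.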
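Review bot: The rewrapped "Disclosing Vulnerabilities" paragraph in README.md still tells reporters to write to `hi@ory.am`, while the "Reporting a Vulnerability" paragraph in SECURITY.md, rewrapped in the same patch, names `security@ory.sh` and a 48-hour response. Since both paragraphs are touched here, point the README at SECURITY.md (or use the same address) so reporters see a single disclosure channel.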
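Review bot: In the "Renamed Endpoints" list of UPGRADE.md, the `/roles` bullets still say the merged endpoint is `PUT /engines/acp/ory//policies` and the members bullet says `PUT /engines/acp/ory//policies//members`, which looks like a copy-paste from the policies bullet rather than the `/roles` paths named on the parent lines. The rewrap carries this over unchanged, together with "Permformed" in the Warden section and the stray quote in `("false")"` under `CORS_ENABLED`. Keeping a format-only change free of content edits is reasonable, but these deserve a follow-up fix, since the list is what operators read to find the new authorization endpoints.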