From 4e7ff70b548dc3dad7e8d0f87a64fdee8ee47794 Mon Sep 17 00:00:00 2001
From: aman
Date: Tue, 24 Mar 2026 11:43:08 +0530
Subject: [PATCH 1/2] refactor: PAT scope restructure
---
raystack/frontier/v1beta1/frontier.proto | 20 ++++++++------------
raystack/frontier/v1beta1/models.proto | 18 ++++++++++++++++--
2 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/raystack/frontier/v1beta1/frontier.proto b/raystack/frontier/v1beta1/frontier.proto
index 762c34ad..88aaadb2 100644
--- a/raystack/frontier/v1beta1/frontier.proto
+++ b/raystack/frontier/v1beta1/frontier.proto
@@ -2852,14 +2852,12 @@ message CreateCurrentUserPATRequest { (validate.rules).string.uuid = true, (google.api.field_behavior) = REQUIRED ]; - // Role ids to scope the PAT to - repeated string role_ids = 3 [ + reserved 3, 4; + // Role-scope assignments for the PAT + repeated PATScope scopes = 7 [ (google.api.field_behavior) = REQUIRED, - (validate.rules).repeated = {min_items: 1}, - (validate.rules).repeated.items.string.uuid = true + (validate.rules).repeated = {min_items: 1} ]; - // For project-scoped roles: empty = all projects, non-empty = specific projects - repeated string project_ids = 4 [(validate.rules).repeated.items.string.uuid = true]; google.protobuf.Timestamp expires_at = 5 [(google.api.field_behavior) = REQUIRED]; google.protobuf.Struct metadata = 6; }
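Review bot: `reserved 3, 4;` retires the field numbers of `role_ids` and `project_ids` but not their names, so a later field could reuse either name and silently take over the JSON key and generated accessors that older clients still send; add `reserved "role_ids", "project_ids";` beside it. The new `scopes` list keeps `min_items: 1` but gains no upper bound, so an authenticated caller can submit an arbitrarily long scope list per request; a `max_items` in the same `(validate.rules).repeated` rule would bound it at the edge. Note that `(google.api.field_behavior) = REQUIRED` is a documentation annotation and not a rule protoc-gen-validate checks, so presence of `scopes` is guaranteed only by the `min_items: 1` rule, which is worth keeping in mind if that rule is ever relaxed.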
@@ -2918,14 +2916,12 @@ message UpdateCurrentUserPATRequest { (validate.rules).string.min_len = 1, (google.api.field_behavior) = REQUIRED ]; - // Role ids to scope the PAT to - repeated string role_ids = 3 [ + reserved 3, 4; + // Role-scope assignments for the PAT + repeated PATScope scopes = 6 [ (google.api.field_behavior) = REQUIRED, - (validate.rules).repeated = {min_items: 1}, - (validate.rules).repeated.items.string.uuid = true + (validate.rules).repeated = {min_items: 1} ]; - // For project-scoped roles: empty = all projects, non-empty = specific projects - repeated string project_ids = 4 [(validate.rules).repeated.items.string.uuid = true]; google.protobuf.Struct metadata = 5; }
diff --git a/raystack/frontier/v1beta1/models.proto b/raystack/frontier/v1beta1/models.proto
index d2954965..7b0bcf3a 100644
--- a/raystack/frontier/v1beta1/models.proto
+++ b/raystack/frontier/v1beta1/models.proto
@@ -270,6 +270,20 @@ message ServiceUserToken { google.protobuf.Timestamp created_at = 4; } +// PATScope pairs a role with its scope and optional resource IDs. +message PATScope { + string role_id = 1 [ + (validate.rules).string.uuid = true, + (google.api.field_behavior) = REQUIRED + ]; + // Scope namespace: "app/organization" or "app/project" + string scope = 2 [ + (google.api.field_behavior) = REQUIRED + ]; + // Specific resource UUIDs within the scope (optional) + repeated string resource_ids = 3 [(validate.rules).repeated.items.string.uuid = true]; +} + message PAT { string id = 1; string title = 2;
@@ -280,8 +294,8 @@ message PAT { // this value is never persisted in the system so if lost, can't be recovered string token = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; - repeated string role_ids = 6; - repeated string project_ids = 7; + reserved 6, 7; + repeated PATScope scopes = 8; google.protobuf.Timestamp expires_at = 10; google.protobuf.Timestamp last_used_at = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
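Review bot: `scopes` on UpdateCurrentUserPATRequest lets the holder of an already-issued token change which roles and resources it carries, and the field comment does not say whether the new list replaces or is merged into the existing assignments; state it on the field, e.g. `// Role-scope assignments for the PAT; replaces the existing set` if replacement is intended. If the token string is not rotated on update (the `token` note in models.proto suggests it is handed out once), any widening here takes effect on a credential that may already be in circulation, so the server should check each updated scope against the caller's current permissions exactly as on create; that check lives outside this proto and is inferred. As in the create request, the numbers reserved here should be reserved by name too: `reserved "role_ids", "project_ids";`.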
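Review bot: The `resource_ids` comment in PATScope says only "(optional)" and drops the rule the removed `project_ids` field carried ("empty = all projects"), so the most permissive reading — the role applies to every resource of that type — is now undocumented while still being what a caller gets by omitting the field. Spell it out on the field, e.g. `// Specific resource UUIDs within the scope; empty grants the role on every resource of this type` if that is the behaviour, or require at least one id for project-scoped entries so the broad grant has to be asked for explicitly. `scope` is a free-form string guarded only by a `REQUIRED` field-behavior annotation, which protoc-gen-validate does not enforce, so an empty or unknown namespace reaches the server; the second commit renames this field but keeps the same rules, so the gap survives the rename.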
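Review bot: `repeated PATScope scopes = 8;` in the PAT message has no leading comment, unlike the request fields and the neighbouring `token` field; add one such as `// Role-scope assignments this PAT was issued with (presumably mirrors the create/update request)`. `reserved 6, 7;` retires only the numbers of `role_ids` and `project_ids`, so a future field could reuse a JSON key that existing consumers of the PAT object still parse; reserve the names as well with `reserved "role_ids", "project_ids";`. The message continues outside the hunk, so whether field 9 is reserved or in use elsewhere cannot be seen here.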
From 31643873c2f00fa3baed51861d24ca6103e5454e Mon Sep 17 00:00:00 2001
From: aman
Date: Tue, 24 Mar 2026 13:58:19 +0530
Subject: [PATCH 2/2] refactor: rename PATScope fields
---
raystack/frontier/v1beta1/models.proto | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/raystack/frontier/v1beta1/models.proto b/raystack/frontier/v1beta1/models.proto
index 7b0bcf3a..aa5aea04 100644
--- a/raystack/frontier/v1beta1/models.proto
+++ b/raystack/frontier/v1beta1/models.proto
@@ -270,17 +270,17 @@ message ServiceUserToken { google.protobuf.Timestamp created_at = 4; } -// PATScope pairs a role with its scope and optional resource IDs. +// PATScope pairs a role with its resource type and optional resource IDs. message PATScope { string role_id = 1 [ (validate.rules).string.uuid = true, (google.api.field_behavior) = REQUIRED ]; - // Scope namespace: "app/organization" or "app/project" - string scope = 2 [ + // Resource type: "app/organization" or "app/project" + string resource_type = 2 [ (google.api.field_behavior) = REQUIRED ]; - // Specific resource UUIDs within the scope (optional) + // Specific resource UUIDs within the resource type (optional) repeated string resource_ids = 3 [(validate.rules).repeated.items.string.uuid = true]; }
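Review bot: `resource_type` is validated only by `(google.api.field_behavior) = REQUIRED`, which is client documentation rather than a rule protoc-gen-validate checks, so an empty string or a value outside the two documented namespaces passes request validation and is left entirely to the server to reject. Constrain it in the schema with `(validate.rules).string = {in: ["app/organization", "app/project"]},` above the field-behavior option, matching how `role_id` and `resource_ids` already carry validate rules; if the set of types is closed, an enum with an `UNSPECIFIED` zero value would be the stricter and more evolvable choice. The renamed comment on `resource_ids` still does not say what an empty list means per type — whether an organization-typed entry is bound to the organization the PAT is created in, and whether a project-typed entry with no ids covers every project — and that fail-open case is the one worth spelling out.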