// Copyright 2020 Make.TV Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package tv.make.api;

option go_package = "git.ltnglobal.com/make.tv/genproto/api;api";

import "google/protobuf/timestamp.proto";

message Policy {
  // The effect specifies whether or not the policy allows or denies access.
  enum Effect {
    // If the effect is unspecified, it will default to ALLOW
    EFFECT_UNSPECIFIED = 0;
    ALLOW = 1;
    DENY = 2;
  }

  // The unique identifier of the policy.
  string id = 1;

  // The unique identifier of the owning team.
  string team_id = 2;

  // The display name of the policy.
  string display_name = 3;

  // The description of the policy.
  string description = 4;

  // When has this policy been created.
  //
  // Output only.
  google.protobuf.Timestamp create_time = 5;

  // When has this policy been modified.
  //
  // Output only.
  google.protobuf.Timestamp update_time = 6;

  // The user who created this policy.
  //
  // Output only.
  string creator_id = 7;

  // The resource labels.
  map<string, string> labels = 8;

  Effect effect = 9;

  // The resource path for which this policy applies.
  //
  // Paths may contain wildcards.
  //
  // Examples:
  // - `/teams/*/production/*`
  // - `/teams/95ac51c7-9ff1-487b-b544-08bf6458b071/productions/088447a1-9e99-4cff-a5fa-4eff194f82`
  string resource_path = 10;

  // The set of methods which are either allowed or denied by this policy.
  //
  // Custom methods are resource specific. Standard methods are
  // "create", "read", "update", "delete" and "list".
  //
  // Methods may contain wildcards.
  repeated string methods = 11;

  // An optional condition that specifies when this policy applies.
  //
  // Example:
  // - `resource.input_id == 'foo'`
  // - `user_id == '1234' && getFullYear() < 2025`
  //
  // The resource is populated with the known fields of the resource
  // at the time of the query.
  //
  // See also: https://github.com/google/cel-spec/blob/master/doc/langdef.md
  string condition = 12;

  // Whether or not the policy can be modified.
  //
  // Clients can not set this field. Default policies are created read-only by the system.
  //
  // [Output-Only]
  bool read_only = 13;
}