spicedb-embedded-sys 0.7.0

FFI and native library for SpiceDB C shared library (builds from Go or downloads prebuilt)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188

//! Safe, typed wrappers for the memory-transport FFI.
//!
//! All marshalling/unmarshalling and unsafe FFI calls are contained here.
//! The main crate uses these functions for idiomatic, safe APIs.

use std::os::raw::{c_char, c_int, c_uchar, c_ulonglong};

use prost::Message;
use spicedb_grpc_tonic::v1::{
    CheckBulkPermissionsRequest, CheckBulkPermissionsResponse, CheckPermissionRequest,
    CheckPermissionResponse, DeleteRelationshipsRequest, DeleteRelationshipsResponse,
    ExpandPermissionTreeRequest, ExpandPermissionTreeResponse, ReadSchemaRequest,
    ReadSchemaResponse, WriteRelationshipsRequest, WriteRelationshipsResponse, WriteSchemaRequest,
    WriteSchemaResponse,
};

/// Error from a memory-transport RPC (FFI or decode).
#[derive(Debug, Clone)]
pub struct RpcError(pub String);

impl std::fmt::Display for RpcError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}", self.0)
    }
}

impl std::error::Error for RpcError {}

/// Result type for memory-transport RPCs.
pub type RpcResult<T> = Result<T, RpcError>;

/// Raw call: request bytes in, response bytes or error string. Handles all unsafe FFI and buffer freeing.
fn raw_call(
    handle: u64,
    request_bytes: &[u8],
    f: unsafe extern "C" fn(
        c_ulonglong,
        *const c_uchar,
        c_int,
        *mut *mut c_uchar,
        *mut c_int,
        *mut *mut c_char,
    ),
) -> RpcResult<Vec<u8>> {
    let request_len = c_int::try_from(request_bytes.len())
        .map_err(|_| RpcError("request too large for FFI (exceeds c_int::MAX)".into()))?;

    let mut out_response_bytes: *mut c_uchar = std::ptr::null_mut();
    let mut out_response_len: c_int = 0;
    let mut out_error: *mut c_char = std::ptr::null_mut();

    unsafe {
        f(
            handle as c_ulonglong,
            request_bytes.as_ptr(),
            request_len,
            &mut out_response_bytes,
            &mut out_response_len,
            &mut out_error,
        );
    }

    if !out_error.is_null() {
        let s = unsafe { std::ffi::CStr::from_ptr(out_error) }
            .to_string_lossy()
            .into_owned();
        unsafe { crate::spicedb_free(out_error) };
        return Err(RpcError(s));
    }

    if out_response_len < 0 {
        return Err(RpcError(format!(
            "FFI returned negative response length: {}",
            out_response_len
        )));
    }
    let len = out_response_len as usize;
    let bytes = if len == 0 {
        vec![]
    } else {
        unsafe { std::slice::from_raw_parts(out_response_bytes, len).to_vec() }
    };
    if !out_response_bytes.is_null() {
        unsafe { crate::spicedb_free_bytes(out_response_bytes as *mut std::ffi::c_void) };
    }
    Ok(bytes)
}

// --- PermissionsService ---

/// PermissionsService.CheckPermission.
pub fn check_permission(
    handle: u64,
    request: &CheckPermissionRequest,
) -> RpcResult<CheckPermissionResponse> {
    let mut buf = Vec::new();
    request
        .encode(&mut buf)
        .map_err(|e| RpcError(e.to_string()))?;
    let bytes = raw_call(handle, &buf, crate::spicedb_permissions_check_permission)?;
    CheckPermissionResponse::decode(&bytes[..]).map_err(|e| RpcError(e.to_string()))
}

/// PermissionsService.WriteRelationships.
pub fn write_relationships(
    handle: u64,
    request: &WriteRelationshipsRequest,
) -> RpcResult<WriteRelationshipsResponse> {
    let mut buf = Vec::new();
    request
        .encode(&mut buf)
        .map_err(|e| RpcError(e.to_string()))?;
    let bytes = raw_call(handle, &buf, crate::spicedb_permissions_write_relationships)?;
    WriteRelationshipsResponse::decode(&bytes[..]).map_err(|e| RpcError(e.to_string()))
}

/// PermissionsService.DeleteRelationships.
pub fn delete_relationships(
    handle: u64,
    request: &DeleteRelationshipsRequest,
) -> RpcResult<DeleteRelationshipsResponse> {
    let mut buf = Vec::new();
    request
        .encode(&mut buf)
        .map_err(|e| RpcError(e.to_string()))?;
    let bytes = raw_call(
        handle,
        &buf,
        crate::spicedb_permissions_delete_relationships,
    )?;
    DeleteRelationshipsResponse::decode(&bytes[..]).map_err(|e| RpcError(e.to_string()))
}

/// PermissionsService.CheckBulkPermissions.
pub fn check_bulk_permissions(
    handle: u64,
    request: &CheckBulkPermissionsRequest,
) -> RpcResult<CheckBulkPermissionsResponse> {
    let mut buf = Vec::new();
    request
        .encode(&mut buf)
        .map_err(|e| RpcError(e.to_string()))?;
    let bytes = raw_call(
        handle,
        &buf,
        crate::spicedb_permissions_check_bulk_permissions,
    )?;
    CheckBulkPermissionsResponse::decode(&bytes[..]).map_err(|e| RpcError(e.to_string()))
}

/// PermissionsService.ExpandPermissionTree.
pub fn expand_permission_tree(
    handle: u64,
    request: &ExpandPermissionTreeRequest,
) -> RpcResult<ExpandPermissionTreeResponse> {
    let mut buf = Vec::new();
    request
        .encode(&mut buf)
        .map_err(|e| RpcError(e.to_string()))?;
    let bytes = raw_call(
        handle,
        &buf,
        crate::spicedb_permissions_expand_permission_tree,
    )?;
    ExpandPermissionTreeResponse::decode(&bytes[..]).map_err(|e| RpcError(e.to_string()))
}

// --- SchemaService ---

/// SchemaService.ReadSchema.
pub fn read_schema(handle: u64, request: &ReadSchemaRequest) -> RpcResult<ReadSchemaResponse> {
    let mut buf = Vec::new();
    request
        .encode(&mut buf)
        .map_err(|e| RpcError(e.to_string()))?;
    let bytes = raw_call(handle, &buf, crate::spicedb_schema_read_schema)?;
    ReadSchemaResponse::decode(&bytes[..]).map_err(|e| RpcError(e.to_string()))
}

/// SchemaService.WriteSchema.
pub fn write_schema(handle: u64, request: &WriteSchemaRequest) -> RpcResult<WriteSchemaResponse> {
    let mut buf = Vec::new();
    request
        .encode(&mut buf)
        .map_err(|e| RpcError(e.to_string()))?;
    let bytes = raw_call(handle, &buf, crate::spicedb_schema_write_schema)?;
    WriteSchemaResponse::decode(&bytes[..]).map_err(|e| RpcError(e.to_string()))
}