spicedb-rust
An opinionated client for SpiceDB, built on top of the official gRPC API without the suck of using gRPC in rust.
Disclaimer
API not stable yet, breaking changes are possible in the upcoming days. (Probably moving all API's to the top level struct)
API
The API offers builder interfaces for all gRPC requests that leverage the generic trait type system to cut down on some request building boilerplate and potential errors/typos.
Some of the most common requests are directly exposed as functions on the Client struct like lookup_resources directly into a Vec<R::Id> or a check_permission directly to a bool.
As an alternative to builder interfaces the client also exposes/will expose the methods directly with all arguments at once as parameters, if you intend to use the upcoming mock feature to not have to run a local SpiceDB instance in your tests it is recommended you do it this way.
Regarding impl Trait parameters on the SpiceDBClient, those have all been removed with either generics or just String, &str. This little QoL loss allows mockall to build a MockSpiceDBClient.
Type System
The type system of this crate allows definition of rust structs with traits that mirror the schema imported into SpiceDB. This cuts down on potential typos and other bugs that can crawl into development when typing raw strings for relationships & permissions and makes it easier to build the quite complex gRPC requests with some compile-time checks.
Pros
- Never make an error due to passing in the wrong Stringvalue for a relationship or permission
- Never try to create a relationship that does not exist for one of your entities
- Easy way to share your permission schema across multiple services by centralizing your authz schema in a rust library crate
- Type conversions from Stringinto your chosen type of id likeu32orUuidare done automatically
Cons
- A bit of Boilerplate
I don't like the type system, can I just use the raw gRPC API?
Yes you can. SpiceDBClient exposes methods to get the underlying tonic client, and the spicedb module exports all protobuf types. From personal experience, this is not fun.
Example
Lets take the following SpiceDB schema:
definition user {}
definition document {
    relation reader: user | user:*
    relation writer: user
    
    permission read = reader + writer
    permission write = writer
}
We have 2 entities, User and Document. This is the boilerplate:
;
;
;
NOTE: Will be working on some
strumintegration to cut down on the quite obvious boilerplate that turns the enum variants into strings.
This type system now makes it impossible to check for a permission that doesn't exist, or create a relationship not supported for an entity.
NOTE: I don't know if its possible to constrain the Subject part of a relationship through types, I haven't gone down this road, and I don't feel like I need to yet, I'd be curious if there is an easy way to do this.
Now lets create some relationship and check some permissions!
let client = new
    .await?;
let user_id = now_v7;
let relationships = ;
let token = client
    .create_relationships
    .await
    .unwrap;
let actor = MyActor;
let authorized = client.
.await?;
Mocking
Enable the mock feature to instead use a client generated by mockall.
All public interfaces will work as expected, but not the request builder interfaces, as those are not mocked, if you are using those currently you have to test against a real instance of SpiceDB.
The code will still compile, however any tests that hit those lines of code will panic.