feat(config): allow specifying api url with port and path

.github/dependabot.yaml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+     dependencies:
+        patterns:
+          - "*"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+     dependencies:
+        patterns:
+          - "*"

.github/workflows/main.yaml

@@ -38,7 +38,9 @@ jobs:
     needs: [test]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.5.4
+        with:
+          fetch-depth: 0
 
       - uses: Roang-zero1/github-create-release-action@57eb9bdce7a964e48788b9e78b5ac766cb684803
         with:

.openapi-generator/FILES

@@ -2,6 +2,7 @@
 .github/CODEOWNERS
 .github/ISSUE_TEMPLATE/bug_report.md
 .github/ISSUE_TEMPLATE/feature_request.md
+.github/dependabot.yaml
 .github/workflows/main.yaml
 .github/workflows/semgrep.yaml
 .gitignore
@@ -66,6 +67,7 @@ docs/Store.md
 docs/Tuple.md
 docs/TupleChange.md
 docs/TupleKey.md
+docs/TupleKeyWithoutCondition.md
 docs/TupleOperation.md
 docs/TupleToUserset.md
 docs/TypeDefinition.md
@@ -81,8 +83,8 @@ docs/WriteAssertionsRequest.md
 docs/WriteAuthorizationModelRequest.md
 docs/WriteAuthorizationModelResponse.md
 docs/WriteRequest.md
-docs/WriteRequestTupleKey.md
-docs/WriteRequestTupleKeys.md
+docs/WriteRequestDeletes.md
+docs/WriteRequestWrites.md
 git_push.sh
 go.mod
 go.sum
@@ -135,6 +137,7 @@ model_store.go
 model_tuple.go
 model_tuple_change.go
 model_tuple_key.go
+model_tuple_key_without_condition.go
 model_tuple_operation.go
 model_tuple_to_userset.go
 model_type_definition.go
@@ -150,8 +153,8 @@ model_write_assertions_request.go
 model_write_authorization_model_request.go
 model_write_authorization_model_response.go
 model_write_request.go
-model_write_request_tuple_key.go
-model_write_request_tuple_keys.go
+model_write_request_deletes.go
+model_write_request_writes.go
 oauth2/LICENSE
 oauth2/ORIGINAL_AUTHORS
 oauth2/ORIGINAL_CONTRIBUTORS

README.md

@@ -111,9 +111,8 @@ import (
 
 func main() {
     fgaClient, err := NewSdkClient(&ClientConfiguration{
-        ApiScheme:      os.Getenv("OPENFGA_API_SCHEME"), // optional, defaults to "https"
-        ApiHost:        os.Getenv("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
-        StoreId:        os.Getenv("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
+        ApiUrl:  os.Getenv("FGA_API_URL"), // required, e.g. https://api.fga.example
+        StoreId: os.Getenv("FGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
     })
 
 	if err != nil {
@@ -133,13 +132,12 @@ import (
 
 func main() {
     fgaClient, err := NewSdkClient(&ClientConfiguration{
-        ApiScheme:      os.Getenv("OPENFGA_API_SCHEME"), // optional, defaults to "https"
-        ApiHost:        os.Getenv("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
-        StoreId:        os.Getenv("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
+        ApiUrl:      os.Getenv("FGA_API_URL"), // required, e.g. https://api.fga.example
+        StoreId:     os.Getenv("FGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
         Credentials: &credentials.Credentials{
             Method: credentials.CredentialsMethodApiToken,
             Config: &credentials.Config{
-                ApiToken: os.Getenv("OPENFGA_API_TOKEN"), // will be passed as the "Authorization: Bearer ${ApiToken}" request header
+                ApiToken: os.Getenv("FGA_API_TOKEN"), // will be passed as the "Authorization: Bearer ${ApiToken}" request header
             },
         },
     })
@@ -162,17 +160,16 @@ import (
 
 func main() {
     fgaClient, err := NewSdkClient(&ClientConfiguration{
-        ApiScheme:              os.Getenv("OPENFGA_API_SCHEME"), // optional, defaults to "https"
-        ApiHost:                os.Getenv("OPENFGA_API_HOST"), // required, define without the scheme (e.g. api.fga.example instead of https://api.fga.example)
-        StoreId:                os.Getenv("OPENFGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
-        AuthorizationModelId:   openfga.PtrString("OPENFGA_AUTHORIZATION_MODEL_ID"),
+        ApiUrl:               os.Getenv("FGA_API_URL"), // required, e.g. https://api.fga.example
+        StoreId:              os.Getenv("FGA_STORE_ID"), // not needed when calling `CreateStore` or `ListStores`
+        AuthorizationModelId: openfga.PtrString("OPENFGA_AUTHORIZATION_MODEL_ID"),
         Credentials: &credentials.Credentials{
             Method: credentials.CredentialsMethodClientCredentials,
             Config: &credentials.Config{
-                ClientCredentialsClientId:       os.Getenv("OPENFGA_CLIENT_ID"),
-                ClientCredentialsClientSecret:   os.Getenv("OPENFGA_CLIENT_SECRET"),
-                ClientCredentialsApiAudience:    os.Getenv("OPENFGA_API_AUDIENCE"),
-                ClientCredentialsApiTokenIssuer: os.Getenv("OPENFGA_API_TOKEN_ISSUER"),
+                ClientCredentialsClientId:       os.Getenv("FGA_CLIENT_ID"),
+                ClientCredentialsClientSecret:   os.Getenv("FGA_CLIENT_SECRET"),
+                ClientCredentialsApiAudience:    os.Getenv("FGA_API_AUDIENCE"),
+                ClientCredentialsApiTokenIssuer: os.Getenv("FGA_API_TOKEN_ISSUER"),
             },
         },
     })

api_client.go

@@ -236,37 +236,27 @@ func (c *APIClient) prepareRequest(
 	}
 
 	// Setup path and query parameters
-	url, err := url.Parse(path)
+	uri, err := url.Parse(c.cfg.ApiUrl + path)
 	if err != nil {
 		return nil, err
 	}
 
-	// Override request host, if applicable
-	if c.cfg.ApiHost != "" {
-		url.Host = c.cfg.ApiHost
-	}
-
-	// Override request scheme, if applicable
-	if c.cfg.ApiScheme != "" {
-		url.Scheme = c.cfg.ApiScheme
-	}
-
 	// Adding Query Param
-	query := url.Query()
+	query := uri.Query()
 	for k, v := range queryParams {
 		for _, iv := range v {
 			query.Add(k, iv)
 		}
 	}
 
 	// Encode the parameters.
-	url.RawQuery = query.Encode()
+	uri.RawQuery = query.Encode()
 
 	// Generate a new request
 	if body != nil {
-		localVarRequest, err = http.NewRequest(method, url.String(), body)
+		localVarRequest, err = http.NewRequest(method, uri.String(), body)
 	} else {
-		localVarRequest, err = http.NewRequest(method, url.String(), nil)
+		localVarRequest, err = http.NewRequest(method, uri.String(), nil)
 	}
 	if err != nil {
 		return nil, err

api_open_fga.go

@@ -34,8 +34,9 @@ type OpenFgaApi interface {
 	/*
 		 * Check Check whether a user is authorized to access an object
 		 * The Check API queries to check if the user has a certain relationship with an object in a certain store.
-	A `contextual_tuples` object may also be included in the body of the request. This object contains one field `tuple_keys`, which is an array of tuple keys.
+	A `contextual_tuples` object may also be included in the body of the request. This object contains one field `tuple_keys`, which is an array of tuple keys. Each of these tuples may have an associated `condition`.
 	You may also provide an `authorization_model_id` in the body. This will be used to assert that the input `tuple_key` is valid for the model specified. If not specified, the assertion will be made against the latest authorization model ID. It is strongly recommended to specify authorization model id for better performance.
+	You may also provide a `context` object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly.
 	The response will return whether the relationship exists in the field `allowed`.
 
 	## Example
@@ -186,7 +187,8 @@ type OpenFgaApi interface {
 		 * ListObjects List all objects of the given type that the user has a relation with
 		 * The ListObjects API returns a list of all the objects of the given type that the user has a relation with. To achieve this, both the store tuples and the authorization model are used.
 	An `authorization_model_id` may be specified in the body. If it is not specified, the latest authorization model ID will be used. It is strongly recommended to specify authorization model id for better performance.
-	You may also specify `contextual_tuples` that will be treated as regular tuples.
+	You may also specify `contextual_tuples` that will be treated as regular tuples. Each of these tuples may have an associated `condition`.
+	You may also provide a `context` object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly.
 	The response will contain the related objects in an array in the "objects" field of the response and they will be strings in the object format `<type>:<id>` (e.g. "document:roadmap").
 	The number of objects in the response array will be limited by the execution timeout specified in the flag OPENFGA_LIST_OBJECTS_DEADLINE and by the upper bound specified in the flag OPENFGA_LIST_OBJECTS_MAX_RESULTS, whichever is hit first.
 	The objects given will not be sorted, and therefore two identical calls can give a given different set of objects.
@@ -451,6 +453,8 @@ type OpenFgaApi interface {
 		 * ReadChanges Return a list of all the tuple changes
 		 * The ReadChanges API will return a paginated list of tuple changes (additions and deletions) that occurred in a given store, sorted by ascending time. The response will include a continuation token that is used to get the next set of changes. If there are no changes after the provided continuation token, the same token will be returned in order for it to be used when new changes are recorded. If the store never had any tuples added or removed, this token will be empty.
 	You can use the `type` parameter to only get the list of tuple changes that affect objects of that type.
+	When reading a write tuple change, if it was conditioned, the condition will be returned.
+	When reading a delete tuple change, the condition will NOT be returned regardless of whether it was originally conditioned or not.
 
 		 * @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
 		 * @return ApiReadChangesRequest
@@ -466,7 +470,8 @@ type OpenFgaApi interface {
 	/*
 		 * Write Add or delete tuples from the store
 		 * The Write API will update the tuples for a certain store. Tuples and type definitions allow OpenFGA to determine whether a relationship exists between an object and an user.
-	In the body, `writes` adds new tuples while `deletes` removes existing tuples. The API is not idempotent: if, later on, you try to add the same tuple, or if you try to delete a non-existing tuple, it will throw an error.
+	In the body, `writes` adds new tuples and `deletes` removes existing tuples. When deleting a tuple, any `condition` specified with it is ignored.
+	The API is not idempotent: if, later on, you try to add the same tuple key (even if the `condition` is different), or if you try to delete a non-existing tuple, it will throw an error.
 	An `authorization_model_id` may be specified in the body. If it is, it will be used to assert that each written tuple (not deleted) is valid for the model specified. If it is not specified, the latest authorization model ID will be used.
 	## Example
 	### Adding relationships
@@ -606,8 +611,9 @@ func (r ApiCheckRequest) Execute() (CheckResponse, *_nethttp.Response, error) {
   - Check Check whether a user is authorized to access an object
   - The Check API queries to check if the user has a certain relationship with an object in a certain store.
 
-A `contextual_tuples` object may also be included in the body of the request. This object contains one field `tuple_keys`, which is an array of tuple keys.
+A `contextual_tuples` object may also be included in the body of the request. This object contains one field `tuple_keys`, which is an array of tuple keys. Each of these tuples may have an associated `condition`.
 You may also provide an `authorization_model_id` in the body. This will be used to assert that the input `tuple_key` is valid for the model specified. If not specified, the assertion will be made against the latest authorization model ID. It is strongly recommended to specify authorization model id for better performance.
+You may also provide a `context` object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly.
 The response will return whether the relationship exists in the field `allowed`.
 
 ## Example
@@ -1996,7 +2002,8 @@ func (r ApiListObjectsRequest) Execute() (ListObjectsResponse, *_nethttp.Respons
   - The ListObjects API returns a list of all the objects of the given type that the user has a relation with. To achieve this, both the store tuples and the authorization model are used.
 
 An `authorization_model_id` may be specified in the body. If it is not specified, the latest authorization model ID will be used. It is strongly recommended to specify authorization model id for better performance.
-You may also specify `contextual_tuples` that will be treated as regular tuples.
+You may also specify `contextual_tuples` that will be treated as regular tuples. Each of these tuples may have an associated `condition`.
+You may also provide a `context` object that will be used to evaluate the conditioned tuples in the system. It is strongly recommended to provide a value for all the input parameters of all the conditions, to ensure that all tuples be evaluated correctly.
 The response will contain the related objects in an array in the "objects" field of the response and they will be strings in the object format `<type>:<id>` (e.g. "document:roadmap").
 The number of objects in the response array will be limited by the execution timeout specified in the flag OPENFGA_LIST_OBJECTS_DEADLINE and by the upper bound specified in the flag OPENFGA_LIST_OBJECTS_MAX_RESULTS, whichever is hit first.
 The objects given will not be sorted, and therefore two identical calls can give a given different set of objects.
@@ -3807,6 +3814,8 @@ func (r ApiReadChangesRequest) Execute() (ReadChangesResponse, *_nethttp.Respons
   - The ReadChanges API will return a paginated list of tuple changes (additions and deletions) that occurred in a given store, sorted by ascending time. The response will include a continuation token that is used to get the next set of changes. If there are no changes after the provided continuation token, the same token will be returned in order for it to be used when new changes are recorded. If the store never had any tuples added or removed, this token will be empty.
 
 You can use the `type` parameter to only get the list of tuple changes that affect objects of that type.
+When reading a write tuple change, if it was conditioned, the condition will be returned.
+When reading a delete tuple change, the condition will NOT be returned regardless of whether it was originally conditioned or not.
 
   - @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
   - @return ApiReadChangesRequest
@@ -4081,7 +4090,8 @@ func (r ApiWriteRequest) Execute() (map[string]interface{}, *_nethttp.Response,
   - Write Add or delete tuples from the store
   - The Write API will update the tuples for a certain store. Tuples and type definitions allow OpenFGA to determine whether a relationship exists between an object and an user.
 
-In the body, `writes` adds new tuples while `deletes` removes existing tuples. The API is not idempotent: if, later on, you try to add the same tuple, or if you try to delete a non-existing tuple, it will throw an error.
+In the body, `writes` adds new tuples and `deletes` removes existing tuples. When deleting a tuple, any `condition` specified with it is ignored.
+The API is not idempotent: if, later on, you try to add the same tuple key (even if the `condition` is different), or if you try to delete a non-existing tuple, it will throw an error.
 An `authorization_model_id` may be specified in the body. If it is, it will be used to assert that each written tuple (not deleted) is valid for the model specified. If it is not specified, the latest authorization model ID will be used.
 ## Example
 ### Adding relationships