More commands to cli example and minor doc edits

README.md

@@ -62,7 +62,7 @@ These sections show how to use the SDK to perform API management functions. Befo
 9. [Manage JWTs](#manage-jwts)
 10. [Search Audit](#search-audit)
 11. [Embedded Links](#embedded-links)
-12. [Manage Authz](#manage-authz)
+12. [Manage ReBAC Authz](#manage-rebac-authz)
 
 If you wish to run any of our code samples and play with them, check out our [Code Examples](#code-examples) section.
 
@@ -921,7 +921,7 @@ if err == nil {
 }
 ```
 
-### Manage Authz
+### Manage ReBAC Authz
 
 Descope supports full relation based access control (ReBAC) using a zanzibar like schema and operations.
 A schema is comprized of namespaces (entities like documents, folders, orgs, etc.) and each namespace has relation definitions to define relations.

descope/sdk/mgmt.go

@@ -470,7 +470,7 @@ type Authz interface {
 	// SaveNamespace creating or updating the given namespace
 	// Will not delete relation definitions not mentioned in the namespace.
 	// oldName is used if we are changing the namespace name
-	// schemaName is optional and used to track the current schema version.
+	// schemaName is optional and can be used to track the current schema version.
 	SaveNamespace(namespace *descope.AuthzNamespace, oldName, schemaName string) error
 
 	// DeleteNamespace will also delete the relevant relations.
@@ -479,11 +479,11 @@ type Authz interface {
 
 	// SaveRelationDefinition creating or updating the given relation definition.
 	// Provide oldName if we are changing the relation definition name, what was the old name we are updating.
-	// schemaName optional and used to track the current schema version.
+	// schemaName is optional and can be used to track the current schema version.
 	SaveRelationDefinition(relationDefinition *descope.AuthzRelationDefinition, namespace, oldName, schemaName string) error
 
 	// DeleteRelationDefinition will also delete the relevant relations.
-	// schemaName is optional and used to track the current schema version.
+	// schemaName is optional and can be used to track the current schema version.
 	DeleteRelationDefinition(name, namespace, schemaName string) error
 
 	// CreateRelations based on the existing schema

examples/managementcli/main.go

@@ -435,7 +435,36 @@ func authzLoadSchema(args []string) error {
 	return err
 }
 
-func authzHasRelations(args []string) error {
+func authzSaveSchema(args []string) error {
+	schemaFile, err := os.ReadFile(args[0])
+	if err != nil {
+		return err
+	}
+	var schema *descope.AuthzSchema
+	err = json.Unmarshal(schemaFile, &schema)
+	if err != nil {
+		return err
+	}
+	oldSchema, err := descopeClient.Management.Authz().LoadSchema()
+	if err != nil {
+		return err
+	}
+	upgrade, err := strconv.ParseBool(args[1])
+	if err != nil {
+		return err
+	}
+	err = descopeClient.Management.Authz().SaveSchema(schema, upgrade)
+	if err == nil {
+		if oldSchema.Name != schema.Name {
+			fmt.Printf("Schema %s upgraded to %s.\n", oldSchema.Name, schema.Name)
+		} else {
+			fmt.Printf("Schema %s saved.\n", schema.Name)
+		}
+	}
+	return err
+}
+
+func authzHasRelation(args []string) error {
 	res, err := descopeClient.Management.Authz().HasRelations([]*descope.AuthzRelationQuery{
 		{
 			Resource:           args[0],
@@ -452,6 +481,38 @@ func authzHasRelations(args []string) error {
 	return err
 }
 
+func authzAddRelation(args []string) error {
+	err := descopeClient.Management.Authz().CreateRelations([]*descope.AuthzRelation{
+		{
+			Resource:           args[0],
+			RelationDefinition: args[1],
+			Namespace:          args[2],
+			Target:             args[3],
+		},
+	})
+	if err == nil {
+		fmt.Println("Relation added.")
+	}
+	return err
+}
+
+func authzAddRelationTargetSet(args []string) error {
+	err := descopeClient.Management.Authz().CreateRelations([]*descope.AuthzRelation{
+		{
+			Resource:                             args[0],
+			RelationDefinition:                   args[1],
+			Namespace:                            args[2],
+			TargetSetResource:                    args[3],
+			TargetSetRelationDefinition:          args[4],
+			TargetSetRelationDefinitionNamespace: args[5],
+		},
+	})
+	if err == nil {
+		fmt.Println("Relation to target set added.")
+	}
+	return err
+}
+
 // Command line setup
 
 var cli = &cobra.Command{
@@ -650,10 +711,22 @@ func main() {
 	addCommand(authzLoadSchema, "authz-load-schema", "Load and display the current AuthZ ReBAC schema", func(cmd *cobra.Command) {
 	})
 
-	addCommand(authzHasRelations, "authz-has-relation <resource> <relationDefinition> <namespace> <target>", "Check if the given relation exists", func(cmd *cobra.Command) {
+	addCommand(authzSaveSchema, "authz-save-schema <filename> <upgrade>", "Save (and potentially upgrade) the AuthZ ReBAC schema from the given file", func(cmd *cobra.Command) {
+		cmd.Args = cobra.ExactArgs(2)
+	})
+
+	addCommand(authzHasRelation, "authz-has-relation <resource> <relationDefinition> <namespace> <target>", "Check if the given relation exists", func(cmd *cobra.Command) {
 		cmd.Args = cobra.ExactArgs(4)
 	})
 
+	addCommand(authzAddRelation, "authz-add-relation <resource> <relationDefinition> <namespace> <target>", "Add a relation from a resource to a given target", func(cmd *cobra.Command) {
+		cmd.Args = cobra.ExactArgs(4)
+	})
+
+	addCommand(authzAddRelationTargetSet, "authz-add-relation-targetset <resource> <relationDefinition> <namespace> <targetset-resource> <targetset-rd> <targetset-ns>", "Add a relation from a resource to a given target set", func(cmd *cobra.Command) {
+		cmd.Args = cobra.ExactArgs(6)
+	})
+
 	err := cli.Execute()
 	if err != nil {
 		os.Exit(1)