Diffstat (limited to 'etc/authzd/gitlab_schema.cedarschema')
| -rw-r--r-- | etc/authzd/gitlab_schema.cedarschema | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/etc/authzd/gitlab_schema.cedarschema b/etc/authzd/gitlab_schema.cedarschema
new file mode 100644
index 00000000..78d7bd1a
--- /dev/null
+++ b/etc/authzd/gitlab_schema.cedarschema
@@ -0,0 +1,158 @@
+// GitLab Cedar Schema Definition
+// Defines entity types and actions for GitLab authorization
+
+// User entity represents GitLab users
+entity User = {
+ username: String,
+ name: String,
+ admin: Bool,
+ blocked: Bool,
+ external: Bool,
+ bot: Bool,
+ access_level: Long,
+};
+
+// Group/Namespace entity (can be nested)
+entity Namespace = {
+ name: String,
+ path: String,
+ full_path: String,
+ kind: String, // "user" or "group"
+ visibility_level: String,
+ members: Set<User>,
+} tags Set<String>;
+
+// Project entity represents GitLab projects
+entity Project = {
+ name: String,
+ path: String,
+ full_path: String,
+ visibility: String, // "public", "internal", "private"
+ archived: Bool,
+ members: Set<User>, // Project members
+} tags Set<String>;
+
+// Group alias for Namespace
+entity Group = {
+ name: String,
+ path: String,
+ full_path: String,
+ visibility: String,
+ members: Set<User>,
+} tags Set<String>;
+
+// Project membership relationship
+entity ProjectMembership = {
+ user_id: Long,
+ project_id: Long,
+ access_level: Long,
+ expires_at: String,
+} tags Set<String>;
+
+// Group membership relationship
+entity GroupMembership = {
+ user_id: Long,
+ group_id: Long,
+ access_level: Long,
+ expires_at: String,
+} tags Set<String>;
+
+// Issue entity
+entity Issue = {
+ iid: Long,
+ title: String,
+ state: String,
+ confidential: Bool,
+ author_id: Long,
+ assignee_ids: Set<Long>,
+ created_at: String,
+ updated_at: String,
+} tags Set<String>;
+
+// Merge Request entity
+entity MergeRequest = {
+ iid: Long,
+ title: String,
+ state: String,
+ merge_status: String,
+ author_id: Long,
+ assignee_id: Long,
+ target_branch: String,
+ source_branch: String,
+ work_in_progress: Bool,
+ created_at: String,
+ updated_at: String,
+} tags Set<String>;
+
+// Actions that can be performed
+action "read_project";
+action "admin_project";
+action "destroy_project";
+action "transfer_project";
+action "archive_project";
+action "change_visibility_level";
+action "manage_project_members";
+
+action "read_group";
+action "admin_group";
+action "read_group_details";
+
+action "read_repository";
+action "download_code";
+action "push_code";
+action "admin_repository";
+action "push_to_delete_protected_branch";
+
+action "read_issue";
+action "create_issue";
+action "update_issue";
+action "admin_issue";
+action "create_issue_note";
+
+action "read_merge_request";
+action "create_merge_request";
+action "update_merge_request";
+action "admin_merge_request";
+action "merge_merge_request";
+
+action "read_wiki";
+action "create_wiki_page";
+action "update_wiki_page";
+action "admin_wiki";
+
+action "read_snippet";
+action "create_snippet";
+action "update_snippet";
+action "admin_snippet";
+
+action "read_build";
+action "read_pipeline";
+action "create_pipeline";
+action "retry_pipeline";
+action "admin_pipeline";
+
+action "read_container_image";
+action "pull_container_image";
+action "push_container_image";
+action "admin_container_registry";
+
+action "read_package";
+action "pull_package";
+action "push_package";
+action "admin_package_registry";
+
+action "read_analytics";
+action "read_cycle_analytics";
+action "read_repository_analytics";
+
+action "read_security_report";
+action "admin_security_policy";
+action "read_vulnerability_report";
+
+action "read_release";
+action "create_release";
+action "update_release";
+action "admin_release";
+
+action "admin_project_hooks";
+action "admin_project_runners";
\ No newline at end of file |
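Review bot: Every declaration from `action "read_project";` to `action "admin_project_runners";` omits `appliesTo`, so the schema never states which principal and resource types an action takes; Cedar treats an action without `appliesTo` as applicable to no principal or resource, so either the validator rejects every policy naming these actions, or validation is skipped and a policy that grants `read_project` on an Issue or to a Namespace goes uncaught. The `user_id` / `author_id: Long` attributes on ProjectMembership, GroupMembership, Issue and MergeRequest cannot be matched against the principal in a policy, because User declares no `id` attribute and an entity UID is not a Long, so "the author may read their own confidential issue" is not expressible; referencing the entity (`author: User`) is the usual Cedar shape. The comment `// Group alias for Namespace` is misleading: Group is a distinct type whose `visibility` attribute is named differently from Namespace's `visibility_level`, so a policy keyed on one silently does not apply to the other. `expires_at: String` cannot be ordered with Cedar's comparison operators, so an expired membership is honored unless the caller drops it before building the entity set — presumably intended, but worth a comment such as `// callers must exclude expired memberships; policies cannot compare this String`. A sketch of the `appliesTo` form and an Issue-to-User reference follows, with `in [Namespace]` on Project so `resource in Namespace::"…"` scoping works.
```cedar
// … unchanged: User, Namespace, Group, membership entities …

entity Project in [Namespace] = {
    // … unchanged: name, path, full_path, visibility, archived, members …
} tags Set<String>;

entity Issue in [Project] = {
    // … unchanged: iid, title, state, confidential, created_at, updated_at …
    author: User,          // replaces author_id: Long
    assignees: Set<User>,  // replaces assignee_ids: Set<Long>
} tags Set<String>;

action "read_project" appliesTo {
    principal: [User],
    resource: [Project],
};
action "read_issue" appliesTo {
    principal: [User],
    resource: [Issue],
};
// … unchanged: remaining action declarations, each given an appliesTo naming its resource type …
```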
