feat(abac): update Write API to include a condition per tuple

docs/openapiv2/apidocs.swagger.json

@@ -975,10 +975,16 @@
               "type": "object",
               "properties": {
                 "writes": {
-                  "$ref": "#/definitions/TupleKeys"
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/definitions/WriteRequestTupleKey"
+                  }
                 },
                 "deletes": {
-                  "$ref": "#/definitions/TupleKeys"
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/definitions/WriteRequestTupleKey"
+                  }
                 },
                 "authorization_model_id": {
                   "type": "string",
@@ -1373,6 +1379,14 @@
       ],
       "default": "no_not_found_error"
     },
+    "NullValue": {
+      "type": "string",
+      "enum": [
+        "NULL_VALUE"
+      ],
+      "default": "NULL_VALUE",
+      "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\n The JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value."
+    },
     "ObjectRelation": {
       "type": "object",
       "properties": {
@@ -1501,6 +1515,24 @@
         "type"
       ]
     },
+    "RelationshipCondition": {
+      "type": "object",
+      "properties": {
+        "conditionName": {
+          "type": "string",
+          "example": "condition1",
+          "description": "A reference (by name) of the relationship condition defined in the authorization model.",
+          "maxLength": 256
+        },
+        "context": {
+          "type": "object",
+          "description": "Additional context/data to persist along with the condition.\nThe keys must match the parameters defined by the condition, and the value types must\nmatch the parameter type definitions."
+        }
+      },
+      "required": [
+        "conditionName"
+      ]
+    },
     "Status": {
       "type": "object",
       "properties": {
@@ -1599,21 +1631,6 @@
         }
       }
     },
-    "TupleKeys": {
-      "type": "object",
-      "properties": {
-        "tuple_keys": {
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/TupleKey",
-            "minimum": 1
-          }
-        }
-      },
-      "required": [
-        "tuple_keys"
-      ]
-    },
     "TupleOperation": {
       "type": "string",
       "enum": [
@@ -1774,6 +1791,29 @@
         }
       }
     },
+    "WriteRequestTupleKey": {
+      "type": "object",
+      "properties": {
+        "user": {
+          "type": "string",
+          "example": "user:anne",
+          "maxLength": 512
+        },
+        "relation": {
+          "type": "string",
+          "example": "reader",
+          "maxLength": 50
+        },
+        "object": {
+          "type": "string",
+          "example": "document:2021-budget",
+          "maxLength": 256
+        },
+        "condition": {
+          "$ref": "#/definitions/RelationshipCondition"
+        }
+      }
+    },
     "WriteResponse": {
       "type": "object"
     },

openfga/v1/openfga.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package openfga.v1;
 
 import "google/api/field_behavior.proto";
+import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
 import "validate/validate.proto";
@@ -25,6 +26,24 @@ message Object {
   ];
 }
 
+message RelationshipCondition {
+
+  // A reference (by name) of the relationship condition defined in the authorization model.
+  string condition_name = 1 [
+    (validate.rules).string = {pattern: "^[^\\s]{2,256}$"},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      max_length: 256,
+      example: "\"condition1\""
+    }
+  ];
+
+  // Additional context/data to persist along with the condition.
+  // The keys must match the parameters defined by the condition, and the value types must
+  // match the parameter type definitions.
+  google.protobuf.Struct context = 2;
+}
+
 message TupleKey {
   string object = 1 [
     (validate.rules).string = {

openfga/v1/openfga_service.proto

@@ -5,6 +5,7 @@ package openfga.v1;
 import "google/api/annotations.proto";
 import "google/api/field_behavior.proto";
 import "google/api/visibility.proto";
+import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
 import "google/protobuf/wrappers.proto";
 import "openfga/v1/authzmodel.proto";
@@ -816,6 +817,40 @@ message ReadResponse {
   ];
 }
 
+message WriteRequestTupleKey {
+  string user = 1 [
+    (validate.rules).string = {max_bytes: 512},
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      max_length: 512,
+      example: "\"user:anne\""
+    }
+  ];
+
+  string relation = 2 [
+    (validate.rules).string = {
+      pattern: "^[^:#@\\s]{1,50}$",
+      ignore_empty: true
+    },
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      max_length: 50,
+      example: "\"reader\""
+    }
+  ];
+
+  string object = 3 [
+    (validate.rules).string = {
+      pattern: "^[^\\s]{2,256}$",
+      ignore_empty: true
+    },
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      max_length: 256,
+      example: "\"document:2021-budget\""
+    }
+  ];
+
+  RelationshipCondition condition = 4;
+}
+
 message WriteRequest {
   string store_id = 1 [
     json_name = "store_id",
@@ -824,9 +859,9 @@ message WriteRequest {
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"01YCP46JKYM8FJCQ37NMBYHE5X\""}
   ];
 
-  openfga.v1.TupleKeys writes = 2;
+  repeated WriteRequestTupleKey writes = 2;
 
-  openfga.v1.TupleKeys deletes = 3;
+  repeated WriteRequestTupleKey deletes = 3;
 
   string authorization_model_id = 4 [
     json_name = "authorization_model_id",