================================================================================
empty definition
================================================================================
definition user {}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier)))

================================================================================
empty definition with prefix
================================================================================
definition namespaced/user {}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier)))

================================================================================
empty definition with comment
================================================================================
definition user { /* comment */ }
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier) (comment)))

================================================================================
definition with multi-line docstring
================================================================================
/**
 * user represents a user that can be granted role(s)
 */
definition user {}
--------------------------------------------------------------------------------
(source_file
	(comment)
	(object_definition name: (type_identifier)))

================================================================================
definition with single line docstring
================================================================================
// user represents a user that can be granted role(s)
definition user {}
--------------------------------------------------------------------------------
(source_file
	(comment)
	(object_definition name: (type_identifier)))

================================================================================
two empty definitions
================================================================================
definition user {}
definition document {}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier))
	(object_definition name: (type_identifier)))

================================================================================
definition with single userset relation
================================================================================
definition user {}
definition document {
  relation creator: user
}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier))
	(object_definition
		name: (type_identifier)
		body: (relation
			name: (field_identifier)
			expr: (relation_expr (unary_relation_expr
				(relation_type (type_identifier)))))))

================================================================================
definition with wildcard relation
================================================================================
definition user {}
definition document {
  relation creator: user:*
}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier))
	(object_definition
		name: (type_identifier)
		body: (relation
			name: (field_identifier)
			expr: (relation_expr (unary_relation_expr
				(relation_type (wildcard_type (type_identifier))))))))

================================================================================
definition with reference relation
================================================================================
definition user {}
definition group {
  relation members: user
}
definition document {
  relation creator: group#member
}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier))
	(object_definition
		name: (type_identifier)
		body: (relation
			name: (field_identifier)
			expr: (relation_expr (unary_relation_expr (relation_type (type_identifier))))))
	(object_definition
		name: (type_identifier)
		body: (relation
			name: (field_identifier)
			expr: (relation_expr (unary_relation_expr
				(relation_type (reference_type
					(type_identifier)
					(field_identifier))))))))

================================================================================
definition with multi-userset relation (2)
================================================================================
definition user {}
definition document {
  relation creator: user | user:*
}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier))
	(object_definition
		name: (type_identifier)
		body: (relation
			name: (field_identifier)
			expr: (relation_expr (binary_relation_expr
				(relation_expr (unary_relation_expr (relation_type
					(type_identifier))))
				(relation_expr (unary_relation_expr (relation_type
					(wildcard_type (type_identifier))))))))))

================================================================================
definition with multi-userset relation (3)
================================================================================
definition bot {}
definition user {}
definition document {
  relation creator: user | user:* | bot
}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier))
	(object_definition name: (type_identifier))
	(object_definition
		name: (type_identifier)
		body: (relation
			name: (field_identifier)
			expr: (relation_expr (binary_relation_expr
				(relation_expr (binary_relation_expr
					(relation_expr (unary_relation_expr (relation_type (type_identifier))))
					(relation_expr (unary_relation_expr (relation_type (wildcard_type (type_identifier)))))))
				(relation_expr (unary_relation_expr (relation_type (type_identifier)))))))))

================================================================================
definition with nil permission
================================================================================
definition document {
  permission write = nil
}
--------------------------------------------------------------------------------
(source_file
	(object_definition
		name: (type_identifier)
		body: (permission
			name: (method_identifier)
			expr: (permission_expr))))

================================================================================
definition with single userset permission
================================================================================
definition user {}
definition document {
  relation creator: user
  permission write = creator
}
--------------------------------------------------------------------------------
(source_file
	(object_definition name: (type_identifier))
	(object_definition
		name: (type_identifier)
		body: (relation
			name: (field_identifier)
			expr: (relation_expr (unary_relation_expr
				(relation_type (type_identifier)))))
		body: (permission
			name: (method_identifier)
			expr: (permission_expr (unary_permission_expr
				(userset (field_identifier))))))) 

================================================================================
basic caveat definition
================================================================================
caveat only_on_tuesday(day_of_week string) {
	day_of_week == "tuesday"
}
--------------------------------------------------------------------------------
(source_file
	(caveat_definition
		(func_identifier)
		(parameter
			(parameter_identifier (cel_variable_identifier))
			(parameter_type_identifier (cel_type_identifier)))
        (caveat_expr)))

================================================================================
caveat with registry cel expression
================================================================================
caveat only_on_tuesday(day_of_week string) {
	object.spec.template.spec.containers.all(container,
	  params.allowedRegistries.exists(registry,
	    ((registry in ['docker.io', 'docker.io/library']) && !container.image.contains('/')) ||
	    container.image.startsWith(registry)
	  )
	)
}
--------------------------------------------------------------------------------
(source_file
	(caveat_definition
		(func_identifier)
		(parameter
			(parameter_identifier (cel_variable_identifier))
			(parameter_type_identifier (cel_type_identifier)))
        (caveat_expr)))
