fix(auth model): assignee missing from each type for roles (#1444)

* fix(auth model): assignee missing from each type for roles

* test(fgatests): add all assignee tests

* feat(authmodel): generate auth model

* chore(make): rename make target auth-model-json

Makefile

@@ -115,6 +115,8 @@ load-rock:
 	$(eval jimm_version := $(shell cat ./rocks/jimm.yaml | yq ".version"))
 	@sudo /snap/rockcraft/current/bin/skopeo --insecure-policy copy oci-archive:jimm_${jimm_version}_amd64.rock docker-daemon:jimm:latest
 
+auth-model-json:
+	fga model transform --file ./openfga/authorisation_model.fga > ./openfga/authorisation_model.json
 test-auth-model:
 	fga model test --tests ./openfga/tests.fga.yaml 
 

openfga/README.md

@@ -21,9 +21,7 @@ go install github.com/openfga/cli/cmd/fga@latest
 ## Adding / modifying [to] the authorsation model
 1. Open the authorisation_model.fga 
 2. Make your modification
-3. Open the Command Pallette using Ctrl+Shift+P (Windows) or Command+Shift+P (OSX)
-4. Select OpenFGA: Transform DSL to JSON
-5. Save the file over the existing authorisation_model.json
+3. Run: `make transform-auth-model`
 6. Add tests to tests.fga.yaml - Learn more [here](https://openfga.dev/docs/modeling/testing)
 7. Run them via: `make test-auth-model`
 

openfga/authorisation_model.fga

@@ -1,42 +1,43 @@
 model
   schema 1.1
 
-type applicationoffer
-  relations
-    define administrator: [user, user:*, group#member] or administrator from model
-    define consumer: [user, user:*, group#member] or administrator
-    define model: [model]
-    define reader: [user, user:*, group#member] or consumer
+type user
 
-type cloud
+type role
+ relations
+   define assignee: [user, user:*, group#member]
+
+type group
   relations
-    define administrator: [user, user:*, group#member] or administrator from controller
-    define can_addmodel: [user, user:*, group#member] or administrator
-    define controller: [controller]
+    define member: [user, user:*, group#member]
 
 type controller
   relations
-    define administrator: [user, user:*, group#member] or administrator from controller
-    define audit_log_viewer: [user, user:*, group#member] or administrator
     define controller: [controller]
+    define administrator: [user, user:*, group#member, role#assignee] or administrator from controller
+    define audit_log_viewer: [user, user:*, group#member, role#assignee] or administrator
 
 type model
   relations
-    define administrator: [user, user:*, group#member] or administrator from controller
     define controller: [controller]
-    define reader: [user, user:*, group#member] or writer
-    define writer: [user, user:*, group#member] or administrator
+    define administrator: [user, user:*, group#member, role#assignee] or administrator from controller
+    define reader: [user, user:*, group#member, role#assignee] or writer
+    define writer: [user, user:*, group#member, role#assignee] or administrator
 
-type serviceaccount
+type applicationoffer
   relations
-    define administrator: [user, user:*, group#member]
-
-type user
+    define model: [model]
+    define administrator: [user, user:*, group#member, role#assignee] or administrator from model
+    define consumer: [user, user:*, group#member, role#assignee] or administrator
+    define reader: [user, user:*, group#member, role#assignee] or consumer
 
-type role
- relations
-   define assignee: [user, user:*, group#member]
+type cloud
+  relations
+    define controller: [controller]
+    define administrator: [user, user:*, group#member, role#assignee] or administrator from controller
+    define can_addmodel: [user, user:*, group#member, role#assignee] or administrator
 
-type group
+type serviceaccount
   relations
-    define member: [user, user:*, group#member]
+    define administrator: [user, user:*, group#member, role#assignee]
+