From 67384580144ea89d7f968c0d880859f95491a783 Mon Sep 17 00:00:00 2001 From: Alexander <42068202+ale8k@users.noreply.github.com> Date: Tue, 19 Nov 2024 10:10:45 +0000 Subject: [PATCH] fix(auth model): assignee missing from each type for roles (#1444) * fix(auth model): assignee missing from each type for roles * test(fgatests): add all assignee tests * feat(authmodel): generate auth model * chore(make): rename make target auth-model-json --- Makefile | 2 + openfga/README.md | 4 +- openfga/authorisation_model.fga | 49 ++-- openfga/authorisation_model.json | 478 +------------------------------ openfga/tests.fga.yaml | 87 +++++- 5 files changed, 115 insertions(+), 505 deletions(-) diff --git a/Makefile b/Makefile index d1f05b7cc..fd89b0eda 100644 --- a/Makefile +++ b/Makefile @@ -115,6 +115,8 @@ load-rock: $(eval jimm_version := $(shell cat ./rocks/jimm.yaml | yq ".version")) @sudo /snap/rockcraft/current/bin/skopeo --insecure-policy copy oci-archive:jimm_${jimm_version}_amd64.rock docker-daemon:jimm:latest +auth-model-json: + fga model transform --file ./openfga/authorisation_model.fga > ./openfga/authorisation_model.json test-auth-model: fga model test --tests ./openfga/tests.fga.yaml diff --git a/openfga/README.md b/openfga/README.md index c0fee2ede..2f82c6435 100644 --- a/openfga/README.md +++ b/openfga/README.md @@ -21,9 +21,7 @@ go install github.com/openfga/cli/cmd/fga@latest ## Adding / modifying [to] the authorsation model 1. Open the authorisation_model.fga 2. Make your modification -3. Open the Command Pallette using Ctrl+Shift+P (Windows) or Command+Shift+P (OSX) -4. Select OpenFGA: Transform DSL to JSON -5. Save the file over the existing authorisation_model.json +3. Run: `make transform-auth-model` 6. Add tests to tests.fga.yaml - Learn more [here](https://openfga.dev/docs/modeling/testing) 7. Run them via: `make test-auth-model` diff --git a/openfga/authorisation_model.fga b/openfga/authorisation_model.fga index be4668616..d3e2b2bf7 100644 
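Review bot: The README hunk in this same commit tells contributors to run `make transform-auth-model`, but the target added to the Makefile is `auth-model-json`, so the documented step fails as written; one of the two names should change, and the README's step numbering now jumps from 3 to 6. Nothing verifies that the committed authorisation_model.json still matches the DSL it is generated from, which matters because the JSON is presumably what gets loaded into OpenFGA; a `check-auth-model` target running `fga model transform --file ./openfga/authorisation_model.fga | diff - ./openfga/authorisation_model.json`, executed in CI next to `test-auth-model`, would catch the two drifting apart. With plain `>` redirection a failed transform still truncates authorisation_model.json, so writing to a temporary file and moving it into place only on success is safer. The transform output seen further down is a single minified line, which makes future diffs of the model unreviewable; if the CLI has no pretty-print option, piping through a JSON formatter before writing is worth it. Neither target names a file, so both presumably belong in `.PHONY` if the Makefile declares one.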
--- a/openfga/authorisation_model.fga +++ b/openfga/authorisation_model.fga 
@@ -1,42 +1,43 @@ model schema 1.1 -type applicationoffer - relations - define administrator: [user, user:*, group#member] or administrator from model - define consumer: [user, user:*, group#member] or administrator - define model: [model] - define reader: [user, user:*, group#member] or consumer +type user -type cloud +type role + relations + define assignee: [user, user:*, group#member] + +type group relations - define administrator: [user, user:*, group#member] or administrator from controller - define can_addmodel: [user, user:*, group#member] or administrator - define controller: [controller] + define member: [user, user:*, group#member] type controller relations - define administrator: [user, user:*, group#member] or administrator from controller - define audit_log_viewer: [user, user:*, group#member] or administrator define controller: [controller] + define administrator: [user, user:*, group#member, role#assignee] or administrator from controller + define audit_log_viewer: [user, user:*, group#member, role#assignee] or administrator type model relations - define administrator: [user, user:*, group#member] or administrator from controller define controller: [controller] - define reader: [user, user:*, group#member] or writer - define writer: [user, user:*, group#member] or administrator + define administrator: [user, user:*, group#member, role#assignee] or administrator from controller + define reader: [user, user:*, group#member, role#assignee] or writer + define writer: [user, user:*, group#member, role#assignee] or administrator -type serviceaccount +type applicationoffer relations - define administrator: [user, user:*, group#member] - -type user + define model: [model] + define administrator: [user, user:*, group#member, role#assignee] or administrator from model + define consumer: [user, user:*, group#member, role#assignee] or administrator + define reader: [user, user:*, group#member, role#assignee] or consumer -type role - relations - define assignee: 
[user, user:*, group#member] +type cloud + relations + define controller: [controller] + define administrator: [user, user:*, group#member, role#assignee] or administrator from controller + define can_addmodel: [user, user:*, group#member, role#assignee] or administrator -type group +type serviceaccount relations - define member: [user, user:*, group#member] + define administrator: [user, user:*, group#member, role#assignee] + diff --git a/openfga/authorisation_model.json b/openfga/authorisation_model.json index 362553c60..db45d3076 100644 --- a/openfga/authorisation_model.json +++ b/openfga/authorisation_model.json 
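Review bot: `role.assignee` keeps `user:*` as a directly assignable type, and with this hunk `role#assignee` is accepted on `administrator` of controller, model, cloud, applicationoffer and serviceaccount, so a single wildcard assignee tuple on a role (the tests file already writes one) now makes every user an administrator of whatever that role is attached to. If roles are not meant to be publicly assignable, narrowing the relation to `define assignee: [user, group#member]` removes that path; if they are, the intent deserves a comment on the `role` type so the next maintainer does not read it as an oversight. The hunk also reorders every type while changing their relations, which makes the semantic change hard to audit in the diff; the reorder would be clearer as its own commit. The final `+` adds an empty trailing line after the serviceaccount block.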
@@ -1,477 +1 @@ -{ - "schema_version": "1.1", - "type_definitions": [ - { - "type": "applicationoffer", - "relations": { - "administrator": { - "union": { - "child": [ - { - "this": {} - }, - { - "tupleToUserset": { - "computedUserset": { - "relation": "administrator" - }, - "tupleset": { - "relation": "model" - } - } - } - ] - } - }, - "consumer": { - "union": { - "child": [ - { - "this": {} - }, - { - "computedUserset": { - "relation": "administrator" - } - } - ] - } - }, - "model": { - "this": {} - }, - "reader": { - "union": { - "child": [ - { - "this": {} - }, - { - "computedUserset": { - "relation": "consumer" - } - } - ] - } - } - }, - "metadata": { - "relations": { - "administrator": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - }, - "consumer": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - }, - "model": { - "directly_related_user_types": [ - { - "type": "model" - } - ] - }, - "reader": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - } - } - } - }, - { - "type": "cloud", - "relations": { - "administrator": { - "union": { - "child": [ - { - "this": {} - }, - { - "tupleToUserset": { - "computedUserset": { - "relation": "administrator" - }, - "tupleset": { - "relation": "controller" - } - } - } - ] - } - }, - "can_addmodel": { - "union": { - "child": [ - { - "this": {} - }, - { - "computedUserset": { - "relation": "administrator" - } - } - ] - } - }, - "controller": { - "this": {} - } - }, - "metadata": { - "relations": { - "administrator": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - }, - 
"can_addmodel": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - }, - "controller": { - "directly_related_user_types": [ - { - "type": "controller" - } - ] - } - } - } - }, - { - "type": "controller", - "relations": { - "administrator": { - "union": { - "child": [ - { - "this": {} - }, - { - "tupleToUserset": { - "computedUserset": { - "relation": "administrator" - }, - "tupleset": { - "relation": "controller" - } - } - } - ] - } - }, - "audit_log_viewer": { - "union": { - "child": [ - { - "this": {} - }, - { - "computedUserset": { - "relation": "administrator" - } - } - ] - } - }, - "controller": { - "this": {} - } - }, - "metadata": { - "relations": { - "administrator": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - }, - "audit_log_viewer": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - }, - "controller": { - "directly_related_user_types": [ - { - "type": "controller" - } - ] - } - } - } - }, - { - "type": "model", - "relations": { - "administrator": { - "union": { - "child": [ - { - "this": {} - }, - { - "tupleToUserset": { - "computedUserset": { - "relation": "administrator" - }, - "tupleset": { - "relation": "controller" - } - } - } - ] - } - }, - "controller": { - "this": {} - }, - "reader": { - "union": { - "child": [ - { - "this": {} - }, - { - "computedUserset": { - "relation": "writer" - } - } - ] - } - }, - "writer": { - "union": { - "child": [ - { - "this": {} - }, - { - "computedUserset": { - "relation": "administrator" - } - } - ] - } - } - }, - "metadata": { - "relations": { - "administrator": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - 
"type": "group", - "relation": "member" - } - ] - }, - "controller": { - "directly_related_user_types": [ - { - "type": "controller" - } - ] - }, - "reader": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - }, - "writer": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - } - } - } - }, - { - "type": "serviceaccount", - "relations": { - "administrator": { - "this": {} - } - }, - "metadata": { - "relations": { - "administrator": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - } - } - } - }, - { - "type": "user", - "relations": {}, - "metadata": null - }, - { - "type": "role", - "relations": { - "assignee": { - "this": {} - } - }, - "metadata": { - "relations": { - "assignee": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - } - } - } - }, - { - "type": "group", - "relations": { - "member": { - "this": {} - } - }, - "metadata": { - "relations": { - "member": { - "directly_related_user_types": [ - { - "type": "user" - }, - { - "type": "user", - "wildcard": {} - }, - { - "type": "group", - "relation": "member" - } - ] - } - } - } - } - ] -} \ No newline at end of file 
+{"schema_version":"1.1","type_definitions":[{"type":"user"},{"metadata":{"relations":{"assignee":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"}]}}},"relations":{"assignee":{"this":{}}},"type":"role"},{"metadata":{"relations":{"member":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"}]}}},"relations":{"member":{"this":{}}},"type":"group"},{"metadata":{"relations":{"administrator":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"audit_log_viewer":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"controller":{"directly_related_user_types":[{"type":"controller"}]}}},"relations":{"administrator":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"administrator"},"tupleset":{"relation":"controller"}}}]}},"audit_log_viewer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"administrator"}}]}},"controller":{"this":{}}},"type":"controller"},{"metadata":{"relations":{"administrator":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"controller":{"directly_related_user_types":[{"type":"controller"}]},"reader":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"writer":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]}}},"relations":{"administrator":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"administrator"},"tupleset":{"relation":"controller"}}}]}},"co
ntroller":{"this":{}},"reader":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"writer"}}]}},"writer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"administrator"}}]}}},"type":"model"},{"metadata":{"relations":{"administrator":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"consumer":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"model":{"directly_related_user_types":[{"type":"model"}]},"reader":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]}}},"relations":{"administrator":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"administrator"},"tupleset":{"relation":"model"}}}]}},"consumer":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"administrator"}}]}},"model":{"this":{}},"reader":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"consumer"}}]}}},"type":"applicationoffer"},{"metadata":{"relations":{"administrator":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"can_addmodel":{"directly_related_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]},"controller":{"directly_related_user_types":[{"type":"controller"}]}}},"relations":{"administrator":{"union":{"child":[{"this":{}},{"tupleToUserset":{"computedUserset":{"relation":"administrator"},"tupleset":{"relation":"controller"}}}]}},"can_addmodel":{"union":{"child":[{"this":{}},{"computedUserset":{"relation":"administrator"}}]}},"controller":{"this":{}}},"type":"cloud"},{"metadata":{"relations":{"administrator":{"directly_relat
ed_user_types":[{"type":"user"},{"type":"user","wildcard":{}},{"relation":"member","type":"group"},{"relation":"assignee","type":"role"}]}}},"relations":{"administrator":{"this":{}}},"type":"serviceaccount"}]} diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml index 1512d4d9e..dd862d896 100644 --- a/openfga/tests.fga.yaml +++ b/openfga/tests.fga.yaml @@ -18,7 +18,7 @@ tuples: relation: assignee object: role:ro-role-1 - # User to role via group + # User to role via group with resources - user: user:ro-user-2 relation: member object: group:ro-group-1 @@ -27,6 +27,40 @@ tuples: relation: assignee object: role:ro-role-2 + - user: role:ro-role-2#assignee + relation: administrator + object: controller:ro-controller-1 + - user: role:ro-role-2#assignee + relation: audit_log_viewer + object: controller:ro-controller-2 + + - user: role:ro-role-2#assignee + relation: administrator + object: model:ro-model-1 + - user: role:ro-role-2#assignee + relation: reader + object: model:ro-model-2 + - user: role:ro-role-2#assignee + relation: writer + object: model:ro-model-3 + + - user: role:ro-role-2#assignee + relation: administrator + object: applicationoffer:ro-applicationoffer-1 + - user: role:ro-role-2#assignee + relation: reader + object: applicationoffer:ro-applicationoffer-2 + - user: role:ro-role-2#assignee + relation: consumer + object: applicationoffer:ro-applicationoffer-3 + + - user: role:ro-role-2#assignee + relation: administrator + object: cloud:ro-cloud-1 + - user: role:ro-role-2#assignee + relation: can_addmodel + object: cloud:ro-cloud-2 + # Wildcard user to role - user: user:* relation: assignee 
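Review bot: The tuples added in the `@@ -27,6 +27,40 @@` hunk attach `role:ro-role-2#assignee` to controller, model, applicationoffer and cloud objects but not to a `serviceaccount`, even though the model hunk adds `role#assignee` to `serviceaccount.administrator`; that relation is left untested. Adding `- user: role:ro-role-2#assignee` / `relation: administrator` / `object: serviceaccount:ro-serviceaccount-1` here, with a matching assertion in the tests section, closes the gap. The comment change in the `@@ -18,7 +18,7 @@` hunk ("User to role via group with resources") presumably describes the group-to-role tuple that is cut off above; if so, a short note that the resource tuples below all hang off ro-role-2 would make the fixture easier to follow.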
@@ -213,6 +247,57 @@ tests: assertions: assignee: true + - user: user:ro-user-2 + object: controller:ro-controller-1 + assertions: + administrator: true + + - user: user:ro-user-2 + object: controller:ro-controller-2 + assertions: + audit_log_viewer: true + + - user: user:ro-user-2 + object: model:ro-model-1 + assertions: + administrator: true + + - user: user:ro-user-2 + object: model:ro-model-2 + assertions: + reader: true + + - user: user:ro-user-2 + object: model:ro-model-3 + assertions: + writer: true + + - user: user:ro-user-2 + object: applicationoffer:ro-applicationoffer-1 + assertions: + administrator: true + + + - user: user:ro-user-2 + object: applicationoffer:ro-applicationoffer-2 + assertions: + reader: true + + - user: user:ro-user-2 + object: applicationoffer:ro-applicationoffer-3 + assertions: + consumer: true + + - user: user:ro-user-2 + object: cloud:ro-cloud-1 + assertions: + administrator: true + + - user: user:ro-user-2 + object: cloud:ro-cloud-2 + assertions: + can_addmodel: true + list_objects: - user: user:ro-user-3 type: role
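Review bot: Every assertion added here is a positive check for `user:ro-user-2`, the user that reaches ro-role-2 through group:ro-group-1; there is no negative assertion showing that a user outside that group is denied, so a model that over-grants `administrator` would still pass this suite. Adding a companion block such as `- user: user:ro-user-3` / `object: controller:ro-controller-1` / `assertions:` `administrator: false` (assuming ro-user-3 is not a member of ro-group-1, which this hunk does not show) would pin the denial as well as the grant. The double blank line after the applicationoffer-1 assertion breaks the one-blank-line spacing used by the rest of the block.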