feat(authorisation_model): adds roles to the authorisation model (#1438)
* feat(authorisation_model): adds roles to the authorisation model

Adds roles to our authorisation model

* style(openfga test): remove commented out test

* Update openfga/README.md

* docs(test structure): moves a small detail on test structure over to the readme
ale8k authored Nov 18, 2024
1 parent 428222b commit 6e717a0
Showing 5 changed files with 569 additions and 443 deletions.
5 changes: 5 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,9 @@ load-rock:
$(eval jimm_version := $(shell cat ./rocks/jimm.yaml | yq ".version"))
@sudo /snap/rockcraft/current/bin/skopeo --insecure-policy copy oci-archive:jimm_${jimm_version}_amd64.rock docker-daemon:jimm:latest

test-auth-model:
fga model test --tests ./openfga/tests.fga.yaml

define check_dep
if ! which $(1) > /dev/null; then\
echo "$(2)";\
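Review bot: `test-auth-model` produces no file, so it should be declared `.PHONY` (or confirmed to be in an existing `.PHONY` list, which this hunk does not show); otherwise a stray file of that name in the repository root would make `make` report the target up to date and skip the `fga model test` run. It is also worth wiring the new target into whatever aggregate `test` target CI already runs, so the authorisation model tests cannot silently drift from the Go tests.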
Expand All @@ -127,6 +130,8 @@ endef
APT_BASED := $(shell command -v apt-get >/dev/null; echo $$?)
sys-deps:
ifeq ($(APT_BASED),0)
# fga is required for openfga tests
@$(call check_deps,fga,Missing FGA client - install via 'go install github.com/openfga/cli/cmd/fga@latest')
# golangci-lint is necessary for linting.
@$(call check_dep,golangci-lint,Missing Golangci-lint - install from https://golangci-lint.run/welcome/install/ or 'sudo snap install golangci-lint --classic')
# Go acts as the test runner.
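Review bot: the new line `@$(call check_deps,fga,Missing FGA client - ...)` calls `check_deps`, but the macro defined in this file is `check_dep` (see `define check_dep` above and the `golangci-lint` line directly below, which uses `check_dep`). GNU make expands `$(call)` of an undefined name to the empty string, so the fga presence check never runs and a missing client is not reported. Change it to `@$(call check_dep,fga,Missing FGA client - install via 'go install github.com/openfga/cli/cmd/fga@latest')`.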
32 changes: 32 additions & 0 deletions openfga/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# openfga

## Introduction
The OpenFGA package holds our authorisation model and a go embed to pass the auth model into tests.
It also holds
tests to ensure the authorisation model is working correctly.

## Requirements

### VSCode Extension
Name: OpenFGA
Id: openfga.openfga-vscode
Description: Language support for OpenFGA authorization models
Version: 0.2.24
Publisher: OpenFGA
VS Marketplace Link: https://marketplace.visualstudio.com/items?itemName=openfga.openfga-vscode

### OpenFGA CLI
go install github.com/openfga/cli/cmd/fga@latest

## Adding / modifying [to] the authorsation model
1. Open the authorisation_model.fga
2. Make your modification
3. Open the Command Pallette using Ctrl+Shift+P (Windows) or Command+Shift+P (OSX)
4. Select OpenFGA: Transform DSL to JSON
5. Save the file over the existing authorisation_model.json
6. Add tests to tests.fga.yaml - Learn more [here](https://openfga.dev/docs/modeling/testing)
7. Run them via: `make test-auth-model`

## Test Structure
In order to avoid the potential entanglement of separate tests the tuples are artifically split into groups using this naming convention: (type):(2-letter test name)-(type)-(id)
The GitHub action supports running all tests in a directory, but keeping them in a single file improves the local development experience because the CLI does not.
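Review bot: steps 3-5 make the DSL-to-JSON conversion a manual editor action, so `authorisation_model.fga` and the `authorisation_model.json` that the go embed ships can drift apart with nothing catching it; consider regenerating the JSON from the DSL in CI (the CLI's `fga model transform` command can do this) and failing the build when the committed file differs. A few spelling fixes for the same file: "authorsation" in the `## Adding / modifying [to] the authorsation model` heading (and the bracketed "[to]" reads as a leftover), "Command Pallette" should be "Command Palette", and "artifically" should be "artificially". The test naming convention `(type):(2-letter test name)-(type)-(id)` would also benefit from one concrete example so contributors write tuples the same way.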
16 changes: 10 additions & 6 deletions openfga/authorisation_model.fga
Original file line number Diff line number Diff line change
Expand Up @@ -20,19 +20,23 @@ type controller
define audit_log_viewer: [user, user:*, group#member] or administrator
define controller: [controller]

type group
relations
define member: [user, user:*, group#member]

type model
relations
define administrator: [user, user:*, group#member] or administrator from controller
define controller: [controller]
define reader: [user, user:*, group#member] or writer
define writer: [user, user:*, group#member] or administrator

type user

type serviceaccount
relations
define administrator: [user, user:*, group#member]

type user

type role
relations
define assignee: [user, user:*, group#member]

type group
relations
define member: [user, user:*, group#member]
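Review bot: the new `role` type defines `assignee: [user, user:*, group#member]`, but none of the relations visible in this hunk (`controller.audit_log_viewer`, `model.administrator`/`reader`/`writer`, `serviceaccount.administrator`) include `role#assignee`, so as of this change assigning a role to a user grants no permission anywhere. If that is intentional groundwork, say so in the commit message and README; if not, the relations that roles are meant to confer should add `role#assignee` to their userset lists (e.g. `define administrator: [user, user:*, group#member, role#assignee] or administrator from controller`). Separately, `user:*` on `assignee` allows a role to be granted to every user at once; if the wildcard is not a deliberate use case, dropping it from `assignee` keeps role assignment explicit. Moving `type group` and `type user` to the bottom of the file is a pure reorder that makes this diff harder to review than it needs to be.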