From 7c5cbedaff2265889f802bcb42db194301493d97 Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Thu, 20 Jun 2024 10:18:47 +0000
Subject: [PATCH 1/9] Add OpenFGA auth model tests

---
 openfga/tests.fga.yaml | 328 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 328 insertions(+)
 create mode 100644 openfga/tests.fga.yaml

diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
new file mode 100644
index 000000000..2b14ef9c4
--- /dev/null
+++ b/openfga/tests.fga.yaml
@@ -0,0 +1,328 @@
+model_file: ./authorisation_model.fga
+
+# In order to avoid the potential entanglement of separate tests the tuples are artifically split into groups using this naming convention: (type):(2-letter test name)-(id)
+# The GitHub action supports running all tests in a directory, but keeping them in a single file improves the local development experience because the CLI does not.
+tuples:
+ # Group
+ - user: user:gr-1
+ relation: member
+ object: group:gr-1
+ - user: group:gr-1#member
+ relation: member
+ object: group:gr-2
+ - user: user:*
+ relation: member
+ object: group:gr-3
+
+ # Controller
+ - user: user:co-1
+ relation: administrator
+ object: controller:co-1
+ - user: controller:co-1
+ relation: controller
+ object: controller:co-2
+ - user: user:*
+ relation: administrator
+ object: controller:co-2
+ - user: group:co-1#member
+ relation: administrator
+ object: controller:co-2
+ - user: user:co-2
+ relation: audit_log_viewer
+ object: controller:co-1
+
+ # Model
+ - user: user:mo-1
+ relation: administrator
+ object: model:mo-1
+ - user: user:*
+ relation: administrator
+ object: model:mo-2
+ - user: group:mo-1#member
+ relation: administrator
+ object: model:mo-1
+ - user: controller:mo-1
+ relation: controller
+ object: model:mo-1
+ - user: user:mo-3
+ relation: administrator
+ object: controller:mo-1
+ - user: group:mo-2#member
+ relation: writer
+ object: model:mo-1
+ - user: user:mo-4
+ relation: reader
+ object: model:mo-1
+
+ # Cloud
+ - user: user:cl-1
+ relation: administrator
+ object: cloud:cl-1
+ - user: user:*
+ relation: administrator
+ object: cloud:cl-2
+ - user: group:cl-1#member
+ relation: administrator
+ object: cloud:cl-1
+ - user: user:cl-2
+ relation: administrator
+ object: controller:cl-1
+ - user: controller:cl-1
+ relation: controller
+ object: cloud:cl-1
+ - user: group:cl-2#member
+ relation: can_addmodel
+ object: cloud:cl-1
+
+ # Application Offer
+ - user: user:ao-1
+ relation: administrator
+ object: applicationoffer:ao-1
+ - user: user:*
+ relation: administrator
+ object: applicationoffer:ao-2
+ - user: group:ao-1#member
+ relation: administrator
+ object: applicationoffer:ao-1
+ - user: user:ao-2
+ relation: administrator
+ object: model:ao-1
+ - user: model:ao-1
+ relation: model
+ object: applicationoffer:ao-1
+ - user: group:ao-2#member
+ relation: consumer
+ object: applicationoffer:ao-1
+ - user: user:ao-3
+ relation: reader
+ object: applicationoffer:ao-1
+
+ # Service Account
+ - user: user:sa-1
+ relation: administator
+ object: serviceaccount:sa-1
+ - user: user:*
+ relation: administator
+ object: serviceaccount:sa-2
+ - user: group:sa-1#member
+ relation: administator
+ object: serviceaccount:sa-1
+
+# Tests directly correspond to the types available in JIMM's authorisation model
+tests:
+ # Ensures:
+ # - all or individual users can become members of a group
+ # - group membership can have multiple layers
+ - name: Group
+ list_objects:
+ - user: user:gr-1
+ type: group
+ assertions:
+ member:
+ - group:gr-1
+ - group:gr-2
+ - group:gr-3
+
+ # Checks whether:
+ # - all or invididual users, or group members can become administators and audit_log_viewers of a controller
+ # - controllers can be related to each other with correct inheritance of administrator
+ # - audit_log_viewer is a weaker relation that administrator
+ - name: Controller
+ list_objects:
+ - user: user:co-1
+ type: controller
+ assertions:
+ administrator:
+ - controller:co-1
+ - controller:co-2
+ audit_log_viewer:
+ - controller:co-1
+ - controller:co-2
+ - user: group:co-1#member
+ type: controller
+ assertions:
+ administrator:
+ - controller:co-2
+ audit_log_viewer:
+ - controller:co-2
+ check:
+ - user: user:co-2
+ object: controller:co-1
+ assertions:
+ audit_log_viewer: true
+ administrator: false
+
+ # Ensures:
+ # - all or individual users, as well as group members can take part in appropriate relations
+ # - correct relationship with controllers and inheritance of administators from them
+ # - appropriate hierachy of relations in the following order: administrator > writer > reader
+ - name: Model
+ list_objects:
+ - user: user:mo-1
+ type: model
+ assertions:
+ administrator:
+ - model:mo-1
+ - model:mo-2
+ writer:
+ - model:mo-1
+ - model:mo-2
+ reader:
+ - model:mo-1
+ - model:mo-2
+ - user: group:mo-1#member
+ type: model
+ assertions:
+ administrator:
+ - model:mo-1
+ writer:
+ - model:mo-1
+ reader:
+ - model:mo-1
+ - user: controller:mo-1
+ type: model
+ assertions:
+ controller:
+ - model:mo-1
+ - user: user:mo-3
+ type: model
+ assertions:
+ administrator:
+ - model:mo-1
+ - model:mo-2
+ writer:
+ - model:mo-1
+ - model:mo-2
+ reader:
+ - model:mo-1
+ - model:mo-2
+ check:
+ - user: group:mo-2#member
+ object: model:mo-1
+ assertions:
+ writer: true
+ reader: true
+ administrator: false
+ - user: user:mo-4
+ object: model:mo-1
+ assertions:
+ writer: false
+ reader: true
+ administrator: false
+
+ # Makes sure that:
+ # - all or individual users, as well as group members, can enter relations with a cloud
+ # - the controller relation and inheritance of their administrators is correct
+ # - proper hierarchy of relations: administrator > can_addmodel
+ - name: Cloud
+ list_objects:
+ - user: user:cl-1
+ type: cloud
+ assertions:
+ administrator:
+ - cloud:cl-1
+ - cloud:cl-2
+ can_addmodel:
+ - cloud:cl-1
+ - cloud:cl-2
+ - user: group:cl-1#member
+ type: cloud
+ assertions:
+ administrator:
+ - cloud:cl-1
+ can_addmodel:
+ - cloud:cl-1
+ - user: controller:cl-1
+ type: cloud
+ assertions:
+ controller:
+ - cloud:cl-1
+ - user: user:cl-2
+ type: cloud
+ assertions:
+ administrator:
+ - cloud:cl-1
+ - cloud:cl-2
+ can_addmodel:
+ - cloud:cl-1
+ - cloud:cl-2
+ check:
+ - user: group:cl-2#member
+ object: cloud:cl-1
+ assertions:
+ can_addmodel: true
+ administrator: false
+
+ # Similarly as the other tests it enforces that:
+ # - individual or all users, or group members can enter relations with applicationoffer
+ # - applicationoffer can relate to models and inherit their administrators
+ # - hierarchy of relations has the correct order, that is: administrator > consumer > reader.
+ - name: Application Offer
+ list_objects:
+ - user: user:ao-1
+ type: applicationoffer
+ assertions:
+ administrator:
+ - applicationoffer:ao-1
+ - applicationoffer:ao-2
+ consumer:
+ - applicationoffer:ao-1
+ - applicationoffer:ao-2
+ reader:
+ - applicationoffer:ao-1
+ - applicationoffer:ao-2
+ - user: group:ao-1#member
+ type: applicationoffer
+ assertions:
+ administrator:
+ - applicationoffer:ao-1
+ consumer:
+ - applicationoffer:ao-1
+ reader:
+ - applicationoffer:ao-1
+ - user: model:ao-1
+ type: applicationoffer
+ assertions:
+ model:
+ - applicationoffer:ao-1
+ - user: user:ao-2
+ type: applicationoffer
+ assertions:
+ administrator:
+ - applicationoffer:ao-1
+ - applicationoffer:ao-2
+ consumer:
+ - applicationoffer:ao-1
+ - applicationoffer:ao-2
+ reader:
+ - applicationoffer:ao-1
+ - applicationoffer:ao-2
+ check:
+ - user: group:ao-2#member
+ object: applicationoffer:ao-1
+ assertions:
+ administrator: false
+ consumer: true
+ reader: true
+ - user: user:ao-3
+ object: applicationoffer:ao-1
+ assertions:
+ administrator: false
+ consumer: false
+ reader: true
+
+ # Guarantees that all or individual users, or group members can become administrators of a service account
+ - name: Service Account
+ list_objects:
+ - user: user:sa-1
+ type: serviceaccount
+ assertions:
+ administator:
+ - serviceaccount:sa-1
+ - serviceaccount:sa-2
+ - user: group:sa-1#member
+ type: serviceaccount
+ assertions:
+ administator:
+ - serviceaccount:sa-1
+
\ No newline at end of file

From 3e74ba0776a526533353fba97f7ba834df78d64f Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Thu, 20 Jun 2024 10:19:52 +0000
Subject: [PATCH 2/9] Include OpenFGA tests as a step in CI

---
 .github/workflows/ci.yaml | 5 +++++
 1 file changed, 5 insertions(+)
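Review bot: The Controller test's inheritance assertion is masked by a wildcard: `controller:co-2` also carries a `user:* administrator` tuple, so `user:co-1` listing `controller:co-2` under `administrator:` (and under `audit_log_viewer:`) passes even if the `controller:co-1 → controller:co-2` link propagates nothing, which is exactly what the test comment says it checks. Move the public grant to a separate object, e.g. add a `controller:co-3` that carries the `user:*` tuple and keep `controller:co-2` reachable only through `controller:co-1`, so the inherited path is asserted on its own; the Model and Cloud tests already avoid this because `model:mo-1` and `cloud:cl-1` have no wildcard tuple. Whether the model really derives `administrator` from the `controller` relation is not visible here; the comment implies it. The hunk is the whole new file.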
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 13b0a1e50..0b6c061dd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -71,6 +71,11 @@ jobs:
 - name: Start test environment
 run: docker compose up -d --wait
 
+ - name: Run OpenFGA authorisation model tests
+ uses: openfga/action-openfga-test@v0.1.0
+ with:
+ store-file-path: ./openfga/tests.fga.yaml
+
 - name: Build and Test
 run: go test -mod readonly ./... -timeout 1h -cover
 env:

From a0b7f633b8523f8ab55a879f9f49320ee9f02ef2 Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Thu, 20 Jun 2024 13:09:43 +0000
Subject: [PATCH 3/9] Add assertions requested in PR comments

---
 openfga/tests.fga.yaml | 41 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
index 2b14ef9c4..72d5fdd36 100644
--- a/openfga/tests.fga.yaml
+++ b/openfga/tests.fga.yaml
@@ -24,12 +24,21 @@ tuples:
 - user: user:*
 relation: administrator
 object: controller:co-2
+ - user: user:co-2
+ relation: audit_log_viewer
+ object: controller:co-1
+ - user: user:co-3
+ relation: member
+ object: group:co-1
 - user: group:co-1#member
 relation: administrator
 object: controller:co-2
- - user: user:co-2
+ - user: user:co-4
+ relation: member
+ object: group:co-2
+ - user: group:co-2#member
 relation: audit_log_viewer
- object: controller:co-1
+ object: controller:co-2
 
 # Model
 - user: user:mo-1
@@ -53,6 +62,12 @@ tuples:
 - user: user:mo-4
 relation: reader
 object: model:mo-1
+ - user: user:mo-5
+ relation: member
+ object: group:mo-3
+ - user: group:mo-3#member
+ relation: writer
+ object: model:mo-1
 
 # Cloud
 - user: user:cl-1
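Review bot: `uses: openfga/action-openfga-test@v0.1.0` pins a mutable tag, so third-party code that runs in this job, with the repository checkout available to it, can change under the same version string; the rest of the workflow is outside the hunk, so I cannot tell whether the other actions here are already SHA-pinned. Pin to the release's full commit SHA and keep the tag as a trailing comment, `uses: openfga/action-openfga-test@<full-commit-sha>  # v0.1.0`, and let whatever dependency-update tooling the repository uses move it. The step is also placed after `docker compose up -d --wait`, although the `with:` block suggests it needs only the model and test file; running it before the environment starts would fail fast on model errors without waiting for the containers.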
@@ -145,6 +160,17 @@ tests:
 - controller:co-2
 audit_log_viewer:
 - controller:co-2
+ - user: user:co-3
+ type: controller
+ assertions:
+ administrator:
+ - controller:co-2
+ - user: user:co-4
+ type: controller
+ assertions:
+ audit_log_viewer:
+ - controller:co-2
+
 check:
 - user: user:co-2
 object: controller:co-1
@@ -196,6 +222,17 @@ tests:
 reader:
 - model:mo-1
 - model:mo-2
+ - user: user:mo-5
+ type: model
+ assertions:
+ administrator:
+ - model:mo-2
+ writer:
+ - model:mo-1
+ - model:mo-2
+ reader:
+ - model:mo-1
+ - model:mo-2
 check:
 - user: group:mo-2#member
 object: model:mo-1

From fc54f92751cceac1bc09d03bce7384bc5da7604b Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Fri, 21 Jun 2024 10:29:58 +0000
Subject: [PATCH 4/9] Fix typo in comment

---
 openfga/tests.fga.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
index 72d5fdd36..0b1367c6d 100644
--- a/openfga/tests.fga.yaml
+++ b/openfga/tests.fga.yaml
@@ -140,8 +140,8 @@ tests:
 
 # Checks whether:
 # - all or invididual users, or group members can become administators and audit_log_viewers of a controller
- # - controllers can be related to each other with correct inheritance of administrator
- # - audit_log_viewer is a weaker relation that administrator
+ # - controllers can be related to each other with correct inheritance of administrators
+ # - proper hierarchy of relations is upheld: administrator > audit_log_viewer
 - name: Controller
 list_objects:
 - user: user:co-1

From ba5c3fdc2d4caf4aefe53130fa1966e9883f967c Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Fri, 21 Jun 2024 10:40:11 +0000
Subject: [PATCH 5/9] Add comment explaining OpenFGA CLI usage, fix a typo in the administrator relation of serviceaccount

---
 openfga/authorisation_model.fga | 2 +-
 openfga/tests.fga.yaml | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/openfga/authorisation_model.fga b/openfga/authorisation_model.fga
index b1d90c74b..793151ccf 100644
--- a/openfga/authorisation_model.fga
+++ b/openfga/authorisation_model.fga
@@ -35,4 +35,4 @@ type user
 
 type serviceaccount
 relations
- define administator: [user, user:*, group#member]
+ define administrator: [user, user:*, group#member]
diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
index 0b1367c6d..b8a534891 100644
--- a/openfga/tests.fga.yaml
+++ b/openfga/tests.fga.yaml
@@ -1,3 +1,8 @@
+# OpenFGA CLI instructions
+#
+# Installation: https://github.com/openfga/cli?tab=readme-ov-file#installation
+# Command: fga model test --tests tests.fga.yaml
+
 model_file: ./authorisation_model.fga
 
 # In order to avoid the potential entanglement of separate tests the tuples are artifically split into groups using this naming convention: (type):(2-letter test name)-(id)
@@ -114,13 +119,13 @@ tuples:
 
 # Service Account
 - user: user:sa-1
- relation: administator
+ relation: administrator
 object: serviceaccount:sa-1
 - user: user:*
- relation: administator
+ relation: administrator
 object: serviceaccount:sa-2
 - user: group:sa-1#member
- relation: administator
+ relation: administrator
 object: serviceaccount:sa-1
 
 # Tests directly correspond to the types available in JIMM's authorisation model
@@ -354,12 +359,12 @@ tests:
 - user: user:sa-1
 type: serviceaccount
 assertions:
- administator:
+ administrator:
 - serviceaccount:sa-1
 - serviceaccount:sa-2
 - user: group:sa-1#member
 type: serviceaccount
 assertions:
- administator:
+ administrator:
 - serviceaccount:sa-1
 
\ No newline at end of file

From fb90f06d16c6560e884898a227462bd1805c8d78 Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Fri, 21 Jun 2024 10:45:47 +0000
Subject: [PATCH 6/9] Add remaining test cases for indirect relations through a group

---
 openfga/tests.fga.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
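Review bot: Renaming `administator` to `administrator` in `type serviceaccount` is an authorization-model schema change, not only a typo fix: any tuple already stored under the old relation name stops matching the model once the new version is written, and any Go code or fixture that still spells the relation the old way stops resolving, so existing service-account grants would disappear silently rather than fail loudly. Whether such tuples or references exist is not visible in this hunk; before merging, grep the repository for the misspelled string and, if a deployed store was populated under the old model, ship a tuple migration (write the corrected relation, then delete the old one) alongside the model bump. The tests.fga.yaml hunks in this commit only follow the rename and need nothing further.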
diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
index b8a534891..91b916ad7 100644
--- a/openfga/tests.fga.yaml
+++ b/openfga/tests.fga.yaml
@@ -93,6 +93,12 @@ tuples:
 - user: group:cl-2#member
 relation: can_addmodel
 object: cloud:cl-1
+ - user: user:cl-3
+ relation: member
+ object: group:cl-3
+ - user: group:cl-3#member
+ relation: can_addmodel
+ object: cloud:cl-1
 
 # Application Offer
 - user: user:ao-1
@@ -116,6 +122,18 @@ tuples:
 - user: user:ao-3
 relation: reader
 object: applicationoffer:ao-1
+ - user: user:ao-4
+ relation: member
+ object: group:ao-3
+ - user: group:ao-3#member
+ relation: consumer
+ object: applicationoffer:ao-1
+ - user: user:ao-5
+ relation: member
+ object: group:ao-4
+ - user: group:ao-4#member
+ relation: reader
+ object: applicationoffer:ao-1
 
 # Service Account
 - user: user:sa-1
@@ -294,6 +312,11 @@ tests:
 assertions:
 can_addmodel: true
 administrator: false
+ - user: user:cl-3
+ object: cloud:cl-1
+ assertions:
+ can_addmodel: true
+ administrator: false
 
 # Similarly as the other tests it enforces that:
 # - individual or all users, or group members can enter relations with applicationoffer
@@ -352,6 +375,18 @@ tests:
 administrator: false
 consumer: false
 reader: true
+ - user: user:ao-4
+ object: applicationoffer:ao-1
+ assertions:
+ administrator: false
+ consumer: true
+ reader: true
+ - user: user:ao-5
+ object: applicationoffer:ao-1
+ assertions:
+ administrator: false
+ consumer: false
+ reader: true
 
 # Guarantees that all or individual users, or group members can become administrators of a service account
 - name: Service Account

From c2678cb463a9cc4398e46f1df33222e54b9e1946 Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Fri, 21 Jun 2024 13:41:47 +0000
Subject: [PATCH 7/9] Add type name to object names per Kian's request

---
 openfga/tests.fga.yaml | 358 ++++++++++++++++++++--------------------
 1 file changed, 179 insertions(+), 179 deletions(-)
diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
index 91b916ad7..da5ab57fc 100644
--- a/openfga/tests.fga.yaml
+++ b/openfga/tests.fga.yaml
@@ -5,146 +5,146 @@
 
 model_file: ./authorisation_model.fga
 
-# In order to avoid the potential entanglement of separate tests the tuples are artifically split into groups using this naming convention: (type):(2-letter test name)-(id)
+# In order to avoid the potential entanglement of separate tests the tuples are artifically split into groups using this naming convention: (type):(2-letter test name)-(type)-(id)
 # The GitHub action supports running all tests in a directory, but keeping them in a single file improves the local development experience because the CLI does not.
 tuples:
 # Group
- - user: user:gr-1
+ - user: user:gr-user-1
 relation: member
- object: group:gr-1
+ object: group:gr-group-1
- - user: group:gr-1#member
+ - user: group:gr-group-1#member
 relation: member
- object: group:gr-2
+ object: group:gr-group-2
 - user: user:*
 relation: member
- object: group:gr-3
+ object: group:gr-group-3
 
 # Controller
- - user: user:co-1
+ - user: user:co-user-1
 relation: administrator
- object: controller:co-1
- - user: controller:co-1
+ object: controller:co-controller-1
+ - user: controller:co-controller-1
 relation: controller
- object: controller:co-2
+ object: controller:co-controller-2
 - user: user:*
 relation: administrator
- object: controller:co-2
- - user: user:co-2
+ object: controller:co-controller-2
+ - user: user:co-user-2
 relation: audit_log_viewer
- object: controller:co-1
- - user: user:co-3
+ object: controller:co-controller-1
+ - user: user:co-user-3
 relation: member
- object: group:co-1
- - user: group:co-1#member
+ object: group:co-group-1
+ - user: group:co-group-1#member
 relation: administrator
- object: controller:co-2
- - user: user:co-4
+ object: controller:co-controller-2
+ - user: user:co-user-4
 relation: member
- object: group:co-2
- - user: group:co-2#member
+ object: group:co-group-2
+ - user: group:co-group-2#member
 relation: audit_log_viewer
- object: controller:co-2
+ object: controller:co-controller-2
 
 # Model
- - user: user:mo-1
+ - user: user:mo-user-1
 relation: administrator
- object: model:mo-1
+ object: model:mo-model-1
 - user: user:*
 relation: administrator
- object: model:mo-2
- - user: group:mo-1#member
+ object: model:mo-model-2
+ - user: group:mo-group-1#member
 relation: administrator
- object: model:mo-1
- - user: controller:mo-1
+ object: model:mo-model-1
+ - user: controller:mo-controller-1
 relation: controller
- object: model:mo-1
- - user: user:mo-3
+ object: model:mo-model-1
+ - user: user:mo-user-3
 relation: administrator
- object: controller:mo-1
- - user: group:mo-2#member
+ object: controller:mo-controller-1
+ - user: group:mo-group-2#member
 relation: writer
- object: model:mo-1
- - user: user:mo-4
+ object: model:mo-model-1
+ - user: user:mo-user-4
 relation: reader
- object: model:mo-1
- - user: user:mo-5
+ object: model:mo-model-1
+ - user: user:mo-user-5
 relation: member
- object: group:mo-3
- - user: group:mo-3#member
+ object: group:mo-group-3
+ - user: group:mo-group-3#member
 relation: writer
- object: model:mo-1
+ object: model:mo-model-1
 
 # Cloud
- - user: user:cl-1
+ - user: user:cl-user-1
 relation: administrator
- object: cloud:cl-1
+ object: cloud:cl-cloud-1
 - user: user:*
 relation: administrator
- object: cloud:cl-2
- - user: group:cl-1#member
+ object: cloud:cl-cloud-2
+ - user: group:cl-group-1#member
 relation: administrator
- object: cloud:cl-1
- - user: user:cl-2
+ object: cloud:cl-cloud-1
+ - user: user:cl-user-2
 relation: administrator
- object: controller:cl-1
- - user: controller:cl-1
+ object: controller:cl-controller-1
+ - user: controller:cl-controller-1
 relation: controller
- object: cloud:cl-1
- - user: group:cl-2#member
+ object: cloud:cl-cloud-1
+ - user: group:cl-group-2#member
 relation: can_addmodel
- object: cloud:cl-1
- - user: user:cl-3
+ object: cloud:cl-cloud-1
+ - user: user:cl-user-3
 relation: member
- object: group:cl-3
- - user: group:cl-3#member
+ object: group:cl-group-3
+ - user: group:cl-group-3#member
 relation: can_addmodel
- object: cloud:cl-1
+ object: cloud:cl-cloud-1
 
 # Application Offer
- - user: user:ao-1
+ - user: user:ao-user-1
 relation: administrator
- object: applicationoffer:ao-1
+ object: applicationoffer:ao-applicationoffer-1
 - user: user:*
 relation: administrator
- object: applicationoffer:ao-2
- - user: group:ao-1#member
+ object: applicationoffer:ao-applicationoffer-2
+ - user: group:ao-group-1#member
 relation: administrator
- object: applicationoffer:ao-1
- - user: user:ao-2
+ object: applicationoffer:ao-applicationoffer-1
+ - user: user:ao-user-2
 relation: administrator
- object: model:ao-1
- - user: model:ao-1
+ object: model:ao-model-1
+ - user: model:ao-model-1
 relation: model
- object: applicationoffer:ao-1
- - user: group:ao-2#member
+ object: applicationoffer:ao-applicationoffer-1
+ - user: group:ao-group-2#member
 relation: consumer
- object: applicationoffer:ao-1
- - user: user:ao-3
+ object: applicationoffer:ao-applicationoffer-1
+ - user: user:ao-user-3
 relation: reader
- object: applicationoffer:ao-1
- - user: user:ao-4
+ object: applicationoffer:ao-applicationoffer-1
+ - user: user:ao-user-4
 relation: member
- object: group:ao-3
- - user: group:ao-3#member
+ object: group:ao-group-3
+ - user: group:ao-group-3#member
 relation: consumer
- object: applicationoffer:ao-1
- - user: user:ao-5
+ object: applicationoffer:ao-applicationoffer-1
+ - user: user:ao-user-5
 relation: member
- object: group:ao-4
- - user: group:ao-4#member
+ object: group:ao-group-4
+ - user: group:ao-group-4#member
 relation: reader
- object: applicationoffer:ao-1
+ object: applicationoffer:ao-applicationoffer-1
 
 # Service Account
- - user: user:sa-1
+ - user: user:sa-user-1
 relation: administrator
- object: serviceaccount:sa-1
+ object: serviceaccount:sa-serviceaccount-1
 - user: user:*
 relation: administrator
- object: serviceaccount:sa-2
- - user: group:sa-1#member
+ object: serviceaccount:sa-serviceaccount-2
+ - user: group:sa-group-1#member
 relation: administrator
- object: serviceaccount:sa-1
+ object: serviceaccount:sa-serviceaccount-1
 
 # Tests directly correspond to the types available in JIMM's authorisation model
 tests:
@@ -153,13 +153,13 @@ tests:
 # - group membership can have multiple layers
 - name: Group
 list_objects:
- - user: user:gr-1
+ - user: user:gr-user-1
 type: group
 assertions:
 member:
- - group:gr-1
- - group:gr-2
- - group:gr-3
+ - group:gr-group-1
+ - group:gr-group-2
+ - group:gr-group-3
 
 # Checks whether:
 # - all or invididual users, or group members can become administators and audit_log_viewers of a controller
@@ -167,36 +167,36 @@ tests:
 # - proper hierarchy of relations is upheld: administrator > audit_log_viewer
 - name: Controller
 list_objects:
- - user: user:co-1
+ - user: user:co-user-1
 type: controller
 assertions:
 administrator:
- - controller:co-1
- - controller:co-2
+ - controller:co-controller-1
+ - controller:co-controller-2
 audit_log_viewer:
- - controller:co-1
- - controller:co-2
- - user: group:co-1#member
+ - controller:co-controller-1
+ - controller:co-controller-2
+ - user: group:co-group-1#member
 type: controller
 assertions:
 administrator:
- - controller:co-2
+ - controller:co-controller-2
 audit_log_viewer:
- - controller:co-2
- - user: user:co-3
+ - controller:co-controller-2
+ - user: user:co-user-3
 type: controller
 assertions:
 administrator:
- - controller:co-2
- - user: user:co-4
+ - controller:co-controller-2
+ - user: user:co-user-4
 type: controller
 assertions:
 audit_log_viewer:
- - controller:co-2
+ - controller:co-controller-2
 
 check:
- - user: user:co-2
- object: controller:co-1
+ - user: user:co-user-2
+ object: controller:co-controller-1
 assertions:
 audit_log_viewer: true
 administrator: false
@@ -207,64 +207,64 @@ tests:
 # - appropriate hierachy of relations in the following order: administrator > writer > reader
 - name: Model
 list_objects:
- - user: user:mo-1
+ - user: user:mo-user-1
 type: model
 assertions:
 administrator:
- - model:mo-1
- - model:mo-2
+ - model:mo-model-1
+ - model:mo-model-2
 writer:
- - model:mo-1
- - model:mo-2
+ - model:mo-model-1
+ - model:mo-model-2
 reader:
- - model:mo-1
- - model:mo-2
- - user: group:mo-1#member
+ - model:mo-model-1
+ - model:mo-model-2
+ - user: group:mo-group-1#member
 type: model
 assertions:
 administrator:
- - model:mo-1
+ - model:mo-model-1
 writer:
- - model:mo-1
+ - model:mo-model-1
 reader:
- - model:mo-1
- - user: controller:mo-1
+ - model:mo-model-1
+ - user: controller:mo-controller-1
 type: model
 assertions:
 controller:
- - model:mo-1
- - user: user:mo-3
+ - model:mo-model-1
+ - user: user:mo-user-3
 type: model
 assertions:
 administrator:
- - model:mo-1
- - model:mo-2
+ - model:mo-model-1
+ - model:mo-model-2
 writer:
- - model:mo-1
- - model:mo-2
+ - model:mo-model-1
+ - model:mo-model-2
 reader:
- - model:mo-1
- - model:mo-2
- - user: user:mo-5
+ - model:mo-model-1
+ - model:mo-model-2
+ - user: user:mo-user-5
 type: model
 assertions:
 administrator:
- - model:mo-2
+ - model:mo-model-2
 writer:
- - model:mo-1
- - model:mo-2
+ - model:mo-model-1
+ - model:mo-model-2
 reader:
- - model:mo-1
- - model:mo-2
+ - model:mo-model-1
+ - model:mo-model-2
 check:
- - user: group:mo-2#member
- object: model:mo-1
+ - user: group:mo-group-2#member
+ object: model:mo-model-1
 assertions:
 writer: true
 reader: true
 administrator: false
- - user: user:mo-4
- object: model:mo-1
+ - user: user:mo-user-4
+ object: model:mo-model-1
 assertions:
 writer: false
 reader: true
@@ -276,44 +276,44 @@ tests:
 # - proper hierarchy of relations: administrator > can_addmodel
 - name: Cloud
 list_objects:
- - user: user:cl-1
+ - user: user:cl-user-1
 type: cloud
 assertions:
 administrator:
- - cloud:cl-1
- - cloud:cl-2
+ - cloud:cl-cloud-1
+ - cloud:cl-cloud-2
 can_addmodel:
- - cloud:cl-1
- - cloud:cl-2
- - user: group:cl-1#member
+ - cloud:cl-cloud-1
+ - cloud:cl-cloud-2
+ - user: group:cl-group-1#member
 type: cloud
 assertions:
 administrator:
- - cloud:cl-1
+ - cloud:cl-cloud-1
 can_addmodel:
- - cloud:cl-1
- - user: controller:cl-1
+ - cloud:cl-cloud-1
+ - user: controller:cl-controller-1
 type: cloud
 assertions:
 controller:
- - cloud:cl-1
- - user: user:cl-2
+ - cloud:cl-cloud-1
+ - user: user:cl-user-2
 type: cloud
 assertions:
 administrator:
- - cloud:cl-1
- - cloud:cl-2
+ - cloud:cl-cloud-1
+ - cloud:cl-cloud-2
 can_addmodel:
- - cloud:cl-1
- - cloud:cl-2
+ - cloud:cl-cloud-1
+ - cloud:cl-cloud-2
 check:
- - user: group:cl-2#member
- object: cloud:cl-1
+ - user: group:cl-group-2#member
+ object: cloud:cl-cloud-1
 assertions:
 can_addmodel: true
 administrator: false
- - user: user:cl-3
- object: cloud:cl-1
+ - user: user:cl-user-3
+ object: cloud:cl-cloud-1
 assertions:
 can_addmodel: true
 administrator: false
@@ -324,65 +324,65 @@ tests:
 # - hierarchy of relations has the correct order, that is: administrator > consumer > reader.
 - name: Application Offer
 list_objects:
- - user: user:ao-1
+ - user: user:ao-user-1
 type: applicationoffer
 assertions:
 administrator:
- - applicationoffer:ao-1
- - applicationoffer:ao-2
+ - applicationoffer:ao-applicationoffer-1
+ - applicationoffer:ao-applicationoffer-2
 consumer:
- - applicationoffer:ao-1
- - applicationoffer:ao-2
+ - applicationoffer:ao-applicationoffer-1
+ - applicationoffer:ao-applicationoffer-2
 reader:
- - applicationoffer:ao-1
- - applicationoffer:ao-2
- - user: group:ao-1#member
+ - applicationoffer:ao-applicationoffer-1
+ - applicationoffer:ao-applicationoffer-2
+ - user: group:ao-group-1#member
 type: applicationoffer
 assertions:
 administrator:
- - applicationoffer:ao-1
+ - applicationoffer:ao-applicationoffer-1
 consumer:
- - applicationoffer:ao-1
+ - applicationoffer:ao-applicationoffer-1
 reader:
- - applicationoffer:ao-1
- - user: model:ao-1
+ - applicationoffer:ao-applicationoffer-1
+ - user: model:ao-model-1
 type: applicationoffer
 assertions:
 model:
- - applicationoffer:ao-1
- - user: user:ao-2
+ - applicationoffer:ao-applicationoffer-1
+ - user: user:ao-user-2
 type: applicationoffer
 assertions:
 administrator:
- - applicationoffer:ao-1
- - applicationoffer:ao-2
+ - applicationoffer:ao-applicationoffer-1
+ - applicationoffer:ao-applicationoffer-2
 consumer:
- - applicationoffer:ao-1
- - applicationoffer:ao-2
+ - applicationoffer:ao-applicationoffer-1
+ - applicationoffer:ao-applicationoffer-2
 reader:
- - applicationoffer:ao-1
- - applicationoffer:ao-2
+ - applicationoffer:ao-applicationoffer-1
+ - applicationoffer:ao-applicationoffer-2
 check:
- - user: group:ao-2#member
- object: applicationoffer:ao-1
+ - user: group:ao-group-2#member
+ object: applicationoffer:ao-applicationoffer-1
 assertions:
 administrator: false
 consumer: true
 reader: true
- - user: user:ao-3
- object: applicationoffer:ao-1
+ - user: user:ao-user-3
+ object: applicationoffer:ao-applicationoffer-1
 assertions:
 administrator: false
 consumer: false
 reader: true
- - user: user:ao-4
- object: applicationoffer:ao-1
+ - user: user:ao-user-4
+ object: applicationoffer:ao-applicationoffer-1
 assertions:
 administrator: false
 consumer: true
 reader: true
- - user: user:ao-5
- object: applicationoffer:ao-1
+ - user: user:ao-user-5
+ object: applicationoffer:ao-applicationoffer-1
 assertions:
 administrator: false
 consumer: false
@@ -391,15 +391,15 @@ tests:
 # Guarantees that all or individual users, or group members can become administrators of a service account
 - name: Service Account
 list_objects:
- - user: user:sa-1
+ - user: user:sa-user-1
 type: serviceaccount
 assertions:
 administrator:
- - serviceaccount:sa-1
- - serviceaccount:sa-2
- - user: group:sa-1#member
+ - serviceaccount:sa-serviceaccount-1
+ - serviceaccount:sa-serviceaccount-2
+ - user: group:sa-group-1#member
 type: serviceaccount
 assertions:
 administrator:
- - serviceaccount:sa-1
+ - serviceaccount:sa-serviceaccount-1
 
\ No newline at end of file

From b6ae795e17cbdab397682325540a571d15601c83 Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Fri, 21 Jun 2024 13:44:06 +0000
Subject: [PATCH 8/9] Include the short name in comments above tuples for specific tests

---
 openfga/tests.fga.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
index da5ab57fc..337f9e3f5 100644
--- a/openfga/tests.fga.yaml
+++ b/openfga/tests.fga.yaml
@@ -8,7 +8,7 @@ model_file: ./authorisation_model.fga
 # In order to avoid the potential entanglement of separate tests the tuples are artifically split into groups using this naming convention: (type):(2-letter test name)-(type)-(id)
 # The GitHub action supports running all tests in a directory, but keeping them in a single file improves the local development experience because the CLI does not.
 tuples:
- # Group
+ # Group (gr)
 - user: user:gr-user-1
 relation: member
 object: group:gr-group-1
@@ -19,7 +19,7 @@ tuples:
 relation: member
 object: group:gr-group-3
 
- # Controller
+ # Controller (co)
 - user: user:co-user-1
 relation: administrator
 object: controller:co-controller-1
@@ -45,7 +45,7 @@ tuples:
 relation: audit_log_viewer
 object: controller:co-controller-2
 
- # Model
+ # Model (mo)
 - user: user:mo-user-1
 relation: administrator
 object: model:mo-model-1
@@ -74,7 +74,7 @@ tuples:
 relation: writer
 object: model:mo-model-1
 
- # Cloud
+ # Cloud (cl)
 - user: user:cl-user-1
 relation: administrator
 object: cloud:cl-cloud-1
@@ -100,7 +100,7 @@ tuples:
 relation: can_addmodel
 object: cloud:cl-cloud-1
 
- # Application Offer
+ # Application Offer (ao)
 - user: user:ao-user-1
 relation: administrator
 object: applicationoffer:ao-applicationoffer-1
@@ -135,7 +135,7 @@ tuples:
 relation: reader
 object: applicationoffer:ao-applicationoffer-1
 
- # Service Account
+ # Service Account (sa)
 - user: user:sa-user-1
 relation: administrator
 object: serviceaccount:sa-serviceaccount-1

From 072609eea2298d8e409c611aa0ac074430d14b43 Mon Sep 17 00:00:00 2001
From: pkulik0
Date: Fri, 21 Jun 2024 13:46:45 +0000
Subject: [PATCH 9/9] Add another test case for serviceaccount

---
 openfga/tests.fga.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/openfga/tests.fga.yaml b/openfga/tests.fga.yaml
index 337f9e3f5..eabcaba86 100644
--- a/openfga/tests.fga.yaml
+++ b/openfga/tests.fga.yaml
@@ -145,6 +145,12 @@ tuples:
 - user: group:sa-group-1#member
 relation: administrator
 object: serviceaccount:sa-serviceaccount-1
+ - user: user:sa-user-2
+ relation: member
+ object: group:sa-group-2
+ - user: group:sa-group-2#member
+ relation: administrator
+ object: serviceaccount:sa-serviceaccount-1
 
 # Tests directly correspond to the types available in JIMM's authorisation model
 tests:
@@ -402,4 +408,10 @@ tests:
 assertions:
 administrator:
 - serviceaccount:sa-serviceaccount-1
+ - user: user:sa-user-2
+ type: serviceaccount
+ assertions:
+ administrator:
+ - serviceaccount:sa-serviceaccount-1
+ - serviceaccount:sa-serviceaccount-2
 
\ No newline at end of file
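Review bot: The file still has no terminating newline (`\ No newline at end of file` closes this hunk, as it did in every earlier patch of the series), so each further append to the last test case produces a needless two-line diff; end the file with a newline here. The new `user:sa-user-2` entry lists `serviceaccount:sa-serviceaccount-2` only because of the `user:* administrator` tuple, so the group path added above (`user:sa-user-2` → `group:sa-group-2#member`) is exercised only through `sa-serviceaccount-1`; that is fine, but the one-line comment above `- name: Service Account` still describes group membership in general and could say so, e.g. `# - sa-user-2 reaches sa-serviceaccount-1 only via group:sa-group-2; sa-serviceaccount-2 via user:*`.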