From eb7b476b1cc247d93df7b15b62de786c56cccf12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Tue, 19 Dec 2023 16:51:26 -0500
Subject: [PATCH] incusd/auth/openfga: Handle small model differences
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
 internal/server/auth/driver_openfga.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/internal/server/auth/driver_openfga.go b/internal/server/auth/driver_openfga.go
index 6e6b166d4ca..317d0e7536f 100644
--- a/internal/server/auth/driver_openfga.go
+++ b/internal/server/auth/driver_openfga.go
@@ -222,6 +222,26 @@ func (f *fga) connect(ctx context.Context, certificateCache *certificate.Cache,
 		return fmt.Errorf("Existing OpenFGA model has schema version %q, but our model has version %q", readModelResponse.AuthorizationModel.SchemaVersion, builtinAuthorizationModel.SchemaVersion)
 	}
 
+	// Clear condition field from older servers.
+	for _, entry := range readModelResponse.AuthorizationModel.TypeDefinitions {
+		if entry.Metadata == nil || entry.Metadata.Relations == nil {
+			continue
+		}
+
+		for _, relation := range *entry.Metadata.Relations {
+			if relation.DirectlyRelatedUserTypes == nil {
+				continue
+			}
+
+			for i, reference := range *relation.DirectlyRelatedUserTypes {
+				if reference.Condition != nil && *reference.Condition == "" {
+					rel := *relation.DirectlyRelatedUserTypes
+					rel[i].Condition = nil
+				}
+			}
+		}
+	}
+
 	existingTypeDefinitions, err := json.Marshal(readModelResponse.AuthorizationModel.TypeDefinitions)
 	if err != nil {
 		return fmt.Errorf("Failed to compare OpenFGA model type definitions: %w", err)