-
Notifications
You must be signed in to change notification settings - Fork 41
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add simplified FGA model and tests for same
- Loading branch information
1 parent
f6da731
commit 665c0f7
Showing
3 changed files
with
157 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| We use per-resource-type permissions off of "project" because | ||
| we don't allow granting permissions on individual resources, only | ||
| on projects. This allows us to minimize the amount of state we | ||
| need to keep consistent between OpenFGA and the main database. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| model | ||
| schema 1.1 | ||
|
|
||
| type user | ||
|
|
||
| type project | ||
| relations | ||
| define parent: [project] | ||
|
|
||
| define admin: [user] or admin from parent | ||
| define editor: [user] or admin or editor from parent | ||
| define viewer: [user] or editor or viewer from parent | ||
|
|
||
| define getter: viewer | ||
| define creator: admin | ||
| define updater: admin | ||
| define deleter: admin | ||
|
|
||
| define repo_getter: viewer | ||
| define repo_creator: editor | ||
| define repo_updater: editor | ||
| define repo_deleter: editor | ||
|
|
||
| define artifact_getter: viewer | ||
| define artifact_creator: editor | ||
| define artifact_updater: editor | ||
| define artifact_deleter: editor | ||
|
|
||
| define pr_getter: viewer | ||
| define pr_creator: editor | ||
| define pr_updater: editor | ||
| define pr_deleter: editor | ||
|
|
||
| define provider_getter: viewer | ||
| define provider_creator: admin | ||
| define provider_updater: admin | ||
| define provider_deleter: admin | ||
|
|
||
| define rule_type_getter: viewer | ||
| define rule_type_creator: editor | ||
| define rule_type_updater: editor | ||
| define rule_type_deleter: editor |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| name: Auth tests | ||
| model_file: ../model.fga | ||
|
|
||
| tuples: | ||
| - user: project:001 | ||
| relation: parent | ||
| object: project:002 | ||
| - user: project:001 | ||
| relation: parent | ||
| object: project:003 | ||
|
|
||
| - user: user:admin1 | ||
| relation: admin | ||
| object: project:001 | ||
| - user: user:admin2 | ||
| relation: admin | ||
| object: project:001 | ||
| - user: user:nonadmin1 | ||
| relation: viewer | ||
| object: project:001 | ||
| - user: user:nonadmin1 | ||
| relation: editor | ||
| object: project:002 | ||
| - user: user:nonadmin1 | ||
| relation: admin | ||
| object: project:003 | ||
| - user: user:otherproject | ||
| relation: admin | ||
| object: project:010 | ||
|
|
||
| tests: | ||
| - name: check-inheritance | ||
| check: | ||
| - user: user:admin1 | ||
| object: project:001 | ||
| assertions: | ||
| creator: true | ||
| viewer: true | ||
| repo_updater: true | ||
| provider_creator: true | ||
| artifact_updater: true | ||
| - user: user:admin1 | ||
| object: project:002 | ||
| assertions: | ||
| creator: true | ||
| viewer: true | ||
| repo_updater: true | ||
| provider_creator: true | ||
| artifact_updater: true | ||
| - user: user:admin2 | ||
| object: project:001 | ||
| assertions: | ||
| creator: true | ||
| viewer: true | ||
| repo_updater: true | ||
| provider_creator: true | ||
| artifact_updater: true | ||
| - user: user:admin2 | ||
| object: project:003 | ||
| assertions: | ||
| creator: true | ||
| viewer: true | ||
| repo_updater: true | ||
| provider_creator: true | ||
| artifact_updater: true | ||
| - user: user:nonadmin1 | ||
| object: project:001 | ||
| assertions: | ||
| creator: false | ||
| viewer: true | ||
| repo_updater: false | ||
| provider_creator: false | ||
| artifact_updater: false | ||
| provider_getter: true | ||
| - user: user:nonadmin1 | ||
| object: project:002 # editor | ||
| assertions: | ||
| creator: false | ||
| viewer: true | ||
| repo_updater: true | ||
| provider_creator: false | ||
| artifact_updater: true | ||
| provider_getter: true | ||
| - user: user:nonadmin1 | ||
| object: project:003 # admin | ||
| assertions: | ||
| creator: true | ||
| viewer: true | ||
| repo_updater: true | ||
| provider_creator: true | ||
| artifact_updater: true | ||
| provider_getter: true | ||
| - user: user:otherproject | ||
| object: project:003 # no role | ||
| assertions: | ||
| creator: false | ||
| viewer: false | ||
| repo_updater: false | ||
| provider_creator: false | ||
| artifact_updater: false | ||
| provider_getter: false | ||
| - user: user:otherproject | ||
| object: project:010 # admin | ||
| assertions: | ||
| creator: true | ||
| viewer: true | ||
| repo_updater: true | ||
| provider_creator: true | ||
| artifact_updater: true | ||
| provider_getter: true | ||
|
|