From 665c0f7ebcb80c423ee04f8e0192311dc87aff6d Mon Sep 17 00:00:00 2001
From: Evan Anderson
Date: Thu, 30 Nov 2023 22:23:05 -0800
Subject: [PATCH] Add simplified FGA model and tests for same

---
 auth/README.md | 4 ++
 auth/model.fga | 42 +++++++++++++
 auth/tests/simple.tests.yaml | 111 +++++++++++++++++++++++++++++++++++
 3 files changed, 157 insertions(+)
 create mode 100644 auth/README.md
 create mode 100644 auth/model.fga
 create mode 100644 auth/tests/simple.tests.yaml

diff --git a/auth/README.md b/auth/README.md
new file mode 100644
index 0000000000..4a79a8ae9a
--- /dev/null
+++ b/auth/README.md
@@ -0,0 +1,4 @@
+We use per-resource-type permissions off of "project" because
+we don't allow granting permissions on individual resources, only
+on projects. This allows us to minimize the amount of state we
+need to keep consistent between OpenFGA and the main database.
diff --git a/auth/model.fga b/auth/model.fga
new file mode 100644
index 0000000000..6ed795c662
--- /dev/null
+++ b/auth/model.fga
@@ -0,0 +1,42 @@
+model
+ schema 1.1
+
+type user
+
+type project
+ relations
+ define parent: [project]
+
+ define admin: [user] or admin from parent
+ define editor: [user] or admin or editor from parent
+ define viewer: [user] or editor or viewer from parent
+
+ define getter: viewer
+ define creator: admin
+ define updater: admin
+ define deleter: admin
+
+ define repo_getter: viewer
+ define repo_creator: editor
+ define repo_updater: editor
+ define repo_deleter: editor
+
+ define artifact_getter: viewer
+ define artifact_creator: editor
+ define artifact_updater: editor
+ define artifact_deleter: editor
+
+ define pr_getter: viewer
+ define pr_creator: editor
+ define pr_updater: editor
+ define pr_deleter: editor
+
+ define provider_getter: viewer
+ define provider_creator: admin
+ define provider_updater: admin
+ define provider_deleter: admin
+
+ define rule_type_getter: viewer
+ define rule_type_creator: editor
+ define rule_type_updater: editor
+ define rule_type_deleter: editor
\ No newline at end of file
diff --git a/auth/tests/simple.tests.yaml b/auth/tests/simple.tests.yaml
new file mode 100644
index 0000000000..5485eec4a8
--- /dev/null
+++ b/auth/tests/simple.tests.yaml
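Review bot: `define parent: [project]` puts no cardinality or acyclicity constraint on the parent relation, so a project that receives two parent tuples inherits admin/editor/viewer from both, and a parent cycle is representable in the tuple store; the model cannot rule either out, so whatever writes parent tuples must enforce the single-parent and no-cycle invariants. Because `admin`, `editor` and `viewer` each recurse through `from parent` with no depth bound, an admin on a top-level project is admin on every descendant at any depth, which looks intended but deserves saying next to the relation rather than only in the README. Suggest a comment above `define parent`, e.g. `# parent is a set in OpenFGA: the application must write at most one parent tuple per project and keep the hierarchy acyclic; admin/editor/viewer inherit transitively through it`. The file also lacks a trailing newline.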
@@ -0,0 +1,111 @@
+name: Auth tests
+model_file: ../model.fga
+
+tuples:
+- user: project:001
+ relation: parent
+ object: project:002
+- user: project:001
+ relation: parent
+ object: project:003
+
+- user: user:admin1
+ relation: admin
+ object: project:001
+- user: user:admin2
+ relation: admin
+ object: project:001
+- user: user:nonadmin1
+ relation: viewer
+ object: project:001
+- user: user:nonadmin1
+ relation: editor
+ object: project:002
+- user: user:nonadmin1
+ relation: admin
+ object: project:003
+- user: user:otherproject
+ relation: admin
+ object: project:010
+
+tests:
+- name: check-inheritance
+ check:
+ - user: user:admin1
+ object: project:001
+ assertions:
+ creator: true
+ viewer: true
+ repo_updater: true
+ provider_creator: true
+ artifact_updater: true
+ - user: user:admin1
+ object: project:002
+ assertions:
+ creator: true
+ viewer: true
+ repo_updater: true
+ provider_creator: true
+ artifact_updater: true
+ - user: user:admin2
+ object: project:001
+ assertions:
+ creator: true
+ viewer: true
+ repo_updater: true
+ provider_creator: true
+ artifact_updater: true
+ - user: user:admin2
+ object: project:003
+ assertions:
+ creator: true
+ viewer: true
+ repo_updater: true
+ provider_creator: true
+ artifact_updater: true
+ - user: user:nonadmin1
+ object: project:001
+ assertions:
+ creator: false
+ viewer: true
+ repo_updater: false
+ provider_creator: false
+ artifact_updater: false
+ provider_getter: true
+ - user: user:nonadmin1
+ object: project:002 # editor
+ assertions:
+ creator: false
+ viewer: true
+ repo_updater: true
+ provider_creator: false
+ artifact_updater: true
+ provider_getter: true
+ - user: user:nonadmin1
+ object: project:003 # admin
+ assertions:
+ creator: true
+ viewer: true
+ repo_updater: true
+ provider_creator: true
+ artifact_updater: true
+ provider_getter: true
+ - user: user:otherproject
+ object: project:003 # no role
+ assertions:
+ creator: false
+ viewer: false
+ repo_updater: false
+ provider_creator: false
+ artifact_updater: false
+ provider_getter: false
+ - user: user:otherproject
+ object: project:010 # admin
+ assertions:
+ creator: true
+ viewer: true
+ repo_updater: true
+ provider_creator: true
+ artifact_updater: true
+ provider_getter: true
+
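Review bot: The fixture nests projects only one level deep (project:001 is the parent of project:002 and project:003), so the recursive `admin from parent` / `editor from parent` / `viewer from parent` paths in the model are exercised for a single hop only, and a regression that broke deeper inheritance would still pass this file. There is also no check dedicated to rights not flowing upward from a child to its parent; user:nonadmin1's `creator: false` on project:001 covers that only incidentally, alongside the direct viewer grant on the same project. Suggest adding a grandchild project (illustrative id project:004 below) with assertions that the root admin keeps `creator` there and that an editor on the middle project gains `repo_updater` but not `creator` or `provider_creator` on it.
```yaml
tuples:
# … unchanged: existing parent and role tuples …
- user: project:002
  relation: parent
  object: project:004  # illustrative id: grandchild of project:001 via project:002

tests:
- name: check-inheritance
  check:
  # … unchanged: existing checks …
  - user: user:admin1
    object: project:004  # admin two hops up
    assertions:
      creator: true
      repo_updater: true
  - user: user:nonadmin1
    object: project:004  # editor via project:002, not admin
    assertions:
      creator: false
      repo_updater: true
      provider_creator: false
```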