Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 45 additions & 13 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -303,6 +303,22 @@ tests:
assertions:
member: true
moderator: false
# checks can also be defined for multiple users sharing the same expectation
- object: group:employees
users:
# checks can also target multiple objects with the same expectation
- objects:
- group:admins
- group:employees
user: user:1
assertions:
moderator: false
# either "user" or "users" may be provided, but not both
# either "object" or "objects" may be provided, but not both
- user:3
- user:4
assertions:
member: true
```

If using `output-file`, the response will be written to the specified file on disk. If the desired file already exists, you will be prompted to overwrite the file.
Expand Down Expand Up @@ -558,19 +574,35 @@ tests: # required
- name: test-1
description: testing that the model works # optional
# tuple_file: ./tuples.json # tuples that would apply per test
tuples:
- user: user:anne
relation: owner
object: folder:1
check: # a set of checks to run
- user: user:anne
object: folder:1
assertions:
# a set of expected results for each relation
can_view: true
can_write: true
can_share: false
list_objects: # a set of list objects to run
tuples:
- user: user:anne
relation: owner
object: folder:1
check: # a set of checks to run
- user: user:anne
object: folder:1
assertions:
# a set of expected results for each relation
can_view: true
can_write: true
can_share: false
# checks can group multiple users that share the same expected results
- object: folder:2
users:
- user:beth
- user:carl
assertions:
can_view: false
# checks can group multiple objects that share the same expected results
- objects:
- folder:1
- folder:2
user: user:beth
assertions:
can_write: false
# either "user" or "users" may be provided, but not both
# either "object" or "objects" may be provided, but not both
list_objects: # a set of list objects to run
- user: user:anne
type: folder
assertions:
Expand Down
25 changes: 18 additions & 7 deletions cmd/store/import.go
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,10 @@ func importStore(
maxTuplesPerWrite, maxParallelRequests int,
fileName string,
) (*CreateStoreAndModelResponse, error) {
if err := storeData.Validate(); err != nil {
return nil, err //nolint:wrapcheck
}

response, err := createOrUpdateStore(ctx, clientConfig, fgaClient, storeData, format, storeID, fileName)
if err != nil {
return nil, err
Expand Down Expand Up @@ -232,13 +236,20 @@ func getCheckAssertions(checkTests []storetest.ModelTestCheck) []client.ClientAs
var assertions []client.ClientAssertion

for _, checkTest := range checkTests {
for relation, expectation := range checkTest.Assertions {
assertions = append(assertions, client.ClientAssertion{
User: checkTest.User,
Relation: relation,
Object: checkTest.Object,
Expectation: expectation,
})
users := storetest.GetEffectiveUsers(checkTest)
objects := storetest.GetEffectiveObjects(checkTest)

for _, user := range users {
for _, object := range objects {
for relation, expectation := range checkTest.Assertions {
assertions = append(assertions, client.ClientAssertion{
User: user,
Relation: relation,
Object: object,
Expectation: expectation,
})
}
}
}
}

Expand Down
95 changes: 91 additions & 4 deletions cmd/store/import_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,36 @@ func TestImportStore(t *testing.T) {
Object: "document:doc1",
Expectation: true,
}}

multiUserAssertions := []client.ClientAssertion{
{
User: "user:anne",
Relation: "reader",
Object: "document:doc1",
Expectation: true,
},
{
User: "user:peter",
Relation: "reader",
Object: "document:doc1",
Expectation: true,
},
}

multiObjectAssertions := []client.ClientAssertion{
{
User: "user:peter",
Relation: "reader",
Object: "document:doc1",
Expectation: true,
},
{
User: "user:peter",
Relation: "reader",
Object: "document:doc2",
Expectation: true,
},
}
modelID, storeID := "model-1", "store-1"
expectedOptions := client.ClientWriteAssertionsOptions{AuthorizationModelId: &modelID, StoreId: &storeID}

Expand All @@ -38,9 +68,9 @@ func TestImportStore(t *testing.T) {
mockCreateStore: true,
testStore: storetest.StoreData{
Model: `type user
type document
relations
define reader: [user]`,
type document
relations
define reader: [user]`,
Tests: []storetest.ModelTest{
{
Name: "Test",
Expand All @@ -55,6 +85,54 @@ func TestImportStore(t *testing.T) {
},
},
},
{
name: "import store with multi user assertions",
mockWriteAssertions: true,
mockWriteModel: true,
mockCreateStore: true,
testStore: storetest.StoreData{
Model: `type user
type document
relations
define reader: [user]`,
Tests: []storetest.ModelTest{
{
Name: "Test",
Check: []storetest.ModelTestCheck{
{
Users: []string{"user:anne", "user:peter"},
Object: "document:doc1",
Assertions: map[string]bool{"reader": true},
},
},
},
},
},
},
{
name: "import store with multi object assertions",
mockWriteAssertions: true,
mockWriteModel: true,
mockCreateStore: true,
testStore: storetest.StoreData{
Model: `type user
type document
relations
define reader: [user]`,
Tests: []storetest.ModelTest{
{
Name: "Test",
Check: []storetest.ModelTestCheck{
{
User: "user:peter",
Objects: []string{"document:doc1", "document:doc2"},
Assertions: map[string]bool{"reader": true},
},
},
},
},
},
},
{
name: "create new store without assertions",
mockWriteAssertions: false,
Expand Down Expand Up @@ -107,7 +185,16 @@ func TestImportStore(t *testing.T) {
defer mockCtrl.Finish()

if test.mockWriteAssertions {
setupWriteAssertionsMock(mockCtrl, mockFgaClient, expectedAssertions, expectedOptions)
expected := expectedAssertions

switch test.name {
case "import store with multi user assertions":
expected = multiUserAssertions
case "import store with multi object assertions":
expected = multiObjectAssertions
}

setupWriteAssertionsMock(mockCtrl, mockFgaClient, expected, expectedOptions)
} else {
mockFgaClient.EXPECT().WriteAssertions(gomock.Any()).Times(0)
}
Expand Down
5 changes: 0 additions & 5 deletions example/folder-document-access_tuples.json
Original file line number Diff line number Diff line change
Expand Up @@ -9084,11 +9084,6 @@
"relation": "can_view",
"user": "user:58"
},
{
"object": "document:578",
"relation": "can_view",
"user": "user:410"
},
{
"object": "document:25",
"relation": "can_view",
Expand Down
2 changes: 1 addition & 1 deletion example/model.fga
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,4 @@ type document
define viewer: [user] or owner or parent_owner
define can_share: owner
define can_write: owner or parent_owner
define can_view: viewer or viewer from parent
define can_view: [user] or viewer or viewer from parent
28 changes: 28 additions & 0 deletions example/model.fga.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,33 @@ tests:
can_view: true
can_write: true
can_share: false
- users:
- user:anne
- user:beth
object: folder:product-2021
assertions:
# These assertions are run for each user
can_view: true
can_share: false
- user: user:anne
objects:
- folder:product-2021
- folder:product-2021Q1
assertions:
# These assertions are run for each object
can_view: true
can_write: true
- users:
- user:peter
- user:john
objects:
- folder:product-2021
- folder:product-2021Q1
assertions:
# These assertions are run for each user and each object
can_view: false
can_write: false

list_objects: # Each list objects test is made of: a user, an object type and the expected result for one or more relations
- user: user:anne
type: folder
Expand All @@ -69,6 +96,7 @@ tests:
- folder:product-2021Q1
can_write: []
can_share: []

list_users: # Each list user test is made of: an object, a user filter and the expected result for one or more relations
- object: folder:product-2021
user_filter:
Expand Down
90 changes: 48 additions & 42 deletions internal/storetest/localtest.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,54 +25,60 @@ func RunLocalCheckTest(
options ModelTestOptions,
) []ModelTestCheckSingleResult {
results := []ModelTestCheckSingleResult{}
users := GetEffectiveUsers(checkTest)

objects := GetEffectiveObjects(checkTest)
for _, user := range users {
for _, object := range objects {
for relation, expectation := range checkTest.Assertions {
result := ModelTestCheckSingleResult{
Request: client.ClientCheckRequest{
User: user,
Relation: relation,
Object: object,
ContextualTuples: tuples,
Context: checkTest.Context,
},
Expected: expectation,
}

for relation, expectation := range checkTest.Assertions {
result := ModelTestCheckSingleResult{
Request: client.ClientCheckRequest{
User: checkTest.User,
Relation: relation,
Object: checkTest.Object,
ContextualTuples: tuples,
Context: checkTest.Context,
},
Expected: expectation,
}
var (
ctx *structpb.Struct
err error
)

var (
ctx *structpb.Struct
err error
)

if checkTest.Context != nil {
ctx, err = structpb.NewStruct(*checkTest.Context)
}
if checkTest.Context != nil {
ctx, err = structpb.NewStruct(*checkTest.Context)
}

if err != nil {
result.Error = err
} else {
response, err := RunSingleLocalCheckTest(fgaServer,
&pb.CheckRequest{
StoreId: *options.StoreID,
AuthorizationModelId: *options.ModelID,
TupleKey: &pb.CheckRequestTupleKey{
User: checkTest.User,
Relation: relation,
Object: checkTest.Object,
},
Context: ctx,
},
)
if err != nil {
result.Error = err
}
if err != nil {
result.Error = err
} else {
response, err := RunSingleLocalCheckTest(fgaServer,
&pb.CheckRequest{
StoreId: *options.StoreID,
AuthorizationModelId: *options.ModelID,
TupleKey: &pb.CheckRequestTupleKey{
User: user,
Relation: relation,
Object: object,
},
Context: ctx,
},
)
if err != nil {
result.Error = err
}

if response != nil {
result.Got = &response.Allowed
result.TestResult = result.IsPassing()
}
}

if response != nil {
result.Got = &response.Allowed
result.TestResult = result.IsPassing()
results = append(results, result)
}
}

results = append(results, result)
}

return results
Expand Down
Loading
Loading