feat: support grouping user/object checks in store tests

README.md

@@ -303,6 +303,22 @@ tests:
           assertions:
             member: true
             moderator: false
+      # checks can also be defined for multiple users sharing the same expectation
+      - object: group:employees
+        users:
+      # checks can also target multiple objects with the same expectation
+      - objects:
+          - group:admins
+          - group:employees
+        user: user:1
+        assertions:
+          moderator: false
+      # either "user" or "users" may be provided, but not both
+      # either "object" or "objects" may be provided, but not both
+          - user:3
+          - user:4
+        assertions:
+          member: true
 ```
 
 If using `output-file`, the response will be written to the specified file on disk. If the desired file already exists, you will be prompted to overwrite the file.
@@ -558,19 +574,35 @@ tests: # required
   - name: test-1
     description: testing that the model works # optional
     # tuple_file: ./tuples.json # tuples that would apply per test
-    tuples:
-      - user: user:anne
-        relation: owner
-        object: folder:1
-    check: # a set of checks to run
-      - user: user:anne
-        object: folder:1
-        assertions:
-          # a set of expected results for each relation
-          can_view: true
-          can_write: true
-          can_share: false
-    list_objects: # a set of list objects to run
+      tuples:
+        - user: user:anne
+          relation: owner
+          object: folder:1
+      check: # a set of checks to run
+        - user: user:anne
+          object: folder:1
+          assertions:
+            # a set of expected results for each relation
+            can_view: true
+            can_write: true
+            can_share: false
+        # checks can group multiple users that share the same expected results
+        - object: folder:2
+          users:
+            - user:beth
+            - user:carl
+          assertions:
+            can_view: false
+        # checks can group multiple objects that share the same expected results
+        - objects:
+            - folder:1
+            - folder:2
+          user: user:beth
+          assertions:
+            can_write: false
+        # either "user" or "users" may be provided, but not both
+        # either "object" or "objects" may be provided, but not both
+      list_objects: # a set of list objects to run
       - user: user:anne
         type: folder
         assertions:

cmd/store/import.go

@@ -121,6 +121,10 @@ func importStore(
 	maxTuplesPerWrite, maxParallelRequests int,
 	fileName string,
 ) (*CreateStoreAndModelResponse, error) {
+	if err := storeData.Validate(); err != nil {
+		return nil, err //nolint:wrapcheck
+	}
+
 	response, err := createOrUpdateStore(ctx, clientConfig, fgaClient, storeData, format, storeID, fileName)
 	if err != nil {
 		return nil, err
@@ -232,13 +236,20 @@ func getCheckAssertions(checkTests []storetest.ModelTestCheck) []client.ClientAs
 	var assertions []client.ClientAssertion
 
 	for _, checkTest := range checkTests {
-		for relation, expectation := range checkTest.Assertions {
-			assertions = append(assertions, client.ClientAssertion{
-				User:        checkTest.User,
-				Relation:    relation,
-				Object:      checkTest.Object,
-				Expectation: expectation,
-			})
+		users := storetest.GetEffectiveUsers(checkTest)
+		objects := storetest.GetEffectiveObjects(checkTest)
+
+		for _, user := range users {
+			for _, object := range objects {
+				for relation, expectation := range checkTest.Assertions {
+					assertions = append(assertions, client.ClientAssertion{
+						User:        user,
+						Relation:    relation,
+						Object:      object,
+						Expectation: expectation,
+					})
+				}
+			}
 		}
 	}
 

cmd/store/import_test.go

@@ -21,6 +21,36 @@ func TestImportStore(t *testing.T) {
 		Object:      "document:doc1",
 		Expectation: true,
 	}}
+
+	multiUserAssertions := []client.ClientAssertion{
+		{
+			User:        "user:anne",
+			Relation:    "reader",
+			Object:      "document:doc1",
+			Expectation: true,
+		},
+		{
+			User:        "user:peter",
+			Relation:    "reader",
+			Object:      "document:doc1",
+			Expectation: true,
+		},
+	}
+
+	multiObjectAssertions := []client.ClientAssertion{
+		{
+			User:        "user:peter",
+			Relation:    "reader",
+			Object:      "document:doc1",
+			Expectation: true,
+		},
+		{
+			User:        "user:peter",
+			Relation:    "reader",
+			Object:      "document:doc2",
+			Expectation: true,
+		},
+	}
 	modelID, storeID := "model-1", "store-1"
 	expectedOptions := client.ClientWriteAssertionsOptions{AuthorizationModelId: &modelID, StoreId: &storeID}
 
@@ -38,9 +68,9 @@ func TestImportStore(t *testing.T) {
 			mockCreateStore:     true,
 			testStore: storetest.StoreData{
 				Model: `type user
-					type document
-						relations
-							define reader: [user]`,
+                                        type document
+                                                relations
+                                                        define reader: [user]`,
 				Tests: []storetest.ModelTest{
 					{
 						Name: "Test",
@@ -55,6 +85,54 @@ func TestImportStore(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:                "import store with multi user assertions",
+			mockWriteAssertions: true,
+			mockWriteModel:      true,
+			mockCreateStore:     true,
+			testStore: storetest.StoreData{
+				Model: `type user
+                                       type document
+                                               relations
+                                                       define reader: [user]`,
+				Tests: []storetest.ModelTest{
+					{
+						Name: "Test",
+						Check: []storetest.ModelTestCheck{
+							{
+								Users:      []string{"user:anne", "user:peter"},
+								Object:     "document:doc1",
+								Assertions: map[string]bool{"reader": true},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:                "import store with multi object assertions",
+			mockWriteAssertions: true,
+			mockWriteModel:      true,
+			mockCreateStore:     true,
+			testStore: storetest.StoreData{
+				Model: `type user
+                                        type document
+                                                relations
+                                                        define reader: [user]`,
+				Tests: []storetest.ModelTest{
+					{
+						Name: "Test",
+						Check: []storetest.ModelTestCheck{
+							{
+								User:       "user:peter",
+								Objects:    []string{"document:doc1", "document:doc2"},
+								Assertions: map[string]bool{"reader": true},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:                "create new store without assertions",
 			mockWriteAssertions: false,
@@ -107,7 +185,16 @@ func TestImportStore(t *testing.T) {
 			defer mockCtrl.Finish()
 
 			if test.mockWriteAssertions {
-				setupWriteAssertionsMock(mockCtrl, mockFgaClient, expectedAssertions, expectedOptions)
+				expected := expectedAssertions
+
+				switch test.name {
+				case "import store with multi user assertions":
+					expected = multiUserAssertions
+				case "import store with multi object assertions":
+					expected = multiObjectAssertions
+				}
+
+				setupWriteAssertionsMock(mockCtrl, mockFgaClient, expected, expectedOptions)
 			} else {
 				mockFgaClient.EXPECT().WriteAssertions(gomock.Any()).Times(0)
 			}

example/folder-document-access_tuples.json

@@ -9084,11 +9084,6 @@
     "relation": "can_view",
     "user": "user:58"
   },
-  {
-    "object": "document:578",
-    "relation": "can_view",
-    "user": "user:410"
-  },
   {
     "object": "document:25",
     "relation": "can_view",

example/model.fga

@@ -21,4 +21,4 @@ type document
     define viewer: [user] or owner or parent_owner
     define can_share: owner
     define can_write: owner or parent_owner
-    define can_view: viewer or viewer from parent
+    define can_view: [user] or viewer or viewer from parent

example/model.fga.yaml

@@ -47,6 +47,33 @@ tests:
           can_view: true
           can_write: true
           can_share: false
+      - users:
+          - user:anne
+          - user:beth
+        object: folder:product-2021
+        assertions:
+          # These assertions are run for each user
+          can_view: true
+          can_share: false
+      - user: user:anne
+        objects:
+          - folder:product-2021
+          - folder:product-2021Q1
+        assertions:
+          # These assertions are run for each object
+          can_view: true
+          can_write: true
+      - users:
+          - user:peter
+          - user:john
+        objects:
+          - folder:product-2021
+          - folder:product-2021Q1
+        assertions:
+          # These assertions are run for each user and each object
+          can_view: false
+          can_write: false
+
     list_objects: # Each list objects test is made of: a user, an object type and the expected result for one or more relations
       - user: user:anne
         type: folder
@@ -69,6 +96,7 @@ tests:
             - folder:product-2021Q1
           can_write: []
           can_share: []
+
     list_users: # Each list user test is made of: an object, a user filter and the expected result for one or more relations
       - object: folder:product-2021
         user_filter:

internal/storetest/localtest.go

@@ -25,54 +25,60 @@ func RunLocalCheckTest(
 	options ModelTestOptions,
 ) []ModelTestCheckSingleResult {
 	results := []ModelTestCheckSingleResult{}
+	users := GetEffectiveUsers(checkTest)
+
+	objects := GetEffectiveObjects(checkTest)
+	for _, user := range users {
+		for _, object := range objects {
+			for relation, expectation := range checkTest.Assertions {
+				result := ModelTestCheckSingleResult{
+					Request: client.ClientCheckRequest{
+						User:             user,
+						Relation:         relation,
+						Object:           object,
+						ContextualTuples: tuples,
+						Context:          checkTest.Context,
+					},
+					Expected: expectation,
+				}
 
-	for relation, expectation := range checkTest.Assertions {
-		result := ModelTestCheckSingleResult{
-			Request: client.ClientCheckRequest{
-				User:             checkTest.User,
-				Relation:         relation,
-				Object:           checkTest.Object,
-				ContextualTuples: tuples,
-				Context:          checkTest.Context,
-			},
-			Expected: expectation,
-		}
+				var (
+					ctx *structpb.Struct
+					err error
+				)
 
-		var (
-			ctx *structpb.Struct
-			err error
-		)
-
-		if checkTest.Context != nil {
-			ctx, err = structpb.NewStruct(*checkTest.Context)
-		}
+				if checkTest.Context != nil {
+					ctx, err = structpb.NewStruct(*checkTest.Context)
+				}
 
-		if err != nil {
-			result.Error = err
-		} else {
-			response, err := RunSingleLocalCheckTest(fgaServer,
-				&pb.CheckRequest{
-					StoreId:              *options.StoreID,
-					AuthorizationModelId: *options.ModelID,
-					TupleKey: &pb.CheckRequestTupleKey{
-						User:     checkTest.User,
-						Relation: relation,
-						Object:   checkTest.Object,
-					},
-					Context: ctx,
-				},
-			)
-			if err != nil {
-				result.Error = err
-			}
+				if err != nil {
+					result.Error = err
+				} else {
+					response, err := RunSingleLocalCheckTest(fgaServer,
+						&pb.CheckRequest{
+							StoreId:              *options.StoreID,
+							AuthorizationModelId: *options.ModelID,
+							TupleKey: &pb.CheckRequestTupleKey{
+								User:     user,
+								Relation: relation,
+								Object:   object,
+							},
+							Context: ctx,
+						},
+					)
+					if err != nil {
+						result.Error = err
+					}
+
+					if response != nil {
+						result.Got = &response.Allowed
+						result.TestResult = result.IsPassing()
+					}
+				}
 
-			if response != nil {
-				result.Got = &response.Allowed
-				result.TestResult = result.IsPassing()
+				results = append(results, result)
 			}
 		}
-
-		results = append(results, result)
 	}
 
 	return results