diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 76ccc21..a77f9a9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,3 +24,63 @@ jobs:
 uses: ./
 with:
 test_path: ./example/model.fga.yaml
+
+ test_conditions_against_openfga_version:
+ name: Run test against given OpenFGA version
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ test:
+ - openfga_version: 1.5.3
+ conditions_supported: true
+ - openfga_version: 1.4.3
+ conditions_supported: true
+ - openfga_version: 1.3.7
+ conditions_supported: false
+ services:
+ postgres:
+ image: postgres:14
+ env:
+ POSTGRES_USER: openfga
+ POSTGRES_PASSWORD: "1234"
+ ports:
+ - 5432:5432
+ options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+ env:
+ OPENFGA_DATASTORE_ENGINE: 'postgres'
+ OPENFGA_DATASTORE_URI: 'postgres://openfga:1234@127.0.0.1:5432/openfga'
+ OPENFGA_LOG_LEVEL: debug
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install OpenFGA server ${{ matrix.test.openfga_version }}
+ uses: jaxxstorm/action-install-gh-release@v1.11.0
+ with:
+ repo: openfga/openfga
+ tag: ${{ matrix.test.openfga_version }}
+ cache: enable
+ - name: Migrate OpenFGA Database
+ shell: bash
+ run: openfga migrate
+ - name: Start OpenFGA Server
+ shell: bash
+ run: openfga run &
+ - name: Run OpenFGA CLI Tests
+ id: 'tests'
+ uses: ./
+ continue-on-error: true
+ with:
+ test_path: ./example/model_with_conditions.fga.yaml
+ fga_server_url: 'http://localhost:8080'
+ - name: Assert expected results
+ run: |
+ if [ "${{ matrix.test.conditions_supported }}" == "true" ] && [ "${{ steps.tests.outcome }}" == "failure" ]
+ then
+ echo "${{ matrix.test.openfga_version }} is expected to support conditions but tests failed"
+ exit 1
+ fi
+ if [ "${{ matrix.test.conditions_supported }}" == "false" ] && [ "${{ steps.tests.outcome }}" == "success" ]
+ then
+ echo "${{ matrix.test.openfga_version }} is expected to not support conditions but tests passed"
+ exit 1
+ fi
+
diff --git a/example/model_with_conditions.fga b/example/model_with_conditions.fga
new file mode 100644
index 0000000..be929ae
--- /dev/null
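Review bot: The `Install OpenFGA server` step pins `jaxxstorm/action-install-gh-release` to the mutable tag `v1.11.0`, and the job then executes the binary that action downloads, so a retagged release of the action would run in this workflow unnoticed. Pin it to the full commit SHA and keep the tag as a comment, e.g. `uses: jaxxstorm/action-install-gh-release@<full-commit-sha> # v1.11.0` (placeholder; the SHA is not on this page). Separately, `continue-on-error: true` together with the `conditions_supported: false` branch accepts any failure of the `tests` step as the expected result, and `openfga run &` is followed by no readiness wait, so on 1.3.7 a server that never came up would still satisfy the assertion. A short wait-for-ready loop that polls the server before the CLI step would make that failure mode distinguishable from "conditions unsupported". Whether the workflow restricts `GITHUB_TOKEN` with a top-level `permissions:` block is not visible in this hunk.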
+++ b/example/model_with_conditions.fga
@@ -0,0 +1,12 @@
+model
+ schema 1.1
+
+type user
+
+type document
+ relations
+ define viewer: [user, user with non_expired_grant]
+
+condition non_expired_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
+ current_time < grant_time + grant_duration
+}
\ No newline at end of file
diff --git a/example/model_with_conditions.fga.yaml b/example/model_with_conditions.fga.yaml
new file mode 100644
index 0000000..89991c5
--- /dev/null
+++ b/example/model_with_conditions.fga.yaml
@@ -0,0 +1,64 @@
+name: FolderBox with temporal accesses # store name
+model_file: ./model_with_conditions.fga
+
+tuples:
+ - user: user:bob
+ relation: viewer
+ object: document:1
+
+ - user: user:anne
+ relation: viewer
+ object: document:1
+ condition:
+ name: non_expired_grant
+ context:
+ grant_time : "2023-01-01T00:00:00Z"
+ grant_duration : 1h
+
+ - user: user:anne
+ relation: viewer
+ object: document:2
+ condition:
+ name: non_expired_grant
+ context:
+ grant_time : "2023-01-01T00:00:00Z"
+ grant_duration : 5s
+
+tests:
+ - name: Test temporal access
+ check:
+ - user: user:anne
+ object: document:1
+ context:
+ current_time: "2023-01-01T00:10:00Z"
+ assertions:
+ viewer: true
+
+ - user: user:anne
+ object: document:1
+ context:
+ current_time: "2023-01-01T02:00:00Z"
+ assertions:
+ viewer: false
+
+ - user: user:anne
+ object: document:2
+ context:
+ current_time: "2023-01-01T00:00:09Z"
+ assertions:
+ viewer: false
+
+ - user: user:bob
+ object: document:1
+ assertions:
+ viewer: true
+
+ list_objects:
+ - user: user:anne
+ type: document
+ context:
+ current_time: "2023-01-01T00:00:01Z"
+ assertions:
+ viewer:
+ - document:1
+ - document:2
\ No newline at end of file
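Review bot: The `non_expired_grant` condition takes `current_time` from the request context, so the expiry check is only as trustworthy as whoever fills in that value, and the example should say so. I would add a comment above the condition: `# current_time must be set by the calling service from its own clock, never forwarded from end-user input`. The expression also has no lower bound, so a request whose `current_time` is earlier than `grant_time` evaluates to true; if grants are meant to begin at `grant_time`, `current_time >= grant_time && current_time < grant_time + grant_duration` states that. The file also ends without a trailing newline.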
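Review bot: None of the `check` entries lands on the expiry instant, and the only `list_objects` entry runs at 00:00:01 while both grants are still valid, so neither the strict `<` in the condition nor the removal of expired grants from list results is exercised. I would add a check for `document:1` at exactly `grant_time` plus 1h expecting `viewer: false`, and a `list_objects` case at 00:30:00 expecting only `document:1`; the timestamps below are constructed from the grant values in this file and the indentation is conventional, since the page has lost the original. A check that omits `current_time` from the context would also document how a missing parameter is treated. As a style point, `grant_time :` and `grant_duration :` carry a space before the colon.

```yaml
    check:
      # … unchanged: existing check entries …
      - user: user:anne
        object: document:1
        context:
          current_time: "2023-01-01T01:00:00Z"  # exactly grant_time + 1h
        assertions:
          viewer: false

    list_objects:
      # … unchanged: existing entry at 00:00:01 …
      - user: user:anne
        type: document
        context:
          current_time: "2023-01-01T00:30:00Z"  # the 5s grant on document:2 has expired
        assertions:
          viewer:
            - document:1
```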