From d257886344a4f2895fff75f40e86c12d5c586a1f Mon Sep 17 00:00:00 2001 From: Andres Aguiar Date: Mon, 22 Jul 2024 09:03:58 -0400 Subject: [PATCH 1/2] feat: added a step by step incremental openfga demo --- stores/public-demo/step-1-basic.fga.yaml | 57 ++++ .../step-10-fine-grained-api-access.fga.yaml | 272 ++++++++++++++++++ .../public-demo/step-2-multi-tenancy.fga.yaml | 86 ++++++ stores/public-demo/step-3-groups.fga.yaml | 117 ++++++++ .../public-demo/step-4-public-access.fga.yaml | 128 +++++++++ .../step-5-relation-based-abac.fga.yaml | 157 ++++++++++ .../public-demo/step-6-super-admin.fga.yaml | 178 ++++++++++++ ...-7-conditional-relationships-abac.fga.yaml | 202 +++++++++++++ .../public-demo/step-8-custom-roles.fga.yaml | 244 ++++++++++++++++ .../step-9-application-access.fga.yaml | 260 +++++++++++++++++ 10 files changed, 1701 insertions(+) create mode 100644 stores/public-demo/step-1-basic.fga.yaml create mode 100644 stores/public-demo/step-10-fine-grained-api-access.fga.yaml create mode 100644 stores/public-demo/step-2-multi-tenancy.fga.yaml create mode 100644 stores/public-demo/step-3-groups.fga.yaml create mode 100644 stores/public-demo/step-4-public-access.fga.yaml create mode 100644 stores/public-demo/step-5-relation-based-abac.fga.yaml create mode 100644 stores/public-demo/step-6-super-admin.fga.yaml create mode 100644 stores/public-demo/step-7-conditional-relationships-abac.fga.yaml create mode 100644 stores/public-demo/step-8-custom-roles.fga.yaml create mode 100644 stores/public-demo/step-9-application-access.fga.yaml diff --git a/stores/public-demo/step-1-basic.fga.yaml b/stores/public-demo/step-1-basic.fga.yaml new file mode 100644 index 0000000..948b50d --- /dev/null +++ b/stores/public-demo/step-1-basic.fga.yaml 
@@ -0,0 +1,57 @@ +# Basic demo with documents and folders. +# - Folder permission get inherited by nested folders and documents + +model: | + model + schema 1.1 + + type user + + type folder + relations + define parent: [folder] + define owner : [user] + define viewer: [user] + define editor: [user] + + define can_edit : editor or owner or can_edit from parent + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user] or viewer from parent + define owner : [user] + define editor: [user] + + define can_edit : editor or owner or can_edit from parent + define can_view : viewer or can_edit + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false diff --git a/stores/public-demo/step-10-fine-grained-api-access.fga.yaml b/stores/public-demo/step-10-fine-grained-api-access.fga.yaml new file mode 100644 index 0000000..b6b2887 --- /dev/null +++ b/stores/public-demo/step-10-fine-grained-api-access.fga.yaml 
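Review bot: View access does not inherit through nested folders: `folder.viewer` is `[user]` only and `folder.can_view` is `viewer or can_edit`, so a viewer on `folder:root` cannot view a child folder or the documents inside it, even though `document.viewer` does pull `viewer from parent` and the header says folder permissions are inherited by nested folders. If inheritance of read access is intended, change the folder relation to `define viewer: [user] or viewer from parent`. The tests only exercise owners; add a viewer case, e.g. a `viewer` tuple for `user:carol` on `folder:root` with a check asserting `can_view: true` and `can_edit: false` on `document:welcome`, so the read path is pinned too. The header comment also has a typo: `Folder permission get inherited` should read `Folder permissions are inherited`.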
@@ -0,0 +1,272 @@ +# Custom roles can be defined for each organization: +# - Uses can be assigned to roles +# - Roles can be assigned to permissions + +model: | + model + schema 1.1 + + type user + + type application + + type system + relations + define super_admin : [user with time_based_grant] + + type role + relations + define assignee : [user, group#member] + + type organization + relations + define system : [system] + define admin : [user] or super_admin from system + + # allow defining permissions per application + define can_edit_documents: [role#assignee, application] or admin + define can_add_admin : [role#assignee, application] or admin + define can_create_document : [role#assignee, application] or admin + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + # we now refer to fine grained permissions from the organization instead of the admin role + define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user, user:*] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define published: [document] + + define can_edit : editor or owner or can_edit from parent + define can_view : (viewer and viewer from published) or can_edit + + condition time_based_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) { + current_time < grant_time + grant_duration + } + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - 
user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + + - user: user:* + object: document:public-roadmap + relation: viewer + +# Tuples for Relationship Based ABAC + - user: folder:root + object: document:document-not-published + relation: parent + + - user: user:* + object: document:document-not-published + relation: viewer + + - user: document:public-roadmap + object: document:public-roadmap + relation: published + +# Tuples for super-admin example + + # This tuple is no longer valid in this model + # - user: user:sam + # object: system:root + # relation: super_admin + - user: system:root + object: organization:acme + relation: system + +# Tuples for conditional relationships + - user: user:sam + object: system:root + relation: super_admin + condition: + name: time_based_grant + context: + grant_time : "2024-07-21T00:00:00Z" + grant_duration : 1h + +# Tuples for custom roles + - user: user:omar + object: role:acme-organization-manager + relation: assignee + + - user: user:edith + object: role:acme-content-editor + relation: assignee + + - user: role:acme-organization-manager#assignee + object: organization:acme + relation: can_add_admin + + - user: role:acme-content-editor#assignee + object: organization:acme + relation: can_create_document + +# Tuples for fine grained API access + - user: application:app-1 + object: organization:acme + relation: can_create_document + + - user: application:app-1 + object: organization:acme + relation: can_edit_documents + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + 
object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy example + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit : true + can_view : true + + - name: Tests for groups example + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true + + + - name: Tests for public access example + check: + - user: user:john + object: document:public-roadmap + assertions: + can_edit : false + can_view : true + + - name: Tests for relationship based abac example + check: + - user: user:john + object: document:document-not-published + assertions: + can_edit : false + can_view : false + +# The tests from the previous example need to be completely replaced +# as they will require an additional parameter to be sent + - name: Tests for super-admin example with conditional relationships + check: + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-21T00:00:09Z" + assertions: + can_edit : true + can_view : true + + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-22T00:00:09Z" + assertions: + can_edit : false + can_view : false + + - name : Test for custom roles + check: + - user: user:omar + object: organization:acme + assertions: + can_add_admin : true + can_create_document : false + - user: user:edith + object: organization:acme + assertions: + can_add_admin : false + can_create_document : true + + - name : Test API access + check: + - user: application:app-1 + object: organization:acme + assertions: + can_add_admin : false + can_create_document : true + - user: application:app-1 + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: application:app-2 + object: 
organization:acme + assertions: + can_add_admin : false + can_create_document : false \ No newline at end of file diff --git a/stores/public-demo/step-2-multi-tenancy.fga.yaml b/stores/public-demo/step-2-multi-tenancy.fga.yaml new file mode 100644 index 0000000..b2dec7e --- /dev/null +++ b/stores/public-demo/step-2-multi-tenancy.fga.yaml 
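Review bot: The header comment is carried over from step 8 (`Custom roles can be defined for each organization`, including the `Uses` typo) and says nothing about what this step actually introduces, namely that `application` identities are granted individual organization permissions (`can_edit_documents`, `can_create_document`) rather than being admins. Suggest replacing it with `# Fine-grained API access: applications are granted individual organization permissions; no application is an organization admin` and fixing `Uses` to `Users`. The `Test API access` block covers both the `app-1` positive cases and the `app-2` negative case, which is the right shape; it would also be worth asserting that `app-1` cannot `can_add_admin` on `document:welcome`-level paths is already implied, so no further test is strictly needed there. The file is also missing a trailing newline (`\ No newline at end of file`).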
@@ -0,0 +1,86 @@ +# Adds support for B2B: +# - Folders belong to an organization +# - Organizations have admins that can edit all content + +model: | + model + schema 1.1 + + type user + type organization + relations + define admin : [user] + define can_edit_documents : admin + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user] + define editor: [user] + + define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user] or viewer from parent + define owner : [user] + define editor: [user] + + define can_edit : editor or owner or can_edit from parent + define can_view : viewer or can_edit + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit : true + can_view : true \ No newline at end of file diff --git a/stores/public-demo/step-3-groups.fga.yaml b/stores/public-demo/step-3-groups.fga.yaml new file mode 100644 index 0000000..46d9afb --- /dev/null +++ b/stores/public-demo/step-3-groups.fga.yaml 
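Review bot: Tenant isolation is never asserted: every check in `Tests for multi-tenancy` is a positive case for `user:peter`, so nothing would catch a model change that lets one organization's admin reach another organization's folders. Add a second organization and a negative check, e.g. a tuple `user: user:zoe / object: organization:other / relation: admin` with an assertion that `user:zoe` has `can_edit: false` and `can_view: false` on `folder:root`. Note also that `can_edit from parent` on `folder` is not scoped by `organization`, so a `parent` tuple that links a folder to one owned by a different organization would carry that organization admin's edit rights across tenants; the model cannot prevent that, so whatever service writes `parent` tuples must enforce same-organization parents. Documents only reach organization rights through `parent`, so a document without a parent folder is unreachable by the organization admin — that looks intended but is worth stating in the header.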
@@ -0,0 +1,117 @@ +# Adds support for Groups: +# - Editors and Viewers can be assigned to groups +# - Groups can be nested + +model: | + model + schema 1.1 + + type user + type organization + relations + define admin : [user] + define can_edit_documents : admin + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent + define can_view : viewer or can_edit + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + 
+ - user: user:peter + object: document:welcome + assertions: + can_edit : true + can_view : true + + - name: Tests for groups + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true \ No newline at end of file diff --git a/stores/public-demo/step-4-public-access.fga.yaml b/stores/public-demo/step-4-public-access.fga.yaml new file mode 100644 index 0000000..c0a0186 --- /dev/null +++ b/stores/public-demo/step-4-public-access.fga.yaml 
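Review bot: `document.viewer` is still `[user] or viewer from parent` while `folder.viewer`, `folder.editor`, `document.owner` and `document.editor` all accept `group#member`, so a group can be given edit rights on a document but not read-only rights, which pushes callers toward over-granting. Change it to `define viewer: [user, group#member] or viewer from parent` for consistency. The groups tests only cover `user:martin`, who is a member; add a negative check for a user outside `group:everyone` (e.g. `user:john` with `can_edit: false` on `folder:root`) so group membership is shown to be what grants access. `group.member: [user, group#member]` permits arbitrary nesting; whether cyclic memberships are tolerated is an engine property rather than something this model guards, so presumably the tuple writer should reject adding a group to itself — TODO confirm.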
@@ -0,0 +1,128 @@ +# Adds support for Public Access: +# - Documents can be shared publicly + +model: | + model + schema 1.1 + + type user + type organization + relations + define admin : [user] + define can_edit_documents : admin + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user, user:*] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent + define can_view : viewer or can_edit + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + + - user: user:* + object: document:public-roadmap + relation: viewer + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy + check: + - user: user:peter + object: folder:root + 
assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit : true + can_view : true + + - name: Tests for groups + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true + + - name: Tests for public access + check: + - user: user:john + object: document:public-roadmap + assertions: + can_edit : false + can_view : true diff --git a/stores/public-demo/step-5-relation-based-abac.fga.yaml b/stores/public-demo/step-5-relation-based-abac.fga.yaml new file mode 100644 index 0000000..64da6bb --- /dev/null +++ b/stores/public-demo/step-5-relation-based-abac.fga.yaml 
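Review bot: Public access is restricted to documents only — `document.viewer` accepts `user:*` but `folder.viewer` stays `[user, group#member]` — which is the right least-privilege shape, yet nothing documents it and nothing tests it, so a later step could "fix" it. Add to the header `# - Only documents can be made public (folder.viewer intentionally has no user:*); public grants never imply edit`. Extend the public access test to assert that `user:john` has `can_view: false` on `document:welcome`, which has no wildcard tuple, proving that `user:*` is a per-document grant and not a global default.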
@@ -0,0 +1,157 @@ +# Non published documents can be viewed only by editors + +model: | + model + schema 1.1 + + type user + type organization + relations + define admin : [user] + define can_edit_documents : admin + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user, user:*] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define published: [document] + + define can_edit : editor or owner or can_edit from parent + define can_view : (viewer and viewer from published) or can_edit + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + + - user: user:* + object: document:public-roadmap + relation: viewer + +# Tuples for Relationship Based ABAC + - user: folder:root + object: document:document-not-published + relation: parent + + - user: user:* + object: document:document-not-published + relation: viewer + + - user: document:public-roadmap + object: document:public-roadmap + relation: 
published + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit : true + can_view : true + + - name: Tests for groups + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true + + + - name: Tests for public access + check: + - user: user:john + object: document:public-roadmap + assertions: + can_edit : false + can_view : true + + - name: Tests for published documents + check: + - user: user:john + object: document:document-not-published + assertions: + can_edit : false + can_view : false + + - user: user:peter + object: document:document-not-published + assertions: + can_edit : true + can_view : true diff --git a/stores/public-demo/step-6-super-admin.fga.yaml b/stores/public-demo/step-6-super-admin.fga.yaml new file mode 100644 index 0000000..f3eb08e --- /dev/null +++ b/stores/public-demo/step-6-super-admin.fga.yaml 
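Review bot: The `published` relation is a self-referential marker and that convention is not explained anywhere: `can_view` is `(viewer and viewer from published) or can_edit`, and the only tuple points `document:public-roadmap` at itself, so `viewer from published` re-evaluates `viewer` on the same document and the intersection simply requires the marker tuple to exist. A reader who points `published` at a different document instead gets intersection semantics (must be a viewer of both) that the header comment does not describe. Suggest documenting it next to the relation: `# published is a marker: write (document:X, published, document:X) to publish X; viewer rights (including user:*) only take effect once that tuple exists`. The denial case is only tested through the `user:*` wildcard; a directly assigned `viewer` on `document:document-not-published` should also be checked as `can_view: false` to show the gate applies to explicit grants too.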
@@ -0,0 +1,178 @@ +# Super admins can edit documents in every organization + +model: | + model + schema 1.1 + + type user + + # Add system type + type system + relations + define super_admin : [user] + + type organization + relations + # Add relationship between organization and system + define system : [system] + # Redefine `admin` so super_admins are also organization admins + define admin : [user] or super_admin from system + define can_edit_documents : admin + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user, user:*] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define published: [document] + + define can_edit : editor or owner or can_edit from parent + define can_view : (viewer and viewer from published) or can_edit + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + + - user: user:* + object: document:public-roadmap + relation: viewer + +# Tuples for Relationship Based 
ABAC + - user: folder:root + object: document:document-not-published + relation: parent + + - user: user:* + object: document:document-not-published + relation: viewer + + - user: document:public-roadmap + object: document:public-roadmap + relation: published + +# Tuples for super-admin example + - user: user:sam + object: system:root + relation: super_admin + + - user: system:root + object: organization:acme + relation: system + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy example + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit : true + can_view : true + + - name: Tests for groups example + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true + + + - name: Tests for public access example + check: + - user: user:john + object: document:public-roadmap + assertions: + can_edit : false + can_view : true + + - name: Tests for relationship based abac example + check: + - user: user:john + object: document:document-not-published + assertions: + can_edit : false + can_view : false + + - name: Tests for super-admin example + check: + - user: user:sam + object: document:document-not-published + assertions: + can_edit : true + can_view : true + diff --git a/stores/public-demo/step-7-conditional-relationships-abac.fga.yaml b/stores/public-demo/step-7-conditional-relationships-abac.fga.yaml new file mode 100644 index 0000000..3896b2a --- /dev/null +++ b/stores/public-demo/step-7-conditional-relationships-abac.fga.yaml 
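Review bot: The break-glass path is only tested positively: `user:sam` gains edit on `document:document-not-published`, but nothing asserts that super_admin rights stop at organizations linked to `system:root`. Add an organization without a `system` tuple (e.g. `organization:other` set as `organization` on a `folder:other`) and check that `user:sam` has `can_edit: false` there, so the `system` tuple is shown to be the gate. The header should also say that `define super_admin : [user]` is a standing, unconditional grant that becomes `admin` in every linked organization, i.e. it should be assigned to very few identities and audited; step 7 presumably adds the time bound. The hunk ends with a stray blank line before the next file header.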
@@ -0,0 +1,202 @@ +# Super admins can edit documents in every organization + +model: | + model + schema 1.1 + + type user + + type system + relations + # Use a conditional relationship for super_admin + define super_admin : [user with time_based_grant] + + type organization + relations + define system : [system] + define admin : [user] or super_admin from system + define can_edit_documents : admin + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user, user:*] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define published: [document] + + define can_edit : editor or owner or can_edit from parent + define can_view : (viewer and viewer from published) or can_edit + + condition time_based_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) { + current_time < grant_time + grant_duration + } + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + + - user: user:* + 
object: document:public-roadmap + relation: viewer + +# Tuples for Relationship Based ABAC + - user: folder:root + object: document:document-not-published + relation: parent + + - user: user:* + object: document:document-not-published + relation: viewer + + - user: document:public-roadmap + object: document:public-roadmap + relation: published + +# Tuples for super-admin example + + # This tuple is no longer valid in this model + # - user: user:sam + # object: system:root + # relation: super_admin + - user: system:root + object: organization:acme + relation: system + +# Tuples for conditional relationships + - user: user:sam + object: system:root + relation: super_admin + condition: + name: time_based_grant + context: + grant_time : "2024-07-21T00:00:00Z" + grant_duration : 1h + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy example + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit : true + can_view : true + + - name: Tests for groups example + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true + + + - name: Tests for public access example + check: + - user: user:john + object: document:public-roadmap + assertions: + can_edit : false + can_view : true + + - name: Tests for relationship based abac example + check: + - user: user:john + object: document:document-not-published + assertions: + can_edit : false + can_view : false + +# The tests from the previous example need to be completely replaced +# as they will require an additional parameter to be sent + - name: 
Tests for super-admin example with conditional relationships + check: + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-21T00:00:09Z" + assertions: + can_edit : true + can_view : true + + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-22T00:00:09Z" + assertions: + can_edit : false + can_view : false diff --git a/stores/public-demo/step-8-custom-roles.fga.yaml b/stores/public-demo/step-8-custom-roles.fga.yaml new file mode 100644 index 0000000..e090a3b --- /dev/null +++ b/stores/public-demo/step-8-custom-roles.fga.yaml 
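Review bot: `time_based_grant` has no lower bound — `current_time < grant_time + grant_duration` is true for any `current_time` earlier than `grant_time`, so with the 2024-07-21 grant a check sent with `current_time: "2020-01-01T00:00:00Z"` would succeed. Because `current_time` is supplied by the caller in the check context rather than taken from the server clock, the grant is only as trustworthy as the caller's input, and a stale or chosen timestamp resurrects an expired grant; the service should populate `current_time` from its own clock and the header should state that assumption. Change the condition to `grant_time <= current_time && current_time < grant_time + grant_duration`. The tests check 9 seconds after the start and a day later; add the boundary `current_time: "2024-07-21T01:00:00Z"` (expected `false`, the comparison is strict) and a pre-start time. The header comment is unchanged from step 6 and should mention that super_admin is now time-boxed.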
@@ -0,0 +1,244 @@ +# Custom roles can be defined for each organization: +# - Uses can be assigned to roles +# - Roles can be assigned to permissions + +model: | + model + schema 1.1 + + type user + + type system + relations + # Use a conditional relationship for super_admin + define super_admin : [user with time_based_grant] + + # Added role type + type role + relations + define assignee : [user, group#member] + + type organization + relations + define system : [system] + define admin : [user] or super_admin from system + + # Permissions can be assigned to role assignees + define can_edit_documents : [role#assignee] or admin + define can_create_document : [role#assignee] or admin + define can_add_admin : [role#assignee] or admin + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent or admin from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user, user:*] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define published: [document] + + define can_edit : editor or owner or can_edit from parent + define can_view : (viewer and viewer from published) or can_edit + + condition time_based_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) { + current_time < grant_time + grant_duration + } + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: 
organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + + - user: user:* + object: document:public-roadmap + relation: viewer + +# Tuples for Relationship Based ABAC + - user: folder:root + object: document:document-not-published + relation: parent + + - user: user:* + object: document:document-not-published + relation: viewer + + - user: document:public-roadmap + object: document:public-roadmap + relation: published + +# Tuples for super-admin example + + # This tuple is no longer valid in this model + # - user: user:sam + # object: system:root + # relation: super_admin + - user: system:root + object: organization:acme + relation: system + +# Tuples for conditional relationships + - user: user:sam + object: system:root + relation: super_admin + condition: + name: time_based_grant + context: + grant_time : "2024-07-21T00:00:00Z" + grant_duration : 1h + +# Tuples for custom roles + - user: user:omar + object: role:acme-organization-manager + relation: assignee + + - user: user:edith + object: role:acme-content-editor + relation: assignee + + - user: role:acme-organization-manager#assignee + object: organization:acme + relation: can_add_admin + + - user: role:acme-content-editor#assignee + object: organization:acme + relation: can_create_document + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy example + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit : 
true + can_view : true + + - name: Tests for groups example + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true + + + - name: Tests for public access example + check: + - user: user:john + object: document:public-roadmap + assertions: + can_edit : false + can_view : true + + - name: Tests for relationship based abac example + check: + - user: user:john + object: document:document-not-published + assertions: + can_edit : false + can_view : false + +# The tests from the previous example need to be completely replaced +# as they will require an additional parameter to be sent + - name: Tests for super-admin example with conditional relationships + check: + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-21T00:00:09Z" + assertions: + can_edit : true + can_view : true + + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-22T00:00:09Z" + assertions: + can_edit : false + can_view : false + + - name : Test for custom roles + check: + - user: user:omar + object: organization:acme + assertions: + can_add_admin : true + can_create_document : false + - user: user:edith + object: organization:acme + assertions: + can_add_admin : false + can_create_document : true + diff --git a/stores/public-demo/step-9-application-access.fga.yaml b/stores/public-demo/step-9-application-access.fga.yaml new file mode 100644 index 0000000..df50849 --- /dev/null +++ b/stores/public-demo/step-9-application-access.fga.yaml 
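Review bot: `can_edit_documents` is granted to `role#assignee` on `organization` but is no longer wired into content: `folder.can_edit` now ends in `or admin from organization` instead of `can_edit_documents from organization` as in the previous steps, so assigning a role to `can_edit_documents` has no effect on any folder or document while `admin` keeps full edit. Restore `define can_edit : editor or owner or can_edit from parent or can_edit_documents from organization` on `folder` (admins still qualify via `can_edit_documents : [role#assignee] or admin`); if keeping content edit admin-only was deliberate, the unused permission should be removed or documented instead. The custom-roles tests only check `can_add_admin` and `can_create_document` on the organization; add a role tuple for `can_edit_documents` and assert its assignee has `can_edit: true` on `document:welcome` to pin that path. The header typo `Uses can be assigned` should read `Users can be assigned`.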
@@ -0,0 +1,260 @@ +# We + +model: | + model + schema 1.1 + + type user + + # add an application type + type application + + type system + relations + define super_admin : [user with time_based_grant] + + type role + relations + define assignee : [user, group#member] + + type organization + relations + define system : [system] + define admin : [user] or super_admin from system or application + define application : [application] + + define can_edit_documents : [role#assignee] or admin or application + define can_create_document : [role#assignee] or admin or application + define can_add_admin : [role#assignee] or admin or application + + type group + relations + define member : [user, group#member] + + type folder + relations + define organization : [organization] + define parent: [folder] + define owner : [user] + define viewer: [user, group#member] + define editor: [user, group#member] + + define can_edit : editor or owner or can_edit from parent or admin from organization + define can_view : viewer or can_edit + + type document + relations + define parent: [folder] + define viewer: [user, user:*] or viewer from parent + define owner : [user, group#member] + define editor: [user, group#member] + + define published: [document] + + define can_edit : editor or owner or can_edit from parent + define can_view : (viewer and viewer from published) or can_edit + + condition time_based_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) { + current_time < grant_time + grant_duration + } + +tuples: +# Tuples for basic example + - user: user:anne + object: folder:root + relation: owner + + - user: folder:root + object: document:welcome + relation: parent + + - user: user:bob + object: document:welcome + relation : owner + +# Tuples for multi-tenancy example + - user: user:peter + object: organization:acme + relation: admin + + - user: organization:acme + object: folder:root + relation: organization + +# Tuples for groups example + - user: 
user:martin + object: group:engineering + relation: member + + - user: group:engineering#member + object: group:everyone + relation: member + + - user: group:everyone#member + object: folder:root + relation: editor + + - user: user:* + object: document:public-roadmap + relation: viewer + +# Tuples for Relationship Based ABAC + - user: folder:root + object: document:document-not-published + relation: parent + + - user: user:* + object: document:document-not-published + relation: viewer + + - user: document:public-roadmap + object: document:public-roadmap + relation: published + +# Tuples for super-admin example + + # This tuple is no longer valid in this model + # - user: user:sam + # object: system:root + # relation: super_admin + - user: system:root + object: organization:acme + relation: system + +# Tuples for conditional relationships + - user: user:sam + object: system:root + relation: super_admin + condition: + name: time_based_grant + context: + grant_time : "2024-07-21T00:00:00Z" + grant_duration : 1h + +# Tuples for custom roles + - user: user:omar + object: role:acme-organization-manager + relation: assignee + + - user: user:edith + object: role:acme-content-editor + relation: assignee + + - user: role:acme-organization-manager#assignee + object: organization:acme + relation: can_add_admin + + - user: role:acme-content-editor#assignee + object: organization:acme + relation: can_create_document + +# Tuples for API access + - user: application:app-1 + object: organization:acme + relation: application + +tests: + - name: Tests for basic example + check: + - user: user:anne + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:bob + object: folder:root + assertions: + can_edit : false + can_view : false + + - name: Tests for multi-tenancy example + check: + - user: user:peter + object: folder:root + assertions: + can_edit : true + can_view : true + + - user: user:peter + object: document:welcome + assertions: + can_edit 
: true + can_view : true + + - name: Tests for groups example + check: + - user: user:martin + object: document:welcome + assertions: + can_edit : true + can_view : true + + - user: user:martin + object: folder:root + assertions: + can_edit : true + can_view : true + + + - name: Tests for public access example + check: + - user: user:john + object: document:public-roadmap + assertions: + can_edit : false + can_view : true + + - name: Tests for relationship based abac example + check: + - user: user:john + object: document:document-not-published + assertions: + can_edit : false + can_view : false + +# The tests from the previous example need to be completely replaced +# as they will require an additional parameter to be sent + - name: Tests for super-admin example with conditional relationships + check: + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-21T00:00:09Z" + assertions: + can_edit : true + can_view : true + + - user: user:sam + object: document:welcome + context: + current_time: "2024-07-22T00:00:09Z" + assertions: + can_edit : false + can_view : false + + - name : Test for custom roles + check: + - user: user:omar + object: organization:acme + assertions: + can_add_admin : true + can_create_document : false + - user: user:edith + object: organization:acme + assertions: + can_add_admin : false + can_create_document : true + + - name : Test API access + check: + - user: application:app-1 + object: organization:acme + assertions: + can_add_admin : true + can_create_document : true + - user: application:app-1 + object: document:welcome + assertions: + can_edit : true + can_view : true From f66230b9ea715715ce5c09f61a3c98be960ffbab Mon Sep 17 00:00:00 2001 
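Review bot: In the `organization` type, `define admin : [user] or super_admin from system or application` makes every application written as `application` on an organization a full organization admin, so `can_add_admin` and, through `admin from organization` on folders, `can_edit` on every document are granted to `application:app-1` — the "Test API access" assertions confirm this, yet nothing in the file says an application credential is deliberately admin-equivalent, and the trailing `or application` on `can_edit_documents`, `can_create_document` and `can_add_admin` is redundant once `admin` already includes it, which can mislead a reader into thinking those three are the only permissions an application gets. Either drop `application` from `admin` (the folder/document assertions for app-1 would then need to change) or state the intent explicitly, for example by replacing the truncated header `# We` with `# Application access: an application bound to an organization is treated as an organization admin (it inherits every admin permission, including can_add_admin).` Separately, `time_based_grant` checks only `current_time < grant_time + grant_duration`, so a `current_time` earlier than `grant_time` also satisfies the super_admin grant; if the grant is meant to start at `grant_time`, the condition should be `current_time >= grant_time && current_time < grant_time + grant_duration`, and the existing tests at `2024-07-21T00:00:09Z` and `2024-07-22T00:00:09Z` still pass with that change.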
From: Andres Aguiar Date: Fri, 15 Nov 2024 09:48:07 -0700 Subject: [PATCH 2/2] chore: added readme and renamed folder --- stores/modeling-guide/README.md | 12 ++++++++++++ .../step-1-basic.fga.yaml | 0 .../step-10-fine-grained-api-access.fga.yaml | 0 .../step-2-multi-tenancy.fga.yaml | 0 .../step-3-groups.fga.yaml | 0 .../step-4-public-access.fga.yaml | 0 .../step-5-relation-based-abac.fga.yaml | 0 .../step-6-super-admin.fga.yaml | 0 .../step-7-conditional-relationships-abac.fga.yaml | 0 .../step-8-custom-roles.fga.yaml | 0 .../step-9-application-access.fga.yaml | 0 11 files changed, 12 insertions(+) create mode 100644 stores/modeling-guide/README.md rename stores/{public-demo => modeling-guide}/step-1-basic.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-10-fine-grained-api-access.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-2-multi-tenancy.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-3-groups.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-4-public-access.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-5-relation-based-abac.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-6-super-admin.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-7-conditional-relationships-abac.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-8-custom-roles.fga.yaml (100%) rename stores/{public-demo => modeling-guide}/step-9-application-access.fga.yaml (100%) diff --git a/stores/modeling-guide/README.md b/stores/modeling-guide/README.md new file mode 100644 index 0000000..466343f --- /dev/null +++ b/stores/modeling-guide/README.md 
@@ -0,0 +1,12 @@ +# OpenFGA Modeling Guide + +This folder includes a sequence of models that start from a basic document&documents model, starts adding features on top of it. + +Each step is covered in the [OpenFGA Model Guides](https://www.youtube.com/playlist?list=PLUR5l-oTFZqWaDdhEOVt_IfPOIbKo1Ypt) Youtube playlist. + +## Try It Out + +1. Make sure you have the [FGA CLI](https://github.com/openfga/cli/?tab=readme-ov-file#installation) + +2. In the `modeling-guide` directory, run `fga model test --tests step-1-basic.fga.yaml` for any example you can to test. + diff --git a/stores/public-demo/step-1-basic.fga.yaml b/stores/modeling-guide/step-1-basic.fga.yaml similarity index 100% rename from stores/public-demo/step-1-basic.fga.yaml rename to stores/modeling-guide/step-1-basic.fga.yaml diff --git a/stores/public-demo/step-10-fine-grained-api-access.fga.yaml b/stores/modeling-guide/step-10-fine-grained-api-access.fga.yaml similarity index 100% rename from stores/public-demo/step-10-fine-grained-api-access.fga.yaml rename to stores/modeling-guide/step-10-fine-grained-api-access.fga.yaml diff --git a/stores/public-demo/step-2-multi-tenancy.fga.yaml b/stores/modeling-guide/step-2-multi-tenancy.fga.yaml similarity index 100% rename from stores/public-demo/step-2-multi-tenancy.fga.yaml rename to stores/modeling-guide/step-2-multi-tenancy.fga.yaml diff --git a/stores/public-demo/step-3-groups.fga.yaml b/stores/modeling-guide/step-3-groups.fga.yaml similarity index 100% rename from stores/public-demo/step-3-groups.fga.yaml rename to stores/modeling-guide/step-3-groups.fga.yaml diff --git a/stores/public-demo/step-4-public-access.fga.yaml b/stores/modeling-guide/step-4-public-access.fga.yaml similarity index 100% rename from stores/public-demo/step-4-public-access.fga.yaml rename to stores/modeling-guide/step-4-public-access.fga.yaml 
diff --git a/stores/public-demo/step-5-relation-based-abac.fga.yaml b/stores/modeling-guide/step-5-relation-based-abac.fga.yaml similarity index 100% rename from stores/public-demo/step-5-relation-based-abac.fga.yaml rename to stores/modeling-guide/step-5-relation-based-abac.fga.yaml diff --git a/stores/public-demo/step-6-super-admin.fga.yaml b/stores/modeling-guide/step-6-super-admin.fga.yaml similarity index 100% rename from stores/public-demo/step-6-super-admin.fga.yaml rename to stores/modeling-guide/step-6-super-admin.fga.yaml diff --git a/stores/public-demo/step-7-conditional-relationships-abac.fga.yaml b/stores/modeling-guide/step-7-conditional-relationships-abac.fga.yaml similarity index 100% rename from stores/public-demo/step-7-conditional-relationships-abac.fga.yaml rename to stores/modeling-guide/step-7-conditional-relationships-abac.fga.yaml diff --git a/stores/public-demo/step-8-custom-roles.fga.yaml b/stores/modeling-guide/step-8-custom-roles.fga.yaml similarity index 100% rename from stores/public-demo/step-8-custom-roles.fga.yaml rename to stores/modeling-guide/step-8-custom-roles.fga.yaml diff --git a/stores/public-demo/step-9-application-access.fga.yaml b/stores/modeling-guide/step-9-application-access.fga.yaml similarity index 100% rename from stores/public-demo/step-9-application-access.fga.yaml rename to stores/modeling-guide/step-9-application-access.fga.yaml