chore: improved scenarios descriptions, added listusers/objects tests (…

…#35) * chore: improved scenarios descriptions, added listusers/objects tests * chore: removed comments
openfga · Sep 9, 2024 · 3db31f5 · 3db31f5
1 parent c259d91
commit 3db31f5
Show file tree

Hide file tree

Showing 23 changed files with 371 additions and 77 deletions.
diff --git a/README.md b/README.md
@@ -53,6 +53,7 @@ The OpenFGA [Getting Started](https://openfga.dev/docs/modeling/getting-started)
 
 - [Implementing Multi-Tenancy in Chroma: Part 2 - Authorization Model with OpenFGA](https://cookbook.chromadb.dev/strategies/multi-tenancy/authorization-model-with-openfga/)
 - [Introduction into OpenFGA](https://www.ericksegaar.com/2024/03/04/introduction-into-openfga/)
+- 
 
 ## OpenFGA models in open source projects
 
@@ -69,6 +70,7 @@ The OpenFGA [Getting Started](https://openfga.dev/docs/modeling/getting-started)
 - [sourcegraph/sourcegraph-public-snapshot](https://github.com/sourcegraph/sourcegraph-public-snapshot/blob/main/cmd/enterprise-portal/service/iam_model.fga)
 - [klothoplatform/infracopilot](https://github.com/klothoplatform/infracopilot/blob/main/src/auth_service/model.fga)
 
+
 If you are using OpenFGA in your open source project, please let us know by opening a PR to add your model to this list.
 
 ## Resources

diff --git a/stores/advanced-entitlements/README.md b/stores/advanced-entitlements/README.md
@@ -1,11 +1,13 @@
 # OpenFGA Advanced Entitlements Sample Store
 
-* **Title**: **Advanced Entitlements** 
-
 ## Use-Case
 
 This entitlements model is inspired on [Notion's subscription plans](https://www.notion.so/pricing).
 
+Entitlements limits can be defined based on feature usage like number of collaborators, rows synced, page history days.
+
+The model, tuples and unit tests are detailed in [store.fga.yaml](./store.fga.yaml).
+
 ## Try It Out
 
 1. Make sure you have the [FGA CLI](https://github.com/openfga/cli/?tab=readme-ov-file#installation)

diff --git a/stores/banking/README.md b/stores/banking/README.md
@@ -1,11 +1,11 @@
 # OpenFGA Banking Sample Store
 
-* **Title**: **Bankings** 
-
 ## Use-Case
 
 It models a banking system, with account managers and account owners, where they have different limits for doing bank transactions. The limit can be overruled for a specific transaction.
 
+The model, tuples and unit tests are detailed in [store.fga.yaml](./store.fga.yaml).
+
 ## Try It Out
 
 1. Make sure you have the [FGA CLI](https://github.com/openfga/cli/?tab=readme-ov-file#installation)

diff --git a/stores/condition-data-types/README.md b/stores/condition-data-types/README.md
@@ -1,13 +1,13 @@
 # OpenFGA Condition Data Types Store
 
-* **Title**: **Condition Data Types Store** 
-
 ## Use-Case
 
 OpenFGA's Conditional Relationship Tuples are defined using [Google's CEL expressions](https://github.com/google/cel-spec/blob/master/doc/langdef.md).
 
 This example showcases the different data types and expressions that are supported in OpenFGA conditions and how to use them. 
 
+The model, tuples and unit tests are detailed in [store.fga.yaml](./store.fga.yaml).
+
 ## Try It Out
 
 1. Make sure you have the [FGA CLI](https://github.com/openfga/cli/?tab=readme-ov-file#installation)

diff --git a/stores/custom-roles/store.fga.yaml b/stores/custom-roles/store.fga.yaml
@@ -104,7 +104,7 @@ tuples:
     relation: member
     object: team:qa
 tests:
-  - name: Test
+  - name: Test for different user/permissions
     check:
       - user: user:carlos
         object: org:contoso
@@ -139,3 +139,25 @@ tests:
         object: asset-category:website-media
         assertions:
           asset_creator: true
+
+  - name: Test which asserts can Beth view
+    list_objects:
+      - user: user:beth
+        type: asset
+        assertions:
+          view:
+            - asset:homepage
+            - asset:website-hero-image
+
+  - name: Test users can view the homepage asset
+    list_users:
+      - object: asset:homepage
+        user_filter:
+          - type: user
+        assertions:
+          view:
+            users:
+              - user:beth
+              - user:daniel
+              - user:carlos
+              - user:anne
diff --git a/stores/developer-portal/README.md b/stores/developer-portal/README.md
@@ -2,25 +2,23 @@
 
 ## Use-Case
 
-If your application provides a way to generate API keys to applications to call your APIs, you'll want to create a dashboard where users can manage API keys, and define each API key's permissions.
+It models a developer portal for a B2B SaaS application, where customers can define applications that will make calls to your APIs. 
 
-For this example, we have the following requirements
+For this example, we have the following requirements:
 
-- We want to support multiple customers, and each one should be able to define regular members and administrators for their account.
+- Each customer should be able to define regular members and administrators. 
 - Each customer should be able to define multiple applications.
 - Each customer's administrator should be able to:
-    - Manage organization members (invite, remove, view)
+    - Manage customer's members (invite, remove, view)
     - Manage applications (create, update, delete)
     - Manage application's credentials
     - Configure application's permissions
 - Regular members should be able to:
     - View members
     - View application details
-- Each API should be provisioned access to specific components they can use. For example, the B2B SaaS application could have a Purchase and Payments components. If the customer only paid for the Purchase component, their applications should not be able to access the Payments one.
+- Each application should be provisioned access to specific components they can use. For example, the B2B SaaS application could have a Purchase and Payments components. If the customer only paid for the Purchase component, their applications should not be able to access the Payments component.
 
-
-
-See the model, tuples and tests in the [store.yaml](./store.fga.yaml) file.
+The model, tuples and unit tests are detailed in [store.fga.yaml](./store.fga.yaml).
 
 ## Try It Out
 

diff --git a/stores/developer-portal/store.fga.yaml b/stores/developer-portal/store.fga.yaml
@@ -101,7 +101,8 @@ tuples:
       object: component:payment
 
 tests:
-    - check:
+    - name: Test permissions for users and applications
+      check:
         - user: user:anne
           object: application:1
           assertions:
@@ -127,3 +128,23 @@ tests:
           assertions:
             can_view : true
             can_write : true
+
+    - name: Test the applications anne can view
+      list_objects:
+        - user: user:anne
+          type: application
+          assertions:
+            can_view:
+              - application:1
+
+    - name: Test who can view application:1
+      list_users:
+        - object: application:1
+          user_filter:
+            - type: user
+          assertions:
+            can_view:
+              users:
+                - user:anne 
+                - user:marie 
+
diff --git a/stores/entitlements/store.fga.yaml b/stores/entitlements/store.fga.yaml
@@ -52,7 +52,7 @@ tuples:
     relation: subscriber
     object: plan:team
 tests:
-  - name: Test
+  - name: Test which users have access to different features
     check:
       - user: user:anne
         object: feature:issues
@@ -90,3 +90,25 @@ tests:
         object: feature:sso
         assertions:
           can_access: true
+
+  - name: Test who has access to the issues feature
+    list_users:
+      - object: feature:issues
+        user_filter:
+          - type: user
+        assertions:
+          can_access:
+            users:
+              - user:charles
+              - user:beth
+              - user:anne
+
+  - name: Test which features can Charles access
+    list_objects:
+      - user: user:charles
+        type: feature
+        assertions:
+          can_access:
+            - feature:draft_prs
+            - feature:issues
+            - feature:sso
diff --git a/stores/expenses/store.fga.yaml b/stores/expenses/store.fga.yaml
@@ -23,7 +23,7 @@ tuples:
     relation: submitter
     object: report:sam-chair1
 tests:
-  - name: Test
+  - name: Test for managers and approvers
     check:
       - user: employee:matt
         object: employee:daniel
@@ -36,4 +36,25 @@ tests:
       - user: employee:daniel
         object: report:daniel-chair1
         assertions:
-          approver: false
+          approver: false
+
+  - name: Test which reports can Emily approve
+    list_objects:
+      - user: employee:emily
+        type: report
+        assertions:
+          approver:
+            - report:daniel-chair1
+            - report:sam-chair1
+
+  - name: Test who can approve daniel-chair
+    list_users:
+      - object: report:daniel-chair1
+        user_filter:
+          - type: employee
+        assertions:
+          approver:
+            users:
+              - employee:emily
+              - employee:sam
+              - employee:matt
diff --git a/stores/gdrive/store.fga.yaml b/stores/gdrive/store.fga.yaml
@@ -40,7 +40,7 @@ tuples:
     relation: viewer
     object: doc:public-roadmap
 tests:
-  - name: Test
+  - name: Test user permissions for doc:2021-roadmap
     check:
       - user: user:anne
         object: doc:2021-roadmap
@@ -55,6 +55,28 @@ tests:
         assertions:
           can_read: true
 
+
+  - name: Test which documents can Anne read
+    list_objects:
+      - user: user:anne
+        type: doc
+        assertions:
+          can_read:
+            - doc:2021-roadmap
+            - doc:public-roadmap
+
+  - name: Test who can access doc:2021-roadmap
+    list_users:
+      - object: doc:2021-roadmap
+        user_filter:
+          - type: user
+        assertions:
+          can_read:
+            users: 
+              - user:anne
+              - user:beth
+              - user:charles
+
   - name: Check if the right users have access to the right documents
     list_users:
       - object: doc:public-roadmap
@@ -90,4 +112,3 @@ tests:
             users: 
               - user:anne
               - user:charles
-
diff --git a/stores/github/store.fga.yaml b/stores/github/store.fga.yaml
@@ -40,7 +40,7 @@ tuples:
     relation: member
     object: team:openfga/backend
 tests:
-  - name: Test
+  - name: Test individual user permissions on the openfga/openfga repo
     check:
       - user: user:anne
         object: repo:openfga/openfga
@@ -64,6 +64,28 @@ tests:
         assertions:
           reader: true
 
+  - name: Test who are readers of the openfga/openfga repo
+    list_users:
+    - object: repo:openfga/openfga
+      user_filter:
+        - type: user
+      assertions:
+        reader:
+          users: 
+            - user:diane
+            - user:charles
+            - user:beth
+            - user:anne
+            - user:erik
+
+  - name: Test which repos can Diane read
+    list_objects:
+      - user: user:diane
+        type: repo
+        assertions:
+          reader:
+            - repo:openfga/openfga
+
   - name: Check if the right users have access to the right repositories
     list_users:
       - object: repo:openfga/openfga
@@ -86,4 +108,3 @@ tests:
             users: 
               - team:openfga/backend#member
               - team:openfga/core#member
-
diff --git a/stores/github/tuples.yaml b/stores/github/tuples.yaml
diff --git a/stores/groups-resource-attributes/README.md b/stores/groups-resource-attributes/README.md
@@ -1,11 +1,11 @@
 # OpenFGA Groups Resource Attributes  Sample Store
 
-* **Title**: **Temporal Access** 
-
 ## Use-Case
 
 It enables members of specific groups to access content depending on resource attributes. For example, you can specify that members of the 'marketing' team can only view documents that are 'published' but members of the 'content' team can also view 'draft' documents.
 
+The model, tuples and unit tests are detailed in [store.fga.yaml](./store.fga.yaml).
+
 ## Try It Out
 
 1. Make sure you have the [FGA CLI](https://github.com/openfga/cli/?tab=readme-ov-file#installation)

diff --git a/stores/iot/store.fga.yaml b/stores/iot/store.fga.yaml
@@ -44,7 +44,7 @@ tuples:
     relation: security_guard
     object: device_group:group1
 tests:
-  - name: Test
+  - name: Test specific user permissions on each device
     check:
       - user: user:anne
         object: device:1
@@ -59,3 +59,24 @@ tests:
         object: device:2
         assertions:
           can_rename_device: true
+
+  - name: Test who can view live video on device:1
+    list_users:
+      - object: device:1
+        user_filter:
+          - type: user
+        assertions:
+          can_view_live_video:
+            users:
+              - user:diane
+              - user:charles
+              - user:anne
+              - user:beth
+
+  - name: Test in which devices can Beth view live video
+    list_objects:
+      - type: device
+        user: user:beth
+        assertions:
+          can_view_live_video:
+            - device:1
diff --git a/stores/ip-based-access/README.md b/stores/ip-based-access/README.md
@@ -1,10 +1,10 @@
 # OpenFGA IP-Based Access Sample Store
 
-* **Title**: **IP-Based Access** 
-
 ## Use-Case
 
-It enables granting access for users in a specific IP range.. 
+It enables granting access for users in a specific IP range.
+
+The model, tuples and unit tests are detailed in [store.fga.yaml](./store.fga.yaml).
 
 ## Try It Out