feat: update definitions to support ABAC Conditions (#90)

* feat: add `condition` to RelationReference * feat: add `Condition` definition * feat: add `conditions` to AuthorizationModel * update swagger * feat: add `conditions` to WriteAuthorizationModelRequest * feat: add `context` fields to query requests * use an enum for condition param type names * add feat branch to review workflow * stick to enum conventions * suppress diffs from generated files * regenerate * add missing type name * proposed validation as starting point * add ipaddress type * tweaks * update validation for Condition.name * refactor: change Assertion TupleKey to CheckRequestTupleKey * feat: adding condition for tuple key (#94) * feat: adding condition for tuple key * remove redundant validation --------- Co-authored-by: Jonathan Whitaker <[email protected]> Co-authored-by: Adrian Tam <[email protected]>
openfga · Sep 14, 2023 · aa7d2ff · aa7d2ff
1 parent db20ad1
commit aa7d2ff
Show file tree

Hide file tree

Showing 12 changed files with 4,927 additions and 2,647 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,5 @@
+/docs/openapiv2/apidocs.swagger.json linguist-generated=true
+*.pb.go linguist-generated=true
+*.pb.*.go linguist-generated=true
+go.sum linguist-generated=true
+buf.lock linguist-generated=true
diff --git a/.github/workflows/review.yaml b/.github/workflows/review.yaml
@@ -3,6 +3,7 @@ on:
   pull_request:
     branches:
       - main
+      - feat/abac
 
 permissions:
   contents: read

diff --git a/docs/openapiv2/apidocs.swagger.json b/docs/openapiv2/apidocs.swagger.json
diff --git a/openfga/v1/authzmodel.proto b/openfga/v1/authzmodel.proto
@@ -21,6 +21,12 @@ message AuthorizationModel {
     json_name = "type_definitions",
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "[{\"type\": \"user\"}, {\"type\":\"document\",\"relations\":{\"reader\":{\"union\":{\"child\":[{\"this\":{}},{\"computedUserset\":{\"object\":\"\",\"relation\":\"writer\"}}]}},\"writer\":{\"this\":{}}},\"metadata\":{\"relations\":{\"reader\":{\"directly_related_user_types\":[{\"type\":\"user\"}]},\"writer\":{\"directly_related_user_types\":[{\"type\":\"user\"}]}}}}]"}
   ];
+
+  map<string, Condition> conditions = 4 [
+    json_name = "conditions",
+    (validate.rules).map.max_pairs = 25,
+    (validate.rules).map.keys.string = {pattern: "^[^:#@\\s]{1,50}$"}
+  ];
 }
 
 message TypeDefinition {
@@ -81,6 +87,9 @@ message RelationReference {
 
     Wildcard wildcard = 3;
   }
+
+  // The name of a condition that is enforced over the allowed relation.
+  string condition = 4;
 }
 
 message Wildcard {}
@@ -126,3 +135,47 @@ message TupleToUserset {
   ObjectRelation tupleset = 1;
   ObjectRelation computed_userset = 2;
 }
+
+message Condition {
+  // A unique name for the condition
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (validate.rules).string = {pattern: "^[^:#@\\s]{1,50}$"}
+  ];
+
+  // A Google CEL expression, expressed as a string.
+  string expression = 2 [
+    (google.api.field_behavior) = REQUIRED,
+    (validate.rules).string = {max_bytes: 512}
+  ];
+
+  // A map of parameter names to the parameter's defined type reference.
+  map<string, ConditionParamTypeRef> parameters = 3 [
+    (validate.rules).map.max_pairs = 25,
+    (validate.rules).map.keys.string = {pattern: "^[^:#@\\s]{1,50}$"}
+  ];
+}
+
+message ConditionParamTypeRef {
+  enum TypeName {
+    TYPE_NAME_UNSPECIFIED = 0;
+    TYPE_NAME_ANY = 1;
+    TYPE_NAME_BOOL = 2;
+    TYPE_NAME_STRING = 3;
+    TYPE_NAME_INT = 4;
+    TYPE_NAME_UINT = 5;
+    TYPE_NAME_DOUBLE = 6;
+    TYPE_NAME_DURATION = 7;
+    TYPE_NAME_TIMESTAMP = 8;
+    TYPE_NAME_MAP = 9;
+    TYPE_NAME_LIST = 10;
+    TYPE_NAME_IPADDRESS = 11;
+  }
+
+  TypeName type_name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (validate.rules).enum.defined_only = true
+  ];
+
+  repeated ConditionParamTypeRef generic_types = 2 [(validate.rules).repeated.max_items = 5];
+}