oceanbox/openfga
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Clean up and add how to run

Browse Source
This commit is contained in:
Moritz Jörg
2025-10-29 08:32:48 +01:00
parent e53ddefd7e
commit 8f5be0c091
8 changed files with 258 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
README.md
View File

@@ -1,6 +1,98 @@
# Atlantis FGA model # Atlantis OpenFGA model
To test the model run: To test the model run:
```
```shell
fga model test --tests test.fga.yaml fga model test --tests test.fga.yaml
``` ```
## Writing tuples
Add `user:john@example.no` as a member of organisation `group:/example`
```console
fga tuple write user:john@example.no member group:/example
```
Add as `active` or `registered`:
```console
fga tuple write user:john@example.no active user:john@example.no
fga tuple write user:john@example.no registered user:john@example.no
```
A more complex write operation:
```console
fga tuple write group:/stim#member view archive:23feab9e-e9af-49fd-a740-33c0b63ffd0b --condition-name term --condition-context '{"start_time": "2025-03-18T00:00:00Z", "end_time": "2025-05-01T00:00:00Z"}'
```
To write a group of tuples, specify a file that contains those tuples. Here with `.csv` file:
```console
fga tuple write --file ohs.csv
```
## Deleting a tuples
Delete `user:john@example.no` as a member of organisation `group:/example`
```console
fga tuple delete user:john@example.no member group:/example
```
To delete a group of tuples, specify a file that contains those tuples. Here with `.csv` file:
```console
fga tuple delete --file ohs.csv
```
## Query objects
List all objects from an `archive`, with `group` views
```console
fga query list-objects archive:40d3f9cf-90bc-4aa0-b4d3-62d066d42bd9
fga query list-objects 'group' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
fga query list-objects 'group:/leroy' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
fga query list-objects 'group:/leroy#member' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
```
## How to add a new customer
To add a new customer, you need to define relationships between users, groups, and organizations.
Here's an example of adding a customer named `example`, given an `archive` with ID `f971f6bd-1bb1-4ca5-98d0-c7482a1cc867`, two users `john and jane` with their respective email addresses and a time-based condition for group membership (`2023-06-23` to `2023-07-07`).
1. Create a CSV file (e.g., `csv/customer/example.csv`) with the following content:
```bash
user_type,user_id,relation,object_type,object_id,condition_name,condition_context
system,atlantis,parent,organization,example,, # Establishes the system "atlantis" as a parent of the "example" organization
organization,example,parent,group,/example,, # Sets the "example" organization as a parent of the group "/example"
domain,example.no,realm,organization,example,,# Associates the domain "example.no" with the "example" organization
# Gives the "/example#member" group view access to a specific archive with a time-based condition
group,/example#member,view,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,term,"{""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"
# Gives the "/example#member" group execution rights to the same archive with quota and time conditions
group,/example#member,exec,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,ticket,"{""tasks"": [ ""*"" ], ""quota"": ""-1.0"", ""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"
# Create the user "john@example.no" with active status, registered status, and group membership
user,john@example.no,active,user,john@example.no,,
user,john@example.no,registered,user,john@example.no,,
user,john@example.no,member,group,/example,,
# Create the user "jane@example.no" with active status, registered status, and group membership
user,jane@example.no,active,user,jane@example.no,,
user,jane@example.no,registered,user,jane@example.no,,
user,jane@example.no,member,group,/example,,
```
2. Write all the tuples to OpenFGA with a single command:
```console
$ fga tuple write --file csv/customer/example.csv
```
3. Impersonate the added/removed customer to check the set permissions.
Use `\impersonate?user=john@example.no` in `maps.oceanbox.io` to tempeorarily get the permissions of the new customer
and check if the correct archives modelareas are added. Then `\unimpersonate` can be used to get back your usual access.

92
examples.md
View File

@@ -1,92 +0,0 @@
# OpenFGA
## How to add a new customer
To add a new customer, you need to define relationships between users, groups, and organizations.
Here's an example of adding a customer named `example`, given an `archive` with ID `f971f6bd-1bb1-4ca5-98d0-c7482a1cc867`, two users `john and jane` with their respective email addresses and a time-based condition for group membership (`2023-06-23` to `2023-07-07`).
1. Create a CSV file (e.g., `csv/customer/example.csv`) with the following content:
```csv
user_type,user_id,relation,object_type,object_id,condition_name,condition_context
system,atlantis,parent,organization,example,, # Establishes the system "atlantis" as a parent of the "example" organization
organization,example,parent,group,/example,, # Sets the "example" organization as a parent of the group "/example"
domain,example.no,realm,organization,example,,# Associates the domain "example.no" with the "example" organization
# Gives the "/example#member" group view access to a specific archive with a time-based condition
group,/example#member,view,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,term,"{""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"
# Gives the "/example#member" group execution rights to the same archive with quota and time conditions
group,/example#member,exec,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,ticket,"{""tasks"": [ ""*"" ], ""quota"": ""-1.0"", ""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"
# Create the user "john@example.no" with active status, registered status, and group membership
user,john@example.no,active,user,john@example.no,,
user,john@example.no,registered,user,john@example.no,,
user,john@example.no,member,group,/example,,
# Create the user "jane@example.no" with active status, registered status, and group membership
user,jane@example.no,active,user,jane@example.no,,
user,jane@example.no,registered,user,jane@example.no,,
user,jane@example.no,member,group,/example,,
```
2. Write all the tuples to OpenFGA with a single command:
```console
$ fga tuple write --file csv/customer/example.csv
```
## CLI
### Writing tuples
Add user:aleksander.libaek@akerbla.no as a member of organisation group:/akerbla
```console
$ fga tuple write user:aleksander.libaek@akerbla.no member group:/akerbla
```
Add as `active` or `registered`:
```console
$ fga tuple write user:aleksander.libaek@akerbla.no active user:aleksander.libaek@akerbla.no
$ fga tuple write user:aleksander.libaek@akerbla.no registered user:aleksander.libaek@akerbla.no
```
A more complex write operation:
```console
$ fga tuple write group:/stim#member view archive:23feab9e-e9af-49fd-a740-33c0b63ffd0b --condition-name term --condition-context '{"start_time": "2025-03-18T00:00:00Z", "end_time": "2025-05-01T00:00:00Z"}'
```
To write a group of tuples, specify a file that contains those tuples. Here with `.csv` file:
```console
fga tuple write --file ohs.csv
```
### Deleting a tuples
Delete `user:aleksander.libaek@akerbla.no` as a member of organisation `group:/akerbla`
```console
$ fga tuple delete user:aleksander.libaek@akerbla.no member group:/akerbla
```
To delete a group of tuples, specify a file that contains those tuples. Here with `.csv` file:
```console
$ fga tuple delete --file ohs.csv
```
### Query objects
List all objects from an `archive`, with `group` views
```console
$ fga query list-objects archive:40d3f9cf-90bc-4aa0-b4d3-62d066d42bd9
$ fga query list-objects 'group' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
$ fga query list-objects 'group:/leroy' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
$ fga query list-objects 'group:/leroy#member' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
```

146
npins/default.nix Normal file
View File

@@ -0,0 +1,146 @@
/*
This file is provided under the MIT licence:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
# (Taken from Niv for compatibility)
mayOverride =
name: path:
let
envVarName = "NPINS_OVERRIDE_${saneName}";
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv envVarName;
in
if ersatz == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}"
);
mkSource =
name: spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else if spec.type == "Tarball" then
mkTarballSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = mayOverride name path; };
mkGitSource =
{
repository,
revision,
url ? null,
submodules,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null && !submodules then
builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
}
else
let
url =
if repository.type == "Git" then
repository.url
else if repository.type == "GitHub" then
"https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git"
else
throw "Unrecognized repository type ${repository.type}";
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision;
in
builtins.fetchGit {
rev = revision;
inherit name;
# hash = hash;
inherit url submodules;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
mkTarballSource =
{
url,
locked_url ? url,
hash,
...
}:
builtins.fetchTarball {
url = locked_url;
sha256 = hash;
};
in
if version == 5 then
builtins.mapAttrs mkSource data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

11
npins/sources.json Normal file
View File

@@ -0,0 +1,11 @@
{
"pins": {
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre885943.e99366c665bd/nixexprs.tar.xz",
"hash": "1cl8gphr2r9yz5qxn4r85bcgdba23igjc269dv4jajw9r50xgij6"
}
},
"version": 5
}

2
scripts/trackFga.sh
View File

@@ -8,4 +8,4 @@ esac
curl \ curl \
-H "Authorization: bearer $token" \ -H "Authorization: bearer $token" \
-d "$toggle" \ -d "$toggle" \
https://maps.oceanbox.io/internal/trackFga "https://maps.oceanbox.io/internal/trackFga"

8
shell.nix
View File

@@ -1,12 +1,16 @@
with import <nixpkgs> { }; {
sources ? import ./npins,
pkgs ? import sources.nixpkgs { },
}:
pkgs.mkShellNoCC { pkgs.mkShellNoCC {
packages = [ packages = [
openfga-cli pkgs.openfga-cli
]; ];
FGA_API_URL = "https://openfga.srv.oceanbox.io"; FGA_API_URL = "https://openfga.srv.oceanbox.io";
FGA_STORE_ID = "01JKTZXMP7ANN4GG2P5W8Y56M6"; FGA_STORE_ID = "01JKTZXMP7ANN4GG2P5W8Y56M6";
FGA_MODEL_ID = "01JKTZYMCZZBVSBG66W27XMW0A"; FGA_MODEL_ID = "01JKTZYMCZZBVSBG66W27XMW0A";
# NOTE: Unused, NS has been deleted
# FGA_API_URL = "https://openfga.dev.oceanbox.io"; # FGA_API_URL = "https://openfga.dev.oceanbox.io";
# FGA_STORE_ID = "01JKTQKHSGJH4RW04WFVCPWNTE"; # FGA_STORE_ID = "01JKTQKHSGJH4RW04WFVCPWNTE";
# FGA_MODEL_ID = "01JKTQMXBE7219XRYE3NGYNXSR"; # FGA_MODEL_ID = "01JKTQMXBE7219XRYE3NGYNXSR";

0
tests.csv → tests/tests.csv
View File

0
tests.yaml → tests/tests.yaml
View File