feat: basic support for exclusion in graph (#321)

Author: miparnisari

pkg/go/graph/graph_builder.go

@@ -22,7 +22,8 @@ type AuthorizationModelGraphBuilder struct {
 //
 // The edges are defined by the assignments, e.g.
 // `define viewer: [group]` defines an edge from group to document#viewer.
-// TODO expand when more use cases are added.
+// Conditions are not encoded in the graph,
+// and the two edges in an exclusion are not distinguished.
 func NewAuthorizationModelGraph(model *openfgav1.AuthorizationModel) (*AuthorizationModelGraph, error) {
 	res, err := parseModel(model)
 	if err != nil {
@@ -98,8 +99,12 @@ func checkRewrite(graphBuilder *AuthorizationModelGraphBuilder, parentNode *Auth
 		operator = "intersection"
 		children = rw.Intersection.GetChild()
 
-	default:
-		panic("TODO handle difference")
+	case *openfgav1.Userset_Difference:
+		operator = "exclusion"
+		children = []*openfgav1.Userset{
+			rw.Difference.GetBase(),
+			rw.Difference.GetSubtract(),
+		}
 	}
 
 	operatorNode := fmt.Sprintf("%s:%s", operator, ulid.Make().String())

pkg/go/graph/graph_builder_test.go

@@ -537,6 +537,106 @@ rankdir=BT
 2 -> 1 [label=direct];
 2 -> 5 [label=direct];
 5 -> 4 [style=dashed];
+}`,
+		},
+		`exclusion_of_relations`: {
+			model: `
+				model
+					schema 1.1
+				type user
+				type folder
+				   relations
+					 define a: [user]
+					 define b: [user]
+					 define c: a but not b`,
+			expectedOutput: `digraph {
+graph [
+rankdir=BT
+];
+
+// Node definitions.
+0 [label=folder];
+1 [label="folder#a"];
+2 [label=user];
+3 [label="folder#b"];
+4 [label="folder#c"];
+5 [label=exclusion];
+
+// Edge definitions.
+1 -> 5 [style=dashed];
+2 -> 1 [label=direct];
+2 -> 3 [label=direct];
+3 -> 5 [style=dashed];
+5 -> 4 [style=dashed];
+}`,
+		},
+		`exclusion_of_relation_and_type`: {
+			model: `
+				model
+					schema 1.1
+				type user
+				type folder
+				   relations
+					 define a: [user]
+					 define b: [user] but not a`,
+			expectedOutput: `digraph {
+graph [
+rankdir=BT
+];
+
+// Node definitions.
+0 [label=folder];
+1 [label="folder#a"];
+2 [label=user];
+3 [label="folder#b"];
+4 [label=exclusion];
+
+// Edge definitions.
+1 -> 4 [style=dashed];
+2 -> 1 [label=direct];
+2 -> 4 [label=direct];
+4 -> 3 [style=dashed];
+}`,
+		},
+		`exclusion_with_parens`: {
+			model: `
+				model
+					schema 1.1
+				type user
+				type folder
+					relations
+						define a: [user]
+						define b: [user]
+						define c: [user]
+						define d: [user]
+						define e: (a or b or c) but not d`,
+			expectedOutput: `digraph {
+graph [
+rankdir=BT
+];
+
+// Node definitions.
+0 [label=folder];
+1 [label="folder#a"];
+2 [label=user];
+3 [label="folder#b"];
+4 [label="folder#c"];
+5 [label="folder#d"];
+6 [label="folder#e"];
+7 [label=exclusion];
+8 [label=union];
+
+// Edge definitions.
+1 -> 8 [style=dashed];
+2 -> 1 [label=direct];
+2 -> 3 [label=direct];
+2 -> 4 [label=direct];
+2 -> 5 [label=direct];
+3 -> 8 [style=dashed];
+4 -> 8 [style=dashed];
+5 -> 7 [style=dashed];
+7 -> 6 [style=dashed];
+8 -> 7 [style=dashed];
 }`,
 		},
 	}