feat: support direct assignments in graph (#308)

miparnisari · web-flow · commit b27a3bc8d77f · 2024-08-08T18:59:35.000Z
diff --git a/pkg/go/.golangci.yaml b/pkg/go/.golangci.yaml
@@ -67,3 +67,7 @@ linters-settings:
 
 issues:
   exclude-use-default: true
+  exclude-rules:
+    - path: _test.go
+      linters:
+        - funlen
diff --git a/pkg/go/Makefile b/pkg/go/Makefile
@@ -1,6 +1,11 @@
 BINARY_NAME=openfga-language
 DOCKER_BINARY=docker
 GO_BIN ?= $(shell go env GOPATH)/bin
+.DEFAULT_GOAL := help
+
+help: ## Show this help
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
 
 #-----------------------------------------------------------------------------------------------------------------------
 # Rules (https://www.gnu.org/software/make/manual/html_node/Rule-Introduction.html#Rule-Introduction)
@@ -28,8 +33,8 @@ build:
 clean: ## Clean project files
 	go clean
 
-test: ## Run tests
-	go test ./... -count=1
+test: ## Run Go tests
+	go test ./... -count=1 -race
 
 lint: $(GO_BIN)/golangci-lint ## Lint Go source files
 	@echo "==> Linting Go source files"
@@ -43,4 +48,4 @@ format: $(GO_BIN)/gofumpt ## Format Go source files
 	@echo "==> Formatting project files"
 	gofumpt -w transformer/ errors/
 
-all-tests: build audit lint test
+all-tests: build audit lint test ## Run linting and tests
diff --git a/pkg/go/graph/graph_builder.go b/pkg/go/graph/graph_builder.go
@@ -61,17 +61,7 @@ func parseModel(model *openfgav1.AuthorizationModel) (*multi.DirectedGraph, erro
 
 			rewrite := typeDef.GetRelations()[relation]
 			if _, ok := rewrite.GetUserset().(*openfgav1.Userset_This); ok {
-				directlyRelated := make([]*openfgav1.RelationReference, 0)
-				if metadata, ok := typeDef.GetMetadata().GetRelations()[relation]; ok {
-					directlyRelated = metadata.GetDirectlyRelatedUserTypes()
-				}
-
-				for _, directlyRelatedDef := range directlyRelated {
-					assignableType := directlyRelatedDef.GetType()
-
-					newNode := graphBuilder.GetOrAddNode(assignableType, assignableType, SpecificType)
-					graphBuilder.AddEdge(newNode, relationNode, DirectEdge)
-				}
+				parseThis(typeDef, relation, graphBuilder, relationNode)
 			}
 		}
 	}
@@ -84,6 +74,36 @@ func parseModel(model *openfgav1.AuthorizationModel) (*multi.DirectedGraph, erro
 	return nil, fmt.Errorf("%w: could not cast to directed graph", ErrBuildingGraph)
 }
 
+func parseThis(typeDef *openfgav1.TypeDefinition, relation string, graphBuilder *AuthorizationModelGraphBuilder, relationNode *AuthorizationModelNode) {
+	directlyRelated := make([]*openfgav1.RelationReference, 0)
+	if relationMetadata, ok := typeDef.GetMetadata().GetRelations()[relation]; ok {
+		directlyRelated = relationMetadata.GetDirectlyRelatedUserTypes()
+	}
+
+	for _, directlyRelatedDef := range directlyRelated {
+		if directlyRelatedDef.GetRelationOrWildcard() == nil {
+			// direct assignment to concrete type
+			assignableType := directlyRelatedDef.GetType()
+			newNode := graphBuilder.GetOrAddNode(assignableType, assignableType, SpecificType)
+			graphBuilder.AddEdge(newNode, relationNode, DirectEdge)
+		}
+
+		if directlyRelatedDef.GetWildcard() != nil {
+			// direct assignment to wildcard
+			assignableWildcard := directlyRelatedDef.GetType() + ":*"
+			newNode := graphBuilder.GetOrAddNode(assignableWildcard, assignableWildcard, SpecificType)
+			graphBuilder.AddEdge(newNode, relationNode, DirectEdge)
+		}
+
+		if directlyRelatedDef.GetRelation() != "" {
+			// direct assignment to userset
+			assignableUserset := directlyRelatedDef.GetType() + "#" + directlyRelatedDef.GetRelation()
+			newNode := graphBuilder.GetOrAddNode(assignableUserset, assignableUserset, SpecificTypeAndRelation)
+			graphBuilder.AddEdge(newNode, relationNode, DirectEdge)
+		}
+	}
+}
+
 func (g *AuthorizationModelGraphBuilder) GetOrAddNode(uniqueLabel, label string, nodeType NodeType) *AuthorizationModelNode {
 	if existingNode := g.GetNodeFor(uniqueLabel); existingNode != nil {
 		return existingNode
diff --git a/pkg/go/graph/graph_builder_test.go b/pkg/go/graph/graph_builder_test.go
@@ -37,6 +37,106 @@ rankdir=BT
 1 [label="folder#viewer"];
 2 [label=user];
 
+// Edge definitions.
+2 -> 1 [label=direct];
+}`,
+		},
+		`direct_assignment_with_wildcard`: {
+			model: `
+				model
+					schema 1.1
+				type folder
+					relations
+						define viewer: [user:*]
+				type user`,
+			expectedOutput: `digraph {
+graph [
+rankdir=BT
+];
+
+// Node definitions.
+0 [label=folder];
+1 [label="folder#viewer"];
+2 [label="user:*"];
+3 [label=user];
+
+// Edge definitions.
+2 -> 1 [label=direct];
+}`,
+		},
+		`direct_assignment_with_wildcard_and_type`: {
+			model: `
+				model
+					schema 1.1
+				type folder
+					relations
+						define viewer: [user:*, user]
+				type user`,
+			expectedOutput: `digraph {
+graph [
+rankdir=BT
+];
+
+// Node definitions.
+0 [label=folder];
+1 [label="folder#viewer"];
+2 [label="user:*"];
+3 [label=user];
+
+// Edge definitions.
+2 -> 1 [label=direct];
+3 -> 1 [label=direct];
+}`,
+		},
+		`direct_assignment_with_usersets`: {
+			model: `
+				model
+					schema 1.1
+				type folder
+					relations
+						define viewer: [group#member]
+				type group
+					relations
+						define member: [user]
+				type user`,
+			expectedOutput: `digraph {
+graph [
+rankdir=BT
+];
+
+// Node definitions.
+0 [label=folder];
+1 [label="folder#viewer"];
+2 [label="group#member"];
+3 [label=group];
+4 [label=user];
+
+// Edge definitions.
+2 -> 1 [label=direct];
+4 -> 2 [label=direct];
+}`,
+		},
+		`direct_assignment_with_conditions`: { // conditions are not represented
+			model: `
+				model
+					schema 1.1
+				type user
+				type folder
+					relations
+						define viewer: [user with condX]
+				condition condX (x:int) {
+					x > 0
+				}`,
+			expectedOutput: `digraph {
+graph [
+rankdir=BT
+];
+
+// Node definitions.
+0 [label=folder];
+1 [label="folder#viewer"];
+2 [label=user];
+
 // Edge definitions.
 2 -> 1 [label=direct];
 }`,
