Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add FGA API support #474

Merged
merged 4 commits into from
Nov 11, 2024
Merged

Add FGA API support #474

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3805693
Add FGA API support
orius123 Nov 10, 2024
755973b
Fix tests
orius123 Nov 10, 2024
8e3f749
Fix Readme
orius123 Nov 10, 2024
d52a842
Fix Readme comments
orius123 Nov 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
208 changes: 50 additions & 158 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ These sections show how to use the SDK to perform API management functions. Befo
10. [Impersonate](#impersonate)
11. [Audit](#audit)
12. [Embedded Links](#embedded-links)
13. [Manage ReBAC Authz](#manage-rebac-authz)
13. [Manage FGA Authz](#manage-fga-authz)
orius123 marked this conversation as resolved.
Show resolved Hide resolved
14. [Manage Project](#manage-project)
15. [Manage SSO Applications](#manage-sso-applications)

Expand Down Expand Up @@ -1319,180 +1319,72 @@ err := descopeClient.Management.Audit().CreateEvent(context.Background(), &desco
})
```

### Manage ReBAC Authz
### Manage FGA Authz

Descope supports full relation based access control (ReBAC) using a zanzibar like schema and operations.
A schema is comprized of namespaces (entities like documents, folders, orgs, etc.) and each namespace has relation definitions to define relations.
Each relation definition can be simple (either you have it or not) or complex (union of nodes).
A schema is comprized of types (entities like documents, folders, orgs, etc.) and each type has relation definitions and permission to define relations to other types.

A simple example for a file system like schema would be:

```yaml
# Example schema for the authz tests
name: Files
namespaces:
- name: org
relationDefinitions:
- name: parent
- name: member
complexDefinition:
nType: union
children:
- nType: child
expression:
neType: self
- nType: child
expression:
neType: relationLeft
relationDefinition: parent
relationDefinitionNamespace: org
targetRelationDefinition: member
targetRelationDefinitionNamespace: org
- name: folder
relationDefinitions:
- name: parent
- name: owner
complexDefinition:
nType: union
children:
- nType: child
expression:
neType: self
- nType: child
expression:
neType: relationRight
relationDefinition: parent
relationDefinitionNamespace: folder
targetRelationDefinition: owner
targetRelationDefinitionNamespace: folder
- name: editor
complexDefinition:
nType: union
children:
- nType: child
expression:
neType: self
- nType: child
expression:
neType: relationRight
relationDefinition: parent
relationDefinitionNamespace: folder
targetRelationDefinition: editor
targetRelationDefinitionNamespace: folder
- nType: child
expression:
neType: targetSet
targetRelationDefinition: owner
targetRelationDefinitionNamespace: folder
- name: viewer
complexDefinition:
nType: union
children:
- nType: child
expression:
neType: self
- nType: child
expression:
neType: relationRight
relationDefinition: parent
relationDefinitionNamespace: folder
targetRelationDefinition: viewer
targetRelationDefinitionNamespace: folder
- nType: child
expression:
neType: targetSet
targetRelationDefinition: editor
targetRelationDefinitionNamespace: folder
- name: doc
relationDefinitions:
- name: parent
- name: owner
complexDefinition:
nType: union
children:
- nType: child
expression:
neType: self
- nType: child
expression:
neType: relationRight
relationDefinition: parent
relationDefinitionNamespace: doc
targetRelationDefinition: owner
targetRelationDefinitionNamespace: folder
- name: editor
complexDefinition:
nType: union
children:
- nType: child
expression:
neType: self
- nType: child
expression:
neType: relationRight
relationDefinition: parent
relationDefinitionNamespace: doc
targetRelationDefinition: editor
targetRelationDefinitionNamespace: folder
- nType: child
expression:
neType: targetSet
targetRelationDefinition: owner
targetRelationDefinitionNamespace: doc
- name: viewer
complexDefinition:
nType: union
children:
- nType: child
expression:
neType: self
- nType: child
expression:
neType: relationRight
relationDefinition: parent
relationDefinitionNamespace: doc
targetRelationDefinition: viewer
targetRelationDefinitionNamespace: folder
- nType: child
expression:
neType: targetSet
targetRelationDefinition: editor
targetRelationDefinitionNamespace: doc
```
model AuthZ 1.0

type user

type org
relation member: user
relation parent: org

type folder
relation parent: folder
relation owner: user | org#member
relation editor: user
relation viewer: user

permission can_create: owner | parent.owner
permission can_edit: editor | can_create
permission can_view: viewer | can_edit

type doc
relation parent: folder
relation owner: user | | org#member
orius123 marked this conversation as resolved.
Show resolved Hide resolved
relation editor: user
relation viewer: user

permission can_create: owner | parent.owner
permission can_edit: editor | can_create
permission can_view: viewer | can_edit


Descope SDK allows you to fully manage the schema and relations as well as perform simple (and not so simple) checks regarding the existence of relations.

```go
// Load the existing schema
schema, err := descopeClient.Management.Authz().LoadSchema(context.Background())
if err != nil {
// handle error
}

// Save schema and make sure to remove all namespaces not listed
err := descopeClient.Management.Authz().SaveSchema(context.Background(), schema, true)
// Save schema
err := descopeClient.Management.FGA().SaveSchema(context.Background(), schema)

// Create a relation between a resource and user
err := descopeClient.Management.Authz().CreateRelations(context.Background(), []*descope.AuthzRelation {
{
resource: "some-doc",
relationDefinition: "owner",
namespace: "doc",
target: "u1",
err := descopeClient.Management.FGA().CreateRelations(context.Background(), []*descope.FGARelation {
{
Resource: "some-doc",
ResourceType: "doc",
Relation: "owner",
Target: "u1",
TargetType: "user"
},
})

// Check if target has the relevant relation
// The answer should be true because an owner is also a viewer
relations, err := descopeClient.Management.Authz().HasRelations(context.Background(), []*descope.AuthzRelationQuery{
// Check if target has a relevant relation
// The answer should be true because an owner can also view
relations, err := descopeClient.Management.FGA().Check(context.Background(), []*descope.FGARelation{
{
resource: "some-doc",
relationDefinition: "viewer",
namespace: "doc",
target: "u1",
Resource: "some-doc",
ResourceType: "doc",
Relation: "can_view",
Target: "u1",
TargetType: "user"
}
})
```
}) -->
orius123 marked this conversation as resolved.
Show resolved Hide resolved


### Manage Project

Expand Down
25 changes: 25 additions & 0 deletions descope/api/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,10 @@ var (
authzRETargetAll: "mgmt/authz/re/targetall",
authzRETargetWithRelation: "mgmt/authz/re/targetwithrelation",
authzGetModified: "mgmt/authz/getmodified",
fgaSaveSchema: "mgmt/fga/schema",
fgaCreateRelations: "mgmt/fga/relations",
fgaDeleteRelations: "mgmt/fga/relations/delete",
fgaCheck: "mgmt/fga/check",
},
logout: "auth/logout",
logoutAll: "auth/logoutall",
Expand Down Expand Up @@ -408,6 +412,11 @@ type mgmtEndpoints struct {
authzRETargetAll string
authzRETargetWithRelation string
authzGetModified string

fgaSaveSchema string
fgaCreateRelations string
fgaDeleteRelations string
fgaCheck string
}

func (e *endpoints) SignInOTP() string {
Expand Down Expand Up @@ -1090,6 +1099,22 @@ func (e *endpoints) ManagementAuthzGetModified() string {
return path.Join(e.version, e.mgmt.authzGetModified)
}

func (e *endpoints) ManagementFGASaveSchema() string {
return path.Join(e.version, e.mgmt.fgaSaveSchema)
}

func (e *endpoints) ManagementFGACreateRelations() string {
return path.Join(e.version, e.mgmt.fgaCreateRelations)
}

func (e *endpoints) ManagementFGADeleteRelations() string {
return path.Join(e.version, e.mgmt.fgaDeleteRelations)
}

func (e *endpoints) ManagementFGACheck() string {
return path.Join(e.version, e.mgmt.fgaCheck)
}

type sdkInfo struct {
name string
version string
Expand Down
22 changes: 22 additions & 0 deletions descope/authztypes.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,3 +90,25 @@ type AuthzModified struct {
Targets []string `json:"targets"`
SchemaChanged bool `json:"schemaChanged"`
}

// FGA

// FGASchema holds the schema for a project
type FGASchema struct {
Schema string `json:"schema"`
}

// FGARelation defines a relation between resource and target
type FGARelation struct {
Resource string `json:"resource"`
ResourceType string `json:"resourceType"`
Relation string `json:"relation"`
Target string `json:"target"`
TargetType string `json:"targetType"`
}

// FGACheck holds the result of a check
type FGACheck struct {
Allowed bool `json:"allowed"`
Relation *FGARelation `json:"relation"`
}
Loading
Loading