Auth: Generate entitlement definitions #13256

markylaing · 2024-04-03T16:45:13Z

This PR adds a small go program to read the OpenFGA model file and generate a go file containing entitlement definitions and a mapping of entity type to entitlement slice. This is used to validate entitlements when add a permission to a group, and when using the permissions API.

This can be taken further to generate documentation from the comments that are in the OpenFGA model file.

Generating entitlements directly from the model revealed a few discrepancies between the model and the entitlement to entity type map that was previously defined. These would have led to some quite obfuscated bugs. I've fixed them in this PR and generating entitlements from the model should prevent this happening in the future.

Partially addresses #12999
Prepares for #12928

Signed-off-by: Mark Laing <[email protected]>

markylaing · 2024-04-04T08:23:17Z

@tomponline ready for review when you have time. Thanks

lxd/auth/driver_openfga_model.openfga

lxd/auth/generate/main.go

tomponline

LGTM - just a couple of nits.

tomponline · 2024-04-04T10:01:47Z

@markylaing should this be linked to any outstanding issue such that its closed when merged?

Signed-off-by: Mark Laing <[email protected]>

…tor`. EntitlementProjectOperator was the string "operator". This was to differentiate it from the server level operator but there is no benefit to this now that we are generating the entitlements. Signed-off-by: Mark Laing <[email protected]>

Signed-off-by: Mark Laing <[email protected]>

Granting a `can_delete` permission on an identity to a group was possible via the API but this would have had no effect because the relation was not present in the model. Signed-off-by: Mark Laing <[email protected]>

Granting `can_view`, `can_edit`, or `can_delete` on a group was possible via the API but this would have had no effect because members of a group (group#member) could not be directly related to the group type in the model via these relations. Signed-off-by: Mark Laing <[email protected]>

Re-generate the entitlements map to reflect changes. Signed-off-by: Mark Laing <[email protected]>

…tificate. This restriction was artificial and also incorrect. We should allow granting permissions against certificates because this is used by the certificates API. Since identities and certificates are different entity types, a permission granted on an identity is not identical to a permission granted on a certificate, so we need to allow this. Signed-off-by: Mark Laing <[email protected]>

This adds entitlements for identity provider groups that we previously omitted incorrectly. Additionally, the `can_view` entitlement on server cannot be granted because this is the type-bound public access that allows all authenticated clients to call GET /1.0. Signed-off-by: Mark Laing <[email protected]>

markylaing · 2024-04-04T13:04:40Z

All comments addressed I think. I've linked a couple of relevant issues but there is no specific issue for this.

tomponline

This is great thanks!

markylaing self-assigned this Apr 3, 2024

markylaing force-pushed the generate-entitlements branch from 4ac66db to 47efe2c Compare April 4, 2024 08:01

lxd/auth: Add comments to the OpenFGA model describing entitlements.

bfff083

Signed-off-by: Mark Laing <[email protected]>

markylaing force-pushed the generate-entitlements branch from 47efe2c to 89aa6e5 Compare April 4, 2024 08:22

markylaing marked this pull request as ready for review April 4, 2024 08:22

markylaing requested a review from tomponline as a code owner April 4, 2024 08:22

markylaing requested review from roosterfish and gabrielmougard April 4, 2024 08:23