IAPL schema generation (#106)

* [hax] First pass at IAPL schema generation Signed-off-by: John Schaeffer <[email protected]> * [hax] Use better DSL Signed-off-by: John Schaeffer <[email protected]> * Fix SpiceDB schema generation tests Signed-off-by: John Schaeffer <[email protected]> * Use iapl package as source of default policy, fix tests Signed-off-by: John Schaeffer <[email protected]> * Fix linting issues Signed-off-by: John Schaeffer <[email protected]> * Apply suggestions from code review Co-authored-by: E Camden Fisher <[email protected]> Signed-off-by: John Schaeffer <[email protected]> * Add IAPL default policy definition Signed-off-by: John Schaeffer <[email protected]> * Fix more linting Signed-off-by: John Schaeffer <[email protected]> * Expand action bindings and resource types during NewPolicy Signed-off-by: John Schaeffer <[email protected]> * Use correct ID prefixes in default policy Signed-off-by: John Schaeffer <[email protected]> * Use more informative error when defining duplicate types Signed-off-by: John Schaeffer <[email protected]> * Clean up old references to type alias, rename to union Signed-off-by: John Schaeffer <[email protected]> * Add IAPL tests Signed-off-by: John Schaeffer <[email protected]> * Remove unused error from IAPL package Signed-off-by: John Schaeffer <[email protected]> --------- Signed-off-by: John Schaeffer <[email protected]> Signed-off-by: John Schaeffer <[email protected]> Co-authored-by: E Camden Fisher <[email protected]>
infratographer · Jun 15, 2023 · d80de5a · d80de5a
1 parent 3191ab0
commit d80de5a
Show file tree

Hide file tree

Showing 12 changed files with 1,148 additions and 214 deletions.
diff --git a/internal/iapl/default.go b/internal/iapl/default.go
@@ -0,0 +1,214 @@
+package iapl
+
+// DefaultPolicy generates the default policy for permissions-api.
+func DefaultPolicy() Policy {
+	policyDocument := PolicyDocument{
+		ResourceTypes: []ResourceType{
+			{
+				Name:     "role",
+				IDPrefix: "permrol",
+				Relationships: []Relationship{
+					{
+						Relation: "subject",
+						TargetTypeNames: []string{
+							"subject",
+						},
+					},
+				},
+			},
+			{
+				Name:     "user",
+				IDPrefix: "idntusr",
+			},
+			{
+				Name:     "client",
+				IDPrefix: "idntcli",
+			},
+			{
+				Name:     "tenant",
+				IDPrefix: "tnntten",
+				Relationships: []Relationship{
+					{
+						Relation: "parent",
+						TargetTypeNames: []string{
+							"tenant",
+						},
+					},
+				},
+			},
+			{
+				Name:     "loadbalancer",
+				IDPrefix: "loadbal",
+				Relationships: []Relationship{
+					{
+						Relation: "owner",
+						TargetTypeNames: []string{
+							"resourceowner",
+						},
+					},
+				},
+			},
+		},
+		Unions: []Union{
+			{
+				Name: "subject",
+				ResourceTypeNames: []string{
+					"user",
+					"client",
+				},
+			},
+			{
+				Name: "resourceowner",
+				ResourceTypeNames: []string{
+					"tenant",
+				},
+			},
+		},
+		Actions: []Action{
+			{
+				Name: "loadbalancer_create",
+			},
+			{
+				Name: "loadbalancer_get",
+			},
+			{
+				Name: "loadbalancer_list",
+			},
+			{
+				Name: "loadbalancer_update",
+			},
+			{
+				Name: "loadbalancer_delete",
+			},
+		},
+		ActionBindings: []ActionBinding{
+			{
+				ActionName: "loadbalancer_create",
+				TypeName:   "resourceowner",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "parent",
+							ActionName: "loadbalancer_create",
+						},
+					},
+				},
+			},
+			{
+				ActionName: "loadbalancer_get",
+				TypeName:   "resourceowner",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "parent",
+							ActionName: "loadbalancer_get",
+						},
+					},
+				},
+			},
+			{
+				ActionName: "loadbalancer_update",
+				TypeName:   "resourceowner",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "parent",
+							ActionName: "loadbalancer_update",
+						},
+					},
+				},
+			},
+			{
+				ActionName: "loadbalancer_list",
+				TypeName:   "resourceowner",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "parent",
+							ActionName: "loadbalancer_list",
+						},
+					},
+				},
+			},
+			{
+				ActionName: "loadbalancer_delete",
+				TypeName:   "resourceowner",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "parent",
+							ActionName: "loadbalancer_delete",
+						},
+					},
+				},
+			},
+			{
+				ActionName: "loadbalancer_get",
+				TypeName:   "loadbalancer",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "owner",
+							ActionName: "loadbalancer_get",
+						},
+					},
+				},
+			},
+			{
+				ActionName: "loadbalancer_update",
+				TypeName:   "loadbalancer",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "owner",
+							ActionName: "loadbalancer_update",
+						},
+					},
+				},
+			},
+			{
+				ActionName: "loadbalancer_delete",
+				TypeName:   "loadbalancer",
+				Conditions: []Condition{
+					{
+						RoleBinding: &ConditionRoleBinding{},
+					},
+					{
+						RelationshipAction: &ConditionRelationshipAction{
+							Relation:   "owner",
+							ActionName: "loadbalancer_delete",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	policy := NewPolicy(policyDocument)
+	if err := policy.Validate(); err != nil {
+		panic(err)
+	}
+
+	return policy
+}
diff --git a/internal/iapl/doc.go b/internal/iapl/doc.go
@@ -0,0 +1,3 @@
+// Package iapl contains functions and data for the Infratographer Authorization Policy Language, a
+// domain-specific language for defining authorization policies based on resource relationships.
+package iapl
diff --git a/internal/iapl/errors.go b/internal/iapl/errors.go
@@ -0,0 +1,16 @@
+package iapl
+
+import "errors"
+
+var (
+	// ErrorTypeExists represents an error where a duplicate type or union was declared.
+	ErrorTypeExists = errors.New("type already exists")
+	// ErrorUnknownType represents an error where a resource type is unknown in the authorization policy.
+	ErrorUnknownType = errors.New("unknown resource type")
+	// ErrorInvalidCondition represents an error where an action binding condition is invalid.
+	ErrorInvalidCondition = errors.New("invalid condition")
+	// ErrorUnknownRelation represents an error where a relation is not defined for a resource type.
+	ErrorUnknownRelation = errors.New("unknown relation")
+	// ErrorUnknownAction represents an error where an action is not defined.
+	ErrorUnknownAction = errors.New("unknown action")
+)