fix OpenFGA model and add sample tuples

MGTheTrain · Nov 17, 2024 · 8f53dfd · 8f53dfd
1 parent b99efb7
commit 8f53dfd
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 11 deletions.
diff --git a/docs/diagrams/openfga-tuples.yml b/docs/diagrams/openfga-tuples.yml
@@ -0,0 +1,85 @@
+tuples:
+  # Admin granting full control over all blobs
+  - user: "user:AdminUser"
+    relation: "admin"
+    object: "blob:Blob1"
+
+  # Owner managing their own blob
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob1"
+
+  # Owner granting permission to a grantee to download a blob
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob1"
+
+  # Owner granting permission to a grantee to view a blob
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob1"
+
+  # Grantee granted permission to download the blob
+  - user: "user:GranteeUser"
+    relation: "grantee"
+    object: "blob:Blob1"
+
+  # Grantee granted permission to view the blob
+  - user: "user:GranteeUser"
+    relation: "grantee"
+    object: "blob:Blob1"
+
+  # Owner performing cryptographic action (create own keys)
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob1"
+
+  # Owner encrypting a file (blob)
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob1"
+
+  # Owner generating signature for their own file (blob)
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob1"
+
+  # Grantee verifying the signature of the file (blob)
+  - user: "user:GranteeUser"
+    relation: "grantee"
+    object: "blob:Blob1"
+
+  # Admin granting full permissions for cryptographic actions
+  - user: "user:AdminUser"
+    relation: "admin"
+    object: "blob:Blob1"
+
+  # Admin granting full permissions to view and manage all blobs
+  - user: "user:AdminUser"
+    relation: "admin"
+    object: "blob:Blob2"
+
+  # Owner granting access to download a specific file to a grantee
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob2"
+
+  # Owner granting access to view a specific file to a grantee
+  - user: "user:OwnerUser"
+    relation: "owner"
+    object: "blob:Blob2"
+
+  # Grantee being allowed to download a blob with permissions granted
+  - user: "user:GranteeUser"
+    relation: "grantee"
+    object: "blob:Blob2"
+
+  # Grantee being allowed to view a blob with permissions granted
+  - user: "user:GranteeUser"
+    relation: "grantee"
+    object: "blob:Blob2"
+
+  # Example of an Admin performing an action that is beyond a normal user
+  - user: "user:AdminUser"
+    relation: "admin"
+    object: "blob:Blob3"
diff --git a/docs/diagrams/openfga.dsl b/docs/diagrams/openfga.dsl
@@ -3,33 +3,36 @@ model
 
 type user
 
+type user_group
+  relations
+    define owner: [user]
+    define grantee: [user]  # A user who has been granted permissions for an owner's blob
+    define admin: [user]    # Admin can manage all blobs, including cryptographic actions
+
 type blob
   relations
-    # Permissions related to blob management
+    # Permissions related to file management
     define can_manage_all_blobs: admin
     define can_manage_own_blobs: owner
     define can_download_blobs_with_given_permission: grantee
     define can_view_blobs_with_given_permission: grantee
 
     # Cryptographic actions
-    define can_manage_all_keys: admin
     define create_own_cryptographic_keys: owner
-    define encrypt_decrypt_own_blobs: owner
-    define generate_signature_for_own_blobs: owner
-    define verify_blob_signature: owner or grantee  # Public key verification is possible for grantee
+    define encrypt_decrypt_own_files: owner
+    define generate_signature_for_own_files: owner
+    define verify_file_signature: owner or grantee  # Public key verification is possible for grantee
 
     # Access control for owners and grantees
     define can_grant_access_to_download_owned_blobs: owner
     define can_grant_access_to_view_owned_blobs: owner
 
     # Ownership and user roles
-    define owner: [user]
-    define grantee: [user]  # A user who has been granted permissions for an owner's blob
-    define admin: [user]    # Admin can manage all blobs, including cryptographic actions
+    define owner: [user, user_group#owner]
+    define grantee: [user, user_group#grantee]  # A user who has been granted permissions for an owner's blob
+    define admin: [user, user_group#admin]    # Admin can manage all blobs, including cryptographic actions
 
     # Additional clarifications
     # - Admin has full control over all blobs
     # - Owner controls access to their own blob, including granting permissions
-    # - Grantee has permission to download or view blobs if granted by the owner
-
-    # In order to visualize the relationship based model visit https://play.fga.dev/sandbox/?store=github and paste in this content
+    # - Grantee has permission to download or view blobs if granted by the owner