diff --git a/deploy/schema.ksl b/deploy/schema.ksl index 287b551b..f848b2e6 100644 --- a/deploy/schema.ksl +++ b/deploy/schema.ksl @@ -1,32 +1,44 @@ version 0.1 namespace rbac -public type user {} +public type principal {} public type group { - relation member: [Any user or group.member] + relation member: [Any principal or group.member] } public type role { - relation view_the_thing: [bool] } public type role_binding { - relation subject: [Any user or group.member] + relation subject: [Any principal or group.member] relation granted: [AtLeastOne role] - - relation view_the_thing: subject and granted.view_the_thing } public type workspace { relation parent: [AtMostOne workspace] relation user_grant: [Any role_binding] - - relation view_the_thing: user_grant.view_the_thing } -public type thing { +public type widget { relation workspace: [ExactlyOne workspace] - relation view: workspace.view_the_thing + @add_permission(name:'view_widget') + relation view: workspace.view_widget or use + @add_permission(name:'use_widget') + relation use: workspace.use_widget +} + +internal extension add_permission(name) { + type role { + private relation ${name}: [bool] + } + + type role_binding { + internal relation ${name}: subject and granted.${name} + } + + type workspace { + internal relation ${name}: user_grant.${name} or parent.${name} + } } \ No newline at end of file diff --git a/deploy/schema.yaml b/deploy/schema.yaml index 486fa68a..91a02bf2 100644 --- a/deploy/schema.yaml +++ b/deploy/schema.yaml 
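Review bot: The `AtMostOne` on `relation parent: [AtMostOne workspace]` is now load-bearing for security, because the new `add_permission` extension makes every workspace permission inherit through `parent.${name}`, yet the SpiceDB schema generated in this same commit declares `relation t_parent: rbac/workspace` with no arity, so SpiceDB will happily store several parent tuples and union all of their grants. That makes a single `workspace#parent` write equivalent to receiving every role binding held on the target workspace, so whoever can write that tuple must be authorized on the new parent; nothing in this diff checks that (it may live in the relationship-write path outside this diff). I would record the contract on the relation itself: `relation parent: [AtMostOne workspace] // inherits every *_widget grant of the parent chain; SpiceDB does not enforce the arity, so the writer must reject a second parent and re-parenting must be authorized against the new parent`.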
@@ -1,30 +1,39 @@
 schema: |-
- definition rbac/user {}
+ definition rbac/principal {}
 
 definition rbac/group {
- relation member: rbac/user | rbac/group#member
+ permission member = t_member
+ relation t_member: rbac/principal | rbac/group#member
 }
 
 definition rbac/role {
- relation view_the_thing: rbac/user:*
+ permission view_widget = t_view_widget
+ relation t_view_widget: rbac/principal:*
+ permission use_widget = t_use_widget
+ relation t_use_widget: rbac/principal:*
 }
 
 definition rbac/role_binding {
- relation subject : rbac/user | rbac/group#member
- relation granted: rbac/role
-
- permission view_the_thing = subject & granted->view_the_thing
+ permission subject = t_subject
+ relation t_subject: rbac/principal | rbac/group#member
+ permission granted = t_granted
+ relation t_granted: rbac/role
+ permission view_widget = (subject & t_granted->view_widget)
+ permission use_widget = (subject & t_granted->use_widget)
 }
 
 definition rbac/workspace {
- relation parent: rbac/workspace
- relation user_grant: rbac/role_binding
-
- permission view_the_thing = user_grant->view_the_thing
+ permission parent = t_parent
+ relation t_parent: rbac/workspace
+ permission user_grant = t_user_grant
+ relation t_user_grant: rbac/role_binding
+ permission view_widget = t_user_grant->view_widget + t_parent->view_widget
+ permission use_widget = t_user_grant->use_widget + t_parent->use_widget
 }
 
- definition rbac/thing {
- relation workspace: rbac/workspace
-
- permission view = workspace->view_the_thing
- }
+ definition rbac/widget {
+ permission workspace = t_workspace
+ relation t_workspace: rbac/workspace
+ permission view = t_workspace->view_widget + use
+ permission use = t_workspace->use_widget
+ }
\ No newline at end of file
diff --git a/deploy/schema.zed b/deploy/schema.zed
index 541c4597..9df6ec62 100644
--- a/deploy/schema.zed
+++ b/deploy/schema.zed
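Review bot: Nothing marks which of the now three hand-maintained renderings of this model (schema.ksl, schema.zed, and this yaml embedding) is the source of truth, or checks that they agree, so a future edit to one of them silently deploys a different permission graph than the one that was tested. The two .zed copies in this commit are byte-identical (deploy/schema.zed and the test copy both land at blob 9df6ec62), but the yaml embedding cannot be compared by hash. If, as the .ksl suggests, the other files are generated from it, say so above `schema: |-` with `# Generated from deploy/schema.ksl; must stay identical to deploy/schema.zed — do not hand-edit`, and add a test that reads deploy/schema.zed and asserts it equals the string embedded here.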
@@ -1,21 +1,24 @@
-definition rbac/user {}
+definition rbac/principal {}
 
 definition rbac/group {
 permission member = t_member
- relation t_member: rbac/user | rbac/group#member
+ relation t_member: rbac/principal | rbac/group#member
 }
 
 definition rbac/role {
- permission view_the_thing = t_view_the_thing
- relation t_view_the_thing: rbac/user:*
+ permission view_widget = t_view_widget
+ relation t_view_widget: rbac/principal:*
+ permission use_widget = t_use_widget
+ relation t_use_widget: rbac/principal:*
 }
 
 definition rbac/role_binding {
 permission subject = t_subject
- relation t_subject: rbac/user | rbac/group#member
+ relation t_subject: rbac/principal | rbac/group#member
 permission granted = t_granted
 relation t_granted: rbac/role
- permission view_the_thing = (subject & t_granted->view_the_thing)
+ permission view_widget = (subject & t_granted->view_widget)
+ permission use_widget = (subject & t_granted->use_widget)
 }
 
 definition rbac/workspace {
@@ -23,11 +26,13 @@ definition rbac/workspace {
 relation t_parent: rbac/workspace
 permission user_grant = t_user_grant
 relation t_user_grant: rbac/role_binding
- permission view_the_thing = t_user_grant->view_the_thing
+ permission view_widget = t_user_grant->view_widget + t_parent->view_widget
+ permission use_widget = t_user_grant->use_widget + t_parent->use_widget
 }
 
-definition rbac/thing {
+definition rbac/widget {
 permission workspace = t_workspace
 relation t_workspace: rbac/workspace
- permission view = t_workspace->view_the_thing
+ permission view = t_workspace->view_widget + use
+ permission use = t_workspace->use_widget
 }
\ No newline at end of file
diff --git a/go.mod b/go.mod
index ebb9a149..76e461bc 100644
--- a/go.mod
+++ b/go.mod
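Review bot: Dropping `definition rbac/user {}` and the `t_view_the_thing` relation in the first hunk is a breaking schema write for any datastore that already holds `rbac/user` tuples: SpiceDB rejects a WriteSchema that removes a definition or relation still referenced by stored relationships, so the deploy fails until those tuples are deleted, and deleting them removes every group membership and role-binding subject without anything being written back under `rbac/principal`. I see no migration in this diff; either add one (read the `rbac/user` tuples, re-write them as `rbac/principal`, then delete the originals) or keep `definition rbac/user {}` and `relation t_view_the_thing: rbac/user:*` alongside the new definitions until the data has moved, and state the chosen path in the commit description. Whether any such tuples exist in the target environments is not visible from here.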
@@ -5,8 +5,8 @@ go 1.22.7
 require (
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20241127180247-a33202765966.1
 github.com/MicahParks/keyfunc/v3 v3.3.5
+ github.com/authzed/grpcutil v0.0.0-20240123194739-2ea1e3d2d98b
 github.com/authzed/authzed-go v1.2.0
- github.com/authzed/grpcutil v0.0.0-20230908193239-4286bb1d6403
 github.com/bufbuild/protovalidate-go v0.8.0
 github.com/go-kratos/kratos/v2 v2.8.2
 github.com/golang-jwt/jwt/v5 v5.2.1
@@ -54,6 +54,7 @@ require (
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/google/cel-go v0.22.1 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+ github.com/google/subcommands v1.2.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
@@ -82,11 +83,13 @@ require (
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+ golang.org/x/mod v0.22.0 // indirect
+ golang.org/x/time v0.6.0 // indirect
+ golang.org/x/tools v0.27.0 // indirect
 golang.org/x/net v0.32.0 // indirect
 golang.org/x/sync v0.10.0 // indirect
 golang.org/x/sys v0.28.0 // indirect
 golang.org/x/text v0.21.0 // indirect
- golang.org/x/time v0.6.0 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index 4d997e97..32beb9f7 100644
--- a/go.sum
+++ b/go.sum
@@ -22,10 +22,10 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEV
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
+github.com/authzed/grpcutil v0.0.0-20240123194739-2ea1e3d2d98b h1:wbh8IK+aMLTCey9sZasO7b6BWLAJnHHvb79fvWCXwxw=
+github.com/authzed/grpcutil v0.0.0-20240123194739-2ea1e3d2d98b/go.mod h1:s3qC7V7XIbiNWERv7Lfljy/Lx25/V1Qlexb0WJuA8uQ=
 github.com/authzed/authzed-go v1.2.0 h1:Ep1sRJMxcArB++kYqHbYKQCb/GgdGZI0cW4gZrJ1K40=
 github.com/authzed/authzed-go v1.2.0/go.mod h1:4lkFxvaCISG1roRdnUt35/Sk1StVuMD1QCwTd/BcWcM=
-github.com/authzed/grpcutil v0.0.0-20230908193239-4286bb1d6403 h1:bQeIwWWRI9bl93poTqpix4sYHi+gnXUPK7N6bMtXzBE=
-github.com/authzed/grpcutil v0.0.0-20230908193239-4286bb1d6403/go.mod h1:s3qC7V7XIbiNWERv7Lfljy/Lx25/V1Qlexb0WJuA8uQ=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
@@ -105,6 +105,7 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/google/subcommands v1.2.0 h1:vWQspBTo2nEqTUFita5/KeEWlUL8kQObDFbub/EN9oE=
 github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -242,6 +243,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -321,6 +324,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
+golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/internal/data/spicedb-test-data/basic_schema.zed b/internal/data/spicedb-test-data/basic_schema.zed
index a9e65287..9df6ec62 100644
--- a/internal/data/spicedb-test-data/basic_schema.zed
+++ b/internal/data/spicedb-test-data/basic_schema.zed
@@ -1,14 +1,24 @@
+definition rbac/principal {}
+
+definition rbac/group {
+ permission member = t_member
+ relation t_member: rbac/principal | rbac/group#member
+}
+
 definition rbac/role {
- permission view_the_thing = t_view_the_thing
- relation t_view_the_thing: rbac/user:*
+ permission view_widget = t_view_widget
+ relation t_view_widget: rbac/principal:*
+ permission use_widget = t_use_widget
+ relation t_use_widget: rbac/principal:*
 }
 
 definition rbac/role_binding {
 permission subject = t_subject
- relation t_subject: rbac/user | rbac/group#member
+ relation t_subject: rbac/principal | rbac/group#member
 permission granted = t_granted
 relation t_granted: rbac/role
- permission view_the_thing = (subject & t_granted->view_the_thing)
+ permission view_widget = (subject & t_granted->view_widget)
+ permission use_widget = (subject & t_granted->use_widget)
 }
 
 definition rbac/workspace {
@@ -16,18 +26,13 @@ definition rbac/workspace {
 relation t_parent: rbac/workspace
 permission user_grant = t_user_grant
 relation t_user_grant: rbac/role_binding
- permission view_the_thing = t_user_grant->view_the_thing
+ permission view_widget = t_user_grant->view_widget + t_parent->view_widget
+ permission use_widget = t_user_grant->use_widget + t_parent->use_widget
 }
 
-definition rbac/thing {
+definition rbac/widget {
 permission workspace = t_workspace
 relation t_workspace: rbac/workspace
- permission view = t_workspace->view_the_thing
-}
-
-definition rbac/user {}
-
-definition rbac/group {
- permission member = t_member
- relation t_member: rbac/user | rbac/group#member
+ permission view = t_workspace->view_widget + use
+ permission use = t_workspace->use_widget
 }
\ No newline at end of file
diff --git a/internal/data/spicedb_test.go b/internal/data/spicedb_test.go
index 05a40bed..01523f45 100644
--- a/internal/data/spicedb_test.go
+++ b/internal/data/spicedb_test.go
@@ -3,12 +3,13 @@ package data
 import (
 "context"
 "fmt"
- "github.com/stretchr/testify/mock"
- "google.golang.org/grpc/metadata"
 "io"
 "os"
 "testing"
 
+ "github.com/stretchr/testify/mock"
+ "google.golang.org/grpc/metadata"
+
 apiV1beta1 "github.com/project-kessel/relations-api/api/kessel/relations/v1beta1"
 "github.com/project-kessel/relations-api/internal/biz"
 "github.com/project-kessel/relations-api/internal/conf"
@@ -51,11 +52,11 @@ func TestCreateRelationship(t *testing.T) {
 spiceDbRepo, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.False(t, preExisting)
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob", ""),
 }
 
 touch := biz.TouchSemantics(false)
@@ -65,7 +66,7 @@ func TestCreateRelationship(t *testing.T) {
 
 container.WaitForQuantizationInterval()
 
- exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.True(t, exists)
 }
 
@@ -76,14 +77,14 @@ func TestCreateRelationshipWithSubjectRelation(t *testing.T) {
 spiceDbRepo, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.False(t, preExisting)
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob", ""),
 createRelationship("rbac", "role_binding", "fan_binding", "granted", "rbac", "role", "fan", ""),
 createRelationship("rbac", "role_binding", "fan_binding", "subject", "rbac", "group", "bob_club", "member"),
- createRelationship("rbac", "role", "fan", "view_the_thing", "rbac", "user", "*", ""),
+ createRelationship("rbac", "role", "fan", "view_widget", "rbac", "principal", "*", ""),
 }
 
 touch := biz.TouchSemantics(false)
@@ -93,27 +94,27 @@ func TestCreateRelationshipWithSubjectRelation(t *testing.T) {
 
 container.WaitForQuantizationInterval()
 
- exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.True(t, exists)
 
 exists = CheckForRelationship(spiceDbRepo, "bob_club", "rbac", "group", "member", "subject", "rbac", "role_binding", "fan_binding")
 assert.True(t, exists)
 
- // zed permission check rbac/role_binding:fan_binding subject rbac/user:bob
+ // zed permission check rbac/role_binding:fan_binding subject rbac/principal:bob
 // bob is a subject of fan_binding
- runSpiceDBCheck(t, ctx, spiceDbRepo, "user", "rbac", "bob", "subject", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_TRUE)
+ runSpiceDBCheck(t, ctx, spiceDbRepo, "principal", "rbac", "bob", "subject", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_TRUE)
 
- // zed permission check rbac/role_binding:fan_binding subject rbac/user:alice
+ // zed permission check rbac/role_binding:fan_binding subject rbac/principal:alice
 // alice is NOT a subject of fan_binding
- runSpiceDBCheck(t, ctx, spiceDbRepo, "user", "rbac", "alice", "subject", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_FALSE)
+ runSpiceDBCheck(t, ctx, spiceDbRepo, "principal", "rbac", "alice", "subject", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_FALSE)
 
- // zed permission check rbac/role_binding:fan_binding view_the_thing rbac/user:bob
- // bob has view_the_thing permission
- runSpiceDBCheck(t, ctx, spiceDbRepo, "user", "rbac", "bob", "view_the_thing", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_TRUE)
+ // zed permission check rbac/role_binding:fan_binding view_widget rbac/principal:bob
+ // bob has view_widget permission
+ runSpiceDBCheck(t, ctx, spiceDbRepo, "principal", "rbac", "bob", "view_widget", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_TRUE)
 
- // zed permission check rbac/role_binding:fan_binding subject rbac/user:alice
- // alice does NOT have view_the_thing permission
- runSpiceDBCheck(t, ctx, spiceDbRepo, "user", "rbac", "alice", "view_the_thing", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_FALSE)
+ // zed permission check rbac/role_binding:fan_binding subject rbac/principal:alice
+ // alice does NOT have view_widget permission
+ runSpiceDBCheck(t, ctx, spiceDbRepo, "principal", "rbac", "alice", "view_widget", "role_binding", "rbac", "fan_binding", apiV1beta1.CheckResponse_ALLOWED_FALSE)
 
 // zed permission check rbac/role_binding:fan_binding t_granted rbac/role:fan
 // check that role binding is tied to correct role
@@ -131,11 +132,11 @@ func TestSecondCreateRelationshipFailsWithTouchFalse(t *testing.T) {
 spiceDbRepo, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.False(t, preExisting)
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob", ""),
 }
 
 touch := biz.TouchSemantics(false)
@@ -149,7 +150,7 @@ func TestSecondCreateRelationshipFailsWithTouchFalse(t *testing.T) {
 
 container.WaitForQuantizationInterval()
 
- exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.True(t, exists)
 }
 
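Review bot: The last renamed comment in this hunk still says `subject` while the call beneath it checks `view_widget` for alice: the new-side line reads `// zed permission check rbac/role_binding:fan_binding subject rbac/principal:alice` but the assertion is `runSpiceDBCheck(..., "alice", "view_widget", ...)`. These comments are written as copy-pasteable zed commands, so the stale one sends a reader to a query that tests something else. Change it to `// zed permission check rbac/role_binding:fan_binding view_widget rbac/principal:alice`. Note also that every check in this hunk is against the role_binding only; nothing exercises the `use_widget` relation the role definition now carries, which is seeded nowhere in this test.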
@@ -160,11 +161,11 @@ func TestSecondCreateRelationshipSucceedsWithTouchTrue(t *testing.T) {
 spiceDbRepo, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ preExisting := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.False(t, preExisting)
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob", ""),
 }
 
 touch := biz.TouchSemantics(false)
@@ -179,7 +180,7 @@ func TestSecondCreateRelationshipSucceedsWithTouchTrue(t *testing.T) {
 
 container.WaitForQuantizationInterval()
 
- exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ exists := CheckForRelationship(spiceDbRepo, "bob", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.True(t, exists)
 }
 
@@ -235,10 +236,10 @@ func (m *MockgRPCClientStream) CloseAndRecv() (*apiV1beta1.ImportBulkTuplesRespo
 
 func TestImportBulkTuples(t *testing.T) {
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob5", ""),
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob3", ""),
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob6", ""),
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob9", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob5", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob3", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob6", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob9", ""),
 }
 
 mockgRPCClientStream := new(MockgRPCClientStream)
@@ -253,7 +254,7 @@ func TestImportBulkTuples(t *testing.T) {
 assert.NoError(t, err)
 container.WaitForQuantizationInterval()
 
- exists := CheckForRelationship(spiceDbRepo, "bob5", "rbac", "user", "", "member", "rbac", "group", "bob_club")
+ exists := CheckForRelationship(spiceDbRepo, "bob5", "rbac", "principal", "", "member", "rbac", "group", "bob_club")
 assert.True(t, exists)
 }
 
@@ -311,7 +312,7 @@ func TestDoesNotCreateRelationshipWithSlashInObjectType(t *testing.T) {
 badResourceType := "my/group"
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", badResourceType, "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", badResourceType, "bob_club", "member", "rbac", "principal", "bob", ""),
 }
 
 touch := biz.TouchSemantics(false)
@@ -352,7 +353,7 @@ func TestCreateRelationshipFailsWithBadObjectType(t *testing.T) {
 badObjectType := "not_an_object"
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", badObjectType, "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", badObjectType, "bob_club", "member", "rbac", "principal", "bob", ""),
 }
 
 touch := biz.TouchSemantics(false)
@@ -383,7 +384,7 @@ func TestSupportedNsTypeTupleFilterCombinationsInReadRelationships(t *testing.T)
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -396,7 +397,7 @@ func TestSupportedNsTypeTupleFilterCombinationsInReadRelationships(t *testing.T)
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -409,7 +410,7 @@ func TestSupportedNsTypeTupleFilterCombinationsInReadRelationships(t *testing.T)
 Relation: pointerize("member"),
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -436,7 +437,7 @@ func TestSupportedNsTypeTupleFilterCombinationsInReadRelationships(t *testing.T)
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -448,7 +449,7 @@ func TestSupportedNsTypeTupleFilterCombinationsInReadRelationships(t *testing.T)
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -499,7 +500,7 @@ func TestWriteAndReadBackRelationships(t *testing.T) {
 assert.NoError(t, err)
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob", ""),
 }
 
 err = spiceDbRepo.CreateRelationships(ctx, rels, biz.TouchSemantics(true))
@@ -517,7 +518,7 @@ func TestWriteAndReadBackRelationships(t *testing.T) {
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -540,7 +541,7 @@ func TestWriteReadBackDeleteAndReadBackRelationships(t *testing.T) {
 assert.NoError(t, err)
 
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob", ""),
 }
 
 err = spiceDbRepo.CreateRelationships(ctx, rels, biz.TouchSemantics(true))
@@ -558,7 +559,7 @@ func TestWriteReadBackDeleteAndReadBackRelationships(t *testing.T) {
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -577,7 +578,7 @@ func TestWriteReadBackDeleteAndReadBackRelationships(t *testing.T) {
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 })
 
@@ -595,7 +596,7 @@ func TestWriteReadBackDeleteAndReadBackRelationships(t *testing.T) {
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 }, 0, "")
 
@@ -617,17 +618,12 @@ func TestSpiceDbRepository_CheckPermission(t *testing.T) {
 return
 }
 
- //group:bob_club#member@user:bob
- //workspace:test#user_grant@role_binding:rb_test
- //role_binding:rb_test#granted@role:rl1
- //role_binding:rb_test#subject@user:bob
- //role:rl1#view_the_thing@user:*
 rels := []*apiV1beta1.Relationship{
- createRelationship("rbac", "group", "bob_club", "member", "rbac", "user", "bob", ""),
+ createRelationship("rbac", "group", "bob_club", "member", "rbac", "principal", "bob", ""),
 createRelationship("rbac", "workspace", "test", "user_grant", "rbac", "role_binding", "rb_test", ""),
 createRelationship("rbac", "role_binding", "rb_test", "granted", "rbac", "role", "rl1", ""),
- createRelationship("rbac", "role_binding", "rb_test", "subject", "rbac", "user", "bob", ""),
- createRelationship("rbac", "role", "rl1", "view_the_thing", "rbac", "user", "*", ""),
+ createRelationship("rbac", "role_binding", "rb_test", "subject", "rbac", "principal", "bob", ""),
+ createRelationship("rbac", "role", "rl1", "view_widget", "rbac", "principal", "*", ""),
 }
 
 err = spiceDbRepo.CreateRelationships(ctx, rels, biz.TouchSemantics(true))
@@ -640,7 +636,7 @@ func TestSpiceDbRepository_CheckPermission(t *testing.T) {
 subject := &apiV1beta1.SubjectReference{
 Subject: &apiV1beta1.ObjectReference{
 Type: &apiV1beta1.ObjectType{
- Name: "user", Namespace: "rbac",
+ Name: "principal", Namespace: "rbac",
 },
 Id: "bob",
 },
@@ -652,10 +648,10 @@ func TestSpiceDbRepository_CheckPermission(t *testing.T) {
 },
 Id: "test",
 }
- // zed permission check workspace:test view_the_thing user:bob --explain
+ // zed permission check rbac/workspace:test view_widget rbac/principal:bob --explain
 check := apiV1beta1.CheckRequest{
 Subject: subject,
- Relation: "view_the_thing",
+ Relation: "view_widget",
 Resource: resource,
 }
 resp, err := spiceDbRepo.Check(ctx, &check)
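Review bot: TestSpiceDbRepository_CheckPermission still seeds only `view_widget` on role rl1 and checks it against workspace:test directly, so none of the edges this commit adds to the schema — `t_parent->view_widget` inheritance on rbac/workspace, the new `use_widget` permission, and `view = t_workspace->view_widget + use` on rbac/widget — gets a positive or negative check anywhere in this diff. Parent inheritance is the edge that widens access, so a regression there (for example a second parent tuple unioning extra grants) would ship without a failing test. I would extend this seed with `createRelationship("rbac", "workspace", "child", "parent", "rbac", "workspace", "test", "")` and assert `view_widget` is ALLOWED_TRUE for bob on workspace:child, and `use_widget` is ALLOWED_FALSE for bob on both workspaces since rl1 never grants it. The removed five-line tuple comment was the only description of the fixture; a one-line replacement such as `// bob -> bob_club -> rb_test(rl1: view_widget) -> workspace:test` would keep it readable. The function continues past the hunk.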
@@ -668,7 +664,7 @@ func TestSpiceDbRepository_CheckPermission(t *testing.T) {
 }
 assert.Equal(t, &checkResponse, resp)
 
- //Remove // role_binding:rb_test#subject@user:bob
+ //Remove // rbac/role_binding:rb_test#t_subject@rbac/principal:bob
 err = spiceDbRepo.DeleteRelationships(ctx, &apiV1beta1.RelationTupleFilter{
 ResourceId: pointerize("rb_test"),
 ResourceNamespace: pointerize("rbac"),
@@ -677,17 +673,17 @@ func TestSpiceDbRepository_CheckPermission(t *testing.T) {
 SubjectFilter: &apiV1beta1.SubjectFilter{
 SubjectId: pointerize("bob"),
 SubjectNamespace: pointerize("rbac"),
- SubjectType: pointerize("user"),
+ SubjectType: pointerize("principal"),
 },
 })
 if !assert.NoError(t, err) {
 return
 }
 
- // zed permission check workspace:test view_the_thing user:bob --explain
+ // zed permission check rbac/workspace:test view_widget rbac/principal:bob --explain
 check2 := apiV1beta1.CheckRequest{
 Subject: subject,
- Relation: "view_the_thing",
+ Relation: "view_widget",
 Resource: resource,
 }
 
diff --git a/internal/service/lookup_test.go b/internal/service/lookup_test.go
index f9302037..5fcf1ec1 100644
--- a/internal/service/lookup_test.go
+++ b/internal/service/lookup_test.go
@@ -21,7 +21,7 @@ func TestLookupService_LookupSubjects_NoResults(t *testing.T) {
 spicedb, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- err = seedThingInDefaultWorkspace(ctx, spicedb, "thing1")
+ err = seedWidgetInDefaultWorkspace(ctx, spicedb, "thing1")
 assert.NoError(t, err)
 
 container.WaitForQuantizationInterval()
@@ -29,9 +29,9 @@ func TestLookupService_LookupSubjects_NoResults(t *testing.T) {
 responseCollector := NewLookup_SubjectsServerStub(ctx)
 err = service.LookupSubjects(&v1beta1.LookupSubjectsRequest{
- SubjectType: rbac_ns_type("user"),
+ SubjectType: rbac_ns_type("principal"),
 Relation: "view",
- Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("thing"), Id: "thing1"},
+ Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("widget"), Id: "thing1"},
 }, responseCollector)
 assert.NoError(t, err)
 results := responseCollector.GetResponses()
@@ -45,7 +45,7 @@ func TestLookupService_LookupResources_NoResults(t *testing.T) {
 spicedb, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- err = seedThingInDefaultWorkspace(ctx, spicedb, "thing1")
+ err = seedWidgetInDefaultWorkspace(ctx, spicedb, "thing1")
 assert.NoError(t, err)
 
 container.WaitForQuantizationInterval()
@@ -54,7 +54,7 @@ func TestLookupService_LookupResources_NoResults(t *testing.T) {
 responseCollector := NewLookup_ResourcesServerStub(ctx)
 err = service.LookupResources(&v1beta1.LookupResourcesRequest{
 Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("workspace"), Id: "default"}},
- Relation: "view_the_thing",
+ Relation: "view_widget",
 ResourceType: &v1beta1.ObjectType{
 Name: "workspace",
 Namespace: "rbac",
@@ -72,7 +72,7 @@ func TestLookupService_LookupSubjects_OneResult(t *testing.T) {
 spicedb, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- err = seedThingInDefaultWorkspace(ctx, spicedb, "thing1")
+ err = seedWidgetInDefaultWorkspace(ctx, spicedb, "thing1")
 assert.NoError(t, err)
 err = seedUserWithViewThingInDefaultWorkspace(ctx, spicedb, "u1")
 assert.NoError(t, err)
@@ -82,9 +82,9 @@ func TestLookupService_LookupSubjects_OneResult(t *testing.T) {
 responseCollector := NewLookup_SubjectsServerStub(ctx)
 err = service.LookupSubjects(&v1beta1.LookupSubjectsRequest{
- SubjectType: rbac_ns_type("user"),
+ SubjectType: rbac_ns_type("principal"),
 Relation: "view",
- Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("thing"), Id: "thing1"},
+ Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("widget"), Id: "thing1"},
 }, responseCollector)
 assert.NoError(t, err)
 ids := responseCollector.GetIDs()
@@ -98,7 +98,7 @@ func TestLookupService_LookupResources_OneResult(t *testing.T) {
 spicedb, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- err = seedThingInDefaultWorkspace(ctx, spicedb, "thing1")
+ err = seedWidgetInDefaultWorkspace(ctx, spicedb, "thing1")
 assert.NoError(t, err)
 
 container.WaitForQuantizationInterval()
@@ -109,7 +109,7 @@ func TestLookupService_LookupResources_OneResult(t *testing.T) {
 Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("workspace"), Id: "default"}},
 Relation: "workspace",
 ResourceType: &v1beta1.ObjectType{
- Name: "thing",
+ Name: "widget",
 Namespace: "rbac",
 },
 }, responseCollector)
@@ -125,7 +125,7 @@ func TestLookupService_LookupResources_TwoResults(t *testing.T) {
 spicedb, err := container.CreateSpiceDbRepository()
 assert.NoError(t, err)
 
- err = seedThingInDefaultWorkspace(ctx, spicedb, "thing1")
+ err = seedWidgetInDefaultWorkspace(ctx, spicedb, "thing1")
 assert.NoError(t, err)
 err = seedUserWithViewThingInDefaultWorkspace(ctx, spicedb, "u1")
 assert.NoError(t, err)
@@ -135,7 +135,7 @@ func TestLookupService_LookupResources_TwoResults(t *testing.T) { //&v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("role_binding"), Id: "default_viewers"}} responseCollector := NewLookup_ResourcesServerStub(ctx) err = service.LookupResources(&v1beta1.LookupResourcesRequest{ - Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("user"), Id: "u1"}}, + Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("principal"), Id: "u1"}}, //Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("workspace"), Id: "default"}}, Relation: "subject", ResourceType: &v1beta1.ObjectType{ @@ -155,7 +155,7 @@ func TestLookupService_LookupSubjects_TwoResults(t *testing.T) { spicedb, err := container.CreateSpiceDbRepository() assert.NoError(t, err) - err = seedThingInDefaultWorkspace(ctx, spicedb, "thing1") + err = seedWidgetInDefaultWorkspace(ctx, spicedb, "thing1") assert.NoError(t, err) err = seedUserWithViewThingInDefaultWorkspace(ctx, spicedb, "u1") assert.NoError(t, err) @@ -167,9 +167,9 @@ func TestLookupService_LookupSubjects_TwoResults(t *testing.T) { responseCollector := NewLookup_SubjectsServerStub(ctx) err = service.LookupSubjects(&v1beta1.LookupSubjectsRequest{ - SubjectType: rbac_ns_type("user"), + SubjectType: rbac_ns_type("principal"), Relation: "view", - Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("thing"), Id: "thing1"}, + Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("widget"), Id: "thing1"}, }, responseCollector) assert.NoError(t, err) ids := responseCollector.GetIDs() 
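Review bot: Hunk @@ -135 updates the live `Subject:` line but leaves two commented-out alternatives around it (`//&v1beta1.SubjectReference{... role_binding ... default_viewers}` and `//Subject: ... workspace ... default`), one of them encoding a different query shape. Commented-out code in a test makes it unclear which subject the assertion is meant to cover. Either delete the two lines or replace them with a one-line comment stating the intent, e.g. `// Look up the resources that principal u1 reaches through their "subject" relation; the seed creates two role_bindings for it.` (the exact resource type is cut off below the hunk, so confirm the wording against the ResourceType that follows).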
@@ -197,7 +197,7 @@ func TestLookupService_LookupResources_IgnoresSubjectRelation(t *testing.T) { { Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("group"), Id: "g1"}, Relation: "member", - Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("user"), Id: "p1"}}, + Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("principal"), Id: "p1"}}, }, }, biz.TouchSemantics(true)) assert.NoError(t, err) @@ -207,7 +207,7 @@ func TestLookupService_LookupResources_IgnoresSubjectRelation(t *testing.T) { service := createLookupService(spicedb) responseCollector := NewLookup_ResourcesServerStub(ctx) err = service.LookupResources(&v1beta1.LookupResourcesRequest{ - Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("user"), Id: "p1"}}, + Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("principal"), Id: "p1"}}, Relation: "subject", ResourceType: &v1beta1.ObjectType{ Name: "role_binding", @@ -244,10 +244,10 @@ func createLookupService(spicedb *data.SpiceDbRepository) *LookupService { ) return NewLookupService(logger, biz.NewGetSubjectsUseCase(spicedb), biz.NewGetResourcesUseCase(spicedb)) } -func seedThingInDefaultWorkspace(ctx context.Context, spicedb *data.SpiceDbRepository, thing string) error { +func seedWidgetInDefaultWorkspace(ctx context.Context, spicedb *data.SpiceDbRepository, thing string) error { return spicedb.CreateRelationships(ctx, []*v1beta1.Relationship{ { - Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("thing"), Id: thing}, + Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("widget"), Id: thing}, Relation: "workspace", Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("workspace"), Id: "default"}}, }, 
@@ -258,18 +258,18 @@ func seedUserWithViewThingInDefaultWorkspace(ctx context.Context, spicedb *data. return spicedb.CreateRelationships(ctx, []*v1beta1.Relationship{ { Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("role"), Id: "viewers"}, - Relation: "view_the_thing", - Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("user"), Id: "*"}}, + Relation: "view_widget", + Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("principal"), Id: "*"}}, }, { Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("role_binding"), Id: "default_viewers"}, Relation: "subject", - Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("user"), Id: user}}, + Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("principal"), Id: user}}, }, { Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("role_binding"), Id: "default_viewers_two"}, Relation: "subject", - Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("user"), Id: user}}, + Subject: &v1beta1.SubjectReference{Subject: &v1beta1.ObjectReference{Type: rbac_ns_type("principal"), Id: user}}, }, { Resource: &v1beta1.ObjectReference{Type: rbac_ns_type("role_binding"), Id: "default_viewers"}, diff --git a/internal/service/relationships_test.go b/internal/service/relationships_test.go index bc4363a4..95e32bea 100644 --- a/internal/service/relationships_test.go +++ b/internal/service/relationships_test.go 
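Review bot: The seed in hunk @@ -258 grants `view_widget` on `role:viewers` to the wildcard subject `principal:*`, so the role's permission is held by every principal and the per-user part of the fixture comes only from the two `role_binding` `subject` tuples that follow. That is pre-existing, but the helper (its signature is outside the hunk, and it still carries the old `ViewThing` name) has no doc comment saying so; a header such as `// seedUserWithViewThingInDefaultWorkspace binds user to the default workspace via two role_bindings on role "viewers", whose view_widget relation is granted to every principal through the "*" wildcard subject.` would make the fixture's trust assumptions explicit. The renamed relation suggests widget permissions are now defined individually; if a `use_widget` counterpart exists in the schema, no test in this file seeds or asserts it, so only the `view` path is covered after this change.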
@@ -48,7 +48,7 @@ func TestRelationshipsService_CreateRelationships(t *testing.T) { err, relationshipsService := setup(t) assert.NoError(t, err) ctx := context.Background() - expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("user"), "bob", "") + expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("principal"), "bob", "") req := &v1beta1.CreateTuplesRequest{ Tuples: []*v1beta1.Relationship{ @@ -69,7 +69,7 @@ func TestRelationshipsService_CreateRelationships(t *testing.T) { SubjectFilter: &v1beta1.SubjectFilter{ SubjectId: pointerize("bob"), SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), }, }, } @@ -98,7 +98,7 @@ func TestRelationshipsService_CreateRelationshipsWithTouchFalse(t *testing.T) { assert.NoError(t, err) ctx := context.Background() - expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("user"), "bob", "") + expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("principal"), "bob", "") req := &v1beta1.CreateTuplesRequest{ Tuples: []*v1beta1.Relationship{ expected, @@ -118,7 +118,7 @@ func TestRelationshipsService_CreateRelationshipsWithTouchFalse(t *testing.T) { SubjectFilter: &v1beta1.SubjectFilter{ SubjectId: pointerize("bob"), SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), }, }, } @@ -201,7 +201,7 @@ func TestRelationshipsService_DeleteRelationships(t *testing.T) { err, relationshipsService := setup(t) assert.NoError(t, err) - expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("user"), "bob", "") + expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("principal"), "bob", "") ctx := context.Background() req := &v1beta1.CreateTuplesRequest{ 
@@ -220,7 +220,7 @@ func TestRelationshipsService_DeleteRelationships(t *testing.T) { SubjectFilter: &v1beta1.SubjectFilter{ SubjectId: pointerize("bob"), SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), }, }} _, err = relationshipsService.DeleteTuples(ctx, delreq) @@ -236,7 +236,7 @@ func TestRelationshipsService_DeleteRelationships(t *testing.T) { SubjectFilter: &v1beta1.SubjectFilter{ SubjectId: pointerize("bob"), SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), }, }, } @@ -291,7 +291,7 @@ func TestRelationshipsService_ReadRelationships(t *testing.T) { bulkImportTuplesUsecase := biz.NewImportBulkTuplesUsecase(spiceDbRepository, logger) relationshipsService := NewRelationshipsService(logger, createRelationshipsUsecase, readRelationshipsUsecase, deleteRelationshipsUsecase, bulkImportTuplesUsecase) - expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("user"), "bob", "") + expected := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("principal"), "bob", "") reqCr := &v1beta1.CreateTuplesRequest{ Tuples: []*v1beta1.Relationship{ @@ -311,7 +311,7 @@ func TestRelationshipsService_ReadRelationships(t *testing.T) { SubjectFilter: &v1beta1.SubjectFilter{ SubjectId: pointerize("bob"), SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), }, }, } 
@@ -346,8 +346,8 @@ func TestRelationshipsService_ReadRelationships_Paginated(t *testing.T) { bulkImportTuplesUsecase := biz.NewImportBulkTuplesUsecase(spiceDbRepository, logger) relationshipsService := NewRelationshipsService(logger, createRelationshipsUsecase, readRelationshipsUsecase, deleteRelationshipsUsecase, bulkImportTuplesUsecase) - expected1 := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("user"), "bob", "") - expected2 := createRelationship(rbac_ns_type("group"), "other_bob_club", "member", rbac_ns_type("user"), "bob", "") + expected1 := createRelationship(rbac_ns_type("group"), "bob_club", "member", rbac_ns_type("principal"), "bob", "") + expected2 := createRelationship(rbac_ns_type("group"), "other_bob_club", "member", rbac_ns_type("principal"), "bob", "") reqCr := &v1beta1.CreateTuplesRequest{ Tuples: []*v1beta1.Relationship{ @@ -366,7 +366,7 @@ func TestRelationshipsService_ReadRelationships_Paginated(t *testing.T) { SubjectFilter: &v1beta1.SubjectFilter{ SubjectId: pointerize("bob"), SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), }, }, Pagination: &v1beta1.RequestPagination{ diff --git a/test/kessel_test.go b/test/kessel_test.go index 1dfb1fe9..38076bc0 100644 --- a/test/kessel_test.go +++ b/test/kessel_test.go @@ -85,7 +85,7 @@ func TestKesselAPIGRPC_CreateTuples(t *testing.T) { } client := v1beta1.NewKesselTupleServiceClient(conn) - rels := createRelations("user", "bob", "member", "group", "bob_club") + rels := createRelations("principal", "bob", "member", "group", "bob_club") _, err = client.CreateTuples(context.Background(), &v1beta1.CreateTuplesRequest{ Tuples: rels, }) 
@@ -117,7 +117,7 @@ func TestKesselAPIGRPC_ReadTuples(t *testing.T) { Relation: pointerize("member"), SubjectFilter: &v1beta1.SubjectFilter{ SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), SubjectId: pointerize("bob"), }, }, @@ -151,7 +151,7 @@ func TestKesselAPIGRPC_DeleteTuples(t *testing.T) { Relation: pointerize("member"), SubjectFilter: &v1beta1.SubjectFilter{ SubjectNamespace: pointerize("rbac"), - SubjectType: pointerize("user"), + SubjectType: pointerize("principal"), SubjectId: pointerize("bob"), }, }, @@ -182,7 +182,7 @@ func TestKesselAPIGRPC_Check(t *testing.T) { Subject: &v1beta1.ObjectReference{ Type: &v1beta1.ObjectType{ Namespace: "rbac", - Name: "user", + Name: "principal", }, Id: "bob", }, @@ -221,7 +221,7 @@ func TestKesselAPIGRPC_LookupSubjects(t *testing.T) { context.Background(), &v1beta1.LookupSubjectsRequest{ Resource: &v1beta1.ObjectReference{Type: simple_type("thing"), Id: "thing1"}, Relation: "view", - SubjectType: simple_type("user"), + SubjectType: simple_type("principal"), }) assert.NoError(t, err) } @@ -251,7 +251,7 @@ func TestKesselAPIGRPC_LookupResources(t *testing.T) { Subject: &v1beta1.SubjectReference{ Subject: &v1beta1.ObjectReference{ Type: &v1beta1.ObjectType{ - Name: "user", + Name: "principal", Namespace: "rbac", }, Id: "bob",
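Review bot: Hunk @@ -221 renames the subject type to `principal` but leaves the resource as `simple_type("thing")`, while every other hunk in this commit moves `thing` to `widget` (hunk @@ -109 of the lookup service tests, for instance, now uses `Name: "widget"`). If the deployed schema no longer defines `rbac/thing`, this request targets an unknown object type and the `assert.NoError(t, err)` right after it fails. The line should read `Resource: &v1beta1.ObjectReference{Type: simple_type("widget"), Id: "thing1"},` (the id is only a fixture label and can stay).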