-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathstore.fga.yaml
110 lines (106 loc) · 3.15 KB
/
store.fga.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# Documentation: https://openfga.dev/docs/modeling/advanced/github
# FGA Playground: https://play.fga.dev/sandbox/?store=github
name: GitHub
model_file: ./model.fga
tuples:
# The OpenFGA organization is the owner of the openfga/openfga repository
- user: organization:openfga
relation: owner
object: repo:openfga/openfga
# Members of the OpenFGA organization have a repository admin base permission on the organization
- user: organization:openfga#member
relation: repo_admin
object: organization:openfga
# Erik is a member of the OpenFGA organization
- user: user:erik
relation: member
object: organization:openfga
# The openfga/core team members are admins on the openfga/openfga repository
- user: team:openfga/core#member
relation: admin
object: repo:openfga/openfga
# Anne is a reader on the openfga/openfga repository
- user: user:anne
relation: reader
object: repo:openfga/openfga
# Beth is a writer on the openfga/openfga repository
- user: user:beth
relation: writer
object: repo:openfga/openfga
# Charles is a member of the openfga/core team
- user: user:charles
relation: member
object: team:openfga/core
# Members of the openfga/backend team are members of the openfga/core team
- user: team:openfga/backend#member
relation: member
object: team:openfga/core
# Diane is a member of the openfga/backend team
- user: user:diane
relation: member
object: team:openfga/backend
tests:
- name: Test individual user permissions on the openfga/openfga repo
check:
- user: user:anne
object: repo:openfga/openfga
assertions:
reader: true
triager: false
- user: user:beth
object: repo:openfga/openfga
assertions:
admin: false
- user: user:charles
object: repo:openfga/openfga
assertions:
writer: true
- user: user:diane
object: repo:openfga/openfga
assertions:
admin: true
- user: user:erik
object: repo:openfga/openfga
assertions:
reader: true
- name: Test who are readers of the openfga/openfga repo
list_users:
- object: repo:openfga/openfga
user_filter:
- type: user
assertions:
reader:
users:
- user:diane
- user:charles
- user:beth
- user:anne
- user:erik
- name: Test which repos can Diane read
list_objects:
- user: user:diane
type: repo
assertions:
reader:
- repo:openfga/openfga
- name: Check if the right users have access to the right repositories
list_users:
- object: repo:openfga/openfga
user_filter:
- type: user
assertions:
writer:
users:
- user:charles
- user:beth
- user:diane
- user:erik
- object: repo:openfga/openfga
user_filter:
- type: team
relation: member
assertions:
writer:
users:
- team:openfga/backend#member
- team:openfga/core#member