Testing Authorization

schema: >-
  entity user {}

  entity organization {

      relation admin @user
      relation member @user

      action create_repository = (admin or member)
      action delete = admin
  }

  entity repository {

      relation owner @user @organization#member
      relation parent @organization

      action push = owner
      action read = (owner and (parent.admin and parent.member))
      action delete = (parent.member and (parent.admin or owner))
      action edit = parent.member not owner
  }

relationships:
  - "organization:1#admin@user:1"
  - "organization:1#member@user:1"
  - "repository:1#owner@user:1"
  - "repository:2#owner@user:2"
  - "repository:2#owner@user:3"
  - "repository:1#parent@organization:1#..."
  - "organization:1#member@user:43"
  - "repository:1#owner@user:43"

scenarios:
  - name: "scenario 1"
    description: "test description"
    checks:
      - entity: "repository:1"
        subject: "user:1"
        assertions:
          push: true
          owner: true
      - entity: "repository:2"
        subject: "user:1"
        assertions:
          push: false
      - entity: "repository:3"
        subject: "user:1"
        context:
          - "repository:3#owner@user:1"
        assertions:
          push: true
      - entity: "repository:1"
        subject: "user:43"
        assertions:
          edit: false
    entity_filters:
      - entity_type: "repository"
        subject: "user:1"
        context:
          - "repository:3#owner@user:1"
          - "repository:4#owner@user:1"
          - "repository:5#owner@user:1"
        assertions:
          push: ["1", "3", "4", "5"]
          edit: []
    subject_filters:
      - subject_reference: "user"
        entity: "repository:1"
        context:
          - "organization:1#member@user:58"
        assertions:
          push: ["1", "43"]
          edit: ["58"]

scenarios:
  - name: # name of the scenario
    description: # description of the scenario
    checks: # simple access check cases
    entity_filters: # lookup-entity queries
    subject_filters: # lookup-subject queries

checks:
  - entity: "repository:3"      # resource to check access for
    subject: "user:1"            # subject performing the check
    depth: 100                   # traversal depth (default: 100, minimum: 3)
    context:                     # contextual tuples evaluated alongside stored data
      - "repository:3#owner@user:1"
    assertions:                  # expected results for each action
      push: true

entity_filters:
  - entity_type: "repository"   # type of entity to filter
    subject: "user:1"           # subject performing the lookup
    depth: 100
    context:
      - "repository:3#owner@user:1"
      - "repository:4#owner@user:1"
      - "repository:5#owner@user:1"
    assertions:
      push: ["1", "3", "4", "5"]  # expected entity IDs
      edit: []

subject_filters:
  - subject_reference: "user"   # type of subject to filter
    entity: "repository:1"      # entity to check access on
    depth: 100
    context:
      - "organization:1#member@user:58"
    assertions:
      push: ["1", "43"]          # expected subject IDs
      edit: ["58"]

make build
./permify validate {path-to-your-validation-file.yaml}

permify coverage {path-to-your-validation-file.yaml}

permify ast {path-to-your-validation-file.yaml}