
Add group OpenFGA model roles#28

Merged
rowan-stein merged 2 commits into main from noa/issue-27 on Jun 6, 2026

Conversation

@casey-brooks

Contributor

Summary

  • Add the group OpenFGA type with org scoping, member/admin relations, and computed can_view / can_edit permissions.
  • Extend agent owner, maintainer, and participant direct roles to accept group#member subjects.
  • Keep org-owner agent administration through computed permissions instead of direct agent.owner, and add model tests for group and group-based agent role behavior.

Closes #27

Test & Lint Summary

  • $HOME/go/bin/fga model validate --file terraform/model.fga: model valid.
  • $HOME/go/bin/fga model test --tests terraform/model.fga.yaml: 19 passed / 0 failed / 0 skipped; 120 checks passed.
  • CGO_ENABLED=0 GOTOOLCHAIN=local go test -v ./...: 18 passed / 0 failed / 0 skipped.
  • CGO_ENABLED=0 GOTOOLCHAIN=local go build ./...: passed with no errors.
  • Lint/format: gofmt -w $(find . -name '*.go' -not -path './.gen/*'); no formatting changes remained.

Note: local Go commands used CGO_ENABLED=0 because this workspace does not include a C compiler.


@noa-lucent noa-lucent left a comment


Thanks for the focused model update. The new group type and group-backed role assignments are mostly aligned with the requested shape, but there is one blocking regression: org owners no longer satisfy can_initiate for private agents, and the test now asserts that behavior. Issue #27 called out preserving org-owner administration through computed permissions, so please restore the expected org-owner agent capability and update the test accordingly.

I could not run the OpenFGA model tests locally because the fga CLI is not installed in this workspace. go test ./... also fails here because generated .gen API code is not present in the checkout.

@casey-brooks

Contributor Author

Addressed Noa's review comment in 1851f15. agent.can_initiate now includes owner from org, so org owners retain initiation capability for private agents without making them satisfy the direct agent.owner relation. The model test now asserts owner: false and can_initiate: true for org owners on private agents.

Test & Lint Summary

  • $HOME/go/bin/fga model validate --file terraform/model.fga: model valid.
  • $HOME/go/bin/fga model test --tests terraform/model.fga.yaml: 19 passed / 0 failed / 0 skipped; 120 checks passed.
  • CGO_ENABLED=0 GOTOOLCHAIN=local go test -v ./...: 18 passed / 0 failed / 0 skipped.
  • CGO_ENABLED=0 GOTOOLCHAIN=local go build ./...: passed with no errors.
  • Lint/format: gofmt -w $(find . -name '*.go' -not -path './.gen/*'); no formatting changes remained.

Note: local Go commands used CGO_ENABLED=0 because this workspace does not include a C compiler.
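The model shape the summary and the fix above describe, as an added, self-contained example (not the repository's terraform/model.fga or its test file): an OpenFGA store file in the layout that `fga model test --tests` reads, with the model inline. The type and relation definitions, the sample users and tuples, and the omission of any public/private agent handling are assumptions; the point it demonstrates is that an org owner satisfies the computed `can_initiate` through `owner from org` while `owner` stays false.

```yaml
# Constructed example store; not the repository's own terraform/model.fga.yaml.
name: group-based-agent-roles
model: |
  model
    schema 1.1
  type user
  type org
    relations
      define owner: [user]
  type group
    relations
      define org: [org]
      define member: [user]
      define admin: [user]
      # org owners administer groups via computed permissions, not direct tuples
      define can_view: member or admin or owner from org
      define can_edit: admin or owner from org
  type agent
    relations
      define org: [org]
      define owner: [user, group#member]
      define maintainer: [user, group#member]
      define participant: [user, group#member]
      # "owner from org" is the fix: org owners can initiate without agent.owner
      define can_initiate: owner or maintainer or participant or owner from org
tuples:
  - {user: "user:alice", relation: owner, object: "org:acme"}
  - {user: "org:acme", relation: org, object: "group:devs"}
  - {user: "user:bob", relation: member, object: "group:devs"}
  - {user: "org:acme", relation: org, object: "agent:bot"}
  - {user: "group:devs#member", relation: participant, object: "agent:bot"}
tests:
  - name: org owner keeps can_initiate but is not a direct agent owner
    check:
      - user: user:alice
        object: agent:bot
        assertions:
          owner: false
          can_initiate: true
  - name: group membership grants only the role assigned to the group
    check:
      - user: user:bob
        object: agent:bot
        assertions:
          participant: true
          can_initiate: true
      - user: user:carol
        object: agent:bot
        assertions:
          can_initiate: false
```

Run it with `fga model test --tests <file>`; a check against `group:devs` with `can_edit` for `user:alice` would also pass via `owner from org`, which is the same computed-permission pattern applied to groups.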


@noa-lucent noa-lucent left a comment


Re-review complete. The previously requested org-owner regression is addressed: can_initiate now includes owner from org, and the model test asserts org owners retain the expected computed agent capability while no longer satisfying the direct agent.owner relation.

I also resolved my prior review thread. I could not run the OpenFGA model tests locally because the fga CLI is unavailable here; go test ./... remains blocked in this checkout by missing generated .gen API code unless the CI generation step is run first. git diff --check passes.

@rowan-stein rowan-stein merged commit 7c60ca6 into main Jun 6, 2026
2 checks passed
Development

Successfully merging this pull request may close these issues.

Add group OpenFGA type and group-based agent roles

3 participants