OpenFGA client crate

[leovalais]

Note

This is a lengthy PR which also requires some amount of OpenFGA knowledge to be understood. It's probably better to peer review it.

• Meant to remain a new sub-crate which will be included in editoast_authz (in which we'll map the authorization model, define our objects, their conversion, relations, etc.)
• The fga binary is necessary to run unit tests for now: https://github.com/openfga/cli
• So is a running OpenFGA instance

TODO:

• Implement all the operations we'll need
  • Operations needed for the roles reimplementation
  • POST /stores/{}/list-users
  • POST /stores/{}/stream-list-objects
  • POST /stores/{}/expand
  • POST /stores/{}/read
  • POST /stores/{}/batch-check
  • Other operations currently not needed, but since there's so few of them, we may want to implement them for completeness?
• Keep an authorization_model_id in the client to forward it to requests—as advised by OpenFGA
• Improve tests utils & debugging tools
  • Client check assertions (make them public + async variant?)
  • Parse OpenFGA errors instead of just forwarding them generically
  • Expose compile_model?
• Documentation (for real this time 👀)
  • mod client
  • mod model
  • crate (ongoing)
• INSTRUMENT EVERYTHING
• Setup OpenFGA in docker compose
• Add check for User.id ≠ '*'
• Add early verification of User.id and Object.id? Not really required for us.
• Implement list-users as this will change the trait User API
• Macros
  • fga!
  • relations!
  • derive(User)
  • derive(Object)

About macros

This crates introduces a few macro_rules, which are only used for tests currently.

• relations! allows defining typed relations concisely to allow quick comparisons with the OpenFGA schema. I think we should keep this one, that'll help the review process and reduce straightforward boilerplate.
• fga_type! declares the newtype structs representing the types of OpenFGA and generates a few implementations. I think this one should remain a #[cfg(test)] definition. However I think derive macros derive(fga::User, fga::Object) would help us and cost nothing as they are trivial to implement.
• fga! allows manipulating and instantiating types and relations with the same syntax as OpenFGA, but in a type-safe way. This is particularly useful for the conciseness of unit tests. I think it should be exported.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 75.44022% with 265 lines in your changes missing coverage. Please review.

Project coverage is 81.68%. Comparing base (bd02b7e) to head (56946bd).
Report is 7 commits behind head on dev.

Files with missing lines	Patch %	Lines
editoast/fga/src/client.rs	74.13%	224 Missing ⚠️
editoast/fga/src/model.rs	71.15%	30 Missing ⚠️
editoast/fga/src/client/queries.rs	37.50%	5 Missing ⚠️
editoast/fga_derive/src/lib.rs	90.74%	5 Missing ⚠️
editoast/fga/src/client/stores.rs	66.66%	1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##              dev   #10504      +/-   ##
==========================================
- Coverage   82.55%   81.68%   -0.88%     
==========================================
  Files        1087     1095       +8     
  Lines      108101   110260    +2159     
  Branches      742      742              
==========================================
+ Hits        89248    90071     +823     
- Misses      18811    20147    +1336     
  Partials       42       42              

Flag	Coverage Δ
editoast	72.18% <77.89%> (-2.22%)	⬇️
front	90.38% <ø> (ø)
gateway	2.18% <ø> (ø)
osrdyne	2.98% <0.00%> (-0.31%)	⬇️
railjson_generator	87.58% <ø> (ø)
tests	87.90% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[woshilapin]

Only a first pass on src/client.rs. I'll take a look at the rest later.

[flomonster]

Small review of the docker-compose

[sim51]

I tested the docker integration, and so far it's good (in dev-front and host mode).

As discussed with @flomonster , if you already have a database with some data and you start the stack, you will have some SQL errors from the container openfga-migrate.
To solve it, you need to apply this SQL script :

create schema openfga;
grant all privileges on schema public to osrd;

On a fresh install of this stack (I tested it), the issue is not present: those commands are directly executed by the script docker/init_db.sql which is ran at db creation.

[woshilapin]

Thanks for all the work on this PR. There are a bunch of unchecked items in the description, do we need to put them in an issue?

[leovalais]

There are a bunch of unchecked items in the description, do we need to put them in an issue?

Probably better, but we'll need those to be done eventually to have the full permission system we envision to work.

[Khoyo]

LGTM