Add support for multi-object checks

Author: aaguiarz

README.md

@@ -306,7 +306,15 @@ tests:
       # checks can also be defined for multiple users sharing the same expectation
       - object: group:employees
         users:
+      # checks can also target multiple objects with the same expectation
+      - objects:
+          - group:admins
+          - group:employees
+        user: user:1
+        assertions:
+          moderator: false
       # either "user" or "users" may be provided, but not both
+      # either "object" or "objects" may be provided, but not both
           - user:3
           - user:4
         assertions:
@@ -585,7 +593,15 @@ tests: # required
             - user:carl
           assertions:
             can_view: false
+        # checks can group multiple objects that share the same expected results
+        - objects:
+            - folder:1
+            - folder:2
+          user: user:beth
+          assertions:
+            can_write: false
         # either "user" or "users" may be provided, but not both
+        # either "object" or "objects" may be provided, but not both
       list_objects: # a set of list objects to run
       - user: user:anne
         type: folder

cmd/store/import.go

@@ -237,15 +237,18 @@ func getCheckAssertions(checkTests []storetest.ModelTestCheck) []client.ClientAs
 
 	for _, checkTest := range checkTests {
 		users := storetest.GetEffectiveUsers(checkTest)
+		objects := storetest.GetEffectiveObjects(checkTest)
 
 		for _, user := range users {
-			for relation, expectation := range checkTest.Assertions {
-				assertions = append(assertions, client.ClientAssertion{
-					User:        user,
-					Relation:    relation,
-					Object:      checkTest.Object,
-					Expectation: expectation,
-				})
+			for _, object := range objects {
+				for relation, expectation := range checkTest.Assertions {
+					assertions = append(assertions, client.ClientAssertion{
+						User:        user,
+						Relation:    relation,
+						Object:      object,
+						Expectation: expectation,
+					})
+				}
 			}
 		}
 	}

cmd/store/import_test.go

@@ -36,6 +36,21 @@ func TestImportStore(t *testing.T) {
 			Expectation: true,
 		},
 	}
+
+	multiObjectAssertions := []client.ClientAssertion{
+		{
+			User:        "user:peter",
+			Relation:    "reader",
+			Object:      "document:doc1",
+			Expectation: true,
+		},
+		{
+			User:        "user:peter",
+			Relation:    "reader",
+			Object:      "document:doc2",
+			Expectation: true,
+		},
+	}
 	modelID, storeID := "model-1", "store-1"
 	expectedOptions := client.ClientWriteAssertionsOptions{AuthorizationModelId: &modelID, StoreId: &storeID}
 
@@ -75,6 +90,30 @@ func TestImportStore(t *testing.T) {
 			mockWriteAssertions: true,
 			mockWriteModel:      true,
 			mockCreateStore:     true,
+			testStore: storetest.StoreData{
+				Model: `type user
+                                       type document
+                                               relations
+                                                       define reader: [user]`,
+				Tests: []storetest.ModelTest{
+					{
+						Name: "Test",
+						Check: []storetest.ModelTestCheck{
+							{
+								Users:      []string{"user:anne", "user:peter"},
+								Object:     "document:doc1",
+								Assertions: map[string]bool{"reader": true},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:                "import store with multi object assertions",
+			mockWriteAssertions: true,
+			mockWriteModel:      true,
+			mockCreateStore:     true,
 			testStore: storetest.StoreData{
 				Model: `type user
                                         type document
@@ -85,8 +124,8 @@ func TestImportStore(t *testing.T) {
 						Name: "Test",
 						Check: []storetest.ModelTestCheck{
 							{
-								Users:      []string{"user:anne", "user:peter"},
-								Object:     "document:doc1",
+								User:       "user:peter",
+								Objects:    []string{"document:doc1", "document:doc2"},
 								Assertions: map[string]bool{"reader": true},
 							},
 						},
@@ -147,8 +186,12 @@ func TestImportStore(t *testing.T) {
 
 			if test.mockWriteAssertions {
 				expected := expectedAssertions
-				if test.name == "import store with multi user assertions" {
+
+				switch test.name {
+				case "import store with multi user assertions":
 					expected = multiUserAssertions
+				case "import store with multi object assertions":
+					expected = multiObjectAssertions
 				}
 
 				setupWriteAssertionsMock(mockCtrl, mockFgaClient, expected, expectedOptions)

internal/storetest/localtest.go

@@ -27,54 +27,57 @@ func RunLocalCheckTest(
 	results := []ModelTestCheckSingleResult{}
 	users := GetEffectiveUsers(checkTest)
 
+	objects := GetEffectiveObjects(checkTest)
 	for _, user := range users {
-		for relation, expectation := range checkTest.Assertions {
-			result := ModelTestCheckSingleResult{
-				Request: client.ClientCheckRequest{
-					User:             user,
-					Relation:         relation,
-					Object:           checkTest.Object,
-					ContextualTuples: tuples,
-					Context:          checkTest.Context,
-				},
-				Expected: expectation,
-			}
+		for _, object := range objects {
+			for relation, expectation := range checkTest.Assertions {
+				result := ModelTestCheckSingleResult{
+					Request: client.ClientCheckRequest{
+						User:             user,
+						Relation:         relation,
+						Object:           object,
+						ContextualTuples: tuples,
+						Context:          checkTest.Context,
+					},
+					Expected: expectation,
+				}
 
-			var (
-				ctx *structpb.Struct
-				err error
-			)
+				var (
+					ctx *structpb.Struct
+					err error
+				)
 
-			if checkTest.Context != nil {
-				ctx, err = structpb.NewStruct(*checkTest.Context)
-			}
+				if checkTest.Context != nil {
+					ctx, err = structpb.NewStruct(*checkTest.Context)
+				}
 
-			if err != nil {
-				result.Error = err
-			} else {
-				response, err := RunSingleLocalCheckTest(fgaServer,
-					&pb.CheckRequest{
-						StoreId:              *options.StoreID,
-						AuthorizationModelId: *options.ModelID,
-						TupleKey: &pb.CheckRequestTupleKey{
-							User:     user,
-							Relation: relation,
-							Object:   checkTest.Object,
-						},
-						Context: ctx,
-					},
-				)
 				if err != nil {
 					result.Error = err
+				} else {
+					response, err := RunSingleLocalCheckTest(fgaServer,
+						&pb.CheckRequest{
+							StoreId:              *options.StoreID,
+							AuthorizationModelId: *options.ModelID,
+							TupleKey: &pb.CheckRequestTupleKey{
+								User:     user,
+								Relation: relation,
+								Object:   object,
+							},
+							Context: ctx,
+						},
+					)
+					if err != nil {
+						result.Error = err
+					}
+
+					if response != nil {
+						result.Got = &response.Allowed
+						result.TestResult = result.IsPassing()
+					}
 				}
 
-				if response != nil {
-					result.Got = &response.Allowed
-					result.TestResult = result.IsPassing()
-				}
+				results = append(results, result)
 			}
-
-			results = append(results, result)
 		}
 	}
 

internal/storetest/remotetest.go

@@ -35,21 +35,24 @@ func RunRemoteCheckTest(
 	results := []ModelTestCheckSingleResult{}
 
 	users := GetEffectiveUsers(checkTest)
+	objects := GetEffectiveObjects(checkTest)
 
 	for _, user := range users {
-		for relation, expectation := range checkTest.Assertions {
-			result := RunSingleRemoteCheckTest(
-				fgaClient,
-				client.ClientCheckRequest{
-					User:             user,
-					Relation:         relation,
-					Object:           checkTest.Object,
-					Context:          checkTest.Context,
-					ContextualTuples: tuples,
-				},
-				expectation,
-			)
-			results = append(results, result)
+		for _, object := range objects {
+			for relation, expectation := range checkTest.Assertions {
+				result := RunSingleRemoteCheckTest(
+					fgaClient,
+					client.ClientCheckRequest{
+						User:             user,
+						Relation:         relation,
+						Object:           object,
+						Context:          checkTest.Context,
+						ContextualTuples: tuples,
+					},
+					expectation,
+				)
+				results = append(results, result)
+			}
 		}
 	}
 

internal/storetest/storedata.go

@@ -34,6 +34,7 @@ type ModelTestCheck struct {
 	User       string                  `json:"user"       yaml:"user"`
 	Users      []string                `json:"users"      yaml:"users"`
 	Object     string                  `json:"object"     yaml:"object"`
+	Objects    []string                `json:"objects"    yaml:"objects"`
 	Context    *map[string]interface{} `json:"context"    yaml:"context,omitempty"`
 	Assertions map[string]bool         `json:"assertions" yaml:"assertions"`
 }
@@ -140,6 +141,7 @@ func (storeData *StoreData) LoadTuples(basePath string) error {
 	return nil
 }
 
+//nolint:cyclop
 func (storeData *StoreData) Validate() error {
 	var errs error
 
@@ -152,6 +154,14 @@ func (storeData *StoreData) Validate() error {
 				msg := fmt.Sprintf("test %s check %d must specify 'user' or 'users'", test.Name, index)
 				errs = errors.Join(errs, fmt.Errorf("%w: %s", clierrors.ErrValidation, msg))
 			}
+
+			if check.Object != "" && len(check.Objects) > 0 {
+				msg := fmt.Sprintf("test %s check %d cannot contain both 'object' and 'objects'", test.Name, index)
+				errs = errors.Join(errs, fmt.Errorf("%w: %s", clierrors.ErrValidation, msg))
+			} else if check.Object == "" && len(check.Objects) == 0 {
+				msg := fmt.Sprintf("test %s check %d must specify 'object' or 'objects'", test.Name, index)
+				errs = errors.Join(errs, fmt.Errorf("%w: %s", clierrors.ErrValidation, msg))
+			}
 		}
 	}
 

internal/storetest/storedata_test.go

@@ -20,13 +20,23 @@ func TestStoreDataValidate(t *testing.T) {
 	}}}}}
 	assert.NoError(t, validUsers.Validate())
 
+	validObjects := StoreData{Tests: []ModelTest{{Name: "t1", Check: []ModelTestCheck{{
+		User: "user:1", Objects: []string{"doc:1", "doc:2"}, Assertions: map[string]bool{"read": true},
+	}}}}}
+	assert.NoError(t, validObjects.Validate())
+
 	invalidBoth := StoreData{Tests: []ModelTest{{Name: "t1", Check: []ModelTestCheck{{
 		User: "user:1", Users: []string{"user:2"}, Object: "doc:1", Assertions: map[string]bool{"read": true},
 	}}}}}
 	require.Error(t, invalidBoth.Validate())
 
+	invalidObjectBoth := StoreData{Tests: []ModelTest{{Name: "t1", Check: []ModelTestCheck{{
+		User: "user:1", Object: "doc:1", Objects: []string{"doc:2"}, Assertions: map[string]bool{"read": true},
+	}}}}}
+	require.Error(t, invalidObjectBoth.Validate())
+
 	invalidNone := StoreData{Tests: []ModelTest{{Name: "t1", Check: []ModelTestCheck{{
-		Object: "doc:1", Assertions: map[string]bool{"read": true},
+		User: "user:1", Assertions: map[string]bool{"read": true},
 	}}}}}
 	require.Error(t, invalidNone.Validate())
 }

internal/storetest/utils.go

@@ -7,3 +7,11 @@ func GetEffectiveUsers(checkTest ModelTestCheck) []string {
 
 	return []string{checkTest.User}
 }
+
+func GetEffectiveObjects(checkTest ModelTestCheck) []string {
+	if len(checkTest.Objects) > 0 {
+		return checkTest.Objects
+	}
+
+	return []string{checkTest.Object}
+}