chore: init writes on authorization providers (#1410)

Auth providers should be updated with the state of the application. This can
happen after each transaction, effectively writing the `tenant` relationship
also in the authorization level

Signed-off-by: Luca Zaninotto <luca.zaninotto@secomind.com>

Author: lusergit

backend/lib/edgehog/auth/changes/write_tenant.ex

@@ -0,0 +1,92 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Edgehog.Auth.Changes.WriteTenant do
+  @moduledoc """
+  Generic tuple writer. 
+  """
+
+  use Ash.Resource.Change
+
+  alias Edgehog.Auth.FGAService
+
+  require Logger
+
+  @impl Ash.Resource.Change
+  def init(opts) do
+    errors =
+      if Keyword.has_key?(opts, :obj),
+        do: [],
+        else: [:obj_missing]
+
+    errors =
+      if Keyword.has_key?(opts, :obj_id),
+        do: errors,
+        else: [:obj_id_missing | errors]
+
+    if Enum.empty?(errors),
+      do: {:ok, opts},
+      else: {:error, errors}
+  end
+
+  @impl Ash.Resource.Change
+  def change(changeset, opts, context) do
+    Ash.Changeset.after_transaction(changeset, &write_tenant_tuple(&1, &2, opts, context))
+  end
+
+  defp write_tenant_tuple(_changeset, {:ok, result}, opts, %{tenant: tenant}) do
+    # Writes the tuple
+    # {"tenant:slug", "tenant", "obj:obj_id"}
+
+    obj =
+      opts
+      |> Keyword.fetch!(:obj)
+      |> to_string()
+
+    obj_id = opts[:obj_id]
+
+    obj_id =
+      result
+      |> Ash.load!(obj_id)
+      |> Map.get(obj_id)
+      |> to_string()
+
+    obj = "#{obj}:#{obj_id}"
+
+    rel = "tenant"
+
+    slug = tenant.slug
+    subj = "tenant:#{slug}"
+
+    with {:ok, _res} <- FGAService.write(subj, rel, obj) do
+      {:ok, result}
+    end
+  end
+
+  defp write_tenant_tuple(_changeset, error, opts, context) do
+    Logger.debug("Error while executing DB transaction. Skipping writing tuple on the provider.",
+      error: error,
+      opts: opts,
+      context: context
+    )
+
+    error
+  end
+end

backend/lib/edgehog/auth/fga_service.ex

@@ -38,6 +38,17 @@ defmodule Edgehog.Auth.FGAService do
     end
   end
 
+  def write(subj, rel, obj) do
+    tuple = {subj, rel, obj}
+
+    provider = Keyword.fetch!(Config.authz_config!(), :provider)
+    config = Keyword.fetch!(Config.authz_config!(), :config)
+
+    with {:ok, context} <- provider.init_context(config) do
+      provider.write(tuple, context)
+    end
+  end
+
   def list_objects(subj, rel, type) do
     tuple = {subj, rel, type}
 

backend/lib/edgehog/auth/providers/behaviour.ex

@@ -35,6 +35,18 @@ defmodule Edgehog.Auth.Providers.Behaviour do
   """
   @callback init_context(args :: Keyword.t()) :: {:ok, context()} | {:error, term()}
 
+  @doc """
+  Writes a tuple to the provider.
+
+  - tuple :: the fga tuple, composed of `subject`, `relationship` and `object`
+  - context :: the context from `init_context`
+
+  A write can return
+  - {:ok, result}   :: if the write was successful
+  - {:error, error} :: if some error was encountered while writing
+  """
+  @callback write(tuple :: fga_tuple(), context :: context()) :: {:ok, term()} | {:error, term()}
+
   @doc """
   A check call checks a tuple against the provider
 

backend/lib/edgehog/auth/providers/none.ex

@@ -55,4 +55,12 @@ defmodule Edgehog.Auth.Providers.None do
 
     {:ok, :all}
   end
+
+  @impl Behaviour
+  def write(tuple, _context) do
+    Logger.debug("Writing tuple onto the service", tuple: tuple)
+
+    # Result actually not important here
+    {:ok, nil}
+  end
 end

backend/lib/edgehog/auth/providers/openfga.ex

@@ -84,4 +84,25 @@ defmodule Edgehog.Auth.Providers.OpenFGA do
 
     Stub.streamed_list_objects(channel, request)
   end
+
+  @impl Behaviour
+  def write({subj, rel, obj}, %{channel: channel, store_id: store_id}) do
+    tuple = %Openfga.V1.TupleKey{
+      user: subj,
+      relation: rel,
+      object: obj
+    }
+
+    to_write = %Openfga.V1.WriteRequestWrites{
+      tuple_keys: [tuple],
+      on_duplicate: "ignore"
+    }
+
+    request = %Openfga.V1.WriteRequest{
+      store_id: store_id,
+      writes: to_write
+    }
+
+    Stub.write(channel, request)
+  end
 end

backend/test/edgehog/auth/providers/openfga_integration_test.exs

@@ -45,6 +45,30 @@ defmodule Edgehog.Auth.Providers.OpenFGAIntegrationTests do
     assert ctx.store_id == config[:store_id]
   end
 
+  describe "write/2" do
+    setup do
+      config = Edgehog.Config.authz_config!()[:config]
+
+      {:ok, ctx} = OpenFGA.init_context(config)
+
+      %{context: ctx}
+    end
+
+    test "Writes correct tuples", %{context: context} do
+      opts = [
+        subj_type: "user",
+        subj_id: System.unique_integer([:positive]),
+        rel: "owner",
+        obj_type: "tenant",
+        obj_id: "test"
+      ]
+
+      tuple = TupleFixtures.tuple(opts)
+
+      assert {:ok, _} = OpenFGA.write(tuple, context)
+    end
+  end
+
   describe "check/2" do
     setup do
       config = Edgehog.Config.authz_config!()[:config]