chore(backend): init check and filter policies

lusergit · lusergit · commit 6b829f2ce825 · 2026-04-30T16:26:01.000+02:00
Filter and check policies can be used in various parts of the code. These
policies are meant to trigger authorization based on the given provider.

Signed-off-by: Luca Zaninotto &lt;luca.zaninotto@secomind.com&gt;
diff --git a/backend/lib/edgehog/auth/policies/check.ex b/backend/lib/edgehog/auth/policies/check.ex
@@ -0,0 +1,86 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Edgehog.Auth.Policies.Check do
+  @moduledoc """
+  An `Ash.Policy.SimpleCheck` check to query the provider for a specific `relation` with `object`
+
+  To use it, call it this way in a policy
+  ```elixir
+  {Edgehog.Auth.Policies.Check, id: :id_attribute, rel: :can_view, obj: "deployment"}
+  ```
+
+  The following opts are available:
+  - `rel` (required) :: the relationship you want to check for.
+  - `obj` (required) :: type object you want to check for.
+  - `obj_id`         :: the id of the resource. This is used to build the value `type:id` for the object in the tuple.
+
+  Example: for devices
+
+  ```elixir
+  alias Edgehog.Auth.Policies.Check
+
+  # This can be used to authorize reads on single devices
+  authorize_if {Check, rel: :can_view, obj: :device, obj_id: :device_id}
+  ```
+  """
+  use Ash.Policy.SimpleCheck
+
+  alias Edgehog.Auth.FGAService
+
+  require Logger
+
+  @subject_type "user"
+
+  @impl Ash.Policy.SimpleCheck
+  def match?(actor, %{subject: data} = context, opts) do
+    dbg(actor: actor, context: context, opts: opts)
+    obj_id = Keyword.get(opts, :obj_id, :id)
+
+    subj = actor.sub
+    rel = opts |> Keyword.fetch!(:rel) |> to_string()
+    obj = opts |> Keyword.fetch!(:obj) |> to_string()
+
+    obj_id = nil
+
+    Logger.debug("Authorizing a tuple",
+      subject: @subject_type,
+      subject_id: subj,
+      relationship: rel,
+      object: obj,
+      object_id: obj
+    )
+
+    case FGAService.check("#{@subject_type}:#{subj}", rel, "#{obj}:#{obj_id}") do
+      :ok -> {:ok, true}
+      :notok -> {:ok, false}
+      error -> error
+    end
+  end
+
+  @impl Ash.Policy.Check
+  def describe(opts) do
+    rel = Keyword.fetch!(opts, :rel)
+    obj = Keyword.fetch!(opts, :obj)
+    obj_id = Keyword.get(opts, :obj_id, :id)
+
+    "Checking if the actor has relation #{inspect(rel)} on #{inspect(obj)} (using field #{inspect(obj_id)} for ID)"
+  end
+end
diff --git a/backend/lib/edgehog/auth/policies/filter.ex b/backend/lib/edgehog/auth/policies/filter.ex
@@ -0,0 +1,105 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Edgehog.Auth.Policies.Filter do
+  @moduledoc """
+  An `Ash.Policy.FilterCheck`, filtering the object of type `obj` available to the user `subj`.
+
+  To use it in a policy:
+  ```elixir
+  authorize_if {Edgehog.Auth.Policies.Filter, rel: :can_view, obj: :device}
+  ```
+  """
+
+  use Ash.Policy.FilterCheck
+
+  alias Ash.Policy.FilterCheck
+  alias Edgehog.Auth.FGAService
+
+  require Logger
+
+  @subject_type "user"
+
+  @impl FilterCheck
+  def filter(actor, _context, opts) do
+    subj = Map.get(actor, :sub, "anon")
+
+    rel = opts |> Keyword.fetch!(:rel) |> to_string()
+    obj_type = opts |> Keyword.fetch!(:obj) |> to_string()
+    obj_id = Keyword.get(opts, :obj_id, :id)
+
+    log_context = [
+      subj: subj,
+      obj_type: obj_type,
+      obj_id: obj_id
+    ]
+
+    subject = "#{@subject_type}:#{subj}"
+
+    subject
+    |> FGAService.list_objects(rel, obj_type)
+    |> to_ash_expr(obj_id, log_context)
+  end
+
+  @impl FilterCheck
+  def reject(actor, _context, opts) do
+    subj = Map.get(actor, :sub, "anon")
+
+    rel = opts |> Keyword.fetch!(:rel) |> to_string()
+    obj_type = opts |> Keyword.fetch!(:obj) |> to_string()
+    obj_id = Keyword.get(opts, :obj_id, :id)
+
+    log_context = [
+      subj: subj,
+      obj_type: obj_type,
+      obj_id: obj_id
+    ]
+
+    subject = "#{@subject_type}:#{subj}"
+
+    subject
+    |> FGAService.list_objects(rel, obj_type)
+    |> to_ash_expr(obj_id, log_context)
+  end
+
+  @impl Ash.Policy.Check
+  def describe(opts) do
+    rel = Keyword.fetch!(opts, :rel)
+    obj = Keyword.fetch!(opts, :obj)
+    "Filtering objects of type #{inspect(obj)} where actor has relation #{inspect(rel)}"
+  end
+
+  defp to_ash_expr({:ok, :all}, id_attribute, _log_context), do: expr(true)
+
+  defp to_ash_expr(
+         {:ok, %Openfga.V1.ListObjectsResponse{objects: ids}},
+         id_attribute,
+         _log_context
+       ) do
+    expr(^ref(id_attribute) in ^ids)
+  end
+
+  defp to_ash_expr({:error, error}, _id_attribute, log_context) do
+    Logger.error("Error while filtering: #{inspect(error)}", log_context)
+
+    # We had an error while interrogating the provider. Poison everything.
+    expr(nil)
+  end
+end
