feat(backend): init OpenFGA provider

Adds necessary callbacks and functions to the fga service. These callbacks are
necessary for
- handling singel checks
- handling syncronous and streamed filter

Adds initial support for an `OpenFGA` provider for authentication.

Signed-off-by: Luca Zaninotto <luca.zaninotto@secomind.com>

Author: lusergit

backend/.credo.exs

@@ -34,7 +34,7 @@
           "apps/*/test/",
           "apps/*/web/"
         ],
-        excluded: [~r"/_build/", ~r"/deps/", ~r"/node_modules/"]
+        excluded: [~r"/_build/", ~r"/deps/", ~r"/node_modules/", ~r/openfga/]
       },
       #
       # Load and configure plugins here:

backend/lib/edgehog/application.ex

@@ -52,6 +52,8 @@ defmodule Edgehog.Application do
       EdgehogWeb.Telemetry,
       # Start the PubSub system
       {Phoenix.PubSub, name: Edgehog.PubSub},
+      # gRPC connections batcher
+      {GRPC.Client.Supervisor, []},
       # Ash GraphQL subscription batcher
       AshGraphql.Subscription.Batcher,
       # Start Finch

backend/lib/edgehog/auth/fga_service.ex

@@ -31,7 +31,26 @@ defmodule Edgehog.Auth.FGAService do
     tuple = {subj, rel, obj}
 
     provider = Keyword.fetch!(Config.authz_config!(), :provider)
+    config = Keyword.fetch!(Config.authz_config!(), :config)
 
-    provider.check(tuple, provider.init_context())
+    provider.check(tuple, provider.init_context(config))
+  end
+
+  def list_objects(subj, rel, type) do
+    tuple = {subj, rel, type}
+
+    provider = Keyword.fetch!(Config.authz_config!(), :provider)
+    config = Keyword.fetch!(Config.authz_config!(), :config)
+
+    provider.list_objects(tuple, provider.init_context(config))
+  end
+
+  def stream_list_objects(subj, rel, type) do
+    tuple = {subj, rel, type}
+
+    provider = Keyword.fetch!(Config.authz_config!(), :provider)
+    config = Keyword.fetch!(Config.authz_config!(), :config)
+
+    provider.stream_list_objects(tuple, provider.init_context(config))
   end
 end

backend/lib/edgehog/auth/providers/behaviour.ex

@@ -25,6 +25,9 @@ defmodule Edgehog.Auth.Providers.Behaviour do
 
   @type context() :: term()
   @type fga_tuple() :: {subj :: String.t(), rel :: String.t(), obj :: String.t()}
+  @type fga_access_tuple() :: {subj :: String.t(), rel :: String.t(), type :: String.t()}
+  @type objects() :: %{objects: term()}
+  @type obj_stream() :: term()
 
   @doc """
   The context initialization function. The context can carry useful information for subsequent actions.
@@ -42,11 +45,51 @@ defmodule Edgehog.Auth.Providers.Behaviour do
   The context is also provided.
 
   The check can return
-  - {:ok, context()}    :: meaning that the subject has the right permission to access the resource
-  - {:notok, context()} :: meaning that the subject has not the right permission to access the resource
-  - {:error, error}     :: meaning that there was some error in the request.
+  - :ok             :: meaning that the subject has the right permission to access the resource
+  - :notok          :: meaning that the subject has not the right permission to access the resource
+  - {:error, error} :: meaning that there was some error in the request.
 
   For successful returns the new `context` should be provided.
   """
   @callback check(tuple :: fga_tuple(), context :: context()) :: :ok | :notok | {:error, term()}
+
+  @doc """
+  A list_objects call lists all objects of the selected type a user has access to.
+
+  - subj :: is some id of the person making the request, ideally a OpenID Connect UUID
+  - rel  :: is the requested access to the resource (object) in order to perform the action
+  - type :: is the type of resources we want to fetch
+
+  The context should also be provided.
+
+  NOTICE: This creates a list with all the objects ! This might be very
+  inefficent an d possibly stalls the request (e.g. 1mln devices), consider
+  using `stream_list_objects`
+
+  The call can return
+  - {:ok, objects()} :: meaning that the user has access to the %{objects: list()} list of objects of type `type`
+  - {:error, error}  :: meaning that there was some error in the request.
+
+  For successful returns the new `context` should be provided.
+  """
+  @callback list_objects(tuple :: fga_access_tuple(), context :: context()) ::
+              {:ok, objects()} | {:ok, :all} | {:error, term()}
+
+  @doc """
+  A stream_list_objects call streams all objects of the selected type a user has access to.
+
+  - subj :: is some id of the person making the request, ideally a OpenID Connect UUID
+  - rel  :: is the requested access to the resource (object) in order to perform the action
+  - type :: is the type of resources we want to fetch
+
+  The context should also be provided.
+
+  The call can return
+  - {:ok, stream(objects())} :: meaning that the user has access to the %{objects: list()} list of objects of type `type`
+  - {:error, error}          :: meaning that there was some error in the request.
+
+  For successful returns the new `context` should be provided.
+  """
+  @callback stream_list_objects(tuple :: fga_access_tuple(), context :: context()) ::
+              {:ok, obj_stream()} | {:ok, :all} | {:error, term()}
 end

backend/lib/edgehog/auth/providers/none.ex

@@ -25,18 +25,34 @@ defmodule Edgehog.Auth.Providers.None do
 
   @behaviour Edgehog.Auth.Providers.Behaviour
 
+  alias Edgehog.Auth.Providers.Behaviour
+
   require Logger
 
-  @impl Edgehog.Auth.Providers.Behaviour
+  @impl Behaviour
   def init_context(_args) do
     # We do not need a context in this case
     {:ok, []}
   end
 
-  @impl Edgehog.Auth.Providers.Behaviour
+  @impl Behaviour
   def check({subj, rel, obj}, _context) do
     Logger.debug("Authorizing tuple {#{subj}, #{rel}, #{obj}}.")
 
     :ok
   end
+
+  @impl Behaviour
+  def list_objects({subj, rel, type}, _context) do
+    Logger.debug("Filtering objects for: {#{subj}, #{rel}, #{type}}.")
+
+    {:ok, :all}
+  end
+
+  @impl Behaviour
+  def stream_list_objects({subj, rel, type}, _context) do
+    Logger.debug("Filtering objects for: {#{subj}, #{rel}, #{type}}.")
+
+    {:ok, :all}
+  end
 end

backend/lib/edgehog/auth/providers/openfga.ex

@@ -0,0 +1,89 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Edgehog.Auth.Providers.OpenFGA do
+  @moduledoc """
+  OpenFGA Auth provider.
+
+  This provider queries OpenFGA based on some model description to check tuples.
+  """
+
+  @behaviour Edgehog.Auth.Providers.Behaviour
+
+  alias Edgehog.Auth.Providers.Behaviour
+  alias Openfga.V1.OpenFGAService.Stub
+
+  @impl Behaviour
+  def init_context(args) do
+    ctx = Map.new(args)
+
+    {endpoint, ctx} = Map.pop!(ctx, :endpoint)
+
+    with {:ok, channel} <- GRPC.Stub.connect(endpoint) do
+      ctx = Map.put(ctx, :channel, channel)
+
+      {:ok, ctx}
+    end
+  end
+
+  @impl Behaviour
+  def check({subj, rel, obj}, %{channel: channel, store_id: store_id}) do
+    tuple = %Openfga.V1.CheckRequestTupleKey{
+      user: subj,
+      relation: rel,
+      object: obj
+    }
+
+    request = %Openfga.V1.CheckRequest{
+      store_id: store_id,
+      tuple_key: tuple
+    }
+
+    case Stub.check(channel, request) do
+      {:ok, %{allowed: true}} -> :ok
+      {:ok, %{allowed: false}} -> :notok
+      error -> error
+    end
+  end
+
+  @impl Behaviour
+  def list_objects({subj, rel, type}, %{channel: channel, store_id: store_id}) do
+    request = %Openfga.V1.ListObjectsRequest{
+      store_id: store_id,
+      type: type,
+      relation: rel,
+      user: subj
+    }
+
+    Stub.list_objects(channel, request)
+  end
+
+  @impl Behaviour
+  def stream_list_objects({subj, rel, type}, %{channel: channel, store_id: store_id}) do
+    request = %Openfga.V1.StreamedListObjectsRequest{
+      store_id: store_id,
+      type: type,
+      relation: rel,
+      user: subj
+    }
+
+    Stub.streamed_list_objects(channel, request)
+  end
+end

backend/lib/edgehog/config.ex

@@ -24,6 +24,7 @@ defmodule Edgehog.Config do
   """
   use Skogsra
 
+  alias Edgehog.Auth.Providers.None
   alias Edgehog.Config.AuthzProvider
   alias Edgehog.Config.GeocodingProviders
   alias Edgehog.Config.GeolocationProviders
@@ -104,7 +105,23 @@ defmodule Edgehog.Config do
   app_env :authz_provider, :edgehog, :authz_provider,
     os_env: "AUTHZ_PROVIDER",
     type: AuthzProvider,
-    default: Edgehog.Auth.Providers.None
+    default: None
+
+  @envdoc """
+  OpenFGA gRPC endpoint.
+  Defaults to `localhost:8081`
+  """
+  app_env :openfga_grpc_endpoint, :edgehog, :openfga_grpc_endpoint,
+    os_env: "OPENFGA_GRPC_ENDPOINT",
+    type: :binary,
+    default: "localhost:8081"
+
+  @envdoc """
+  OpenFGA store id. A store in OpenFGA has a unique id associated.
+  """
+  app_env :openfga_store_id, :edgehog, :openfga_store_id,
+    os_env: "OPENFGA_STORE_ID",
+    type: :binary
 
   @doc """
   Returns true if edgehog should use an ssl connection with the database.
@@ -201,14 +218,32 @@ defmodule Edgehog.Config do
     :ok
   end
 
+  @doc """
+  Returns the config of the required provider
+  """
+  @spec authz_provider_config!(provider :: module()) :: Keyword.t()
+  def authz_provider_config!(provider)
+
+  def authz_provider_config!(None), do: Keyword.new()
+
+  def authz_provider_config!(Edgehog.Auth.Providers.OpenFGA) do
+    [
+      endpoint: openfga_grpc_endpoint!(),
+      store: openfga_store_id!()
+    ]
+  end
+
   @doc """
   Returns the FGA provider configuration.
   """
   @spec authz_config!() :: Keyword.t()
   def authz_config! do
     provider = authz_provider!()
+    config = authz_provider_config!(provider)
 
     # Generate the argument that will be passed down to the providers
-    Keyword.put(Keyword.new(), :provider, provider)
+    Keyword.new()
+    |> Keyword.put(:provider, provider)
+    |> Keyword.put(:config, config)
   end
 end

backend/lib/edgehog/config/authz_provider.ex

@@ -22,8 +22,8 @@ defmodule Edgehog.Config.AuthzProvider do
   @moduledoc false
   use Skogsra.Type
 
-  @allowed_providers ~w(none)
-  @providers [Edgehog.Auth.Providers.None]
+  @allowed_providers ~w(none openfga)
+  @providers [Edgehog.Auth.Providers.None, Edgehog.Auth.Providers.OpenFGA]
   @providers_map @allowed_providers |> Enum.zip(@providers) |> Map.new()
 
   @impl Skogsra.Type

backend/mix.exs

@@ -135,7 +135,8 @@ defmodule Edgehog.MixProject do
       {:absinthe_phoenix, "~> 2.0"},
       {:mix_audit, "~> 2.1", only: [:dev, :test], runtime: false},
       {:sobelow, "~> 0.14", only: [:dev, :test], runtime: false},
-      {:ex_doc, "~> 0.40", only: :dev}
+      {:ex_doc, "~> 0.40", only: :dev},
+      {:grpc, "~> 0.11"}
     ]
   end
 

backend/mix.lock

@@ -38,13 +38,18 @@
   "expo": {:hex, :expo, "1.1.1", "4202e1d2ca6e2b3b63e02f69cfe0a404f77702b041d02b58597c00992b601db5", [:mix], [], "hexpm", "5fb308b9cb359ae200b7e23d37c76978673aa1b06e2b3075d814ce12c5811640"},
   "file_system": {:hex, :file_system, "1.1.1", "31864f4685b0148f25bd3fbef2b1228457c0c89024ad67f7a81a3ffbc0bbad3a", [:mix], [], "hexpm", "7a15ff97dfe526aeefb090a7a9d3d03aa907e100e262a0f8f7746b78f8f87a5d"},
   "finch": {:hex, :finch, "0.21.0", "b1c3b2d48af02d0c66d2a9ebfb5622be5c5ecd62937cf79a88a7f98d48a8290c", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.6.2 or ~> 1.7", [hex: :mint, repo: "hexpm", optional: false]}, {:nimble_options, "~> 0.4 or ~> 1.0", [hex: :nimble_options, repo: "hexpm", optional: false]}, {:nimble_pool, "~> 1.1", [hex: :nimble_pool, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "87dc6e169794cb2570f75841a19da99cfde834249568f2a5b121b809588a4377"},
+  "flow": {:hex, :flow, "1.2.4", "1dd58918287eb286656008777cb32714b5123d3855956f29aa141ebae456922d", [:mix], [{:gen_stage, "~> 1.0", [hex: :gen_stage, repo: "hexpm", optional: false]}], "hexpm", "874adde96368e71870f3510b91e35bc31652291858c86c0e75359cbdd35eb211"},
+  "gen_stage": {:hex, :gen_stage, "1.3.2", "7c77e5d1e97de2c6c2f78f306f463bca64bf2f4c3cdd606affc0100b89743b7b", [:mix], [], "hexpm", "0ffae547fa777b3ed889a6b9e1e64566217413d018cabd825f786e843ffe63e7"},
   "gen_state_machine": {:hex, :gen_state_machine, "3.0.0", "1e57f86a494e5c6b14137ebef26a7eb342b3b0070c7135f2d6768ed3f6b6cdff", [:mix], [], "hexpm", "0a59652574bebceb7309f6b749d2a41b45fdeda8dbb4da0791e355dd19f0ed15"},
   "gettext": {:hex, :gettext, "1.0.2", "5457e1fd3f4abe47b0e13ff85086aabae760497a3497909b8473e0acee57673b", [:mix], [{:expo, "~> 0.5.1 or ~> 1.0", [hex: :expo, repo: "hexpm", optional: false]}], "hexpm", "eab805501886802071ad290714515c8c4a17196ea76e5afc9d06ca85fb1bfeb3"},
   "glob_ex": {:hex, :glob_ex, "0.1.11", "cb50d3f1ef53f6ca04d6252c7fde09fd7a1cf63387714fe96f340a1349e62c93", [:mix], [], "hexpm", "342729363056e3145e61766b416769984c329e4378f1d558b63e341020525de4"},
   "google_api_storage": {:hex, :google_api_storage, "0.46.1", "f944e40828b7fd90d00cef1ddb9ac542acb88adb18d6bc7c2015bafbd696eb6c", [:mix], [{:google_gax, "~> 0.4", [hex: :google_gax, repo: "hexpm", optional: false]}], "hexpm", "a6e162017b51bf1d80ae9d0e5cd47c8a3d246d52d9f025c9ca5e2eb71b1b6f75"},
   "google_gax": {:hex, :google_gax, "0.4.0", "83651f8561c02a295826cb96b4bddde030e2369747bbddc592c4569526bafe94", [:mix], [{:poison, ">= 3.0.0 and < 5.0.0", [hex: :poison, repo: "hexpm", optional: false]}, {:tesla, "~> 1.2", [hex: :tesla, repo: "hexpm", optional: false]}], "hexpm", "a95d36f1dd753ab31268dd8bb6de9911243c911cfda9080f64778f6297b9ac57"},
+  "googleapis": {:hex, :googleapis, "0.1.0", "13770f3f75f5b863fb9acf41633c7bc71bad788f3f553b66481a096d083ee20e", [:mix], [{:protobuf, "~> 0.12", [hex: :protobuf, repo: "hexpm", optional: false]}], "hexpm", "1989a7244fd17d3eb5f3de311a022b656c3736b39740db46506157c4604bd212"},
   "goth": {:hex, :goth, "1.4.5", "ee37f96e3519bdecd603f20e7f10c758287088b6d77c0147cd5ee68cf224aade", [:mix], [{:finch, "~> 0.17", [hex: :finch, repo: "hexpm", optional: false]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:jose, "~> 1.11", [hex: :jose, repo: "hexpm", optional: false]}], "hexpm", "0fc2dce5bd710651ed179053d0300ce3a5d36afbdde11e500d57f05f398d5ed5"},
+  "grpc": {:hex, :grpc, "0.11.5", "5dbde9420718b58712779ad98fff1ef50349ca0fa7cc0858ae0f826015068654", [:mix], [{:castore, "~> 0.1 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}, {:cowboy, "~> 2.10", [hex: :cowboy, repo: "hexpm", optional: false]}, {:cowlib, "~> 2.12", [hex: :cowlib, repo: "hexpm", optional: false]}, {:flow, "~> 1.2", [hex: :flow, repo: "hexpm", optional: false]}, {:googleapis, "~> 0.1.0", [hex: :googleapis, repo: "hexpm", optional: false]}, {:gun, "~> 2.0", [hex: :gun, repo: "hexpm", optional: false]}, {:jason, ">= 0.0.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mint, "~> 1.5", [hex: :mint, repo: "hexpm", optional: false]}, {:protobuf, "~> 0.14", [hex: :protobuf, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "0a5d8673ef16649bef0903bca01c161acfc148e4d269133b6834b2af1f07f45e"},
   "guardian": {:hex, :guardian, "2.4.0", "efbbb397ecca881bb548560169922fc4433a05bc98c2eb96a7ed88ede9e17d64", [:mix], [{:jose, "~> 1.11.9", [hex: :jose, repo: "hexpm", optional: false]}, {:plug, "~> 1.3.3 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "5c80103a9c538fbc2505bf08421a82e8f815deba9eaedb6e734c66443154c518"},
+  "gun": {:hex, :gun, "2.2.0", "b8f6b7d417e277d4c2b0dc3c07dfdf892447b087f1cc1caff9c0f556b884e33d", [:make, :rebar3], [{:cowlib, ">= 2.15.0 and < 3.0.0", [hex: :cowlib, repo: "hexpm", optional: false]}], "hexpm", "76022700c64287feb4df93a1795cff6741b83fb37415c40c34c38d2a4645261a"},
   "hackney": {:hex, :hackney, "1.25.0", "390e9b83f31e5b325b9f43b76e1a785cbdb69b5b6cd4e079aa67835ded046867", [:rebar3], [{:certifi, "~> 2.15.0", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "~> 6.1.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "~> 1.0.0", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~> 1.4", [hex: :mimerl, repo: "hexpm", optional: false]}, {:parse_trans, "3.4.1", [hex: :parse_trans, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "~> 1.1.0", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}, {:unicode_util_compat, "~> 0.7.1", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "7209bfd75fd1f42467211ff8f59ea74d6f2a9e81cbcee95a56711ee79fd6b1d4"},
   "hpax": {:hex, :hpax, "1.0.3", "ed67ef51ad4df91e75cc6a1494f851850c0bd98ebc0be6e81b026e765ee535aa", [:mix], [], "hexpm", "8eab6e1cfa8d5918c2ce4ba43588e894af35dbd8e91e6e55c817bca5847df34a"},
   "httpoison": {:hex, :httpoison, "1.8.2", "9eb9c63ae289296a544842ef816a85d881d4a31f518a0fec089aaa744beae290", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "2bb350d26972e30c96e2ca74a1aaf8293d61d0742ff17f01e0279fef11599921"},