chore(backend): init filter policy (#1388)

lusergit · lusergit · commit de3b6cf937f9 · 2026-05-06T14:56:45.000+02:00
Adds a filter policy that can be used to filter based on the value of a specific
field and the relation the actor has with such field.

Signed-off-by: Luca Zaninotto &lt;luca.zaninotto@secomind.com&gt;
diff --git a/backend/lib/edgehog/auth/policies/filter.ex b/backend/lib/edgehog/auth/policies/filter.ex
@@ -0,0 +1,87 @@
+#
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Edgehog.Auth.Policies.Filter do
+  @moduledoc """
+  An `Ash.Policy.FilterCheck`, filtering the object of type `obj` available to the user `subj`.
+
+  To use it in a policy:
+  ```elixir
+  authorize_if {Edgehog.Auth.Policies.Filter, rel: :can_view, obj: :device}
+  ```
+  """
+
+  use Ash.Policy.FilterCheck
+
+  alias Ash.Policy.FilterCheck
+  alias Edgehog.Auth.FGAService
+
+  require Logger
+
+  @subject_type "user"
+
+  @impl FilterCheck
+  def filter(nil, _context, _opts), do: expr(nil)
+
+  @impl FilterCheck
+  def filter(actor, _context, opts) do
+    subj = Map.get(actor, :sub, "anon")
+
+    rel = opts |> Keyword.fetch!(:rel) |> to_string()
+    obj_type = opts |> Keyword.fetch!(:obj) |> to_string()
+    obj_id = Keyword.get(opts, :obj_id, :id)
+
+    log_context = [
+      subj: subj,
+      obj_type: obj_type,
+      obj_id: obj_id
+    ]
+
+    subject = "#{@subject_type}:#{subj}"
+
+    subject
+    |> FGAService.list_objects(rel, obj_type)
+    |> to_ash_expr(obj_id, log_context)
+  end
+
+  @impl Ash.Policy.Check
+  def describe(opts) do
+    rel = Keyword.fetch!(opts, :rel)
+    obj = Keyword.fetch!(opts, :obj)
+    "Filtering objects of type #{inspect(obj)} where actor has relation #{inspect(rel)}"
+  end
+
+  defp to_ash_expr({:ok, :all}, _id_attribute, _log_context), do: expr(true)
+
+  defp to_ash_expr(
+         {:ok, %Openfga.V1.ListObjectsResponse{objects: ids}},
+         id_attribute,
+         _log_context
+       ) do
+    expr(^ref(id_attribute) in ^ids)
+  end
+
+  defp to_ash_expr({:error, error}, _id_attribute, log_context) do
+    Logger.error("Error while filtering: #{inspect(error)}", log_context)
+
+    # We had an error while interrogating the provider. Poison everything.
+    expr(nil)
+  end
+end
