OpenFGA Integration

.github/workflows/openfga-app-test.yml

@@ -0,0 +1,37 @@
+name: OpenFGA Tests
+
+on:
+  push:
+    branches: [ test ]
+  pull_request:
+    branches: [ test ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install pytest pytest-asyncio aiohttp docker
+
+    - name: Start services
+      run: |
+        ./app-tests/run-openfga-services.sh
+
+    - name: Run tests
+      run: |
+        pytest app-tests/openfga-test.py -v
+
+    - name: Cleanup
+      if: always()  # Run cleanup even if tests fail
+      run: |
+        ./app-tests/clean-openfga-services.sh

Makefile

@@ -6,6 +6,7 @@ OPAL_SERVER_URL ?= http://host.docker.internal:7002
 OPAL_AUTH_PRIVATE_KEY ?= /root/ssh/opal_rsa
 OPAL_AUTH_PUBLIC_KEY ?= /root/ssh/opal_rsa.pub
 OPAL_POLICY_STORE_URL ?= http://host.docker.internal:8181
+OPENFGA_STORE_ID ?= 01JAT34GM6T5WRVMXXDYWGSYKN #change id
 
 # python packages (pypi)
 clean:
@@ -64,6 +65,8 @@ docker-build-next:
 	@docker build -t permitio/opal-client-standalone:next --target client-standalone -f docker/Dockerfile .
 	@docker build -t permitio/opal-client:next --target client -f docker/Dockerfile .
 	@docker build -t permitio/opal-server:next --target server -f docker/Dockerfile .
+	@docker build -t permitio/opal-client-openfga:next --target client-openfga -f docker/Dockerfile .
+
 
 docker-run-server:
 	@if [[ -z "$(OPAL_POLICY_REPO_SSH_KEY)" ]]; then \
@@ -87,3 +90,22 @@ docker-run-server-secure:
 		-e "OPAL_POLICY_REPO_URL=$(OPAL_POLICY_REPO_URL)" \
 		-p 7002:7002 \
 		permitio/opal-server
+
+
+# OpenFGA related
+docker-build-client-openfga:
+	@docker build -t permitio/opal-client-openfga --target client-openfga -f docker/Dockerfile .
+
+docker-run-client-openfga: create-openfga-volume
+	@docker run -it \
+	    -e "OPAL_SERVER_URL=$(OPAL_SERVER_URL)" \
+	    -e "OPAL_POLICY_STORE_TYPE=OPENFGA" \
+	    -e "OPAL_POLICY_STORE_URL=http://0.0.0.0:8080" \
+	    -e "OPAL_OPENFGA_STORE_ID=$(OPENFGA_STORE_ID)" \
+	    -e "OPAL_INLINE_OPENFGA_ENABLED=true" \
+	    -e "OPAL_LOG_FORMAT_INCLUDE_PID=true" \
+	    -v openfga_backup:/opal/backup:rw \
+	    -p 7766:7000 \
+	    -p 8080:8080 \
+	    -p 3000:3000 \
+	    permitio/opal-client-openfga

README.md

@@ -34,7 +34,7 @@ Open Policy Administration Layer
 
 ## What is OPAL?
 
-OPAL is an administration layer for Policy Engines such as <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent (OPA)</a>, and <a target="_blank" href="https://github.com/permitio/cedar-agent">AWS' Cedar Agent</a> detecting changes to both policy and policy data in realtime and pushing live updates to your agents. OPAL brings open-policy up to the speed needed by live applications.
+OPAL is an administration layer for Policy Engines such as <a target="_blank" href="https://www.openpolicyagent.org/">Open Policy Agent (OPA)</a>, <a target="_blank" href="https://github.com/permitio/cedar-agent">AWS' Cedar Agent</a> and <a target="_blank" href="https://openfga.dev">OpenFGA</a> detecting changes to both policy and policy data in realtime and pushing live updates to your agents. OPAL brings open-policy up to the speed needed by live applications.
 
 As your app's data state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need (and only those they need).
 
@@ -68,6 +68,11 @@ This is where [Cedar-Agent](https://github.com/permitio/cedar-agent) and OPAL co
 
 This [video](https://youtu.be/tG8jrdcc7Zo) briefly explains OPAL and how it works with OPA, and a deeper dive into it at [this OWASP DevSlop talk](https://www.youtube.com/watch?v=1_Iz0tRQCH4).
 
+
+### OpenFGA + OPAL == 🔑
+
+OpenFGA provides a high-performance implementation of Google's Zanzibar authorization model, and OPAL makes it easy to keep your OpenFGA instances up-to-date in real-time. Whether you're managing complex relationship-based permissions or implementing fine-grained access control, OPAL ensures your OpenFGA agents stay synchronized with your application's state changes.
+
 ## Who's Using OPAL?
 OPAL is being used as the core engine of Permit.io Authorization Service and serves in production:
 * \> 10,000 policy engines deployment

app-tests/clean-openfga-services.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Stop and remove containers, networks, volumes
+echo "Cleaning up services..."
+docker compose -f docker-compose-app-tests-openfga.yml down -v
+
+echo "Cleanup complete"

app-tests/docker-compose-app-tests-openfga.yml

@@ -0,0 +1,56 @@
+version: '3'
+services:
+  broadcast_channel:
+    image: postgres:alpine
+    environment:
+      - POSTGRES_DB=postgres
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+    networks:
+      - opal-network
+
+  opal_server:
+    image: permitio/opal-server:latest
+    environment:
+      - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
+      - UVICORN_NUM_WORKERS=4
+      - OPAL_POLICY_REPO_URL=https://github.com/daveads/opal-example-policy-openfga
+      - OPAL_POLICY_REPO_POLLING_INTERVAL=30
+      - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+    ports:
+      - "7002:7002"
+    depends_on:
+      - broadcast_channel
+    networks:
+      - opal-network
+
+  opal_client_openfga:
+    image: permitio/opal-client-openfga:latest
+    environment:
+      - OPAL_SERVER_URL=http://opal_server:7002
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+      - OPAL_POLICY_STORE_TYPE=OPENFGA
+      - OPAL_POLICY_STORE_URL=http://0.0.0.0:8080
+      - OPAL_OPENFGA_STORE_ID=01JAT34GM6T5WRVMXXDYWGSYKN
+      - OPAL_INLINE_OPENFGA_ENABLED=true
+      #- OPAL_LOG_LEVEL=DEBUG
+
+    ports:
+      - "7766:7000"
+      - "8080:8080"
+      - "3000:3000"
+    networks:
+      - opal-network
+    depends_on:
+      - opal_server
+    command: sh -c "exec ./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
+    volumes:
+      - openfga_backup:/opal/backup:rw
+
+networks:
+  opal-network:
+    driver: bridge
+
+volumes:
+  openfga_backup: