From 9cce5df4e19e49ebb95061f93ef756be03ec18f8 Mon Sep 17 00:00:00 2001
From: Robert Lin
Date: Thu, 27 Jun 2024 11:56:39 -0700
Subject: [PATCH] chore/enterpriseportal: add test for iam_model (#63503)

Uses the guidance in https://openfga.dev/docs/modeling/testing to craft some rudimentary IAM model tests for Enterprise Portal IAM. Not automated for now - the model tests must be run manually: ``` go run github.com/openfga/cli/cmd/fga@latest model test --tests='cmd/enterprise-portal/service/iam_model.fga.yml' ``` If we end up changing the model more I'll ask around in dev-infra to see how we should automate this. ## Test plan CI and: ``` go run github.com/openfga/cli/cmd/fga@latest model test --tests='cmd/enterprise-portal/service/iam_model.fga.yml' ``` ---------
Co-authored-by: James Cotter <35706755+jac@users.noreply.github.com>
---
 .../service/iam_model.fga.yml | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 cmd/enterprise-portal/service/iam_model.fga.yml

diff --git a/cmd/enterprise-portal/service/iam_model.fga.yml b/cmd/enterprise-portal/service/iam_model.fga.yml
new file mode 100644
index 00000000000..e237925c584
--- /dev/null
+++ b/cmd/enterprise-portal/service/iam_model.fga.yml
@@ -0,0 +1,80 @@
+# To run this test suite:
+#
+# go run github.com/openfga/cli/cmd/fga@latest model test --tests='cmd/enterprise-portal/service/iam_model.fga.yml'
+#
+# See https://openfga.dev/docs/modeling/testing
+
+model_file: ./iam_model.fga
+
+tuples:
+- user: user:user_uuid_a
+ relation: member
+ object: customer_admin:subscription_uuid_a
+- user: customer_admin:subscription_uuid_a#member
+ relation: view
+ object: subscription_cody_analytics:subscription_uuid_a
+
+- user: user:user_uuid_b
+ relation: member
+ object: customer_admin:subscription_uuid_b
+- user: customer_admin:subscription_uuid_b#member
+ relation: view
+ object: subscription_cody_analytics:subscription_uuid_b
+
+tests:
+- name: unexpected users are not customer_admin members
+ check:
+ - user: user:unknown_user_uuid_a # unknown user
+ object: customer_admin:subscription_uuid_a
+ assertions:
+ member: false
+ - user: user:unknown_user_uuid_a # unknown user
+ object: customer_admin:subscription_uuid_b
+ assertions:
+ member: false
+
+- name: expected users are customer_admin members
+ check:
+ - user: user:user_uuid_a
+ object: customer_admin:subscription_uuid_a
+ assertions:
+ member: true
+
+ - user: user:user_uuid_b
+ object: customer_admin:subscription_uuid_b
+ assertions:
+ member: true
+
+- name: customer_admin members have access to their Cody Analytics
+ check:
+ - user: user:user_uuid_a
+ object: subscription_cody_analytics:subscription_uuid_a
+ assertions:
+ view: true
+
+ - user: user:user_uuid_b
+ object: subscription_cody_analytics:subscription_uuid_b
+ assertions:
+ view: true
+
+- name: non-customer_admin members cannot access Cody Analytics
+ check:
+ - user: user:user_uuid_b
+ object: subscription_cody_analytics:subscription_uuid_a
+ assertions:
+ view: false
+
+ - user: user:user_uuid_a
+ object: subscription_cody_analytics:subscription_uuid_b
+ assertions:
+ view: false
+
+ - user: user:unknown_user_uuid_a # unknown user
+ object: subscription_cody_analytics:subscription_uuid_a
+ assertions:
+ view: false
+
+ - user: user:unknown_user_uuid_a # unknown user
+ object: subscription_cody_analytics:subscription_uuid_b
+ assertions:
+ view: false
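Review bot: The `tests` list never asserts that a legitimate customer_admin of one subscription is not a `member` of the other subscription's `customer_admin` object — the only cross-subscription negatives (the "non-customer_admin members cannot access Cody Analytics" test) go through the derived `view` relation, so a regression that let `member` leak across subscriptions would only be caught indirectly. Adding direct cross-tenant `member: false` checks next to the existing `member: true` ones pins the isolation property at the relation where the tuples are actually written, which makes a failure easier to localize. Since the commit message says the suite is not automated, it is also worth saying so in the file header, e.g. `# NOTE: not run in CI — run the command below manually after changing iam_model.fga`, so the next model change does not silently skip it.
```yaml
- name: expected users are customer_admin members
  check:
    # … unchanged: existing member: true checks for user_uuid_a / user_uuid_b …
    - user: user:user_uuid_a
      object: customer_admin:subscription_uuid_b
      assertions:
        member: false
    - user: user:user_uuid_b
      object: customer_admin:subscription_uuid_a
      assertions:
        member: false
```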