refactor: openfga sync client refactoring

Author: jrmcauliffe00

backend/app/api/routes/items.py

@@ -6,7 +6,7 @@
 
 from app.api.deps import CurrentUser, SessionDep
 from app.models import Item, ItemCreate, ItemPublic, ItemsPublic, ItemUpdate, Message
-from app.openfga.fgaMiddleware import create_fga_tuple, delete_fga_tuple
+from app.openfga.fgaMiddleware import check_user_has_relation, create_fga_tuple, delete_fga_tuple, initialize_fga_client
 from app.openfga.fgaMiddleware import check_user_has_permission
 from openfga_sdk.client.models.tuple import ClientTuple
 
@@ -15,11 +15,13 @@
 
 @router.get("/", response_model=ItemsPublic)
 def read_items(
-    session: SessionDep, current_user: CurrentUser, skip: int = 0, limit: int = 100
+    session: SessionDep, current_user: CurrentUser, skip: int = 0, limit: int = 100, get_completed: bool = False
 ) -> Any:
     """
     Retrieve items.
     """
+    fga_client = initialize_fga_client()
+
     if current_user.is_superuser:
         count_statement = select(func.count()).select_from(Item)
         count = session.exec(count_statement).one()
@@ -39,8 +41,16 @@ def read_items(
             .limit(limit)
         )
         items = session.exec(statement).all()
+            
+    if get_completed:
+        item_ids = check_user_has_relation(fga_client, relation="completed", user=f"{current_user.email}")
+        if len(item_ids) == 0:
+            return ItemsPublic(data=[], count=0)
+        else:
+            # get those items with those ids
+            items = [session.get(Item, id) for id in item_ids]
 
-    return ItemsPublic(data=items, count=count) # type: ignore
+    return ItemsPublic(data=[ItemPublic.model_validate(item) for item in items], count=count)
 
 
 @router.get("/{id}", response_model=ItemPublic)
@@ -57,17 +67,22 @@ def read_item(session: SessionDep, current_user: CurrentUser, id: uuid.UUID) ->
 
 
 @router.post("/", response_model=ItemPublic)
-async def create_item(
+def create_item(
     *, session: SessionDep, current_user: CurrentUser, item_in: ItemCreate
 ) -> Any:
     """
     Create new item.
     """
+
     item = Item.model_validate(item_in, update={"owner_id": current_user.id})
     session.add(item)
     session.commit()
     session.refresh(item)
-    await create_fga_tuple([ClientTuple(user=f"user:{current_user.id}", relation="owner", object=f"item:{item.id}")])
+
+    fga_client = initialize_fga_client()
+    create_fga_tuple(fga_client, [
+        ClientTuple(user=f"user:{current_user.email}", relation="owner", object=f"item:{item.id}")
+    ])
     return item
 
 
@@ -79,11 +94,19 @@ async def update_item(
     id: uuid.UUID,
     item_in: ItemUpdate,
 ) -> Any:
-    if not await check_user_has_permission(ClientTuple(user=f"user:{current_user.id}", relation="update", object=f"item:{id}")):
-        raise HTTPException(status_code=400, detail="Not enough permissions")
+    
     """
     Update an item.
     """
+    # check if the user has the permission to update the item
+    # if not, raise an error
+    # if the user has the permission, update the item
+    # return the updated item
+
+    fga_client = initialize_fga_client()
+    if not check_user_has_permission(fga_client, ClientTuple(user=f"user:{current_user.id}", relation="update", object=f"item:{id}")):
+        raise HTTPException(status_code=400, detail="Not enough permissions")
+    
     item = session.get(Item, id)
     if not item:
         raise HTTPException(status_code=404, detail="Item not found")
@@ -103,7 +126,9 @@ async def can_update_item(
     current_user: CurrentUser,
     id: uuid.UUID,
 ):
-    has_permission = await check_user_has_permission(ClientTuple(user=f"user:{current_user.id}", relation="update", object=f"item:{id}"))
+    fga_client = initialize_fga_client()
+    has_permission = check_user_has_permission(fga_client, ClientTuple(user=f"user:{current_user.id}", relation="update", object=f"item:{id}"))
+    
     return has_permission
 
 @router.delete("/{id}")
@@ -120,5 +145,8 @@ async def delete_item(
         raise HTTPException(status_code=400, detail="Not enough permissions")
     session.delete(item)
     session.commit()
-    await delete_fga_tuple([ClientTuple(user=f"user:{current_user.id}", relation="owner", object=f"item:{id}")])
+
+    fga_client = initialize_fga_client()
+    delete_fga_tuple(fga_client, [ClientTuple(user=f"user:{current_user.id}", relation="owner", object=f"item:{id}")])
+    
     return Message(message="Item deleted successfully")

backend/app/core/config.py

@@ -117,6 +117,9 @@ def _enforce_non_default_secrets(self) -> Self:
         self._check_default_secret(
             "FIRST_SUPERUSER_PASSWORD", self.FIRST_SUPERUSER_PASSWORD
         )
+        self._check_default_secret("OPENFGA_API_URL", self.OPENFGA_API_URL)
+        self._check_default_secret("OPENFGA_STORE_ID", self.OPENFGA_STORE_ID)
+        self._check_default_secret("OPENFGA_AUTHORIZATION_MODEL_ID", self.OPENFGA_AUTHORIZATION_MODEL_ID)
 
         return self
 

backend/app/main.py

@@ -17,16 +17,10 @@ def custom_generate_unique_id(route: APIRoute) -> str:
 if settings.SENTRY_DSN and settings.ENVIRONMENT != "local":
     sentry_sdk.init(dsn=str(settings.SENTRY_DSN), enable_tracing=True)
 
-@asynccontextmanager
-async def lifespan(app: FastAPI):
-    await initialize_fga_client()
-    yield
-
 app = FastAPI(
     title=settings.PROJECT_NAME,
     openapi_url=f"{settings.API_V1_STR}/openapi.json",
     generate_unique_id_function=custom_generate_unique_id,
-    lifespan=lifespan,
 )
 
 # Set all CORS enabled origins

backend/app/openfga/fgaMiddleware.py

@@ -1,45 +1,72 @@
-import asyncio
+import logging
+from typing import Any
 from app.core.config import settings
-from fastapi import logger
-from openfga_sdk.client import ClientConfiguration, OpenFgaClient, ClientCheckRequest
-from openfga_sdk.client.models import ClientBatchCheckRequest, ClientWriteRequest, ClientBatchCheckItem
+from openfga_sdk import (
+    Condition,
+    ConditionParamTypeRef,
+    CreateStoreRequest,
+    Metadata,
+    ObjectRelation,
+    OpenFgaClient,
+    ReadRequestTupleKey,
+    RelationMetadata,
+    RelationReference,
+    RelationshipCondition,
+    TypeDefinition,
+    Userset,
+    Usersets,
+    UserTypeFilter,
+    WriteAuthorizationModelRequest,
+)
+from openfga_sdk.client.models import (
+    ClientAssertion,
+    ClientBatchCheckItem,
+    ClientBatchCheckRequest,
+    ClientCheckRequest,
+    ClientListObjectsRequest,
+    ClientListRelationsRequest,
+    ClientReadChangesRequest,
+    ClientTuple,
+    ClientWriteRequest,
+    WriteTransactionOpts,
+)
+from openfga_sdk.client.models.list_users_request import ClientListUsersRequest
+from openfga_sdk.credentials import CredentialConfiguration, Credentials
+from openfga_sdk.models.fga_object import FgaObject
 from openfga_sdk.client.models.tuple import ClientTuple
+from openfga_sdk.client import ClientConfiguration
+from openfga_sdk.sync import OpenFgaClient
 
-# We default fga_client to None until it is initialized
-fga_client = None
 
-async def initialize_fga_client():
-    # This function is called to initialize our FGA Client instance if it is not already available
-    print("Initializing OpenFGA Client SDK")
-    configuration = ClientConfiguration(
-        api_url = settings.OPENFGA_API_URL, 
-        store_id = settings.OPENFGA_STORE_ID, 
-        authorization_model_id = settings.OPENFGA_AUTHORIZATION_MODEL_ID, 
-    )
+import traceback
 
-    global fga_client
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(__name__)
 
+def initialize_fga_client():
+    configuration = ClientConfiguration(
+        api_url=settings.OPENFGA_API_URL,  # required
+        store_id=settings.OPENFGA_STORE_ID,  # optional, not needed when calling `CreateStore` or `ListStores`
+        authorization_model_id=settings.OPENFGA_AUTHORIZATION_MODEL_ID,  # optional, can be overridden per request
+    )
     # Enter a context with an instance of the OpenFgaClient
-    async with OpenFgaClient(configuration) as fga_client:
-        fga_client = OpenFgaClient(configuration)
-        await fga_client.read_authorization_models() # type: ignore
-        print("FGA Client initialized.")
-        return True
+    with OpenFgaClient(configuration) as fga_client:
+        return fga_client
 
-async def close_fga_client(fga_client: OpenFgaClient):
-    await fga_client.close()
+def close_fga_client(fga_client: OpenFgaClient):
+    fga_client.close()
 
 # Check if a user has a permission on an object
-async def check_user_has_permission(tuple: ClientTuple) -> bool:
-    if fga_client is None:
-        await initialize_fga_client()
+def check_user_has_permission(fga_client: OpenFgaClient, tuple: ClientTuple) -> bool:
+    if fga_client is None: # type: ignore
+        fga_client = initialize_fga_client()
 
     if fga_client is None:
         logger.info("FGA client not initialized") # type: ignore
         return False
 
     try:
-        response = await fga_client.check(
+        response = fga_client.check(
             ClientCheckRequest( 
                 user=tuple.user,
                 relation=tuple.relation,
@@ -65,16 +92,19 @@ async def check_user_has_permission(tuple: ClientTuple) -> bool:
 #         "object": "document:123"
 #     }
 # ]
-async def check_user_has_permission_batch(tuples: list[ClientBatchCheckItem]) -> bool:
-    if fga_client is None:
-        await initialize_fga_client()
+def check_user_has_permission_batch(fga_client: OpenFgaClient, tuples: list[ClientBatchCheckItem]) -> bool:
+    if fga_client is None: # type: ignore
+        fga_client = initialize_fga_client()
 
     if fga_client is None:
         logger.info("FGA client not initialized") # type: ignore
         return False
 
+    logger.info(f"Check fga_client: {fga_client}")
+    logger.info(f"Check fga status: {fga_client.get_store_id()}")
+    
     try:
-        response = await fga_client.batch_check(
+        response = fga_client.batch_check(
             ClientBatchCheckRequest(
                 checks=tuples
             )
@@ -93,37 +123,37 @@ async def check_user_has_permission_batch(tuples: list[ClientBatchCheckItem]) ->
 #         "object": "document:123"
 #     }
 # ]
-async def create_fga_tuple(tuples: list[ClientTuple]) -> bool:
-    if fga_client is None:
-        await initialize_fga_client()
+def create_fga_tuple(fga_client: OpenFgaClient, tuples: list[ClientTuple]) -> bool:
+    if fga_client is None: # type: ignore
+        fga_client = initialize_fga_client()
 
     if fga_client is None:
         logger.info("FGA client not initialized") # type: ignore
         return False
 
+    logger.info(f"Creating FGA tuple: {tuples}")
+    logger.info(f"So is this even working lol: {fga_client.get_store_id()}")
+
     try:
-        response = await fga_client.write(
-            ClientWriteRequest(
-                writes=tuples
-            )
-        )
-        return response.allowed # type: ignore
+        response = fga_client.write_tuples(tuples)
+        logger.info(f"Response vars: {vars(response)}")
+        return True
     except Exception as e:
         logger.info(f"Error creating FGA tuple: {e}") # type: ignore
         return False
 
 # Delete a tuple
-async def delete_fga_tuple(tuples: list[ClientTuple]) -> bool:
+def delete_fga_tuple(fga_client: OpenFgaClient, tuples: list[ClientTuple]) -> bool:
     # This is the opposite of the create_fga_tuple function
-    if fga_client is None:
-        await initialize_fga_client()
+    if fga_client is None: # type: ignore
+        fga_client = initialize_fga_client()
 
     if fga_client is None:
         logger.info("FGA client not initialized") # type: ignore
         return False
 
     try:
-        response = await fga_client.write(
+        response = fga_client.write(
             ClientWriteRequest(
                 deletes=tuples
             )
@@ -132,3 +162,32 @@ async def delete_fga_tuple(tuples: list[ClientTuple]) -> bool:
     except Exception as e:
         logger.info(f"Error deleting FGA tuple: {e}") # type: ignore
         return False
+
+
+def check_user_has_relation(fga_client: OpenFgaClient, relation: str, user: str) -> list[str]:
+
+    if fga_client is None: # type: ignore
+        fga_client = initialize_fga_client()
+
+    if fga_client is None:
+        logger.info("FGA client not initialized") # type: ignore
+        return []
+    
+    body = ClientListObjectsRequest(
+        user=f"user:{user}",
+        relation=f"{relation}",
+        type="item"
+    )
+
+    try:
+        response = fga_client.list_objects(body)
+        # response.objects = ["document:otherdoc", "document:planning"]
+        # we need to return a list of objects
+        if len(response.objects) > 0:
+            return [item.split(":")[1] for item in response.objects] # type: ignore
+        else:
+            return []
+    except Exception as e:
+        logger.info(f"Error checking user relation: {e}")
+        logger.info(traceback.format_exc())
+        return []

docker-compose.fga.yml

@@ -1,6 +1,6 @@
 services:
   openfga:
-    image: openfga/openfga:v1.8.0
+    image: openfga/openfga:latest
     container_name: openfga
     restart: always
     tty: true

docker-compose.yml

@@ -74,6 +74,9 @@ services:
       - POSTGRES_USER=${POSTGRES_USER?Variable not set}
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD?Variable not set}
       - SENTRY_DSN=${SENTRY_DSN}
+      - OPENFGA_API_URL=${OPENFGA_API_URL}
+      - OPENFGA_STORE_ID=${OPENFGA_STORE_ID}
+      - OPENFGA_AUTHORIZATION_MODEL_ID=${OPENFGA_AUTHORIZATION_MODEL_ID}
 
   backend:
     image: '${DOCKER_IMAGE_BACKEND?Variable not set}:${TAG-latest}'