init iam (#1)

.buildkite/pipeline.yaml

@@ -0,0 +1,89 @@
+env:
+  APP_NAME: ${BUILDKITE_PIPELINE_SLUG}
+  SONAR_HOST: "https://sonarcloud.io"
+steps:
+  - group: ":knife: Pre-check"
+    key: "precheck"
+    steps:
+      - label: ":golang: go generate"
+        key: "generate"
+        plugins:
+          - docker#v5.11.0:
+              image: "ghcr.io/theopenlane/build-image:v0.1.2"
+              command: ["task", "ci"]
+              environment:
+                - "GOTOOLCHAIN=auto"
+  - group: ":test_tube: Tests"
+    key: "tests"
+    depends_on: "precheck"
+    steps:
+      - label: ":golangci-lint: lint :lint-roller:"
+        key: "lint"
+        plugins:
+          - docker#v5.11.0:
+              image: "registry.hub.docker.com/golangci/golangci-lint:latest-alpine"
+              cancel_on_build_failing: true
+              command: ["golangci-lint", "run", "-v"]
+              always-pull: true
+              environment:
+                - "GOTOOLCHAIN=auto"
+      - label: ":golang: go test"
+        key: "go_test"
+        plugins:
+          - docker#v5.11.0:
+              image: golang:1.23.0
+              command: ["go", "test", "-coverprofile=coverage.out", "./..."]
+        artifact_paths: ["coverage.out"]
+      - label: ":test_tube: generate example"
+        key: "example_generate"
+        plugins:
+          - docker#v5.11.0:
+              image: "ghcr.io/theopenlane/build-image:v0.1.2"
+              workdir: "/fgax"
+              command: ["task", "example:generate"]
+              environment:
+                - "GOTOOLCHAIN=auto"
+  - group: ":closed_lock_with_key: Security Checks"
+    depends_on: "tests"
+    key: "security"
+    steps:
+      - label: ":closed_lock_with_key: gosec"
+        key: "gosec"
+        plugins:
+          - docker#v5.11.0:
+              image: "registry.hub.docker.com/securego/gosec:2.20.0"
+              command: ["-no-fail", "-exclude-generated", "-fmt sonarqube", "-out", "results.txt", "./..."]
+              environment:
+                - "GOTOOLCHAIN=auto"
+        artifact_paths: ["results.txt"]
+      - label: ":github: upload PR reports"
+        key: "scan-upload-pr"
+        if: build.pull_request.id != null
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: "results.txt"
+          - artifacts#v1.9.4:
+              download: "coverage.out"
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:5"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"
+                - "SONAR_SCANNER_OPTS=-Dsonar.pullrequest.branch=$BUILDKITE_BRANCH -Dsonar.pullrequest.base=$BUILDKITE_PULL_REQUEST_BASE_BRANCH -Dsonar.pullrequest.key=$BUILDKITE_PULL_REQUEST"
+      - label: ":github: upload reports"
+        key: "scan-upload"
+        if: build.branch == "main"
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: results.txt
+          - artifacts#v1.9.4:
+              download: coverage.out
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:5"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @theopenlane/blacksmiths

.github/labeler.yml

@@ -0,0 +1,9 @@
+# Add 'bug' label to any PR where the head branch name starts with `bug` or has a `bug` section in the name
+bug:
+  - head-branch: ["^bug", "bug"]
+# Add 'enhancement' label to any PR where the head branch name starts with `enhancement` or has a `enhancement` section in the name
+enhancement:
+  - head-branch: ["^enhancement", "enhancement", "^feature", "feature", "^enhance", "enhance", "^feat", "feat"]
+# Add 'breaking-change' label to any PR where the head branch name starts with `breaking-change` or has a `breaking-change` section in the name
+breaking-change:
+  - head-branch: ["^breaking-change", "breaking-change"]

.github/release.yml

@@ -0,0 +1,24 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors: []
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - Semver-Major
+        - breaking-change
+    - title: New Features 🎉
+      labels:
+        - Semver-Minor
+        - enhancement
+        - feature
+    - title: Bug Fixes 🐛
+      labels:
+        - bug
+    - title: 👒 Dependencies
+      labels:
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/labeler.yaml

@@ -0,0 +1,13 @@
+name: "Pull Request Labeler"
+on:
+  - pull_request_target
+jobs:
+  triage:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5
+        with:
+          sync-labels: true

.gitignore

@@ -0,0 +1,43 @@
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+*.test
+
+*.out
+
+go.work
+
+*.db
+server.crt
+server.key
+private_key.pem
+public_key.pem
+
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+
+*.log
+
+.vscode
+
+.DS_Store*
+.AppleDouble
+.LSOverride
+ehthumbs.db
+Icon?
+Thumbs.db
+
+*.mime
+*.mim
+
+*.env
+*.env-dev
+*.config.yaml

.golangci.yaml

@@ -0,0 +1,43 @@
+run:
+  timeout: 10m
+  allow-serial-runners: true
+  concurrency: 0
+linters-settings:
+  goimports:
+    local-prefixes: github.com/theopenlane/iam
+  gofumpt:
+    extra-rules: true
+  gosec:
+    exclude-generated: true
+  revive:
+    ignore-generated-header: true
+linters:
+  enable:
+    - bodyclose
+    - errcheck
+    - gocritic
+    - gocyclo
+    - err113
+    - gofmt
+    - goimports
+    - mnd
+    - gosimple
+    - govet
+    - gosec
+    - ineffassign
+    - misspell
+    - noctx
+    - revive
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unused
+    - whitespace
+    - wsl
+issues:
+  fix: true
+  exclude-use-default: true
+  exclude-dirs:
+    - mockery/*
+    - entfga/_examples/*
+    - entfga/templates/*

.pre-commit-config.yaml

@@ -0,0 +1,16 @@
+default_stages: [pre-commit]
+fail_fast: true
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: detect-private-key
+  - repo: https://github.com/google/yamlfmt
+    rev: v0.13.0
+    hooks:
+      - id: yamlfmt
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.24.1
+    hooks:
+      - id: typos

.typos.toml

@@ -0,0 +1,20 @@
+[files]
+extend-exclude = ["db","internal/ent/generated/**","go.mod","go.sum","pkg/testutils/","pkg/passwd/","pkg/tokens/testdata/","pkg/tokens/expires_test.go","internal/graphapi/tools_test.go","internal/httpserve/handlers/tools_test.go","pkg/keygen/auth_test.go","pkg/utils/oas/","pkg/keygen/crypto_test.go","pkg/auth/auth_test.go"]
+ignore-hidden = true
+ignore-files = true
+ignore-dot = true
+ignore-vcs = true
+ignore-global = true
+ignore-parent = true
+
+[default]
+binary = false
+check-filename = true
+check-file = true
+unicode = true
+ignore-hex = true
+identifier-leading-digits = false
+locale = "en"
+extend-ignore-identifiers-re = []
+extend-ignore-words-re = ["(?i)requestor","(?i)indentity","(?i)encrypter","(?i)seeked","(?i)generater"]
+extend-ignore-re = ["#\\s*spellchecker:off\\s*\\n.*\\n\\s*#\\s*spellchecker:on"]

.yamlfmt

@@ -0,0 +1,4 @@
+exclude:
+  - config/
+formatter:
+  retain_line_breaks: true

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright [2024] [The Open Lane, Inc.]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,2 +1,65 @@
-# iam
-identity and access management tooling and wrappers + helpers
+[![Build status](https://badge.buildkite.com/3346f9d3732a143a78c4da3eb9dcb8f4e9616a64bebd0cbfbd.svg)](https://buildkite.com/theopenlane/iam)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=theopenlane_iam&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=theopenlane_iam)
+[![Go Report Card](https://goreportcard.com/badge/github.com/theopenlane/iam)](https://goreportcard.com/report/github.com/theopenlane/iam)
+[![Go Reference](https://pkg.go.dev/badge/github.com/theopenlane/iam.svg)](https://pkg.go.dev/github.com/theopenlane/iam)
+[![License: Apache 2.0](https://img.shields.io/badge/License-Apache2.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0)
+
+# Identity and Access Management (IAM)
+
+A go library for interacting with [OpenFGA](https://openfga.dev/) - it is comprised of 2 packages, `fgax` and `entfga`.
+- fgax: wrapper to interact with the [OpenFGA go-sdk](https://github.com/openfga/go-sdk) and client libraries
+- entfga: an [ent extension](https://entgo.io/docs/extensions/) to create relationship tuples using [ent Hooks](https://entgo.io/docs/hooks/)
+
+## install
+
+You can install `fgax` by running the following command:
+
+```shell
+go get github.com/theopenlane/fgax@latest
+```
+
+## fgax
+
+This package includes helper functions used heavily in [OpenLane](https://github.com/theopenlane/OpenLane/).
+
+For example, you can easily check for `Read` access of an organization using
+
+```go
+	// create client
+	fgaClient, err := fgax.Client("https://fga-host.example.com")
+	if err != nil {
+		return false
+	}
+
+	// create access check
+	req := fgax.AccessCheck{
+		SubjectID:   "user-id",
+		SubjectType: "user",
+		ObjectID:    "organization-id",
+	}
+
+	allow, err := fgaClient.CheckOrgReadAccess(ctx, req)
+	if err != nil {
+		return false
+	}
+```
+
+## entfga
+
+See the [README](./entfga/README.md) for details
+
+## Contributing
+
+Please read the [contributing](.github/CONTRIBUTING.md) guide as well as the [Developer Certificate of Origin](https://developercertificate.org/). You will be required to sign all commits to the OpenLane project, so if you're unfamiliar with how to set that up, see [github's documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification).
+
+## Security
+
+We take the security of our software products and services seriously, including all of the open source code repositories managed through our Github Organizations, such as [theopenlane](https://github.com/theopenlane). If you believe you have found a security vulnerability in any of our repositories, please report it to us through coordinated disclosure.
+
+**Please do NOT report security vulnerabilities through public github issues, discussions, or pull requests!**
+
+Instead, please send an email to `[email protected]` with as much information as possible to best help us understand and resolve the issues. See the security policy attached to this repository for more details.
+
+## Questions?
+
+Open a github issue on this repository and we'll respond as soon as we're able!