diff --git a/cli/go.mod b/cli/go.mod index dc0b134691..a8e0b2d387 100644 --- a/cli/go.mod +++ b/cli/go.mod @@ -21,7 +21,7 @@ require ( github.com/theopenlane/core/common v1.0.21 github.com/theopenlane/go-client v0.10.0 github.com/theopenlane/httpsling v0.3.0 - github.com/theopenlane/iam v0.29.0 + github.com/theopenlane/iam v0.30.0 github.com/theopenlane/utils v0.7.0 golang.org/x/oauth2 v0.36.0 golang.org/x/term v0.43.0 diff --git a/cli/go.sum b/cli/go.sum index 381766253a..a974cb6683 100644 --- a/cli/go.sum +++ b/cli/go.sum @@ -194,8 +194,8 @@ github.com/theopenlane/go-client v0.10.0 h1:gBEOEWXM3nP7VlXPcmgA/0RPWcvSz1XzFBwA github.com/theopenlane/go-client v0.10.0/go.mod h1:usNDyObWwEJmNph2vAlsYfnx1q6jxXMwOKC6kQAesFo= github.com/theopenlane/httpsling v0.3.0 h1:Bad0dGdqCqAB8UVDyVo+YCevzRvGHhmkK22F7T3pXtY= github.com/theopenlane/httpsling v0.3.0/go.mod h1:iJc3XRLYTFIpfCnPpLZVMBP0xsWIPAb7ozARtQoclAE= -github.com/theopenlane/iam v0.29.0 h1:mmN5ZC5wfKHiMm69XpTfcqZl0IPMCFTEZuGHI7j2u4I= -github.com/theopenlane/iam v0.29.0/go.mod h1:WIWrlNu6gBNrEVNCtdAmGX7xrnv4+J2xPl0Frjw94rE= +github.com/theopenlane/iam v0.30.0 h1:rZcJQVfNUfxss1shF+uinF2vo7UZl9rqEcG6yl5ayRI= +github.com/theopenlane/iam v0.30.0/go.mod h1:slggeX0cWMUakfYz0RwSZfnz5kOcKdii18sek4SfMEQ= github.com/theopenlane/utils v0.7.0 h1:tSN9PBC8Ywn2As3TDW/1TAfWsVsodrccec40oAhiZgo= github.com/theopenlane/utils v0.7.0/go.mod h1:7U9CDoVzCAFWw/JygR5ZhCKGwhHBnuJpK3Jgh1m59+w= github.com/tinylib/msgp v1.6.4 h1:mOwYbyYDLPj35mkA2BjjYejgJk9BuHxDdvRnb6v2ZcQ= diff --git a/common/go.mod b/common/go.mod index 199d2e4f0b..86a20565e6 100644 --- a/common/go.mod +++ b/common/go.mod 
@@ -29,6 +29,7 @@ require ( github.com/agnivade/levenshtein v1.2.1 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/bmatcuk/doublestar v1.3.4 // indirect + github.com/brianvoe/gofakeit/v7 v7.15.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/fxamacker/cbor/v2 v2.9.2 // indirect diff --git a/common/go.sum b/common/go.sum index 04dfff7690..c64daf0c9d 100644 --- a/common/go.sum +++ b/common/go.sum @@ -22,8 +22,8 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0= github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE= -github.com/brianvoe/gofakeit/v7 v7.14.1 h1:a7fe3fonbj0cW3wgl5VwIKfZtiH9C3cLnwcIXWT7sow= -github.com/brianvoe/gofakeit/v7 v7.14.1/go.mod h1:QXuPeBw164PJCzCUZVmgpgHJ3Llj49jSLVkKPMtxtxA= +github.com/brianvoe/gofakeit/v7 v7.15.0 h1:kGLYAWN8tnmxq2PelKVK6zwpM7kMxdz9SGPH31mFkNs= +github.com/brianvoe/gofakeit/v7 v7.15.0/go.mod h1:QXuPeBw164PJCzCUZVmgpgHJ3Llj49jSLVkKPMtxtxA= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/config/.env.example b/config/.env.example index e81f99260b..185f1222a1 100644 --- a/config/.env.example +++ b/config/.env.example 
@@ -141,6 +141,8 @@ CORE_AUTHZ_CREDENTIALS_AUDIENCE="" CORE_AUTHZ_CREDENTIALS_ISSUER="" CORE_AUTHZ_CREDENTIALS_SCOPES="" CORE_AUTHZ_MAXBATCHWRITESIZE="100" +CORE_AUTHZ_DISABLEPARENTCONTEXT="false" +CORE_AUTHZ_PARENTCONTEXTSKIPKINDS="" CORE_DB_DEBUG="false" CORE_DB_DATABASENAME="openlane" CORE_DB_DRIVERNAME="pgx" diff --git a/config/config-dev.example.yaml b/config/config-dev.example.yaml index fc7950d432..48044e43e0 100644 --- a/config/config-dev.example.yaml +++ b/config/config-dev.example.yaml @@ -96,6 +96,7 @@ authz: createnewmodel: true credentials: apitoken: "QKwHEmWX99RnFh28eSRJ3GWlfb2FQkL7toh1GJpzch1mMkVeMg" + disableparentcontext: true # session settings sessions: diff --git a/config/config.example.yaml b/config/config.example.yaml index ef424f048c..8761572647 100644 --- a/config/config.example.yaml +++ b/config/config.example.yaml @@ -71,12 +71,15 @@ authz: clientsecret: "" issuer: "" scopes: "" + disableparentcontext: false enabled: true hosturl: https://authz.theopenlane.io maxbatchwritesize: 100 modelfile: fga/model/model.fga modelid: "" modulefile: "" + parentcontextconditions: [] + parentcontextskipkinds: [] storeid: "" storename: openlane cloudflare: diff --git a/config/configmap-config-file.yaml b/config/configmap-config-file.yaml index 529962ccae..5e39fd0d2a 100644 --- a/config/configmap-config-file.yaml +++ b/config/configmap-config-file.yaml 
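Review bot: The two new variables `CORE_AUTHZ_DISABLEPARENTCONTEXT` and `CORE_AUTHZ_PARENTCONTEXTSKIPKINDS` have no counterpart for `parentcontextconditions`, even though config.example.yaml in the same commit adds `parentcontextconditions: []` as a sibling of the other two keys. If the env file is generated and the generator skips struct slices, that is presumably deliberate, but nothing in the file says so and a reader will look for the missing key. A comment next to the two new lines, `# parentcontextconditions has no env form; set it in the YAML config`, would close that gap.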
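Review bot: In config-dev.example.yaml the added `disableparentcontext: true` switches the parent-context tuple behaviour off for local development, while config.example.yaml in the same commit documents the default as `disableparentcontext: false`, so a developer running the dev example works against a different authorization tuple set than production writes and the line carries no explanation. Because the diff here is collapsed, the indentation of the added line is not visible; please confirm it sits at the `authz` level next to `createnewmodel` rather than under `credentials`, where it would be an unknown key and silently ignored (assuming the loader tolerates unknown keys — verify). A comment above it such as `# parent context tuples are disabled for local dev; the production default keeps them enabled` would make the divergence intentional rather than accidental.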
@@ -597,6 +597,19 @@ data: {{- if .Values.openlane.coreConfiguration.authz.maxbatchwritesize }} maxbatchwritesize: {{ .Values.openlane.coreConfiguration.authz.maxbatchwritesize }} {{- end }} + {{- if .Values.openlane.coreConfiguration.authz.disableparentcontext }} + disableparentcontext: {{ .Values.openlane.coreConfiguration.authz.disableparentcontext }} + {{- end }} + {{- $sliceValue := (.Values.openlane.coreConfiguration.authz.parentcontextskipkinds | default (list)) }} + {{- if gt (len $sliceValue) 0 }} + parentcontextskipkinds: + {{- toYaml $sliceValue | nindent 8 }} + {{- end }} + {{- $sliceValue := (.Values.openlane.coreConfiguration.authz.parentcontextconditions | default (list)) }} + {{- if gt (len $sliceValue) 0 }} + parentcontextconditions: + {{- toYaml $sliceValue | nindent 8 }} + {{- end }} {{- end }} {{- if .Values.openlane.coreConfiguration.db }} db: diff --git a/config/helm-values.yaml b/config/helm-values.yaml index b28f33eef2..46964dc18c 100644 --- a/config/helm-values.yaml +++ b/config/helm-values.yaml @@ -306,6 +306,12 @@ coreConfiguration: scopes: "" # @schema type:string # -- maximum number of writes per batch in a transaction maxbatchwritesize: 100 # @schema type:integer; default:100 + # -- disables the automatic addition of parent context tuples + disableparentcontext: false # @schema type:boolean; default:false + # -- entity kind names that should not have parent context tuples added + parentcontextskipkinds: [] + # -- relationship conditions to apply on parent context tuples per entity kind + parentcontextconditions: [] # -- DB contains the database configuration for the ent client db: # -- debug enables printing the debug database logs diff --git a/go.mod b/go.mod index 2a855ba2d4..3afd718b11 100644 --- a/go.mod +++ b/go.mod 
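Review bot: In config/helm-values.yaml the new `parentcontextskipkinds: []` and `parentcontextconditions: []` entries have no `# @schema` annotation, whereas their siblings on the same lines of the hunk do (`maxbatchwritesize: 100 # @schema type:integer; default:100`, `disableparentcontext: false # @schema type:boolean; default:false`). If the chart's values schema is derived from these annotations, as the siblings suggest, the two list keys end up untyped and a scalar or map supplied by mistake would pass validation and only fail when the config is loaded. Adding an annotation in the same form, e.g. `parentcontextskipkinds: [] # @schema type:array`, keeps the validation consistent; if the file is generated, the fix belongs in the generator.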
@@ -104,12 +104,12 @@ require ( github.com/theopenlane/go-client v0.10.0 github.com/theopenlane/gqlgen-plugins v0.14.7 github.com/theopenlane/httpsling v0.3.0 - github.com/theopenlane/iam v0.29.0 + github.com/theopenlane/iam v0.30.0 github.com/theopenlane/newman v0.4.0 github.com/theopenlane/riverboat v0.8.8 github.com/theopenlane/utils v0.7.0 github.com/tmc/langchaingo v0.1.14 - github.com/urfave/cli/v3 v3.8.0 + github.com/urfave/cli/v3 v3.9.0 github.com/vektah/gqlparser/v2 v2.5.33 github.com/xeipuuv/gojsonschema v1.2.0 github.com/yuin/goldmark v1.8.2 @@ -122,7 +122,7 @@ require ( golang.org/x/sync v0.20.0 golang.org/x/text v0.37.0 golang.org/x/tools v0.45.0 - google.golang.org/api v0.278.0 + google.golang.org/api v0.279.0 gopkg.in/yaml.v3 v3.0.1 gotest.tools/v3 v3.5.2 ) diff --git a/go.sum b/go.sum index d19197d3c1..c709e9b9c5 100644 --- a/go.sum +++ b/go.sum @@ -742,8 +742,8 @@ github.com/theopenlane/gqlgen-plugins v0.14.7 h1:B9I6tpgevch3xQfV3qqRTpxHIlJvwtX github.com/theopenlane/gqlgen-plugins v0.14.7/go.mod h1:fUjo1cVKEAPLhtRrH+iJtrfivCNp+GxVSB/UJgVBDuA= github.com/theopenlane/httpsling v0.3.0 h1:Bad0dGdqCqAB8UVDyVo+YCevzRvGHhmkK22F7T3pXtY= github.com/theopenlane/httpsling v0.3.0/go.mod h1:iJc3XRLYTFIpfCnPpLZVMBP0xsWIPAb7ozARtQoclAE= -github.com/theopenlane/iam v0.29.0 h1:mmN5ZC5wfKHiMm69XpTfcqZl0IPMCFTEZuGHI7j2u4I= -github.com/theopenlane/iam v0.29.0/go.mod h1:WIWrlNu6gBNrEVNCtdAmGX7xrnv4+J2xPl0Frjw94rE= +github.com/theopenlane/iam v0.30.0 h1:rZcJQVfNUfxss1shF+uinF2vo7UZl9rqEcG6yl5ayRI= +github.com/theopenlane/iam v0.30.0/go.mod h1:slggeX0cWMUakfYz0RwSZfnz5kOcKdii18sek4SfMEQ= github.com/theopenlane/newman v0.4.0 h1:HiYMASHH3WD63M5GIwYFokf81Gq8lZ0Q/D5eget73x4= github.com/theopenlane/newman v0.4.0/go.mod h1:KqTNABh60+NafNhmTvFvFXYYeDl78n+BFZrkhdm60Fo= github.com/theopenlane/oscalot v0.1.0 h1:ExYiMU4Q1ezbGq77sxkgahmfmc46L+2NqB39fg0HXjU= 
@@ -773,8 +773,8 @@ github.com/tmc/langchaingo v0.1.14 h1:o1qWBPigAIuFvrG6cjTFo0cZPFEZ47ZqpOYMjM15yZ
 github.com/tmc/langchaingo v0.1.14/go.mod h1:aKKYXYoqhIDEv7WKdpnnCLRaqXic69cX9MnDUk72378=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI=
-github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
+github.com/urfave/cli/v3 v3.9.0 h1:AV9lIiPv3ukYnxunaCUsHnEozptYmDN2F0+yWqLMn/c=
+github.com/urfave/cli/v3 v3.9.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4=
@@ -970,8 +970,8 @@ golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhS golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= -google.golang.org/api v0.278.0 h1:W7jiRvRi53VYFfZ/HoZjQBtJk7gOFbHD8ot1RzVZU6E= -google.golang.org/api v0.278.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ= +google.golang.org/api v0.279.0 h1:hsx2M2OaRcaKtVYK6vXEUnQvdjnend7ZYES+lYaot74= +google.golang.org/api v0.279.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ= google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0= google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I= google.golang.org/genproto/googleapis/api v0.0.0-20260504160031-60b97b32f348 h1:U8orV30l6KpDsi9dxU0CoJZGbjS8EEpw+6ba+XwGPQA= diff --git a/internal/ent/hooks/tools_test.go b/internal/ent/hooks/tools_test.go index 343e521b45..eb4fc0526e 100644 --- a/internal/ent/hooks/tools_test.go +++ b/internal/ent/hooks/tools_test.go @@ -82,6 +82,7 @@ func (suite *HookTestSuite) setupClient() *generated.Client { fgatest.WithModelFile(fgaModelFile), fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()), fgatest.WithVersion(version), + fgatest.WithDisableParentContext(), ) ctx := context.Background() diff --git a/internal/graphapi/tools_test.go b/internal/graphapi/tools_test.go index 362e2a7fa8..404fdc8dad 100644 --- a/internal/graphapi/tools_test.go +++ b/internal/graphapi/tools_test.go @@ -170,6 +170,7 @@ func (suite *GraphTestSuite) SetupSuite(t *testing.T) { fgatest.WithModelFile(fgaModelFile), fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()), fgatest.WithVersion(version), + fgatest.WithDisableParentContext(), ) ctx := context.Background() 
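Review bot: Every test suite in this commit — `setupClient` in internal/ent/hooks/tools_test.go, `SetupSuite` in internal/graphapi/tools_test.go, internal/httpserve/handlers/tools_test.go and internal/workflows/engine/tools_test.go — adds `fgatest.WithDisableParentContext()` to the FGA test client, and the option is given without any comment saying why. Taken together with the `disableparentcontext: false` default in config.example.yaml, this means the behaviour production runs with (automatic parent-context tuples, presumably introduced by the iam v0.30.0 bump — verify) is exercised by none of these suites, so regressions in the tuples written for parent relationships would only surface in deployment unless another suite covers it. A one-line comment above the option in each suite, stating the reason the default is not used there (for example that the fixtures assert an exact tuple set), would at least make the gap visible; better still would be one suite that leaves the default on. The enclosing `setupClient`/`SetupSuite` bodies continue outside each hunk.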
diff --git a/internal/httpserve/handlers/tools_test.go b/internal/httpserve/handlers/tools_test.go index edd091ac0f..3983ece879 100644 --- a/internal/httpserve/handlers/tools_test.go +++ b/internal/httpserve/handlers/tools_test.go @@ -154,6 +154,7 @@ func (suite *HandlerTestSuite) SetupSuite() { fgatest.WithModelFile(fgaModelFile), fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()), fgatest.WithVersion(version), + fgatest.WithDisableParentContext(), ) // shared token manager to avoid RSA key generation diff --git a/internal/workflows/engine/tools_test.go b/internal/workflows/engine/tools_test.go index 504fe0f94a..656ec35d27 100644 --- a/internal/workflows/engine/tools_test.go +++ b/internal/workflows/engine/tools_test.go @@ -111,6 +111,7 @@ func (s *WorkflowEngineTestSuite) SetupSuite() { fgatest.WithModelFile(fgaModelFile), fgatest.WithEnvVars(coreutils.GetDefaultFGAEnvs()), fgatest.WithVersion(version), + fgatest.WithDisableParentContext(), ) fgaClient, err := s.ofgaTF.NewFgaClient(s.ctx) diff --git a/jsonschema/api-docs.md b/jsonschema/api-docs.md index a24f5c0646..1b858c1b6e 100644 --- a/jsonschema/api-docs.md +++ b/jsonschema/api-docs.md @@ -77,7 +77,12 @@ Config contains the configuration for the core server } }, "authz": { - "credentials": {} + "credentials": {}, + "parentcontextconditions": [ + { + "context": {} + } + ] }, "db": {}, "jobqueue": { @@ -884,13 +889,21 @@ OauthProviderConfig represents the configuration for OAuth providers such as Git |**modulefile**|`string`|path to the fga module file
|no| |[**credentials**](#authzcredentials)|`object`||no| |**maxbatchwritesize**|`integer`|maximum number of writes per batch in a transaction
|no| +|**disableparentcontext**|`boolean`|disables the automatic addition of parent context tuples
|no| +|[**parentcontextskipkinds**](#authzparentcontextskipkinds)|`string[]`||no| +|[**parentcontextconditions**](#authzparentcontextconditions)|`array`||no| **Additional Properties:** not allowed **Example** ```json { - "credentials": {} + "credentials": {}, + "parentcontextconditions": [ + { + "context": {} + } + ] } ``` @@ -909,6 +922,27 @@ OauthProviderConfig represents the configuration for OAuth providers such as Git |**scopes**|`string`|scopes for the openFGA client
|| **Additional Properties:** not allowed + +### authz\.parentcontextskipkinds: array + +**Items** + +**Item Type:** `string` + +### authz\.parentcontextconditions: array + +**Items** + +**Example** + +```json +[ + { + "context": {} + } +] +``` + ## db: object diff --git a/jsonschema/core.config.json b/jsonschema/core.config.json index da324e3b14..6bb56bf2c8 100644 --- a/jsonschema/core.config.json +++ b/jsonschema/core.config.json @@ -8,6 +8,12 @@ }, "type": "array" }, + "[]fgax.ParentContextConditionConfig": { + "items": { + "$ref": "#/$defs/fgax.ParentContextConditionConfig" + }, + "type": "array" + }, "[]ratelimit.RateOption": { "items": { "$ref": "#/$defs/ratelimit.RateOption" @@ -782,6 +788,18 @@ "maxbatchwritesize": { "type": "integer", "description": "maximum number of writes per batch in a transaction" + }, + "disableparentcontext": { + "type": "boolean", + "description": "disables the automatic addition of parent context tuples" + }, + "parentcontextskipkinds": { + "$ref": "#/$defs/[]string", + "description": "entity kind names that should not have parent context tuples added" + }, + "parentcontextconditions": { + "$ref": "#/$defs/[]fgax.ParentContextConditionConfig", + "description": "relationship conditions to apply on parent context tuples per entity kind" } }, "additionalProperties": false, @@ -820,6 +838,24 @@ "additionalProperties": false, "type": "object" }, + "fgax.ParentContextConditionConfig": { + "properties": { + "kind": { + "type": "string", + "description": "entity kind name the condition applies to" + }, + "name": { + "type": "string", + "description": "condition name defined in the authorization model" + }, + "context": { + "$ref": "#/$defs/map[string]interface {}", + "description": "condition context parameters" + } + }, + "additionalProperties": false, + "type": "object" + }, "github.ProviderConfig": { "properties": { "clientid": { 
@@ -963,6 +999,9 @@ }, "type": "object" }, + "map[string]interface {}": { + "type": "object" + }, "map[string]river.QueueConfig": { "additionalProperties": { "$ref": "#/$defs/river.QueueConfig"