From 7fd12247b94ab6e57eec53c489c5e476f2d069b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Aguiar?= Date: Thu, 7 Nov 2024 09:23:31 -0300 Subject: [PATCH 1/7] Update self-assessment.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added a few more adopters, a link to the release process and a third party security review. Signed-off-by: Andrés Aguiar --- .../projects/openfga/self-assessment.md | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/community/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md index 40de0ab7c..87781daab 100644 --- a/community/assessments/projects/openfga/self-assessment.md +++ b/community/assessments/projects/openfga/self-assessment.md @@ -48,7 +48,6 @@ This assessment was contributed to by community members as part of the [Security | Security Policy | [OpenFGA Security Policy](https://github.com/openfga/openfga/security/policy) | | Security Insights | [OpenFGA Security Insights](https://github.com/openfga/openfga/blob/main/SECURITY-INSIGHTS.yml) | | Security risks | [OpenFGA Security risks](https://github.com/orgs/openfga/security/risk) | -| -- | -- | ## Overview 
@@ -109,6 +108,8 @@ With this information, OpenFGA can be queried in different ways: - Using the [/list-objects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) endpoint to ask questions like "What are all the documents for which `user:alice` is a `viewer`. With the data provided above, OpenFGA will return `{object_ids { "document:readme" }` +- Using the [/list-users](https://openfga.dev/api/service#/Relationship%20Queries/ListUsers) endpoint to ask questions like "What are all the users that are a `viewer` of the `document:readme` object". With the data provided above, OpenFGA will return `{users { "user:alice" }`. + ### Actors The actors within the system are the OpenFGA server, Database server, and the CLI/API clients. @@ -155,7 +156,7 @@ Every time a server endpoint is invoked, OpenFGA validates that: #### Calling the Authorization Query endpoints -When the [/check](https://openfga.dev/api/service#/Relationship%20Queries/Check) and [/list-objects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) endpoints are called, OpenFGA limits the number of simultaneous paths explored and enforces depth limitations on the graph traversal. +When the [/check](https://openfga.dev/api/service#/Relationship%20Queries/Check), [/list-objects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) and [/list-users](https://openfga.dev/api/service#/Relationship%20Queries/ListUsers) endpoints are called, OpenFGA limits the number of simultaneous paths explored and enforces depth limitations on the graph traversal. To protect against DoS attacks, OpenFGA restricts both the number of simultaneous paths explored and the depth of paths traversed in the graph. @@ -321,6 +322,7 @@ actions: relationships.queries: - check - expand + - list-users - list-objects - streamed-list-objects 
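Review bot: The example response in the new `/list-users` bullet, `{users { "user:alice" }`, is not valid JSON (no colon after the key, no array brackets), and it copies the shape of the `/list-objects` bullet just above it, which has the same defect and also never closes its opening quotation mark. Readers of a self-assessment will compare these against real API output, so write both as valid JSON matching the linked API reference, e.g. `{"users": [...]}` for ListUsers and an `objects` array for ListObjects (the reference uses `objects`, not `object_ids`), and close the quoted question in the `/list-objects` bullet while this list is being edited.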
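Review bot: The rewritten sentence in the `@@ -155` hunk and the sentence that follows it ("To protect against DoS attacks, OpenFGA restricts both the number of simultaneous paths explored and the depth of paths traversed in the graph.") state the same limit twice; since this hunk already rewrites the first sentence to add `/list-users`, merge the two into one, and link the server configuration that sets the path and depth limits so the claim can be verified per endpoint. The added line also carries trailing whitespace, which patch 2/7 then strips; fold that into this commit.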
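Review bot: With `list-users` added to the `relationships.queries` action list in the `@@ -321` hunk, that list now names five query endpoints, but the DoS-limits sentence earlier in this patch names only three (`/check`, `/list-objects`, `/list-users`). Either state that `expand` and `streamed-list-objects` are subject to the same path and depth limits, or say explicitly that they are not, so the two sections agree on which endpoints are covered.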
@@ -458,6 +460,10 @@ By refraining from including PII in relationship tuples, users can simplify thei | CLOMonitor | [![openfga](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/openfga/badge)](https://clomonitor.io/projects/cncf/openfga) | | | | +### Release Process + +The release process is documented [here](https://github.com/openfga/openfga/blob/main/RELEASES.md). + ### Communication Channels #### Internal @@ -490,6 +496,8 @@ OpenFGA can be integrated with and monitored through the following technologies: [![jaeger](https://img.shields.io/badge/Jaeger--openfga?color=25c2a0&logo=jaeger)](https://jaegertracing.io/) [![dynatrace](https://img.shields.io/badge/Dynatrace--openfga?color=25c2a0&logo=Dynatrace)](https://dynatrace.io/) +#### Observability + ## Security Issue Resolution ### Responsible Disclosure @@ -512,8 +520,15 @@ All OpenFGA security issues can be found on the [Github advisories page](https:/ ### Case Studies -The [list](https://github.com/openfga/community/blob/main/ADOPTERS.md) of projects that utilize OpenFGA include Okta FGA, Twintag, Mapped, Procure Ai,Canonical (Juju & LFX), Wolt, Italarchivi, Read AI, Virtool, Configu, Fianu Labs, and ExcID. +The [list](https://github.com/openfga/community/blob/main/ADOPTERS.md) of projects that utilize OpenFGA include Okta FGA, Canonical (Juju & LXD), Docker, Wolt, Sourcegraph, Bump, Italarchivi, Read AI, Virtool, Configu, Fianu Labs, ExcID, Twintag, Mapped, Procure Ai, and many more. ### Related Projects/Vendors The list of related projects is available as a [community resource](https://github.com/openfga/community/blob/main/related-projects.md) + +### Third Party Security Reviews + +[Trail Of Bits](https://www.trailofbits.com/) published a [Comparative Language Security Assessment](https://github.com/trailofbits/publications/blob/master/reports/Policy_Language_Security_Comparison_and_TM.pdf) that evaluates Cedar, Rego and OpenFGA. + + + 
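Review bot: "documented [here](...)" in the new `### Release Process` section uses non-descriptive link text; prefer naming the target, e.g. "The release process is documented in [RELEASES.md](https://github.com/openfga/openfga/blob/main/RELEASES.md)". It would also help a security reviewer if the sentence said which parts of the process matter for this assessment (who can cut a release, how artifacts are signed or verified), if RELEASES.md documents them; otherwise the one-liner adds little over the bare link.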
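Review bot: `#### Observability` in the `@@ -490` hunk is added as an empty heading directly before `## Security Issue Resolution`, with no body under it, while the monitoring badges it would presumably title sit above it under the previous heading. Drop it (patch 3/7 in this series does) or move it above the badge list if the intent was to title that list.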
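Review bot: The new `### Third Party Security Reviews` section in the `@@ -512` hunk ends with three blank lines, which the markdown linter will flag (patch 3/7 removes them; fold that in here). Two wording points in the same hunk: the company styles its name "Trail of Bits", not "Trail Of Bits"; and "Procure Ai" in the adopters sentence is inconsistent with the casing of the other names, so check it against ADOPTERS.md. A one-sentence summary of what the linked report concluded about OpenFGA would make this section useful to someone reading the assessment without opening the PDF.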
From e21321f7e4ec9f5b7b1c4fd4f084d37779444f58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Aguiar?= Date: Thu, 7 Nov 2024 09:28:35 -0300 Subject: [PATCH 2/7] chore: removed extra whitespace MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Aguiar --- community/assessments/projects/openfga/self-assessment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md index 87781daab..63da92eb8 100644 --- a/community/assessments/projects/openfga/self-assessment.md +++ b/community/assessments/projects/openfga/self-assessment.md @@ -156,7 +156,7 @@ Every time a server endpoint is invoked, OpenFGA validates that: #### Calling the Authorization Query endpoints -When the [/check](https://openfga.dev/api/service#/Relationship%20Queries/Check), [/list-objects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) and [/list-users](https://openfga.dev/api/service#/Relationship%20Queries/ListUsers) endpoints are called, OpenFGA limits the number of simultaneous paths explored and enforces depth limitations on the graph traversal. +When the [/check](https://openfga.dev/api/service#/Relationship%20Queries/Check), [/list-objects](https://openfga.dev/api/service#/Relationship%20Queries/ListObjects) and [/list-users](https://openfga.dev/api/service#/Relationship%20Queries/ListUsers) endpoints are called, OpenFGA limits the number of simultaneous paths explored and enforces depth limitations on the graph traversal. To protect against DoS attacks, OpenFGA restricts both the number of simultaneous paths explored and the depth of paths traversed in the graph. From f3c2c56fe109db409c4082fe654f5b328123e4eb Mon Sep 17 00:00:00 2001 
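Review bot: The `@@ -156` hunk in patch 2/7 changes only trailing whitespace on the `/check` line; the removed and added lines are identical as rendered. Squash it into patch 1/7, which introduced the line, so the series does not carry a whitespace-only commit.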
From: =?UTF-8?q?Andr=C3=A9s=20Aguiar?= Date: Thu, 7 Nov 2024 09:38:51 -0300 Subject: [PATCH 3/7] Updated linter errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Aguiar --- community/assessments/projects/openfga/self-assessment.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/community/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md index 63da92eb8..33a47db35 100644 --- a/community/assessments/projects/openfga/self-assessment.md +++ b/community/assessments/projects/openfga/self-assessment.md @@ -496,8 +496,6 @@ OpenFGA can be integrated with and monitored through the following technologies: [![jaeger](https://img.shields.io/badge/Jaeger--openfga?color=25c2a0&logo=jaeger)](https://jaegertracing.io/) [![dynatrace](https://img.shields.io/badge/Dynatrace--openfga?color=25c2a0&logo=Dynatrace)](https://dynatrace.io/) -#### Observability - ## Security Issue Resolution ### Responsible Disclosure @@ -529,6 +527,3 @@ The list of related projects is available as a [community resource](https://gith ### Third Party Security Reviews [Trail Of Bits](https://www.trailofbits.com/) published a [Comparative Language Security Assessment](https://github.com/trailofbits/publications/blob/master/reports/Policy_Language_Security_Comparison_and_TM.pdf) that evaluates Cedar, Rego and OpenFGA. - - - From baad5422cb89fb7de8ddbb02165570ac8dcb8127 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Aguiar?= Date: Thu, 7 Nov 2024 09:43:18 -0300 Subject: [PATCH 4/7] Fixed lint issue MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Aguiar --- community/assessments/projects/openfga/self-assessment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
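Review bot: Removing the three trailing blank lines in the `@@ -529` hunk is correct, but patch 6/7 later in this series adds a blank line back at the end of the same section, so the file as submitted still ends with extra whitespace. Decide once on the trailing-newline convention and squash these lint fix-ups (patches 2/7 through 6/7) into patch 1/7, which introduced every line they touch.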
diff --git a/community/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md index 33a47db35..33f13d1b6 100644 --- a/community/assessments/projects/openfga/self-assessment.md +++ b/community/assessments/projects/openfga/self-assessment.md @@ -526,4 +526,4 @@ The list of related projects is available as a [community resource](https://gith ### Third Party Security Reviews -[Trail Of Bits](https://www.trailofbits.com/) published a [Comparative Language Security Assessment](https://github.com/trailofbits/publications/blob/master/reports/Policy_Language_Security_Comparison_and_TM.pdf) that evaluates Cedar, Rego and OpenFGA. +[Trail Of Bits](https://www.trailofbits.com/) published a [Comparative Language Security Assessment](https://github.com/trailofbits/publications/blob/master/reports/Policy_Language_Security_Comparison_and_TM.pdf) that evaluates Cedar, Rego and OpenFGA. From 8fa46df301a022a3e614f26af704602c51067412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Aguiar?= Date: Thu, 7 Nov 2024 09:52:07 -0300 Subject: [PATCH 5/7] added spelling linter directive MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Aguiar --- community/assessments/projects/openfga/self-assessment.md | 1 + 1 file changed, 1 insertion(+) diff --git a/community/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md index 33f13d1b6..aa17e0073 100644 --- a/community/assessments/projects/openfga/self-assessment.md +++ b/community/assessments/projects/openfga/self-assessment.md 
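Review bot: The removed and added lines in the `@@ -526` hunk are identical as rendered, so the "lint issue" named in the subject is invisible to a reviewer; presumably trailing whitespace again. State what was fixed in the commit message, and squash it with patch 1/7, which introduced the line.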
@@ -518,6 +518,7 @@ All OpenFGA security issues can be found on the [Github advisories page](https:/ ### Case Studies + The [list](https://github.com/openfga/community/blob/main/ADOPTERS.md) of projects that utilize OpenFGA include Okta FGA, Canonical (Juju & LXD), Docker, Wolt, Sourcegraph, Bump, Italarchivi, Read AI, Virtool, Configu, Fianu Labs, ExcID, Twintag, Mapped, Procure Ai, and many more. ### Related Projects/Vendors From 49a79dabff16fa019d93871111db80ab36767b74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Aguiar?= Date: Thu, 7 Nov 2024 13:26:07 -0300 Subject: [PATCH 6/7] Try fixing the link linter error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Aguiar --- community/assessments/projects/openfga/self-assessment.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/community/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md index aa17e0073..d06f2a60f 100644 --- a/community/assessments/projects/openfga/self-assessment.md +++ b/community/assessments/projects/openfga/self-assessment.md @@ -527,4 +527,6 @@ The list of related projects is available as a [community resource](https://gith ### Third Party Security Reviews + [Trail Of Bits](https://www.trailofbits.com/) published a [Comparative Language Security Assessment](https://github.com/trailofbits/publications/blob/master/reports/Policy_Language_Security_Comparison_and_TM.pdf) that evaluates Cedar, Rego and OpenFGA. + From ef4da58620f14e0c30535fe2bdfc358838f8e02c Mon Sep 17 00:00:00 2001 
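Review bot: The subject of patch 5/7 says "added spelling linter directive", but its `@@ -518` hunk only inserts a blank line after `### Case Studies`; no directive (such as a spell-checker ignore comment) appears anywhere in the diff. Either the intended change is missing from the commit or the message is wrong. If the linter is flagging adopter names in the sentence that follows, a blank line will not silence it.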
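Review bot: The `@@ -527` hunk in patch 6/7 adds blank lines around the Trail of Bits paragraph, including one at end of file that patch 3/7 had just removed. If the failing check is a link checker, as the subject "Try fixing the link linter error" suggests, whitespace will not affect it; verify that the checker can fetch the PDF target at the GitHub URL, and adjust the link rather than the surrounding blank lines.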
From: =?UTF-8?q?Andr=C3=A9s=20Aguiar?= Date: Sat, 9 Nov 2024 16:09:14 -0300 Subject: [PATCH 7/7] Fixed broken links MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Removed link to https://github.com/orgs/openfga/security/risk as it requires to be logged-in and have permissions on the OpenFGA repository to view them - Removed link to https://snyk.io/test/github/openfga/openfga as it's not working on the snyk side. I left only the badge for now Signed-off-by: Andrés Aguiar --- community/assessments/projects/openfga/self-assessment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/community/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md index d06f2a60f..e3a3f60fa 100644 --- a/community/assessments/projects/openfga/self-assessment.md +++ b/community/assessments/projects/openfga/self-assessment.md @@ -47,7 +47,6 @@ This assessment was contributed to by community members as part of the [Security | -- | -- | | Security Policy | [OpenFGA Security Policy](https://github.com/openfga/openfga/security/policy) | | Security Insights | [OpenFGA Security Insights](https://github.com/openfga/openfga/blob/main/SECURITY-INSIGHTS.yml) | -| Security risks | [OpenFGA Security risks](https://github.com/orgs/openfga/security/risk) | ## Overview 
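Review bot: Dropping the `Security risks` row in the `@@ -47` hunk because the GitHub org security page needs maintainer permissions is reasonable, but the assessment then says nothing about where dependency and code-scanning risks are tracked. Consider replacing the row with a short note that risk tracking happens in GitHub's security overview and is visible only to maintainers, so the information is not lost along with the link.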
@@ -454,7 +453,7 @@ By refraining from including PII in relationship tuples, users can simplify thei | - | - | | Build | [![main](https://github.com/openfga/openfga/actions/workflows/main.yaml/badge.svg)](https://github.com/openfga/openfga/actions/workflows/main.yaml) [![pr](https://github.com/openfga/openfga/actions/workflows/pull_request.yaml/badge.svg)](https://github.com/openfga/openfga/actions/workflows/pull_request.yaml) [![codecov](https://codecov.io/gh/openfga/openfga/branch/main/graph/badge.svg)](https://codecov.io/gh/openfga/openfga) | | Release| [![release.yaml](https://github.com/openfga/openfga/actions/workflows/release.yaml/badge.svg)](https://github.com/openfga/openfga/actions/workflows/release.yaml) | -| Scanning | [![CodeQL](https://github.com/openfga/openfga/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/openfga/openfga/actions/workflows/github-code-scanning/codeql) [![Semgrep](https://github.com/openfga/openfga/actions/workflows/semgrep.yaml/badge.svg)](https://github.com/openfga/openfga/actions/workflows/semgrep.yaml) [![Snyk](https://snyk.io/test/github/openfga/openfga/main/badge.svg)](https://snyk.io/test/github/openfga/openfga) | +| Scanning | [![CodeQL](https://github.com/openfga/openfga/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/openfga/openfga/actions/workflows/github-code-scanning/codeql) [![Semgrep](https://github.com/openfga/openfga/actions/workflows/semgrep.yaml/badge.svg)](https://github.com/openfga/openfga/actions/workflows/semgrep.yaml) ![Snyk](https://snyk.io/test/github/openfga/openfga/main/badge.svg) | | License| [![FOSSA](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fopenfga%2Fopenfga.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fopenfga%2Fopenfga?ref=badge_shield&issueType=license) 
[![FOSSA](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fopenfga%2Fopenfga.svg?type=shield&issueType=security)](https://app.fossa.com/projects/git%2Bgithub.com%2Fopenfga%2Fopenfga?ref=badge_shield&issueType=security)| | OpenSSF | [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6374/badge)](https://www.bestpractices.dev/projects/6374) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/openfga/openfga/badge)](https://securityscorecards.dev/viewer/?uri=github.com/openfga/openfga) | | CLOMonitor | [![openfga](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/openfga/badge)](https://clomonitor.io/projects/cncf/openfga) |
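Review bot: Keeping `![Snyk](https://snyk.io/test/github/openfga/openfga/main/badge.svg)` as an unlinked image in the `@@ -454` hunk when the commit message says the Snyk page "is not working on the snyk side" is fragile: the badge is served from the same host, so if it fails too the table shows a broken image, and a badge with no click-through gives a reviewer nothing to verify. Either remove the Snyk entry until the integration works or keep the link and fix it on the Snyk side; a badge without a verifiable source should not stand as evidence of scanning in a security self-assessment.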