mv relationship pkg

x/acp/auth_engine/test_suite.go

@@ -193,3 +193,6 @@ func runSuite(t *testing.T, suite *TestSuite) {
 		})
 	}
 }
+
+// TODO Add Tests for Check, Filter Relationship and yada yada
+// (should this be tested directly? seems redundant)

x/acp/relationship/authorizer.go

@@ -0,0 +1,40 @@
+package relationship
+
+import (
+	"context"
+
+	"github.com/sourcenetwork/sourcehub/x/acp/auth_engine"
+	"github.com/sourcenetwork/sourcehub/x/acp/types"
+)
+
+func NewRelationshipAuthorizer(engine auth_engine.AuthEngine) *RelationshipAuthorizer {
+	return &RelationshipAuthorizer{
+		engine: engine,
+	}
+}
+
+// RelationshipAuthorizer acts as an Authorization Request engine
+// which validates whether a Relationship can be set or deleted by an Actor.
+//
+// The Permission evaluation is done through a Check call using the auxiliary permissions
+// auto generated by the ACP module and attached to a permission.
+//
+// For instance, take the Relationship (obj:foo, reader, steve) being submitted by Actor Bob.
+// Bob is allowed to Create that relationship if and only if:
+// Bob has the permission _can_manage_reader for "obj:foo".
+type RelationshipAuthorizer struct {
+	engine auth_engine.AuthEngine
+}
+
+// IsAuthorized validates whether actor is a manager for the given relationship.
+//
+// A given Relationship is only valid if for the Relationship's Object and Relation
+// the Actor has an associated permission to manage the Object, Relation pair.
+func (a *RelationshipAuthorizer) IsAuthorized(ctx context.Context, policy *types.Policy, relationship *types.Relationship, actor *types.Actor) (bool, error) {
+	authRequest := &types.Operation{
+		Object:   relationship.Object,
+		Permission: policy.GetManagementPermissionName(relationship.Relation),
+	}
+
+	return a.engine.Check(ctx, policy, authRequest, actor)
+}