refactor: exclusion changes

Permify · May 25, 2023 · a2bd653 · a2bd653
1 parent eb50999
commit a2bd653
Show file tree

Hide file tree

Showing 9 changed files with 72 additions and 58 deletions.
diff --git a/internal/schema/linkedSchema_test.go b/internal/schema/linkedSchema_test.go
@@ -109,7 +109,7 @@ var _ = Describe("connected schema", func() {
 				relation viewer @user
 				relation editor @user
 				relation owner @user
-				action view = viewer and editor and not owner
+				action view = viewer and editor not owner
 			}
 			`).Parse()
 

diff --git a/internal/schema/schema_test.go b/internal/schema/schema_test.go
@@ -73,7 +73,6 @@ var _ = Describe("schema", func() {
 									RewriteOperation: base.Rewrite_OPERATION_UNION,
 									Children: []*base.Child{
 										{
-											Exclusion: false,
 											Type: &base.Child_Leaf{
 												Leaf: &base.Leaf{
 													Type: &base.Leaf_ComputedUserSet{
@@ -85,7 +84,6 @@ var _ = Describe("schema", func() {
 											},
 										},
 										{
-											Exclusion: false,
 											Type: &base.Child_Leaf{
 												Leaf: &base.Leaf{
 													Type: &base.Leaf_ComputedUserSet{
@@ -155,7 +153,6 @@ var _ = Describe("schema", func() {
 									RewriteOperation: base.Rewrite_OPERATION_UNION,
 									Children: []*base.Child{
 										{
-											Exclusion: false,
 											Type: &base.Child_Leaf{
 												Leaf: &base.Leaf{
 													Type: &base.Leaf_ComputedUserSet{
@@ -167,7 +164,6 @@ var _ = Describe("schema", func() {
 											},
 										},
 										{
-											Exclusion: false,
 											Type: &base.Child_Leaf{
 												Leaf: &base.Leaf{
 													Type: &base.Leaf_ComputedUserSet{
@@ -232,7 +228,6 @@ var _ = Describe("schema", func() {
 									RewriteOperation: base.Rewrite_OPERATION_INTERSECTION,
 									Children: []*base.Child{
 										{
-											Exclusion: false,
 											Type: &base.Child_Leaf{
 												Leaf: &base.Leaf{
 													Type: &base.Leaf_ComputedUserSet{
@@ -249,7 +244,6 @@ var _ = Describe("schema", func() {
 													RewriteOperation: base.Rewrite_OPERATION_UNION,
 													Children: []*base.Child{
 														{
-															Exclusion: false,
 															Type: &base.Child_Leaf{
 																Leaf: &base.Leaf{
 																	Type: &base.Leaf_ComputedUserSet{
@@ -261,7 +255,6 @@ var _ = Describe("schema", func() {
 															},
 														},
 														{
-															Exclusion: false,
 															Type: &base.Child_Leaf{
 																Leaf: &base.Leaf{
 																	Type: &base.Leaf_TupleToUserSet{
@@ -289,7 +282,6 @@ var _ = Describe("schema", func() {
 					"delete": {
 						Name: "delete",
 						Child: &base.Child{
-							Exclusion: false,
 							Type: &base.Child_Leaf{
 								Leaf: &base.Leaf{
 									Type: &base.Leaf_TupleToUserSet{

diff --git a/pkg/development/development.go b/pkg/development/development.go
@@ -53,14 +53,15 @@ func NewContainer() *Development {
 	expandEngine := engines.NewExpandEngine(schemaReader, relationshipReader)
 	entityFilterEngine := engines.NewEntityFilterEngine(schemaReader, relationshipReader)
 	lookupEntityEngine := engines.NewLookupEntityEngine(checkEngine, entityFilterEngine)
+	lookupSubjectEngine := engines.NewLookupSubjectEngine(schemaReader, relationshipReader)
 
 	invoker := invoke.NewDirectInvoker(
 		schemaReader,
 		relationshipReader,
 		checkEngine,
 		expandEngine,
 		lookupEntityEngine,
-		nil,
+		lookupSubjectEngine,
 	)
 
 	checkEngine.SetInvoker(invoker)
@@ -91,7 +92,6 @@ func (c *Development) Check(ctx context.Context, subject *v1.Subject, action str
 			SchemaVersion: "",
 			SnapToken:     "",
 			Depth:         20,
-			Exclusion:     false,
 		},
 	}
 
@@ -118,6 +118,24 @@ func (c *Development) LookupEntity(ctx context.Context, subject *v1.Subject, per
 	return c.Container.Invoker.LookupEntity(ctx, req)
 }
 
+// LookupSubject - Looks up a subject's permissions for a given entıty and permission
+func (c *Development) LookupSubject(ctx context.Context, entity *v1.Entity, permission string, subjectReference *v1.RelationReference) (res *v1.PermissionLookupSubjectResponse, err error) {
+	// Create a new permission lookup entity request with the given subject, permission, entity type, and metadata
+	req := &v1.PermissionLookupSubjectRequest{
+		TenantId:         "t1",
+		Entity:           entity,
+		Permission:       permission,
+		SubjectReference: subjectReference,
+		Metadata: &v1.PermissionLookupSubjectRequestMetadata{
+			SchemaVersion: "",
+			SnapToken:     "",
+		},
+	}
+
+	// Invoke the permission lookup entity using the container's invoker and return the response
+	return c.Container.Invoker.LookupSubject(ctx, req)
+}
+
 // ReadTuple - Creates new read API request
 func (c *Development) ReadTuple(ctx context.Context, filter *v1.TupleFilter) (tuples *database.TupleCollection, continuousToken database.EncodedContinuousToken, err error) {
 	// Get the head snapshot of the "t1" schema from the schema repository

diff --git a/pkg/development/graph/graph.go b/pkg/development/graph/graph.go
@@ -13,9 +13,8 @@ type Node struct {
 
 // Edge - Edge Structure
 type Edge struct {
-	Extra any   `json:"extra"`
-	From  *Node `json:"from"`
-	To    *Node `json:"to"`
+	From *Node `json:"from"`
+	To   *Node `json:"to"`
 }
 
 // Graph - Graph Structure
@@ -57,12 +56,11 @@ func (g *Graph) AddEdges(e []*Edge) {
 }
 
 // AddEdge - Add edge to graph
-func (g *Graph) AddEdge(from, to *Node, extra any) {
+func (g *Graph) AddEdge(from, to *Node) {
 	g.lock.Lock()
 	g.edges = append(g.edges, &Edge{
-		Extra: extra,
-		From:  from,
-		To:    to,
+		From: from,
+		To:   to,
 	})
 	g.lock.Unlock()
 }
diff --git a/pkg/development/graph/schema.go b/pkg/development/graph/schema.go
@@ -56,19 +56,19 @@ func EntityToGraph(entity *base.EntityDefinition) (g Graph, err error) {
 					Type:  "relation",
 					ID:    fmt.Sprintf("%s#%s", ref.GetType(), ref.GetRelation()),
 					Label: re.Name,
-				}, nil)
+				})
 			} else {
 				g.AddEdge(reNode, &Node{
 					Type:  "entity",
 					ID:    fmt.Sprintf("%s", ref.GetType()),
 					Label: re.Name,
-				}, nil)
+				})
 			}
 		}
 
 		// Add relation node and edge to the graph
 		g.AddNode(reNode)
-		g.AddEdge(enNode, reNode, nil)
+		g.AddEdge(enNode, reNode)
 	}
 
 	// Iterate through the permissions in the entity
@@ -80,7 +80,7 @@ func EntityToGraph(entity *base.EntityDefinition) (g Graph, err error) {
 			Label: permission.GetName(),
 		}
 		g.AddNode(acNode)
-		g.AddEdge(enNode, acNode, nil)
+		g.AddEdge(enNode, acNode)
 		// Build permission graph for each permission
 		ag, err := buildPermissionGraph(entity, acNode, []*base.Child{permission.GetChild()})
 		if err != nil {
@@ -110,7 +110,7 @@ func buildPermissionGraph(entity *base.EntityDefinition, from *Node, children []
 
 			// Add the rewrite node to the graph and connect it to the parent node
 			g.AddNode(rw)
-			g.AddEdge(from, rw, child.GetExclusion())
+			g.AddEdge(from, rw)
 			// Recursively process the children of the rewrite node
 			ag, err := buildPermissionGraph(entity, rw, child.GetRewrite().GetChildren())
 			if err != nil {
@@ -136,15 +136,15 @@ func buildPermissionGraph(entity *base.EntityDefinition, from *Node, children []
 					Type:  "relation",
 					ID:    fmt.Sprintf("%s#%s", GetTupleSetReferenceReference(re), leaf.GetTupleToUserSet().GetComputed().GetRelation()),
 					Label: leaf.GetTupleToUserSet().GetComputed().GetRelation(),
-				}, child.GetExclusion())
+				})
 
 			case *base.Leaf_ComputedUserSet:
 				// Add an edge between the parent node and the computed user set relation node
 				g.AddEdge(from, &Node{
 					Type:  "relation",
 					ID:    fmt.Sprintf("%s#%s", entity.GetName(), leaf.GetComputedUserSet().GetRelation()),
 					Label: leaf.GetComputedUserSet().GetRelation(),
-				}, child.GetExclusion())
+				})
 			default:
 				break
 			}

diff --git a/pkg/dsl/token/token.go b/pkg/dsl/token/token.go
@@ -90,16 +90,12 @@ const (
 	RELATION   = "RELATION"
 	PERMISSION = "PERMISSION"
 
-	/*
-		Prefix
-	*/
-	NOT = "NOT"
-
 	/*
 		Logical
 	*/
 	AND = "AND"
 	OR  = "OR"
+	NOT = "NOT"
 
 	/*
 		Comments

diff --git a/pkg/schema/builder.go b/pkg/schema/builder.go
@@ -103,9 +103,8 @@ func Permissions(defs ...*base.PermissionDefinition) []*base.PermissionDefinitio
 // ComputedUserSet - returns a Child definition that represents a computed set of users based on a relation
 // relation: the name of the relation on which the computed set is based
 // exclusion: a boolean indicating if the computed set should exclude or include the users in the set
-func ComputedUserSet(relation string, exclusion bool) *base.Child {
+func ComputedUserSet(relation string) *base.Child {
 	return &base.Child{
-		Exclusion: exclusion,
 		Type: &base.Child_Leaf{
 			Leaf: &base.Leaf{
 				Type: &base.Leaf_ComputedUserSet{
@@ -126,9 +125,8 @@ func ComputedUserSet(relation string, exclusion bool) *base.Child {
 // relation: the name of the relation for the computed user set
 // exclusion: a boolean indicating whether to exclude the computed user set
 // Returns a pointer to a base.Child struct.
-func TupleToUserSet(reference, relation string, exclusion bool) *base.Child {
+func TupleToUserSet(reference, relation string) *base.Child {
 	return &base.Child{
-		Exclusion: exclusion,
 		Type: &base.Child_Leaf{
 			Leaf: &base.Leaf{
 				Type: &base.Leaf_TupleToUserSet{
@@ -169,3 +167,15 @@ func Intersection(children ...*base.Child) *base.Child {
 		},
 	}
 }
+
+// Exclusion - Returns a child element that represents the exclusion of the given children. This child element can be used in defining entity relations and actions.
+func Exclusion(children ...*base.Child) *base.Child {
+	return &base.Child{
+		Type: &base.Child_Rewrite{
+			Rewrite: &base.Rewrite{
+				RewriteOperation: base.Rewrite_OPERATION_EXCLUSION,
+				Children:         children,
+			},
+		},
+	}
+}