feat: bulk deletion of relation tuples

[vancanhuit]

Related issue(s)

Closes #599

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[zepatrik]

This is already a good start, but needs some improvements. Also, the same behavior should be reflected over gRPC as well.

[zepatrik]

This is quite problematic as you only delete the first page here. Can you instead implement the selection of delete candidates on the persistence layer? A request DELETE /relation-tuples?namespace=foo should result in the following SQL statement to be executed: DELETE FROM keto_relation_tuples WHERE namespace=foo.

[vancanhuit]

Aha, yeah I will try. For the gRPC part, I may need time to understand it because I've never worked with gRPC before.

[zepatrik]

Ah so there is no specific delete RPC, but only the transact one. I would add a DeleteReleationTuples RPC here

keto/proto/ory/keto/acl/v1alpha1/write_service.proto

Lines 14 to 20 in 67c4c60

	// The write service to create and delete Access Control Lists.
	//
	// This service is part of the [write-APIs](../concepts/api-overview.mdx#write-apis).
	service WriteService {
	// Writes one or more relation tuples in a single transaction.
	rpc TransactRelationTuples(TransactRelationTuplesRequest) returns (TransactRelationTuplesResponse);
	}

It should behave exactly as the REST handler, so you can probably use the same internal helper function. The current transaction handler is implemented here:

keto/internal/relationtuple/transact_server.go

Lines 30 to 53 in 67c4c60

	func (h *handler) TransactRelationTuples(ctx context.Context, req *acl.TransactRelationTuplesRequest) (*acl.TransactRelationTuplesResponse, error) {
	insertTuples, err := protoTuplesWithAction(req.RelationTupleDeltas, acl.RelationTupleDelta_INSERT)
	if err != nil {
	return nil, err
	}
	deleteTuples, err := protoTuplesWithAction(req.RelationTupleDeltas, acl.RelationTupleDelta_DELETE)
	if err != nil {
	return nil, err
	}
	err = h.d.RelationTupleManager().TransactRelationTuples(ctx, insertTuples, deleteTuples)
	if err != nil {
	return nil, err
	}
	snaptokens := make([]string, len(insertTuples))
	for i := range insertTuples {
	snaptokens[i] = "not yet implemented"
	}
	return &acl.TransactRelationTuplesResponse{
	Snaptokens: snaptokens,
	}, nil
	}

, you can just follow the implementation of that as a guidance.

[zepatrik]

Getting there 😉

[zepatrik]

Please use the pop query builder for this instead of raw query. Just as we do here:

keto/internal/persistence/sql/relationtuples.go

Lines 218 to 236 in 7ee65b5

	if query.Relation != "" {
	sqlQuery.Where("relation = ?", query.Relation)
	}
	if query.Object != "" {
	sqlQuery.Where("object = ?", query.Object)
	}
	if s := query.Subject(); s != nil {
	if err := p.whereSubject(ctx, sqlQuery, s); err != nil {
	return nil, "", err
	}
	}
	if query.Namespace != "" {
	n, err := p.GetNamespaceByName(ctx, query.Namespace)
	if err != nil {
	return nil, "", err
	}
	sqlQuery.Where("namespace_id = ?", n.ID)
	}

and here

keto/internal/persistence/sql/relationtuples.go

Lines 186 to 196 in 7ee65b5

	q := p.QueryWithNetwork(ctx).
	Where("namespace_id = ?", n.ID).
	Where("object = ?", r.Object).
	Where("relation = ?", r.Relation)
	if err := p.whereSubject(ctx, q, r.Subject); err != nil {
	return err
	}
	if err := q.Delete(&RelationTuple{}); err != nil {
	return err
	}

As is, there is no SQL injection possible, but it is easy to add one later if you don't pay attention.

[vancanhuit]

Ah, my bad. I actually used pop query builder but for some reason, it didn't work. Now I realized why 🤪
I will push a new commit.

[vancanhuit]

For the gRPC part, I had a basic understanding of it, now trying to figure out how to do it.

[zepatrik]

Always return errors.WithStack(herodot.ErrInvalidRequest.WithReason(...)) or similar errors, they will automatically set the right response codes through the middle-ware.

[zepatrik]

Now this looks very good now. The very last thing would be to add e2e tests.

• here are all cases, add some more that test the new feature: https://github.com/ory/keto/blob/7ee65b5cd0827a3de87be3b6a7fa62d9038ea2df/internal/e2e/cases_test.go
• here is the interface definition for the clients, add a deleteAll function and implement it in all clients:

  keto/internal/e2e/full_suit_test.go

  Lines 33 to 41 in 7ee65b5

  	client interface {
  	createTuple(t require.TestingT, r *relationtuple.InternalRelationTuple)
  	deleteTuple(t require.TestingT, r *relationtuple.InternalRelationTuple)
  	queryTuple(t require.TestingT, q *relationtuple.RelationQuery, opts ...x.PaginationOptionSetter) *relationtuple.GetResponse
  	queryTupleErr(t require.TestingT, expected herodot.DefaultError, q *relationtuple.RelationQuery, opts ...x.PaginationOptionSetter)
  	check(t require.TestingT, r *relationtuple.InternalRelationTuple) bool
  	expand(t require.TestingT, r *relationtuple.SubjectSet, depth int) *expand.Tree
  	waitUntilLive(t require.TestingT)
  	}

[zepatrik]

Now this looks way better, but it is the same code as in the GetRelationTuples function.
Can you instead add a helper function similar to this (naming is just a draft):

// whereQuery takes a relation tuple query and appends where clauses to the base pop query
func whereQuery(ctx context.Context, baseQuery *pop.Query, rq *relationtuple.RelationQuery) (*pop.Query, error) {
	if query.Namespace != "" {
		n, err := p.GetNamespaceByName(ctx, rq.Namespace)
		if err != nil {
			return nil, err
		}
		baseQuery.Where("namespace_id = ?", n.ID)
	}
	if rq.Object != "" {
		baseQuery.Where("object = ?", rq.Object)
	}
	if rq.Relation != "" {
		baseQuery.Where("relation = ?", rq.Relation)
	}
	if s := rq.Subject(); s != nil {
		if err := p.whereSubject(ctx, baseQuery, s); err != nil {
			return err
		}
	}
}

[zepatrik]

And then of course use it in both functions.

[vancanhuit]

Yeah, I will update it.

[zepatrik]

The generated proto definitions have getter functions, so you can instead rewrite func (q *RelationQuery) FromProto(...) to take an interface with the getter functions. That way you don't have to convert the type which might break in the future at some point.

[vancanhuit]

I will add e2e tests later on.

[vancanhuit]

@zepatrik Currently I'm getting stuck in the CLI client test. The keto relation-tuple delete command only supports JSON files containing a list of tuples. It is impossible to create a test for it based on a relation query. What should I do?

[zepatrik]

I think it would make sense to not break keto relation-tuple delete behavior, but maybe add a flag --all-matching and then flags for each key you could delete by? Similar to how the list command works:

keto/cmd/relationtuple/get.go

Lines 22 to 65 in fabf1a0

	const (
	FlagSubject = "subject"
	FlagSubjectID = "subject-id"
	FlagSubjectSet = "subject-set"
	FlagRelation = "relation"
	FlagObject = "object"
	FlagPageSize = "page-size"
	FlagPageToken = "page-token"
	)
	func registerRelationTupleFlags(flags *pflag.FlagSet) {
	flags.String(FlagSubjectID, "", "Set the requested subject ID")
	flags.String(FlagSubjectSet, "", `Set the requested subject set; format: "namespace:object#relation"`)
	flags.String(FlagRelation, "", "Set the requested relation")
	flags.String(FlagObject, "", "Set the requested object")
	flags.String(FlagSubject, "", "")
	if err := flags.MarkHidden(FlagSubject); err != nil {
	panic(err.Error())
	}
	}
	func readQueryFromFlags(cmd *cobra.Command, namespace string) (*acl.ListRelationTuplesRequest_Query, error) {
	query := &acl.ListRelationTuplesRequest_Query{
	Namespace: namespace,
	Object: flagx.MustGetString(cmd, FlagObject),
	Relation: flagx.MustGetString(cmd, FlagRelation),
	}
	switch flags := cmd.Flags(); {
	case flags.Changed(FlagSubjectID) && flags.Changed(FlagSubjectSet):
	return nil, relationtuple.ErrDuplicateSubject
	case flags.Changed(FlagSubjectID):
	query.Subject = (&relationtuple.SubjectID{ID: flagx.MustGetString(cmd, FlagSubjectID)}).ToProto()
	case flags.Changed(FlagSubjectSet):
	s, err := (&relationtuple.SubjectSet{}).FromString(flagx.MustGetString(cmd, FlagSubjectSet))
	if err != nil {
	return nil, err
	}
	query.Subject = s.ToProto()
	}
	return query, nil
	}

[vancanhuit]

I think it would make sense to not break keto relation-tuple delete behavior, but maybe add a flag --all-matching and then flags for each key you could delete by? Similar to how the list command works:

keto/cmd/relationtuple/get.go

Lines 22 to 65 in fabf1a0

	const (
	FlagSubject = "subject"
	FlagSubjectID = "subject-id"
	FlagSubjectSet = "subject-set"
	FlagRelation = "relation"
	FlagObject = "object"
	FlagPageSize = "page-size"
	FlagPageToken = "page-token"
	)
	func registerRelationTupleFlags(flags *pflag.FlagSet) {
	flags.String(FlagSubjectID, "", "Set the requested subject ID")
	flags.String(FlagSubjectSet, "", `Set the requested subject set; format: "namespace:object#relation"`)
	flags.String(FlagRelation, "", "Set the requested relation")
	flags.String(FlagObject, "", "Set the requested object")
	flags.String(FlagSubject, "", "")
	if err := flags.MarkHidden(FlagSubject); err != nil {
	panic(err.Error())
	}
	}
	func readQueryFromFlags(cmd *cobra.Command, namespace string) (*acl.ListRelationTuplesRequest_Query, error) {
	query := &acl.ListRelationTuplesRequest_Query{
	Namespace: namespace,
	Object: flagx.MustGetString(cmd, FlagObject),
	Relation: flagx.MustGetString(cmd, FlagRelation),
	}
	switch flags := cmd.Flags(); {
	case flags.Changed(FlagSubjectID) && flags.Changed(FlagSubjectSet):
	return nil, relationtuple.ErrDuplicateSubject
	case flags.Changed(FlagSubjectID):
	query.Subject = (&relationtuple.SubjectID{ID: flagx.MustGetString(cmd, FlagSubjectID)}).ToProto()
	case flags.Changed(FlagSubjectSet):
	s, err := (&relationtuple.SubjectSet{}).FromString(flagx.MustGetString(cmd, FlagSubjectSet))
	if err != nil {
	return nil, err
	}
	query.Subject = s.ToProto()
	}
	return query, nil
	}

Does this mean that we will support two cases: one is deleting from JSON files and one is deleting by specifying query keys?

[vancanhuit]

@zepatrik How do you think about my latest change?

[zepatrik]

Thank you, this looks very good now 👍
I am really sorry for the late review.

[zepatrik]

This will result in breaking changes in the SDK, right @aeneasr? The behavior changed a bit, but nothing that should break existing integrations.

[zepatrik]

FYI, as this is a new rpc it will not break existing integrations.

[zepatrik]

I actually just realized that splitting the delete and delete-all into two subcommands makes more sense, as it now reflects the two behaviors and will not break existing behavior. Also, with this it should be harder to delete stuff by mistake. Thought it is easier if I just quickly do that instead of annoying you again 😅
Thanks again for your work there, appreciate 👍