fix: subject filtering pagination

[tolgaOzen]

Summary by CodeRabbit

• New Features

  • Updated API documentation version to v1.1.6 for both Swagger and OpenAPI specifications.

• Bug Fixes

  • Improved handling of continuous tokens and pagination in the LookupSubject method, enhancing overall functionality.

• Tests

  • Introduced a new test suite for permissions validation, ensuring robust checks for user roles and group memberships.

• Chores

  • Updated version constants across various files to reflect the new release version v1.1.6.

[coderabbitai]

Walkthrough

This pull request primarily updates the version number of the Permify API documentation and related files from "v1.1.5" to "v1.1.6". The changes span several files, including API documentation and internal components. Additionally, enhancements to the LookupSubject method in the LookupEngine class are introduced, focusing on improved handling of continuous tokens and pagination. New test cases for a subject filter in the permissions system are also added, alongside modifications to the SubjectFilter implementation to refine pagination and wildcard handling.

Changes

File Path	Change Summary
docs/api-reference/apidocs.swagger.json	Version updated from "v1.1.5" to "v1.1.6".
docs/api-reference/openapiv2/apidocs.swagger.json	Version updated from "v1.1.5" to "v1.1.6".
internal/engines/lookup.go	Enhanced LookupSubject method for continuous token handling and pagination logic.
internal/engines/lookup_test.go	New test suite for permissions related to projects and organizations; includes multiple test cases.
internal/engines/subjectFilter.go	Adjusted pagination logic and wildcard handling in SubjectFilter methods.
internal/info.go	Version constant updated from "v1.1.5" to "v1.1.6".
internal/storage/postgres/dataReader.go	New comment suggesting index creation on transactions table for optimization; no logic changes.
proto/base/v1/openapi.proto	Version updated from "v1.1.5" to "v1.1.6".

Possibly related PRs

• build: version info update #1626: Updates version number in multiple files from "v1.1.0" to "v1.1.1", related to versioning context.
• build: version info change #1643: Updates version number in multiple files from "v1.1.1" to "v1.1.2", continuing the versioning sequence.
• fix(depth-check): correctly handle 'depth not enough' error condition #1707: Updates version number from "v1.1.4" to "v1.1.5", part of the same versioning context.
• refactor: remove unnecessary continuous token handling in subject filter #1708: Modifies the LookupSubject method in internal/engines/lookup.go, related to the same file structure.

🐇 In the garden where changes bloom,
A version rises, dispelling gloom.
From five to six, the numbers dance,
With tokens and filters, we take our chance.
Permissions tested, all in a row,
Hoppy updates, let the progress flow! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Outside diff range and nitpick comments (4)

internal/engines/lookup.go (2)

248-257: LGTM: Proper handling of continuous token.

The implementation correctly handles the continuous token when present. It decodes the token and extracts the start value, which is then used for pagination. The error handling for the decoding process is also implemented.

Consider wrapping the error returned from the decoding process to provide more context:

 if err != nil {
-    return nil, err
+    return nil, fmt.Errorf("failed to decode continuous token: %w", err)
 }

---

263-271: LGTM: Correct implementation of pagination starting point.

The code correctly determines the starting index for pagination based on the start value. It handles both cases when start is empty and when it contains a value.

Consider using a binary search instead of a linear search for better performance with large lists:

if start != "" {
    startIndex = sort.Search(len(ids), func(i int) bool {
        return ids[i] >= start
    })
}

This change would improve the time complexity from O(n) to O(log n) for finding the starting index.

internal/engines/subjectFilter.go (2)

Line range hint 120-122: Fix typo in function name subjectfFlterComputedAttribute

The function name subjectfFlterComputedAttribute at lines 120-122 contains a typo with an extra 'f' in 'Filter'. This can lead to confusion and potential issues when referencing the function.

Apply this diff to correct the function name:

-func (engine *SubjectFilter) subjectfFlterComputedAttribute(
+func (engine *SubjectFilter) subjectFilterComputedAttribute(
	request *base.PermissionLookupSubjectRequest,
	ca *base.ComputedAttribute,
) SubjectFilterFunction {

Ensure all references to this function are updated accordingly.

---

Line range hint 153-154: Correct function call to subjectFilterComputedAttribute

In the switch case at lines 153-154, the function subjectfFlterComputedAttribute is called, which includes a typo. It should be subjectFilterComputedAttribute to match the corrected function name.

Apply this diff to correct the function call:

case *base.Leaf_ComputedAttribute:
-	return engine.subjectfFlterComputedAttribute(request, op.ComputedAttribute)
+	return engine.subjectFilterComputedAttribute(request, op.ComputedAttribute)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 9b01a79 and 7f374b4.

⛔ Files ignored due to path filters (1)

• pkg/pb/base/v1/openapi.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (8)

• docs/api-reference/apidocs.swagger.json (1 hunks)
• docs/api-reference/openapiv2/apidocs.swagger.json (1 hunks)
• internal/engines/lookup.go (1 hunks)
• internal/engines/lookup_test.go (1 hunks)
• internal/engines/subjectFilter.go (2 hunks)
• internal/info.go (1 hunks)
• internal/storage/postgres/dataReader.go (1 hunks)
• proto/base/v1/openapi.proto (1 hunks)

✅ Files skipped from review due to trivial changes (5)

• docs/api-reference/apidocs.swagger.json
• docs/api-reference/openapiv2/apidocs.swagger.json
• internal/info.go
• internal/storage/postgres/dataReader.go
• proto/base/v1/openapi.proto

🧰 Additional context used

🔇 Additional comments (4)

internal/engines/lookup.go (1)

243-244: LGTM: Initialization of start variable.

The initialization of the start variable as an empty string is a good practice. It provides a default value and will be used later for pagination handling.

internal/engines/subjectFilter.go (1)

698-700: Properly handle wildcard exclusions in subjectFilterUnion

In lines 698-700 within the subjectFilterUnion function, the condition if id != ALL && !slices.Contains(excludedIds, id) correctly ensures that the ALL wildcard is not added to the list of excluded IDs. This prevents logical errors where the wildcard could mistakenly be treated as an exclusion identifier.

internal/engines/lookup_test.go (2)

4659-4661: 🛠️ Refactor suggestion

Consider adding missing project_edit permission check in project_view.

In the project_view permission definition for the project entity, it might be appropriate to include a direct check for project_edit to ensure consistency and completeness.

Apply this diff to include the project_edit permission:

 permission project_view = (project_edit or perms.project_view)
+permission project_edit = admin or parent.admin or perms.project_edit

Likely invalid or redundant comment.

---

4667-4667: Verify the inclusion of all relevant users in group_perms permissions.

The edit permission in group_perms includes users who are not members of group_perms_1. Ensure that this is intentional and that all necessary users are accounted for.

Run the following script to check membership:

✅ Verification successful

Verified: All users with edit permissions are correctly included in group_perms_1.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that all users with the `edit` permission are members of `group_perms_1`.

# Expected: Only users who are members of `group_perms_1` should have the `edit` permission.

grep -rn 'group_perms:group_perms_1#members@group:' ./internal/engines/lookup_test.go

Length of output: 146

---

Script:

#!/bin/bash
# Description: Verify that all users with the `edit` permission are members of `group_1`.

# Users to verify
users=("user_1" "user_2" "user_3" "user_4")

# Check each user in group_1
for user in "${users[@]}"; do
  grep -q "$user" ./internal/engines/lookup_test.go && echo "$user is a member of group_1" || echo "$user is NOT a member of group_1"
done

Length of output: 637

[coderabbitai]

⚠️ Potential issue

Handle pagination tokens for scalability in QueryRelationships

At lines 432-434, you're using database.NewCursorPagination() without handling pagination tokens in the QueryRelationships call for contextual tuples. Without managing pagination tokens or limits, there may be issues when dealing with large datasets, potentially leading to performance bottlenecks or incomplete data retrieval.

Consider modifying the pagination to handle tokens and set appropriate limits. This could involve passing pagination parameters from the request or defining default limits to ensure efficient data retrieval.

-cti, err = storageContext.NewContextualTuples(request.GetContext().GetTuples()...).QueryRelationships(filter, database.NewCursorPagination())
+pagination := database.NewCursorPagination()
+if request.GetContinuousToken() != "" {
+    pagination.Token = request.GetContinuousToken()
+}
+cti, err = storageContext.NewContextualTuples(request.GetContext().GetTuples()...).QueryRelationships(filter, pagination)

Also, ensure that the ContinuousToken is updated appropriately in the response to support continued pagination.

Committable suggestion was skipped due to low confidence.

[coderabbitai]

⚠️ Potential issue

Ensure consistent pagination handling in data reader queries

At lines 440-442, similar to the previous comment, you're using database.NewCursorPagination() in the QueryRelationships call for the data reader without managing pagination tokens or limits. Consistent pagination handling across both contextual tuples and data reader queries is crucial for predictable and efficient data access.

Consider implementing pagination handling as suggested in the previous comment to ensure consistency. Here's an example:

-pagination := database.NewCursorPagination()
+pagination := database.NewCursorPagination()
+if request.GetContinuousToken() != "" {
+    pagination.Token = request.GetContinuousToken()
+}
 rit, err = engine.dataReader.QueryRelationships(ctx, request.GetTenantId(), filter, request.GetMetadata().GetSnapToken(), pagination)

This ensures that both sources respect the pagination parameters, providing a consistent interface for clients.

Committable suggestion was skipped due to low confidence.

[coderabbitai]

⚠️ Potential issue

Ensure pagination logic handles all subjects correctly.

In the loop for retrieving subject IDs, consider handling potential scenarios where the number of subjects exceeds the page size to avoid missing any subjects due to pagination issues.

Apply this diff to adjust the pagination handling:

 for {
     response, err := invoker.LookupSubject(context.Background(), &base.PermissionLookupSubjectRequest{
         TenantId:         "t1",
         SubjectReference: tuple.RelationReference(filter.subjectReference),
         Entity:           entity,
         Permission:       permission,
         Metadata: &base.PermissionLookupSubjectRequestMetadata{
             SnapToken:     token.NewNoopToken().Encode().String(),
             SchemaVersion: "",
         },
         ContinuousToken: ct,
-        PageSize:        2,
+        PageSize:        100, // Increase page size to handle more subjects
     })
     Expect(err).ShouldNot(HaveOccurred())

     ids = append(ids, response.GetSubjectIds()...)

     ct = response.GetContinuousToken()

     if ct == "" {
         break
     }
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	for permission, res := range filter.assertions {
	ct := ""
	var ids []string
	for {
	response, err := invoker.LookupSubject(context.Background(), &base.PermissionLookupSubjectRequest{
	TenantId: "t1",
	SubjectReference: tuple.RelationReference(filter.subjectReference),
	Entity: entity,
	Permission: permission,
	Metadata: &base.PermissionLookupSubjectRequestMetadata{
	SnapToken: token.NewNoopToken().Encode().String(),
	SchemaVersion: "",
	},
	ContinuousToken: ct,
	PageSize: 2,
	})
	Expect(err).ShouldNot(HaveOccurred())
	ids = append(ids, response.GetSubjectIds()...)
	ct = response.GetContinuousToken()
	if ct == "" {
	break
	}
	}
	Expect(ids).Should(Equal(res))
	for permission, res := range filter.assertions {
	ct := ""
	var ids []string
	for {
	response, err := invoker.LookupSubject(context.Background(), &base.PermissionLookupSubjectRequest{
	TenantId: "t1",
	SubjectReference: tuple.RelationReference(filter.subjectReference),
	Entity: entity,
	Permission: permission,
	Metadata: &base.PermissionLookupSubjectRequestMetadata{
	SnapToken: token.NewNoopToken().Encode().String(),
	SchemaVersion: "",
	},
	ContinuousToken: ct,
	PageSize: 100, // Increase page size to handle more subjects
	})
	Expect(err).ShouldNot(HaveOccurred())
	ids = append(ids, response.GetSubjectIds()...)
	ct = response.GetContinuousToken()
	if ct == "" {
	break
	}
	}
	Expect(ids).Should(Equal(res))