Change to storing the tupleset in entrypoint, to remove the need for …

…the operations path

internal/graph/reachableresources.go

@@ -104,25 +104,20 @@ func (crr *ConcurrentReachableResources) ReachableResources(
 		case core.ReachabilityEntrypoint_TUPLESET_TO_USERSET_ENTRYPOINT:
 			containingRelation := entrypoint.ContainingRelationOrPermission()
 
-			// TODO(jschorr): Should we put this information into the entrypoint itself, to avoid
-			// a lookup of the namespace?
-			nsDef, ttuTypeSystem, err := namespace.ReadNamespaceAndTypes(ctx, containingRelation.Namespace, reader)
+			_, ttuTypeSystem, err := namespace.ReadNamespaceAndTypes(ctx, containingRelation.Namespace, reader)
 			if err != nil {
 				return err
 			}
 
-			ttu := entrypoint.TupleToUserset(nsDef)
-			if ttu == nil {
-				return fmt.Errorf("found nil ttu for TTU entrypoint")
-			}
+			tuplesetRelation := entrypoint.TuplesetRelation()
 
 			// Search for the resolved subject in the tupleset of the TTU. Note that we need to do so
 			// for both `...` as well as the subject's defined relation, as either is applicable in
 			// the tupleset (the relation is ignored when following the arrow).
 			relations := strset.New(tuple.Ellipsis, req.Subject.Relation)
 
 			for _, subjectRelation := range relations.List() {
-				isAllowed, err := ttuTypeSystem.IsAllowedDirectRelation(ttu.Tupleset.Relation, req.Subject.Namespace, subjectRelation)
+				isAllowed, err := ttuTypeSystem.IsAllowedDirectRelation(tuplesetRelation, req.Subject.Namespace, subjectRelation)
 				if err != nil {
 					return err
 				}
@@ -140,7 +135,7 @@ func (crr *ConcurrentReachableResources) ReachableResources(
 					}),
 					options.WithResRelation(&options.ResourceRelation{
 						Namespace: containingRelation.Namespace,
-						Relation:  ttu.Tupleset.Relation,
+						Relation:  tuplesetRelation,
 					}),
 				)
 				if err != nil {

internal/namespace/reachabilitygraph.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/authzed/spicedb/pkg/graph"
 	core "github.com/authzed/spicedb/pkg/proto/core/v1"
 	"github.com/authzed/spicedb/pkg/tuple"
 )
@@ -31,23 +30,13 @@ func (re ReachabilityEntrypoint) EntrypointKind() core.ReachabilityEntrypoint_Re
 	return re.re.Kind
 }
 
-// TupleToUserset returns the TTU associated with this entrypoint, if a TUPLESET_TO_USERSET_ENTRYPOINT.
-func (re ReachabilityEntrypoint) TupleToUserset(nsDef *core.NamespaceDefinition) *core.TupleToUserset {
+// TuplesetRelation returns the tupleset relation of the TTU, if a TUPLESET_TO_USERSET_ENTRYPOINT.
+func (re ReachabilityEntrypoint) TuplesetRelation() string {
 	if re.EntrypointKind() != core.ReachabilityEntrypoint_TUPLESET_TO_USERSET_ENTRYPOINT {
 		panic(fmt.Sprintf("cannot call TupleToUserset for kind %v", re.EntrypointKind()))
 	}
 
-	if nsDef.Name != re.parentRelation.Namespace {
-		panic("invalid namespace definition given to TupleToUserset")
-	}
-
-	for _, relation := range nsDef.Relation {
-		if relation.Name == re.parentRelation.Relation {
-			return graph.FindOperation[core.TupleToUserset](relation.GetUsersetRewrite(), re.re.OperationPath)
-		}
-	}
-
-	return nil
+	return re.re.TuplesetRelation
 }
 
 // DirectRelation is the relation that this entrypoint represents, if a RELATION_ENTRYPOINT.
@@ -168,17 +157,6 @@ func (rg *ReachabilityGraph) getOrBuildGraph(ctx context.Context, resourceType *
 		return nil, err
 	}
 
-	relation, ok := rts.relationMap[resourceType.Relation]
-	if !ok {
-		return nil, fmt.Errorf("unknown relation `%s` under namespace `%s` for reachability", resourceType.Relation, resourceType.Namespace)
-	}
-
-	// Decorate with operation paths, if necessary.
-	derr := decorateRelationOpPaths(relation)
-	if derr != nil {
-		return nil, derr
-	}
-
 	rrg, err := computeReachability(ctx, rts, resourceType.Relation, reachabilityOption)
 	if err != nil {
 		return nil, err

internal/namespace/reachabilitygraphbuilder.go

@@ -36,7 +36,7 @@ func computeReachability(ctx context.Context, ts *TypeSystem, relationName strin
 
 	// If there is no userRewrite, then we have a relation and its entrypoints will all be
 	// relation entrypoints.
-	return graph, addSubjectLinks(graph, []uint32{}, core.ReachabilityEntrypoint_DIRECT_OPERATION_RESULT, targetRelation, ts)
+	return graph, addSubjectLinks(graph, core.ReachabilityEntrypoint_DIRECT_OPERATION_RESULT, targetRelation, ts)
 }
 
 func computeRewriteReachability(ctx context.Context, graph *core.ReachabilityGraph, rewrite *core.UsersetRewrite, operationResultState core.ReachabilityEntrypoint_EntrypointResultStatus, targetRelation *core.Relation, ts *TypeSystem, option reachabilityOption) error {
@@ -71,16 +71,12 @@ func computeRewriteOpReachability(ctx context.Context, children []*core.SetOpera
 		Relation:  targetRelation.Name,
 	}
 
-	for index, childOneof := range children {
-		if len(childOneof.OperationPath) == 0 {
-			return fmt.Errorf("missing operation path on child #%d under relation `%s#%s`", index, ts.nsDef.Name, targetRelation.Name)
-		}
-
+	for _, childOneof := range children {
 		switch child := childOneof.ChildType.(type) {
 		case *core.SetOperation_Child_XThis:
 			// TODO(jschorr): Remove once v0 namespace support is completed removed.
 			// A _this{} indicates subject links directly to the operation.
-			err := addSubjectLinks(graph, childOneof.OperationPath, operationResultState, targetRelation, ts)
+			err := addSubjectLinks(graph, operationResultState, targetRelation, ts)
 			if err != nil {
 				return err
 			}
@@ -90,7 +86,6 @@ func computeRewriteOpReachability(ctx context.Context, children []*core.SetOpera
 			addSubjectEntrypoint(graph, ts.nsDef.Name, child.ComputedUserset.Relation, &core.ReachabilityEntrypoint{
 				Kind:           core.ReachabilityEntrypoint_COMPUTED_USERSET_ENTRYPOINT,
 				TargetRelation: rr,
-				OperationPath:  childOneof.OperationPath,
 				ResultStatus:   operationResultState,
 			})
 
@@ -146,10 +141,10 @@ func computeRewriteOpReachability(ctx context.Context, children []*core.SetOpera
 
 				if relTypeSystem.HasRelation(computedUsersetRelation) {
 					addSubjectEntrypoint(graph, allowedRelationType.Namespace, computedUsersetRelation, &core.ReachabilityEntrypoint{
-						Kind:           core.ReachabilityEntrypoint_TUPLESET_TO_USERSET_ENTRYPOINT,
-						TargetRelation: rr,
-						OperationPath:  childOneof.OperationPath,
-						ResultStatus:   operationResultState,
+						Kind:             core.ReachabilityEntrypoint_TUPLESET_TO_USERSET_ENTRYPOINT,
+						TargetRelation:   rr,
+						ResultStatus:     operationResultState,
+						TuplesetRelation: tuplesetRelation,
 					})
 				}
 			}
@@ -188,7 +183,7 @@ func addSubjectEntrypoint(graph *core.ReachabilityGraph, namespaceName string, r
 	)
 }
 
-func addSubjectLinks(graph *core.ReachabilityGraph, operationPath []uint32, operationResultState core.ReachabilityEntrypoint_EntrypointResultStatus, relation *core.Relation, ts *TypeSystem) error {
+func addSubjectLinks(graph *core.ReachabilityGraph, operationResultState core.ReachabilityEntrypoint_EntrypointResultStatus, relation *core.Relation, ts *TypeSystem) error {
 	typeInfo := relation.GetTypeInformation()
 	if typeInfo == nil {
 		return fmt.Errorf("missing type information for relation %s#%s", ts.nsDef.Name, relation.Name)
@@ -216,7 +211,6 @@ func addSubjectLinks(graph *core.ReachabilityGraph, operationPath []uint32, oper
 				&core.ReachabilityEntrypoint{
 					Kind:           core.ReachabilityEntrypoint_RELATION_ENTRYPOINT,
 					TargetRelation: rr,
-					OperationPath:  operationPath,
 					ResultStatus:   operationResultState,
 				},
 			)
@@ -226,7 +220,6 @@ func addSubjectLinks(graph *core.ReachabilityGraph, operationPath []uint32, oper
 		addSubjectEntrypoint(graph, directRelation.Namespace, directRelation.GetRelation(), &core.ReachabilityEntrypoint{
 			Kind:           core.ReachabilityEntrypoint_RELATION_ENTRYPOINT,
 			TargetRelation: rr,
-			OperationPath:  operationPath,
 			ResultStatus:   operationResultState,
 		})
 	}