Update BaseSubjectSet to support caveat expressions #932
Conversation
github-actions
bot
added
area/api v1
josephschorr
force-pushed
the
ls-subjectset
branch
from
3bec295 to
21c5fca
Compare
| @@ -161,7 +161,8 @@ message DispatchLookupSubjectsRequest { | |||
|
|
|||
| message FoundSubject { | |||
| string subject_id = 1; | |||
| repeated string excluded_subject_ids = 2; | |||
| CaveatExpression conditional_expression = 2; | |||
There was a problem hiding this comment.
I don't know off the top of my head what the best way to break a grpc api is - it might be better to skip 2 here entirely?
There was a problem hiding this comment.
It only really matters if we intend back compat and to do so we'd have to fill in the excluded IDs as well. We could do that, but it would require keeping around the extra logic
| for _, excludedSubject := range fs.excludedSubjects { | ||
| // TODO(jschorr): Fix once we add caveats support to debug tooling | ||
| if excludedSubject.conditionalExpression != nil { | ||
| panic("not yet supported") |
There was a problem hiding this comment.
won't panic-ing here prevent us from cutting an release without the debug tooling implemented?
There was a problem hiding this comment.
Yep! That's intended; I want to do something here, even if it is just returning "(unsupported)", but I don't know exactly what yet, so I added in panics
internal/util/basesubjectset.go
Outdated
| // Add adds the found subject to the set. This is equivalent to a Union operation between the | ||
| // existing set of subjects and a set containing the single subject. | ||
| // existing set of subjects and a set containing the single subject, but modifies the set | ||
| // *in place*. | ||
| func (bss BaseSubjectSet[T]) Add(foundSubject T) bool { |
There was a problem hiding this comment.
I haven't gotten to the callsites yet, but it's not obvious to me why Add should return a bool or why it's helpful to know if the set had a wildcard before the add.
There was a problem hiding this comment.
standard set semantics: did this subject already exist when I added it
| } | ||
|
|
||
| // SubtractAll subtracts the other set of subjects from this set of subtracts, modifying this | ||
| // set in place. | ||
| // set *in place*. | ||
| func (bss BaseSubjectSet[T]) SubtractAll(other BaseSubjectSet[T]) { |
There was a problem hiding this comment.
Why not just have Subtract(sets ...BaseSubjectSet[T]) to cover Subtract and SubtractAll?
There was a problem hiding this comment.
Subtract takes in a single element, not a set and to have a combined method, we'd have to convert from one or the other
internal/util/basesubjectset.go
Outdated
| } | ||
|
|
||
| bss.wildcard.subtractConcrete(foundSubject) | ||
| bss.concrete.subtractConcrete(foundSubject) |
There was a problem hiding this comment.
I think this double-bookkeeping is weird but I don't have an alternate suggestion at the moment.
Every operation actually modifies these two underlying sets, and I'll have to figure out how they get combined elsewhere.
There was a problem hiding this comment.
The combination is just taking the values in each; they each track their own state independently.
josephschorr
force-pushed
the
ls-subjectset
branch
from
21c5fca to
ccc2211
Compare
josephschorr
force-pushed
the
ls-subjectset
branch
2 times, most recently
from
2e2a07d to
8a0920c
Compare
|
Updated |
There was a problem hiding this comment.
Had final look, this is some complex stuff and I really appreciate how thorough you were with tests and comments. Could only find one test-test that seems to be missing, touches a portion of code that was untested, and is not giving the result (I, at least) expected
Once that's addressed this LGTM
EDIT: there is also a linter failure
josephschorr
force-pushed
the
ls-subjectset
branch
from
8a0920c to
f84ed73
Compare
|
Updated |
josephschorr
force-pushed
the
ls-subjectset
branch
2 times, most recently
from
f4aaae0 to
442752d
Compare
josephschorr
force-pushed
the
ls-subjectset
branch
5 times, most recently
from
0d2d1f5 to
dc79c72
Compare
There was a problem hiding this comment.
LGTM
I'm convinced this works 👍
Added some extra tests to convince myself in this branch, for future reference: josephschorr/spicedb@josephschorr:dc79c72...ecordell:3b6fbc6
josephschorr
force-pushed
the
ls-subjectset
branch
from
3c1b892 to
521d4c7
Compare
josephschorr
force-pushed
the
ls-subjectset
branch
2 times, most recently
from
4bb3acb to
23fe801
Compare
|
Updated and rewritten as discussed, and added additional tests |
vroldanbet
force-pushed
the
ls-subjectset
branch
from
23fe801 to
cc6800b
Compare
josephschorr
force-pushed
the
ls-subjectset
branch
from
cc6800b to
4fd8043
Compare
|
Updated |
josephschorr
force-pushed
the
ls-subjectset
branch
from
4fd8043 to
33a00fd
Compare
|
Updated |
josephschorr
force-pushed
the
ls-subjectset
branch
from
33a00fd to
b496292
Compare
This is the first (massive) step in supporting caveats in LookupSubjects, as this implements all the bookkeeping and tracking associated with each subject added to the subject set First part of authzed#931
josephschorr
force-pushed
the
ls-subjectset
branch
from
b496292 to
0cb2cfc
Compare
This is the first (massive) step in supporting caveats in LookupSubjects, as this implements all the bookkeeping and tracking associated with each subject added to the subject set
First part of #931