ensure permissions checks are fully consistent (#141)

Signed-off-by: Mike Mason <mimason@equinix.com>

internal/api/permissions.go

@@ -59,7 +59,7 @@ func (r *Router) checkAction(c echo.Context) error {
 	}
 
 	// Check the permissions
-	err = r.engine.SubjectHasPermission(ctx, subjectResource, action, resource, "")
+	err = r.engine.SubjectHasPermission(ctx, subjectResource, action, resource)
 	if err != nil && errors.Is(err, query.ErrActionNotAssigned) {
 		msg := fmt.Sprintf("subject '%s' does not have permission to perform action '%s' on resource '%s'",
 			subject, action, resourceIDStr)

internal/query/mock/mock.go

@@ -139,7 +139,7 @@ func (e *Engine) GetResourceType(name string) *types.ResourceType {
 }
 
 // SubjectHasPermission returns nil to satisfy the Engine interface.
-func (e *Engine) SubjectHasPermission(ctx context.Context, subject types.Resource, action string, resource types.Resource, queryToken string) error {
+func (e *Engine) SubjectHasPermission(ctx context.Context, subject types.Resource, action string, resource types.Resource) error {
 	e.Called()
 
 	return nil

internal/query/relations.go

@@ -60,16 +60,21 @@ func resourceToSpiceDBRef(namespace string, r types.Resource) *pb.ObjectReferenc
 }
 
 // SubjectHasPermission checks if the given subject can do the given action on the given resource
-func (e *engine) SubjectHasPermission(ctx context.Context, subject types.Resource, action string, resource types.Resource, queryToken string) error {
+func (e *engine) SubjectHasPermission(ctx context.Context, subject types.Resource, action string, resource types.Resource) error {
 	req := &pb.CheckPermissionRequest{
+		Consistency: &pb.Consistency{
+			Requirement: &pb.Consistency_FullyConsistent{
+				FullyConsistent: true,
+			},
+		},
 		Resource:   resourceToSpiceDBRef(e.namespace, resource),
 		Permission: action,
 		Subject: &pb.SubjectReference{
 			Object: resourceToSpiceDBRef(e.namespace, subject),
 		},
 	}
 
-	return e.checkPermission(ctx, req, queryToken)
+	return e.checkPermission(ctx, req)
 }
 
 // AssignSubjectRole assigns the given role to the given subject.
@@ -170,11 +175,7 @@ func (e *engine) subjectRoleRelDelete(subject types.Resource, role types.Role) *
 	}
 }
 
-func (e *engine) checkPermission(ctx context.Context, req *pb.CheckPermissionRequest, queryToken string) error {
-	if queryToken != "" {
-		req.Consistency = &pb.Consistency{Requirement: &pb.Consistency_AtLeastAsFresh{AtLeastAsFresh: &pb.ZedToken{Token: queryToken}}}
-	}
-
+func (e *engine) checkPermission(ctx context.Context, req *pb.CheckPermissionRequest) error {
 	resp, err := e.client.CheckPermission(ctx, req)
 	if err != nil {
 		return err

internal/query/relations_test.go

@@ -523,7 +523,7 @@ func TestSubjectActions(t *testing.T) {
 		},
 	)
 	assert.NoError(t, err)
-	queryToken, err := e.AssignSubjectRole(ctx, subjRes, role)
+	_, err = e.AssignSubjectRole(ctx, subjRes, role)
 	assert.NoError(t, err)
 
 	type testInput struct {
@@ -565,7 +565,7 @@ func TestSubjectActions(t *testing.T) {
 	}
 
 	testFn := func(ctx context.Context, input testInput) testingx.TestResult[any] {
-		err := e.SubjectHasPermission(ctx, subjRes, input.action, input.resource, queryToken)
+		err := e.SubjectHasPermission(ctx, subjRes, input.action, input.resource)
 
 		return testingx.TestResult[any]{
 			Err: err,

internal/query/service.go

@@ -25,7 +25,7 @@ type Engine interface {
 	DeleteRelationships(ctx context.Context, resource types.Resource) (string, error)
 	NewResourceFromID(id gidx.PrefixedID) (types.Resource, error)
 	GetResourceType(name string) *types.ResourceType
-	SubjectHasPermission(ctx context.Context, subject types.Resource, action string, resource types.Resource, queryToken string) error
+	SubjectHasPermission(ctx context.Context, subject types.Resource, action string, resource types.Resource) error
 }
 
 type engine struct {