vendor/github.com/authzed/spicedb/pkg/development/check.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

package development

import (
	v1api "github.com/authzed/authzed-go/proto/authzed/api/v1"

	"github.com/authzed/spicedb/internal/graph/computed"
	v1 "github.com/authzed/spicedb/internal/services/v1"
	caveattypes "github.com/authzed/spicedb/pkg/caveats/types"
	v1dispatch "github.com/authzed/spicedb/pkg/proto/dispatch/v1"
	"github.com/authzed/spicedb/pkg/tuple"
)

const defaultWasmDispatchChunkSize = 100

// CheckResult is the result of a RunCheck operation.
type CheckResult struct {
	Permissionship      v1dispatch.ResourceCheckResult_Membership
	MissingCaveatFields []string
	DispatchDebugInfo   *v1dispatch.DebugInformation
	V1DebugInfo         *v1api.DebugInformation
}

// RunCheck performs a check against the data in the development context.
//
// Note that it is up to the caller to call DistinguishGraphError on the error
// if they want to distinguish between user errors and internal errors.
func RunCheck(devContext *DevContext, resource tuple.ObjectAndRelation, subject tuple.ObjectAndRelation, caveatContext map[string]any) (CheckResult, error) {
	ctx := devContext.Ctx
	cr, meta, err := computed.ComputeCheck(ctx, devContext.Dispatcher,
		caveattypes.Default.TypeSet,
		computed.CheckParameters{
			ResourceType:  resource.RelationReference(),
			Subject:       subject,
			CaveatContext: caveatContext,
			AtRevision:    devContext.Revision,
			MaximumDepth:  maxDispatchDepth,
			DebugOption:   computed.TraceDebuggingEnabled,
		},
		resource.ObjectID,
		defaultWasmDispatchChunkSize,
	)
	if err != nil {
		return CheckResult{v1dispatch.ResourceCheckResult_NOT_MEMBER, nil, nil, nil}, err
	}

	reader := devContext.Datastore.SnapshotReader(devContext.Revision)
	converted, err := v1.ConvertCheckDispatchDebugInformation(ctx, caveattypes.Default.TypeSet, caveatContext, meta.DebugInfo, reader)
	if err != nil {
		return CheckResult{v1dispatch.ResourceCheckResult_NOT_MEMBER, nil, nil, nil}, err
	}

	return CheckResult{cr.Membership, cr.MissingExprFields, meta.DebugInfo, converted}, nil
}