feat(schema): add support for parent namespace in arrow information (#2844)

mazdakb · web-flow · commit 6046505bf988 · 2026-01-23T14:42:24.000Z
diff --git a/pkg/schema/arrows.go b/pkg/schema/arrows.go
@@ -14,6 +14,7 @@ import (
 type ArrowInformation struct {
 	Arrow              *core.TupleToUserset
 	Path               string
+	ParentNamespace    string
 	ParentRelationName string
 }
 
@@ -55,6 +56,14 @@ func (as *ArrowSet) HasPossibleArrowWithComputedUserset(namespaceName string, re
 	return as.arrowsByComputedUsersetNamespaceAndRelation.Has(namespaceName + "#" + relationName)
 }
 
+// LookupArrowsWithComputedUserset returns all arrows that have the given namespace and relation
+// as the computed userset.
+func (as *ArrowSet) LookupArrowsWithComputedUserset(namespaceName string, relationName string) []ArrowInformation {
+	key := namespaceName + "#" + relationName
+	found, _ := as.arrowsByComputedUsersetNamespaceAndRelation.Get(key)
+	return found
+}
+
 // LookupTuplesetArrows finds all arrows with the given namespace and relation name as the arrows' tupleset.
 func (as *ArrowSet) LookupTuplesetArrows(namespaceName string, relationName string) []ArrowInformation {
 	key := namespaceName + "#" + relationName
@@ -79,7 +88,7 @@ func (as *ArrowSet) compute(ctx context.Context) error {
 
 func (as *ArrowSet) add(ttu *core.TupleToUserset, path string, namespaceName string, relationName string) {
 	tsKey := namespaceName + "#" + ttu.Tupleset.Relation
-	as.arrowsByFullTuplesetRelation.Add(tsKey, ArrowInformation{Path: path, Arrow: ttu, ParentRelationName: relationName})
+	as.arrowsByFullTuplesetRelation.Add(tsKey, ArrowInformation{Path: path, Arrow: ttu, ParentNamespace: namespaceName, ParentRelationName: relationName})
 }
 
 func (as *ArrowSet) collectArrowInformationForRelation(ctx context.Context, def *ValidatedDefinition, relationName string) error {
@@ -115,15 +124,15 @@ func (as *ArrowSet) registerTupleToUsersetArrows(ctx context.Context, ttu *core.
 	}
 
 	for _, ast := range allowedSubjectTypes {
-		def, err := as.ts.GetValidatedDefinition(ctx, ast.Namespace)
+		subjectDef, err := as.ts.GetValidatedDefinition(ctx, ast.Namespace)
 		if err != nil {
 			return err
 		}
 
 		// NOTE: this is explicitly added to the arrowsByComputedUsersetNamespaceAndRelation without
 		// checking if the relation/permission exists, because it's needed for schema diff tracking.
-		as.arrowsByComputedUsersetNamespaceAndRelation.Add(ast.Namespace+"#"+computedUsersetRelation, ArrowInformation{Path: updatedPath, Arrow: ttu, ParentRelationName: relation.Name})
-		if def.HasRelation(computedUsersetRelation) {
+		as.arrowsByComputedUsersetNamespaceAndRelation.Add(ast.Namespace+"#"+computedUsersetRelation, ArrowInformation{Path: updatedPath, Arrow: ttu, ParentNamespace: def.Namespace().Name, ParentRelationName: relation.Name})
+		if subjectDef.HasRelation(computedUsersetRelation) {
 			as.reachableComputedUsersetRelationsByTuplesetRelation.Add(ast.Namespace+"#"+tuplesetRelation, ast.Namespace+"#"+computedUsersetRelation)
 		}
 	}
diff --git a/pkg/schema/arrows_test.go b/pkg/schema/arrows_test.go
@@ -271,3 +271,275 @@ func TestAllReachableRelations(t *testing.T) {
 		})
 	}
 }
+
+func TestLookupArrowsWithComputedUserset(t *testing.T) {
+	t.Parallel()
+
+	type expectedArrow struct {
+		parentNamespace string
+		parentRelation  string
+		arrowExpression string
+	}
+
+	type testcase struct {
+		name       string
+		schemaText string
+
+		targetNamespace string
+		targetRelation  string
+		expected        []expectedArrow
+	}
+
+	tcs := []testcase{
+		{
+			name: "basic arrow",
+			schemaText: `
+			definition user {}
+
+			definition organization {
+				relation member: user
+			}
+
+			definition resource {
+				relation org: organization
+				permission view = org->member
+			}
+		`,
+			targetNamespace: "organization",
+			targetRelation:  "member",
+			expected: []expectedArrow{
+				{
+					parentNamespace: "resource",
+					parentRelation:  "view",
+					arrowExpression: "org->member",
+				},
+			},
+		},
+		{
+			name: "multiple arrows to same relation",
+			schemaText: `
+			definition user {}
+
+			definition organization {
+				relation member: user
+			}
+
+			definition resource {
+				relation org: organization
+				permission view = org->member
+				permission another_view = org->member
+			}
+
+			definition another_resource {
+				relation org: organization
+				permission view = org->member
+			}
+		`,
+			targetNamespace: "organization",
+			targetRelation:  "member",
+			expected: []expectedArrow{
+				{
+					parentNamespace: "resource",
+					parentRelation:  "view",
+					arrowExpression: "org->member",
+				},
+				{
+					parentNamespace: "resource",
+					parentRelation:  "another_view",
+					arrowExpression: "org->member",
+				},
+				{
+					parentNamespace: "another_resource",
+					parentRelation:  "view",
+					arrowExpression: "org->member",
+				},
+			},
+		},
+		{
+			name: "arrows across different namespaces",
+			schemaText: `
+			definition user {}
+
+			definition organization {
+				relation member: user
+			}
+
+			definition project {
+				relation org: organization
+				permission view = org->member
+			}
+
+			definition document {
+				relation org: organization
+				permission view = org->member
+			}
+		`,
+			targetNamespace: "organization",
+			targetRelation:  "member",
+			expected: []expectedArrow{
+				{
+					parentNamespace: "project",
+					parentRelation:  "view",
+					arrowExpression: "org->member",
+				},
+				{
+					parentNamespace: "document",
+					parentRelation:  "view",
+					arrowExpression: "org->member",
+				},
+			},
+		},
+		{
+			name: "arrow in union and exclusion expression",
+			schemaText: `
+			definition user {}
+
+			definition organization {
+				relation member: user
+			}
+
+			definition resource {
+				relation reader: user
+				relation writer: user
+				relation banned: user
+				relation org: organization
+				permission view = reader + writer - banned + org->member
+			}
+		`,
+			targetNamespace: "organization",
+			targetRelation:  "member",
+			expected: []expectedArrow{
+				{
+					parentNamespace: "resource",
+					parentRelation:  "view",
+					arrowExpression: "org->member",
+				},
+			},
+		},
+		{
+			name: "chained arrow through intermediate type",
+			schemaText: `
+			definition user {}
+
+			definition team {
+				relation member: user
+			}
+
+			definition organization {
+				relation team: team
+				permission member = team->member
+			}
+
+			definition resource {
+				relation org: organization
+				permission view = org->member
+			}
+		`,
+			targetNamespace: "team",
+			targetRelation:  "member",
+			expected: []expectedArrow{
+				{
+					parentNamespace: "organization",
+					parentRelation:  "member",
+					arrowExpression: "team->member",
+				},
+			},
+		},
+		{
+			name: "multiple arrows in nested expression",
+			schemaText: `
+			definition user {}
+
+			definition team {
+				relation member: user
+			}
+
+			definition organization {
+				relation admin: user
+				relation team: team
+				permission member = admin + team->member
+			}
+
+			definition resource {
+				relation org: organization
+				relation team: team
+				permission view = org->member + team->member
+			}
+		`,
+			targetNamespace: "team",
+			targetRelation:  "member",
+			expected: []expectedArrow{
+				{
+					parentNamespace: "organization",
+					parentRelation:  "member",
+					arrowExpression: "team->member",
+				},
+				{
+					parentNamespace: "resource",
+					parentRelation:  "view",
+					arrowExpression: "team->member",
+				},
+			},
+		},
+		{
+			name: "arrow with intersection and exclusion",
+			schemaText: `
+			definition user {}
+
+			definition organization {
+				relation member: user
+				relation admin: user
+			}
+
+			definition resource {
+				relation org: organization
+				relation blocked: user
+				permission view = org->member & org->admin - blocked
+			}
+		`,
+			targetNamespace: "organization",
+			targetRelation:  "member",
+			expected: []expectedArrow{
+				{
+					parentNamespace: "resource",
+					parentRelation:  "view",
+					arrowExpression: "org->member",
+				},
+			},
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			tc := tc
+			t.Parallel()
+
+			schema, err := compiler.Compile(compiler.InputSchema{
+				Source:       "",
+				SchemaString: tc.schemaText,
+			}, compiler.AllowUnprefixedObjectType())
+			require.NoError(t, err)
+
+			res := ResolverForCompiledSchema(*schema)
+			arrowSet, err := buildArrowSet(t.Context(), res)
+			require.NoError(t, err)
+
+			arrows := arrowSet.LookupArrowsWithComputedUserset(tc.targetNamespace, tc.targetRelation)
+			require.Len(t, arrows, len(tc.expected))
+
+			for _, expected := range tc.expected {
+				found := false
+				for _, actual := range arrows {
+					actualExpression := actual.Arrow.Tupleset.Relation + "->" + actual.Arrow.ComputedUserset.Relation
+					if actual.ParentNamespace == expected.parentNamespace &&
+						actual.ParentRelationName == expected.parentRelation &&
+						actualExpression == expected.arrowExpression {
+						found = true
+						break
+					}
+				}
+				require.True(t, found, "expected arrow %v not found in %v", expected, arrows)
+			}
+		})
+	}
+}
