feat: add internal flag for running CheckPermission with a query plan (#2663)

Author: barakmich

internal/services/integrationtesting/query_plan_consistency_test.go

@@ -50,8 +50,7 @@ func (q *queryPlanConsistencyHandle) buildContext(t *testing.T) *query.Context {
 	return &query.Context{
 		Context:      t.Context(),
 		Executor:     query.LocalExecutor{},
-		Datastore:    q.ds,
-		Revision:     q.revision,
+		Reader:       q.ds.SnapshotReader(q.revision),
 		CaveatRunner: caveats.NewCaveatRunner(caveattypes.Default.TypeSet),
 		TraceLogger:  query.NewTraceLogger(), // Enable tracing for debugging
 	}

internal/services/v1/permissions.go

@@ -70,6 +70,10 @@ func (ps *permissionServer) CheckPermission(ctx context.Context, req *v1.CheckPe
 
 	telemetry.LogicalChecks.Inc()
 
+	if ps.config.ExperimentalQueryPlan {
+		return ps.checkPermissionWithQueryPlan(ctx, req)
+	}
+
 	atRevision, checkedAt, err := consistency.RevisionFromContext(ctx)
 	if err != nil {
 		return nil, ps.rewriteError(ctx, err)

internal/services/v1/permissions_queryplan.go

@@ -0,0 +1,125 @@
+package v1
+
+import (
+	"context"
+
+	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+
+	caveatsimpl "github.com/authzed/spicedb/internal/caveats"
+	datastoremw "github.com/authzed/spicedb/internal/middleware/datastore"
+	"github.com/authzed/spicedb/pkg/datastore"
+	"github.com/authzed/spicedb/pkg/middleware/consistency"
+	"github.com/authzed/spicedb/pkg/query"
+	"github.com/authzed/spicedb/pkg/schema/v2"
+)
+
+// checkPermissionWithQueryPlan executes a permission check using the query plan API.
+// This builds an iterator tree from the schema and executes it against the datastore.
+func (ps *permissionServer) checkPermissionWithQueryPlan(ctx context.Context, req *v1.CheckPermissionRequest) (*v1.CheckPermissionResponse, error) {
+	atRevision, checkedAt, err := consistency.RevisionFromContext(ctx)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	ds := datastoremw.MustFromContext(ctx)
+	reader := ds.SnapshotReader(atRevision)
+
+	// Load all namespace and caveat definitions to build the schema
+	// TODO: Better schema caching
+	namespaces, err := reader.ListAllNamespaces(ctx)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	caveats, err := reader.ListAllCaveats(ctx)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	// Build schema from definitions
+	fullSchema, err := schema.BuildSchemaFromDefinitions(
+		datastore.DefinitionsOf(namespaces),
+		datastore.DefinitionsOf(caveats),
+	)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	// Build iterator tree from schema
+	// TODO: Better iterator caching
+	it, err := query.BuildIteratorFromSchema(fullSchema, req.Resource.ObjectType, req.Permission)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	// Parse caveat context if provided
+	caveatContext, err := GetCaveatContext(ctx, req.Context, ps.config.MaxCaveatContextSize)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	// Create query context with optional tracing
+	qctx := &query.Context{
+		Context:       ctx,
+		Executor:      query.LocalExecutor{},
+		Reader:        reader,
+		CaveatContext: caveatContext,
+		CaveatRunner:  caveatsimpl.NewCaveatRunner(ps.config.CaveatTypeSet),
+	}
+
+	// Execute the check
+	resource := query.Object{
+		ObjectType: req.Resource.ObjectType,
+		ObjectID:   req.Resource.ObjectId,
+	}
+
+	subject := query.ObjectAndRelation{
+		ObjectType: req.Subject.Object.ObjectType,
+		ObjectID:   req.Subject.Object.ObjectId,
+		Relation:   normalizeSubjectRelation(req.Subject),
+	}
+
+	pathSeq, err := qctx.Check(it, []query.Object{resource}, subject)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	// Collect results and convert to response
+	permissionship, partialCaveat, err := convertPathsToPermissionship(pathSeq)
+	if err != nil {
+		return nil, ps.rewriteError(ctx, err)
+	}
+
+	resp := &v1.CheckPermissionResponse{
+		CheckedAt:         checkedAt,
+		Permissionship:    permissionship,
+		PartialCaveatInfo: partialCaveat,
+	}
+
+	return resp, nil
+}
+
+// convertPathsToPermissionship iterates over paths and determines the permissionship result.
+// Returns the first path's permissionship status, as any path indicates access.
+func convertPathsToPermissionship(pathSeq query.PathSeq) (v1.CheckPermissionResponse_Permissionship, *v1.PartialCaveatInfo, error) {
+	// Iterate over paths to find the first valid result
+	for path, err := range pathSeq {
+		if err != nil {
+			return v1.CheckPermissionResponse_PERMISSIONSHIP_UNSPECIFIED, nil, err
+		}
+
+		// Found a path - determine permissionship based on caveat presence
+		if path.Caveat != nil {
+			// TODO: Extract missing required context from caveat expression
+			return v1.CheckPermissionResponse_PERMISSIONSHIP_CONDITIONAL_PERMISSION, &v1.PartialCaveatInfo{
+				MissingRequiredContext: []string{},
+			}, nil
+		}
+
+		// Path exists without caveat - has permission
+		return v1.CheckPermissionResponse_PERMISSIONSHIP_HAS_PERMISSION, nil, nil
+	}
+
+	// No paths found - no permission
+	return v1.CheckPermissionResponse_PERMISSIONSHIP_NO_PERMISSION, nil, nil
+}

internal/services/v1/relationships.go

@@ -115,6 +115,9 @@ type PermissionsServerConfig struct {
 
 	// EnableExperimentalLookupResources3 is used to enable LookupResources v3 for testing.
 	EnableExperimentalLookupResources3 bool // TODO: remove when LookupResources v3 is fully enabled
+
+	// ExperimentalQueryPlan enables the experimental query plan for API calls.
+	ExperimentalQueryPlan bool
 }
 
 // NewPermissionsServer creates a PermissionsServiceServer instance.
@@ -140,6 +143,7 @@ func NewPermissionsServer(
 		ExpiringRelationshipsEnabled:       config.ExpiringRelationshipsEnabled,
 		PerformanceInsightMetricsEnabled:   config.PerformanceInsightMetricsEnabled,
 		EnableExperimentalLookupResources3: config.EnableExperimentalLookupResources3,
+		ExperimentalQueryPlan:              config.ExperimentalQueryPlan,
 	}
 
 	return &permissionServer{

pkg/cmd/serve.go

@@ -167,6 +167,10 @@ func RegisterServeFlags(cmd *cobra.Command, config *server.Config) error {
 
 	experimentalFlags := nfs.FlagSet(BoldBlue("Experimental"))
 	// Flags for experimental features
+	experimentalFlags.StringVar(&config.ExperimentalQueryPlan, "experimental-query-plan", "", "if non-empty, the version of the experimental query plan to use: `check` or empty")
+	if err := experimentalFlags.MarkHidden("experimental-query-plan"); err != nil {
+		return fmt.Errorf("failed to mark flag as hidden: %w", err)
+	}
 	experimentalFlags.StringVar(&config.ExperimentalLookupResourcesVersion, "experimental-lookup-resources-version", "", "if non-empty, the version of the experimental lookup resources API to use: `lr3` or empty")
 	experimentalFlags.BoolVar(&config.EnableRelationshipExpiration, "enable-experimental-relationship-expiration", true, "enables experimental support for relationship expiration")
 	if err := experimentalFlags.MarkHidden("enable-experimental-relationship-expiration"); err != nil {

pkg/cmd/server/server.go

@@ -128,6 +128,7 @@ type Config struct {
 	MaxBulkExportRelationshipsLimit    uint32        `debugmap:"visible"`
 	EnableExperimentalLookupResources  bool          `debugmap:"visible"`
 	ExperimentalLookupResourcesVersion string        `debugmap:"visible"`
+	ExperimentalQueryPlan              string        `debugmap:"visible"`
 	EnableRelationshipExpiration       bool          `debugmap:"visible" default:"true"`
 	EnableRevisionHeartbeat            bool          `debugmap:"visible"`
 	EnablePerformanceInsightMetrics    bool          `debugmap:"visible"`
@@ -498,6 +499,7 @@ func (c *Config) Complete(ctx context.Context) (RunnableServer, error) {
 		CaveatTypeSet:                      c.DatastoreConfig.CaveatTypeSet,
 		PerformanceInsightMetricsEnabled:   c.EnablePerformanceInsightMetrics,
 		EnableExperimentalLookupResources3: c.ExperimentalLookupResourcesVersion == "lr3",
+		ExperimentalQueryPlan:              c.ExperimentalQueryPlan == "check",
 	}
 
 	healthManager := health.NewHealthManager(dispatcher, ds)

pkg/cmd/server/zz_generated.options.go

@@ -31,10 +31,9 @@ func TestBuildTree(t *testing.T) {
 	require.NoError(err)
 
 	ctx := &Context{
-		Context:   t.Context(),
-		Executor:  LocalExecutor{},
-		Datastore: ds,
-		Revision:  revision,
+		Context:  t.Context(),
+		Executor: LocalExecutor{},
+		Reader:   ds.SnapshotReader(revision),
 	}
 
 	relSeq, err := ctx.Check(it, NewObjects("document", "specialplan"), NewObject("user", "multiroleguy").WithEllipses())
@@ -65,10 +64,9 @@ func TestBuildTreeMultipleRelations(t *testing.T) {
 	require.Contains(explain.String(), "Union", "edit permission should create a union iterator")
 
 	ctx := &Context{
-		Context:   t.Context(),
-		Executor:  LocalExecutor{},
-		Datastore: ds,
-		Revision:  revision,
+		Context:  t.Context(),
+		Executor: LocalExecutor{},
+		Reader:   ds.SnapshotReader(revision),
 	}
 
 	relSeq, err := ctx.Check(it, NewObjects("document", "specialplan"), NewObject("user", "multiroleguy").WithEllipses())
@@ -120,10 +118,9 @@ func TestBuildTreeSubRelations(t *testing.T) {
 	require.NotEmpty(explain.String())
 
 	ctx := &Context{
-		Context:   t.Context(),
-		Executor:  LocalExecutor{},
-		Datastore: ds,
-		Revision:  revision,
+		Context:  t.Context(),
+		Executor: LocalExecutor{},
+		Reader:   ds.SnapshotReader(revision),
 	}
 
 	// Just test that the iterator can be executed without error
@@ -223,10 +220,9 @@ func TestBuildTreeIntersectionOperation(t *testing.T) {
 	require.Contains(explain.String(), "Intersection", "should create intersection iterator")
 
 	ctx := &Context{
-		Context:   t.Context(),
-		Executor:  LocalExecutor{},
-		Datastore: ds,
-		Revision:  revision,
+		Context:  t.Context(),
+		Executor: LocalExecutor{},
+		Reader:   ds.SnapshotReader(revision),
 	}
 
 	// Test execution
@@ -290,10 +286,9 @@ func TestBuildTreeExclusionEdgeCases(t *testing.T) {
 	ds, revision := testfixtures.StandardDatastoreWithData(rawDS, require)
 
 	ctx := &Context{
-		Context:   t.Context(),
-		Executor:  LocalExecutor{},
-		Datastore: ds,
-		Revision:  revision,
+		Context:  t.Context(),
+		Executor: LocalExecutor{},
+		Reader:   ds.SnapshotReader(revision),
 	}
 
 	userDef := testfixtures.UserNS.CloneVT()
@@ -554,10 +549,9 @@ func TestBuildTreeSingleRelationOptimization(t *testing.T) {
 	require.Contains(explain.String(), "Relation", "should create relation iterator")
 
 	ctx := &Context{
-		Context:   t.Context(),
-		Executor:  LocalExecutor{},
-		Datastore: ds,
-		Revision:  revision,
+		Context:  t.Context(),
+		Executor: LocalExecutor{},
+		Reader:   ds.SnapshotReader(revision),
 	}
 
 	// Test execution
@@ -578,10 +572,9 @@ func TestBuildTreeSubrelationHandling(t *testing.T) {
 	ds, revision := testfixtures.StandardDatastoreWithData(rawDS, require)
 
 	ctx := &Context{
-		Context:   t.Context(),
-		Executor:  LocalExecutor{},
-		Datastore: ds,
-		Revision:  revision,
+		Context:  t.Context(),
+		Executor: LocalExecutor{},
+		Reader:   ds.SnapshotReader(revision),
 	}
 
 	userDef := testfixtures.UserNS.CloneVT()

pkg/query/build_tree_test.go

@@ -125,16 +125,13 @@ func (c *CaveatIterator) simplifyCaveat(ctx *Context, path Path) (*core.CaveatEx
 		return nil, false, errors.New("no caveat runner available for caveat evaluation")
 	}
 
-	// Get a snapshot reader which should implement CaveatReader
-	reader := ctx.Datastore.SnapshotReader(ctx.Revision)
-
 	// Use the SimplifyCaveatExpression function to properly handle AND/OR logic
 	simplified, passes, err := SimplifyCaveatExpression(
 		ctx,
 		ctx.CaveatRunner,
 		path.Caveat,
 		ctx.CaveatContext,
-		reader,
+		ctx.Reader,
 	)
 	if err != nil {
 		return nil, false, fmt.Errorf("failed to simplify caveat: %w", err)

pkg/query/caveat.go

@@ -111,8 +111,7 @@ func TestCaveatIteratorNoCaveat(t *testing.T) {
 			queryCtx := &Context{
 				Context:       context.Background(),
 				Executor:      LocalExecutor{},
-				Datastore:     ds,
-				Revision:      rev,
+				Reader:        ds.SnapshotReader(rev),
 				CaveatContext: tc.caveatContext,
 				CaveatRunner:  caveats.NewCaveatRunner(types.NewTypeSet()),
 			}
@@ -207,8 +206,7 @@ func TestCaveatIteratorWithCaveat(t *testing.T) {
 			queryCtx := &Context{
 				Context:       context.Background(),
 				Executor:      LocalExecutor{},
-				Datastore:     ds,
-				Revision:      rev,
+				Reader:        ds.SnapshotReader(rev),
 				CaveatContext: tc.caveatContext,
 				CaveatRunner:  caveats.NewCaveatRunner(types.NewTypeSet()),
 			}