checkTupleToSubjectSet rewrites the relation tuple to use the subject-set relation. Given a relation tuple like docs:readme#editor@user, and a tuple-to-subject-set rewrite with the relation "parent" and the computed subject-set relation "owner", the following checks will be performed: - query for
( tuple *relationTuple, subjectSet *ast.TupleToSubjectSet, restDepth int, )
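// checkTupleToSubjectSet rewrites the relation tuple to use the subject-set
// relation.
//
// Given a relation tuple like docs:readme#editor@user, and a
// tuple-to-subject-set rewrite with the relation "parent" and the computed
// subject-set relation "owner", the following checks will be performed:
//
//   - Query for the tuples that share the request's namespace and object and
//     carry the rewrite relation ("parent" on docs:readme in the example).
//   - For each matching subject that is a subject set, check
//     subject#owner@user with the remaining depth reduced by one.
//
// A negative restDepth returns checkgroup.UnknownMemberFunc without issuing
// any query, which bounds how far a chain of rewrites is followed. Tuples
// whose subject is not a *relationtuple.SubjectSet are skipped.
//
// If listing tuples fails, the error is added to the check group, pagination
// stops, and the group's result is still delivered on resultCh.
func (e *Engine) checkTupleToSubjectSet(
	tuple *relationTuple,
	subjectSet *ast.TupleToSubjectSet,
	restDepth int,
) checkgroup.CheckFunc {
	if restDepth < 0 {
		e.d.Logger().Debug("reached max-depth, therefore this query will not be further expanded")
		return checkgroup.UnknownMemberFunc
	}

	e.d.Logger().
		WithField("request", tuple.String()).
		WithField("tuple to subject-set relation", subjectSet.Relation).
		WithField("tuple to subject-set computed", subjectSet.ComputedSubjectSetRelation).
		Trace("check tuple to subjectSet")

	return func(ctx context.Context, resultCh chan<- checkgroup.Result) {
		g := checkgroup.New(ctx)
		for nextPage, _ := keysetpagination.NewPaginator(); !nextPage.IsLast(); {
			var tuples []*relationTuple
			var err error
			tuples, nextPage, err = e.d.RelationTupleManager().GetRelationTuples(ctx, &query{
				Namespace: &tuple.Namespace,
				Object:    &tuple.Object,
				Relation:  &subjectSet.Relation,
			},
				nextPage.ToOptions()...)
			if err != nil {
				// Leave the loop instead of returning. The original returned
				// here without ever writing to resultCh, so the storage error
				// was recorded in g but never reported to the receiver of
				// this check. Breaking lets the send below run.
				g.Add(checkgroup.ErrorFunc(err))
				break
			}

			for _, t := range tuples {
				// Only subject sets can be expanded through the computed
				// relation; any other subject type is ignored here.
				if subSet, ok := t.Subject.(*relationtuple.SubjectSet); ok {
					// NOTE(review): the meaning of the trailing false is
					// defined by checkIsAllowed, which is not visible here.
					g.Add(e.checkIsAllowed(ctx, &relationTuple{
						Namespace: subSet.Namespace,
						Object:    subSet.Object,
						Relation:  subjectSet.ComputedSubjectSetRelation,
						Subject:   tuple.Subject,
					}, restDepth-1, false))
				}
			}
		}
		resultCh <- g.Result()
	}
}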
no test coverage detected