hub / github.com/ory/keto / checkTupleToSubjectSet

Method checkTupleToSubjectSet

internal/check/rewrites.go:242–287  ·  view source on GitHub ↗

checkTupleToSubjectSet rewrites the relation tuple to use the subject-set relation. Given a relation tuple like docs:readme#editor@user, and a tuple-to-subject-set rewrite with the relation "parent" and the computed subject-set relation "owner", the following checks will be performed: - query for

(
	tuple *relationTuple,
	subjectSet *ast.TupleToSubjectSet,
	restDepth int,
)


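// checkTupleToSubjectSet rewrites the relation tuple to use the subject-set
// relation. Given a relation tuple like docs:readme#editor@user, and a
// tuple-to-subject-set rewrite with the relation "parent" and the computed
// subject-set relation "owner", the following checks are performed:
//
//   - Query for the tuples that share the request's namespace and object and
//     carry the rewrite's relation ("parent" in the example).
//   - For each matching subject that is a subject set, check
//     subject#owner@user.
//
// restDepth is the remaining expansion budget. A negative value ends the
// expansion with checkgroup.UnknownMemberFunc before any query is issued, and
// every sub-check is started with restDepth-1, which bounds how far a chain of
// rewrites can recurse.
//
// The returned CheckFunc sends exactly one checkgroup.Result on resultCh,
// including when the tuple lookup fails.
func (e *Engine) checkTupleToSubjectSet(
	tuple *relationTuple,
	subjectSet *ast.TupleToSubjectSet,
	restDepth int,
) checkgroup.CheckFunc {
	if restDepth < 0 {
		e.d.Logger().Debug("reached max-depth, therefore this query will not be further expanded")
		return checkgroup.UnknownMemberFunc
	}

	e.d.Logger().
		WithField("request", tuple.String()).
		WithField("tuple to subject-set relation", subjectSet.Relation).
		WithField("tuple to subject-set computed", subjectSet.ComputedSubjectSetRelation).
		Trace("check tuple to subjectSet")

	return func(ctx context.Context, resultCh chan<- checkgroup.Result) {
		g := checkgroup.New(ctx)
		// The second value returned by NewPaginator is discarded, as before.
		for nextPage, _ := keysetpagination.NewPaginator(); !nextPage.IsLast(); {
			var tuples []*relationTuple
			var err error
			tuples, nextPage, err = e.d.RelationTupleManager().GetRelationTuples(ctx, &query{
				Namespace: &tuple.Namespace,
				Object:    &tuple.Object,
				Relation:  &subjectSet.Relation,
			},
				nextPage.ToOptions()...)
			if err != nil {
				g.Add(checkgroup.ErrorFunc(err))
				// Stop paging but still reach the send below. Returning here
				// would leave resultCh without a result, so the lookup failure
				// would never reach whoever is waiting on this check.
				// NOTE(review): assumes g.Result() reports the ErrorFunc
				// outcome; confirm against the checkgroup package.
				break
			}

			for _, t := range tuples {
				// Only subject-set subjects name another object to check
				// against; any other subject type is skipped.
				if subSet, ok := t.Subject.(*relationtuple.SubjectSet); ok {
					// NOTE(review): the meaning of the trailing false argument
					// is not visible here; confirm against checkIsAllowed.
					g.Add(e.checkIsAllowed(ctx, &relationTuple{
						Namespace: subSet.Namespace,
						Object:    subSet.Object,
						Relation:  subjectSet.ComputedSubjectSetRelation,
						Subject:   tuple.Subject,
					}, restDepth-1, false))
				}
			}
		}
		resultCh <- g.Result()
	}
}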

Callers 2

checkInvertedMethod · 0.95

Calls 13

IsLastMethod · 0.95
ToOptionsMethod · 0.95
checkIsAllowedMethod · 0.95
NewFunction · 0.92
ErrorFuncFunction · 0.92
DebugMethod · 0.80
WithFieldMethod · 0.80
LoggerMethod · 0.65
StringMethod · 0.65
GetRelationTuplesMethod · 0.65
RelationTupleManagerMethod · 0.65
AddMethod · 0.65

Tested by

no test coverage detected