Subject expansion failed when depth exceeds 2

Question

Subject expansion failed when depth exceeds 2

stonelgh opened this issue a year ago · comments

stonelgh commented a year ago

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
This issue affects my Ory Network project.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Describe the bug

Given the namespace definition

class Role implements Namespace {
	related: {
		perms: SubjectSet<Role, "perms">[]
	}
}

and the relation tuples:

"Role:a#perms@Role:b#perms",
"Role:b#perms@Role:c#perms",
"Role:c#perms@Role:d#perms",
"Role:d#perms@get",

The check "Role:a#perms@get" will fail.

Reproducing the bug

package check_test

import (
	"context"
	"testing"

	"github.com/sirupsen/logrus"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"go.uber.org/goleak"

	"github.com/ory/keto/internal/check"
	"github.com/ory/keto/internal/check/checkgroup"
	"github.com/ory/keto/internal/driver/config"
	"github.com/ory/keto/internal/namespace"
	"github.com/ory/keto/internal/schema"
)

func TestSubjectExpansion(t *testing.T) {
	var rawns = `
	import { Namespace, SubjectSet, Context } from '@ory/keto-namespace-types';
	
	class Role implements Namespace {
	  related: {
		perms: SubjectSet<Role, "perms">[]
	  }
	}`

	nss, err := schema.Parse(rawns)
	require.True(t, err == nil)
	namespaces := make([]*namespace.Namespace, len(nss))
	for i, ns := range nss {
		ns := ns
		namespaces[i] = &ns
	}

	reg := newDepsProvider(t, namespaces)
	reg.Logger().Logger.SetLevel(logrus.InfoLevel)

	insertFixtures(t, reg.RelationTupleManager(), []string{
		"Role:a#perms@Role:b#perms",
		"Role:b#perms@Role:c#perms",
		"Role:c#perms@Role:d#perms",
		"Role:d#perms@get",
	})

	testCases := []struct {
		query         string
		expected      checkgroup.Result
		expectedPaths []path
	}{{
		query:    "Role:d#perms@get",
		expected: checkgroup.ResultIsMember,
	}, {
		query:    "Role:c#perms@get",
		expected: checkgroup.ResultIsMember,
	}, {
		query:    "Role:b#perms@get",
		expected: checkgroup.ResultIsMember,
	}, { // This case will fail
		query:    "Role:a#perms@get",
		expected: checkgroup.ResultIsMember,
	}}

	t.Run("suite=testcases", func(t *testing.T) {
		ctx := context.Background()
		reg.Config(ctx).Set(config.KeyLimitMaxReadDepth, 10)
		e := check.NewEngine(reg)
		defer goleak.VerifyNone(t, goleak.IgnoreCurrent())

		for _, tc := range testCases {
			t.Run("case="+tc.query, func(t *testing.T) {
				rt := tupleFromString(t, tc.query)

				res := e.CheckRelationTuple(ctx, rt, 100)
				require.NoError(t, res.Err)
				t.Logf("tree:\n%s", res.Tree)
				assert.Equal(t, tc.expected.Membership, res.Membership)

				if len(tc.expectedPaths) > 0 {
					for _, path := range tc.expectedPaths {
						assertPath(t, path, res.Tree)
					}
				}
			})
		}
	})
}

Relevant log output

=== RUN   TestSubjectExpansion
time=2023-02-24T19:45:04+08:00 level=info msg=No tracer configured - skipping tracing setup audience=application service_name=Ory Keto service_version=testing
=== RUN   TestSubjectExpansion/suite=testcases
=== RUN   TestSubjectExpansion/suite=testcases/case=Role:d#perms@get
    /keto/internal/check/check_test.go:80: tree:
        ∋ Role:5d0ab373-34e6-5449-9217-196aa2ef5d76#perms@01338e40-ba98-5539-a9ee-856b0223c9b1️
=== RUN   TestSubjectExpansion/suite=testcases/case=Role:c#perms@get
    /keto/internal/check/check_test.go:80: tree:
=== RUN   TestSubjectExpansion/suite=testcases/case=Role:b#perms@get
    /keto/internal/check/check_test.go:80: tree:
=== RUN   TestSubjectExpansion/suite=testcases/case=Role:a#perms@get
    /keto/internal/check/check_test.go:80: tree:
    /keto/internal/check/check_test.go:81:
        	Error Trace:	/keto/internal/check/check_test.go:81
        	Error:      	Not equal:
        	            	expected: 1
        	            	actual  : 2
        	Test:       	TestSubjectExpansion/suite=testcases/case=Role:a#perms@get
--- FAIL: TestSubjectExpansion (0.02s)
    --- FAIL: TestSubjectExpansion/suite=testcases (0.00s)
        --- PASS: TestSubjectExpansion/suite=testcases/case=Role:d#perms@get (0.00s)
        --- PASS: TestSubjectExpansion/suite=testcases/case=Role:c#perms@get (0.00s)
        --- PASS: TestSubjectExpansion/suite=testcases/case=Role:b#perms@get (0.00s)
        --- FAIL: TestSubjectExpansion/suite=testcases/case=Role:a#perms@get (0.00s)
FAIL
FAIL	github.com/ory/keto/internal/check	0.811s

Relevant configuration

No response

Version

master

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response