Documentation
Overview ¶
This package provides the structures, interfaces, and functions for a sort of Lego set for building query trees. It should depend on as few other packages as possible: in the longer term these types may be passed around a lot, and refactoring to reduce import loops is a pain.
The underlying philosophy of a query plan is that we build query trees out of iterators. Iterators are nodes in the tree and represent a logical set of valid relations that match or don't match.
Take the example schema:
	definition foo {
		relation bar: foo
	}
The simplest set is that of `bar`: all relationships written directly with `bar` as the Relation type, e.g. `foo:a#bar@foo:b#...`.
But by combining different operations on these sets, we can invent arbitrary permissions, using standard set operations like And and Or, along with a few special ones that come from relational algebra, like Arrow (as a form of the Join operation).
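A toy model of the idea above, added here as an illustration and not code from this package: `Rel`, `Set`, `Relation`, `Or`, `And`, `Arrow` and `Check` are hypothetical names, and the `document`/`folder` relationships are constructed sample data. It shows a `view` permission built as `viewer + folder->owner` and an `edit` permission built as `viewer & folder->owner`.

```go
package main

import (
	"fmt"
	"strings"
)

// Rel is a toy relationship "Resource#Relation@Subject" (hypothetical type).
type Rel struct{ Resource, Relation, Subject string }

// Set is a toy stand-in for an iterator: it yields one logical set of relationships.
type Set func() []Rel

// store is constructed sample data standing in for a datastore.
var store = []Rel{
	{Resource: "document:d1", Relation: "folder", Subject: "folder:f1"},
	{Resource: "folder:f1", Relation: "owner", Subject: "user:alice"},
	{Resource: "document:d1", Relation: "viewer", Subject: "user:alice"},
	{Resource: "document:d1", Relation: "viewer", Subject: "user:bob"},
	{Resource: "document:d2", Relation: "viewer", Subject: "user:carol"},
}

// Relation is the simplest set: relationships written directly with one relation.
func Relation(objType, name string) Set {
	return func() []Rel {
		var out []Rel
		for _, r := range store {
			if r.Relation == name && strings.HasPrefix(r.Resource, objType+":") {
				out = append(out, r)
			}
		}
		return out
	}
}

// endpoints identifies a relationship by resource and subject only, so that
// results reached through different relations can be compared.
func endpoints(r Rel) string { return r.Resource + "@" + r.Subject }

// Or is set union, deduplicated by endpoints.
func Or(a, b Set) Set {
	return func() []Rel {
		seen := map[string]bool{}
		var out []Rel
		for _, s := range []Set{a, b} {
			for _, r := range s() {
				if !seen[endpoints(r)] {
					seen[endpoints(r)] = true
					out = append(out, r)
				}
			}
		}
		return out
	}
}

// And is set intersection: entries of a whose endpoints also appear in b.
func And(a, b Set) Set {
	return func() []Rel {
		inB := map[string]bool{}
		for _, r := range b() {
			inB[endpoints(r)] = true
		}
		var out []Rel
		for _, r := range a() {
			if inB[endpoints(r)] {
				out = append(out, r)
			}
		}
		return out
	}
}

// Arrow is a join: the subject of a left relationship must be the resource of
// a right relationship; the result links left's resource to right's subject.
func Arrow(left, right Set) Set {
	return func() []Rel {
		var out []Rel
		rights := right()
		for _, l := range left() {
			for _, r := range rights {
				if r.Resource == l.Subject {
					out = append(out, Rel{Resource: l.Resource, Relation: l.Relation + "->" + r.Relation, Subject: r.Subject})
				}
			}
		}
		return out
	}
}

// Check reports whether the set connects resource to subject.
func Check(s Set, resource, subject string) bool {
	for _, r := range s() {
		if r.Resource == resource && r.Subject == subject {
			return true
		}
	}
	return false
}

func folderOwner() Set { return Arrow(Relation("document", "folder"), Relation("folder", "owner")) }

// View models "viewer + folder->owner"; Edit models "viewer & folder->owner".
func View() Set { return Or(Relation("document", "viewer"), folderOwner()) }
func Edit() Set { return And(Relation("document", "viewer"), folderOwner()) }

func main() {
	fmt.Println(Check(View(), "document:d1", "user:bob"), Check(Edit(), "document:d1", "user:bob"))
}
```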
Index ¶
- Constants
- func FormatAnalysis(tree Iterator, analyze map[CanonicalKey]AnalyzeStats) string
- func ObjectAndRelationKey(oar ObjectAndRelation) string
- func OutlineCompare(a, b Outline) int
- func PathOrder(a, b Path) int
- func SimplifyCaveatExpression(ctx context.Context, runner *caveats.CaveatRunner, expr *core.CaveatExpression, ...) (*core.CaveatExpression, bool, error)
- func WalkOutlinePreOrder(outline Outline, fn func(Outline) error) error
- type AliasIterator
- func (a *AliasIterator) CanonicalKey() CanonicalKey
- func (a *AliasIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (a *AliasIterator) Clone() Iterator
- func (a *AliasIterator) Explain() Explain
- func (a *AliasIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (a *AliasIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (a *AliasIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (a *AliasIterator) ResourceType() ([]ObjectType, error)
- func (a *AliasIterator) Subiterators() []Iterator
- func (a *AliasIterator) SubjectTypes() ([]ObjectType, error)
- type AnalyzeObserver
- func (a *AnalyzeObserver) GetStats() map[CanonicalKey]AnalyzeStats
- func (a *AnalyzeObserver) ObserveEnterIterator(op ObserverOperation, key CanonicalKey)
- func (a *AnalyzeObserver) ObservePath(op ObserverOperation, key CanonicalKey, path Path)
- func (a *AnalyzeObserver) ObserveReturnIterator(op ObserverOperation, key CanonicalKey)
- type AnalyzeStats
- type ArrowIterator
- func (a *ArrowIterator) CanonicalKey() CanonicalKey
- func (a *ArrowIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (a *ArrowIterator) Clone() Iterator
- func (a *ArrowIterator) Explain() Explain
- func (a *ArrowIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (a *ArrowIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (a *ArrowIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (a *ArrowIterator) ResourceType() ([]ObjectType, error)
- func (a *ArrowIterator) Subiterators() []Iterator
- func (a *ArrowIterator) SubjectTypes() ([]ObjectType, error)
- type CanonicalKey
- type CanonicalKeySource
- type CanonicalOutline
- type CaveatIterator
- func (c *CaveatIterator) CanonicalKey() CanonicalKey
- func (c *CaveatIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (c *CaveatIterator) Clone() Iterator
- func (c *CaveatIterator) Explain() Explain
- func (c *CaveatIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (c *CaveatIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (c *CaveatIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (c *CaveatIterator) ResourceType() ([]ObjectType, error)
- func (c *CaveatIterator) Subiterators() []Iterator
- func (c *CaveatIterator) SubjectTypes() ([]ObjectType, error)
- type Context
- func (ctx *Context) Check(it Iterator, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (ctx *Context) CollectFrontierObject(iteratorID uint64, obj Object)
- func (ctx *Context) EnableFrontierCollection(iteratorID uint64)
- func (ctx *Context) ExtractFrontierCollection(iteratorID uint64) []Object
- func (ctx *Context) GetPaginationCursor(iteratorID string) *tuple.Relationship
- func (ctx *Context) IsCollectingFrontier(iteratorID uint64) bool
- func (ctx *Context) IterResources(it Iterator, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (ctx *Context) IterSubjects(it Iterator, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (ctx *Context) SetPaginationCursor(iteratorID string, cursor *tuple.Relationship)
- func (ctx *Context) TraceEnter(it Iterator, traceString string)
- func (ctx *Context) TraceExit(it Iterator, paths []Path)
- func (ctx *Context) TraceStep(it Iterator, step string, data ...any)
- type ContextOption
- func WithCaveatContext(caveatCtx map[string]any) ContextOption
- func WithCaveatRunner(runner *caveats.CaveatRunner) ContextOption
- func WithMaxRecursionDepth(depth int) ContextOption
- func WithObserver(o Observer) ContextOption
- func WithPaginationLimit(limit uint64) ContextOption
- func WithReader(reader QueryDatastoreReader) ContextOption
- func WithRevisionedReader(reader datalayer.RevisionedReader) ContextOption
- func WithTraceLogger(logger *TraceLogger) ContextOption
- type CountAdvisor
- type CountObserver
- func (c *CountObserver) GetStats() map[CanonicalKey]CountStats
- func (c *CountObserver) ObserveEnterIterator(op ObserverOperation, key CanonicalKey)
- func (c *CountObserver) ObservePath(op ObserverOperation, key CanonicalKey, _ Path)
- func (c *CountObserver) ObserveReturnIterator(_ ObserverOperation, _ CanonicalKey)
- type CountStats
- type DatastoreIterator
- func (r *DatastoreIterator) CanonicalKey() CanonicalKey
- func (r *DatastoreIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (r *DatastoreIterator) Clone() Iterator
- func (r *DatastoreIterator) Explain() Explain
- func (r *DatastoreIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (r *DatastoreIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (r *DatastoreIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (r *DatastoreIterator) ResourceType() ([]ObjectType, error)
- func (r *DatastoreIterator) Subiterators() []Iterator
- func (r *DatastoreIterator) SubjectTypes() ([]ObjectType, error)
- type ExclusionIterator
- func (e *ExclusionIterator) CanonicalKey() CanonicalKey
- func (e *ExclusionIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (e *ExclusionIterator) Clone() Iterator
- func (e *ExclusionIterator) Explain() Explain
- func (e *ExclusionIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (e *ExclusionIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (e *ExclusionIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (e *ExclusionIterator) ResourceType() ([]ObjectType, error)
- func (e *ExclusionIterator) Subiterators() []Iterator
- func (e *ExclusionIterator) SubjectTypes() ([]ObjectType, error)
- type Executor
- type Explain
- type FaultyIterator
- func (f *FaultyIterator) CanonicalKey() CanonicalKey
- func (f *FaultyIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (f *FaultyIterator) Clone() Iterator
- func (f *FaultyIterator) Explain() Explain
- func (f *FaultyIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (f *FaultyIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (f *FaultyIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (f *FaultyIterator) ResourceType() ([]ObjectType, error)
- func (f *FaultyIterator) Subiterators() []Iterator
- func (f *FaultyIterator) SubjectTypes() ([]ObjectType, error)
- type FixedIterator
- func NewDocumentAccessFixedIterator() *FixedIterator
- func NewEmptyFixedIterator() *FixedIterator
- func NewFixedIterator(paths ...Path) *FixedIterator
- func NewFolderHierarchyFixedIterator() *FixedIterator
- func NewLargeFixedIterator() *FixedIterator
- func NewMultiRoleFixedIterator() *FixedIterator
- func NewSingleUserFixedIterator(userID string) *FixedIterator
- func (f *FixedIterator) CanonicalKey() CanonicalKey
- func (f *FixedIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (f *FixedIterator) Clone() Iterator
- func (f *FixedIterator) Explain() Explain
- func (f *FixedIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (f *FixedIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (f *FixedIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (f *FixedIterator) ResourceType() ([]ObjectType, error)
- func (f *FixedIterator) Subiterators() []Iterator
- func (f *FixedIterator) SubjectTypes() ([]ObjectType, error)
- type Hint
- type IntersectionArrowIterator
- func (ia *IntersectionArrowIterator) CanonicalKey() CanonicalKey
- func (ia *IntersectionArrowIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (ia *IntersectionArrowIterator) Clone() Iterator
- func (ia *IntersectionArrowIterator) Explain() Explain
- func (ia *IntersectionArrowIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (ia *IntersectionArrowIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (ia *IntersectionArrowIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (ia *IntersectionArrowIterator) ResourceType() ([]ObjectType, error)
- func (ia *IntersectionArrowIterator) Subiterators() []Iterator
- func (ia *IntersectionArrowIterator) SubjectTypes() ([]ObjectType, error)
- type IntersectionIterator
- func (i *IntersectionIterator) CanonicalKey() CanonicalKey
- func (i *IntersectionIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (i *IntersectionIterator) Clone() Iterator
- func (i *IntersectionIterator) Explain() Explain
- func (i *IntersectionIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (i *IntersectionIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (i *IntersectionIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (i *IntersectionIterator) ResourceType() ([]ObjectType, error)
- func (i *IntersectionIterator) Subiterators() []Iterator
- func (i *IntersectionIterator) SubjectTypes() ([]ObjectType, error)
- type Iterator
- type IteratorArgs
- type IteratorType
- type LocalExecutor
- func (l LocalExecutor) Check(ctx *Context, it Iterator, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (l LocalExecutor) IterResources(ctx *Context, it Iterator, subject ObjectAndRelation, ...) (PathSeq, error)
- func (l LocalExecutor) IterSubjects(ctx *Context, it Iterator, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- type Object
- type ObjectAndRelation
- type ObjectType
- type Observer
- type ObserverOperation
- type Outline
- func Decompile(it Iterator) (Outline, error)
- func FillMissingNodeIDs(outline Outline, keys map[OutlineNodeID]CanonicalKey) Outline
- func MutateOutline(outline Outline, fns []OutlineMutation) Outline
- func NullPropagation(outline Outline) Outline
- func WalkOutlineBottomUp(outline Outline, fn func(Outline) (Outline, error)) (Outline, error)
- type OutlineMutation
- type OutlineNodeID
- type Path
- func (p Path) EndpointsKey() string
- func (p Path) Equals(other Path) bool
- func (p Path) EqualsEndpoints(other Path) bool
- func (p Path) IsExpired() bool
- func (p Path) Key() string
- func (p Path) MergeAnd(other Path) (Path, error)
- func (p Path) MergeAndNot(other Path) (Path, error)
- func (p Path) MergeOr(other Path) (Path, error)
- func (p Path) ResourceOAR() ObjectAndRelation
- func (p Path) ToRelationship() (tuple.Relationship, error)
- type PathSeq
- func DeduplicatePathSeq(seq PathSeq) PathSeq
- func EmptyPathSeq() PathSeq
- func FilterResourcesByType(seq PathSeq, filter ObjectType) PathSeq
- func FilterSubjectsByType(seq PathSeq, filter ObjectType) PathSeq
- func FilterWildcardSubjects(seq PathSeq) PathSeq
- func PathSeqFromSlice(paths []Path) PathSeq
- func RewriteSubject(seq PathSeq, subject ObjectAndRelation) PathSeq
- type Plan
- type PlanAdvisor
- type QueryDatastoreReader
- type QueryPage
- type RecursiveIterator
- func (r *RecursiveIterator) CanonicalKey() CanonicalKey
- func (r *RecursiveIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (r *RecursiveIterator) Clone() Iterator
- func (r *RecursiveIterator) Explain() Explain
- func (r *RecursiveIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (r *RecursiveIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (r *RecursiveIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (r *RecursiveIterator) ResourceType() ([]ObjectType, error)
- func (r *RecursiveIterator) Subiterators() []Iterator
- func (r *RecursiveIterator) SubjectTypes() ([]ObjectType, error)
- type RecursiveSentinelIterator
- func (r *RecursiveSentinelIterator) CanonicalKey() CanonicalKey
- func (r *RecursiveSentinelIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (r *RecursiveSentinelIterator) Clone() Iterator
- func (r *RecursiveSentinelIterator) DefinitionName() string
- func (r *RecursiveSentinelIterator) Explain() Explain
- func (r *RecursiveSentinelIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (r *RecursiveSentinelIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (r *RecursiveSentinelIterator) RelationName() string
- func (r *RecursiveSentinelIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (r *RecursiveSentinelIterator) ResourceType() ([]ObjectType, error)
- func (r *RecursiveSentinelIterator) Subiterators() []Iterator
- func (r *RecursiveSentinelIterator) SubjectTypes() ([]ObjectType, error)
- func (r *RecursiveSentinelIterator) WithSubRelations() bool
- type RelationNotFoundError
- type SelfIterator
- func (s *SelfIterator) CanonicalKey() CanonicalKey
- func (s *SelfIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (s *SelfIterator) Clone() Iterator
- func (s *SelfIterator) Explain() Explain
- func (s *SelfIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (s *SelfIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (s *SelfIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (s *SelfIterator) ResourceType() ([]ObjectType, error)
- func (s *SelfIterator) Subiterators() []Iterator
- func (s *SelfIterator) SubjectTypes() ([]ObjectType, error)
- type StaticAdvisor
- type TraceLogger
- type UnionIterator
- func (u *UnionIterator) CanonicalKey() CanonicalKey
- func (u *UnionIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
- func (u *UnionIterator) Clone() Iterator
- func (u *UnionIterator) Explain() Explain
- func (u *UnionIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
- func (u *UnionIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
- func (u *UnionIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
- func (u *UnionIterator) ResourceType() ([]ObjectType, error)
- func (u *UnionIterator) Subiterators() []Iterator
- func (u *UnionIterator) SubjectTypes() ([]ObjectType, error)
Constants ¶
const WildcardObjectID = tuple.PublicWildcard
WildcardObjectID is the subject ID representing a public wildcard ("*").
Variables ¶
This section is empty.
Functions ¶
func FormatAnalysis ¶ added in v1.49.0
func FormatAnalysis(tree Iterator, analyze map[CanonicalKey]AnalyzeStats) string
FormatAnalysis returns a formatted string showing the iterator tree with execution statistics for each iterator. Stats are looked up by iterator canonical key from the analyze map.
func ObjectAndRelationKey ¶ added in v1.46.1
func ObjectAndRelationKey(oar ObjectAndRelation) string
ObjectAndRelationKey returns a unique string key for an ObjectAndRelation.
func OutlineCompare ¶ added in v1.49.2
OutlineCompare defines a total ordering on Outline for canonicalization. Returns -1 if a < b, 0 if a == b, 1 if a > b. Compatible with slices.SortFunc.
func PathOrder ¶ added in v1.49.2
PathOrder defines ordering for Path objects. Returns -1 if a < b, 0 if a == b, 1 if a > b. Compatible with slices.SortFunc.
func SimplifyCaveatExpression ¶ added in v1.46.1
func SimplifyCaveatExpression(
	ctx context.Context,
	runner *caveats.CaveatRunner,
	expr *core.CaveatExpression,
	context map[string]any,
	reader caveats.CaveatDefinitionLookup,
) (*core.CaveatExpression, bool, error)
SimplifyCaveatExpression simplifies a caveat expression by applying AND/OR logic and running them with a CaveatRunner if they match the expected caveat:
- For AND: if a caveat evaluates to true, remove it from the expression
- For OR: if a caveat evaluates to true, the entire expression becomes true
Returns:
- simplified: the simplified expression (nil if unconditionally true)
- passes: true if passes unconditionally or conditionally, false if fails
- error: any error that occurred during simplification
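The AND/OR rules above, worked through on a toy expression tree as an added example; this is not the package's implementation. `Expr`, `Leaf`, `And`, `Or`, `Render` and `Simplify` are hypothetical names, the `verdicts` map stands in for running a caveat against its context, and the handling of a caveat that evaluates to false (AND fails, OR drops it) or has no verdict yet (kept) is an assumption, since the page only states the true cases.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Expr is a toy caveat expression (hypothetical, not core.CaveatExpression):
// a named caveat leaf when Op is "", otherwise an "AND" or "OR" node.
type Expr struct {
	Op       string
	Caveat   string
	Children []*Expr
}

func Leaf(name string) *Expr { return &Expr{Caveat: name} }
func And(c ...*Expr) *Expr   { return &Expr{Op: "AND", Children: c} }
func Or(c ...*Expr) *Expr    { return &Expr{Op: "OR", Children: c} }

// Render formats an expression; nil (nothing left to evaluate) prints as "<nil>".
func Render(e *Expr) string {
	if e == nil {
		return "<nil>"
	}
	if e.Op == "" {
		return e.Caveat
	}
	parts := make([]string, len(e.Children))
	for i, c := range e.Children {
		parts[i] = Render(c)
	}
	return "(" + strings.Join(parts, " "+e.Op+" ") + ")"
}

// Simplify returns (simplified, passes, error) in the shape described above.
// verdicts holds the caveats that could be evaluated; a caveat missing from
// the map lacked context and stays in the expression.
func Simplify(e *Expr, verdicts map[string]bool) (*Expr, bool, error) {
	if e.Op == "" {
		v, known := verdicts[e.Caveat]
		if !known {
			return e, true, nil // conditional: keep for later evaluation
		}
		return nil, v, nil
	}
	if e.Op != "AND" && e.Op != "OR" {
		return nil, false, errors.New("unknown operator: " + e.Op)
	}
	var kept []*Expr
	for _, child := range e.Children {
		s, passes, err := Simplify(child, verdicts)
		if err != nil {
			return nil, false, err
		}
		switch {
		case e.Op == "AND" && !passes:
			return nil, false, nil // assumed: one false branch fails an AND
		case e.Op == "OR" && passes && s == nil:
			return nil, true, nil // one true branch makes the whole OR true
		case passes && s != nil:
			kept = append(kept, s) // still conditional
		}
		// Otherwise the child is dropped: a true branch of an AND, or
		// (assumed) a false branch of an OR.
	}
	switch len(kept) {
	case 0:
		// AND with every branch true passes; OR with every branch false fails.
		return nil, e.Op == "AND", nil
	case 1:
		return kept[0], true, nil
	}
	return &Expr{Op: e.Op, Children: kept}, true, nil
}

func main() {
	// Constructed sample expression and verdicts.
	expr := And(Leaf("is_weekday"), Or(Leaf("ip_allowed"), Leaf("has_mfa")))
	for _, v := range []map[string]bool{
		{"is_weekday": true},
		{"is_weekday": true, "has_mfa": true},
		{"is_weekday": false},
	} {
		s, passes, err := Simplify(expr, v)
		fmt.Println(Render(s), passes, err)
	}
}
```

A result with `passes == true` and a non-nil simplified expression is only conditional: the remaining caveats still need context before the result can be treated as an unconditional pass.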
Types ¶
type AliasIterator ¶ added in v1.49.2
type AliasIterator struct {
// contains filtered or unexported fields
}
AliasIterator is an iterator that rewrites the Resource's Relation field of all paths streamed from the sub-iterator to a specified alias relation.
func NewAliasIterator ¶ added in v1.49.2
func NewAliasIterator(relation string, subIt Iterator) *AliasIterator
NewAliasIterator creates a new Alias iterator that rewrites paths from the sub-iterator to use the specified relation name.
func (*AliasIterator) CanonicalKey ¶ added in v1.49.2
func (a *AliasIterator) CanonicalKey() CanonicalKey
func (*AliasIterator) CheckImpl ¶ added in v1.49.2
func (a *AliasIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*AliasIterator) Clone ¶ added in v1.49.2
func (a *AliasIterator) Clone() Iterator
func (*AliasIterator) Explain ¶ added in v1.49.2
func (a *AliasIterator) Explain() Explain
func (*AliasIterator) IterResourcesImpl ¶ added in v1.49.2
func (a *AliasIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*AliasIterator) IterSubjectsImpl ¶ added in v1.49.2
func (a *AliasIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*AliasIterator) ReplaceSubiterators ¶ added in v1.49.2
func (a *AliasIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*AliasIterator) ResourceType ¶ added in v1.49.2
func (a *AliasIterator) ResourceType() ([]ObjectType, error)
func (*AliasIterator) Subiterators ¶ added in v1.49.2
func (a *AliasIterator) Subiterators() []Iterator
func (*AliasIterator) SubjectTypes ¶ added in v1.49.2
func (a *AliasIterator) SubjectTypes() ([]ObjectType, error)
type AnalyzeObserver ¶ added in v1.49.2
type AnalyzeObserver struct {
*CountObserver // handles call and result counts
// contains filtered or unexported fields
}
AnalyzeObserver is a thread-safe Observer that collects execution statistics keyed by CanonicalKey. It embeds a CountObserver for tracking calls and results, and adds timing information.
func NewAnalyzeObserver ¶ added in v1.49.2
func NewAnalyzeObserver() *AnalyzeObserver
NewAnalyzeObserver creates a new thread-safe analyze observer.
func (*AnalyzeObserver) GetStats ¶ added in v1.49.2
func (a *AnalyzeObserver) GetStats() map[CanonicalKey]AnalyzeStats
GetStats returns a copy of all collected stats, merging counts from CountObserver with timings.
func (*AnalyzeObserver) ObserveEnterIterator ¶ added in v1.49.2
func (a *AnalyzeObserver) ObserveEnterIterator(op ObserverOperation, key CanonicalKey)
ObserveEnterIterator increments the call counter (via CountObserver) and records the start time.
func (*AnalyzeObserver) ObservePath ¶ added in v1.49.2
func (a *AnalyzeObserver) ObservePath(op ObserverOperation, key CanonicalKey, path Path)
ObservePath increments the result counter (via CountObserver).
func (*AnalyzeObserver) ObserveReturnIterator ¶ added in v1.49.2
func (a *AnalyzeObserver) ObserveReturnIterator(op ObserverOperation, key CanonicalKey)
ObserveReturnIterator records elapsed time since ObserveEnterIterator was called. Note: CountObserver.ObserveReturnIterator is a no-op, so we don't call it here.
type AnalyzeStats ¶ added in v1.49.0
type AnalyzeStats struct {
CountStats // embedded: CheckCalls, IterSubjectsCalls, etc.
CheckTime time.Duration
IterSubjectsTime time.Duration
IterResourcesTime time.Duration
}
AnalyzeStats collects the number of operations performed for each iterator as a query takes place, including both counts and timing information.
func AggregateAnalyzeStats ¶ added in v1.49.0
func AggregateAnalyzeStats(analyze map[CanonicalKey]AnalyzeStats) AnalyzeStats
AggregateAnalyzeStats combines all the analyze stats from a map into a single aggregated AnalyzeStats. This is useful for getting total counts across all iterators in a query execution.
type ArrowIterator ¶ added in v1.49.2
type ArrowIterator struct {
// contains filtered or unexported fields
}
ArrowIterator is an iterator that represents the set of paths that follow from a walk in the graph.
Ex: `folder->owner` and `left->right`
func NewArrowIterator ¶ added in v1.49.2
func NewArrowIterator(left, right Iterator) *ArrowIterator
func NewSchemaArrow ¶ added in v1.49.1
func NewSchemaArrow(left, right Iterator) *ArrowIterator
func (*ArrowIterator) CanonicalKey ¶ added in v1.49.2
func (a *ArrowIterator) CanonicalKey() CanonicalKey
func (*ArrowIterator) CheckImpl ¶ added in v1.49.2
func (a *ArrowIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*ArrowIterator) Clone ¶ added in v1.49.2
func (a *ArrowIterator) Clone() Iterator
func (*ArrowIterator) Explain ¶ added in v1.49.2
func (a *ArrowIterator) Explain() Explain
func (*ArrowIterator) IterResourcesImpl ¶ added in v1.49.2
func (a *ArrowIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*ArrowIterator) IterSubjectsImpl ¶ added in v1.49.2
func (a *ArrowIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*ArrowIterator) ReplaceSubiterators ¶ added in v1.49.2
func (a *ArrowIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*ArrowIterator) ResourceType ¶ added in v1.49.2
func (a *ArrowIterator) ResourceType() ([]ObjectType, error)
func (*ArrowIterator) Subiterators ¶ added in v1.49.2
func (a *ArrowIterator) Subiterators() []Iterator
func (*ArrowIterator) SubjectTypes ¶ added in v1.49.2
func (a *ArrowIterator) SubjectTypes() ([]ObjectType, error)
type CanonicalKey ¶ added in v1.49.2
type CanonicalKey string
CanonicalKey is a unique string identifier for a canonical Outline subtree. It is computed after canonicalization and represents the entire structure in a compact, deterministic format.
func (CanonicalKey) Hash ¶ added in v1.49.2
func (k CanonicalKey) Hash() uint64
Hash returns a hash fingerprint of the key for use in maps.
func (CanonicalKey) IsEmpty ¶ added in v1.49.2
func (k CanonicalKey) IsEmpty() bool
IsEmpty returns true if the key is empty (not yet computed).
func (CanonicalKey) String ¶ added in v1.49.2
func (k CanonicalKey) String() string
String returns the string representation of the key.
type CanonicalKeySource ¶ added in v1.50.0
type CanonicalKeySource interface {
GetCanonicalKey(id OutlineNodeID) CanonicalKey
}
CanonicalKeySource can resolve a CanonicalKey for a given outline node ID. PlanAdvisors receive this instead of the full CanonicalOutline to stay decoupled from the outline structure.
type CanonicalOutline ¶ added in v1.49.2
type CanonicalOutline struct {
Root Outline
CanonicalKeys map[OutlineNodeID]CanonicalKey
Hints map[OutlineNodeID][]Hint
}
CanonicalOutline is an Outline tree that has been fully canonicalized. It pairs the root Outline (with every node's ID assigned) with a map from those IDs to their CanonicalKeys. Only CanonicalOutlines can be Compiled, ensuring every iterator in the resulting tree receives its canonical key.
func ApplyAdvisor ¶ added in v1.50.0
func ApplyAdvisor(co CanonicalOutline, advisor PlanAdvisor) (CanonicalOutline, error)
ApplyAdvisor applies a PlanAdvisor to a CanonicalOutline in two phases:
1. Bottom-up mutations: for each node, GetMutations is called and the returned mutations are applied. Each mutation must preserve the node's ID (it is a bug if it does not). Newly synthesised child nodes (ID==0) receive fresh IDs and keys via assignNewNodeIDs, producing an updated CanonicalOutline.
2. Hints collection: for each node in the updated outline, GetHints is called using the updated CanonicalOutline as the key source, and the returned hints are stored in the Hints map.
The returned CanonicalOutline has the same CanonicalKeys as the input for all pre-existing nodes, extended with keys for any newly synthesised nodes, and a fully populated Hints map.
func BuildOutlineFromSchema ¶ added in v1.49.2
func BuildOutlineFromSchema(fullSchema *schema.Schema, definitionName string, relationName string) (CanonicalOutline, error)
BuildOutlineFromSchema builds a canonical Outline tree from the schema.
func CanonicalizeOutline ¶ added in v1.49.2
func CanonicalizeOutline(outline Outline) (CanonicalOutline, error)
CanonicalizeOutline transforms an Outline into canonical form, returning a CanonicalOutline that pairs the transformed tree with a map of node IDs to their CanonicalKeys.
The canonicalization process has two phases:
1. Filter Lifting: Extract all caveats, sort them, and nest them at the top
2. Bottom-Up Canonicalization: Apply five transformation steps sequentially
The function is idempotent: applying it multiple times produces the same result.
func (CanonicalOutline) Compile ¶ added in v1.49.2
func (co CanonicalOutline) Compile() (Iterator, error)
Compile converts a CanonicalOutline into the actual Iterator representation. All iterators in the resulting tree have their canonical keys set and hints applied.
func (CanonicalOutline) GetCanonicalKey ¶ added in v1.50.0
func (co CanonicalOutline) GetCanonicalKey(id OutlineNodeID) CanonicalKey
GetCanonicalKey implements CanonicalKeySource.
type CaveatIterator ¶ added in v1.46.1
type CaveatIterator struct {
// contains filtered or unexported fields
}
CaveatIterator wraps another iterator and applies caveat evaluation to its results. It checks caveat conditions on relationships during iteration and only yields relationships that satisfy the caveat constraints.
func NewCaveatIterator ¶ added in v1.46.1
func NewCaveatIterator(subiterator Iterator, caveat *core.ContextualizedCaveat) *CaveatIterator
NewCaveatIterator creates a new caveat iterator that wraps the given subiterator and applies the specified caveat conditions.
func (*CaveatIterator) CanonicalKey ¶ added in v1.49.2
func (c *CaveatIterator) CanonicalKey() CanonicalKey
func (*CaveatIterator) CheckImpl ¶ added in v1.46.1
func (c *CaveatIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*CaveatIterator) Clone ¶ added in v1.46.1
func (c *CaveatIterator) Clone() Iterator
func (*CaveatIterator) Explain ¶ added in v1.46.1
func (c *CaveatIterator) Explain() Explain
func (*CaveatIterator) IterResourcesImpl ¶ added in v1.46.1
func (c *CaveatIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*CaveatIterator) IterSubjectsImpl ¶ added in v1.46.1
func (c *CaveatIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*CaveatIterator) ReplaceSubiterators ¶ added in v1.46.1
func (c *CaveatIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*CaveatIterator) ResourceType ¶ added in v1.49.0
func (c *CaveatIterator) ResourceType() ([]ObjectType, error)
func (*CaveatIterator) Subiterators ¶ added in v1.46.1
func (c *CaveatIterator) Subiterators() []Iterator
func (*CaveatIterator) SubjectTypes ¶ added in v1.49.0
func (c *CaveatIterator) SubjectTypes() ([]ObjectType, error)
type Context ¶
type Context struct {
context.Context
Executor Executor
Reader QueryDatastoreReader // Datastore reader for this query at a specific revision
CaveatContext map[string]any
CaveatRunner *caveats.CaveatRunner
TraceLogger *TraceLogger // For debugging iterator execution (used by TraceStep calls inside iterators)
MaxRecursionDepth int // Maximum depth for recursive iterators (0 = use default of 10)
// Pagination options for IterSubjects and IterResources
PaginationCursors map[string]*tuple.Relationship // Cursors for pagination, keyed by iterator ID
PaginationLimit *uint64 // Limit for pagination (max number of results to return)
// contains filtered or unexported fields
}
Context represents a single execution of a query. It is both a standard context.Context and all the query-time specific handles needed to evaluate a query, such as which datastore it is running against.
Context is the concrete type that contains the overall handles, and uses the executor as a strategy for continuing execution.
func NewLocalContext ¶ added in v1.49.0
func NewLocalContext(stdContext context.Context, opts ...ContextOption) *Context
NewLocalContext creates a new query execution context with a LocalExecutor. This is a convenience constructor for tests and local execution scenarios.
func NewTestContext ¶ added in v1.50.0
NewTestContext creates a fresh Context with a LocalExecutor for use in tests. Each call returns an independent context — parallel subtests must each call this rather than sharing a single context, because Context holds mutable state (e.g. topLevelIterator) that is not safe for concurrent reuse.
Pass the current *testing.T so that the Go context is tied to the test's lifetime. Passing nil leaves Context.Context unset (callers must set it).
func (*Context) Check ¶
func (ctx *Context) Check(it Iterator, resources []Object, subject ObjectAndRelation) (PathSeq, error)
Check tests if, for the underlying set of relationships (which may be a full expression or a basic lookup, depending on the iterator) any of the `resources` are connected to `subject`. Returns the sequence of matching paths, if they exist, at most `len(resources)`.
func (*Context) CollectFrontierObject ¶ added in v1.49.2
CollectFrontierObject appends an object to the frontier collection. Only appends if collection mode is enabled (non-nil entry exists).
func (*Context) EnableFrontierCollection ¶ added in v1.49.2
EnableFrontierCollection enables frontier collection for a RecursiveIterator. Creates a non-nil entry in the map, which signals collection mode.
func (*Context) ExtractFrontierCollection ¶ added in v1.49.2
ExtractFrontierCollection retrieves and removes the collected frontier.
func (*Context) GetPaginationCursor ¶ added in v1.49.2
func (ctx *Context) GetPaginationCursor(iteratorID string) *tuple.Relationship
GetPaginationCursor retrieves the cursor for a specific iterator ID.
func (*Context) IsCollectingFrontier ¶ added in v1.49.2
IsCollectingFrontier checks if collection mode is enabled (non-nil entry exists).
func (*Context) IterResources ¶
func (ctx *Context) IterResources(it Iterator, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
IterResources returns a sequence of all the relations in this set that match the given subject. The filterResourceType parameter filters results to only include resources matching the specified ObjectType. If filterResourceType.Type is empty, no filtering is applied. The first call sets topLevelIteratorHash and wraps the result with DeduplicatePathSeq; recursive sub-calls pass through unchanged.
func (*Context) IterSubjects ¶
func (ctx *Context) IterSubjects(it Iterator, resource Object, filterSubjectType ObjectType) (PathSeq, error)
IterSubjects returns a sequence of all the paths in this set that match the given resource. The filterSubjectType parameter filters results to only include subjects matching the specified ObjectType. If filterSubjectType.Type is empty, no filtering is applied. The first call sets topLevelIteratorHash and wraps the result with DeduplicatePathSeq; recursive sub-calls pass through unchanged.
func (*Context) SetPaginationCursor ¶ added in v1.49.2
func (ctx *Context) SetPaginationCursor(iteratorID string, cursor *tuple.Relationship)
SetPaginationCursor sets the cursor for a specific iterator ID.
func (*Context) TraceEnter ¶ added in v1.46.1
type ContextOption ¶ added in v1.49.0
type ContextOption func(*Context)
ContextOption is a function that configures a Context.
func WithCaveatContext ¶ added in v1.49.0
func WithCaveatContext(caveatCtx map[string]any) ContextOption
WithCaveatContext sets the caveat context for the context.
func WithCaveatRunner ¶ added in v1.49.0
func WithCaveatRunner(runner *caveats.CaveatRunner) ContextOption
WithCaveatRunner sets the caveat runner for the context.
func WithMaxRecursionDepth ¶ added in v1.49.0
func WithMaxRecursionDepth(depth int) ContextOption
WithMaxRecursionDepth sets the maximum recursion depth for the context.
func WithObserver ¶ added in v1.49.2
func WithObserver(o Observer) ContextOption
WithObserver adds an Observer to the context.
func WithPaginationLimit ¶ added in v1.49.2
func WithPaginationLimit(limit uint64) ContextOption
WithPaginationLimit sets the pagination limit for the context.
func WithReader ¶ added in v1.49.0
func WithReader(reader QueryDatastoreReader) ContextOption
WithReader sets the datastore reader for the context.
func WithRevisionedReader ¶ added in v1.50.0
func WithRevisionedReader(reader datalayer.RevisionedReader) ContextOption
WithRevisionedReader wraps a datalayer.RevisionedReader as a QueryDatastoreReader and sets it as the datastore reader for the context.
func WithTraceLogger ¶ added in v1.49.0
func WithTraceLogger(logger *TraceLogger) ContextOption
WithTraceLogger sets the trace logger for the context.
type CountAdvisor ¶ added in v1.50.0
type CountAdvisor struct {
// contains filtered or unexported fields
}
CountAdvisor uses observed CountStats keyed by CanonicalKey to hint whether arrow iterators should be reversed. It compares the IterSubjectsResults of the left subtree against the IterResourcesResults of the right subtree: if the left fan-out is, on average, wider than the right fan-out, starting from the right is likely cheaper.
func NewCountAdvisor ¶ added in v1.50.0
func NewCountAdvisor(stats map[CanonicalKey]CountStats) *CountAdvisor
NewCountAdvisor creates a CountAdvisor from a snapshot of observed stats.
func (*CountAdvisor) GetHints ¶ added in v1.50.0
func (a *CountAdvisor) GetHints(outline Outline, keySource CanonicalKeySource) ([]Hint, error)
GetHints returns an ArrowDirectionHint for arrow nodes when observed result ratios suggest reversal is beneficial. For all other node types it returns nil.
func (*CountAdvisor) GetMutations ¶ added in v1.50.0
func (a *CountAdvisor) GetMutations(outline Outline, keySource CanonicalKeySource) ([]OutlineMutation, error)
GetMutations is a stub — no structural mutations from count data yet.
type CountObserver ¶ added in v1.50.0
type CountObserver struct {
// contains filtered or unexported fields
}
CountObserver is a thread-safe Observer that collects call and result counts keyed by CanonicalKey. It does not record timing information.
func NewCountObserver ¶ added in v1.50.0
func NewCountObserver() *CountObserver
NewCountObserver creates a new thread-safe count observer.
func (*CountObserver) GetStats ¶ added in v1.50.0
func (c *CountObserver) GetStats() map[CanonicalKey]CountStats
GetStats returns a copy of all collected count stats.
func (*CountObserver) ObserveEnterIterator ¶ added in v1.50.0
func (c *CountObserver) ObserveEnterIterator(op ObserverOperation, key CanonicalKey)
ObserveEnterIterator increments the call counter for the given operation and key.
func (*CountObserver) ObservePath ¶ added in v1.50.0
func (c *CountObserver) ObservePath(op ObserverOperation, key CanonicalKey, _ Path)
ObservePath increments the result counter for the given operation and key.
func (*CountObserver) ObserveReturnIterator ¶ added in v1.50.0
func (c *CountObserver) ObserveReturnIterator(_ ObserverOperation, _ CanonicalKey)
ObserveReturnIterator is a no-op for CountObserver; no timing is recorded.
type CountStats ¶ added in v1.50.0
type CountStats struct {
CheckCalls int
IterSubjectsCalls int
IterResourcesCalls int
CheckResults int
IterSubjectsResults int
IterResourcesResults int
}
CountStats collects the number of calls and results for each of the three iterator operations (Check, IterSubjects, IterResources).
func AggregateCountStats ¶ added in v1.50.0
func AggregateCountStats(counts map[CanonicalKey]CountStats) CountStats
AggregateCountStats combines all the count stats from a map into a single aggregated CountStats. This is useful for getting total counts across all iterators in a query execution.
type DatastoreIterator ¶ added in v1.49.2
type DatastoreIterator struct {
// contains filtered or unexported fields
}
DatastoreIterator is a common leaf iterator. It represents the set of all relationships of the given schema.BaseRelation, i.e., relations that have a known resource and subject type and may contain caveats or expiration.
The DatastoreIterator, being the leaf, generates this set by calling the datastore.
func NewDatastoreIterator ¶ added in v1.49.2
func NewDatastoreIterator(base *schema.BaseRelation) *DatastoreIterator
func (*DatastoreIterator) CanonicalKey ¶ added in v1.49.2
func (r *DatastoreIterator) CanonicalKey() CanonicalKey
func (*DatastoreIterator) CheckImpl ¶ added in v1.49.2
func (r *DatastoreIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*DatastoreIterator) Clone ¶ added in v1.49.2
func (r *DatastoreIterator) Clone() Iterator
func (*DatastoreIterator) Explain ¶ added in v1.49.2
func (r *DatastoreIterator) Explain() Explain
func (*DatastoreIterator) IterResourcesImpl ¶ added in v1.49.2
func (r *DatastoreIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*DatastoreIterator) IterSubjectsImpl ¶ added in v1.49.2
func (r *DatastoreIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*DatastoreIterator) ReplaceSubiterators ¶ added in v1.49.2
func (r *DatastoreIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*DatastoreIterator) ResourceType ¶ added in v1.49.2
func (r *DatastoreIterator) ResourceType() ([]ObjectType, error)
func (*DatastoreIterator) Subiterators ¶ added in v1.49.2
func (r *DatastoreIterator) Subiterators() []Iterator
func (*DatastoreIterator) SubjectTypes ¶ added in v1.49.2
func (r *DatastoreIterator) SubjectTypes() ([]ObjectType, error)
type ExclusionIterator ¶ added in v1.49.2
type ExclusionIterator struct {
// contains filtered or unexported fields
}
ExclusionIterator represents the set of relations that are in the mainSet but not in the excluded set. This is equivalent to `permission foo = bar - baz`
func NewExclusionIterator ¶ added in v1.49.2
func NewExclusionIterator(mainSet, excluded Iterator) *ExclusionIterator
func (*ExclusionIterator) CanonicalKey ¶ added in v1.49.2
func (e *ExclusionIterator) CanonicalKey() CanonicalKey
func (*ExclusionIterator) CheckImpl ¶ added in v1.49.2
func (e *ExclusionIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*ExclusionIterator) Clone ¶ added in v1.49.2
func (e *ExclusionIterator) Clone() Iterator
func (*ExclusionIterator) Explain ¶ added in v1.49.2
func (e *ExclusionIterator) Explain() Explain
func (*ExclusionIterator) IterResourcesImpl ¶ added in v1.49.2
func (e *ExclusionIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*ExclusionIterator) IterSubjectsImpl ¶ added in v1.49.2
func (e *ExclusionIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*ExclusionIterator) ReplaceSubiterators ¶ added in v1.49.2
func (e *ExclusionIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*ExclusionIterator) ResourceType ¶ added in v1.49.2
func (e *ExclusionIterator) ResourceType() ([]ObjectType, error)
func (*ExclusionIterator) Subiterators ¶ added in v1.49.2
func (e *ExclusionIterator) Subiterators() []Iterator
func (*ExclusionIterator) SubjectTypes ¶ added in v1.49.2
func (e *ExclusionIterator) SubjectTypes() ([]ObjectType, error)
type Executor ¶
type Executor interface {
// Check tests if, for the underlying set of relationships (which may be a full expression or a basic lookup, depending on the iterator)
// any of the `resources` are connected to `subject`.
// Returns the sequence of matching relations, if they exist, at most `len(resources)`.
Check(ctx *Context, it Iterator, resources []Object, subject ObjectAndRelation) (PathSeq, error)
// IterSubjects returns a sequence of all the relations in this set that match the given resource.
// The filterSubjectType parameter filters results to only include subjects matching the
// specified ObjectType. If filterSubjectType.Type is empty, no filtering is applied.
IterSubjects(ctx *Context, it Iterator, resource Object, filterSubjectType ObjectType) (PathSeq, error)
// IterResources returns a sequence of all the relations in this set that match the given subject.
// The filterResourceType parameter filters results to only include resources matching the
// specified ObjectType. If filterResourceType.Type is empty, no filtering is applied.
IterResources(ctx *Context, it Iterator, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
}
Executor chooses how to proceed given an iterator -- perhaps in parallel, perhaps by RPC, etc -- and chooses how to process iteration from the subtree. The correctness logic for the results that are generated is up to each iterator, and each iterator may use statistics to choose the best, yet still correct, logical evaluation strategy. The Executor, meanwhile, makes that evaluation happen in the most convenient form, based on its implementation.
type Explain ¶
type Explain struct {
Name string // Short name for tracing (e.g., "Arrow", "Union")
Info string // Full info for display
SubExplain []Explain
}
Explain describes the state of an iterator tree, in a human-readable fashion, with an Info line at each node.
TODO: This can be extended with other interesting stats about the tree.
func (Explain) IndentString ¶
IndentString pretty-prints an Explain tree with a given indentation.
type FaultyIterator ¶
type FaultyIterator struct {
// contains filtered or unexported fields
}
FaultyIterator is a test helper that simulates iterator errors
func NewFaultyIterator ¶
func NewFaultyIterator(shouldFailOnCheck, shouldFailOnCollect bool, resourceType ObjectType, subjectTypes []ObjectType) *FaultyIterator
NewFaultyIterator creates a new FaultyIterator for testing error conditions
func (*FaultyIterator) CanonicalKey ¶ added in v1.49.2
func (f *FaultyIterator) CanonicalKey() CanonicalKey
func (*FaultyIterator) CheckImpl ¶
func (f *FaultyIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*FaultyIterator) Clone ¶
func (f *FaultyIterator) Clone() Iterator
func (*FaultyIterator) Explain ¶
func (f *FaultyIterator) Explain() Explain
func (*FaultyIterator) IterResourcesImpl ¶
func (f *FaultyIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*FaultyIterator) IterSubjectsImpl ¶
func (f *FaultyIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*FaultyIterator) ReplaceSubiterators ¶ added in v1.46.1
func (f *FaultyIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*FaultyIterator) ResourceType ¶ added in v1.49.0
func (f *FaultyIterator) ResourceType() ([]ObjectType, error)
func (*FaultyIterator) Subiterators ¶ added in v1.46.1
func (f *FaultyIterator) Subiterators() []Iterator
func (*FaultyIterator) SubjectTypes ¶ added in v1.49.0
func (f *FaultyIterator) SubjectTypes() ([]ObjectType, error)
type FixedIterator ¶
type FixedIterator struct {
// contains filtered or unexported fields
}
For example: document->folder->ownerGroup->user -- and we'd like to find all documents (IterResources) that traverse a known folder->ownerGroup relationship
func NewDocumentAccessFixedIterator ¶
func NewDocumentAccessFixedIterator() *FixedIterator
NewDocumentAccessFixedIterator creates a FixedIterator with typical document access patterns
func NewEmptyFixedIterator ¶
func NewEmptyFixedIterator() *FixedIterator
NewEmptyFixedIterator creates an empty FixedIterator for testing edge cases
func NewFixedIterator ¶
func NewFixedIterator(paths ...Path) *FixedIterator
func NewFolderHierarchyFixedIterator ¶
func NewFolderHierarchyFixedIterator() *FixedIterator
NewFolderHierarchyFixedIterator creates a FixedIterator with folder hierarchy relations
func NewLargeFixedIterator ¶
func NewLargeFixedIterator() *FixedIterator
NewLargeFixedIterator creates a FixedIterator with many relations for performance testing
func NewMultiRoleFixedIterator ¶
func NewMultiRoleFixedIterator() *FixedIterator
NewMultiRoleFixedIterator creates a FixedIterator where users have multiple roles on the same resources
func NewSingleUserFixedIterator ¶
func NewSingleUserFixedIterator(userID string) *FixedIterator
NewSingleUserFixedIterator creates a FixedIterator with relations for a single user across multiple resources
func (*FixedIterator) CanonicalKey ¶ added in v1.49.2
func (f *FixedIterator) CanonicalKey() CanonicalKey
func (*FixedIterator) CheckImpl ¶
func (f *FixedIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*FixedIterator) Clone ¶
func (f *FixedIterator) Clone() Iterator
func (*FixedIterator) Explain ¶
func (f *FixedIterator) Explain() Explain
func (*FixedIterator) IterResourcesImpl ¶
func (f *FixedIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*FixedIterator) IterSubjectsImpl ¶
func (f *FixedIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*FixedIterator) ReplaceSubiterators ¶ added in v1.46.1
func (f *FixedIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*FixedIterator) ResourceType ¶ added in v1.49.0
func (f *FixedIterator) ResourceType() ([]ObjectType, error)
func (*FixedIterator) Subiterators ¶ added in v1.46.1
func (f *FixedIterator) Subiterators() []Iterator
func (*FixedIterator) SubjectTypes ¶ added in v1.49.0
func (f *FixedIterator) SubjectTypes() ([]ObjectType, error)
type Hint ¶ added in v1.50.0
func ArrowDirectionHint ¶ added in v1.50.0
func ArrowDirectionHint(direction arrowDirection) Hint
type IntersectionArrowIterator ¶ added in v1.49.2
type IntersectionArrowIterator struct {
// contains filtered or unexported fields
}
IntersectionArrowIterator is an iterator that represents the set of relations that follow from a walk in the graph where ALL subjects on the left must satisfy the right side condition.
Ex: `group.all(member)` - user must be member of ALL groups
func NewIntersectionArrowIterator ¶ added in v1.49.2
func NewIntersectionArrowIterator(left, right Iterator) *IntersectionArrowIterator
func (*IntersectionArrowIterator) CanonicalKey ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) CanonicalKey() CanonicalKey
func (*IntersectionArrowIterator) CheckImpl ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*IntersectionArrowIterator) Clone ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) Clone() Iterator
func (*IntersectionArrowIterator) Explain ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) Explain() Explain
func (*IntersectionArrowIterator) IterResourcesImpl ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*IntersectionArrowIterator) IterSubjectsImpl ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*IntersectionArrowIterator) ReplaceSubiterators ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*IntersectionArrowIterator) ResourceType ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) ResourceType() ([]ObjectType, error)
func (*IntersectionArrowIterator) Subiterators ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) Subiterators() []Iterator
func (*IntersectionArrowIterator) SubjectTypes ¶ added in v1.49.2
func (ia *IntersectionArrowIterator) SubjectTypes() ([]ObjectType, error)
type IntersectionIterator ¶ added in v1.49.2
type IntersectionIterator struct {
// contains filtered or unexported fields
}
IntersectionIterator represents the set of paths that are in all of the underlying subiterators. This is equivalent to `permission foo = bar & baz`
func (*IntersectionIterator) CanonicalKey ¶ added in v1.49.2
func (i *IntersectionIterator) CanonicalKey() CanonicalKey
func (*IntersectionIterator) CheckImpl ¶ added in v1.49.2
func (i *IntersectionIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*IntersectionIterator) Clone ¶ added in v1.49.2
func (i *IntersectionIterator) Clone() Iterator
func (*IntersectionIterator) Explain ¶ added in v1.49.2
func (i *IntersectionIterator) Explain() Explain
func (*IntersectionIterator) IterResourcesImpl ¶ added in v1.49.2
func (i *IntersectionIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*IntersectionIterator) IterSubjectsImpl ¶ added in v1.49.2
func (i *IntersectionIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*IntersectionIterator) ReplaceSubiterators ¶ added in v1.49.2
func (i *IntersectionIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*IntersectionIterator) ResourceType ¶ added in v1.49.2
func (i *IntersectionIterator) ResourceType() ([]ObjectType, error)
func (*IntersectionIterator) Subiterators ¶ added in v1.49.2
func (i *IntersectionIterator) Subiterators() []Iterator
func (*IntersectionIterator) SubjectTypes ¶ added in v1.49.2
func (i *IntersectionIterator) SubjectTypes() ([]ObjectType, error)
type Iterator ¶
type Iterator interface {
Plan
// Clone does a deep-copy to duplicate the iterator tree at this point.
Clone() Iterator
// Subiterators returns the child iterators of this iterator, if any.
// Returns nil or empty slice for leaf iterators.
Subiterators() []Iterator
// ReplaceSubiterators returns a new iterator with the given subiterators replacing the current ones.
// This method always returns a new iterator instance.
// For leaf iterators (those with no subiterators), this returns an error.
// For composite iterators, the length of newSubs should match the length of Subiterators().
// Returns an error if the replacement fails or if the length of newSubs doesn't match expectations.
ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
// CanonicalKey returns the canonical key for this iterator.
// Cloned iterators share the same canonical key since they represent the same query plan node.
CanonicalKey() CanonicalKey
// ResourceType returns the ObjectType(s) of this iterator's resources.
// Returns a slice to support iterators that can return multiple types (e.g., unions).
ResourceType() ([]ObjectType, error)
// SubjectTypes returns all the ObjectTypes for this iterator tree.
// Returns an error if subject types cannot be determined.
SubjectTypes() ([]ObjectType, error)
}
Iterator is a Plan that forms a tree structure through its Subiterators, where the tree represents the query execution plan that can be traversed and optimized. While Plan provides a read-only query interface, Iterator adds methods for cloning, inspecting, and rebuilding iterator trees. This enables query optimization by rewriting the tree.
Implementations should form a composite tree structure where leaf nodes (e.g., datastore scans) have no subiterators, and composite nodes (e.g., unions, intersections) combine multiple subiterators.
Most tree transformations should use the Walk helper function rather than manually calling Subiterators and ReplaceSubiterators.
func NewIntersectionIterator ¶ added in v1.49.2
func NewUnionIterator ¶ added in v1.49.2
func Walk ¶ added in v1.46.1
Walk traverses an iterator tree depth-first, calling the callback for each node. If the callback returns a different iterator than the input, that iterator replaces the current node. The callback is applied bottom-up (children are processed before parents). Panics if ReplaceSubiterators returns an error (should never happen in normal operation).
type IteratorArgs ¶ added in v1.49.2
type IteratorArgs struct {
Relation *schema.BaseRelation
DefinitionName string
RelationName string
Caveat *core.ContextualizedCaveat
FixedPaths []Path
}
IteratorArgs represents all the possible arguments to the Iterator constructors. It is used by the Outline to carry the context of an Iterator.
type IteratorType ¶ added in v1.49.2
type IteratorType byte
IteratorType is an enum to represent each basic type of iterator by a well-known byte.
Remember to also update the allIteratorTypes list below when adding a new one.
const (
NullIteratorType IteratorType = '0'
DatastoreIteratorType IteratorType = 'D'
UnionIteratorType IteratorType = '|'
IntersectionIteratorType IteratorType = '&'
FixedIteratorType IteratorType = 'F'
ArrowIteratorType IteratorType = '>'
ExclusionIteratorType IteratorType = 'X'
CaveatIteratorType IteratorType = 'C'
AliasIteratorType IteratorType = '@'
RecursiveIteratorType IteratorType = 'R'
RecursiveSentinelIteratorType IteratorType = 'r'
IntersectionArrowIteratorType IteratorType = 'A'
SelfIteratorType IteratorType = '='
)
type LocalExecutor ¶
type LocalExecutor struct{}
LocalExecutor is the simplest executor. It simply calls the iterator's implementation directly.
func (LocalExecutor) Check ¶
func (l LocalExecutor) Check(ctx *Context, it Iterator, resources []Object, subject ObjectAndRelation) (PathSeq, error)
Check tests if, for the underlying set of relationships (which may be a full expression or a basic lookup, depending on the iterator) any of the `resources` are connected to `subject`. Returns the sequence of matching paths, if they exist, at most `len(resources)`.
func (LocalExecutor) IterResources ¶
func (l LocalExecutor) IterResources(ctx *Context, it Iterator, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
IterResources returns a sequence of all the paths in this set that match the given subject.
func (LocalExecutor) IterSubjects ¶
func (l LocalExecutor) IterSubjects(ctx *Context, it Iterator, resource Object, filterSubjectType ObjectType) (PathSeq, error)
IterSubjects returns a sequence of all the paths in this set that match the given resource.
type Object ¶
Object represents a single object, without specifying the relation.
func GetObject ¶
func GetObject(oar ObjectAndRelation) Object
GetObject extracts the Object part from an ObjectAndRelation.
func NewObjects ¶
NewObjects creates a slice of Objects of the same type with the given object IDs.
func (Object) WithEllipses ¶
func (o Object) WithEllipses() ObjectAndRelation
WithEllipses builds an ObjectAndRelation from an object with the default ellipses relation.
func (Object) WithRelation ¶
func (o Object) WithRelation(relation string) ObjectAndRelation
WithRelation builds a full ObjectAndRelation out of the given Object.
type ObjectAndRelation ¶
type ObjectAndRelation = tuple.ObjectAndRelation
func NewObjectAndRelation ¶
func NewObjectAndRelation(objectID, objectType, relation string) ObjectAndRelation
NewObjectAndRelation creates a new ObjectAndRelation with the given object ID, type, and relation.
type ObjectType ¶ added in v1.49.0
func NewType ¶ added in v1.49.0
func NewType(typename string, subrelation ...string) ObjectType
func NoObjectFilter ¶ added in v1.49.0
func NoObjectFilter() ObjectType
NoObjectFilter returns an empty ObjectType that indicates no filtering should be applied. Use this instead of ObjectType{} for clarity when calling IterResources or IterSubjects.
func (ObjectType) String ¶ added in v1.49.0
func (t ObjectType) String() string
type Observer ¶ added in v1.49.2
type Observer interface {
ObserveEnterIterator(op ObserverOperation, key CanonicalKey)
ObservePath(op ObserverOperation, key CanonicalKey, path Path)
ObserveReturnIterator(op ObserverOperation, key CanonicalKey)
}
type ObserverOperation ¶ added in v1.49.2
type ObserverOperation int
const (
CheckOperation ObserverOperation = iota
IterSubjectsOperation
IterResourcesOperation
)
type Outline ¶ added in v1.49.2
type Outline struct {
Type IteratorType
Args *IteratorArgs
SubOutlines []Outline
ID OutlineNodeID // Populated only inside a CanonicalOutline
}
Outline is a single type representing the tree of yet-to-be-compiled Iterators.
func FillMissingNodeIDs ¶ added in v1.50.0
func FillMissingNodeIDs(outline Outline, keys map[OutlineNodeID]CanonicalKey) Outline
FillMissingNodeIDs walks the outline tree bottom-up and assigns fresh OutlineNodeIDs to any node where ID == 0, recording their CanonicalKeys in the provided map. Nodes that already have an ID are left unchanged, and their existing map entries are preserved.
This is used after mutations that may introduce new structural nodes (e.g. caveat wrappers, rotated arrows) into an already-canonicalized tree.
func MutateOutline ¶ added in v1.49.2
func MutateOutline(outline Outline, fns []OutlineMutation) Outline
MutateOutline performs a bottom-up traversal of the outline tree, applying all the given transformation functions to each node after processing its children.
func NullPropagation ¶ added in v1.50.0
NullPropagation is an OutlineMutation that propagates NullIteratorType nodes upward through the tree according to each node type's semantics:
- Union: null if ALL children are null
- Intersection: null if ANY child is null
- Arrow/IntersectionArrow: null if the right child is null
- Exclusion: null if the left child is null
- Caveat/Alias/Recursive: null if the only child is null
This is intended to run after a mutation that nullifies leaf nodes (e.g. reachability pruning), so that the nulls cascade correctly through the tree during the bottom-up walk.
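The propagation rules above, worked through on a small stand-alone model (an added example, not code from this package): `node`, `propagateNull`, `walkBottomUp`, `render` and `prune` are hypothetical stand-ins, and only the IteratorType bytes are taken from this page. The Exclusion cases show why the rule is asymmetric: pruning the excluded side must leave the main set standing, while pruning the main set empties the permission.

```go
package main

import (
	"fmt"
	"strings"
)

// IteratorType bytes are copied from the const block on this page (subset).
type IteratorType byte

const (
	NullIteratorType              IteratorType = '0'
	DatastoreIteratorType         IteratorType = 'D'
	UnionIteratorType             IteratorType = '|'
	IntersectionIteratorType      IteratorType = '&'
	ArrowIteratorType             IteratorType = '>'
	ExclusionIteratorType         IteratorType = 'X'
	CaveatIteratorType            IteratorType = 'C'
	AliasIteratorType             IteratorType = '@'
	RecursiveIteratorType         IteratorType = 'R'
	IntersectionArrowIteratorType IteratorType = 'A'
)

// node is a hypothetical stand-in for Outline: type byte, label, children.
type node struct {
	Type IteratorType
	Name string
	Subs []node
}

func leaf(name string) node                { return node{Type: DatastoreIteratorType, Name: "(" + name + ")"} }
func null() node                           { return node{Type: NullIteratorType} }
func op(t IteratorType, subs ...node) node { return node{Type: t, Subs: subs} }
func isNull(n node) bool                   { return n.Type == NullIteratorType }

// propagateNull applies the documented rule to one node whose children have
// already been processed. Shapes the rules do not cover are left unchanged.
func propagateNull(n node) node {
	nulls := 0
	for _, s := range n.Subs {
		if isNull(s) {
			nulls++
		}
	}
	var dead bool
	switch n.Type {
	case UnionIteratorType: // null only if ALL children are null
		dead = nulls > 0 && nulls == len(n.Subs)
	case IntersectionIteratorType: // null if ANY child is null
		dead = nulls > 0
	case ArrowIteratorType, IntersectionArrowIteratorType: // the right child decides
		dead = len(n.Subs) == 2 && isNull(n.Subs[1])
	case ExclusionIteratorType: // the left (main set) decides, not the excluded set
		dead = len(n.Subs) == 2 && isNull(n.Subs[0])
	case CaveatIteratorType, AliasIteratorType, RecursiveIteratorType: // only child
		dead = len(n.Subs) == 1 && nulls == 1
	}
	if dead {
		return null()
	}
	return n
}

// walkBottomUp rebuilds the children first, then hands the node to fn.
func walkBottomUp(n node, fn func(node) node) node {
	subs := make([]node, len(n.Subs))
	for i, s := range n.Subs {
		subs[i] = walkBottomUp(s, fn)
	}
	n.Subs = subs
	return fn(n)
}

// render is this example's own compact notation, not the output of Serialize.
func render(n node) string {
	parts := make([]string, len(n.Subs))
	for i, c := range n.Subs {
		parts[i] = render(c)
	}
	if len(parts) == 0 {
		return string(rune(n.Type)) + n.Name
	}
	return string(rune(n.Type)) + "[" + strings.Join(parts, ",") + "]"
}

// prune runs the propagation over a whole tree and renders the result.
func prune(n node) string { return render(walkBottomUp(n, propagateNull)) }

func main() {
	// Constructed trees; the relation names are made up for the example.
	fmt.Println(prune(op(ExclusionIteratorType, leaf("viewer"), null())))
	fmt.Println(prune(op(ExclusionIteratorType, null(), leaf("banned"))))
	fmt.Println(prune(op(IntersectionIteratorType, leaf("editor"),
		op(ArrowIteratorType, leaf("parent"), null()))))
}
```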
func WalkOutlineBottomUp ¶ added in v1.50.0
WalkOutlineBottomUp performs a bottom-up traversal of an Outline tree, rebuilding each node with its processed children before passing it to fn. fn receives the node (with already-processed children) and returns a replacement node and an optional error. The traversal stops and the error is propagated on the first failure.
func (Outline) Serialize ¶ added in v1.49.2
func (outline Outline) Serialize() CanonicalKey
Serialize generates a compact, deterministic string representation of an Outline subtree based on its Type, Args, and SubOutlines. The ID field is not included in serialization. Format: <Type>(<Args>)[<Sub1>,<Sub2>,...] Returns a CanonicalKey wrapping the serialized string.
CaveatIterator nodes are identified solely by their caveat name, independent of their position in the tree. Their subiterators are not included in the key.
type OutlineMutation ¶ added in v1.49.2
OutlineMutation is a function that transforms an Outline node. Mutations are typically applied during a bottom-up tree traversal.
func ReorderMutation ¶ added in v1.50.0
func ReorderMutation(order []int) OutlineMutation
ReorderMutation returns an OutlineMutation that reorders SubOutlines according to order, where order[i] is the index of the child to place at position i. If order has a different length than the node's SubOutlines, it is a no-op.
func RotateArrowMutation ¶ added in v1.50.0
func RotateArrowMutation(rotateLeft bool) OutlineMutation
RotateArrowMutation returns an OutlineMutation that rotates nested arrow structures to potentially reduce execution cost.
If rotateLeft is true:
- Transforms (A->B)->C into A->(B->C)
- Requires: outline is ArrowIteratorType with left child also ArrowIteratorType
If rotateLeft is false:
- Transforms A->(B->C) into (A->B)->C
- Requires: outline is ArrowIteratorType with right child also ArrowIteratorType
Returns outline unchanged if preconditions are not met or if the outline is not an arrow type.
type OutlineNodeID ¶ added in v1.49.2
type OutlineNodeID uint64
OutlineNodeID is a numeric identifier assigned to each node in a CanonicalOutline. It is populated by CanonicalizeOutline; plain (non-canonical, non-filter) Outlines have a zero-valued ID and cannot be compiled.
type Path ¶ added in v1.46.0
type Path struct {
Resource Object
Relation string
Subject ObjectAndRelation
Caveat *core.CaveatExpression
Expiration *time.Time
Integrity []*core.RelationshipIntegrity
Metadata map[string]any
}
Path is an abstract notion of an individual relation. While tuple.Relation is what is stored under the hood, this represents a virtual relation, one that may either be backed by a real tuple, or one that is constructed from a query path, equivalent to a subtree of a query.Plan. `permission foo = bar | baz`, for example, is a Path named foo that can be constructed by either the bar path or the baz path (which themselves may be other paths, down to individual, stored, relations.)
func CollectAll ¶
CollectAll is a helper function to read a complete PathSeq and turn it into a fully realized slice of Paths.
func FromRelationship ¶ added in v1.46.0
func FromRelationship(rel tuple.Relationship) Path
FromRelationship creates a new Path from a tuple.Relationship.
func MustPathFromString ¶ added in v1.46.0
MustPathFromString is a helper function for tests that creates a Path from a relationship string. It uses tuple.MustParse to parse the string and then converts it to a Path using FromRelationship. Example: MustPathFromString("document:doc1#viewer@user:alice")
func (Path) EndpointsKey ¶ added in v1.47.1
EndpointsKey returns a unique string key for this Path based on its resource and subject only, excluding the relation. This matches the semantics of EqualsEndpoints.
func (Path) EqualsEndpoints ¶ added in v1.46.1
EqualsEndpoints checks if two paths have the same Resource and Subject endpoints (types and IDs only)
func (Path) Key ¶ added in v1.46.1
Key returns a unique string key for this Path based on its resource and subject
func (Path) MergeAnd ¶ added in v1.46.0
MergeAnd combines the paths, ANDing the caveats and expiration and metadata together. Returns a new Path with the merged values.
func (Path) MergeAndNot ¶ added in v1.46.0
MergeAndNot combines the paths, subtracting the caveats and expiration and metadata together. Returns a new Path with the merged values.
func (Path) MergeOr ¶ added in v1.46.0
MergeOr combines the paths, ORing the caveats and expiration and metadata together. Returns a new Path with the merged values.
func (Path) ResourceOAR ¶ added in v1.46.0
func (p Path) ResourceOAR() ObjectAndRelation
ResourceOAR returns the resource as an ObjectAndRelation with the current relation type.
func (Path) ToRelationship ¶ added in v1.46.0
func (p Path) ToRelationship() (tuple.Relationship, error)
ToRelationship converts the Path to a tuple.Relationship.
type PathSeq ¶ added in v1.46.0
PathSeq is the intermediate iter closure that any of the planning calls return.
func DeduplicatePathSeq ¶ added in v1.47.1
DeduplicatePathSeq returns a new PathSeq that deduplicates paths based on their endpoints (resource and subject, excluding relation). Paths with the same endpoints are merged using OR semantics (caveats are OR'd, no caveat wins over caveat). This collects all paths first, deduplicates with merging, then yields results.
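The merge rule described for DeduplicatePathSeq, as an added, self-contained model (not the package's own code). The `path` type, string caveat names, `mergeOr`, `dedupByEndpoints` and the sample relationships are assumptions made for illustration; the real Path carries a `*core.CaveatExpression`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// path is a simplified stand-in for Path (assumption). Caveats lists
// alternative caveat names; an empty list means the path is unconditional.
type path struct {
	Resource, Relation, Subject string
	Caveats                     []string
}

// endpoints is the dedup key: resource and subject only, relation excluded.
// A struct key avoids the collisions that joining IDs into a string can cause.
type endpoints struct{ resource, subject string }

// mergeOr ORs two paths that share endpoints. If either side is unconditional
// the result is unconditional. Keeping a's relation is this model's assumption.
func mergeOr(a, b path) path {
	out := path{Resource: a.Resource, Relation: a.Relation, Subject: a.Subject}
	if len(a.Caveats) == 0 || len(b.Caveats) == 0 {
		return out
	}
	all := append(append([]string{}, a.Caveats...), b.Caveats...)
	sort.Strings(all)
	for i, c := range all {
		if i == 0 || c != all[i-1] { // drop repeated caveat names
			out.Caveats = append(out.Caveats, c)
		}
	}
	return out
}

// dedupByEndpoints reads every path, merges duplicates with mergeOr, and
// returns the results in first-seen order.
func dedupByEndpoints(in []path) []path {
	index := map[endpoints]int{}
	var out []path
	for _, p := range in {
		k := endpoints{p.Resource, p.Subject}
		if i, ok := index[k]; ok {
			out[i] = mergeOr(out[i], p)
			continue
		}
		index[k] = len(out)
		out = append(out, p)
	}
	return out
}

// condition renders the merged caveat set; "" means always allowed.
func condition(p path) string { return strings.Join(p.Caveats, " || ") }

// sample is constructed input, not data from the project.
var sample = []path{
	{"document:doc1", "viewer", "user:alice", []string{"on_vpn"}},
	{"document:doc1", "editor", "user:alice", []string{"business_hours"}},
	{"document:doc1", "viewer", "user:bob", []string{"on_vpn"}},
	{"document:doc1", "owner", "user:bob", nil},
	{"document:doc2", "viewer", "user:alice", []string{"on_vpn"}},
}

func main() {
	for _, p := range dedupByEndpoints(sample) {
		fmt.Printf("%s -> %s condition=%q\n", p.Resource, p.Subject, condition(p))
	}
}
```

When reviewing a schema, the second result is the one to look for: a single uncaveated relationship between two endpoints removes every condition attached to the other relationships between them.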
func EmptyPathSeq ¶ added in v1.46.0
func EmptyPathSeq() PathSeq
EmptyPathSeq returns an empty iterator, that is error-free but empty.
func FilterResourcesByType ¶ added in v1.49.0
func FilterResourcesByType(seq PathSeq, filter ObjectType) PathSeq
FilterResourcesByType filters a PathSeq to only include paths where the resource matches the specified ObjectType. If filter.Type is empty, no filtering is applied.
func FilterSubjectsByType ¶ added in v1.49.0
func FilterSubjectsByType(seq PathSeq, filter ObjectType) PathSeq
FilterSubjectsByType filters a PathSeq to only include paths where the subject matches the specified ObjectType. If filter.Type is empty, no filtering is applied.
func FilterWildcardSubjects ¶ added in v1.49.0
FilterWildcardSubjects filters out any paths with wildcard subjects.
func PathSeqFromSlice ¶ added in v1.49.2
PathSeqFromSlice creates a PathSeq that yields all paths from the given slice.
func RewriteSubject ¶ added in v1.49.0
func RewriteSubject(seq PathSeq, subject ObjectAndRelation) PathSeq
type Plan ¶
type Plan interface {
// CheckImpl tests if, for the underlying set of relationships (which may be a full expression or a basic lookup, depending on the iterator)
// any of the `resourceIDs` are connected to `subjectID`.
// Returns the sequence of matching paths, if they exist, at most `len(resourceIDs)`.
CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
// IterSubjectsImpl returns a sequence of all the paths in this set that match the given resourceID.
// The filterSubjectType parameter filters the results to only include subjects matching the
// specified ObjectType. If filterSubjectType.Type is empty, no filtering is applied.
IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
// IterResourcesImpl returns a sequence of all the paths in this set that match the given subjectID.
// The filterResourceType parameter filters the results to only include resources matching the
// specified ObjectType. If filterResourceType.Type is empty, no filtering is applied.
IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
// Explain generates a human-readable tree that describes each iterator and its state.
Explain() Explain
}
Plan is the external-facing notion of a query plan. These follow the general API for querying anything in the database as well as describing the plan.
type PlanAdvisor ¶ added in v1.50.0
type PlanAdvisor interface {
// GetHints returns a list of hints to apply to the given outline node.
// keySource can be used to resolve the CanonicalKey for any node in the
// outline tree by its ID, including the current node and its children.
// The caller is responsible for walking the outline tree and calling this
// method on each node, then applying the returned hints.
GetHints(outline Outline, keySource CanonicalKeySource) ([]Hint, error)
// GetMutations returns a list of outline mutations to apply to the given
// outline node. keySource can be used to resolve the CanonicalKey for any
// node in the outline tree by its ID, including the current node and its children.
// The caller is responsible for walking the outline tree and
// applying these transformations.
GetMutations(outline Outline, keySource CanonicalKeySource) ([]OutlineMutation, error)
}
PlanAdvisor provides query plan optimization guidance through hints and mutations. Implementations can use internal cost models or other heuristics to suggest optimizations without exposing those details to callers.
func CombinePlanAdvisors ¶ added in v1.50.0
func CombinePlanAdvisors(advisors ...PlanAdvisor) PlanAdvisor
CombinePlanAdvisors creates a PlanAdvisor that combines multiple advisors by running through them in order and returning the first non-nil result for either GetHints or GetMutations.
type QueryDatastoreReader ¶ added in v1.50.0
type QueryDatastoreReader interface {
// CheckRelationships finds paths for specific resource objects matched against
// a subject. subject.ObjectID may be WildcardObjectID for wildcard checks.
// All resource IDs must be of the same resourceType.
CheckRelationships(
ctx context.Context,
resourceType ObjectType,
resourceIDs []string,
resourceRelation string,
subject ObjectAndRelation,
withCaveats, withExpiration bool,
) (PathSeq, error)
// QuerySubjects finds all subject paths for a resource.
// If resource.ObjectID is empty, no resource ID filter is applied (wildcard expansion).
// subjectType.Subrelation drives the ellipsis-vs-non-ellipsis filter.
QuerySubjects(
ctx context.Context,
resource Object,
resourceRelation string,
subjectType ObjectType,
withCaveats, withExpiration bool,
page QueryPage,
) (PathSeq, error)
// QueryResources finds all resource paths for a subject.
// subject.ObjectID may be WildcardObjectID for wildcard resource queries.
QueryResources(
ctx context.Context,
resourceType string,
resourceRelation string,
subject ObjectAndRelation,
withCaveats, withExpiration bool,
page QueryPage,
) (PathSeq, error)
// SubjectExistsAsRelationship is an existence probe used by AliasIterator.
// It includes expired relationships and returns true if any relationship
// has the given subject with the specified non-ellipsis relation.
SubjectExistsAsRelationship(
ctx context.Context,
subject Object,
nonEllipsisRelation string,
) (bool, error)
// LookupCaveatDefinition fetches a single caveat definition by name.
// Implementations are expected to cache results.
LookupCaveatDefinition(
ctx context.Context,
name string,
) (datastore.CaveatDefinition, error)
}
QueryDatastoreReader is the minimal datastore interface used by pkg/query. It exposes only the four logical operations actually performed by this package, returning PathSeq values directly so callers never touch raw relationship iterators.
func NewDelayReader ¶ added in v1.50.0
func NewDelayReader(delay time.Duration, inner QueryDatastoreReader) QueryDatastoreReader
NewDelayReader wraps inner with a shim that sleeps for delay before every call. Use this in benchmarks to model realistic network round-trip costs.
func NewQueryDatastoreReader ¶ added in v1.50.0
func NewQueryDatastoreReader(r datalayer.RevisionedReader) QueryDatastoreReader
NewQueryDatastoreReader wraps a datalayer.RevisionedReader as a QueryDatastoreReader.
type QueryPage ¶ added in v1.50.0
type QueryPage struct {
Limit *uint64
Cursor *tuple.Relationship
}
QueryPage bundles pagination parameters for QuerySubjects and QueryResources.
type RecursiveIterator ¶ added in v1.46.1
type RecursiveIterator struct {
// contains filtered or unexported fields
}
RecursiveIterator is the root controller that manages iterative deepening for recursive schemas. It wraps an iterator tree that contains RecursiveSentinel sentinels, and executes the tree repeatedly with increasing depth until a fixed point is reached or max depth is exceeded.
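Iterative deepening to a fixed point, as an added, self-contained model of the behaviour described for RecursiveIterator (not the package's implementation). The `edges` graph, `expand`, `members` and `errMaxDepth` are hypothetical names, and the membership data is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// edges is constructed sample data for a recursive schema such as
// `relation member: user | group#member`: group -> direct members.
var edges = map[string][]string{
	"group:eng":      {"user:alice", "group:platform"},
	"group:platform": {"user:bob", "group:sre"},
	"group:sre":      {"user:carol", "group:eng"}, // cycle back to group:eng
}

var errMaxDepth = errors.New("max recursion depth exceeded")

// expand evaluates membership with a depth budget. Once the budget is spent
// the recursion point contributes nothing, so every pass terminates even
// though the graph contains a cycle.
func expand(node string, budget int, seen map[string]bool) {
	for _, m := range edges[node] {
		seen[m] = true
		if budget > 0 {
			expand(m, budget-1, seen)
		}
	}
}

// members re-runs expand at depth 0, 1, 2, ... and stops when the result set
// stops growing (the fixed point). If maxDepth is exceeded first it returns
// an error instead of a partial, possibly misleading, answer.
func members(root string, maxDepth int) (users []string, depth int, err error) {
	prev := -1
	for depth = 0; depth <= maxDepth; depth++ {
		seen := map[string]bool{}
		expand(root, depth, seen)
		if len(seen) == prev { // results only grow with depth: same size, same set
			for m := range seen {
				if strings.HasPrefix(m, "user:") {
					users = append(users, m)
				}
			}
			sort.Strings(users)
			return users, depth, nil
		}
		prev = len(seen)
	}
	return nil, maxDepth, errMaxDepth
}

func main() {
	users, depth, err := members("group:eng", 10)
	fmt.Println(users, depth, err)
	_, _, err = members("group:eng", 2)
	fmt.Println(err)
}
```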
func NewRecursiveIterator ¶ added in v1.46.1
func NewRecursiveIterator(templateTree Iterator, definitionName, relationName string) *RecursiveIterator
NewRecursiveIterator creates a new recursive iterator controller
func (*RecursiveIterator) CanonicalKey ¶ added in v1.49.2
func (r *RecursiveIterator) CanonicalKey() CanonicalKey
func (*RecursiveIterator) CheckImpl ¶ added in v1.46.1
func (r *RecursiveIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
CheckImpl implements traversal for Check operations with strategy selection
func (*RecursiveIterator) Clone ¶ added in v1.46.1
func (r *RecursiveIterator) Clone() Iterator
Clone creates a deep copy of the RecursiveIterator
func (*RecursiveIterator) Explain ¶ added in v1.46.1
func (r *RecursiveIterator) Explain() Explain
Explain returns a description of this recursive iterator
func (*RecursiveIterator) IterResourcesImpl ¶ added in v1.46.1
func (r *RecursiveIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
IterResourcesImpl implements BFS traversal for IterResources operations
func (*RecursiveIterator) IterSubjectsImpl ¶ added in v1.46.1
func (r *RecursiveIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
IterSubjectsImpl implements BFS traversal for IterSubjects operations
func (*RecursiveIterator) ReplaceSubiterators ¶ added in v1.46.1
func (r *RecursiveIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*RecursiveIterator) ResourceType ¶ added in v1.49.0
func (r *RecursiveIterator) ResourceType() ([]ObjectType, error)
func (*RecursiveIterator) Subiterators ¶ added in v1.46.1
func (r *RecursiveIterator) Subiterators() []Iterator
func (*RecursiveIterator) SubjectTypes ¶ added in v1.49.0
func (r *RecursiveIterator) SubjectTypes() ([]ObjectType, error)
type RecursiveSentinelIterator ¶ added in v1.49.2
type RecursiveSentinelIterator struct {
// contains filtered or unexported fields
}
RecursiveSentinelIterator is a sentinel iterator that marks recursion points during iterator tree construction. It acts as a placeholder that will be replaced during execution by RecursiveIterator.
func NewRecursiveSentinelIterator ¶ added in v1.49.2
func NewRecursiveSentinelIterator(definitionName, relationName string, withSubRelations bool) *RecursiveSentinelIterator
NewRecursiveSentinelIterator creates a new sentinel marking a recursion point
func (*RecursiveSentinelIterator) CanonicalKey ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) CanonicalKey() CanonicalKey
func (*RecursiveSentinelIterator) CheckImpl ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
CheckImpl returns an empty PathSeq. If collection mode is enabled, it collects the queried resources to the frontier collection instead of returning paths.
func (*RecursiveSentinelIterator) Clone ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) Clone() Iterator
Clone returns a shallow copy of the sentinel
func (*RecursiveSentinelIterator) DefinitionName ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) DefinitionName() string
DefinitionName returns the definition name this sentinel represents
func (*RecursiveSentinelIterator) Explain ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) Explain() Explain
Explain returns a description of this sentinel for debugging
func (*RecursiveSentinelIterator) IterResourcesImpl ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
IterResourcesImpl returns an empty PathSeq since sentinels don't execute during construction
func (*RecursiveSentinelIterator) IterSubjectsImpl ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
IterSubjectsImpl returns an empty PathSeq. If collection mode is enabled, it collects the queried resource to the frontier collection instead of returning paths.
func (*RecursiveSentinelIterator) RelationName ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) RelationName() string
RelationName returns the relation name this sentinel represents
func (*RecursiveSentinelIterator) ReplaceSubiterators ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*RecursiveSentinelIterator) ResourceType ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) ResourceType() ([]ObjectType, error)
func (*RecursiveSentinelIterator) Subiterators ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) Subiterators() []Iterator
func (*RecursiveSentinelIterator) SubjectTypes ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) SubjectTypes() ([]ObjectType, error)
func (*RecursiveSentinelIterator) WithSubRelations ¶ added in v1.49.2
func (r *RecursiveSentinelIterator) WithSubRelations() bool
WithSubRelations returns whether subrelations should be included
type RelationNotFoundError ¶ added in v1.47.1
type RelationNotFoundError struct {
// contains filtered or unexported fields
}
RelationNotFoundError is returned when a relation or permission is not found in a definition
func (RelationNotFoundError) Error ¶ added in v1.47.1
func (e RelationNotFoundError) Error() string
type SelfIterator ¶ added in v1.49.2
type SelfIterator struct {
// contains filtered or unexported fields
}
SelfIterator is an iterator that produces a synthetic relation for every Resource in the subiterator that connects it to streamed from the sub-iterator to a specified alias relation.
func NewSelfIterator ¶ added in v1.49.2
func NewSelfIterator(relation string, typeName string) *SelfIterator
func (*SelfIterator) CanonicalKey ¶ added in v1.49.2
func (s *SelfIterator) CanonicalKey() CanonicalKey
func (*SelfIterator) CheckImpl ¶ added in v1.49.2
func (s *SelfIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*SelfIterator) Clone ¶ added in v1.49.2
func (s *SelfIterator) Clone() Iterator
func (*SelfIterator) Explain ¶ added in v1.49.2
func (s *SelfIterator) Explain() Explain
func (*SelfIterator) IterResourcesImpl ¶ added in v1.49.2
func (s *SelfIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*SelfIterator) IterSubjectsImpl ¶ added in v1.49.2
func (s *SelfIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*SelfIterator) ReplaceSubiterators ¶ added in v1.49.2
func (s *SelfIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*SelfIterator) ResourceType ¶ added in v1.49.2
func (s *SelfIterator) ResourceType() ([]ObjectType, error)
func (*SelfIterator) Subiterators ¶ added in v1.49.2
func (s *SelfIterator) Subiterators() []Iterator
func (*SelfIterator) SubjectTypes ¶ added in v1.49.2
func (s *SelfIterator) SubjectTypes() ([]ObjectType, error)
type StaticAdvisor ¶ added in v1.50.0
type StaticAdvisor struct {
// NumberOfTuplesInRelation is the assumed number of tuples in any relation (a complete average).
NumberOfTuplesInRelation int
// Fanout is the assumed average number of subjects per resource or
// resources per subject.
Fanout int
// CheckSelectivity is the default probability (0.0-1.0) that a Check
// operation will return true.
CheckSelectivity float64
}
StaticAdvisor provides query plan optimization guidance using static cost estimates. It uses configurable parameters to estimate iterator costs and suggest optimizations through hints and mutations.
Costs are static for StaticAdvisor -- we take the base cost of a check to be 1 tuple check. For iterating subjects and resources, we take it to iterate all tuples for a given relation.
func DefaultStaticAdvisor ¶ added in v1.50.0
func DefaultStaticAdvisor() StaticAdvisor
DefaultStaticAdvisor returns a StaticAdvisor instance with default values
func (StaticAdvisor) GetHints ¶ added in v1.50.0
func (s StaticAdvisor) GetHints(outline Outline, keySource CanonicalKeySource) ([]Hint, error)
GetHints returns optimization hints for the given outline node. For arrow iterators, it suggests the optimal execution direction based on cost estimates.
func (StaticAdvisor) GetMutations ¶ added in v1.50.0
func (s StaticAdvisor) GetMutations(outline Outline, keySource CanonicalKeySource) ([]OutlineMutation, error)
GetMutations returns outline mutations for the given outline node. This includes reordering union/intersection branches by selectivity and rebalancing nested arrow structures.
type TraceLogger ¶ added in v1.46.1
type TraceLogger struct {
// contains filtered or unexported fields
}
TraceLogger is used for debugging iterator execution
func NewTraceLogger ¶ added in v1.46.1
func NewTraceLogger() *TraceLogger
NewTraceLogger creates a new trace logger
func NewTraceLoggerWithWriter ¶ added in v1.49.2
func NewTraceLoggerWithWriter(w io.Writer) *TraceLogger
NewTraceLoggerWithWriter creates a new trace logger with an optional writer for real-time trace output
func (*TraceLogger) DumpTrace ¶ added in v1.46.1
func (t *TraceLogger) DumpTrace() string
DumpTrace returns all traces as a string
func (*TraceLogger) EnterIterator ¶ added in v1.46.1
func (t *TraceLogger) EnterIterator(it Iterator, traceString string)
EnterIterator logs entering an iterator and pushes it onto the stack
func (*TraceLogger) ExitIterator ¶ added in v1.46.1
func (t *TraceLogger) ExitIterator(it Iterator, paths []Path)
ExitIterator logs exiting an iterator and pops it from the stack
type UnionIterator ¶ added in v1.49.2
type UnionIterator struct {
// contains filtered or unexported fields
}
UnionIterator is the set of paths that are in any of the underlying subiterators. This is equivalent to `permission foo = bar | baz`
func (*UnionIterator) CanonicalKey ¶ added in v1.49.2
func (u *UnionIterator) CanonicalKey() CanonicalKey
func (*UnionIterator) CheckImpl ¶ added in v1.49.2
func (u *UnionIterator) CheckImpl(ctx *Context, resources []Object, subject ObjectAndRelation) (PathSeq, error)
func (*UnionIterator) Clone ¶ added in v1.49.2
func (u *UnionIterator) Clone() Iterator
func (*UnionIterator) Explain ¶ added in v1.49.2
func (u *UnionIterator) Explain() Explain
func (*UnionIterator) IterResourcesImpl ¶ added in v1.49.2
func (u *UnionIterator) IterResourcesImpl(ctx *Context, subject ObjectAndRelation, filterResourceType ObjectType) (PathSeq, error)
func (*UnionIterator) IterSubjectsImpl ¶ added in v1.49.2
func (u *UnionIterator) IterSubjectsImpl(ctx *Context, resource Object, filterSubjectType ObjectType) (PathSeq, error)
func (*UnionIterator) ReplaceSubiterators ¶ added in v1.49.2
func (u *UnionIterator) ReplaceSubiterators(newSubs []Iterator) (Iterator, error)
func (*UnionIterator) ResourceType ¶ added in v1.49.2
func (u *UnionIterator) ResourceType() ([]ObjectType, error)
func (*UnionIterator) Subiterators ¶ added in v1.49.2
func (u *UnionIterator) Subiterators() []Iterator
func (*UnionIterator) SubjectTypes ¶ added in v1.49.2
func (u *UnionIterator) SubjectTypes() ([]ObjectType, error)
Source Files ¶
- advisor.go
- advisor_combine.go
- advisor_count.go
- advisor_static.go
- alias.go
- arrow.go
- build_tree.go
- canonicalize.go
- caveat.go
- context.go
- datastore.go
- doc.go
- exclusion.go
- executor_local.go
- fixed.go
- hint.go
- intersection.go
- intersection_arrow.go
- mutations.go
- objects.go
- observer.go
- observer_analyze.go
- observer_count.go
- outline.go
- path.go
- reader.go
- reader_timing.go
- recursive.go
- recursive_sentinel.go
- self.go
- simplify_caveat.go
- testutil.go
- trace.go
- types.go
- union.go
- walk.go