Merge pull request #2532 from josephschorr/improve-schema-diff-errors

josephschorr · web-flow · commit 7332a2d5b634 · 2025-08-15T16:02:03.000Z
Improve the errors returned from schema changes
diff --git a/internal/services/shared/errors.go b/internal/services/shared/errors.go
@@ -41,15 +41,17 @@ func mustMakeStatusReadonly() error {
 
 // NewSchemaWriteDataValidationError creates a new error representing that a schema write cannot be
 // completed due to existing data that would be left unreferenced.
-func NewSchemaWriteDataValidationError(message string, args ...any) SchemaWriteDataValidationError {
+func NewSchemaWriteDataValidationError(message string, args []any, metadata map[string]string) SchemaWriteDataValidationError {
 	return SchemaWriteDataValidationError{
-		error: fmt.Errorf(message, args...),
+		error:    fmt.Errorf(message, args...),
+		metadata: metadata,
 	}
 }
 
 // SchemaWriteDataValidationError occurs when a schema cannot be applied due to leaving data unreferenced.
 type SchemaWriteDataValidationError struct {
 	error
+	metadata map[string]string
 }
 
 // MarshalZerologObject implements zerolog object marshalling.
@@ -59,12 +61,15 @@ func (err SchemaWriteDataValidationError) MarshalZerologObject(e *zerolog.Event)
 
 // GRPCStatus implements retrieving the gRPC status for the error.
 func (err SchemaWriteDataValidationError) GRPCStatus() *status.Status {
+	if err.metadata == nil {
+		err.metadata = map[string]string{}
+	}
 	return spiceerrors.WithCodeAndDetails(
 		err,
 		codes.InvalidArgument,
 		spiceerrors.ForReason(
 			v1.ErrorReason_ERROR_REASON_SCHEMA_TYPE_ERROR,
-			map[string]string{},
+			err.metadata,
 		),
 	)
 }
diff --git a/internal/services/shared/schema.go b/internal/services/shared/schema.go
@@ -2,6 +2,7 @@ package shared
 
 import (
 	"context"
+	"maps"
 
 	log "github.com/authzed/spicedb/internal/logging"
 	"github.com/authzed/spicedb/internal/namespace"
@@ -256,10 +257,18 @@ func sanityCheckCaveatChanges(
 	for _, delta := range diff.Deltas() {
 		switch delta.Type {
 		case caveatdiff.RemovedParameter:
-			return diff, NewSchemaWriteDataValidationError("cannot remove parameter `%s` on caveat `%s`", delta.ParameterName, caveatDef.Name)
+			return diff, NewSchemaWriteDataValidationError("cannot remove parameter `%s` on caveat `%s`", []any{delta.ParameterName, caveatDef.Name}, map[string]string{
+				"caveat_name":    caveatDef.Name,
+				"parameter_name": delta.ParameterName,
+				"operation":      "remove_parameter",
+			})
 
 		case caveatdiff.ParameterTypeChanged:
-			return diff, NewSchemaWriteDataValidationError("cannot change the type of parameter `%s` on caveat `%s`", delta.ParameterName, caveatDef.Name)
+			return diff, NewSchemaWriteDataValidationError("cannot change the type of parameter `%s` on caveat `%s`", []any{delta.ParameterName, caveatDef.Name}, map[string]string{
+				"caveat_name":    caveatDef.Name,
+				"parameter_name": delta.ParameterName,
+				"operation":      "change_parameter_type",
+			})
 		}
 	}
 
@@ -280,8 +289,12 @@ func ensureNoRelationshipsExistWithResourceType(ctx context.Context, rwt datasto
 		ctx,
 		qy,
 		qyErr,
-		"cannot delete object definition `%s`, as a relationship exists under it",
-		namespaceName,
+		"cannot delete object definition `%s`, as at least one relationship exists under it",
+		[]any{namespaceName},
+		map[string]string{
+			"resource_type": namespaceName,
+			"operation":     "delete_object_definition",
+		},
 	)
 }
 
@@ -344,7 +357,14 @@ func sanityCheckNamespaceChanges(
 				ctx,
 				qy,
 				qyErr,
-				"cannot delete relation `%s` in object definition `%s`, as a relationship exists under it", delta.RelationName, nsdef.Name)
+				"cannot delete relation `%s` in object definition `%s`, as at least one relationship exists under it",
+				[]any{delta.RelationName, nsdef.Name},
+				map[string]string{
+					"resource_type": nsdef.Name,
+					"relation":      delta.RelationName,
+					"operation":     "delete_relation",
+				},
+			)
 			if err != nil {
 				return diff, err
 			}
@@ -364,7 +384,14 @@ func sanityCheckNamespaceChanges(
 				ctx,
 				qy,
 				qyErr,
-				"cannot delete relation `%s` in object definition `%s`, as a relationship references it", delta.RelationName, nsdef.Name)
+				"cannot delete relation `%s` in object definition `%s`, as at least one relationship references it",
+				[]any{delta.RelationName, nsdef.Name},
+				map[string]string{
+					"resource_type": nsdef.Name,
+					"relation":      delta.RelationName,
+					"operation":     "delete_relation_reverse_check",
+				},
+			)
 			if err != nil {
 				return diff, err
 			}
@@ -410,7 +437,14 @@ func sanityCheckNamespaceChanges(
 				qyr,
 				qyrErr,
 				"cannot remove allowed type `%s` from relation `%s` in object definition `%s`, as a relationship exists with it",
-				schema.SourceForAllowedRelation(delta.AllowedType), delta.RelationName, nsdef.Name)
+				[]any{schema.SourceForAllowedRelation(delta.AllowedType), delta.RelationName, nsdef.Name},
+				map[string]string{
+					"resource_type": nsdef.Name,
+					"relation":      delta.RelationName,
+					"allowed_type":  schema.SourceForAllowedRelation(delta.AllowedType),
+					"operation":     "remove_allowed_type",
+				},
+			)
 			if err != nil {
 				return diff, err
 			}
@@ -430,16 +464,29 @@ func subjectRelationFilterForAllowedType(allowedType *core.AllowedRelation) data
 
 // errorIfTupleIteratorReturnsTuples takes a tuple iterator and any error that was generated
 // when the original iterator was created, and returns an error if iterator contains any tuples.
-func errorIfTupleIteratorReturnsTuples(_ context.Context, qy datastore.RelationshipIterator, qyErr error, message string, args ...any) error {
+func errorIfTupleIteratorReturnsTuples(_ context.Context, qy datastore.RelationshipIterator, qyErr error, message string, args []any, metadata map[string]string) error {
 	if qyErr != nil {
 		return qyErr
 	}
 
-	for _, err := range qy {
+	for rel, err := range qy {
 		if err != nil {
 			return err
 		}
-		return NewSchemaWriteDataValidationError(message, args...)
+
+		strValue, err := tuple.String(rel)
+		if err != nil {
+			return err
+		}
+
+		// Create metadata with relationship information
+		fullMetadata := maps.Clone(metadata)
+		if fullMetadata == nil {
+			fullMetadata = make(map[string]string)
+		}
+		fullMetadata["relationship"] = strValue
+		newArgs := append(args, strValue)
+		return NewSchemaWriteDataValidationError(message+": %s", newArgs, fullMetadata)
 	}
 
 	return nil
diff --git a/internal/services/shared/schema_test.go b/internal/services/shared/schema_test.go
@@ -88,7 +88,7 @@ func TestApplySchemaChanges(t *testing.T) {
 				}
 
 				definition document {}`,
-			expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
+			expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@user:alice",
 		},
 		{
 			name: "attempt to remove a relation with indirect relationships",
@@ -119,7 +119,7 @@ func TestApplySchemaChanges(t *testing.T) {
 				}
 
 				definition document {}`,
-			expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
+			expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@group:somegroup#member",
 		},
 		{
 			name: "attempt to remove a relation with other indirect relationships",
@@ -150,7 +150,7 @@ func TestApplySchemaChanges(t *testing.T) {
 				}
 
 				definition document {}`,
-			expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
+			expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@org:someorg#admin",
 		},
 		{
 			name: "attempt to remove a relation with wildcard",
@@ -165,7 +165,7 @@ func TestApplySchemaChanges(t *testing.T) {
 				definition user {}
 
 				definition document {}`,
-			expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
+			expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@user:*",
 		},
 		{
 			name: "attempt to remove a relation with only indirect relationships",
@@ -196,7 +196,7 @@ func TestApplySchemaChanges(t *testing.T) {
 				}
 
 				definition document {}`,
-			expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
+			expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@org:someorg#admin",
 		},
 		{
 			name: "remove a relation with no relationships",
@@ -287,7 +287,7 @@ func TestApplySchemaChanges(t *testing.T) {
 					permission view = viewer
 				}
 			`,
-			expectedError: "cannot remove allowed type `group#member` from relation `viewer` in object definition `document`, as a relationship exists with it",
+			expectedError: "cannot remove allowed type `group#member` from relation `viewer` in object definition `document`, as a relationship exists with it: document:somedoc#viewer@group:somegroup#member",
 		},
 		{
 			name: "attempt to remove non-caveated type when only caveated relationship exists",
@@ -361,7 +361,7 @@ func TestApplySchemaChanges(t *testing.T) {
 					permission view = nil
 				}
 			`,
-			expectedError: "cannot delete relation `reader` in object definition `document`, as a relationship exists under it",
+			expectedError: "cannot delete relation `reader` in object definition `document`, as at least one relationship exists under it: document:firstdoc#reader@user:tom",
 		},
 		{
 			name: "delete a subject type with relation but no data",
@@ -403,7 +403,7 @@ func TestApplySchemaChanges(t *testing.T) {
 					permission view = reader
 				}
 			`,
-			expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it",
+			expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it: document:firstdoc#reader@user:tom",
 		},
 		{
 			name: "delete a subject type while adding a replacement",
@@ -480,7 +480,7 @@ func TestApplySchemaChanges(t *testing.T) {
 					permission view = reader
 				}
 			`,
-			expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it",
+			expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it: document:firstdoc#reader@user:tom",
 		},
 		{
 			name: "attempt to delete an indirect subject type while direct remains",
@@ -505,7 +505,7 @@ func TestApplySchemaChanges(t *testing.T) {
 					permission view = reader
 				}
 			`,
-			expectedError: "cannot remove allowed type `user#foo` from relation `reader` in object definition `document`, as a relationship exists with it",
+			expectedError: "cannot remove allowed type `user#foo` from relation `reader` in object definition `document`, as a relationship exists with it: document:firstdoc#reader@user:tom#foo",
 		},
 		{
 			name: "delete an indirect subject type while direct remains",
diff --git a/internal/services/steelthreadtesting/steelresults/write-schema-removal-attempt-to-remove-the-user-relation-results.yaml b/internal/services/steelthreadtesting/steelresults/write-schema-removal-attempt-to-remove-the-user-relation-results.yaml
@@ -1,2 +1,2 @@
 ---
-error: 'failed to write schema: rpc error: code = InvalidArgument desc = cannot remove allowed type `user` from relation `viewer` in object definition `document`, as a relationship exists with it'
+error: 'failed to write schema: rpc error: code = InvalidArgument desc = cannot remove allowed type `user` from relation `viewer` in object definition `document`, as a relationship exists with it: document:somedoc#viewer@user:user-0'
diff --git a/internal/services/steelthreadtesting/steelresults/write-schema-removal-attempt-to-remove-the-wildcard-on-the-editor-results.yaml b/internal/services/steelthreadtesting/steelresults/write-schema-removal-attempt-to-remove-the-wildcard-on-the-editor-results.yaml
@@ -1,2 +1,2 @@
 ---
-error: 'failed to write schema: rpc error: code = InvalidArgument desc = cannot remove allowed type `user2:*` from relation `editor` in object definition `document`, as a relationship exists with it'
+error: 'failed to write schema: rpc error: code = InvalidArgument desc = cannot remove allowed type `user2:*` from relation `editor` in object definition `document`, as a relationship exists with it: document:somedoc#editor@user2:*'
diff --git a/internal/services/steelthreadtesting/testdata/basic-schema-and-data.yaml b/internal/services/steelthreadtesting/testdata/basic-schema-and-data.yaml
@@ -16,109 +16,5 @@ schema: |+
   }
 
 relationships: |
-  // A single user2:* on a document.
   document:somedoc#editor@user2:*
-
-  // 100 direct users
-  // for userid in range(0, 100)
-  //    document:somedoc#viewer@user:user-{userid}
   document:somedoc#viewer@user:user-0
-  document:somedoc#viewer@user:user-1
-  document:somedoc#viewer@user:user-2
-  document:somedoc#viewer@user:user-3
-  document:somedoc#viewer@user:user-4
-  document:somedoc#viewer@user:user-5
-  document:somedoc#viewer@user:user-6
-  document:somedoc#viewer@user:user-7
-  document:somedoc#viewer@user:user-8
-  document:somedoc#viewer@user:user-9
-  document:somedoc#viewer@user:user-10
-  document:somedoc#viewer@user:user-11
-  document:somedoc#viewer@user:user-12
-  document:somedoc#viewer@user:user-13
-  document:somedoc#viewer@user:user-14
-  document:somedoc#viewer@user:user-15
-  document:somedoc#viewer@user:user-16
-  document:somedoc#viewer@user:user-17
-  document:somedoc#viewer@user:user-18
-  document:somedoc#viewer@user:user-19
-  document:somedoc#viewer@user:user-20
-  document:somedoc#viewer@user:user-21
-  document:somedoc#viewer@user:user-22
-  document:somedoc#viewer@user:user-23
-  document:somedoc#viewer@user:user-24
-  document:somedoc#viewer@user:user-25
-  document:somedoc#viewer@user:user-26
-  document:somedoc#viewer@user:user-27
-  document:somedoc#viewer@user:user-28
-  document:somedoc#viewer@user:user-29
-  document:somedoc#viewer@user:user-30
-  document:somedoc#viewer@user:user-31
-  document:somedoc#viewer@user:user-32
-  document:somedoc#viewer@user:user-33
-  document:somedoc#viewer@user:user-34
-  document:somedoc#viewer@user:user-35
-  document:somedoc#viewer@user:user-36
-  document:somedoc#viewer@user:user-37
-  document:somedoc#viewer@user:user-38
-  document:somedoc#viewer@user:user-39
-  document:somedoc#viewer@user:user-40
-  document:somedoc#viewer@user:user-41
-  document:somedoc#viewer@user:user-42
-  document:somedoc#viewer@user:user-43
-  document:somedoc#viewer@user:user-44
-  document:somedoc#viewer@user:user-45
-  document:somedoc#viewer@user:user-46
-  document:somedoc#viewer@user:user-47
-  document:somedoc#viewer@user:user-48
-  document:somedoc#viewer@user:user-49
-  document:somedoc#viewer@user:user-50
-  document:somedoc#viewer@user:user-51
-  document:somedoc#viewer@user:user-52
-  document:somedoc#viewer@user:user-53
-  document:somedoc#viewer@user:user-54
-  document:somedoc#viewer@user:user-55
-  document:somedoc#viewer@user:user-56
-  document:somedoc#viewer@user:user-57
-  document:somedoc#viewer@user:user-58
-  document:somedoc#viewer@user:user-59
-  document:somedoc#viewer@user:user-60
-  document:somedoc#viewer@user:user-61
-  document:somedoc#viewer@user:user-62
-  document:somedoc#viewer@user:user-63
-  document:somedoc#viewer@user:user-64
-  document:somedoc#viewer@user:user-65
-  document:somedoc#viewer@user:user-66
-  document:somedoc#viewer@user:user-67
-  document:somedoc#viewer@user:user-68
-  document:somedoc#viewer@user:user-69
-  document:somedoc#viewer@user:user-70
-  document:somedoc#viewer@user:user-71
-  document:somedoc#viewer@user:user-72
-  document:somedoc#viewer@user:user-73
-  document:somedoc#viewer@user:user-74
-  document:somedoc#viewer@user:user-75
-  document:somedoc#viewer@user:user-76
-  document:somedoc#viewer@user:user-77
-  document:somedoc#viewer@user:user-78
-  document:somedoc#viewer@user:user-79
-  document:somedoc#viewer@user:user-80
-  document:somedoc#viewer@user:user-81
-  document:somedoc#viewer@user:user-82
-  document:somedoc#viewer@user:user-83
-  document:somedoc#viewer@user:user-84
-  document:somedoc#viewer@user:user-85
-  document:somedoc#viewer@user:user-86
-  document:somedoc#viewer@user:user-87
-  document:somedoc#viewer@user:user-88
-  document:somedoc#viewer@user:user-89
-  document:somedoc#viewer@user:user-90
-  document:somedoc#viewer@user:user-91
-  document:somedoc#viewer@user:user-92
-  document:somedoc#viewer@user:user-93
-  document:somedoc#viewer@user:user-94
-  document:somedoc#viewer@user:user-95
-  document:somedoc#viewer@user:user-96
-  document:somedoc#viewer@user:user-97
-  document:somedoc#viewer@user:user-98
-  document:somedoc#viewer@user:user-99
diff --git a/internal/services/v1/schema_test.go b/internal/services/v1/schema_test.go

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	definition document {}`,
`91`		- expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
	`91`	+ expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@user:alice",
`92`	`92`	`},`
`93`	`93`	`{`
`94`	`94`	`name: "attempt to remove a relation with indirect relationships",`
`@@ -119,7 +119,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	definition document {}`,
`122`		- expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
	`122`	+ expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@group:somegroup#member",
`123`	`123`	`},`
`124`	`124`	`{`
`125`	`125`	`name: "attempt to remove a relation with other indirect relationships",`
`@@ -150,7 +150,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	definition document {}`,
`153`		- expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
	`153`	+ expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@org:someorg#admin",
`154`	`154`	`},`
`155`	`155`	`{`
`156`	`156`	`name: "attempt to remove a relation with wildcard",`
`@@ -165,7 +165,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`165`	`165`	`definition user {}`
`166`	`166`
`167`	`167`	definition document {}`,
`168`		- expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
	`168`	+ expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@user:*",
`169`	`169`	`},`
`170`	`170`	`{`
`171`	`171`	`name: "attempt to remove a relation with only indirect relationships",`
`@@ -196,7 +196,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`196`	`196`	`}`
`197`	`197`
`198`	`198`	definition document {}`,
`199`		- expectedError: "cannot delete relation `viewer` in object definition `document`, as a relationship exists under it",
	`199`	+ expectedError: "cannot delete relation `viewer` in object definition `document`, as at least one relationship exists under it: document:somedoc#viewer@org:someorg#admin",
`200`	`200`	`},`
`201`	`201`	`{`
`202`	`202`	`name: "remove a relation with no relationships",`
`@@ -287,7 +287,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`287`	`287`	`permission view = viewer`
`288`	`288`	`}`
`289`	`289`	`,
`290`		- expectedError: "cannot remove allowed type `group#member` from relation `viewer` in object definition `document`, as a relationship exists with it",
	`290`	+ expectedError: "cannot remove allowed type `group#member` from relation `viewer` in object definition `document`, as a relationship exists with it: document:somedoc#viewer@group:somegroup#member",
`291`	`291`	`},`
`292`	`292`	`{`
`293`	`293`	`name: "attempt to remove non-caveated type when only caveated relationship exists",`
`@@ -361,7 +361,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`361`	`361`	`permission view = nil`
`362`	`362`	`}`
`363`	`363`	`,
`364`		- expectedError: "cannot delete relation `reader` in object definition `document`, as a relationship exists under it",
	`364`	+ expectedError: "cannot delete relation `reader` in object definition `document`, as at least one relationship exists under it: document:firstdoc#reader@user:tom",
`365`	`365`	`},`
`366`	`366`	`{`
`367`	`367`	`name: "delete a subject type with relation but no data",`
`@@ -403,7 +403,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`403`	`403`	`permission view = reader`
`404`	`404`	`}`
`405`	`405`	`,
`406`		- expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it",
	`406`	+ expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it: document:firstdoc#reader@user:tom",
`407`	`407`	`},`
`408`	`408`	`{`
`409`	`409`	`name: "delete a subject type while adding a replacement",`
`@@ -480,7 +480,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`480`	`480`	`permission view = reader`
`481`	`481`	`}`
`482`	`482`	`,
`483`		- expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it",
	`483`	+ expectedError: "cannot remove allowed type `user` from relation `reader` in object definition `document`, as a relationship exists with it: document:firstdoc#reader@user:tom",
`484`	`484`	`},`
`485`	`485`	`{`
`486`	`486`	`name: "attempt to delete an indirect subject type while direct remains",`
`@@ -505,7 +505,7 @@ func TestApplySchemaChanges(t *testing.T) {`
`505`	`505`	`permission view = reader`
`506`	`506`	`}`
`507`	`507`	`,
`508`		- expectedError: "cannot remove allowed type `user#foo` from relation `reader` in object definition `document`, as a relationship exists with it",
	`508`	+ expectedError: "cannot remove allowed type `user#foo` from relation `reader` in object definition `document`, as a relationship exists with it: document:firstdoc#reader@user:tom#foo",
`509`	`509`	`},`
`510`	`510`	`{`
`511`	`511`	`name: "delete an indirect subject type while direct remains",`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`---`
`2`		-error: 'failed to write schema: rpc error: code = InvalidArgument desc = cannot remove allowed type `user` from relation `viewer` in object definition `document`, as a relationship exists with it'
	`2`	+error: 'failed to write schema: rpc error: code = InvalidArgument desc = cannot remove allowed type `user` from relation `viewer` in object definition `document`, as a relationship exists with it: document:somedoc#viewer@user:user-0'