fix: handle wildcards with expiration properly in the schema compiler

josephschorr · josephschorr · commit b8f2f4718491 · 2025-09-12T12:35:43.000-04:00
diff --git a/pkg/schema/definition_test.go b/pkg/schema/definition_test.go
@@ -1263,7 +1263,9 @@ func TestTypeSystemAccessors(t *testing.T) {
 			`use expiration
 
 			definition user {}
-			definition group {}
+			definition group {
+				relation member: user
+			}
 
 			caveat somecaveat(somecondition int) {
 				somecondition == 42
@@ -1274,6 +1276,12 @@ func TestTypeSystemAccessors(t *testing.T) {
 				relation caveated: user with somecaveat | group
 				relation expired: user with expiration | group
 				relation mixed: user | group with somecaveat and expiration
+				relation viewer: user | user:* with expiration
+				relation caveated_viewer: user | user:* with somecaveat
+				relation membered: group#member with somecaveat and expiration
+				relation membered_plain: group#member
+				relation caveated_membered: group#member with somecaveat | group#member
+				relation expired_membered: group#member with expiration | group#member
 			}`,
 			map[string]tsTester{
 				"resource": func(t *testing.T, vts *ValidatedDefinition) {
@@ -1298,6 +1306,36 @@ func TestTypeSystemAccessors(t *testing.T) {
 						require.True(t, traits.AllowsCaveats)
 						require.True(t, traits.AllowsExpiration)
 
+						traits, err = vts.PossibleTraitsForAnySubject("viewer")
+						require.NoError(t, err)
+						require.False(t, traits.AllowsCaveats)
+						require.True(t, traits.AllowsExpiration)
+
+						traits, err = vts.PossibleTraitsForAnySubject("caveated_viewer")
+						require.NoError(t, err)
+						require.True(t, traits.AllowsCaveats)
+						require.False(t, traits.AllowsExpiration)
+
+						traits, err = vts.PossibleTraitsForAnySubject("membered")
+						require.NoError(t, err)
+						require.True(t, traits.AllowsCaveats)
+						require.True(t, traits.AllowsExpiration)
+
+						traits, err = vts.PossibleTraitsForAnySubject("membered_plain")
+						require.NoError(t, err)
+						require.False(t, traits.AllowsCaveats)
+						require.False(t, traits.AllowsExpiration)
+
+						traits, err = vts.PossibleTraitsForAnySubject("caveated_membered")
+						require.NoError(t, err)
+						require.True(t, traits.AllowsCaveats)
+						require.False(t, traits.AllowsExpiration)
+
+						traits, err = vts.PossibleTraitsForAnySubject("expired_membered")
+						require.NoError(t, err)
+						require.False(t, traits.AllowsCaveats)
+						require.True(t, traits.AllowsExpiration)
+
 						_, err = vts.PossibleTraitsForAnySubject("unknown")
 						require.Error(t, err)
 					})
diff --git a/pkg/schemadsl/compiler/compiler_test.go b/pkg/schemadsl/compiler/compiler_test.go
@@ -1008,6 +1008,25 @@ func TestCompile(t *testing.T) {
 				),
 			},
 		},
+		{
+			"wildcard relation with expiration trait",
+			withTenantPrefix,
+			`use expiration
+			
+			definition simple {
+				relation viewer: user:* with expiration
+			}`,
+			"",
+			[]SchemaDefinition{
+				namespace.Namespace("sometenant/simple",
+					namespace.MustRelation("viewer", nil,
+						namespace.WithExpiration(
+							namespace.AllowedPublicNamespace("sometenant/user"),
+						),
+					),
+				),
+			},
+		},
 		{
 			"duplicate use pragmas",
 			withTenantPrefix,
diff --git a/pkg/schemadsl/compiler/translator.go b/pkg/schemadsl/compiler/translator.go
@@ -651,76 +651,66 @@ func translateSpecificTypeReference(tctx *translationContext, typeRefNode *dslNo
 		return nil, typeRefNode.Errorf("%w", err)
 	}
 
-	if typeRefNode.Has(dslshape.NodeSpecificReferencePredicateWildcard) {
-		ref := &core.AllowedRelation{
-			Namespace: nspath,
-			RelationOrWildcard: &core.AllowedRelation_PublicWildcard_{
-				PublicWildcard: &core.AllowedRelation_PublicWildcard{},
-			},
-		}
-
-		err = addWithCaveats(tctx, typeRefNode, ref)
-		if err != nil {
-			return nil, typeRefNode.Errorf("invalid caveat: %w", err)
-		}
-
-		if !tctx.skipValidate {
-			if err := ref.Validate(); err != nil {
-				return nil, typeRefNode.Errorf("invalid type relation: %w", err)
-			}
-		}
-
-		ref.SourcePosition = getSourcePosition(typeRefNode, tctx.mapper)
-		return ref, nil
-	}
-
 	relationName := Ellipsis
 	if typeRefNode.Has(dslshape.NodeSpecificReferencePredicateRelation) {
 		relationName, err = typeRefNode.GetString(dslshape.NodeSpecificReferencePredicateRelation)
 		if err != nil {
 			return nil, typeRefNode.Errorf("invalid type relation: %w", err)
 		}
 	}
-
 	ref := &core.AllowedRelation{
 		Namespace: nspath,
 		RelationOrWildcard: &core.AllowedRelation_Relation{
 			Relation: relationName,
 		},
 	}
 
+	if typeRefNode.Has(dslshape.NodeSpecificReferencePredicateWildcard) {
+		ref.RelationOrWildcard = &core.AllowedRelation_PublicWildcard_{
+			PublicWildcard: &core.AllowedRelation_PublicWildcard{},
+		}
+	}
+
 	// Add the caveat(s), if any.
 	err = addWithCaveats(tctx, typeRefNode, ref)
 	if err != nil {
 		return nil, typeRefNode.Errorf("invalid caveat: %w", err)
 	}
 
 	// Add the expiration trait, if any.
+	err = addWithExpiration(tctx, typeRefNode, ref)
+	if err != nil {
+		return nil, typeRefNode.Errorf("invalid expiration: %w", err)
+	}
+
+	if !tctx.skipValidate {
+		if err := ref.Validate(); err != nil {
+			return nil, typeRefNode.Errorf("invalid type relation: %w", err)
+		}
+	}
+
+	ref.SourcePosition = getSourcePosition(typeRefNode, tctx.mapper)
+	return ref, nil
+}
+
+func addWithExpiration(tctx *translationContext, typeRefNode *dslNode, ref *core.AllowedRelation) error {
 	if traitNode, err := typeRefNode.Lookup(dslshape.NodeSpecificReferencePredicateTrait); err == nil {
 		traitName, err := traitNode.GetString(dslshape.NodeTraitPredicateTrait)
 		if err != nil {
-			return nil, typeRefNode.Errorf("invalid trait: %w", err)
+			return err
 		}
 
 		if traitName != "expiration" {
-			return nil, typeRefNode.Errorf("invalid trait: %s", traitName)
+			return fmt.Errorf("invalid trait: %s", traitName)
 		}
 
 		if !slices.Contains(tctx.allowedFlags, "expiration") {
-			return nil, typeRefNode.Errorf("expiration trait is not allowed")
+			return fmt.Errorf("expiration trait is not allowed")
 		}
 
 		ref.RequiredExpiration = &core.ExpirationTrait{}
 	}
-
-	if !tctx.skipValidate {
-		if err := ref.Validate(); err != nil {
-			return nil, typeRefNode.Errorf("invalid type relation: %w", err)
-		}
-	}
-
-	ref.SourcePosition = getSourcePosition(typeRefNode, tctx.mapper)
-	return ref, nil
+	return nil
 }
 
 func addWithCaveats(tctx *translationContext, typeRefNode *dslNode, ref *core.AllowedRelation) error {
