feat(1199): add bulk-permission check wrapper endpoint

docs/api-reference/apidocs.swagger.json

@@ -651,6 +651,47 @@
         ]
       }
     },
+    "/v1/tenants/{tenant_id}/permissions/bulk-check": {
+      "post": {
+        "summary": "bulk check api",
+        "description": "Check multiple permissions in a single request. Maximum 100 requests allowed.",
+        "operationId": "permissions.bulk-check",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/PermissionBulkCheckResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/Status"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "tenant_id",
+            "description": "Identifier of the tenant, if you are not using multi-tenancy (have only one tenant) use pre-inserted tenant \u003ccode\u003et1\u003c/code\u003e for this field. Required, and must match the pattern \\“[a-zA-Z0-9-,]+\\“, max 64 bytes.",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/BulkCheckBody"
+            }
+          }
+        ],
+        "tags": [
+          "Permission"
+        ]
+      }
+    },
     "/v1/tenants/{tenant_id}/permissions/check": {
       "post": {
         "summary": "check api",
@@ -1479,6 +1520,36 @@
       "default": "ATTRIBUTE_TYPE_UNSPECIFIED",
       "description": "Enumerates the types of attribute.\n\n - ATTRIBUTE_TYPE_UNSPECIFIED: Not specified attribute type. This is the default value.\n - ATTRIBUTE_TYPE_BOOLEAN: A boolean attribute type.\n - ATTRIBUTE_TYPE_BOOLEAN_ARRAY: A boolean array attribute type.\n - ATTRIBUTE_TYPE_STRING: A string attribute type.\n - ATTRIBUTE_TYPE_STRING_ARRAY: A string array attribute type.\n - ATTRIBUTE_TYPE_INTEGER: An integer attribute type.\n - ATTRIBUTE_TYPE_INTEGER_ARRAY: An integer array attribute type.\n - ATTRIBUTE_TYPE_DOUBLE: A double attribute type.\n - ATTRIBUTE_TYPE_DOUBLE_ARRAY: A double array attribute type."
     },
+    "BulkCheckBody": {
+      "type": "object",
+      "properties": {
+        "metadata": {
+          "$ref": "#/definitions/PermissionCheckRequestMetadata",
+          "description": "Metadata associated with this request, required."
+        },
+        "items": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/PermissionBulkCheckRequestItem"
+          },
+          "description": "List of permission check requests, maximum 100 items."
+        },
+        "context": {
+          "$ref": "#/definitions/Context",
+          "description": "Contextual data that can be dynamically added to permission check requests. See details on [Contextual Data](../../operations/contextual-tuples)"
+        },
+        "arguments": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/Argument"
+          },
+          "description": "Additional arguments associated with this request."
+        }
+      },
+      "description": "PermissionBulkCheckRequest is the request message for the BulkCheck method in the Permission service."
+    },
     "Bundle.DeleteBody": {
       "type": "object",
       "properties": {
@@ -2487,6 +2558,39 @@
       },
       "description": "PermissionExpandRequest is the request message for the Expand method in the Permission service."
     },
+    "PermissionBulkCheckRequestItem": {
+      "type": "object",
+      "properties": {
+        "entity": {
+          "$ref": "#/definitions/Entity",
+          "example": "repository:1",
+          "description": "Entity on which the permission needs to be checked, required."
+        },
+        "permission": {
+          "type": "string",
+          "description": "The action the user wants to perform on the resource"
+        },
+        "subject": {
+          "$ref": "#/definitions/Subject",
+          "description": "Subject for which the permission needs to be checked, required."
+        }
+      },
+      "title": "BULK CHECK"
+    },
+    "PermissionBulkCheckResponse": {
+      "type": "object",
+      "properties": {
+        "results": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/PermissionCheckResponse"
+          },
+          "description": "List of permission check responses corresponding to each request."
+        }
+      },
+      "description": "PermissionBulkCheckResponse is the response message for the BulkCheck method in the Permission service."
+    },
     "PermissionCheckRequestMetadata": {
       "type": "object",
       "properties": {

docs/api-reference/openapiv2/apidocs.swagger.json

@@ -651,6 +651,47 @@
         ]
       }
     },
+    "/v1/tenants/{tenant_id}/permissions/bulk-check": {
+      "post": {
+        "summary": "bulk check api",
+        "description": "Check multiple permissions in a single request. Maximum 100 requests allowed.",
+        "operationId": "permissions.bulk-check",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/PermissionBulkCheckResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/Status"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "tenant_id",
+            "description": "Identifier of the tenant, if you are not using multi-tenancy (have only one tenant) use pre-inserted tenant \u003ccode\u003et1\u003c/code\u003e for this field. Required, and must match the pattern \\“[a-zA-Z0-9-,]+\\“, max 64 bytes.",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/BulkCheckBody"
+            }
+          }
+        ],
+        "tags": [
+          "Permission"
+        ]
+      }
+    },
     "/v1/tenants/{tenant_id}/permissions/check": {
       "post": {
         "summary": "check api",
@@ -1477,6 +1518,36 @@
       ],
       "description": "Enumerates the types of attribute.\n\n - ATTRIBUTE_TYPE_BOOLEAN: A boolean attribute type.\n - ATTRIBUTE_TYPE_BOOLEAN_ARRAY: A boolean array attribute type.\n - ATTRIBUTE_TYPE_STRING: A string attribute type.\n - ATTRIBUTE_TYPE_STRING_ARRAY: A string array attribute type.\n - ATTRIBUTE_TYPE_INTEGER: An integer attribute type.\n - ATTRIBUTE_TYPE_INTEGER_ARRAY: An integer array attribute type.\n - ATTRIBUTE_TYPE_DOUBLE: A double attribute type.\n - ATTRIBUTE_TYPE_DOUBLE_ARRAY: A double array attribute type."
     },
+    "BulkCheckBody": {
+      "type": "object",
+      "properties": {
+        "metadata": {
+          "$ref": "#/definitions/PermissionCheckRequestMetadata",
+          "description": "Metadata associated with this request, required."
+        },
+        "items": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/PermissionBulkCheckRequestItem"
+          },
+          "description": "List of permission check requests, maximum 100 items."
+        },
+        "context": {
+          "$ref": "#/definitions/Context",
+          "description": "Contextual data that can be dynamically added to permission check requests. See details on [Contextual Data](../../operations/contextual-tuples)"
+        },
+        "arguments": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/Argument"
+          },
+          "description": "Additional arguments associated with this request."
+        }
+      },
+      "description": "PermissionBulkCheckRequest is the request message for the BulkCheck method in the Permission service."
+    },
     "Bundle.DeleteBody": {
       "type": "object",
       "properties": {
@@ -2471,6 +2542,39 @@
       },
       "description": "PermissionExpandRequest is the request message for the Expand method in the Permission service."
     },
+    "PermissionBulkCheckRequestItem": {
+      "type": "object",
+      "properties": {
+        "entity": {
+          "$ref": "#/definitions/Entity",
+          "example": "repository:1",
+          "description": "Entity on which the permission needs to be checked, required."
+        },
+        "permission": {
+          "type": "string",
+          "description": "The action the user wants to perform on the resource"
+        },
+        "subject": {
+          "$ref": "#/definitions/Subject",
+          "description": "Subject for which the permission needs to be checked, required."
+        }
+      },
+      "title": "BULK CHECK"
+    },
+    "PermissionBulkCheckResponse": {
+      "type": "object",
+      "properties": {
+        "results": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "$ref": "#/definitions/PermissionCheckResponse"
+          },
+          "description": "List of permission check responses corresponding to each request."
+        }
+      },
+      "description": "PermissionBulkCheckResponse is the response message for the BulkCheck method in the Permission service."
+    },
     "PermissionCheckRequestMetadata": {
       "type": "object",
       "properties": {

integration-test/usecases/facebook_groups_test.go

@@ -74,6 +74,62 @@ var _ = Describe("facebook-groups-test", func() {
 			}
 		})
 
+		It("Facebook Groups Sample: Bulk Checks All Scenarios", func() {
+			var bulkRequestItems []*base.PermissionBulkCheckRequestItem
+			var expectedResults []base.CheckResult
+
+			for _, scenario := range shapes.InitialFacebookGroupsShape.Scenarios {
+				for _, check := range scenario.Checks {
+					entity, err := tuple.E(check.Entity)
+					Expect(err).ShouldNot(HaveOccurred())
+					ear, err := tuple.EAR(check.Subject)
+					Expect(err).ShouldNot(HaveOccurred())
+
+					subject := &base.Subject{
+						Type:     ear.GetEntity().GetType(),
+						Id:       ear.GetEntity().GetId(),
+						Relation: ear.GetRelation(),
+					}
+
+					var contextTuples []*base.Tuple
+					for _, t := range check.Context.Tuples {
+						tup, err := tuple.Tuple(t)
+						Expect(err).ShouldNot(HaveOccurred())
+						contextTuples = append(contextTuples, tup)
+					}
+
+					for permission, expected := range check.Assertions {
+						exp := base.CheckResult_CHECK_RESULT_ALLOWED
+						if !expected {
+							exp = base.CheckResult_CHECK_RESULT_DENIED
+						}
+						item := &base.PermissionBulkCheckRequestItem{
+							Entity:     entity,
+							Permission: permission,
+							Subject:    subject,
+						}
+						bulkRequestItems = append(bulkRequestItems, item)
+						expectedResults = append(expectedResults, exp)
+					}
+				}
+			}
+
+			res, err := permissionClient.BulkCheck(ctx, &base.PermissionBulkCheckRequest{
+				TenantId: "facebook-groups",
+				Metadata: &base.PermissionCheckRequestMetadata{
+					SchemaVersion: initialFacebookGroupsSchemaVersion,
+					SnapToken:     initialFacebookGroupsSnapToken,
+					Depth:         100,
+				},
+				Items: bulkRequestItems,
+			})
+			Expect(err).ShouldNot(HaveOccurred())
+			Expect(res.GetResults()).To(HaveLen(len(expectedResults)))
+			for i, r := range res.GetResults() {
+				Expect(r.Can).Should(Equal(expectedResults[i]))
+			}
+		})
+
 		It("Facebook Groups Sample: Entity Filtering", func() {
 			for _, scenario := range shapes.InitialFacebookGroupsShape.Scenarios {
 				for _, filter := range scenario.EntityFilters {

integration-test/usecases/google_docs_test.go

@@ -74,6 +74,62 @@ var _ = Describe("google-docs-test", func() {
 			}
 		})
 
+		It("Google Docs Sample: Bulk Checks All Scenarios", func() {
+			var bulkRequestItems []*base.PermissionBulkCheckRequestItem
+			var expectedResults []base.CheckResult
+
+			for _, scenario := range shapes.InitialGoogleDocsShape.Scenarios {
+				for _, check := range scenario.Checks {
+					entity, err := tuple.E(check.Entity)
+					Expect(err).ShouldNot(HaveOccurred())
+					ear, err := tuple.EAR(check.Subject)
+					Expect(err).ShouldNot(HaveOccurred())
+
+					subject := &base.Subject{
+						Type:     ear.GetEntity().GetType(),
+						Id:       ear.GetEntity().GetId(),
+						Relation: ear.GetRelation(),
+					}
+
+					var contextTuples []*base.Tuple
+					for _, t := range check.Context.Tuples {
+						tup, err := tuple.Tuple(t)
+						Expect(err).ShouldNot(HaveOccurred())
+						contextTuples = append(contextTuples, tup)
+					}
+
+					for permission, expected := range check.Assertions {
+						exp := base.CheckResult_CHECK_RESULT_ALLOWED
+						if !expected {
+							exp = base.CheckResult_CHECK_RESULT_DENIED
+						}
+						item := &base.PermissionBulkCheckRequestItem{
+							Entity:     entity,
+							Permission: permission,
+							Subject:    subject,
+						}
+						bulkRequestItems = append(bulkRequestItems, item)
+						expectedResults = append(expectedResults, exp)
+					}
+				}
+			}
+
+			res, err := permissionClient.BulkCheck(ctx, &base.PermissionBulkCheckRequest{
+				TenantId: "google-docs",
+				Metadata: &base.PermissionCheckRequestMetadata{
+					SchemaVersion: initialGoogleDocsSchemaVersion,
+					SnapToken:     initialGoogleDocsSnapToken,
+					Depth:         100,
+				},
+				Items: bulkRequestItems,
+			})
+			Expect(err).ShouldNot(HaveOccurred())
+			Expect(res.GetResults()).To(HaveLen(len(expectedResults)))
+			for i, r := range res.GetResults() {
+				Expect(r.Can).Should(Equal(expectedResults[i]))
+			}
+		})
+
 		It("Google Docs Sample: Entity Filtering", func() {
 			for _, scenario := range shapes.InitialGoogleDocsShape.Scenarios {
 				for _, filter := range scenario.EntityFilters {