keto OPL parsing error #1046

Closed
4 of 6 tasks
amirzahavi opened this issue Oct 2, 2022 · 3 comments · Fixed by #1059
Labels
bug Something is not working.

Comments

@amirzahavi
Preflight checklist

Describe the bug

I self-host keto on a Kubernetes cluster.
After upgrading to keto version v0.10.0-alpha.0
and changing my namespace config to point to the OPL config file,

keto was not able to parse my TypeScript config file, with the following error:

Failed to parse OPL config files at target file:///usr/data/configs/permissions.ts.

When I comment it out, keto throws on other parsing issues (I suspect it is not a subset of TypeScript at all; keto fails on commas and other TypeScript syntax rules).

Reproducing the bug

import { Namespace, SubjectSet, Context } from '@ory/keto-namespace-types';

class Role implements Namespace {
  related: {
    member: Role[]
  }
}

class Resource implements Namespace {
  related: {
    admins: SubjectSet<Role, 'member'>[],
    supervisors: SubjectSet<Role, 'member'>[],
    annotators: SubjectSet<Role, 'member'>[],
    medicalAnnotators: SubjectSet<Role, 'member'>[],
  };

  permits = {
    read: (ctx: Context) => this.related.admins.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.annotators.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.medicalAnnotators.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.supervisors.traverse((role) => role.related.member.includes(ctx.subject)),

    comment: (ctx: Context) => this.permits.read(ctx),

    update: (ctx: Context) => this.related.admins.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.annotators.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.medicalAnnotators.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.supervisors.traverse((role) => role.related.member.includes(ctx.subject)),

    create: (ctx: Context) => this.related.admins.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.annotators.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.supervisors.traverse((role) => role.related.member.includes(ctx.subject)),

    approve: (ctx: Context) => this.related.admins.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.supervisors.traverse((role) => role.related.member.includes(ctx.subject)),

    delete: (ctx: Context) => this.related.admins.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.supervisors.traverse((role) => role.related.member.includes(ctx.subject)),
  };
}

Relevant log output

time=2022-10-02T14:23:52Z level=error msg=Failed to parse OPL config files at target file:///usr/data/configs/permissions.ts. audience=application error=map[message:error from 1:48 to 1:48: fatal: at "@ory/keto-namespace-types';\n\nclass Role implements Namespace {\n  related: {\n    member: Role[];\n  };\n}\n\nclass Resource implements Namespace {\n  related: {\n    admins: SubjectSet<Role, 'member'>[];\n    supervisors: SubjectSet<Role, 'member'>[];\n    annotators: SubjectSet<Role, 'member'>[];\n    medicalAnnotators: SubjectSet<Role, 'member'>[];\n  };\n\n  permits = {\n    read: (ctx: Context) =>\n      this.related.admins.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.annotators.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.medicalAnnotators.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.supervisors.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ),\n\n    comment: (ctx: Context) => this.permits.read(ctx),\n\n    update: (ctx: Context) =>\n      this.related.admins.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.annotators.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.medicalAnnotators.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.supervisors.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ),\n\n    create: (ctx: Context) =>\n      this.related.admins.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.annotators.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.supervisors.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ),\n\n    approve: (ctx: 
Context) =>\n      this.related.admins.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.supervisors.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ),\n\n    delete: (ctx: Context) =>\n      this.related.admins.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ) ||\n      this.related.supervisors.traverse((role) =>\n        role.related.member.includes(ctx.subject)\n      ),\n  };\n}\n": unclosed string literal

   0 | import { Namespace, SubjectSet, Context } from '@ory/keto-namespace-types';
                                                       ^                          
   0 | 

 stack_trace:stack trace could not be recovered from error type *schema.ParseError] service_name=Ory Keto service_version=v0.10.0-alpha.0

Relevant configuration

log:
  format: text
  leak_sensitive_values: true
  level: debug
namespaces:
  location: file:///usr/data/configs/permissions.ts

Version

v0.10.0-alpha.0

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Kubernetes with Helm

Additional Context

I also use Prettier to format my TypeScript files (it seems that keto doesn't know how to parse a TypeScript file correctly).

@amirzahavi amirzahavi added the bug Something is not working. label Oct 2, 2022
@EvanBarbour3

I also ran into this, had a look around and found it's been fixed in #1041

Until this is released, I've done the following to be able to carry on with userset-rewrites:

# Because I'm on a mac, I didn't have Make 4.3 in the path, but had it via `brew install make` (check `brew info make`)
export PATH="/opt/homebrew/opt/make/libexec/gnubin:$PATH"

# Check you have the correct make version
make -v

# Build oryd/keto:latest locally
make docker

Assuming you're using docker, you can change your docker-compose.yml to use image: oryd/keto:latest

@dan2kx

dan2kx commented Oct 5, 2022

I had other issues when I removed this line: the parser didn’t recognise ! or ? or ; characters. It also didn’t seem to understand the items defined in my related sections. Are those also fixed with this update?

@hperl hperl mentioned this issue Oct 7, 2022
7 tasks
@hperl
Collaborator

hperl commented Oct 7, 2022

Thanks for the report! I added your example to the test cases and it now passes except for the line comment: (ctx: Context) => this.permits.read(ctx). Currently, you can only reference related attributes, not permits. But I agree that it is useful :).

If you have other examples of syntax that should be working, please keep them coming.
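
The limitation described in the comment above (a permit may reference `related` attributes but not another permit) can be checked for before an OPL file is deployed. The following is an added example, not code from this thread or from Ory: it reports `this.permits.<name>(ctx)` references and produces the expression with the referenced permit inlined. The function names, the sample file and the line-based matching, which assumes the flat layout used in this issue, are assumptions.

```typescript
// Constructed sample in the style of the issue's permissions.ts (not the reporter's full file).
const SAMPLE_OPL = `class Resource implements Namespace {
  permits = {
    read: (ctx: Context) => this.related.admins.traverse((role) => role.related.member.includes(ctx.subject)) ||
      this.related.supervisors.traverse((role) => role.related.member.includes(ctx.subject)),

    comment: (ctx: Context) => this.permits.read(ctx),
  };
}`;

interface PermitRef { line: number; permit: string; target: string }
const HEADER = /^\s*(\w+):\s*\(ctx: Context\)\s*=>\s*/; // "name: (ctx: Context) =>"
const REF = /this\.permits\.(\w+)\(ctx\)/;               // permit-to-permit reference
// Report every permit that calls another permit, with its 1-based line number.
function findPermitRefs(src: string): PermitRef[] {
  const refs: PermitRef[] = [];
  let permit = "";
  src.split("\n").forEach((raw, i) => {
    permit = (HEADER.exec(raw) || ["", permit])[1];
    const r = REF.exec(raw);
    if (r) refs.push({ line: i + 1, permit, target: r[1] });
  });
  return refs;
}

// Collect each permit's expression text from the permits block, keyed by permit name.
function permitBodies(src: string): Record<string, string> {
  const bodies: Record<string, string> = {};
  let current = "", inPermits = false;
  for (const raw of src.split("\n")) {
    if (!inPermits) { inPermits = /^\s*permits\s*=\s*\{/.test(raw); continue; }
    if (/^\s*\};?\s*$/.test(raw)) break; // closing brace of the permits block
    const m = HEADER.exec(raw);
    if (m) { current = m[1]; bodies[current] = ""; }
    if (current) bodies[current] += " " + raw.replace(HEADER, "").trim();
  }
  for (const k of Object.keys(bodies)) bodies[k] = bodies[k].trim().replace(/,$/, "");
  return bodies;
}

// Expand permit references into the referenced expression; rejects cycles and unknown names.
function inlinePermit(name: string, bodies: Record<string, string>, seen: string[] = []): string {
  if (seen.indexOf(name) >= 0 || !(name in bodies)) throw new Error("cannot inline permit: " + name);
  const body = bodies[name], next = seen.concat(name);
  const whole = /^this\.permits\.(\w+)\(ctx\)$/.exec(body);
  if (whole) return inlinePermit(whole[1], bodies, next);
  // Embedded reference: parenthesise to keep precedence (assumes the parser accepts parentheses).
  return body.replace(new RegExp(REF.source, "g"), (_m: string, t: string) => "(" + inlinePermit(t, bodies, next) + ")");
}
```

For the sample, `findPermitRefs` flags the `comment` permit on line 6, and `inlinePermit("comment", permitBodies(SAMPLE_OPL))` returns the same expression as `read`, which can replace the `this.permits.read(ctx)` call.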
