openfga
diff --git a/‎pkg/go/graph/graph_edge.go‎
Lines changed: 0 additions & 15 deletions b/‎pkg/go/graph/graph_edge.go‎
Lines changed: 0 additions & 15 deletions
diff --git a/‎pkg/go/graph/graph_node.go‎
Lines changed: 0 additions & 13 deletions b/‎pkg/go/graph/graph_node.go‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎pkg/go/graph/weighted_graph.go‎
Lines changed: 48 additions & 44 deletions b/‎pkg/go/graph/weighted_graph.go‎
Lines changed: 48 additions & 44 deletions
diff --git a/‎pkg/go/graph/weighted_graph_builder.go‎
Lines changed: 21 additions & 4 deletions b/‎pkg/go/graph/weighted_graph_builder.go‎
Lines changed: 21 additions & 4 deletions
@@ -5,21 +5,6 @@ import (
 	"gonum.org/v1/gonum/graph/encoding"
 )
 
-type EdgeType int64
-
-const (
-	DirectEdge   EdgeType = 0
-	RewriteEdge  EdgeType = 1
-	TTUEdge      EdgeType = 2
-	ComputedEdge EdgeType = 3
-	// When an edge does not have cond in the model, it will have a condition with value none.
-	// This is required to differentiate when an edge need to support condition and no condition
-	// like define rel1: [user, user with condX], in this case the edge will have [none, condX]
-	// or an edge needs to support only condition like define rel1: [user with condX], the edge will have [condX]
-	// in the case the edge does not have any condition like define rel1: [user], the edge will have [none].
-	NoCond string = "none"
-)
-
 type AuthorizationModelEdge struct {
 	graph.Line
 
 
@@ -5,19 +5,6 @@ import (
 	"gonum.org/v1/gonum/graph/encoding"
 )
 
-type NodeType int64
-
-const (
-	SpecificType            NodeType = 0 // e.g. `group`
-	SpecificTypeAndRelation NodeType = 1 // e.g. `group#viewer`
-	OperatorNode            NodeType = 2 // e.g. union
-	SpecificTypeWildcard    NodeType = 3 // e.g. `group:*`
-
-	UnionOperator        = "union"
-	IntersectionOperator = "intersection"
-	ExclusionOperator    = "exclusion"
-)
-
 type AuthorizationModelNode struct {
 	graph.Node
 
 
@@ -129,8 +129,8 @@ func (wg *WeightedAuthorizationModelGraph) AssignWeights() error {
 	tupleCycleDependencies := make(map[string][]*WeightedAuthorizationModelEdge)
 
 	for nodeID, node := range wg.nodes {
-		if node.GetNodeType() == OperatorNode {
-			// Inititally defer weight assignment of operator nodes to later in `fixDependantNodesWeight()`.
+		if wg.isLogicalOperator(node) {
+			// Inititally defer weight assignment of operator nodes and the logical nodes to later in `fixDependantNodesWeight()`.
 			// This enables more deterministic behavior of intermediate functions.
 			continue
 		}
@@ -150,6 +150,24 @@ func (wg *WeightedAuthorizationModelGraph) AssignWeights() error {
 	return nil
 }
 
+func (wg *WeightedAuthorizationModelGraph) isLogicalOperator(node *WeightedAuthorizationModelNode) bool {
+	// a logical ttu is when a ttu has more than one edges due to having multiple terminal types as usersets,
+	// and should always be treated as a union among all those ttu edges as they belong to the same logical ttu
+	// a logical userset is when we have multiple asignations to terminal types or usersets, we need to treat that
+	// as a union for all the direct edges
+	nodeType := node.GetNodeType()
+	return nodeType == OperatorNode || nodeType == LogicalTTUGrouping || nodeType == LogicalDirectGrouping
+}
+
+func (wg *WeightedAuthorizationModelGraph) isLogicalUnionOperator(node *WeightedAuthorizationModelNode) bool {
+	// a logical ttu is when a ttu has more than one edges due to having multiple terminal types as usersets,
+	// and should always be treated as a union among all those ttu edges as they belong to the same logical ttu
+	// a logical userset is when we have multiple asignations to terminal types or usersets, we need to treat that
+	// as a union for all the direct edges
+	nodeType := node.GetNodeType()
+	return (nodeType == OperatorNode && node.GetLabel() == UnionOperator) || nodeType == LogicalTTUGrouping || nodeType == LogicalDirectGrouping
+}
+
 func (wg *WeightedAuthorizationModelGraph) calculateEdgeWildcards(edge *WeightedAuthorizationModelEdge) {
 	// if wildcards already exist, we don't need to calculate them
 	if len(edge.wildcards) > 0 {
@@ -437,8 +455,9 @@ func (wg *WeightedAuthorizationModelGraph) calculateNodeWeightFromTheEdges(nodeI
 		return tupleCycles, nil
 	}
 
-	// there is a cycle but the node is not responsible for the cycle and it is not an operator node
-	if node.nodeType != OperatorNode {
+	// there is a cycle but the node is not responsible for the cycle and it is not a logical operator node
+	// a logical operator node is an operator node, a logical ttu and a logical userset node
+	if !wg.isLogicalOperator(node) {
 		// even when there is a cycle, if the relation is not recursive then we calculate the weight using the max strategy
 		err = wg.calculateNodeWeightWithMaxStrategy(nodeID)
 		if err != nil {
@@ -447,8 +466,9 @@ func (wg *WeightedAuthorizationModelGraph) calculateNodeWeightFromTheEdges(nodeI
 		return tupleCycles, nil
 	}
 
-	// if the node is an union operator and there is a cycle
-	if node.nodeType == OperatorNode && node.label == UnionOperator {
+	// if the node is a logical union operator,
+	// a logical union operator is a union node, a logical userset or a logical ttu.
+	if wg.isLogicalUnionOperator(node) {
 		// if the node is the reference node of the cycle, recalculate the weight, solve the depencies and remove the node from the tuple cycle
 		if wg.isNodeTupleCycleReference(nodeID, tupleCycles) {
 			err := wg.calculateNodeWeightAndFixDependencies(nodeID, tupleCycleDependencies)
@@ -497,30 +517,35 @@ func (wg *WeightedAuthorizationModelGraph) calculateNodeWeightWithMaxStrategy(no
 // calculateNodeWeightWithMixedStrategy is a mixed weight strategy used for exclusion node (A but not B).
 // For all A edges, we take all the types for all the edges and get the max value
 // if more than one edge have the same type in their weights.
-// For all
 func (wg *WeightedAuthorizationModelGraph) calculateNodeWeightWithMixedStrategy(nodeID string) error {
 	node := wg.nodes[nodeID]
-	weights := make(map[string]int)
 	edges := wg.edges[nodeID]
 
 	if len(edges) == 0 && node.nodeType != SpecificType && node.nodeType != SpecificTypeWildcard {
 		return fmt.Errorf("%w: %s node does not have any terminal type to reach to", ErrInvalidModel, node.uniqueLabel)
 	}
 
-	for idx, edge := range edges {
-		for key, value := range edge.weights {
-			if _, ok := weights[key]; !ok {
-				if idx != len(edges)-1 {
-					// This is the A edge.  We take the max weight of all key
-					weights[key] = value
-				} // otherwise, B edge requires weight to be present in A. Otherwise, we will ignore.
-			} else {
-				weights[key] = int(math.Max(float64(weights[key]), float64(value)))
-			}
+	if node.nodeType != OperatorNode || node.label != ExclusionOperator {
+		return fmt.Errorf("%w: node %s cannot apply mixed strategy, only accepted exclusion nodes", ErrInvalidModel, nodeID)
+	}
+
+	// with the logical ttu and userset, an exclusion operation only has two edges
+	// the first edge is the one that defines the userset, the second edge is the one that excludes it
+	if len(edges) != 2 {
+		return fmt.Errorf("%w: invalid number of edges for exclusion node %s", ErrInvalidModel, nodeID)
+	}
+	nodeWeights := make(map[string]int, len(edges))
+	for k, v := range edges[0].weights {
+		nodeWeights[k] = v
+	}
+
+	for key, value := range edges[1].weights {
+		if w, ok := nodeWeights[key]; ok {
+			nodeWeights[key] = int(math.Max(float64(w), float64(value)))
 		}
 	}
 
-	node.weights = weights
+	node.weights = nodeWeights
 	return nil
 }
 
@@ -536,19 +561,9 @@ func (wg *WeightedAuthorizationModelGraph) calculateNodeWeightWithEnforceTypeStr
 		return fmt.Errorf("%w: %s node does not have any terminal type to reach to", ErrInvalidModel, node.uniqueLabel)
 	}
 
-	// In intersection, directly-assignable types must be handled separately from rewritten types.
-	// All types flatten to edges, but directly-assignable weights are OR'd together, and that result
-	// is then AND'd with the combined weights of the rewritten edges for validity and weight assignment.
-	directlyAssignableWeights := make(map[string]int, len(edges))
 	rewriteWeights := make(map[string]int, len(edges))
-
 	for _, edge := range edges {
-		if edge.GetEdgeType() == DirectEdge {
-			for key, weight := range edge.weights {
-				directlyAssignableWeights[key] = weight
-			}
-			continue
-		}
+
 		if len(rewriteWeights) == 0 {
 			for key, weight := range edge.weights {
 				rewriteWeights[key] = weight
@@ -564,18 +579,7 @@ func (wg *WeightedAuthorizationModelGraph) calculateNodeWeightWithEnforceTypeStr
 		}
 	}
 
-	if len(directlyAssignableWeights) > 0 {
-		for key := range directlyAssignableWeights {
-			if _, existsInBoth := rewriteWeights[key]; existsInBoth {
-				if node.weights == nil {
-					node.weights = make(map[string]int, int(math.Min(float64(len(rewriteWeights)), float64(len(directlyAssignableWeights)))))
-				}
-				node.weights[key] = int(math.Max(float64(rewriteWeights[key]), float64(directlyAssignableWeights[key])))
-			}
-		}
-	} else {
-		node.weights = rewriteWeights
-	}
+	node.weights = rewriteWeights
 
 	if len(node.weights) == 0 {
 		return fmt.Errorf("%w: not all paths return the same type for the node %s", ErrInvalidModel, nodeID)
@@ -605,8 +609,8 @@ func (wg *WeightedAuthorizationModelGraph) calculateNodeWeightAndFixDependencies
 	referenceNodeID := "R#" + nodeID
 	edges := wg.edges[nodeID]
 
-	if (node.nodeType == OperatorNode && node.label != UnionOperator) || (node.nodeType != SpecificTypeAndRelation && node.nodeType != OperatorNode) {
-		return fmt.Errorf("%w: invalid node, reference node is not a union operator or a relation: %s", ErrTupleCycle, nodeID)
+	if node.nodeType != SpecificTypeAndRelation && !wg.isLogicalUnionOperator(node) {
+		return fmt.Errorf("%w: invalid node, reference node is not a union operator or a relation or a logical userset or logical TTU: %s", ErrTupleCycle, nodeID)
 	}
 
 	if len(edges) == 0 && node.nodeType != SpecificType && node.nodeType != SpecificTypeWildcard {
 
@@ -122,6 +122,16 @@ func (wgb *WeightedAuthorizationModelGraphBuilder) parseTupleToUserset(wg *Weigh
 		return fmt.Errorf("%w: Model cannot be parsed. No type and relation link exists for tupleset relation %s and computed relation %s", ErrInvalidModel, tuplesetRelation, computedRelation)
 	}
 
+	typeTuplesetRelation := typeDef.GetType() + "#" + tuplesetRelation
+	node := parentNode
+	if parentNode.nodeType != SpecificTypeAndRelation && len(directlyRelated) > 1 {
+		uniqueLabel := typeDef.GetType() + "#ttu:" + tuplesetRelation + "#" + computedRelation
+		// add a logical ttu node for grouping of TTU that are part of the same tuplesetrelation and computed relation
+		logicalNode := wg.GetOrAddNode(uniqueLabel, uniqueLabel, LogicalTTUGrouping)
+		wg.AddEdge(parentNode.uniqueLabel, logicalNode.uniqueLabel, TTULogicalEdge, parentRelationName, typeTuplesetRelation, nil)
+		node = logicalNode
+	}
+
 	for _, relatedType := range directlyRelated {
 		tuplesetType := relatedType.GetType()
 
@@ -131,9 +141,8 @@ func (wgb *WeightedAuthorizationModelGraphBuilder) parseTupleToUserset(wg *Weigh
 
 		rewrittenNodeName := fmt.Sprintf("%s#%s", tuplesetType, computedRelation)
 		nodeSource := wg.GetOrAddNode(rewrittenNodeName, rewrittenNodeName, SpecificTypeAndRelation)
-		typeTuplesetRelation := typeDef.GetType() + "#" + tuplesetRelation
 
-		if wg.HasEdge(parentNode, nodeSource, TTUEdge, typeTuplesetRelation) {
+		if wg.HasEdge(node, nodeSource, TTUEdge, typeTuplesetRelation) {
 			// we don't need to do any condition update, only de-dup the edge. In case of TTU
 			// the direct relation will have the conditions
 			// for example, in the case of
@@ -147,7 +156,7 @@ func (wgb *WeightedAuthorizationModelGraphBuilder) parseTupleToUserset(wg *Weigh
 		}
 
 		// new edge from "xxx#admin" to "yyy#viewer" tuplesetRelation on "yyy#parent"
-		wg.UpsertEdge(parentNode, nodeSource, TTUEdge, parentRelationName, typeTuplesetRelation, relatedType.GetCondition())
+		wg.UpsertEdge(node, nodeSource, TTUEdge, parentRelationName, typeTuplesetRelation, relatedType.GetCondition())
 	}
 	return nil
 }
@@ -171,6 +180,14 @@ func (wgb *WeightedAuthorizationModelGraphBuilder) parseThis(wg *WeightedAuthori
 	if relationMetadata, ok := typeDef.GetMetadata().GetRelations()[relation]; ok {
 		directlyRelated = relationMetadata.GetDirectlyRelatedUserTypes()
 	}
+	node := parentNode
+	// add a logical userset node for grouping of direct usersets that are defined in the same relation
+	if parentNode.nodeType != SpecificTypeAndRelation && len(directlyRelated) > 1 {
+		uniqueLabel := typeDef.GetType() + "#direct:" + relation
+		logicalNode := wg.GetOrAddNode(uniqueLabel, uniqueLabel, LogicalDirectGrouping)
+		wg.AddEdge(parentNode.uniqueLabel, logicalNode.uniqueLabel, DirectLogicalEdge, parentRelationName, "", nil)
+		node = logicalNode
+	}
 
 	for _, directlyRelatedDef := range directlyRelated {
 		switch {
@@ -190,7 +207,7 @@ func (wgb *WeightedAuthorizationModelGraphBuilder) parseThis(wg *WeightedAuthori
 
 		// de-dup types that are conditioned, e.g. if define viewer: [user, user with condX]
 		// we only draw one edge from user to x#viewer, but with two conditions: none and condX
-		err := wg.UpsertEdge(parentNode, curNode, DirectEdge, parentRelationName, "", directlyRelatedDef.GetCondition())
+		err := wg.UpsertEdge(node, curNode, DirectEdge, parentRelationName, "", directlyRelatedDef.GetCondition())
 		if err != nil {
 			return err
 		}