Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
When checking permissions of a `(User | SubjectSet<Group,"members">)[]` union, the users are only resolved by `...includes(ctx.subject)` if the group they belong to is the directly attached subject set.
However, directly querying the relation itself will still correctly return the users attached to it.
This behaviour is also exhibited by expand, where the user subject_id leaf nodes only appear if the group subject set is the direct child.
Reproducing the bug
Create a keto namespace config that uses the User and Group types from the tutorial (including the (User | Group)[] union type for the members relation)
Create a new type that has a `(User | SubjectSet<Group,"members">)[]` union relation and a permission that resolves to `this.relation.relationname.includes(ctx.subject)`
Create two group objects.
Set Group 1's member subject set to be members of Group 2.
Set a user to be a member of Group 1.
Set Group 2's subject set to be part of the relation on the third type.
Finally, query keto, once against the relation and once against the permit. The relation will fail and the permit will succeed.
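The steps above as a script, added here as an example and not part of the report: it builds the three relation tuples, writes them through Keto's admin write API, and then runs the two checks (relation and permit) that the report compares. User, group and feature names, and the localhost ports 4467/4466, are assumptions.

```python
import json
import os
import urllib.request

# Constructed identifiers for the reproduction; not taken from the report.
USER, GROUP1, GROUP2, FEATURE = "alice", "group1", "group2", "feature1"

def repro_tuples():
    """Relation tuples for the steps in the report, in the order written."""
    return [
        # Group 1's members subject set is a member of Group 2 (nested set).
        {"namespace": "Group", "object": GROUP2, "relation": "members",
         "subject_set": {"namespace": "Group", "object": GROUP1, "relation": "members"}},
        # The user is a direct member of Group 1.
        {"namespace": "Group", "object": GROUP1, "relation": "members", "subject_id": USER},
        # Group 2's members subject set is attached to the Feature's readers relation.
        {"namespace": "Feature", "object": FEATURE, "relation": "readers",
         "subject_set": {"namespace": "Group", "object": GROUP2, "relation": "members"}},
    ]

def check_queries():
    """The two checks from the report: the readers relation and the read permit."""
    base = {"namespace": "Feature", "object": FEATURE, "subject_id": USER}
    return {"relation": {**base, "relation": "readers"},
            "permit": {**base, "relation": "read"}}

def tuple_str(t):
    """Render a tuple in Keto's namespace:object#relation@subject notation."""
    if "subject_id" in t:
        subj = t["subject_id"]
    else:
        s = t["subject_set"]
        subj = f'({s["namespace"]}:{s["object"]}#{s["relation"]})'
    return f'{t["namespace"]}:{t["object"]}#{t["relation"]}@{subj}'

def send_json(url, body, method="POST"):
    """Send a JSON body to a Keto endpoint and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Assumed default ports for the Keto write (4467) and read (4466) APIs.
    write_url = os.environ.get("KETO_WRITE_URL", "http://localhost:4467")
    read_url = os.environ.get("KETO_READ_URL", "http://localhost:4466")
    for t in repro_tuples():
        send_json(f"{write_url}/admin/relation-tuples", t, method="PUT")
    for name, q in check_queries().items():
        print(name, tuple_str(q), send_json(f"{read_url}/relation-tuples/check", q))
```

With a correct resolver both checks print `{"allowed": true}`; a differing result between the two lines is the behaviour the report describes.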
Relevant log output
Relevant configuration

```typescript
import type { Namespace, Context, SubjectSet } from "@ory/keto-namespace-types"

class User implements Namespace {}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Feature implements Namespace {
  related: {
    readers: (User | SubjectSet<Group, "members">)[]
    editors: (User | SubjectSet<Group, "members">)[]
  }

  permits = {
    read: (ctx: Context): boolean =>
      this.related.readers.includes(ctx.subject) || this.related.editors.includes(ctx.subject),
    edit: (ctx: Context): boolean =>
      this.related.editors.includes(ctx.subject)
  }
}
```

Version
0.14.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response