Move debug traces for CheckPermission into the response

e2e/go.mod

@@ -5,7 +5,7 @@ go 1.21
 toolchain go1.21.1
 
 require (
-	github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d
+	github.com/authzed/authzed-go v0.10.2-0.20240313203343-903be5541103
 	github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1
 	github.com/authzed/spicedb v1.29.5
 	github.com/brianvoe/gofakeit/v6 v6.23.2

e2e/go.sum

@@ -20,8 +20,8 @@ github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8
 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 h1:goHVqTbFX3AIo0tzGr14pgfAW2ZfPChKO21Z9MGf/gk=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
-github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d h1:hzo0UIaYtLyJsEdCrM05k1k2YZHqPAyMpHL7rq37j5Q=
-github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
+github.com/authzed/authzed-go v0.10.2-0.20240313203343-903be5541103 h1:7LvqvFL9z+zyo7wlkH7rBKDD6SgJ7jbP1nvAJWi1Oug=
+github.com/authzed/authzed-go v0.10.2-0.20240313203343-903be5541103/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
 github.com/authzed/cel-go v0.17.5 h1:lfpkNrR99B5QRHg5qdG9oLu/kguVlZC68VJuMk8tH9Y=
 github.com/authzed/cel-go v0.17.5/go.mod h1:XL/zEq5hKGVF8aOdMbG7w+BQPihLjY2W8N+UIygDA2I=
 github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1 h1:zBfQzia6Hz45pJBeURTrv1b6HezmejB6UmiGuBilHZM=

go.mod

@@ -8,7 +8,7 @@ require (
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2
 	github.com/IBM/pgxpoolprometheus v1.1.1
 	github.com/Masterminds/squirrel v1.5.4
-	github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d
+	github.com/authzed/authzed-go v0.10.2-0.20240313203343-903be5541103
 	github.com/authzed/cel-go v0.17.5
 	github.com/authzed/consistent v0.1.0
 	github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1

go.sum

@@ -111,8 +111,8 @@ github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8ger
 github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
 github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
 github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
-github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d h1:hzo0UIaYtLyJsEdCrM05k1k2YZHqPAyMpHL7rq37j5Q=
-github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
+github.com/authzed/authzed-go v0.10.2-0.20240313203343-903be5541103 h1:7LvqvFL9z+zyo7wlkH7rBKDD6SgJ7jbP1nvAJWi1Oug=
+github.com/authzed/authzed-go v0.10.2-0.20240313203343-903be5541103/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
 github.com/authzed/cel-go v0.17.5 h1:lfpkNrR99B5QRHg5qdG9oLu/kguVlZC68VJuMk8tH9Y=
 github.com/authzed/cel-go v0.17.5/go.mod h1:XL/zEq5hKGVF8aOdMbG7w+BQPihLjY2W8N+UIygDA2I=
 github.com/authzed/consistent v0.1.0 h1:tlh1wvKoRbjRhMm2P+X5WQQyR54SRoS4MyjLOg17Mp8=

internal/services/v1/debug_test.go

@@ -12,7 +12,6 @@ import (
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/metadata"
-	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/encoding/prototext"
 	"google.golang.org/protobuf/types/known/structpb"
 
@@ -485,9 +484,7 @@ func TestCheckPermissionWithDebug(t *testing.T) {
 
 					req.NotNil(encodedDebugInfo)
 
-					debugInfo := &v1.DebugInformation{}
-					err = protojson.Unmarshal([]byte(*encodedDebugInfo), debugInfo)
-					req.NoError(err)
+					debugInfo := checkResp.DebugTrace
 					req.NotEmpty(debugInfo.SchemaUsed)
 
 					req.Equal(stc.checkRequest.resource.ObjectType, debugInfo.Check.Resource.ObjectType)

internal/services/v1/permissions.go

@@ -11,7 +11,6 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/structpb"
 
@@ -67,13 +66,18 @@ func (ps *permissionServer) CheckPermission(ctx context.Context, req *v1.CheckPe
 	}
 
 	debugOption := computed.NoDebugging
+
 	if md, ok := metadata.FromIncomingContext(ctx); ok {
 		_, isDebuggingEnabled := md[string(requestmeta.RequestDebugInformation)]
 		if isDebuggingEnabled {
 			debugOption = computed.BasicDebuggingEnabled
 		}
 	}
 
+	if req.WithTracing {
+		debugOption = computed.BasicDebuggingEnabled
+	}
+
 	cr, metadata, err := computed.ComputeCheck(ctx, ps.dispatch,
 		computed.CheckParameters{
 			ResourceType: &core.RelationReference{
@@ -94,21 +98,18 @@ func (ps *permissionServer) CheckPermission(ctx context.Context, req *v1.CheckPe
 	)
 	usagemetrics.SetInContext(ctx, metadata)
 
+	var debugTrace *v1.DebugInformation
 	if debugOption != computed.NoDebugging && metadata.DebugInfo != nil {
-		// Convert the dispatch debug information into API debug information and marshal into
-		// the footer.
+		// Convert the dispatch debug information into API debug information.
 		converted, cerr := ConvertCheckDispatchDebugInformation(ctx, caveatContext, metadata, ds)
 		if cerr != nil {
 			return nil, ps.rewriteError(ctx, cerr)
 		}
+		debugTrace = converted
 
-		marshaled, merr := protojson.Marshal(converted)
-		if merr != nil {
-			return nil, ps.rewriteError(ctx, merr)
-		}
-
+		// TODO(jschorr): Remove this once the trailer is not longer used by anyone.
 		serr := responsemeta.SetResponseTrailerMetadata(ctx, map[responsemeta.ResponseMetadataTrailerKey]string{
-			responsemeta.DebugInformation: string(marshaled),
+			responsemeta.DebugInformation: `{"note": "debug information has been moved into the response object. See https://spicedb.dev/d/check-traces"}`,
 		})
 		if serr != nil {
 			return nil, ps.rewriteError(ctx, serr)
@@ -125,6 +126,7 @@ func (ps *permissionServer) CheckPermission(ctx context.Context, req *v1.CheckPe
 		CheckedAt:         checkedAt,
 		Permissionship:    permissionship,
 		PartialCaveatInfo: partialCaveat,
+		DebugTrace:        debugTrace,
 	}, nil
 }
 

internal/services/v1/permissions_test.go

@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/structpb"
 
 	"github.com/authzed/spicedb/internal/datastore/memdb"
@@ -296,9 +295,7 @@ func TestCheckPermissions(t *testing.T) {
 								if debug {
 									require.NotNil(encodedDebugInfo)
 
-									debugInfo := &v1.DebugInformation{}
-									err = protojson.Unmarshal([]byte(*encodedDebugInfo), debugInfo)
-									require.NoError(err)
+									debugInfo := checkResp.DebugTrace
 									require.NotNil(debugInfo.Check)
 									require.NotNil(debugInfo.Check.Duration)
 									require.Equal(tuple.StringObjectRef(tc.resource), tuple.StringObjectRef(debugInfo.Check.Resource))
@@ -347,10 +344,7 @@ func TestCheckPermissionWithDebugInfo(t *testing.T) {
 
 	require.NotNil(encodedDebugInfo)
 
-	debugInfo := &v1.DebugInformation{}
-	err = protojson.Unmarshal([]byte(*encodedDebugInfo), debugInfo)
-	require.NoError(err)
-
+	debugInfo := checkResp.DebugTrace
 	require.GreaterOrEqual(len(debugInfo.Check.GetSubProblems().Traces), 1)
 	require.NotEmpty(debugInfo.SchemaUsed)