chore(core): enhance error messages for access controls check

[goldmedal]

Description

Show the rule name in the error messages

Summary by CodeRabbit

• Bug Fixes

  • Error messages related to session property validation now include the specific rule name, making it easier to identify which rule caused the error.

• Tests

  • Updated test cases to expect error messages that mention the relevant rule name for improved clarity and traceability.

[coderabbitai]

Walkthrough

This change updates error messages in row-level access control (RLAC) logic to include the rule name, improving clarity and traceability. The validate_rule function signature is modified to accept the rule name, and all related function calls and test assertions are updated to expect error messages with rule names. No core logic or control flow is altered.

Changes

Cohort / File(s)	Change Summary
RLAC Error Message Context Update wren-core/core/src/logical_plan/analyze/access_control.rs	Error messages in session property validation now include the RLAC rule name; validate_rule signature updated to accept rule name; related test cases updated.
RLAC Rule Validation Callsite Update wren-core/core/src/logical_plan/analyze/model_generation.rs	Calls to validate_rule updated to pass the rule name as an argument; logic otherwise unchanged.
Session Property Validation Callsite Update wren-core/core/src/logical_plan/analyze/plan.rs	Calls to validate_rule updated to include rule name; no other logic changes.
Test Assertion Updates wren-core/core/src/mdl/mod.rs	Test assertions for RLAC/CLAC error messages updated to expect rule names in error strings.

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant AccessControl
    participant ModelGen
    participant Plan

    Caller->>AccessControl: validate_rule(name, required_properties, headers)
    AccessControl-->>Caller: Result (error message includes rule name)

    ModelGen->>AccessControl: validate_rule(&rule.name, &rule.required_properties, self.properties)
    AccessControl-->>ModelGen: Result (error message includes rule name)

    Plan->>AccessControl: validate_rule(&rule.name, &rule.required_properties, &self.properties)
    AccessControl-->>Plan: Result (error message includes rule name)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• feat(core): introduce the row-level access control for the model #1161: Introduces the entire row-level access control feature, including the original validate_rule function and its usage, which are directly updated in this PR.

Suggested reviewers

• douenergy

Poem

A bunny with spectacles hopped by the code,
Adding rule names to errors, a helpful new mode.
Now when things break, the reason is clear—
The rule’s name appears, so no need to fear!
With clarity bright, our tests now delight,
This bunny’s small tweak makes debugging a treat! 🐇✨

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

wren-core/core/src/mdl/mod.rs (2)

1936-1939: Prefer consistent wording for all rule-name messages

The new wording is fine, but to avoid awkward sentences when the rule name itself already ends with “rule” (see below) consider the more neutral pattern

session property <prop> is required by rule \<rule_name>` but not found in headers`

This keeps the grammar uniform and eliminates a hard-coded “rule” suffix that may duplicate the word later.

---

2025-2028: Apply the same wording guideline here

Same comment as above – switching to “…required by rule `name`…” makes the error copy consistent across the codebase.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c1aa61f and cf6bac7.

📒 Files selected for processing (4)

• wren-core/core/src/logical_plan/analyze/access_control.rs (19 hunks)
• wren-core/core/src/logical_plan/analyze/model_generation.rs (1 hunks)
• wren-core/core/src/logical_plan/analyze/plan.rs (1 hunks)
• wren-core/core/src/mdl/mod.rs (4 hunks)

🧰 Additional context used

🧠 Learnings (5)

📓 Common learnings

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.

Learnt from: goldmedal
PR: Canner/wren-engine#1250
File: wren-core/core/src/mdl/mod.rs:391-417
Timestamp: 2025-07-11T02:36:24.323Z
Learning: In Wren Engine's column-level access control (CLAC) implementation, the `permission_analyze` function is used to provide better error messages when SQL planning fails. If permission_analyze succeeds (Ok), the original planning error is returned. If permission_analyze fails (Err), the permission error is returned instead, providing more specific error messages about access control violations.

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:18:21.776Z
Learning: In the `collect_condition` function of the row-level access control implementation, compound identifiers are intentionally ignored rather than causing failures when processing expressions. This is by design as confirmed by the team.

📚 Learning: the row-level access control implementation in wren engine filters headers with the prefix `x_wren_v...

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

Applied to files:

• wren-core/core/src/logical_plan/analyze/model_generation.rs
• wren-core/core/src/logical_plan/analyze/plan.rs
• wren-core/core/src/logical_plan/analyze/access_control.rs
• wren-core/core/src/mdl/mod.rs

📚 Learning: in the row-level access control implementation, separate error checks are maintained for different f...

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.

Applied to files:

• wren-core/core/src/logical_plan/analyze/model_generation.rs
• wren-core/core/src/logical_plan/analyze/plan.rs
• wren-core/core/src/logical_plan/analyze/access_control.rs
• wren-core/core/src/mdl/mod.rs

📚 Learning: in wren engine's column-level access control (clac) implementation, the `permission_analyze` functio...

Learnt from: goldmedal
PR: Canner/wren-engine#1250
File: wren-core/core/src/mdl/mod.rs:391-417
Timestamp: 2025-07-11T02:36:24.323Z
Learning: In Wren Engine's column-level access control (CLAC) implementation, the `permission_analyze` function is used to provide better error messages when SQL planning fails. If permission_analyze succeeds (Ok), the original planning error is returned. If permission_analyze fails (Err), the permission error is returned instead, providing more specific error messages about access control violations.

Applied to files:

• wren-core/core/src/logical_plan/analyze/model_generation.rs
• wren-core/core/src/logical_plan/analyze/access_control.rs
• wren-core/core/src/mdl/mod.rs

📚 Learning: in the `collect_condition` function of the row-level access control implementation, compound identif...

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:18:21.776Z
Learning: In the `collect_condition` function of the row-level access control implementation, compound identifiers are intentionally ignored rather than causing failures when processing expressions. This is by design as confirmed by the team.

Applied to files:

• wren-core/core/src/logical_plan/analyze/model_generation.rs

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: cargo test (win64)
• GitHub Check: cargo test (macos)
• GitHub Check: cargo check
• GitHub Check: cargo test (macos-aarch64)
• GitHub Check: test
• GitHub Check: ci

🔇 Additional comments (7)

wren-core/core/src/logical_plan/analyze/plan.rs (1)

409-409: LGTM: Enhanced error reporting with rule name

The addition of &rule.name as the first parameter to validate_rule correctly implements the enhanced error messaging described in the PR objectives. This will provide more informative error messages when access control validation fails by including the specific rule name in the error output.

wren-core/core/src/logical_plan/analyze/model_generation.rs (1)

274-274: LGTM: Consistent implementation of enhanced error reporting

The addition of &rule.name as the first parameter to validate_rule is consistent with the changes in plan.rs and correctly implements the enhanced error messaging for row-level access control validation. This ensures that error messages will include the specific rule name, making debugging access control issues more straightforward.

wren-core/core/src/logical_plan/analyze/access_control.rs (5)

86-86: LGTM! Enhanced error messages with rule name.

The extraction of the rule name and its inclusion in error messages provides better context for debugging access control issues, which aligns perfectly with the PR objectives.

Also applies to: 101-108

---

147-150: LGTM! Consistent error message enhancement across all validation scenarios.

All session property validation error messages now consistently include the rule name using the same formatting pattern, providing clear context for each type of validation failure.

Also applies to: 156-159, 165-168, 178-181

---

288-288: LGTM! Correctly updated for new validate_rule signature.

The call now properly passes the CLAC rule name to maintain consistency with the enhanced error messaging pattern.

---

395-496: LGTM! Comprehensive test updates for enhanced error messages.

All test cases have been systematically updated to:

• Pass the rule name parameter to validate_rule calls
• Update assertion snapshots to expect rule names in error messages
• Maintain test coverage while validating the enhanced error messaging functionality

The test updates are thorough and consistent with the implementation changes.

Also applies to: 610-610, 630-630, 789-789

---

245-245: All validate_rule call sites updated with name parameter

Verified that every invocation of validate_rule now includes the rule name as its first argument:

• wren-core/core/src/logical_plan/analyze/access_control.rs: lines 288, 400–404, 411–415, 422–426, 541–553
• wren-core/core/src/logical_plan/analyze/plan.rs: line 409
• wren-core/core/src/logical_plan/analyze/model_generation.rs: line 274

No further changes required.

[douenergy]

Thanks @goldmedal