fix: apply consistency policy to ReadRelationships and supply permissions in integration tests

raz-shlomo-frontegg · raz-shlomo-frontegg · commit d73504da73fe · 2026-03-24T14:05:42.000+02:00
- RouteSpiceDBQuery.loadRelations() now sets the configured consistency policy on the
  ReadRelationshipsRequest; previously no consistency was set, causing the route
  relationship written in @BeforeAll to be invisible under FULLY_CONSISTENT tests.
- SpiceDBIntegrationTest permission check tests now pass the expected permission key
  in UserSubjectContext so the client-side short-circuit in PermissionSpiceDBQuery
  passes before hitting SpiceDB.

Fixes 3 failing integration tests on the Java 21 CI job.
diff --git a/src/main/java/com/frontegg/sdk/entitlements/internal/RouteSpiceDBQuery.java b/src/main/java/com/frontegg/sdk/entitlements/internal/RouteSpiceDBQuery.java
@@ -282,6 +282,7 @@ private List<RouteRule> loadRelations() {
         }
 
         ReadRelationshipsRequest request = ReadRelationshipsRequest.newBuilder()
+                .setConsistency(consistencySupplier.get())
                 .setRelationshipFilter(RelationshipFilter.newBuilder()
                         .setResourceType(TYPE_ROUTE)
                         .build())
diff --git a/src/test/java/com/frontegg/sdk/entitlements/integration/SpiceDBIntegrationTest.java b/src/test/java/com/frontegg/sdk/entitlements/integration/SpiceDBIntegrationTest.java
@@ -16,6 +16,8 @@
 import com.frontegg.sdk.entitlements.model.UserSubjectContext;
 
 import java.time.Instant;
+import java.util.List;
+import java.util.Map;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.MethodOrderer;
@@ -138,8 +140,9 @@ void featureCheck_nonExistentFeature_returnsDenied() {
     @Test
     @Order(10)
     void permissionCheck_singlePermission_entitled_returnsAllowed() {
+        // Supply the user's permission list so the client-side short-circuit passes.
         EntitlementsResult result = client.isEntitledTo(
-                new UserSubjectContext("user-1", "tenant-1"),
+                new UserSubjectContext("user-1", "tenant-1", List.of("reports:read"), Map.of()),
                 new PermissionRequestContext("reports:read"));
         assertTrue(result.result(), "user-1 should be entitled to 'reports:read'");
     }
@@ -148,9 +151,10 @@ void permissionCheck_singlePermission_entitled_returnsAllowed() {
     @Order(11)
     void permissionCheck_singlePermission_notLinkedToFeature_returnsAllowed() {
         // 'admin:write' has no parent feature link in SpiceDB — self-sufficient permission
-        // → SDK short-circuits to allowed without a CheckBulkPermissions call (JS SDK parity)
+        // → SDK short-circuits to allowed without a CheckBulkPermissions call (JS SDK parity).
+        // Still requires the permission to be in the user's list to pass the client-side check.
         EntitlementsResult result = client.isEntitledTo(
-                new UserSubjectContext("user-1", "tenant-1"),
+                new UserSubjectContext("user-1", "tenant-1", List.of("admin:write"), Map.of()),
                 new PermissionRequestContext("admin:write"));
         assertTrue(result.result(), "permission not linked to any feature should be self-sufficient → allowed");
     }

Original file line number	Diff line number	Diff line change
`@@ -282,6 +282,7 @@ private List<RouteRule> loadRelations() {`
`282`	`282`	`}`
`283`	`283`
`284`	`284`	`ReadRelationshipsRequest request = ReadRelationshipsRequest.newBuilder()`
	`285`	`+ .setConsistency(consistencySupplier.get())`
`285`	`286`	`.setRelationshipFilter(RelationshipFilter.newBuilder()`
`286`	`287`	`.setResourceType(TYPE_ROUTE)`
`287`	`288`	`.build())`