feat: Extend search to support new group page (#891)

- Adds keywords to the facet results, returned in alphabetical order when read from solr
- Implement `inherited_member:…` and `direct_member:…` query part, supporting user slugs like `direct_member:@john.doe` and user ids `direct_member:123-456-uuid`. 
- while `direct_member` resolves to direct related memberships, `inherited_member` goes up the namespace hierarchy

---------

Co-authored-by: Tasko Olevski <olevski90@gmail.com>

Author: eikek

bases/renku_data_services/data_api/app.py

@@ -32,6 +32,7 @@
 from renku_data_services.repositories.blueprints import RepositoriesBP
 from renku_data_services.search.blueprints import SearchBP
 from renku_data_services.search.reprovision import SearchReprovision
+from renku_data_services.search.solr_user_query import UsernameResolve
 from renku_data_services.session.blueprints import BuildsBP, EnvironmentsBP, SessionLaunchersBP
 from renku_data_services.storage.blueprints import StorageBP, StorageSchemaBP
 from renku_data_services.users.blueprints import KCUsersBP, UserPreferencesBP, UserSecretsBP
@@ -238,6 +239,7 @@ def register_all_handlers(app: Sanic, dm: DependencyManager) -> Sanic:
         name="search2",
         url_prefix=url_prefix,
         authenticator=dm.authenticator,
+        username_resolve=UsernameResolve.db(dm.kc_user_repo),
         search_reprovision=SearchReprovision(
             search_updates_repo=dm.search_updates_repo,
             reprovisioning_repo=dm.reprovisioning_repo,

components/renku_data_services/authz/models.py

@@ -57,6 +57,10 @@ class Scope(Enum):
     ADD_LINK = "add_link"
     IS_ADMIN = "is_admin"
     NON_PUBLIC_READ = "non_public_read"
+    EXCLUSIVE_MEMBER = "exclusive_member"
+    EXCLUSIVE_EDITOR = "exclusive_editor"
+    EXCLUSIVE_OWNER = "exclusive_owner"
+    DIRECT_MEMBER = "direct_member"
 
 
 @dataclass

components/renku_data_services/authz/schemas.py

@@ -585,3 +585,93 @@ def generate_v4(public_project_ids: Iterable[str]) -> AuthzSchemaMigration:
     up=[WriteSchemaRequest(schema=_v6)],
     down=[WriteSchemaRequest(schema=_v5)],
 )
+
+_v7 = """\
+definition user {}
+
+definition group {
+    relation group_platform: platform
+    relation owner: user
+    relation editor: user
+    relation viewer: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + read_children
+    permission read_children = viewer + write
+    permission write = editor + delete
+    permission change_membership = delete
+    permission delete = owner + group_platform->is_admin
+    permission non_public_read = owner + editor + viewer - public_viewer
+    permission exclusive_owner = owner
+    permission exclusive_editor = editor
+    permission exclusive_member = viewer + editor + owner
+    permission direct_member = owner + editor + viewer
+}
+
+definition user_namespace {
+    relation user_namespace_platform: platform
+    relation owner: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + read_children
+    permission read_children = delete
+    permission write = delete
+    permission delete = owner + user_namespace_platform->is_admin
+    permission non_public_read = owner - public_viewer
+    permission exclusive_owner = owner
+    permission exclusive_member = owner
+    permission direct_member = owner
+}
+
+definition anonymous_user {}
+
+definition platform {
+    relation admin: user
+    permission is_admin = admin
+}
+
+definition project {
+    relation project_platform: platform
+    relation project_namespace: user_namespace | group
+    relation owner: user
+    relation editor: user
+    relation viewer: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + read_children
+    permission read_children = viewer + write + project_namespace->read_children
+    permission write = editor + delete + project_namespace->write
+    permission change_membership = delete
+    permission delete = owner + project_platform->is_admin + project_namespace->delete
+    permission non_public_read = owner + editor + viewer + project_namespace->read_children - public_viewer
+    permission exclusive_owner = owner + project_namespace->exclusive_owner
+    permission exclusive_editor = editor + project_namespace->exclusive_editor
+    permission exclusive_member = owner + editor + viewer + project_namespace->exclusive_member
+    permission direct_member = owner + editor + viewer
+}
+
+definition data_connector {
+    relation data_connector_platform: platform
+    relation data_connector_namespace: user_namespace | group | project
+    relation linked_to: project
+    relation owner: user
+    relation editor: user
+    relation viewer: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + viewer + write + data_connector_namespace->read_children
+    permission write = editor + delete + data_connector_namespace->write
+    permission change_membership = delete
+    permission delete = owner + data_connector_platform->is_admin + data_connector_namespace->delete
+    permission non_public_read = owner + editor + viewer + data_connector_namespace->read_children - public_viewer
+    permission exclusive_owner = owner + data_connector_namespace->exclusive_owner
+    permission exclusive_editor = editor + data_connector_namespace->exclusive_editor
+    permission exclusive_member = owner + editor + viewer + data_connector_namespace->exclusive_member
+    permission direct_member = owner + editor + viewer
+}"""
+"""This adds three permissions starting with `exclusive_` that are identifying the path of a role.
+
+They are used for reverse lookups (LookupResources) to determine which
+objects a specific user is an owner, editor or member.
+"""
+
+v7 = AuthzSchemaMigration(
+    up=[WriteSchemaRequest(schema=_v7)],
+    down=[WriteSchemaRequest(schema=_v6)],
+)

components/renku_data_services/base_models/nel.py

@@ -0,0 +1,107 @@
+"""Non empty list."""
+
+from __future__ import annotations
+
+from collections.abc import Callable, Iterable, Iterator, Sequence
+from dataclasses import dataclass
+from dataclasses import field as data_field
+from typing import Never, overload
+
+
+@dataclass
+class Nel[A](Sequence[A]):
+    """A non empty list."""
+
+    value: A
+    more_values: Sequence[A] = data_field(default_factory=list)
+
+    @classmethod
+    def of(cls, el: A, *args: A) -> Nel[A]:
+        """Constructor using varargs."""
+        return Nel(value=el, more_values=list(args))
+
+    @classmethod
+    def unsafe_from_list(cls, els: Sequence[A]) -> Nel[A]:
+        """Creates a non-empty list from a list, failing if the argument is empty."""
+        return Nel(els[0], els[1:])
+
+    @classmethod
+    def from_list(cls, els: Sequence[A]) -> Nel[A] | None:
+        """Creates a non-empty list from a list."""
+        if els == []:
+            return None
+        else:
+            return cls.unsafe_from_list(els)
+
+    def __iter__(self) -> Iterator[A]:
+        return _NelIterator(self.value, self.more_values)
+
+    @overload
+    def __getitem__(self, key: int) -> A: ...
+    @overload
+    def __getitem__(self, key: slice[int]) -> Never: ...
+
+    def __getitem__(self, key: int | slice[int]) -> A | Sequence[A]:
+        if isinstance(key, slice):
+            raise NotImplementedError("slicing non-empty lists is not supported")
+        if key == 0:
+            return self.value
+        else:
+            return self.more_values[key - 1]
+
+    def __len__(self) -> int:
+        return len(self.more_values) + 1
+
+    def append(self, other: Iterable[A]) -> Nel[A]:
+        """Append other to this list."""
+        if not other:
+            return self
+        else:
+            remain = [*self.more_values, *other]
+            return Nel(self.value, remain)
+
+    def to_list(self) -> list[A]:
+        """Convert to a list."""
+        lst = [self.value]
+        lst.extend(self.more_values)
+        return lst
+
+    def to_set(self) -> set[A]:
+        """Convert to a set."""
+        return set(self.more_values) | {self.value}
+
+    def mk_string(self, sep: str, f: Callable[[A], str] = str) -> str:
+        """Create a str from all elements mapped over f."""
+        return sep.join([f(x) for x in self])
+
+    def map[B](self, f: Callable[[A], B]) -> Nel[B]:
+        """Maps `f` over this list."""
+        head = f(self.value)
+        rest = [f(x) for x in self.more_values]
+        return Nel(head, rest)
+
+
+class _NelIterator[A](Iterator[A]):
+    """Iterator for non empty lists."""
+
+    def __init__(self, head: A, tail: Sequence[A]) -> None:
+        self._head = head
+        self._tail = tail
+        self._tail_len = len(tail)
+        self._index = 0
+
+    def __iter__(self) -> Iterator[A]:
+        return self
+
+    def __next__(self) -> A:
+        if self._index == 0:
+            self._index += 1
+            return self._head
+        else:
+            idx = self._index - 1
+            if idx < self._tail_len:
+                item = self._tail[idx]
+                self._index += 1
+                return item
+            else:
+                raise StopIteration

components/renku_data_services/migrations/versions/cfda91a3a6a6_add_exclusive_role_relations.py

@@ -0,0 +1,37 @@
+"""Add exclusive role relations
+
+Revision ID: cfda91a3a6a6
+Revises: f4ad62b7b323
+Create Date: 2025-06-13 16:06:26.421053
+
+"""
+
+from renku_data_services.app_config import logging
+from renku_data_services.authz.config import AuthzConfig
+from renku_data_services.authz.schemas import v7
+
+# revision identifiers, used by Alembic.
+revision = "cfda91a3a6a6"
+down_revision = "f4ad62b7b323"
+branch_labels = None
+depends_on = None
+
+logger = logging.getLogger(__name__)
+
+
+def upgrade() -> None:
+    config = AuthzConfig.from_env()
+    client = config.authz_client()
+    responses = v7.upgrade(client)
+    logger.info(
+        f"Finished upgrading the Authz schema to version 7 in Alembic revision {revision}, response: {responses}"
+    )
+
+
+def downgrade() -> None:
+    config = AuthzConfig.from_env()
+    client = config.authz_client()
+    responses = v7.downgrade(client)
+    logger.info(
+        f"Finished downgrading the Authz schema from version 7 in Alembic revision {revision}, response: {responses}"
+    )

components/renku_data_services/search/api.spec.yaml

@@ -137,9 +137,12 @@ components:
       type: object
       required:
         - entityType
+        - keywords
       properties:
         entityType:
           $ref: '#/components/schemas/Map_EntityType_Int'
+        keywords:
+          $ref: '#/components/schemas/Map_EntityType_Int'
     Group:
       title: Group
       examples:

components/renku_data_services/search/apispec.py

@@ -1,6 +1,6 @@
 # generated by datamodel-codegen:
 #   filename:  api.spec.yaml
-#   timestamp: 2025-05-16T14:57:02+00:00
+#   timestamp: 2025-06-12T09:56:04+00:00
 
 from __future__ import annotations
 
@@ -112,6 +112,7 @@ class SearchQuery(PaginationRequest):
 
 class FacetData(BaseAPISpec):
     entityType: MapEntityTypeInt
+    keywords: MapEntityTypeInt
 
 
 class SearchProject(BaseAPISpec):