
wildcard_option does not affect the result of LookupSubjects

Open GennadyC opened this issue 2 months ago • 1 comments

Hello. I'm using SpiceDB v1.45.1.

It looks like SpiceDB is ignoring the wildcard_option parameter in LookupSubjects. We might be using it incorrectly.

Steps to Reproduce

  1. Upload the schema to SpiceDB:

     definition user {}

     definition document {
         relation viewer: user | user:*

         permission view = viewer
     }

  2. Append relations to SpiceDB:

     document:document_1#viewer@user:user_1,
     document:document_1#viewer@user:*

  3. Make a LookupSubjects request with the following parameters (I'm using the Python client):

     from authzed.api.v1 import LookupSubjectsRequest, ObjectReference
     from google.protobuf.json_format import MessageToDict

     # Ask for the subjects of type `user` that hold `view` on document_1,
     # requesting that wildcard subjects be excluded.
     req = LookupSubjectsRequest(
         resource=ObjectReference(
             object_type="document",
             object_id="document_1",
         ),
         permission="view",
         subject_object_type="user",
         wildcard_option=LookupSubjectsRequest.WILDCARD_OPTION_EXCLUDE_WILDCARDS,
     )

     # Runs inside a coroutine; `client` is an authzed async client created beforehand.
     async for chunk in client.LookupSubjects(req):
         print(MessageToDict(chunk))

Expected Result

It is expected that SpiceDB will exclude the wildcard from the result or change the permission.

{'subjectObjectId': 'user_1', 'permissionship': 'LOOKUP_PERMISSIONSHIP_HAS_PERMISSION'}

Actual Result

SpiceDB sets LOOKUP_PERMISSIONSHIP_HAS_PERMISSION for the wildcard relationship.

{'subjectObjectId': 'user_1', 'permissionship': 'LOOKUP_PERMISSIONSHIP_HAS_PERMISSION'}
{'subjectObjectId': '*', 'permissionship': 'LOOKUP_PERMISSIONSHIP_HAS_PERMISSION'}

GennadyC, Oct 21 '25 08:10

> It looks like SpiceDB is ignoring the wildcard_option parameter in LookupSubjects. We might be using it incorrectly.

This flag was added to support a new version of LookupSubjects that ended up getting canceled; it might still be used for the new version (if/when we get around to it), but today, it does nothing.

josephschorr, Oct 21 '25 15:10
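
Because the flag has no effect today, a caller that must not treat `*` as a user ID has to separate the wildcard row from the concrete subjects on the client side. The following is an added example, not code from the issue or from the SpiceDB project; `split_wildcard` and `SAMPLE_CHUNKS` are hypothetical names, and the input is assumed to be LookupSubjects responses converted with `MessageToDict`, in the shape quoted in the report.

```python
WILDCARD_ID = "*"  # subject ID returned for a `user:*` relationship (see the issue output)


def split_wildcard(chunks):
    """Separate concrete subjects from the wildcard row.

    Returns (subjects, wildcard_permissionship). `subjects` maps each
    concrete subject ID to its permissionship; `wildcard_permissionship`
    is None when no wildcard row was returned, otherwise the
    permissionship reported for `*`.
    """
    subjects = {}
    wildcard_permissionship = None
    for chunk in chunks:
        # The response also carries these fields nested under "subject";
        # the issue's output shows them at the top level, so accept either.
        row = chunk.get("subject") or chunk
        subject_id = row.get("subjectObjectId")
        if not subject_id:
            continue  # skip rows without a subject ID
        permissionship = row.get(
            "permissionship", "LOOKUP_PERMISSIONSHIP_UNSPECIFIED"
        )
        if subject_id == WILDCARD_ID:
            # Record "everyone has access" as a flag, never as a user ID.
            wildcard_permissionship = permissionship
        else:
            subjects[subject_id] = permissionship
    return subjects, wildcard_permissionship


# Constructed sample input, copied from the "Actual Result" in the issue.
SAMPLE_CHUNKS = [
    {"subjectObjectId": "user_1",
     "permissionship": "LOOKUP_PERMISSIONSHIP_HAS_PERMISSION"},
    {"subjectObjectId": "*",
     "permissionship": "LOOKUP_PERMISSIONSHIP_HAS_PERMISSION"},
]

if __name__ == "__main__":
    subjects, wildcard = split_wildcard(SAMPLE_CHUNKS)
    print("concrete subjects:", subjects)
    print("wildcard permissionship:", wildcard)
```

Keeping the wildcard as a separate value lets downstream code decide explicitly whether "all users" access is acceptable, instead of passing `*` along as if it were an account identifier.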