feat: Add QueryResourcesCount API endpoint

Implement resource count aggregation endpoint to provide efficient
counting of resources with access control support.

Changes include:
- Add new GET /query/resources/count endpoint in Goa design
- Implement QueryResourcesCount method in service layer
- Add resource count domain model and service interfaces
- Update mock implementation to support count operations
- Fix OpenSearch aggregation field to use .keyword subfield
- Add access control integration for private resource counting

Generated with Claude Code (https://claude.ai/code)

Signed-off-by: Andres Tobon <[email protected]>

Author: andrest50

charts/lfx-v2-query-service/templates/ruleset.yaml

@@ -45,6 +45,23 @@ spec:
           config:
             values:
               aud: lfx-v2-query-service
+    - id: "rule:lfx:lfx-v2-query-service:resources-count"
+      match:
+        methods:
+          - GET
+        routes:
+          - path: /query/resources/count
+      execute:
+        - authenticator: oidc
+        - authenticator: anonymous_authenticator
+        {{- if .Values.app.use_oidc_contextualizer }}
+        - contextualizer: oidc_contextualizer
+        {{- end }}
+        - authorizer: allow_all
+        - finalizer: create_jwt
+          config:
+            values:
+              aud: lfx-v2-query-service
     - id: "rule:lfx:lfx-v2-query-service:org-search"
       match:
         methods:

cmd/service/converters.go

@@ -79,6 +79,67 @@ func (s *querySvcsrvc) domainResultToResponse(result *model.SearchResult) *query
 	return response
 }
 
+func (s *querySvcsrvc) payloadToCountPublicCriteria(payload *querysvc.QueryResourcesCountPayload) model.SearchCriteria {
+	// Parameters used for /<index>/_count search.
+	criteria := model.SearchCriteria{
+		GroupBySize: constants.DefaultBucketSize,
+		// Page size is not passed to this endpoint.
+		PageSize: -1,
+		// For _count, we only want public resources.
+		PublicOnly: true,
+	}
+
+	// Set the criteria from the payload
+	criteria.Tags = payload.Tags
+	if payload.Name != nil {
+		criteria.Name = payload.Name
+	}
+	if payload.Type != nil {
+		criteria.ResourceType = payload.Type
+	}
+	if payload.Parent != nil {
+		criteria.ParentRef = payload.Parent
+	}
+
+	return criteria
+}
+
+func (s *querySvcsrvc) payloadToCountAggregationCriteria(payload *querysvc.QueryResourcesCountPayload) model.SearchCriteria {
+	// Parameters used for the "group by" aggregated /<index>/_search search.
+	criteria := model.SearchCriteria{
+		GroupBySize: constants.DefaultBucketSize,
+		// We only want the aggregation, not the actual results.
+		PageSize: 0,
+		// The aggregation results will only count private resources.
+		PrivateOnly: true,
+		// Set the attribute to aggregate on.
+		// Use .keyword subfield for aggregation on text fields
+		GroupBy: "access_check_query.keyword",
+	}
+
+	// Set the criteria from the payload
+	criteria.Tags = payload.Tags
+	if payload.Name != nil {
+		criteria.Name = payload.Name
+	}
+	if payload.Type != nil {
+		criteria.ResourceType = payload.Type
+	}
+	if payload.Parent != nil {
+		criteria.ParentRef = payload.Parent
+	}
+
+	return criteria
+}
+
+func (s *querySvcsrvc) domainCountResultToResponse(result *model.CountResult) *querysvc.QueryResourcesCountResult {
+	return &querysvc.QueryResourcesCountResult{
+		Count:        uint64(result.Count),
+		HasMore:      result.HasMore,
+		CacheControl: result.CacheControl,
+	}
+}
+
 // payloadToOrganizationCriteria converts the generated payload to domain organization search criteria
 func (s *querySvcsrvc) payloadToOrganizationCriteria(ctx context.Context, p *querysvc.QueryOrgsPayload) model.OrganizationSearchCriteria {
 	criteria := model.OrganizationSearchCriteria{

cmd/service/service.go

@@ -18,9 +18,10 @@ import (
 
 // query-svc service implementation using clean architecture.
 type querySvcsrvc struct {
-	resourceService     service.ResourceSearcher
-	organizationService service.OrganizationSearcher
-	auth                port.Authenticator
+	resourceService      service.ResourceSearcher
+	resourceCountService service.ResourceCountSearcher
+	organizationService  service.OrganizationSearcher
+	auth                 port.Authenticator
 }
 
 // JWTAuth implements the authorization logic for service "query-svc" for the
@@ -66,6 +67,28 @@ func (s *querySvcsrvc) QueryResources(ctx context.Context, p *querysvc.QueryReso
 	return res, nil
 }
 
+// QueryResourcesCount returns an aggregate count of resources the user hase
+// access to, by implementing an aggregation over the stored OpenFGA
+// relationship.
+func (s *querySvcsrvc) QueryResourcesCount(ctx context.Context, p *querysvc.QueryResourcesCountPayload) (*querysvc.QueryResourcesCountResult, error) {
+
+	slog.DebugContext(ctx, "querySvc.query-resources",
+		"name", p.Name,
+	)
+
+	// Convert payload to domain criteria
+	countCriteria := s.payloadToCountPublicCriteria(p)
+	aggregationCriteria := s.payloadToCountAggregationCriteria(p)
+
+	// Execute search using the service layer
+	result, errQueryResources := s.resourceCountService.QueryResourcesCount(ctx, countCriteria, aggregationCriteria)
+	if errQueryResources != nil {
+		return nil, wrapError(ctx, errQueryResources)
+	}
+
+	return s.domainCountResultToResponse(result), nil
+}
+
 // Locate a single organization by name or domain.
 func (s *querySvcsrvc) QueryOrgs(ctx context.Context, p *querysvc.QueryOrgsPayload) (res *querysvc.Organization, err error) {
 
@@ -136,10 +159,12 @@ func NewQuerySvc(resourceSearcher port.ResourceSearcher,
 	auth port.Authenticator,
 ) querysvc.Service {
 	resourceService := service.NewResourceSearch(resourceSearcher, accessControlChecker)
+	resourceCountService := service.NewResourceCount(resourceSearcher, accessControlChecker)
 	organizationService := service.NewOrganizationSearch(organizationSearcher)
 	return &querySvcsrvc{
-		resourceService:     resourceService,
-		organizationService: organizationService,
-		auth:                auth,
+		resourceService:      resourceService,
+		resourceCountService: resourceCountService,
+		organizationService:  organizationService,
+		auth:                 auth,
 	}
 }

design/query-svc.go

@@ -86,6 +86,66 @@ var _ = dsl.Service("query-svc", func() {
 		})
 	})
 
+	dsl.Method("query-resources-count", func() {
+		dsl.Description("Count matching resources by query.")
+
+		dsl.Security(JWTAuth)
+
+		dsl.Payload(func() {
+			dsl.Token("bearer_token", dsl.String, func() {
+				dsl.Description("JWT token issued by Heimdall")
+				dsl.Example("eyJhbGci...")
+			})
+			dsl.Attribute("version", dsl.String, "Version of the API", func() {
+				dsl.Enum("1")
+				dsl.Example("1")
+			})
+			dsl.Attribute("name", dsl.String, "Resource name or alias; supports typeahead", func() {
+				dsl.Example("gov board")
+				dsl.MinLength(1)
+			})
+			dsl.Attribute("parent", dsl.String, "Parent (for navigation; varies by object type)", func() {
+				dsl.Example("project:123")
+			})
+			dsl.Attribute("type", dsl.String, "Resource type to search", func() {
+				dsl.Example("committee")
+			})
+			dsl.Attribute("tags", dsl.ArrayOf(dsl.String), "Tags to search (varies by object type)", func() {
+				dsl.Example([]string{"active"})
+			})
+			dsl.Required("bearer_token", "version")
+		})
+
+		dsl.Result(func() {
+			dsl.Attribute("count", dsl.UInt64, "Count of resources found", func() {
+				dsl.Example(1234)
+			})
+			dsl.Attribute("has_more", dsl.Boolean, "True if count is not guaranteed to be exhaustive: client should request a narrower query", func() {
+				dsl.Example(false)
+			})
+			dsl.Attribute("cache_control", dsl.String, "Cache control header", func() {
+				dsl.Example("public, max-age=300")
+			})
+			dsl.Required("count", "has_more")
+		})
+
+		dsl.Error("BadRequest", dsl.ErrorResult, "Bad request")
+
+		dsl.HTTP(func() {
+			dsl.GET("/query/resources/count")
+			dsl.Param("version:v")
+			dsl.Param("name")
+			dsl.Param("parent")
+			dsl.Param("type")
+			dsl.Param("tags")
+			dsl.Header("bearer_token:Authorization")
+			dsl.Response(dsl.StatusOK, func() {
+				dsl.Header("cache_control:Cache-Control")
+			})
+			dsl.Response("BadRequest", dsl.StatusBadRequest)
+		})
+	})
+
 	dsl.Method("query-orgs", func() {
 		dsl.Description("Locate a single organization by name or domain.")