fix: correct boolean comparisons and add keypair active check in host permission filter

Author: seedspirit

docs/manager/graphql-reference/supergraph.graphql

@@ -5608,7 +5608,7 @@ input HostPermissionFilter
   in: [VFolderHostPermission!] = null
 
   """
-  Include only vfolders on hosts where the user LACKS the listed permissions.
+  Include only vfolders on hosts where the user does NOT have all of the listed permissions (i.e., lacks at least one of them).
   """
   notIn: [VFolderHostPermission!] = null
 }

docs/manager/graphql-reference/v2-schema.graphql

@@ -3336,7 +3336,7 @@ input HostPermissionFilter {
   in: [VFolderHostPermission!] = null
 
   """
-  Include only vfolders on hosts where the user LACKS the listed permissions.
+  Include only vfolders on hosts where the user does NOT have all of the listed permissions (i.e., lacks at least one of them).
   """
   notIn: [VFolderHostPermission!] = null
 }

src/ai/backend/manager/api/gql/vfolder_v2/types/filters.py

@@ -80,7 +80,10 @@ class HostPermissionFilterGQL(PydanticInputMixin[HostPermissionFilter]):
         default=None,
     )
     not_in: list[VFolderHostPermissionGQL] | None = gql_field(
-        description="Include only vfolders on hosts where the user LACKS the listed permissions.",
+        description=(
+            "Include only vfolders on hosts where the user does NOT have all of the listed "
+            "permissions (i.e., lacks at least one of them)."
+        ),
         default=None,
     )
 

src/ai/backend/manager/models/vfolder/conditions.py

@@ -238,7 +238,7 @@ def _build_source_query(
             domain_pairs = _build_source_query(
                 DomainRow.allowed_vfolder_hosts,
                 DomainRow.__table__,
-                (DomainRow.name == requester.domain_name) & (DomainRow.is_active),
+                (DomainRow.name == requester.domain_name) & (DomainRow.is_active.is_(True)),
             )
 
             # 2. User's group hosts
@@ -251,7 +251,7 @@ def _build_source_query(
                 group_from,
                 (AssocGroupUserRow.user_id == requester.user_id)
                 & (GroupRow.domain_name == requester.domain_name)
-                & (GroupRow.is_active),
+                & (GroupRow.is_active.is_(True)),
             )
 
             # 3. Keypair resource policy hosts
@@ -262,7 +262,7 @@ def _build_source_query(
             keypair_pairs = _build_source_query(
                 KeyPairResourcePolicyRow.allowed_vfolder_hosts,
                 krp_from,
-                KeyPairRow.user == requester.user_id,
+                (KeyPairRow.user == requester.user_id) & (KeyPairRow.is_active.is_(True)),
             )
 
             # UNION ALL (host, perm) from all sources, then GROUP BY host

tests/unit/manager/repositories/vfolder/test_vfolder_host_permission_filter.py

@@ -73,6 +73,9 @@ class HostPermissionTestData:
     # VFolder owned by User C
     vf_alpha_c2_id: uuid.UUID  # host="host-c"
 
+    # VFolder on keypair resource policy host
+    vf_alpha_krp_id: uuid.UUID  # host="host-krp" (from keypair resource policy)
+
     # Shared vfolders (owned by B/C, shared to A via VFolderPermissionRow)
     vf_shared_to_a_id: uuid.UUID  # owned by B, host="host-shared", shared to A
     vf_shared_on_c_id: uuid.UUID  # owned by C, host="host-c", shared to A
@@ -175,6 +178,7 @@ async def test_data(
         vf_beta_a_id = uuid.uuid4()
         vf_alpha_c2_id = uuid.uuid4()
         vf_shared_to_a_id = uuid.uuid4()
+        vf_alpha_krp_id = uuid.uuid4()
         vf_shared_on_c_id = uuid.uuid4()
 
         async with db_with_cleanup.begin_session() as db_sess:
@@ -233,6 +237,9 @@ async def test_data(
                     max_concurrent_sftp_sessions=5,
                     max_containers_per_session=1,
                     idle_timeout=3600,
+                    allowed_vfolder_hosts={
+                        "host-krp": ["create-vfolder", "mount-in-session"],
+                    },
                 )
             )
             await db_sess.flush()
@@ -363,6 +370,7 @@ def _make_vfolder(
                 (vf_alpha_b_id, "vf-alpha-b", "host-b"),
                 (vf_alpha_c_id, "vf-alpha-c", "host-c"),
                 (vf_alpha_orphan_id, "vf-alpha-orphan", "host-nowhere"),
+                (vf_alpha_krp_id, "vf-alpha-krp", "host-krp"),
             ]:
                 db_sess.add(_make_vfolder(vid, name, host, "alpha", user_a_id))
 
@@ -413,6 +421,7 @@ def _make_vfolder(
             vf_alpha_b_id=vf_alpha_b_id,
             vf_alpha_c_id=vf_alpha_c_id,
             vf_alpha_orphan_id=vf_alpha_orphan_id,
+            vf_alpha_krp_id=vf_alpha_krp_id,
             vf_beta_shared_id=vf_beta_shared_id,
             vf_beta_x_id=vf_beta_x_id,
             vf_beta_y_id=vf_beta_y_id,
@@ -438,6 +447,7 @@ def _make_vfolder(
                         "vf_alpha_shared_id",
                         "vf_alpha_a_id",
                         "vf_alpha_b_id",
+                        "vf_alpha_krp_id",
                         "vf_shared_to_a_id",
                     },
                 ),
@@ -511,6 +521,7 @@ def _make_vfolder(
                         "vf_alpha_shared_id",
                         "vf_alpha_a_id",
                         "vf_alpha_b_id",
+                        "vf_alpha_krp_id",
                         "vf_shared_to_a_id",
                     },
                     excluded_vf_keys={"vf_shared_on_c_id"},
@@ -531,6 +542,7 @@ def _make_vfolder(
                         "vf_alpha_shared_id",
                         "vf_alpha_a_id",  # CREATE from domain + MOUNT from group (cross-source)
                         "vf_alpha_b_id",
+                        "vf_alpha_krp_id",  # both CREATE + MOUNT from keypair policy
                         "vf_shared_to_a_id",
                     },
                 ),
@@ -550,6 +562,7 @@ def _make_vfolder(
                         "vf_alpha_shared_id",
                         "vf_alpha_a_id",
                         "vf_alpha_b_id",
+                        "vf_alpha_krp_id",
                         "vf_shared_to_a_id",
                     },
                     excluded_vf_keys={
@@ -559,6 +572,23 @@ def _make_vfolder(
                 ),
                 id="cross-source-union",
             ),
+            pytest.param(
+                HostPermFilterCase(
+                    description="keypair resource policy host included in filter results",
+                    user_id_field="user_a_id",
+                    domain_name="alpha",
+                    permissions=[VFolderHostPermission.CREATE],
+                    negate=False,
+                    expected_vf_keys={
+                        "vf_alpha_shared_id",
+                        "vf_alpha_a_id",
+                        "vf_alpha_b_id",
+                        "vf_alpha_krp_id",  # from keypair resource policy
+                        "vf_shared_to_a_id",
+                    },
+                ),
+                id="keypair-source",
+            ),
         ],
     )
     async def test_host_permission_filter(
@@ -612,8 +642,8 @@ async def test_no_filter_returns_all_user_vfolders(
 
         result = await vfolder_repository.search_user_vfolders(querier, scope)
 
-        # User A owns 5 vfolders + 2 shared = 7
-        assert result.total_count == 7
+        # User A owns 6 vfolders + 2 shared = 8
+        assert result.total_count == 8
 
     # ── H-12: pagination compatibility ──
 
@@ -645,7 +675,7 @@ async def test_pagination_with_host_permission_filter(
 
         result = await vfolder_repository.search_user_vfolders(querier, scope)
 
-        assert result.total_count == 4
+        assert result.total_count == 5
         assert len(result.items) == 2
         assert result.has_next_page is True