Add permissions to schema. (#8736)

Allows creation of custom permissions within the schema:
```
Permission foo;
```

Permissions can be used in general expressions by using the `global` keyword:
```
select global foo;
```

Currently, all such expressions evaluate to `false`.

Author: dnwpark

edb/edgeql-parser/src/ast.rs

@@ -1010,6 +1010,7 @@ pub enum CreateObjectKind {
     CreateConcretePointer(CreateConcretePointer),
     CreateAlias(CreateAlias),
     CreateGlobal(CreateGlobal),
+    CreatePermission(CreatePermission),
     CreateConcreteConstraint(CreateConcreteConstraint),
     CreateConcreteIndex(CreateConcreteIndex),
     CreateAnnotationValue(CreateAnnotationValue),
@@ -1044,6 +1045,7 @@ pub enum AlterObjectKind {
     AlterObjectType(AlterObjectType),
     AlterAlias(AlterAlias),
     AlterGlobal(AlterGlobal),
+    AlterPermission(AlterPermission),
     AlterLink(AlterLink),
     AlterConcreteLink(AlterConcreteLink),
     AlterConstraint(AlterConstraint),
@@ -1084,6 +1086,7 @@ pub enum DropObjectKind {
     DropObjectType(DropObjectType),
     DropAlias(DropAlias),
     DropGlobal(DropGlobal),
+    DropPermission(DropPermission),
     DropLink(DropLink),
     DropConcreteLink(DropConcreteLink),
     DropConstraint(DropConstraint),
@@ -1426,6 +1429,18 @@ pub struct SetGlobalType {
     pub reset_value: bool,
 }
 
+#[derive(Debug, Clone)]
+#[cfg_attr(feature = "python", derive(IntoPython))]
+pub struct CreatePermission {}
+
+#[derive(Debug, Clone)]
+#[cfg_attr(feature = "python", derive(IntoPython))]
+pub struct AlterPermission {}
+
+#[derive(Debug, Clone)]
+#[cfg_attr(feature = "python", derive(IntoPython))]
+pub struct DropPermission {}
+
 #[derive(Debug, Clone)]
 #[cfg_attr(feature = "python", derive(IntoPython))]
 pub struct CreateLink {}
@@ -2017,6 +2032,7 @@ pub enum SchemaObjectClass {
     MODULE,
     OPERATOR,
     PARAMETER,
+    PERMISSION,
     PROPERTY,
     PSEUDO_TYPE,
     RANGE_TYPE,

edb/edgeql-parser/src/keywords.rs

@@ -68,6 +68,7 @@ pub const UNRESERVED_KEYWORDS: phf::Set<&str> = phf_set!(
     "overloaded",
     "owned",
     "package",
+    "permission",
     "policy",
     "populate",
     "postfix",

edb/edgeql/ast.py

@@ -1166,6 +1166,23 @@ class SetGlobalType(SetField):
     reset_value: bool = False
 
 
+class PermissionCommand(ObjectDDL):
+
+    __abstract_node__ = True
+
+
+class CreatePermission(CreateObject, PermissionCommand):
+    pass
+
+
+class AlterPermission(AlterObject, PermissionCommand):
+    pass
+
+
+class DropPermission(DropObject, PermissionCommand):
+    pass
+
+
 class LinkCommand(ObjectDDL):
 
     __abstract_node__ = True

edb/edgeql/codegen.py

@@ -2465,6 +2465,15 @@ def visit_AlterGlobal(self, node: qlast.AlterGlobal) -> None:
     def visit_DropGlobal(self, node: qlast.DropGlobal) -> None:
         self._visit_DropObject(node, 'GLOBAL')
 
+    def visit_CreatePermission(self, node: qlast.CreatePermission) -> None:
+        self._visit_CreateObject(node, 'PERMISSION')
+
+    def visit_AlterPermission(self, node: qlast.AlterPermission) -> None:
+        self._visit_AlterObject(node, 'PERMISSION')
+
+    def visit_DropPermission(self, node: qlast.DropPermission) -> None:
+        self._visit_DropObject(node, 'PERMISSION')
+
     def visit_ConfigSet(self, node: qlast.ConfigSet) -> None:
         if node.scope == qltypes.ConfigScope.GLOBAL:
             self._write_keywords('SET GLOBAL ')

edb/edgeql/compiler/expr.py

@@ -39,9 +39,12 @@
 from edb.schema import globals as s_globals
 from edb.schema import indexes as s_indexes
 from edb.schema import name as sn
+from edb.schema import objects as so
 from edb.schema import objtypes as s_objtypes
+from edb.schema import permissions as s_permissions
 from edb.schema import pseudo as s_pseudo
 from edb.schema import scalars as s_scalars
+from edb.schema import schema as s_schema
 from edb.schema import types as s_types
 from edb.schema import utils as s_utils
 from edb.schema import expr as s_expr
@@ -549,10 +552,56 @@ def compile_UnaryOp(
 def compile_GlobalExpr(
     expr: qlast.GlobalExpr, *, ctx: context.ContextLevel
 ) -> irast.Set:
-    glob = ctx.env.get_schema_object_and_track(
-        s_utils.ast_ref_to_name(expr.name), expr.name,
-        modaliases=ctx.modaliases, type=s_globals.Global)
-    assert isinstance(glob, s_globals.Global)
+    # The expr object can be either a Permission or Global.
+    # Get an Object and manually check for correct type and None.
+    expr_schema_name = s_utils.ast_ref_to_name(expr.name)
+    expr_obj = ctx.env.get_schema_object_and_track(
+        expr_schema_name,
+        expr.name,
+        default=None,
+        modaliases=ctx.modaliases,
+        type=so.Object,
+    )
+
+    # Check for None first.
+    if expr_obj is None:
+        # If no object is found, we want to raise an error with 'global' as
+        # the desired type.
+        # If we let `get_schema_object_and_track`, the error will contain
+        # 'object' instead.
+        s_schema.Schema.raise_bad_reference(
+            expr_schema_name,
+            module_aliases=ctx.modaliases,
+            span=expr.span,
+            type=s_globals.Global,
+        )
+
+    # Check for permission
+    if isinstance(expr_obj, s_permissions.Permission):
+        std_type = sn.QualName('std', 'bool')
+        ct = typegen.type_to_typeref(
+            ctx.env.get_schema_type_and_track(std_type),
+            env=ctx.env,
+        )
+        ir_expr = irast.BooleanConstant(
+            value="false", typeref=ct, span=expr.span
+        )
+        return setgen.ensure_set(ir_expr, ctx=ctx)
+
+    # Check for non-global
+    if not isinstance(expr_obj, s_globals.Global):
+        s_schema.Schema.raise_wrong_type(
+            expr_schema_name,
+            expr_obj.__class__,
+            s_globals.Global,
+            span=expr.span,
+        )
+        # Raise an error here so mypy knows that expr_obj can only be a global
+        # past this point.
+        raise AssertionError('should never happen')
+
+    # Non-permission global
+    glob = expr_obj
 
     if glob.is_computable(ctx.env.schema):
         obj_ref = s_utils.name_to_ast_ref(

edb/edgeql/declarative.py

@@ -404,6 +404,8 @@ def sdl_to_ddl(
                     ctx.objects[fq_name] = qltracer.Annotation(fq_name)
                 elif isinstance(decl_ast, qlast.CreateGlobal):
                     ctx.objects[fq_name] = qltracer.Global(fq_name)
+                elif isinstance(decl_ast, qlast.CreatePermission):
+                    ctx.objects[fq_name] = qltracer.Permission(fq_name)
                 elif isinstance(decl_ast, qlast.CreateIndex):
                     ctx.objects[fq_name] = qltracer.Index(fq_name)
                 else:
@@ -1046,6 +1048,21 @@ def trace_Global(
     _register_item(node, hard_dep_exprs=deps, ctx=ctx)
 
 
+@trace_dependencies.register
+def trace_Permission(
+    node: qlast.CreatePermission,
+    *,
+    ctx: DepTraceContext,
+) -> None:
+    deps: list[Dependency] = [
+        TypeDependency(texpr=qlast.TypeName(
+            maintype=qlast.ObjectRef(module='__std__', name='bool')
+        ))
+    ]
+
+    _register_item(node, hard_dep_exprs=deps, ctx=ctx)
+
+
 @trace_dependencies.register
 def trace_Function(
     node: qlast.CreateFunction,
@@ -1602,6 +1619,8 @@ def _get_tracer_type(
     elif isinstance(decl, (qlast.CreateLink,
                            qlast.CreateConcreteLink)):
         tracer_type = qltracer.Link
+    elif isinstance(decl, qlast.CreatePermission):
+        tracer_type = qltracer.Permission
     elif isinstance(decl, (qlast.CreateIndex,
                            qlast.CreateConcreteIndex)):
         tracer_type = qltracer.Index

edb/edgeql/parser/grammar/ddl.py

@@ -248,6 +248,18 @@ def reduce_AlterGlobalStmt(self, *_):
     def reduce_DropGlobalStmt(self, *_):
         pass
 
+    @parsing.inline(0)
+    def reduce_CreatePermissionStmt(self, *_):
+        pass
+
+    @parsing.inline(0)
+    def reduce_AlterPermissionStmt(self, *_):
+        pass
+
+    @parsing.inline(0)
+    def reduce_DropPermissionStmt(self, *_):
+        pass
+
     @parsing.inline(0)
     def reduce_DropCastStmt(self, *_):
         pass
@@ -3600,6 +3612,67 @@ def reduce_DropGlobal(self, *kids):
             name=kids[2].val
         )
 
+
+#
+# CREATE PERMISSION
+#
+commands_block(
+    'CreatePermission',
+    CreateAnnotationValueStmt,
+)
+
+
+class CreatePermissionStmt(Nonterm):
+    def reduce_CreatePermission(self, *kids):
+        """%reduce
+            CREATE PERMISSION NodeName
+            OptCreatePermissionCommandsBlock
+        """
+        _, _, name, commands = kids
+        self.val = qlast.CreatePermission(
+            name=name.val,
+            commands=commands.val,
+        )
+
+
+#
+# ALTER PERMISSION
+#
+commands_block(
+    'AlterPermission',
+    CreateAnnotationValueStmt,
+    AlterAnnotationValueStmt,
+    DropAnnotationValueStmt,
+    RenameStmt,
+    opt=False
+)
+
+
+class AlterPermissionStmt(Nonterm):
+    def reduce_AlterPermission(self, *kids):
+        r"""%reduce \
+            ALTER PERMISSION NodeName \
+            AlterPermissionCommandsBlock \
+        """
+        _, _, name, commands = kids
+        self.val = qlast.AlterPermission(
+            name=name.val,
+            commands=commands.val,
+        )
+
+
+#
+# DROP PERMISSION
+#
+class DropPermissionStmt(Nonterm):
+    def reduce_DropPermission(self, *kids):
+        r"""%reduce DROP PERMISSION NodeName"""
+        _, _, name = kids
+        self.val = qlast.DropPermission(
+            name=name.val
+        )
+
+
 #
 # MIGRATIONS
 #

edb/edgeql/parser/grammar/sdl.py

@@ -103,6 +103,10 @@ def reduce_GlobalDeclaration(self, *kids):
     def reduce_IndexDeclaration(self, *kids):
         pass
 
+    @parsing.inline(0)
+    def reduce_PermissionDeclaration(self, *kids):
+        pass
+
 
 # these statements have no {} block
 class SDLShortStatement(Nonterm):
@@ -155,6 +159,10 @@ def reduce_GlobalDeclarationShort(self, *kids):
     def reduce_IndexDeclarationShort(self, *kids):
         pass
 
+    @parsing.inline(0)
+    def reduce_PermissionDeclarationShort(self, *kids):
+        pass
+
 
 # A rule for an SDL block, either as part of `module` declaration or
 # as top-level schema used in MIGRATION DDL.
@@ -1949,3 +1957,38 @@ def reduce_CreateComputedGlobalShort(self, *kids):
             name=name.val,
             target=expr.val,
         )
+
+
+#
+# Permissions
+#
+
+
+sdl_commands_block(
+    'CreatePermission',
+    SetAnnotation,
+)
+
+
+class PermissionDeclaration(Nonterm):
+    def reduce_CreatePermission(self, *kids):
+        """%reduce
+            PERMISSION NodeName
+            CreatePermissionSDLCommandsBlock
+        """
+        _, name, commands = kids
+        self.val = qlast.CreatePermission(
+            name=name.val,
+            commands=commands.val,
+        )
+
+
+class PermissionDeclarationShort(Nonterm):
+    def reduce_CreatePermission(self, *kids):
+        """%reduce
+            PERMISSION NodeName
+        """
+        _, name = kids
+        self.val = qlast.CreatePermission(
+            name=name.val,
+        )

edb/edgeql/qltypes.py

@@ -290,6 +290,7 @@ class SchemaObjectClass(s_enum.StrEnum):
     MULTIRANGE_TYPE = 'MULTIRANGE_TYPE'
     OPERATOR = 'OPERATOR'
     PARAMETER = 'PARAMETER'
+    PERMISSION = 'PERMISSION'
     PROPERTY = 'PROPERTY'
     PSEUDO_TYPE = 'PSEUDO TYPE'
     RANGE_TYPE = 'RANGE TYPE'

edb/edgeql/tracer.py

@@ -89,6 +89,10 @@ class Global(NamedObject):
     pass
 
 
+class Permission(NamedObject):
+    pass
+
+
 class Index(NamedObject):
     pass