Add ALTER AUTHORIZATION statement and AS clause support

- Add AlterAuthorizationStatement AST type and parser
- Add AS clause support to DenyStatement
- Add FULLTEXT STOPLIST object kind support
- Enable SecurityStatement90Tests and Baselines90_SecurityStatement90Tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: kyleconroy

ast/alter_authorization_statement.go

@@ -0,0 +1,11 @@
+package ast
+
+// AlterAuthorizationStatement represents an ALTER AUTHORIZATION statement
+type AlterAuthorizationStatement struct {
+	SecurityTargetObject *SecurityTargetObject
+	ToSchemaOwner        bool
+	PrincipalName        *Identifier
+}
+
+func (s *AlterAuthorizationStatement) node()      {}
+func (s *AlterAuthorizationStatement) statement() {}

ast/deny_statement.go

@@ -6,6 +6,7 @@ type DenyStatement struct {
 	Principals           []*SecurityPrincipal
 	CascadeOption        bool
 	SecurityTargetObject *SecurityTargetObject
+	AsClause             *Identifier
 }
 
 func (s *DenyStatement) node()      {}

parser/marshal.go

@@ -605,6 +605,8 @@ func statementToJSON(stmt ast.Statement) jsonNode {
 		return alterEndpointStatementToJSON(s)
 	case *ast.AlterEventSessionStatement:
 		return alterEventSessionStatementToJSON(s)
+	case *ast.AlterAuthorizationStatement:
+		return alterAuthorizationStatementToJSON(s)
 	case *ast.AlterServiceStatement:
 		return alterServiceStatementToJSON(s)
 	case *ast.AlterCertificateStatement:
@@ -7879,8 +7881,13 @@ func (p *Parser) parseGrantStatement() (*ast.GrantStatement, error) {
 			p.nextToken() // consume FULLTEXT
 			if strings.ToUpper(p.curTok.Literal) == "CATALOG" {
 				p.nextToken() // consume CATALOG
+				stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
+			} else if strings.ToUpper(p.curTok.Literal) == "STOPLIST" {
+				p.nextToken() // consume STOPLIST
+				stmt.SecurityTargetObject.ObjectKind = "FullTextStopList"
+			} else {
+				stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
 			}
-			stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
 		case "MESSAGE":
 			p.nextToken() // consume MESSAGE
 			if strings.ToUpper(p.curTok.Literal) == "TYPE" {
@@ -8170,8 +8177,13 @@ func (p *Parser) parseRevokeStatement() (*ast.RevokeStatement, error) {
 			p.nextToken()
 			if strings.ToUpper(p.curTok.Literal) == "CATALOG" {
 				p.nextToken()
+				stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
+			} else if strings.ToUpper(p.curTok.Literal) == "STOPLIST" {
+				p.nextToken()
+				stmt.SecurityTargetObject.ObjectKind = "FullTextStopList"
+			} else {
+				stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
 			}
-			stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
 		case "MESSAGE":
 			p.nextToken()
 			if strings.ToUpper(p.curTok.Literal) == "TYPE" {
@@ -8442,8 +8454,13 @@ func (p *Parser) parseDenyStatement() (*ast.DenyStatement, error) {
 			p.nextToken()
 			if strings.ToUpper(p.curTok.Literal) == "CATALOG" {
 				p.nextToken()
+				stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
+			} else if strings.ToUpper(p.curTok.Literal) == "STOPLIST" {
+				p.nextToken()
+				stmt.SecurityTargetObject.ObjectKind = "FullTextStopList"
+			} else {
+				stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
 			}
-			stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
 		case "MESSAGE":
 			p.nextToken()
 			if strings.ToUpper(p.curTok.Literal) == "TYPE" {
@@ -8570,7 +8587,7 @@ func (p *Parser) parseDenyStatement() (*ast.DenyStatement, error) {
 	}
 
 	// Parse principal(s)
-	for p.curTok.Type != TokenEOF && p.curTok.Type != TokenSemicolon && strings.ToUpper(p.curTok.Literal) != "CASCADE" {
+	for p.curTok.Type != TokenEOF && p.curTok.Type != TokenSemicolon && strings.ToUpper(p.curTok.Literal) != "CASCADE" && strings.ToUpper(p.curTok.Literal) != "AS" {
 		principal := &ast.SecurityPrincipal{}
 		if p.curTok.Type == TokenPublic {
 			principal.PrincipalType = "Public"
@@ -8599,6 +8616,12 @@ func (p *Parser) parseDenyStatement() (*ast.DenyStatement, error) {
 		p.nextToken()
 	}
 
+	// Check for AS clause
+	if strings.ToUpper(p.curTok.Literal) == "AS" {
+		p.nextToken() // consume AS
+		stmt.AsClause = p.parseIdentifier()
+	}
+
 	// Skip optional semicolon
 	if p.curTok.Type == TokenSemicolon {
 		p.nextToken()
@@ -9302,6 +9325,9 @@ func denyStatementToJSON(s *ast.DenyStatement) jsonNode {
 		}
 		node["Principals"] = principals
 	}
+	if s.AsClause != nil {
+		node["AsClause"] = identifierToJSON(s.AsClause)
+	}
 	return node
 }
 
@@ -16973,6 +16999,20 @@ func alterEventSessionStatementToJSON(s *ast.AlterEventSessionStatement) jsonNod
 	return node
 }
 
+func alterAuthorizationStatementToJSON(s *ast.AlterAuthorizationStatement) jsonNode {
+	node := jsonNode{
+		"$type":         "AlterAuthorizationStatement",
+		"ToSchemaOwner": s.ToSchemaOwner,
+	}
+	if s.SecurityTargetObject != nil {
+		node["SecurityTargetObject"] = securityTargetObjectToJSON(s.SecurityTargetObject)
+	}
+	if s.PrincipalName != nil {
+		node["PrincipalName"] = identifierToJSON(s.PrincipalName)
+	}
+	return node
+}
+
 func eventDeclarationToJSON(e *ast.EventDeclaration) jsonNode {
 	node := jsonNode{
 		"$type": "EventDeclaration",

parser/parse_ddl.go

@@ -2189,6 +2189,8 @@ func (p *Parser) parseAlterStatement() (ast.Statement, error) {
 		return p.parseAlterExternalStatement()
 	case TokenView:
 		return p.parseAlterViewStatement()
+	case TokenAuthorization:
+		return p.parseAlterAuthorizationStatement()
 	case TokenIdent:
 		// Handle keywords that are not reserved tokens
 		switch strings.ToUpper(p.curTok.Literal) {
@@ -11744,3 +11746,186 @@ done:
 	}
 	return stmt, nil
 }
+
+func (p *Parser) parseAlterAuthorizationStatement() (*ast.AlterAuthorizationStatement, error) {
+	// Consume AUTHORIZATION
+	p.nextToken()
+
+	stmt := &ast.AlterAuthorizationStatement{}
+
+	// Expect ON
+	if p.curTok.Type == TokenOn {
+		p.nextToken() // consume ON
+	}
+
+	// Parse security target object
+	stmt.SecurityTargetObject = &ast.SecurityTargetObject{}
+	stmt.SecurityTargetObject.ObjectKind = "NotSpecified"
+
+	// Parse object kind and ::
+	objectKind := strings.ToUpper(p.curTok.Literal)
+	switch objectKind {
+	case "SERVER":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "ROLE" {
+			p.nextToken()
+			stmt.SecurityTargetObject.ObjectKind = "ServerRole"
+		} else {
+			stmt.SecurityTargetObject.ObjectKind = "Server"
+		}
+	case "APPLICATION":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "ROLE" {
+			p.nextToken()
+		}
+		stmt.SecurityTargetObject.ObjectKind = "ApplicationRole"
+	case "ASYMMETRIC":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "KEY" {
+			p.nextToken()
+		}
+		stmt.SecurityTargetObject.ObjectKind = "AsymmetricKey"
+	case "SYMMETRIC":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "KEY" {
+			p.nextToken()
+		}
+		stmt.SecurityTargetObject.ObjectKind = "SymmetricKey"
+	case "REMOTE":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "SERVICE" {
+			p.nextToken()
+			if strings.ToUpper(p.curTok.Literal) == "BINDING" {
+				p.nextToken()
+			}
+		}
+		stmt.SecurityTargetObject.ObjectKind = "RemoteServiceBinding"
+	case "FULLTEXT":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "CATALOG" {
+			p.nextToken()
+		}
+		stmt.SecurityTargetObject.ObjectKind = "FullTextCatalog"
+	case "MESSAGE":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "TYPE" {
+			p.nextToken()
+		}
+		stmt.SecurityTargetObject.ObjectKind = "MessageType"
+	case "XML":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "SCHEMA" {
+			p.nextToken()
+			if strings.ToUpper(p.curTok.Literal) == "COLLECTION" {
+				p.nextToken()
+			}
+		}
+		stmt.SecurityTargetObject.ObjectKind = "XmlSchemaCollection"
+	case "SEARCH":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "PROPERTY" {
+			p.nextToken()
+			if strings.ToUpper(p.curTok.Literal) == "LIST" {
+				p.nextToken()
+			}
+		}
+		stmt.SecurityTargetObject.ObjectKind = "SearchPropertyList"
+	case "AVAILABILITY":
+		p.nextToken()
+		if strings.ToUpper(p.curTok.Literal) == "GROUP" {
+			p.nextToken()
+		}
+		stmt.SecurityTargetObject.ObjectKind = "AvailabilityGroup"
+	case "TYPE":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Type"
+	case "OBJECT":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Object"
+	case "ASSEMBLY":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Assembly"
+	case "CERTIFICATE":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Certificate"
+	case "CONTRACT":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Contract"
+	case "DATABASE":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Database"
+	case "ENDPOINT":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Endpoint"
+	case "LOGIN":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Login"
+	case "ROLE":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Role"
+	case "ROUTE":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Route"
+	case "SCHEMA":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Schema"
+	case "SERVICE":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "Service"
+	case "USER":
+		p.nextToken()
+		stmt.SecurityTargetObject.ObjectKind = "User"
+	}
+
+	// Parse :: if present
+	if p.curTok.Type == TokenColonColon {
+		p.nextToken()
+	}
+
+	// Parse object name as multi-part identifier
+	if p.curTok.Type == TokenDot || p.curTok.Type == TokenIdent || p.curTok.Type == TokenLBracket {
+		stmt.SecurityTargetObject.ObjectName = &ast.SecurityTargetObjectName{}
+		multiPart := &ast.MultiPartIdentifier{}
+		for {
+			if p.curTok.Type == TokenDot {
+				multiPart.Identifiers = append(multiPart.Identifiers, &ast.Identifier{
+					Value:     "",
+					QuoteType: "NotQuoted",
+				})
+			} else {
+				id := p.parseIdentifier()
+				multiPart.Identifiers = append(multiPart.Identifiers, id)
+			}
+			if p.curTok.Type == TokenDot {
+				p.nextToken()
+			} else {
+				break
+			}
+		}
+		multiPart.Count = len(multiPart.Identifiers)
+		stmt.SecurityTargetObject.ObjectName.MultiPartIdentifier = multiPart
+	}
+
+	// Expect TO
+	if p.curTok.Type == TokenTo {
+		p.nextToken()
+	}
+
+	// Check for SCHEMA OWNER or principal name
+	if strings.ToUpper(p.curTok.Literal) == "SCHEMA" {
+		p.nextToken() // consume SCHEMA
+		if strings.ToUpper(p.curTok.Literal) == "OWNER" {
+			p.nextToken() // consume OWNER
+		}
+		stmt.ToSchemaOwner = true
+	} else {
+		// Parse principal name
+		stmt.PrincipalName = p.parseIdentifier()
+	}
+
+	if p.curTok.Type == TokenSemicolon {
+		p.nextToken()
+	}
+
+	return stmt, nil
+}

parser/testdata/Baselines90_SecurityStatement90Tests/metadata.json

@@ -1 +1 @@
-{"todo": true}
+{}

parser/testdata/SecurityStatement90Tests/metadata.json

@@ -1 +1 @@
-{"todo": true}
+{}