support for rel and namespace deprecation

Signed-off-by: Kartikay <[email protected]>

Author: kartikaysaxena

internal/relationships/validation.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/authzed/spicedb/internal/namespace"
+	"github.com/authzed/spicedb/internal/services/shared"
 	"github.com/authzed/spicedb/pkg/caveats"
 	caveattypes "github.com/authzed/spicedb/pkg/caveats/types"
 	"github.com/authzed/spicedb/pkg/datastore"
@@ -14,6 +15,7 @@ import (
 	"github.com/authzed/spicedb/pkg/schema"
 	"github.com/authzed/spicedb/pkg/spiceerrors"
 	"github.com/authzed/spicedb/pkg/tuple"
+	"github.com/rs/zerolog/log"
 )
 
 // ValidateRelationshipUpdates performs validation on the given relationship updates, ensuring that
@@ -188,6 +190,11 @@ func ValidateOneRelationship(
 		return NewCannotWriteToPermissionError(rel)
 	}
 
+	// Validate if the resource, relation or subject is deprecated
+	if err := checkForDeprecatedRelationsAndObjects(rel, namespaceMap); err != nil {
+		return err
+	}
+
 	// Validate the subject against the allowed relation(s).
 	var caveat *core.AllowedCaveat
 	if rel.OptionalCaveat != nil {
@@ -277,3 +284,53 @@ func hasNonEmptyCaveatContext(relationship tuple.Relationship) bool {
 		relationship.OptionalCaveat.Context != nil &&
 		len(relationship.OptionalCaveat.Context.GetFields()) > 0
 }
+
+func checkForDeprecatedRelationsAndObjects(rel tuple.Relationship, nsMap map[string]*schema.Definition) error {
+	// Validate if the resource relation is deprecated
+	resource := nsMap[rel.Resource.ObjectType]
+	relDef, ok := resource.GetRelation(rel.Resource.Relation)
+	if relDef.Deprecation != nil && relDef.Deprecation.DeprecationType != core.DeprecationType_DEPRECATED_TYPE_UNSPECIFIED && ok {
+		switch relDef.Deprecation.DeprecationType {
+		case core.DeprecationType_DEPRECATED_TYPE_WARNING:
+			log.Warn().
+				Str("namespace", rel.Resource.ObjectType).
+				Str("relation", rel.Resource.Relation).
+				Str("comments", relDef.Deprecation.Comments).
+				Msg("write to deprecated relation")
+		case core.DeprecationType_DEPRECATED_TYPE_ERROR:
+			return shared.NewDeprecationError(rel.Resource.ObjectType, rel.Resource.Relation, relDef.Deprecation.Comments)
+		}
+	}
+
+	// Validate if the resource namespace is deprecated
+	resourceNS := resource.Namespace()
+	if resourceNS.Deprecation != nil && resourceNS.Deprecation.DeprecationType != core.DeprecationType_DEPRECATED_TYPE_UNSPECIFIED {
+		switch resourceNS.Deprecation.DeprecationType {
+		case core.DeprecationType_DEPRECATED_TYPE_WARNING:
+			log.Warn().
+				Str("namespace", rel.Resource.ObjectType).
+				Str("comments", resourceNS.Deprecation.Comments).
+				Msg("write to deprecated object")
+		case core.DeprecationType_DEPRECATED_TYPE_ERROR:
+			return shared.NewDeprecationError(rel.Resource.ObjectType, "", resourceNS.Deprecation.Comments)
+		}
+	}
+
+	// Validate if the subject namespace is deprecated
+	subject := nsMap[rel.Subject.ObjectType]
+	subjectNS := subject.Namespace()
+	if subjectNS.Deprecation != nil &&
+		subjectNS.Deprecation.DeprecationType != core.DeprecationType_DEPRECATED_TYPE_UNSPECIFIED {
+		switch subjectNS.Deprecation.DeprecationType {
+		case core.DeprecationType_DEPRECATED_TYPE_WARNING:
+			log.Warn().
+				Str("namespace", rel.Subject.ObjectType).
+				Str("comments", subjectNS.Deprecation.Comments).
+				Msg("write to deprecated object")
+		case core.DeprecationType_DEPRECATED_TYPE_ERROR:
+			return shared.NewDeprecationError(rel.Subject.ObjectType, "", subjectNS.Deprecation.Comments)
+		}
+	}
+
+	return nil
+}

internal/relationships/validation_test.go

@@ -306,6 +306,21 @@ func TestValidateRelationshipOperations(t *testing.T) {
 			core.RelationTupleUpdate_CREATE,
 			"subjects of type `user with somecaveat and expiration` are not allowed on relation `resource#viewer`",
 		},
+		{
+			"deprecation namespace test",
+			`use deprecation
+			definition testuser {}
+			definition user {}
+
+			definition document {
+				@deprecated(error,"deprecated, migrate away")
+				relation editor: testuser
+				relation viewer: user
+			}`,
+			"document:foo#editor@testuser:tom",
+			core.RelationTupleUpdate_CREATE,
+			"the relation document#editor is deprecated: deprecated, migrate away",
+		},
 	}
 
 	for _, tc := range tcs {

internal/services/server.go

@@ -73,6 +73,7 @@ func RegisterGrpcServices(
 			CaveatTypeSet:                    permSysConfig.CaveatTypeSet,
 			AdditiveOnly:                     schemaServiceOption == V1SchemaServiceAdditiveOnly,
 			ExpiringRelsEnabled:              permSysConfig.ExpiringRelationshipsEnabled,
+			FeatureDeprecationEnabled:        permSysConfig.DeprecatedRelationshipsAndObjectsEnabled,
 			PerformanceInsightMetricsEnabled: permSysConfig.PerformanceInsightMetricsEnabled,
 		}
 		v1.RegisterSchemaServiceServer(srv, v1svc.NewSchemaServer(schemaConfig))

internal/services/shared/errors.go

@@ -47,6 +47,43 @@ func NewSchemaWriteDataValidationError(message string, args ...any) SchemaWriteD
 	}
 }
 
+// DeprecationError is an error returned when a schema object or relation is deprecated.
+type DeprecationError struct {
+	error
+}
+
+func (err DeprecationError) GRPCStatus() *status.Status {
+	return spiceerrors.WithCodeAndDetails(
+		err,
+		codes.Aborted,
+		spiceerrors.ForReason(
+			v1.ErrorReason_ERROR_REASON_SCHEMA_TYPE_ERROR,
+			map[string]string{},
+		),
+	)
+}
+
+func NewDeprecationError(namespace, relation, comments string) DeprecationError {
+	switch {
+	case relation == "" && comments != "":
+		return DeprecationError{
+			error: fmt.Errorf("the object type %s is deprecated: %s", namespace, comments),
+		}
+	case relation == "":
+		return DeprecationError{
+			error: fmt.Errorf("the object type %s has been marked as deprecated", namespace),
+		}
+	case comments != "":
+		return DeprecationError{
+			error: fmt.Errorf("the relation %s#%s is deprecated: %s", namespace, relation, comments),
+		}
+	default:
+		return DeprecationError{
+			error: fmt.Errorf("the relation %s#%s has been marked as deprecated", namespace, relation),
+		}
+	}
+}
+
 // SchemaWriteDataValidationError occurs when a schema cannot be applied due to leaving data unreferenced.
 type SchemaWriteDataValidationError struct {
 	error

internal/services/v1/relationships.go

@@ -103,6 +103,9 @@ type PermissionsServerConfig struct {
 	// ExpiringRelationshipsEnabled defines whether or not expiring relationships are enabled.
 	ExpiringRelationshipsEnabled bool
 
+	// DeprecatedRelationshipsEnabled defines whether or not deprecated relationships are enabled.
+	DeprecatedRelationshipsAndObjectsEnabled bool
+
 	// CaveatTypeSet is the set of caveat types to use for caveats. If not specified,
 	// the default type set is used.
 	CaveatTypeSet *caveattypes.TypeSet
@@ -117,22 +120,23 @@ func NewPermissionsServer(
 	config PermissionsServerConfig,
 ) v1.PermissionsServiceServer {
 	configWithDefaults := PermissionsServerConfig{
-		MaxPreconditionsCount:            defaultIfZero(config.MaxPreconditionsCount, 1000),
-		MaxUpdatesPerWrite:               defaultIfZero(config.MaxUpdatesPerWrite, 1000),
-		MaximumAPIDepth:                  defaultIfZero(config.MaximumAPIDepth, 50),
-		StreamingAPITimeout:              defaultIfZero(config.StreamingAPITimeout, 30*time.Second),
-		MaxCaveatContextSize:             defaultIfZero(config.MaxCaveatContextSize, 4096),
-		MaxRelationshipContextSize:       defaultIfZero(config.MaxRelationshipContextSize, 25_000),
-		MaxDatastoreReadPageSize:         defaultIfZero(config.MaxDatastoreReadPageSize, 1_000),
-		MaxReadRelationshipsLimit:        defaultIfZero(config.MaxReadRelationshipsLimit, 1_000),
-		MaxDeleteRelationshipsLimit:      defaultIfZero(config.MaxDeleteRelationshipsLimit, 1_000),
-		MaxLookupResourcesLimit:          defaultIfZero(config.MaxLookupResourcesLimit, 1_000),
-		MaxBulkExportRelationshipsLimit:  defaultIfZero(config.MaxBulkExportRelationshipsLimit, 100_000),
-		DispatchChunkSize:                defaultIfZero(config.DispatchChunkSize, 100),
-		MaxCheckBulkConcurrency:          defaultIfZero(config.MaxCheckBulkConcurrency, 50),
-		CaveatTypeSet:                    caveattypes.TypeSetOrDefault(config.CaveatTypeSet),
-		ExpiringRelationshipsEnabled:     config.ExpiringRelationshipsEnabled,
-		PerformanceInsightMetricsEnabled: config.PerformanceInsightMetricsEnabled,
+		MaxPreconditionsCount:                    defaultIfZero(config.MaxPreconditionsCount, 1000),
+		MaxUpdatesPerWrite:                       defaultIfZero(config.MaxUpdatesPerWrite, 1000),
+		MaximumAPIDepth:                          defaultIfZero(config.MaximumAPIDepth, 50),
+		StreamingAPITimeout:                      defaultIfZero(config.StreamingAPITimeout, 30*time.Second),
+		MaxCaveatContextSize:                     defaultIfZero(config.MaxCaveatContextSize, 4096),
+		MaxRelationshipContextSize:               defaultIfZero(config.MaxRelationshipContextSize, 25_000),
+		MaxDatastoreReadPageSize:                 defaultIfZero(config.MaxDatastoreReadPageSize, 1_000),
+		MaxReadRelationshipsLimit:                defaultIfZero(config.MaxReadRelationshipsLimit, 1_000),
+		MaxDeleteRelationshipsLimit:              defaultIfZero(config.MaxDeleteRelationshipsLimit, 1_000),
+		MaxLookupResourcesLimit:                  defaultIfZero(config.MaxLookupResourcesLimit, 1_000),
+		MaxBulkExportRelationshipsLimit:          defaultIfZero(config.MaxBulkExportRelationshipsLimit, 100_000),
+		DispatchChunkSize:                        defaultIfZero(config.DispatchChunkSize, 100),
+		MaxCheckBulkConcurrency:                  defaultIfZero(config.MaxCheckBulkConcurrency, 50),
+		CaveatTypeSet:                            caveattypes.TypeSetOrDefault(config.CaveatTypeSet),
+		ExpiringRelationshipsEnabled:             config.ExpiringRelationshipsEnabled,
+		DeprecatedRelationshipsAndObjectsEnabled: config.DeprecatedRelationshipsAndObjectsEnabled,
+		PerformanceInsightMetricsEnabled:         config.PerformanceInsightMetricsEnabled,
 	}
 
 	return &permissionServer{
@@ -324,6 +328,7 @@ func (ps *permissionServer) WriteRelationships(ctx context.Context, req *v1.Writ
 	updateRelationshipSet := mapz.NewSet[string]()
 	for _, update := range req.Updates {
 		// TODO(jschorr): Change to struct-based keys.
+
 		tupleStr := tuple.V1StringRelationshipWithoutCaveatOrExpiration(update.Relationship)
 		if !updateRelationshipSet.Add(tupleStr) {
 			return nil, ps.rewriteError(

internal/services/v1/schema.go

@@ -43,6 +43,9 @@ type SchemaServerConfig struct {
 
 	// PerformanceInsightMetricsEnabled indicates whether performance insight metrics are enabled.
 	PerformanceInsightMetricsEnabled bool
+
+	// DeprecatedRelsEnabled indicates whether deprecated relations are enabled.
+	FeatureDeprecationEnabled bool
 }
 
 // NewSchemaServer creates a SchemaServiceServer instance.
@@ -61,19 +64,21 @@ func NewSchemaServer(config SchemaServerConfig) v1.SchemaServiceServer {
 				perfinsights.StreamServerInterceptor(config.PerformanceInsightMetricsEnabled),
 			),
 		},
-		additiveOnly:        config.AdditiveOnly,
-		expiringRelsEnabled: config.ExpiringRelsEnabled,
-		caveatTypeSet:       cts,
+		additiveOnly:              config.AdditiveOnly,
+		expiringRelsEnabled:       config.ExpiringRelsEnabled,
+		featureDeprecationEnabled: config.FeatureDeprecationEnabled,
+		caveatTypeSet:             cts,
 	}
 }
 
 type schemaServer struct {
 	v1.UnimplementedSchemaServiceServer
 	shared.WithServiceSpecificInterceptors
 
-	caveatTypeSet       *caveattypes.TypeSet
-	additiveOnly        bool
-	expiringRelsEnabled bool
+	caveatTypeSet             *caveattypes.TypeSet
+	additiveOnly              bool
+	expiringRelsEnabled       bool
+	featureDeprecationEnabled bool
 }
 
 func (ss *schemaServer) rewriteError(ctx context.Context, err error) error {
@@ -147,6 +152,9 @@ func (ss *schemaServer) WriteSchema(ctx context.Context, in *v1.WriteSchemaReque
 	if !ss.expiringRelsEnabled {
 		opts = append(opts, compiler.DisallowExpirationFlag())
 	}
+	if !ss.featureDeprecationEnabled {
+		opts = append(opts, compiler.DisallowDeprecationFlag())
+	}
 
 	opts = append(opts, compiler.CaveatTypeSet(ss.caveatTypeSet))
 

internal/services/v1/schema_test.go

@@ -1642,3 +1642,71 @@ func TestComputablePermissions(t *testing.T) {
 		})
 	}
 }
+
+func TestSchemaChangeRelationDeprecation(t *testing.T) {
+	conn, cleanup, _, _ := testserver.NewTestServer(require.New(t), 0, memdb.DisableGC, true, tf.EmptyDatastore)
+	t.Cleanup(cleanup)
+	client := v1.NewSchemaServiceClient(conn)
+	v1client := v1.NewPermissionsServiceClient(conn)
+
+	// Write a basic schema with deprecations.
+	originalSchema := `
+		use deprecation
+		
+		definition user {}
+
+		@deprecated(error, "super deprecated")
+		definition testuser {}
+
+		definition document {
+			relation somerelation: user
+
+			@deprecated(warn)
+			relation otherelation: testuser
+		}
+		`
+	_, err := client.WriteSchema(t.Context(), &v1.WriteSchemaRequest{
+		Schema: originalSchema,
+	})
+	require.NoError(t, err)
+
+	// Write the relationship referencing the relation.
+	toWrite := tuple.MustParse("document:somedoc#somerelation@user:tom")
+	_, err = v1client.WriteRelationships(t.Context(), &v1.WriteRelationshipsRequest{
+		Updates: []*v1.RelationshipUpdate{tuple.MustUpdateToV1RelationshipUpdate(tuple.Create(
+			toWrite,
+		))},
+	})
+	require.Nil(t, err)
+
+	// Attempt to write to a deprecated object which should fail.
+	toWrite = tuple.MustParse("document:somedoc#otherelation@testuser:jerry")
+	_, err = v1client.WriteRelationships(t.Context(), &v1.WriteRelationshipsRequest{
+		Updates: []*v1.RelationshipUpdate{tuple.MustUpdateToV1RelationshipUpdate(tuple.Create(
+			toWrite,
+		))},
+	})
+	require.Equal(t, "rpc error: code = Aborted desc = the object type testuser is deprecated: super deprecated", err.Error())
+
+	// Change the schema to remove the deprecation type.
+	newSchema := `
+		use deprecation
+		definition user {}
+		definition testuser {}
+		definition document {
+			relation somerelation: user
+			relation otherelation: testuser
+		}`
+	_, err = client.WriteSchema(t.Context(), &v1.WriteSchemaRequest{
+		Schema: newSchema,
+	})
+	require.NoError(t, err)
+
+	// Again attempt to write to the relation, which should now succeed.
+	_, err = v1client.WriteRelationships(t.Context(), &v1.WriteRelationshipsRequest{
+		Updates: []*v1.RelationshipUpdate{tuple.MustUpdateToV1RelationshipUpdate(tuple.Create(
+			toWrite,
+		))},
+	})
+	require.NoError(t, err)
+}

internal/testserver/server.go

@@ -76,6 +76,7 @@ func NewTestServerWithConfigAndDatastore(require *require.Assertions,
 	cts := caveattypes.TypeSetOrDefault(config.CaveatTypeSet)
 	srv, err := server.NewConfigWithOptionsAndDefaults(
 		server.WithEnableExperimentalRelationshipExpiration(true),
+		server.WithEnableExperimentalRelationshipDeprecation(true),
 		server.WithDatastore(ds),
 		server.WithDispatcher(graph.NewLocalOnlyDispatcher(cts, 10, 100)),
 		server.WithDispatchMaxDepth(50),

pkg/cmd/serve.go

@@ -169,6 +169,7 @@ func RegisterServeFlags(cmd *cobra.Command, config *server.Config) error {
 	}
 
 	experimentalFlags.BoolVar(&config.EnableExperimentalRelationshipExpiration, "enable-experimental-relationship-expiration", false, "enables experimental support for relationship expiration")
+	experimentalFlags.BoolVar(&config.EnableExperimentalRelationshipDeprecation, "enable-experimental-deprecation", false, "enables experimental support for deprecating relations and objects")
 	experimentalFlags.BoolVar(&config.EnableExperimentalWatchableSchemaCache, "enable-experimental-watchable-schema-cache", false, "enables the experimental schema cache, which uses the Watch API to keep the schema up to date")
 	// TODO: these two could reasonably be put in either the Dispatch group or the Experimental group. Is there a preference?
 	experimentalFlags.StringToStringVar(&config.DispatchSecondaryUpstreamAddrs, "experimental-dispatch-secondary-upstream-addrs", nil, "secondary upstream addresses for dispatches, each with a name")