support relation deprecations

Signed-off-by: Kartikay <[email protected]>

Author: kartikaysaxena

internal/services/shared/errors.go

@@ -52,6 +52,16 @@ type SchemaWriteDataValidationError struct {
 	error
 }
 
+type DeprecationError struct {
+	error
+}
+
+func NewDeprecationError(namespace string, relation string) DeprecationError {
+	return DeprecationError{
+		error: fmt.Errorf("relation %s#%s is deprecated", namespace, relation),
+	}
+}
+
 // MarshalZerologObject implements zerolog object marshalling.
 func (err SchemaWriteDataValidationError) MarshalZerologObject(e *zerolog.Event) {
 	e.Err(err.error)
@@ -201,6 +211,9 @@ func rewriteError(ctx context.Context, err error, config *ConfigForErrors) error
 		}
 
 		return status.Errorf(codes.Canceled, "%s", err)
+	case errors.As(err, &DeprecationError{}):
+		log.Ctx(ctx).Err(err).Msg("using deprecated relation")
+		return status.Errorf(codes.Aborted, "%s", err)
 	default:
 		log.Ctx(ctx).Err(err).Msg("received unexpected error")
 		return err

internal/services/v1/relationships.go

@@ -16,6 +16,7 @@ import (
 	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
 
 	"github.com/authzed/spicedb/internal/dispatch"
+	log "github.com/authzed/spicedb/internal/logging"
 	"github.com/authzed/spicedb/internal/middleware"
 	datastoremw "github.com/authzed/spicedb/internal/middleware/datastore"
 	"github.com/authzed/spicedb/internal/middleware/handwrittenvalidation"
@@ -34,6 +35,7 @@ import (
 	"github.com/authzed/spicedb/pkg/genutil"
 	"github.com/authzed/spicedb/pkg/genutil/mapz"
 	"github.com/authzed/spicedb/pkg/middleware/consistency"
+	corev1 "github.com/authzed/spicedb/pkg/proto/core/v1"
 	dispatchv1 "github.com/authzed/spicedb/pkg/proto/dispatch/v1"
 	"github.com/authzed/spicedb/pkg/tuple"
 	"github.com/authzed/spicedb/pkg/zedtoken"
@@ -324,6 +326,10 @@ func (ps *permissionServer) WriteRelationships(ctx context.Context, req *v1.Writ
 	updateRelationshipSet := mapz.NewSet[string]()
 	for _, update := range req.Updates {
 		// TODO(jschorr): Change to struct-based keys.
+		if err := checkForDeprecatedRelationships(ctx, update, ds); err != nil {
+			return nil, ps.rewriteError(ctx, err)
+		}
+
 		tupleStr := tuple.V1StringRelationshipWithoutCaveatOrExpiration(update.Relationship)
 		if !updateRelationshipSet.Add(tupleStr) {
 			return nil, ps.rewriteError(
@@ -620,3 +626,29 @@ func labelsForFilter(filter *v1.RelationshipFilter) perfinsights.APIShapeLabels
 		perfinsights.SubjectRelationLabel:  filter.OptionalSubjectFilter.OptionalRelation.Relation,
 	}
 }
+
+func checkForDeprecatedRelationships(ctx context.Context, update *v1.RelationshipUpdate, ds datastore.Datastore) error {
+	resource := update.Relationship.Resource
+	headRevision, err := ds.HeadRevision(ctx)
+	if err != nil {
+		return err
+	}
+	reader := ds.SnapshotReader(headRevision)
+	_, relDef, err := namespace.ReadNamespaceAndRelation(ctx, resource.ObjectType, update.Relationship.Relation, reader)
+	if err != nil {
+		return err
+	}
+
+	switch relDef.DeprecationType {
+	case corev1.DeprecationType_DEPRECATED_TYPE_WARNING:
+		log.Warn().
+			Str("namespace", update.Relationship.Resource.ObjectType).
+			Str("relation", update.Relationship.Relation).
+			Msg("write to deprecated relation")
+
+	case corev1.DeprecationType_DEPRECATED_TYPE_ERROR:
+		return shared.NewDeprecationError(update.Relationship.Resource.ObjectType, update.Relationship.Relation)
+	}
+
+	return nil
+}

internal/services/v1/schema_test.go

@@ -1642,3 +1642,75 @@ func TestComputablePermissions(t *testing.T) {
 		})
 	}
 }
+
+func TestSchemaChangeRelationDeprecation(t *testing.T) {
+	conn, cleanup, _, _ := testserver.NewTestServer(require.New(t), 0, memdb.DisableGC, true, tf.EmptyDatastore)
+	t.Cleanup(cleanup)
+	client := v1.NewSchemaServiceClient(conn)
+	v1client := v1.NewPermissionsServiceClient(conn)
+
+	// Write a basic schema with deprecation type warning.
+	originalSchema := `
+		definition user {}
+
+		definition document {
+			@deprecated(warn)
+			relation somerelation: user
+		}`
+	_, err := client.WriteSchema(t.Context(), &v1.WriteSchemaRequest{
+		Schema: originalSchema,
+	})
+	require.NoError(t, err)
+
+	// Write the relationship referencing the relation.
+	toWrite := tuple.MustParse("document:somedoc#somerelation@user:tom")
+	_, err = v1client.WriteRelationships(t.Context(), &v1.WriteRelationshipsRequest{
+		Updates: []*v1.RelationshipUpdate{tuple.MustUpdateToV1RelationshipUpdate(tuple.Create(
+			toWrite,
+		))},
+	})
+	require.Nil(t, err)
+
+	deprecatedErrSchema := `
+		definition user {}
+
+		definition document {
+			@deprecated(error)
+			relation somerelation: user
+		}`
+
+	// Enforce deprecation over the relation in the new schema.
+	_, err = client.WriteSchema(t.Context(), &v1.WriteSchemaRequest{
+		Schema: deprecatedErrSchema,
+	})
+	require.NoError(t, err)
+
+	// Attempt to write to a deprecated relation which should fail.
+	toWrite = tuple.MustParse("document:somedoc#somerelation@user:jerry")
+	_, err = v1client.WriteRelationships(t.Context(), &v1.WriteRelationshipsRequest{
+		Updates: []*v1.RelationshipUpdate{tuple.MustUpdateToV1RelationshipUpdate(tuple.Create(
+			toWrite,
+		))},
+	})
+	require.Equal(t, "rpc error: code = Aborted desc = relation document#somerelation is deprecated", err.Error())
+
+	// Change the schema to remove the deprecation type.
+	newSchema := `
+		definition user {}
+
+		definition document {
+			relation somerelation: user
+		}`
+	_, err = client.WriteSchema(t.Context(), &v1.WriteSchemaRequest{
+		Schema: newSchema,
+	})
+	require.NoError(t, err)
+
+	// Again attempt to write to the relation, which should now succeed.
+	_, err = v1client.WriteRelationships(t.Context(), &v1.WriteRelationshipsRequest{
+		Updates: []*v1.RelationshipUpdate{tuple.MustUpdateToV1RelationshipUpdate(tuple.Create(
+			toWrite,
+		))},
+	})
+	require.NoError(t, err)
+}

pkg/diff/namespace/diff.go

@@ -60,6 +60,9 @@ const (
 
 	// ChangedRelationComment indicates that the comment of the relation has changed in some way.
 	ChangedRelationComment DeltaType = "changed-relation-comment"
+
+	// ChangedDeprecation indicates that the deprecation status of the relation has changed.
+	ChangedDeprecation DeltaType = "changed-deprecation"
 )
 
 // Diff holds the diff between two namespaces.
@@ -240,6 +243,14 @@ func DiffNamespaces(existing *core.NamespaceDefinition, updated *core.NamespaceD
 			})
 		}
 
+		// Compare deprecation status
+		if existingRel.DeprecationType != updatedRel.DeprecationType {
+			deltas = append(deltas, Delta{
+				Type:         ChangedDeprecation,
+				RelationName: shared,
+			})
+		}
+
 		// Compare comments.
 		existingComments := nspkg.GetComments(existingRel.Metadata)
 		updatedComments := nspkg.GetComments(updatedRel.Metadata)

pkg/diff/namespace/diff_test.go

@@ -571,6 +571,34 @@ func TestNamespaceDiff(t *testing.T) {
 			),
 			[]Delta{},
 		},
+		{
+			"deprecate relation with an error type",
+			ns.Namespace(
+				"document",
+				ns.MustRelation("somerel", nil, ns.AllowedDeprecatedRelation("foo", "bar", core.DeprecationType_DEPRECATED_TYPE_UNSPECIFIED)),
+			),
+			ns.Namespace(
+				"document",
+				ns.MustRelation("somerel", nil, ns.AllowedDeprecatedRelation("foo", "bar", core.DeprecationType_DEPRECATED_TYPE_ERROR)),
+			),
+			[]Delta{
+				{Type: ChangedDeprecation, RelationName: "somerel"},
+			},
+		},
+		{
+			"remove deprecation",
+			ns.Namespace(
+				"document",
+				ns.MustRelation("somerel", nil, ns.AllowedDeprecatedRelation("foo", "bar", core.DeprecationType_DEPRECATED_TYPE_ERROR)),
+			),
+			ns.Namespace(
+				"document",
+				ns.MustRelation("somerel", nil, ns.AllowedRelation("foo", "bar")),
+			),
+			[]Delta{
+				{Type: ChangedDeprecation, RelationName: "somerel"},
+			},
+		},
 	}
 
 	for _, tc := range testCases {

pkg/namespace/builder.go

@@ -46,6 +46,10 @@ func Relation(name string, rewrite *core.UsersetRewrite, allowedDirectRelations
 		TypeInformation: typeInfo,
 	}
 
+	if err := setRelationDeprecationType(rel, allowedDirectRelations...); err != nil {
+		return nil, spiceerrors.MustBugf("failed to set deprecation type: %s", err.Error())
+	}
+
 	switch {
 	case rewrite != nil && len(allowedDirectRelations) == 0:
 		if err := SetRelationKind(rel, iv1.RelationMetadata_PERMISSION); err != nil {
@@ -94,6 +98,17 @@ func AllowedRelationWithCaveat(namespaceName string, relationName string, withCa
 	}
 }
 
+// AllowedDeprecatedRelation creates a relation reference to an allowed relation that is deprecated.
+func AllowedDeprecatedRelation(namespaceName string, relationName string, deprecationType core.DeprecationType) *core.AllowedRelation {
+	return &core.AllowedRelation{
+		Namespace: namespaceName,
+		RelationOrWildcard: &core.AllowedRelation_Relation{
+			Relation: relationName,
+		},
+		DeprecationType: deprecationType,
+	}
+}
+
 // WithExpiration adds the expiration trait to the allowed relation.
 func WithExpiration(allowedRelation *core.AllowedRelation) *core.AllowedRelation {
 	return &core.AllowedRelation{
@@ -243,6 +258,18 @@ func setOperation(firstChild *core.SetOperation_Child, rest []*core.SetOperation
 	}
 }
 
+// setRelationDeprecationType sets the deprecation type of a relation based on all of the deprecations of allowed direct relations.
+func setRelationDeprecationType(relation *core.Relation, allowedDirectRelations ...*core.AllowedRelation) error {
+	if len(allowedDirectRelations) > 0 {
+		for _, allowedRelation := range allowedDirectRelations {
+			if allowedRelation.DeprecationType != core.DeprecationType_DEPRECATED_TYPE_UNSPECIFIED {
+				relation.DeprecationType = allowedRelation.DeprecationType
+			}
+		}
+	}
+	return nil
+}
+
 // Nil creates a child for a set operation that references the empty set.
 func Nil() *core.SetOperation_Child {
 	return &core.SetOperation_Child{