feat: support for rel and namespace deprecation

[kartikaysaxena]

This PR adds support for relation and namespace level deprecation in schemas.

• Relations and namespaces can now be annotated with a @deprecated(...) directive to indicate they are deprecated.
• When a relationship is written to a deprecated relation or deprecated namespace:
  • A warning or error is generated, depending on the specified deprecation level.
  • In the current implementation, writes fail when an error deprecation is configured.
• Deprecation is associated with the definition/relation decorated with the deprecation.
• A flag is to be passed to enable this feature, namely --enable-experimental-deprecation along with use directive.

Example:

use deprecation

@deprecated(warn, "comments")
definition user {}

definition resource {
  relation viewer: user | @deprecated(warn, "documents can no longer be public") user:*

  @deprecated(error, "comment goes here")
  relation admin: user
}

Note

Each relation has a object Deprecation assigned to them containing an enum DeprecationType and optional comments, if unspecified DeprecationType defaults to DEPRECATED_TYPE_UNSPECIFIED

Note

Attempted write with a DELETE operation to a deprecated relation/namespace doesn't fail

(related #2465)

[codecov]

Codecov Report

❌ Patch coverage is 86.18090% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.47%. Comparing base (d4ff660) to head (d98c374).

Files with missing lines	Patch %	Lines
pkg/schema/typesystem.go	74.60%	19 Missing and 12 partials ⚠️
pkg/schemadsl/compiler/translator.go	78.79%	8 Missing and 6 partials ⚠️
pkg/schemadsl/parser/parser.go	75.00%	6 Missing and 3 partials ⚠️
pkg/schemadsl/generator/generator.go	97.37%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2504      +/-   ##
==========================================
+ Coverage   79.46%   79.47%   +0.02%     
==========================================
  Files         456      456              
  Lines       47322    47664     +342     
==========================================
+ Hits        37600    37877     +277     
- Misses       6963     7004      +41     
- Partials     2759     2783      +24     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[josephschorr]

Add a new error reason into the API and use it here

[kartikaysaxena]

just raising that into the api repo, once that gets in, i will switch to that

[kartikaysaxena]

here: authzed/api#143

[josephschorr]

Add a TODO here

[josephschorr]

rather than reading the namespace again, let's do this check in the existing validation block, just as an additional check if enabled

[kartikaysaxena]

migrated the check to the relationship validation block to remove unnecessary lookups, also this now uses the typesystem for the read, also added a test

[josephschorr]

Can we add a method into the type system to retrieve the deprecation status of a namespace and/or relation and then use that? Its good to have it in a single place

[kartikaysaxena]

done

[josephschorr]

I think you can add deprecation to the type system and just read it from there

[ecordell]

Just thinking about the UX a bit (we don't have to solve it in this PR - just thinking ahead!) it would be nice to be able to do something like:

definition document {
  relation viewer: user

  @deprecated(warn, "documents can no longer be public")
  relation viewer: user:*
}

which would normally fail validation as a duplicated relation name

[josephschorr]

Just thinking about the UX a bit (we don't have to solve it in this PR - just thinking ahead!) it would be nice to be able to do something like:

definition document {
  relation viewer: user

  @deprecated(warn, "documents can no longer be public")
  relation viewer: user:*
}

which would normally fail validation as a duplicated relation name

Not sure... I kind of prefer:

relation viewer: user | @deprecated(warn, "documents can no longer be public") user:*

[kartikaysaxena]

Just thinking about the UX a bit (we don't have to solve it in this PR - just thinking ahead!) it would be nice to be able to do something like:

definition document {
  relation viewer: user

  @deprecated(warn, "documents can no longer be public")
  relation viewer: user:*
}

which would normally fail validation as a duplicated relation name

Not sure... I kind of prefer:

relation viewer: user | @deprecated(warn, "documents can no longer be public") user:*

this would require extending the support to the type reference, would look into that, or address do that in a follow up

[josephschorr]

Just thinking about the UX a bit (we don't have to solve it in this PR - just thinking ahead!) it would be nice to be able to do something like:

definition document {
  relation viewer: user

  @deprecated(warn, "documents can no longer be public")
  relation viewer: user:*
}

which would normally fail validation as a duplicated relation name

Not sure... I kind of prefer:

relation viewer: user | @deprecated(warn, "documents can no longer be public") user:*

this would require extending the support to the type reference, would look into that, or address do that in a follow up

Followup is fine

[kartikaysaxena]

Just thinking about the UX a bit (we don't have to solve it in this PR - just thinking ahead!) it would be nice to be able to do something like:

definition document {
  relation viewer: user

  @deprecated(warn, "documents can no longer be public")
  relation viewer: user:*
}

which would normally fail validation as a duplicated relation name

Not sure... I kind of prefer:

relation viewer: user | @deprecated(warn, "documents can no longer be public") user:*

this would require extending the support to the type reference, would look into that, or address do that in a follow up

Followup is fine

I added it just a while ago 😅, have added tests too, if anything looks sideways, would revert back to previous commit, or if any other suggestion is taken into consideration regarding the type ref approach for relation deprecation, let me know.

[kartikaysaxena]

this iterates over the allowed relation types for a relation to validate the deprecation type, it now supports relation viewer: user | @deprecated(warn, "documents can no longer be public") user:*, also added tests for it.

[kartikaysaxena]

could've used ts.GetFullRecursiveSubjectTypesForRelation() but that too would've took O(N) time and would want a *core.AllowedRelation at other steps as it gives the string types only

[josephschorr]

Yeah

[kartikaysaxena]

a little check here as we would not want an attempted write with DELETE operation to a deprecated relation or namespace to fail

[kartikaysaxena]

this now uses the typesystem with relevant functions

[josephschorr]

namespace -> resource_type

[josephschorr]

GetDeprecationForObjectType

[josephschorr]

make this "warning vs error" into a helper method and use here and the other two locations

[josephschorr]

might be worth having a method GetDeprecationForRelationship and have it return an error/warning message and what kind it is, if any

[kartikaysaxena]

but a single relationship might have multiple deprecations (a warning type deprecation at the resource or relation level, and an error type deprecation at the subject level) and it might be necessary to preserve all of them

[kartikaysaxena]

these methods would now be invoked in CheckRelationshipDeprecation, does this sound about right?

[josephschorr]

drop the the, its cleaner :) - relation ....

[josephschorr]

Add a TODO here

[josephschorr]

use the string method in the type system to describe the relation: you need to handle wildcards, expiration and caveats, and all should be done in there

[josephschorr]

add tests for deprecation of, say, a subject type without expiration but the one with expiration is still valid (and vice versa) and caveats as well

[kartikaysaxena]

added tests of these scenarios including the log and err messages, example "resource_type user with caveat somecaveat and expiration is deprecated:comments here"

[josephschorr]

Add these methods to the type system tests

[kartikaysaxena]

done

[josephschorr]

extra into a helper method

[josephschorr]

This should not be marked as required. The required above means that a caveat (or expiration) must be specified when using the type as part of a subject, which doesn't apply here

[kartikaysaxena]

renamed

[kartikaysaxena]

this method is now invoked during validation of the relationship being written, and is responsible for checking any applicable deprecations on the resource, relation, or subject

[kartikaysaxena]

this now checks whether the allowed relation reference has a caveat/expiration or both

[josephschorr]

Might be worth changing this to take in a traits map

[kartikaysaxena]

Rebased and updated

[josephschorr]

relsToCheck := make([]tuple.Relationship, 0, len(updates))

[kartikaysaxena]

yeah would improve perf, done

[josephschorr]

// CheckDeprecationsOnRelationships checks the provided relationships for any deprecations, returning an error if applicable

[josephschorr]

object type, relation, or allowed subject type

[josephschorr]

Also: can we add a test such that if an object type is deprecated, and you attempt to write with it as a subject, it also fails?

[josephschorr]

add calls to the deprecation methods in the other tests here, and make sure they all return false/nil/empty

[kartikaysaxena]

done

[josephschorr]

Might be worth changing this to take in a traits map

[josephschorr]

add a default here that returns a spiceerrors

[josephschorr]

move if slices.Contains(tctx.enabledFlags, "deprecation") && slices.Contains(tctx.allowedFlags, "deprecation") && (deprecationForNamespace != &core.Deprecation{}) into a helper method

[barakmich]

A related call to this might also be useful in Validate() (in this package) if the deprecation is an error state.

[kartikaysaxena]

The Validate function is also invoked during WriteSchema, so if we call this in Validate, any attempt to write a schema with this feature containing deprecated resources/relations/subjects would result in an error at schema write time.

[kartikaysaxena]

checking on this

[josephschorr]

@kartikaysaxena Sorry, I thought this merged. Can you rebase and resolve conflicts?

[josephschorr]

@kartikaysaxena Checking in on this; I'd like to get it in but it has conflicts

[kartikaysaxena]

Hey @josephschorr sorry was busy at work; I have rebased and resolved the the merge conflicts and did a sanity on the changes. Let me know if anything else is needed, happy to help.