Major improvements to auth

go.mod

@@ -8,13 +8,13 @@ require (
 	github.com/PuerkitoBio/goquery v1.8.1
 	github.com/cockroachdb/apd/v2 v2.0.3-0.20200518165714-d020e156310a
 	github.com/cockroachdb/errors v1.7.5
-	github.com/dolthub/dolt/go v0.40.5-0.20241115201116-e5d3dcc32851
-	github.com/dolthub/dolt/go/gen/proto/dolt/services/eventsapi v0.0.0-20241104143128-c2bb78c109df
+	github.com/dolthub/dolt/go v0.40.5-0.20241119094239-f4e529af734d
+	github.com/dolthub/dolt/go/gen/proto/dolt/services/eventsapi v0.0.0-20241119094239-f4e529af734d
 	github.com/dolthub/flatbuffers/v23 v23.3.3-dh.2
 	github.com/dolthub/go-icu-regex v0.0.0-20240916130659-0118adc6b662
-	github.com/dolthub/go-mysql-server v0.18.2-0.20241115193357-2d21230229d1
+	github.com/dolthub/go-mysql-server v0.18.2-0.20241119011039-4d6202a92c5f
 	github.com/dolthub/sqllogictest/go v0.0.0-20240618184124-ca47f9354216
-	github.com/dolthub/vitess v0.0.0-20241111235433-a20a5ab9d7c9
+	github.com/dolthub/vitess v0.0.0-20241119005402-6a198321d993
 	github.com/fatih/color v1.13.0
 	github.com/goccy/go-json v0.10.2
 	github.com/gogo/protobuf v1.3.2

go.sum

@@ -214,18 +214,18 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/dolthub/dolt/go v0.40.5-0.20241115201116-e5d3dcc32851 h1:YXtt75Ea8vubxjZaaFapZOvTk/QAInRpBf6k7zdZKhQ=
-github.com/dolthub/dolt/go v0.40.5-0.20241115201116-e5d3dcc32851/go.mod h1:i3nULz7I2VgZuWdGgSJo+SsCJdz1ftjjSOPMAuV0uNk=
-github.com/dolthub/dolt/go/gen/proto/dolt/services/eventsapi v0.0.0-20241104143128-c2bb78c109df h1:xafyaNR+hSk5TwOhmNkhhrmOZKIOkxAOCiIEUzlIybc=
-github.com/dolthub/dolt/go/gen/proto/dolt/services/eventsapi v0.0.0-20241104143128-c2bb78c109df/go.mod h1:L5RDYZbC9BBWmoU2+TjTekeqqhFXX5EqH9ln00O0stY=
+github.com/dolthub/dolt/go v0.40.5-0.20241119094239-f4e529af734d h1:QEwNm7eRxngYPhUEW0+nl8GeKTBzl+wN2OKFNxZitdw=
+github.com/dolthub/dolt/go v0.40.5-0.20241119094239-f4e529af734d/go.mod h1:0Idu5ie7JiD13tx9X7zrsubBEGjR5DR3ZVbuyYz8A24=
+github.com/dolthub/dolt/go/gen/proto/dolt/services/eventsapi v0.0.0-20241119094239-f4e529af734d h1:gO9+wrmNHXukPNCO1tpfCcXIdMlW/qppbUStfLvqz/U=
+github.com/dolthub/dolt/go/gen/proto/dolt/services/eventsapi v0.0.0-20241119094239-f4e529af734d/go.mod h1:L5RDYZbC9BBWmoU2+TjTekeqqhFXX5EqH9ln00O0stY=
 github.com/dolthub/flatbuffers/v23 v23.3.3-dh.2 h1:u3PMzfF8RkKd3lB9pZ2bfn0qEG+1Gms9599cr0REMww=
 github.com/dolthub/flatbuffers/v23 v23.3.3-dh.2/go.mod h1:mIEZOHnFx4ZMQeawhw9rhsj+0zwQj7adVsnBX7t+eKY=
 github.com/dolthub/fslock v0.0.3 h1:iLMpUIvJKMKm92+N1fmHVdxJP5NdyDK5bK7z7Ba2s2U=
 github.com/dolthub/fslock v0.0.3/go.mod h1:QWql+P17oAAMLnL4HGB5tiovtDuAjdDTPbuqx7bYfa0=
 github.com/dolthub/go-icu-regex v0.0.0-20240916130659-0118adc6b662 h1:aC17hZD6iwzBwwfO5M+3oBT5E5gGRiQPdn+vzpDXqIA=
 github.com/dolthub/go-icu-regex v0.0.0-20240916130659-0118adc6b662/go.mod h1:KPUcpx070QOfJK1gNe0zx4pA5sicIK1GMikIGLKC168=
-github.com/dolthub/go-mysql-server v0.18.2-0.20241115193357-2d21230229d1 h1:FfUUxob0uurW8D8z25GfgEmBwL+dl1zWWkf85iCsnUI=
-github.com/dolthub/go-mysql-server v0.18.2-0.20241115193357-2d21230229d1/go.mod h1:sOMQzWUvHvJECzpcUxjDgV5BR/A7U+hOh596PUO2NPI=
+github.com/dolthub/go-mysql-server v0.18.2-0.20241119011039-4d6202a92c5f h1:gWnRFJyo3fuXXO80uTH+/2n+qc+0TwofvwgVQ4e49gU=
+github.com/dolthub/go-mysql-server v0.18.2-0.20241119011039-4d6202a92c5f/go.mod h1:uPKS0kU0pd1l/9RVVFe4i+/cqqxxGuhnYZZzE9xwc2U=
 github.com/dolthub/gozstd v0.0.0-20240423170813-23a2903bca63 h1:OAsXLAPL4du6tfbBgK0xXHZkOlos63RdKYS3Sgw/dfI=
 github.com/dolthub/gozstd v0.0.0-20240423170813-23a2903bca63/go.mod h1:lV7lUeuDhH5thVGDCKXbatwKy2KW80L4rMT46n+Y2/Q=
 github.com/dolthub/ishell v0.0.0-20240701202509-2b217167d718 h1:lT7hE5k+0nkBdj/1UOSFwjWpNxf+LCApbRHgnCA17XE=
@@ -238,8 +238,8 @@ github.com/dolthub/sqllogictest/go v0.0.0-20240618184124-ca47f9354216 h1:JWkKRE4
 github.com/dolthub/sqllogictest/go v0.0.0-20240618184124-ca47f9354216/go.mod h1:e/FIZVvT2IR53HBCAo41NjqgtEnjMJGKca3Y/dAmZaA=
 github.com/dolthub/swiss v0.1.0 h1:EaGQct3AqeP/MjASHLiH6i4TAmgbG/c4rA6a1bzCOPc=
 github.com/dolthub/swiss v0.1.0/go.mod h1:BeucyB08Vb1G9tumVN3Vp/pyY4AMUnr9p7Rz7wJ7kAQ=
-github.com/dolthub/vitess v0.0.0-20241111235433-a20a5ab9d7c9 h1:s36zDuLPuZRWC0nBCJs2Z8joP19eKEtcsIsuE8K9Kx0=
-github.com/dolthub/vitess v0.0.0-20241111235433-a20a5ab9d7c9/go.mod h1:uBvlRluuL+SbEWTCZ68o0xvsdYZER3CEG/35INdzfJM=
+github.com/dolthub/vitess v0.0.0-20241119005402-6a198321d993 h1:MhD6jHjshx2djyUq/uZxtCyHBYAnE3WshhJDUaO9fD8=
+github.com/dolthub/vitess v0.0.0-20241119005402-6a198321d993/go.mod h1:uBvlRluuL+SbEWTCZ68o0xvsdYZER3CEG/35INdzfJM=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=

server/ast/aliased_table_expr.go

@@ -43,8 +43,8 @@ func nodeAliasedTableExpr(ctx *Context, node *tree.AliasedTableExpr) (*vitess.Al
 		aliasExpr = tableName
 		authInfo = vitess.AuthInformation{
 			AuthType:    ctx.Auth().PeekAuthType(),
-			TargetType:  auth.AuthTargetType_SingleTableIdentifier,
-			TargetNames: []string{tableName.SchemaQualifier.String(), tableName.Name.String()},
+			TargetType:  auth.AuthTargetType_TableIdentifiers,
+			TargetNames: []string{tableName.DbQualifier.String(), tableName.SchemaQualifier.String(), tableName.Name.String()},
 		}
 	case *tree.Subquery:
 		tableExpr, err := nodeTableExpr(ctx, expr)

server/ast/create_schema.go

@@ -17,6 +17,8 @@ package ast
 import (
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
+	"github.com/dolthub/doltgresql/server/auth"
+
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
 )
 
@@ -25,13 +27,16 @@ func nodeCreateSchema(ctx *Context, node *tree.CreateSchema) (vitess.Statement,
 	if node == nil {
 		return nil, nil
 	}
-
 	return &vitess.DBDDL{
 		Action:           "CREATE",
 		SchemaOrDatabase: "schema",
 		DBName:           node.Schema,
 		IfNotExists:      node.IfNotExists,
 		CharsetCollate:   nil, // TODO
-		// TODO: AuthRole
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_CREATE,
+			TargetType:  auth.AuthTargetType_DatabaseIdentifiers,
+			TargetNames: []string{""},
+		},
 	}, nil
 }

server/ast/create_table.go

@@ -20,6 +20,7 @@ import (
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
+	"github.com/dolthub/doltgresql/server/auth"
 )
 
 // nodeCreateTable handles *tree.CreateTable nodes.
@@ -87,6 +88,11 @@ func nodeCreateTable(ctx *Context, node *tree.CreateTable) (*vitess.DDL, error)
 		Temporary:   isTemporary,
 		OptSelect:   optSelect,
 		OptLike:     optLike,
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_CREATE,
+			TargetType:  auth.AuthTargetType_SchemaIdentifiers,
+			TargetNames: []string{tableName.DbQualifier.String(), tableName.SchemaQualifier.String()},
+		},
 	}
 	if err = assignTableDefs(ctx, node.Defs, ddl); err != nil {
 		return nil, err

server/ast/drop_table.go

@@ -20,6 +20,7 @@ import (
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
 	"github.com/dolthub/doltgresql/postgres/parser/sem/tree"
+	"github.com/dolthub/doltgresql/server/auth"
 )
 
 // nodeDropTable handles *tree.DropTable nodes.
@@ -36,16 +37,24 @@ func nodeDropTable(ctx *Context, node *tree.DropTable) (*vitess.DDL, error) {
 		return nil, fmt.Errorf("CASCADE is not yet supported")
 	}
 	tableNames := make([]vitess.TableName, len(node.Names))
+	authTableNames := make([]string, 0, len(node.Names)*3)
 	for i := range node.Names {
 		var err error
 		tableNames[i], err = nodeTableName(ctx, &node.Names[i])
 		if err != nil {
 			return nil, err
 		}
+		authTableNames = append(authTableNames,
+			tableNames[i].DbQualifier.String(), tableNames[i].SchemaQualifier.String(), tableNames[i].Name.String())
 	}
 	return &vitess.DDL{
 		Action:     vitess.DropStr,
 		FromTables: tableNames,
 		IfExists:   node.IfExists,
+		Auth: vitess.AuthInformation{
+			AuthType:    auth.AuthType_DROPTABLE,
+			TargetType:  auth.AuthTargetType_Ignore,
+			TargetNames: authTableNames,
+		},
 	}, nil
 }

server/ast/grant.go

@@ -32,10 +32,12 @@ func nodeGrant(ctx *Context, node *tree.Grant) (vitess.Statement, error) {
 		return nil, nil
 	}
 	var grantTable *pgnodes.GrantTable
+	var grantSchema *pgnodes.GrantSchema
+	var grantDatabase *pgnodes.GrantDatabase
 	switch node.Targets.TargetType {
 	case privilege.Table:
-		tables := make([]doltdb.TableName, len(node.Targets.Tables))
-		for i, table := range node.Targets.Tables {
+		tables := make([]doltdb.TableName, 0, len(node.Targets.Tables)+len(node.Targets.InSchema))
+		for _, table := range node.Targets.Tables {
 			normalizedTable, err := table.NormalizeTablePattern()
 			if err != nil {
 				return nil, err
@@ -45,31 +47,60 @@ func nodeGrant(ctx *Context, node *tree.Grant) (vitess.Statement, error) {
 				if normalizedTable.ExplicitCatalog {
 					return nil, fmt.Errorf("granting privileges to other databases is not yet supported")
 				}
-				tables[i] = doltdb.TableName{
+				tables = append(tables, doltdb.TableName{
 					Name:   string(normalizedTable.ObjectName),
 					Schema: string(normalizedTable.SchemaName),
-				}
+				})
 			case *tree.AllTablesSelector:
-				return nil, fmt.Errorf("selecting all tables in a schema is not yet supported")
+				tables = append(tables, doltdb.TableName{
+					Name:   "",
+					Schema: string(normalizedTable.SchemaName),
+				})
 			default:
 				return nil, fmt.Errorf(`unexpected table type in GRANT: %T`, normalizedTable)
 			}
 		}
+		for _, schema := range node.Targets.InSchema {
+			tables = append(tables, doltdb.TableName{
+				Name:   "",
+				Schema: schema,
+			})
+		}
 		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_TABLE, node.Privileges)
 		if err != nil {
 			return nil, err
 		}
 		grantTable = &pgnodes.GrantTable{
-			Privileges:         privileges,
-			Tables:             tables,
-			AllTablesInSchemas: nil,
+			Privileges: privileges,
+			Tables:     tables,
+		}
+	case privilege.Schema:
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_SCHEMA, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		grantSchema = &pgnodes.GrantSchema{
+			Privileges: privileges,
+			Schemas:    node.Targets.Names,
+		}
+	case privilege.Database:
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_DATABASE, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		grantDatabase = &pgnodes.GrantDatabase{
+			Privileges: privileges,
+			Databases:  node.Targets.Databases.ToStrings(),
 		}
 	default:
 		return nil, fmt.Errorf("this form of GRANT is not yet supported")
 	}
 	return vitess.InjectedStatement{
 		Statement: &pgnodes.Grant{
 			GrantTable:      grantTable,
+			GrantSchema:     grantSchema,
+			GrantDatabase:   grantDatabase,
+			GrantRole:       nil,
 			ToRoles:         node.Grantees,
 			WithGrantOption: node.WithGrantOption,
 			GrantedBy:       node.GrantedBy,

server/ast/grant_role.go

@@ -15,7 +15,7 @@
 package ast
 
 import (
-	"fmt"
+	pgnodes "github.com/dolthub/doltgresql/server/node"
 
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
@@ -27,5 +27,15 @@ func nodeGrantRole(ctx *Context, node *tree.GrantRole) (vitess.Statement, error)
 	if node == nil {
 		return nil, nil
 	}
-	return nil, fmt.Errorf("GRANT ROLE is not yet supported")
+	return vitess.InjectedStatement{
+		Statement: &pgnodes.Grant{
+			GrantRole: &pgnodes.GrantRole{
+				Groups: node.Roles.ToStrings(),
+			},
+			ToRoles:         node.Members,
+			WithGrantOption: len(node.WithOption) > 0,
+			GrantedBy:       node.GrantedBy,
+		},
+		Children: nil,
+	}, nil
 }

server/ast/insert.go

@@ -105,8 +105,8 @@ func nodeInsert(ctx *Context, node *tree.Insert) (*vitess.Insert, error) {
 		OnDup:   onDuplicate,
 		Auth: vitess.AuthInformation{
 			AuthType:    auth.AuthType_INSERT,
-			TargetType:  auth.AuthTargetType_SingleTableIdentifier,
-			TargetNames: []string{tableName.SchemaQualifier.String(), tableName.Name.String()},
+			TargetType:  auth.AuthTargetType_TableIdentifiers,
+			TargetNames: []string{tableName.DbQualifier.String(), tableName.SchemaQualifier.String(), tableName.Name.String()},
 		},
 	}, nil
 }

server/ast/revoke.go

@@ -32,9 +32,11 @@ func nodeRevoke(ctx *Context, node *tree.Revoke) (vitess.Statement, error) {
 		return nil, nil
 	}
 	var revokeTable *pgnodes.RevokeTable
+	var revokeSchema *pgnodes.RevokeSchema
+	var revokeDatabase *pgnodes.RevokeDatabase
 	switch node.Targets.TargetType {
 	case privilege.Table:
-		tables := make([]doltdb.TableName, len(node.Targets.Tables))
+		tables := make([]doltdb.TableName, len(node.Targets.Tables)+len(node.Targets.InSchema))
 		for i, table := range node.Targets.Tables {
 			normalizedTable, err := table.NormalizeTablePattern()
 			if err != nil {
@@ -50,26 +52,55 @@ func nodeRevoke(ctx *Context, node *tree.Revoke) (vitess.Statement, error) {
 					Schema: string(normalizedTable.SchemaName),
 				}
 			case *tree.AllTablesSelector:
-				return nil, fmt.Errorf("selecting all tables in a schema is not yet supported")
+				tables[i] = doltdb.TableName{
+					Name:   "",
+					Schema: string(normalizedTable.SchemaName),
+				}
 			default:
 				return nil, fmt.Errorf(`unexpected table type in REVOKE: %T`, normalizedTable)
 			}
 		}
+		for _, schema := range node.Targets.InSchema {
+			tables = append(tables, doltdb.TableName{
+				Name:   "",
+				Schema: schema,
+			})
+		}
 		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_TABLE, node.Privileges)
 		if err != nil {
 			return nil, err
 		}
 		revokeTable = &pgnodes.RevokeTable{
-			Privileges:         privileges,
-			Tables:             tables,
-			AllTablesInSchemas: nil,
+			Privileges: privileges,
+			Tables:     tables,
+		}
+	case privilege.Schema:
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_SCHEMA, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		revokeSchema = &pgnodes.RevokeSchema{
+			Privileges: privileges,
+			Schemas:    node.Targets.Names,
+		}
+	case privilege.Database:
+		privileges, err := convertPrivilegeKinds(auth.PrivilegeObject_DATABASE, node.Privileges)
+		if err != nil {
+			return nil, err
+		}
+		revokeDatabase = &pgnodes.RevokeDatabase{
+			Privileges: privileges,
+			Databases:  node.Targets.Databases.ToStrings(),
 		}
 	default:
 		return nil, fmt.Errorf("this form of REVOKE is not yet supported")
 	}
 	return vitess.InjectedStatement{
 		Statement: &pgnodes.Revoke{
 			RevokeTable:    revokeTable,
+			RevokeSchema:   revokeSchema,
+			RevokeDatabase: revokeDatabase,
+			RevokeRole:     nil,
 			FromRoles:      node.Grantees,
 			GrantedBy:      node.GrantedBy,
 			GrantOptionFor: node.GrantOptionFor,

server/ast/revoke_role.go

@@ -15,7 +15,7 @@
 package ast
 
 import (
-	"fmt"
+	pgnodes "github.com/dolthub/doltgresql/server/node"
 
 	vitess "github.com/dolthub/vitess/go/vt/sqlparser"
 
@@ -27,5 +27,16 @@ func nodeRevokeRole(ctx *Context, node *tree.RevokeRole) (vitess.Statement, erro
 	if node == nil {
 		return nil, nil
 	}
-	return nil, fmt.Errorf("REVOKE ROLE is not yet supported")
+	return vitess.InjectedStatement{
+		Statement: &pgnodes.Revoke{
+			RevokeRole: &pgnodes.RevokeRole{
+				Groups: node.Roles.ToStrings(),
+			},
+			FromRoles:      node.Members,
+			GrantedBy:      node.GrantedBy,
+			GrantOptionFor: len(node.Option) > 0,
+			Cascade:        node.DropBehavior == tree.DropCascade,
+		},
+		Children: nil,
+	}, nil
 }

server/ast/table_expr.go

@@ -125,8 +125,8 @@ func nodeTableExpr(ctx *Context, node tree.TableExpr) (vitess.TableExpr, error)
 			Expr: tableName,
 			Auth: vitess.AuthInformation{
 				AuthType:    ctx.Auth().PeekAuthType(),
-				TargetType:  auth.AuthTargetType_SingleTableIdentifier,
-				TargetNames: []string{tableName.SchemaQualifier.String(), tableName.Name.String()},
+				TargetType:  auth.AuthTargetType_TableIdentifiers,
+				TargetNames: []string{tableName.DbQualifier.String(), tableName.SchemaQualifier.String(), tableName.Name.String()},
 			},
 		}, nil
 	case *tree.TableRef:
@@ -140,8 +140,8 @@ func nodeTableExpr(ctx *Context, node tree.TableExpr) (vitess.TableExpr, error)
 			Expr: tableName,
 			Auth: vitess.AuthInformation{
 				AuthType:    ctx.Auth().PeekAuthType(),
-				TargetType:  auth.AuthTargetType_SingleTableIdentifier,
-				TargetNames: []string{tableName.SchemaQualifier.String(), tableName.Name.String()},
+				TargetType:  auth.AuthTargetType_TableIdentifiers,
+				TargetNames: []string{tableName.DbQualifier.String(), tableName.SchemaQualifier.String(), tableName.Name.String()},
 			},
 		}, nil
 	default:

server/ast/truncate.go

@@ -48,8 +48,8 @@ func nodeTruncate(ctx *Context, node *tree.Truncate) (*vitess.DDL, error) {
 		Table:  tableName,
 		Auth: vitess.AuthInformation{
 			AuthType:    auth.AuthType_TRUNCATE,
-			TargetType:  auth.AuthTargetType_SingleTableIdentifier,
-			TargetNames: []string{tableName.SchemaQualifier.String(), tableName.Name.String()},
+			TargetType:  auth.AuthTargetType_TableIdentifiers,
+			TargetNames: []string{tableName.DbQualifier.String(), tableName.SchemaQualifier.String(), tableName.Name.String()},
 		},
 	}, nil
 }