feat: allow underscore prefix for private identifiers

CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 ### Added
+- Allow underscore prefix for private identifiers in definitions, relations, and permissions (https://github.com/authzed/spicedb/pull/2733)
 - Added support for YAML-based validation files in DevContext (https://github.com/authzed/spicedb/pull/3024)
 
 ### Changed

pkg/development/wasm/operations_test.go

@@ -133,7 +133,7 @@ func TestCheckOperation(t *testing.T) {
 			tuple.MustParse("somenamespace:someobj#anotherrel@user:foo"),
 			nil,
 			&devinterface.DeveloperError{
-				Message: "error in object definition fo: validation error: name: value does not match regex pattern `^([a-z][a-z0-9_]{1,62}[a-z0-9]/)*[a-z][a-z0-9_]{1,62}[a-z0-9]$`",
+				Message: "error in object definition fo: validation error: name: value does not match regex pattern `^([a-z_][a-z0-9_]{1,62}[a-z0-9]/)*[a-z_][a-z0-9_]{1,62}[a-z0-9]$`",
 				Kind:    devinterface.DeveloperError_SCHEMA_ISSUE,
 				Source:  devinterface.DeveloperError_SCHEMA,
 				Line:    1,

pkg/schemadsl/compiler/compiler_test.go

@@ -795,7 +795,7 @@ func TestCompile(t *testing.T) {
 			"invalid definition name",
 			nilPrefix,
 			`definition someTenant/fo {}`,
-			"parse error in `invalid definition name`, line 1, column 1: error in object definition someTenant/fo: validation error: name: value does not match regex pattern `^([a-z][a-z0-9_]{1,62}[a-z0-9]/)*[a-z][a-z0-9_]{1,62}[a-z0-9]$`",
+			"parse error in `invalid definition name`, line 1, column 1: error in object definition someTenant/fo: validation error: name: value does not match regex pattern `^([a-z_][a-z0-9_]{1,62}[a-z0-9]/)*[a-z_][a-z0-9_]{1,62}[a-z0-9]$`",
 			[]SchemaDefinition{},
 		},
 		{
@@ -804,9 +804,69 @@ func TestCompile(t *testing.T) {
 			`definition some_tenant/foos {
 				relation ab: some_tenant/foos
 			}`,
-			"parse error in `invalid relation name`, line 2, column 5: error in relation ab: validation error: name: value does not match regex pattern `^[a-z][a-z0-9_]{1,62}[a-z0-9]$`",
+			"parse error in `invalid relation name`, line 2, column 5: error in relation ab: validation error: name: value does not match regex pattern `^[a-z_][a-z0-9_]{1,62}[a-z0-9]$`",
 			[]SchemaDefinition{},
 		},
+		{
+			"underscore prefix namespace",
+			AllowUnprefixedObjectType(),
+			`definition _private_resource {
+				relation owner: user
+			}`,
+			"",
+			[]SchemaDefinition{
+				namespace.Namespace("_private_resource",
+					namespace.MustRelation("owner", nil, namespace.AllowedRelation("user", "...")),
+				),
+			},
+		},
+		{
+			"underscore prefix relation",
+			withTenantPrefix,
+			`definition resource {
+				relation _internal_owner: sometenant/user
+				relation viewer: sometenant/user
+				permission view = viewer + _internal_owner
+			}`,
+			"",
+			[]SchemaDefinition{
+				namespace.Namespace("sometenant/resource",
+					namespace.MustRelation("_internal_owner", nil, namespace.AllowedRelation("sometenant/user", "...")),
+					namespace.MustRelation("viewer", nil, namespace.AllowedRelation("sometenant/user", "...")),
+					namespace.MustRelation("view",
+						namespace.Union(
+							namespace.ComputedUserset("viewer"),
+							namespace.ComputedUserset("_internal_owner"),
+						),
+					),
+				),
+			},
+		},
+		{
+			"underscore prefix permission",
+			withTenantPrefix,
+			`definition document {
+				relation owner: sometenant/user
+				permission _internal_edit = owner
+				permission edit = _internal_edit
+			}`,
+			"",
+			[]SchemaDefinition{
+				namespace.Namespace("sometenant/document",
+					namespace.MustRelation("owner", nil, namespace.AllowedRelation("sometenant/user", "...")),
+					namespace.MustRelation("_internal_edit",
+						namespace.Union(
+							namespace.ComputedUserset("owner"),
+						),
+					),
+					namespace.MustRelation("edit",
+						namespace.Union(
+							namespace.ComputedUserset("_internal_edit"),
+						),
+					),
+				),
+			},
+		},
 		{
 			"no implicit tenant with specified tenant on type ref",
 			nilPrefix,

pkg/schemadsl/lexer/lex_test.go

@@ -67,6 +67,24 @@ var lexerTests = []lexerTest{
 		tEOF,
 	}},
 
+	// Underscore prefix tests
+	{"underscore identifier", "_private", []Lexeme{{TokenTypeIdentifier, 0, "_private", ""}, tEOF}},
+	{"underscore relation", "_internal_permission", []Lexeme{{TokenTypeIdentifier, 0, "_internal_permission", ""}, tEOF}},
+	{"underscore namespace", "_system", []Lexeme{{TokenTypeIdentifier, 0, "_system", ""}, tEOF}},
+	{"underscore typepath", "_tenant/_resource", []Lexeme{
+		{TokenTypeIdentifier, 0, "_tenant", ""},
+		{TokenTypeDiv, 0, "/", ""},
+		{TokenTypeIdentifier, 0, "_resource", ""},
+		tEOF,
+	}},
+	{"mixed underscore path", "_private/public/_internal", []Lexeme{
+		{TokenTypeIdentifier, 0, "_private", ""},
+		{TokenTypeDiv, 0, "/", ""},
+		{TokenTypeIdentifier, 0, "public", ""},
+		{TokenTypeDiv, 0, "/", ""},
+		{TokenTypeIdentifier, 0, "_internal", ""},
+		tEOF,
+	}},
 	{"unicode identifier", "一级", []Lexeme{{TokenTypeIdentifier, 0, "一级", ""}, tEOF}},
 	{"unicode singlequoted string literal", "'一级'", []Lexeme{{TokenTypeString, 0, "'一级'", ""}, tEOF}},
 	{"ascii singlequoted string literal", "'foo'", []Lexeme{{TokenTypeString, 0, "'foo'", ""}, tEOF}},

pkg/tuple/parsing.go

@@ -16,11 +16,11 @@ import (
 )
 
 const (
-	namespaceNameExpr = "([a-z][a-z0-9_]{1,61}[a-z0-9]/)*[a-z][a-z0-9_]{1,62}[a-z0-9]"
+	namespaceNameExpr = "([a-z_][a-z0-9_]{1,61}[a-z0-9]/)*[a-z_][a-z0-9_]{1,62}[a-z0-9]"
 	resourceIDExpr    = "([a-zA-Z0-9/_|\\-=+]{1,})"
 	subjectIDExpr     = "([a-zA-Z0-9/_|\\-=+]{1,})|\\*"
-	relationExpr      = "[a-z][a-z0-9_]{1,62}[a-z0-9]"
-	caveatNameExpr    = "([a-z][a-z0-9_]{1,61}[a-z0-9]/)*[a-z][a-z0-9_]{1,62}[a-z0-9]"
+	relationExpr      = "[a-z_][a-z0-9_]{1,62}[a-z0-9]"
+	caveatNameExpr    = "([a-z_][a-z0-9_]{1,61}[a-z0-9]/)*[a-z_][a-z0-9_]{1,62}[a-z0-9]"
 )
 
 var onrExpr = fmt.Sprintf(