Add support for DENY statements

Author: aharpervc

src/ast/mod.rs

@@ -3906,6 +3906,10 @@ pub enum Statement {
         granted_by: Option<Ident>,
     },
     /// ```sql
+    /// DENY privileges ON object TO grantees
+    /// ```
+    Deny(DenyStatement),
+    /// ```sql
     /// REVOKE privileges ON objects FROM grantees
     /// ```
     Revoke {
@@ -5595,6 +5599,7 @@ impl fmt::Display for Statement {
                 }
                 Ok(())
             }
+            Statement::Deny(s) => write!(f, "{s}"),
             Statement::Revoke {
                 privileges,
                 objects,
@@ -6867,6 +6872,37 @@ impl fmt::Display for GrantObjects {
     }
 }
 
+/// A `DENY` statement
+///
+/// [MsSql](https://learn.microsoft.com/en-us/sql/t-sql/statements/deny-transact-sql)
+#[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
+#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "visitor", derive(Visit, VisitMut))]
+pub struct DenyStatement {
+    pub privileges: Privileges,
+    pub objects: GrantObjects,
+    pub grantees: Vec<Grantee>,
+    pub granted_by: Option<Ident>,
+    pub cascade: Option<CascadeOption>,
+}
+
+impl fmt::Display for DenyStatement {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(f, "DENY {}", self.privileges)?;
+        write!(f, " ON {}", self.objects)?;
+        if !self.grantees.is_empty() {
+            write!(f, " TO {}", display_comma_separated(&self.grantees))?;
+        }
+        if let Some(cascade) = &self.cascade {
+            write!(f, " {cascade}")?;
+        }
+        if let Some(granted_by) = &self.granted_by {
+            write!(f, " AS {granted_by}")?;
+        }
+        Ok(())
+    }
+}
+
 /// SQL assignment `foo = expr` as used in SQLUpdate
 #[derive(Debug, Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
 #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]

src/ast/spans.rs

@@ -491,6 +491,7 @@ impl Spanned for Statement {
             Statement::CreateStage { .. } => Span::empty(),
             Statement::Assert { .. } => Span::empty(),
             Statement::Grant { .. } => Span::empty(),
+            Statement::Deny { .. } => Span::empty(),
             Statement::Revoke { .. } => Span::empty(),
             Statement::Deallocate { .. } => Span::empty(),
             Statement::Execute { .. } => Span::empty(),

src/keywords.rs

@@ -278,6 +278,7 @@ define_keywords!(
     DELIMITER,
     DELTA,
     DENSE_RANK,
+    DENY,
     DEREF,
     DESC,
     DESCRIBE,

src/parser/mod.rs

@@ -583,6 +583,10 @@ impl<'a> Parser<'a> {
                 Keyword::SHOW => self.parse_show(),
                 Keyword::USE => self.parse_use(),
                 Keyword::GRANT => self.parse_grant(),
+                Keyword::DENY => {
+                    self.prev_token();
+                    self.parse_deny()
+                }
                 Keyword::REVOKE => self.parse_revoke(),
                 Keyword::START => self.parse_start_transaction(),
                 Keyword::BEGIN => self.parse_begin(),
@@ -13381,7 +13385,7 @@ impl<'a> Parser<'a> {
 
     /// Parse a GRANT statement.
     pub fn parse_grant(&mut self) -> Result<Statement, ParserError> {
-        let (privileges, objects) = self.parse_grant_revoke_privileges_objects()?;
+        let (privileges, objects) = self.parse_grant_deny_revoke_privileges_objects()?;
 
         self.expect_keyword_is(Keyword::TO)?;
         let grantees = self.parse_grantees()?;
@@ -13460,7 +13464,7 @@ impl<'a> Parser<'a> {
         Ok(values)
     }
 
-    pub fn parse_grant_revoke_privileges_objects(
+    pub fn parse_grant_deny_revoke_privileges_objects(
         &mut self,
     ) -> Result<(Privileges, Option<GrantObjects>), ParserError> {
         let privileges = if self.parse_keyword(Keyword::ALL) {
@@ -13510,7 +13514,6 @@ impl<'a> Parser<'a> {
                 let object_type = self.parse_one_of_keywords(&[
                     Keyword::SEQUENCE,
                     Keyword::DATABASE,
-                    Keyword::DATABASE,
                     Keyword::SCHEMA,
                     Keyword::TABLE,
                     Keyword::VIEW,
@@ -13803,9 +13806,40 @@ impl<'a> Parser<'a> {
         }
     }
 
+    /// Parse [`Statement::Deny`]
+    pub fn parse_deny(&mut self) -> Result<Statement, ParserError> {
+        self.expect_keyword(Keyword::DENY)?;
+
+        let (privileges, objects) = self.parse_grant_deny_revoke_privileges_objects()?;
+        let objects = match objects {
+            Some(o) => o,
+            None => {
+                return parser_err!(
+                    "DENY statements must specify an object",
+                    self.peek_token().span.start
+                )
+            }
+        };
+
+        self.expect_keyword_is(Keyword::TO)?;
+        let grantees = self.parse_grantees()?;
+        let cascade = self.parse_cascade_option();
+        let granted_by = self
+            .parse_keywords(&[Keyword::AS])
+            .then(|| self.parse_identifier().unwrap());
+
+        Ok(Statement::Deny(DenyStatement {
+            privileges,
+            objects,
+            grantees,
+            cascade,
+            granted_by,
+        }))
+    }
+
     /// Parse a REVOKE statement
     pub fn parse_revoke(&mut self) -> Result<Statement, ParserError> {
-        let (privileges, objects) = self.parse_grant_revoke_privileges_objects()?;
+        let (privileges, objects) = self.parse_grant_deny_revoke_privileges_objects()?;
 
         self.expect_keyword_is(Keyword::FROM)?;
         let grantees = self.parse_grantees()?;

tests/sqlparser_common.rs

@@ -9333,6 +9333,30 @@ fn parse_grant() {
     verified_stmt("GRANT SELECT ON VIEW view1 TO ROLE role1");
 }
 
+#[test]
+fn parse_deny() {
+    let sql = "DENY INSERT, DELETE ON users TO analyst CASCADE AS admin";
+    match verified_stmt(sql) {
+        Statement::Deny(deny) => {
+            assert_eq!(
+                Privileges::Actions(vec![Action::Insert { columns: None }, Action::Delete]),
+                deny.privileges
+            );
+            assert_eq!(
+                &GrantObjects::Tables(vec![ObjectName::from(vec![Ident::new("users")])]),
+                &deny.objects
+            );
+            assert_eq_vec(&["analyst"], &deny.grantees);
+            assert_eq!(Some(CascadeOption::Cascade), deny.cascade);
+            assert_eq!(Some(Ident::from("admin")), deny.granted_by);
+        }
+        _ => unreachable!(),
+    }
+
+    verified_stmt("DENY SELECT, INSERT, UPDATE, DELETE ON db1.sc1 TO role1, role2");
+    verified_stmt("DENY ALL ON db1.sc1 TO role1");
+}
+
 #[test]
 fn test_revoke() {
     let sql = "REVOKE ALL PRIVILEGES ON users, auth FROM analyst";