From 2f9ed0146e9c1757881ab3489da8816fb48e319d Mon Sep 17 00:00:00 2001
From: josipmrden
Date: Mon, 4 Jul 2022 13:49:54 +0200
Subject: [PATCH 1/7] Updated lexer for adding privileges over labels
---
 src/query/frontend/opencypher/grammar/MemgraphCypher.g4 | 6 ++++++
 .../frontend/opencypher/grammar/MemgraphCypherLexer.g4 | 1 +
 src/query/frontend/stripped_lexer_constants.hpp | 5 +++--
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/query/frontend/opencypher/grammar/MemgraphCypher.g4 b/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
index b412a474a..98d09784d 100644
--- a/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
+++ b/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
@@ -56,6 +56,7 @@ memgraphCypherKeyword : cypherKeyword
 | IDENTIFIED
 | ISOLATION
 | KAFKA
+ | LABELS
 | LEVEL
 | LOAD
 | LOCK
@@ -254,10 +255,15 @@ privilege : CREATE
 | MODULE_READ
 | MODULE_WRITE
 | WEBSOCKET
+ | LABELS labels=labelList
 ;
 privilegeList : privilege ( ',' privilege )* ;
+labelList : label ( ',' label )* ;
+
+label: ( '*' | StringLiteral ) ;
+
 showPrivileges : SHOW PRIVILEGES FOR userOrRole=userOrRoleName ;
 showRoleForUser : SHOW ROLE FOR user=userOrRoleName ;
diff --git a/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4 b/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4
index 55e5d53a2..a98aa8630 100644
--- a/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4
+++ b/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4
@@ -66,6 +66,7 @@ IDENTIFIED : I D E N T I F I E D ;
 IGNORE : I G N O R E ;
 ISOLATION : I S O L A T I O N ;
 KAFKA : K A F K A ;
+LabelsTest : L A B E L S ;
 LEVEL : L E V E L ;
 LOAD : L O A D ;
 LOCK : L O C K ;
diff --git a/src/query/frontend/stripped_lexer_constants.hpp b/src/query/frontend/stripped_lexer_constants.hpp
index 42b7b4aeb..9e216e2c4 100644
--- a/src/query/frontend/stripped_lexer_constants.hpp
+++ b/src/query/frontend/stripped_lexer_constants.hpp
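Review bot: Reserving `L A B E L S` as a lexer token in MemgraphCypherLexer.g4 affects every query that contains that word, and `labels` is also the name of the built-in Cypher function `labels(n)` as well as a plausible variable or property name. The `memgraphCypherKeyword` hunk presumably keeps the word usable as a name, but that depends on rules outside these hunks, and in this commit the lexer rule is called `LabelsTest` while the parser hunks refer to `LABELS`. A parser test that `RETURN labels(n)` and an identifier named `labels` still parse would pin the behaviour down before the privilege work builds on it.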
@@ -204,8 +204,9 @@ const trie::Trie kKeywords = {"union",
 "pulsar",
 "service_url",
 "version",
- "websocket"
- "foreach"};
+ "websocket",
+ "foreach",
+ "labels"};
 // Unicode codepoints that are allowed at the start of the unescaped name.
 const std::bitset kUnescapedNameAllowedStarts(
From dd85b428bf1f78624852d0e1b13abf4143a8d315 Mon Sep 17 00:00:00 2001
From: josipmrden
Date: Mon, 4 Jul 2022 13:54:36 +0200
Subject: [PATCH 2/7] Updated lcp file
---
 src/query/frontend/ast/ast.lcp | 5 +++--
 src/query/frontend/opencypher/grammar/MemgraphCypher.g4 | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/query/frontend/ast/ast.lcp b/src/query/frontend/ast/ast.lcp
index 33d397754..836857a4e 100644
--- a/src/query/frontend/ast/ast.lcp
+++ b/src/query/frontend/ast/ast.lcp
@@ -2253,7 +2253,7 @@ cpp<#
 (lcp:define-enum privilege (create delete match merge set remove index stats auth constraint dump replication durability read_file free_memory trigger config stream module_read module_write
- websocket)
+ websocket labels)
 (:serialize))
 #>cpp
 AuthQuery() = default;
@@ -2295,7 +2295,8 @@ const std::vector kPrivilegesAll = {
 AuthQuery::Privilege::FREE_MEMORY, AuthQuery::Privilege::TRIGGER, AuthQuery::Privilege::CONFIG, AuthQuery::Privilege::STREAM, AuthQuery::Privilege::MODULE_READ, AuthQuery::Privilege::MODULE_WRITE,
- AuthQuery::Privilege::WEBSOCKET};
+ AuthQuery::Privilege::WEBSOCKET
+ AuthQuery::Privilege::LABELS};
 cpp<#
 (lcp:define-class info-query (query)
diff --git a/src/query/frontend/opencypher/grammar/MemgraphCypher.g4 b/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
index 98d09784d..551b165e8 100644
--- a/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
+++ b/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
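Review bot: The comma added after `"websocket"` in `kKeywords` is a behaviour fix that the commit message does not mention. In the old list the adjacent literals `"websocket"` and `"foreach"` were joined by the compiler into one entry, so neither word was in the trie on its own. That changes how the stripper treats both words in existing queries, independently of the new `"labels"` entry, so I would call it out in the message and add a stripper test covering `foreach`, `websocket` and `labels`. The initializer starts above this hunk.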
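Review bot: The new `AuthQuery::Privilege::WEBSOCKET` line in `kPrivilegesAll` has lost its separator and is followed directly by `AuthQuery::Privilege::LABELS};`, which will not compile; it should read `AuthQuery::Privilege::WEBSOCKET,`. None of the later ast.lcp hunks in this series touch that line. It is also worth deciding deliberately whether LABELS belongs in this list: if the "grant all privileges" branch of visitGrantPrivilege uses `kPrivilegesAll` (not visible here), an all-privileges grant would carry LABELS with an empty label list, and what that means for access should be defined rather than left implicit.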
@@ -262,7 +262,7 @@ privilegeList : privilege ( ',' privilege )* ;
 labelList : label ( ',' label )* ;
-label: ( '*' | StringLiteral ) ;
+label : ( '*' | StringLiteral ) ;
 showPrivileges : SHOW PRIVILEGES FOR userOrRole=userOrRoleName ;
From 7e1d39bf86e7d7bb0d2a09ea6d2767cb108869b6 Mon Sep 17 00:00:00 2001
From: josipmrden
Date: Mon, 4 Jul 2022 13:59:17 +0200
Subject: [PATCH 3/7] Updated switch cases with privileges and permissions
---
 src/auth/models.hpp | 3 ++-
 src/glue/auth.cpp | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/auth/models.hpp b/src/auth/models.hpp
index 0f01c0a39..c6ed3e0ae 100644
--- a/src/auth/models.hpp
+++ b/src/auth/models.hpp
@@ -38,7 +38,8 @@ enum class Permission : uint64_t {
 STREAM = 1U << 17U,
 MODULE_READ = 1U << 18U,
 MODULE_WRITE = 1U << 19U,
- WEBSOCKET = 1U << 20U
+ WEBSOCKET = 1U << 20U,
+ LABELS = 1U << 21U
 };
 // clang-format on
diff --git a/src/glue/auth.cpp b/src/glue/auth.cpp
index 7f05d8045..650f215e8 100644
--- a/src/glue/auth.cpp
+++ b/src/glue/auth.cpp
@@ -57,6 +57,8 @@ auth::Permission PrivilegeToPermission(query::AuthQuery::Privilege privilege) {
 return auth::Permission::MODULE_WRITE;
 case query::AuthQuery::Privilege::WEBSOCKET:
 return auth::Permission::WEBSOCKET;
+ case query::AuthQuery::Privilege::LABELS:
+ return auth::Permission::LABELS;
 }
 }
 } // namespace memgraph::glue
From 38c0a08342a8602fd5a45c47e8c8a7d6793a4122 Mon Sep 17 00:00:00 2001
From: josipmrden
Date: Mon, 4 Jul 2022 14:11:30 +0200
Subject: [PATCH 4/7] Updated case which adds LABELS as Permissions
---
 src/auth/models.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/auth/models.cpp b/src/auth/models.cpp
index 54bf24da6..9720c3596 100644
--- a/src/auth/models.cpp
+++ b/src/auth/models.cpp
@@ -84,6 +84,8 @@ std::string PermissionToString(Permission permission) {
 return "MODULE_WRITE";
 case Permission::WEBSOCKET:
 return "WEBSOCKET";
+ case Permission::LABELS:
+ return "LABELS";
 }
 }
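Review bot: `LABELS = 1U << 21U` in models.hpp records the privilege as one more bit in the `Permission` mask, but a label-scoped grant is not fully described by a bit. In the visible hunks the label list exists only on the `AuthQuery` AST node (7/7), and nothing shows it being stored with the user or role. I would add a comment on the enumerator stating the intended meaning, for example `// LABELS is scoped by a label list kept outside this mask; TODO: define what the bit means with no list`, and have whatever enforces it treat a set bit with no list as granting no access. Any list of all permissions kept elsewhere in models.cpp would also need the new value; that is outside these hunks.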
From 11d60c203ea83a945284aea54884dbe393540a90 Mon Sep 17 00:00:00 2001
From: josipmrden
Date: Mon, 4 Jul 2022 14:16:50 +0200
Subject: [PATCH 5/7] Updated CypherLexer for LABELS
---
 src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4 b/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4
index a98aa8630..3f21cccf0 100644
--- a/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4
+++ b/src/query/frontend/opencypher/grammar/MemgraphCypherLexer.g4
@@ -66,7 +66,7 @@ IDENTIFIED : I D E N T I F I E D ;
 IGNORE : I G N O R E ;
 ISOLATION : I S O L A T I O N ;
 KAFKA : K A F K A ;
-LabelsTest : L A B E L S ;
+LABELS : L A B E L S ;
 LEVEL : L E V E L ;
 LOAD : L O A D ;
 LOCK : L O C K ;
From 0c8b35b1514972a0888d3fa8ffae0d877e473fe3 Mon Sep 17 00:00:00 2001
From: josipmrden
Date: Mon, 4 Jul 2022 14:25:28 +0200
Subject: [PATCH 6/7] Added accepting visiting privilege to labels
---
 src/query/frontend/ast/cypher_main_visitor.cpp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/query/frontend/ast/cypher_main_visitor.cpp b/src/query/frontend/ast/cypher_main_visitor.cpp
index f4a269dfd..62a7aa338 100644
--- a/src/query/frontend/ast/cypher_main_visitor.cpp
+++ b/src/query/frontend/ast/cypher_main_visitor.cpp
@@ -1355,6 +1355,7 @@ antlrcpp::Any CypherMainVisitor::visitPrivilege(MemgraphCypher::PrivilegeContext
 if (ctx->MODULE_READ()) return AuthQuery::Privilege::MODULE_READ;
 if (ctx->MODULE_WRITE()) return AuthQuery::Privilege::MODULE_WRITE;
 if (ctx->WEBSOCKET()) return AuthQuery::Privilege::WEBSOCKET;
+ if (ctx->LABELS()) return AuthQuery::Privilege::LABELS;
 LOG_FATAL("Should not get here - unknown privilege!");
 }
From 86a15331d164487291404bd4f2c0a964bd9b117e Mon Sep 17 00:00:00 2001
From: josipmrden
Date: Mon, 4 Jul 2022 16:49:23 +0200
Subject: [PATCH 7/7] Added saving of labels to AuthQuery
---
 src/query/frontend/ast/ast.lcp | 6 +++--
 .../frontend/ast/cypher_main_visitor.cpp | 27 +++++++++++++++++--
 .../frontend/ast/cypher_main_visitor.hpp | 5 ++++
 .../opencypher/grammar/MemgraphCypher.g4 | 2 +-
 4 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/src/query/frontend/ast/ast.lcp b/src/query/frontend/ast/ast.lcp
index 836857a4e..a618adf69 100644
--- a/src/query/frontend/ast/ast.lcp
+++ b/src/query/frontend/ast/ast.lcp
@@ -2239,6 +2239,7 @@ cpp<#
 (user "std::string" :scope :public)
 (role "std::string" :scope :public)
 (user-or-role "std::string" :scope :public)
+ (labels "std::vector" :scope :public)
 (password "Expression *" :initval "nullptr" :scope :public :slk-save #'slk-save-ast-pointer :slk-load (slk-load-ast-pointer "Expression"))
@@ -2264,13 +2265,14 @@ cpp<#
 #>cpp
 AuthQuery(Action action, std::string user, std::string role, std::string user_or_role, Expression *password,
- std::vector privileges)
+ std::vector privileges, std::vector labels)
 : action_(action),
 user_(user),
 role_(role),
 user_or_role_(user_or_role),
 password_(password),
- privileges_(privileges) {}
+ privileges_(privileges),
+ labels_(labels) {}
 cpp<#)
 (:private
 #>cpp
diff --git a/src/query/frontend/ast/cypher_main_visitor.cpp b/src/query/frontend/ast/cypher_main_visitor.cpp
index 62a7aa338..162552b0f 100644
--- a/src/query/frontend/ast/cypher_main_visitor.cpp
+++ b/src/query/frontend/ast/cypher_main_visitor.cpp
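Review bot: The new `labels` member in ast.lcp is added without any statement of what its entries mean, and that matters for an access-control field. From the visitor in this patch, the wildcard is stored as the literal string `"*"` next to ordinary names, and every query that does not mention LABELS leaves the vector empty. I would document that on the member, along the lines of `"*" stands for every label; an empty list means the query names no labels`, so later enforcement code does not have to guess whether empty means "none" or "all". The constructor hunk also adds `labels` as a required argument, so existing callers of the full constructor (outside this diff) need updating.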
@@ -1285,7 +1285,11 @@ antlrcpp::Any CypherMainVisitor::visitGrantPrivilege(MemgraphCypher::GrantPrivil
 auth->user_or_role_ = ctx->userOrRole->accept(this).as();
 if (ctx->privilegeList()) {
 for (auto *privilege : ctx->privilegeList()->privilege()) {
- auth->privileges_.push_back(privilege->accept(this));
+ if (privilege->LABELS()) {
+ auth->labels_ = privilege->labelList()->accept(this).as>();
+ } else {
+ auth->privileges_.push_back(privilege->accept(this));
+ }
 }
 } else {
 /* grant all privileges */
@@ -1330,6 +1334,22 @@ antlrcpp::Any CypherMainVisitor::visitRevokePrivilege(MemgraphCypher::RevokePriv
 return auth;
 }
+/**
+ * @return AuthQuery*
+ */
+antlrcpp::Any CypherMainVisitor::visitLabelList(MemgraphCypher::LabelListContext *ctx) {
+ std::vector labels;
+ for (auto *label : ctx->label()) {
+ if (label->ASTERISK()) {
+ labels.push_back("*");
+ } else {
+ labels.push_back(label->symbolicName()->accept(this).as());
+ }
+ }
+
+ return labels;
+}
+
 /**
 * @return AuthQuery::Privilege
 */
@@ -1355,7 +1375,10 @@ antlrcpp::Any CypherMainVisitor::visitPrivilege(MemgraphCypher::PrivilegeContext
 if (ctx->MODULE_READ()) return AuthQuery::Privilege::MODULE_READ;
 if (ctx->MODULE_WRITE()) return AuthQuery::Privilege::MODULE_WRITE;
 if (ctx->WEBSOCKET()) return AuthQuery::Privilege::WEBSOCKET;
- if (ctx->LABELS()) return AuthQuery::Privilege::LABELS;
+ if (ctx->LABELS()) {
+ // fill labels in authquery
+ return AuthQuery::Privilege::LABELS;
+ }
 LOG_FATAL("Should not get here - unknown privilege!");
 }
diff --git a/src/query/frontend/ast/cypher_main_visitor.hpp b/src/query/frontend/ast/cypher_main_visitor.hpp
index 2a6b8ff5e..2fdd22b88 100644
--- a/src/query/frontend/ast/cypher_main_visitor.hpp
+++ b/src/query/frontend/ast/cypher_main_visitor.hpp
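Review bot: In the new `if (privilege->LABELS())` branch of visitGrantPrivilege the label list is assigned with `auth->labels_ = ...`, so a privilege list that names LABELS twice keeps only the last list, and `AuthQuery::Privilege::LABELS` itself is never pushed into `privileges_`. If both are intended, a comment should say so; otherwise append with `auth->labels_.insert(auth->labels_.end(), labels.begin(), labels.end());` and record the privilege as well. The same special-casing is not visible for visitRevokePrivilege (only its tail is in this diff) or any other visitor that walks `privilegeList`; if they still call `privilege->accept(this)`, a revoke naming LABELS would parse but drop the label list, which for an access-control statement should be rejected rather than silently ignored. The function body starts above the hunk.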
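Review bot: visitLabelList stores the wildcard as the plain string `"*"` in the same vector as real label names, so the two cannot be told apart afterwards. If `symbolicName` admits an escaped name that spells `*` (the rule is outside this diff), a label actually called `*` would be read as "all labels" and widen the grant; a separate flag, or a sentinel that cannot be a valid name, avoids that. The doc comments are also wrong: this one says `@return AuthQuery*` and the declaration in cypher_main_visitor.hpp says `@return AuthQuery::LabelList`, while the function returns the local vector of strings, so both should read `@return std::vector<std::string>`.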
@@ -473,6 +473,11 @@ class CypherMainVisitor : public antlropencypher::MemgraphCypherBaseVisitor {
 */
 antlrcpp::Any visitPrivilege(MemgraphCypher::PrivilegeContext *ctx) override;
+ /**
+ * @return AuthQuery::LabelList
+ */
+ antlrcpp::Any visitLabelList(MemgraphCypher::LabelListContext *ctx) override;
+
 /**
 * @return AuthQuery*
 */
diff --git a/src/query/frontend/opencypher/grammar/MemgraphCypher.g4 b/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
index 551b165e8..12d54a916 100644
--- a/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
+++ b/src/query/frontend/opencypher/grammar/MemgraphCypher.g4
@@ -262,7 +262,7 @@ privilegeList : privilege ( ',' privilege )* ;
 labelList : label ( ',' label )* ;
-label : ( '*' | StringLiteral ) ;
+label : ( '*' | symbolicName ) ;
 showPrivileges : SHOW PRIVILEGES FOR userOrRole=userOrRoleName ;
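Review bot: Switching `label` from `StringLiteral` to `symbolicName` makes the comma after a label ambiguous between `labelList` and `privilegeList`, since both use `','` as their separator. If `symbolicName` accepts keywords as names (the `memgraphCypherKeyword` rule suggests it does, but its definition is outside this diff), then in a list such as `LABELS a, CREATE` the word CREATE can be consumed as a second label instead of a privilege, so the grant that is recorded differs from the one that was written. I would delimit the list, for example `LABELS '(' labels=labelList ')'`, or at least add parser tests that fix the behaviour for a LABELS clause followed by further privileges.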