synapse 2.164.0__py311-none-any.whl → 2.166.0__py311-none-any.whl

synapse/lib/nexus.py

@@ -12,9 +12,12 @@ import synapse.common as s_common
 import synapse.telepath as s_telepath
 
 import synapse.lib.base as s_base
+import synapse.lib.version as s_version
 
 logger = logging.getLogger(__name__)
 
+leaderversion = 'Leader is a higher version than we are.'
+
 # As a mirror follower, amount of time before giving up on a write request
 FOLLOWER_WRITE_WAIT_S = 30.0
 
@@ -86,7 +89,7 @@ class NexsRoot(s_base.Base):
         self.started = False
         self.celliden = self.cell.iden
         self.readonly = False
-        self.readonlyreason = None
+        self.writeholds = set()
 
         self.applytask = None
         self.applylock = asyncio.Lock()
@@ -266,23 +269,47 @@ class NexsRoot(s_base.Base):
         except Exception:
             logger.exception('Exception while replaying log')
 
-    def setReadOnly(self, readonly, reason=None):
-        self.readonly = readonly
-        self.readonlyreason = reason
+    async def addWriteHold(self, reason):
+
+        self.readonly = True
+
+        if reason not in self.writeholds:
+            logger.error(f'Entering Read-Only Mode: {reason}')
+            self.writeholds.add(reason)
+            return True
+
+        return False
+
+    async def delWriteHold(self, reason):
+
+        if reason in self.writeholds:
+
+            self.writeholds.remove(reason)
+
+            if not self.writeholds:
+                self.readonly = False
+
+            return True
+
+        return False
+
+    def reqNotReadOnly(self):
+
+        if not self.readonly:
+            return
+
+        # sets have stable order like dicts, so use the first message...
+        for reason in self.writeholds:
+            raise s_exc.IsReadOnly(mesg=reason)
+
+        mesg = 'Unable to issue Nexus events when readonly is set.'
+        raise s_exc.IsReadOnly(mesg=mesg)
 
     async def issue(self, nexsiden, event, args, kwargs, meta=None):
         '''
         If I'm not a follower, mutate, otherwise, ask the leader to make the change and wait for the follower loop
         to hand me the result through a future.
         '''
-        assert self.started, 'Attempt to issue before nexsroot is started'
-
-        if self.readonly:
-            mesg = self.readonlyreason
-            if mesg is None:
-                mesg = 'Unable to issue Nexus events when readonly is set.'
-
-            raise s_exc.IsReadOnly(mesg=mesg)
 
         # pick up a reference to avoid race when we eventually can promote
         client = self.client
@@ -290,6 +317,10 @@ class NexsRoot(s_base.Base):
         if client is None:
             return await self.eat(nexsiden, event, args, kwargs, meta)
 
+        # check here because we shouldn't be sending an edit upstream if we
+        # are in readonly mode because the mirror sync will never complete.
+        self.reqNotReadOnly()
+
         try:
             await client.waitready(timeout=FOLLOWER_WRITE_WAIT_S)
         except asyncio.TimeoutError:
@@ -315,6 +346,7 @@ class NexsRoot(s_base.Base):
             meta = {}
 
         async with self.applylock:
+            self.reqNotReadOnly()
             # Keep a reference to the shielded task to ensure it isn't GC'd
             self.applytask = asyncio.create_task(self._eat((nexsiden, event, args, kwargs, meta)))
             return await asyncio.shield(self.applytask)
@@ -470,7 +502,15 @@ class NexsRoot(s_base.Base):
         if features.get('dynmirror'):
             await proxy.readyToMirror()
 
-        cellvers = cellinfo['synapse']['version']
+        cellvers = cellinfo['cell']['version']
+        if cellvers > self.cell.VERSION:
+            logger.error('Leader is a higher version than we are. Mirrors must be updated first. Entering read-only mode.')
+            await self.addWriteHold(leaderversion)
+            # this will fire again on reconnect...
+            return
+
+        # When we reconnect and the leader version has become ok...
+        await self.delWriteHold(leaderversion)
 
         if self.celliden is not None:
             if self.celliden != await proxy.getCellIden():
@@ -482,6 +522,11 @@ class NexsRoot(s_base.Base):
         while not proxy.isfini:
 
             try:
+
+                if self.readonly:
+                    await self.waitfini(timeout=2)
+                    continue
+
                 offs = self.nexslog.index()
 
                 opts = {}
@@ -491,14 +536,12 @@ class NexsRoot(s_base.Base):
                 genr = proxy.getNexusChanges(offs, **opts)
                 async for item in genr:
 
-                    if self.readonly:
-                        logger.error('Unable to consume Nexus events when readonly is set')
-                        await self.client.fini()
-                        return
-
                     if proxy.isfini:  # pragma: no cover
                         break
 
+                    if self.readonly:
+                        break
+
                     # with tellready we move to ready=true when we get a None
                     if item is None:
                         logger.info(f'Entering realtime change window for syncing data at offset={offs}')
@@ -519,9 +562,6 @@ class NexsRoot(s_base.Base):
                     try:
                         retn = await self.eat(*args)
 
-                    except asyncio.CancelledError:  # pragma: no cover  TODO:  remove once >= py 3.8 only
-                        raise
-
                     except Exception as e:
                         if respfutu is not None:
                             assert not respfutu.done()
@@ -533,9 +573,6 @@ class NexsRoot(s_base.Base):
                         if respfutu is not None:
                             respfutu.set_result(retn)
 
-            except asyncio.CancelledError:  # pragma: no cover  TODO:  remove once >= py 3.8 only
-                raise
-
             except Exception:  # pragma: no cover
                 logger.exception('error in mirror loop')
 
@@ -552,10 +589,11 @@ class NexsRoot(s_base.Base):
 
         try:
             await self.cell.ahaclient.waitready(timeout=5)
-            ahainfo = await self.cell.ahaclient.getCellInfo()
+            proxy = await self.cell.ahaclient.proxy(timeout=5)
+            ahainfo = await proxy.getCellInfo()
             ahavers = ahainfo['synapse']['version']
             if self.cell.ahasvcname is not None and ahavers >= (2, 95, 0):
-                await self.cell.ahaclient.modAhaSvcInfo(self.cell.ahasvcname, {'ready': status})
+                await proxy.modAhaSvcInfo(self.cell.ahasvcname, {'ready': status})
 
         except asyncio.CancelledError:  # pragma: no cover  TODO:  remove once >= py 3.8 only
             raise

synapse/lib/parser.py

@@ -72,6 +72,7 @@ terminalEnglishMap = {
     'MODSET': '+= or -=',
     'NONQUOTEWORD': 'unquoted value',
     'NOT': 'not',
+    'NULL': 'null',
     'NUMBER': 'number',
     'OCTNUMBER': 'number',
     'OR': 'or',
@@ -618,6 +619,7 @@ terminalClassMap = {
     'HEXNUMBER': lambda astinfo, x: s_ast.Const(astinfo, s_ast.parseNumber(x)),
     'OCTNUMBER': lambda astinfo, x: s_ast.Const(astinfo, s_ast.parseNumber(x)),
     'BOOL': lambda astinfo, x: s_ast.Bool(astinfo, x == 'true'),
+    'NULL': lambda astinfo, x: s_ast.Const(astinfo, None),
     'SINGLEQUOTEDSTRING': lambda astinfo, x: s_ast.Const(astinfo, x[1:-1]),  # drop quotes
     'NONQUOTEWORD': massage_vartokn,
     'VARTOKN': massage_vartokn,

synapse/lib/schemas.py

@@ -40,6 +40,7 @@ _HttpExtAPIConfSchema = {
         'name': {'type': 'string', 'default': ''},
         'desc': {'type': 'string', 'default': ''},
         'path': {'type': 'string', 'minlen': 1},
+        'pool': {'type': 'boolean', 'default': False},
         'view': {'type': 'string', 'pattern': s_config.re_iden},
         'runas': {'type': 'string', 'pattern': '^(owner|user)$'},
         'owner': {'type': 'string', 'pattern': s_config.re_iden},
@@ -93,6 +94,7 @@ _CronJobSchema = {
         'iden': {'type': 'string', 'pattern': s_config.re_iden},
         'view': {'type': 'string', 'pattern': s_config.re_iden},
         'name': {'type': 'string'},
+        'pool': {'type': 'boolean'},
         'doc': {'type': 'string'},
         'incunit': {
             'oneOf': [
@@ -203,6 +205,7 @@ reqValidMerge = s_config.getJsValidator({
         'creator': {'type': 'string', 'pattern': s_config.re_iden},
         'created': {'type': 'number', 'minval': 0},
         'comment': {'type': 'string'},
+        'updated': {'type': 'number', 'minval': 0},
     },
     'required': ['iden', 'creator', 'created'],
     'additionalProperties': False,
@@ -216,6 +219,7 @@ reqValidVote = s_config.getJsValidator({
         'created': {'type': 'number', 'minval': 0},
         'approved': {'type': 'boolean'},
         'comment': {'type': 'string'},
+        'updated': {'type': 'number', 'minval': 0},
     },
     'required': ['user', 'offset', 'created', 'approved'],
     'additionalProperties': False,
@@ -273,3 +277,13 @@ reqValidSslCtxOpts = s_config.getJsValidator({
     },
     'additionalProperties': False,
 })
+
+_stormPoolOptsSchema = {
+    'type': 'object',
+    'properties': {
+        'timeout:sync': {'type': 'integer', 'minimum': 1},
+        'timeout:connection': {'type': 'integer', 'minimum': 1},
+    },
+    'additionalProperties': False,
+}
+reqValidStormPoolOpts = s_config.getJsValidator(_stormPoolOptsSchema)

synapse/lib/snap.py

@@ -209,6 +209,27 @@ class ProtoNode:
         if tagnode is not s_common.novalu:
             return self.ctx.loadNode(tagnode)
 
+        # check for an :isnow tag redirection in our hierarchy...
+        toks = info.get('toks')
+        for i in range(len(toks)):
+
+            toktag = '.'.join(toks[:i + 1])
+            toknode = await self.ctx.snap.getTagNode(toktag)
+            if toknode is s_common.novalu:
+                continue
+
+            tokvalu = toknode.ndef[1]
+            if tokvalu == toktag:
+                continue
+
+            realnow = tokvalu + norm[len(toktag):]
+            tagnode = await self.ctx.snap.getTagNode(realnow)
+            if tagnode is not s_common.novalu:
+                return self.ctx.loadNode(tagnode)
+
+            norm, info = await self.ctx.snap.getTagNorm(realnow)
+            break
+
         return await self.ctx.addNode('syn:tag', norm, norminfo=info)
 
     def getTag(self, tag):
@@ -619,10 +640,6 @@ class Snap(s_base.Base):
 
         self.changelog = []
         self.tagtype = self.core.model.type('ival')
-        self.trigson = self.core.trigson
-
-    def disableTriggers(self):
-        self.trigson = False
 
     async def getSnapMeta(self):
         '''
@@ -661,6 +678,33 @@ class Snap(s_base.Base):
         self.onfini(runt)
         return runt
 
+    async def _joinEmbedStor(self, storage, embeds):
+        for nodePath, relProps in embeds.items():
+            await asyncio.sleep(0)
+            iden = relProps.get('*')
+            if not iden:
+                continue
+
+            stor = await self.view.getStorNodes(s_common.uhex(iden))
+            for relProp in relProps.keys():
+                await asyncio.sleep(0)
+                if relProp == '*':
+                    continue
+
+                for idx, layrstor in enumerate(stor):
+                    await asyncio.sleep(0)
+                    props = layrstor.get('props')
+                    if not props:
+                        continue
+
+                    if relProp not in props:
+                        continue
+
+                    if 'embeds' not in storage[idx]:
+                        storage[idx]['embeds'] = {}
+
+                    storage[idx]['embeds'][f'{nodePath}::{relProp}'] = props[relProp]
+
     async def iterStormPodes(self, text, opts, user=None):
         '''
         Yield packed node tuples for the given storm query text.
@@ -703,6 +747,8 @@ class Snap(s_base.Base):
                 embdef = embeds.get(node.form.name)
                 if embdef is not None:
                     pode[1]['embeds'] = await node.getEmbeds(embdef)
+                    if show_storage:
+                        await self._joinEmbedStor(pode[1]['storage'], pode[1]['embeds'])
 
             yield pode
 

synapse/lib/storm.lark

@@ -56,8 +56,8 @@ edittagpropset: "+" tagprop (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYSETPLUS
 edittagpropdel: EXPRMINUS tagprop
 EQSPACE: /((?<=\s)=|=(?=\s))/
 MODSET.4: "+=" | "-="
-TRYSETPLUS: "?+="
-TRYSETMINUS: "?-="
+TRYSETPLUS.1: "?+="
+TRYSETMINUS.1: "?-="
 TRYSET.1: "?="
 SETTAGOPER: "?"
 
@@ -308,7 +308,7 @@ evalvalu: _valu
 exprdict: "{" ((_exprvalu | VARTOKN)  (":" | _EXPRCOLONNOSPACE) (_exprvalu | VARTOKN) ("," (_exprvalu | VARTOKN) (":" | _EXPRCOLONNOSPACE) (_exprvalu | VARTOKN))* ","? )? "}"
 exprlist: "[" ((_exprvalu | VARTOKN) ("," (_exprvalu | VARTOKN))* ","? )? "]"
 // Just like _valu, but doesn't allow valu lists or unquoted strings or queries
-_exprvalu: NUMBER | HEXNUMBER | OCTNUMBER | BOOL | exprlist | exprdict | _exprvarvalu | exprrelpropvalu
+_exprvalu: NUMBER | HEXNUMBER | OCTNUMBER | BOOL | NULL | exprlist | exprdict | _exprvarvalu | exprrelpropvalu
     | exprunivpropvalu | exprtagvalu | exprtagpropvalu | TRIPLEQUOTEDSTRING | DOUBLEQUOTEDSTRING
     | SINGLEQUOTEDSTRING | formatstring | _innerdollarexprs
 
@@ -590,6 +590,7 @@ OCTNUMBER.1: /
 /x
 
 BOOL.2: /(true|false)(?=$|[\s\),\]}\|\=])/
+NULL.2: "null"
 NOT.2: "not"
 OR.2: "or"
 AND.2: "and"

synapse/lib/storm.py

@@ -27,8 +27,8 @@ import synapse.lib.msgpack as s_msgpack
 import synapse.lib.spooled as s_spooled
 import synapse.lib.version as s_version
 import synapse.lib.hashitem as s_hashitem
+import synapse.lib.hiveauth as s_hiveauth
 import synapse.lib.stormctrl as s_stormctrl
-import synapse.lib.provenance as s_provenance
 import synapse.lib.stormtypes as s_stormtypes
 
 import synapse.lib.stormlib.graph as s_stormlib_graph
@@ -225,6 +225,7 @@ reqValidPkgdef = s_config.getJsValidator({
             },
             'required': ['cert', 'sign'],
         },
+        # TODO: Remove me after Synapse 3.0.0.
         'synapse_minversion': {
             'type': ['array', 'null'],
             'items': {'type': 'number'}
@@ -1206,6 +1207,8 @@ stormcmds = (
         'descr': addcrondescr,
         'cmdargs': (
             ('query', {'help': 'Query for the cron job to execute.'}),
+            ('--pool', {'action': 'store_true', 'default': False,
+                'help': 'Allow the cron job to be run by a mirror from the query pool.'}),
             ('--minute', {'help': 'Minute value for job or recurrence period.'}),
             ('--name', {'help': 'An optional name for the cron job.'}),
             ('--doc', {'help': 'An optional doc string for the cron job.'}),
@@ -1225,6 +1228,7 @@ stormcmds = (
                                   minute=$cmdopts.minute,
                                   hour=$cmdopts.hour,
                                   day=$cmdopts.day,
+                                  pool=$cmdopts.pool,
                                   month=$cmdopts.month,
                                   year=$cmdopts.year,
                                   hourly=$cmdopts.hourly,
@@ -1372,6 +1376,7 @@ stormcmds = (
                 $lib.print('iden:            {iden}', iden=$job.iden)
                 $lib.print('user:            {user}', user=$job.user)
                 $lib.print('enabled:         {enabled}', enabled=$job.enabled)
+                $lib.print(`pool:            {$job.pool}`)
                 $lib.print('recurring:       {isrecur}', isrecur=$job.isrecur)
                 $lib.print('# starts:        {startcount}', startcount=$job.startcount)
                 $lib.print('# errors:        {errcount}', errcount=$job.errcount)
@@ -1824,6 +1829,8 @@ class Runtime(s_base.Base):
     opaque object which is called through, but not dereferenced.
 
     '''
+
+    _admin_reason = s_hiveauth._allowedReason(True, isadmin=True)
     async def __anit__(self, query, snap, opts=None, user=None, root=None):
 
         await s_base.Base.__anit__(self)
@@ -2187,25 +2194,93 @@ class Runtime(s_base.Base):
 
         return self.user.allowed(perms, gateiden=gateiden, default=default)
 
+    def allowedReason(self, perms, gateiden=None, default=None):
+        '''
+        Similar to allowed, but always prefer the default value specified by the caller.
+        Default values are still pulled from permdefs if there is a match there; but still prefer caller default.
+        This results in a ternary response that can be used to know if a rule had a positive/negative or no match.
+        The matching reason metadata is also returned.
+        '''
+        if self.asroot:
+            return self._admin_reason
+
+        if default is None:
+            permdef = self.snap.core.getPermDef(perms)
+            if permdef:
+                default = permdef.get('default', default)
+
+        return self.user.getAllowedReason(perms, gateiden=gateiden, default=default)
+
     def confirmPropSet(self, prop, layriden=None):
 
         if layriden is None:
             layriden = self.snap.wlyr.iden
 
-        if any(self.allowed(perm, gateiden=self.snap.wlyr.iden) for perm in prop.setperms):
+        meta0 = self.allowedReason(prop.setperms[0], gateiden=layriden)
+
+        if meta0.isadmin:
             return
 
-        self.user.raisePermDeny(prop.setperms[-1], gateiden=layriden)
+        allowed0 = meta0.value
+
+        meta1 = self.allowedReason(prop.setperms[1], gateiden=layriden)
+        allowed1 = meta1.value
+
+        if allowed0:
+            if allowed1:
+                return
+            elif allowed1 is False:
+                # This is a allow-with-precedence case.
+                # Inspect meta to determine if the rule a0 is more specific than rule a1
+                if len(meta0.rule) >= len(meta1.rule):
+                    return
+                self.user.raisePermDeny(prop.setperms[0], gateiden=layriden)
+            return
+
+        if allowed1:
+            if allowed0 is None:
+                return
+            # allowed0 here is False. This is a deny-with-precedence case.
+            # Inspect meta to determine if the rule a1 is more specific than rule a0
+            if len(meta1.rule) > len(meta0.rule):
+                return
+
+        self.user.raisePermDeny(prop.setperms[0], gateiden=layriden)
 
     def confirmPropDel(self, prop, layriden=None):
 
         if layriden is None:
             layriden = self.snap.wlyr.iden
 
-        if any(self.allowed(perm, gateiden=self.snap.wlyr.iden) for perm in prop.delperms):
+        meta0 = self.allowedReason(prop.delperms[0], gateiden=layriden)
+
+        if meta0.isadmin:
+            return
+
+        allowed0 = meta0.value
+        meta1 = self.allowedReason(prop.delperms[1], gateiden=layriden)
+        allowed1 = meta1.value
+
+        if allowed0:
+            if allowed1:
+                return
+            elif allowed1 is False:
+                # This is a allow-with-precedence case.
+                # Inspect meta to determine if the rule a0 is more specific than rule a1
+                if len(meta0.rule) >= len(meta1.rule):
+                    return
+                self.user.raisePermDeny(prop.delperms[0], gateiden=layriden)
             return
 
-        self.user.raisePermDeny(prop.delperms[-1], gateiden=layriden)
+        if allowed1:
+            if allowed0 is None:
+                return
+            # allowed0 here is False. This is a deny-with-precedence case.
+            # Inspect meta to determine if the rule a1 is more specific than rule a0
+            if len(meta1.rule) > len(meta0.rule):
+                return
+
+        self.user.raisePermDeny(prop.delperms[0], gateiden=layriden)
 
     def confirmEasyPerm(self, item, perm, mesg=None):
         if not self.asroot:
@@ -2238,27 +2313,26 @@ class Runtime(s_base.Base):
 
     async def execute(self, genr=None):
         try:
-            with s_provenance.claim('storm', q=self.query.text, user=self.user.iden):
 
-                async with contextlib.aclosing(self.query.iterNodePaths(self, genr=genr)) as nodegenr:
-                    nodegenr, empty = await s_ast.pullone(nodegenr)
+            async with contextlib.aclosing(self.query.iterNodePaths(self, genr=genr)) as nodegenr:
+                nodegenr, empty = await s_ast.pullone(nodegenr)
 
-                    if empty:
-                        return
+                if empty:
+                    return
 
-                    rules = self.opts.get('graph')
-                    if rules not in (False, None):
-                        if rules is True:
-                            rules = {'degrees': None, 'refs': True}
-                        elif isinstance(rules, str):
-                            rules = await self.snap.core.getStormGraph(rules)
+                rules = self.opts.get('graph')
+                if rules not in (False, None):
+                    if rules is True:
+                        rules = {'degrees': None, 'refs': True}
+                    elif isinstance(rules, str):
+                        rules = await self.snap.core.getStormGraph(rules)
 
-                        subgraph = s_ast.SubGraph(rules)
-                        nodegenr = subgraph.run(self, nodegenr)
+                    subgraph = s_ast.SubGraph(rules)
+                    nodegenr = subgraph.run(self, nodegenr)
 
-                    async for item in nodegenr:
-                        self.tick()
-                        yield item
+                async for item in nodegenr:
+                    self.tick()
+                    yield item
 
         except RecursionError:
             mesg = 'Maximum Storm pipeline depth exceeded.'
@@ -3589,7 +3663,7 @@ class CopyToCmd(Cmd):
 
                 runt.confirm(node.form.addperm, gateiden=layriden)
                 for name in node.props.keys():
-                    runt.confirmPropSet(node.form.props[name])
+                    runt.confirmPropSet(node.form.props[name], layriden=layriden)
 
                 for tag in node.tags.keys():
                     runt.confirm(('node', 'tag', 'add', *tag.split('.')), gateiden=layriden)

synapse/lib/storm_format.py

@@ -55,6 +55,7 @@ TerminalPygMap = {
     'MODSET': p_t.Operator,
     'NONQUOTEWORD': p_t.Literal,
     'NOT': p_t.Keyword,
+    'NULL': p_t.Keyword,
     'NUMBER': p_t.Literal.Number,
     'OCTNUMBER': p_t.Literal.Number,
     'OR': p_t.Keyword,

synapse/lib/stormlib/aha.py

@@ -35,6 +35,7 @@ class AhaPoolLib(s_stormtypes.Lib):
         if poolinfo is not None:
             return AhaPool(self.runt, poolinfo)
 
+    @s_stormtypes.stormfunc(readonly=True)
     async def list(self):
 
         self.runt.reqAdmin()
@@ -45,6 +46,9 @@ class AhaPoolLib(s_stormtypes.Lib):
 
 @s_stormtypes.registry.registerType
 class AhaPool(s_stormtypes.StormType):
+    '''
+    Implements the Storm API for an AHA pool.
+    '''
     _storm_typename = 'aha:pool'
 
     def __init__(self, runt, poolinfo):
@@ -57,6 +61,9 @@ class AhaPool(s_stormtypes.StormType):
             'del': self._del,
         })
 
+    async def stormrepr(self):
+        return f'{self._storm_typename}: {self.poolinfo.get("name")}'
+
     async def _derefGet(self, name):
         return self.poolinfo.get(name)
 
@@ -94,7 +101,6 @@ stormcmds = (
         for $pool in $lib.aha.pool.list() {
             $count = ($count + 1)
             $lib.print(`Pool: {$pool.name}`)
-            $lib.print($pool)
             for ($svcname, $svcinfo) in $pool.services {
                 $lib.print(`    {$svcname}`)
             }

synapse/lib/stormlib/auth.py

@@ -1192,7 +1192,8 @@ class User(s_stormtypes.Prim):
 
         perm = tuple(permname.split('.'))
         user = await self.runt.snap.core.auth.reqUser(self.valu)
-        return user.getAllowedReason(perm, gateiden=gateiden, default=default)
+        reason = user.getAllowedReason(perm, gateiden=gateiden, default=default)
+        return reason.value, reason.mesg
 
     async def _methUserGrant(self, iden, indx=None):
         self.runt.confirm(('auth', 'user', 'grant'))
@@ -1226,6 +1227,11 @@ class User(s_stormtypes.Prim):
         indx = await s_stormtypes.toint(indx, noneok=True)
         gateiden = await s_stormtypes.tostr(gateiden, noneok=True)
         self.runt.confirm(('auth', 'user', 'set', 'rules'), gateiden=gateiden)
+        # TODO: Remove me in 3.0.0
+        if gateiden == 'cortex':
+            mesg = f'Adding rule on the "cortex" authgate. This authgate is not used ' \
+                   f'for permission checks and will be removed in Synapse v3.0.0.'
+            await self.runt.snap.warn(mesg, log=False)
         await self.runt.snap.core.addUserRule(self.valu, rule, indx=indx, gateiden=gateiden)
 
     async def _methUserDelRule(self, rule, gateiden=None):
@@ -1479,6 +1485,11 @@ class Role(s_stormtypes.Prim):
         indx = await s_stormtypes.toint(indx, noneok=True)
         gateiden = await s_stormtypes.tostr(gateiden, noneok=True)
         self.runt.confirm(('auth', 'role', 'set', 'rules'), gateiden=gateiden)
+        # TODO: Remove me in 3.0.0
+        if gateiden == 'cortex':
+            mesg = f'Adding rule on the "cortex" authgate. This authgate is not used ' \
+                   f'for permission checks and will be removed in Synapse v3.0.0.'
+            await self.runt.snap.warn(mesg, log=False)
         await self.runt.snap.core.addRoleRule(self.valu, rule, indx=indx, gateiden=gateiden)
 
     async def _methRoleDelRule(self, rule, gateiden=None):
@@ -1557,10 +1568,7 @@ class LibAuth(s_stormtypes.Lib):
     @s_stormtypes.stormfunc(readonly=True)
     async def textFromRule(self, rule):
         rule = await s_stormtypes.toprim(rule)
-        text = '.'.join(rule[1])
-        if not rule[0]:
-            text = '!' + text
-        return text
+        return s_common.reprauthrule(rule)
 
     @s_stormtypes.stormfunc(readonly=True)
     async def getPermDefs(self):