Database-level access control (valkey-io#2309)

## API changes and user behavior:

- [x] Default behavior for database access.

Default is `alldbs` permissions.

### Database Permissions (`db=`)
- [x] Accessing particular database

```
> ACL SETUSER test1 on +@ALL ~* resetdbs db=0,1 nopass
"user test1 on nopass sanitize-payload ~* resetchannels db=0,1 +@ALL"
```

- [x] (Same behavior without usage of `resetdbs`)
```
> ACL SETUSER test1 on +@ALL ~* db=0,1 nopass
"user test1 on nopass sanitize-payload ~* resetchannels db=0,1 +@ALL"
```

- [x] Multiple selector can be provided
```
> ACL SETUSER test1 on nopass (db=0,1 +@Write +select ~*) (db=2,3 +@READ +select ~*)
"user test1 on nopass sanitize-payload resetchannels alldbs -@ALL (~* resetchannels db=0,1 -@ALL +@Write +select) (~* resetchannels db=2,3 -@ALL +@READ +select)"
```

- [x] Restricting special commands which access databases as part of the
command.

The user needs to have access to both the commands and db(s) part of the
command to run these commands.

1. SWAPDB
2. SELECT
3. MOVE - (Select command would have went through for the source
database). Have access for the target database.
4. COPY

- [x] Restricting special commands which doesn't specify database
number, however, accesses multiple databases.

The user needs to have access to both the commands and all databases
(`alldbs`) to run these commands.

1. FLUSHALL - Access all databases
2. CLUSTER commands that access all databases:
    - CANCELSLOTMIGRATIONS
    - MIGRATESLOTS

- [x] New connection establishment behavior
New client connection gets established to DB 0 by default.
Authentication and authorisation are decoupled and the user can
connect/authenticate and further perform `SELECT` or other operation
that do not access keyspace.

(Do we want to extend HELLO?) Alternative suggestion by @madolson:
Extend `HELLO` command to pass the dbid to which the user should get
connected after authentication if they have right set of permission. I
think it will become a long poll for adoption.

- [x] Observability
Extend `ACL LOG` to log user which received denied permission error
while accessing a database.

- [x] Module API
* Introduce module API `int VM_ACLCheckPermissions(ValkeyModuleUser
*user, ValkeyModuleString **argv, int argc, int dbid,
ValkeyModuleACLLogEntryReason *denial_reason);`
* Stop support of `VM_ACLCheckCommandPermissions()`.

Resolves: valkey-io#1336

---------

Signed-off-by: Daniil Kashapov <daniil.kashapov.ykt@gmail.com>
Signed-off-by: Harkrishn Patro <bunty.hari@gmail.com>

Author: dvkashapov

src/acl.c

@@ -3,8 +3,8 @@
 
 /* Definitions to configure commands.c to generate the above structs. */
 #define MAKE_CMD(name, summary, complexity, since, doc_flags, replaced, deprecated, group, group_enum, history, \
-                 num_history, tips, num_tips, function, arity, flags, acl, key_specs, key_specs_num, get_keys,  \
-                 numargs)                                                                                       \
+                 num_history, tips, num_tips, function, arity, flags, acl, get_dbid_args, key_specs,            \
+                 key_specs_num, get_keys, numargs)                                                              \
     name, summary, group, since, numargs
 #define MAKE_ARG(name, type, key_spec_index, token, summary, since, flags, numsubargs, deprecated_since) \
     name, type, token, since, flags, numsubargs

src/cli_commands.c

@@ -2,10 +2,10 @@
 #include "server.h"
 
 #define MAKE_CMD(name, summary, complexity, since, doc_flags, replaced, deprecated, group, group_enum, history, \
-                 num_history, tips, num_tips, function, arity, flags, acl, key_specs, key_specs_num, get_keys,  \
-                 numargs)                                                                                       \
+                 num_history, tips, num_tips, function, arity, flags, acl, get_dbid_args, key_specs,            \
+                 key_specs_num, get_keys, numargs)                                                              \
     name, summary, complexity, since, doc_flags, replaced, deprecated, group_enum, history, num_history, tips,  \
-        num_tips, function, arity, flags, acl, key_specs, key_specs_num, get_keys, numargs
+        num_tips, function, arity, flags, acl, get_dbid_args, key_specs, key_specs_num, get_keys, numargs
 #define MAKE_ARG(name, type, key_spec_index, token, summary, since, flags, numsubargs, deprecated_since) \
     name, type, key_spec_index, token, summary, since, flags, deprecated_since, numsubargs
 #define COMMAND_STRUCT serverCommand

src/commands.c

@@ -54,6 +54,7 @@ following keys. To be safe, assume all of them are optional.
   the command. (Don't use it for anything else.)
 * `"command_flags"`: An array of flags represented as strings. Command flags:
   * `"ADMIN"`
+  * `"ALL_DBS"`
   * `"ALLOW_BUSY"`
   * `"ASKING"`
   * `"BLOCKING"`
@@ -93,6 +94,9 @@ following keys. To be safe, assume all of them are optional.
   * `"STREAM"`
   * `"STRING"`
   * `"TRANSACTION"`
+* `"get_dbid_args"`: The name of the C function in Valkey's source code
+  implementing retrieval of database ID arguments from commands that accept
+  database ID as an argument.
 * `"command_tips"`: Optional. A list of one or more of these strings:
   * `"NONDETERMINISTIC_OUTPUT"`
   * `"NONDETERMINISTIC_OUTPUT_ORDER"`

src/commands.def

@@ -15,6 +15,10 @@
             [
                 "7.0.0",
                 "Added selectors and changed the format of key and channel patterns from a list to their rule representation."
+            ],
+            [
+                "9.1.0",
+                "Added database permission rules."
             ]
         ],
         "command_flags": [
@@ -61,6 +65,10 @@
                             "description": "Root selector's channels.",
                             "type": "string"
                         },
+                        "databases": {
+                            "description": "Root selector's databases.",
+                            "type": "string"
+                        },
                         "selectors": {
                             "type": "array",
                             "items": {
@@ -75,6 +83,9 @@
                                     },
                                     "channels": {
                                         "type": "string"
+                                    },
+                                    "databases": {
+                                        "type": "string"
                                     }
                                 }
                             }

src/commands/README.md

@@ -15,6 +15,10 @@
             [
                 "7.0.0",
                 "Added selectors and key based permissions."
+            ],
+            [
+                "9.1.0",
+                "Added database permission rules."
             ]
         ],
         "command_flags": [

src/commands/acl-getuser.json

@@ -10,7 +10,8 @@
         "command_flags": [
             "NO_ASYNC_LOADING",
             "ADMIN",
-            "STALE"
+            "STALE",
+            "ALL_DBS"
         ],
         "reply_schema": {
             "const": "OK"

src/commands/acl-setuser.json

@@ -10,7 +10,8 @@
         "command_flags": [
             "NO_ASYNC_LOADING",
             "ADMIN",
-            "STALE"
+            "STALE",
+            "ALL_DBS"
         ],
         "arguments": [
             {

src/commands/cluster-cancelslotmigrations.json

@@ -15,6 +15,7 @@
             "SLOW",
             "WRITE"
         ],
+        "get_dbid_args": "copyDbIdArgs",
         "key_specs": [
             {
                 "flags": [