chore(cloud_auth): Auth improvements

- Register viewer/editor roles in DB
- Restrict users service to authenticated role
- Shared policy cache (ensures can be read/written by multiple processes)

Author: dnys1

services/celest_cloud_auth/lib/src/authorization/celest_role.dart

@@ -9,6 +9,14 @@ extension type const CelestRole._(EntityUid _) implements EntityUid {
     EntityUid.of('Celest::Role', 'authenticated'),
   );
 
+  static const CelestRole viewer = CelestRole._(
+    EntityUid.of('Celest::Role', 'viewer'),
+  );
+
+  static const CelestRole editor = CelestRole._(
+    EntityUid.of('Celest::Role', 'editor'),
+  );
+
   static const CelestRole admin = CelestRole._(
     EntityUid.of('Celest::Role', 'admin'),
   );

services/celest_cloud_auth/lib/src/database/auth_database_accessors.dart

@@ -1,4 +1,3 @@
-import 'package:async/async.dart';
 import 'package:cedar/ast.dart';
 import 'package:cedar/cedar.dart';
 import 'package:celest_ast/celest_ast.dart';
@@ -177,9 +176,17 @@ class CloudAuthDatabaseAccessors extends DatabaseAccessor<GeneratedDatabase>
       uid: CelestRole.authenticated,
       parents: [CelestRole.anonymous],
     ),
+    CelestRole.viewer: const Entity(
+      uid: CelestRole.viewer,
+      parents: [CelestRole.authenticated],
+    ),
+    CelestRole.editor: const Entity(
+      uid: CelestRole.editor,
+      parents: [CelestRole.viewer],
+    ),
     CelestRole.admin: const Entity(
       uid: CelestRole.admin,
-      parents: [CelestRole.authenticated],
+      parents: [CelestRole.editor],
     ),
     CelestRole.owner: const Entity(
       uid: CelestRole.owner,
@@ -454,13 +461,11 @@ class CloudAuthDatabaseAccessors extends DatabaseAccessor<GeneratedDatabase>
     return result;
   }
 
-  final _effectivePolicySetCache = AsyncCache<PolicySet>(
-    const Duration(hours: 1),
-  );
+  late final _PolicySetCache _policySetCache = _PolicySetCache(db);
 
   /// The effective [PolicySet] for the project.
   Future<PolicySet> get effectivePolicySet {
-    return _effectivePolicySetCache.fetch(loadEffectivePolicySet);
+    return _policySetCache.fetch(loadEffectivePolicySet);
   }
 
   /// Loads the effective policy set from the database.
@@ -722,7 +727,7 @@ class CloudAuthDatabaseAccessors extends DatabaseAccessor<GeneratedDatabase>
         );
       }
     });
-    _effectivePolicySetCache.invalidate();
+    _policySetCache.invalidate();
   }
 
   /// Creates a new [entity] in the database.
@@ -901,6 +906,55 @@ class CloudAuthDatabaseAccessors extends DatabaseAccessor<GeneratedDatabase>
   }
 }
 
+final class _PolicySetCache {
+  _PolicySetCache(this._db);
+
+  final GeneratedDatabase _db;
+
+  PolicySet? _cached;
+  int? _dataVersion;
+  Future<PolicySet>? _pending;
+
+  Future<PolicySet> fetch(Future<PolicySet> Function() loader) async {
+    final version = await _readDataVersion();
+    final cached = _cached;
+    if (cached != null && _dataVersion == version) {
+      return cached;
+    }
+
+    _pending ??= _reload(loader);
+    return _pending!;
+  }
+
+  Future<PolicySet> _reload(Future<PolicySet> Function() loader) async {
+    try {
+      while (true) {
+        final before = await _readDataVersion();
+        final loaded = await loader();
+        final after = await _readDataVersion();
+        if (before == after) {
+          _cached = loaded;
+          _dataVersion = after;
+          return loaded;
+        }
+      }
+    } finally {
+      _pending = null;
+    }
+  }
+
+  void invalidate() {
+    _cached = null;
+    _dataVersion = null;
+    _pending = null;
+  }
+
+  Future<int> _readDataVersion() async {
+    final row = await _db.customSelect('PRAGMA data_version').getSingle();
+    return row.data.values.single as int;
+  }
+}
+
 /// Creates a diff of a project's authorization config between two versions.
 final class _ProjectAuthDiff extends ResolvedAstVisitorWithArg<void, Node?> {
   _ProjectAuthDiff();

services/celest_cloud_auth/lib/src/users/users_service.dart

@@ -127,7 +127,7 @@ extension type UsersService._(_Deps _deps) implements Object {
     policySet: PolicySet(
       templateLinks: [
         TemplateLink(
-          templateId: 'cloud.functions.anonymous',
+          templateId: 'cloud.functions.authenticated',
           newId: apiId,
           values: {SlotId.resource: apiUid},
         ),
@@ -254,6 +254,7 @@ extension type UsersService._(_Deps _deps) implements Object {
     final principal = context.get(ContextKey.principal);
     await _authorizer.expectAuthorized(
       principal: principal?.uid,
+      resource: UsersService.apiUid,
       action: CelestAction.list,
     );
     final response = await listUsers(

services/celest_cloud_auth/test/authorization/authorizer_test.dart

@@ -3,6 +3,7 @@ import 'package:cedar/cedar.dart';
 import 'package:celest_ast/celest_ast.dart';
 import 'package:celest_cloud_auth/src/authorization/authorizer.dart';
 import 'package:celest_cloud_auth/src/database/auth_database.dart';
+import 'package:celest_cloud_auth/src/users/users_repository.dart';
 import 'package:logging/logging.dart';
 import 'package:pub_semver/pub_semver.dart';
 import 'package:test/test.dart';
@@ -13,11 +14,14 @@ import '../tester.dart';
 const roleAdmin = EntityUid.of('Celest::Role', 'admin');
 const roleAuthenticated = EntityUid.of('Celest::Role', 'authenticated');
 const roleAnonymous = EntityUid.of('Celest::Role', 'anonymous');
+const roleEditor = EntityUid.of('Celest::Role', 'editor');
+const roleViewer = EntityUid.of('Celest::Role', 'viewer');
 
 // Users
 const userAlice = EntityUid.of('Celest::User', 'alice');
 const userBob = EntityUid.of('Celest::User', 'bob');
 const userCharlie = EntityUid.of('Celest::User', 'charlie');
+const userDiana = EntityUid.of('Celest::User', 'diana');
 
 // Actions
 const actionCreate = EntityUid.of('Celest::Action', 'create');
@@ -54,7 +58,7 @@ Policy forbidUnless(
 );
 
 void main() {
-  Logger.root.level = Level.ALL;
+  Logger.root.level = Level.WARNING;
   Logger.root.onRecord.listen((record) {
     print('${record.level.name}: ${record.message}');
   });
@@ -63,6 +67,39 @@ void main() {
     late CloudAuthDatabase db;
     late Authorizer authorizer;
 
+    group('core roles', () {
+      late CloudAuthDatabase roleDb;
+      late UsersRepository users;
+
+      setUp(() async {
+        roleDb = CloudAuthDatabase.memory(project: defaultProject);
+        await roleDb.ping();
+        users = UsersRepository(db: roleDb);
+      });
+
+      tearDown(() async {
+        await roleDb.close();
+      });
+
+      test('viewer and editor roles are assignable', () async {
+        final anonymous = await users.createAnonymousUser();
+
+        await roleDb.cloudAuth.setUserRoles(
+          userId: anonymous.userId,
+          roles: const [roleViewer],
+        );
+        var updated = await roleDb.cloudAuth.getUser(userId: anonymous.userId);
+        expect(updated!.roles, contains(roleViewer));
+
+        await roleDb.cloudAuth.setUserRoles(
+          userId: anonymous.userId,
+          roles: const [roleEditor],
+        );
+        updated = await roleDb.cloudAuth.getUser(userId: anonymous.userId);
+        expect(updated!.roles, contains(roleEditor));
+      });
+    });
+
     Future<void> createEntities(List<Entity> entities) async {
       for (final entity in entities) {
         await db.cloudAuth.createEntity(entity);
@@ -116,6 +153,7 @@ void main() {
         Entity(uid: userAlice, parents: [roleAdmin]),
         Entity(uid: userBob, parents: [roleAuthenticated]),
         Entity(uid: userCharlie, parents: [roleAnonymous]),
+        Entity(uid: userDiana, parents: [roleViewer]),
         Entity(uid: functionAuthenticated, parents: [apiTest]),
         Entity(uid: functionAdmin, parents: [apiTest]),
         Entity(uid: functionPublic, parents: [apiTest]),
@@ -201,6 +239,33 @@ void main() {
           ),
           expected: Decision.allow,
         ),
+        (
+          description: 'viewer can invoke admin function via viewer policy',
+          request: AuthorizationRequest(
+            action: actionInvoke,
+            resource: functionAdmin,
+            principal: userDiana,
+          ),
+          expected: Decision.allow,
+        ),
+        (
+          description: 'viewer can invoke authenticated function',
+          request: AuthorizationRequest(
+            action: actionInvoke,
+            resource: functionAuthenticated,
+            principal: userDiana,
+          ),
+          expected: Decision.allow,
+        ),
+        (
+          description: 'viewer can invoke public function',
+          request: AuthorizationRequest(
+            action: actionInvoke,
+            resource: functionPublic,
+            principal: userDiana,
+          ),
+          expected: Decision.allow,
+        ),
         (
           description: 'admin user can invoke admin function',
           request: AuthorizationRequest(

services/celest_cloud_auth/test/database/auth_database/policy_cache_test.dart

@@ -0,0 +1,91 @@
+import 'package:cedar/cedar.dart';
+import 'package:celest_cloud_auth/celest_cloud_auth.dart';
+import 'package:drift/drift.dart';
+import 'package:file/file.dart';
+import 'package:file/local.dart';
+import 'package:test/test.dart';
+
+import '../../tester.dart' show defaultProject;
+
+void main() {
+  driftRuntimeOptions.dontWarnAboutMultipleDatabases = true;
+
+  group('CloudAuthDatabaseAccessors policy cache', () {
+    test('reuses cached policy set when data_version is unchanged', () async {
+      final fs = const LocalFileSystem();
+      final Directory directory = await fs.systemTempDirectory.createTemp(
+        'celest_policy_cache_test_',
+      );
+      addTearDown(() async {
+        if (await directory.exists()) {
+          await directory.delete(recursive: true);
+        }
+      });
+
+      final db = CloudAuthDatabase.localDir(directory, project: defaultProject);
+      addTearDown(db.close);
+
+      final first = await db.cloudAuth.effectivePolicySet;
+      final second = await db.cloudAuth.effectivePolicySet;
+
+      expect(identical(first, second), isTrue);
+    });
+
+    test('reloads policies after external updates via data_version', () async {
+      final fs = const LocalFileSystem();
+      final Directory directory = await fs.systemTempDirectory.createTemp(
+        'celest_policy_cache_test_',
+      );
+      addTearDown(() async {
+        if (await directory.exists()) {
+          await directory.delete(recursive: true);
+        }
+      });
+
+      final dbA = CloudAuthDatabase.localDir(
+        directory,
+        project: defaultProject,
+      );
+      final dbB = CloudAuthDatabase.localDir(
+        directory,
+        project: defaultProject,
+      );
+      addTearDown(() async {
+        await dbA.close();
+        await dbB.close();
+      });
+
+      final initial = await dbA.cloudAuth.effectivePolicySet;
+      final initialPolicyIds = initial.policies.keys.toSet();
+      const newLinkId = 'policy.cache.test';
+
+      final policyResource = EntityUid.of(
+        'Celest::Function',
+        'policy-cache-test',
+      );
+      await dbB.cloudAuth.createEntity(
+        Entity(
+          uid: policyResource,
+          parents: [EntityUid.of('Celest::Api', 'test')],
+        ),
+      );
+
+      final newLink = TemplateLink(
+        templateId: 'cloud.functions.authenticated',
+        newId: newLinkId,
+        values: {SlotId.resource: policyResource},
+      );
+
+      await dbB.cloudAuth.upsertPolicySet(PolicySet(templateLinks: [newLink]));
+
+      final updated = await dbA.cloudAuth.effectivePolicySet;
+      expect(identical(initial, updated), isFalse);
+      final updatedPolicyIds = updated.policies.keys.toSet();
+      final newPolicyIds = updatedPolicyIds.difference(initialPolicyIds);
+      expect(newPolicyIds, hasLength(1));
+
+      final cached = await dbA.cloudAuth.effectivePolicySet;
+      expect(identical(updated, cached), isTrue);
+    });
+  });
+}