chore: fix

Author: ovr

packages/cubejs-api-gateway/package.json

@@ -15,7 +15,7 @@
   "typings": "dist/src/index.d.ts",
   "scripts": {
     "test": "npm run unit",
-    "unit": "jest --coverage dist/test",
+    "unit": "CUBE_JS_NATIVE_API_GATEWAY_INTERNAL=true jest --coverage dist/test",
     "build": "rm -rf dist && npm run tsc",
     "tsc": "tsc",
     "watch": "tsc -w",

packages/cubejs-api-gateway/src/gateway.ts

@@ -150,9 +150,9 @@ class ApiGateway {
 
   public readonly checkAuthSystemFn: PreparedCheckAuthFn;
 
-  protected readonly contextToApiScopesFn: ContextToApiScopesFn;
+  public readonly contextToApiScopesFn: ContextToApiScopesFn;
 
-  protected readonly contextToApiScopesDefFn: ContextToApiScopesFn =
+  public readonly contextToApiScopesDefFn: ContextToApiScopesFn =
     async () => ['graphql', 'meta', 'data'];
 
   protected readonly requestLoggerMiddleware: RequestLoggerMiddlewareFn;
@@ -546,20 +546,24 @@ class ApiGateway {
     }
 
     if (getEnv('nativeApiGateway')) {
-      const proxyMiddleware = createProxyMiddleware<Request, Response>({
-        target: `http://127.0.0.1:${this.sqlServer.getNativeGatewayPort()}/v2`,
-        changeOrigin: true,
-      });
-
-      app.use(
-        `${this.basePath}/v2`,
-        proxyMiddleware as any
-      );
+      this.enableNativeApiGateway(app);
     }
 
     app.use(this.handleErrorMiddleware);
   }
 
+  protected enableNativeApiGateway(app: ExpressApplication) {
+    const proxyMiddleware = createProxyMiddleware<Request, Response>({
+      target: `http://127.0.0.1:${this.sqlServer.getNativeGatewayPort()}/v2`,
+      changeOrigin: true,
+    });
+
+    app.use(
+      `${this.basePath}/v2`,
+      proxyMiddleware as any
+    );
+  }
+
   public initSubscriptionServer(sendMessage: WebSocketSendMessageFn) {
     return new SubscriptionServer(this, sendMessage, this.subscriptionStore, this.wsContextAcceptor);
   }

packages/cubejs-api-gateway/src/sql-server.ts

@@ -107,6 +107,12 @@ export class SQLServer {
     this.sqlInterfaceInstance = await registerInterface({
       gatewayPort: this.gatewayPort,
       pgPort: options.pgSqlPort,
+      contextToApiScopes: async ({ securityContext }) => {
+        return this.apiGateway.contextToApiScopesFn(
+          securityContext,
+          getEnv('defaultApiScope') || await this.apiGateway.contextToApiScopesDefFn()
+        );
+      },
       checkAuth: async ({ request, token }) => {
         const { securityContext } = await this.apiGateway.checkAuthFn(request, token);
 

packages/cubejs-api-gateway/test/auth.test.ts

@@ -10,22 +10,47 @@ import { AdapterApiMock, DataSourceStorageMock } from './mocks';
 import { RequestContext } from '../src/interfaces';
 import { generateAuthToken } from './utils';
 
+class ApiGatewayOpenAPI extends ApiGateway {
+  protected isRunning: Promise<void> | null = null;
+
+  public coerceForSqlQuery(query, context: RequestContext) {
+    return super.coerceForSqlQuery(query, context);
+  }
+
+  public async startSQLServer(): Promise<void> {
+    if (this.isRunning) {
+      return this.isRunning;
+    }
+
+    this.isRunning = this.sqlServer.init({});
+
+    return this.isRunning;
+  }
+
+  public async shutdownSQLServer(): Promise<void> {
+    try {
+      await this.sqlServer.shutdown('fast');
+    } catch (error) {
+      console.log(`Error while shutting down server: ${error}`);
+    }
+
+    this.isRunning = null;
+  }
+}
+
 function createApiGateway(handler: RequestHandler, logger: () => any, options: Partial<ApiGatewayOptions>) {
   const adapterApi: any = new AdapterApiMock();
   const dataSourceStorage: any = new DataSourceStorageMock();
 
-  class ApiGatewayFake extends ApiGateway {
-    public coerceForSqlQuery(query, context: RequestContext) {
-      return super.coerceForSqlQuery(query, context);
-    }
-
+  class ApiGatewayFake extends ApiGatewayOpenAPI {
     public initApp(app: ExpressApplication) {
       const userMiddlewares: RequestHandler[] = [
         this.checkAuth,
         this.requestContextMiddleware,
       ];
 
       app.get('/test-auth-fake', userMiddlewares, handler);
+      this.enableNativeApiGateway(app);
 
       app.use(this.handleErrorMiddleware);
     }
@@ -50,6 +75,61 @@ function createApiGateway(handler: RequestHandler, logger: () => any, options: P
   };
 }
 
+describe('test authorization with native gateway', () => {
+  const expectSecurityContext = (securityContext) => {
+    expect(securityContext.uid).toEqual(5);
+    expect(securityContext.iat).toBeDefined();
+    expect(securityContext.exp).toBeDefined();
+  };
+
+  let app: ExpressApplication;
+  let apiGateway: ApiGatewayOpenAPI;
+
+  const handlerMock = jest.fn((req, res) => {
+    expectSecurityContext(req.context.authInfo);
+    expectSecurityContext(req.context.securityContext);
+
+    res.status(200).end();
+  });
+  const loggerMock = jest.fn(() => {
+    //
+  });
+
+  beforeAll(async () => {
+    const result = createApiGateway(handlerMock, loggerMock, {});
+
+    app = result.app;
+    apiGateway = result.apiGateway;
+
+    await result.apiGateway.startSQLServer();
+  });
+
+  beforeEach(() => {
+    handlerMock.mockClear();
+    loggerMock.mockClear();
+  });
+
+  afterAll(async () => {
+    await apiGateway.shutdownSQLServer();
+  });
+
+  fit('default authorization', async () => {
+    const token = generateAuthToken({ uid: 5, });
+
+    await request(app)
+      .get('/cubejs-api/v2/stream')
+      .set('Authorization', `${token}`)
+      .expect(501);
+
+    // No bad logs
+    expect(loggerMock.mock.calls.length).toEqual(0);
+    // We should not call js handler, request should go into rust code
+    expect(handlerMock.mock.calls.length).toEqual(0);
+
+    await apiGateway.shutdownSQLServer();
+  });
+});
+
 describe('test authorization', () => {
   test('default authorization', async () => {
     const loggerMock = jest.fn(() => {

packages/cubejs-backend-native/js/index.ts

@@ -37,6 +37,12 @@ export interface CheckSQLAuthResponse {
   skipPasswordCheck?: boolean,
 }
 
+export interface ContextToApiScopesPayload {
+  securityContext: any,
+}
+
+export type ContextToApiScopesResponse = string[];
+
 export interface CheckAuthPayload {
   request: Request<undefined>,
   token: string,
@@ -97,6 +103,7 @@ export interface CanSwitchUserPayload {
 
 export type SQLInterfaceOptions = {
   pgPort?: number,
+  contextToApiScopes: (payload: ContextToApiScopesPayload) => ContextToApiScopesResponse | Promise<ContextToApiScopesResponse>,
   checkAuth: (payload: CheckAuthPayload) => CheckAuthResponse | Promise<CheckAuthResponse>,
   checkSqlAuth: (payload: CheckSQLAuthPayload) => CheckSQLAuthResponse | Promise<CheckSQLAuthResponse>,
   load: (payload: LoadPayload) => unknown | Promise<unknown>,
@@ -357,6 +364,10 @@ export const registerInterface = async (options: SQLInterfaceOptions): Promise<S
     throw new Error('Argument options must be an object');
   }
 
+  if (typeof options.contextToApiScopes !== 'function') {
+    throw new Error('options.contextToApiScopes must be a function');
+  }
+
   if (typeof options.checkAuth !== 'function') {
     throw new Error('options.checkAuth must be a function');
   }
@@ -392,6 +403,7 @@ export const registerInterface = async (options: SQLInterfaceOptions): Promise<S
   const native = loadNative();
   return native.registerInterface({
     ...options,
+    contextToApiScopes: wrapNativeFunctionWithChannelCallback(options.contextToApiScopes),
     checkAuth: wrapNativeFunctionWithChannelCallback(options.checkAuth),
     checkSqlAuth: wrapNativeFunctionWithChannelCallback(options.checkSqlAuth),
     load: wrapNativeFunctionWithChannelCallback(options.load),

packages/cubejs-backend-native/src/auth.rs

@@ -17,17 +17,20 @@ use crate::gateway::{
     GatewayAuthContext, GatewayAuthContextRef, GatewayAuthService, GatewayAuthenticateResponse,
     GatewayCheckAuthRequest,
 };
+use crate::gateway::auth_service::GatewayContextToApiScopesResponse;
 
 #[derive(Debug)]
 pub struct NodeBridgeAuthService {
     channel: Arc<Channel>,
     check_auth: Arc<Root<JsFunction>>,
     check_sql_auth: Arc<Root<JsFunction>>,
+    context_to_api_scopes: Arc<Root<JsFunction>>,
 }
 
 pub struct NodeBridgeAuthServiceOptions {
     pub check_auth: Root<JsFunction>,
     pub check_sql_auth: Root<JsFunction>,
+    pub context_to_api_scopes: Root<JsFunction>,
 }
 
 impl NodeBridgeAuthService {
@@ -36,6 +39,7 @@ impl NodeBridgeAuthService {
             channel: Arc::new(channel),
             check_auth: Arc::new(options.check_auth),
             check_sql_auth: Arc::new(options.check_sql_auth),
+            context_to_api_scopes: Arc::new(options.context_to_api_scopes),
         }
     }
 }
@@ -129,16 +133,23 @@ struct CheckAuthTransportResponse {
 }
 
 #[derive(Debug)]
-pub struct NativeAuthContext {
+pub struct NativeGatewayAuthContext {
     pub security_context: Option<serde_json::Value>,
 }
 
-impl GatewayAuthContext for NativeAuthContext {
+impl GatewayAuthContext for NativeGatewayAuthContext {
     fn as_any(&self) -> &dyn Any {
         self
     }
 }
 
+#[derive(Debug, Serialize)]
+struct ContextToApiScopesTransportRequest<'ref_auth_context> {
+    security_context: &'ref_auth_context Option<serde_json::Value>,
+}
+
+type ContextToApiScopesTransportResponse = Vec<String>;
+
 #[async_trait]
 impl GatewayAuthService for NodeBridgeAuthService {
     async fn authenticate(
@@ -167,17 +178,37 @@ impl GatewayAuthService for NodeBridgeAuthService {
         trace!("[auth] Request <- {:?}", response);
 
         Ok(GatewayAuthenticateResponse {
-            context: Arc::new(NativeAuthContext {
+            context: Arc::new(NativeGatewayAuthContext {
                 security_context: response.security_context,
             }),
         })
     }
 
     async fn context_to_api_scopes(
         &self,
-        auth_context: GatewayAuthContextRef,
-    ) -> Result<GatewayAuthenticateResponse, CubeError> {
-        unimplemented!();
+        auth_context: &GatewayAuthContextRef,
+    ) -> Result<GatewayContextToApiScopesResponse, CubeError> {
+        trace!("[context_to_api_scopes] Request ->");
+
+        let native_auth = auth_context
+            .as_any()
+            .downcast_ref::<NativeGatewayAuthContext>()
+            .expect("Unable to cast AuthContext to NativeGatewayAuthContext");
+
+        let extra = serde_json::to_string(&ContextToApiScopesTransportRequest {
+            security_context: &native_auth.security_context,
+        })?;
+        let response: ContextToApiScopesTransportResponse = call_js_with_channel_as_callback(
+            self.channel.clone(),
+            self.context_to_api_scopes.clone(),
+            Some(extra),
+        )
+            .await?;
+        trace!("[context_to_api_scopes] Request <- {:?}", response);
+
+        Ok(GatewayContextToApiScopesResponse {
+            scopes: response,
+        })
     }
 }
 

packages/cubejs-backend-native/src/config.rs

@@ -74,6 +74,7 @@ impl NodeCubeServices {
                 .injector
                 .get_service_typed::<dyn ApiGatewayServer>()
                 .await;
+
             gateway_server.stop_processing(shutdown_mode).await?;
         }
 

packages/cubejs-backend-native/src/gateway/auth_service.rs

@@ -22,6 +22,11 @@ pub struct GatewayCheckAuthRequest {
     pub(crate) protocol: String,
 }
 
+#[derive(Debug)]
+pub struct GatewayContextToApiScopesResponse {
+    pub scopes: Vec<String>,
+}
+
 #[async_trait]
 pub trait GatewayAuthService: Send + Sync + Debug {
     async fn authenticate(
@@ -32,6 +37,6 @@ pub trait GatewayAuthService: Send + Sync + Debug {
 
     async fn context_to_api_scopes(
         &self,
-        auth_context: GatewayAuthContextRef,
-    ) -> Result<GatewayAuthenticateResponse, CubeError>;
+        auth_context: &GatewayAuthContextRef,
+    ) -> Result<GatewayContextToApiScopesResponse, CubeError>;
 }

packages/cubejs-backend-native/src/gateway/handlers/stream.rs

@@ -18,7 +18,7 @@ pub async fn stream_handler_v2(
     Extension(auth): Extension<AuthExtension>,
 ) -> Result<impl IntoResponse, HttpError> {
     gateway_state
-        .assert_api_scope(auth.auth_context(), "stream")
+        .assert_api_scope(auth.auth_context(), "data")
         .await?;
 
     Ok((