fix: fix data access policies condition logic

Data access policies conditions should be joined via AND operator,
but the initial implementation used OR by mistake

Also ensured that rbac smoke tests are ran as part of the CI

Author: bsod90

.github/actions/smoke.sh

@@ -55,4 +55,8 @@ echo "::endgroup::"
 
 echo "::group::MongoBI"
 yarn lerna run --concurrency 1 --stream --no-prefix smoke:mongobi
-echo "::endgroup::"
+echo "::endgroup::"
+
+echo "::group::RBAC"
+yarn lerna run --concurrency 1 --stream --no-prefix smoke:rbac
+echo "::endgroup::"

packages/cubejs-server-core/src/core/CompilerApi.js

@@ -205,7 +205,7 @@ export class CompilerApi {
         if (typeof b !== 'boolean') {
           throw new Error(`Access policy condition must return boolean, got ${JSON.stringify(b)}`);
         }
-        return a || b;
+        return a && b;
       });
     }
     return true;

packages/cubejs-testing/birdbox-fixtures/rbac/cube.js

@@ -22,6 +22,27 @@ module.exports = {
         },
       };
     }
+    if (user === 'manager') {
+      if (password && password !== 'manager_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'manager',
+            userAttributes: {
+              region: 'CA',
+              city: 'Fresno',
+              canHaveAdmin: false,
+              minDefaultId: 10000,
+            },
+            roles: ['manager'],
+          },
+        },
+      };
+    }
     throw new Error(`User "${user}" doesn't exist`);
   }
 };

packages/cubejs-testing/birdbox-fixtures/rbac/model/cubes/line_items.js

@@ -72,5 +72,23 @@ cube('line_items', {
         excludes: ['created_at'],
       },
     },
+    {
+      role: 'manager',
+      conditions: [
+        {
+          if: security_context.auth?.userAttributes?.region === 'CA',
+        },
+        {
+          // This condition should not match the one defined in the "manager" mock context
+          if: security_context.auth?.userAttributes?.region === 'San Francisco',
+        },
+      ],
+      rowLevel: {
+        allowAll: true,
+      },
+      memberLevel: {
+        excludes: ['created_at'],
+      },
+    },
   ],
 });

packages/cubejs-testing/test/__snapshots__/smoke-rbac.test.ts.snap

@@ -1081,3 +1081,5 @@ Array [
   },
 ]
 `;
+
+exports[`Cube RBAC Engine RBAC via SQL API manager SELECT * from line_items: line_items_manager 1`] = `Array []`;

packages/cubejs-testing/test/smoke-rbac.test.ts

@@ -57,6 +57,8 @@ describe('Cube RBAC Engine', () => {
         ...DEFAULT_CONFIG,
         //
         CUBESQL_LOG_LEVEL: 'trace',
+        CUBEJS_DEV_MODE: 'false',
+        NODE_ENV: 'production',
         //
         CUBEJS_DB_TYPE: 'postgres',
         CUBEJS_DB_HOST: db.getHost(),
@@ -148,6 +150,26 @@ describe('Cube RBAC Engine', () => {
     });
   });
 
+  describe('RBAC via SQL API manager', () => {
+    let connection: PgClient;
+
+    beforeAll(async () => {
+      connection = await createPostgresClient('manager', 'manager_password');
+    });
+
+    afterAll(async () => {
+      await connection.end();
+    }, JEST_AFTER_ALL_DEFAULT_TIMEOUT);
+
+    test('SELECT * from line_items', async () => {
+      const res = await connection.query('SELECT * FROM line_items limit 10');
+      // This query should return rows allowed by the default policy
+      // because the manager security context has a wrong city and should not match
+      // two conditions defined on the manager policy
+      expect(res.rows).toMatchSnapshot('line_items_manager');
+    });
+  });
+
   describe('RBAC via REST API', () => {
     let client: CubeApi;
     let defaultClient: CubeApi;