WIP: new style access policy framework for Cube

Author: bsod90

packages/cubejs-api-gateway/src/gateway.ts

@@ -234,7 +234,7 @@ class ApiGateway {
       const { query, variables } = req.body;
       const compilerApi = await this.getCompilerApi(req.context);
 
-      const metaConfig = await compilerApi.metaConfig({
+      const metaConfig = await compilerApi.metaConfig(req.context, {
         requestId: req.context.requestId,
       });
 
@@ -267,7 +267,7 @@ class ApiGateway {
         const compilerApi = await this.getCompilerApi(req.context);
         let schema = compilerApi.getGraphQLSchema();
         if (!schema) {
-          let metaConfig = await compilerApi.metaConfig({
+          let metaConfig = await compilerApi.metaConfig(req.context, {
             requestId: req.context.requestId,
           });
           metaConfig = this.filterVisibleItemsInMeta(req.context, metaConfig);
@@ -526,6 +526,7 @@ class ApiGateway {
   private filterVisibleItemsInMeta(context: RequestContext, cubes: any[]) {
     const isDevMode = getEnv('devMode');
     function visibilityFilter(item) {
+      console.log('visibilityFilter', item, isDevMode, context.signedWithPlaygroundAuthSecret, item.isVisible);
       return isDevMode || context.signedWithPlaygroundAuthSecret || item.isVisible;
     }
 
@@ -551,7 +552,7 @@ class ApiGateway {
     try {
       await this.assertApiScope('meta', context.securityContext);
       const compilerApi = await this.getCompilerApi(context);
-      const metaConfig = await compilerApi.metaConfig({
+      const metaConfig = await compilerApi.metaConfig(context, {
         requestId: context.requestId,
         includeCompilerId: includeCompilerId || onlyCompilerId
       });
@@ -587,7 +588,7 @@ class ApiGateway {
     try {
       await this.assertApiScope('meta', context.securityContext);
       const compilerApi = await this.getCompilerApi(context);
-      const metaConfigExtended = await compilerApi.metaConfigExtended({
+      const metaConfigExtended = await compilerApi.metaConfigExtended(context, {
         requestId: context.requestId,
       });
       const { metaConfig, cubeDefinitions } = metaConfigExtended;
@@ -1010,7 +1011,7 @@ class ApiGateway {
           } else {
             const metaCacheKey = JSON.stringify(ctx);
             if (!metaCache.has(metaCacheKey)) {
-              metaCache.set(metaCacheKey, await compiler.metaConfigExtended(ctx));
+              metaCache.set(metaCacheKey, await compiler.metaConfigExtended(context, ctx));
             }
 
             // checking and fetching result status
@@ -1195,8 +1196,14 @@ class ApiGateway {
           }
 
           const normalizedQuery = normalizeQuery(currentQuery, persistent);
-          let rewrittenQuery = await this.queryRewrite(
+          // First apply cube/view level security policies
+          let rewrittenQuery = (await this.compilerApi(context)).applyRowLevelSecurity(
             normalizedQuery,
+            context
+          );
+          // Then apply user-supplied queryRewrite
+          rewrittenQuery = await this.queryRewrite(
+            rewrittenQuery,
             context,
           );
 
@@ -1693,7 +1700,7 @@ class ApiGateway {
         await this.getNormalizedQueries(query, context);
 
       let metaConfigResult = await (await this
-        .getCompilerApi(context)).metaConfig({
+        .getCompilerApi(context)).metaConfig(request.context, {
         requestId: context.requestId
       });
 
@@ -1803,7 +1810,7 @@ class ApiGateway {
         await this.getNormalizedQueries(query, context, request.streaming, request.memberExpressions);
 
       const compilerApi = await this.getCompilerApi(context);
-      let metaConfigResult = await compilerApi.metaConfig({
+      let metaConfigResult = await compilerApi.metaConfig(request.context, {
         requestId: context.requestId
       });
 

packages/cubejs-schema-compiler/src/compiler/CubeSymbols.js

@@ -10,6 +10,7 @@ import { BaseQuery } from '../adapter';
 const FunctionRegex = /function\s+\w+\(([A-Za-z0-9_,]*)|\(([\s\S]*?)\)\s*=>|\(?(\w+)\)?\s*=>/;
 const CONTEXT_SYMBOLS = {
   SECURITY_CONTEXT: 'securityContext',
+  security_context: 'securityContext',
   FILTER_PARAMS: 'filterParams',
   FILTER_GROUP: 'filterGroup',
   SQL_UTILS: 'sqlUtils'
@@ -139,6 +140,7 @@ export class CubeSymbols {
     this.camelCaseTypes(cube.dimensions);
     this.camelCaseTypes(cube.segments);
     this.camelCaseTypes(cube.preAggregations);
+    this.camelCaseTypes(cube.accessPolicy);
 
     if (cube.preAggregations) {
       this.transformPreAggregations(cube.preAggregations);
@@ -148,6 +150,10 @@ export class CubeSymbols {
       this.prepareIncludes(cube, errorReporter, splitViews);
     }
 
+    if (cube.accessPolicy) {
+      this.prepareAccessPolicy(cube, errorReporter);
+    }
+
     return Object.assign(
       { cubeName: () => cube.name, cubeObj: () => cube },
       cube.measures || {},
@@ -213,6 +219,60 @@ export class CubeSymbols {
     }
   }
 
+  /**
+   * @protected
+   */
+  allMembersOrList(cube, specifier) {
+    const types = ['measures', 'dimensions'];
+    if (specifier === '*') {
+      const allMembers = R.unnest(types.map(type => Object.keys(cube[type] || {})));
+      return allMembers;
+    } else {
+      return specifier || [];
+    }
+  }
+
+  /**
+   * @protected
+   */
+  prepareAccessPolicy(cube, errorReporter) {
+    for (const policy of cube.accessPolicy) {
+      for (const filter of policy?.rowLevel?.filters || []) {
+        filter.memberReference = this.evaluateReferences(cube, filter.member);
+        if (filter.memberReference.indexOf('.') !== -1) {
+          errorReporter.error(
+            `Paths aren't allowed in security policy filters but '${filter.memberReference}' provided as member for ${cube.name}`
+          );
+        }
+        filter.memberReference = this.pathFromArray([cube.name, filter.memberReference]);
+      }
+
+      if (policy.memberLevel) {
+        const memberMapper = (member) => {
+          if (member.indexOf('.') !== -1) {
+            errorReporter.error(
+              `Paths aren't allowed in memberLevel policy but '${member}' provided as a member for ${cube.name}`
+            );
+          }
+          return this.pathFromArray([cube.name, member]);
+        };
+
+        // TODO(maxim): is this even a correct way to figure out if includes is not set?
+        // const resolvedIncludes = this.resolveSymbol(policy.memberLevel.includes);
+        // if (!resolvedIncludes) {
+        //   errorReporter.error(`${cube.name} memberLevel.includes must be defined or set to "*"`);
+        //   return;
+        // }
+
+        const evaluatedIncludes = this.evaluateReferences(cube, policy.memberLevel.includes);
+        const evaluatedExcludes = this.evaluateReferences(cube, policy.memberLevel.excludes);
+
+        policy.memberLevel.includesMembers = this.allMembersOrList(cube, evaluatedIncludes).map(memberMapper);
+        policy.memberLevel.excludesMembers = this.allMembersOrList(cube, evaluatedExcludes).map(memberMapper);
+      }
+    }
+  }
+
   /**
    * @protected
    */
@@ -406,6 +466,27 @@ export class CubeSymbols {
     });
   }
 
+  // Used to evaluate access policies to allow referencing security_context at query time
+  evaluateContextFunction(cube, contextFn, context = {}) {
+    const cubeEvaluator = this;
+
+    const res = cubeEvaluator.resolveSymbolsCall(contextFn, (name) => {
+      const resolvedSymbol = this.resolveSymbol(cube, name);
+      if (resolvedSymbol) {
+        return resolvedSymbol;
+      }
+      throw new UserError(
+        `Cube references are not allowed when evaluating RLS conditions or filters. Found: ${name} in ${cube.name}`
+      );
+    }, {
+      contextSymbols: {
+        securityContext: context.securityContext,
+      }
+    });
+
+    return res;
+  }
+
   evaluateReferences(cube, referencesFn, options = {}) {
     const cubeEvaluator = this;
 
@@ -458,6 +539,10 @@ export class CubeSymbols {
         res = res.fn.apply(null, res.memberNames.map((id) => nameResolver(id.trim())));
       }
       return res;
+    } catch (e) {
+      // TODO(maxim): should we keep this log?
+      console.log('Error while resolving Cube symbols: ', e);
+      console.error(e);
     } finally {
       this.resolveSymbolsCallContext = oldContext;
     }

packages/cubejs-schema-compiler/src/compiler/CubeToMetaTransformer.js

@@ -105,6 +105,7 @@ export class CubeToMetaTransformer {
           })),
           R.toPairs
         )(cube.segments || {}),
+        accessPolicy: cube.accessPolicy || [],
         hierarchies: cube.hierarchies || []
       },
     };

packages/cubejs-schema-compiler/src/compiler/CubeValidator.ts

@@ -25,7 +25,8 @@ export const nonStringFields = new Set([
   'external',
   'useOriginalSqlPreAggregations',
   'readOnly',
-  'prefix'
+  'prefix',
+  'if'
 ]);
 
 const identifierRegex = /^[_a-zA-Z][_a-zA-Z0-9]*$/;
@@ -615,6 +616,62 @@ const SegmentsSchema = Joi.object().pattern(identifierRegex, Joi.object().keys({
   public: Joi.boolean().strict(),
 }));
 
+const PolicyFilterSchema = Joi.object().keys({
+  member: Joi.func().required(),
+  memberReference: Joi.string().required(),
+  operator: Joi.any().valid(
+    'equals',
+    'notEquals',
+    'contains',
+    'notContains',
+    'startsWith',
+    'notStartsWith',
+    'endsWith',
+    'notEndsWith',
+    'gt',
+    'gte',
+    'lt',
+    'lte',
+    'inDateRange',
+    'notInDateRange',
+    'beforeDate',
+    'beforeOrOnDate',
+    'afterDate',
+    'afterOrOnDate',
+  ).required(),
+  values: Joi.func().required(),
+});
+
+const MemberLevelPolicySchema = Joi.object().keys({
+  // TODO(maxim): how these should be validated?
+  excludes: Joi.func(),
+  includes: Joi.func(),
+  includesMembers: Joi.array().items(Joi.string().required()),
+  excludesMembers: Joi.array().items(Joi.string().required()),
+});
+
+const RowLevelPolicySchema = Joi.object().keys({
+
+  filters: Joi.array().items(Joi.alternatives().try(
+    Joi.object().keys({
+      or: Joi.array().items(PolicyFilterSchema).required(),
+      and: Joi.array().items(PolicyFilterSchema).required(),
+    }),
+    PolicyFilterSchema,
+  )).required(),
+});
+
+// TODO(maxim): follow the "ATTENTION" thing below
+const RolePolicySchema = Joi.object().keys({
+  role: Joi.string().required(),
+  memberLevel: MemberLevelPolicySchema,
+  rowLevel: RowLevelPolicySchema,
+  conditions: Joi.array().items(Joi.object().keys({
+    if: Joi.func().required(),
+  })),
+  // evaluatedConditions: Joi.array().items(Joi.boolean()),
+});
+
 /* *****************************
  * ATTENTION:
  * In case of adding/removing/changing any Joi.func() field that needs to be transpiled,
@@ -692,6 +749,7 @@ const baseSchema = {
     title: Joi.string(),
     levels: Joi.func()
   })),
+  accessPolicy: Joi.array().items(RolePolicySchema),
 };
 
 const cubeSchema = inherit(baseSchema, {

packages/cubejs-schema-compiler/src/compiler/transpilers/CubePropContextTranspiler.ts

@@ -25,6 +25,10 @@ export const transpiledFieldsPatterns: Array<RegExp> = [
   /^excludes$/,
   /^hierarchies\.[0-9]+\.levels$/,
   /^cubes\.[0-9]+\.(joinPath|join_path)$/,
+  /^(accessPolicy|access_policy)\.[0-9]+\.(rowLevel|row_level)\.filters\.[0-9]+\.member$/,
+  /^(accessPolicy|access_policy)\.[0-9]+\.(rowLevel|row_level)\.filters\.[0-9]+\.values$/,
+  /^(accessPolicy|access_policy)\.[0-9]+\.conditions.[0-9]+\.if$/,
+  /^(accessPolicy|access_policy)\.[0-9]+\.(memberLevel|member_level)\.(includes|excludes)$/,
 ];
 
 export const transpiledFields: Set<String> = new Set<String>();

packages/cubejs-schema-compiler/test/unit/schema.test.ts

@@ -1,5 +1,5 @@
 import { prepareCompiler } from './PrepareCompiler';
-import { createCubeSchema, createCubeSchemaWithCustomGranularities } from './utils';
+import { createCubeSchema, createCubeSchemaWithCustomGranularities, createCubeSchemaWithAccessPolicy } from './utils';
 
 describe('Schema Testing', () => {
   const schemaCompile = async () => {
@@ -367,4 +367,37 @@ describe('Schema Testing', () => {
       CubeD: { relationship: 'belongsTo' }
     });
   });
+
+  it('valid schema with accessPolicy', async () => {
+    const { compiler, metaTransformer } = prepareCompiler([
+      createCubeSchemaWithAccessPolicy('ProtectedCube'),
+    ]);
+    await compiler.compile();
+    compiler.throwIfAnyErrors();
+
+    // TODO(maxim): this should be further validated
+    expect(metaTransformer.cubes[0].config.accessPolicy).toBeDefined();
+  });
+
+  it('memberLevel accessPolicy should require explicit includes', async () => {
+    const logger = jest.fn();
+    const { compiler } = prepareCompiler([
+      createCubeSchemaWithAccessPolicy('ProtectedCube', `
+          {
+            role: 'manager2',
+            memberLevel: {
+              // ommitted includes
+              excludes: [\`min\`, \`max\`]
+            },
+          },
+      `),
+    ]);
+    await compiler.compile();
+    compiler.throwIfAnyErrors();
+
+    expect(logger.mock.calls.length).toEqual(1);
+    expect(logger.mock.calls[0]).toEqual([
+      'ProtectedCube memberLevel.includes must be defined or set to "*"'
+    ]);
+  });
 });