feat(api-gateway, server-core): Renamed Permissions to ApiScopes (#6397)

Author: buntarb

packages/cubejs-api-gateway/src/gateway.ts

@@ -19,7 +19,7 @@ import type {
 } from 'express';
 import {
   QueryType,
-  Permission,
+  ApiScopes,
 } from './types/strings';
 import {
   QueryType as QueryTypeEnum, ResultType
@@ -44,7 +44,7 @@ import {
   CheckAuthInternalOptions,
   JWTOptions,
   CheckAuthFn,
-  ContextToPermissionsFn,
+  ContextToApiScopesFn,
 } from './types/auth';
 import {
   Query,
@@ -117,9 +117,9 @@ class ApiGateway {
 
   public readonly checkAuthSystemFn: CheckAuthFn;
 
-  protected readonly contextToPermFn: ContextToPermissionsFn;
+  protected readonly contextToApiScopesFn: ContextToApiScopesFn;
 
-  protected readonly contextToPermDefFn: ContextToPermissionsFn =
+  protected readonly contextToApiScopesDefFn: ContextToApiScopesFn =
     async () => ['liveliness', 'graphql', 'meta', 'data'];
 
   protected readonly checkAuthMiddleware: CheckAuthMiddlewareFn;
@@ -158,7 +158,7 @@ class ApiGateway {
 
     this.checkAuthFn = this.createCheckAuthFn(options);
     this.checkAuthSystemFn = this.createCheckAuthSystemFn();
-    this.contextToPermFn = this.createContextToPermissionsFn(options);
+    this.contextToApiScopesFn = this.createContextToApiScopesFn(options);
     this.checkAuthMiddleware = options.checkAuthMiddleware
       ? this.wrapCheckAuthMiddleware(options.checkAuthMiddleware)
       : this.checkAuth;
@@ -178,19 +178,19 @@ class ApiGateway {
     ];
 
     /** **************************************************************
-     * Liveliness permission                                         *
+     * Liveliness scope                                              *
      *************************************************************** */
 
     // @todo Should we pass requestLoggerMiddleware?
-    // @todo Should we add permission assert here?
+    // @todo Should we add scope assert here?
 
     const guestMiddlewares = [];
 
     app.get('/readyz', guestMiddlewares, cachedHandler(this.readiness));
     app.get('/livez', guestMiddlewares, cachedHandler(this.liveness));
 
     /** **************************************************************
-     * Graphql permission                                            *
+     * Graphql scope                                                 *
      *************************************************************** */
 
     app.use(
@@ -199,7 +199,7 @@ class ApiGateway {
         ...userMiddlewares,
         async (req, res, next) => {
           try {
-            await this.assertPermission(
+            await this.assertApiScope(
               'graphql',
               req?.context?.securityContext
             );
@@ -236,7 +236,7 @@ class ApiGateway {
     );
 
     /** **************************************************************
-     * Data permission                                               *
+     * Data scope                                                    *
      *************************************************************** */
 
     app.get(`${this.basePath}/v1/load`, userMiddlewares, (async (req, res) => {
@@ -300,7 +300,7 @@ class ApiGateway {
     }));
 
     /** **************************************************************
-     * Meta permission                                               *
+     * Meta scope                                                    *
      *************************************************************** */
 
     app.get(
@@ -327,7 +327,7 @@ class ApiGateway {
         ...userMiddlewares,
         async (req, res, next) => {
           try {
-            await this.assertPermission(
+            await this.assertApiScope(
               'meta',
               req?.context?.securityContext
             );
@@ -353,7 +353,7 @@ class ApiGateway {
     );
 
     /** **************************************************************
-     * Jobs permission                                               *
+     * Jobs scope                                                    *
      *************************************************************** */
 
     app.get(
@@ -375,7 +375,7 @@ class ApiGateway {
     );
 
     /** **************************************************************
-     * Private API (no permissions)                                  *
+     * Private API (no scopes)                                       *
      *************************************************************** */
 
     if (this.playgroundAuthSecret) {
@@ -473,7 +473,7 @@ class ApiGateway {
   }) {
     const requestStarted = new Date();
     try {
-      await this.assertPermission('jobs', context.securityContext);
+      await this.assertApiScope('jobs', context.securityContext);
       const refreshScheduler = this.refreshScheduler();
       res(await refreshScheduler.runScheduledRefresh(context, {
         ...this.parseQueryParam(queryingOptions || {}),
@@ -507,7 +507,7 @@ class ApiGateway {
     const requestStarted = new Date();
 
     try {
-      await this.assertPermission('meta', context.securityContext);
+      await this.assertApiScope('meta', context.securityContext);
       const metaConfig = await this.getCompilerApi(context).metaConfig({
         requestId: context.requestId,
       });
@@ -527,7 +527,7 @@ class ApiGateway {
     const requestStarted = new Date();
 
     try {
-      await this.assertPermission('meta', context.securityContext);
+      await this.assertApiScope('meta', context.securityContext);
       const metaConfigExtended = await this.getCompilerApi(context).metaConfigExtended({
         requestId: context.requestId,
       });
@@ -737,7 +737,7 @@ class ApiGateway {
     const query = <PreAggsJobsRequest>req.body;
     let result;
     try {
-      await this.assertPermission('jobs', req?.context?.securityContext);
+      await this.assertApiScope('jobs', req?.context?.securityContext);
       switch (query.action) {
         case 'post':
           if (
@@ -1158,7 +1158,7 @@ class ApiGateway {
     const requestStarted = new Date();
 
     try {
-      await this.assertPermission('data', context.securityContext);
+      await this.assertApiScope('data', context.securityContext);
 
       query = this.parseQueryParam(query);
       const [queryType, normalizedQueries] = await this.getNormalizedQueries(query, context);
@@ -1246,7 +1246,7 @@ class ApiGateway {
     const requestStarted = new Date();
 
     try {
-      await this.assertPermission('data', context.securityContext);
+      await this.assertApiScope('data', context.securityContext);
 
       const [queryType, normalizedQueries] = await this.getNormalizedQueries(query, context);
 
@@ -1484,7 +1484,7 @@ class ApiGateway {
     const requestStarted = new Date();
 
     try {
-      await this.assertPermission('data', context.securityContext);
+      await this.assertApiScope('data', context.securityContext);
 
       query = this.parseQueryParam(request.query);
       let resType: ResultType = ResultType.DEFAULT;
@@ -1960,49 +1960,56 @@ class ApiGateway {
     };
   }
 
-  protected createContextToPermissionsFn(
+  protected createContextToApiScopesFn(
     options: ApiGatewayOptions,
-  ): ContextToPermissionsFn {
-    return options.contextToPermissions
-      ? async (securityContext?: any, defaultPermissions?: Permission[]) => {
-        const permissions = options.contextToPermissions &&
-            await options.contextToPermissions(
+  ): ContextToApiScopesFn {
+    return options.contextToApiScopes
+      ? async (securityContext?: any, defaultApiScopes?: ApiScopes[]) => {
+        const scopes = options.contextToApiScopes &&
+            await options.contextToApiScopes(
               securityContext,
-              defaultPermissions,
+              defaultApiScopes,
             );
-        if (!permissions || !Array.isArray(permissions)) {
+        if (!scopes || !Array.isArray(scopes)) {
           throw new Error(
-            'A user-defined contextToPermissions function returns an inconsistent type.'
+            'A user-defined contextToApiScopes function returns an inconsistent type.'
           );
         } else {
-          permissions.forEach((p) => {
+          scopes.forEach((p) => {
             if (['liveliness', 'graphql', 'meta', 'data', 'jobs'].indexOf(p) === -1) {
               throw new Error(
-                `A user-defined contextToPermissions function returns a wrong permission: ${p}`
+                `A user-defined contextToApiScopes function returns a wrong scope: ${p}`
               );
             }
           });
         }
-        return permissions;
+        return scopes;
       }
-      : this.contextToPermDefFn;
+      : async () => {
+        const defaultApiScope = getEnv('defaultApiScope');
+        if (defaultApiScope) {
+          return defaultApiScope;
+        } else {
+          return this.contextToApiScopesDefFn();
+        }
+      };
   }
 
-  protected async assertPermission(
-    permission: Permission,
+  protected async assertApiScope(
+    scope: ApiScopes,
     securityContext?: any,
   ): Promise<void> {
-    const permissions =
-      await this.contextToPermFn(
+    const scopes =
+      await this.contextToApiScopesFn(
         securityContext || {},
-        await this.contextToPermDefFn(),
+        await this.contextToApiScopesDefFn(),
       );
-    const permited = permissions.indexOf(permission) >= 0;
+    const permited = scopes.indexOf(scope) >= 0;
     if (!permited) {
       throw new CubejsHandlerError(
         403,
         'Forbidden',
-        `Permission is missed: ${permission}`
+        `Api scope is missed: ${scope}`
       );
     }
   }

packages/cubejs-api-gateway/src/interfaces.ts

@@ -28,7 +28,7 @@ import {
   CheckSQLAuthSuccessResponse,
   CheckSQLAuthFn,
   CanSwitchSQLUserFn,
-  ContextToPermissionsFn,
+  ContextToApiScopesFn,
 } from './types/auth';
 
 import {
@@ -67,7 +67,7 @@ export {
   ExtendContextFn,
   ResponseResultFn,
   QueryRequest,
-  ContextToPermissionsFn,
+  ContextToApiScopesFn,
 };
 
 /**

packages/cubejs-api-gateway/src/types/auth.ts

@@ -5,12 +5,12 @@
  * Cube.js auth related data types definition.
  */
 
-import { Permission } from './strings';
+import { ApiScopes } from './strings';
 
 /**
- * Permissions tuple.
+ * ApiScopes tuple.
  */
-type PermissionsTuple = Permission[];
+type ApiScopesTuple = ApiScopes[];
 
 /**
  * Internal auth logic options object data type.
@@ -78,11 +78,11 @@ type CanSwitchSQLUserFn =
     boolean;
 
 /**
- * Returns permissions tuple from a security context.
+ * Returns scopes tuple from a security context.
  */
-type ContextToPermissionsFn =
-  (securityContext?: any, permissions?: PermissionsTuple) =>
-    Promise<PermissionsTuple>;
+type ContextToApiScopesFn =
+  (securityContext?: any, scopes?: ApiScopesTuple) =>
+    Promise<ApiScopesTuple>;
 
 export {
   CheckAuthInternalOptions,
@@ -91,6 +91,6 @@ export {
   CheckSQLAuthSuccessResponse,
   CheckSQLAuthFn,
   CanSwitchSQLUserFn,
-  PermissionsTuple,
-  ContextToPermissionsFn,
+  ApiScopesTuple,
+  ContextToApiScopesFn,
 };

packages/cubejs-api-gateway/src/types/gateway.ts

@@ -18,7 +18,7 @@ import {
   RequestLoggerMiddlewareFn,
   ContextRejectionMiddlewareFn,
   ContextAcceptorFn,
-  ContextToPermissionsFn,
+  ContextToApiScopesFn,
 } from '../interfaces';
 
 type UserBackgroundContext = {
@@ -69,7 +69,7 @@ interface ApiGatewayOptions {
    * @deprecated Use checkAuth property instead.
    */
   checkAuthMiddleware?: CheckAuthMiddlewareFn;
-  contextToPermissions?: ContextToPermissionsFn;
+  contextToApiScopes?: ContextToApiScopesFn;
 }
 
 export {

packages/cubejs-api-gateway/src/types/strings.ts

@@ -99,9 +99,9 @@ type QueryOrderType =
   'desc';
 
 /**
- * Permission data type.
+ * ApiScopes data type.
  */
-type Permission =
+type ApiScopes =
   'liveliness' |
   'graphql' |
   'meta' |
@@ -119,5 +119,5 @@ export {
   FilterOperator,
   QueryTimeDimensionGranularity,
   QueryOrderType,
-  Permission,
+  ApiScopes,
 };