fix: fix data access policies condition logic

bsod90 · bsod90 · commit a1936d24d96f · 2024-11-20T13:41:34.000-08:00
Data access policies conditions should be joined via AND operator,
but the initial implementation used OR by mistake

Also ensured that rbac smoke tests are ran as part of the CI
diff --git a/.github/actions/smoke.sh b/.github/actions/smoke.sh
@@ -55,4 +55,8 @@ echo "::endgroup::"
 
 echo "::group::MongoBI"
 yarn lerna run --concurrency 1 --stream --no-prefix smoke:mongobi
-echo "::endgroup::"
+echo "::endgroup::"
+
+echo "::group::RBAC"
+yarn lerna run --concurrency 1 --stream --no-prefix smoke:rbac
+echo "::endgroup::"
diff --git a/packages/cubejs-server-core/src/core/CompilerApi.js b/packages/cubejs-server-core/src/core/CompilerApi.js
@@ -205,7 +205,7 @@ export class CompilerApi {
         if (typeof b !== 'boolean') {
           throw new Error(`Access policy condition must return boolean, got ${JSON.stringify(b)}`);
         }
-        return a || b;
+        return a && b;
       });
     }
     return true;
diff --git a/packages/cubejs-testing/birdbox-fixtures/rbac/cube.js b/packages/cubejs-testing/birdbox-fixtures/rbac/cube.js
@@ -22,6 +22,27 @@ module.exports = {
         },
       };
     }
+    if (user === 'manager') {
+      if (password && password !== 'manager_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'manager',
+            userAttributes: {
+              region: 'CA',
+              city: 'Fresno',
+              canHaveAdmin: false,
+              minDefaultId: 10000,
+            },
+            roles: ['manager'],
+          },
+        },
+      };
+    }
     throw new Error(`User "${user}" doesn't exist`);
   }
 };
diff --git a/packages/cubejs-testing/birdbox-fixtures/rbac/model/cubes/line_items.js b/packages/cubejs-testing/birdbox-fixtures/rbac/model/cubes/line_items.js
@@ -72,5 +72,23 @@ cube('line_items', {
         excludes: ['created_at'],
       },
     },
+    {
+      role: 'manager',
+      conditions: [
+        {
+          if: security_context.auth?.userAttributes?.region === 'CA',
+        },
+        {
+          // This condition should not match the one defined in the "manager" mock context
+          if: security_context.auth?.userAttributes?.region === 'San Francisco',
+        },
+      ],
+      rowLevel: {
+        allowAll: true,
+      },
+      memberLevel: {
+        excludes: ['created_at'],
+      },
+    },
   ],
 });
diff --git a/packages/cubejs-testing/package.json b/packages/cubejs-testing/package.json
@@ -73,7 +73,7 @@
     "smoke:postgres": "jest --verbose -i dist/test/smoke-postgres.test.js",
     "smoke:redshift": "jest --verbose -i dist/test/smoke-redshift.test.js",
     "smoke:redshift:snapshot": "jest --verbose --updateSnapshot -i dist/test/smoke-redshift.test.js",
-    "smoke:rbac": "TZ=UTC jest --verbose --forceExit -i dist/test/smoke-rbac.test.js",
+    "smoke:rbac": "TZ=UTC jest --verbose -i dist/test/smoke-rbac.test.js",
     "smoke:cubesql": "TZ=UTC jest --verbose --forceExit -i dist/test/smoke-cubesql.test.js",
     "smoke:cubesql:snapshot": "TZ=UTC jest --verbose --forceExit --updateSnapshot -i dist/test/smoke-cubesql.test.js",
     "smoke:prestodb": "jest --verbose -i dist/test/smoke-prestodb.test.js",
diff --git a/packages/cubejs-testing/test/__snapshots__/smoke-rbac.test.ts.snap b/packages/cubejs-testing/test/__snapshots__/smoke-rbac.test.ts.snap
diff --git a/packages/cubejs-testing/test/smoke-rbac.test.ts b/packages/cubejs-testing/test/smoke-rbac.test.ts

Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ export class CompilerApi {`
`205`	`205`	`if (typeof b !== 'boolean') {`
`206`	`206`	throw new Error(`Access policy condition must return boolean, got ${JSON.stringify(b)}`);
`207`	`207`	`}`
`208`		`- return a \|\| b;`
	`208`	`+ return a && b;`
`209`	`209`	`});`
`210`	`210`	`}`
`211`	`211`	`return true;`