feat(server-core, api-gateway): Permissions API (#6240)

Author: buntarb

packages/cubejs-api-gateway/src/gateway.ts

@@ -28,6 +28,7 @@ import {
   CheckSQLAuthSuccessResponse,
   CheckSQLAuthFn,
   CanSwitchSQLUserFn,
+  ContextToPermissionsFn,
 } from './types/auth';
 
 import {
@@ -66,6 +67,7 @@ export {
   ExtendContextFn,
   ResponseResultFn,
   QueryRequest,
+  ContextToPermissionsFn,
 };
 
 /**

packages/cubejs-api-gateway/src/interfaces.ts

@@ -5,6 +5,13 @@
  * Cube.js auth related data types definition.
  */
 
+import { Permission } from './strings';
+
+/**
+ * Permissions tuple.
+ */
+type PermissionsTuple = Permission[];
+
 /**
  * Internal auth logic options object data type.
  */
@@ -70,11 +77,19 @@ type CanSwitchSQLUserFn =
     Promise<boolean> |
     boolean;
 
+/**
+ * Returns permissions tuple from a security context.
+ */
+type ContextToPermissionsFn =
+  (securityContext?: any) => Promise<PermissionsTuple>;
+
 export {
   CheckAuthInternalOptions,
   JWTOptions,
   CheckAuthFn,
   CheckSQLAuthSuccessResponse,
   CheckSQLAuthFn,
   CanSwitchSQLUserFn,
+  PermissionsTuple,
+  ContextToPermissionsFn,
 };

packages/cubejs-api-gateway/src/types/auth.ts

@@ -18,6 +18,7 @@ import {
   RequestLoggerMiddlewareFn,
   ContextRejectionMiddlewareFn,
   ContextAcceptorFn,
+  ContextToPermissionsFn,
 } from '../interfaces';
 
 type UserBackgroundContext = {
@@ -68,6 +69,7 @@ interface ApiGatewayOptions {
    * @deprecated Use checkAuth property instead.
    */
   checkAuthMiddleware?: CheckAuthMiddlewareFn;
+  contextToPermissions?: ContextToPermissionsFn;
 }
 
 export {

packages/cubejs-api-gateway/src/types/gateway.ts

@@ -98,6 +98,16 @@ type QueryOrderType =
   'asc' |
   'desc';
 
+/**
+ * Permission data type.
+ */
+type Permission =
+  'liveliness' |
+  'graphql' |
+  'meta' |
+  'data' |
+  'jobs';
+
 export {
   RequestType,
   ResultType,
@@ -109,4 +119,5 @@ export {
   FilterOperator,
   QueryTimeDimensionGranularity,
   QueryOrderType,
+  Permission,
 };

packages/cubejs-api-gateway/src/types/strings.ts

@@ -0,0 +1,195 @@
+import express from 'express';
+import request from 'supertest';
+import { ApiGateway, ApiGatewayOptions, Query, Request } from '../src';
+import {
+  compilerApi,
+  DataSourceStorageMock,
+  AdapterApiMock
+} from './mocks';
+
+const API_SECRET = 'secret';
+const AUTH_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.t-IDcSemACt8x4iTMCda8Yhe3iZaWbvV5XKSTbuAn0M';
+const logger = () => undefined;
+function createApiGateway(
+  options: Partial<ApiGatewayOptions> = {}
+) {
+  process.env.NODE_ENV = 'production';
+
+  const app = express();
+  const adapterApi: any = new AdapterApiMock();
+  const dataSourceStorage: any = new DataSourceStorageMock();
+  const apiGateway = new ApiGateway(API_SECRET, compilerApi, () => adapterApi, logger, {
+    standalone: true,
+    dataSourceStorage,
+    basePath: '/cubejs-api',
+    refreshScheduler: {},
+    ...options,
+  });
+  apiGateway.initApp(app);
+  return {
+    app,
+    apiGateway,
+    dataSourceStorage,
+    adapterApi
+  };
+}
+
+describe('Gateway permissions', () => {
+  test('Liveliness declined', async () => {
+    const { app, apiGateway } = createApiGateway({
+      contextToPermissions: async () => new Promise((resolve) => {
+        resolve(['graphql', 'meta', 'data', 'jobs']);
+      }),
+    });
+  
+    await request(app)
+      .get('/readyz')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(200);
+  
+    await request(app)
+      .get('/livez')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(200);
+  
+    apiGateway.release();
+  });
+
+  test('GraphQL declined', async () => {
+    const { app, apiGateway } = createApiGateway({
+      contextToPermissions: async () => new Promise((resolve) => {
+        resolve(['liveliness', 'meta', 'data', 'jobs']);
+      }),
+    });
+
+    const res = await request(app)
+      .get('/cubejs-api/graphql')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res.body && res.body.error)
+      .toStrictEqual('Permission is not allowed: graphql');
+
+    apiGateway.release();
+  });
+
+  test('Meta declined', async () => {
+    const { app, apiGateway } = createApiGateway({
+      contextToPermissions: async () => new Promise((resolve) => {
+        resolve(['liveliness', 'graphql', 'data', 'jobs']);
+      }),
+    });
+
+    const res1 = await request(app)
+      .get('/cubejs-api/v1/meta')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res1.body && res1.body.error)
+      .toStrictEqual('Permission is not allowed: meta');
+
+    const res2 = await request(app)
+      .post('/cubejs-api/v1/pre-aggregations/can-use')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res2.body && res2.body.error)
+      .toStrictEqual('Permission is not allowed: meta');
+
+    apiGateway.release();
+  });
+
+  test('Data declined', async () => {
+    const { app, apiGateway } = createApiGateway({
+      contextToPermissions: async () => new Promise((resolve) => {
+        resolve(['liveliness', 'graphql', 'meta', 'jobs']);
+      }),
+    });
+
+    const res1 = await request(app)
+      .get('/cubejs-api/v1/load')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res1.body && res1.body.error)
+      .toStrictEqual('Permission is not allowed: data');
+
+    const res2 = await request(app)
+      .post('/cubejs-api/v1/load')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res2.body && res2.body.error)
+      .toStrictEqual('Permission is not allowed: data');
+
+    const res3 = await request(app)
+      .get('/cubejs-api/v1/subscribe')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res3.body && res3.body.error)
+      .toStrictEqual('Permission is not allowed: data');
+
+    const res4 = await request(app)
+      .get('/cubejs-api/v1/sql')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res4.body && res4.body.error)
+      .toStrictEqual('Permission is not allowed: data');
+
+    const res5 = await request(app)
+      .post('/cubejs-api/v1/sql')
+      .set('Content-type', 'application/json')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res5.body && res5.body.error)
+      .toStrictEqual('Permission is not allowed: data');
+
+    const res6 = await request(app)
+      .get('/cubejs-api/v1/dry-run')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res6.body && res6.body.error)
+      .toStrictEqual('Permission is not allowed: data');
+
+    const res7 = await request(app)
+      .post('/cubejs-api/v1/dry-run')
+      .set('Content-type', 'application/json')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res7.body && res7.body.error)
+      .toStrictEqual('Permission is not allowed: data');
+
+    apiGateway.release();
+  });
+
+  test('Jobs declined', async () => {
+    const { app, apiGateway } = createApiGateway({
+      contextToPermissions: async () => new Promise((resolve) => {
+        resolve(['liveliness', 'graphql', 'data', 'meta']);
+      }),
+    });
+
+    const res1 = await request(app)
+      .post('/cubejs-api/v1/pre-aggregations/jobs')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res1.body && res1.body.error)
+      .toStrictEqual('Permission is not allowed: jobs');
+
+    const res2 = await request(app)
+      .get('/cubejs-api/v1/run-scheduled-refresh')
+      .set('Authorization', AUTH_TOKEN)
+      .expect(403);
+
+    expect(res2.body && res2.body.error)
+      .toStrictEqual('Permission is not allowed: jobs');
+
+    apiGateway.release();
+  });
+});

packages/cubejs-api-gateway/test/permissions.test.ts

@@ -64,6 +64,7 @@ const schemaOptions = Joi.object().keys({
   contextToAppId: Joi.func(),
   contextToOrchestratorId: Joi.func(),
   contextToDataSourceId: Joi.func(),
+  contextToPermissions: Joi.func(),
   repositoryFactory: Joi.func(),
   checkAuth: Joi.func(),
   checkAuthMiddleware: Joi.func(),

packages/cubejs-server-core/src/core/optionsValidate.ts

@@ -456,6 +456,7 @@ export class CubejsServerCore {
         scheduledRefreshContexts: this.options.scheduledRefreshContexts,
         scheduledRefreshTimeZones: this.options.scheduledRefreshTimeZones,
         serverCoreVersion: this.coreServerVersion,
+        contextToPermissions: this.options.contextToPermissions,
       }
     ));
   }

packages/cubejs-server-core/src/core/server.ts

@@ -8,6 +8,7 @@ import {
   QueryRewriteFn,
   CheckSQLAuthFn,
   CanSwitchSQLUserFn,
+  ContextToPermissionsFn,
 } from '@cubejs-backend/api-gateway';
 import { BaseDriver, RedisPoolOptions, CacheAndQueryDriverType } from '@cubejs-backend/query-orchestrator';
 import { BaseQuery } from '@cubejs-backend/schema-compiler';
@@ -173,6 +174,7 @@ export interface CreateOptions {
   cacheAndQueueDriver?: CacheAndQueryDriverType;
   contextToAppId?: ContextToAppIdFn;
   contextToOrchestratorId?: ContextToOrchestratorIdFn;
+  contextToPermissions?: ContextToPermissionsFn;
   repositoryFactory?: (context: RequestContext) => SchemaFileRepository;
   checkAuthMiddleware?: CheckAuthMiddlewareFn;
   checkAuth?: CheckAuthFn;