feat(cubejs-api-gateway): Add scope check to sql runner (#6053)

wolfeeeg · web-flow · commit d79d3aae32ce · 2023-02-01T14:02:12.000+03:00
diff --git a/packages/cubejs-api-gateway/src/gateway.ts b/packages/cubejs-api-gateway/src/gateway.ts
@@ -354,10 +354,12 @@ class ApiGateway {
         this.preAggregationsJobs.bind(this),
       );
 
+      const sqlRunnerMiddlewares = [...systemMiddlewares, this.checkSqlRunnerScope];
+
       app.post(
         '/cubejs-system/v1/sql-runner',
         jsonParser,
-        systemMiddlewares,
+        sqlRunnerMiddlewares,
         async (req: Request, res: Response) => {
           await this.sqlRunner({
             query: req.body.query,
@@ -370,7 +372,7 @@ class ApiGateway {
       app.get(
         '/cubejs-system/v1/data-sources',
         jsonParser,
-        systemMiddlewares,
+        sqlRunnerMiddlewares,
         async (req: Request, res: Response) => {
           await this.dataSources({
             context: req.context,
@@ -2040,6 +2042,24 @@ class ApiGateway {
   protected checkAuthSystemMiddleware: RequestHandler = async (req, res, next) => {
     await this.checkAuthWrapper(this.checkAuthSystemFn, req, res, next);
   };
+  
+  protected checkSqlRunnerScope: RequestHandler = async (req: Request, res: Response, next: NextFunction) => {
+    await this.checkAuthWrapper(
+      async () => {
+        if (
+          !getEnv('devMode') &&
+          (!req.context?.securityContext?.scope ||
+          !Array.isArray(req.context?.securityContext?.scope) ||
+          !req.context?.securityContext?.scope.includes('sql-runner'))
+        ) {
+          throw new CubejsHandlerError(403, 'Forbidden', 'Sql-runner scope is missing.');
+        }
+      },
+      req,
+      res,
+      next
+    );
+  };
 
   protected requestContextMiddleware: RequestHandler = async (req: Request, res: Response, next: NextFunction) => {
     req.context = await this.contextByReq(req, req.securityContext, getRequestIdFromRequest(req));
diff --git a/packages/cubejs-api-gateway/test/index.test.ts b/packages/cubejs-api-gateway/test/index.test.ts
@@ -447,7 +447,7 @@ describe('API Gateway', () => {
 
     const scheduledRefreshTimeZonesFactory = () => (['UTC', 'America/Los_Angeles']);
 
-    const appPrepareFactory = () => {
+    const appPrepareFactory = (scope?: string[]) => {
       const playgroundAuthSecret = 'test12345';
       const { app } = createApiGateway(
         new AdapterApiMock(),
@@ -460,7 +460,7 @@ describe('API Gateway', () => {
           scheduledRefreshTimeZones: scheduledRefreshTimeZonesFactory()
         }
       );
-      const token = generateAuthToken({ uid: 5, }, {}, playgroundAuthSecret);
+      const token = generateAuthToken({ uid: 5, scope }, {}, playgroundAuthSecret);
       const tokenUser = generateAuthToken({ uid: 5, }, {}, API_SECRET);
 
       return { app, token, tokenUser };
@@ -490,8 +490,8 @@ describe('API Gateway', () => {
         .expect(404);
     };
 
-    const successTestFactory = ({ route, method = 'get', successBody = {}, successResult }) => async () => {
-      const { app, token } = appPrepareFactory();
+    const successTestFactory = ({ route, method = 'get', successBody = {}, successResult, scope = [''] }) => async () => {
+      const { app, token } = appPrepareFactory(scope);
 
       const req = request(app)[method](`/cubejs-system/v1/${route}`)
         .set('Content-type', 'application/json')
@@ -504,18 +504,19 @@ describe('API Gateway', () => {
       expect(res.body).toMatchObject(successResult);
     };
        
-    const wrongPayloadsTestFactory = ({ route, wrongPayloads }: {
+    const wrongPayloadsTestFactory = ({ route, wrongPayloads, scope }: {
       route: string,
       method: string,
+      scope?: string[],
       wrongPayloads: {
         result: {
           status: number,
           error: string
         },
-        body: {}
+        body: {},
       }[]
     }) => async () => {
-      const { app, token } = appPrepareFactory();
+      const { app, token } = appPrepareFactory(scope);
 
       for (const payload of wrongPayloads) {
         const req = request(app).post(`/cubejs-system/v1/${route}`)
@@ -551,6 +552,7 @@ describe('API Gateway', () => {
       },
       {
         route: 'sql-runner',
+        scope: ['sql-runner'],
         method: 'post',
         successBody: {
           query: {
@@ -592,7 +594,7 @@ describe('API Gateway', () => {
           }
         }]
       },
-      { route: 'data-sources', successResult: { dataSources: [{ dataSource: 'default', dbType: 'postgres' }] } },
+      { route: 'data-sources', scope: ['sql-runner'], successResult: { dataSources: [{ dataSource: 'default', dbType: 'postgres' }] } },
     ];
 
     testConfigs.forEach((config) => {
