Support access: security policies on Explore and Canvas resourc…

…es (#5728)
rilldata · Sep 20, 2024 · 10c6897 · 10c6897 · github-actions · Sep 20, 2024
1 parent 792b3fa
commit 10c6897
Show file tree

Hide file tree

Showing 10 changed files with 289 additions and 194 deletions.
diff --git a/proto/gen/rill/runtime/v1/resources.pb.go b/proto/gen/rill/runtime/v1/resources.pb.go
diff --git a/proto/gen/rill/runtime/v1/resources.pb.validate.go b/proto/gen/rill/runtime/v1/resources.pb.validate.go
diff --git a/proto/gen/rill/runtime/v1/runtime.swagger.yaml b/proto/gen/rill/runtime/v1/runtime.swagger.yaml
@@ -3385,6 +3385,11 @@ definitions:
         items:
           type: object
           $ref: '#/definitions/v1CanvasItem'
+      securityRules:
+        type: array
+        items:
+          type: object
+          $ref: '#/definitions/v1SecurityRule'
   v1CanvasState:
     type: object
     properties:

diff --git a/proto/rill/runtime/v1/resources.proto b/proto/rill/runtime/v1/resources.proto
@@ -641,6 +641,7 @@ message CanvasSpec {
   uint32 gap = 3;
   repeated ComponentVariable variables = 5;
   repeated CanvasItem items = 4;
+  repeated SecurityRule security_rules = 6;
 }
 
 message CanvasState {

diff --git a/runtime/compilers/rillv1/parse_canvas.go b/runtime/compilers/rillv1/parse_canvas.go
@@ -22,6 +22,7 @@ type CanvasYAML struct {
 		Width     *uint32   `yaml:"width"`
 		Height    *uint32   `yaml:"height"`
 	} `yaml:"items"`
+	Security *SecurityPolicyYAML `yaml:"security"`
 }
 
 func (p *Parser) parseCanvas(node *Node) error {
@@ -80,6 +81,17 @@ func (p *Parser) parseCanvas(node *Node) error {
 		node.Refs = append(node.Refs, ResourceName{Kind: ResourceKindComponent, Name: component})
 	}
 
+	// Parse security rules
+	rules, err := tmp.Security.Proto()
+	if err != nil {
+		return err
+	}
+	for _, rule := range rules {
+		if rule.GetAccess() == nil {
+			return fmt.Errorf("the 'canvas' resource type only supports 'access' security rules")
+		}
+	}
+
 	// Track canvas
 	r, err := p.insertResource(ResourceKindCanvas, node.Name, node.Paths, node.Refs...)
 	if err != nil {
@@ -92,6 +104,7 @@ func (p *Parser) parseCanvas(node *Node) error {
 	r.CanvasSpec.Gap = tmp.Gap
 	r.CanvasSpec.Variables = variables
 	r.CanvasSpec.Items = items
+	r.CanvasSpec.SecurityRules = rules
 
 	// Track inline components
 	for _, def := range inlineComponentDefs {

diff --git a/runtime/compilers/rillv1/parse_explore.go b/runtime/compilers/rillv1/parse_explore.go
@@ -29,6 +29,7 @@ type ExploreYAML struct {
 		ComparisonMode      string     `yaml:"comparison_mode"`
 		ComparisonDimension string     `yaml:"comparison_dimension"`
 	} `yaml:"presets"`
+	Security *SecurityPolicyYAML `yaml:"security"`
 }
 
 // NamesYAML parses a list of names with support for a '*' scalar for all names,
@@ -268,6 +269,17 @@ func (p *Parser) parseExplore(node *Node) error {
 		})
 	}
 
+	// Build security rules
+	rules, err := tmp.Security.Proto()
+	if err != nil {
+		return err
+	}
+	for _, rule := range rules {
+		if rule.GetAccess() == nil {
+			return fmt.Errorf("the 'explore' resource type only supports 'access' security rules")
+		}
+	}
+
 	// Track explore
 	r, err := p.insertResource(ResourceKindExplore, node.Name, node.Paths, node.Refs...)
 	if err != nil {
@@ -286,6 +298,7 @@ func (p *Parser) parseExplore(node *Node) error {
 	r.ExploreSpec.TimeRanges = timeRanges
 	r.ExploreSpec.TimeZones = tmp.TimeZones
 	r.ExploreSpec.Presets = presets
+	r.ExploreSpec.SecurityRules = rules
 
 	return nil
 }
diff --git a/runtime/compilers/rillv1/parse_metrics_view.go b/runtime/compilers/rillv1/parse_metrics_view.go
@@ -53,7 +53,7 @@ type MetricsViewYAML struct {
 		Ignore              bool   `yaml:"ignore"` // Deprecated
 		ValidPercentOfTotal bool   `yaml:"valid_percent_of_total"`
 	}
-	Security *MetricsViewSecurityPolicyYAML
+	Security *SecurityPolicyYAML
 
 	// DEPRECATED FIELDS
 	DefaultTimeRange   string   `yaml:"default_time_range"`
@@ -191,7 +191,7 @@ func (f *MetricsViewMeasureWindow) UnmarshalYAML(v *yaml.Node) error {
 	return nil
 }
 
-type MetricsViewSecurityPolicyYAML struct {
+type SecurityPolicyYAML struct {
 	Access    string `yaml:"access"`
 	RowFilter string `yaml:"row_filter"`
 	Include   []*struct {
@@ -202,10 +202,10 @@ type MetricsViewSecurityPolicyYAML struct {
 		Condition string    `yaml:"if"`
 		Names     yaml.Node // []string or "*" (will be parsed with parseNamesYAML)
 	}
-	Rules []*MetricsViewSecurityRuleYAML `yaml:"rules"`
+	Rules []*SecurityRuleYAML `yaml:"rules"`
 }
 
-func (p *MetricsViewSecurityPolicyYAML) Proto() ([]*runtimev1.SecurityRule, error) {
+func (p *SecurityPolicyYAML) Proto() ([]*runtimev1.SecurityRule, error) {
 	var rules []*runtimev1.SecurityRule
 	if p == nil {
 		return rules, nil
@@ -355,7 +355,7 @@ func (p *MetricsViewSecurityPolicyYAML) Proto() ([]*runtimev1.SecurityRule, erro
 	return rules, nil
 }
 
-type MetricsViewSecurityRuleYAML struct {
+type SecurityRuleYAML struct {
 	Type   string
 	Action string
 	If     string
@@ -364,7 +364,7 @@ type MetricsViewSecurityRuleYAML struct {
 	SQL    string
 }
 
-func (r *MetricsViewSecurityRuleYAML) Proto() (*runtimev1.SecurityRule, error) {
+func (r *SecurityRuleYAML) Proto() (*runtimev1.SecurityRule, error) {
 	condition := r.If
 	if condition != "" {
 		tmp, err := ResolveTemplate(condition, validationTemplateData)

diff --git a/runtime/security.go b/runtime/security.go
@@ -297,9 +297,17 @@ func (p *securityEngine) resolveRules(claims *SecurityClaims, r *runtimev1.Resou
 	// Everyone can access a component.
 	case ResourceKindComponent:
 		rules = append(rules, allowAccessRule)
-	// Everyone can access a canvas.
+	// Determine access using the canvas' security rules. If there are none, then everyone can access it.
 	case ResourceKindCanvas:
-		rules = append(rules, allowAccessRule)
+		spec := r.GetCanvas().State.ValidSpec
+		if spec == nil {
+			spec = r.GetCanvas().Spec // Not ideal, but better than giving access to the full resource
+		}
+		if len(spec.SecurityRules) == 0 {
+			rules = append(rules, allowAccessRule)
+		} else {
+			rules = append(rules, spec.SecurityRules...)
+		}
 	// Determine access using the metrics view's security rules. If there are none, then everyone can access it.
 	case ResourceKindMetricsView:
 		spec := r.GetMetricsView().State.ValidSpec

diff --git a/web-common/src/proto/gen/rill/runtime/v1/resources_pb.ts b/web-common/src/proto/gen/rill/runtime/v1/resources_pb.ts
@@ -4177,6 +4177,11 @@ export class CanvasSpec extends Message<CanvasSpec> {
    */
   items: CanvasItem[] = [];
 
+  /**
+   * @generated from field: repeated rill.runtime.v1.SecurityRule security_rules = 6;
+   */
+  securityRules: SecurityRule[] = [];
+
   constructor(data?: PartialMessage<CanvasSpec>) {
     super();
     proto3.util.initPartial(data, this);
@@ -4190,6 +4195,7 @@ export class CanvasSpec extends Message<CanvasSpec> {
     { no: 3, name: "gap", kind: "scalar", T: 13 /* ScalarType.UINT32 */ },
     { no: 5, name: "variables", kind: "message", T: ComponentVariable, repeated: true },
     { no: 4, name: "items", kind: "message", T: CanvasItem, repeated: true },
+    { no: 6, name: "security_rules", kind: "message", T: SecurityRule, repeated: true },
   ]);
 
   static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): CanvasSpec {

diff --git a/web-common/src/runtime-client/gen/index.schemas.ts b/web-common/src/runtime-client/gen/index.schemas.ts
@@ -2206,6 +2206,7 @@ export interface V1CanvasSpec {
   gap?: number;
   variables?: V1ComponentVariable[];
   items?: V1CanvasItem[];
+  securityRules?: V1SecurityRule[];
 }
 
 export interface V1CanvasState {