code review fixes

Author: bsod90

packages/cubejs-schema-compiler/src/compiler/CompilerCache.ts

@@ -4,6 +4,8 @@ import { QueryCache } from '../adapter/QueryCache';
 export class CompilerCache extends QueryCache {
   protected readonly queryCache: LRUCache<string, QueryCache>;
 
+  protected readonly rbacCache: LRUCache<string, any>;
+
   public constructor({ maxQueryCacheSize, maxQueryCacheAge }) {
     super();
 
@@ -12,6 +14,15 @@ export class CompilerCache extends QueryCache {
       maxAge: (maxQueryCacheAge * 1000) || 1000 * 60 * 10,
       updateAgeOnGet: true
     });
+
+    this.rbacCache = new LRUCache({
+      max: 10000,
+      maxAge: 1000 * 60 * 5, // 5 minutes
+    });
+  }
+
+  public getRbacCacheInstance(): LRUCache<string, any> {
+    return this.rbacCache;
   }
 
   public getQueryCache(key: unknown): QueryCache {

packages/cubejs-schema-compiler/src/compiler/CubeSymbols.js

@@ -13,6 +13,7 @@ const CONTEXT_SYMBOLS = {
   // SECURITY_CONTEXT has been deprecated, however security_context (lowecase)
   // is allowed in RBAC policies for query-time attribute matching
   security_context: 'securityContext',
+  securityContext: 'securityContext',
   FILTER_PARAMS: 'filterParams',
   FILTER_GROUP: 'filterGroup',
   SQL_UTILS: 'sqlUtils'

packages/cubejs-schema-compiler/test/unit/yaml-schema.test.ts

@@ -374,11 +374,16 @@ describe('Yaml Schema Testing', () => {
                   - member: status
                     operator: equals
                     values: ["completed"]
-                  - member: "{CUBE}.created_at"
-                    operator: notInDateRange
-                    values:
-                      - 2022-01-01
-                      - "{ security_context.currentDate }"
+                  - or:
+                    - member: "{CUBE}.created_at"
+                      operator: notInDateRange
+                      values:
+                        - 2022-01-01
+                        - "{ security_context.currentDate }"
+                    - member: "created_at"
+                      operator: equals
+                      values:
+                        - "{ securityContext.currentDate }"
               memberLevel:
                 includes:
                   - status

packages/cubejs-server-core/src/core/CompilerApi.js

@@ -30,10 +30,6 @@ export class CompilerApi {
     this.sqlCache = options.sqlCache;
     this.standalone = options.standalone;
     this.nativeInstance = this.createNativeInstance();
-    this.rbacEvaluationCache = new LRUCache({
-      max: 10000,
-      maxAge: 1000 * 60 * 5, // 5 minutes
-    });
   }
 
   setGraphQLSchema(schema) {
@@ -227,20 +223,21 @@ export class CompilerApi {
     return context.__hash;
   }
 
-  async getApplicablePolicies(cube, context, cubeEvaluator) {
+  async getApplicablePolicies(cube, context, compilers) {
+    const cache = compilers.compilerCache.getRbacCacheInstance();
     const cacheKey = `${cube.name}_${this.hashRequestContext(context)}`;
-    if (!this.rbacEvaluationCache.has(cacheKey)) {
+    if (!cache.has(cacheKey)) {
       const userRoles = await this.getRolesFromContext(context);
       const policies = cube.accessPolicy.filter(policy => {
         const evaluatedConditions = (policy.conditions || []).map(
-          condition => cubeEvaluator.evaluateContextFunction(cube, condition.if, context)
+          condition => compilers.cubeEvaluator.evaluateContextFunction(cube, condition.if, context)
         );
         const res = this.userHasRole(userRoles, policy.role) && this.roleMeetsConditions(evaluatedConditions);
         return res;
       });
-      this.rbacEvaluationCache.set(cacheKey, policies);
+      cache.set(cacheKey, policies);
     }
-    return this.rbacEvaluationCache.get(cacheKey);
+    return cache.get(cacheKey);
   }
 
   evaluateNestedFilter(filter, cube, context, cubeEvaluator) {
@@ -277,7 +274,8 @@ export class CompilerApi {
    * - combining cube and view filters with AND
   */
   async applyRowLevelSecurity(query, context) {
-    const { cubeEvaluator } = await this.getCompilers({ requestId: query.requestId });
+    const compilers = await this.getCompilers({ requestId: query.requestId });
+    const { cubeEvaluator } = compilers;
 
     if (!cubeEvaluator.isRbacEnabled()) {
       return query;
@@ -297,7 +295,7 @@ export class CompilerApi {
 
       if (cubeEvaluator.isRbacEnabledForCube(cube)) {
         let hasRoleWithAccess = false;
-        const userPolicies = await this.getApplicablePolicies(cube, context, cubeEvaluator);
+        const userPolicies = await this.getApplicablePolicies(cube, context, compilers);
 
         for (const policy of userPolicies) {
           hasRoleWithAccess = true;
@@ -323,7 +321,7 @@ export class CompilerApi {
           query.segments.push({
             expression: () => '1 = 0',
             cubeName: cube.name,
-            name: 'RLS Access Denied',
+            name: 'rlsAccessDenied',
           });
           // If we hit this condition there's no need to evaluate the rest of the policy
           break;
@@ -336,7 +334,6 @@ export class CompilerApi {
       viewFiltersPerCubePerRole,
       hasAllowAllForCube
     );
-    console.lg('RLS Filter', JSON.stringify(rlsFilter, null, 2));
     query.filters = query.filters || [];
     query.filters.push(rlsFilter);
     return query;
@@ -430,8 +427,9 @@ export class CompilerApi {
    * It evaluates all applicable memeberLevel accessPolicies givean a context
    * and retains members that are allowed by any policy (most permissive set).
   */
-  async filterVisibilityByAccessPolicy(cubeEvaluator, context, cubes) {
+  async filterVisibilityByAccessPolicy(compilers, context, cubes) {
     const isMemberVisibleInContext = {};
+    const { cubeEvaluator } = compilers;
 
     if (!cubeEvaluator.isRbacEnabled()) {
       return cubes;
@@ -440,7 +438,7 @@ export class CompilerApi {
     for (const cube of cubes) {
       const evaluatedCube = cubeEvaluator.cubeFromPath(cube.config.name);
       if (cubeEvaluator.isRbacEnabledForCube(evaluatedCube)) {
-        const applicablePolicies = await this.getApplicablePolicies(evaluatedCube, context, cubeEvaluator);
+        const applicablePolicies = await this.getApplicablePolicies(evaluatedCube, context, compilers);
 
         const computeMemberVisibility = (item) => {
           let isIncluded = false;
@@ -498,7 +496,7 @@ export class CompilerApi {
     const compilers = await this.getCompilers(restOptions);
     const { cubes } = compilers.metaTransformer;
     const filteredCubes = await this.filterVisibilityByAccessPolicy(
-      compilers.cubeEvaluator,
+      compilers,
       requestContext,
       cubes
     );
@@ -512,15 +510,15 @@ export class CompilerApi {
   }
 
   async metaConfigExtended(requestContext, options) {
-    const { metaTransformer, cubeEvaluator } = await this.getCompilers(options);
+    const compilers = await this.getCompilers(options);
     const filteredCubes = await this.filterVisibilityByAccessPolicy(
-      cubeEvaluator,
+      compilers,
       requestContext,
-      metaTransformer?.cubes
+      compilers.metaTransformer?.cubes
     );
     return {
       metaConfig: filteredCubes,
-      cubeDefinitions: metaTransformer?.cubeEvaluator?.cubeDefinitions,
+      cubeDefinitions: compilers.metaTransformer?.cubeEvaluator?.cubeDefinitions,
     };
   }