fix: Support not in access policy conditions (cube-js#10767)

* feat: add RBAC smoke test for group-based conditional region row filtering

Add a test that verifies group-based conditional row filtering:
- region_test cube backed by users table (id, city, count)
- region_test_view with an access policy for user_group that
  conditionally applies a row filter based on region_group membership
- region_user (user_group + region_group): sees only San Francisco rows
- region_user_no_filter (user_group only): sees all rows

The access policy checks security_context.auth.groups for region_group
membership. If present, it filters rows by the user's region attribute.
If absent, it grants allow_all (no row filter).

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* fix: use line_items table, group-based conditions, and MEASURE syntax

- Switch region_test cube to use public.line_items table to avoid
  cross-contamination from the users cube's RBAC city filter
- Add cube-level allowAll access policy so view policies can layer
  on top correctly
- Use group-based (user_group) policies with conditions to check
  hasRegionFilter user attribute for conditional row filtering
- Use MEASURE() syntax for aggregate count queries
- Both users have groups only (no roles needed) — view policy uses
  group: 'user_group' with conditions for mutual exclusivity

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* feat: allow security_context evaluation at rowLevel in access policies

Enable security_context to be used directly at the rowLevel property
of access policies, allowing the entire filter structure to be
controlled dynamically based on the user's security context.

Changes:
- CubePropContextTranspiler: add special handling to transpile
  rowLevel/row_level when its value is an expression (not an object
  literal), wrapping it in an arrow function with securityContext
- CubeValidator: accept Joi.func() as alternative for rowLevel,
  alongside the existing RowLevelPolicySchema object
- CompilerApi: resolve rowLevel via evaluateContextFunction when it
  is a function, and process the returned raw filters through a new
  evaluateRawFilter method that handles uncompiled member references
- Update test to use the cleaner syntax where security_context
  controls the rowLevel structure directly via groups.includes()

This enables patterns like:
  rowLevel: security_context.auth?.groups?.includes('region_group')
    ? { filters: [{ member: 'col', operator: 'equals', values: ... }] }
    : { allowAll: true }

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* refactor: convert region_test_view from JS to YAML

Replace the JS view with a YAML view that uses two mutually exclusive
conditions on the user_group access policy:
- hasRegionFilter (truthy) -> filters by allowedProductIds
- noRegionFilter (truthy) -> allow_all

Users carry complementary boolean attributes so the YAML conditions
(which only support truthy checks, not comparisons or negation) can
distinguish the two cases without policy overlap.

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* refactor: use group-based policies instead of attribute-based conditions

Replace attribute-based conditions (hasRegionFilter/noRegionFilter) with
pure group-based policy scoping:
- group: region_group — row filter by allowedProductIds
- group: user_group — allow_all

Each user belongs to exactly one group so only one policy matches,
avoiding the union overlap problem without needing conditions.

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* refactor: revert core changes, use conditions with groups.includes() check

Revert all changes to cubejs-schema-compiler and cubejs-server-core.
Use standard access policy conditions to check security context groups:

- Two mutually exclusive user_group policies with conditions:
  - if: security_context.auth?.groups?.includes('region_group')
    → filters by allowedProductIds
  - if: !security_context.auth?.groups?.includes('region_group')
    → allowAll

- region_user has both ['user_group', 'region_group'] and is
  correctly filtered because the condition routes to the filter
  policy, not the allowAll policy.

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* refactor: convert region_test_view to YAML with group-scoped policies

Replace JS view with YAML view using two group-scoped policies:
- group: region_group — filters by allowedProductIds
- group: user_group — allow_all

Users belong to exactly one group to avoid the union-overlap problem
where allow_all would override the filter. No core changes.

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* fix: use JS view with groups.includes() conditions for both-groups support

A user with both user_group and region_group must be filtered by
region_group. This requires mutually exclusive conditions checking
groups.includes('region_group') — which needs JS (not YAML, since
the YAML Python parser cannot express negation).

Single user_group policy with two condition branches:
- groups.includes('region_group') → filter by allowedProductIds
- !groups.includes('region_group') → allowAll

No core changes. region_user now has ['user_group', 'region_group']
and is correctly filtered.

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

* feat: add not/and/or support to YAML Python parser, convert view to YAML

Add support for Python boolean operators in the YAML expression parser:
- not → JS ! (unary negation)
- and → JS && (logical AND)
- or  → JS || (logical OR)

This enables YAML access policy conditions like:
  if: "{ not (security_context.auth.groups and security_context.auth.groups.includes('region_group')) }"

Convert region_test_view from JS to YAML using the new operators
for null-safe group membership checks in conditions.

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Author: paveltiunov

packages/cubejs-schema-compiler/src/parser/PythonParser.ts

@@ -18,6 +18,12 @@ import Python3Parser, {
   Single_string_template_atomContext,
   ArglistContext,
   CallArgumentsContext,
+  // eslint-disable-next-line camelcase
+  Not_testContext,
+  // eslint-disable-next-line camelcase
+  And_testContext,
+  // eslint-disable-next-line camelcase
+  Or_testContext,
 } from './Python3Parser';
 import { UserError } from '../compiler/UserError';
 import Python3ParserVisitor from './Python3ParserVisitor';
@@ -223,6 +229,21 @@ export class PythonParser {
           return { args: children };
         } else if (node instanceof LambdefContext) {
           return t.arrowFunctionExpression(children[0].args, children[1]);
+        } else if (node instanceof Not_testContext) {
+          if (node.getChildCount() === 1) {
+            return children[0];
+          }
+          return t.unaryExpression('!', children[0]);
+        } else if (node instanceof And_testContext) {
+          if (children.length === 1) {
+            return children[0];
+          }
+          return children.reduce((left, right) => t.logicalExpression('&&', left, right));
+        } else if (node instanceof Or_testContext) {
+          if (children.length === 1) {
+            return children[0];
+          }
+          return children.reduce((left, right) => t.logicalExpression('||', left, right));
         } else if (node instanceof ArglistContext) {
           return children;
         } else {

packages/cubejs-testing/birdbox-fixtures/rbac/cube.js

@@ -186,6 +186,42 @@ module.exports = {
         },
       };
     }
+    if (user === 'region_user') {
+      if (password && password !== 'region_user_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'region_user',
+            userAttributes: {
+              allowedProductIds: [1, 2],
+            },
+            roles: [],
+            groups: ['user_group', 'region_group'],
+          },
+        },
+      };
+    }
+    if (user === 'region_user_no_filter') {
+      if (password && password !== 'region_user_no_filter_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'region_user_no_filter',
+            userAttributes: {},
+            roles: [],
+            groups: ['user_group'],
+          },
+        },
+      };
+    }
     if (user === 'sc_test') {
       if (password && password !== 'sc_test_password') {
         throw new Error(`Password doesn't match for ${user}`);

packages/cubejs-testing/birdbox-fixtures/rbac/model/cubes/region_test.yaml

@@ -0,0 +1,24 @@
+cubes:
+  - name: region_test
+    sql_table: public.line_items
+
+    measures:
+      - name: count
+        type: count
+
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+
+      - name: product_id
+        sql: product_id
+        type: number
+
+    access_policy:
+      - role: "*"
+        member_level:
+          includes: "*"
+        row_level:
+          allow_all: true

packages/cubejs-testing/birdbox-fixtures/rbac/model/views/region_test_view.yaml

@@ -0,0 +1,24 @@
+views:
+  - name: region_test_view
+    cubes:
+      - join_path: region_test
+        includes: "*"
+    access_policy:
+      - group: user_group
+        conditions:
+          - if: "{ security_context.auth.groups and security_context.auth.groups.includes('region_group') }"
+        member_level:
+          includes: "*"
+        row_level:
+          filters:
+            - member: product_id
+              operator: equals
+              values: security_context.auth.userAttributes.allowedProductIds
+
+      - group: user_group
+        conditions:
+          - if: "{ not (security_context.auth.groups and security_context.auth.groups.includes('region_group')) }"
+        member_level:
+          includes: "*"
+        row_level:
+          allow_all: true

packages/cubejs-testing/test/smoke-rbac.test.ts

@@ -1059,6 +1059,77 @@ describe('Cube RBAC Engine', () => {
     });
   });
 
+  /**
+   * Group-based conditional row filtering test.
+   *
+   * A view (region_test_view) wraps the region_test cube (backed by
+   * line_items). A single access policy for "user_group" uses conditions
+   * to check security_context.auth.groups for "region_group" membership:
+   *   - If groups.includes('region_group') is true, the first policy
+   *     matches and filters rows by product_id using allowedProductIds.
+   *   - If !groups.includes('region_group'), the second policy matches
+   *     and grants allowAll.
+   *
+   * The conditions are mutually exclusive (includes vs !includes) so
+   * only one policy matches per user, avoiding the union-overlap
+   * problem. A user with both user_group and region_group is correctly
+   * filtered because the condition on the first policy evaluates to
+   * true, and the condition on the second evaluates to false.
+   *
+   * Two users:
+   *   - region_user: groups = ['user_group', 'region_group'],
+   *     allowedProductIds = [1, 2]
+   *     → sees only rows with product_id in [1, 2]
+   *   - region_user_no_filter: groups = ['user_group']
+   *     → sees all rows
+   */
+  describe('RBAC via SQL API region group conditional row filter', () => {
+    let regionConn: PgClient;
+    let noFilterConn: PgClient;
+
+    beforeAll(async () => {
+      regionConn = await createPostgresClient('region_user', 'region_user_password');
+      noFilterConn = await createPostgresClient('region_user_no_filter', 'region_user_no_filter_password');
+    });
+
+    afterAll(async () => {
+      await regionConn.end();
+      await noFilterConn.end();
+    }, JEST_AFTER_ALL_DEFAULT_TIMEOUT);
+
+    test('user with region_group sees only rows matching their allowed product IDs', async () => {
+      const res = await regionConn.query(
+        'SELECT * FROM region_test_view ORDER BY id LIMIT 50'
+      );
+      expect(res.rows.length).toBeGreaterThan(0);
+      for (const row of res.rows) {
+        expect([1, 2]).toContain(row.product_id);
+      }
+    });
+
+    test('user without region_group sees all rows (no row filter)', async () => {
+      const res = await noFilterConn.query(
+        'SELECT * FROM region_test_view ORDER BY id LIMIT 50'
+      );
+      expect(res.rows.length).toBeGreaterThan(0);
+      const productIds = new Set(res.rows.map((r: any) => r.product_id));
+      expect(productIds.size).toBeGreaterThan(2);
+    });
+
+    test('filtered user count is less than unfiltered user count', async () => {
+      const filteredRes = await regionConn.query(
+        'SELECT MEASURE(count) as cnt FROM region_test_view'
+      );
+      const unfilteredRes = await noFilterConn.query(
+        'SELECT MEASURE(count) as cnt FROM region_test_view'
+      );
+      const filteredCount = Number(filteredRes.rows[0].cnt);
+      const unfilteredCount = Number(unfilteredRes.rows[0].cnt);
+      expect(filteredCount).toBeGreaterThan(0);
+      expect(unfilteredCount).toBeGreaterThan(filteredCount);
+    });
+  });
+
   describe('RBAC via REST API', () => {
     let client: CubeApi;
     let defaultClient: CubeApi;