Add rill sudo embed open command (#9230)

* Add `rill sudo embed open` command and `superuser_force_access` to embed APIs

* Test case

Author: begelundmuller

admin/server/deployment.go

@@ -171,15 +171,30 @@ func (s *Server) GetDeployment(ctx context.Context, req *adminv1.GetDeploymentRe
 	}
 
 	claims := auth.GetClaims(ctx)
+	forceAccess := claims.Superuser(ctx) && req.SuperuserForceAccess
 	permissions := claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID)
 
-	if depl.Environment == "dev" {
-		if !permissions.ReadDev {
-			return nil, status.Error(codes.PermissionDenied, "does not have permission to read dev deployment")
+	if !forceAccess {
+		if depl.Environment == "dev" {
+			if !permissions.ReadDev {
+				return nil, status.Error(codes.PermissionDenied, "does not have permission to read dev deployment")
+			}
+		} else {
+			if !permissions.ReadProd {
+				return nil, status.Error(codes.PermissionDenied, "does not have permission to read prod deployment")
+			}
 		}
-	} else {
-		if !permissions.ReadProd {
-			return nil, status.Error(codes.PermissionDenied, "does not have permission to read prod deployment")
+
+		if req.For != nil || req.ExternalUserId != "" {
+			if depl.Environment == "dev" {
+				if !permissions.ManageDev {
+					return nil, status.Error(codes.PermissionDenied, "does not have permission to manage dev deployment")
+				}
+			} else {
+				if !permissions.ManageProd {
+					return nil, status.Error(codes.PermissionDenied, "does not have permission to manage prod deployment")
+				}
+			}
 		}
 	}
 
@@ -204,14 +219,6 @@ func (s *Server) GetDeployment(ctx context.Context, req *adminv1.GetDeploymentRe
 			// Some users use service accounts for generating JWTs for end users without passing req.For, and we don't want to accidentally pass a shared subject ID across those users (which could leak e.g. AI chats).
 		}
 	} else if req.For != nil {
-		if depl.Environment == "prod" && !permissions.ManageProd {
-			return nil, status.Error(codes.PermissionDenied, "does not have permission to manage prod deployment")
-		}
-
-		if depl.Environment == "dev" && !permissions.ManageDev {
-			return nil, status.Error(codes.PermissionDenied, "does not have permission to manage dev deployment")
-		}
-
 		switch forVal := req.For.(type) {
 		case *adminv1.GetDeploymentRequest_UserId:
 			if req.ExternalUserId != "" {
@@ -583,9 +590,10 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
 	}
 
 	claims := auth.GetClaims(ctx)
+	forceAccess := claims.Superuser(ctx) && req.SuperuserForceAccess
 	permissions := claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID)
 
-	if !permissions.ManageProd {
+	if !forceAccess && !permissions.ManageProd {
 		return nil, status.Error(codes.PermissionDenied, "does not have permission to manage deployment")
 	}
 
@@ -709,9 +717,10 @@ func (s *Server) GetIFrame(ctx context.Context, req *adminv1.GetIFrameRequest) (
 	}
 
 	claims := auth.GetClaims(ctx)
+	forceAccess := claims.Superuser(ctx) && req.SuperuserForceAccess
 	permissions := claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID)
 
-	if !permissions.ManageProd {
+	if !forceAccess && !permissions.ManageProd {
 		return nil, status.Error(codes.PermissionDenied, "does not have permission to manage deployment")
 	}
 

cli/cmd/sudo/embed/embed.go

@@ -0,0 +1,17 @@
+package embed
+
+import (
+	"github.com/rilldata/rill/cli/pkg/cmdutil"
+	"github.com/spf13/cobra"
+)
+
+func EmbedCmd(ch *cmdutil.Helper) *cobra.Command {
+	embedCmd := &cobra.Command{
+		Use:   "embed",
+		Short: "Manage embeds",
+	}
+
+	embedCmd.AddCommand(OpenCmd(ch))
+
+	return embedCmd
+}

cli/cmd/sudo/embed/embed_test.go

@@ -0,0 +1,64 @@
+package embed_test
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/rilldata/rill/admin/testadmin"
+	"github.com/rilldata/rill/cli/testcli"
+	"github.com/rilldata/rill/runtime/testruntime/testmode"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEmbedOpen(t *testing.T) {
+	testmode.Expensive(t)
+
+	adm := testadmin.NewWithOptionalRuntime(t, true)
+
+	// First user is automatically a superuser.
+	_, u1Client := adm.NewUser(t)
+	u1 := testcli.New(t, adm, u1Client.Token)
+
+	// Second user: regular, owns the org and project.
+	_, u2Client := adm.NewUser(t)
+	u2 := testcli.New(t, adm, u2Client.Token)
+
+	// Third user: no access
+	_, u3Client := adm.NewUser(t)
+	u3 := testcli.New(t, adm, u3Client.Token)
+
+	// u2 creates an org and deploys a project.
+	res := u2.Run(t, "org", "create", "embed-test")
+	require.Equal(t, 0, res.ExitCode, res.Output)
+
+	tempDir := t.TempDir()
+	putFiles(t, tempDir, map[string]string{
+		"rill.yaml": `olap_connector: duckdb`,
+	})
+	res = u2.Run(t, "project", "deploy", "--interactive=false", "--org=embed-test", "--project=embed-project", "--path="+tempDir)
+	require.Equal(t, 0, res.ExitCode, res.Output)
+
+	// Reconcile the deployment so it has a runtime host and instance.
+	adm.TriggerDeployment(t, "embed-test", "embed-project")
+
+	// Superuser can get an embed URL for the project.
+	res = u1.Run(t, "sudo", "embed", "open", "embed-test", "embed-project", "--no-open", "--navigation")
+	require.Equal(t, 0, res.ExitCode, res.Output)
+	require.Contains(t, res.Output, "Open browser at:")
+
+	// Normal user cannot get an embed URL for the project.
+	res = u3.Run(t, "sudo", "embed", "open", "embed-test", "embed-project", "--no-open", "--navigation")
+	require.NotEqual(t, 0, res.ExitCode)
+	require.Contains(t, res.Output, "does not have permission")
+}
+
+func putFiles(t *testing.T, baseDir string, files map[string]string) {
+	t.Helper()
+	for path, content := range files {
+		path = filepath.Join(baseDir, path)
+		dir := filepath.Dir(path)
+		require.NoError(t, os.MkdirAll(dir, 0755))
+		require.NoError(t, os.WriteFile(path, []byte(content), 0644))
+	}
+}

cli/cmd/sudo/embed/open.go

@@ -0,0 +1,114 @@
+package embed
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/rilldata/rill/cli/pkg/browser"
+	"github.com/rilldata/rill/cli/pkg/cmdutil"
+	adminv1 "github.com/rilldata/rill/proto/gen/rill/admin/v1"
+	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/types/known/structpb"
+)
+
+func OpenCmd(ch *cmdutil.Helper) *cobra.Command {
+	var branch string
+	var ttlSeconds uint32
+	var userID string
+	var userEmail string
+	var userAttributes string
+	var externalUserID string
+	var resourceType string
+	var resource string
+	var theme string
+	var themeMode string
+	var navigation bool
+	var query map[string]string
+	var noOpen bool
+
+	openCmd := &cobra.Command{
+		Use:   "open <org> <project>",
+		Args:  cobra.ExactArgs(2),
+		Short: "Open an embedded dashboard in the browser",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			org := args[0]
+			project := args[1]
+
+			req := &adminv1.GetIFrameRequest{
+				Org:                  org,
+				Project:              project,
+				Branch:               branch,
+				TtlSeconds:           ttlSeconds,
+				ExternalUserId:       externalUserID,
+				Type:                 resourceType,
+				Resource:             resource,
+				Theme:                theme,
+				ThemeMode:            themeMode,
+				Navigation:           navigation,
+				Query:                query,
+				SuperuserForceAccess: true,
+			}
+
+			// Set user identity: only one of user_id, user_email, or user_attributes can be specified.
+			n := 0
+			if userID != "" {
+				n++
+				req.For = &adminv1.GetIFrameRequest_UserId{UserId: userID}
+			}
+			if userEmail != "" {
+				n++
+				req.For = &adminv1.GetIFrameRequest_UserEmail{UserEmail: userEmail}
+			}
+			if userAttributes != "" {
+				n++
+				var attrs map[string]any
+				if err := json.Unmarshal([]byte(userAttributes), &attrs); err != nil {
+					return fmt.Errorf("invalid --user-attributes JSON: %w", err)
+				}
+				s, err := structpb.NewStruct(attrs)
+				if err != nil {
+					return fmt.Errorf("failed to parse --user-attributes: %w", err)
+				}
+				req.For = &adminv1.GetIFrameRequest_Attributes{Attributes: s}
+			}
+			if n > 1 {
+				return fmt.Errorf("only one of --user-id, --user-email, or --user-attributes can be specified")
+			}
+
+			client, err := ch.Client()
+			if err != nil {
+				return err
+			}
+
+			res, err := client.GetIFrame(cmd.Context(), req)
+			if err != nil {
+				return err
+			}
+
+			if noOpen || !ch.Interactive {
+				ch.Printf("Open browser at: %s\n", res.IframeSrc)
+			} else {
+				ch.Printf("Opening browser at: %s\n", res.IframeSrc)
+				_ = browser.Open(res.IframeSrc)
+			}
+
+			return nil
+		},
+	}
+
+	openCmd.Flags().StringVar(&branch, "branch", "", "Branch to embed (defaults to the primary branch)")
+	openCmd.Flags().Uint32Var(&ttlSeconds, "ttl-seconds", 0, "TTL for the access token in seconds")
+	openCmd.Flags().StringVar(&userID, "user-id", "", "Rill user ID to assume")
+	openCmd.Flags().StringVar(&userEmail, "user-email", "", "User email to assume")
+	openCmd.Flags().StringVar(&userAttributes, "user-attributes", "", "User attributes as JSON (e.g. '{\"domain\":\"example.com\"}')")
+	openCmd.Flags().StringVar(&externalUserID, "external-user-id", "", "External user ID for per-user state")
+	openCmd.Flags().StringVar(&resourceType, "resource-type", "", "Type of resource to embed")
+	openCmd.Flags().StringVar(&resource, "resource", "", "Name of the resource to embed")
+	openCmd.Flags().StringVar(&theme, "theme", "", "Theme for the embedded resource")
+	openCmd.Flags().StringVar(&themeMode, "theme-mode", "", "Theme mode")
+	openCmd.Flags().BoolVar(&navigation, "navigation", false, "Enable navigation between resources")
+	openCmd.Flags().StringToStringVar(&query, "query", nil, "Additional query parameters (key=value)")
+	openCmd.Flags().BoolVar(&noOpen, "no-open", false, "Print the URL without opening the browser")
+
+	return openCmd
+}

cli/cmd/sudo/sudo.go

@@ -3,6 +3,7 @@ package sudo
 import (
 	"github.com/rilldata/rill/cli/cmd/sudo/annotations"
 	"github.com/rilldata/rill/cli/cmd/sudo/billing"
+	"github.com/rilldata/rill/cli/cmd/sudo/embed"
 	"github.com/rilldata/rill/cli/cmd/sudo/org"
 	"github.com/rilldata/rill/cli/cmd/sudo/project"
 	"github.com/rilldata/rill/cli/cmd/sudo/quota"
@@ -24,6 +25,7 @@ func SudoCmd(ch *cmdutil.Helper) *cobra.Command {
 		GroupID: internalGroupID,
 	}
 	sudoCmd.AddCommand(lookupCmd(ch))
+	sudoCmd.AddCommand(embed.EmbedCmd(ch))
 	sudoCmd.AddCommand(org.OrgCmd(ch))
 	sudoCmd.AddCommand(project.ProjectCmd(ch))
 	sudoCmd.AddCommand(user.UserCmd(ch))

proto/gen/rill/admin/v1/admin.swagger.yaml

@@ -140,6 +140,9 @@ paths:
                 description: |-
                   Optional ID for an external end user of the deployment. If set, the access token enables per-user state, such as AI chat history.
                   Cannot be combined with `user_id`. If `user_email` matches a Rill Cloud user, their attributes are used, but this ID takes precedence for per-user state.
+              superuserForceAccess:
+                type: boolean
+                description: If true, superusers can access the deployment even without org/project membership.
   /v1/deployments/{deploymentId}/provision:
     post:
       summary: |-
@@ -1488,6 +1491,9 @@ paths:
                 description: |-
                   Optional ID for an external end user of the deployment. If set, the access token enables per-user state, such as AI chat history.
                   Cannot be combined with `user_id`. If `user_email` matches a Rill Cloud user, their attributes are used, but this ID takes precedence for per-user state.
+              superuserForceAccess:
+                type: boolean
+                description: If true, superusers can access the deployment even without org/project membership.
   /v1/orgs/{org}/projects/{project}/deployments:
     get:
       summary: ListDeployments lists deployments for a project.
@@ -1662,6 +1668,9 @@ paths:
                 additionalProperties:
                   type: string
                 description: 'DEPRECATED: Additional parameters to set outright in the generated URL query.'
+              superuserForceAccess:
+                type: boolean
+                description: If true, superusers can access the project even without org/project membership.
             description: GetIFrameRequest is the request payload for AdminService.GetIFrame.
   /v1/orgs/{org}/projects/{project}/invites:
     get: