Merge pull request #1759 from rocket-admin/backend_ai_insights_permission

Backend ai insights permission

Author: Artuomka

backend/src/entities/ai/user-ai-requests-v2.controller.ts

@@ -20,7 +20,7 @@ import { Timeout, TimeoutDefaults } from '../../decorators/timeout.decorator.js'
 import { UserId } from '../../decorators/user-id.decorator.js';
 import { InTransactionEnum } from '../../enums/in-transaction.enum.js';
 import { ConnectionEditGuard } from '../../guards/connection-edit.guard.js';
-import { TableReadGuard } from '../../guards/table-read.guard.js';
+import { TableAiRequestGuard } from '../../guards/table-ai-request.guard.js';
 import { ValidationHelper } from '../../helpers/validators/validation-helper.js';
 import { SentryInterceptor } from '../../interceptors/sentry.interceptor.js';
 import { IAISettingsAndWidgetsCreation, IRequestInfoFromTableV2 } from './ai-use-cases.interface.js';
@@ -47,7 +47,7 @@ export class UserAIRequestsControllerV2 {
 		status: 201,
 		description: 'Returned info with conversation history saved.',
 	})
-	@UseGuards(TableReadGuard)
+	@UseGuards(TableAiRequestGuard)
 	@ApiBody({ type: RequestInfoFromTableBodyDTO })
 	@ApiQuery({ name: 'tableName', required: true, type: String })
 	@ApiQuery({ name: 'threadId', required: false, type: String })

backend/src/entities/cedar-authorization/cedar-action-map.ts

@@ -8,6 +8,7 @@ export enum CedarAction {
 	TableAdd = 'table:add',
 	TableEdit = 'table:edit',
 	TableDelete = 'table:delete',
+	TableAiRequest = 'table:ai-request',
 	DashboardRead = 'dashboard:read',
 	DashboardCreate = 'dashboard:create',
 	DashboardEdit = 'dashboard:edit',

backend/src/entities/cedar-authorization/cedar-permissions.service.ts

@@ -213,7 +213,17 @@ export class CedarPermissionsService implements IUserAccessRepository {
 	): Promise<ITablePermissionData> {
 		const ctx = await this.loadContext(connectionId, cognitoUserName);
 		if (!ctx) {
-			return { tableName, accessLevel: { visibility: false, readonly: false, add: false, delete: false, edit: false } };
+			return {
+				tableName,
+				accessLevel: {
+					visibility: false,
+					readonly: false,
+					add: false,
+					delete: false,
+					edit: false,
+					aiRequest: false,
+				},
+			};
 		}
 
 		return this.evaluateTablePermissions(cognitoUserName, connectionId, tableName, ctx);
@@ -386,6 +396,14 @@ export class CedarPermissionsService implements IUserAccessRepository {
 			ctx.policies,
 			entities,
 		);
+		const canAiRequest = this.evaluatePolicies(
+			userId,
+			CedarAction.TableAiRequest,
+			CedarResourceType.Table,
+			resourceId,
+			ctx.policies,
+			entities,
+		);
 
 		return {
 			tableName,
@@ -395,6 +413,7 @@ export class CedarPermissionsService implements IUserAccessRepository {
 				add: canAdd,
 				delete: canDelete,
 				edit: canEdit,
+				aiRequest: canAiRequest,
 			},
 		};
 	}

backend/src/entities/cedar-authorization/cedar-policy-generator.ts

@@ -153,6 +153,11 @@ export function generateCedarPolicyForGroup(
 				`permit(\n  principal,\n  action == RocketAdmin::Action::"table:delete",\n  resource == ${tableRef}\n);`,
 			);
 		}
+		if (access.aiRequest) {
+			policies.push(
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"table:ai-request",\n  resource == ${tableRef}\n);`,
+			);
+		}
 	}
 
 	return policies.join('\n\n');

backend/src/entities/cedar-authorization/cedar-policy-parser.ts

@@ -66,7 +66,8 @@ export function parseCedarPolicyToClassicalPermissions(
 			case 'table:read':
 			case 'table:add':
 			case 'table:edit':
-			case 'table:delete': {
+			case 'table:delete':
+			case 'table:ai-request': {
 				const tableName = extractTableName(permit.resourceId, connectionId);
 				if (!tableName) break;
 				const tableEntry = getOrCreateTableEntry(tableMap, tableName);
@@ -227,6 +228,7 @@ function getOrCreateTableEntry(map: Map<string, ITablePermissionData>, tableName
 				add: false,
 				delete: false,
 				edit: false,
+				aiRequest: false,
 			},
 		};
 		map.set(tableName, entry);
@@ -248,6 +250,9 @@ function applyTableAction(entry: ITablePermissionData, action: string): void {
 		case 'table:delete':
 			entry.accessLevel.delete = true;
 			break;
+		case 'table:ai-request':
+			entry.accessLevel.aiRequest = true;
+			break;
 	}
 }
 

backend/src/entities/cedar-authorization/cedar-schema.json

@@ -101,6 +101,12 @@
 					"resourceTypes": ["Table"]
 				}
 			},
+			"table:ai-request": {
+				"appliesTo": {
+					"principalTypes": ["User"],
+					"resourceTypes": ["Table"]
+				}
+			},
 			"dashboard:read": {
 				"appliesTo": {
 					"principalTypes": ["User"],

backend/src/entities/cedar-authorization/cedar-schema.ts

@@ -110,6 +110,12 @@ export const CEDAR_SCHEMA = {
 					resourceTypes: ['Table'],
 				},
 			},
+			'table:ai-request': {
+				appliesTo: {
+					principalTypes: ['User'],
+					resourceTypes: ['Table'],
+				},
+			},
 			'dashboard:read': {
 				appliesTo: {
 					principalTypes: ['User'],

backend/src/entities/connection/use-cases/get-permissions-for-group-in-connection.use.case.ts

@@ -4,8 +4,8 @@ import AbstractUseCase from '../../../common/abstract-use.case.js';
 import { IGlobalDatabaseContext } from '../../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../../common/data-injection.tokens.js';
 import { AccessLevelEnum } from '../../../enums/access-level.enum.js';
-import { TablePermissionDs } from '../../permission/application/data-structures/create-permissions.ds.js';
 import { parseCedarPolicyToClassicalPermissions } from '../../cedar-authorization/cedar-policy-parser.js';
+import { TablePermissionDs } from '../../permission/application/data-structures/create-permissions.ds.js';
 import { FoundPermissionsInConnectionDs } from '../application/data-structures/found-permissions-in-connection.ds.js';
 import { GetPermissionsInConnectionDs } from '../application/data-structures/get-permissions-in-connection.ds.js';
 import { IGetPermissionsForGroupInConnection } from './use-cases.interfaces.js';
@@ -62,6 +62,7 @@ export class GetPermissionsForGroupInConnectionUseCase
 					edit: false,
 					readonly: false,
 					visibility: false,
+					aiRequest: false,
 				},
 			};
 		});

backend/src/entities/permission/application/data-structures/create-permissions.ds.ts

@@ -1,5 +1,5 @@
 import { ApiProperty } from '@nestjs/swagger';
-import { IsArray, IsBoolean, IsEnum, IsString, IsUUID, ValidateNested } from 'class-validator';
+import { IsArray, IsBoolean, IsEnum, IsOptional, IsString, IsUUID, ValidateNested } from 'class-validator';
 import { AccessLevelEnum } from '../../../../enums/access-level.enum.js';
 
 export class CreatePermissionsDs {
@@ -41,6 +41,11 @@ export class TableAccessLevelsDs {
 	@ApiProperty()
 	@IsBoolean()
 	visibility: boolean;
+
+	@ApiProperty({ required: false })
+	@IsOptional()
+	@IsBoolean()
+	aiRequest?: boolean;
 }
 
 export class TablePermissionDs {

backend/src/entities/permission/permission.interface.ts

@@ -24,6 +24,7 @@ export interface ITableAccessLevel {
 	add: boolean;
 	delete: boolean;
 	edit: boolean;
+	aiRequest?: boolean;
 }
 
 export interface ITablePermissionData {