Merge branch 'main' into signals-migration

Author: lyubov-voloshko

backend/.development.env

@@ -109,4 +109,6 @@ MYSQL_CONNECTION_SSH_PORT=22
 MYSQL_CONNECTION_SSH_USERNAME=TEST_MYSQL_CONNECTION_SSH_USERNAME
 MYSQL_CONNECTION_SSH_KEY=TEST_MYSQL_CONNECTION_SSH_KEY
 
-TEST_CONNECTIONS=
+TEST_CONNECTIONS=
+
+CEDAR_AUTHORIZATION_ENABLED='true'

backend/package.json

@@ -25,10 +25,11 @@
 	},
 	"dependencies": {
 		"@amplitude/node": "1.10.2",
-		"@aws-sdk/client-bedrock-runtime": "^3.999.0",
-		"@aws-sdk/client-s3": "^3.999.0",
-		"@aws-sdk/lib-dynamodb": "^3.999.0",
-		"@aws-sdk/s3-request-presigner": "^3.999.0",
+		"@aws-sdk/client-bedrock-runtime": "^3.990.0",
+		"@aws-sdk/client-s3": "^3.990.0",
+		"@aws-sdk/lib-dynamodb": "^3.990.0",
+		"@aws-sdk/s3-request-presigner": "^3.990.0",
+		"@cedar-policy/cedar-wasm": "^4.9.0",
 		"@electric-sql/pglite": "^0.3.15",
 		"@faker-js/faker": "^10.3.0",
 		"@langchain/aws": "^1.3.0",

backend/src/app.module.ts

@@ -40,6 +40,7 @@ import { DashboardModule } from './entities/visualizations/dashboard/dashboards.
 import { PanelPositionModule } from './entities/visualizations/panel-position/panel-position.module.js';
 import { PanelModule } from './entities/visualizations/panel/panel.module.js';
 import { TableWidgetModule } from './entities/widget/table-widget.module.js';
+import { CedarAuthorizationModule } from './entities/cedar-authorization/cedar-authorization.module.js';
 import { SaaSGatewayModule } from './microservices/gateways/saas-gateway.ts/saas-gateway.module.js';
 import { SaasModule } from './microservices/saas-microservice/saas.module.js';
 import { AppLoggerMiddleware } from './middlewares/logging-middleware/app-logger-middlewate.js';
@@ -59,6 +60,7 @@ import { GetHelloUseCase } from './use-cases-app/get-hello.use.case.js';
 				},
 			],
 		}),
+		CedarAuthorizationModule,
 		AICoreModule,
 		ConnectionModule,
 		ConnectionPropertiesModule,

backend/src/entities/cedar-authorization/cedar-action-map.ts

@@ -0,0 +1,34 @@
+export enum CedarAction {
+	ConnectionRead = 'connection:read',
+	ConnectionEdit = 'connection:edit',
+	GroupRead = 'group:read',
+	GroupEdit = 'group:edit',
+	TableRead = 'table:read',
+	TableAdd = 'table:add',
+	TableEdit = 'table:edit',
+	TableDelete = 'table:delete',
+	DashboardRead = 'dashboard:read',
+	DashboardCreate = 'dashboard:create',
+	DashboardEdit = 'dashboard:edit',
+	DashboardDelete = 'dashboard:delete',
+}
+
+export enum CedarResourceType {
+	Connection = 'RocketAdmin::Connection',
+	Group = 'RocketAdmin::Group',
+	Table = 'RocketAdmin::Table',
+	Dashboard = 'RocketAdmin::Dashboard',
+}
+
+export const CEDAR_ACTION_TYPE = 'RocketAdmin::Action';
+export const CEDAR_USER_TYPE = 'RocketAdmin::User';
+export const CEDAR_GROUP_TYPE = 'RocketAdmin::Group';
+
+export interface CedarValidationRequest {
+	userId: string;
+	action: CedarAction;
+	connectionId?: string;
+	groupId?: string;
+	tableName?: string;
+	dashboardId?: string;
+}

backend/src/entities/cedar-authorization/cedar-authorization.controller.ts

@@ -0,0 +1,88 @@
+import {
+	Body,
+	Controller,
+	Get,
+	HttpException,
+	HttpStatus,
+	Injectable,
+	Post,
+	UseGuards,
+	UseInterceptors,
+} from '@nestjs/common';
+import { ApiBearerAuth, ApiBody, ApiOperation, ApiParam, ApiResponse, ApiTags } from '@nestjs/swagger';
+import { SlugUuid } from '../../decorators/index.js';
+import { Timeout } from '../../decorators/timeout.decorator.js';
+import { Messages } from '../../exceptions/text/messages.js';
+import { ConnectionEditGuard } from '../../guards/connection-edit.guard.js';
+import { ConnectionReadGuard } from '../../guards/connection-read.guard.js';
+import { SentryInterceptor } from '../../interceptors/index.js';
+import { IComplexPermission } from '../permission/permission.interface.js';
+import { CedarAuthorizationService } from './cedar-authorization.service.js';
+import { SaveCedarPolicyDto } from './dto/save-cedar-policy.dto.js';
+import { ValidateCedarSchemaDto } from './dto/validate-cedar-schema.dto.js';
+
+@UseInterceptors(SentryInterceptor)
+@Timeout()
+@Controller()
+@ApiBearerAuth()
+@ApiTags('Cedar Authorization')
+@Injectable()
+export class CedarAuthorizationController {
+	constructor(private readonly cedarAuthService: CedarAuthorizationService) {}
+
+	@ApiOperation({ summary: 'Get the current cedar schema used for authorization' })
+	@ApiResponse({
+		status: 200,
+		description: 'Cedar schema returned.',
+	})
+	@ApiParam({ name: 'connectionId', required: true })
+	@UseGuards(ConnectionReadGuard)
+	@Get('/connection/cedar-schema/:connectionId')
+	async getCedarSchema(
+		@SlugUuid('connectionId') connectionId: string,
+	): Promise<{ cedarSchema: Record<string, unknown> }> {
+		if (!connectionId) {
+			throw new HttpException({ message: Messages.CONNECTION_ID_MISSING }, HttpStatus.BAD_REQUEST);
+		}
+		return { cedarSchema: this.cedarAuthService.getSchema() };
+	}
+
+	@ApiOperation({ summary: 'Validate a cedar schema against the Cedar engine' })
+	@ApiResponse({
+		status: 200,
+		description: 'Cedar schema is valid.',
+	})
+	@ApiBody({ type: ValidateCedarSchemaDto })
+	@ApiParam({ name: 'connectionId', required: true })
+	@UseGuards(ConnectionReadGuard)
+	@Post('/connection/cedar-schema/validate/:connectionId')
+	async validateCedarSchema(
+		@SlugUuid('connectionId') connectionId: string,
+		@Body() dto: ValidateCedarSchemaDto,
+	): Promise<{ valid: boolean }> {
+		if (!connectionId) {
+			throw new HttpException({ message: Messages.CONNECTION_ID_MISSING }, HttpStatus.BAD_REQUEST);
+		}
+		this.cedarAuthService.validateCedarSchema(dto.cedarSchema);
+		return { valid: true };
+	}
+
+	@ApiOperation({ summary: 'Save a cedar policy for a group, generating classical permissions for backward compatibility' })
+	@ApiResponse({
+		status: 200,
+		description: 'Cedar policy saved and classical permissions generated.',
+	})
+	@ApiBody({ type: SaveCedarPolicyDto })
+	@ApiParam({ name: 'connectionId', required: true })
+	@UseGuards(ConnectionEditGuard)
+	@Post('/connection/cedar-policy/:connectionId')
+	async saveCedarPolicy(
+		@SlugUuid('connectionId') connectionId: string,
+		@Body() dto: SaveCedarPolicyDto,
+	): Promise<{ cedarPolicy: string; classicalPermissions: IComplexPermission }> {
+		if (!connectionId) {
+			throw new HttpException({ message: Messages.CONNECTION_ID_MISSING }, HttpStatus.BAD_REQUEST);
+		}
+		return this.cedarAuthService.saveCedarPolicy(connectionId, dto.groupId, dto.cedarPolicy);
+	}
+}

backend/src/entities/cedar-authorization/cedar-authorization.module.ts

@@ -0,0 +1,34 @@
+import { Global, MiddlewareConsumer, Module, NestModule, RequestMethod } from '@nestjs/common';
+import { TypeOrmModule } from '@nestjs/typeorm';
+import { AuthMiddleware } from '../../authorization/auth.middleware.js';
+import { GlobalDatabaseContext } from '../../common/application/global-database-context.js';
+import { BaseType } from '../../common/data-injection.tokens.js';
+import { LogOutEntity } from '../log-out/log-out.entity.js';
+import { UserEntity } from '../user/user.entity.js';
+import { CedarAuthorizationController } from './cedar-authorization.controller.js';
+import { CedarAuthorizationService } from './cedar-authorization.service.js';
+
+@Global()
+@Module({
+	imports: [TypeOrmModule.forFeature([UserEntity, LogOutEntity])],
+	providers: [
+		{
+			provide: BaseType.GLOBAL_DB_CONTEXT,
+			useClass: GlobalDatabaseContext,
+		},
+		CedarAuthorizationService,
+	],
+	controllers: [CedarAuthorizationController],
+	exports: [CedarAuthorizationService],
+})
+export class CedarAuthorizationModule implements NestModule {
+	public configure(consumer: MiddlewareConsumer): void {
+		consumer
+			.apply(AuthMiddleware)
+			.forRoutes(
+				{ path: '/connection/cedar-schema/:connectionId', method: RequestMethod.GET },
+				{ path: '/connection/cedar-schema/validate/:connectionId', method: RequestMethod.POST },
+				{ path: '/connection/cedar-policy/:connectionId', method: RequestMethod.POST },
+			);
+	}
+}

backend/src/entities/cedar-authorization/cedar-authorization.service.interface.ts

@@ -0,0 +1,15 @@
+import { IComplexPermission } from '../permission/permission.interface.js';
+import { CedarValidationRequest } from './cedar-action-map.js';
+
+export interface ICedarAuthorizationService {
+	isFeatureEnabled(): boolean;
+	validate(request: CedarValidationRequest): Promise<boolean>;
+	invalidatePolicyCacheForConnection(connectionId: string): void;
+	getSchema(): Record<string, unknown>;
+	validateCedarSchema(schema: Record<string, unknown>): void;
+	saveCedarPolicy(
+		connectionId: string,
+		groupId: string,
+		cedarPolicy: string,
+	): Promise<{ cedarPolicy: string; classicalPermissions: IComplexPermission }>;
+}