Refactor Cedar policy tests to remove group principal references

- Updated Cedar policy definitions in non-SaaS and SaaS end-to-end tests to use 'principal' instead of 'principal in RocketAdmin::Group::"{groupId}"'.
- Removed redundant tests that checked for foreign group references in Cedar policies.
- Ensured consistency across all Cedar policy tests by standardizing the policy format.

Author: Artuomka

backend/src/entities/cedar-authorization/cedar-authorization.service.ts

@@ -186,7 +186,8 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		const userGroups = await this.globalDbContext.groupRepository.findAllUserGroupsInConnection(connectionId, userId);
 		if (userGroups.length === 0) return false;
 
-		const policies = await this.loadPoliciesForConnection(connectionId);
+		const userGroupIds = userGroups.map((g) => g.id);
+		const policies = await this.loadPoliciesForUser(connectionId, userId, userGroupIds);
 		if (!policies) return false;
 
 		const entities = buildCedarEntities(userId, userGroups, connectionId, tableName, dashboardId);
@@ -210,17 +211,21 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		return false;
 	}
 
-	private async loadPoliciesForConnection(connectionId: string): Promise<string | null> {
-		const cached = Cacher.getCedarPolicyCache(connectionId);
+	private async loadPoliciesForUser(connectionId: string, userId: string, userGroupIds: string[]): Promise<string | null> {
+		const cached = Cacher.getCedarPolicyCache(connectionId, userId);
 		if (cached !== null) return cached;
 
 		const groups = await this.globalDbContext.groupRepository.findAllGroupsInConnection(connectionId);
-		const policyTexts = groups.map((g) => g.cedarPolicy).filter(Boolean);
+		const userGroupIdSet = new Set(userGroupIds);
+		const policyTexts = groups
+			.filter((g) => userGroupIdSet.has(g.id))
+			.map((g) => g.cedarPolicy)
+			.filter(Boolean);
 
 		if (policyTexts.length === 0) return null;
 
 		const combined = policyTexts.join('\n\n');
-		Cacher.setCedarPolicyCache(connectionId, combined);
+		Cacher.setCedarPolicyCache(connectionId, userId, combined);
 		return combined;
 	}
 
@@ -271,19 +276,6 @@ export class CedarAuthorizationService implements ICedarAuthorizationService, On
 		groupId: string,
 	): Promise<void> {
 
-		const principalGroupIds = [
-			...cedarPolicy.matchAll(/principal\s+in\s+RocketAdmin::Group::"([^"]+)"/g),
-		].map((m) => m[1]);
-
-		for (const principalGroupId of principalGroupIds) {
-			if (principalGroupId !== groupId) {
-				throw new HttpException(
-					{ message: Messages.CEDAR_POLICY_REFERENCES_FOREIGN_PRINCIPAL },
-					HttpStatus.BAD_REQUEST,
-				);
-			}
-		}
-
 		const connectionIds = [
 			...cedarPolicy.matchAll(/resource\s*==\s*RocketAdmin::Connection::"([^"]+)"/g),
 		].map((m) => m[1]);

backend/src/entities/cedar-authorization/cedar-entity-builder.ts

@@ -19,7 +19,7 @@ export function buildCedarEntities(
 	entities.push({
 		uid: { type: 'RocketAdmin::User', id: userId },
 		attrs: { suspended: false },
-		parents: userGroups.map((g) => ({ type: 'RocketAdmin::Group', id: g.id })),
+		parents: [],
 	});
 
 	// Group entities

backend/src/entities/cedar-authorization/cedar-policy-generator.ts

@@ -8,12 +8,11 @@ export function generateCedarPolicyForGroup(
 	permissions: IComplexPermission,
 ): string {
 	const policies: Array<string> = [];
-	const groupRef = `RocketAdmin::Group::"${groupId}"`;
 	const connectionRef = `RocketAdmin::Connection::"${connectionId}"`;
 
 	if (isMain) {
 		policies.push(
-			`permit(\n  principal in ${groupRef},\n  action,\n  resource\n);`,
+			`permit(\n  principal,\n  action,\n  resource\n);`,
 		);
 		return policies.join('\n\n');
 	}
@@ -22,14 +21,14 @@ export function generateCedarPolicyForGroup(
 	const connAccess = permissions.connection.accessLevel;
 	if (connAccess === AccessLevelEnum.edit) {
 		policies.push(
-			`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"connection:read",\n  resource == ${connectionRef}\n);`,
+			`permit(\n  principal,\n  action == RocketAdmin::Action::"connection:read",\n  resource == ${connectionRef}\n);`,
 		);
 		policies.push(
-			`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"connection:edit",\n  resource == ${connectionRef}\n);`,
+			`permit(\n  principal,\n  action == RocketAdmin::Action::"connection:edit",\n  resource == ${connectionRef}\n);`,
 		);
 	} else if (connAccess === AccessLevelEnum.readonly) {
 		policies.push(
-			`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"connection:read",\n  resource == ${connectionRef}\n);`,
+			`permit(\n  principal,\n  action == RocketAdmin::Action::"connection:read",\n  resource == ${connectionRef}\n);`,
 		);
 	}
 
@@ -38,14 +37,14 @@ export function generateCedarPolicyForGroup(
 	const groupResourceRef = `RocketAdmin::Group::"${permissions.group.groupId}"`;
 	if (groupAccess === AccessLevelEnum.edit) {
 		policies.push(
-			`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"group:read",\n  resource == ${groupResourceRef}\n);`,
+			`permit(\n  principal,\n  action == RocketAdmin::Action::"group:read",\n  resource == ${groupResourceRef}\n);`,
 		);
 		policies.push(
-			`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"group:edit",\n  resource == ${groupResourceRef}\n);`,
+			`permit(\n  principal,\n  action == RocketAdmin::Action::"group:edit",\n  resource == ${groupResourceRef}\n);`,
 		);
 	} else if (groupAccess === AccessLevelEnum.readonly) {
 		policies.push(
-			`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"group:read",\n  resource == ${groupResourceRef}\n);`,
+			`permit(\n  principal,\n  action == RocketAdmin::Action::"group:read",\n  resource == ${groupResourceRef}\n);`,
 		);
 	}
 
@@ -59,32 +58,32 @@ export function generateCedarPolicyForGroup(
 			if (access.read) {
 				hasReadPermission = true;
 				policies.push(
-					`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"dashboard:read",\n  resource == ${dashboardRef}\n);`,
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"dashboard:read",\n  resource == ${dashboardRef}\n);`,
 				);
 			}
 			if (access.create) {
 				hasCreatePermission = true;
 			}
 			if (access.edit) {
 				policies.push(
-					`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"dashboard:edit",\n  resource == ${dashboardRef}\n);`,
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"dashboard:edit",\n  resource == ${dashboardRef}\n);`,
 				);
 			}
 			if (access.delete) {
 				policies.push(
-					`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"dashboard:delete",\n  resource == ${dashboardRef}\n);`,
+					`permit(\n  principal,\n  action == RocketAdmin::Action::"dashboard:delete",\n  resource == ${dashboardRef}\n);`,
 				);
 			}
 		}
 		const newDashboardRef = `RocketAdmin::Dashboard::"${connectionId}/__new__"`;
 		if (hasReadPermission) {
 			policies.push(
-				`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"dashboard:read",\n  resource == ${newDashboardRef}\n);`,
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"dashboard:read",\n  resource == ${newDashboardRef}\n);`,
 			);
 		}
 		if (hasCreatePermission) {
 			policies.push(
-				`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"dashboard:create",\n  resource == ${newDashboardRef}\n);`,
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"dashboard:create",\n  resource == ${newDashboardRef}\n);`,
 			);
 		}
 	}
@@ -96,22 +95,22 @@ export function generateCedarPolicyForGroup(
 		const hasAnyAccess = access.visibility || access.add || access.delete || access.edit;
 		if (hasAnyAccess) {
 			policies.push(
-				`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"table:read",\n  resource == ${tableRef}\n);`,
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"table:read",\n  resource == ${tableRef}\n);`,
 			);
 		}
 		if (access.add) {
 			policies.push(
-				`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"table:add",\n  resource == ${tableRef}\n);`,
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"table:add",\n  resource == ${tableRef}\n);`,
 			);
 		}
 		if (access.edit) {
 			policies.push(
-				`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"table:edit",\n  resource == ${tableRef}\n);`,
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"table:edit",\n  resource == ${tableRef}\n);`,
 			);
 		}
 		if (access.delete) {
 			policies.push(
-				`permit(\n  principal in ${groupRef},\n  action == RocketAdmin::Action::"table:delete",\n  resource == ${tableRef}\n);`,
+				`permit(\n  principal,\n  action == RocketAdmin::Action::"table:delete",\n  resource == ${tableRef}\n);`,
 			);
 		}
 	}

backend/src/entities/cedar-authorization/cedar-policy-parser.ts

@@ -147,9 +147,9 @@ function parsePermitBody(body: string): ParsedPermitStatement {
 		isWildcard: false,
 	};
 
-	const principalMatch = body.match(/principal\s+in\s+RocketAdmin::Group::"([^"]+)"/);
-	if (principalMatch) {
-		result.groupId = principalMatch[1];
+	const principalInMatch = body.match(/principal\s+in\s+RocketAdmin::Group::"([^"]+)"/);
+	if (principalInMatch) {
+		result.groupId = principalInMatch[1];
 	}
 
 	const actionMatch = body.match(/action\s*==\s*RocketAdmin::Action::"([^"]+)"/);

backend/src/entities/cedar-authorization/cedar-schema.ts

@@ -2,7 +2,7 @@ export const CEDAR_SCHEMA = {
 	RocketAdmin: {
 		entityTypes: {
 			User: {
-				memberOfTypes: ['Group'],
+				memberOfTypes: [],
 				shape: {
 					type: 'Record',
 					attributes: {

backend/src/helpers/cache/cacher.ts

@@ -66,17 +66,23 @@ export class Cacher {
 		return userInvitations <= 10 && groupInvitations <= 10;
 	}
 
-	public static getCedarPolicyCache(connectionId: string): string | null {
-		const cached = cedarPolicyCache.get(connectionId);
+	public static getCedarPolicyCache(connectionId: string, userId: string): string | null {
+		const cacheKey = `${connectionId}:${userId}`;
+		const cached = cedarPolicyCache.get(cacheKey);
 		return cached !== undefined ? cached : null;
 	}
 
-	public static setCedarPolicyCache(connectionId: string, policies: string): void {
-		cedarPolicyCache.set(connectionId, policies);
+	public static setCedarPolicyCache(connectionId: string, userId: string, policies: string): void {
+		const cacheKey = `${connectionId}:${userId}`;
+		cedarPolicyCache.set(cacheKey, policies);
 	}
 
 	public static invalidateCedarPolicyCache(connectionId: string): void {
-		cedarPolicyCache.delete(connectionId);
+		for (const key of cedarPolicyCache.keys()) {
+			if (key.startsWith(`${connectionId}:`)) {
+				cedarPolicyCache.delete(key);
+			}
+		}
 	}
 
 	public static async clearAllCache(): Promise<void> {

backend/test/ava-tests/non-saas-tests/non-saas-cedar-entity-builder.test.ts

@@ -9,16 +9,14 @@ function makeGroup(id: string, isMain: boolean): GroupEntity {
 	return { id, isMain } as unknown as GroupEntity;
 }
 
-test('user entity has correct type, id, suspended=false, and group parents', (t) => {
+test('user entity has correct type, id, suspended=false, and empty parents', (t) => {
 	const groups = [makeGroup('g1', false), makeGroup('g2', true)];
 	const entities = buildCedarEntities(userId, groups, connectionId);
 	const userEntity = entities.find((e) => e.uid.type === 'RocketAdmin::User');
 	t.truthy(userEntity);
 	t.is(userEntity.uid.id, userId);
 	t.is(userEntity.attrs.suspended, false);
-	t.is(userEntity.parents.length, 2);
-	t.deepEqual(userEntity.parents[0], { type: 'RocketAdmin::Group', id: 'g1' });
-	t.deepEqual(userEntity.parents[1], { type: 'RocketAdmin::Group', id: 'g2' });
+	t.deepEqual(userEntity.parents, []);
 });
 
 test('group entities have correct type, isMain attribute, connectionId attribute, empty parents', (t) => {

backend/test/ava-tests/non-saas-tests/non-saas-cedar-policy-generator.test.ts

@@ -17,7 +17,7 @@ function makePermissions(overrides: Partial<IComplexPermission> = {}): IComplexP
 
 test('isMain=true generates a single wildcard permit', (t) => {
 	const result = generateCedarPolicyForGroup(groupId, connectionId, true, makePermissions());
-	t.true(result.includes('principal in RocketAdmin::Group::"test-group-id"'));
+	t.true(result.includes('principal,'));
 	t.true(result.includes('action,'));
 	t.true(result.includes('resource'));
 	// Should be a single policy
@@ -307,7 +307,7 @@ test('resource ref format validation', (t) => {
 			],
 		}),
 	);
-	t.true(result.includes(`RocketAdmin::Group::"${groupId}"`));
+	t.true(result.includes('principal,'));
 	t.true(result.includes(`RocketAdmin::Connection::"${connectionId}"`));
 	t.true(result.includes(`RocketAdmin::Table::"${connectionId}/users"`));
 });