# Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. import logging from typing import Any, Optional from marshmallow import ValidationError from superset.commands.base import BaseCommand from superset.commands.exceptions import DatasourceNotFoundValidationError from superset.commands.security.exceptions import RLSRuleNotFoundError from superset.commands.security.utils import raise_for_datasource_access from superset.commands.utils import populate_subject_list from superset.connectors.sqla.models import RowLevelSecurityFilter, SqlaTable from superset.daos.security import RLSDAO from superset.extensions import db from superset.utils.core import RowLevelSecurityFilterType from superset.utils.decorators import transaction logger = logging.getLogger(__name__) class UpdateRLSRuleCommand(BaseCommand): def __init__(self, model_id: int, data: dict[str, Any]): self._model_id = model_id self._properties = data.copy() self._tables = self._properties.get("tables", []) self._subjects = self._properties.get("subjects", []) self._model: Optional[RowLevelSecurityFilter] = None @transaction() def run(self) -> Any: self.validate() assert self._model return RLSDAO.update(self._model, self._properties) def validate(self) -> None: self._model = RLSDAO.find_by_id(int(self._model_id)) if not self._model: raise RLSRuleNotFoundError() # Only resolve and overwrite the relationships that are actually present # in the request body. A partial update (e.g. changing only the name) # must leave the rule's existing tables/subjects bindings untouched # rather than replacing them with empty lists. if "subjects" in self._properties: subjects = populate_subject_list( self._subjects, default_to_user=False, ) self._properties["subjects"] = subjects else: subjects = list(self._model.subjects) filter_type = self._properties.get("filter_type", self._model.filter_type) filter_type_value = getattr(filter_type, "value", filter_type) if ( filter_type_value == RowLevelSecurityFilterType.REGULAR.value and not subjects ): raise ValidationError( {"subjects": ["Regular RLS filters require at least one subject."]} ) if "tables" in self._properties: tables = ( db.session.query(SqlaTable) .filter(SqlaTable.id.in_(self._tables)) # type: ignore[attr-defined] .all() ) if len(tables) != len(self._tables): raise DatasourceNotFoundValidationError() raise_for_datasource_access(tables) self._properties["tables"] = tables else: # A partial update that omits ``tables`` still mutates the rule, so # enforce datasource access against the rule's existing tables to # avoid letting a caller edit a rule bound to datasources they # cannot access. raise_for_datasource_access(self._model.tables)