superset2/superset/data_access_rules/api.py

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
"""
Data Access Rules REST API.

This module provides the REST API for managing Data Access Rules,
including CRUD operations and a group_keys discovery endpoint.
"""

import logging

from flask import request, Response
from flask_appbuilder.api import expose, protect, safe
from flask_appbuilder.models.sqla.interface import SQLAInterface
from marshmallow import ValidationError

from superset.constants import MODEL_API_RW_METHOD_PERMISSION_MAP, RouteMethod
from superset.data_access_rules.models import DataAccessRule
from superset.data_access_rules.schemas import (
    DataAccessRulePostSchema,
    DataAccessRulePutSchema,
    DataAccessRuleShowSchema,
)
from superset.data_access_rules.utils import get_all_group_keys
from superset.extensions import event_logger
from superset.views.base_api import (
    BaseSupersetModelRestApi,
    requires_json,
    statsd_metrics,
)
from superset.views.filters import BaseFilterRelatedRoles, BaseFilterRelatedUsers

logger = logging.getLogger(__name__)


class DataAccessRulesRestApi(BaseSupersetModelRestApi):
    """REST API for Data Access Rules."""

    datamodel = SQLAInterface(DataAccessRule)
    include_route_methods = RouteMethod.REST_MODEL_VIEW_CRUD_SET | {
        RouteMethod.RELATED,
        "group_keys",
    }
    resource_name = "dar"
    class_permission_name = "DataAccessRule"
    openapi_spec_tag = "Data Access Rules"
    method_permission_name = MODEL_API_RW_METHOD_PERMISSION_MAP
    allow_browser_login = True

    list_columns = [
        "id",
        "name",
        "description",
        "role_id",
        "role.id",
        "role.name",
        "rule",
        "changed_on_delta_humanized",
        "changed_by.first_name",
        "changed_by.last_name",
        "changed_by.id",
    ]
    order_columns = [
        "id",
        "name",
        "role_id",
        "changed_on_delta_humanized",
    ]
    add_columns = [
        "name",
        "description",
        "role_id",
        "rule",
    ]
    edit_columns = [
        "name",
        "description",
        "role_id",
        "rule",
    ]
    show_columns = [
        "id",
        "name",
        "description",
        "role_id",
        "role.name",
        "role.id",
        "rule",
        "created_on",
        "changed_on",
        "created_by.first_name",
        "created_by.last_name",
        "changed_by.first_name",
        "changed_by.last_name",
    ]
    search_columns = ["role", "changed_by"]

    allowed_rel_fields = {"role", "changed_by"}
    base_related_field_filters = {
        "role": [["id", BaseFilterRelatedRoles, lambda: []]],
        "changed_by": [["id", BaseFilterRelatedUsers, lambda: []]],
    }

    add_model_schema = DataAccessRulePostSchema()
    edit_model_schema = DataAccessRulePutSchema()
    # Don't use custom list_model_schema - let Flask-AppBuilder handle
    # nested relationships via list_columns dot notation
    show_model_schema = DataAccessRuleShowSchema()

    openapi_spec_methods = {
        "get": {"get": {"summary": "Get a data access rule"}},
        "get_list": {"get": {"summary": "Get a list of data access rules"}},
        "post": {"post": {"summary": "Create a data access rule"}},
        "put": {"put": {"summary": "Update a data access rule"}},
        "delete": {"delete": {"summary": "Delete a data access rule"}},
    }

    @expose("/<int:pk>", methods=("PUT",))
    @protect()
    @safe
    @statsd_metrics
    @requires_json
    @event_logger.log_this_with_context(
        action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.put",
        log_to_statsd=False,
    )
    def put(self, pk: int) -> Response:
        """Update a data access rule.
        ---
        put:
          summary: Update a data access rule
          parameters:
          - in: path
            schema:
              type: integer
            name: pk
            description: The rule pk
          requestBody:
            description: Data access rule schema
            required: true
            content:
              application/json:
                schema:
                  $ref: '#/components/schemas/DataAccessRulePutSchema'
          responses:
            200:
              description: Rule updated
              content:
                application/json:
                  schema:
                    type: object
                    properties:
                      id:
                        type: number
                      result:
                        $ref: '#/components/schemas/DataAccessRulePutSchema'
            400:
              $ref: '#/components/responses/400'
            401:
              $ref: '#/components/responses/401'
            404:
              $ref: '#/components/responses/404'
            422:
              $ref: '#/components/responses/422'
            500:
              $ref: '#/components/responses/500'
        """
        try:
            item = self.edit_model_schema.load(request.json)
        except ValidationError as error:
            return self.response_400(message=error.messages)

        # Get existing rule
        existing = self.datamodel.get(pk)
        if not existing:
            return self.response_404()

        # Update fields
        for key, value in item.items():
            setattr(existing, key, value)

        try:
            self.datamodel.edit(existing)
            return self.response(200, id=existing.id, result=item)
        except Exception as ex:
            logger.error("Error updating data access rule: %s", str(ex), exc_info=True)
            return self.response_422(message=str(ex))

    @expose("/group_keys/", methods=("GET",))
    @protect()
    @safe
    @statsd_metrics
    @event_logger.log_this_with_context(
        action=lambda self, *args, **kwargs: f"{self.__class__.__name__}.group_keys",
        log_to_statsd=False,
    )
    def group_keys(self) -> Response:
        """
        Get all distinct group_keys used in RLS rules.

        This endpoint is useful for UI discoverability - showing users
        what group_keys already exist so they can reuse them.
        ---
        get:
          summary: Get all distinct RLS group keys
          description: >-
            Returns a list of all unique group_key values used in RLS rules
            across all Data Access Rules. This helps users discover existing
            keys for consistent rule grouping.
          responses:
            200:
              description: List of group keys
              content:
                application/json:
                  schema:
                    $ref: '#/components/schemas/GroupKeysResponseSchema'
            401:
              $ref: '#/components/responses/401'
            500:
              $ref: '#/components/responses/500'
        """
        group_keys = get_all_group_keys()
        return self.response(200, result=sorted(group_keys))