@balena/pinejs 15.0.0-true-boolean-7896b116c446d891d7a0d5e4085c02a13bc9c725 → 15.0.1-build-migrations-clarify-marking-sbvr-optional-d6d0ded8eccc6eadb2492f4697918cf0afd00215-1

package/src/sbvr-api/permissions.ts

@@ -1,12 +1,17 @@
 import type {
 	AbstractSqlModel,
-	AbstractSqlType,
+	AbstractSqlQuery,
 	AliasNode,
+	AnyTypeNodes,
+	Definition,
+	FieldNode,
+	ReferencedFieldNode,
 	Relationship,
 	RelationshipInternalNode,
 	RelationshipLeafNode,
 	RelationshipMapping,
 	SelectNode,
+	SelectQueryNode,
 } from '@balena/abstract-sql-compiler';
 import './express-extension';
 import type * as Express from 'express';
@@ -15,12 +20,13 @@ import type {
 	ODataQuery,
 	SupportedMethod,
 } from '@balena/odata-parser';
+import type { Tx } from '../database-layer/db';
 import type { ApiKey, User } from '../sbvr-api/sbvr-utils';
-import type { AnyObject } from './common-types';
+import type { AnyObject, Dictionary } from './common-types';
 
 import {
-	Definition,
-	OData2AbstractSQL,
+	isBindReference,
+	type OData2AbstractSQL,
 	odataNameToSqlName,
 	ResourceFunction,
 	sqlNameToODataName,
@@ -95,7 +101,7 @@ type MappedType<I, O> = O extends NestedCheck<infer T>
 type MappedNestedCheck<
 	T extends NestedCheck<I>,
 	I,
-	O
+	O,
 > = T extends NestedCheckOr<I>
 	? NestedCheckOr<MappedType<I, O>>
 	: T extends NestedCheckAnd<I>
@@ -117,7 +123,8 @@ const methodPermissions: {
 	DELETE: 'delete',
 };
 
-const $parsePermissions = memoize(
+const $parsePermissions = env.createCache(
+	'parsePermissions',
 	(filter: string) => {
 		const { tree, binds } = ODataParser.parse(filter, {
 			startRule: 'ProcessRule',
@@ -130,11 +137,10 @@ const $parsePermissions = memoize(
 	},
 	{
 		primitive: true,
-		max: env.cache.parsePermissions.max,
 	},
 );
 
-const rewriteBinds = (
+const rewriteODataBinds = (
 	{ tree, extraBinds }: { tree: ODataQuery; extraBinds: ODataBinds },
 	odataBinds: ODataBinds,
 ): ODataQuery => {
@@ -157,7 +163,7 @@ const parsePermissions = (
 	odataBinds: ODataBinds,
 ): ODataQuery => {
 	const odata = $parsePermissions(filter);
-	return rewriteBinds(odata, odataBinds);
+	return rewriteODataBinds(odata, odataBinds);
 };
 
 // Traverses all values in `check`, actions for the following data types:
@@ -166,22 +172,22 @@ const parsePermissions = (
 // array: Treated as an AND of all elements
 // object: Must have only one key of either `AND` or `OR`, with an array value that will be treated according to the key.
 const isAnd = <T>(x: any): x is NestedCheckAnd<T> =>
-	_.isObject(x) && 'and' in x;
+	typeof x === 'object' && 'and' in x;
 const isOr = <T>(x: any): x is NestedCheckOr<T> =>
 	typeof x === 'object' && 'or' in x;
-export function nestedCheck<I, O>(
+export function nestedCheck<I extends {}, O>(
 	check: string,
 	stringCallback: (s: string) => O,
 ): O;
-export function nestedCheck<I, O>(
+export function nestedCheck<I extends {}, O>(
 	check: boolean,
 	stringCallback: (s: string) => O,
 ): boolean;
-export function nestedCheck<I, O>(
+export function nestedCheck<I extends {}, O>(
 	check: NestedCheck<I>,
 	stringCallback: (s: string) => O,
 ): Exclude<I, string> | O | MappedNestedCheck<typeof check, I, O>;
-export function nestedCheck<I, O>(
+export function nestedCheck<I extends {}, O>(
 	check: NestedCheck<I>,
 	stringCallback: (s: string) => O,
 ): boolean | Exclude<I, string> | O | MappedNestedCheck<typeof check, I, O> {
@@ -306,10 +312,14 @@ const namespaceRelationships = (
 	});
 };
 
-type PermissionLookup = _.Dictionary<true | string[]>;
+type PermissionLookup = Dictionary<true | string[]>;
 
-const getPermissionsLookup = memoize(
-	(permissions: string[]): PermissionLookup => {
+const getPermissionsLookup = env.createCache(
+	'permissionsLookup',
+	(permissions: string[], guestPermissions?: string[]): PermissionLookup => {
+		if (guestPermissions != null) {
+			permissions = [...guestPermissions, ...permissions];
+		}
 		const permissionsLookup: PermissionLookup = {};
 		for (const permission of permissions) {
 			const [target, condition] = permission.split('?');
@@ -317,20 +327,28 @@ const getPermissionsLookup = memoize(
 				// We have unconditional permission
 				permissionsLookup[target] = true;
 			} else if (permissionsLookup[target] !== true) {
-				if (permissionsLookup[target] == null) {
-					permissionsLookup[target] = [];
-				}
-				(permissionsLookup[target] as Exclude<
-					PermissionLookup[typeof target],
-					true
-				>).push(condition);
+				permissionsLookup[target] ??= [];
+				(
+					permissionsLookup[target] as Exclude<
+						PermissionLookup[typeof target],
+						true
+					>
+				).push(condition);
+			}
+		}
+		// Ensure there are no duplicate conditions as applying both would be wasteful
+		for (const target of Object.keys(permissionsLookup)) {
+			const conditions = permissionsLookup[target];
+			if (conditions !== true) {
+				permissionsLookup[target] = _.uniq(conditions);
 			}
 		}
 		return permissionsLookup;
 	},
 	{
-		primitive: true,
-		max: env.cache.permissionsLookup.max,
+		normalizer: ([permissions, guestPermissions]) =>
+			// When guestPermissions is present it should always be the same, so we can key by presence not content
+			`${permissions}${guestPermissions == null}`,
 	},
 );
 
@@ -343,52 +361,53 @@ const $checkPermissions = (
 	const checkObject: PermissionCheck = {
 		or: ['all', actionList],
 	};
-	return nestedCheck(checkObject, (permissionCheck):
-		| boolean
-		| string
-		| NestedCheckOr<string> => {
-		const resourcePermission = permissionsLookup['resource.' + permissionCheck];
-		let vocabularyPermission: string[] | undefined;
-		let vocabularyResourcePermission: string[] | undefined;
-		if (resourcePermission === true) {
-			return true;
-		}
-		if (vocabulary != null) {
-			const maybeVocabularyPermission =
-				permissionsLookup[vocabulary + '.' + permissionCheck];
-			if (maybeVocabularyPermission === true) {
+	return nestedCheck(
+		checkObject,
+		(permissionCheck): boolean | string | NestedCheckOr<string> => {
+			const resourcePermission =
+				permissionsLookup['resource.' + permissionCheck];
+			let vocabularyPermission: string[] | undefined;
+			let vocabularyResourcePermission: string[] | undefined;
+			if (resourcePermission === true) {
 				return true;
 			}
-			vocabularyPermission = maybeVocabularyPermission;
-			if (resourceName != null) {
-				const maybeVocabularyResourcePermission =
-					permissionsLookup[
-						vocabulary + '.' + resourceName + '.' + permissionCheck
-					];
-				if (maybeVocabularyResourcePermission === true) {
+			if (vocabulary != null) {
+				const maybeVocabularyPermission =
+					permissionsLookup[vocabulary + '.' + permissionCheck];
+				if (maybeVocabularyPermission === true) {
 					return true;
 				}
-				vocabularyResourcePermission = maybeVocabularyResourcePermission;
+				vocabularyPermission = maybeVocabularyPermission;
+				if (resourceName != null) {
+					const maybeVocabularyResourcePermission =
+						permissionsLookup[
+							vocabulary + '.' + resourceName + '.' + permissionCheck
+						];
+					if (maybeVocabularyResourcePermission === true) {
+						return true;
+					}
+					vocabularyResourcePermission = maybeVocabularyResourcePermission;
+				}
 			}
-		}
 
-		// Get the unique permission set, ignoring undefined sets.
-		const conditionalPermissions = _.union(
-			resourcePermission,
-			vocabularyPermission,
-			vocabularyResourcePermission,
-		);
+			// Get the unique permission set, ignoring undefined sets.
+			const conditionalPermissions = _.union(
+				resourcePermission,
+				vocabularyPermission,
+				vocabularyResourcePermission,
+			);
 
-		if (conditionalPermissions.length === 1) {
-			return conditionalPermissions[0];
-		}
-		if (conditionalPermissions.length > 1) {
-			return {
-				or: conditionalPermissions,
-			};
-		}
-		return false;
-	});
+			if (conditionalPermissions.length === 1) {
+				return conditionalPermissions[0];
+			}
+			if (conditionalPermissions.length > 1) {
+				return {
+					or: conditionalPermissions,
+				};
+			}
+			return false;
+		},
+	);
 };
 
 const convertToLambda = (filter: AnyObject, identifier: string) => {
@@ -401,9 +420,9 @@ const convertToLambda = (filter: AnyObject, identifier: string) => {
 			return;
 		}
 		if (Array.isArray(object)) {
-			object.forEach((element) => {
+			for (const element of object) {
 				replaceObject(element);
-			});
+			}
 		}
 
 		if (object.hasOwnProperty('name')) {
@@ -426,7 +445,7 @@ const rewriteSubPermissionBindings = (filter: AnyObject, counter: number) => {
 			object.bind = counter + object.bind;
 		}
 
-		if (Array.isArray(object) || _.isObject(object)) {
+		if (Array.isArray(object) || typeof object === 'object') {
 			_.forEach(object, (v) => {
 				rewrite(v);
 			});
@@ -459,7 +478,7 @@ const buildODataPermission = (
 	}
 	if (conditionalPerms === true) {
 		// If we have full access then no need to provide a constrained definition
-		return false;
+		return;
 	}
 
 	const permissionFilters = nestedCheck(conditionalPerms, (permissionCheck) => {
@@ -468,7 +487,7 @@ const buildODataPermission = (
 			return {
 				filter: parsePermissions(permissionCheck, odata.binds),
 			};
-		} catch (e) {
+		} catch (e: any) {
 			console.warn(
 				'Failed to parse conditional permissions: ',
 				permissionCheck,
@@ -477,9 +496,8 @@ const buildODataPermission = (
 		}
 	});
 
-	const collapsedPermissionFilters = collapsePermissionFilters(
-		permissionFilters,
-	);
+	const collapsedPermissionFilters =
+		collapsePermissionFilters(permissionFilters);
 
 	return collapsedPermissionFilters;
 };
@@ -490,7 +508,7 @@ const generateConstrainedAbstractSql = (
 	actionList: PermissionCheck,
 	vocabulary: string,
 	resourceName: string,
-) => {
+): Definition | undefined => {
 	const abstractSQLModel = sbvrUtils.getAbstractSqlModel({
 		vocabulary,
 	});
@@ -504,6 +522,12 @@ const generateConstrainedAbstractSql = (
 		odata,
 	);
 
+	if (collapsePermissionFilters == null) {
+		// If we have full access then there's no need to provide a constrained
+		// definition, just use the table directly.
+		return;
+	}
+
 	_.set(odata, ['tree', 'options', '$filter'], collapsedPermissionFilters);
 
 	const lambdaAlias = randomstring.generate(20);
@@ -513,9 +537,19 @@ const generateConstrainedAbstractSql = (
 	// permissions circles.
 	const canAccessTrace: string[] = [resourceName];
 
-	const canAccessFunction: ResourceFunction = function (property: AnyObject) {
+	const resolveBind = (maybeBind: any, extraBinds: ODataBinds) => {
+		if (isBindReference(maybeBind)) {
+			const { bind } = maybeBind;
+			if (typeof bind === 'string' || bind < odata.binds.length) {
+				return odata.binds[bind];
+			}
+			return extraBinds[bind - odata.binds.length];
+		}
+		return maybeBind;
+	};
+	const canAccessFunction: ResourceFunction = function (property) {
 		// remove method property so that we won't loop back here again at this point
-		delete property.method;
+		const { method, ...resolvedProperty } = property;
 
 		if (!this.defaultResource) {
 			throw new Error(`No resource selected in AST.`);
@@ -523,21 +557,54 @@ const generateConstrainedAbstractSql = (
 
 		const targetResource = this.NavigateResources(
 			this.defaultResource,
-			property.name,
+			resolvedProperty.name,
 		);
 
+		const lambdaId = `${lambdaAlias}+${inc}`;
+		inc = inc + 1;
+
 		const targetResourceName = sqlNameToODataName(targetResource.resource.name);
 
-		if (canAccessTrace.includes(targetResourceName)) {
-			// we don't want to allow permission loops for now, therefore we are
-			// throwing the exception here. If we ever want to allow permission
-			// loops return a false AST statement here (like true eq false), to
-			// not recursivley follow query branches in a deep first search.
-			throw new PermissionError(
-				`Permissions for ${resourceName} form a circle by the following path: ${canAccessTrace.join(
-					' -> ',
-				)} -> ${targetResourceName}`,
-			);
+		const traceIndex = canAccessTrace.findIndex(
+			(rName) => rName === targetResourceName,
+		);
+		if (traceIndex !== -1) {
+			if (canAccessTrace[canAccessTrace.length - 1] !== targetResourceName) {
+				throw new Error(
+					`Indirectly circular 'canAccess()' permissions are not supported, currently permissions for ${resourceName} form an indirect circle by the following path: ${canAccessTrace.join(
+						' -> ',
+					)} -> ${targetResourceName}`,
+				);
+			}
+
+			const { args } = method[1];
+			const depthArg = resolveBind(args[0], this.extraBindVars);
+			if (depthArg == null) {
+				// To enable directly circular dependencies a depth must be specified and it was not
+				throw new Error(
+					`You must specify a depth if you want to enable directly circular 'canAccess()' permissions, currently permissions for ${resourceName} form a direct circle by the following path: ${canAccessTrace.join(
+						' -> ',
+					)} -> ${targetResourceName}`,
+				);
+			}
+			const [type, depth] = depthArg;
+			if (type !== 'Real' || !Number.isInteger(depth) || depth < 1) {
+				throw new Error('The depth for `canAccess` must be an integer >= 1');
+			}
+			if (
+				// Make sure we have enough traces yet to have exceeded the depth before checking if they match
+				canAccessTrace.length > depth &&
+				// We know there cannot be any gaps due to the indirect circle check above so we only need to check
+				// that the final depth entry is the target resource to know they all must be
+				canAccessTrace[canAccessTrace.length - depth] === targetResourceName
+			) {
+				resolvedProperty.lambda = {
+					method: 'any',
+					identifier: lambdaId,
+					expression: ['eq', true, false],
+				};
+				return this.Property(resolvedProperty);
+			}
 		}
 
 		const parentOdata = memoizedParseOdata(`/${targetResourceName}`);
@@ -550,20 +617,17 @@ const generateConstrainedAbstractSql = (
 			parentOdata,
 		);
 
-		if (collapsedParentPermissionFilters === false) {
-			// We reuse a constant permission error here as it will be cached, and
-			// using a single error instance can drastically reduce the memory used
-			throw constrainedPermissionError;
+		if (collapsedParentPermissionFilters == null) {
+			// full access
+			return ['Equals', ['Boolean', true], ['Boolean', true]];
 		}
 
-		const lambdaId = `${lambdaAlias}+${inc}`;
-		inc = inc + 1;
 		rewriteSubPermissionBindings(
 			collapsedParentPermissionFilters,
 			this.bindVarsLength + this.extraBindVars.length,
 		);
 		convertToLambda(collapsedParentPermissionFilters, lambdaId);
-		property.lambda = {
+		resolvedProperty.lambda = {
 			method: 'any',
 			identifier: lambdaId,
 			expression: collapsedParentPermissionFilters,
@@ -573,7 +637,7 @@ const generateConstrainedAbstractSql = (
 
 		canAccessTrace.push(targetResourceName);
 		try {
-			return this.Property(property);
+			return this.Property(resolvedProperty);
 		} finally {
 			canAccessTrace.pop();
 		}
@@ -588,38 +652,41 @@ const generateConstrainedAbstractSql = (
 	odata.binds.push(...extraBindVars);
 	const odataBinds = odata.binds;
 
-	const abstractSqlQuery = [...tree];
+	const abstractSqlQuery = [...tree] as SelectQueryNode;
 	// Remove aliases from the top level select
-	const selectIndex = abstractSqlQuery.findIndex((v) => v[0] === 'Select');
-	const select = (abstractSqlQuery[selectIndex] = [
-		...abstractSqlQuery[selectIndex],
-	] as SelectNode);
-	select[1] = select[1].map(
-		(selectField): AbstractSqlType => {
-			if (selectField[0] === 'Alias') {
-				const maybeField = (selectField as AliasNode<any>)[1];
-				const fieldType = maybeField[0];
-				if (fieldType === 'ReferencedField' || fieldType === 'Field') {
-					return maybeField;
-				}
-				return [
-					'Alias',
-					maybeField,
-					odataNameToSqlName((selectField as AliasNode<any>)[2]),
-				];
-			}
-			if (selectField.length === 2 && Array.isArray(selectField[0])) {
-				return selectField[0];
+	const select = abstractSqlQuery.find(
+		(v): v is SelectNode => v[0] === 'Select',
+	)!;
+	select[1] = select[1].map((selectField): AnyTypeNodes => {
+		if (selectField[0] === 'Alias') {
+			const sqlName = odataNameToSqlName((selectField as AliasNode<any>)[2]);
+			const maybeField = (
+				selectField as AliasNode<
+					ReferencedFieldNode | FieldNode | AbstractSqlQuery
+				>
+			)[1];
+			if (
+				(maybeField[0] === 'ReferencedField' && maybeField[2] === sqlName) ||
+				(maybeField[0] === 'Field' && maybeField[1] === sqlName)
+			) {
+				// If the field name matches the sql name version of the alias then use it directly
+				return maybeField;
 			}
-			return selectField;
-		},
-	);
+			// Otherwise update the alias to use the sql name
+			return ['Alias', maybeField, sqlName];
+		}
+		return selectField;
+	});
 
-	return { extraBinds: odataBinds, abstractSqlQuery };
+	return { binds: odataBinds, abstractSql: abstractSqlQuery };
 };
 
 // Call the function once and either return the same result or throw the same error on subsequent calls
-const onceGetter = (obj: AnyObject, propName: string, fn: () => any) => {
+const onceGetter = <T, U extends keyof T>(
+	obj: T,
+	propName: U,
+	fn: () => T[U],
+) => {
 	// We have `nullableFn` to keep fn required but still allow us to clear the fn reference
 	// after we have called fn
 	let nullableFn: undefined | typeof fn = fn;
@@ -637,7 +704,7 @@ const onceGetter = (obj: AnyObject, propName: string, fn: () => any) => {
 				// and the delete removes that restriction
 				delete this[propName];
 				return (this[propName] = result);
-			} catch (e) {
+			} catch (e: any) {
 				thrownErr = e;
 				throw thrownErr;
 			} finally {
@@ -650,7 +717,7 @@ const onceGetter = (obj: AnyObject, propName: string, fn: () => any) => {
 const deepFreezeExceptDefinition = (obj: AnyObject) => {
 	Object.freeze(obj);
 
-	Object.getOwnPropertyNames(obj).forEach((prop) => {
+	for (const prop of Object.getOwnPropertyNames(obj)) {
 		// We skip the definition because we know it's a property we've defined that will throw an error in some cases
 		if (
 			prop !== 'definition' &&
@@ -660,7 +727,7 @@ const deepFreezeExceptDefinition = (obj: AnyObject) => {
 		) {
 			deepFreezeExceptDefinition(obj);
 		}
-	});
+	}
 };
 
 const createBypassDefinition = (definition: Definition) =>
@@ -754,6 +821,12 @@ const rewriteRelationship = memoizeWeak(
 							odata,
 						);
 
+						if (collapsedPermissionFilters == null) {
+							// If we have full access already then there's no need to
+							// check for/rewrite based on `canAccess`
+							return;
+						}
+
 						_.set(
 							odata,
 							['tree', 'options', '$filter'],
@@ -805,7 +878,7 @@ const rewriteRelationship = memoizeWeak(
 									canAccess: canAccessFunction,
 								},
 							);
-						} catch (e) {
+						} catch (e: any) {
 							throw new ODataParser.SyntaxError(e);
 						}
 						if (foundCanAccessLink) {
@@ -833,7 +906,7 @@ const rewriteRelationship = memoizeWeak(
 				}
 			}
 
-			if (Array.isArray(object) || _.isObject(object)) {
+			if (Array.isArray(object) || typeof object === 'object') {
 				_.forEach(object, (v) => {
 					// we want to recurse into the relationship path, but
 					// in case we hit a plain string, we don't need to bother
@@ -888,11 +961,16 @@ const getBoundConstrainedMemoizer = memoizeWeak(
 			(permissionsLookup: PermissionLookup, vocabulary: string) => {
 				const constrainedAbstractSqlModel = _.cloneDeep(abstractSqlModel);
 
-				const origSynonyms = Object.keys(constrainedAbstractSqlModel.synonyms);
+				const origSynonyms = Object.entries(
+					constrainedAbstractSqlModel.synonyms,
+				);
 				constrainedAbstractSqlModel.synonyms = new Proxy(
 					constrainedAbstractSqlModel.synonyms,
 					{
-						get: (synonyms, permissionSynonym: string) => {
+						get(synonyms, permissionSynonym, receiver) {
+							if (typeof permissionSynonym === 'symbol') {
+								return Reflect.get(synonyms, permissionSynonym, receiver);
+							}
 							if (synonyms[permissionSynonym]) {
 								return synonyms[permissionSynonym];
 							}
@@ -900,9 +978,9 @@ const getBoundConstrainedMemoizer = memoizeWeak(
 							if (!alias) {
 								return;
 							}
-							origSynonyms.forEach((canonicalForm, synonym) => {
+							for (const [synonym, canonicalForm] of origSynonyms) {
 								synonyms[`${synonym}$${alias}`] = `${canonicalForm}$${alias}`;
-							});
+							}
 							return synonyms[permissionSynonym];
 						},
 					},
@@ -917,14 +995,12 @@ const getBoundConstrainedMemoizer = memoizeWeak(
 					constrainedAbstractSqlModel.tables[bypassResourceName] = {
 						...table,
 					};
-					constrainedAbstractSqlModel.tables[
-						bypassResourceName
-					].resourceName = bypassResourceName;
+					constrainedAbstractSqlModel.tables[bypassResourceName].resourceName =
+						bypassResourceName;
 					if (table.definition) {
 						// If the table is definition based then just make the bypass version match but pointing to the equivalent bypassed resources
-						constrainedAbstractSqlModel.tables[
-							bypassResourceName
-						].definition = createBypassDefinition(table.definition);
+						constrainedAbstractSqlModel.tables[bypassResourceName].definition =
+							createBypassDefinition(table.definition);
 					} else {
 						// Otherwise constrain the non-bypass table
 						onceGetter(
@@ -942,14 +1018,15 @@ const getBoundConstrainedMemoizer = memoizeWeak(
 				constrainedAbstractSqlModel.tables = new Proxy(
 					constrainedAbstractSqlModel.tables,
 					{
-						get: (tables, permissionResourceName: string) => {
+						get(tables, permissionResourceName, receiver) {
+							if (typeof permissionResourceName === 'symbol') {
+								return Reflect.get(tables, permissionResourceName, receiver);
+							}
 							if (tables[permissionResourceName]) {
 								return tables[permissionResourceName];
 							}
-							const [
-								resourceName,
-								permissionsJSON,
-							] = permissionResourceName.split('$permissions');
+							const [resourceName, permissionsJSON] =
+								permissionResourceName.split('$permissions');
 							if (!permissionsJSON) {
 								return;
 							}
@@ -968,9 +1045,12 @@ const getBoundConstrainedMemoizer = memoizeWeak(
 									permissionsLookup,
 									permissions,
 									vocabulary,
-									sqlNameToODataName(permissionsTable.name),
+									sqlNameToODataName(
+										permissionsTable.modifyName ?? permissionsTable.name,
+									),
 								),
 							);
+
 							return permissionsTable;
 						},
 					},
@@ -989,7 +1069,14 @@ const getBoundConstrainedMemoizer = memoizeWeak(
 				constrainedAbstractSqlModel.relationships = new Proxy(
 					constrainedAbstractSqlModel.relationships,
 					{
-						get: (relationships, permissionResourceName: string) => {
+						get(relationships, permissionResourceName, receiver) {
+							if (typeof permissionResourceName === 'symbol') {
+								return Reflect.get(
+									relationships,
+									permissionResourceName,
+									receiver,
+								);
+							}
 							if (relationships[permissionResourceName]) {
 								return relationships[permissionResourceName];
 							}
@@ -1066,59 +1153,61 @@ export const checkPassword = async (
 	};
 };
 
-const getUserPermissionsQuery = _.once(() =>
-	sbvrUtils.api.Auth.prepare<{ userId: number }>({
-		resource: 'permission',
-		passthrough: {
-			req: rootRead,
-		},
-		options: {
-			$select: 'name',
-			$filter: {
-				$or: {
-					is_of__user: {
-						$any: {
-							$alias: 'uhp',
-							$expr: {
-								uhp: { user: { '@': 'userId' } },
-								$or: [
-									{
-										uhp: { expiry_date: null },
-									},
-									{
-										uhp: {
-											expiry_date: { $gt: { $now: null } },
+const $getUserPermissions = (() => {
+	const getUserPermissionsQuery = _.once(() =>
+		sbvrUtils.api.Auth.prepare<{ userId: number }>({
+			resource: 'permission',
+			passthrough: {
+				req: rootRead,
+			},
+			options: {
+				$select: 'name',
+				$filter: {
+					$or: {
+						is_of__user: {
+							$any: {
+								$alias: 'uhp',
+								$expr: {
+									uhp: { user: { '@': 'userId' } },
+									$or: [
+										{
+											uhp: { expiry_date: null },
 										},
-									},
-								],
+										{
+											uhp: {
+												expiry_date: { $gt: { $now: null } },
+											},
+										},
+									],
+								},
 							},
 						},
-					},
-					is_of__role: {
-						$any: {
-							$alias: 'rhp',
-							$expr: {
-								rhp: {
-									role: {
-										$any: {
-											$alias: 'r',
-											$expr: {
-												r: {
-													is_of__user: {
-														$any: {
-															$alias: 'uhr',
-															$expr: {
-																uhr: { user: { '@': 'userId' } },
-																$or: [
-																	{
-																		uhr: { expiry_date: null },
-																	},
-																	{
-																		uhr: {
-																			expiry_date: { $gt: { $now: null } },
+						is_of__role: {
+							$any: {
+								$alias: 'rhp',
+								$expr: {
+									rhp: {
+										role: {
+											$any: {
+												$alias: 'r',
+												$expr: {
+													r: {
+														is_of__user: {
+															$any: {
+																$alias: 'uhr',
+																$expr: {
+																	uhr: { user: { '@': 'userId' } },
+																	$or: [
+																		{
+																			uhr: { expiry_date: null },
 																		},
-																	},
-																],
+																		{
+																			uhr: {
+																				expiry_date: { $gt: { $now: null } },
+																			},
+																		},
+																	],
+																},
 															},
 														},
 													},
@@ -1131,15 +1220,36 @@ const getUserPermissionsQuery = _.once(() =>
 						},
 					},
 				},
+				// We orderby to increase the hit rate for the `_checkPermissions` memoisation
+				$orderby: {
+					name: 'asc',
+				},
 			},
-			// We orderby to increase the hit rate for the `_checkPermissions` memoisation
-			$orderby: {
-				name: 'asc',
-			},
+		}),
+	);
+	return env.createCache(
+		'userPermissions',
+		async (userId: number, tx?: Tx) => {
+			const permissions = (await getUserPermissionsQuery()(
+				{
+					userId,
+				},
+				undefined,
+				{ tx },
+			)) as Array<{ name: string }>;
+			return permissions.map((permission) => permission.name);
 		},
-	}),
-);
-export const getUserPermissions = async (userId: number): Promise<string[]> => {
+		{
+			primitive: true,
+			promise: true,
+			normalizer: ([userId]) => `${userId}`,
+		},
+	);
+})();
+export const getUserPermissions = async (
+	userId: number,
+	tx?: Tx,
+): Promise<string[]> => {
 	if (typeof userId === 'string') {
 		userId = parseInt(userId, 10);
 	}
@@ -1147,63 +1257,84 @@ export const getUserPermissions = async (userId: number): Promise<string[]> => {
 		throw new Error(`User ID has to be numeric, got: ${typeof userId}`);
 	}
 	try {
-		const permissions = (await getUserPermissionsQuery()({
-			userId,
-		})) as Array<{ name: string }>;
-		return permissions.map((permission) => permission.name);
-	} catch (err) {
+		return await $getUserPermissions(userId, tx);
+	} catch (err: any) {
 		sbvrUtils.api.Auth.logger.error('Error loading user permissions', err);
 		throw err;
 	}
 };
 
-const getApiKeyPermissionsQuery = _.once(() =>
-	sbvrUtils.api.Auth.prepare<{ apiKey: string }>({
-		resource: 'permission',
-		passthrough: {
-			req: rootRead,
-		},
-		options: {
-			$select: 'name',
-			$filter: {
-				$or: {
-					is_of__api_key: {
-						$any: {
-							$alias: 'khp',
-							$expr: {
-								khp: {
-									api_key: {
-										$any: {
-											$alias: 'k',
-											$expr: {
-												k: { key: { '@': 'apiKey' } },
+const $getApiKeyPermissions = (() => {
+	const getApiKeyPermissionsQuery = _.once(() =>
+		sbvrUtils.api.Auth.prepare<{ apiKey: string }>({
+			resource: 'permission',
+			passthrough: {
+				req: rootRead,
+			},
+			options: {
+				$select: 'name',
+				$filter: {
+					$or: {
+						is_of__api_key: {
+							$any: {
+								$alias: 'khp',
+								$expr: {
+									khp: {
+										api_key: {
+											$any: {
+												$alias: 'k',
+												$expr: {
+													k: { key: { '@': 'apiKey' } },
+													$or: [
+														{
+															k: { expiry_date: null },
+														},
+														{
+															k: {
+																expiry_date: { $gt: { $now: null } },
+															},
+														},
+													],
+												},
 											},
 										},
 									},
 								},
 							},
 						},
-					},
-					is_of__role: {
-						$any: {
-							$alias: 'rhp',
-							$expr: {
-								rhp: {
-									role: {
-										$any: {
-											$alias: 'r',
-											$expr: {
-												r: {
-													is_of__api_key: {
-														$any: {
-															$alias: 'khr',
-															$expr: {
-																khr: {
-																	api_key: {
-																		$any: {
-																			$alias: 'k',
-																			$expr: {
-																				k: { key: { '@': 'apiKey' } },
+						is_of__role: {
+							$any: {
+								$alias: 'rhp',
+								$expr: {
+									rhp: {
+										role: {
+											$any: {
+												$alias: 'r',
+												$expr: {
+													r: {
+														is_of__api_key: {
+															$any: {
+																$alias: 'khr',
+																$expr: {
+																	khr: {
+																		api_key: {
+																			$any: {
+																				$alias: 'k',
+																				$expr: {
+																					k: { key: { '@': 'apiKey' } },
+																					$or: [
+																						{
+																							k: { expiry_date: null },
+																						},
+																						{
+																							k: {
+																								expiry_date: {
+																									$gt: { $now: null },
+																								},
+																							},
+																						},
+																					],
+																				},
 																			},
 																		},
 																	},
@@ -1220,94 +1351,116 @@ const getApiKeyPermissionsQuery = _.once(() =>
 						},
 					},
 				},
+				// We orderby to increase the hit rate for the `_checkPermissions` memoisation
+				$orderby: {
+					name: 'asc',
+				},
 			},
-			// We orderby to increase the hit rate for the `_checkPermissions` memoisation
-			$orderby: {
-				name: 'asc',
-			},
+		}),
+	);
+	return env.createCache(
+		'apiKeyPermissions',
+		async (apiKey: string, tx?: Tx) => {
+			const permissions = (await getApiKeyPermissionsQuery()(
+				{
+					apiKey,
+				},
+				undefined,
+				{ tx },
+			)) as Array<{ name: string }>;
+			return permissions.map((permission) => permission.name);
 		},
-	}),
-);
+		{
+			primitive: true,
+			promise: true,
+			normalizer: ([apiKey]) => apiKey,
+		},
+	);
+})();
 export const getApiKeyPermissions = async (
 	apiKey: string,
+	tx?: Tx,
 ): Promise<string[]> => {
 	if (typeof apiKey !== 'string') {
 		throw new Error('API key has to be a string, got: ' + typeof apiKey);
 	}
 	try {
-		const permissions = (await getApiKeyPermissionsQuery()({
-			apiKey,
-		})) as Array<{ name: string }>;
-		return permissions.map((permission) => permission.name);
-	} catch (err) {
+		return await $getApiKeyPermissions(apiKey, tx);
+	} catch (err: any) {
 		sbvrUtils.api.Auth.logger.error('Error loading api key permissions', err);
 		throw err;
 	}
 };
 
-const getApiKeyActorIdQuery = _.once(() =>
-	sbvrUtils.api.Auth.prepare<{ apiKey: string }>({
-		resource: 'api_key',
-		passthrough: {
-			req: rootRead,
-		},
-		id: {
-			key: { '@': 'apiKey' },
+const getApiKeyActorId = (() => {
+	const getApiKeyActorIdQuery = _.once(() =>
+		sbvrUtils.api.Auth.prepare<{ apiKey: string }>({
+			resource: 'api_key',
+			passthrough: {
+				req: rootRead,
+			},
+			id: {
+				key: { '@': 'apiKey' },
+			},
+			options: {
+				$select: 'is_of__actor',
+				$filter: {
+					$or: [
+						{ expiry_date: null },
+						{ expiry_date: { $gt: { $now: null } } },
+					],
+				},
+			},
+		}),
+	);
+	const apiActorPermissionError = new PermissionError();
+	return env.createCache(
+		'apiKeyActorId',
+		async (apiKey: string, tx?: Tx) => {
+			const apiKeyResult = await getApiKeyActorIdQuery()(
+				{
+					apiKey,
+				},
+				undefined,
+				{ tx },
+			);
+			if (apiKeyResult == null) {
+				// We reuse a constant permission error here as it will be cached, and
+				// using a single error instance can drastically reduce the memory used
+				throw apiActorPermissionError;
+			}
+			const apiKeyActorID = apiKeyResult.is_of__actor.__id;
+			if (apiKeyActorID == null) {
+				throw new Error('API key is not linked to a actor?!');
+			}
+			return apiKeyActorID as number;
 		},
-		options: {
-			$select: 'is_of__actor',
+		{
+			promise: true,
+			primitive: true,
+			normalizer: ([apiKey]) => apiKey,
 		},
-	}),
-);
-const apiActorPermissionError = new PermissionError();
-const getApiKeyActorId = async (apiKey: string) => {
-	const apiKeyResult = await getApiKeyActorIdQuery()({
-		apiKey,
-	});
-	if (apiKeyResult == null) {
-		// We reuse a constant permission error here as it will be cached, and
-		// using a single error instance can drastically reduce the memory used
-		throw apiActorPermissionError;
-	}
-	const apiKeyActorID = apiKeyResult.is_of__actor.__id;
-	if (apiKeyActorID == null) {
-		throw new Error('API key is not linked to a actor?!');
-	}
-	return apiKeyActorID as number;
-};
+	);
+})();
 
 const checkApiKey = async (
-	req: PermissionReq,
 	apiKey: string,
+	tx?: Tx,
 ): Promise<PermissionReq['apiKey']> => {
-	if (apiKey == null || req.apiKey != null) {
-		return;
-	}
-	let permissions: string[];
-	try {
-		permissions = await getApiKeyPermissions(apiKey);
-	} catch (err) {
-		console.warn('Error with API key:', err);
-		// Ignore errors getting the api key and just use an empty permissions object.
-		permissions = [];
-	}
-	let actor;
-	if (permissions.length > 0) {
-		actor = await getApiKeyActorId(apiKey);
-	}
-	const resolvedApiKey: PermissionReq['apiKey'] = {
+	const permissions = await getApiKeyPermissions(apiKey, tx);
+	const actor = await getApiKeyActorId(apiKey, tx);
+	return {
 		key: apiKey,
 		permissions,
+		actor,
 	};
-	if (actor != null) {
-		resolvedApiKey.actor = actor;
-	}
-	return resolvedApiKey;
 };
 
 export const resolveAuthHeader = async (
 	req: Express.Request,
 	expectedScheme = 'Bearer',
+	// TODO: Consider making tx the second argument in the next major
+	tx?: Tx,
 ): Promise<PermissionReq['apiKey']> => {
 	const auth = req.header('Authorization');
 	if (!auth) {
@@ -1324,7 +1477,7 @@ export const resolveAuthHeader = async (
 		return;
 	}
 
-	return await checkApiKey(req, apiKey);
+	return await checkApiKey(apiKey, tx);
 };
 
 export const customAuthorizationMiddleware = (expectedScheme = 'Bearer') => {
@@ -1351,20 +1504,18 @@ export const authorizationMiddleware = customAuthorizationMiddleware();
 export const resolveApiKey = async (
 	req: HookReq | Express.Request,
 	paramName = 'apikey',
+	// TODO: Consider making tx the second argument in the next major
+	tx?: Tx,
 ): Promise<PermissionReq['apiKey']> => {
 	const apiKey =
-		req.params[paramName] != null
-			? req.params[paramName]
-			: req.body[paramName] != null
-			? req.body[paramName]
-			: req.query[paramName];
-	return await checkApiKey(req, apiKey);
+		req.params[paramName] ?? req.body[paramName] ?? req.query[paramName];
+	if (apiKey == null) {
+		return;
+	}
+	return await checkApiKey(apiKey, tx);
 };
 
 export const customApiKeyMiddleware = (paramName = 'apikey') => {
-	if (paramName == null) {
-		paramName = 'apikey';
-	}
 	return async (
 		req: HookReq | Express.Request,
 		_res?: Express.Response,
@@ -1399,33 +1550,30 @@ export const checkPermissions = async (
 	);
 };
 
-export const checkPermissionsMiddleware = (
-	action: PermissionCheck,
-): Express.RequestHandler => async (req, res, next) => {
-	try {
-		const allowed = await checkPermissions(req, action);
-		switch (allowed) {
-			case false:
-				res.sendStatus(401);
-				return;
-			case true:
-				next();
-				return;
-			default:
-				throw new Error(
-					'checkPermissionsMiddleware returned a conditional permission',
-				);
+export const checkPermissionsMiddleware =
+	(action: PermissionCheck): Express.RequestHandler =>
+	async (req, res, next) => {
+		try {
+			const allowed = await checkPermissions(req, action);
+			switch (allowed) {
+				case false:
+					res.status(401).end();
+					return;
+				case true:
+					next();
+					return;
+				default:
+					throw new Error(
+						'checkPermissionsMiddleware returned a conditional permission',
+					);
+			}
+		} catch (err: any) {
+			sbvrUtils.api.Auth.logger.error('Error checking permissions', err);
+			res.status(503).end();
 		}
-	} catch (err) {
-		sbvrUtils.api.Auth.logger.error(
-			'Error checking permissions',
-			err,
-			err.stack,
-		);
-		res.sendStatus(503);
-	}
-};
+	};
 
+let guestPermissionsInitialized = false;
 const getGuestPermissions = memoize(
 	async () => {
 		// Get guest user
@@ -1444,102 +1592,75 @@ const getGuestPermissions = memoize(
 		if (result == null) {
 			throw new Error('No guest user');
 		}
-		return _.uniq(await getUserPermissions(result.id));
+		const guestPermissions = _.uniq(await getUserPermissions(result.id));
+
+		if (guestPermissions.some((p) => DEFAULT_ACTOR_BIND_REGEX.test(p))) {
+			throw new Error('Guest permissions cannot reference actors');
+		}
+		guestPermissionsInitialized = true;
+		return guestPermissions;
 	},
 	{ promise: true },
 );
 
 const getReqPermissions = async (
 	req: PermissionReq,
-	odataBinds: ODataBinds = [],
+	odataBinds: ODataBinds = [] as any as ODataBinds,
 ) => {
-	const [guestPermissions] = await Promise.all([
-		getGuestPermissions(),
-		(async () => {
-			// TODO: Remove this extra actor ID lookup making actor non-optional and updating open-balena-api.
-			if (
-				req.apiKey != null &&
-				req.apiKey.actor == null &&
-				req.apiKey.permissions != null &&
-				req.apiKey.permissions.length > 0
-			) {
-				const actorId = await getApiKeyActorId(req.apiKey.key);
-				req.apiKey!.actor = actorId;
-			}
-		})(),
-	]);
-
-	if (guestPermissions.some((p) => DEFAULT_ACTOR_BIND_REGEX.test(p))) {
-		throw new Error('Guest permissions cannot reference actors');
-	}
-
-	let permissions = guestPermissions;
-
-	let actorIndex = 0;
-	const addActorPermissions = (actorId: number, actorPermissions: string[]) => {
-		let actorBind = DEFAULT_ACTOR_BIND;
-		if (actorIndex > 0) {
-			actorBind += actorIndex;
-			actorPermissions = actorPermissions.map((actorPermission) =>
-				actorPermission.replace(DEFAULT_ACTOR_BIND_REGEX, actorBind),
-			);
+	const guestPermissions = await (async () => {
+		if (
+			guestPermissionsInitialized === false &&
+			(req.user === root.user || req.user === rootRead.user)
+		) {
+			// In the case that guest permissions are not initialized yet and the query is being made with root permissions
+			// then we need to bypass `getGuestPermissions` as it will cause an infinite loop back to here.
+			// Therefore to break that loop we just ignore guest permissions.
+			return [];
 		}
-		odataBinds[actorBind] = ['Real', actorId];
-		actorIndex++;
-		permissions = permissions.concat(actorPermissions);
+		return await getGuestPermissions();
+	})();
+
+	let actorPermissions: string[] = [];
+	const addActorPermissions = (actorId: number, perms: string[]) => {
+		odataBinds[DEFAULT_ACTOR_BIND] = ['Real', actorId];
+		actorPermissions = perms;
 	};
 
-	if (req.user != null && req.user.permissions != null) {
+	if (req.user?.permissions != null) {
 		addActorPermissions(req.user.actor, req.user.permissions);
-	} else if (req.apiKey != null && req.apiKey.permissions != null) {
+	} else if (req.apiKey?.permissions != null) {
 		addActorPermissions(req.apiKey.actor!, req.apiKey.permissions);
 	}
 
-	permissions = _.uniq(permissions);
-
-	return getPermissionsLookup(permissions);
+	return getPermissionsLookup(actorPermissions, guestPermissions);
 };
 
 export const addPermissions = async (
 	req: PermissionReq,
 	request: ODataRequest & { permissionType?: PermissionCheck },
 ): Promise<void> => {
-	const { vocabulary, resourceName, odataQuery, odataBinds } = request;
-	let { method } = request;
+	const { resourceName, odataQuery, odataBinds } = request;
+	const vocabulary = _.last(request.translateVersions)!;
 	let abstractSqlModel = sbvrUtils.getAbstractSqlModel(request);
-	method = method.toUpperCase() as SupportedMethod;
-	const isMetadataEndpoint =
-		metadataEndpoints.includes(resourceName) || method === 'OPTIONS';
-
-	let permissionType: PermissionCheck;
-	if (request.permissionType != null) {
-		permissionType = request.permissionType;
-	} else if (isMetadataEndpoint) {
-		permissionType = 'model';
-	} else {
-		const methodPermission = methodPermissions[method];
-		if (methodPermission != null) {
-			permissionType = methodPermission;
+
+	let { permissionType } = request;
+	if (permissionType == null) {
+		const method = request.method.toUpperCase() as SupportedMethod;
+		const isMetadataEndpoint =
+			method === 'OPTIONS' || metadataEndpoints.includes(resourceName);
+		if (isMetadataEndpoint) {
+			permissionType = 'model';
 		} else {
-			console.warn('Unknown method for permissions type check: ', method);
-			permissionType = 'all';
+			const methodPermission = methodPermissions[method];
+			if (methodPermission != null) {
+				permissionType = methodPermission;
+			} else {
+				console.warn('Unknown method for permissions type check: ', method);
+				permissionType = 'all';
+			}
 		}
 	}
 
-	// This bypasses in the root cases, needed for fetching guest permissions to work, it can almost certainly be done better though
-	let permissions = req.user?.permissions ?? [];
-	permissions = permissions.concat(req.apiKey?.permissions ?? []);
-	if (
-		permissions.length > 0 &&
-		$checkPermissions(
-			getPermissionsLookup(permissions),
-			permissionType,
-			vocabulary,
-		) === true
-	) {
-		// We have unconditional permission to access the vocab so there's no need to intercept anything
-		return;
-	}
 	const permissionsLookup = await getReqPermissions(req, odataBinds);
 	// Update the request's abstract sql model to use the constrained version
 	request.abstractSqlModel = abstractSqlModel = memoizedGetConstrainedModel(
@@ -1591,6 +1712,10 @@ export const config = {
 					ALTER TABLE "role-has-permission"
 					ADD COLUMN IF NOT EXISTS "modified at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL;
 				`,
+				'14.42.0-api-key-expiry-date': `
+					ALTER TABLE "api key"
+					ADD COLUMN IF NOT EXISTS "expiry date" TIMESTAMP NULL;
+				`,
 			},
 		},
 	] as sbvrUtils.ExecutableModel[],
@@ -1613,8 +1738,7 @@ export const setup = () => {
 			}
 			if (
 				request.method === 'POST' &&
-				request.odataQuery.property != null &&
-				request.odataQuery.property.resource === 'canAccess'
+				request.odataQuery.property?.resource === 'canAccess'
 			) {
 				if (request.odataQuery.key == null) {
 					throw new BadRequestError();
@@ -1639,6 +1763,10 @@ export const setup = () => {
 					0,
 					-'#canAccess'.length,
 				);
+				request.originalResourceName = request.originalResourceName.slice(
+					0,
+					-'#canAccess'.length,
+				);
 				const resourceName = sbvrUtils.resolveSynonym(request);
 				const resourceTable = abstractSqlModel.tables[resourceName];
 				if (resourceTable == null) {
@@ -1656,8 +1784,13 @@ export const setup = () => {
 			}
 			await addPermissions(req, request);
 		},
-		PRERESPOND: ({ request, data }) => {
-			if (request.custom.isAction === 'canAccess' && _.isEmpty(data)) {
+		PRERESPOND: ({ request, response }) => {
+			if (
+				request.custom.isAction === 'canAccess' &&
+				(response.body == null ||
+					typeof response.body === 'string' ||
+					_.isEmpty(response.body?.d))
+			) {
 				// If the caller does not have any permissions to access the
 				// resource pine will throw a PermissionError. To have the
 				// same behavior for the case that the user has permissions