@cubejs-backend/testing 1.5.16 → 1.6.0

package/birdbox-fixtures/rbac/cube.js

@@ -91,6 +91,47 @@ module.exports = {
         },
       };
     }
+    // Developer user for testing overlapping policies scenario
+    // where group "*" has empty member includes and "developer" has row filter
+    if (user === 'developer') {
+      if (password && password !== 'developer_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'developer',
+            userAttributes: {
+              region: 'CA',
+              allowedCities: ['Los Angeles', 'New York'],
+            },
+            roles: [],
+            groups: ['developer'],
+          },
+        },
+      };
+    }
+    // User for testing two-dimensional policy overlap (matches diagram in CompilerApi.ts)
+    // Has policy2_role, so both Policy 1 (*) and Policy 2 (policy2_role) apply
+    if (user === 'policy_test') {
+      if (password && password !== 'policy_test_password') {
+        throw new Error(`Password doesn't match for ${user}`);
+      }
+      return {
+        password,
+        superuser: false,
+        securityContext: {
+          auth: {
+            username: 'policy_test',
+            userAttributes: {},
+            roles: ['policy2_role'],
+            groups: [],
+          },
+        },
+      };
+    }
     throw new Error(`User "${user}" doesn't exist`);
   }
 };

package/birdbox-fixtures/rbac/model/cubes/customers.yaml

@@ -0,0 +1,69 @@
+# Test case for overlapping access policies with member-level and row-level filters.
+#
+# This tests the scenario where:
+# - Policy 1: group "*" with memberLevel.includes: [] (no members)
+# - Policy 2: group "developer" with memberLevel.includes: "*" and row_level filters
+# - Policy 3: group "admin" with memberLevel.includes: "*" and allowAll
+#
+# The row-level filter from the developer policy SHOULD be applied when a developer
+# queries for members, because:
+#
+#   Members
+#     ^
+#     |   ┌─────────────────┐
+#     |   │    Policy 1     │  (no members, no row filter)
+#     |   │   ┌─────────────┼───────────────┐
+#     |   │   │             │               │
+#     |   └───┼─────────────┘   Policy 2    │  (all members, with row filter)
+#     |       │                             │
+#     |       └─────────────────────────────┘
+#     └──────────────────────────────────────────> Rows
+#
+# Policy 1 covers no members (empty includes), so it should not affect row filtering.
+# Policy 2 covers all members with a row filter, so the filter MUST be applied.
+
+cubes:
+  - name: customers
+    sql_table: users
+
+    measures:
+      - name: count
+        type: count
+
+      - name: total_count
+        sql: "1"
+        type: sum
+
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+
+      - name: city
+        sql: city
+        type: string
+
+    access_policy:
+      # Policy 1: All groups, but grants access to NO members
+      - group: "*"
+        member_level:
+          includes: []
+
+      # Policy 2: Developers get all members, but with row-level filter on city
+      - group: developer
+        member_level:
+          includes: "*"
+        row_level:
+          filters:
+            - member: city
+              operator: equals
+              values: security_context.auth.userAttributes.allowedCities
+
+      # Policy 3: Admins get all members with no row restrictions
+      - group: leadership
+        member_level:
+          includes: "*"
+        row_level:
+          allow_all: true
+

package/birdbox-fixtures/rbac/model/cubes/policy_overlap_test.yaml

@@ -0,0 +1,81 @@
+# Test view for validating two-dimensional policy behavior
+# Matches the diagram in CompilerApi.ts:559-647
+#
+# Base cube has no policies - the view applies the access policies
+#
+# Policy 1: covers members a, b with row filter R1 (id < 500)
+# Policy 2: covers members b, c with row filter R2 (id >= 500)
+#
+# Expected behavior:
+#   Query (a, b)    → Only Policy 1 applies → R1 rows (id < 500)
+#   Query (b, c)    → Only Policy 2 applies → R2 rows (id >= 500)
+#   Query (b)       → Both policies apply   → R1 ∪ R2 rows (all rows)
+#   Query (a, b, c) → Neither covers all    → Empty result (denied)
+
+cubes:
+  # Base cube with no access policy
+  - name: policy_overlap_base
+    sql_table: public.line_items
+
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+
+      # Member "a" - only covered by Policy 1
+      - name: member_a
+        sql: order_id
+        type: number
+
+      # Member "b" - covered by both Policy 1 and Policy 2
+      - name: member_b
+        sql: product_id
+        type: number
+
+      # Member "c" - only covered by Policy 2
+      - name: member_c
+        sql: quantity
+        type: number
+
+    measures:
+      - name: count
+        type: count
+
+views:
+  # View with two-dimensional access policies
+  - name: policy_overlap_test
+    cubes:
+      - join_path: policy_overlap_base
+        includes: "*"
+
+    access_policy:
+      # Policy 1: covers members a, b (and count, id for filtering) with row filter R1 (id < 500)
+      - role: "*"
+        member_level:
+          includes:
+            - id
+            - count
+            - member_a
+            - member_b
+        row_level:
+          filters:
+            - member: id
+              operator: lt
+              values:
+                - "500"
+
+      # Policy 2: covers members b, c (and count, id for filtering) with row filter R2 (id >= 500)
+      - role: "policy2_role"
+        member_level:
+          includes:
+            - id
+            - count
+            - member_b
+            - member_c
+        row_level:
+          filters:
+            - member: id
+              operator: gte
+              values:
+                - "500"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cubejs-backend/testing",
-  "version": "1.5.16",
+  "version": "1.6.0",
   "description": "Cube.js e2e tests",
   "author": "Cube Dev, Inc.",
   "repository": {
@@ -99,15 +99,15 @@
     "birdbox-fixtures"
   ],
   "dependencies": {
-    "@cubejs-backend/cubestore-driver": "1.5.16",
+    "@cubejs-backend/cubestore-driver": "1.6.0",
     "@cubejs-backend/dotenv": "^9.0.2",
-    "@cubejs-backend/ksql-driver": "1.5.16",
-    "@cubejs-backend/postgres-driver": "1.5.16",
-    "@cubejs-backend/query-orchestrator": "1.5.16",
-    "@cubejs-backend/schema-compiler": "1.5.16",
-    "@cubejs-backend/shared": "1.5.16",
-    "@cubejs-backend/testing-shared": "1.5.16",
-    "@cubejs-client/ws-transport": "1.5.16",
+    "@cubejs-backend/ksql-driver": "1.6.0",
+    "@cubejs-backend/postgres-driver": "1.6.0",
+    "@cubejs-backend/query-orchestrator": "1.6.0",
+    "@cubejs-backend/schema-compiler": "1.6.0",
+    "@cubejs-backend/shared": "1.6.0",
+    "@cubejs-backend/testing-shared": "1.6.0",
+    "@cubejs-client/ws-transport": "1.6.0",
     "dedent": "^0.7.0",
     "fs-extra": "^8.1.0",
     "http-proxy": "^1.18.1",
@@ -118,8 +118,8 @@
   },
   "devDependencies": {
     "@4tw/cypress-drag-drop": "^1.6.0",
-    "@cubejs-backend/linter": "1.5.16",
-    "@cubejs-client/core": "1.5.16",
+    "@cubejs-backend/linter": "1.6.0",
+    "@cubejs-client/core": "1.6.0",
     "@jest/globals": "^29",
     "@types/dedent": "^0.7.0",
     "@types/http-proxy": "^1.17.5",
@@ -145,5 +145,5 @@
   "eslintConfig": {
     "extends": "../cubejs-linter"
   },
-  "gitHead": "b29af56bbf2d7293550f91e7ed749f263041f2ea"
+  "gitHead": "d2b683872b42db6c18dbd62b4a236eaf5faf090d"
 }