Add wrapper for dataSourceView, added permission checks

Author: tdraier

front/lib/api/resource_wrappers.ts

@@ -6,11 +6,13 @@ import type { SessionWithUser } from "@app/lib/iam/provider";
 import { DataSourceResource } from "@app/lib/resources/data_source_resource";
 import { SpaceResource } from "@app/lib/resources/space_resource";
 import { apiError } from "@app/logger/withlogging";
+import { DataSourceViewResource } from "@app/lib/resources/data_source_view_resource";
 
 // This is a type that represents the resources that can be extracted from an API route
 type KeyToResource = {
   space: SpaceResource;
   dataSource: DataSourceResource;
+  dataSourceView: DataSourceViewResource;
 };
 
 type ResourceMap<U extends ResourceKey> = {
@@ -23,7 +25,12 @@ type OptionsMap<U extends ResourceKey> = {
 
 type ResourceKey = keyof KeyToResource;
 
-const resolvers = [withSpaceFromRoute, withDataSourceFromRoute];
+// Resolvers must be in reverse order : last one is applied first.
+const resolvers = [
+  withDataSourceViewFromRoute,
+  withDataSourceFromRoute,
+  withSpaceFromRoute,
+];
 
 type SessionOrKeyAuthType = Authenticator | SessionWithUser | null;
 
@@ -98,13 +105,13 @@ export function withResourceFetchingFromRoute<
       );
     }
   );
-  const resources = {} as ResourceMap<U>;
+
   return (
     req: NextApiRequest,
     res: NextApiResponse<WithAPIErrorResponse<T>>,
     auth: Authenticator,
     sessionOrKeyAuth: A
-  ) => wrappedHandler(req, res, auth, resources, options, sessionOrKeyAuth);
+  ) => wrappedHandler(req, res, auth, {}, options, sessionOrKeyAuth);
 }
 
 /**
@@ -147,7 +154,7 @@ function withSpaceFromRoute<T, A extends SessionOrKeyAuthType>(
             // possibility of `spaceId` being undefined
             await SpaceResource.fetchById(auth, spaceId as string);
 
-      if (!space || !space.canList(auth) || space.isConversations()) {
+      if (!space || space.isConversations()) {
         return apiError(req, res, {
           status_code: 404,
           api_error: {
@@ -157,6 +164,22 @@ function withSpaceFromRoute<T, A extends SessionOrKeyAuthType>(
         });
       }
 
+      const opts = options.space;
+      if (typeof opts === "object") {
+        if (
+          (opts.requireCanRead === true && !space.canRead(auth)) ||
+          (opts.requireCanList === true && !space.canList(auth))
+        ) {
+          return apiError(req, res, {
+            status_code: 404,
+            api_error: {
+              type: "space_not_found",
+              message: "The space you requested was not found.",
+            },
+          });
+        }
+      }
+
       resources.space = space;
     }
 
@@ -248,15 +271,109 @@ function withDataSourceFromRoute<T, A extends SessionOrKeyAuthType>(
         return apiError(req, res, {
           status_code: 404,
           api_error: {
-            type: "space_not_found",
-            message: "The space you requested was not found.",
+            type: "data_source_not_found",
+            message: "The data source you requested was not found.",
           },
         });
       }
 
+      const opts = options.dataSource;
+      if (typeof opts === "object") {
+        if (
+          (opts.requireCanRead === true && !dataSource.canRead(auth)) ||
+          (opts.requireCanList === true && !dataSource.canList(auth))
+        ) {
+          return apiError(req, res, {
+            status_code: 404,
+            api_error: {
+              type: "data_source_not_found",
+              message: "The data source you requested was not found.",
+            },
+          });
+        }
+      }
+
       resources.dataSource = dataSource;
     }
 
     return handler(req, res, auth, resources, options, sessionOrKeyAuth);
   };
 }
+
+/**
+ * for /w/[wId]/spaces/[spaceId]/data_source_view/[dsvId]/ => check the data source exists,
+ * that it's not in a conversation space, etc. and provide the data source resource to the handler.
+ * also supports the legacy usage of connectors with /w/[wId]/data_source/[dsId]/
+ */
+function withDataSourceViewFromRoute<T, A extends SessionOrKeyAuthType>(
+  handler: ResourceHandler<T, A>
+): ResourceHandler<T, A> {
+  return async (
+    req: NextApiRequest,
+    res: NextApiResponse<WithAPIErrorResponse<T>>,
+    auth: Authenticator,
+    resources: Partial<ResourceMap<ResourceKey>>,
+    options: Partial<OptionsMap<ResourceKey>>,
+    sessionOrKeyAuth: A
+  ) => {
+    const { dsvId } = req.query;
+
+    if (dsvId) {
+      if (typeof dsvId !== "string") {
+        return apiError(req, res, {
+          status_code: 400,
+          api_error: {
+            type: "invalid_request_error",
+            message: "Invalid path parameters.",
+          },
+        });
+      }
+
+      const dataSourceView = await DataSourceViewResource.fetchById(
+        auth,
+        dsvId
+      );
+
+      let { space } = resources;
+      if (!space) {
+        return apiError(req, res, {
+          status_code: 400,
+          api_error: {
+            type: "invalid_request_error",
+            message: "Invalid space id.",
+          },
+        });
+      }
+
+      if (!dataSourceView || dataSourceView.space.sId !== space.sId) {
+        return apiError(req, res, {
+          status_code: 404,
+          api_error: {
+            type: "data_source_view_not_found",
+            message: "The data source view you requested was not found.",
+          },
+        });
+      }
+
+      const opts = options.dataSourceView;
+      if (typeof opts === "object") {
+        if (
+          (opts.requireCanRead === true && !dataSourceView.canRead(auth)) ||
+          (opts.requireCanList === true && !dataSourceView.canList(auth))
+        ) {
+          return apiError(req, res, {
+            status_code: 404,
+            api_error: {
+              type: "data_source_view_not_found",
+              message: "The data source view you requested was not found.",
+            },
+          });
+        }
+      }
+
+      resources.dataSourceView = dataSourceView;
+    }
+
+    return handler(req, res, auth, resources, options, sessionOrKeyAuth);
+  };
+}

front/pages/api/v1/w/[wId]/spaces/[spaceId]/apps/[aId]/runs/[runId]/index.ts

@@ -145,5 +145,5 @@ async function handler(
 }
 
 export default withPublicAPIAuthentication(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/v1/w/[wId]/spaces/[spaceId]/apps/[aId]/runs/index.ts

@@ -506,7 +506,7 @@ async function handler(
 }
 
 export default withPublicAPIAuthentication(
-  withResourceFetchingFromRoute(handler, { space: true }),
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } }),
   {
     allowUserOutsideCurrentWorkspace: true,
   }

front/pages/api/v1/w/[wId]/spaces/[spaceId]/apps/index.ts

@@ -120,5 +120,5 @@ async function handler(
 }
 
 export default withPublicAPIAuthentication(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/v1/w/[wId]/spaces/[spaceId]/data_source_views/[dsvId]/index.ts

@@ -152,35 +152,9 @@ async function handler(
   req: NextApiRequest,
   res: NextApiResponse<WithAPIErrorResponse<DataSourceViewsResponseType>>,
   auth: Authenticator,
-  { space }: { space: SpaceResource }
+  { dataSourceView }: { dataSourceView: DataSourceViewResource }
 ): Promise<void> {
-  const { dsvId } = req.query;
-  if (typeof dsvId !== "string") {
-    return apiError(req, res, {
-      status_code: 400,
-      api_error: {
-        type: "invalid_request_error",
-        message: "Invalid path parameters.",
-      },
-    });
-  }
-
-  const dataSourceView = await DataSourceViewResource.fetchById(auth, dsvId);
-  if (!dataSourceView || dataSourceView.space.sId !== space.sId) {
-    return apiError(req, res, {
-      status_code: 404,
-      api_error: {
-        type: "data_source_view_not_found",
-        message: "The data source view you requested was not found.",
-      },
-    });
-  }
-
-  if (
-    !dataSourceView ||
-    req.query.vId !== dataSourceView.space.sId ||
-    !dataSourceView.canList(auth)
-  ) {
+  if (!dataSourceView.canList(auth)) {
     return apiError(req, res, {
       status_code: 404,
       api_error: {
@@ -255,5 +229,7 @@ async function handler(
 }
 
 export default withPublicAPIAuthentication(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, {
+    dataSourceView: { requireCanList: true },
+  })
 );

front/pages/api/v1/w/[wId]/spaces/[spaceId]/data_source_views/[dsvId]/search.ts

@@ -152,25 +152,9 @@ async function handler(
   req: NextApiRequest,
   res: NextApiResponse<WithAPIErrorResponse<DataSourceSearchResponseType>>,
   auth: Authenticator,
-  { space }: { space: SpaceResource }
+  { dataSourceView }: { dataSourceView: DataSourceViewResource }
 ): Promise<void> {
-  const { dsvId } = req.query;
-  if (typeof dsvId !== "string") {
-    return apiError(req, res, {
-      status_code: 400,
-      api_error: {
-        type: "invalid_request_error",
-        message: "Invalid path parameters.",
-      },
-    });
-  }
-
-  const dataSourceView = await DataSourceViewResource.fetchById(auth, dsvId);
-  if (
-    !dataSourceView ||
-    dataSourceView.space.sId !== space.sId ||
-    !dataSourceView.canRead(auth)
-  ) {
+  if (!dataSourceView.canRead(auth)) {
     return apiError(req, res, {
       status_code: 404,
       api_error: {
@@ -243,5 +227,5 @@ async function handler(
 }
 
 export default withPublicAPIAuthentication(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/v1/w/[wId]/spaces/[spaceId]/data_source_views/index.ts

@@ -95,5 +95,5 @@ async function handler(
 }
 
 export default withPublicAPIAuthentication(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/v1/w/[wId]/spaces/[spaceId]/data_sources/index.ts

@@ -87,5 +87,5 @@ async function handler(
 }
 
 export default withPublicAPIAuthentication(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/[aId]/datasets/[name]/index.ts

@@ -232,5 +232,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/[aId]/datasets/index.ts

@@ -211,5 +211,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/[aId]/index.ts

@@ -134,5 +134,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/[aId]/runs/[runId]/blocks/[type]/[name]/index.ts

@@ -107,5 +107,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/[aId]/runs/[runId]/status.ts

@@ -108,5 +108,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/[aId]/runs/index.ts

@@ -265,5 +265,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/[aId]/state.ts

@@ -109,5 +109,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );

front/pages/api/w/[wId]/spaces/[spaceId]/apps/index.ts

@@ -117,5 +117,5 @@ async function handler(
 }
 
 export default withSessionAuthenticationForWorkspace(
-  withResourceFetchingFromRoute(handler, { space: true })
+  withResourceFetchingFromRoute(handler, { space: { requireCanList: true } })
 );