| 2248 | } |
| 2249 | |
| 2250 | func TestSecurityPolicyWithRef(t *testing.T) { |
| 2251 | ctx := context.Background() |
| 2252 | repo := makeRepo(t, map[string]string{ |
| 2253 | `rill.yaml`: ``, |
| 2254 | `models/mappings.sql`: ` |
| 2255 | SELECT * FROM domain_mappings |
| 2256 | `, |
| 2257 | `metrics/d1.yaml`: ` |
| 2258 | version: 1 |
| 2259 | type: metrics_view |
| 2260 | table: t1 |
| 2261 | dimensions: |
| 2262 | - name: foo |
| 2263 | column: foo |
| 2264 | measures: |
| 2265 | - name: a |
| 2266 | expression: count(*) |
| 2267 | security: |
| 2268 | access: true |
| 2269 | row_filter: partner_id IN (SELECT partner_id FROM {{ ref "mappings" }} WHERE domain = '{{ .user.domain }}') |
| 2270 | `, |
| 2271 | }) |
| 2272 | |
| 2273 | resources := []*Resource{ |
| 2274 | { |
| 2275 | Name: ResourceName{Kind: ResourceKindModel, Name: "mappings"}, |
| 2276 | Paths: []string{"/models/mappings.sql"}, |
| 2277 | ModelSpec: &runtimev1.ModelSpec{ |
| 2278 | RefreshSchedule: &runtimev1.Schedule{RefUpdate: true}, |
| 2279 | InputConnector: "duckdb", |
| 2280 | InputProperties: must(structpb.NewStruct(map[string]any{"sql": "SELECT * FROM domain_mappings"})), |
| 2281 | OutputConnector: "duckdb", |
| 2282 | ChangeMode: runtimev1.ModelChangeMode_MODEL_CHANGE_MODE_RESET, |
| 2283 | }, |
| 2284 | }, |
| 2285 | { |
| 2286 | Name: ResourceName{Kind: ResourceKindMetricsView, Name: "d1"}, |
| 2287 | Refs: []ResourceName{{Kind: ResourceKindModel, Name: "mappings"}}, |
| 2288 | Paths: []string{"/metrics/d1.yaml"}, |
| 2289 | MetricsViewSpec: &runtimev1.MetricsViewSpec{ |
| 2290 | Connector: "duckdb", |
| 2291 | Table: "t1", |
| 2292 | DisplayName: "D1", |
| 2293 | Dimensions: []*runtimev1.MetricsViewSpec_Dimension{ |
| 2294 | {Name: "foo", DisplayName: "Foo", Column: "foo"}, |
| 2295 | }, |
| 2296 | Measures: []*runtimev1.MetricsViewSpec_Measure{ |
| 2297 | {Name: "a", DisplayName: "A", Expression: "count(*)", Type: runtimev1.MetricsViewSpec_MEASURE_TYPE_SIMPLE}, |
| 2298 | }, |
| 2299 | SecurityRules: []*runtimev1.SecurityRule{ |
| 2300 | {Rule: &runtimev1.SecurityRule_Access{Access: &runtimev1.SecurityRuleAccess{ |
| 2301 | ConditionExpression: "true", |
| 2302 | Allow: true, |
| 2303 | }}}, |
| 2304 | {Rule: &runtimev1.SecurityRule_RowFilter{RowFilter: &runtimev1.SecurityRuleRowFilter{ |
| 2305 | Sql: "partner_id IN (SELECT partner_id FROM {{ ref \"mappings\" }} WHERE domain = '{{ .user.domain }}')", |
| 2306 | }}}, |
| 2307 | }, |