Backend ai insights permission#1759
Merged
Merged
Conversation
…ed this type of permission into ceadr policy)
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (49)
📝 WalkthroughWalkthroughThis PR adds a new ChangesTable AI Request Permission
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested reviewers
Poem
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces a new Cedar-backed, table-level permission (table:ai-request) intended to gate access to the AI “request info from table” endpoint, and updates permission serialization/tests to account for the additional permission flag.
Changes:
- Adds
table:ai-requestto the Cedar schema/action map, and extends Cedar policy generation/parsing + permission evaluation to includeaiRequest. - Adds a new Nest guard (
TableAiRequestGuard) and switchesPOST /ai/v4/request/:connectionIdto use it. - Updates many e2e tests to expect the additional table permission field, and adds a new non-SaaS e2e suite covering the new permission behavior.
Reviewed changes
Copilot reviewed 49 out of 49 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| backend/src/entities/ai/user-ai-requests-v2.controller.ts | Switches AI v4 request endpoint authorization to the new table AI-request guard. |
| backend/src/guards/table-ai-request.guard.ts | New guard validating table:ai-request via Cedar authorization. |
| backend/src/entities/cedar-authorization/cedar-action-map.ts | Adds TableAiRequest action enum value. |
| backend/src/entities/cedar-authorization/cedar-schema.ts | Adds table:ai-request action definition to TS Cedar schema. |
| backend/src/entities/cedar-authorization/cedar-schema.json | Adds table:ai-request action definition to JSON Cedar schema. |
| backend/src/entities/cedar-authorization/cedar-policy-generator.ts | Emits Cedar policies for table:ai-request when enabled in table access. |
| backend/src/entities/cedar-authorization/cedar-policy-parser.ts | Parses table:ai-request permits into classical permissions (aiRequest). |
| backend/src/entities/cedar-authorization/cedar-permissions.service.ts | Evaluates table:ai-request and exposes it in table permissions. |
| backend/src/entities/permission/permission.interface.ts | Extends table access level interface with aiRequest. |
| backend/src/entities/permission/application/data-structures/create-permissions.ds.ts | Allows aiRequest in table access level DTO validation. |
| backend/src/entities/connection/use-cases/get-permissions-for-group-in-connection.use.case.ts | Ensures returned table permissions include an aiRequest flag (default false). |
| backend/test/ava-tests/non-saas-tests/non-saas-ai-request-permission-e2e.test.ts | New e2e tests validating allow/deny behavior for the AI request endpoint based on aiRequest. |
| backend/test/ava-tests/saas-tests/table-redis-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-redis-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-postgres-schema-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-postgres-encrypted-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-postgres-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-postgres-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-oracledb-schema-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-oracledb-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-oracle-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-mysql-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-mysql-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-mssql-schema-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-mssql-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-mssql-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-mongodb-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-mongodb-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-ibmdb2-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-ibmdb2-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-elasticsearch-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-dynamodb-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-clickhouse-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-clickhouse-agent-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-cassandra.e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/table-cassandra-agent.e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/saas-tests/connection-properties-e2e.test.ts | Updates expected table permission key count from 5 → 6 in connection-properties table list assertions. |
| backend/test/ava-tests/saas-tests/api-key-e2e.test.ts | Updates expected table permission key count from 5 → 6 in API key flow table list assertions. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-redis-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-postgres-schema-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-postgres-encrypted-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-oracledb-schema-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-oracledb-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-mysql-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-mssql-schema-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-mssql-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-mongodb-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-ibmdb2-e2e.test.ts | Updates expected table permission key count from 5 → 6. |
| backend/test/ava-tests/non-saas-tests/non-saas-table-cassandra.e2e.test.ts | Updates expected table permission key count from 5 → 6. |
Comments suppressed due to low confidence (2)
backend/src/entities/ai/user-ai-requests-v2.controller.ts:55
- Switching this endpoint from TableReadGuard to TableAiRequestGuard removes the enforcement of
table:read. The AI request use case (RequestInfoFromTableWithAIUseCaseV7) reads table structure (and can query data) and does not appear to perform an additional table-read authorization check, so granting onlytable:ai-requestwould allow access to table information withouttable:read.
Consider requiring BOTH permissions (e.g., apply both guards, or update TableAiRequestGuard to validate CedarAction.TableRead AND CedarAction.TableAiRequest). Also add an e2e test for the case where aiRequest: true but visibility/read is not granted, and ensure it is rejected.
status: 201,
description: 'Returned info with conversation history saved.',
})
@UseGuards(TableAiRequestGuard)
@ApiBody({ type: RequestInfoFromTableBodyDTO })
@ApiQuery({ name: 'tableName', required: true, type: String })
@ApiQuery({ name: 'threadId', required: false, type: String })
@Timeout(process.env.NODE_ENV !== 'test' ? TimeoutDefaults.AI : TimeoutDefaults.AI_TEST)
@Post('/ai/v4/request/:connectionId')
backend/test/ava-tests/saas-tests/table-postgres-e2e.test.ts:112
- Asserting an exact
Object.keys(...).lengthmakes this test brittle when new table permissions are added/removed. Since this PR introduces a new permission, it would be more stable to assert the presence/type/value of the newaiRequestflag (and/or explicitly check the expected keys) rather than a hard-coded key count.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+137
to
+176
| await request(app.getHttpServer()) | ||
| .post(`/connection/properties/${connectionId}`) | ||
| .send({ allow_ai_requests: true }) | ||
| .set('Cookie', adminToken) | ||
| .set('Content-Type', 'application/json') | ||
| .set('Accept', 'application/json'); | ||
|
|
||
| const newGroup = mockFactory.generateCreateGroupDto1(); | ||
| const createGroupResponse = await request(app.getHttpServer()) | ||
| .post(`/connection/group/${connectionId}`) | ||
| .set('Cookie', adminToken) | ||
| .send(newGroup) | ||
| .set('Content-Type', 'application/json') | ||
| .set('Accept', 'application/json'); | ||
| const createdGroupId = JSON.parse(createGroupResponse.text).id; | ||
|
|
||
| const permissions = { | ||
| connection: { | ||
| connectionId, | ||
| accessLevel: AccessLevelEnum.readonly, | ||
| }, | ||
| group: { | ||
| groupId: createdGroupId, | ||
| accessLevel: AccessLevelEnum.none, | ||
| }, | ||
| tables: [ | ||
| { | ||
| tableName: testTableName, | ||
| accessLevel: tableAccessLevel, | ||
| }, | ||
| ], | ||
| }; | ||
|
|
||
| await request(app.getHttpServer()) | ||
| .put(`/permissions/${createdGroupId}?connectionId=${connectionId}`) | ||
| .send({ permissions }) | ||
| .set('Cookie', adminToken) | ||
| .set('Content-Type', 'application/json') | ||
| .set('Accept', 'application/json'); | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit
Release Notes
New Features
aiRequestpermission flag to table-level access controls, enabling granular control over who can make AI requests on specific tables.Updates
table:ai-requestaction for Cedar-based permission evaluation.