Add read_only bool to admin key and identity and enforce it (#27335)

GitOrigin-RevId: 2f5dc1eb566716c0cdde2bc41463ef7d254b9386

Author: atrakh

crates/application/src/lib.rs

@@ -937,6 +937,7 @@ impl<RT: Runtime> Application<RT> {
         caller: FunctionCaller,
         pause_client: PauseClient,
     ) -> anyhow::Result<Result<RedactedMutationReturn, RedactedMutationError>> {
+        identity.ensure_can_run_function(UdfType::Mutation)?;
         let block_logging = self
             .log_visibility
             .should_redact_logs_and_error(
@@ -999,6 +1000,8 @@ impl<RT: Runtime> Application<RT> {
         identity: Identity,
         caller: FunctionCaller,
     ) -> anyhow::Result<Result<RedactedActionReturn, RedactedActionError>> {
+        identity.ensure_can_run_function(UdfType::Action)?;
+
         let block_logging = self
             .log_visibility
             .should_redact_logs_and_error(
@@ -1064,6 +1067,7 @@ impl<RT: Runtime> Application<RT> {
         caller: FunctionCaller,
         mut response_streamer: HttpActionResponseStreamer,
     ) -> anyhow::Result<()> {
+        identity.ensure_can_run_function(UdfType::HttpAction)?;
         let block_logging = self
             .log_visibility
             .should_redact_logs_and_error(
@@ -1165,6 +1169,8 @@ impl<RT: Runtime> Application<RT> {
             }));
         };
 
+        identity.ensure_can_run_function(analyzed_function.udf_type)?;
+
         match analyzed_function.udf_type {
             UdfType::Query => self
                 .read_only_udf(request_id, path, args, identity, caller)

crates/keybroker/src/broker.rs

@@ -34,6 +34,7 @@ use common::{
         MemberId,
         PersistenceVersion,
         TeamId,
+        UdfType,
     },
 };
 use errors::ErrorMetadata;
@@ -193,6 +194,25 @@ impl Identity {
             UncheckedIdentityProto::Unknown(()) => Ok(Identity::Unknown),
         }
     }
+
+    pub fn ensure_can_run_function(&self, udf_type: UdfType) -> anyhow::Result<()> {
+        // Everyone can run queries.
+        if udf_type == UdfType::Query {
+            return Ok(());
+        }
+        match self {
+            Identity::InstanceAdmin(admin_identity) | Identity::ActingUser(admin_identity, _) => {
+                if admin_identity.is_read_only() {
+                    anyhow::bail!(ErrorMetadata::forbidden(
+                        "Unauthorized",
+                        format!("You do not have permission to run {udf_type} functions.")
+                    ));
+                }
+            },
+            _ => {},
+        }
+        Ok(())
+    }
 }
 
 impl From<Identity> for InertIdentity {
@@ -481,6 +501,11 @@ pub struct AdminIdentity {
     instance_name: String,
     principal: AdminIdentityPrincipal,
     key: String,
+    // is_read_only being true implies that this identity should not be able to write data.
+    // At the function level, read only admins are allowed to run queries but not mutations and
+    // actions. At the database level, they are allowed to read data from user and system tables
+    // but not write to them.
+    is_read_only: bool,
 }
 
 impl From<AdminIdentity> for pb::convex_identity::AdminIdentity {
@@ -489,6 +514,7 @@ impl From<AdminIdentity> for pb::convex_identity::AdminIdentity {
             instance_name,
             principal,
             key,
+            is_read_only,
         }: AdminIdentity,
     ) -> Self {
         Self {
@@ -502,6 +528,7 @@ impl From<AdminIdentity> for pb::convex_identity::AdminIdentity {
                 ),
             },
             key: Some(key),
+            is_read_only,
         }
     }
 }
@@ -521,10 +548,12 @@ impl AdminIdentity {
             None => anyhow::bail!("Missing principal"),
         };
         let key = msg.key.ok_or_else(|| anyhow::anyhow!("Missing key"))?;
+        let is_read_only: bool = msg.is_read_only;
         Ok(Self {
             instance_name,
             principal,
             key,
+            is_read_only,
         })
     }
 
@@ -537,12 +566,21 @@ impl AdminIdentity {
             instance_name,
             principal,
             key: access_token,
+            is_read_only: false,
         }
     }
 
     pub fn principal(&self) -> &AdminIdentityPrincipal {
         &self.principal
     }
+
+    // is_read_only being true implies that this identity should not be able to
+    // write data. At the function level, read only admins are allowed to run
+    // queries but not mutations and actions. At the database level, they are
+    // allowed to read data from user and system tables but not write to them.
+    pub fn is_read_only(&self) -> bool {
+        self.is_read_only
+    }
 }
 
 #[cfg(any(test, feature = "testing"))]
@@ -557,6 +595,7 @@ impl Arbitrary for AdminIdentity {
             instance_name: "fake-instance-name".to_string(),
             principal,
             key,
+            is_read_only: false,
         })
     }
 }
@@ -568,6 +607,7 @@ impl AdminIdentity {
             instance_name,
             principal: AdminIdentityPrincipal::Member(member_id),
             key: "chocolate-charlies-cupcake".to_string(),
+            is_read_only: false,
         }
     }
 
@@ -623,11 +663,15 @@ impl KeyBroker {
     }
 
     pub fn issue_admin_key(&self, member_id: MemberId) -> AdminKey {
-        AdminKey::new(self.issue_key(Some(member_id)))
+        AdminKey::new(self.issue_key(Some(member_id), false))
+    }
+
+    pub fn issue_read_only_admin_key(&self, member_id: MemberId) -> AdminKey {
+        AdminKey::new(self.issue_key(Some(member_id), true))
     }
 
     pub fn issue_system_key(&self) -> SystemKey {
-        SystemKey::new(self.issue_key(None))
+        SystemKey::new(self.issue_key(None, false))
     }
 
     pub fn issue_store_file_authorization<RT: Runtime>(
@@ -652,7 +696,7 @@ impl KeyBroker {
     /// Private helper method to generate an admin key.
     /// If `member_id` is None, it generates a system key, otherwise
     /// an admin key for the given user.
-    fn issue_key(&self, member_id: Option<MemberId>) -> String {
+    fn issue_key(&self, member_id: Option<MemberId>, is_read_only: bool) -> String {
         let now = SystemTime::now();
         let since_epoch = now
             .duration_since(SystemTime::UNIX_EPOCH)
@@ -666,6 +710,7 @@ impl KeyBroker {
             instance_name: None,
             issued_s: since_epoch.as_secs(),
             identity: Some(identity),
+            is_read_only,
         };
         format_admin_key(
             &self.instance_name,
@@ -691,6 +736,7 @@ impl KeyBroker {
             instance_name: instance_name_from_encrypted_part,
             issued_s,
             identity,
+            is_read_only,
         } = self
             .encryptor
             .decode_proto(ADMIN_KEY_VERSION, encrypted_part)
@@ -712,6 +758,7 @@ impl KeyBroker {
                 instance_name: self.instance_name.clone(),
                 principal: AdminIdentityPrincipal::Member(MemberId(member_id)),
                 key: key.to_string(),
+                is_read_only,
             }),
             AdminIdentityProto::System(()) => Identity::system(),
         })
@@ -996,6 +1043,7 @@ mod tests {
             instance_name: Some(kb.instance_name.clone()),
             issued_s: since_epoch.as_secs(),
             identity: Some(identity),
+            is_read_only: false,
         };
         kb.encryptor.encode_proto(ADMIN_KEY_VERSION, proto)
     }

crates/local_backend/src/admin.rs

@@ -19,29 +19,79 @@ pub fn must_be_admin_from_keybroker(
     Ok(identity)
 }
 
+pub async fn must_be_admin_from_key_with_write_access(
+    app_auth: &ApplicationAuth,
+    instance_name: String,
+    admin_key: String,
+) -> anyhow::Result<Identity> {
+    must_be_admin_from_key_internal(app_auth, instance_name, admin_key, true).await
+}
+
 pub async fn must_be_admin_from_key(
+    app_auth: &ApplicationAuth,
+    instance_name: String,
+    admin_key: String,
+) -> anyhow::Result<Identity> {
+    must_be_admin_from_key_internal(app_auth, instance_name, admin_key, false).await
+}
+
+async fn must_be_admin_from_key_internal(
     app_auth: &ApplicationAuth,
     instance_name: String,
     admin_key_or_access_token: String,
+    needs_write_access: bool,
 ) -> anyhow::Result<Identity> {
     let identity = app_auth
         .check_key(admin_key_or_access_token, instance_name.clone())
         .await
         .context(bad_admin_key_error(Some(instance_name)))?;
+    if needs_write_access {
+        must_be_admin_with_write_access(&identity)?;
+    }
     Ok(identity)
 }
 
+pub fn must_be_admin_with_write_access(
+    identity: &Identity,
+) -> anyhow::Result<AdminIdentityPrincipal> {
+    must_be_admin_internal(identity, true)
+}
+
 pub fn must_be_admin(identity: &Identity) -> anyhow::Result<AdminIdentityPrincipal> {
+    must_be_admin_internal(identity, false)
+}
+
+fn must_be_admin_internal(
+    identity: &Identity,
+    needs_write_access: bool,
+) -> anyhow::Result<AdminIdentityPrincipal> {
     if let Identity::InstanceAdmin(admin_identity) = identity {
+        if needs_write_access && admin_identity.is_read_only() {
+            return Err(read_only_admin_key_error().into());
+        }
         Ok(admin_identity.principal().clone())
     } else {
         Err(bad_admin_key_error(identity.instance_name()).into())
     }
 }
 
+pub fn must_be_admin_member_with_write_access(identity: &Identity) -> anyhow::Result<MemberId> {
+    must_be_admin_member_internal(identity, true)
+}
+
 pub fn must_be_admin_member(identity: &Identity) -> anyhow::Result<MemberId> {
+    must_be_admin_member_internal(identity, false)
+}
+
+fn must_be_admin_member_internal(
+    identity: &Identity,
+    needs_write_access: bool,
+) -> anyhow::Result<MemberId> {
     if let Identity::InstanceAdmin(admin_identity) = identity {
         if let AdminIdentityPrincipal::Member(member_id) = admin_identity.principal() {
+            if needs_write_access && admin_identity.is_read_only() {
+                return Err(read_only_admin_key_error().into());
+            }
             Ok(*member_id)
         } else {
             Err(bad_admin_key_error(identity.instance_name()).into())
@@ -64,3 +114,10 @@ pub fn bad_admin_key_error(instance_name: Option<String>) -> ErrorMetadata {
     };
     ErrorMetadata::forbidden("BadDeployKey", msg)
 }
+
+pub fn read_only_admin_key_error() -> ErrorMetadata {
+    ErrorMetadata::forbidden(
+        "ReadOnlyAdminKey",
+        "You do not have permission to perform this operation.",
+    )
+}

crates/local_backend/src/dashboard.rs

@@ -29,7 +29,10 @@ use value::{
 };
 
 use crate::{
-    admin::must_be_admin_member,
+    admin::{
+        must_be_admin_member,
+        must_be_admin_member_with_write_access,
+    },
     authentication::ExtractIdentity,
     schema::IndexMetadataResponse,
     LocalAppState,
@@ -74,7 +77,7 @@ pub async fn delete_tables(
     ExtractIdentity(identity): ExtractIdentity,
     Json(DeleteTableArgs { table_names }): Json<DeleteTableArgs>,
 ) -> Result<impl IntoResponse, HttpResponseError> {
-    must_be_admin_member(&identity)?;
+    must_be_admin_member_with_write_access(&identity)?;
     let table_names = table_names
         .into_iter()
         .map(|t| Ok(t.parse::<ValidIdentifier<TableName>>()?.0))

crates/local_backend/src/deploy_config.rs

@@ -69,7 +69,10 @@ use sync_types::CanonicalizedModulePath;
 use value::ConvexObject;
 
 use crate::{
-    admin::must_be_admin_from_key,
+    admin::{
+        must_be_admin_from_key,
+        must_be_admin_with_write_access,
+    },
     parse::parse_module_path,
     EmptyResponse,
     LocalAppState,
@@ -381,6 +384,8 @@ pub async fn push_config_handler(
         .await
         .context("bad admin key error")?;
 
+    must_be_admin_with_write_access(&identity)?;
+
     let udf_server_version = Version::parse(&config.udf_server_version).context(
         ErrorMetadata::bad_request("InvalidVersion", "The function version is invalid"),
     )?;

crates/local_backend/src/deploy_config2.rs

@@ -109,7 +109,10 @@ use value::{
 };
 
 use crate::{
-    admin::must_be_admin_from_key,
+    admin::{
+        must_be_admin_from_key,
+        must_be_admin_from_key_with_write_access,
+    },
     deploy_config::{
         analyze_modules,
         ModuleJson,
@@ -356,7 +359,7 @@ pub async fn start_push_handler(
     st: &LocalAppState,
     request: StartPushRequest,
 ) -> anyhow::Result<StartPushResponse> {
-    let _identity = must_be_admin_from_key(
+    let _identity = must_be_admin_from_key_with_write_access(
         st.application.app_auth(),
         st.instance_name.clone(),
         request.admin_key.clone(),
@@ -716,7 +719,7 @@ async fn finish_push_handler(
     req: FinishPushRequest,
 ) -> anyhow::Result<FinishPushDiff> {
     let start_push = StartPushResponse::try_from(req.start_push)?;
-    let _identity = must_be_admin_from_key(
+    let _identity = must_be_admin_from_key_with_write_access(
         st.application.app_auth(),
         st.instance_name.clone(),
         req.admin_key.clone(),

crates/local_backend/src/environment_variables.rs

@@ -16,7 +16,7 @@ use model::environment_variables::types::{
 use serde::Deserialize;
 
 use crate::{
-    admin::must_be_admin,
+    admin::must_be_admin_with_write_access,
     authentication::ExtractIdentity,
     LocalAppState,
 };
@@ -56,7 +56,7 @@ pub async fn update_environment_variables(
     ExtractIdentity(identity): ExtractIdentity,
     Json(UpdateEnvVarsRequest { changes }): Json<UpdateEnvVarsRequest>,
 ) -> Result<impl IntoResponse, HttpResponseError> {
-    must_be_admin(&identity)?;
+    must_be_admin_with_write_access(&identity)?;
 
     let mut env_var_changes = vec![];
     for change in changes {