feat(row-level-security): add base filter type and filter grouping

[villebro]

SUMMARY

This PR adds two new fields to Row Level Security Filters (RLS):

• Filter type: Currently RLS filters only apply additional where clauses if a user belongs to a role referenced by a RLS filter. This can cause leakage of sensitive data, as a person that doesn't satisfy any RLS filters will see all data (=no RLS filters applied). To fix this, a base filter type is added that can be used to apply a minimum filter that applies to all users. This is especially useful for cases where by default we don't want to show any rows if a user doesn't belong to any roles that have RLS filters attached to them. In this case we can set a base filter of 1 = 0, which will always be false.
• Group key: currently all RLS filters have to evaluate to true (=intersection). This can be problematic in cases where a user belongs to many roles that are exclusive: If, for instance, a person belongs to departments A and B and there is a RLS filter for both departments, the user won't see any rows, as the where clause will be department = 'A' AND department = 'B'. For these cases a group key department can be assigned to both RLS filters, after which they are ORed together (=union).

Example:

• We want all data in a table to be visible to the Admin role
• For regular users, we should only show 1 year of data
• For researchers, 10 years of data will be shown
• Data for domestic region is available to all users
• Data for foreign region is restricted to management only

RLS filters:

• Filter 1: type: Base, excluded roles: Admin, group key: "duration", clause: "date > now - 1 year"
• Filter 2: Type: Regular, roles: Research, group key: "duration", clause: "date > now - 10 year"
• Filter 3: Type: Base, excluded roles: Admin, group key: "region", clause: "region = 'domestic'"
• Filter 4: Type: Regular, roles: Management, group key: "region", clause: "region = 'foreign'"

This would render the following extra clauses:

• Admin user: None, i.e. all data would be visible
• No roles: (date > now - 1 year) AND (region = 'domestic')
• Research: (date > now - 1 year OR date > now - 10 year) AND (region = 'domestic')
• Management: (date > now - 1 year) AND (region = 'domestic' OR region = 'foreign')
• Management + Research: (date > now - 1 year OR date > now - 10 year) AND (region = 'domestic' OR region = 'foreign')

This change is backwards compatible, meaning that current filters will continue to function as before.

SCREENSHOTS

Add/Edit:

The custom list view. Note that Roles display "Not [Admin]" for base filters that apply to all except Admin and "All" when no roles have been excluded:

TEST PLAN

CI + new tests

ADDITIONAL INFORMATION

• Has associated issue:
• Changes UI
• Requires DB Migration.
• Confirm DB Migration upgrade and downgrade tested.
• Introduces new feature or API
• Removes existing feature or API

[villebro]

Thanks @bkyryliuk for the review, great comments!

[villebro]

@bkyryliuk this is ready for another round of review

[villebro]

For some reason mypy flags Type[RowLevelSecurityListWidget] as being incompatible with Type[SupersetListWidget] which is required for list_widget, despite RowLevelSecurityListWidget extending from SupersetListWidget. Either I'm missing something fundamental here, or mypy is just flagging a false positive.

[altef]

This looks like it adds power/flexibility to RLS without adding unnecessary complexity if you don't want that flexibility.
I can definitely see a use-case for it - seems really cool and I greatly appreciate that it doesn't break backwards compatibility