fix(sql lab): SQL Lab access restrictions not applied to default schema

[diegomedina248]

SUMMARY

The schema level restrictions are not working properly in SQL Lab, when the default schema is used. Some DB Engines allow users to execute a query without specifying the Schema, in which default Schema will be queried.

In the permission check, we're assigning the schema from two sources: the query itself, or if it's not present, the schema selected on the left hand side in SQL Lab.
It's the second scenario that's not properly checked, because, if the user has schema permission for the one selected, and if the query can be executed in the engine without specifying the schema explicitly, then the permission check will allow said execution, since there's a permission for the schema.

This PR alters the order of checks, so that we validate that the default schema actually contains the table we're trying to query, and then check the permission on said datasource.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

Before:

Screen.Recording.2022-06-06.at.17.31.02.mov

After:

Screen.Recording.2022-06-06.at.17.32.41.mov

TESTING INSTRUCTIONS

1. Create a new user role with the following permissions:

• can read on SavedQuery
• can write on SavedQuery
• can read on Database
• can read on Query
• can sqllab on Superset
• can sqllab history on Superset
• can sqllab viz on Superset
• can sql json on Superset
• can sqllab table viz on Superset
• can validate sql json on Superset
• can activate on TabStateView
• can get on TabStateView
• can put on TabStateView
• can delete query on TabStateView
• can post on TabStateView
• can delete on TabStateView
• menu access on SQL Lab
• menu access on SQL Editor
• schema access on [examples].[information_schema]

2. Create a new user and assign the above role to it.
3. Log in with that user.
4. Go to SQL Lab
5. Select examples as database and information_schema as schema

Execute these two queries:

select * from birth_names

select * from public.birth_names

Ensure both fail with a forbidden error.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[diegomedina248]

table._schema could be the one defined in the query itself, or the one selected on the left dropdown.
For that reason, we could be fetching the permission for a schema that does not contain the table, and validate the request (if the user has permission to that schema).
So, we invert the request order here, by querying all the datasources for the database/table combination, and then matching the schema. If there's a match, then we check the permission on that schema.

[codecov]

Codecov Report

Merging #20285 (2e63d50) into master (6b0bb80) will decrease coverage by 11.60%.
The diff coverage is 75.00%.

❗ Current head 2e63d50 differs from pull request most recent head 3c7ae32. Consider uploading reports for the commit 3c7ae32 to get more accurate results

@@             Coverage Diff             @@
##           master   #20285       +/-   ##
===========================================
- Coverage   66.83%   55.23%   -11.61%     
===========================================
  Files        1750     1750               
  Lines       65894    65899        +5     
  Branches     7017     7017               
===========================================
- Hits        44041    36399     -7642     
- Misses      20067    27714     +7647     
  Partials     1786     1786               

Flag	Coverage Δ
hive	53.96% <58.33%> (+0.01%)	⬆️
mysql	?
postgres	?
presto	53.82% <58.33%> (+0.01%)	⬆️
python	58.80% <75.00%> (-24.19%)	⬇️
sqlite	?
unit	51.03% <66.66%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
superset/security/manager.py	64.58% <75.00%> (-30.97%)	⬇️
superset/utils/dashboard_import_export.py	0.00% <0.00%> (-100.00%)	⬇️
superset/key_value/commands/update.py	0.00% <0.00%> (-88.89%)	⬇️
superset/key_value/commands/delete.py	0.00% <0.00%> (-85.30%)	⬇️
superset/key_value/commands/delete_expired.py	0.00% <0.00%> (-80.77%)	⬇️
superset/dashboards/commands/importers/v0.py	15.62% <0.00%> (-76.25%)	⬇️
superset/datasets/commands/update.py	25.30% <0.00%> (-68.68%)	⬇️
superset/datasets/commands/create.py	29.41% <0.00%> (-68.63%)	⬇️
superset/datasets/commands/importers/v0.py	24.03% <0.00%> (-67.45%)	⬇️
superset/reports/commands/execute.py	24.45% <0.00%> (-67.16%)	⬇️
... and 276 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6b0bb80...3c7ae32. Read the comment docs.

[eschutho]

I found test case where this won't work.

[eschutho]

@diegomedina248 I tested this out what I found is the way this reads now, if datasources is empty, i.e., there are no datasets created for this table, they will hit line 1074 and not get access to the schema.

[diegomedina248]

Good catch! I amended the PR to account for it.

[diegomedina248]

Though.. I think the same happens with the current code, unless I'm reading it wrong

[rusackas]

@eschutho if you wouldn't mind checking/accepting/amending the change requests, that would be much appreciated. Looks like this'll need a little rebase action as well :D

[eschutho]

I just checked with @yousoph on whether we should be fetching from the schema in the dropdown when not specified in the sql statement, which we're not doing.

[rusackas]

Fixed via #23356 I believe (hat tip to @eschutho for the reference)