codeant-ai-for-open-source[bot] commented on code in PR #40356: URL: https://github.com/apache/superset/pull/40356#discussion_r3326679158
########## superset/mcp_service/rls/tool/update_rls_filter.py: ########## @@ -0,0 +1,147 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging +from typing import Any + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.rls.schemas import ( + CreateRLSFilterResponse, + UpdateRLSFilterRequest, +) + +logger = logging.getLogger(__name__) + + +def _build_update_properties( + request: UpdateRLSFilterRequest, existing: Any +) -> dict[str, object]: + """Build the properties dict for UpdateRLSRuleCommand from a partial request. + + Omitted fields default to their current values from ``existing`` so the + caller only needs to specify what changed. + """ + set_fields = request.model_fields_set + properties: dict[str, object] = {} + + for field in ("name", "filter_type", "clause"): + value = getattr(request, field) + if field in set_fields and value is not None: + properties[field] = value + + for field in ("group_key", "description"): + if field in set_fields: + properties[field] = getattr(request, field) + + if "tables" in set_fields and request.tables is not None: + properties["tables"] = request.tables + else: + properties["tables"] = [t.id for t in getattr(existing, "tables", [])] + + if "roles" in set_fields and request.roles is not None: + properties["roles"] = request.roles + else: + properties["roles"] = [r.id for r in getattr(existing, "roles", [])] Review Comment: **Suggestion:** Sending `tables: null` or `roles: null` is treated as "omit field" and falls back to existing associations, even though the documented contract says omit to keep and `[]` to clear. This silently masks bad client payloads and can leave permissions unchanged when a caller expects a mutation. Treat explicit null as invalid input and return a validation error. [api mismatch] <details> <summary><b>Severity Level:</b> Major ⚠️</summary> ```mdx - ❌ update_rls_filter ignores null tables and roles updates. - ⚠️ RLS permissions via MCP can silently remain unchanged. ``` </details> <details> <summary><b>Steps of Reproduction ✅ </b></summary> ```mdx 1. Start the MCP server so `update_rls_filter` is registered (`superset/mcp_service/app.py:659-662`) and uses `UpdateRLSFilterRequest` (`superset/mcp_service/rls/schemas.py:110-123`) where `tables` and `roles` are typed as `list[int] | None` without `allow_none=False`-style constraints. 2. Create an RLS rule with associated tables and roles (via `RLSRestApi.post` in `superset/row_level_security/api.py:151-227` or `create_rls_filter` in `superset/mcp_service/rls/tool/create_rls_filter.py:42-93`) so that `RLSDAO.find_by_id` (`superset/daos/security.py:22-23`) returns an object with non-empty `tables` and `roles`. 3. From an MCP client, call `update_rls_filter` (`superset/mcp_service/rls/tool/update_rls_filter.py:76-88`) with a payload like `{"id": <id>, "tables": null}` or `{"id": <id>, "roles": null}`; Pydantic accepts JSON `null` into `UpdateRLSFilterRequest.tables` / `.roles` as `None`, while still marking the field as present in `request.model_fields_set`. 4. `_build_update_properties` (`update_rls_filter.py:53-61`) sees `"tables"` or `"roles"` in `set_fields` but, because `request.tables` / `request.roles` is `None`, falls into the `else` branches that copy the existing `tables` and `roles` (`[t.id for t in existing.tables]`, `[r.id for r in existing.roles]`), so `UpdateRLSRuleCommand` (`superset/commands/security/update.py:34-46`) runs and returns success while the invalid explicit `null` is treated as "keep existing", contrary to the documented contract in `update_rls_filter`'s docstring (`update_rls_filter.py:79-87`) and the REST `RLSPutSchema` which rejects null lists with `allow_none=False` (`superset/row_level_security/schemas.py:167-179`). ``` </details> [Fix in Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=fd6b2410715647d28541334a31a9c882&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) | [Fix in VSCode Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=fd6b2410715647d28541334a31a9c882&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) *(Use Cmd/Ctrl + Click for best experience)* <details> <summary><b>Prompt for AI Agent 🤖 </b></summary> ```mdx This is a comment left during a code review. **Path:** superset/mcp_service/rls/tool/update_rls_filter.py **Line:** 53:61 **Comment:** *Api Mismatch: Sending `tables: null` or `roles: null` is treated as "omit field" and falls back to existing associations, even though the documented contract says omit to keep and `[]` to clear. This silently masks bad client payloads and can leave permissions unchanged when a caller expects a mutation. Treat explicit null as invalid input and return a validation error. Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise. Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix ``` </details> <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40356&comment_hash=c7a42913e21f6333d51b35755a9f227298a5a71e1bf1ca17ba2ba9cdb6956fd1&reaction=like'>👍</a> | <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40356&comment_hash=c7a42913e21f6333d51b35755a9f227298a5a71e1bf1ca17ba2ba9cdb6956fd1&reaction=dislike'>👎</a> ########## superset/mcp_service/rls/schemas.py: ########## @@ -0,0 +1,138 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +""" +Pydantic schemas for RLS (row-level security) MCP tools. +""" + +from __future__ import annotations + +from typing import Literal + +from pydantic import BaseModel, ConfigDict, Field + + +class CreateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + name: str = Field(..., min_length=1, description="Name for the RLS filter rule.") + filter_type: Literal["Regular", "Base"] = Field( + ..., + description=( + 'Type of filter. "Regular" hides rows from the specified roles ' + 'unless the clause matches. "Base" shows only rows where the ' + "clause matches to the specified roles." + ), + ) + tables: list[int] = Field( + ..., + min_length=1, + description=( + "List of table IDs this filter applies to. Use list_datasets to find IDs." + ), + ) + roles: list[int] = Field( + ..., + description="List of role IDs that see this filter applied.", + ) + clause: str = Field( + ..., + min_length=1, + description=( + "SQL WHERE clause applied to matching tables (e.g. \"region = 'EMEA'\")." + ), + ) + group_key: str | None = Field( + None, + description="Optional group key for grouping related filters.", + ) + description: str | None = Field( + None, + description="Optional human-readable description of the filter.", + ) + + +class CreateRLSFilterResponse(BaseModel): + id: int | None = Field( + None, + description="RLS filter ID. None if the operation failed.", + ) + name: str | None = Field(None, description="Name of the RLS filter.") + filter_type: str | None = Field(None, description="Filter type: Regular or Base.") + clause: str | None = Field(None, description="SQL WHERE clause of the filter.") + tables: list[int] = Field( + default_factory=list, + description="Table IDs this filter applies to.", + ) + roles: list[int] = Field( + default_factory=list, + description="Role IDs affected by this filter.", + ) + group_key: str | None = Field(None, description="Group key for the filter.") + description: str | None = Field(None, description="Description of the filter.") + error: str | None = Field( + None, + description="Error message if the operation failed, otherwise null.", + ) + + +class UpdateRLSFilterRequest(BaseModel): + model_config = ConfigDict(populate_by_name=True) + + id: int = Field(..., description="ID of the RLS filter rule to update.") + name: str | None = Field( + None, + min_length=1, + description="New name for the RLS filter rule. Omit to keep existing.", + ) Review Comment: **Suggestion:** The request schema does not enforce the database length limit for `name` (255 chars). `RowLevelSecurityFilter.name` is a `String(255)`, so oversized input will pass Pydantic validation and then fail at commit time with a database error instead of a clean validation response. Add `max_length=255` for both create and update request `name` fields. [api mismatch] <details> <summary><b>Severity Level:</b> Major ⚠️</summary> ```mdx - ❌ MCP create_rls_filter fails on overlong RLS names. - ⚠️ RLS management via MCP returns late database errors. ``` </details> <details> <summary><b>Steps of Reproduction ✅ </b></summary> ```mdx 1. Start the MCP server so that `create_rls_filter` is registered via `superset/mcp_service/app.py:588-589` and imported at `superset/mcp_service/app.py:659-662` from `superset.mcp_service.rls.tool`. 2. From an MCP client with admin credentials, call `create_rls_filter` (`superset/mcp_service/rls/tool/create_rls_filter.py:42-45`) with a JSON body that includes a `name` longer than 255 characters (e.g., 300+ chars), along with valid `filter_type`, `tables`, `roles`, and `clause`. 3. The request is parsed into `CreateRLSFilterRequest` (`superset/mcp_service/rls/schemas.py:29-32`), where `name` only has `min_length=1` and no `max_length`, so Pydantic accepts the overlong string instead of raising a validation error. 4. `create_rls_filter` builds `properties` and calls `CreateRLSRuleCommand(properties).run()` (`superset/mcp_service/rls/tool/create_rls_filter.py:71-84`), which persists a `RowLevelSecurityFilter` whose `name` column is `String(255)` (`superset/connectors/sqla/models.py:10-13`); the oversized value causes a database error at commit time, surfacing as a late failure instead of a clean input validation error on the MCP tool. ``` </details> [Fix in Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=cd623d3d2c4c4eaa9cbcbd7b13147d29&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) | [Fix in VSCode Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=cd623d3d2c4c4eaa9cbcbd7b13147d29&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) *(Use Cmd/Ctrl + Click for best experience)* <details> <summary><b>Prompt for AI Agent 🤖 </b></summary> ```mdx This is a comment left during a code review. **Path:** superset/mcp_service/rls/schemas.py **Line:** 32:101 **Comment:** *Api Mismatch: The request schema does not enforce the database length limit for `name` (255 chars). `RowLevelSecurityFilter.name` is a `String(255)`, so oversized input will pass Pydantic validation and then fail at commit time with a database error instead of a clean validation response. Add `max_length=255` for both create and update request `name` fields. Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise. Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix ``` </details> <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40356&comment_hash=a2d9fc252f9c5dae4574e33f2f0b936910144e9d5ea78e9899f910672bba5746&reaction=like'>👍</a> | <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40356&comment_hash=a2d9fc252f9c5dae4574e33f2f0b936910144e9d5ea78e9899f910672bba5746&reaction=dislike'>👎</a> ########## superset/mcp_service/rls/tool/update_rls_filter.py: ########## @@ -0,0 +1,147 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +import logging +from typing import Any + +from fastmcp import Context +from superset_core.mcp.decorators import tool, ToolAnnotations + +from superset.extensions import event_logger +from superset.mcp_service.rls.schemas import ( + CreateRLSFilterResponse, + UpdateRLSFilterRequest, +) + +logger = logging.getLogger(__name__) + + +def _build_update_properties( + request: UpdateRLSFilterRequest, existing: Any +) -> dict[str, object]: + """Build the properties dict for UpdateRLSRuleCommand from a partial request. + + Omitted fields default to their current values from ``existing`` so the + caller only needs to specify what changed. + """ + set_fields = request.model_fields_set + properties: dict[str, object] = {} + + for field in ("name", "filter_type", "clause"): + value = getattr(request, field) + if field in set_fields and value is not None: + properties[field] = value Review Comment: **Suggestion:** Explicit `null` for scalar update fields (`name`, `filter_type`, `clause`) is silently ignored because the code only copies values when they are non-null. This creates an API contract bug where invalid client payloads are treated as successful no-ops. Reject explicit nulls in the request model (or raise a validation error when a field is in `model_fields_set` with `None`). [incorrect condition logic] <details> <summary><b>Severity Level:</b> Major ⚠️</summary> ```mdx - ❌ update_rls_filter silently ignores null name or clause. - ⚠️ MCP clients cannot detect rejected scalar updates. ``` </details> <details> <summary><b>Steps of Reproduction ✅ </b></summary> ```mdx 1. Ensure the MCP server is running so `update_rls_filter` is registered via `superset/mcp_service/app.py:659-662` and exposed as a FastMCP tool using `UpdateRLSFilterRequest` from `superset/mcp_service/rls/schemas.py:93-130`. 2. Create an initial RLS rule (via the existing REST API `RLSRestApi.post` in `superset/row_level_security/api.py:151-227` or via `create_rls_filter` in `superset/mcp_service/rls/tool/create_rls_filter.py:42-93`) so there is a rule with a known `id` to update. 3. From an MCP client, call `update_rls_filter` (`superset/mcp_service/rls/tool/update_rls_filter.py:76-88`) with a payload like `{"id": <id>, "name": null}` or `{"id": <id>, "clause": null}`; `UpdateRLSFilterRequest` defines these fields as `str | None` with `min_length` only (`schemas.py:97-101, 124-129`), so JSON `null` is accepted and recorded in `request.model_fields_set`. 4. `_build_update_properties` (`update_rls_filter.py:33-47`) iterates `("name", "filter_type", "clause")`, sees each field in `set_fields` but skips adding it to `properties` because `value is None`, so `UpdateRLSRuleCommand(request.id, properties).run()` (`update_rls_filter.py:107-110`) runs without any `name` or `clause` entry; the command updates other fields (if any) and returns success, silently treating the invalid explicit `null` as a no-op, unlike the REST `RLSPutSchema.name` which rejects nulls via `allow_none=False` and `Length(1, 255)` in `superset/row_level_security/schemas.py:147-153`. ``` </details> [Fix in Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=da75fe5e7d19439ea0335902ccc44f99&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) | [Fix in VSCode Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=da75fe5e7d19439ea0335902ccc44f99&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) *(Use Cmd/Ctrl + Click for best experience)* <details> <summary><b>Prompt for AI Agent 🤖 </b></summary> ```mdx This is a comment left during a code review. **Path:** superset/mcp_service/rls/tool/update_rls_filter.py **Line:** 44:47 **Comment:** *Incorrect Condition Logic: Explicit `null` for scalar update fields (`name`, `filter_type`, `clause`) is silently ignored because the code only copies values when they are non-null. This creates an API contract bug where invalid client payloads are treated as successful no-ops. Reject explicit nulls in the request model (or raise a validation error when a field is in `model_fields_set` with `None`). Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise. Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix ``` </details> <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40356&comment_hash=61512c93ef26a21c439f567d63b5c4807d9fe79abf1bba6beac623cd51d11a15&reaction=like'>👍</a> | <a href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40356&comment_hash=61512c93ef26a21c439f567d63b5c4807d9fe79abf1bba6beac623cd51d11a15&reaction=dislike'>👎</a> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
