feat: allow s3 file download/preview from inside apps

windmill-labs · Jan 2, 2025 · a13527d · a13527d
1 parent eeece84
commit a13527d
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 6 deletions.
diff --git a/backend/windmill-api/src/apps.rs b/backend/windmill-api/src/apps.rs
@@ -10,6 +10,7 @@ use std::{collections::HashMap, sync::Arc};
 
 use crate::{
     db::{ApiAuthed, DB},
+    job_helpers_ee::{download_s3_file_internal, DownloadFileQuery},
     resources::get_resource_value_interpolated_internal,
     users::{require_owner_of_path, OptAuthed},
     utils::WithStarredInfoQuery,
@@ -27,7 +28,7 @@ use crate::{
 };
 use axum::{
     extract::{Extension, Json, Path, Query},
-    response::IntoResponse,
+    response::{IntoResponse, Response},
     routing::{delete, get, post},
     Router,
 };
@@ -92,6 +93,7 @@ pub fn unauthed_service() -> Router {
     Router::new()
         .route("/execute_component/*path", post(execute_component))
         .route("/upload_s3_file/*path", post(upload_s3_file_from_app))
+        .route("/download_s3_file/*path", get(download_s3_file_from_app))
         .route("/public_app/:secret", get(get_public_app_by_secret))
         .route("/public_resource/*path", get(get_public_resource))
 }
@@ -1678,6 +1680,65 @@ async fn upload_s3_file_from_app(
     return Ok(Json(UploadFileResponse { file_key }));
 }
 
+#[cfg(not(feature = "parquet"))]
+async fn download_s3_file_from_app() -> Result<()> {
+    return Err(Error::BadRequest(
+        "This endpoint requires the parquet feature to be enabled".to_string(),
+    ));
+}
+
+#[cfg(feature = "parquet")]
+async fn download_s3_file_from_app(
+    OptAuthed(opt_authed): OptAuthed,
+    Extension(db): Extension<DB>,
+    Path((w_id, path)): Path<(String, StripPath)>,
+    Query(query): Query<DownloadFileQuery>,
+) -> Result<Response> {
+    let path = path.to_path();
+
+    let policy_o = sqlx::query_scalar!(
+        "SELECT policy from app WHERE path = $1 AND workspace_id = $2",
+        path,
+        w_id
+    )
+    .fetch_optional(&db)
+    .await?;
+
+    let policy = policy_o
+        .map(|p| serde_json::from_value::<Policy>(p).map_err(to_anyhow))
+        .transpose()?
+        .unwrap_or_else(|| Policy {
+            execution_mode: ExecutionMode::Viewer,
+            triggerables: None,
+            triggerables_v2: None,
+            on_behalf_of: None,
+            on_behalf_of_email: None,
+            s3_inputs: None,
+        });
+
+    let (username, permissioned_as, email) =
+        get_on_behalf_details_from_policy_and_authed(&policy, &opt_authed).await?;
+
+    let on_behalf_authed =
+        fetch_api_authed_from_permissioned_as(permissioned_as, email, &w_id, &db, Some(username))
+            .await?;
+
+    let allowed = sqlx::query_scalar!(
+            r#"SELECT EXISTS (SELECT 1 FROM completed_job WHERE result @> ('{"s3":"' || $1 ||  '"}')::jsonb AND workspace_id = $2 AND script_path LIKE $3 || '/%' AND (job_kind = 'appscript' OR job_kind = 'preview'))"#,
+            query.file_key,
+            w_id,
+            path,
+        ).fetch_one(&db)
+        .await?
+        .unwrap_or(false);
+
+    if !allowed {
+        return Err(Error::BadRequest("File restricted".to_string()));
+    }
+
+    download_s3_file_internal(on_behalf_authed, &db, None, "", &w_id, query).await
+}
+
 fn get_on_behalf_of(policy: &Policy) -> Result<(String, String)> {
     let permissioned_as = policy
         .on_behalf_of

diff --git a/frontend/src/lib/components/DisplayResult.svelte b/frontend/src/lib/components/DisplayResult.svelte
@@ -47,6 +47,7 @@
 	export let drawerOpen = false
 	export let nodeId: string | undefined = undefined
 	export let language: string | undefined = undefined
+	export let appPath: string | undefined = undefined
 
 	const IMG_MAX_SIZE = 10000000
 	const TABLE_MAX_SIZE = 5000000
@@ -645,7 +646,7 @@
 									>
 								</button>
 							{:else if !result?.disable_download}
-								<FileDownload {workspaceId} s3object={result} />
+								<FileDownload {workspaceId} s3object={result} {appPath} />
 								<button
 									class="text-secondary underline text-2xs whitespace-nowrap"
 									on:click={() => {

diff --git a/frontend/src/lib/components/apps/components/display/AppDisplayComponent.svelte b/frontend/src/lib/components/apps/components/display/AppDisplayComponent.svelte
@@ -24,7 +24,7 @@
 	export let configuration: RichConfigurations
 
 	const requireHtmlApproval = getContext<boolean | undefined>(IS_APP_PUBLIC_CONTEXT_KEY)
-	const { app, worldStore, componentControl, workspace } =
+	const { app, worldStore, componentControl, workspace, appPath } =
 		getContext<AppViewerContext>('AppViewerContext')
 
 	let result: any = undefined
@@ -96,6 +96,7 @@
 				{result}
 				{requireHtmlApproval}
 				disableExpand={resolvedConfig?.hideDetails}
+				appPath={$appPath}
 			/>
 		</div>
 	</div>

diff --git a/frontend/src/lib/components/common/fileDownload/FileDownload.svelte b/frontend/src/lib/components/common/fileDownload/FileDownload.svelte
@@ -5,16 +5,17 @@
 
 	export let s3object: any
 	export let workspaceId: string | undefined = undefined
+	export let appPath: string | undefined = undefined
 </script>
 
 <a
 	class="relative center-center flex w-full text-center font-normal text-tertiary text-sm
 border border-dashed border-gray-400 hover:border-blue-500
 focus-within:border-blue-500 hover:bg-blue-50 dark:hover:bg-frost-900 focus-within:bg-blue-50
 duration-200 rounded-lg p-1 gap-2"
-	href={`${base}/api/w/${workspaceId ?? $workspaceStore}/job_helpers/download_s3_file?file_key=${
-		s3object?.s3
-	}${s3object?.storage ? `&storage=${s3object.storage}` : ''}`}
+	href={`${base}/api/w/${workspaceId ?? $workspaceStore}${
+		appPath ? `/apps_u/download_s3_file/${appPath}` : '/job_helpers/download_s3_file'
+	}?file_key=${s3object?.s3}${s3object?.storage ? `&storage=${s3object.storage}` : ''}`}
 	download={s3object?.s3.split('/').pop() ?? 'unnamed_download.file'}
 >
 	<Download />