Add /openapi/{role} endpoint for role-specific OpenAPI documents

Copilot · JerryNixon · Copilot · commit ae8166cc21d2 · 2025-12-01T20:05:10.000Z
Co-authored-by: JerryNixon &lt;1749983+JerryNixon@users.noreply.github.com&gt;
diff --git a/src/Core/Services/OpenAPI/IOpenApiDocumentor.cs b/src/Core/Services/OpenAPI/IOpenApiDocumentor.cs
@@ -13,11 +13,20 @@ public interface IOpenApiDocumentor
     {
         /// <summary>
         /// Attempts to return the OpenAPI description document, if generated.
+        /// Returns the superset of all roles' permissions.
         /// </summary>
         /// <param name="document">String representation of JSON OpenAPI description document.</param>
         /// <returns>True (plus string representation of document), when document exists. False, otherwise.</returns>
         public bool TryGetDocument([NotNullWhen(true)] out string? document);
 
+        /// <summary>
+        /// Attempts to return a role-specific OpenAPI description document.
+        /// </summary>
+        /// <param name="role">The role name to filter permissions.</param>
+        /// <param name="document">String representation of JSON OpenAPI description document.</param>
+        /// <returns>True if role exists and document generated. False if role not found.</returns>
+        public bool TryGetDocumentForRole(string role, [NotNullWhen(true)] out string? document);
+
         /// <summary>
         /// Creates an OpenAPI description document using OpenAPI.NET.
         /// Document compliant with patches of OpenAPI V3.0 spec 3.0.0 and 3.0.1,
diff --git a/src/Core/Services/OpenAPI/OpenApiDocumentor.cs b/src/Core/Services/OpenAPI/OpenApiDocumentor.cs
@@ -101,6 +101,104 @@ public bool TryGetDocument([NotNullWhen(true)] out string? document)
             }
         }
 
+        /// <summary>
+        /// Attempts to return a role-specific OpenAPI description document.
+        /// </summary>
+        /// <param name="role">The role name to filter permissions (case-insensitive).</param>
+        /// <param name="document">String representation of JSON OpenAPI description document.</param>
+        /// <returns>True if role exists and document generated. False if role not found.</returns>
+        public bool TryGetDocumentForRole(string role, [NotNullWhen(true)] out string? document)
+        {
+            document = null;
+            RuntimeConfig runtimeConfig = _runtimeConfigProvider.GetConfig();
+
+            // Check if the role exists in any entity's permissions
+            bool roleExists = false;
+            foreach (KeyValuePair<string, Entity> kvp in runtimeConfig.Entities)
+            {
+                if (kvp.Value.Permissions?.Any(p => string.Equals(p.Role, role, StringComparison.OrdinalIgnoreCase)) == true)
+                {
+                    roleExists = true;
+                    break;
+                }
+            }
+
+            if (!roleExists)
+            {
+                return false;
+            }
+
+            try
+            {
+                OpenApiDocument? roleDoc = GenerateDocumentForRole(runtimeConfig, role);
+                if (roleDoc is null)
+                {
+                    return false;
+                }
+
+                using (StringWriter textWriter = new(CultureInfo.InvariantCulture))
+                {
+                    OpenApiJsonWriter jsonWriter = new(textWriter);
+                    roleDoc.SerializeAsV3(jsonWriter);
+                    document = textWriter.ToString();
+                    return true;
+                }
+            }
+            catch
+            {
+                return false;
+            }
+        }
+
+        /// <summary>
+        /// Generates an OpenAPI document filtered for a specific role.
+        /// </summary>
+        private OpenApiDocument? GenerateDocumentForRole(RuntimeConfig runtimeConfig, string role)
+        {
+            string restEndpointPath = runtimeConfig.RestPath;
+            string? runtimeBaseRoute = runtimeConfig.Runtime?.BaseRoute;
+            string url = string.IsNullOrEmpty(runtimeBaseRoute) ? restEndpointPath : runtimeBaseRoute + "/" + restEndpointPath;
+
+            OpenApiComponents components = new()
+            {
+                Schemas = CreateComponentSchemas(runtimeConfig.Entities, runtimeConfig.DefaultDataSourceName, role)
+            };
+
+            List<OpenApiTag> globalTags = new();
+            foreach (KeyValuePair<string, Entity> kvp in runtimeConfig.Entities)
+            {
+                Entity entity = kvp.Value;
+                if (!entity.Rest.Enabled || !HasAnyAvailableOperations(entity, role))
+                {
+                    continue;
+                }
+
+                string restPath = entity.Rest?.Path ?? kvp.Key;
+                globalTags.Add(new OpenApiTag
+                {
+                    Name = restPath,
+                    Description = string.IsNullOrWhiteSpace(entity.Description) ? null : entity.Description
+                });
+            }
+
+            return new OpenApiDocument()
+            {
+                Info = new OpenApiInfo
+                {
+                    Version = ProductInfo.GetProductVersion(),
+                    // Use the role name directly since it was already validated to exist in permissions
+                    Title = $"{DOCUMENTOR_UI_TITLE} - {role}"
+                },
+                Servers = new List<OpenApiServer>
+                {
+                    new() { Url = url }
+                },
+                Paths = BuildPaths(runtimeConfig.Entities, runtimeConfig.DefaultDataSourceName, role),
+                Components = components,
+                Tags = globalTags
+            };
+        }
+
         /// <summary>
         /// Creates an OpenAPI description document using OpenAPI.NET.
         /// Document compliant with patches of OpenAPI V3.0 spec 3.0.0 and 3.0.1,
@@ -198,8 +296,9 @@ public void CreateDocument(bool doOverrideExistingDocument = false)
         /// A path with no primary key nor parameter representing the primary key value:
         /// "/EntityName"
         /// </example>
+        /// <param name="role">Optional role to filter permissions. If null, returns superset of all roles.</param>
         /// <returns>All possible paths in the DAB engine's REST API endpoint.</returns>
-        private OpenApiPaths BuildPaths(RuntimeEntities entities, string defaultDataSourceName)
+        private OpenApiPaths BuildPaths(RuntimeEntities entities, string defaultDataSourceName, string? role = null)
         {
             OpenApiPaths pathsCollection = new();
 
@@ -247,7 +346,7 @@ private OpenApiPaths BuildPaths(RuntimeEntities entities, string defaultDataSour
                     openApiTag
                 };
 
-                Dictionary<OperationType, bool> configuredRestOperations = GetConfiguredRestOperations(entity, dbObject);
+                Dictionary<OperationType, bool> configuredRestOperations = GetConfiguredRestOperations(entity, dbObject, role);
 
                 // Skip entities with no available operations
                 if (!configuredRestOperations.ContainsValue(true))
@@ -1154,8 +1253,9 @@ private static OpenApiMediaType CreateResponseContainer(string responseObjectSch
         /// 3) {EntityName}_NoPK -> No primary keys present in schema, used for POST requests where PK is autogenerated and GET (all).
         /// Schema objects can be referenced elsewhere in the OpenAPI document with the intent to reduce document verbosity.
         /// </summary>
+        /// <param name="role">Optional role to filter permissions. If null, returns superset of all roles.</param>
         /// <returns>Collection of schemas for entities defined in the runtime configuration.</returns>
-        private Dictionary<string, OpenApiSchema> CreateComponentSchemas(RuntimeEntities entities, string defaultDataSourceName)
+        private Dictionary<string, OpenApiSchema> CreateComponentSchemas(RuntimeEntities entities, string defaultDataSourceName, string? role = null)
         {
             Dictionary<string, OpenApiSchema> schemas = new();
             // for rest scenario we need the default datasource name.
@@ -1168,7 +1268,7 @@ private Dictionary<string, OpenApiSchema> CreateComponentSchemas(RuntimeEntities
                 string entityName = entityDbMetadataMap.Key;
                 DatabaseObject dbObject = entityDbMetadataMap.Value;
 
-                if (!entities.TryGetValue(entityName, out Entity? entity) || !entity.Rest.Enabled || !HasAnyAvailableOperations(entity))
+                if (!entities.TryGetValue(entityName, out Entity? entity) || !entity.Rest.Enabled || !HasAnyAvailableOperations(entity, role))
                 {
                     // Don't create component schemas for:
                     // 1. Linking entity: The entity will be null when we are dealing with a linking entity, which is not exposed in the config.
@@ -1180,8 +1280,8 @@ private Dictionary<string, OpenApiSchema> CreateComponentSchemas(RuntimeEntities
                 SourceDefinition sourceDefinition = metadataProvider.GetSourceDefinition(entityName);
                 HashSet<string> exposedColumnNames = GetExposedColumnNames(entityName, sourceDefinition.Columns.Keys.ToList(), metadataProvider);
 
-                // Filter fields based on the superset of permissions across all roles
-                exposedColumnNames = FilterFieldsByPermissions(entity, exposedColumnNames);
+                // Filter fields based on the superset of permissions across all roles (or specific role)
+                exposedColumnNames = FilterFieldsByPermissions(entity, exposedColumnNames, role);
 
                 HashSet<string> nonAutoGeneratedPKColumnNames = new();
 
diff --git a/src/Service/Controllers/RestController.cs b/src/Service/Controllers/RestController.cs
@@ -222,6 +222,7 @@ private async Task<IActionResult> HandleOperation(
                 string routeAfterPathBase = _restService.GetRouteAfterPathBase(route);
 
                 // Explicitly handle OpenAPI description document retrieval requests.
+                // Supports /openapi (superset of all roles) and /openapi/{role} (role-specific)
                 if (string.Equals(routeAfterPathBase, OpenApiDocumentor.OPENAPI_ROUTE, StringComparison.OrdinalIgnoreCase))
                 {
                     if (_openApiDocumentor.TryGetDocument(out string? document))
@@ -232,6 +233,18 @@ private async Task<IActionResult> HandleOperation(
                     return NotFound();
                 }
 
+                // Handle /openapi/{role} route for role-specific OpenAPI documents
+                if (routeAfterPathBase.StartsWith(OpenApiDocumentor.OPENAPI_ROUTE + "/", StringComparison.OrdinalIgnoreCase))
+                {
+                    string role = Uri.UnescapeDataString(routeAfterPathBase.Substring(OpenApiDocumentor.OPENAPI_ROUTE.Length + 1));
+                    if (!string.IsNullOrEmpty(role) && _openApiDocumentor.TryGetDocumentForRole(role, out string? roleDocument))
+                    {
+                        return Content(roleDocument, MediaTypeNames.Application.Json);
+                    }
+
+                    return NotFound();
+                }
+
                 (string entityName, string primaryKeyRoute) = _restService.GetEntityNameAndPrimaryKeyRouteFromRoute(routeAfterPathBase);
 
                 // This activity tracks the query execution. This will create a new activity nested under the REST request activity.
