test: add YAML model tests for userAttributes shorthand in mask SQL

Add unit tests in yaml-schema.test.ts:
- userAttributes shorthand in mask sql compiles and resolves correctly
- user_attributes shorthand in mask sql compiles and resolves correctly
- groups shorthand in mask sql compiles and resolves correctly

Add YAML cube definition yaml_ua_mask_test in masking_test.yaml using
userAttributes shorthand in mask.sql with CASE WHEN expression.

Add smoke tests for the YAML-defined mask (SQL + REST, both non-Tesseract
and Tesseract).

Co-authored-by: Pavel Tiunov <pavel.tiunov@gmail.com>

Author: cursoragent

packages/cubejs-schema-compiler/test/unit/yaml-schema.test.ts

@@ -1,4 +1,5 @@
 import { prepareYamlCompiler } from './PrepareCompiler';
+import { PostgresQuery } from '../../src';
 
 describe('Yaml Schema Testing', () => {
   describe('Duplicate member detection', () => {
@@ -1114,4 +1115,122 @@ cubes:
       }
     });
   });
+
+  describe('Mask SQL with shorthand', () => {
+    it('userAttributes shorthand in mask sql should compile and resolve', async () => {
+      const compilers = prepareYamlCompiler(`
+cubes:
+  - name: orders
+    sql_table: public.orders
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+      - name: status
+        sql: status
+        type: string
+        mask:
+          sql: "CASE WHEN { userAttributes.hasStatusAccess } THEN {CUBE}.status ELSE '***' END"
+    measures:
+      - name: count
+        type: count
+    access_policy:
+      - role: "*"
+        member_level:
+          includes: []
+        member_masking:
+          includes: "*"
+      `);
+
+      await compilers.compiler.compile();
+
+      const dim = compilers.cubeEvaluator.cubeFromPath('orders').dimensions.status;
+      const maskSql = (dim as any).mask.sql.toString();
+      expect(maskSql).toContain('SECURITY_CONTEXT.cubeCloud.userAttributes.hasStatusAccess');
+      expect(maskSql).toContain('CUBE');
+      expect(maskSql).not.toMatch(/[^.}]userAttributes\.hasStatusAccess/);
+
+      const query = new PostgresQuery(
+        compilers,
+        {
+          measures: ['orders.count'],
+          dimensions: ['orders.status'],
+          maskedMembers: ['orders.status'],
+          contextSymbols: {
+            securityContext: { cubeCloud: { userAttributes: { hasStatusAccess: true } } }
+          }
+        }
+      );
+      const sql = query.buildSqlAndParams();
+      expect(sql[0]).toContain('"orders".status');
+      expect(sql[0]).toContain('CASE WHEN');
+    });
+
+    it('user_attributes shorthand in mask sql should compile and resolve', async () => {
+      const compilers = prepareYamlCompiler(`
+cubes:
+  - name: orders
+    sql_table: public.orders
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+      - name: status
+        sql: status
+        type: string
+        mask:
+          sql: "CASE WHEN { user_attributes.hasStatusAccess } THEN {CUBE}.status ELSE '***' END"
+    measures:
+      - name: count
+        type: count
+    access_policy:
+      - role: "*"
+        member_level:
+          includes: []
+        member_masking:
+          includes: "*"
+      `);
+
+      await compilers.compiler.compile();
+
+      const dim = compilers.cubeEvaluator.cubeFromPath('orders').dimensions.status;
+      const maskSql = (dim as any).mask.sql.toString();
+      expect(maskSql).toContain('SECURITY_CONTEXT.cubeCloud.userAttributes.hasStatusAccess');
+    });
+
+    it('groups shorthand in mask sql should compile and resolve', async () => {
+      const compilers = prepareYamlCompiler(`
+cubes:
+  - name: orders
+    sql_table: public.orders
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+      - name: secret
+        sql: price
+        type: number
+        mask:
+          sql: "CASE WHEN {CUBE}.product_id IN ({groups}) THEN {CUBE}.price ELSE -1 END"
+    measures:
+      - name: count
+        type: count
+    access_policy:
+      - role: "*"
+        member_level:
+          includes: []
+        member_masking:
+          includes: "*"
+      `);
+
+      await compilers.compiler.compile();
+
+      const dim = compilers.cubeEvaluator.cubeFromPath('orders').dimensions.secret;
+      const maskSql = (dim as any).mask.sql.toString();
+      expect(maskSql).toContain('SECURITY_CONTEXT.cubeCloud.groups');
+    });
+  });
 });

packages/cubejs-testing/birdbox-fixtures/rbac/model/cubes/masking_test.yaml

@@ -106,6 +106,32 @@ cubes:
         member_level:
           includes: []
 
+  - name: yaml_ua_mask_test
+    sql_table: public.line_items
+
+    dimensions:
+      - name: id
+        sql: id
+        type: number
+        primary_key: true
+
+      - name: masked_status
+        sql: product_id
+        type: number
+        mask:
+          sql: "CASE WHEN { userAttributes.tenantId } = '1' THEN {CUBE}.product_id ELSE -1 END"
+
+    measures:
+      - name: count
+        type: count
+
+    access_policy:
+      - role: "*"
+        member_level:
+          includes: []
+        member_masking:
+          includes: "*"
+
 views:
   # View with full access at view level - but cube masking still applies (RLS pattern)
   # Excludes members with {CUBE} references in SQL (secret_string, secret_boolean)

packages/cubejs-testing/test/smoke-rbac.test.ts

@@ -843,6 +843,18 @@ describe('Cube RBAC Engine', () => {
         expect(row.masked_product).toBeLessThan(0);
       }
     });
+
+    test('userAttributes shorthand in YAML mask sql', async () => {
+      const res = await connection.query(
+        'SELECT * FROM yaml_ua_mask_test LIMIT 5'
+      );
+      expect(res.rows.length).toBeGreaterThan(0);
+      for (const row of res.rows) {
+        // sc_test user has tenantId = '1', so the CASE WHEN evaluates to true
+        // and masked_status should be the actual product_id (positive)
+        expect(row.masked_status).toBeGreaterThan(0);
+      }
+    });
   });
 
   describe('SECURITY_CONTEXT.cubeCloud features via REST API', () => {
@@ -933,6 +945,19 @@ describe('Cube RBAC Engine', () => {
         expect(row['sc_cube_mask_test.masked_product']).toBeLessThan(0);
       }
     });
+
+    test('userAttributes shorthand in YAML mask sql via REST', async () => {
+      const result = await scClient.load({
+        measures: ['yaml_ua_mask_test.count'],
+        dimensions: ['yaml_ua_mask_test.masked_status'],
+      });
+      const rows = result.rawData();
+      expect(rows.length).toBeGreaterThan(0);
+      for (const row of rows) {
+        // sc_test user has tenantId = '1', so masked_status should be actual product_id
+        expect(row['yaml_ua_mask_test.masked_status']).toBeGreaterThan(0);
+      }
+    });
   });
 
   describe('RBAC via REST API', () => {
@@ -1097,6 +1122,16 @@ describe('Cube RBAC Engine [Tesseract]', () => {
         expect(row.masked_product).toBeLessThan(0);
       }
     });
+
+    test('userAttributes shorthand in YAML mask sql', async () => {
+      const res = await connection.query(
+        'SELECT * FROM yaml_ua_mask_test LIMIT 5'
+      );
+      expect(res.rows.length).toBeGreaterThan(0);
+      for (const row of res.rows) {
+        expect(row.masked_status).toBeGreaterThan(0);
+      }
+    });
   });
 
   describe('Shorthand and mask tests via REST API [Tesseract]', () => {
@@ -1148,6 +1183,18 @@ describe('Cube RBAC Engine [Tesseract]', () => {
         expect(row['sc_cube_mask_test.masked_product']).toBeLessThan(0);
       }
     });
+
+    test('userAttributes shorthand in YAML mask sql via REST', async () => {
+      const result = await scClient.load({
+        measures: ['yaml_ua_mask_test.count'],
+        dimensions: ['yaml_ua_mask_test.masked_status'],
+      });
+      const rows = result.rawData();
+      expect(rows.length).toBeGreaterThan(0);
+      for (const row of rows) {
+        expect(row['yaml_ua_mask_test.masked_status']).toBeGreaterThan(0);
+      }
+    });
   });
 });