fix: optimised policy sync calls (#3038)

* optimised policy sync calls

* updated wire

* removed mmethod for removing duplicate filters

Author: kartik-579

api/user/UserAuthHandler.go

@@ -141,7 +141,8 @@ func (handler UserAuthHandlerImpl) AddDefaultPolicyAndRoles(w http.ResponseWrite
 	viewPolicies = strings.ReplaceAll(viewPolicies, "<ENV_OBJ>", envObj)
 	viewPolicies = strings.ReplaceAll(viewPolicies, "<APP_OBJ>", appObj)
 	//for START in Casbin Object Ends Here
-
+	//loading policy for safety
+	casbin.LoadPolicy()
 	var policiesAdmin bean.PolicyRequest
 	err := json.Unmarshal([]byte(adminPolicies), &policiesAdmin)
 	if err != nil {
@@ -171,7 +172,8 @@ func (handler UserAuthHandlerImpl) AddDefaultPolicyAndRoles(w http.ResponseWrite
 	}
 	handler.logger.Debugw("request payload, AddDefaultPolicyAndRoles", "policiesView", policiesView)
 	casbin.AddPolicy(policiesView.Data)
-
+	//loading policy for syncing orchestrator to casbin with newly added policies
+	casbin.LoadPolicy()
 	//Creating ROLES
 	roleAdmin := "{\n    \"role\": \"role:admin_<TEAM>_<ENV>_<APP>\",\n    \"casbinSubjects\": [\n        \"role:admin_<TEAM>_<ENV>_<APP>\"\n    ],\n    \"team\": \"<TEAM>\",\n    \"application\": \"<APP>\",\n    \"environment\": \"<ENV>\",\n    \"action\": \"*\"\n}"
 	roleTrigger := "{\n    \"role\": \"role:trigger_<TEAM>_<ENV>_<APP>\",\n    \"casbinSubjects\": [\n        \"role:trigger_<TEAM>_<ENV>_<APP>\"\n    ],\n    \"team\": \"<TEAM>\",\n    \"application\": \"<APP>\",\n    \"environment\": \"<ENV>\",\n    \"action\": \"trigger\"\n}"

pkg/user/RoleGroupService.go

@@ -81,6 +81,8 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 			return nil, err
 		}
 	} else {
+		//loading policy for safety
+		casbin2.LoadPolicy()
 		//create new user in our db on d basis of info got from google api or hex. assign a basic role
 		model := &repository2.RoleGroup{
 			Name:        request.Name,
@@ -106,7 +108,6 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 			return request, err
 		}
 		model.Id = model.Id
-
 		//Starts Role and Mapping
 		var policies []casbin2.Policy
 		for _, roleFilter := range request.RoleFilters {
@@ -204,6 +205,8 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 		if len(policies) > 0 {
 			pRes := casbin2.AddPolicy(policies)
 			println(pRes)
+			//loading policy for syncing orchestrator to casbin with newly added policies
+			casbin2.LoadPolicy()
 		}
 		//Ends
 	}
@@ -339,6 +342,9 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 		eliminatedRoles[item.RoleId] = item
 	}
 
+	//loading policy for safety
+	casbin2.LoadPolicy()
+
 	// DELETE PROCESS STARTS
 	var eliminatedPolicies []casbin2.Policy
 	items, err := impl.userCommonService.RemoveRolesAndReturnEliminatedPoliciesForGroups(request, existingRoles, eliminatedRoles, tx, token, managerAuth)
@@ -465,7 +471,9 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 	if len(policies) > 0 {
 		casbin2.AddPolicy(policies)
 	}
-
+	//loading policy for syncing orchestrator to casbin with newly added policies
+	//(not calling this method in above if condition because we are also removing policies in this update service)
+	casbin2.LoadPolicy()
 	err = tx.Commit()
 	if err != nil {
 		return nil, err

pkg/user/UserService.go

@@ -168,9 +168,14 @@ func (impl UserServiceImpl) SelfRegisterUserIfNotExists(userInfo *bean.UserInfo)
 		userInfo.Exist = dbUser.Active
 		userResponse = append(userResponse, &bean.UserInfo{Id: userInfo.Id, EmailId: emailId, Groups: userInfo.Groups, RoleFilters: userInfo.RoleFilters, SuperAdmin: userInfo.SuperAdmin})
 	}
+
 	if len(policies) > 0 {
+		//loading policy for safety
+		casbin2.LoadPolicy()
 		pRes := casbin2.AddPolicy(policies)
 		println(pRes)
+		//loading policy for syncing orchestrator to casbin with newly added policies
+		casbin2.LoadPolicy()
 	}
 	err = tx.Commit()
 	if err != nil {
@@ -218,6 +223,7 @@ func (impl UserServiceImpl) saveUser(userInfo *bean.UserInfo, emailId string) (*
 }
 
 func (impl UserServiceImpl) CreateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) ([]*bean.UserInfo, error) {
+
 	var pass []string
 	var userResponse []*bean.UserInfo
 	emailIds := strings.Split(userInfo.EmailId, ",")
@@ -317,7 +323,8 @@ func (impl UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, email
 		return nil, err
 	}
 	userInfo.Id = model.Id
-
+	//loading policy for safety
+	casbin2.LoadPolicy()
 	//Starts Role and Mapping
 	var policies []casbin2.Policy
 	if userInfo.SuperAdmin == false {
@@ -454,11 +461,12 @@ func (impl UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, email
 		println(pRes)
 	}
 	//Ends
-
 	err = tx.Commit()
 	if err != nil {
 		return nil, err
 	}
+	//loading policy for syncing orchestrator to casbin with newly added policies
+	casbin2.LoadPolicy()
 	return userInfo, nil
 }
 
@@ -653,7 +661,8 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 	restrictedGroups := []string{}
 	rolesChanged := false
 	groupsModified := false
-
+	//loading policy for safety
+	casbin2.LoadPolicy()
 	if userInfo.SuperAdmin == false {
 		//Starts Role and Mapping
 		userRoleModels, err := impl.userAuthRepository.GetUserRoleMappingByUserId(model.Id)
@@ -887,6 +896,8 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma
 	if err != nil {
 		return nil, false, false, nil, err
 	}
+	//loading policy for syncing orchestrator to casbin with newly added policies
+	casbin2.LoadPolicy()
 
 	return userInfo, rolesChanged, groupsModified, restrictedGroups, nil
 }
@@ -1320,6 +1331,8 @@ func (impl UserServiceImpl) SyncOrchestratorToCasbin() (bool, error) {
 	total := len(roles)
 	processed := 0
 	impl.logger.Infow("total roles found for sync", "len", total)
+	//loading policy for safety
+	casbin2.LoadPolicy()
 	for _, role := range roles {
 		if len(role.Team) > 0 {
 			flag, err := impl.userAuthRepository.SyncOrchestratorToCasbin(role.Team, role.EntityName, role.Environment, nil)
@@ -1333,6 +1346,8 @@ func (impl UserServiceImpl) SyncOrchestratorToCasbin() (bool, error) {
 		}
 		processed = processed + 1
 	}
+	//loading policy for syncing orchestrator to casbin with updated policies(if any)
+	casbin2.LoadPolicy()
 	impl.logger.Infow("total roles processed for sync", "len", processed)
 	return true, nil
 }

pkg/user/casbin/Adapter.go

@@ -77,7 +77,6 @@ func setEnforcerImpl(ref *EnforcerImpl) {
 
 func AddPolicy(policies []Policy) []Policy {
 	defer handlePanic()
-	LoadPolicy()
 	var failed = []Policy{}
 	emailIdList := map[string]struct{}{}
 	for _, p := range policies {
@@ -101,7 +100,6 @@ func AddPolicy(policies []Policy) []Policy {
 		}
 	}
 	if len(policies) != len(failed) {
-		LoadPolicy()
 		for emailId := range emailIdList {
 			enforcerImplRef.InvalidateCache(emailId)
 		}
@@ -138,7 +136,6 @@ func RemovePolicy(policies []Policy) []Policy {
 		}
 	}
 	if len(policies) != len(failed) {
-		LoadPolicy()
 		for emailId := range emailIdList {
 			enforcerImplRef.InvalidateCache(emailId)
 		}

pkg/user/repository/UserAuthRepository.go

@@ -1380,13 +1380,17 @@ func (impl UserAuthRepositoryImpl) UpdateDefaultPolicyByRoleType(newPolicy strin
 			deletedPolicyFinal.Data = append(deletedPolicyFinal.Data, deletedPolicyReq.Data...)
 		}
 	}
+	//loading policy for safety
+	casbin.LoadPolicy()
 	//updating all policies(for all roles) in casbin
 	if len(addedPolicyFinal.Data) > 0 {
 		casbin.AddPolicy(addedPolicyFinal.Data)
 	}
 	if len(deletedPolicyFinal.Data) > 0 {
 		casbin.RemovePolicy(deletedPolicyFinal.Data)
 	}
+	//loading policy for syncing orchestrator to casbin with newly added policies
+	casbin.LoadPolicy()
 	return nil
 }