From 5d03804e83e51bfd4e4e43b4b08c4dc2578e4862 Mon Sep 17 00:00:00 2001 From: kartik-579 Date: Fri, 24 Feb 2023 20:00:19 +0530 Subject: [PATCH 1/3] optimised policy sync calls --- api/user/UserAuthHandler.go | 6 +++-- pkg/user/RoleGroupService.go | 15 ++++++++++-- pkg/user/UserCommonService.go | 30 +++++++++++++++++++++++ pkg/user/UserService.go | 24 ++++++++++++++++-- pkg/user/casbin/Adapter.go | 3 --- pkg/user/repository/UserAuthRepository.go | 4 +++ 6 files changed, 73 insertions(+), 9 deletions(-) diff --git a/api/user/UserAuthHandler.go b/api/user/UserAuthHandler.go index 190512dacf..2a3559fbe4 100644 --- a/api/user/UserAuthHandler.go +++ b/api/user/UserAuthHandler.go @@ -141,7 +141,8 @@ func (handler UserAuthHandlerImpl) AddDefaultPolicyAndRoles(w http.ResponseWrite viewPolicies = strings.ReplaceAll(viewPolicies, "", envObj) viewPolicies = strings.ReplaceAll(viewPolicies, "", appObj) //for START in Casbin Object Ends Here - + //loading policy for safety + casbin.LoadPolicy() var policiesAdmin bean.PolicyRequest err := json.Unmarshal([]byte(adminPolicies), &policiesAdmin) if err != nil { @@ -171,7 +172,8 @@ func (handler UserAuthHandlerImpl) AddDefaultPolicyAndRoles(w http.ResponseWrite } handler.logger.Debugw("request payload, AddDefaultPolicyAndRoles", "policiesView", policiesView) casbin.AddPolicy(policiesView.Data) - + //loading policy for syncing orchestrator to casbin with newly added policies + casbin.LoadPolicy() //Creating ROLES roleAdmin := "{\n \"role\": \"role:admin___\",\n \"casbinSubjects\": [\n \"role:admin___\"\n ],\n \"team\": \"\",\n \"application\": \"\",\n \"environment\": \"\",\n \"action\": \"*\"\n}" roleTrigger := "{\n \"role\": \"role:trigger___\",\n \"casbinSubjects\": [\n \"role:trigger___\"\n ],\n \"team\": \"\",\n \"application\": \"\",\n \"environment\": \"\",\n \"action\": \"trigger\"\n}" diff --git a/pkg/user/RoleGroupService.go b/pkg/user/RoleGroupService.go index 0525468678..5345a69fa1 100644 --- a/pkg/user/RoleGroupService.go 
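Review bot: The `casbin.LoadPolicy()` added just before the `json.Unmarshal` of the admin policies reloads the whole policy set from the store on every call to AddDefaultPolicyAndRoles, and the same pre-add reload recurs in CreateRoleGroup, UpdateRoleGroup, SelfRegisterUserIfNotExists, createUserIfNotExists, UpdateUser, SyncOrchestratorToCasbin and UpdateDefaultPolicyByRoleType, so each operation now does two full reloads where the series title promises fewer. The comment `//loading policy for safety` does not say what the first reload protects against; if it exists so that AddPolicy sees rules written by another instance before it runs, state that, e.g. `// reload so AddPolicy runs against the current store, not a stale in-memory model`, otherwise drop it and keep only the reload after the add. If the wrapper returns an error it is discarded at both call sites; a failed reload should at least be logged, since the enforcer would then keep serving the old model. AddDefaultPolicyAndRoles starts and ends outside the hunk.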
+++ b/pkg/user/RoleGroupService.go @@ -81,6 +81,8 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean return nil, err } } else { + //loading policy for safety + casbin2.LoadPolicy() //create new user in our db on d basis of info got from google api or hex. assign a basic role model := &repository2.RoleGroup{ Name: request.Name, @@ -106,7 +108,7 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean return request, err } model.Id = model.Id - + request.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(request.RoleFilters) //Starts Role and Mapping var policies []casbin2.Policy for _, roleFilter := range request.RoleFilters { @@ -204,6 +206,8 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean if len(policies) > 0 { pRes := casbin2.AddPolicy(policies) println(pRes) + //loading policy for syncing orchestrator to casbin with newly added policies + casbin2.LoadPolicy() } //Ends } @@ -339,6 +343,11 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token eliminatedRoles[item.RoleId] = item } + //loading policy for safety + casbin2.LoadPolicy() + + //removing duplicate roleFilters + request.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(request.RoleFilters) // DELETE PROCESS STARTS var eliminatedPolicies []casbin2.Policy items, err := impl.userCommonService.RemoveRolesAndReturnEliminatedPoliciesForGroups(request, existingRoles, eliminatedRoles, tx, token, managerAuth) @@ -465,7 +474,9 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token if len(policies) > 0 { casbin2.AddPolicy(policies) } - + //loading policy for syncing orchestrator to casbin with newly added policies + //(not calling this method in above if condition because we are also removing policies in this update service) + casbin2.LoadPolicy() err = tx.Commit() if err != nil { return nil, err 
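Review bot: The final `casbin2.LoadPolicy()` in UpdateRoleGroup runs before `tx.Commit()`, whereas the same series places it after the commit in createUserIfNotExists (@@ -454) and UpdateUser (@@ -887); pick one order and use it in all three. If the commit fails, the enforcer already reflects the casbin adds and removes done earlier in this function, so neither placement repairs that, but reloading after a successful commit keeps the happy path uniform across the services. UpdateRoleGroup's body continues outside the hunk.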
diff --git a/pkg/user/UserCommonService.go b/pkg/user/UserCommonService.go index 471ec39f1e..4c7dd4df7c 100644 --- a/pkg/user/UserCommonService.go +++ b/pkg/user/UserCommonService.go @@ -16,6 +16,7 @@ type UserCommonService interface { RemoveRolesAndReturnEliminatedPolicies(userInfo *bean.UserInfo, existingRoleIds map[int]repository2.UserRoleModel, eliminatedRoleIds map[int]*repository2.UserRoleModel, tx *pg.Tx, token string, managerAuth func(resource, token, object string) bool) ([]casbin2.Policy, error) RemoveRolesAndReturnEliminatedPoliciesForGroups(request *bean.RoleGroup, existingRoles map[int]*repository2.RoleGroupRoleMapping, eliminatedRoles map[int]*repository2.RoleGroupRoleMapping, tx *pg.Tx, token string, managerAuth func(resource string, token string, object string) bool) ([]casbin2.Policy, error) CheckRbacForClusterEntity(cluster, namespace, group, kind, resource, token string, managerAuth func(resource, token, object string) bool) bool + RemoveDuplicateRoleFilters(inputFilters []bean.RoleFilter) []bean.RoleFilter } type UserCommonServiceImpl struct { 
@@ -363,3 +364,32 @@ func (impl UserCommonServiceImpl) CheckRbacForClusterEntity(cluster, namespace, } return true } + +func (impl UserCommonServiceImpl) RemoveDuplicateRoleFilters(inputFilters []bean.RoleFilter) []bean.RoleFilter { + var roleFilters []bean.RoleFilter + keysMap := make(map[string]bool) + //adding the same filters twice to remove duplicate ones + allRoleFilters := make([]bean.RoleFilter, len(inputFilters), 2*len(inputFilters)) + allRoleFilters = inputFilters + allRoleFilters = append(allRoleFilters, inputFilters...) + for _, role := range allRoleFilters { + key := fmt.Sprintf("%s-%s-%s-%s-%s-%s-%s-%s-%s-%s-%s", role.Entity, role.Team, role.Environment, + role.EntityName, role.Action, role.AccessType, role.Cluster, role.Namespace, role.Group, role.Kind, role.Resource) + if _, ok := keysMap[key]; !ok { + roleFilters = append(roleFilters, bean.RoleFilter{ + Entity: role.Entity, + Team: role.Team, + Environment: role.Environment, + EntityName: role.EntityName, + Action: role.Action, + AccessType: role.AccessType, + Cluster: role.Cluster, + Namespace: role.Namespace, + Group: role.Group, + Kind: role.Kind, + Resource: role.Resource, + }) + } + } + return roleFilters +} diff --git a/pkg/user/UserService.go b/pkg/user/UserService.go index 9e1a00161c..949e09879d 100644 --- a/pkg/user/UserService.go +++ b/pkg/user/UserService.go @@ -168,9 +168,14 @@ func (impl UserServiceImpl) SelfRegisterUserIfNotExists(userInfo *bean.UserInfo) userInfo.Exist = dbUser.Active userResponse = append(userResponse, &bean.UserInfo{Id: userInfo.Id, EmailId: emailId, Groups: userInfo.Groups, RoleFilters: userInfo.RoleFilters, SuperAdmin: userInfo.SuperAdmin}) } + if len(policies) > 0 { + //loading policy for safety + casbin2.LoadPolicy() pRes := casbin2.AddPolicy(policies) println(pRes) + //loading policy for syncing orchestrator to casbin with newly added policies + casbin2.LoadPolicy() } err = tx.Commit() if err != nil { 
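Review bot: `keysMap` is never written to, so `if _, ok := keysMap[key]; !ok` is true on every iteration and nothing is deduplicated; because the loop also walks `inputFilters` appended to itself, RemoveDuplicateRoleFilters returns every filter twice, which the callers added in CreateRoleGroup, UpdateRoleGroup, createUserIfNotExists and UpdateUser then turn into role mappings and policies. The `make` result is overwritten by `allRoleFilters = inputFilters` on the next line, and the `append` that follows can write past the caller's slice into its backing array when it has spare capacity. The fix is to iterate the input once, `for _, role := range inputFilters {`, and record each key inside the branch, `keysMap[key] = true`. The `-`-joined key also collides when a field value itself contains `-`; a separator that cannot occur in the fields, or the struct as the map key if all its fields are comparable, avoids that. PATCH 3/3 removes this method again, but the defects are worth knowing if it is reinstated.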
@@ -218,6 +223,7 @@ func (impl UserServiceImpl) saveUser(userInfo *bean.UserInfo, emailId string) (* } func (impl UserServiceImpl) CreateUser(userInfo *bean.UserInfo, token string, managerAuth func(resource, token string, object string) bool) ([]*bean.UserInfo, error) { + var pass []string var userResponse []*bean.UserInfo emailIds := strings.Split(userInfo.EmailId, ",") @@ -317,7 +323,10 @@ func (impl UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, email return nil, err } userInfo.Id = model.Id - + //loading policy for safety + casbin2.LoadPolicy() + //removing duplicate roleFilters + userInfo.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(userInfo.RoleFilters) //Starts Role and Mapping var policies []casbin2.Policy if userInfo.SuperAdmin == false { @@ -454,11 +463,12 @@ func (impl UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, email println(pRes) } //Ends - err = tx.Commit() if err != nil { return nil, err } + //loading policy for syncing orchestrator to casbin with newly added policies + casbin2.LoadPolicy() return userInfo, nil } @@ -653,6 +663,10 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma restrictedGroups := []string{} rolesChanged := false groupsModified := false + //loading policy for safety + casbin2.LoadPolicy() + //removing duplicate entries from input roleFilters + userInfo.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(userInfo.RoleFilters) if userInfo.SuperAdmin == false { //Starts Role and Mapping @@ -887,6 +901,8 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma if err != nil { return nil, false, false, nil, err } + //loading policy for syncing orchestrator to casbin with newly added policies + casbin2.LoadPolicy() return userInfo, rolesChanged, groupsModified, restrictedGroups, nil } 
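Review bot: `var pass []string` at the top of CreateUser is not referenced anywhere in the hunk; if it is not used further down the function (the body continues outside the hunk) the file will not compile because of the unused variable, and if it is, the name says nothing about what it holds. Either drop the declaration or declare it next to its first use with a descriptive name. The other hunks in this file only add policy reloads and the dedup call, so this looks like a leftover.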
@@ -1320,6 +1336,8 @@ func (impl UserServiceImpl) SyncOrchestratorToCasbin() (bool, error) { total := len(roles) processed := 0 impl.logger.Infow("total roles found for sync", "len", total) + //loading policy for safety + casbin2.LoadPolicy() for _, role := range roles { if len(role.Team) > 0 { flag, err := impl.userAuthRepository.SyncOrchestratorToCasbin(role.Team, role.EntityName, role.Environment, nil) @@ -1333,6 +1351,8 @@ func (impl UserServiceImpl) SyncOrchestratorToCasbin() (bool, error) { } processed = processed + 1 } + //loading policy for syncing orchestrator to casbin with updated policies(if any) + casbin2.LoadPolicy() impl.logger.Infow("total roles processed for sync", "len", processed) return true, nil } diff --git a/pkg/user/casbin/Adapter.go b/pkg/user/casbin/Adapter.go index e8e3603ef5..671c74b1eb 100644 --- a/pkg/user/casbin/Adapter.go +++ b/pkg/user/casbin/Adapter.go @@ -77,7 +77,6 @@ func setEnforcerImpl(ref *EnforcerImpl) { func AddPolicy(policies []Policy) []Policy { defer handlePanic() - LoadPolicy() var failed = []Policy{} emailIdList := map[string]struct{}{} for _, p := range policies { @@ -101,7 +100,6 @@ func AddPolicy(policies []Policy) []Policy { } } if len(policies) != len(failed) { - LoadPolicy() for emailId := range emailIdList { enforcerImplRef.InvalidateCache(emailId) } @@ -138,7 +136,6 @@ func RemovePolicy(policies []Policy) []Policy { } } if len(policies) != len(failed) { - LoadPolicy() for emailId := range emailIdList { enforcerImplRef.InvalidateCache(emailId) } diff --git a/pkg/user/repository/UserAuthRepository.go b/pkg/user/repository/UserAuthRepository.go index 2fb3d6d828..7219244c82 100644 --- a/pkg/user/repository/UserAuthRepository.go +++ b/pkg/user/repository/UserAuthRepository.go 
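Review bot: Removing `LoadPolicy()` from the top of AddPolicy here and from the `len(policies) != len(failed)` branches of AddPolicy (@@ -101) and RemovePolicy (@@ -138) moves the responsibility for refreshing the enforcer to every caller, and nothing in these functions states that contract. For RemovePolicy this is the security-relevant side: a caller not updated in this series that relied on the old behaviour keeps a revoked rule effective until some unrelated reload happens, assuming enforcement reads the in-memory model that LoadPolicy refreshes, as the old code implies. Either keep the reload in RemovePolicy, where staleness fails open, or add a doc comment on both exported functions, e.g. `// AddPolicy persists policies and invalidates the per-user cache; it no longer reloads the enforcer, so callers must call LoadPolicy() after their batch of Add/Remove calls.` The remaining `InvalidateCache` loop appears to clear only the per-email cache, so it does not substitute for the reload.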
@@ -1380,6 +1380,8 @@ func (impl UserAuthRepositoryImpl) UpdateDefaultPolicyByRoleType(newPolicy strin deletedPolicyFinal.Data = append(deletedPolicyFinal.Data, deletedPolicyReq.Data...) } } + //loading policy for safety + casbin.LoadPolicy() //updating all policies(for all roles) in casbin if len(addedPolicyFinal.Data) > 0 { casbin.AddPolicy(addedPolicyFinal.Data) @@ -1387,6 +1389,8 @@ func (impl UserAuthRepositoryImpl) UpdateDefaultPolicyByRoleType(newPolicy strin if len(deletedPolicyFinal.Data) > 0 { casbin.RemovePolicy(deletedPolicyFinal.Data) } + //loading policy for syncing orchestrator to casbin with newly added policies + casbin.LoadPolicy() return nil } From 18554b7b3877e034f30ffe44470f0747947e0ae8 Mon Sep 17 00:00:00 2001 From: kartik-579 Date: Fri, 24 Feb 2023 20:15:17 +0530 Subject: [PATCH 2/3] updated wire --- wire_gen.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wire_gen.go b/wire_gen.go index 39cc8779ff..fa68f6331f 100644 --- a/wire_gen.go +++ b/wire_gen.go @@ -1,7 +1,8 @@ // Code generated by Wire. DO NOT EDIT. //go:generate go run github.com/google/wire/cmd/wire -//+build !wireinject +//go:build !wireinject +// +build !wireinject package main From b689fa80169092818918af721d5d81447f3c3330 Mon Sep 17 00:00:00 2001 From: kartik-579 Date: Mon, 27 Feb 2023 16:50:10 +0530 Subject: [PATCH 3/3] removed mmethod for removing duplicate filters --- pkg/user/RoleGroupService.go | 3 --- pkg/user/UserCommonService.go | 30 ------------------------------ pkg/user/UserService.go | 5 ----- 3 files changed, 38 deletions(-) diff --git a/pkg/user/RoleGroupService.go b/pkg/user/RoleGroupService.go index 5345a69fa1..4770a92a9a 100644 --- a/pkg/user/RoleGroupService.go +++ b/pkg/user/RoleGroupService.go 
@@ -108,7 +108,6 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean return request, err } model.Id = model.Id - request.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(request.RoleFilters) //Starts Role and Mapping var policies []casbin2.Policy for _, roleFilter := range request.RoleFilters { @@ -346,8 +345,6 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token //loading policy for safety casbin2.LoadPolicy() - //removing duplicate roleFilters - request.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(request.RoleFilters) // DELETE PROCESS STARTS var eliminatedPolicies []casbin2.Policy items, err := impl.userCommonService.RemoveRolesAndReturnEliminatedPoliciesForGroups(request, existingRoles, eliminatedRoles, tx, token, managerAuth) diff --git a/pkg/user/UserCommonService.go b/pkg/user/UserCommonService.go index 4c7dd4df7c..471ec39f1e 100644 --- a/pkg/user/UserCommonService.go +++ b/pkg/user/UserCommonService.go @@ -16,7 +16,6 @@ type UserCommonService interface { RemoveRolesAndReturnEliminatedPolicies(userInfo *bean.UserInfo, existingRoleIds map[int]repository2.UserRoleModel, eliminatedRoleIds map[int]*repository2.UserRoleModel, tx *pg.Tx, token string, managerAuth func(resource, token, object string) bool) ([]casbin2.Policy, error) RemoveRolesAndReturnEliminatedPoliciesForGroups(request *bean.RoleGroup, existingRoles map[int]*repository2.RoleGroupRoleMapping, eliminatedRoles map[int]*repository2.RoleGroupRoleMapping, tx *pg.Tx, token string, managerAuth func(resource string, token string, object string) bool) ([]casbin2.Policy, error) CheckRbacForClusterEntity(cluster, namespace, group, kind, resource, token string, managerAuth func(resource, token, object string) bool) bool - RemoveDuplicateRoleFilters(inputFilters []bean.RoleFilter) []bean.RoleFilter } type UserCommonServiceImpl struct { 
@@ -364,32 +363,3 @@ func (impl UserCommonServiceImpl) CheckRbacForClusterEntity(cluster, namespace, } return true } - -func (impl UserCommonServiceImpl) RemoveDuplicateRoleFilters(inputFilters []bean.RoleFilter) []bean.RoleFilter { - var roleFilters []bean.RoleFilter - keysMap := make(map[string]bool) - //adding the same filters twice to remove duplicate ones - allRoleFilters := make([]bean.RoleFilter, len(inputFilters), 2*len(inputFilters)) - allRoleFilters = inputFilters - allRoleFilters = append(allRoleFilters, inputFilters...) - for _, role := range allRoleFilters { - key := fmt.Sprintf("%s-%s-%s-%s-%s-%s-%s-%s-%s-%s-%s", role.Entity, role.Team, role.Environment, - role.EntityName, role.Action, role.AccessType, role.Cluster, role.Namespace, role.Group, role.Kind, role.Resource) - if _, ok := keysMap[key]; !ok { - roleFilters = append(roleFilters, bean.RoleFilter{ - Entity: role.Entity, - Team: role.Team, - Environment: role.Environment, - EntityName: role.EntityName, - Action: role.Action, - AccessType: role.AccessType, - Cluster: role.Cluster, - Namespace: role.Namespace, - Group: role.Group, - Kind: role.Kind, - Resource: role.Resource, - }) - } - } - return roleFilters -} diff --git a/pkg/user/UserService.go b/pkg/user/UserService.go index 949e09879d..86ab196bd0 100644 --- a/pkg/user/UserService.go +++ b/pkg/user/UserService.go @@ -325,8 +325,6 @@ func (impl UserServiceImpl) createUserIfNotExists(userInfo *bean.UserInfo, email userInfo.Id = model.Id //loading policy for safety casbin2.LoadPolicy() - //removing duplicate roleFilters - userInfo.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(userInfo.RoleFilters) //Starts Role and Mapping var policies []casbin2.Policy if userInfo.SuperAdmin == false { 
@@ -665,9 +663,6 @@ func (impl UserServiceImpl) UpdateUser(userInfo *bean.UserInfo, token string, ma groupsModified := false //loading policy for safety casbin2.LoadPolicy() - //removing duplicate entries from input roleFilters - userInfo.RoleFilters = impl.userCommonService.RemoveDuplicateRoleFilters(userInfo.RoleFilters) - if userInfo.SuperAdmin == false { //Starts Role and Mapping userRoleModels, err := impl.userAuthRepository.GetUserRoleMappingByUserId(model.Id)