Remove IPRulesEnforcer.Check's skipCache parameter in favor of explicit cache invalidation

Author: iain-macdonald

enterprise/server/ip_rules_enforcer/ip_rules_enforcer.go

@@ -36,7 +36,8 @@ const (
 
 // An abstraction for retrieving IP rules from a source of truth.
 type ipRulesProvider interface {
-	get(ctx context.Context, groupID string, skipCache bool) ([]*ipRule, error)
+	get(ctx context.Context, groupID string) ([]*ipRule, error)
+	remove(ctx context.Context, groupID string)
 	startRefresher(env environment.Env) error
 }
 
@@ -59,9 +60,9 @@ func newIPRulesProvider(db interfaces.DBHandle) (ipRulesProvider, error) {
 	return &dbIPRulesProvider{db: db, cache: cache}, nil
 }
 
-func (p *dbIPRulesProvider) get(ctx context.Context, groupID string, skipCache bool) ([]*ipRule, error) {
+func (p *dbIPRulesProvider) get(ctx context.Context, groupID string) ([]*ipRule, error) {
 	allowed, ok := p.cache.Get(groupID)
-	if ok && !skipCache {
+	if ok {
 		return allowed, nil
 	}
 
@@ -73,6 +74,10 @@ func (p *dbIPRulesProvider) get(ctx context.Context, groupID string, skipCache b
 	return allowed, nil
 }
 
+func (p *dbIPRulesProvider) remove(ctx context.Context, groupID string) {
+	p.cache.Remove(groupID)
+}
+
 func (p *dbIPRulesProvider) refresh(ctx context.Context, groupID string) error {
 	allowed, err := p.loadParsedRulesFromDB(ctx, groupID)
 	if err != nil {
@@ -160,6 +165,7 @@ func (p *dbIPRulesProvider) loadParsedRulesFromDB(ctx context.Context, groupID s
 
 type ipRuleCache interface {
 	Add(groupID string, allowed []*ipRule) bool
+	Remove(groupID string) bool
 	Get(groupID string) ([]*ipRule, bool)
 }
 
@@ -170,6 +176,10 @@ func (c *noopIpRuleCache) Add(groupID string, allowed []*ipRule) bool {
 	return false
 }
 
+func (c *noopIpRuleCache) Remove(groupID string) bool {
+	return false
+}
+
 func (c *noopIpRuleCache) Get(groupID string) ([]*ipRule, bool) {
 	return nil, false
 }
@@ -206,7 +216,10 @@ func (n *NoOpEnforcer) AuthorizeHTTPRequest(ctx context.Context, r *http.Request
 	return nil
 }
 
-func (n *NoOpEnforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
+func (s *NoOpEnforcer) InvalidateCachedRules(ctx context.Context, groupID string) {
+}
+
+func (n *NoOpEnforcer) Check(ctx context.Context, groupID string, skipRuleID string) error {
 	return nil
 }
 
@@ -235,15 +248,19 @@ func Register(env *real_environment.RealEnv) error {
 	return nil
 }
 
-func (s *Enforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
+func (s *Enforcer) InvalidateCachedRules(ctx context.Context, groupID string) {
+	s.rulesProvider.remove(ctx, groupID)
+}
+
+func (s *Enforcer) Check(ctx context.Context, groupID string, skipRuleID string) error {
 	rawClientIP := clientip.Get(ctx)
 	clientIP := net.ParseIP(rawClientIP)
 	// Client IP is not parsable.
 	if clientIP == nil {
 		return status.FailedPreconditionErrorf("client IP %q is not valid", rawClientIP)
 	}
 
-	allowed, err := s.rulesProvider.get(ctx, groupID, skipCache)
+	allowed, err := s.rulesProvider.get(ctx, groupID)
 	if err != nil {
 		return err
 	}
@@ -262,7 +279,7 @@ func (s *Enforcer) Check(ctx context.Context, groupID string, skipCache bool, sk
 
 func (s *Enforcer) authorize(ctx context.Context, groupID string) error {
 	start := time.Now()
-	err := s.Check(ctx, groupID, false /*=skipCache*/, "" /*skipRuleID*/)
+	err := s.Check(ctx, groupID, "" /*skipRuleID*/)
 	metrics.IPRulesCheckLatencyUsec.With(
 		prometheus.Labels{metrics.StatusHumanReadableLabel: status.MetricsLabel(err)},
 	).Observe(float64(time.Since(start).Microseconds()))

enterprise/server/ip_rules_enforcer/ip_rules_enforcer_test.go

@@ -137,7 +137,7 @@ func TestNoOpEnforcer(t *testing.T) {
 	require.NoError(t, enforcer.Authorize(context.Background()))
 	require.NoError(t, enforcer.AuthorizeGroup(context.Background(), "G1"))
 	require.NoError(t, enforcer.AuthorizeHTTPRequest(context.Background(), httptest.NewRequest("GET", "/rpc/BuildBuddyService/GetUser", nil)))
-	require.NoError(t, enforcer.Check(context.Background(), "G1", true, ""))
+	require.NoError(t, enforcer.Check(context.Background(), "G1", ""))
 }
 
 func TestAuthorizeAndAuthorizeGroup_EnforcementNotEnabled(t *testing.T) {
@@ -211,10 +211,10 @@ func TestCheckSkipRuleID(t *testing.T) {
 	ruleID := insertRule(t, env, groupID, "1.2.3.4/32", "rule1")
 	ctx := context.WithValue(context.Background(), clientip.ContextKey, "1.2.3.4")
 
-	err := irs.Check(ctx, groupID, true /* skipCache */, "" /* skipRuleID */)
+	err := irs.Check(ctx, groupID, "" /* skipRuleID */)
 	require.NoError(t, err)
 
-	err = irs.Check(ctx, groupID, true /* skipCache */, ruleID)
+	err = irs.Check(ctx, groupID, ruleID)
 	require.Error(t, err)
 	require.True(t, status.IsPermissionDeniedError(err))
 }
@@ -278,17 +278,17 @@ func TestRefresherStopsOnShutdown(t *testing.T) {
 
 	insertRule(t, env, groupID, "1.2.3.4/32", "rule1")
 	ctx1 := context.WithValue(context.Background(), clientip.ContextKey, "1.2.3.4")
-	require.NoError(t, irs.Check(ctx1, groupID, false /*=skipCache*/, "" /*=skipRuleID*/))
+	require.NoError(t, irs.Check(ctx1, groupID, "" /*=skipRuleID*/))
 
 	insertRule(t, env, groupID, "4.5.6.7/32", "rule2")
 	ctx2 := context.WithValue(context.Background(), clientip.ContextKey, "4.5.6.7")
-	err = irs.Check(ctx2, groupID, false /*=skipCache*/, "" /*=skipRuleID*/)
+	err = irs.Check(ctx2, groupID, "" /*=skipRuleID*/)
 	require.Error(t, err)
 	require.True(t, status.IsPermissionDeniedError(err))
 
 	sns.ch <- &snpb.InvalidateIPRulesCache{GroupId: groupID}
 	require.Eventually(t, func() bool {
-		return irs.Check(ctx2, groupID, false /*=skipCache*/, "" /*=skipRuleID*/) == nil
+		return irs.Check(ctx2, groupID, "" /*=skipRuleID*/) == nil
 	}, time.Second, 10*time.Millisecond)
 
 	env.GetHealthChecker().Shutdown()
@@ -298,7 +298,7 @@ func TestRefresherStopsOnShutdown(t *testing.T) {
 	sns.ch <- &snpb.InvalidateIPRulesCache{GroupId: groupID}
 
 	ctx3 := context.WithValue(context.Background(), clientip.ContextKey, "8.9.10.11")
-	err = irs.Check(ctx3, groupID, false /*=skipCache*/, "" /*=skipRuleID*/)
+	err = irs.Check(ctx3, groupID, "" /*=skipRuleID*/)
 	require.Error(t, err)
 	require.True(t, status.IsPermissionDeniedError(err))
 }

enterprise/server/ip_rules_service/ip_rules_service.go

@@ -107,7 +107,9 @@ func (s *Service) SetIPRuleConfig(ctx context.Context, req *irpb.SetRulesConfigR
 	}
 
 	if req.GetEnforceIpRules() {
-		err := s.enforcer.Check(ctx, req.GetRequestContext().GetGroupId(), true /*=skipCache*/, "" /*=skipRuleID*/)
+		groupID := req.GetRequestContext().GetGroupId()
+		s.enforcer.InvalidateCachedRules(ctx, groupID)
+		err := s.enforcer.Check(ctx, groupID, "" /*=skipRuleID*/)
 		if err != nil {
 			if status.IsPermissionDeniedError(err) {
 				return nil, status.InvalidArgumentErrorf("Enabling IP rule enforcement would block your IP (%s) from accessing the organization.", clientip.Get(ctx))
@@ -237,7 +239,9 @@ func (s *Service) DeleteRule(ctx context.Context, req *irpb.DeleteRuleRequest) (
 	if g.EnforceIPRules {
 		// Check if deleting the rule would lock out the client calling this
 		// API.
-		err := s.enforcer.Check(ctx, req.GetRequestContext().GetGroupId(), true /*=skipCache*/, req.GetIpRuleId())
+		groupID := req.GetRequestContext().GetGroupId()
+		s.enforcer.InvalidateCachedRules(ctx, groupID)
+		err := s.enforcer.Check(ctx, groupID, req.GetIpRuleId())
 		if err != nil {
 			if status.IsPermissionDeniedError(err) {
 				return nil, status.InvalidArgumentErrorf("Deleting this rule would block your IP (%s) from accessing the organization.", clientip.Get(ctx))

enterprise/server/ip_rules_service/ip_rules_service_test.go

@@ -22,14 +22,14 @@ import (
 	snpb "github.com/buildbuddy-io/buildbuddy/proto/server_notification"
 )
 
-type checkCall struct {
-	groupID    string
-	skipCache  bool
-	skipRuleID string
+type operations struct {
+	groupID      string
+	invalidation bool
+	skipRuleID   string
 }
 
 type fakeIPRulesEnforcer struct {
-	checkCalls []checkCall
+	checkCalls []operations
 	checkErr   error
 }
 
@@ -45,10 +45,16 @@ func (f *fakeIPRulesEnforcer) AuthorizeHTTPRequest(ctx context.Context, r *http.
 	return nil
 }
 
-func (f *fakeIPRulesEnforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
-	f.checkCalls = append(f.checkCalls, checkCall{
+func (f *fakeIPRulesEnforcer) InvalidateCachedRules(ctx context.Context, groupID string) {
+	f.checkCalls = append(f.checkCalls, operations{
+		groupID:      groupID,
+		invalidation: true,
+	})
+}
+
+func (f *fakeIPRulesEnforcer) Check(ctx context.Context, groupID string, skipRuleID string) error {
+	f.checkCalls = append(f.checkCalls, operations{
 		groupID:    groupID,
-		skipCache:  skipCache,
 		skipRuleID: skipRuleID,
 	})
 	return f.checkErr
@@ -262,7 +268,10 @@ func TestSetAndGetIPRuleConfig(t *testing.T) {
 		EnforceIpRules: true,
 	})
 	require.NoError(t, err)
-	require.Equal(t, []checkCall{{groupID: groupID, skipCache: true, skipRuleID: ""}}, enforcer.checkCalls)
+	require.Equal(t, []operations{
+		{groupID: groupID, invalidation: true},
+		{groupID: groupID, skipRuleID: ""},
+	}, enforcer.checkCalls)
 
 	cfgRsp, err = svc.GetIPRuleConfig(authCtx, &irpb.GetRulesConfigRequest{
 		RequestContext: &ctxpb.RequestContext{GroupId: groupID},
@@ -275,7 +284,7 @@ func TestSetAndGetIPRuleConfig(t *testing.T) {
 		EnforceIpRules: false,
 	})
 	require.NoError(t, err)
-	require.Len(t, enforcer.checkCalls, 1)
+	require.Len(t, enforcer.checkCalls, 2)
 
 	cfgRsp, err = svc.GetIPRuleConfig(authCtx, &irpb.GetRulesConfigRequest{
 		RequestContext: &ctxpb.RequestContext{GroupId: groupID},
@@ -296,7 +305,10 @@ func TestSetIPRuleConfigRejectsLockout(t *testing.T) {
 	require.Error(t, err)
 	require.True(t, status.IsInvalidArgumentError(err))
 	require.Contains(t, err.Error(), "9.8.7.6")
-	require.Equal(t, []checkCall{{groupID: groupID, skipCache: true, skipRuleID: ""}}, enforcer.checkCalls)
+	require.Equal(t, []operations{
+		{groupID: groupID, invalidation: true},
+		{groupID: groupID, skipRuleID: ""},
+	}, enforcer.checkCalls)
 
 	cfgRsp, err := svc.GetIPRuleConfig(authCtx, &irpb.GetRulesConfigRequest{
 		RequestContext: &ctxpb.RequestContext{GroupId: groupID},
@@ -330,11 +342,13 @@ func TestDeleteRuleRejectsLockout(t *testing.T) {
 	require.Error(t, err)
 	require.True(t, status.IsInvalidArgumentError(err))
 	require.Contains(t, err.Error(), "1.2.3.4")
-	require.Equal(t, []checkCall{{
-		groupID:    groupID,
-		skipCache:  true,
-		skipRuleID: addRsp.GetRule().GetIpRuleId(),
-	}}, enforcer.checkCalls)
+	require.Equal(t, []operations{
+		{groupID: groupID, invalidation: true},
+		{
+			groupID:    groupID,
+			skipRuleID: addRsp.GetRule().GetIpRuleId(),
+		},
+	}, enforcer.checkCalls)
 
 	_, err = svc.GetRule(authCtx, groupID, addRsp.GetRule().GetIpRuleId())
 	require.NoError(t, err)

server/interfaces/interfaces.go

@@ -1579,10 +1579,14 @@ type IPRulesEnforcer interface {
 	// context.
 	AuthorizeHTTPRequest(ctx context.Context, r *http.Request) error
 
+	// Invalidates all cached IP Rules for the provided group ID, ensuring the
+	// next authorization/check request will use fresh rules from the backend.
+	InvalidateCachedRules(ctx context.Context, groupID string)
+
 	// Performs an explicit IP rule check for the given group ID with the
 	// option to force refresh rules from the backend and skip specific rules
 	// (for testing rule changes made by IPRulesService).
-	Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error
+	Check(ctx context.Context, groupID string, skipRuleID string) error
 }
 
 type IPRulesService interface {