stuff

iain-macdonald · iain-macdonald · commit 923079936b7f · 2026-03-17T10:05:24.000-07:00
diff --git a/enterprise/server/ip_rules_enforcer/ip_rules_enforcer.go b/enterprise/server/ip_rules_enforcer/ip_rules_enforcer.go
@@ -62,72 +62,32 @@ func newIpRuleCache() (ipRuleCache, error) {
 	})
 }
 
-type Enforcer struct {
-	env environment.Env
-
-	cache ipRuleCache
-}
-
-type NoOpEnforcer struct{}
-
-func (n *NoOpEnforcer) Authorize(ctx context.Context) error {
-	return nil
-}
-
-func (n *NoOpEnforcer) AuthorizeGroup(ctx context.Context, groupID string) error {
-	return nil
-}
-
-func (n *NoOpEnforcer) AuthorizeHTTPRequest(ctx context.Context, r *http.Request) error {
-	return nil
+// An abstraction for retrieving IP rules from a source of truth.
+type ipRulesProvider interface {
+	// TODO(iain): get rid of skipCache and skipRuleID.
+	get(ctx context.Context, groupID string, skipCache bool, skipRuleID string) ([]*net.IPNet, error)
+	startRefresher(env environment.Env) error
 }
 
-func (n *NoOpEnforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
-	return nil
+// An implementation of ipRulesProvider that retrieves IP rules from a database.
+type dbIPRulesProvider struct {
+	db    interfaces.DBHandle
+	cache ipRuleCache
 }
 
-func New(env environment.Env) (*Enforcer, error) {
+func newDBIPRulesProvider(env environment.Env) (*dbIPRulesProvider, error) {
 	cache, err := newIpRuleCache()
 	if err != nil {
 		return nil, err
 	}
-
-	svc := &Enforcer{
-		env:   env,
+	return &dbIPRulesProvider{
+		db:    env.GetDBHandle(),
 		cache: cache,
-	}
-	if sns := env.GetServerNotificationService(); sns != nil {
-		go func() {
-			for msg := range sns.Subscribe(&snpb.InvalidateIPRulesCache{}) {
-				ic, ok := msg.(*snpb.InvalidateIPRulesCache)
-				if !ok {
-					alert.UnexpectedEvent("iprules_invalid_proto_type", "received proto type %T", msg)
-					continue
-				}
-				if err := svc.refreshRules(env.GetServerContext(), ic.GetGroupId()); err != nil {
-					log.Warningf("could not refresh IP rules for group %q: %s", ic.GetGroupId(), err)
-				}
-			}
-		}()
-	}
-	return svc, nil
+	}, nil
 }
 
-func Register(env *real_environment.RealEnv) error {
-	var enforcer interfaces.IPRulesEnforcer = &NoOpEnforcer{}
-	if *enableIPRules {
-		realEnforcer, err := New(env)
-		if err != nil {
-			return err
-		}
-		enforcer = realEnforcer
-	}
-	env.SetIPRulesEnforcer(enforcer)
-	return nil
-}
-
-func (s *Enforcer) loadRulesFromDB(ctx context.Context, groupID string) ([]*tables.IPRule, error) {
-	rq := s.env.GetDBHandle().NewQuery(ctx, "iprules_load_rules").Raw(
+func (p *dbIPRulesProvider) loadRulesFromDB(ctx context.Context, groupID string) ([]*tables.IPRule, error) {
+	rq := p.db.NewQuery(ctx, "iprules_load_rules").Raw(
 		`SELECT * FROM "IPRules" WHERE group_id = ? ORDER BY created_at_usec`, groupID)
 	rules, err := db.ScanAll(rq, &tables.IPRule{})
 	if err != nil {
@@ -136,8 +96,8 @@ func (s *Enforcer) loadRulesFromDB(ctx context.Context, groupID string) ([]*tabl
 	return rules, nil
 }
 
-func (s *Enforcer) loadParsedRulesFromDB(ctx context.Context, groupID string, skipRuleID string) ([]*net.IPNet, error) {
-	rs, err := s.loadRulesFromDB(ctx, groupID)
+func (p *dbIPRulesProvider) loadParsedRulesFromDB(ctx context.Context, groupID string, skipRuleID string) ([]*net.IPNet, error) {
+	rs, err := p.loadRulesFromDB(ctx, groupID)
 	if err != nil {
 		return nil, err
 	}
@@ -157,16 +117,104 @@ func (s *Enforcer) loadParsedRulesFromDB(ctx context.Context, groupID string, sk
 	return allowed, nil
 }
 
-func (s *Enforcer) refreshRules(ctx context.Context, groupID string) error {
-	pr, err := s.loadParsedRulesFromDB(ctx, groupID, "" /*=skipRuleId*/)
+func (p *dbIPRulesProvider) refreshRules(ctx context.Context, groupID string) error {
+	pr, err := p.loadParsedRulesFromDB(ctx, groupID, "" /*=skipRuleId*/)
 	if err != nil {
 		return err
 	}
-	s.cache.Add(groupID, pr)
+	p.cache.Add(groupID, pr)
 	log.CtxInfof(ctx, "refreshed IP rules for group %s", groupID)
 	return nil
 }
 
+func (p *dbIPRulesProvider) get(ctx context.Context, groupID string, skipCache bool, skipRuleID string) ([]*net.IPNet, error) {
+	allowed, ok := p.cache.Get(groupID)
+	if !ok || skipCache {
+		pr, err := p.loadParsedRulesFromDB(ctx, groupID, skipRuleID)
+		if err != nil {
+			return nil, err
+		}
+		// if skipRuleID is set, the retrieved rule list may be incomplete.
+		if skipRuleID == "" {
+			p.cache.Add(groupID, pr)
+		}
+		allowed = pr
+	}
+	return allowed, nil
+}
+
+// TODO(iain): halt goroutine on server exit.
+func (p *dbIPRulesProvider) startRefresher(env environment.Env) error {
+	sns := env.GetServerNotificationService()
+	if sns == nil {
+		return nil
+	}
+	go func() {
+		for msg := range sns.Subscribe(&snpb.InvalidateIPRulesCache{}) {
+			ic, ok := msg.(*snpb.InvalidateIPRulesCache)
+			if !ok {
+				alert.UnexpectedEvent("iprules_invalid_proto_type", "received proto type %T", msg)
+				continue
+			}
+			if err := p.refreshRules(env.GetServerContext(), ic.GetGroupId()); err != nil {
+				log.Warningf("could not refresh IP rules for group %q: %s", ic.GetGroupId(), err)
+			}
+		}
+	}()
+	return nil
+}
+
+type Enforcer struct {
+	env           environment.Env
+	rulesProvider ipRulesProvider
+}
+
+type NoOpEnforcer struct{}
+
+func (n *NoOpEnforcer) Authorize(ctx context.Context) error {
+	return nil
+}
+
+func (n *NoOpEnforcer) AuthorizeGroup(ctx context.Context, groupID string) error {
+	return nil
+}
+
+func (n *NoOpEnforcer) AuthorizeHTTPRequest(ctx context.Context, r *http.Request) error {
+	return nil
+}
+
+func (n *NoOpEnforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
+	return nil
+}
+
+func New(env environment.Env) (*Enforcer, error) {
+	rulesProvider, err := newDBIPRulesProvider(env)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := rulesProvider.startRefresher(env); err != nil {
+		return nil, err
+	}
+	return &Enforcer{
+		env:           env,
+		rulesProvider: rulesProvider,
+	}, nil
+}
+
+func Register(env *real_environment.RealEnv) error {
+	var enforcer interfaces.IPRulesEnforcer = &NoOpEnforcer{}
+	if *enableIPRules {
+		realEnforcer, err := New(env)
+		if err != nil {
+			return err
+		}
+		enforcer = realEnforcer
+	}
+	env.SetIPRulesEnforcer(enforcer)
+	return nil
+}
+
 func (s *Enforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
 	rawClientIP := clientip.Get(ctx)
 	clientIP := net.ParseIP(rawClientIP)
@@ -175,17 +223,9 @@ func (s *Enforcer) Check(ctx context.Context, groupID string, skipCache bool, sk
 		return status.FailedPreconditionErrorf("client IP %q is not valid", rawClientIP)
 	}
 
-	allowed, ok := s.cache.Get(groupID)
-	if !ok || skipCache {
-		pr, err := s.loadParsedRulesFromDB(ctx, groupID, skipRuleID)
-		if err != nil {
-			return err
-		}
-		// if skipRuleID is set, the retrieved rule list may be incomplete.
-		if skipRuleID == "" {
-			s.cache.Add(groupID, pr)
-		}
-		allowed = pr
+	allowed, err := s.rulesProvider.get(ctx, groupID, skipCache, skipRuleID)
+	if err != nil {
+		return err
 	}
 
 	for _, a := range allowed {
