Remove IPRulesEnforcer.Check's skipCache parameter (#11609)

Related issues:
buildbuddy-io/buildbuddy-internal#6797

Author: iain-macdonald

enterprise/server/ip_rules_enforcer/ip_rules_enforcer.go

@@ -36,6 +36,7 @@ const (
 
 type ipRuleCache interface {
 	Add(groupID string, allowed []*net.IPNet) bool
+	Remove(groupID string) bool
 	Get(groupID string) ([]*net.IPNet, bool)
 }
 
@@ -46,6 +47,10 @@ func (c *noopIpRuleCache) Add(groupID string, allowed []*net.IPNet) bool {
 	return false
 }
 
+func (c *noopIpRuleCache) Remove(groupID string) bool {
+	return false
+}
+
 func (c *noopIpRuleCache) Get(groupID string) ([]*net.IPNet, bool) {
 	return nil, false
 }
@@ -64,8 +69,9 @@ func newIpRuleCache() (ipRuleCache, error) {
 
 // An abstraction for retrieving IP rules from a source of truth.
 type ipRulesProvider interface {
-	// TODO(iain): get rid of skipCache and skipRuleID.
-	get(ctx context.Context, groupID string, skipCache bool, skipRuleID string) ([]*net.IPNet, error)
+	// TODO(iain): get rid of skipRuleID.
+	get(ctx context.Context, groupID string, skipRuleID string) ([]*net.IPNet, error)
+	invalidate(ctx context.Context, groupID string)
 	startRefresher(env environment.Env) error
 }
 
@@ -127,9 +133,9 @@ func (p *dbIPRulesProvider) refreshRules(ctx context.Context, groupID string) er
 	return nil
 }
 
-func (p *dbIPRulesProvider) get(ctx context.Context, groupID string, skipCache bool, skipRuleID string) ([]*net.IPNet, error) {
+func (p *dbIPRulesProvider) get(ctx context.Context, groupID string, skipRuleID string) ([]*net.IPNet, error) {
 	allowed, ok := p.cache.Get(groupID)
-	if !ok || skipCache {
+	if !ok {
 		pr, err := p.loadParsedRulesFromDB(ctx, groupID, skipRuleID)
 		if err != nil {
 			return nil, err
@@ -143,6 +149,10 @@ func (p *dbIPRulesProvider) get(ctx context.Context, groupID string, skipCache b
 	return allowed, nil
 }
 
+func (p *dbIPRulesProvider) invalidate(ctx context.Context, groupID string) {
+	p.cache.Remove(groupID)
+}
+
 // TODO(iain): halt goroutine on server exit.
 func (p *dbIPRulesProvider) startRefresher(env environment.Env) error {
 	sns := env.GetServerNotificationService()
@@ -183,7 +193,10 @@ func (n *NoOpEnforcer) AuthorizeHTTPRequest(ctx context.Context, r *http.Request
 	return nil
 }
 
-func (n *NoOpEnforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
+func (n *NoOpEnforcer) InvalidateCache(ctx context.Context, groupID string) {
+}
+
+func (n *NoOpEnforcer) Check(ctx context.Context, groupID string, skipRuleID string) error {
 	return nil
 }
 
@@ -215,15 +228,15 @@ func Register(env *real_environment.RealEnv) error {
 	return nil
 }
 
-func (s *Enforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
+func (s *Enforcer) Check(ctx context.Context, groupID string, skipRuleID string) error {
 	rawClientIP := clientip.Get(ctx)
 	clientIP := net.ParseIP(rawClientIP)
 	// Client IP is not parsable.
 	if clientIP == nil {
 		return status.FailedPreconditionErrorf("client IP %q is not valid", rawClientIP)
 	}
 
-	allowed, err := s.rulesProvider.get(ctx, groupID, skipCache, skipRuleID)
+	allowed, err := s.rulesProvider.get(ctx, groupID, skipRuleID)
 	if err != nil {
 		return err
 	}
@@ -239,7 +252,7 @@ func (s *Enforcer) Check(ctx context.Context, groupID string, skipCache bool, sk
 
 func (s *Enforcer) authorize(ctx context.Context, groupID string) error {
 	start := time.Now()
-	err := s.Check(ctx, groupID, false /*=skipCache*/, "" /*skipRuleID*/)
+	err := s.Check(ctx, groupID, "" /*skipRuleID*/)
 	metrics.IPRulesCheckLatencyUsec.With(
 		prometheus.Labels{metrics.StatusHumanReadableLabel: status.MetricsLabel(err)},
 	).Observe(float64(time.Since(start).Microseconds()))
@@ -330,3 +343,7 @@ func (s *Enforcer) AuthorizeHTTPRequest(ctx context.Context, r *http.Request) er
 
 	return nil
 }
+
+func (s *Enforcer) InvalidateCache(ctx context.Context, groupID string) {
+	s.rulesProvider.invalidate(ctx, groupID)
+}

enterprise/server/ip_rules_enforcer/ip_rules_enforcer_test.go

@@ -116,7 +116,7 @@ func TestNoOpEnforcer(t *testing.T) {
 	require.NoError(t, enforcer.Authorize(context.Background()))
 	require.NoError(t, enforcer.AuthorizeGroup(context.Background(), "G1"))
 	require.NoError(t, enforcer.AuthorizeHTTPRequest(context.Background(), httptest.NewRequest("GET", "/rpc/BuildBuddyService/GetUser", nil)))
-	require.NoError(t, enforcer.Check(context.Background(), "G1", true, ""))
+	require.NoError(t, enforcer.Check(context.Background(), "G1", ""))
 }
 
 func TestAuthorizeAndAuthorizeGroup_EnforcementNotEnabled(t *testing.T) {
@@ -190,10 +190,10 @@ func TestCheckSkipRuleID(t *testing.T) {
 	ruleID := insertRule(t, env, groupID, "1.2.3.4/32", "rule1")
 	ctx := context.WithValue(context.Background(), clientip.ContextKey, "1.2.3.4")
 
-	err := irs.Check(ctx, groupID, true /* skipCache */, "" /* skipRuleID */)
+	err := irs.Check(ctx, groupID, "" /* skipRuleID */)
 	require.NoError(t, err)
 
-	err = irs.Check(ctx, groupID, true /* skipCache */, ruleID)
+	err = irs.Check(ctx, groupID, ruleID)
 	require.Error(t, err)
 	require.True(t, status.IsPermissionDeniedError(err))
 }

enterprise/server/ip_rules_service/ip_rules_service.go

@@ -107,7 +107,9 @@ func (s *Service) SetIPRuleConfig(ctx context.Context, req *irpb.SetRulesConfigR
 	}
 
 	if req.GetEnforceIpRules() {
-		err := s.enforcer.Check(ctx, req.GetRequestContext().GetGroupId(), true /*=skipCache*/, "" /*=skipRuleID*/)
+		groupID := req.GetRequestContext().GetGroupId()
+		s.enforcer.InvalidateCache(ctx, groupID)
+		err := s.enforcer.Check(ctx, groupID, "" /*=skipRuleID*/)
 		if err != nil {
 			if status.IsPermissionDeniedError(err) {
 				return nil, status.InvalidArgumentErrorf("Enabling IP rule enforcement would block your IP (%s) from accessing the organization.", clientip.Get(ctx))
@@ -235,9 +237,10 @@ func (s *Service) DeleteRule(ctx context.Context, req *irpb.DeleteRuleRequest) (
 		return nil, err
 	}
 	if g.EnforceIPRules {
-		// Check if deleting the rule would lock out the client calling this
-		// API.
-		err := s.enforcer.Check(ctx, req.GetRequestContext().GetGroupId(), true /*=skipCache*/, req.GetIpRuleId())
+		// Check if deleting the rule would block the client calling this API.
+		groupID := req.GetRequestContext().GetGroupId()
+		s.enforcer.InvalidateCache(ctx, groupID)
+		err := s.enforcer.Check(ctx, groupID, req.GetIpRuleId())
 		if err != nil {
 			if status.IsPermissionDeniedError(err) {
 				return nil, status.InvalidArgumentErrorf("Deleting this rule would block your IP (%s) from accessing the organization.", clientip.Get(ctx))

enterprise/server/ip_rules_service/ip_rules_service_test.go

@@ -22,15 +22,16 @@ import (
 	snpb "github.com/buildbuddy-io/buildbuddy/proto/server_notification"
 )
 
-type checkCall struct {
-	groupID    string
-	skipCache  bool
-	skipRuleID string
+type call struct {
+	groupID      string
+	invalidation bool
+	check        bool
+	skipRuleID   string
 }
 
 type fakeIPRulesEnforcer struct {
-	checkCalls []checkCall
-	checkErr   error
+	calls    []call
+	checkErr error
 }
 
 func (f *fakeIPRulesEnforcer) Authorize(ctx context.Context) error {
@@ -45,10 +46,17 @@ func (f *fakeIPRulesEnforcer) AuthorizeHTTPRequest(ctx context.Context, r *http.
 	return nil
 }
 
-func (f *fakeIPRulesEnforcer) Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error {
-	f.checkCalls = append(f.checkCalls, checkCall{
+func (f *fakeIPRulesEnforcer) InvalidateCache(ctx context.Context, groupID string) {
+	f.calls = append(f.calls, call{
+		groupID:      groupID,
+		invalidation: true,
+	})
+}
+
+func (f *fakeIPRulesEnforcer) Check(ctx context.Context, groupID string, skipRuleID string) error {
+	f.calls = append(f.calls, call{
 		groupID:    groupID,
-		skipCache:  skipCache,
+		check:      true,
 		skipRuleID: skipRuleID,
 	})
 	return f.checkErr
@@ -262,7 +270,10 @@ func TestSetAndGetIPRuleConfig(t *testing.T) {
 		EnforceIpRules: true,
 	})
 	require.NoError(t, err)
-	require.Equal(t, []checkCall{{groupID: groupID, skipCache: true, skipRuleID: ""}}, enforcer.checkCalls)
+	require.Equal(t, []call{
+		{groupID: groupID, invalidation: true},
+		{groupID: groupID, check: true},
+	}, enforcer.calls)
 
 	cfgRsp, err = svc.GetIPRuleConfig(authCtx, &irpb.GetRulesConfigRequest{
 		RequestContext: &ctxpb.RequestContext{GroupId: groupID},
@@ -275,7 +286,7 @@ func TestSetAndGetIPRuleConfig(t *testing.T) {
 		EnforceIpRules: false,
 	})
 	require.NoError(t, err)
-	require.Len(t, enforcer.checkCalls, 1)
+	require.Len(t, enforcer.calls, 2)
 
 	cfgRsp, err = svc.GetIPRuleConfig(authCtx, &irpb.GetRulesConfigRequest{
 		RequestContext: &ctxpb.RequestContext{GroupId: groupID},
@@ -296,7 +307,10 @@ func TestSetIPRuleConfigRejectsLockout(t *testing.T) {
 	require.Error(t, err)
 	require.True(t, status.IsInvalidArgumentError(err))
 	require.Contains(t, err.Error(), "9.8.7.6")
-	require.Equal(t, []checkCall{{groupID: groupID, skipCache: true, skipRuleID: ""}}, enforcer.checkCalls)
+	require.Equal(t, []call{
+		{groupID: groupID, invalidation: true},
+		{groupID: groupID, check: true},
+	}, enforcer.calls)
 
 	cfgRsp, err := svc.GetIPRuleConfig(authCtx, &irpb.GetRulesConfigRequest{
 		RequestContext: &ctxpb.RequestContext{GroupId: groupID},
@@ -330,11 +344,16 @@ func TestDeleteRuleRejectsLockout(t *testing.T) {
 	require.Error(t, err)
 	require.True(t, status.IsInvalidArgumentError(err))
 	require.Contains(t, err.Error(), "1.2.3.4")
-	require.Equal(t, []checkCall{{
-		groupID:    groupID,
-		skipCache:  true,
-		skipRuleID: addRsp.GetRule().GetIpRuleId(),
-	}}, enforcer.checkCalls)
+	require.Equal(t, []call{
+		{
+			groupID:      groupID,
+			invalidation: true,
+		},
+		{
+			groupID:    groupID,
+			check:      true,
+			skipRuleID: addRsp.GetRule().GetIpRuleId(),
+		}}, enforcer.calls)
 
 	_, err = svc.GetRule(authCtx, groupID, addRsp.GetRule().GetIpRuleId())
 	require.NoError(t, err)

server/interfaces/interfaces.go

@@ -1579,10 +1579,12 @@ type IPRulesEnforcer interface {
 	// context.
 	AuthorizeHTTPRequest(ctx context.Context, r *http.Request) error
 
-	// Performs an explicit IP rule check for the given group ID with the
-	// option to force refresh rules from the backend and skip specific rules
-	// (for testing rule changes made by IPRulesService).
-	Check(ctx context.Context, groupID string, skipCache bool, skipRuleID string) error
+	// Invalidates all cached IP rules for the specified group ID.
+	InvalidateCache(ctx context.Context, groupID string)
+
+	// Performs an explicit IP rule check for the given group ID, skipping the
+	// rule with the provided ID, if specified.
+	Check(ctx context.Context, groupID string, skipRuleID string) error
 }
 
 type IPRulesService interface {