Merge "Improve application credential validation speed"

2024-01-26 17:37:13 +00:00 · 2024-01-26 17:37:13 +00:00 · 6c16f975d2
commit 6c16f975d2
parent 993e589fa1 67b5cca032
3 changed files with 14 additions and 2 deletions
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@ -938,6 +938,7 @@ class Manager(manager.Manager):

        return assignments

+    @MEMOIZE_COMPUTED_ASSIGNMENTS
    def list_role_assignments(self, role_id=None, user_id=None, group_id=None,
                              system=None, domain_id=None, project_id=None,
                              include_subtree=False, inherited=None,
@ -1080,6 +1081,7 @@ class Manager(manager.Manager):
        system_assignments = self.list_system_grants_for_group(group_id)
        for assignment in system_assignments:
            self.delete_system_grant_for_group(group_id, assignment['id'])
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()

    def delete_user_assignments(self, user_id):
        # FIXME(lbragstad): This should be refactored in the Rocky release so
@ -1091,6 +1093,7 @@ class Manager(manager.Manager):
        system_assignments = self.list_system_grants_for_user(user_id)
        for assignment in system_assignments:
            self.delete_system_grant_for_user(user_id, assignment['id'])
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()

    def check_system_grant_for_user(self, user_id, role_id):
        """Check if a user has a specific role on the system.
@ -1163,6 +1166,7 @@ class Manager(manager.Manager):
        target_id = self._SYSTEM_SCOPE_TOKEN
        inherited = False
        self.driver.delete_system_grant(role_id, user_id, target_id, inherited)
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()

    def check_system_grant_for_group(self, group_id, role_id):
        """Check if a group has a specific role on the system.
@ -1237,6 +1241,7 @@ class Manager(manager.Manager):
        self.driver.delete_system_grant(
            role_id, group_id, target_id, inherited
        )
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()

    def list_all_system_grants(self):
        """Return a list of all system grants."""
--- a/keystone/models/revoke_model.py
+++ b/keystone/models/revoke_model.py
@ -242,8 +242,9 @@ def build_token_values(token):
        token_values['assignment_domain_id'] = None

    role_list = []
-    if token.roles is not None:
-        for role in token.roles:
+    token_roles = token.roles
+    if token_roles is not None:
+        for role in token_roles:
            role_list.append(role['id'])
    token_values['roles'] = role_list

--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@ -643,6 +643,9 @@ class AssignmentTests(AssignmentTestHelperMixin):
        # attempts to lookup a group that has been deleted in the backend
        with mock.patch.object(PROVIDERS.identity_api, 'get_group',
                               _group_not_found):
+            # Mocking a dependent function makes the cache invalid
+            keystone.assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+
            assignment_list = PROVIDERS.assignment_api.list_role_assignments(
                include_names=True
            )
@ -669,6 +672,9 @@ class AssignmentTests(AssignmentTestHelperMixin):
        # in the backend
        with mock.patch.object(PROVIDERS.identity_api, 'list_users_in_group',
                               _group_not_found):
+            # Mocking a dependent function makes the cache invalid
+            keystone.assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+
            assignment_list = PROVIDERS.assignment_api.list_role_assignments(
                effective=True
            )