Merge pull request #3560 from uselagoon/remove-permission-cache

chore: remove permission cache
uselagoon · Oct 5, 2023 · 4d4e656 · 4d4e656
2 parents c1301fe + df4b91c
commit 4d4e656
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 80 deletions.
diff --git a/services/api/src/clients/redisClient.ts b/services/api/src/clients/redisClient.ts
@@ -47,29 +47,6 @@ const hashKey = ({ resource, project, group, scope }: IUserResourceScope) =>
     group ? `${group}:` : ''
   }${scope}`;
 
-export const getRedisCache = async (resourceScope: IUserResourceScope): Promise<string> => {
-  const redisHash = await hgetall(`cache:authz:${resourceScope.currentUserId}`);
-  const key = hashKey(resourceScope);
-
-  return R.prop(key, redisHash);
-};
-
-export const saveRedisCache = async (
-  resourceScope: IUserResourceScope,
-  value: string
-) => {
-  const key = hashKey(resourceScope);
-  const timeout = getConfigFromEnv('CACHE_PERMISSION_TTL', '500');
-  redisClient.multi()
-  .hset(
-    `cache:authz:${resourceScope.currentUserId}`,
-    key,
-    value
-  )
-  .expire(`cache:authz:${resourceScope.currentUserId}`, parseInt(timeout, 10))
-  .exec();
-};
-
 export const getRedisKeycloakCache = async (key: string) => {
   const redisHash = await hgetall(`cache:keycloak`);
 
@@ -97,8 +74,6 @@ export const deleteProjectGroupsCache = async projectId =>
   del(`project-groups:${projectId}`);
 
 export default {
-  getRedisCache,
-  saveRedisCache,
   getRedisKeycloakCache,
   saveRedisKeycloakCache,
   deleteRedisUserCache,

diff --git a/services/api/src/util/auth.ts b/services/api/src/util/auth.ts
@@ -9,7 +9,7 @@ import { keycloakGrantManager } from '../clients/keycloakClient';
 const { userActivityLogger } = require('../loggers/userActivityLogger');
 import { Group } from '../models/group';
 import { User } from '../models/user';
-import { saveRedisCache, getRedisCache, saveRedisKeycloakCache } from '../clients/redisClient';
+import { saveRedisKeycloakCache } from '../clients/redisClient';
 
 interface ILegacyToken {
   iat: string;
@@ -155,54 +155,6 @@ export const keycloakHasPermission = (grant, requestCache, modelClients, service
 
   return async (resource, scope, attributes: IKeycloakAuthAttributes = {}) => {
 
-    // Check if the same set of permissions has been granted already for this
-    // api query.
-    const cacheKey = `${currentUser.id}:${resource}:${scope}:${JSON.stringify(
-      attributes
-    )}`;
-    const cachedPermissions = requestCache.get(cacheKey);
-    if (cachedPermissions === true) {
-      return true;
-    } else if (!cachedPermissions === false) {
-      userActivityLogger.user_info(
-        `User does not have permission to '${scope}' on '${resource}'`,
-        {
-          user: grant ? grant.access_token.content : null
-        }
-      );
-      throw new KeycloakUnauthorizedError(
-        `Unauthorized: You don't have permission to "${scope}" on "${resource}": ${JSON.stringify(
-          attributes
-        )}`
-      );
-    }
-
-    // Check the redis cache before doing a full keycloak lookup.
-    const resourceScope = { resource, scope, currentUserId: currentUser.id, ...attributes };
-    let redisCacheResult: number;
-    try {
-      const data = await getRedisCache(resourceScope);
-      redisCacheResult = parseInt(data, 10);
-    } catch (err) {
-      logger.warn(`Couldn't check redis authz cache: ${err.message}`);
-    }
-
-    if (redisCacheResult === 1) {
-      return true;
-    } else if (redisCacheResult === 0) {
-      userActivityLogger.user_info(
-        `User does not have permission to '${scope}' on '${resource}'`,
-        {
-          user: grant.access_token.content
-        }
-      );
-      throw new KeycloakUnauthorizedError(
-        `Unauthorized: You don't have permission to "${scope}" on "${resource}": ${JSON.stringify(
-          attributes
-        )}`
-      );
-    }
-
     let claims: {
       currentUser: [string];
       usersQuery?: [string];
@@ -374,12 +326,6 @@ export const keycloakHasPermission = (grant, requestCache, modelClients, service
       );
 
       if (newGrant.access_token.hasPermission(resource, scope)) {
-        requestCache.set(cacheKey, true);
-        try {
-          await saveRedisCache(resourceScope, '1');
-        } catch (err) {
-          logger.warn(`Couldn't save redis authz cache: ${err.message}`);
-        }
         return;
       }
     } catch (err) {