From 94534e8f4d1fc43022e3c4dac818484367b57f66 Mon Sep 17 00:00:00 2001
From: GeorgeC
Date: Mon, 8 Jul 2024 16:18:11 -0400
Subject: [PATCH] Optimize access rule processing with caching

Introduced a caching mechanism to the access rule processing in the AuthorizationService, where access rules are now stored in a cache for each user. The caching system significantly reduces the time to process access rules, particularly for users with large numbers of privileges. Extra methods were also added to the AccessRuleService to handle cache evictions when a user's privileges are updated.
---
 .../auth/service/impl/AccessRuleService.java | 26 ++++++++++++++++++-
 .../FENCEAuthenticationService.java | 1 -
 .../authorization/AuthorizationService.java | 2 +-
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/AccessRuleService.java b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/AccessRuleService.java
index 9d4b74d9..d176c6be 100644
--- a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/AccessRuleService.java
+++ b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/AccessRuleService.java
@@ -153,11 +153,30 @@ public Set getAccessRulesForUserAndApp(User user, Application applic
 return null;
 }
- @CacheEvict(value = "mergedRulesCache", key = "#user.getEmail()")
+ /**
+ * Evicts the user from all AccessRule caches
+ * @param user the user to evict
+ */
 public void evictFromCache(User user) {
+ evictFromMergedAccessRuleCache(user);
+ evictFromPreProcessedAccessRules(user);
+ }
+
+ @CacheEvict(value = "mergedRulesCache", key = "#user.getEmail()")
+ public void evictFromMergedAccessRuleCache(User user) {
 // This method is used to clear the cache for a user when their privileges are updated
 }
+ @Cacheable(value = "preProcessedAccessRules", key = "#user.getEmail()")
+ public Set cachedPreProcessAccessRules(User user, Set privileges) {
+ Set accessRules = new HashSet<>();
+ for (Privilege privilege : privileges) {
+ accessRules.addAll(privilege.getAccessRules());
+ }
+
+ return preProcessARBySortedKeys(accessRules);
+ }
+
 public Set preProcessAccessRules(Set privileges) {
 Set accessRules = new HashSet<>();
 for (Privilege privilege : privileges) {
@@ -167,6 +186,11 @@ public Set preProcessAccessRules(Set privileges) {
 return preProcessARBySortedKeys(accessRules);
 }
+ @CacheEvict(value = "preProcessedAccessRules", key = "#user.getEmail()")
+ public void evictFromPreProcessedAccessRules(User user) {
+ // This method is used to clear the cache for a user when their privileges are updated
+ }
+
 public Set preProcessARBySortedKeys(Set accessRules) {
 Map> accessRuleMap = new HashMap<>();
diff --git a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authentication/FENCEAuthenticationService.java b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authentication/FENCEAuthenticationService.java
index 1dbd6bca..307f81e1 100644
--- a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authentication/FENCEAuthenticationService.java
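Review bot: `evictFromCache` now reaches `evictFromMergedAccessRuleCache` and `evictFromPreProcessedAccessRules` (the latter added in the second hunk of this file) through plain calls on `this`, and under Spring's default proxy-based caching a self-invocation does not pass through the cache interceptor, so neither `@CacheEvict` would fire. If that is the mode in use here (the cache configuration is not visible in this patch), callers of `evictFromCache` stop evicting anything, and a user whose privileges were reduced keeps being authorized against the old rule set. Keeping the eviction on the externally called method avoids this: `@CacheEvict(cacheNames = {"mergedRulesCache", "preProcessedAccessRules"}, key = "#user.getEmail()")` on `evictFromCache`, with the two helper methods removed or only ever called from other beans. A test that populates both caches, calls `evictFromCache(user)` and asserts that both miss afterwards would pin the behaviour.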
+++ b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authentication/FENCEAuthenticationService.java
@@ -4,7 +4,6 @@ import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
-import edu.harvard.hms.dbmi.avillach.auth.entity.Application;
 import edu.harvard.hms.dbmi.avillach.auth.entity.Connection;
 import edu.harvard.hms.dbmi.avillach.auth.entity.Role;
 import edu.harvard.hms.dbmi.avillach.auth.entity.User;
diff --git a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java
index f5752095..ad5655f5 100644
--- a/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java
+++ b/pic-sure-auth-services/src/main/java/edu/harvard/hms/dbmi/avillach/auth/service/impl/authorization/AuthorizationService.java
@@ -134,7 +134,7 @@ public boolean isAuthorized(Application application, Object requestBody, User us
 return false;
 }
- accessRules = this.accessRuleService.preProcessAccessRules(privileges);
+ accessRules = this.accessRuleService.cachedPreProcessAccessRules(user, privileges);
 if (accessRules == null || accessRules.isEmpty()) {
 logger.info("ACCESS_LOG ___ {},{},{} ___ has been granted access to execute query ___ {} ___ in application ___ {} ___ NO ACCESS RULES EVALUATED", user.getUuid().toString(), user.getEmail(), user.getName(), formattedQuery, applicationName);
 return true;
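Review bot: The switch to `cachedPreProcessAccessRules(user, privileges)` makes the authorization decision depend on a cache entry keyed only by `#user.getEmail()`, while the rules are derived from the `privileges` argument, so the set computed on the first call is reused for every later call with that e-mail whatever privileges are passed. If `privileges` is narrowed to `application` earlier in `isAuthorized` (the method starts and ends outside this hunk), rules cached for one application would be evaluated for another, and the key would need an application identifier as well. An empty result is cached too, and the branch directly below turns an empty set into `return true` with "NO ACCESS RULES EVALUATED", so a stale empty entry fails open until it is evicted. I would document the contract on the cached method, for example `// Cached per user e-mail: every privilege change must call evictFromCache(user), or authorization uses stale rules`, and consider keying on `user.getUuid()`, which the log line already uses to identify the user.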