Replace daemon thread in InMemoryRolePermissionResolver with RoleChangedEvent (#22507)

* Replace daemon thread in InMemoryRolePermissionResolver with RoleChangedEvent

* code cleanup

Author: todvora

graylog2-server/src/main/java/org/graylog2/security/InMemoryRolePermissionResolver.java

@@ -17,27 +17,25 @@
 package org.graylog2.security;
 
 import com.google.common.collect.ImmutableMap;
+import com.google.common.eventbus.EventBus;
+import com.google.common.eventbus.Subscribe;
+import jakarta.inject.Inject;
+import jakarta.inject.Singleton;
 import org.apache.shiro.authz.Permission;
 import org.apache.shiro.authz.permission.AllPermission;
 import org.apache.shiro.authz.permission.RolePermissionResolver;
 import org.graylog.security.permissions.CaseSensitiveWildcardPermission;
 import org.graylog2.shared.users.Role;
+import org.graylog2.users.RoleChangedEvent;
 import org.graylog2.users.RoleService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.Nonnull;
-
-import jakarta.inject.Inject;
-import jakarta.inject.Named;
-import jakarta.inject.Singleton;
-
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
-import java.util.concurrent.ScheduledExecutorService;
-import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
 
@@ -50,15 +48,12 @@ public class InMemoryRolePermissionResolver implements RolePermissionResolver {
 
     @Inject
     public InMemoryRolePermissionResolver(RoleService roleService,
-                                          @Named("daemonScheduler") ScheduledExecutorService daemonScheduler) {
+                                          EventBus eventBus) {
         this.roleService = roleService;
-        final RoleUpdater updater = new RoleUpdater();
 
+        eventBus.register(this);
         // eagerly load rules
-        updater.run();
-
-        // update rules every second in the background
-        daemonScheduler.scheduleAtFixedRate(updater, 1, 1, TimeUnit.SECONDS);
+        updateRoles();
     }
 
     @Override
@@ -93,15 +88,17 @@ public Set<String> resolveStringPermission(String roleId) {
     }
 
 
-    private class RoleUpdater implements Runnable {
-        @Override
-        public void run() {
-            try {
-                final Map<String, Role> index = roleService.loadAllIdMap();
-                InMemoryRolePermissionResolver.this.idToRoleIndex.set(ImmutableMap.copyOf(index));
-            } catch (Exception e) {
-                log.error("Could not find roles collection, no user roles updated.", e);
-            }
+    @Subscribe
+    public void handleRoleChangedEvent(RoleChangedEvent event) {
+        updateRoles();
+    }
+
+    private void updateRoles() {
+        try {
+            final Map<String, Role> index = roleService.loadAllIdMap();
+            this.idToRoleIndex.set(ImmutableMap.copyOf(index));
+        } catch (Exception e) {
+            log.error("Could not find roles collection, no user roles updated.", e);
         }
     }
 }

graylog2-server/src/main/java/org/graylog2/users/RoleChangedEvent.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.users;
+
+import org.graylog2.shared.users.Role;
+
+/**
+ * Fired every time a role is persisted or deleted.
+ *
+ * @param roleName name from {@link Role#getName()}
+ */
+public record RoleChangedEvent(String roleName) {
+}

graylog2-server/src/main/java/org/graylog2/users/RoleServiceImpl.java

@@ -33,6 +33,7 @@
 import org.graylog2.database.MongoCollections;
 import org.graylog2.database.NotFoundException;
 import org.graylog2.database.utils.MongoUtils;
+import org.graylog2.events.ClusterEventBus;
 import org.graylog2.plugin.database.ValidationException;
 import org.graylog2.shared.security.Permissions;
 import org.graylog2.shared.users.Role;
@@ -66,14 +67,16 @@ public class RoleServiceImpl implements RoleService {
     private final String adminRoleObjectId;
     private final String readerRoleObjectId;
     private final MongoCollection<RoleImpl> collection;
+    private final ClusterEventBus clusterEventBus;
 
     @Inject
     public RoleServiceImpl(MongoCollections mongoCollections,
                            Permissions permissions,
-                           Validator validator) {
+                           Validator validator, ClusterEventBus clusterEventBus) {
         this.validator = validator;
 
         collection = mongoCollections.nonEntityCollection(ROLES_COLLECTION_NAME, RoleImpl.class);
+        this.clusterEventBus = clusterEventBus;
         // lower case role names are unique, this allows arbitrary naming, but still uses an index
         collection.createIndex(Indexes.ascending(NAME_LOWER), new IndexOptions().unique(true));
 
@@ -179,17 +182,19 @@ public Map<String, Role> loadAllLowercaseNameMap() {
     }
 
     @Override
-    public RoleImpl save(Role role1) throws ValidationException {
+    public RoleImpl save(Role role) throws ValidationException {
         // sucky but necessary because of graylog2-shared not knowing about mongodb :(
-        if (!(role1 instanceof final RoleImpl role)) {
+        if (!(role instanceof final RoleImpl roleImpl)) {
             throw new IllegalArgumentException("invalid Role implementation class");
         }
-        final Set<ConstraintViolation<Role>> violations = validate(role);
+        final Set<ConstraintViolation<Role>> violations = validate(roleImpl);
         if (!violations.isEmpty()) {
             throw new ValidationException("Validation failed.", violations.toString());
         }
-        return collection.findOneAndReplace(eq(NAME_LOWER, role.nameLower()), role,
+        final RoleImpl result = collection.findOneAndReplace(eq(NAME_LOWER, roleImpl.nameLower()), roleImpl,
                 new FindOneAndReplaceOptions().returnDocument(ReturnDocument.AFTER).upsert(true));
+        triggerChangeEvent(roleImpl.getName());
+        return result;
     }
 
     @Override
@@ -202,7 +207,17 @@ public int delete(String roleName) {
         final var nameMatchesAndNotReadonly = Filters.and(
                 eq(READ_ONLY, false),
                 eq(NAME_LOWER, roleName.toLowerCase(Locale.ENGLISH)));
-        return Ints.saturatedCast(collection.deleteOne(nameMatchesAndNotReadonly).getDeletedCount());
+        final int result = Ints.saturatedCast(collection.deleteOne(nameMatchesAndNotReadonly).getDeletedCount());
+        triggerChangeEvent(roleName);
+        return result;
+    }
+
+    /**
+     * Notify other parts of the system and cluster that there was a change in roles.
+     * @param roleName which role has been persisted or deleted.
+     */
+    private void triggerChangeEvent(String roleName) {
+        clusterEventBus.post(new RoleChangedEvent(roleName));
     }
 
     @Override

graylog2-server/src/test/java/org/graylog2/migrations/V20200803120800_GrantsMigrations/RolesToGrantsMigrationTest.java

@@ -33,6 +33,7 @@
 import org.graylog2.bindings.providers.MongoJackObjectMapperProvider;
 import org.graylog2.database.MongoCollections;
 import org.graylog2.database.NotFoundException;
+import org.graylog2.events.ClusterEventBus;
 import org.graylog2.plugin.database.users.User;
 import org.graylog2.shared.security.Permissions;
 import org.graylog2.shared.users.UserService;
@@ -82,7 +83,7 @@ void setUp(MongoDBTestService mongodb,
         this.grnRegistry = grnRegistry;
 
         roleService = new RoleServiceImpl(
-                new MongoCollections(mongoJackObjectMapperProvider, mongodb.mongoConnection()), permissions, validator);
+                new MongoCollections(mongoJackObjectMapperProvider, mongodb.mongoConnection()), permissions, validator, new ClusterEventBus());
 
         this.dbGrantService = new DBGrantService(new MongoCollections(mongoJackObjectMapperProvider, mongodb.mongoConnection()));
         this.userService = userService;

graylog2-server/src/test/java/org/graylog2/security/InMemoryRolePermissionResolverTest.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.security;
+
+import com.google.common.eventbus.EventBus;
+import jakarta.annotation.Nonnull;
+import jakarta.validation.Validator;
+import org.apache.shiro.authz.permission.AllPermission;
+import org.apache.shiro.authz.permission.RolePermissionResolver;
+import org.assertj.core.api.Assertions;
+import org.graylog.security.permissions.CaseSensitiveWildcardPermission;
+import org.graylog.testing.mongodb.MongoDBExtension;
+import org.graylog2.database.MongoCollections;
+import org.graylog2.database.NotFoundException;
+import org.graylog2.events.ClusterEventBus;
+import org.graylog2.plugin.database.ValidationException;
+import org.graylog2.shared.security.Permissions;
+import org.graylog2.shared.security.RestPermissions;
+import org.graylog2.shared.users.Role;
+import org.graylog2.users.RoleImpl;
+import org.graylog2.users.RoleService;
+import org.graylog2.users.RoleServiceImpl;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mockito;
+
+import java.util.Collections;
+import java.util.Set;
+
+@ExtendWith(MongoDBExtension.class)
+class InMemoryRolePermissionResolverTest {
+    @Test
+    void testRoleChangedEventHandling(MongoCollections mongoCollections) throws NotFoundException, ValidationException {
+        final EventBus eventBus = new EventBus();
+        final ClusterEventBus clusterEventBus = new ClusterEventBus() {
+            @Override
+            public void post(@Nonnull Object event) {
+                eventBus.post(event);
+            }
+        };
+        final RoleService service = new RoleServiceImpl(mongoCollections, new Permissions(Collections.emptySet()), Mockito.mock(Validator.class), clusterEventBus);
+        final RolePermissionResolver resolver = new InMemoryRolePermissionResolver(service, eventBus);
+
+        // test that the built-in roles are present right after resolver init
+        Assertions.assertThat(resolver.resolvePermissionsInRole(service.getAdminRoleObjectId()))
+                .anySatisfy(permission -> permission.implies(new AllPermission()));
+
+        // now let the service create a role. This information should be immediately propagated to the resolver
+        final Role createdRole = service.save(createRole("inputs_manager", "manages inputs", Set.of(RestPermissions.INPUTS_READ, RestPermissions.INPUTS_CREATE)));
+
+        // without explicitly updating the resolver (relying on the event bus), let's check that the role and its permissions
+        // are available.
+        Assertions.assertThat(resolver.resolvePermissionsInRole(createdRole.getId()))
+                .hasSize(2)
+                .anySatisfy(permission -> permission.implies(new CaseSensitiveWildcardPermission(RestPermissions.INPUTS_READ)))
+                .anySatisfy(permission -> permission.implies(new CaseSensitiveWildcardPermission(RestPermissions.INPUTS_CREATE)));
+
+        // now let's delete a role and check that the resolver got rid of it as well
+        service.delete("inputs_manager");
+        Assertions.assertThat(resolver.resolvePermissionsInRole(createdRole.getId()))
+                .isEmpty();
+    }
+
+
+    @Nonnull
+    private static RoleImpl createRole(String name, String description, Set<String> permissions) {
+        final RoleImpl role = new RoleImpl();
+        role.setName(name);
+        role.setDescription(description);
+        role.setPermissions(permissions);
+        role.setReadOnly(false);
+        return role;
+    }
+}

graylog2-server/src/test/java/org/graylog2/users/RoleServiceImplTest.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.users;
+
+import com.google.common.eventbus.EventBus;
+import com.google.common.eventbus.Subscribe;
+import jakarta.annotation.Nonnull;
+import jakarta.validation.Validator;
+import org.assertj.core.api.Assertions;
+import org.graylog.testing.mongodb.MongoDBExtension;
+import org.graylog2.database.MongoCollections;
+import org.graylog2.events.ClusterEventBus;
+import org.graylog2.plugin.database.ValidationException;
+import org.graylog2.shared.security.Permissions;
+import org.graylog2.shared.security.RestPermissions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mockito;
+
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+@ExtendWith(MongoDBExtension.class)
+class RoleServiceImplTest {
+
+    @Test
+    void testChangeEvents(MongoCollections mongoCollections) throws ValidationException {
+        final EventsCollector eventsCollector = new EventsCollector();
+        final EventBus eventBus = new EventBus();
+
+        final ClusterEventBus clusterEventBus = new ClusterEventBus() {
+            @Override
+            public void post(@Nonnull Object event) {
+                eventBus.post(event);
+            }
+        };
+
+        eventBus.register(eventsCollector);
+        final RoleService service = new RoleServiceImpl(mongoCollections, new Permissions(Collections.emptySet()), Mockito.mock(Validator.class), clusterEventBus);
+        service.save(createRole("inputs_manager", "manages inputs", Set.of(RestPermissions.INPUTS_READ, RestPermissions.INPUTS_CREATE), false));
+        service.save(createRole("inputs_reader", "reads inputs", Set.of(RestPermissions.INPUTS_READ), false));
+
+        Assertions.assertThat(eventsCollector.getEvents())
+                .hasSize(4) // two built-in roles, Admin and Reader + whatever we add here
+                .map(RoleChangedEvent::roleName)
+                .contains("Admin", "Reader", "inputs_manager", "inputs_reader");
+    }
+
+    @Nonnull
+    private static RoleImpl createRole(String name, String description, Set<String> permissions, boolean readOnly) {
+        final RoleImpl role = new RoleImpl();
+        role.setName(name);
+        role.setDescription(description);
+        role.setPermissions(permissions);
+        role.setReadOnly(readOnly);
+        return role;
+    }
+
+    private class EventsCollector {
+        private final List<RoleChangedEvent> events = new LinkedList<>();
+
+        @Subscribe
+        public void subscribe(RoleChangedEvent event) {
+            this.events.add(event);
+        }
+
+        public List<RoleChangedEvent> getEvents() {
+            return events;
+        }
+    }
+}