[Comp-792-2] Remove simple cache from staff and auth services (#717)

Author: tolkamps1

compliance-api/src/compliance_api/services/authorize_service/auth_service.py

@@ -4,102 +4,36 @@
 from flask import current_app, g
 
 from compliance_api.exceptions import BusinessError
-from compliance_api.utils.cache import cache
 from compliance_api.utils.constant import AUTH_APP
 from compliance_api.utils.enum import HttpMethod
 
 from .constant import API_REQUEST_TIMEOUT
 
 
 class AuthService:
-    """Handle service request for epic.authorize with integrated cache management."""
-
-    AUTH_CACHE_VERSION_KEY = "auth_cache_version"
-
-    @classmethod
-    def _get_auth_cache_version(cls):
-        """
-        Get current auth cache version from shared cache.
-
-        This ensures all pods see the same version number.
-        """
-        version = cache.get(cls.AUTH_CACHE_VERSION_KEY)
-        if version is None:
-            version = 0
-            cache.set(cls.AUTH_CACHE_VERSION_KEY, version)
-        return version
+    """Handle service request for epic.authorize."""
 
     @staticmethod
     def get_epic_user_by_guid(auth_user_guid: str):
-        """
-        Return the user representation from epic.authorize (cached).
-
-        This is called frequently for individual user lookups,
-        so we cache it with the user's token hash for security.
-        """
-        from compliance_api.services.cached_staff_user import CachedStaffUserService
-
-        # Include version AND token hash in cache key
-        version = AuthService._get_auth_cache_version()
-        token_hash = CachedStaffUserService._get_token_hash()
-        cache_key = f"auth_user:{auth_user_guid}:{token_hash}:v{version}"
-
-        cached_result = cache.get(cache_key)
-        if cached_result is not None:
-            current_app.logger.debug(f"Cache hit for auth user {auth_user_guid}")
-            return cached_result
-
-        current_app.logger.debug(f"Cache miss for auth user {auth_user_guid}")
-
+        """Return the user representation from epic.authorize."""
         auth_user_response = _request_auth_service(f"users/{auth_user_guid}")
         if auth_user_response.status_code != 200:
             raise BusinessError(
                 f"Error finding user with ID {auth_user_guid} from auth server"
             )
-
-        result = auth_user_response.json()
-        cache.set(cache_key, result, timeout=180)  # 3 minutes
-        return result
+        return auth_user_response.json()
 
     @staticmethod
     def get_epic_users_by_app():
-        """
-        Return all users belonging to COMPLIANCE app with caching.
-
-        This caches per-user to prevent data leakage.
-        """
-        from compliance_api.services.cached_staff_user import CachedStaffUserService
-        from compliance_api.utils.constant import AUTH_APP
-        from compliance_api.exceptions import BusinessError
-
-        # Include version AND token hash in cache key
-        version = AuthService._get_auth_cache_version()
-        token_hash = CachedStaffUserService._get_token_hash()
-        cache_key = f"auth_users_app:{AUTH_APP}:{token_hash}:v{version}"
-
-        cached_result = cache.get(cache_key)
-        if cached_result is not None:
-            current_app.logger.debug("Cache hit for auth users by app")
-            return cached_result
-
-        current_app.logger.debug("Cache miss for auth users by app")
-
-        # Fetch from auth service
+        """Return all users belonging to COMPLIANCE app."""
         auth_users_response = _request_auth_service(f"users?app_name={AUTH_APP}")
         if auth_users_response.status_code != 200:
             raise BusinessError(f"Error fetching users for the app {AUTH_APP}")
-
-        result = auth_users_response.json()
-        cache.set(cache_key, result, timeout=180)  # 3 minutes
-        return result
+        return auth_users_response.json()
 
     @staticmethod
     def update_user_group(auth_user_guid: str, payload: dict):
-        """Update user group and invalidate all related caches."""
-        from compliance_api.services.cached_staff_user import CachedStaffUserService
-        from compliance_api.utils.enum import HttpMethod
-        from compliance_api.exceptions import BusinessError
-
+        """Update the group of the user in the identity server."""
         update_group_response = _request_auth_service(
             f"users/{auth_user_guid}/groups", HttpMethod.PUT, payload
         )
@@ -108,53 +42,20 @@ def update_user_group(auth_user_guid: str, payload: dict):
                 f"Update group in the auth server failed for user : {auth_user_guid}"
             )
 
-        # Invalidate all auth caches by bumping version
-        AuthService._invalidate_all_auth_cache()
-
-        # Invalidate ALL staff caches since permissions changed
-        CachedStaffUserService.invalidate_staff_cache(auth_user_guid)
-
         return update_group_response
 
     @staticmethod
     def delete_user_group(auth_user_guid: str, group: str, del_sub_group_mappings=True):
-        """Delete user group and invalidate all related caches."""
-        from compliance_api.services.cached_staff_user import CachedStaffUserService
-        from compliance_api.utils.enum import HttpMethod
-        from compliance_api.exceptions import BusinessError
-
+        """Delete user group."""
         delete_response = _request_auth_service(
             f"users/{auth_user_guid}/groups/{group}?del_sub_group_mappings={del_sub_group_mappings}",
             HttpMethod.DELETE,
         )
         if delete_response.status_code != 204:
             raise BusinessError("Delete group mapping failed")
 
-        # Invalidate all auth caches by bumping version
-        AuthService._invalidate_all_auth_cache()
-
-        # Invalidate all staff caches since permissions changed
-        CachedStaffUserService.invalidate_staff_cache(auth_user_guid)
-
         return delete_response
 
-    @staticmethod
-    def _invalidate_all_auth_cache():
-        """Invalidate all auth cache by bumping version number."""
-        try:
-            current_version = cache.get(AuthService.AUTH_CACHE_VERSION_KEY)
-            if current_version is None:
-                current_version = 0
-
-            new_version = current_version + 1
-            cache.set(AuthService.AUTH_CACHE_VERSION_KEY, new_version)
-
-            current_app.logger.debug(
-                f"Bumped auth cache version from {current_version} to {new_version}"
-            )
-        except (AttributeError, RuntimeError) as e:
-            current_app.logger.error(f"Error invalidating auth cache: {e}")
-
 
 def _request_auth_service(
     relative_url, http_method: HttpMethod = HttpMethod.GET, data=None

compliance-api/src/compliance_api/services/cached_staff_user.py

@@ -1,36 +1,23 @@
-"""Integrated caching strategy for staff users."""
+"""
+CachedStaffUserService provides methods for staff user data retrieval.
 
-import hashlib
-from flask import current_app, g
+NOTE:
+Staff caching has been intentionally removed for in production.
+This service always fetches fresh data to avoid cross-pod
+permission inconsistencies.
+Re-enable only with a shared cache, not a Simple cache.
+"""
+
+from flask import current_app
 
 from compliance_api.models.staff_user import StaffUser as StaffUserModel
 from compliance_api.schemas.staff_user import StaffUserSchema
 from compliance_api.services.authorize_service.auth_service import AuthService
-from compliance_api.utils.cache import cache
 
 
 class CachedStaffUserService:
     """Cached staff user service for performance optimization during token validation."""
 
-    CACHE_TIMEOUT = 3600  # 1 hour
-    STAFF_CACHE_KEY_PREFIX = "staff_user:"
-    ALL_STAFF_CACHE_KEY = "all_staff_users"
-    ALL_STAFF_WITH_AUTH_PREFIX = "all_staff_with_auth:"
-    CACHE_VERSION_KEY = "staff_cache_version"
-
-    @classmethod
-    def _get_cache_version(cls):
-        """
-        Get current cache version from shared cache.
-
-        This ensures all pods see the same version number.
-        """
-        version = cache.get(cls.CACHE_VERSION_KEY)
-        if version is None:
-            version = 0
-            cache.set(cls.CACHE_VERSION_KEY, version)
-        return version
-
     @classmethod
     def exists_staff_by_auth_guid(cls, auth_guid: str) -> bool:
         """
@@ -48,130 +35,36 @@ def exists_staff_by_auth_guid(cls, auth_guid: str) -> bool:
         if not auth_guid:
             return False
 
-        # Include version in cache key
-        version = cls._get_cache_version()
-        cache_key = f"{cls.STAFF_CACHE_KEY_PREFIX}{auth_guid}:v{version}"
-
-        cached_staff_exists = cache.get(cache_key)
-        if cached_staff_exists is not None:
-            current_app.logger.debug(
-                f"Cache hit for staff existence check: {auth_guid}"
-            )
-            return bool(cached_staff_exists)
+        current_app.logger.debug(
+            f"Fetching staff existence from DB for auth_guid={auth_guid}"
+        )
 
-        current_app.logger.debug(f"Cache miss for staff existence check: {auth_guid}")
         staff_user = StaffUserModel.get_by_auth_guid(auth_guid)
-
-        cache_value = bool(staff_user)
-        cache.set(cache_key, cache_value, timeout=cls.CACHE_TIMEOUT)
-
-        return cache_value
+        return bool(staff_user)
 
     @staticmethod
     def get_all_staff_users_with_auth():
         """
-        Get all staff users with merged auth data (cached as serialized data).
+        Get all staff users with merged auth data.
 
         Returns:
             List of serialized staff user dictionaries
         """
         # pylint: disable=import-outside-toplevel
         from compliance_api.services.staff_user import _set_permission_level_in_compliance_user_obj
 
-        # Get current version from shared cache
-        version = CachedStaffUserService._get_cache_version()
-
-        # Create cache key that includes token hash AND version
-        token_hash = CachedStaffUserService._get_token_hash()
-        cache_key = (
-            f"{CachedStaffUserService.ALL_STAFF_WITH_AUTH_PREFIX}"
-            f"{token_hash}:v{version}"
+        current_app.logger.debug(
+            "Fetching all staff users with auth data (no cache)"
         )
 
-        cached_result = cache.get(cache_key)
-        if cached_result is not None:
-            current_app.logger.debug("Cache hit for all staff users with auth data")
-            return cached_result
-
-        current_app.logger.debug("Cache miss for all staff users with auth data")
-
-        # Get users from compliance database with eager loading
         users = StaffUserModel.get_all_with_relationships(default_filters=False)
 
-        # Get compliance users from epic system
         auth_users = AuthService.get_epic_users_by_app()
-
-        # Merge the two sets of users to set the permission in the result
         index_auth_users = {user["username"]: user for user in auth_users}
+
         for user in users:
-            auth_user = index_auth_users.get(user.auth_user_guid, None)
-            user = _set_permission_level_in_compliance_user_obj(user, auth_user)
+            auth_user = index_auth_users.get(user.auth_user_guid)
+            _set_permission_level_in_compliance_user_obj(user, auth_user)
 
-        # Serialize the data BEFORE caching to avoid detached instance issues
         user_schema = StaffUserSchema(many=True)
-        serialized_users = user_schema.dump(users)
-
-        # Cache the serialized data
-        cache.set(cache_key, serialized_users, timeout=300)  # 5 minutes
-
-        return serialized_users
-
-    @staticmethod
-    def invalidate_staff_cache(auth_guid: str = None):
-        """
-        Invalidate cached staff user data.
-
-        Args:
-            auth_guid: Specific auth_guid to invalidate, or None to clear all staff cache
-        """
-        # Bump version to invalidate all caches across all pods
-        CachedStaffUserService._invalidate_all_staff_cache()
-
-        if auth_guid:
-            current_app.logger.info(f"Invalidated cache for staff user: {auth_guid}")
-
-    @staticmethod
-    def _invalidate_all_staff_cache():
-        """
-        Invalidate all staff cache by bumping version number.
-
-        This invalidates cache for across pods since the version
-        is part of every cache key.
-        """
-        try:
-            current_version = cache.get(CachedStaffUserService.CACHE_VERSION_KEY)
-            if current_version is None:
-                current_version = 0
-
-            new_version = current_version + 1
-            cache.set(CachedStaffUserService.CACHE_VERSION_KEY, new_version)
-            current_app.logger.info(
-                f"Bumped staff cache version from {current_version} to {new_version}"
-            )
-        except (AttributeError, RuntimeError) as e:
-            current_app.logger.error(f"Error invalidating staff cache: {e}")
-
-    @classmethod
-    def _clear_all_staff_cache(cls):
-        """Clear all staff-related cache entries."""
-        try:
-            cache.clear()
-            current_app.logger.info("Cleared all cache (simple cache type)")
-        except (AttributeError, RuntimeError) as e:
-            current_app.logger.error(f"Error clearing cache: {str(e)}")
-
-    @staticmethod
-    def _get_token_hash():
-        """
-        Generate a cache key suffix based on the current user's token.
-
-        This ensures different users get different cached data while
-        not exposing the actual token in cache keys.
-        """
-        token = getattr(g, "access_token", None)
-        if not token:
-            return "no_token"
-
-        # Use first 16 chars of SHA256 hash
-        token_hash = hashlib.sha256(token.encode()).hexdigest()[:16]
-        return token_hash
+        return user_schema.dump(users)