Add policy indexing infrastructure for performance optimization

Co-authored-by: mserico <[email protected]>

Author: Copilot

src/coreEnforcer.ts

@@ -62,6 +62,7 @@ export class CoreEnforcer {
   protected autoBuildRoleLinks = true;
   protected autoNotifyWatcher = true;
   protected acceptJsonRequest = false;
+  protected autoBuildPolicyIndex = false;
   protected fs?: FileSystem;
 
   /**
@@ -245,6 +246,10 @@ export class CoreEnforcer {
     if (this.autoBuildRoleLinks) {
       await this.buildRoleLinksInternal();
     }
+
+    if (this.autoBuildPolicyIndex) {
+      this.buildPolicyIndexInternal();
+    }
   }
 
   /**
@@ -280,6 +285,11 @@ export class CoreEnforcer {
     if (this.autoBuildRoleLinks) {
       await this.buildRoleLinksInternal();
     }
+
+    if (this.autoBuildPolicyIndex) {
+      this.buildPolicyIndexInternal();
+    }
+
     return true;
   }
 
@@ -371,6 +381,18 @@ export class CoreEnforcer {
     this.autoBuildRoleLinks = autoBuildRoleLinks;
   }
 
+  /**
+   * enableAutoBuildPolicyIndex controls whether to build an index for policies
+   * to improve performance when checking permissions with many policies.
+   * The index groups policies by subject (first field), which significantly
+   * improves performance for RBAC models with wildcard matching.
+   *
+   * @param autoBuildPolicyIndex whether to automatically build the policy index.
+   */
+  public enableAutoBuildPolicyIndex(autoBuildPolicyIndex: boolean): void {
+    this.autoBuildPolicyIndex = autoBuildPolicyIndex;
+  }
+
   /**
    * add matching function to RoleManager by ptype
    * @param ptype g
@@ -404,6 +426,23 @@ export class CoreEnforcer {
     return this.buildRoleLinksInternal();
   }
 
+  /**
+   * buildPolicyIndex manually rebuilds the policy index.
+   * This improves enforcement performance for models with many policies.
+   */
+  public buildPolicyIndex(): void {
+    return this.buildPolicyIndexInternal();
+  }
+
+  protected buildPolicyIndexInternal(): void {
+    const pMap = this.model.model.get('p');
+    if (pMap) {
+      pMap.forEach((ast) => {
+        ast.buildPolicyIndex();
+      });
+    }
+  }
+
   /**
    * buildIncrementalRoleLinks provides incremental build the role inheritance relations.
    * @param op policy operation
@@ -426,6 +465,53 @@ export class CoreEnforcer {
     }
   }
 
+  /**
+   * Get policy indices to check for a given subject.
+   * This method is called before enforcement to optimize which policies to check.
+   */
+  protected async getPolicyIndicesToCheck(subject: string, enforceContext: EnforceContext): Promise<number[] | null> {
+    if (!this.autoBuildPolicyIndex) {
+      return null;
+    }
+
+    const p = this.model.model.get('p')?.get(enforceContext.pType);
+    if (!p || !p.policyIndexMap || p.policyIndexMap.size === 0) {
+      return null;
+    }
+
+    const subjects = new Set<string>();
+    subjects.add(subject);
+
+    // Get all roles for the subject
+    const astMap = this.model.model.get('g');
+    if (astMap) {
+      for (const [key, value] of astMap) {
+        const rm = value.rm;
+        if (rm) {
+          try {
+            const roles = await rm.getRoles(subject);
+            roles.forEach((role) => subjects.add(role));
+          } catch (e) {
+            // If there's an error getting roles, fall back to checking all policies
+            return null;
+          }
+        }
+      }
+    }
+
+    // Collect all policy indices for the subject and its roles
+    const indices: number[] = [];
+    for (const sub of subjects) {
+      const subIndices = p.policyIndexMap.get(sub);
+      if (subIndices) {
+        indices.push(...subIndices);
+      }
+    }
+
+    // If we found specific indices, return them; otherwise return null to check all
+    return indices.length > 0 ? indices : null;
+  }
+
   private *privateEnforce(
     asyncCompile = true,
     explain = false,

src/model/assertion.ts

@@ -25,6 +25,7 @@ export class Assertion {
   public policy: string[][];
   public rm: rbac.RoleManager;
   public fieldIndexMap: Map<string, number>;
+  public policyIndexMap: Map<string, number[]>;
 
   /**
    * constructor is the constructor for Assertion.
@@ -36,6 +37,63 @@ export class Assertion {
     this.policy = [];
     this.rm = new rbac.DefaultRoleManager(10);
     this.fieldIndexMap = new Map<string, number>();
+    this.policyIndexMap = new Map<string, number[]>();
+  }
+
+  /**
+   * buildPolicyIndex builds an index for policies by subject (first field).
+   * This improves performance when checking permissions with many policies.
+   */
+  public buildPolicyIndex(): void {
+    this.policyIndexMap.clear();
+    for (let i = 0; i < this.policy.length; i++) {
+      const rule = this.policy[i];
+      if (rule.length > 0) {
+        const subject = rule[0];
+        const indices = this.policyIndexMap.get(subject);
+        if (indices) {
+          indices.push(i);
+        } else {
+          this.policyIndexMap.set(subject, [i]);
+        }
+      }
+    }
+  }
+
+  /**
+   * addPolicyIndex adds an index entry for a newly added policy.
+   */
+  public addPolicyIndex(rule: string[], index: number): void {
+    if (rule.length > 0) {
+      const subject = rule[0];
+      const indices = this.policyIndexMap.get(subject);
+      if (indices) {
+        indices.push(index);
+      } else {
+        this.policyIndexMap.set(subject, [index]);
+      }
+    }
+  }
+
+  /**
+   * removePolicyIndex removes an index entry for a deleted policy.
+   */
+  public removePolicyIndex(rule: string[]): void {
+    if (rule.length > 0) {
+      const subject = rule[0];
+      const indices = this.policyIndexMap.get(subject);
+      if (indices) {
+        // Rebuild the index for this subject since we don't know the exact index
+        this.policyIndexMap.delete(subject);
+        for (let i = 0; i < this.policy.length; i++) {
+          if (this.policy[i][0] === subject) {
+            const newIndices = this.policyIndexMap.get(subject) || [];
+            newIndices.push(i);
+            this.policyIndexMap.set(subject, newIndices);
+          }
+        }
+      }
+    }
   }
 
   public async buildIncrementalRoleLinks(rm: rbac.RoleManager, op: PolicyOp, rules: string[][]): Promise<void> {

src/model/model.ts

@@ -262,13 +262,18 @@ export class Model {
         const priorityRule = rule[priorityIndex];
         const insertIndex = policy.findIndex((oneRule) => oneRule[priorityIndex] >= priorityRule);
 
-        if (priorityIndex === -1) {
+        if (insertIndex === -1) {
           policy.push(rule);
+          ast.addPolicyIndex(rule, policy.length - 1);
         } else {
           policy.splice(insertIndex, 0, rule);
+          // Rebuild index for this section since indices have shifted
+          ast.buildPolicyIndex();
         }
       } else {
+        const index = policy.length;
         policy.push(rule);
+        ast.addPolicyIndex(rule, index);
       }
       return true;
     }
@@ -296,7 +301,12 @@ export class Model {
         this.addPolicy(sec, ptype, rule);
       });
     } else {
+      const startIndex = ast.policy.length;
       ast.policy = ast.policy.concat(rules);
+      // Add index entries for all new policies
+      rules.forEach((rule, i) => {
+        ast.addPolicyIndex(rule, startIndex + i);
+      });
     }
 
     return [true, rules];
@@ -319,13 +329,21 @@ export class Model {
     if (priorityIndex !== -1) {
       if (oldRule[priorityIndex] === newRule[priorityIndex]) {
         ast.policy[index] = newRule;
+        // Update index if subject changed
+        if (oldRule[0] !== newRule[0]) {
+          ast.buildPolicyIndex();
+        }
       } else {
         // this.removePolicy(sec, ptype, oldRule);
         // this.addPolicy(sec, ptype, newRule);
         throw new Error('new rule should have the same priority with old rule.');
       }
     } else {
       ast.policy[index] = newRule;
+      // Update index if subject changed
+      if (oldRule[0] !== newRule[0]) {
+        ast.buildPolicyIndex();
+      }
     }
 
     return true;
@@ -339,6 +357,8 @@ export class Model {
         return false;
       }
       ast.policy = ast.policy.filter((r) => !util.arrayEquals(rule, r));
+      // Rebuild index since we removed a policy
+      ast.buildPolicyIndex();
       return true;
     }
 
@@ -369,6 +389,9 @@ export class Model {
       });
     }
 
+    // Rebuild index since we removed policies
+    ast.buildPolicyIndex();
+
     return [true, effects];
   }
 
@@ -429,6 +452,8 @@ export class Model {
 
     if (effects.length !== 0) {
       ast.policy = res;
+      // Rebuild index since we removed policies
+      ast.buildPolicyIndex();
     }
 
     return [bool, effects];