feat: optimize multi tenancy evaluation to happen only once per event

Author: JoseSzycho

internal/indexer/consumer.go

@@ -33,7 +33,7 @@ type auditEvent struct {
 	} `json:"objectRef"`
 	ResponseObject map[string]any `json:"responseObject"`
 	// User carries authenticated user information including tenant context in extra fields.
-	User struct {
+	User *struct {
 		Extra map[string][]string `json:"extra,omitempty"`
 	} `json:"user,omitempty"`
 }
@@ -45,7 +45,7 @@ func extractTenantFromAuditEvent(event *auditEvent) (tenantName string, tenantTy
 	tenantName = "platform"
 	tenantType = "platform"
 
-	if event.User.Extra == nil {
+	if event.User == nil || event.User.Extra == nil {
 		return
 	}
 
@@ -134,6 +134,14 @@ func (i *Indexer) Start(ctx context.Context) error {
 			return
 		}
 
+		// In single-tenant mode, skip non-platform
+		// events entirely so that no policy can accidentally queue them.
+		tenantName, tenantType := extractTenantFromAuditEvent(&event)
+		if !i.multiTenant && tenantType != tenantTypePlatform {
+			msg.Ack()
+			return
+		}
+
 		queued := false
 
 		policies := i.policyCache.GetPolicies()
@@ -155,14 +163,9 @@ func (i *Indexer) Start(ctx context.Context) error {
 					continue
 				}
 
-				// Always extract tenant context from the audit event's user extra fields.
-				// In single-tenant mode, skip non-platform resources so that project-tenant
-				// resources are never incorrectly indexed as platform resources.
-				evalResult.Tenant, evalResult.TenantType = extractTenantFromAuditEvent(&event)
-				if !i.multiTenant && evalResult.TenantType != tenantTypePlatform {
-					msg.Ack()
-					continue
-				}
+				// Attach the already-extracted tenant context to the eval result.
+				evalResult.Tenant = tenantName
+				evalResult.TenantType = tenantType
 
 				// Transform the matching resource into an indexable document
 				doc := evalResult.Transform()

internal/indexer/consumer_test.go

@@ -159,9 +159,13 @@ func TestIndexer_Start_ConsumeFlow(t *testing.T) {
 
 func TestExtractTenantFromAuditEvent_WithUserExtra(t *testing.T) {
 	event := &auditEvent{}
-	event.User.Extra = map[string][]string{
-		"iam.miloapis.com/parent-type": {"project"},
-		"iam.miloapis.com/parent-name": {"my-project"},
+	event.User = &struct {
+		Extra map[string][]string `json:"extra,omitempty"`
+	}{
+		Extra: map[string][]string{
+			"iam.miloapis.com/parent-type": {"project"},
+			"iam.miloapis.com/parent-name": {"my-project"},
+		},
 	}
 
 	name, typ := extractTenantFromAuditEvent(event)
@@ -192,8 +196,12 @@ func TestExtractTenantFromAuditEvent_PartialUserExtra_TypeOnlyNoName(t *testing.
 	// Only parent-type is set; parent-name is absent.
 	// Expect: tenantType reflects the extra field, tenantName falls back to "platform".
 	event := &auditEvent{}
-	event.User.Extra = map[string][]string{
-		"iam.miloapis.com/parent-type": {"project"},
+	event.User = &struct {
+		Extra map[string][]string `json:"extra,omitempty"`
+	}{
+		Extra: map[string][]string{
+			"iam.miloapis.com/parent-type": {"project"},
+		},
 	}
 
 	name, typ := extractTenantFromAuditEvent(event)
@@ -209,9 +217,13 @@ func TestExtractTenantFromAuditEvent_PartialUserExtra_TypeOnlyNoName(t *testing.
 func TestExtractTenantFromAuditEvent_EmptySliceValues(t *testing.T) {
 	// Keys present but with empty slices should not override the defaults.
 	event := &auditEvent{}
-	event.User.Extra = map[string][]string{
-		"iam.miloapis.com/parent-type": {},
-		"iam.miloapis.com/parent-name": {},
+	event.User = &struct {
+		Extra map[string][]string `json:"extra,omitempty"`
+	}{
+		Extra: map[string][]string{
+			"iam.miloapis.com/parent-type": {},
+			"iam.miloapis.com/parent-name": {},
+		},
 	}
 
 	name, typ := extractTenantFromAuditEvent(event)