Cache check results

Author: JoannaaKL

pkg/github/issues_test.go

@@ -52,6 +52,23 @@ func Test_GetIssue(t *testing.T) {
 		},
 	}
 
+	mockPrivateIssue := &github.Issue{
+		Number:  github.Ptr(42),
+		Title:   github.Ptr("Test Issue"),
+		Body:    github.Ptr("This is a test issue"),
+		State:   github.Ptr("open"),
+		HTMLURL: github.Ptr("https://github.com/owner/repo/issues/42"),
+		User: &github.User{
+			Login: github.Ptr("privateuser"),
+		},
+		Repository: &github.Repository{
+			Name: github.Ptr("repo"),
+			Owner: &github.User{
+				Login: github.Ptr("owner"),
+			},
+		},
+	}
+
 	tests := []struct {
 		name               string
 		mockedClient       *http.Client
@@ -101,7 +118,7 @@ func Test_GetIssue(t *testing.T) {
 			mockedClient: mock.NewMockedHTTPClient(
 				mock.WithRequestMatch(
 					mock.GetReposIssuesByOwnerByRepoByIssueNumber,
-					mockIssue,
+					mockPrivateIssue,
 				),
 			),
 			gqlHTTPClient: githubv4mock.NewMockedHTTPClient(
@@ -122,7 +139,7 @@ func Test_GetIssue(t *testing.T) {
 					map[string]any{
 						"owner":    githubv4.String("owner"),
 						"name":     githubv4.String("repo"),
-						"username": githubv4.String("testuser"),
+						"username": githubv4.String("privateuser"),
 					},
 					githubv4mock.DataResponse(map[string]any{
 						"repository": map[string]any{
@@ -140,7 +157,7 @@ func Test_GetIssue(t *testing.T) {
 				"repo":         "repo",
 				"issue_number": float64(42),
 			},
-			expectedIssue:   mockIssue,
+			expectedIssue:   mockPrivateIssue,
 			lockdownEnabled: true,
 		},
 		{

pkg/lockdown/lockdown.go

@@ -4,19 +4,70 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"sync"
+	"time"
 
 	"github.com/shurcooL/githubv4"
 )
 
+type repoAccessKey struct {
+	owner    string
+	repo     string
+	username string
+}
+
+type repoAccessEntry struct {
+	isPrivate bool
+	hasPush   bool
+	loadedAt  time.Time
+}
+
+var (
+	repoAccessCache    sync.Map
+	repoAccessInfoFunc = repoAccessInfo
+	timeNow            = time.Now
+)
+
+// repoAccessRefreshInterval defines how long to cache repository access
+// information before refreshing it.
+const repoAccessRefreshInterval = 10 * time.Minute
+
+func newRepoAccessKey(username, owner, repo string) repoAccessKey {
+	return repoAccessKey{
+		owner:    strings.ToLower(owner),
+		repo:     strings.ToLower(repo),
+		username: strings.ToLower(username),
+	}
+}
+
 // ShouldRemoveContent determines if content should be removed based on
 // lockdown mode rules. It checks if the repository is private and if the user
 // has push access to the repository.
 func ShouldRemoveContent(ctx context.Context, client *githubv4.Client, username, owner, repo string) (bool, error) {
-	isPrivate, hasPushAccess, err := repoAccessInfo(ctx, client, username, owner, repo)
+	key := newRepoAccessKey(username, owner, repo)
+
+	now := timeNow()
+	if cached, ok := repoAccessCache.Load(key); ok {
+		entry := cached.(repoAccessEntry)
+		if now.Sub(entry.loadedAt) < repoAccessRefreshInterval {
+			if entry.isPrivate {
+				return false, nil
+			}
+			return !entry.hasPush, nil
+		}
+	}
+
+	isPrivate, hasPushAccess, err := repoAccessInfoFunc(ctx, client, username, owner, repo)
 	if err != nil {
 		return false, err
 	}
 
+	repoAccessCache.Store(key, repoAccessEntry{
+		isPrivate: isPrivate,
+		hasPush:   hasPushAccess,
+		loadedAt:  timeNow(),
+	})
+
 	// Do not filter content for private repositories
 	if isPrivate {
 		return false, nil
@@ -25,6 +76,14 @@ func ShouldRemoveContent(ctx context.Context, client *githubv4.Client, username,
 	return !hasPushAccess, nil
 }
 
+// clearRepoAccessCache removes all cached repository access information; used by tests.
+func clearRepoAccessCache() {
+	repoAccessCache.Range(func(key, _ any) bool {
+		repoAccessCache.Delete(key)
+		return true
+	})
+}
+
 func repoAccessInfo(ctx context.Context, client *githubv4.Client, username, owner, repo string) (bool, bool, error) {
 	if client == nil {
 		return false, false, fmt.Errorf("nil GraphQL client")

pkg/lockdown/lockdown_test.go

@@ -0,0 +1,155 @@
+package lockdown
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/shurcooL/githubv4"
+)
+
+func TestShouldRemoveContentCachesResultsWithinInterval(t *testing.T) {
+	clearRepoAccessCache()
+	defer clearRepoAccessCache()
+
+	originalInfoFunc := repoAccessInfoFunc
+	defer func() { repoAccessInfoFunc = originalInfoFunc }()
+
+	originalTimeNow := timeNow
+	defer func() { timeNow = originalTimeNow }()
+
+	fixed := time.Now()
+	timeNow = func() time.Time { return fixed }
+
+	callCount := 0
+	repoAccessInfoFunc = func(_ context.Context, _ *githubv4.Client, _, _, _ string) (bool, bool, error) {
+		callCount++
+		return false, true, nil
+	}
+
+	ctx := context.Background()
+
+	remove, err := ShouldRemoveContent(ctx, nil, "User", "Owner", "Repo")
+	if err != nil {
+		t.Fatalf("unexpected error on first call: %v", err)
+	}
+	if remove {
+		t.Fatalf("expected remove=false when user has push access")
+	}
+
+	remove, err = ShouldRemoveContent(ctx, nil, "user", "owner", "repo")
+	if err != nil {
+		t.Fatalf("unexpected error on cached call: %v", err)
+	}
+	if remove {
+		t.Fatalf("expected remove=false when cached entry reused")
+	}
+	if callCount != 1 {
+		t.Fatalf("expected cached result to prevent additional repo access queries, got %d", callCount)
+	}
+}
+
+func TestShouldRemoveContentRefreshesAfterInterval(t *testing.T) {
+	clearRepoAccessCache()
+	defer clearRepoAccessCache()
+
+	originalInfoFunc := repoAccessInfoFunc
+	defer func() { repoAccessInfoFunc = originalInfoFunc }()
+
+	originalTimeNow := timeNow
+	defer func() { timeNow = originalTimeNow }()
+
+	base := time.Now()
+	current := base
+	timeNow = func() time.Time { return current }
+
+	callCount := 0
+	repoAccessInfoFunc = func(_ context.Context, _ *githubv4.Client, _, _, _ string) (bool, bool, error) {
+		callCount++
+		if callCount == 1 {
+			return false, false, nil
+		}
+		return false, true, nil
+	}
+
+	ctx := context.Background()
+
+	remove, err := ShouldRemoveContent(ctx, nil, "user", "owner", "repo")
+	if err != nil {
+		t.Fatalf("unexpected error on first call: %v", err)
+	}
+	if !remove {
+		t.Fatalf("expected remove=true when user lacks push access")
+	}
+	if callCount != 1 {
+		t.Fatalf("expected first call to query once, got %d", callCount)
+	}
+
+	current = base.Add(9 * time.Minute)
+	remove, err = ShouldRemoveContent(ctx, nil, "user", "owner", "repo")
+	if err != nil {
+		t.Fatalf("unexpected error before refresh interval: %v", err)
+	}
+	if !remove {
+		t.Fatalf("expected remove=true before refresh interval expires")
+	}
+	if callCount != 1 {
+		t.Fatalf("expected cached value before refresh interval, got %d calls", callCount)
+	}
+
+	current = base.Add(11 * time.Minute)
+	remove, err = ShouldRemoveContent(ctx, nil, "user", "owner", "repo")
+	if err != nil {
+		t.Fatalf("unexpected error after refresh interval: %v", err)
+	}
+	if remove {
+		t.Fatalf("expected remove=false after permissions refreshed")
+	}
+	if callCount != 2 {
+		t.Fatalf("expected refreshed access info after interval, got %d calls", callCount)
+	}
+}
+
+func TestShouldRemoveContentDoesNotCacheErrors(t *testing.T) {
+	clearRepoAccessCache()
+	defer clearRepoAccessCache()
+
+	originalInfoFunc := repoAccessInfoFunc
+	defer func() { repoAccessInfoFunc = originalInfoFunc }()
+
+	originalTimeNow := timeNow
+	defer func() { timeNow = originalTimeNow }()
+
+	now := time.Now()
+	timeNow = func() time.Time { return now }
+
+	callCount := 0
+	repoAccessInfoFunc = func(_ context.Context, _ *githubv4.Client, _, _, _ string) (bool, bool, error) {
+		callCount++
+		if callCount == 1 {
+			return false, false, errors.New("boom")
+		}
+		return false, false, nil
+	}
+
+	ctx := context.Background()
+
+	if _, err := ShouldRemoveContent(ctx, nil, "user", "owner", "repo"); err == nil {
+		t.Fatal("expected error on first call")
+	}
+	if callCount != 1 {
+		t.Fatalf("expected single call after error, got %d", callCount)
+	}
+
+	remove, err := ShouldRemoveContent(ctx, nil, "user", "owner", "repo")
+	if err != nil {
+		t.Fatalf("unexpected error on retry: %v", err)
+	}
+	if !remove {
+		t.Fatalf("expected remove=true when user lacks push access")
+	}
+	if callCount != 2 {
+		t.Fatalf("expected repo access to be queried again after error, got %d calls", callCount)
+	}
+}