Add project permission cache

backend/src/ee/services/access-approval-request/access-approval-request-service.ts

@@ -35,7 +35,7 @@ import { ApprovalStatus, TAccessApprovalRequestServiceFactory } from "./access-a
 
 type TSecretApprovalRequestServiceFactoryDep = {
   additionalPrivilegeDAL: Pick<TProjectUserAdditionalPrivilegeDALFactory, "create" | "findById">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "invalidateProjectPermissionCache">;
   accessApprovalPolicyApproverDAL: Pick<TAccessApprovalPolicyApproverDALFactory, "find">;
   projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
   projectDAL: Pick<
@@ -758,6 +758,8 @@ export const accessApprovalRequestServiceFactory = ({
             { privilegeId: privilegeIdToSet, status: ApprovalStatus.APPROVED },
             tx
           );
+
+          await permissionService.invalidateProjectPermissionCache(accessApprovalRequest.projectId, tx);
         }
       }
 

backend/src/ee/services/group/group-service.ts

@@ -44,7 +44,10 @@ type TGroupServiceFactoryDep = {
   projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser" | "findById">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "delete" | "findLatestProjectKey" | "insertMany">;
-  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
+  permissionService: Pick<
+    TPermissionServiceFactory,
+    "getOrgPermission" | "getOrgPermissionByRole" | "invalidateProjectPermissionCache"
+  >;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
   oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne">;
 };
@@ -225,6 +228,15 @@ export const groupServiceFactory = ({
       return updated;
     });
 
+    if (role) {
+      const groupProjects = await groupProjectDAL.find({ groupId: group.id });
+      await Promise.allSettled([
+        ...groupProjects.map((groupProject) =>
+          permissionService.invalidateProjectPermissionCache(groupProject.projectId)
+        )
+      ]);
+    }
+
     return updatedGroup;
   };
 
@@ -247,11 +259,17 @@ export const groupServiceFactory = ({
         message: "Failed to delete group due to plan restriction. Upgrade plan to delete group."
       });
 
+    const groupProjects = await groupProjectDAL.find({ groupId: id });
+
     const [group] = await groupDAL.delete({
       id,
       orgId: actorOrgId
     });
 
+    await Promise.allSettled([
+      ...groupProjects.map((groupProject) => permissionService.invalidateProjectPermissionCache(groupProject.projectId))
+    ]);
+
     return group;
   };
 
@@ -398,6 +416,11 @@ export const groupServiceFactory = ({
       projectBotDAL
     });
 
+    const groupProjects = await groupProjectDAL.find({ groupId: group.id });
+    await Promise.allSettled([
+      ...groupProjects.map((groupProject) => permissionService.invalidateProjectPermissionCache(groupProject.projectId))
+    ]);
+
     return users[0];
   };
 
@@ -479,6 +502,11 @@ export const groupServiceFactory = ({
       projectKeyDAL
     });
 
+    const groupProjects = await groupProjectDAL.find({ groupId: group.id });
+    await Promise.allSettled([
+      ...groupProjects.map((groupProject) => permissionService.invalidateProjectPermissionCache(groupProject.projectId))
+    ]);
+
     return users[0];
   };
 

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -28,7 +28,7 @@ type TIdentityProjectAdditionalPrivilegeV2ServiceFactoryDep = {
   identityProjectAdditionalPrivilegeDAL: TIdentityProjectAdditionalPrivilegeV2DALFactory;
   identityProjectDAL: Pick<TIdentityProjectDALFactory, "findOne" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "invalidateProjectPermissionCache">;
 };
 
 export type TIdentityProjectAdditionalPrivilegeV2ServiceFactory = ReturnType<
@@ -115,6 +115,8 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         permissions: packedPermission
       });
 
+      await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
       return {
         ...additionalPrivilege,
         permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -132,6 +134,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
       temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
     });
+
+    await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
     return {
       ...additionalPrivilege,
       permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -224,6 +229,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
         temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
       });
+
+      await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
       return {
         ...additionalPrivilege,
         permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -239,6 +247,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       temporaryRange: null,
       temporaryMode: null
     });
+
+    await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
     return {
       ...additionalPrivilege,
       permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -294,6 +305,9 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
       });
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
+
+    await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
     return {
       ...deletedPrivilege,
       permissions: unpackPermissions(deletedPrivilege.permissions)

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -31,7 +31,7 @@ type TIdentityProjectAdditionalPrivilegeServiceFactoryDep = {
   identityProjectAdditionalPrivilegeDAL: TIdentityProjectAdditionalPrivilegeDALFactory;
   identityProjectDAL: Pick<TIdentityProjectDALFactory, "findOne" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "invalidateProjectPermissionCache">;
 };
 
 export type TIdentityProjectAdditionalPrivilegeServiceFactory = ReturnType<
@@ -129,6 +129,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         slug,
         permissions: packedPermission
       });
+
+      await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
       return {
         ...additionalPrivilege,
         permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -146,6 +149,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryAccessStartTime: new Date(dto.temporaryAccessStartTime),
       temporaryAccessEndTime: new Date(new Date(dto.temporaryAccessStartTime).getTime() + relativeTempAllocatedTimeInMs)
     });
+
+    await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
     return {
       ...additionalPrivilege,
       permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -250,6 +256,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
         temporaryAccessStartTime: new Date(temporaryAccessStartTime || ""),
         temporaryAccessEndTime: new Date(new Date(temporaryAccessStartTime || "").getTime() + ms(temporaryRange || ""))
       });
+
+      await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
       return {
         ...additionalPrivilege,
         permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -265,6 +274,9 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
       temporaryRange: null,
       temporaryMode: null
     });
+
+    await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
     return {
       ...additionalPrivilege,
       permissions: unpackPermissions(additionalPrivilege.permissions)
@@ -338,9 +350,11 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     }
 
     const deletedPrivilege = await identityProjectAdditionalPrivilegeDAL.deleteById(identityPrivilege.id);
+
+    await permissionService.invalidateProjectPermissionCache(identityProjectMembership.projectId);
+
     return {
       ...deletedPrivilege,
-
       permissions: unpackPermissions(deletedPrivilege.permissions)
     };
   };

backend/src/ee/services/permission/permission-service-types.ts

@@ -1,5 +1,6 @@
 import { MongoAbility, RawRuleOf } from "@casl/ability";
 import { MongoQuery } from "@ucast/mongo2js";
+import { Knex } from "knex";
 
 import { ActionProjectType } from "@app/db/schemas";
 import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
@@ -283,4 +284,5 @@ export type TPermissionServiceFactory = {
     projectId: string;
     checkPermissions: ProjectPermissionSet;
   }) => Promise<boolean>;
+  invalidateProjectPermissionCache: (projectId: string, tx?: Knex) => Promise<void>;
 };