Improve userstate.Generate performance (#58387)

Author: smallinsky

lib/auth/userloginstate/generator.go

@@ -27,14 +27,14 @@ import (
 	"github.com/jonboulle/clockwork"
 
 	"github.com/gravitational/teleport/api/client/proto"
-	accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
 	usageeventsv1 "github.com/gravitational/teleport/api/gen/proto/go/usageevents/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/accesslist"
 	apievents "github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/api/types/header"
 	"github.com/gravitational/teleport/api/types/userloginstate"
 	"github.com/gravitational/teleport/api/utils"
+	"github.com/gravitational/teleport/api/utils/clientutils"
 	"github.com/gravitational/teleport/lib/accesslists"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/modules"
@@ -212,127 +212,96 @@ func (g *Generator) generate(ctx context.Context, user types.User, ulsService se
 
 // addAccessListsToState will add the user's applicable access lists to the user login state after validating them, returning any inherited roles and traits.
 func (g *Generator) addAccessListsToState(ctx context.Context, user types.User, state *userloginstate.UserLoginState) (inheritedRoles []string, inheritedTraits map[string][]string, err error) {
-	accessLists, err := g.accessLists.GetAccessLists(ctx)
+	locks, err := g.accessLists.GetLocks(ctx, true, types.LockTarget{
+		User: user.GetName(),
+	})
 	if err != nil {
 		return nil, nil, trace.Wrap(err)
 	}
+	if len(locks) > 0 {
+		return inheritedRoles, inheritedTraits, nil
+	}
 
 	var allInheritedRoles []string
 	allInheritedTraits := make(map[string][]string)
-
-	for _, accessList := range accessLists {
-		// Grants are inherited if the user is a member of the access list, explicitly or via inheritance.
-		inheritedRoles, inheritedTraits, err := g.handleAccessListMembership(ctx, user, accessList, state)
+	applyHierarchy := func(hierarchy []*accesslist.AccessList, accessListName string, ownerHierarchy bool) error {
+		if len(hierarchy) == 0 {
+			return nil
+		}
+		inheritedRoles, inheritedTraits, err := g.applyGrantsAcrossACLs(ctx, hierarchy, accessListName, user, state, ownerHierarchy)
 		if err != nil {
-			return nil, nil, trace.Wrap(err)
+			return trace.Wrap(err)
 		}
 		allInheritedRoles = append(allInheritedRoles, inheritedRoles...)
 		for k, values := range inheritedTraits {
 			allInheritedTraits[k] = append(allInheritedTraits[k], values...)
 		}
+		return nil
+	}
 
-		// OwnerGrants are inherited if the user is an owner of the access list, explicitly or via inheritance.
-		inheritedRoles, inheritedTraits, err = g.handleAccessListOwnership(ctx, user, accessList, state)
+	h, err := accesslists.NewHierarchy(accesslists.HierarchyConfig{
+		AccessListsService: g.accessLists,
+		Clock:              g.clock,
+	})
+	if err != nil {
+		return nil, nil, trace.Wrap(err)
+	}
+
+	for acl, err := range clientutils.Resources(ctx, g.accessLists.ListAccessLists) {
 		if err != nil {
 			return nil, nil, trace.Wrap(err)
 		}
-		allInheritedRoles = append(allInheritedRoles, inheritedRoles...)
-		for k, values := range inheritedTraits {
-			allInheritedTraits[k] = append(allInheritedTraits[k], values...)
+		memberOf, ownerOf, err := h.GetHierarchyForUser(ctx, acl, user)
+		if err != nil {
+			return nil, nil, trace.Wrap(err)
+		}
+		// Grants are inherited if the user is a member of the access list, explicitly or via inheritance.
+		if err := applyHierarchy(memberOf, acl.GetName(), false); err != nil {
+			return nil, nil, trace.Wrap(err)
+		}
+		// OwnerGrants are inherited if the user is an owner of the access list, explicitly or via inheritance.
+		if err := applyHierarchy(ownerOf, acl.GetName(), true); err != nil {
+			return nil, nil, trace.Wrap(err)
 		}
 	}
-
 	return allInheritedRoles, allInheritedTraits, nil
 }
 
-// handleAccessListMembership validates the access list and applies the grants and traits from the access list to the user if they are a member of the access list.
-// If the access list is invalid (because it references a non-existent role, for example,
-// then it will not be applied.
-func (g *Generator) handleAccessListMembership(ctx context.Context, user types.User, accessList *accesslist.AccessList, state *userloginstate.UserLoginState) ([]string, map[string][]string, error) {
-	var inheritedRoles []string
-	inheritedTraits := make(map[string][]string)
-
-	membershipKind, err := accesslists.IsAccessListMember(ctx, user, accessList, g.accessLists, g.accessLists, g.clock)
-	// Return early if there was an error or the user isn't a member of the access list.
-	if err != nil || membershipKind == accesslistv1.AccessListUserAssignmentType_ACCESS_LIST_USER_ASSIGNMENT_TYPE_UNSPECIFIED {
-		// Log any error besides user being locked.
-		if err != nil && !accesslists.IsUserLocked(err) {
-			g.log.WarnContext(ctx, "checking access list membership", "error", err)
+func (g *Generator) applyGrantsAcrossACLs(ctx context.Context, acls []*accesslist.AccessList, baseName string, user types.User, state *userloginstate.UserLoginState, owner bool) (inheritedRoles []string, inheritedTraits map[string][]string, err error) {
+	inheritedTraits = make(map[string][]string)
+	for _, acl := range acls {
+		grants := selectGrants(acl, owner)
+		missing, err := g.identifyMissingRoles(ctx, grants.Roles)
+		if err != nil {
+			return nil, nil, trace.Wrap(err)
 		}
-		return inheritedRoles, inheritedTraits, nil
-	}
-
-	// Validate that all the roles in the access list exist.
-	missingRoles, err := g.identifyMissingRoles(ctx, accessList.Spec.Grants.Roles)
-	if err != nil {
-		return nil, nil, trace.Wrap(err)
-	}
-
-	// If there are any missing roles, then we cannot apply the access list.
-	// Emit an audit event and return early.
-	// This flow is designed to skip the entire access list rather than processing individual roles within it.
-	// This approach ensures that access lists are treated as cohesive units of access control. Partial
-	// application of an access list could result in unintended permission configurations, potentially leading
-	// to security vulnerabilities or unpredictable behavior.
-	if missingRoles != nil {
-		g.emitSkippedAccessListEvent(ctx, accessList.Spec.Title, missingRoles, user.GetName())
-		return nil, nil, nil
-	}
-
-	g.grantRolesAndTraits(accessList.Spec.Grants, state)
-	if membershipKind == accesslistv1.AccessListUserAssignmentType_ACCESS_LIST_USER_ASSIGNMENT_TYPE_INHERITED {
-		inheritedRoles = append(inheritedRoles, accessList.Spec.Grants.Roles...)
-		for k, values := range accessList.Spec.Grants.Traits {
+		if len(missing) > 0 {
+			// If there are any missing roles, then we cannot apply the access list.
+			// Emit an audit event and skip the access list.
+			// This flow is designed to skip the entire access list rather than processing individual roles within it.
+			// This approach ensures that access lists are treated as cohesive units of access control. Partial
+			// application of an access list could result in unintended permission configurations, potentially leading
+			// to security vulnerabilities or unpredictable behavior.
+			g.emitSkippedAccessListEvent(ctx, acl.Spec.Title, missing, user.GetName())
+			continue
+		}
+		g.grantRolesAndTraits(grants, state)
+		if acl.GetName() == baseName {
+			continue
+		}
+		inheritedRoles = append(inheritedRoles, grants.Roles...)
+		for k, values := range grants.Traits {
 			inheritedTraits[k] = append(inheritedTraits[k], values...)
 		}
 	}
-
 	return inheritedRoles, inheritedTraits, nil
 }
 
-// handleAccessListOwnership validates the access list and applies the grants and traits from the access list to the user if they are an owner of the access list.
-// If the access list is invalid (because it references a non-existent role, for example,
-// then it will not be applied.
-func (g *Generator) handleAccessListOwnership(ctx context.Context, user types.User, accessList *accesslist.AccessList, state *userloginstate.UserLoginState) ([]string, map[string][]string, error) {
-	var inheritedRoles []string
-	inheritedTraits := make(map[string][]string)
-
-	ownershipType, err := accesslists.IsAccessListOwner(ctx, user, accessList, g.accessLists, g.accessLists, g.clock)
-	// Return early if there was an error or the user isn't an owner of the access list.
-	if err != nil || ownershipType == accesslistv1.AccessListUserAssignmentType_ACCESS_LIST_USER_ASSIGNMENT_TYPE_UNSPECIFIED {
-		// Log any error besides user being locked.
-		if err != nil && !accesslists.IsUserLocked(err) {
-			g.log.WarnContext(ctx, "checking access list ownership", "error", err)
-		}
-		return inheritedRoles, inheritedTraits, nil
-	}
-
-	// Validate that all the roles in the access list exist.
-	missingRoles, err := g.identifyMissingRoles(ctx, accessList.Spec.OwnerGrants.Roles)
-	if err != nil {
-		return nil, nil, trace.Wrap(err)
-	}
-
-	// If there are any missing roles, then we cannot apply the access list.
-	// Emit an audit event and return early.
-	// This flow is designed to skip the entire access list rather than processing individual roles within it.
-	// This approach ensures that access lists are treated as cohesive units of access control. Partial
-	// application of an access list could result in unintended permission configurations, potentially leading
-	// to security vulnerabilities or unpredictable behavior.
-	if missingRoles != nil {
-		g.emitSkippedAccessListEvent(ctx, accessList.Spec.Title, missingRoles, user.GetName())
-		return nil, nil, nil
+func selectGrants(acl *accesslist.AccessList, owner bool) accesslist.Grants {
+	if owner {
+		return acl.Spec.OwnerGrants
 	}
-
-	g.grantRolesAndTraits(accessList.Spec.OwnerGrants, state)
-	if ownershipType == accesslistv1.AccessListUserAssignmentType_ACCESS_LIST_USER_ASSIGNMENT_TYPE_INHERITED {
-		inheritedRoles = append(inheritedRoles, accessList.Spec.OwnerGrants.Roles...)
-		for k, values := range accessList.Spec.OwnerGrants.Traits {
-			inheritedTraits[k] = append(inheritedTraits[k], values...)
-		}
-	}
-
-	return inheritedRoles, inheritedTraits, nil
+	return acl.Spec.Grants
 }
 
 // grantRolesAndTraits will append the roles and traits from the provided Grants to the UserLoginState,

lib/auth/userloginstate/generator_bench_test.go

@@ -0,0 +1,110 @@
+/*
+ * Teleport
+ * Copyright (C) 2025  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package userloginstate
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/types/accesslist"
+	"github.com/gravitational/teleport/api/types/header"
+)
+
+func BenchmarkGenerate(b *testing.B) {
+	user, err := types.NewUser("alice")
+	if err != nil {
+		b.Fatalf("NewUser: %v", err)
+	}
+
+	accessList, err := makeAccessList("acl")
+	if err != nil {
+		b.Fatalf("makeAccessList: %v", err)
+	}
+
+	sizes := []int{100, 1_000, 10_000}
+	for _, n := range sizes {
+		b.Run(fmt.Sprintf("members=%d", n), func(b *testing.B) {
+			svc, backendSvc, err := initGeneratorSvc()
+			if err != nil {
+				b.Fatalf("initGeneratorSvc: %v", err)
+			}
+			_, err = backendSvc.UpsertAccessList(b.Context(), accessList)
+			if err != nil {
+				b.Fatalf("UpsertAccessList: %v", err)
+			}
+
+			for i := 0; i < n; i++ {
+				member := makeUserMember(accessList.GetName(), fmt.Sprintf("u%d", i))
+				_, err = backendSvc.UpsertAccessListMember(b.Context(), member)
+				if err != nil {
+					b.Fatalf("UpsertAccessListMember: %v", err)
+				}
+			}
+
+			b.ReportAllocs()
+			b.ResetTimer()
+
+			for b.Loop() {
+				_, err := svc.Generate(b.Context(), user, backendSvc)
+				if err != nil {
+					b.Fatalf("Generate: %v", err)
+				}
+			}
+		})
+	}
+}
+
+func makeAccessList(name string) (*accesslist.AccessList, error) {
+	accessList, err := accesslist.NewAccessList(header.Metadata{
+		Name: name,
+	}, accesslist.Spec{
+		Title: "title",
+		Audit: accesslist.Audit{
+			NextAuditDate: clockwork.NewRealClock().Now().Add(time.Hour * 48),
+		},
+		Owners: []accesslist.Owner{{Name: ownerUser}},
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return accessList, nil
+}
+
+func makeUserMember(acl, username string) *accesslist.AccessListMember {
+	m := &accesslist.AccessListMember{
+		ResourceHeader: header.ResourceHeader{
+			Metadata: header.Metadata{
+				Name: username,
+			},
+		},
+		Spec: accesslist.AccessListMemberSpec{
+			Name:           username,
+			AccessList:     acl,
+			MembershipKind: accesslist.MembershipKindUser,
+			Joined:         clockwork.NewRealClock().Now(),
+			AddedBy:        "system",
+		},
+	}
+	return m
+}

lib/auth/userloginstate/generator_test.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 	"github.com/stretchr/testify/require"
 
@@ -579,7 +580,8 @@ func TestAccessLists(t *testing.T) {
 			})
 
 			ctx := context.Background()
-			svc, backendSvc := initGeneratorSvc(t)
+			svc, backendSvc, err := initGeneratorSvc()
+			require.NoError(t, err)
 
 			for _, accessList := range test.accessLists {
 				_, err = backendSvc.UpsertAccessList(ctx, accessList)
@@ -632,7 +634,8 @@ func TestAccessLists(t *testing.T) {
 
 func TestGitHubIdentity(t *testing.T) {
 	ctx := context.Background()
-	svc, backendSvc := initGeneratorSvc(t)
+	svc, backendSvc, err := initGeneratorSvc()
+	require.NoError(t, err)
 
 	noGitHubIdentity, err := types.NewUser("alice")
 	require.NoError(t, err)
@@ -715,20 +718,24 @@ func (s *svc) SubmitUsageEvent(ctx context.Context, req *proto.SubmitUsageEventR
 	return nil
 }
 
-func initGeneratorSvc(t *testing.T) (*Generator, *svc) {
-	t.Helper()
-
+func initGeneratorSvc() (*Generator, *svc, error) {
 	clock := clockwork.NewFakeClock()
 	mem, err := memory.New(memory.Config{
 		Clock: clock,
 	})
-	require.NoError(t, err)
+	if err != nil {
+		return nil, nil, trace.Wrap(err)
+	}
 
 	accessListsSvc, err := local.NewAccessListService(mem, clock)
-	require.NoError(t, err)
+	if err != nil {
+		return nil, nil, trace.Wrap(err)
+	}
 	accessSvc := local.NewAccessService(mem)
 	ulsService, err := local.NewUserLoginStateService(mem)
-	require.NoError(t, err)
+	if err != nil {
+		return nil, nil, trace.Wrap(err)
+	}
 
 	svc := &svc{
 		AccessLists:     accessListsSvc,
@@ -746,8 +753,10 @@ func initGeneratorSvc(t *testing.T) (*Generator, *svc) {
 		Clock:       clock,
 		Emitter:     emitter,
 	})
-	require.NoError(t, err)
-	return generator, svc
+	if err != nil {
+		return nil, nil, trace.Wrap(err)
+	}
+	return generator, svc, nil
 }
 
 func grants(roles []string, traits trait.Traits) accesslist.Grants {