squash!: Changed implementation to use UUID for cache invalidation

Author: rodmgwgu

openedx_authz/engine/enforcer.py

@@ -16,7 +16,7 @@
 """
 
 import logging
-import time
+from uuid import uuid4
 
 from casbin import SyncedEnforcer
 from casbin_adapter.enforcer import initialize_enforcer
@@ -70,7 +70,7 @@ class AuthzEnforcer:
 
     _enforcer = None
     _adapter = None
-    _last_policy_load_timestamp = None
+    _last_policy_loaded_version = None
 
     def __new__(cls):
         """Singleton pattern to ensure a single enforcer instance."""
@@ -158,43 +158,42 @@ def configure_enforcer_auto_save_and_load(cls):
 
     @classmethod
     def load_policy_if_needed(cls):
-        """Load policy if the last load timestamp indicates it's needed.
+        """Load policy if the last load version indicates it's needed.
 
         This method checks if the policy needs to be reloaded comparing
-        the last load timestamp with the last modified timestamp in cache
+        the last load version with the version in the cache invalidation model,
         and reloads it if necessary.
 
         Returns:
             None
         """
-        last_modified_timestamp = PolicyCacheControl.get_last_modified_timestamp()
+        last_version = PolicyCacheControl.get_version()
 
-        current_timestamp = time.time()
-
-        if last_modified_timestamp is None:
+        if last_version is None:
             # No timestamp in cache; initialize it
-            PolicyCacheControl.set_last_modified_timestamp(current_timestamp)
-            logger.info("Initialized policy last modified timestamp in cache control.")
+            last_version = uuid4()
+            PolicyCacheControl.set_version(last_version)
+            logger.info("Initialized policy last modified version in cache control.")
 
-        if cls._last_policy_load_timestamp is None or last_modified_timestamp > cls._last_policy_load_timestamp:
+        if cls._last_policy_loaded_version is None or last_version != cls._last_policy_loaded_version:
             # Policy has been modified since last load; reload it
             cls._enforcer.load_policy()
-            cls._last_policy_load_timestamp = current_timestamp
-            logger.info(f"Reloaded policy at {current_timestamp}")
+            cls._last_policy_loaded_version = last_version
+            logger.info(f"Reloaded policy to version {last_version}")
 
     @classmethod
     def invalidate_policy_cache(cls):
         """Invalidate the current policy cache to force a reload on next check.
 
-        This method updates the last modified timestamp in the cache to
-        the current time, indicating that the policy has changed.
+        This method updates the last modified version in the cache invalidation model
+        to a new UUID, indicating that the policy has changed.
 
         Returns:
             None
         """
-        current_timestamp = time.time()
-        PolicyCacheControl.set_last_modified_timestamp(current_timestamp)
-        logger.info(f"Invalidated policy cache at {current_timestamp}")
+        new_version = uuid4()
+        PolicyCacheControl.set_version(new_version)
+        logger.info(f"Invalidated policy cache to version {new_version}")
 
     @classmethod
     def get_enforcer(cls) -> SyncedEnforcer:

openedx_authz/migrations/0005_policycachecontrol.py

@@ -1,6 +1,6 @@
-# Generated by Django 4.2.24 on 2025-11-13 22:32
+# Generated by Django 4.2.24 on 2025-11-14 22:38
 
-import datetime
+import uuid
 
 from django.db import migrations, models
 
@@ -15,7 +15,7 @@ class Migration(migrations.Migration):
             name="PolicyCacheControl",
             fields=[
                 ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
-                ("last_modified", models.DateTimeField(default=datetime.datetime.now)),
+                ("version", models.UUIDField(default=uuid.uuid4)),
             ],
         ),
     ]

openedx_authz/models/engine.py

@@ -1,6 +1,6 @@
 """Models for the authorization engine."""
 
-from datetime import datetime
+from uuid import UUID, uuid4
 
 from django.db import models
 
@@ -9,14 +9,14 @@ class PolicyCacheControl(models.Model):
     """Model to control policy cache invalidation.
 
     This model can be used to trigger cache invalidation for authorization policies
-    by updating its timestamp. Whenever this model is updated, the authorization
+    by changing the version. Whenever this model is updated, the authorization
     engine should invalidate its cached policies.
     """
 
-    last_modified = models.DateTimeField(default=datetime.now)
+    version = models.UUIDField(default=uuid4)
 
     def save(self, *args, **kwargs):
-        """Override save to update the timestamp."""
+        """Override save to ensure a single instance."""
         self.pk = 1  # Ensure a single instance
         super().save(*args, **kwargs)
 
@@ -27,23 +27,23 @@ def get(cls):
         return obj
 
     @classmethod
-    def get_last_modified_timestamp(cls):
-        """Get the last modified timestamp for policy cache control.
+    def get_version(cls):
+        """Get the version for policy cache control.
 
         Returns:
-            float: The timestamp of the last update.
+            UUID: The version of the last update.
         """
         instance = cls.get()
-        return instance.last_modified.timestamp()
+        return instance.version
 
     @classmethod
-    def set_last_modified_timestamp(cls, timestamp: float):
-        """Update the last modified timestamp to the current time.
+    def set_version(cls, version: UUID):
+        """Update the cache version.
 
-        This method updates the timestamp, which can be used to signal
+        This method updates the cache version, which can be used to signal
         that the policy cache should be invalidated.
         """
         instance = cls.get()
-        instance.last_modified = datetime.fromtimestamp(timestamp)
+        instance.version = version
 
         instance.save()

openedx_authz/tests/api/test_roles.py

@@ -978,7 +978,6 @@ def test_assign_role_creates_extended_casbin_rule(self):
         self.assertIn(subject_data.namespaced_key, extended_rule.casbin_rule_key)
         self.assertIn(scope_data.namespaced_key, extended_rule.casbin_rule_key)
 
-
     @ddt_data(
         # Test user with single role in single scope
         ("alice", ["lib:Org1:math_101"], {"library_admin"}),

openedx_authz/tests/test_enforcer.py

@@ -7,6 +7,7 @@
 
 import time
 from unittest.mock import patch
+from uuid import uuid4
 
 import casbin
 from ddt import data as ddt_data
@@ -839,19 +840,22 @@ def test_load_policy_if_needed_initializes_cache_timestamp(self, mock_toggle):
         """Test that load_policy_if_needed initializes cache timestamp on first call.
 
         Expected result:
-            - On first call, cache invalidation key is set with current timestamp
-            - Policy is loaded since last load timestamp is None
+            - On first call, cache invalidation model is initialized
+            - Policy is loaded since last load version is None
         """
         mock_toggle.return_value = True
 
-        AuthzEnforcer._last_policy_load_timestamp = None  # pylint: disable=protected-access
-
+        AuthzEnforcer._last_policy_loaded_version = None  # pylint: disable=protected-access
         # get_enforcer calls load_policy_if_needed internally
         AuthzEnforcer.get_enforcer()
 
-        cached_timestamp = PolicyCacheControl.get_last_modified_timestamp()
-        self.assertIsNotNone(cached_timestamp)
-        self.assertIsNotNone(AuthzEnforcer._last_policy_load_timestamp)  # pylint: disable=protected-access
+        cached_version = PolicyCacheControl.get_version()
+        self.assertIsNotNone(cached_version)
+        self.assertIsNotNone(AuthzEnforcer._last_policy_loaded_version)  # pylint: disable=protected-access
+        self.assertEqual(
+            AuthzEnforcer._last_policy_loaded_version,  # pylint: disable=protected-access
+            cached_version,
+        )
 
     @patch("openedx_authz.engine.enforcer.libraries_v2_enabled")
     @override_settings(CASBIN_AUTO_LOAD_POLICY_INTERVAL=0)
@@ -860,25 +864,25 @@ def test_load_policy_if_needed_loads_when_stale(self, mock_toggle):
 
         Expected result:
             - If policy is stale, it is reloaded
-            - _last_policy_load_timestamp is updated with new timestamp
+            - _last_policy_loaded_version is updated with new version
         """
         mock_toggle.return_value = True
 
-        now = time.time()
-        stale_timestamp = now - 60  # 60 seconds ago
+        stale_version = uuid4()
+        current_version = uuid4()
 
-        # Set last load timestamp to stale value
-        AuthzEnforcer._last_policy_load_timestamp = stale_timestamp  # pylint: disable=protected-access
-        # Set last cache invalidation to a more recent time
-        PolicyCacheControl.set_last_modified_timestamp(now)
+        # Set last loaded version to stale value
+        AuthzEnforcer._last_policy_loaded_version = stale_version  # pylint: disable=protected-access
+        # Set last cache invalidation current version
+        PolicyCacheControl.set_version(current_version)
 
         # get_enforcer calls load_policy_if_needed internally
         AuthzEnforcer.get_enforcer()
 
-        self.assertIsNotNone(AuthzEnforcer._last_policy_load_timestamp)  # pylint: disable=protected-access
-        self.assertGreater(
-            AuthzEnforcer._last_policy_load_timestamp,  # pylint: disable=protected-access
-            stale_timestamp,
+        self.assertIsNotNone(AuthzEnforcer._last_policy_loaded_version)  # pylint: disable=protected-access
+        self.assertEqual(
+            AuthzEnforcer._last_policy_loaded_version,  # pylint: disable=protected-access
+            current_version,
         )
 
     @patch("openedx_authz.engine.enforcer.libraries_v2_enabled")
@@ -888,41 +892,41 @@ def test_load_policy_if_needed_doesnt_reload_when_not_stale(self, mock_toggle):
 
         Expected result:
             - If policy is not stale, it is not reloaded
-            - _last_policy_load_timestamp remains unchanged
+            - _last_policy_loaded_version remains unchanged
         """
         mock_toggle.return_value = True
 
-        now = time.time()
+        current_version = uuid4()
 
-        # Set last load timestamp to current time
-        AuthzEnforcer._last_policy_load_timestamp = now  # pylint: disable=protected-access
-        # Set last cache invalidation to an earlier time
-        PolicyCacheControl.set_last_modified_timestamp(now - 60)  # 60 seconds ago
+        # Set last loaded version to current version
+        AuthzEnforcer._last_policy_loaded_version = current_version  # pylint: disable=protected-access
+        # Set last cache invalidation to same version
+        PolicyCacheControl.set_version(current_version)
 
         # get_enforcer calls load_policy_if_needed internally
         AuthzEnforcer.get_enforcer()
 
         self.assertEqual(
-            AuthzEnforcer._last_policy_load_timestamp,  # pylint: disable=protected-access
-            now,
+            AuthzEnforcer._last_policy_loaded_version,  # pylint: disable=protected-access
+            current_version,
         )
 
     @patch("openedx_authz.engine.enforcer.libraries_v2_enabled")
     @override_settings(CASBIN_AUTO_LOAD_POLICY_INTERVAL=0)
     def test_invalidate_policy_cache(self, mock_toggle):
-        """Test that invalidate_policy_cache updates the cache invalidation key.
+        """Test that invalidate_policy_cache updates the cache invalidation model.
 
         Expected result:
-            - Cache invalidation key is updated with current timestamp
+            - Cache invalidation key is updated to a new version
         """
         mock_toggle.return_value = True
 
-        AuthzEnforcer._last_policy_load_timestamp = time.time()  # pylint: disable=protected-access
-        old_cache_value = time.time() - 60  # 60 seconds ago
-        PolicyCacheControl.set_last_modified_timestamp(old_cache_value)
+        AuthzEnforcer._last_policy_loaded_version = uuid4()  # pylint: disable=protected-access
+        old_cache_value = uuid4()
+        PolicyCacheControl.set_version(old_cache_value)
 
         AuthzEnforcer.invalidate_policy_cache()
 
-        new_cache_value = PolicyCacheControl.get_last_modified_timestamp()
+        new_cache_value = PolicyCacheControl.get_version()
         self.assertIsNotNone(new_cache_value)
-        self.assertGreater(new_cache_value, old_cache_value)
+        self.assertNotEqual(new_cache_value, old_cache_value)

openedx_authz/tests/test_models.py

@@ -13,6 +13,8 @@
 which run against the real ContentLibrary model.
 """
 
+from uuid import UUID, uuid4
+
 from casbin_adapter.models import CasbinRule
 from django.contrib.auth import get_user_model
 from django.test import TestCase
@@ -142,21 +144,21 @@ def test_extended_casbin_rule_cascade_deletion_when_subject_deleted(self):
 class TestPolicyCacheControlModel(TestCase):
     """Test cases for the PolicyCacheControl model."""
 
-    def test_get_and_set_last_modified_timestamp(self):
-        """Test getting and setting the last modified timestamp.
+    def test_get_and_set_version(self):
+        """Test getting and setting the cache version.
 
         Expected Result:
-        - Initially, the timestamp is set to the current time.
-        - After setting a new timestamp, it reflects the updated value.
+        - Initially, the version is set to a UUID.
+        - After setting a new version, it reflects the updated value.
         """
-        initial_timestamp = PolicyCacheControl.get_last_modified_timestamp()
-        self.assertIsInstance(initial_timestamp, float)
+        initial_version = PolicyCacheControl.get_version()
+        self.assertIsInstance(initial_version, UUID)
 
-        new_timestamp = initial_timestamp + 1000.0  # Simulate a future timestamp
-        PolicyCacheControl.set_last_modified_timestamp(new_timestamp)
+        new_version = uuid4()  # Generate a new UUID
+        PolicyCacheControl.set_version(new_version)
 
-        updated_timestamp = PolicyCacheControl.get_last_modified_timestamp()
-        self.assertEqual(updated_timestamp, new_timestamp)
+        updated_version = PolicyCacheControl.get_version()
+        self.assertEqual(updated_version, new_version)
 
     def test_singleton_behavior(self):
         """Test that only one instance of PolicyCacheControl exists.