refactor: initialize enforcer when firstly use to avoid raising errors while initializing application

mariajgrimaldi · mariajgrimaldi · commit 9ceaa07fe2a7 · 2025-10-14T11:27:13.000+02:00
diff --git a/openedx_authz/api/permissions.py b/openedx_authz/api/permissions.py
@@ -8,8 +8,6 @@
 from openedx_authz.api.data import ActionData, PermissionData, PolicyIndex, ScopeData, SubjectData
 from openedx_authz.engine.enforcer import AuthzEnforcer
 
-enforcer = AuthzEnforcer.get_enforcer()
-
 __all__ = [
     "get_permission_from_policy",
     "get_all_permissions_in_scope",
@@ -44,7 +42,9 @@ def get_all_permissions_in_scope(scope: ScopeData) -> list[PermissionData]:
     Returns:
         list of PermissionData: A list of PermissionData objects associated with the given scope.
     """
-    actions = enforcer.get_filtered_policy(PolicyIndex.SCOPE.value, scope.namespaced_key)
+    actions = AuthzEnforcer.get_enforcer().get_filtered_policy(
+        PolicyIndex.SCOPE.value, scope.namespaced_key
+    )
     return [get_permission_from_policy(action) for action in actions]
 
 
@@ -63,5 +63,6 @@ def is_subject_allowed(
     Returns:
         bool: True if the subject has the specified permission in the scope, False otherwise.
     """
-    enforcer.load_policy()
-    return enforcer.enforce(subject.namespaced_key, action.namespaced_key, scope.namespaced_key)
+    return AuthzEnforcer.get_enforcer().enforce(
+        subject.namespaced_key, action.namespaced_key, scope.namespaced_key
+    )
diff --git a/openedx_authz/api/roles.py b/openedx_authz/api/roles.py
@@ -22,7 +22,6 @@
 from openedx_authz.api.permissions import get_permission_from_policy
 from openedx_authz.engine.enforcer import AuthzEnforcer
 
-enforcer = AuthzEnforcer.get_enforcer()
 
 __all__ = [
     "get_permissions_for_single_role",
@@ -61,7 +60,7 @@ def get_permissions_for_single_role(
     Returns:
         list[PermissionData]: A list of PermissionData objects associated with the given role.
     """
-    policies = enforcer.get_implicit_permissions_for_user(role.namespaced_key)
+    policies = AuthzEnforcer.get_enforcer().get_implicit_permissions_for_user(role.namespaced_key)
     return [get_permission_from_policy(policy) for policy in policies]
 
 
@@ -116,8 +115,7 @@ def get_permissions_for_active_roles_in_scope(
         dict[str, list[PermissionData]]: A dictionary mapping the role external_key to its
         permissions and scopes.
     """
-    enforcer.load_policy()
-    filtered_policy = enforcer.get_filtered_grouping_policy(
+    filtered_policy = AuthzEnforcer.get_enforcer().get_filtered_grouping_policy(
         GroupingPolicyIndex.SCOPE.value, scope.namespaced_key
     )
 
@@ -148,8 +146,7 @@ def get_role_definitions_in_scope(scope: ScopeData) -> list[RoleData]:
     Returns:
         list[Role]: A list of roles.
     """
-    enforcer.load_policy()
-    policy_filtered = enforcer.get_filtered_policy(
+    policy_filtered = AuthzEnforcer.get_enforcer().get_filtered_policy(
         PolicyIndex.SCOPE.value, scope.namespaced_key
     )
 
@@ -182,7 +179,7 @@ def get_all_roles_names() -> list[str]:
     Returns:
         list[str]: A list of role names.
     """
-    return enforcer.get_all_subjects()
+    return AuthzEnforcer.get_enforcer().get_all_subjects()
 
 
 def get_all_roles_in_scope(scope: ScopeData) -> list[list[str]]:
@@ -194,8 +191,7 @@ def get_all_roles_in_scope(scope: ScopeData) -> list[list[str]]:
     Returns:
         list[list[str]]: A list of policies in the specified scope.
     """
-    enforcer.load_policy()
-    return enforcer.get_filtered_grouping_policy(
+    return AuthzEnforcer.get_enforcer().get_filtered_grouping_policy(
         GroupingPolicyIndex.SCOPE.value, scope.namespaced_key
     )
 
@@ -213,8 +209,7 @@ def assign_role_to_subject_in_scope(
     Returns:
         bool: True if the role was assigned successfully, False otherwise.
     """
-    enforcer.load_policy()
-    return enforcer.add_role_for_user_in_domain(
+    AuthzEnforcer.get_enforcer().add_role_for_user_in_domain(
         subject.namespaced_key,
         role.namespaced_key,
         scope.namespaced_key,
@@ -247,8 +242,7 @@ def unassign_role_from_subject_in_scope(
     Returns:
         bool: True if the role was unassigned successfully, False otherwise.
     """
-    enforcer.load_policy()
-    return enforcer.delete_roles_for_user_in_domain(
+    AuthzEnforcer.get_enforcer().delete_roles_for_user_in_domain(
         subject.namespaced_key, role.namespaced_key, scope.namespaced_key
     )
 
@@ -277,7 +271,7 @@ def get_subject_role_assignments(subject: SubjectData) -> list[RoleAssignmentDat
         list[RoleAssignmentData]: A list of role assignments for the subject.
     """
     role_assignments = []
-    for policy in enforcer.get_filtered_grouping_policy(
+    for policy in AuthzEnforcer.get_enforcer().get_filtered_grouping_policy(
         GroupingPolicyIndex.SUBJECT.value, subject.namespaced_key
     ):
         role = RoleData(namespaced_key=policy[GroupingPolicyIndex.ROLE.value])
@@ -305,10 +299,10 @@ def get_subject_role_assignments_in_scope(
     Returns:
         list[RoleAssignmentData]: A list of role assignments for the subject in the scope.
     """
-    enforcer.load_policy()
+    AuthzEnforcer.get_enforcer().load_policy()
     # TODO: we still need to get the remaining data for the role like email, etc
     role_assignments = []
-    for namespaced_key in enforcer.get_roles_for_user_in_domain(
+    for namespaced_key in AuthzEnforcer.get_enforcer().get_roles_for_user_in_domain(
         subject.namespaced_key, scope.namespaced_key
     ):
         role = RoleData(namespaced_key=namespaced_key)
@@ -340,7 +334,7 @@ def get_subject_role_assignments_for_role_in_scope(
         list[RoleAssignmentData]: A list of subjects assigned to the specified role in the specified scope.
     """
     role_assignments = []
-    for subject in enforcer.get_users_for_role_in_domain(
+    for subject in AuthzEnforcer.get_enforcer().get_users_for_role_in_domain(
         role.namespaced_key, scope.namespaced_key
     ):
         if subject.startswith(f"{RoleData.NAMESPACE}{RoleData.SEPARATOR}"):
@@ -404,6 +398,8 @@ def get_subjects_for_role(role: RoleData) -> list[SubjectData]:
     Returns:
         list[SubjectData]: A list of subjects assigned to the specified role.
     """
-    enforcer.load_policy()
-    policies = enforcer.get_filtered_grouping_policy(GroupingPolicyIndex.ROLE.value, role.namespaced_key)
+    policies = AuthzEnforcer.get_enforcer().get_filtered_grouping_policy(
+        GroupingPolicyIndex.ROLE.value,
+        role.namespaced_key
+    )
     return [SubjectData(namespaced_key=policy[GroupingPolicyIndex.SUBJECT.value]) for policy in policies]
diff --git a/openedx_authz/apps.py b/openedx_authz/apps.py
@@ -43,11 +43,7 @@ class OpenedxAuthzConfig(AppConfig):
 
     def ready(self):
         """Initialization layer for the openedx_authz app."""
-        # Initialize the enforcer to ensure it's ready when the app starts
-        try:
-            from openedx_authz.engine.enforcer import AuthzEnforcer
-            AuthzEnforcer()
-        except ImproperlyConfigured:
-            # The app might not be fully configured yet (e.g., during migrations).
-            # In such cases, we skip the enforcer initialization.
-            pass
+        # DO NOT initialize the enforcer here to avoid issues when
+        # apps are not fully loaded (e.g., while pulling translations).
+        # It's best to lazy load the enforcer when needed it's first used.
+        pass
diff --git a/openedx_authz/engine/apps.py b/openedx_authz/engine/apps.py
@@ -8,13 +8,7 @@ class CasbinAdapterConfig(AppConfig):
 
     def ready(self):
         """Initialization layer for the casbin_adapter app."""
-
-        try:
-            from casbin_adapter.enforcer import initialize_enforcer
-
-            db_alias = getattr(settings, "CASBIN_DB_ALIAS", "default")
-            initialize_enforcer(db_alias)
-        except ImproperlyConfigured:
-            # The app might not be fully configured yet (e.g., during migrations).
-            # In such cases, we skip the enforcer initialization.
-            pass
+        # DO NOT initialize the enforcer here to avoid issues when
+        # apps are not fully loaded (e.g., while pulling translations).
+        # It's best to lazy load the enforcer when needed it's first used.
+        pass
diff --git a/openedx_authz/engine/enforcer.py b/openedx_authz/engine/enforcer.py
@@ -23,6 +23,7 @@
 
 from openedx_authz.engine.adapter import ExtendedAdapter
 from openedx_authz.engine.watcher import Watcher
+from casbin_adapter.enforcer import initialize_enforcer
 
 logger = logging.getLogger(__name__)
 
@@ -33,9 +34,17 @@ class AuthzEnforcer:
     Ensures a single enforcer instance is created safely and configured with the
     ExtendedAdapter and Redis watcher for policy management and synchronization.
 
-    Usage:
+    There are two main use cases for this class:
+    1. Directly get the enforcer instance and initialize it if needed:
+        from openedx_authz.engine.enforcer import AuthzEnforcer
         enforcer = AuthzEnforcer.get_enforcer()
         allowed = enforcer.enforce(user, resource, action)
+    2. Instantiate the class to get the singleton enforcer instance:
+        from openedx_authz.engine.enforcer import AuthzEnforcer
+        enforcer = AuthzEnforcer()
+        allowed = enforcer.get_enforcer().enforce(user, resource, action)
+
+    Any of the two approaches will yield the same singleton enforcer instance.
     """
 
     _enforcer = None
@@ -62,13 +71,16 @@ def _initialize_enforcer() -> FastEnforcer:
         """
         Create and configure the Casbin FastEnforcer instance.
 
-        This function initializes the Casbin FastEnforcer with the ExtendedAdapter
-        for database-backed policy storage and sets up the Redis watcher for
-        real-time policy synchronization.
+        This method initializes the FastEnforcer with the ExtendedAdapter
+        for database policy storage and sets up the Redis watcher for real-time
+        policy synchronization if the Watcher is available. It also initializes
+        the enforcer with the specified database alias from settings.
 
         Returns:
             FastEnforcer: Configured Casbin enforcer with adapter and watcher
         """
+        db_alias = getattr(settings, "CASBIN_DB_ALIAS", "default")
+        initialize_enforcer(db_alias)
         adapter = ExtendedAdapter()
         enforcer = FastEnforcer(settings.CASBIN_MODEL, adapter, enable_log=True)
         enforcer.enable_auto_save(True)
diff --git a/openedx_authz/management/commands/load_policies.py b/openedx_authz/management/commands/load_policies.py
@@ -15,7 +15,6 @@
 from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.engine.utils import migrate_policy_between_enforcers
 
-global_enforcer = AuthzEnforcer.get_enforcer()
 
 
 class Command(BaseCommand):
@@ -76,7 +75,7 @@ def handle(self, *args, **options):
             )
 
         source_enforcer = casbin.Enforcer(model_file_path, policy_file_path)
-        self.migrate_policies(source_enforcer, global_enforcer)
+        self.migrate_policies(source_enforcer, AuthzEnforcer.get_enforcer())
 
     def migrate_policies(self, source_enforcer, target_enforcer):
         """Migrate policies from the source enforcer to the target enforcer.
diff --git a/openedx_authz/tests/api/test_roles.py b/openedx_authz/tests/api/test_roles.py
@@ -34,7 +34,6 @@
 from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.engine.utils import migrate_policy_between_enforcers
 
-global_enforcer = AuthzEnforcer.get_enforcer()
 
 
 class BaseRolesTestCase(TestCase):
@@ -52,6 +51,7 @@ def _seed_database_with_policies(cls):
         This simulates the one-time database seeding that would happen
         during application deployment, separate from the runtime policy loading.
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         global_enforcer.load_policy()
         migrate_policy_between_enforcers(
             source_enforcer=casbin.Enforcer(
@@ -243,6 +243,16 @@ def setUpClass(cls):
         ]
         cls._assign_roles_to_users(assignments=assignments)
 
+    def setUp(self):
+        """Set up test environment."""
+        super().setUp()
+        AuthzEnforcer.get_enforcer().load_policy()  # Load policies before each test to simulate fresh start
+
+    def tearDown(self):
+        """Clean up after each test to ensure isolation."""
+        super().tearDown()
+        AuthzEnforcer.get_enforcer().clear_policy()  # Clear policies after each test to ensure isolation
+
 
 @ddt
 class TestRolesAPI(RolesTestSetupMixin):
diff --git a/openedx_authz/tests/test_enforcer.py b/openedx_authz/tests/test_enforcer.py
