refactor: initialize enforcer when firstly use to avoid raising errors while initializing application

mariajgrimaldi · mariajgrimaldi · commit d87570118529 · 2025-10-13T15:01:00.000+02:00
diff --git a/openedx_authz/api/permissions.py b/openedx_authz/api/permissions.py
@@ -8,8 +8,6 @@
 from openedx_authz.api.data import ActionData, PermissionData, PolicyIndex, ScopeData, SubjectData
 from openedx_authz.engine.enforcer import AuthzEnforcer
 
-enforcer = AuthzEnforcer.get_enforcer()
-
 __all__ = [
     "get_permission_from_policy",
     "get_all_permissions_in_scope",
@@ -44,7 +42,7 @@ def get_all_permissions_in_scope(scope: ScopeData) -> list[PermissionData]:
     Returns:
         list of PermissionData: A list of PermissionData objects associated with the given scope.
     """
-    actions = enforcer.get_filtered_policy(
+    actions = AuthzEnforcer.get_enforcer().get_filtered_policy(
         PolicyIndex.SCOPE.value, scope.namespaced_key
     )
     return [get_permission_from_policy(action) for action in actions]
@@ -65,6 +63,6 @@ def is_subject_allowed(
     Returns:
         bool: True if the subject has the specified permission in the scope, False otherwise.
     """
-    return enforcer.enforce(
+    return AuthzEnforcer.get_enforcer().enforce(
         subject.namespaced_key, action.namespaced_key, scope.namespaced_key
     )
diff --git a/openedx_authz/api/roles.py b/openedx_authz/api/roles.py
@@ -22,7 +22,6 @@
 from openedx_authz.api.permissions import get_permission_from_policy
 from openedx_authz.engine.enforcer import AuthzEnforcer
 
-enforcer = AuthzEnforcer.get_enforcer()
 
 __all__ = [
     "get_permissions_for_single_role",
@@ -61,7 +60,7 @@ def get_permissions_for_single_role(
     Returns:
         list[PermissionData]: A list of PermissionData objects associated with the given role.
     """
-    policies = enforcer.get_implicit_permissions_for_user(role.namespaced_key)
+    policies = AuthzEnforcer.get_enforcer().get_implicit_permissions_for_user(role.namespaced_key)
     return [get_permission_from_policy(policy) for policy in policies]
 
 
@@ -116,7 +115,7 @@ def get_permissions_for_active_roles_in_scope(
         dict[str, list[PermissionData]]: A dictionary mapping the role external_key to its
         permissions and scopes.
     """
-    filtered_policy = enforcer.get_filtered_grouping_policy(
+    filtered_policy = AuthzEnforcer.get_enforcer().get_filtered_grouping_policy(
         GroupingPolicyIndex.SCOPE.value, scope.namespaced_key
     )
 
@@ -147,7 +146,7 @@ def get_role_definitions_in_scope(scope: ScopeData) -> list[RoleData]:
     Returns:
         list[Role]: A list of roles.
     """
-    policy_filtered = enforcer.get_filtered_policy(
+    policy_filtered = AuthzEnforcer.get_enforcer().get_filtered_policy(
         PolicyIndex.SCOPE.value, scope.namespaced_key
     )
 
@@ -180,7 +179,7 @@ def get_all_roles_names() -> list[str]:
     Returns:
         list[str]: A list of role names.
     """
-    return enforcer.get_all_subjects()
+    return AuthzEnforcer.get_enforcer().get_all_subjects()
 
 
 def get_all_roles_in_scope(scope: ScopeData) -> list[list[str]]:
@@ -192,7 +191,7 @@ def get_all_roles_in_scope(scope: ScopeData) -> list[list[str]]:
     Returns:
         list[list[str]]: A list of policies in the specified scope.
     """
-    return enforcer.get_filtered_grouping_policy(
+    return AuthzEnforcer.get_enforcer().get_filtered_grouping_policy(
         GroupingPolicyIndex.SCOPE.value, scope.namespaced_key
     )
 
@@ -206,7 +205,7 @@ def assign_role_to_subject_in_scope(
         subject: The ID of the subject.
         role: The role to assign.
     """
-    enforcer.add_role_for_user_in_domain(
+    AuthzEnforcer.get_enforcer().add_role_for_user_in_domain(
         subject.namespaced_key,
         role.namespaced_key,
         scope.namespaced_key,
@@ -236,7 +235,7 @@ def unassign_role_from_subject_in_scope(
         role: The role to unassign.
         scope: The scope from which to unassign the role.
     """
-    enforcer.delete_roles_for_user_in_domain(
+    AuthzEnforcer.get_enforcer().delete_roles_for_user_in_domain(
         subject.namespaced_key, role.namespaced_key, scope.namespaced_key
     )
 
@@ -265,7 +264,7 @@ def get_subject_role_assignments(subject: SubjectData) -> list[RoleAssignmentDat
         list[RoleAssignmentData]: A list of role assignments for the subject.
     """
     role_assignments = []
-    for policy in enforcer.get_filtered_grouping_policy(
+    for policy in AuthzEnforcer.get_enforcer().get_filtered_grouping_policy(
         GroupingPolicyIndex.SUBJECT.value, subject.namespaced_key
     ):
         role = RoleData(namespaced_key=policy[GroupingPolicyIndex.ROLE.value])
@@ -295,7 +294,7 @@ def get_subject_role_assignments_in_scope(
     """
     # TODO: we still need to get the remaining data for the role like email, etc
     role_assignments = []
-    for namespaced_key in enforcer.get_roles_for_user_in_domain(
+    for namespaced_key in AuthzEnforcer.get_enforcer().get_roles_for_user_in_domain(
         subject.namespaced_key, scope.namespaced_key
     ):
         role = RoleData(namespaced_key=namespaced_key)
@@ -327,7 +326,7 @@ def get_subject_role_assignments_for_role_in_scope(
         list[RoleAssignmentData]: A list of subjects assigned to the specified role in the specified scope.
     """
     role_assignments = []
-    for subject in enforcer.get_users_for_role_in_domain(
+    for subject in AuthzEnforcer.get_enforcer().get_users_for_role_in_domain(
         role.namespaced_key, scope.namespaced_key
     ):
         if subject.startswith(f"{RoleData.NAMESPACE}{RoleData.SEPARATOR}"):
diff --git a/openedx_authz/apps.py b/openedx_authz/apps.py
@@ -43,11 +43,7 @@ class OpenedxAuthzConfig(AppConfig):
 
     def ready(self):
         """Initialization layer for the openedx_authz app."""
-        # Initialize the enforcer to ensure it's ready when the app starts
-        try:
-            from openedx_authz.engine.enforcer import AuthzEnforcer
-            AuthzEnforcer()
-        except ImproperlyConfigured:
-            # The app might not be fully configured yet (e.g., during migrations).
-            # In such cases, we skip the enforcer initialization.
-            pass
+        # DO NOT initialize the enforcer here to avoid issues when
+        # apps are not fully loaded (e.g., while pulling translations).
+        # It's best to lazy load the enforcer when needed it's first used.
+        pass
diff --git a/openedx_authz/engine/apps.py b/openedx_authz/engine/apps.py
@@ -8,13 +8,7 @@ class CasbinAdapterConfig(AppConfig):
 
     def ready(self):
         """Initialization layer for the casbin_adapter app."""
-
-        try:
-            from casbin_adapter.enforcer import initialize_enforcer
-
-            db_alias = getattr(settings, "CASBIN_DB_ALIAS", "default")
-            initialize_enforcer(db_alias)
-        except ImproperlyConfigured:
-            # The app might not be fully configured yet (e.g., during migrations).
-            # In such cases, we skip the enforcer initialization.
-            pass
+        # DO NOT initialize the enforcer here to avoid issues when
+        # apps are not fully loaded (e.g., while pulling translations).
+        # It's best to lazy load the enforcer when needed it's first used.
+        pass
diff --git a/openedx_authz/engine/enforcer.py b/openedx_authz/engine/enforcer.py
@@ -23,6 +23,7 @@
 
 from openedx_authz.engine.adapter import ExtendedAdapter
 from openedx_authz.engine.watcher import Watcher
+from casbin_adapter.enforcer import initialize_enforcer
 
 logger = logging.getLogger(__name__)
 
@@ -33,9 +34,17 @@ class AuthzEnforcer:
     Ensures a single enforcer instance is created safely and configured with the
     ExtendedAdapter and Redis watcher for policy management and synchronization.
 
-    Usage:
+    There are two main use cases for this class:
+    1. Directly get the enforcer instance and initialize it if needed:
+        from openedx_authz.engine.enforcer import AuthzEnforcer
         enforcer = AuthzEnforcer.get_enforcer()
         allowed = enforcer.enforce(user, resource, action)
+    2. Instantiate the class to get the singleton enforcer instance:
+        from openedx_authz.engine.enforcer import AuthzEnforcer
+        enforcer = AuthzEnforcer()
+        allowed = enforcer.get_enforcer().enforce(user, resource, action)
+
+    Any of the two approaches will yield the same singleton enforcer instance.
     """
 
     _enforcer = None
@@ -62,13 +71,16 @@ def _initialize_enforcer() -> FastEnforcer:
         """
         Create and configure the Casbin FastEnforcer instance.
 
-        This function initializes the Casbin FastEnforcer with the ExtendedAdapter
-        for database-backed policy storage and sets up the Redis watcher for
-        real-time policy synchronization.
+        This method initializes the FastEnforcer with the ExtendedAdapter
+        for database policy storage and sets up the Redis watcher for real-time
+        policy synchronization if the Watcher is available. It also initializes
+        the enforcer with the specified database alias from settings.
 
         Returns:
             FastEnforcer: Configured Casbin enforcer with adapter and watcher
         """
+        db_alias = getattr(settings, "CASBIN_DB_ALIAS", "default")
+        initialize_enforcer(db_alias)
         adapter = ExtendedAdapter()
         enforcer = FastEnforcer(settings.CASBIN_MODEL, adapter, enable_log=True)
         enforcer.enable_auto_save(True)
diff --git a/openedx_authz/management/commands/load_policies.py b/openedx_authz/management/commands/load_policies.py
@@ -15,7 +15,6 @@
 from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.engine.utils import migrate_policy_between_enforcers
 
-global_enforcer = AuthzEnforcer.get_enforcer()
 
 
 class Command(BaseCommand):
@@ -76,7 +75,7 @@ def handle(self, *args, **options):
             )
 
         source_enforcer = casbin.Enforcer(model_file_path, policy_file_path)
-        self.migrate_policies(source_enforcer, global_enforcer)
+        self.migrate_policies(source_enforcer, AuthzEnforcer.get_enforcer())
 
     def migrate_policies(self, source_enforcer, target_enforcer):
         """Migrate policies from the source enforcer to the target enforcer.
diff --git a/openedx_authz/tests/api/test_roles.py b/openedx_authz/tests/api/test_roles.py
@@ -34,7 +34,6 @@
 from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.engine.utils import migrate_policy_between_enforcers
 
-global_enforcer = AuthzEnforcer.get_enforcer()
 
 
 class RolesTestSetupMixin(TestCase):
@@ -47,6 +46,7 @@ def _seed_database_with_policies(cls):
         This simulates the one-time database seeding that would happen
         during application deployment, separate from the runtime policy loading.
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         global_enforcer.load_policy()
         migrate_policy_between_enforcers(
             source_enforcer=casbin.Enforcer(
@@ -218,12 +218,12 @@ def setUpClass(cls):
     def setUp(self):
         """Set up test environment."""
         super().setUp()
-        global_enforcer.load_policy()  # Load policies before each test to simulate fresh start
+        AuthzEnforcer.get_enforcer().load_policy()  # Load policies before each test to simulate fresh start
 
     def tearDown(self):
         """Clean up after each test to ensure isolation."""
         super().tearDown()
-        global_enforcer.clear_policy()  # Clear policies after each test to ensure isolation
+        AuthzEnforcer.get_enforcer().clear_policy()  # Clear policies after each test to ensure isolation
 
 
 @ddt
diff --git a/openedx_authz/tests/test_enforcer.py b/openedx_authz/tests/test_enforcer.py
@@ -14,8 +14,6 @@
 from openedx_authz.engine.filter import Filter
 from openedx_authz.engine.utils import migrate_policy_between_enforcers
 
-global_enforcer = AuthzEnforcer.get_enforcer()
-
 
 class PolicyLoadingTestSetupMixin(TestCase):
     """Mixin providing policy loading test utilities."""
@@ -65,6 +63,7 @@ def _seed_database_with_policies(self):
         during application deployment, separate from runtime policy loading.
         """
         # Always start with completely clean state
+        global_enforcer = AuthzEnforcer.get_enforcer()
         global_enforcer.clear_policy()
 
         migrate_policy_between_enforcers(
@@ -87,6 +86,7 @@ def _load_policies_for_scope(self, scope: str = None):
             scope: The scope to load policies for (e.g., 'lib^*' for all libraries).
                   If None, loads all policies using load_policy().
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         if scope is None:
             global_enforcer.load_policy()
         else:
@@ -99,6 +99,7 @@ def _load_policies_for_user_context(self, scopes: list[str] = None):
         Args:
             scopes: List of scopes the user is operating in.
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         global_enforcer.clear_policy()
 
         if scopes:
@@ -116,6 +117,7 @@ def _load_policies_for_role_management(self, role_name: str = None):
         Args:
             role_name: Specific role to load policies for, if any.
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         global_enforcer.clear_policy()
 
         if role_name:
@@ -131,6 +133,7 @@ def _add_test_policies_for_multiple_scopes(self):
         This adds course and organization policies in addition to existing
         library policies to create a realistic multi-scope environment.
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         test_policies = [
             # Course policies
             ["role^course_instructor", "act^edit_course", "course^*", "allow"],
@@ -172,7 +175,7 @@ def setUp(self):
 
     def tearDown(self):
         """Clean up after each test to ensure isolation."""
-        global_enforcer.clear_policy()
+        AuthzEnforcer.get_enforcer().clear_policy()
         super().tearDown()
 
     @ddt_data(
@@ -191,6 +194,7 @@ def test_scope_based_policy_loading(self, scope):
             - Only scope-relevant policies are loaded
             - Policy count matches expected for scope
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         expected_policy_count = self._count_policies_in_file(scope_pattern=scope)
         initial_policy_count = len(global_enforcer.get_policy())
 
@@ -221,6 +225,7 @@ def test_user_context_policy_loading(self, user_scopes):
             - Policies are loaded for user's scopes
             - Policy count is reasonable for context
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         initial_policy_count = len(global_enforcer.get_policy())
 
         self._load_policies_for_user_context(user_scopes)
@@ -241,6 +246,7 @@ def test_role_specific_policy_loading(self, role_name):
             - Role-specific policies are loaded
             - Loaded policies contain expected role
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         initial_policy_count = len(global_enforcer.get_policy())
 
         self._load_policies_for_role_management(role_name)
@@ -263,6 +269,7 @@ def test_policy_loading_lifecycle(self):
             - Policy counts change appropriately between stages
             - No policies exist at startup
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         startup_policy_count = len(global_enforcer.get_policy())
 
         self.assertEqual(startup_policy_count, 0)
@@ -293,6 +300,7 @@ def test_empty_enforcer_behavior(self):
             - Policy queries return empty results
             - No enforcement decisions are possible
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         initial_policy_count = len(global_enforcer.get_policy())
         all_policies = global_enforcer.get_policy()
         all_grouping_policies = global_enforcer.get_grouping_policy()
@@ -320,6 +328,7 @@ def test_filtered_policy_loading_variations(self, policy_filter):
             - Filtered loading works without errors
             - Appropriate policies are loaded based on filter
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         initial_policy_count = len(global_enforcer.get_policy())
 
         global_enforcer.clear_policy()
@@ -337,6 +346,7 @@ def test_policy_clear_and_reload(self):
             - Cleared enforcer has no policies
             - Reloading produces same count as initial load
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         self._load_policies_for_scope("lib^*")
         initial_load_count = len(global_enforcer.get_policy())
 
@@ -360,6 +370,7 @@ def test_filtered_loading_by_role(self, role_name):
             - Filtered count matches policies in file for that role
             - All loaded policies contain the specified role
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         expected_count = self._count_policies_in_file(role=role_name)
 
         self._load_policies_for_role_management(role_name)
@@ -377,6 +388,7 @@ def test_multi_scope_filtering(self):
             - Combined scope filter loads sum of individual scopes
             - Total load equals sum of all scope policies
         """
+        global_enforcer = AuthzEnforcer.get_enforcer()
         lib_scope = "lib^*"
         course_scope = "course^*"
         org_scope = "org^*"
