squash!: Changed approach to use DB instead of cache

Author: rodmgwgu

openedx_authz/engine/enforcer.py

@@ -21,10 +21,10 @@
 from casbin import SyncedEnforcer
 from casbin_adapter.enforcer import initialize_enforcer
 from django.conf import settings
-from django.core.cache import cache
 
 from openedx_authz.engine.adapter import ExtendedAdapter
 from openedx_authz.engine.matcher import is_admin_or_superuser_check
+from openedx_authz.models.engine import PolicyCacheControl
 
 
 def libraries_v2_enabled() -> bool:
@@ -69,8 +69,6 @@ class AuthzEnforcer:
         _adapter (ExtendedAdapter): The singleton adapter instance.
     """
 
-    CACHE_KEY = "authz_policy_last_modified_timestamp"
-
     _enforcer = None
     _adapter = None
     _last_policy_load_timestamp = None
@@ -152,7 +150,6 @@ def configure_enforcer_auto_save_and_load(cls):
         auto_load_policy_interval = getattr(settings, "CASBIN_AUTO_LOAD_POLICY_INTERVAL", 0)
         auto_save_policy = getattr(settings, "CASBIN_AUTO_SAVE_POLICY", True)
 
-        # TODO: remove autoload in favor of cache invalidation?
         if auto_load_policy_interval > 0:
             cls.configure_enforcer_auto_loading(auto_load_policy_interval)
         else:
@@ -171,20 +168,20 @@ def load_policy_if_needed(cls):
         Returns:
             None
         """
-        last_modified_timestamp = cache.get(cls.CACHE_KEY)
+        last_modified_timestamp = PolicyCacheControl.get_last_modified_timestamp()
 
         current_timestamp = time.time()
 
         if last_modified_timestamp is None:
             # No timestamp in cache; initialize it
-            cache.set(cls.CACHE_KEY, current_timestamp, None)
-            logger.info(f">>>> Initialized policy last modified timestamp in cache. {current_timestamp}")
+            PolicyCacheControl.set_last_modified_timestamp(current_timestamp)
+            logger.info("Initialized policy last modified timestamp in cache control.")
 
         if cls._last_policy_load_timestamp is None or last_modified_timestamp > cls._last_policy_load_timestamp:
             # Policy has been modified since last load; reload it
             cls._enforcer.load_policy()
             cls._last_policy_load_timestamp = current_timestamp
-            logger.info(f">>>> Reloaded policy at {current_timestamp}")
+            logger.info(f"Reloaded policy at {current_timestamp}")
 
     @classmethod
     def invalidate_policy_cache(cls):
@@ -197,8 +194,8 @@ def invalidate_policy_cache(cls):
             None
         """
         current_timestamp = time.time()
-        cache.set(cls.CACHE_KEY, current_timestamp, None)
-        logger.info(f">>>> Invalidated policy cache at {current_timestamp}")
+        PolicyCacheControl.set_last_modified_timestamp(current_timestamp)
+        logger.info(f"Invalidated policy cache at {current_timestamp}")
 
     @classmethod
     def get_enforcer(cls) -> SyncedEnforcer:

openedx_authz/migrations/0005_policycachecontrol.py

@@ -0,0 +1,21 @@
+# Generated by Django 4.2.24 on 2025-11-13 22:32
+
+import datetime
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("openedx_authz", "0004_contentlibraryscope"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PolicyCacheControl",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("last_modified", models.DateTimeField(default=datetime.datetime.now)),
+            ],
+        ),
+    ]

openedx_authz/models/engine.py

@@ -0,0 +1,49 @@
+"""Models for the authorization engine."""
+
+from datetime import datetime
+
+from django.db import models
+
+
+class PolicyCacheControl(models.Model):
+    """Model to control policy cache invalidation.
+
+    This model can be used to trigger cache invalidation for authorization policies
+    by updating its timestamp. Whenever this model is updated, the authorization
+    engine should invalidate its cached policies.
+    """
+
+    last_modified = models.DateTimeField(default=datetime.now)
+
+    def save(self, *args, **kwargs):
+        """Override save to update the timestamp."""
+        self.pk = 1  # Ensure a single instance
+        super().save(*args, **kwargs)
+
+    @classmethod
+    def get(cls):
+        """Get the singleton instance of the model."""
+        obj, _ = cls.objects.get_or_create(pk=1)
+        return obj
+
+    @classmethod
+    def get_last_modified_timestamp(cls):
+        """Get the last modified timestamp for policy cache control.
+
+        Returns:
+            float: The timestamp of the last update.
+        """
+        instance = cls.get()
+        return instance.last_modified.timestamp()
+
+    @classmethod
+    def set_last_modified_timestamp(cls, timestamp: float):
+        """Update the last modified timestamp to the current time.
+
+        This method updates the timestamp, which can be used to signal
+        that the policy cache should be invalidated.
+        """
+        instance = cls.get()
+        instance.last_modified = datetime.fromtimestamp(timestamp)
+
+        instance.save()

openedx_authz/tests/test_enforcer.py

@@ -12,12 +12,12 @@
 from ddt import data as ddt_data
 from ddt import ddt
 from django.conf import settings
-from django.core.cache import cache
 from django.test import TestCase, TransactionTestCase, override_settings
 
 from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.engine.filter import Filter
 from openedx_authz.engine.utils import migrate_policy_between_enforcers
+from openedx_authz.models.engine import PolicyCacheControl
 from openedx_authz.tests.test_utils import make_action_key, make_role_key, make_scope_key, make_user_key
 
 
@@ -845,12 +845,11 @@ def test_load_policy_if_needed_initializes_cache_timestamp(self, mock_toggle):
         mock_toggle.return_value = True
 
         AuthzEnforcer._last_policy_load_timestamp = None  # pylint: disable=protected-access
-        cache.clear()
 
         # get_enforcer calls load_policy_if_needed internally
         AuthzEnforcer.get_enforcer()
 
-        cached_timestamp = cache.get(AuthzEnforcer.CACHE_KEY)
+        cached_timestamp = PolicyCacheControl.get_last_modified_timestamp()
         self.assertIsNotNone(cached_timestamp)
         self.assertIsNotNone(AuthzEnforcer._last_policy_load_timestamp)  # pylint: disable=protected-access
 
@@ -871,7 +870,7 @@ def test_load_policy_if_needed_loads_when_stale(self, mock_toggle):
         # Set last load timestamp to stale value
         AuthzEnforcer._last_policy_load_timestamp = stale_timestamp  # pylint: disable=protected-access
         # Set last cache invalidation to a more recent time
-        cache.set(AuthzEnforcer.CACHE_KEY, now, None)
+        PolicyCacheControl.set_last_modified_timestamp(now)
 
         # get_enforcer calls load_policy_if_needed internally
         AuthzEnforcer.get_enforcer()
@@ -898,7 +897,7 @@ def test_load_policy_if_needed_doesnt_reload_when_not_stale(self, mock_toggle):
         # Set last load timestamp to current time
         AuthzEnforcer._last_policy_load_timestamp = now  # pylint: disable=protected-access
         # Set last cache invalidation to an earlier time
-        cache.set(AuthzEnforcer.CACHE_KEY, now - 60, None)  # 60 seconds ago
+        PolicyCacheControl.set_last_modified_timestamp(now - 60)  # 60 seconds ago
 
         # get_enforcer calls load_policy_if_needed internally
         AuthzEnforcer.get_enforcer()
@@ -920,10 +919,10 @@ def test_invalidate_policy_cache(self, mock_toggle):
 
         AuthzEnforcer._last_policy_load_timestamp = time.time()  # pylint: disable=protected-access
         old_cache_value = time.time() - 60  # 60 seconds ago
-        cache.set(AuthzEnforcer.CACHE_KEY, old_cache_value, None)
+        PolicyCacheControl.set_last_modified_timestamp(old_cache_value)
 
         AuthzEnforcer.invalidate_policy_cache()
 
-        new_cache_value = cache.get(AuthzEnforcer.CACHE_KEY)
+        new_cache_value = PolicyCacheControl.get_last_modified_timestamp()
         self.assertIsNotNone(new_cache_value)
         self.assertGreater(new_cache_value, old_cache_value)