Merge 3ef3f57 into cee02e6

src/main/scala/org/broadinstitute/dsde/workbench/sam/openam/AccessPolicyDAO.scala

@@ -31,8 +31,6 @@ trait AccessPolicyDAO {
   def listAccessPoliciesForUser(resource: FullyQualifiedResourceId, user: WorkbenchUserId): IO[Set[AccessPolicyWithoutMembers]]
   def listFlattenedPolicyMembers(policyId: FullyQualifiedPolicyId): IO[Set[WorkbenchUser]]
   def setPolicyIsPublic(policyId: FullyQualifiedPolicyId, isPublic: Boolean): IO[Unit]
-
-  def evictIsMemberOfCache(subject: WorkbenchSubject): IO[Unit]
 }
 
 

src/main/scala/org/broadinstitute/dsde/workbench/sam/openam/PostgresAccessPolicyDAO.scala

@@ -798,8 +798,6 @@ class PostgresAccessPolicyDAO(protected val dbRef: DbReference,
               and ${r.name} = ${policyId.resource.resourceId}
               and ${rt.name} = ${policyId.resource.resourceTypeName}""".update().apply()
   }
-
-  override def evictIsMemberOfCache(subject: WorkbenchSubject): IO[Unit] = IO.unit
 }
 
 private final case class PolicyInfo(name: AccessPolicyName, resourceId: ResourceId, resourceTypeName: ResourceTypeName, email: WorkbenchEmail, public: Boolean)

src/main/scala/org/broadinstitute/dsde/workbench/sam/service/PolicyEvaluatorService.scala

@@ -39,17 +39,7 @@ class PolicyEvaluatorService(
   }
 
   def hasPermission(resource: FullyQualifiedResourceId, action: ResourceAction, userId: WorkbenchUserId, parentSpan: Span = null): IO[Boolean] = traceIOWithParent("hasPermission", parentSpan)(_ => {
-    def checkPermission(force: Boolean) =
-      listUserResourceActions(resource, userId, force).map { _.contains(action) }
-
-    // this is optimized for the case where the user has permission since that is the usual case
-    // if the first attempt shows the user does not have permission, force a second attempt
-    for {
-      attempt1 <- traceIOWithParent("checkWithCache", parentSpan)(_ => checkPermission(force = false))
-      attempt2 <- if (attempt1) IO.pure(attempt1) else traceIOWithParent("checkWithoutCache", parentSpan)(_ =>checkPermission(force = true))
-    } yield {
-      attempt2
-    }
+    listUserResourceActions(resource, userId).map { _.contains(action) }
   })
 
   /** Checks if user have permission by providing user email address. */
@@ -68,10 +58,9 @@ class PolicyEvaluatorService(
     *
     * @param resource
     * @param userId
-    * @param force true to ignore any caching
     * @return
     */
-  def listUserResourceActions(resource: FullyQualifiedResourceId, userId: WorkbenchUserId, force: Boolean = false): IO[Set[ResourceAction]] = {
+  def listUserResourceActions(resource: FullyQualifiedResourceId, userId: WorkbenchUserId): IO[Set[ResourceAction]] = {
     def allActions(policy: AccessPolicyWithoutMembers, resourceType: ResourceType): Set[ResourceAction] = {
       val roleActions = policy.roles.flatMap { role =>
         resourceType.roles.filter(_.roleName == role).flatMap(_.actions)
@@ -80,7 +69,6 @@ class PolicyEvaluatorService(
     }
 
     for {
-      _ <- if (force) accessPolicyDAO.evictIsMemberOfCache(userId) else IO.unit
       rt <- IO.fromEither[ResourceType](
         resourceTypes.get(resource.resourceTypeName).toRight(new WorkbenchException(s"missing configuration for resourceType ${resource.resourceTypeName}")))
       isConstrainable = rt.isAuthDomainConstrainable

src/test/scala/org/broadinstitute/dsde/workbench/sam/openam/MockAccessPolicyDAO.scala

@@ -147,6 +147,4 @@ class MockAccessPolicyDAO(private val policies: mutable.Map[WorkbenchGroupIdenti
       }.toStream
     )
   }
-
-  override def evictIsMemberOfCache(subject: WorkbenchSubject): IO[Unit] = IO.unit
 }