From 67b5cca032c36ef67a8aee9db6adada9b403dc5c Mon Sep 17 00:00:00 2001
From: Trent Lloyd <trent.lloyd@canonical.com>
Date: Tue, 2 Jan 2024 08:46:24 +0000
Subject: [PATCH] Improve application credential validation speed

Validating an application credential token is very slow, taking at least
400ms+ in a simple devstack environment, 5-10x longer than validating a
user/password project token.

The primary bottleneck during a token validation request
(/v3/auth/tokens) is that token.roles is evaluated at least 5 times.
validate_token is called twice, first during RBAC to populate the
subject token context and again to actually validate the token. Each
call to validate_token then called token.roles twice because it first
checks if it is None, before calling it again to use the result. Lastly
token.roles is evaluated a fifth time during
render_token_response_from_model.

Each evaluation of token.roles calls through
_get_application_credential_roles into list_role_assignments which then
makes multiple round-trip SQL queries to the database.

Unlike the related get_roles_for_user_and_project function, none of
these calls are currently cached/memoized. We memoize
list_role_assignments to get the same-speedup.

Reduce the number of token.roles calls to only 3 by storing and re-using
the token.roles result in validate_token, then memoize
list_role_assignments so the 2nd and 3rd call fetch from the cache
instead of repeating many SQL queries.

This provides a substantial performance improvement bringing validation
time in-line with user/password tokens.

Change-Id: I8c45131b298ceae7b43b42e2c5df167607d18c48
---
 keystone/assignment/core.py                     | 5 +++++
 keystone/models/revoke_model.py                 | 5 +++--
 keystone/tests/unit/assignment/test_backends.py | 6 ++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index a6db545c46..b8039b3c79 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -938,6 +938,7 @@ class Manager(manager.Manager):
 
         return assignments
 
+    @MEMOIZE_COMPUTED_ASSIGNMENTS
     def list_role_assignments(self, role_id=None, user_id=None, group_id=None,
                               system=None, domain_id=None, project_id=None,
                               include_subtree=False, inherited=None,
@@ -1080,6 +1081,7 @@ class Manager(manager.Manager):
         system_assignments = self.list_system_grants_for_group(group_id)
         for assignment in system_assignments:
             self.delete_system_grant_for_group(group_id, assignment['id'])
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()
 
     def delete_user_assignments(self, user_id):
         # FIXME(lbragstad): This should be refactored in the Rocky release so
@@ -1091,6 +1093,7 @@ class Manager(manager.Manager):
         system_assignments = self.list_system_grants_for_user(user_id)
         for assignment in system_assignments:
             self.delete_system_grant_for_user(user_id, assignment['id'])
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()
 
     def check_system_grant_for_user(self, user_id, role_id):
         """Check if a user has a specific role on the system.
@@ -1163,6 +1166,7 @@ class Manager(manager.Manager):
         target_id = self._SYSTEM_SCOPE_TOKEN
         inherited = False
         self.driver.delete_system_grant(role_id, user_id, target_id, inherited)
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()
 
     def check_system_grant_for_group(self, group_id, role_id):
         """Check if a group has a specific role on the system.
@@ -1237,6 +1241,7 @@ class Manager(manager.Manager):
         self.driver.delete_system_grant(
             role_id, group_id, target_id, inherited
         )
+        COMPUTED_ASSIGNMENTS_REGION.invalidate()
 
     def list_all_system_grants(self):
         """Return a list of all system grants."""
diff --git a/keystone/models/revoke_model.py b/keystone/models/revoke_model.py
index 63425f1adc..c36d4fdc30 100644
--- a/keystone/models/revoke_model.py
+++ b/keystone/models/revoke_model.py
@@ -242,8 +242,9 @@ def build_token_values(token):
         token_values['assignment_domain_id'] = None
 
     role_list = []
-    if token.roles is not None:
-        for role in token.roles:
+    token_roles = token.roles
+    if token_roles is not None:
+        for role in token_roles:
             role_list.append(role['id'])
     token_values['roles'] = role_list
 
diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py
index 4add5649a0..119bcf7ab3 100644
--- a/keystone/tests/unit/assignment/test_backends.py
+++ b/keystone/tests/unit/assignment/test_backends.py
@@ -643,6 +643,9 @@ class AssignmentTests(AssignmentTestHelperMixin):
         # attempts to lookup a group that has been deleted in the backend
         with mock.patch.object(PROVIDERS.identity_api, 'get_group',
                                _group_not_found):
+            # Mocking a dependent function makes the cache invalid
+            keystone.assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+
             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
                 include_names=True
             )
@@ -669,6 +672,9 @@ class AssignmentTests(AssignmentTestHelperMixin):
         # in the backend
         with mock.patch.object(PROVIDERS.identity_api, 'list_users_in_group',
                                _group_not_found):
+            # Mocking a dependent function makes the cache invalid
+            keystone.assignment.COMPUTED_ASSIGNMENTS_REGION.invalidate()
+
             assignment_list = PROVIDERS.assignment_api.list_role_assignments(
                 effective=True
             )