fix(gcs): fix timeout by running getPolicy in parallel (#365)
rahmatrhd authored Feb 20, 2023
1 parent f2e2739 commit 274a8ca
Showing 1 changed file with 39 additions and 29 deletions.
68 changes: 39 additions & 29 deletions plugins/providers/gcs/client.go
Expand Up @@ -9,6 +9,7 @@ import (
"cloud.google.com/go/storage"
"github.com/odpf/guardian/domain"
"github.com/odpf/guardian/utils"
"golang.org/x/sync/errgroup"
"google.golang.org/api/iterator"
"google.golang.org/api/option"
)
Expand Down Expand Up @@ -83,42 +84,51 @@ func (c *gcsClient) RevokeBucketAccess(ctx context.Context, b Bucket, identity s

func (c *gcsClient) ListAccess(ctx context.Context, resources []*domain.Resource) (domain.MapResourceAccess, error) {
result := make(domain.MapResourceAccess)
eg, ctx := errgroup.WithContext(ctx)

for _, resource := range resources {
var accessEntries []domain.AccessEntry

bucket := c.client.Bucket(resource.URN)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
return nil, fmt.Errorf("Bucket(%q).IAM().Policy: %w", resource.URN, err)
}

for _, role := range policy.Roles() {
for _, member := range policy.Members(role) {
if strings.HasPrefix(member, "deleted:") {
continue
}
accountType, accountID, err := parseMember(member)
if err != nil {
return nil, err
}
resource := resource
eg.Go(func() error {
var accessEntries []domain.AccessEntry

bucket := c.client.Bucket(resource.URN)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
return fmt.Errorf("Bucket(%q).IAM().Policy: %w", resource.URN, err)
}

// exclude unsupported account types
if !utils.ContainsString(AllowedAccountTypes, accountType) {
continue
for _, role := range policy.Roles() {
for _, member := range policy.Members(role) {
if strings.HasPrefix(member, "deleted:") {
continue
}
accountType, accountID, err := parseMember(member)
if err != nil {
return err
}

// exclude unsupported account types
if !utils.ContainsString(AllowedAccountTypes, accountType) {
continue
}

accessEntries = append(accessEntries, domain.AccessEntry{
Permission: string(role),
AccountID: accountID,
AccountType: accountType,
})
}
}

accessEntries = append(accessEntries, domain.AccessEntry{
Permission: string(role),
AccountID: accountID,
AccountType: accountType,
})
if accessEntries != nil {
result[resource.URN] = accessEntries
}
}

if accessEntries != nil {
result[resource.URN] = accessEntries
}
return nil
})
}
if err := eg.Wait(); err != nil {
return nil, err
}

return result, nil
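Review bot: `result[resource.URN] = accessEntries` now runs inside the `eg.Go` closure, so with more than one resource several goroutines write to the shared `result` map at the same time; Go maps are not safe for concurrent writes and the runtime aborts the whole process with a fatal concurrent-map-writes error instead of returning something the caller can handle. Guard the write with a mutex declared beside the map, `var mu sync.Mutex` right after `result := make(domain.MapResourceAccess)`, and around the assignment `mu.Lock(); result[resource.URN] = accessEntries; mu.Unlock()` (adding `"sync"` to the import block in the first hunk). The change also starts one goroutine per resource with no upper bound, so a long resource list issues that many IAM Policy calls against the API at once; if the errgroup version in use provides it, `eg.SetLimit(n)` would cap the fan-out without changing the result. A doc comment on ListAccess noting that buckets are queried concurrently and that the first error cancels the remaining lookups through the derived `ctx` would make the new behaviour visible to callers.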
