From 274a8ca0bb5cba03d83d840815abfd709d13a37a Mon Sep 17 00:00:00 2001
From: Rahmat Hidayat
Date: Mon, 20 Feb 2023 10:50:42 +0700
Subject: [PATCH] fix(gcs): fix timeout by running getPolicy in parallel (#365)
---
 plugins/providers/gcs/client.go | 68 +++++++++++++++++++--------------
 1 file changed, 39 insertions(+), 29 deletions(-)
diff --git a/plugins/providers/gcs/client.go b/plugins/providers/gcs/client.go
index 956a79d6f..f03dd787e 100644
--- a/plugins/providers/gcs/client.go
+++ b/plugins/providers/gcs/client.go
@@ -9,6 +9,7 @@ import (
 "cloud.google.com/go/storage"
 "github.com/odpf/guardian/domain"
 "github.com/odpf/guardian/utils"
+ "golang.org/x/sync/errgroup"
 "google.golang.org/api/iterator"
 "google.golang.org/api/option"
 )
@@ -83,42 +84,51 @@ func (c *gcsClient) RevokeBucketAccess(ctx context.Context, b Bucket, identity s
 func (c *gcsClient) ListAccess(ctx context.Context, resources []*domain.Resource) (domain.MapResourceAccess, error) {
 result := make(domain.MapResourceAccess)
+ eg, ctx := errgroup.WithContext(ctx)
 for _, resource := range resources {
- var accessEntries []domain.AccessEntry
-
- bucket := c.client.Bucket(resource.URN)
- policy, err := bucket.IAM().Policy(ctx)
- if err != nil {
- return nil, fmt.Errorf("Bucket(%q).IAM().Policy: %w", resource.URN, err)
- }
-
- for _, role := range policy.Roles() {
- for _, member := range policy.Members(role) {
- if strings.HasPrefix(member, "deleted:") {
- continue
- }
- accountType, accountID, err := parseMember(member)
- if err != nil {
- return nil, err
- }
+ resource := resource
+ eg.Go(func() error {
+ var accessEntries []domain.AccessEntry
+
+ bucket := c.client.Bucket(resource.URN)
+ policy, err := bucket.IAM().Policy(ctx)
+ if err != nil {
+ return fmt.Errorf("Bucket(%q).IAM().Policy: %w", resource.URN, err)
+ }
- // exclude unsupported account types
- if !utils.ContainsString(AllowedAccountTypes, accountType) {
- continue
+ for _, role := range policy.Roles() {
+ for _, member := range policy.Members(role) {
+ if strings.HasPrefix(member, "deleted:") {
+ continue
+ }
+ accountType, accountID, err := parseMember(member)
+ if err != nil {
+ return err
+ }
+
+ // exclude unsupported account types
+ if !utils.ContainsString(AllowedAccountTypes, accountType) {
+ continue
+ }
+
+ accessEntries = append(accessEntries, domain.AccessEntry{
+ Permission: string(role),
+ AccountID: accountID,
+ AccountType: accountType,
+ })
 }
+ }
- accessEntries = append(accessEntries, domain.AccessEntry{
- Permission: string(role),
- AccountID: accountID,
- AccountType: accountType,
- })
+ if accessEntries != nil {
+ result[resource.URN] = accessEntries
 }
- }
- if accessEntries != nil {
- result[resource.URN] = accessEntries
- }
+ return nil
+ })
+ }
+ if err := eg.Wait(); err != nil {
+ return nil, err
 }
 return result, nil
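Review bot: The closures passed to `eg.Go` all write to the shared `result` map (`result[resource.URN] = accessEntries`) with no synchronisation, and Go maps are not safe for concurrent writes. With more than one resource this is a data race that the runtime can turn into an unrecoverable `concurrent map writes` crash, or that can leave the returned access listing incomplete, which matters for a function whose output feeds access review. Declare `var mu sync.Mutex` beside `eg` and wrap the write as `mu.Lock(); result[resource.URN] = accessEntries; mu.Unlock()` (importing `sync` if the file does not already), or collect per-resource results in a pre-sized slice and fill the map after `eg.Wait()`. The loop also starts one goroutine per resource with no cap; if the vendored errgroup version provides it, `eg.SetLimit(n)` would keep a long bucket list from bursting the IAM API quota. ListAccess's closing brace lies outside the hunk.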