optimize batch access query functions (#198)

* saving progress

* updates

* updates

Author: joshua-roberts

src/main/java/gov/nist/csd/pm/core/common/prohibition/ContainerCondition.java

@@ -8,9 +8,6 @@ public class ContainerCondition implements Serializable {
     private long id;
     private boolean complement;
 
-    public ContainerCondition() {
-    }
-
     public ContainerCondition(long id, boolean complement) {
         this.id = id;
         this.complement = complement;

src/main/java/gov/nist/csd/pm/core/pap/query/AccessQuerier.java

@@ -12,6 +12,7 @@
 import gov.nist.csd.pm.core.common.graph.dag.UserDagResult;
 import gov.nist.csd.pm.core.common.graph.node.Node;
 import gov.nist.csd.pm.core.common.graph.relationship.AccessRightSet;
+import gov.nist.csd.pm.core.pap.query.access.CachedTargetEvaluator;
 import gov.nist.csd.pm.core.pap.query.access.Explainer;
 import gov.nist.csd.pm.core.pap.query.access.TargetEvaluator;
 import gov.nist.csd.pm.core.pap.query.access.UserEvaluator;
@@ -37,31 +38,26 @@ public AccessQuerier(PolicyStore store) {
 
     @Override
     public AccessRightSet computePrivileges(UserContext userCtx, TargetContext targetCtx) throws PMException {
-        // traverse the user side of the graph to get the associations
-        UserEvaluator userEvaluator = new UserEvaluator(store);
-        UserDagResult userDagResult = userEvaluator.evaluate(userCtx);
+        UserDagResult userDagResult = evaluateUser(userCtx);
 
         // traverse the target side of the graph to get permissions per policy class
         TargetEvaluator targetEvaluator = new TargetEvaluator(store);
-        TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx);
 
         // resolve the permissions
-        return resolvePrivileges(userDagResult, targetDagResult, store.operations().getResourceOperations());
+        return computePrivileges(userDagResult, targetCtx, targetEvaluator);
     }
 
     @Override
     public List<AccessRightSet> computePrivileges(UserContext userCtx, List<TargetContext> targetCtxs) throws PMException {
         // traverse the user side of the graph to get the associations
-        UserEvaluator userEvaluator = new UserEvaluator(store);
-        UserDagResult userDagResult = userEvaluator.evaluate(userCtx);
+        UserDagResult userDagResult = evaluateUser(userCtx);
 
         // traverse the target side of the graph to get permissions per policy class
-        TargetEvaluator targetEvaluator = new TargetEvaluator(store);
+        TargetEvaluator targetEvaluator = new CachedTargetEvaluator(store);
 
         List<AccessRightSet> accessRightSets = new ArrayList<>();
         for (TargetContext targetCtx : targetCtxs) {
-            TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx);
-            AccessRightSet privs = resolvePrivileges(userDagResult, targetDagResult, store.operations().getResourceOperations());
+            AccessRightSet privs = computePrivileges(userDagResult, targetCtx, targetEvaluator);
 
             accessRightSets.add(privs);
         }
@@ -92,25 +88,29 @@ public AccessRightSet computeDeniedPrivileges(UserContext userCtx, TargetContext
     public Map<Long, AccessRightSet> computeCapabilityList(UserContext userCtx) throws PMException {
         Map<Long, AccessRightSet> results = new HashMap<>();
 
-        //get border nodes.  Can be OA or UA.  Return empty set if no attrs are reachable
+        // get border nodes.  Can be OA or UA.  Return empty set if no attrs are reachable
         UserEvaluator userEvaluator = new UserEvaluator(store);
         UserDagResult userDagResult = userEvaluator.evaluate(userCtx);
         if (userDagResult.borderTargets().isEmpty()) {
             return results;
         }
 
+        CachedTargetEvaluator cachedTargetEvaluator = new CachedTargetEvaluator(store);
+
         for(long borderTarget : userDagResult.borderTargets().keySet()) {
             // compute permissions on the border attr
-            getAndStorePrivileges(results, userDagResult, borderTarget);
+            AccessRightSet arset = computePrivileges(userDagResult, new TargetContext(borderTarget), cachedTargetEvaluator);
+            results.put(borderTarget, arset);
 
             // compute decisions for the subgraph of the border attr
-            Set<Long> descendants = getAscendants(borderTarget);
-            for (long descendant : descendants) {
-                if (results.containsKey(descendant)) {
+            Set<Long> ascendants = getAscendants(borderTarget);
+            for (long ascendant : ascendants) {
+                if (results.containsKey(ascendant)) {
                     continue;
                 }
 
-                getAndStorePrivileges(results, userDagResult, descendant);
+                arset = computePrivileges(userDagResult, new TargetContext(ascendant), cachedTargetEvaluator);
+                results.put(ascendant, arset);
             }
         }
 
@@ -129,8 +129,12 @@ public Map<Long, AccessRightSet> computeCapabilityList(UserContext userCtx) thro
     public Map<Long, AccessRightSet> computeACL(TargetContext targetCtx) throws PMException {
         Map<Long, AccessRightSet> acl = new HashMap<>();
         Collection<Long> search = store.graph().search(U, NO_PROPERTIES);
+
+        TargetEvaluator targetEvaluator = new CachedTargetEvaluator(store);
         for (long user : search) {
-            AccessRightSet list = this.computePrivileges(new UserContext(user), targetCtx);
+            UserDagResult userDagResult = evaluateUser(new UserContext(user));
+
+            AccessRightSet list = this.computePrivileges(userDagResult, targetCtx, targetEvaluator);
             acl.put(user, list);
         }
 
@@ -139,9 +143,7 @@ public Map<Long, AccessRightSet> computeACL(TargetContext targetCtx) throws PMEx
 
     @Override
     public Map<Long, AccessRightSet> computeDestinationAttributes(UserContext userCtx) throws PMException {
-        return new UserEvaluator(store)
-            .evaluate(userCtx)
-            .borderTargets();
+        return evaluateUser(userCtx).borderTargets();
     }
 
     @Override
@@ -153,17 +155,27 @@ public SubgraphPrivileges computeSubgraphPrivileges(UserContext userCtx, long ro
             subgraphs.add(computeSubgraphPrivileges(userCtx, adjacent));
         }
 
-        return new SubgraphPrivileges(store.graph().getNodeById(root), computePrivileges(userCtx, new TargetContext(root)), subgraphs);
+        UserDagResult userDagResult = evaluateUser(userCtx);
+        TargetEvaluator targetEvaluator = new TargetEvaluator(store);
+
+        return new SubgraphPrivileges(
+            store.graph().getNodeById(root),
+            computePrivileges(userDagResult, new TargetContext(root), targetEvaluator),
+            subgraphs
+        );
     }
 
     @Override
     public Map<Node, AccessRightSet> computeAdjacentAscendantPrivileges(UserContext userCtx, long root) throws PMException {
         Map<Node, AccessRightSet> ascendantPrivs = new HashMap<>();
 
+        UserDagResult userDagResult = evaluateUser(userCtx);
+        TargetEvaluator targetEvaluator = new TargetEvaluator(store);
+
         Collection<Long> adjacentAscendants = store.graph().getAdjacentAscendants(root);
         for (long adjacentAscendant : adjacentAscendants) {
             Node node = store.graph().getNodeById(adjacentAscendant);
-            ascendantPrivs.put(node, computePrivileges(userCtx, new TargetContext(adjacentAscendant)));
+            ascendantPrivs.put(node, computePrivileges(userDagResult, new TargetContext(adjacentAscendant), targetEvaluator));
         }
 
         return ascendantPrivs;
@@ -173,10 +185,13 @@ public Map<Node, AccessRightSet> computeAdjacentAscendantPrivileges(UserContext
     public Map<Node, AccessRightSet> computeAdjacentDescendantPrivileges(UserContext userCtx, long root) throws PMException {
         Map<Node, AccessRightSet> descendantPrivs = new HashMap<>();
 
+        UserDagResult userDagResult = evaluateUser(userCtx);
+        TargetEvaluator targetEvaluator = new TargetEvaluator(store);
+
         Collection<Long> adjacentDescendants = store.graph().getAdjacentDescendants(root);
         for (long adjacentDescendant : adjacentDescendants) {
             Node node = store.graph().getNodeById(adjacentDescendant);
-            descendantPrivs.put(node, computePrivileges(userCtx, new TargetContext(adjacentDescendant)));
+            descendantPrivs.put(node, computePrivileges(userDagResult, new TargetContext(adjacentDescendant), targetEvaluator));
         }
 
         return descendantPrivs;
@@ -192,20 +207,21 @@ public Explain explain(UserContext userCtx, TargetContext targetCtx) throws PMEx
     public Map<Node, AccessRightSet> computePersonalObjectSystem(UserContext userCtx) throws PMException {
         Map<Long, AccessRightSet> pos = new HashMap<>();
 
+        UserDagResult userDagResult = evaluateUser(userCtx);
+        CachedTargetEvaluator cachedTargetEvaluator = new CachedTargetEvaluator(store);
+
         for (long pc : store.graph().getPolicyClasses()) {
             new GraphStoreBFS(store.graph())
                 .withDirection(Direction.ASCENDANTS)
                 .withVisitor(n -> {
-                    AccessRightSet privs = computePrivileges(userCtx, new TargetContext(n));
+                    AccessRightSet privs = computePrivileges(userDagResult, new TargetContext(n), cachedTargetEvaluator);
                     if (privs.isEmpty()) {
                         return;
                     }
 
                     pos.put(n, privs);
                 })
-                .withSinglePathShortCircuit(n -> {
-                    return pos.containsKey(n);
-                })
+                .withSinglePathShortCircuit(pos::containsKey)
                 .walk(pc);
         }
 
@@ -217,11 +233,9 @@ public Map<Node, AccessRightSet> computePersonalObjectSystem(UserContext userCtx
         return posWithNodes;
     }
 
-    private void getAndStorePrivileges(Map<Long, AccessRightSet> arsetMap, UserDagResult userDagResult, long target) throws PMException {
-        TargetDagResult result = new TargetEvaluator(store)
-            .evaluate(userDagResult, new TargetContext(target));
-        AccessRightSet privileges = resolvePrivileges(userDagResult, result, store.operations().getResourceOperations());
-        arsetMap.put(target, privileges);
+    private UserDagResult evaluateUser(UserContext userCtx) throws PMException {
+        UserEvaluator userEvaluator = new UserEvaluator(store);
+        return userEvaluator.evaluate(userCtx);
     }
 
     private Set<Long> getAscendants(long vNode) throws PMException {
@@ -240,4 +254,11 @@ private Set<Long> getAscendants(long vNode) throws PMException {
 
         return ret;
     }
+
+    private AccessRightSet computePrivileges(UserDagResult userDagResult, TargetContext targetCtx, TargetEvaluator targetEvaluator) throws PMException {
+        TargetDagResult targetDagResult = targetEvaluator.evaluate(userDagResult, targetCtx);
+
+        // resolve the permissions
+        return resolvePrivileges(userDagResult, targetDagResult, store.operations().getResourceOperations());
+    }
 }

src/main/java/gov/nist/csd/pm/core/pap/query/access/CachedTargetEvaluator.java

@@ -0,0 +1,58 @@
+package gov.nist.csd.pm.core.pap.query.access;
+
+import gov.nist.csd.pm.core.common.exception.PMException;
+import gov.nist.csd.pm.core.common.graph.dag.TargetDagResult;
+import gov.nist.csd.pm.core.common.graph.dag.UserDagResult;
+import gov.nist.csd.pm.core.common.graph.relationship.AccessRightSet;
+import gov.nist.csd.pm.core.pap.query.model.context.TargetContext;
+import gov.nist.csd.pm.core.pap.store.PolicyStore;
+import it.unimi.dsi.fastutil.longs.Long2ObjectOpenHashMap;
+import it.unimi.dsi.fastutil.longs.LongArrayList;
+import it.unimi.dsi.fastutil.longs.LongOpenHashSet;
+
+import java.util.Collection;
+import java.util.Map;
+import java.util.Set;
+
+public class CachedTargetEvaluator extends TargetEvaluator {
+
+    private UserDagResult cachedUserDagResult;
+    private final Map<Long, Map<Long, AccessRightSet>> cachedVisitedNodes;
+
+    public CachedTargetEvaluator(PolicyStore policyStore) {
+        super(policyStore);
+        this.cachedVisitedNodes = new Long2ObjectOpenHashMap<>();
+    }
+
+    @Override
+    public TargetDagResult evaluate(UserDagResult userDagResult, TargetContext targetContext) throws PMException {
+        // If UserDagResult has changed, clear the cache
+        if (cachedUserDagResult == null || !cachedUserDagResult.equals(userDagResult)) {
+            cachedUserDagResult = userDagResult;
+            cachedVisitedNodes.clear();
+        }
+
+        return super.evaluate(userDagResult, targetContext);
+    }
+
+    @Override
+    protected TraversalState initializeEvaluationState(UserDagResult userDagResult, TargetContext targetCtx) throws PMException {
+        Collection<Long> firstLevelDescs = new LongArrayList();
+        if (targetCtx.isNode()) {
+            firstLevelDescs.addAll(policyStore.graph().getAdjacentDescendants(targetCtx.getTargetId()));
+        } else {
+            firstLevelDescs.addAll(targetCtx.getAttributeIds());
+        }
+
+        Set<Long> userProhibitionTargets = collectUserProhibitionTargets(userDagResult.prohibitions());
+        Set<Long> visitedProhibitionTargets = new LongOpenHashSet();
+
+        // Use cached visitedNodes instead of creating a new one
+        return new TraversalState(
+            firstLevelDescs,
+            userProhibitionTargets,
+            cachedVisitedNodes,
+            visitedProhibitionTargets
+        );
+    }
+}