restricted_paths: run shadow path comparison logging

Summary:
## This stack
This stack moves restricted paths toward AclManifest-backed restriction lookup and Shadow-mode comparison logging while keeping existing `RestrictedPaths` public APIs and config-backed enforcement behavior stable. The end state is that path and manifest access checks can evaluate both the legacy config/manifest-id-store source and the new AclManifest source, log source-prefixed comparison results to Scuba, and still return config-authoritative authorization results while Shadow mode is being validated.

Before this stack, restricted path logging was effectively single-source: path access read `path_acls` from config, manifest access read restricted paths from the manifest-id store, and Scuba rows only described the aggregate config-backed result. That made it hard to prove whether AclManifest-derived restrictions matched production behavior before flipping traffic to them.

After this stack, lookup and logging are split into source-specific primitives: config and AclManifest restriction lookup live behind explicit source selectors, authorization result construction is shared, and Shadow mode dispatch runs both sources side by side for supported path and HgAugmented manifest accesses. Scuba rows now include aggregate config-authoritative fields plus `config_*`, `acl_manifest_*`, `acl_manifest_mode`, errors, and `considered_restricted_by`, so we can compare behavior without changing enforcement.

```text
Before:
  path access     -> config path_acls            -> aggregate auth/log row
  manifest access -> manifest-id store + config  -> aggregate auth/log row

After:
  path access
    -> config path_acls              -> authoritative result
    -> AclManifest at changeset      -> shadow comparison fields
    -> Scuba: aggregate + config_* + acl_manifest_* + considered_restricted_by

  HgAugmented manifest access
    -> config manifest-id store      -> authoritative result
    -> manifest acl_manifest pointer -> shadow comparison fields
    -> Scuba: aggregate + config_* + acl_manifest_* + considered_restricted_by
```

This makes the codebase better by separating lookup, authorization, and logging responsibilities; making source choice explicit in tests and implementation; and giving us production observability for AclManifest parity before changing enforcement. Follow-up work can use the Shadow data to fix mismatches, expand support beyond HgAugmented manifest logging, move repos toward `Both`/`Authoritative` modes, and eventually remove legacy manifest-type handling and config-only fallbacks once AclManifest is proven safe.

## This diff (behaviour change)
This diff wires Shadow-mode path access through config and AclManifest source checks. This is a behavior change in Shadow mode only: path access now logs source comparison rows when either source finds a restriction or errors, while the returned authorization result remains config-authoritative.

Reviewed By: lmvasquezg

Differential Revision: D103436517

fbshipit-source-id: b4797cb3c4ce7c7eec937e06f9a1f71fb96c2b8b

Author: gustavoavena

eden/mononoke/repo_attributes/restricted_paths/src/access_log.rs

@@ -122,13 +122,6 @@ pub(crate) struct SourceRestrictionCheckResult {
     pub(crate) is_rollout_allowlisted: bool,
 }
 
-#[cfg_attr(
-    not(test),
-    expect(
-        dead_code,
-        reason = "implemented before Shadow dispatch wires production callers"
-    )
-)]
 impl SourceRestrictionCheckResult {
     pub(crate) fn new(
         has_authorization: bool,
@@ -254,13 +247,6 @@ pub async fn is_part_of_group(
 /// config-authoritative, while source disagreement is summarized with compact
 /// mismatch fields. If every available source completed unrestricted, no row
 /// is written.
-#[cfg_attr(
-    not(test),
-    expect(
-        dead_code,
-        reason = "implemented before Shadow dispatch wires production callers"
-    )
-)]
 pub(crate) fn log_source_results_to_scuba(
     ctx: &CoreContext,
     repo_id: RepositoryId,

eden/mononoke/repo_attributes/restricted_paths/src/lib.rs

@@ -38,9 +38,12 @@ use tokio::task;
 
 pub use crate::access_log::ACCESS_LOG_SCUBA_TABLE;
 pub use crate::access_log::RestrictionCheckResult;
+use crate::access_log::SourceRestrictionResult;
 pub use crate::access_log::has_read_access_to_repo_region_acls;
 use crate::access_log::is_member_of_groups;
 use crate::access_log::log_access_to_restricted_path;
+use crate::access_log::log_source_results_to_scuba;
+use crate::restriction_check::PathRestrictionSource;
 pub use crate::restriction_info::ManifestRestrictionInfo;
 pub use crate::restriction_info::PathRestrictionInfo;
 
@@ -133,7 +136,9 @@ impl RestrictedPaths {
     /// from `.slacl` files in the repo, so callers cannot treat a false
     /// config-only lookup as proof that no restricted paths exist.
     pub fn may_have_restricted_paths(&self) -> bool {
-        self.use_acl_manifest || self.config_based.has_restricted_paths()
+        self.use_acl_manifest
+            || self.config_based.has_restricted_paths()
+            || self.config().acl_manifest_mode == AclManifestMode::Shadow
     }
 
     /// Returns the soft path ACLs configuration.
@@ -321,6 +326,12 @@ impl RestrictedPaths {
         path: NonRootMPath,
         cs_id: Option<ChangesetId>,
     ) -> Result<RestrictionCheckResult> {
+        if !self.use_acl_manifest && self.config().acl_manifest_mode == AclManifestMode::Shadow {
+            return self
+                .log_shadow_access_by_path_if_restricted(ctx, path, cs_id)
+                .await;
+        }
+
         // Return early if the repo doesn't have any restricted paths.
         let _ = cs_id; // Will be used in a follow-up diff for ACL manifest checks
         if self.config().is_empty() {
@@ -362,6 +373,53 @@ impl RestrictedPaths {
         .await
     }
 
+    async fn log_shadow_access_by_path_if_restricted(
+        &self,
+        ctx: &CoreContext,
+        path: NonRootMPath,
+        cs_id: Option<ChangesetId>,
+    ) -> Result<RestrictionCheckResult> {
+        let config_result = source_result(
+            restriction_check::check_path_restriction(
+                ctx,
+                self,
+                path.clone(),
+                PathRestrictionSource::Config,
+            )
+            .await,
+        );
+        let acl_manifest_result = match cs_id {
+            Some(cs_id) => Some(source_result(
+                restriction_check::check_path_restriction(
+                    ctx,
+                    self,
+                    path.clone(),
+                    PathRestrictionSource::AclManifest(cs_id),
+                )
+                .await,
+            )),
+            None => None,
+        };
+
+        log_source_results_to_scuba(
+            ctx,
+            self.config_based.manifest_id_store().repo_id(),
+            &config_result,
+            acl_manifest_result.as_ref(),
+            AclManifestMode::Shadow,
+            crate::access_log::RestrictedPathAccessData::FullPath { full_path: path },
+            self.scuba.clone(),
+        )?;
+
+        let config = config_result
+            .as_ref()
+            .map_err(|err| anyhow::anyhow!("{:#}", err))?;
+        Ok(RestrictionCheckResult {
+            has_authorization: config.has_authorization,
+            restriction_roots: config.restriction_paths.clone().unwrap_or_default(),
+        })
+    }
+
     /// Check if any client identity matches the enforcement conditions config.
     /// Returns true if enforcement should be applied.
     async fn should_enforce_restriction(&self, ctx: &CoreContext) -> Result<bool> {
@@ -375,6 +433,15 @@ impl RestrictedPaths {
     }
 }
 
+fn source_result<T>(result: Result<T>) -> SourceRestrictionResult
+where
+    T: Into<crate::access_log::SourceRestrictionCheckResult>,
+{
+    result
+        .map(|result| Arc::new(result.into()))
+        .map_err(Arc::new)
+}
+
 /// Helper function to spawn an async task that logs access to restricted paths.
 ///
 /// This function checks if restricted paths access logging is enabled via justknobs,
@@ -408,8 +475,8 @@ pub fn spawn_log_restricted_path_access(
         return Ok(None);
     }
 
-    // Early return if config is empty - no restricted paths to check
-    if restricted_paths.config().is_empty() {
+    // Early return if no source can report restricted paths.
+    if !restricted_paths.may_have_restricted_paths() {
         return Ok(None);
     }
 

eden/mononoke/repo_attributes/restricted_paths/src/restriction_check.rs

@@ -8,8 +8,10 @@
 //! Restriction check helpers that turn restriction lookup results into
 //! authorization results.
 
+use std::str::FromStr;
 use std::sync::Arc;
 
+use anyhow::Context;
 use anyhow::Result;
 use context::CoreContext;
 use futures::future;
@@ -22,11 +24,13 @@ use crate::ManifestId;
 use crate::ManifestType;
 use crate::RestrictedPaths;
 use crate::RestrictionCheckResult;
+use crate::access_log::SourceRestrictionCheckResult;
 use crate::access_log::has_read_access_to_repo_region_acls;
 use crate::access_log::is_part_of_group;
+use crate::restriction_info;
+use crate::restriction_info::PathRestrictionInfo;
 
 /// Source to use for path-side restriction checks.
-#[expect(dead_code, reason = "interface skeleton for the split stack")]
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub(crate) enum PathRestrictionSource {
     /// Config-backed path ACLs.
@@ -102,14 +106,30 @@ pub(crate) fn build_restriction_check_result(
 }
 
 /// Check a path against one restriction source.
-#[expect(dead_code, reason = "interface skeleton for the split stack")]
 pub(crate) async fn check_path_restriction(
-    _ctx: &CoreContext,
-    _restricted_paths: &RestrictedPaths,
-    _path: NonRootMPath,
-    _source: PathRestrictionSource,
-) -> Result<RestrictionCheckResult> {
-    unimplemented!("implemented by the follow-up extraction diff")
+    ctx: &CoreContext,
+    restricted_paths: &RestrictedPaths,
+    path: NonRootMPath,
+    source: PathRestrictionSource,
+) -> Result<SourceRestrictionCheckResult> {
+    match source {
+        PathRestrictionSource::Config => {
+            check_config_path_authorization(ctx, restricted_paths, &path).await
+        }
+        PathRestrictionSource::AclManifest(cs_id) => {
+            let restriction_info = restriction_info::get_path_restriction_info_from_acl_manifest(
+                restricted_paths,
+                ctx,
+                cs_id,
+                std::slice::from_ref(&path),
+            )
+            .await
+            .context("find AclManifest restrictions for path-side fetch")?;
+            let restriction_acls = parse_restriction_acls(&restriction_info)?;
+            check_path_authorization(ctx, restricted_paths, restriction_info, restriction_acls)
+                .await
+        }
+    }
 }
 
 /// Check a manifest against one restriction source.
@@ -123,3 +143,76 @@ pub(crate) async fn check_manifest_restriction(
 ) -> Result<RestrictionCheckResult> {
     unimplemented!("implemented by the follow-up extraction diff")
 }
+
+async fn check_config_path_authorization(
+    ctx: &CoreContext,
+    restricted_paths: &RestrictedPaths,
+    path: &NonRootMPath,
+) -> Result<SourceRestrictionCheckResult> {
+    let (restriction_info, restriction_acls) = restricted_paths
+        .config()
+        .path_acls
+        .iter()
+        .filter(|(prefix, _)| prefix.is_prefix_of(path))
+        .map(|(restriction_root, acl)| {
+            let repo_region_acl = acl.to_string();
+            (
+                PathRestrictionInfo {
+                    restriction_root: restriction_root.clone(),
+                    request_acl: repo_region_acl.clone(),
+                    repo_region_acl,
+                },
+                acl.clone(),
+            )
+        })
+        .unzip();
+
+    check_path_authorization(ctx, restricted_paths, restriction_info, restriction_acls).await
+}
+
+async fn check_path_authorization(
+    ctx: &CoreContext,
+    restricted_paths: &RestrictedPaths,
+    restriction_info: Vec<PathRestrictionInfo>,
+    restriction_acls: Vec<MononokeIdentity>,
+) -> Result<SourceRestrictionCheckResult> {
+    if restriction_info.is_empty() {
+        return Ok(SourceRestrictionCheckResult::unrestricted(Some(vec![])));
+    }
+
+    let restriction_paths = restriction_info
+        .iter()
+        .map(|info| info.restriction_root.clone())
+        .collect::<Vec<_>>();
+    let acl_refs = restriction_acls.iter().collect::<Vec<_>>();
+    let authorization = check_authorization(
+        ctx,
+        restricted_paths.acl_provider(),
+        &acl_refs,
+        restricted_paths.config().tooling_allowlist_group.as_deref(),
+        restricted_paths.config().rollout_allowlist_group.as_deref(),
+    )
+    .await?;
+
+    Ok(SourceRestrictionCheckResult::new(
+        authorization.has_authorization(),
+        authorization.has_acl_access,
+        restriction_acls,
+        Some(restriction_paths),
+        authorization.is_allowlisted_tooling,
+        authorization.is_rollout_allowlisted,
+    ))
+}
+
+fn parse_restriction_acls(
+    restriction_info: &[PathRestrictionInfo],
+) -> Result<Vec<MononokeIdentity>> {
+    restriction_info
+        .iter()
+        .map(|info| {
+            MononokeIdentity::from_str(&info.repo_region_acl).with_context(|| {
+                format!("Failed to parse repo_region_acl {}", info.repo_region_acl)
+            })
+        })
+        .collect()
+}