restricted_paths: use path check primitives

Summary:
## This stack
This stack completes the second half of the restricted_paths AclManifest migration after the shadow comparison logging stack. The end result is that restricted_paths no longer relies on legacy construction flags or source-specific call paths: AclManifestMode owns source selection, config and AclManifest fetches are planned explicitly, the fetch results are shared between logging, enforcement, and metadata, and the public callers adapt to the final manifest-aware shape at the API boundary.

Visual flow: https://pxl.cl/9GjpF

Before this stack:
- Behavior was split across the old use_acl_manifest construction state, config-shaped metadata APIs, conditional_enforcement_acls, duplicated source fetches, and unimplemented AclManifest enforcement modes.
- Logging and enforcement could ask for overlapping source data independently, and Mononoke API/HG, SCS, and SLAPI still had to bridge around the incomplete manifest restriction shape.

After this stack:
- Construction and source planning are mode-driven. Disabled, Shadow, Both, and Authoritative modes choose the sources they need;
- Config and AclManifest fetches can be killed switched independently by rollout knobs;
- Shared typed fetch handles feed both comparison logging and enforcement;
- Conditional enforcement uses `enforcement_condition_sets`
- `AclManifestMode::Both` mode denies if either source denies;
- Authoritative-source errors are surfaced when the authoritative source cannot answer;
- Metadata lookup unions config and AclManifest results in Both mode.

This makes the codebase better because
- Source (config vs acl_manifest) choice is centralized,
- Fetch work is not duplicated
- Rollout controls are easier to reason about
- Restriction check results are typed instead of copied into loosely shaped structs, and API-specific adaptation happens at the edge instead of leaking through the restricted_paths internals.
- **The stack also stays reviewable by putting no-op setup and tests before behavior changes**

Remaining follow-ups after this stack are
- Schematized Scuba source/error parity
- The Eden API vector response shape tracked by TODO(T248658346)
- Reviewing the both-sources-disabled fail-open behavior also tracked by TODO(T248658346)
- Deleting rollout-only fallback paths after AclManifest enforcement is proven.

## This diff (no-op)
Changes `ChangesetPathRestrictionContext::restriction_info` to use the typed restricted_paths path check primitive when callers request permission checks. The API behavior is unchanged: callers still receive `PathAccessInfo`, `has_access` remains populated only when requested, and restriction-info-only callers still avoid authorization checks. This removes duplicate ACL parsing/checking from mononoke_api and keeps the permission-checking logic owned by restricted_paths.

Reviewed By: lmvasquezg

Differential Revision: D103698836

fbshipit-source-id: c624f7b3a917e6e31f5cd15a3b991c7977858af4

Author: gustavoavena

eden/mononoke/mononoke_api/BUCK

@@ -20,6 +20,7 @@ rust_library(
         "//common/rust/shed/fbinit:fbinit",
         "//common/rust/shed/fbinit:fbinit-tokio",
         "//eden/mononoke/common/mononoke_macros:mononoke_macros",
+        "//eden/mononoke/common/permission_checker:permission_checker",
         "//eden/mononoke/common/sql_construct:sql_construct",
         "//eden/mononoke/repo_attributes/commit_graph/commit_graph_testlib:commit_graph_testlib",
         "//eden/mononoke/repo_attributes/repo_blobstore:repo_blobstore",
@@ -61,7 +62,6 @@ rust_library(
         "//eden/mononoke/common/acl_regions:acl_regions",
         "//eden/mononoke/common/futures_watchdog:futures_watchdog",
         "//eden/mononoke/common/mononoke_repos:mononoke_repos",
-        "//eden/mononoke/common/permission_checker:permission_checker",
         "//eden/mononoke/common/scuba_ext:scuba_ext",
         "//eden/mononoke/derived_data:basename_suffix_skeleton_manifest_v3",
         "//eden/mononoke/derived_data:blame",

eden/mononoke/mononoke_api/Cargo.toml

@@ -84,7 +84,6 @@ mutable_blobstore = { version = "0.1.0", path = "../repo_attributes/mutable_blob
 mutable_counters = { version = "0.1.0", path = "../repo_attributes/mutable_counters" }
 mutable_renames = { version = "0.1.0", path = "../repo_attributes/mutable_renames" }
 packfile = { version = "0.1.0", path = "../git/packfile" }
-permission_checker = { version = "0.1.0", path = "../common/permission_checker" }
 phases = { version = "0.1.0", path = "../repo_attributes/phases" }
 protocol = { version = "0.1.0", path = "../git/protocol" }
 pushrebase = { version = "0.1.0", path = "../features/pushrebase" }
@@ -136,6 +135,7 @@ fbinit-tokio = { version = "0.1.2", git = "https://github.com/facebookexperiment
 fixtures = { version = "0.1.0", path = "../tests/fixtures" }
 gix-object = "0.49"
 mononoke_macros = { version = "0.1.0", path = "../common/mononoke_macros" }
+permission_checker = { version = "0.1.0", path = "../common/permission_checker" }
 pretty_assertions = { version = "1.4.1", features = ["alloc"], default-features = false }
 sql_construct = { version = "0.1.0", path = "../common/sql_construct" }
 test_repo_factory = { version = "0.1.0", path = "../repo_factory/test_repo_factory" }

eden/mononoke/mononoke_api/src/changeset.rs

@@ -81,6 +81,7 @@ use repo_derived_data::RepoDerivedDataArc;
 use repo_derived_data::RepoDerivedDataRef;
 use repo_identity::RepoIdentityRef;
 use restricted_paths::RestrictedPathsArc;
+use restricted_paths::check_path_restriction_infos;
 use skeleton_manifest::RootSkeletonManifestId;
 use skeleton_manifest_v2::RootSkeletonManifestV2Id;
 use smallvec::SmallVec;
@@ -101,7 +102,6 @@ use crate::repo::RepoContext;
 use crate::restricted_paths::PathAccessInfo;
 use crate::restricted_paths::RestrictedChangeGroup;
 use crate::restricted_paths::RestrictedPathsChangesInfo;
-use crate::restricted_paths::build_path_access_info;
 use crate::specifiers::ChangesetId;
 use crate::specifiers::GitSha1;
 use crate::specifiers::HgChangesetId;
@@ -1326,7 +1326,7 @@ impl<R: MononokeRepo> ChangesetContext<R> {
                 .find_entries(
                     self.ctx().clone(),
                     other.repo_ctx().repo().repo_blobstore().clone(),
-                    to_paths.into_iter(),
+                    to_paths,
                 )
                 .map_ok(|(path, _)| path)
                 .try_collect::<HashSet<_>>();
@@ -2071,13 +2071,26 @@ impl<R: MononokeRepo> ChangesetContext<R> {
             .find_restricted_descendants(self.ctx(), Some(cs_id), roots)
             .await?;
 
-        build_path_access_info(
-            self.ctx(),
-            restricted_paths.acl_provider(),
-            restriction_infos,
-            check_permissions,
-        )
-        .await
+        if check_permissions {
+            let restriction_checks =
+                check_path_restriction_infos(self.ctx(), &restricted_paths, restriction_infos)
+                    .await?;
+            return Ok(restriction_checks
+                .into_iter()
+                .map(|restriction_check| PathAccessInfo {
+                    has_access: Some(restriction_check.has_authorization()),
+                    restriction: restriction_check.into_restriction_info(),
+                })
+                .collect());
+        }
+
+        Ok(restriction_infos
+            .into_iter()
+            .map(|restriction| PathAccessInfo {
+                restriction,
+                has_access: None,
+            })
+            .collect())
     }
 
     /// Determine which changed files in this changeset touch restricted paths.

eden/mononoke/mononoke_api/src/changeset_path.rs

@@ -64,7 +64,6 @@ use crate::errors::MononokeError;
 use crate::file::FileContext;
 use crate::repo::RepoContext;
 use crate::restricted_paths::PathAccessInfo;
-use crate::restricted_paths::build_path_access_info;
 use crate::tree::TreeContext;
 
 pub struct HistoryEntry {
@@ -791,7 +790,7 @@ impl<R: MononokeRepo> ChangesetPathHistoryContext<R> {
                 repo: &impl history_traversal::Repo,
                 descendant_id_cs_ids: Vec<(Option<CsAndPath>, Vec<CsAndPath>)>,
             ) -> Result<(), Error> {
-                let items = stream::iter(descendant_id_cs_ids.into_iter())
+                let items = stream::iter(descendant_id_cs_ids)
                     .map(|(descendant_cs_id, cs_ids)| {
                         self._visit(ctx, repo, descendant_cs_id.clone(), cs_ids.clone())
                             .map_ok(move |res| ((descendant_cs_id, cs_ids), res))
@@ -1079,21 +1078,38 @@ impl<R: MononokeRepo> ChangesetPathRestrictionContext<R> {
         let restricted_paths = self.changeset().repo_ctx().repo().restricted_paths_arc();
         let cs_id = self.changeset().id();
 
+        if check_permissions {
+            let restriction_checks = restricted_paths
+                .get_path_restriction_check(
+                    self.changeset().ctx(),
+                    Some(cs_id),
+                    std::slice::from_ref(&path),
+                )
+                .await?;
+            return Ok(restriction_checks
+                .into_iter()
+                .map(|restriction_check| PathAccessInfo {
+                    has_access: Some(restriction_check.has_authorization()),
+                    restriction: restriction_check.into_restriction_info(),
+                })
+                .collect());
+        }
+
         let restriction_infos = restricted_paths
-            .get_path_restriction_info(self.changeset().ctx(), Some(cs_id), &[path])
+            .get_path_restriction_info(
+                self.changeset().ctx(),
+                Some(cs_id),
+                std::slice::from_ref(&path),
+            )
             .await?;
 
-        if restriction_infos.is_empty() {
-            return Ok(vec![]);
-        }
-
-        build_path_access_info(
-            self.changeset().ctx(),
-            restricted_paths.acl_provider(),
-            restriction_infos,
-            check_permissions,
-        )
-        .await
+        Ok(restriction_infos
+            .into_iter()
+            .map(|restriction| PathAccessInfo {
+                restriction,
+                has_access: None,
+            })
+            .collect())
     }
 
     /// Find all restricted paths that are descendants of this path.

eden/mononoke/mononoke_api/src/restricted_paths.rs

@@ -5,21 +5,8 @@
  * GNU General Public License version 2.
  */
 
-use std::str::FromStr;
-use std::sync::Arc;
-
-use anyhow::Context;
-use context::CoreContext;
-use futures::StreamExt;
-use futures::TryStreamExt;
-use futures::stream;
 use mononoke_types::NonRootMPath;
-use permission_checker::AclProvider;
-use permission_checker::MononokeIdentity;
 use restricted_paths::PathRestrictionInfo;
-use restricted_paths::has_read_access_to_repo_region_acls;
-
-use crate::errors::MononokeError;
 
 /// Access check result for a restricted path.
 #[derive(Clone, Debug, PartialEq)]
@@ -48,41 +35,6 @@ impl PathAccessInfo {
     }
 }
 
-pub(crate) async fn build_path_access_info(
-    ctx: &CoreContext,
-    acl_provider: &Arc<dyn AclProvider>,
-    restriction_infos: Vec<PathRestrictionInfo>,
-    check_permissions: bool,
-) -> Result<Vec<PathAccessInfo>, MononokeError> {
-    if !check_permissions {
-        return Ok(restriction_infos
-            .into_iter()
-            .map(|restriction| PathAccessInfo {
-                restriction,
-                has_access: None,
-            })
-            .collect());
-    }
-
-    stream::iter(restriction_infos)
-        .map(|restriction| {
-            let acl_provider = Arc::clone(acl_provider);
-            async move {
-                let acl = MononokeIdentity::from_str(&restriction.repo_region_acl)
-                    .context("Failed to parse repo_region_acl")?;
-                let has_access =
-                    has_read_access_to_repo_region_acls(ctx, &acl_provider, &[&acl]).await?;
-                Ok::<_, MononokeError>(PathAccessInfo {
-                    restriction,
-                    has_access: Some(has_access),
-                })
-            }
-        })
-        .buffered(100)
-        .try_collect()
-        .await
-}
-
 /// Information about restricted path changes in a changeset.
 #[derive(Clone, Debug, PartialEq)]
 pub struct RestrictedPathsChangesInfo {

eden/mononoke/repo_attributes/restricted_paths/src/access_log.rs

@@ -158,7 +158,7 @@ impl SourceRestrictionCheckResult {
 /// would silently bypass an inner restriction.
 ///
 /// Runs checks concurrently and short-circuits on the first deny or error.
-pub async fn has_read_access_to_repo_region_acls(
+pub(crate) async fn has_read_access_to_repo_region_acls(
     ctx: &CoreContext,
     acl_provider: &Arc<dyn AclProvider>,
     acls: &[&MononokeIdentity],

eden/mononoke/repo_attributes/restricted_paths/src/lib.rs

@@ -37,12 +37,12 @@ use thiserror::Error;
 use tokio::task;
 
 pub use crate::access_log::ACCESS_LOG_SCUBA_TABLE;
-pub use crate::access_log::has_read_access_to_repo_region_acls;
 use crate::access_log::is_member_of_groups;
 use crate::access_log::log_access_to_restricted_path;
 pub use crate::restriction_check::ManifestRestrictionCheckResult;
 pub use crate::restriction_check::PathRestrictionCheckResult;
 pub use crate::restriction_check::RestrictionCheckResult;
+pub use crate::restriction_check::check_path_restriction_infos;
 pub use crate::restriction_info::ManifestRestrictionInfo;
 pub use crate::restriction_info::PathRestrictionInfo;
 

eden/mononoke/repo_attributes/restricted_paths/src/restriction_check.rs

@@ -359,7 +359,7 @@ pub(crate) async fn check_manifest_restriction(
     check_manifest_authorization(ctx, restricted_paths, restriction_info).await
 }
 
-async fn check_config_path_authorization(
+pub(crate) async fn check_config_path_authorization(
     ctx: &CoreContext,
     restricted_paths: &RestrictedPaths,
     path: &NonRootMPath,
@@ -385,7 +385,7 @@ async fn check_config_path_authorization(
     check_path_authorization(ctx, restricted_paths, restriction_info, restriction_acls).await
 }
 
-async fn check_path_restriction_infos(
+pub async fn check_path_restriction_infos(
     ctx: &CoreContext,
     restricted_paths: &RestrictedPaths,
     restriction_info: Vec<PathRestrictionInfo>,