fix(authz): avoid stale authorization checks

deepthi-rao-scale · deepthi-rao-scale · commit 38bb4fa9667c · 2026-06-12T01:14:09.000-04:00
diff --git a/agentex/src/api/authentication_cache.py b/agentex/src/api/authentication_cache.py
@@ -85,6 +85,14 @@ async def clear(self) -> None:
         async with self._lock:
             self.cache.clear()
 
+    async def delete_by_prefix(self, prefix: str) -> int:
+        """Delete cache entries whose keys start with the given prefix."""
+        async with self._lock:
+            keys = [key for key in self.cache if key.startswith(prefix)]
+            for key in keys:
+                del self.cache[key]
+            return len(keys)
+
     async def remove_expired(self) -> None:
         """Remove all expired entries from cache."""
         async with self._lock:
@@ -257,6 +265,19 @@ def _contains_api_key(principal_context: Any) -> bool:
 
     # Authorization Check Cache Methods (Async)
 
+    @staticmethod
+    def _create_authorization_resource_cache_prefix(
+        resource_type: str,
+        resource_selector: str,
+    ) -> str:
+        resource_key = AuthenticationCache._hash_dict(
+            {
+                "resource_type": resource_type,
+                "resource_selector": resource_selector,
+            }
+        )
+        return f"authz:{resource_key}:"
+
     @staticmethod
     def _create_authorization_cache_key(
         resource_type: str,
@@ -303,13 +324,16 @@ def _create_authorization_cache_key(
 
         # Create the cache key components
         cache_data = {
-            "resource_type": resource_type,
-            "resource_selector": resource_selector,
             "operation": operation,
             "principal": principal_key_data,
         }
 
-        return f"authz:{AuthenticationCache._hash_dict(cache_data)}"
+        return (
+            AuthenticationCache._create_authorization_resource_cache_prefix(
+                resource_type, resource_selector
+            )
+            + AuthenticationCache._hash_dict(cache_data)
+        )
 
     async def get_authorization_check(
         self,
@@ -319,6 +343,12 @@ async def get_authorization_check(
         principal_context: Any,
     ) -> bool | None:
         """Get cached authorization check result."""
+        if self._contains_api_key(principal_context):
+            logger.debug(
+                "Skipping authorization check cache lookup for API key principal"
+            )
+            return None
+
         cache_key = self._create_authorization_cache_key(
             resource_type, resource_selector, operation, principal_context
         )
@@ -339,6 +369,12 @@ async def set_authorization_check(
         allowed: bool,
     ) -> None:
         """Cache authorization check result."""
+        if self._contains_api_key(principal_context):
+            logger.debug(
+                "Skipping authorization check cache write for API key principal"
+            )
+            return
+
         cache_key = self._create_authorization_cache_key(
             resource_type, resource_selector, operation, principal_context
         )
@@ -358,6 +394,23 @@ async def clear_all(self) -> None:
         await self.authorization_check_cache.clear()
         logger.info("All authentication and authorization caches cleared")
 
+    async def clear_authorization_checks_for_resource(
+        self,
+        resource_type: str,
+        resource_selector: str,
+    ) -> None:
+        """Clear cached authorization check results for one resource."""
+        prefix = self._create_authorization_resource_cache_prefix(
+            resource_type, resource_selector
+        )
+        deleted = await self.authorization_check_cache.delete_by_prefix(prefix)
+        logger.info(
+            "Authorization check cache cleared for %s:%s entries=%d",
+            resource_type,
+            resource_selector,
+            deleted,
+        )
+
     async def cleanup_expired(self) -> None:
         """Remove expired entries from all caches."""
         await self.agent_identity_cache.remove_expired()
diff --git a/agentex/src/domain/services/authorization_service.py b/agentex/src/domain/services/authorization_service.py
@@ -39,6 +39,13 @@ def _bypass(self) -> bool:
     def is_enabled(self) -> bool:
         return self.enabled
 
+    async def _clear_authorization_cache(self, resource: AgentexResource) -> None:
+        auth_cache = await get_auth_cache()
+        await auth_cache.clear_authorization_checks_for_resource(
+            resource_type=str(resource.type),
+            resource_selector=resource.selector,
+        )
+
     async def grant(
         self, resource: AgentexResource, *, commit: bool = True, principal_context=...
     ) -> None:
@@ -61,6 +68,7 @@ async def grant(
             resource,
             AuthorizedOperationType.create,
         )
+        await self._clear_authorization_cache(resource)
         return result
 
     async def revoke(
@@ -87,6 +95,7 @@ async def revoke(
         logger.info(
             f"Revoked {AuthorizedOperationType.delete} permission on {resource.type}:{resource.selector}"
         )
+        await self._clear_authorization_cache(resource)
         return result
 
     async def check(
@@ -214,6 +223,7 @@ async def register_resource(
             f"{parent.type}:{parent.selector}" if parent is not None else None,
         )
         await self.gateway.register_resource(effective_principal, resource, parent)
+        await self._clear_authorization_cache(resource)
 
     async def deregister_resource(
         self,
@@ -237,6 +247,7 @@ async def deregister_resource(
             resource.selector,
         )
         await self.gateway.deregister_resource(effective_principal, resource)
+        await self._clear_authorization_cache(resource)
 
 
 DAuthorizationService = Annotated[AuthorizationService, Depends(AuthorizationService)]
diff --git a/agentex/tests/unit/api/test_authentication_cache_metrics.py b/agentex/tests/unit/api/test_authentication_cache_metrics.py
@@ -102,3 +102,53 @@ async def test_auth_gateway_response_with_api_key_principal_is_not_cached():
     await cache.set_auth_gateway_response(headers, principal)
 
     assert await cache.get_auth_gateway_response(headers) is None
+
+
+@pytest.mark.unit
+@pytest.mark.asyncio
+async def test_authorization_check_with_api_key_principal_is_not_cached():
+    cache = AuthenticationCache()
+    principal = {"user_id": "user-1", "account_id": "acct-1", "api_key": "secret-key"}
+
+    await cache.set_authorization_check(
+        resource_type="agent",
+        resource_selector="agent-1",
+        operation="execute",
+        principal_context=principal,
+        allowed=True,
+    )
+
+    assert (
+        await cache.get_authorization_check(
+            resource_type="agent",
+            resource_selector="agent-1",
+            operation="execute",
+            principal_context=principal,
+        )
+        is None
+    )
+
+
+@pytest.mark.unit
+@pytest.mark.asyncio
+async def test_authorization_check_without_api_key_principal_is_cached():
+    cache = AuthenticationCache()
+    principal = {"user_id": "user-1", "account_id": "acct-1"}
+
+    await cache.set_authorization_check(
+        resource_type="agent",
+        resource_selector="agent-1",
+        operation="read",
+        principal_context=principal,
+        allowed=True,
+    )
+
+    assert (
+        await cache.get_authorization_check(
+            resource_type="agent",
+            resource_selector="agent-1",
+            operation="read",
+            principal_context=principal,
+        )
+        is True
+    )
diff --git a/agentex/tests/unit/services/test_authorization_service_cache.py b/agentex/tests/unit/services/test_authorization_service_cache.py
@@ -0,0 +1,129 @@
+from types import SimpleNamespace
+from unittest.mock import AsyncMock
+
+import pytest
+from src.api.authentication_cache import reset_auth_cache
+from src.api.schemas.authorization_types import AgentexResource, AuthorizedOperationType
+from src.domain.services.authorization_service import AuthorizationService
+
+
+def _request_with_principal(principal_context):
+    return SimpleNamespace(
+        state=SimpleNamespace(
+            principal_context=principal_context,
+            agent_identity=None,
+        )
+    )
+
+
+def _service(principal_context, gateway):
+    return AuthorizationService(
+        enabled=True,
+        gateway=gateway,
+        request=_request_with_principal(principal_context),
+    )
+
+
+@pytest.mark.unit
+@pytest.mark.asyncio
+async def test_api_key_principal_authorization_check_calls_gateway_each_time():
+    await reset_auth_cache()
+    try:
+        gateway = AsyncMock()
+        gateway.check.return_value = True
+        service = _service(
+            {"user_id": "user-1", "account_id": "acct-1", "api_key": "secret-key"},
+            gateway,
+        )
+        resource = AgentexResource.agent("agent-1")
+
+        assert await service.check(resource, AuthorizedOperationType.execute) is True
+        assert await service.check(resource, AuthorizedOperationType.execute) is True
+
+        assert gateway.check.await_count == 2
+    finally:
+        await reset_auth_cache()
+
+
+@pytest.mark.unit
+@pytest.mark.asyncio
+async def test_non_api_key_principal_authorization_check_uses_cache():
+    await reset_auth_cache()
+    try:
+        gateway = AsyncMock()
+        gateway.check.return_value = True
+        service = _service({"user_id": "user-1", "account_id": "acct-1"}, gateway)
+        resource = AgentexResource.agent("agent-1")
+
+        assert await service.check(resource, AuthorizedOperationType.read) is True
+        assert await service.check(resource, AuthorizedOperationType.read) is True
+
+        assert gateway.check.await_count == 1
+    finally:
+        await reset_auth_cache()
+
+
+@pytest.mark.unit
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "mutation",
+    ["grant", "revoke", "register_resource", "deregister_resource"],
+)
+async def test_authorization_mutations_clear_cached_authorization_checks(mutation):
+    await reset_auth_cache()
+    try:
+        gateway = AsyncMock()
+        gateway.check.return_value = True
+        service = _service({"user_id": "user-1", "account_id": "acct-1"}, gateway)
+        resource = AgentexResource.agent("agent-1")
+
+        assert await service.check(resource, AuthorizedOperationType.read) is True
+        assert await service.check(resource, AuthorizedOperationType.read) is True
+        assert gateway.check.await_count == 1
+
+        await getattr(service, mutation)(resource)
+
+        assert await service.check(resource, AuthorizedOperationType.read) is True
+        assert gateway.check.await_count == 2
+    finally:
+        await reset_auth_cache()
+
+
+@pytest.mark.unit
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "mutation",
+    ["grant", "revoke", "register_resource", "deregister_resource"],
+)
+async def test_authorization_mutations_only_clear_checks_for_mutated_resource(
+    mutation,
+):
+    await reset_auth_cache()
+    try:
+        gateway = AsyncMock()
+        gateway.check.return_value = True
+        service = _service({"user_id": "user-1", "account_id": "acct-1"}, gateway)
+        changed_resource = AgentexResource.agent("agent-1")
+        unchanged_resource = AgentexResource.agent("agent-2")
+
+        assert (
+            await service.check(changed_resource, AuthorizedOperationType.read) is True
+        )
+        assert (
+            await service.check(unchanged_resource, AuthorizedOperationType.read)
+            is True
+        )
+        assert gateway.check.await_count == 2
+
+        await getattr(service, mutation)(changed_resource)
+
+        assert (
+            await service.check(changed_resource, AuthorizedOperationType.read) is True
+        )
+        assert (
+            await service.check(unchanged_resource, AuthorizedOperationType.read)
+            is True
+        )
+        assert gateway.check.await_count == 3
+    finally:
+        await reset_auth_cache()
