cyberark · codihuston · Dec 30, 2022 · Jan 11, 2023
diff --git a/app/db/utils/materialized_views.rb b/app/db/utils/materialized_views.rb
@@ -0,0 +1,42 @@
+module DB
+  module Utils
+    class MaterializedViews
+      def initialize(
+        db: Sequel::Model.db,
+        logger: Rails.logger
+      )
+        @db = db
+        @logger = logger
+      end
+
+      def refresh()
+        @logger.debug("Begin refreshing materialized views...")
+        refresh_all_roles
+        refresh_resources
+        @logger.debug("Finished refreshing materialized views.")
+      end
+
+      def refresh_all_roles()
+        @db.run('REFRESH MATERIALIZED VIEW all_roles_view;')
+      rescue Sequel::DatabaseError => e
+        # TODO: handle ERROR:  relation "all_roles_view" does not exist
+        # /var/lib/ruby/lib/ruby/gems/3.0.0/gems/sequel-5.51.0/lib/sequel/adapters/postgres.rb:156:in `exec': ERROR:  relation "all_roles_view" does not exist (PG::UndefinedTable)
+        # ...
+        @logger.error(
+          "DB::Utils::MaterializedViews.refresh_all_roles - Error #{e.message}"
+        )
+      end
+
+      def refresh_resources()
+        @db.run('REFRESH MATERIALIZED VIEW resources_view;')
+      rescue Sequel::DatabaseError => e
+        # TODO: handle ERROR:  relation "resources_view" does not exist
+        # /var/lib/ruby/lib/ruby/gems/3.0.0/gems/sequel-5.51.0/lib/sequel/adapters/postgres.rb:156:in `exec': ERROR:  relation "all_roles_view" does not exist (PG::UndefinedTable)
+        # ...
+        @logger.error(
+          "DB::Utils::MaterializedViews.refresh_resources - Error #{e.message}"
+        )
+      end     
+    end
+  end
+end
diff --git a/app/models/loader/orchestrate.rb b/app/models/loader/orchestrate.rb
@@ -369,9 +369,7 @@ def update_materialized_views
       # Materialized views are used to pre-compute recursive role members
       # and resource attributes to save time on read. These
       # must be refreshed when they underlying tables are updated.
-      db.run('REFRESH MATERIALIZED VIEW all_roles_view;')
-      db.run('REFRESH MATERIALIZED VIEW resources_view;')
-
+      ::DB::Utils::MaterializedViews.new.refresh
     end
 
     def insert_policy_log_records(table)

diff --git a/app/models/permission.rb b/app/models/permission.rb
@@ -13,4 +13,8 @@ def as_json options = {}
       end
     end
   end
+
+  def after_create
+    ::DB::Utils::MaterializedViews.new.refresh
+  end
 end
diff --git a/app/models/resource.rb b/app/models/resource.rb
@@ -192,4 +192,8 @@ def secret version: nil
   def annotation name
     annotations_dataset.where(name: name).select(:value).single_value
   end
+
+  def after_create
+    ::DB::Utils::MaterializedViews.new.refresh
+  end
 end
diff --git a/app/models/role.rb b/app/models/role.rb
@@ -184,4 +184,8 @@ def modify_credentials
     yield(credentials)
     credentials.save(raise_on_save_failure: true)
   end
+
+  def after_create
+    ::DB::Utils::MaterializedViews.new.refresh
+  end
 end
diff --git a/app/models/role_membership.rb b/app/models/role_membership.rb
@@ -20,4 +20,8 @@ def member_of role_ids
       where(member_id: subset_roles.to_a)
     end
   end
-end
+
+  def after_create
+    ::DB::Utils::MaterializedViews.new.refresh
+  end
+end
diff --git a/cucumber/api/features/step_definitions/authz_steps.rb b/cucumber/api/features/step_definitions/authz_steps.rb
@@ -58,6 +58,9 @@
   grantee = Role.with_pk!(grantee)
   target = Resource.with_pk!(target)
   target.permit(privilege, grantee)
+
+  Sequel::Model.db << "REFRESH MATERIALIZED VIEW all_roles_view;"
+  Sequel::Model.db << "REFRESH MATERIALIZED VIEW resources_view;"
 end
 
 Given(/^I permit user "([^"]*)" to "([^"]*)" user "([^"]*)"$/) do |grantee, privilege, target|
@@ -93,6 +96,7 @@
 
 Given(/^I add the secret value(?: "([^"]*)")? to the resource(?: "([^"]*)")?$/) do |value, resource_id|
   Secret.create(resource_id: resource_id, value: value)
+  # TODO: refresh mat views here?
 end
 
 Given(/^I permit (user|host) "([^"]*)" to "([^"]*)" it$/) do |role_type, grantee, privilege|
@@ -120,4 +124,7 @@
 
   grantee = role_type == "user" ? lookup_user(grantee) : lookup_host(grantee)
   group.grant_to(grantee)
+
+  Sequel::Model.db << "REFRESH MATERIALIZED VIEW all_roles_view;"
+  Sequel::Model.db << "REFRESH MATERIALIZED VIEW resources_view;"
 end
diff --git a/spec/models/resource_spec.rb b/spec/models/resource_spec.rb
@@ -113,17 +113,13 @@
       end
       it "the corresponding role is listed exactly once in the owner's list of roles" do
         the_membership_again
-        # update materialized view
-        Sequel::Model.db << "REFRESH MATERIALIZED VIEW all_roles_view;"
         expect(the_user.all_roles.reverse_order(:role_id).all.map(&:role_id)).to eq([ the_user, the_role ].map(&:role_id))
       end
     end
     it "the role can still be explicitly granted" do
       RoleMembership.create(role: the_role, member: the_user, admin_option: true)
     end
     it "the corresponding role is in the owner's list of roles" do
-      # update materialized view
-      Sequel::Model.db << "REFRESH MATERIALIZED VIEW all_roles_view;"
       expect(the_user.all_roles.all).to include(the_role)
     end
     context "changing the owner" do
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,4 +13,8 @@ def as_json options = {} @@
           end
         end
       end
+      def after_create
+        ::DB::Utils::MaterializedViews.new.refresh
+      end
     end