Optimize policy iterators (#5184)

* Optimize policy iterators (go1.23)

This modifies (*Options).GetAllPolicies() to use a go 1.23 iterator
instead of copying all policies on every call, which can be extremely
expensive. All existing usages of this function were updated as
necessary.

Additionally, a new (*Options).NumPolicies() method was added which
quickly computes the number of policies that would be given by
GetAllPolicies(), since there were several usages where only the
number of policies was needed.

* Fix race condition when assigning default envoy opts to a policy
Joe Kralicky 2024-08-20 12:35:10 -04:00 committed by GitHub
parent 3961098681
commit 56ba07e53e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 136 additions and 87 deletions


@ -5,6 +5,7 @@ package authorize
import (
"context"
"fmt"
"slices"
"sync"
"time"
@ -91,7 +92,7 @@ func newPolicyEvaluator(
opts *config.Options, store *store.Store, previous *evaluator.Evaluator,
) (*evaluator.Evaluator, error) {
metrics.AddPolicyCountCallback("pomerium-authorize", func() int64 {
return int64(len(opts.GetAllPolicies()))
return int64(opts.NumPolicies())
})
ctx := log.WithContext(context.Background(), func(c zerolog.Context) zerolog.Context {
return c.Str("service", "authorize")
@ -131,8 +132,9 @@ func newPolicyEvaluator(
"authorize: internal error: couldn't build client cert constraints: %w", err)
}
allPolicies := slices.Collect(opts.GetAllPolicies())
return evaluator.New(ctx, store, previous,
evaluator.WithPolicies(opts.GetAllPolicies()),
evaluator.WithPolicies(allPolicies),
evaluator.WithClientCA(clientCA),
evaluator.WithAddDefaultClientCertificateRule(addDefaultClientCertificateRule),
evaluator.WithClientCRL(clientCRL),
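Review bot: The closure passed to `metrics.AddPolicyCountCallback` captures `opts` and calls `opts.NumPolicies()` whenever the metrics side invokes it, while `allPolicies` further down is a one-time snapshot from `slices.Collect(opts.GetAllPolicies())`, and nothing at either site documents that difference. Since this same commit also fixes a race around assigning to a policy, I would state the assumption above the callback, e.g. `// opts must not be mutated after this call; the callback may read it from another goroutine`, if that matches how NumPolicies is implemented (not visible here). If `opts` can still change afterwards, the reported policy count could drift from the policy set the evaluator actually enforces, which is misleading when the metric is used to confirm what authorize has loaded. The body of newPolicyEvaluator starts and ends outside these hunks.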