policies: Optimize policy checking for static bindings
Details
Currently we spawn a subprocess to check policies for every type of binding, regardless of whether it's bound to a user, group or policy. Realistically we only need to do this for bindings bound to policies, as user and group bindings are static.
This PR does that, checking any bindings bound to a user or group on a database level, skipping the rest of the policy engine.
Improvements so far:
Computing policy result for a PBM with 1000 bindings all bound to groups:
main: 3000~ queries
Now: 2 queries
TODO: Needs some more tests to ensure the behaviour with Group.parent is identical to the old behaviour
closes #14130
Checklist
- [ ] Local tests pass (`ak test authentik/`)
- [ ] The code has been formatted (`make lint-fix`)

If an API change has been made
- [ ] The API schema has been updated (`make gen-build`)

If changes to the frontend have been made
- [ ] The code has been formatted (`make web`)

If applicable
- [ ] The documentation has been updated
- [ ] The documentation has been formatted (`make website`)
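The fast path described above, checked against a per-binding reference, as an added sketch that is not authentik's code. It assumes a user in a child group counts as a member of every ancestor reached through `Group.parent`; `Binding`, `PARENT`, `DIRECT`, `is_member`, `effective_groups` and `check` are hypothetical names and the data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: group -> parent group, and each user's direct groups.
PARENT = {"admins": "staff", "staff": "everyone", "everyone": None, "guests": None}
DIRECT = {"alice": {"admins"}, "bob": {"guests"}}

@dataclass(frozen=True)
class Binding:
    """Hypothetical model: exactly one of user, group or policy is set."""
    user: Optional[str] = None
    group: Optional[str] = None
    policy: Optional[Callable[[str], bool]] = None  # stands in for a policy engine run

def is_member(user, group):
    """Reference check for one binding: walk up from each direct group."""
    for g in DIRECT.get(user, ()):
        hops = 0
        while g is not None and hops <= len(PARENT):  # hop limit guards parent cycles
            if g == group:
                return True
            g, hops = PARENT.get(g), hops + 1
    return False

def effective_groups(user):
    """Direct groups plus all ancestors, computed once per check."""
    seen, stack = set(), list(DIRECT.get(user, ()))
    while stack:
        g = stack.pop()
        if g is not None and g not in seen:  # 'seen' also stops on cycles
            seen.add(g)
            stack.append(PARENT.get(g))
    return seen

def check(user, bindings, fast):
    """Return (per-binding results, number of expensive evaluations)."""
    groups = effective_groups(user) if fast else None
    results, expensive = [], 0
    for b in bindings:
        if b.policy is not None:  # dynamic: always needs a full evaluation
            ok, expensive = b.policy(user), expensive + 1
        elif b.user is not None:  # static: plain comparison on the fast path
            ok, expensive = b.user == user, expensive + (0 if fast else 1)
        else:  # static: set lookup on the fast path
            ok = b.group in groups if fast else is_member(user, b.group)
            expensive += 0 if fast else 1
        results.append(ok)
    return results, expensive
```

Running both modes over the same bindings and comparing the result lists is a differential test: any divergence in how parent groups are resolved shows up as a changed access decision.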
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 92.99%. Comparing base (b58a877) to head (aa4c06f). Report is 1 commits behind head on main.
:white_check_mark: All tests successful. No failed tests found.
Additional details and impacted files
```diff
@@           Coverage Diff           @@
##             main   #14957   +/-   ##
=======================================
  Coverage   92.99%   92.99%
=======================================
  Files         824      824
  Lines       42703    42755   +52
=======================================
+ Hits        39713    39762   +49
- Misses       2990     2993    +3
```

| Flag | Coverage Δ | |
|---|---|---|
| e2e | 47.45% <37.50%> (-0.07%) | :arrow_down: |
| integration | 24.19% <7.50%> (-0.03%) | :arrow_down: |
| unit | 91.04% <98.75%> (+0.01%) | :arrow_up: |
authentik PR Installation instructions
Instructions for docker-compose
Add the following block to your .env file:
```shell
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-aa4c06fa090f0da7babe51038cf28e6259902d7c
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```
Afterwards, run the upgrade commands from the latest release notes.
Instructions for Kubernetes
Add the following block to your values.yml file:
```yaml
authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-aa4c06fa090f0da7babe51038cf28e6259902d7c
```
Afterwards, run the upgrade commands from the latest release notes.
A bit out of scope but still related, could we add a help text to the order property mentioning that it is only the order in which the result of policies is considered, and not the order in which they are run?