chore: Cache AuthUsers, Everyone groups for lookup - BED-8363

[StephenHinck]

Description

Centralizes the lookups for specialGroups to prevent recurring lookups during post-processing. In pathological environments, this yielded a 98% reduction in creating the ADCSCache ahead of post-processing.

Motivation and Context

Resolves BED-8363

Why is this change required? What problem does it solve?

How Has This Been Tested?

No changes have been made to existing test suites. Additionally, validated with multiple local datasets.

Screenshots (optional):

Types of changes

• Chore (a change that does not modify the application functionality)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• Refactor
  • Optimized cache population to fetch principals once per transaction and reuse them, with improved group membership validation using bulk queries instead of individual lookups.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes optimize how special groups (Auth Users and Everyone) are checked for ADCS enrollment rights. Auth Users and Everyone are fetched once per database transaction in BuildCache, then passed to containsAuthUsersOrEveryone for checking, which now uses a single bulk relationship query instead of repeated per-group fetches.

Changes

Special Groups Membership Optimization

Layer / File(s)	Summary
containsAuthUsersOrEveryone refactor packages/go/analysis/ad/esc_shared.go	Function now accepts pre-computed specialGroups instead of fetching internally, and replaces nested relationship-fetch loops with a single bulk MemberOf query to check transitive membership.
BuildCache special groups fetch and reuse packages/go/analysis/ad/adcscache.go	BuildCache fetches Auth Users and Everyone groups once during the read transaction and reuses them in cert-template and enterprise-CA enrollment checks, passing pre-computed specialGroups into the refactored containsAuthUsersOrEveryone function.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description includes all required sections: Description with motivation (caching reduces lookups by 98%), How Has This Been Tested, Types of changes, and a completed Checklist with verified contributing prerequisites.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'Cache AuthUsers, Everyone groups for lookup' directly summarizes the main change: centralizing lookups of special groups to avoid repeated queries, resulting in significant performance improvements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-8363

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}