Merge branch 'main' into v5

.github/workflows/codspeed.yml

@@ -0,0 +1,32 @@
+name: codspeed-benchmarks
+
+on:
+ push:
+ branches:
+ - "main"
+ pull_request:
+ # `workflow_dispatch` allows CodSpeed to trigger backtest
+ # performance analysis in order to generate initial data.
+ workflow_dispatch:
+
+jobs:
+ benchmarks:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Setup rust toolchain, cache and cargo-codspeed binary
+ uses: moonrepo/setup-rust@v0
+ with:
+ channel: stable
+ cache-target: release
+ bins: cargo-codspeed
+
+ - name: Build the benchmark target(s)
+ run: cargo codspeed build -p biscuit-auth
+
+ - name: Run the benchmarks
+ uses: CodSpeedHQ/action@v2
+ with:
+ run: cargo codspeed run -p biscuit-auth
+ token: ${{ secrets.CODSPEED_TOKEN }}

.github/workflows/rust.yml

@@ -65,3 +65,34 @@ jobs:
  with:
  command: ctest
  args: --release
+
+ coverage:
+ name: Coverage
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v2
+ - name: Install rust
+ uses: actions-rs/toolchain@v1
+ with:
+ toolchain: stable
+ profile: minimal
+ override: true
+ - name: Cache
+ uses: Swatinem/rust-cache@v1
+ - name: Install cargo-tarpaulin
+ uses: actions-rs/cargo@v1
+ with:
+ command: install
+ args: cargo-tarpaulin
+ - name: Run cargo tarpaulin
+ uses: actions-rs/cargo@v1
+ with:
+ command: tarpaulin
+ args: --output-dir coverage --out xml --workspace --exclude benchmarks
+
+ - name: Upload coverage reports to Codecov
+ uses: codecov/[email protected]
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }}
+ slug: biscuit-auth/biscuit-rust

biscuit-auth/Cargo.toml

@@ -59,6 +59,7 @@ colored-diff = "0.2.3"
 prost-build = "0.10"
 serde = { version = "1.0.130", features = ["derive"] }
 serde_json = "1.0.67"
+codspeed-bencher-compat = "2.6.0"
 
 #[build-dependencies]
 #prost-build = "0.10"

biscuit-auth/benches/token.rs

@@ -1,12 +1,12 @@
-#[macro_use]
-extern crate bencher;
-
 extern crate biscuit_auth as biscuit;
 
-use bencher::Bencher;
+use std::time::Duration;
+
 use biscuit::{
- builder::*, builder_ext::BuilderExt, datalog::SymbolTable, Biscuit, KeyPair, UnverifiedBiscuit,
+ builder::*, builder_ext::BuilderExt, datalog::SymbolTable, AuthorizerLimits, Biscuit, KeyPair,
+ UnverifiedBiscuit,
 };
+use codspeed_bencher_compat::{benchmark_group, benchmark_main, Bencher};
 use rand::rngs::OsRng;
 
 fn create_block_1(b: &mut Bencher) {
@@ -245,16 +245,25 @@ fn verify_block_2(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
-
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
  b.bytes = data.len() as u64;
  b.iter(|| {
  let token = Biscuit::from(&data, &root.public()).unwrap();
  let mut verifier = token.authorizer().unwrap();
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
  });
 }
 
@@ -314,7 +323,12 @@ fn verify_block_5(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
 
  b.bytes = data.len() as u64;
  b.iter(|| {
@@ -323,7 +337,12 @@ fn verify_block_5(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
  });
 }
 
@@ -356,7 +375,12 @@ fn check_signature_2(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
 
  b.bytes = data.len() as u64;
  b.iter(|| {
@@ -419,7 +443,12 @@ fn check_signature_5(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
 
  b.bytes = data.len() as u64;
  b.iter(|| {
@@ -456,7 +485,12 @@ fn checks_block_2(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
 
  let token = Biscuit::from(&data, &root.public()).unwrap();
  b.bytes = data.len() as u64;
@@ -465,7 +499,12 @@ fn checks_block_2(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
  });
 }
 
@@ -498,7 +537,12 @@ fn checks_block_create_verifier2(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
 
  let token = Biscuit::from(&data, &root.public()).unwrap();
  b.bytes = data.len() as u64;
@@ -536,15 +580,25 @@ fn checks_block_verify_only2(b: &mut Bencher) {
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
 
  let token = Biscuit::from(&data, &root.public()).unwrap();
  b.iter(|| {
  let mut verifier = token.authorizer().unwrap();
  verifier.add_fact("resource(\"file1\")");
  verifier.add_fact("operation(\"read\")");
  verifier.allow();
- verifier.authorize().unwrap();
+ verifier
+ .authorize_with_limits(AuthorizerLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ })
+ .unwrap();
  });
 }
 

biscuit-auth/src/datalog/mod.rs

@@ -991,6 +991,7 @@ fn contains_v5_term(term: &Term) -> bool {
 #[cfg(test)]
 mod tests {
  use super::*;
+ use std::time::Duration;
 
  #[test]
  fn family() {
@@ -1048,7 +1049,10 @@ mod tests {
  println!("adding r2: {}", syms.print_rule(&r2));
  w.add_rule(0, &[0].iter().collect(), r2);
 
- w.run(&syms).unwrap();
+ w.run_with_limits(&syms, RunLimits {
+ max_time: Duration::from_secs(10),
+ ..Default::default()
+ }).unwrap();
 
  println!("parents:");
  let res = w

biscuit-auth/src/format/mod.rs

@@ -459,9 +459,13 @@ mod tests {
 
  #[test]
  fn proto() {
+ // somehow when building under cargo-tarpaulin, OUT_DIR is not set
+ let out_dir = match std::env::var("OUT_DIR") {
+ Ok(dir) => dir,
+ Err(_) => return,
+ };
  prost_build::compile_protos(&["src/format/schema.proto"], &["src/"]).unwrap();
- let mut file =
- std::fs::File::open(concat!(env!("OUT_DIR"), "/biscuit.format.schema.rs")).unwrap();
+ let mut file = std::fs::File::open(&format!("{out_dir}/biscuit.format.schema.rs")).unwrap();
  let mut contents = String::new();
  file.read_to_string(&mut contents).unwrap();