BenchmarkRBACAuthorizeGroups benchmarks the rbac.Authorize method and leverages groups for authorizing rather than the permissions/roles. go test -bench '^BenchmarkRBACAuthorizeGroups$' -benchmem -memprofile memprofile.out -cpuprofile profile.out
(b *testing.B)
| 180 | // |
| 181 | // go test -bench '^BenchmarkRBACAuthorizeGroups$' -benchmem -memprofile memprofile.out -cpuprofile profile.out |
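func BenchmarkRBACAuthorizeGroups(b *testing.B) {
	benchCases, user, orgs := benchmarkUserCases()
	users := append([]uuid.UUID{},
		user,
		uuid.MustParse("4ca78b1d-f2d2-4168-9d76-cd93b51c6c1e"),
		uuid.MustParse("0632b012-49e0-4d70-a5b3-f4398f1dcd52"),
		uuid.MustParse("70dbaa7a-ea9c-4f68-a781-97b08af8461d"),
	)
	authorizer := rbac.NewAuthorizer(prometheus.NewRegistry())

	// Same benchmark cases, but this time groups will be used to match.
	// Some '*' permissions will still match, but using a fake action reduces
	// the chance.
	neverMatchAction := policy.Action("never-match-action")
	for _, c := range benchCases {
		// Prepare the actor once per case, outside the function handed to
		// b.Run. The testing package calls that function repeatedly with a
		// growing b.N; appending the group inside it gave the actor one more
		// group on every calibration round, so the measured run's group
		// count depended on how many rounds had come before it.
		userGroupAllow := uuid.NewString()
		c.Actor.Groups = append(c.Actor.Groups, userGroupAllow)
		c.Actor.Scope = rbac.ScopeAll

		b.Run(c.Name+"GroupACL", func(b *testing.B) {
			objects := benchmarkSetup(orgs, users, b.N, func(object rbac.Object) rbac.Object {
				m := map[string][]policy.Action{
					// Noise: random groups the actor is not a member of.
					uuid.NewString(): {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
					uuid.NewString(): {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
					uuid.NewString(): {policy.ActionCreate, policy.ActionRead},
					uuid.NewString(): {policy.ActionCreate},
					uuid.NewString(): {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
					uuid.NewString(): {policy.ActionRead, policy.ActionUpdate},
				}
				for _, g := range c.Actor.Groups {
					// Every group the user is in will be added, but it will not match the perms. This makes the
					// authorizer look at many groups before finding the one that matches.
					m[g] = []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete}
				}
				// This is the only group that will give permission. It
				// overwrites the entry the loop above wrote for the same key.
				m[userGroupAllow] = []policy.Action{neverMatchAction}
				return object.WithGroupACL(m)
			})
			b.ResetTimer()
			for i := 0; i < b.N; i++ {
				// Index by i, not b.N: b.N%len(objects) is constant for the
				// whole loop, so every iteration authorized the same object
				// and the rest of the prepared set was never exercised.
				// (benchmarkSetup is presumably asked for b.N objects; confirm.)
				//
				// NOTE(review): the authorization decision is discarded, so
				// this benchmark never confirms that the group ACL actually
				// grants neverMatchAction. A change that made Authorize deny
				// early would show up here as a speed-up. Consider asserting
				// the expected decision once, outside the timed loop.
				_ = authorizer.Authorize(context.Background(), c.Actor, neverMatchAction, objects[i%len(objects)])
			}
		})
	}
}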
| 229 | |
| 230 | // BenchmarkRBACFilter benchmarks the rbac.Filter method. |
| 231 | // |