MCPcopy Index your code
hub / github.com/coder/coder / BenchmarkRBACAuthorizeGroups

Function BenchmarkRBACAuthorizeGroups

coderd/rbac/authz_test.go:182–228  ·  view source on GitHub ↗

BenchmarkRBACAuthorizeGroups benchmarks the rbac.Authorize method and leverages groups for authorizing rather than the permissions/roles. go test -bench '^BenchmarkRBACAuthorizeGroups$' -benchmem -memprofile memprofile.out -cpuprofile profile.out

(b *testing.B)

Source from the content-addressed store, hash-verified

180//
181// go test -bench '^BenchmarkRBACAuthorizeGroups$' -benchmem -memprofile memprofile.out -cpuprofile profile.out
182func BenchmarkRBACAuthorizeGroups(b *testing.B) {
183 benchCases, user, orgs := benchmarkUserCases()
184 users := append([]uuid.UUID{},
185 user,
186 uuid.MustParse("4ca78b1d-f2d2-4168-9d76-cd93b51c6c1e"),
187 uuid.MustParse("0632b012-49e0-4d70-a5b3-f4398f1dcd52"),
188 uuid.MustParse("70dbaa7a-ea9c-4f68-a781-97b08af8461d"),
189 )
190 authorizer := rbac.NewAuthorizer(prometheus.NewRegistry())
191
192 // Same benchmark cases, but this time groups will be used to match.
193 // Some '*' permissions will still match, but using a fake action reduces
194 // the chance.
195 neverMatchAction := policy.Action("never-match-action")
196 for _, c := range benchCases {
197 b.Run(c.Name+"GroupACL", func(b *testing.B) {
198 userGroupAllow := uuid.NewString()
199 c.Actor.Groups = append(c.Actor.Groups, userGroupAllow)
200 c.Actor.Scope = rbac.ScopeAll
201 objects := benchmarkSetup(orgs, users, b.N, func(object rbac.Object) rbac.Object {
202 m := map[string][]policy.Action{
203 // Add the user's group
204 // Noise
205 uuid.NewString(): {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
206 uuid.NewString(): {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
207 uuid.NewString(): {policy.ActionCreate, policy.ActionRead},
208 uuid.NewString(): {policy.ActionCreate},
209 uuid.NewString(): {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
210 uuid.NewString(): {policy.ActionRead, policy.ActionUpdate},
211 }
212 for _, g := range c.Actor.Groups {
213 // Every group the user is in will be added, but it will not match the perms. This makes the
214 // authorizer look at many groups before finding the one that matches.
215 m[g] = []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete}
216 }
217 // This is the only group that will give permission.
218 m[userGroupAllow] = []policy.Action{neverMatchAction}
219 return object.WithGroupACL(m)
220 })
221 b.ResetTimer()
222 for i := 0; i < b.N; i++ {
223 allowed := authorizer.Authorize(context.Background(), c.Actor, neverMatchAction, objects[b.N%len(objects)])
224 _ = allowed
225 }
226 })
227 }
228}
229
230// BenchmarkRBACFilter benchmarks the rbac.Filter method.
231//

Callers

nothing calls this directly

Calls 7

AuthorizeMethod · 0.95
NewAuthorizerFunction · 0.92
ActionTypeAlias · 0.92
benchmarkUserCasesFunction · 0.85
benchmarkSetupFunction · 0.85
WithGroupACLMethod · 0.80
RunMethod · 0.65

Tested by

no test coverage detected