CLI long execution time about biscuit-rust HOT 3 CLOSED

I have noticed general slowness on my (i assume) similarly-spec'd macbook air: generating the samples for the test suite was sufficient to hit the default timeout. I did not have this specific issues on my other computers.

That being said, the example you provided does take a lot more time that simpler programs:

M1 macbook: ~100ms
Lenovo X1 carbon (Core i5-7200 @ 2.50 GHz, 8GB RAM): ~140ms
Custom rig (AMD Ryzen 9 5900X 12 cores, 32GB RAM): ~80ms

from biscuit-rust.

Profiling the datalog engine would be good anyway now that third party blocks have landed.

In this specific example, the use of regexes might be a part of the problem (but profiling the engine will be important anyway)

from biscuit-rust.

generating the samples hits the timeout on my machine too, if compiled in debug mode. In release mode it's fast enough.

Running with this code:

use biscuit_auth::Authorizer;

fn main() {
    let code = r#"
    entity("entity:justine");

    organization_parent("mof", "mof:tax", false, false);
    [...]
    allow if true;"#;

    let mut authorizer = Authorizer::new();
    authorizer.add_code(code).unwrap();

    let res = authorizer.authorize();
    println!("authorizer world:\n{}", authorizer.print_world());
    println!("authorizer result: {:?}", res);

    loop {
        let mut authorizer = Authorizer::new();
        authorizer.add_code(code).unwrap();

        let _ = authorizer.authorize();
    }
}

It's pretty apparent that compiling the regex is taking the most time (18ms to create the authorizer and run it on my machine in release mode).

with rules like

policy($child_id, $child, $child_resource, $child_action, "allow") <- 
  organization_parent($parent, $child, $propagate_allow, $propagate_deny),
  policy($parent_id, $parent, $parent_resource, $parent_action, "allow"),
  raw_policy($child_id, $child, $child_resource, $child_action, "allow"),
  $child_resource.matches("^" + $parent_resource + "(\\w|:)*"),
  $child_action.matches("^" + $parent_action + "(\\w|:)*");

this would create a regex for each different value in $parent_resource and $parent_action. The state machines are supposed to be memoized, but maybe that's too much here. It looks like you're trying to do 2 things here:

• checking for a prefix, which can be done with $child_resource.starts_with($parent_resource)
• checking that the format matches (\\w|:)*, which can be done with ` $child_resource.matches("^(\w|:)*$")

With rules written like this:

policy($child_id, $child, $child_resource, $child_action, "allow") <- 
      organization_parent($parent, $child, $propagate_allow, $propagate_deny),
      policy($parent_id, $parent, $parent_resource, $parent_action, "allow"),
      raw_policy($child_id, $child, $child_resource, $child_action, "allow"),
      $child_resource.starts_with($parent_resource),
      $child_action.starts_with($parent_action),
      $child_resource.matches("^(\\w|:)*$"),
      $child_action.matches("^(\\w|:)*$");

To avoid recompiling the regex
It now runs in 5ms (still in release mode).

Now it's a bit wasteful to execute the regex on each combination, we could apply it only once per relevant fact, like this:

check all raw_policy($child_id, $child, $child_resource, $child_action, "allow"),
  $child_resource.matches("^(\\w|:)*$"),
      $child_action.matches("^(\\w|:)*$");

and remove it from other rules. Unfortunately, now the runtime shots up to 20ms, so there's something wrong we have to look at here. In the meantime, maybe the format of the members in raw_policy and operation could be checked outside? It does not look critical to policy execution, and without them execution runs under a millisecond

from biscuit-rust.