Upgrade to Rust 1.85 and edition 2024

Author: sandhose

.github/workflows/ci.yaml

@@ -4,9 +4,9 @@ on:
   push:
     branches:
       - main
-      - 'release/**'
+      - "release/**"
     tags:
-      - 'v*'
+      - "v*"
   pull_request:
 
 concurrency:
@@ -31,10 +31,7 @@ jobs:
       - name: Checkout the code
         uses: actions/[email protected]
 
-      - name: Setup OPA
-        uses: open-policy-agent/[email protected]
-        with:
-          version: 0.70.0
+      - uses: ./.github/actions/build-policies
 
       - name: Setup Regal
         uses: StyraInc/setup-regal@v1
@@ -73,7 +70,6 @@ jobs:
         working-directory: ./frontend
         run: npm run lint
 
-
   frontend-test:
     name: Run the frontend test suite
     runs-on: ubuntu-24.04
@@ -98,7 +94,6 @@ jobs:
         working-directory: ./frontend
         run: npm test
 
-
   frontend-knip:
     name: Check the frontend for unused dependencies
     runs-on: ubuntu-24.04
@@ -123,7 +118,6 @@ jobs:
         working-directory: ./frontend
         run: npm run knip
 
-
   rustfmt:
     name: Check Rust style
     runs-on: ubuntu-24.04
@@ -143,7 +137,6 @@ jobs:
       - name: Check style
         run: cargo fmt --all -- --check
 
-
   cargo-deny:
     name: Run `cargo deny` checks
     runs-on: ubuntu-24.04
@@ -162,7 +155,6 @@ jobs:
       - name: Run `cargo-deny`
         uses: EmbarkStudios/[email protected]
 
-
   check-schema:
     name: Check schema
     runs-on: ubuntu-24.04
@@ -203,7 +195,6 @@ jobs:
             exit 1
           fi
 
-
   clippy:
     name: Run Clippy
     needs: [rustfmt, opa-lint]
@@ -221,14 +212,7 @@ jobs:
         with:
           components: clippy
 
-      - name: Setup OPA
-        uses: open-policy-agent/[email protected]
-        with:
-          version: 0.64.1
-
-      - name: Compile OPA policies
-        working-directory: ./policies
-        run: make
+      - uses: ./.github/actions/build-policies
 
       - name: Setup sccache
         uses: mozilla-actions/[email protected]
@@ -237,7 +221,6 @@ jobs:
         run: |
           cargo clippy --workspace --tests --bins --lib -- -D warnings
 
-
   compile-test-artifacts:
     name: Compile test artifacts
     runs-on: ubuntu-24.04
@@ -263,15 +246,14 @@ jobs:
       - name: Build and archive tests
         run: cargo nextest archive --workspace --archive-file nextest-archive.tar.zst
         env:
-          SQLX_OFFLINE: '1'
+          SQLX_OFFLINE: "1"
 
       - name: Upload archive to workflow
         uses: actions/[email protected]
         with:
           name: nextest-archive
           path: nextest-archive.tar.zst
 
-
   test:
     name: Run test suite with Rust stable
     needs: [rustfmt, opa-lint, compile-test-artifacts]

.github/workflows/coverage.yaml

@@ -2,9 +2,9 @@ name: Coverage
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -26,10 +26,7 @@ jobs:
       - name: Checkout the code
         uses: actions/[email protected]
 
-      - name: Setup OPA
-        uses: open-policy-agent/[email protected]
-        with:
-          version: 0.70.0
+      - uses: ./.github/actions/build-policies
 
       - name: Run OPA tests with coverage
         working-directory: ./policies
@@ -119,10 +116,10 @@ jobs:
         run: |
           cargo test --no-fail-fast --workspace
         env:
-          RUSTFLAGS: '-Cinstrument-coverage'
+          RUSTFLAGS: "-Cinstrument-coverage"
           LLVM_PROFILE_FILE: "cargo-test-%p-%m.profraw"
           DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
-          SQLX_OFFLINE: '1'
+          SQLX_OFFLINE: "1"
 
       - name: Build grcov report
         run: |

Cargo.toml

@@ -7,12 +7,12 @@ resolver = "2"
 package.version = "0.14.1"
 package.license = "AGPL-3.0-only"
 package.authors = ["Element Backend Team"]
-package.edition = "2021"
+package.edition = "2024"
 package.homepage = "https://element-hq.github.io/matrix-authentication-service/"
 package.repository = "https://github.com/element-hq/matrix-authentication-service/"
 
 [workspace.lints.rust]
-unsafe_code = "forbid"
+unsafe_code = "deny"
 
 [workspace.lints.clippy]
 # We use groups as good defaults, but with a lower priority so that we can override them

Dockerfile

@@ -8,9 +8,9 @@
 # The Debian version and version name must be in sync
 ARG DEBIAN_VERSION=12
 ARG DEBIAN_VERSION_NAME=bookworm
-ARG RUSTC_VERSION=1.84.0
+ARG RUSTC_VERSION=1.85.0
 ARG NODEJS_VERSION=20.15.0
-ARG OPA_VERSION=0.64.1
+ARG OPA_VERSION=1.1.0
 ARG CARGO_AUDITABLE_VERSION=0.6.6
 
 ##########################################

crates/axum-utils/src/client_authorization.rs

@@ -7,24 +7,24 @@
 use std::collections::HashMap;
 
 use axum::{
+    BoxError, Json,
     extract::{
-        rejection::{FailedToDeserializeForm, FormRejection},
         Form, FromRequest, FromRequestParts,
+        rejection::{FailedToDeserializeForm, FormRejection},
     },
     response::IntoResponse,
-    BoxError, Json,
 };
 use axum_extra::typed_header::{TypedHeader, TypedHeaderRejectionReason};
-use headers::{authorization::Basic, Authorization};
+use headers::{Authorization, authorization::Basic};
 use http::{Request, StatusCode};
 use mas_data_model::{Client, JwksOrJwksUri};
 use mas_http::RequestBuilderExt;
 use mas_iana::oauth::OAuthClientAuthenticationMethod;
 use mas_jose::{jwk::PublicJsonWebKeySet, jwt::Jwt};
 use mas_keystore::Encrypter;
-use mas_storage::{oauth2::OAuth2ClientRepository, RepositoryAccess};
+use mas_storage::{RepositoryAccess, oauth2::OAuth2ClientRepository};
 use oauth2_types::errors::{ClientError, ClientErrorCode};
-use serde::{de::DeserializeOwned, Deserialize};
+use serde::{Deserialize, de::DeserializeOwned};
 use serde_json::Value;
 use thiserror::Error;
 
@@ -371,7 +371,7 @@ where
             Err(FormRejection::InvalidFormContentType(_err)) => (None, None, None, None, None),
             // If the form could not be read, return a Bad Request error
             Err(FormRejection::FailedToDeserializeForm(err)) => {
-                return Err(ClientAuthorizationError::BadForm(err))
+                return Err(ClientAuthorizationError::BadForm(err));
             }
             // Other errors (body read twice, byte stream broke) return an internal error
             Err(e) => return Err(ClientAuthorizationError::Internal(Box::new(e))),

crates/axum-utils/src/cookies.rs

@@ -14,7 +14,7 @@ use axum::{
 };
 use axum_extra::extract::cookie::{Cookie, Key, PrivateCookieJar, SameSite};
 use http::request::Parts;
-use serde::{de::DeserializeOwned, Serialize};
+use serde::{Serialize, de::DeserializeOwned};
 use thiserror::Error;
 use url::Url;
 

crates/axum-utils/src/csrf.rs

@@ -5,11 +5,11 @@
 // Please see LICENSE in the repository root for full details.
 
 use chrono::{DateTime, Duration, Utc};
-use data_encoding::{DecodeError, BASE64URL_NOPAD};
+use data_encoding::{BASE64URL_NOPAD, DecodeError};
 use mas_storage::Clock;
-use rand::{Rng, RngCore};
+use rand::{Rng, RngCore, distributions::Standard, prelude::Distribution as _};
 use serde::{Deserialize, Serialize};
-use serde_with::{serde_as, TimestampSeconds};
+use serde_with::{TimestampSeconds, serde_as};
 use thiserror::Error;
 
 use crate::cookies::{CookieDecodeError, CookieJar};
@@ -56,7 +56,7 @@ impl CsrfToken {
 
     /// Generate a new random token valid for a specified duration
     fn generate(now: DateTime<Utc>, mut rng: impl Rng, ttl: Duration) -> Self {
-        let token = rng.gen();
+        let token = Standard.sample(&mut rng);
         Self::new(token, now, ttl)
     }
 

crates/axum-utils/src/fancy_error.rs

@@ -5,9 +5,9 @@
 // Please see LICENSE in the repository root for full details.
 
 use axum::{
+    Extension,
     http::StatusCode,
     response::{IntoResponse, Response},
-    Extension,
 };
 use axum_extra::typed_header::TypedHeader;
 use headers::ContentType;

crates/axum-utils/src/language_detection.rs

@@ -7,7 +7,7 @@
 use std::cmp::Reverse;
 
 use headers::{Error, Header};
-use http::{header::ACCEPT_LANGUAGE, HeaderName, HeaderValue};
+use http::{HeaderName, HeaderValue, header::ACCEPT_LANGUAGE};
 use icu_locid::Locale;
 
 #[derive(PartialEq, Eq, Debug)]
@@ -155,7 +155,7 @@ impl Header for AcceptLanguage {
 #[cfg(test)]
 mod tests {
     use headers::HeaderMapExt;
-    use http::{header::ACCEPT_LANGUAGE, HeaderMap, HeaderValue};
+    use http::{HeaderMap, HeaderValue, header::ACCEPT_LANGUAGE};
     use icu_locid::locale;
 
     use super::*;

crates/axum-utils/src/session.rs

@@ -5,7 +5,7 @@
 // Please see LICENSE in the repository root for full details.
 
 use mas_data_model::BrowserSession;
-use mas_storage::{user::BrowserSessionRepository, RepositoryAccess};
+use mas_storage::{RepositoryAccess, user::BrowserSessionRepository};
 use serde::{Deserialize, Serialize};
 use ulid::Ulid;