Update Rust to 1.85 and edition 2024

.github/workflows/ci.yaml

@@ -4,9 +4,9 @@ on:
   push:
     branches:
       - main
-      - 'release/**'
+      - "release/**"
     tags:
-      - 'v*'
+      - "v*"
   pull_request:
 
 concurrency:
@@ -31,10 +31,7 @@ jobs:
       - name: Checkout the code
         uses: actions/[email protected]
 
-      - name: Setup OPA
-        uses: open-policy-agent/[email protected]
-        with:
-          version: 0.70.0
+      - uses: ./.github/actions/build-policies
 
       - name: Setup Regal
         uses: StyraInc/setup-regal@v1
@@ -73,7 +70,6 @@ jobs:
         working-directory: ./frontend
         run: npm run lint
 
-
   frontend-test:
     name: Run the frontend test suite
     runs-on: ubuntu-24.04
@@ -98,7 +94,6 @@ jobs:
         working-directory: ./frontend
         run: npm test
 
-
   frontend-knip:
     name: Check the frontend for unused dependencies
     runs-on: ubuntu-24.04
@@ -123,7 +118,6 @@ jobs:
         working-directory: ./frontend
         run: npm run knip
 
-
   rustfmt:
     name: Check Rust style
     runs-on: ubuntu-24.04
@@ -143,7 +137,6 @@ jobs:
       - name: Check style
         run: cargo fmt --all -- --check
 
-
   cargo-deny:
     name: Run `cargo deny` checks
     runs-on: ubuntu-24.04
@@ -161,7 +154,8 @@ jobs:
 
       - name: Run `cargo-deny`
         uses: EmbarkStudios/[email protected]
-
+        with:
+          rust-version: stable
 
   check-schema:
     name: Check schema
@@ -203,7 +197,6 @@ jobs:
             exit 1
           fi
 
-
   clippy:
     name: Run Clippy
     needs: [rustfmt, opa-lint]
@@ -217,18 +210,11 @@ jobs:
         uses: actions/[email protected]
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@1.84.0
+        uses: dtolnay/rust-toolchain@1.85.0
         with:
           components: clippy
 
-      - name: Setup OPA
-        uses: open-policy-agent/[email protected]
-        with:
-          version: 0.64.1
-
-      - name: Compile OPA policies
-        working-directory: ./policies
-        run: make
+      - uses: ./.github/actions/build-policies
 
       - name: Setup sccache
         uses: mozilla-actions/[email protected]
@@ -237,7 +223,6 @@ jobs:
         run: |
           cargo clippy --workspace --tests --bins --lib -- -D warnings
 
-
   compile-test-artifacts:
     name: Compile test artifacts
     runs-on: ubuntu-24.04
@@ -263,15 +248,14 @@ jobs:
       - name: Build and archive tests
         run: cargo nextest archive --workspace --archive-file nextest-archive.tar.zst
         env:
-          SQLX_OFFLINE: '1'
+          SQLX_OFFLINE: "1"
 
       - name: Upload archive to workflow
         uses: actions/[email protected]
         with:
           name: nextest-archive
           path: nextest-archive.tar.zst
 
-
   test:
     name: Run test suite with Rust stable
     needs: [rustfmt, opa-lint, compile-test-artifacts]
@@ -303,7 +287,9 @@ jobs:
       - name: Checkout the code
         uses: actions/[email protected]
 
-      - run: mkdir -p ~/.cargo/bin
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
       - name: Install nextest
         uses: taiki-e/install-action@v2
         with:

.github/workflows/coverage.yaml

@@ -2,9 +2,9 @@ name: Coverage
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -26,10 +26,7 @@ jobs:
       - name: Checkout the code
         uses: actions/[email protected]
 
-      - name: Setup OPA
-        uses: open-policy-agent/[email protected]
-        with:
-          version: 0.70.0
+      - uses: ./.github/actions/build-policies
 
       - name: Run OPA tests with coverage
         working-directory: ./policies
@@ -119,10 +116,10 @@ jobs:
         run: |
           cargo test --no-fail-fast --workspace
         env:
-          RUSTFLAGS: '-Cinstrument-coverage'
+          RUSTFLAGS: "-Cinstrument-coverage"
           LLVM_PROFILE_FILE: "cargo-test-%p-%m.profraw"
           DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
-          SQLX_OFFLINE: '1'
+          SQLX_OFFLINE: "1"
 
       - name: Build grcov report
         run: |

.github/workflows/release-branch.yaml

@@ -28,7 +28,7 @@ jobs:
       - name: Compute the new minor RC
         id: next
         run: |
-          CURRENT_VERSION="$(cargo metadata --format-version 1 | jq -r '.packages[] | select(.name == "mas-cli") | .version')"
+          CURRENT_VERSION="$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[] | select(.name == "mas-cli") | .version')"
           NEXT_VERSION="$(npx --yes [email protected] -i preminor --preid rc "${CURRENT_VERSION}")"
           # compute the short minor version, e.g. 0.1.0-rc.1 -> 0.1
           SHORT_VERSION="$(echo "${NEXT_VERSION}" | cut -d. -f1-2)"

.github/workflows/release-bump.yaml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Extract the current version
         id: current
-        run: echo "version=$(cargo metadata --format-version 1 | jq -r '.packages[] | select(.name == "mas-cli") | .version')" >> "$GITHUB_OUTPUT"
+        run: echo "version=$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[] | select(.name == "mas-cli") | .version')" >> "$GITHUB_OUTPUT"
 
       - name: Compute the new minor RC
         id: next

Cargo.toml

@@ -1,18 +1,18 @@
 [workspace]
 default-members = ["crates/cli"]
 members = ["crates/*"]
-resolver = "2"
+resolver = "3"
 
 # Updated in the CI with a `sed` command
 package.version = "0.14.1"
 package.license = "AGPL-3.0-only"
 package.authors = ["Element Backend Team"]
-package.edition = "2021"
+package.edition = "2024"
 package.homepage = "https://element-hq.github.io/matrix-authentication-service/"
 package.repository = "https://github.com/element-hq/matrix-authentication-service/"
 
 [workspace.lints.rust]
-unsafe_code = "forbid"
+unsafe_code = "deny"
 
 [workspace.lints.clippy]
 # We use groups as good defaults, but with a lower priority so that we can override them

Dockerfile

@@ -8,9 +8,9 @@
 # The Debian version and version name must be in sync
 ARG DEBIAN_VERSION=12
 ARG DEBIAN_VERSION_NAME=bookworm
-ARG RUSTC_VERSION=1.84.0
+ARG RUSTC_VERSION=1.85.0
 ARG NODEJS_VERSION=20.15.0
-ARG OPA_VERSION=0.64.1
+ARG OPA_VERSION=1.1.0
 ARG CARGO_AUDITABLE_VERSION=0.6.6
 
 ##########################################

crates/axum-utils/src/client_authorization.rs

@@ -7,24 +7,24 @@
 use std::collections::HashMap;
 
 use axum::{
+    BoxError, Json,
     extract::{
-        rejection::{FailedToDeserializeForm, FormRejection},
         Form, FromRequest, FromRequestParts,
+        rejection::{FailedToDeserializeForm, FormRejection},
     },
     response::IntoResponse,
-    BoxError, Json,
 };
 use axum_extra::typed_header::{TypedHeader, TypedHeaderRejectionReason};
-use headers::{authorization::Basic, Authorization};
+use headers::{Authorization, authorization::Basic};
 use http::{Request, StatusCode};
 use mas_data_model::{Client, JwksOrJwksUri};
 use mas_http::RequestBuilderExt;
 use mas_iana::oauth::OAuthClientAuthenticationMethod;
 use mas_jose::{jwk::PublicJsonWebKeySet, jwt::Jwt};
 use mas_keystore::Encrypter;
-use mas_storage::{oauth2::OAuth2ClientRepository, RepositoryAccess};
+use mas_storage::{RepositoryAccess, oauth2::OAuth2ClientRepository};
 use oauth2_types::errors::{ClientError, ClientErrorCode};
-use serde::{de::DeserializeOwned, Deserialize};
+use serde::{Deserialize, de::DeserializeOwned};
 use serde_json::Value;
 use thiserror::Error;
 
@@ -371,7 +371,7 @@ where
             Err(FormRejection::InvalidFormContentType(_err)) => (None, None, None, None, None),
             // If the form could not be read, return a Bad Request error
             Err(FormRejection::FailedToDeserializeForm(err)) => {
-                return Err(ClientAuthorizationError::BadForm(err))
+                return Err(ClientAuthorizationError::BadForm(err));
             }
             // Other errors (body read twice, byte stream broke) return an internal error
             Err(e) => return Err(ClientAuthorizationError::Internal(Box::new(e))),

crates/axum-utils/src/cookies.rs

@@ -14,7 +14,7 @@ use axum::{
 };
 use axum_extra::extract::cookie::{Cookie, Key, PrivateCookieJar, SameSite};
 use http::request::Parts;
-use serde::{de::DeserializeOwned, Serialize};
+use serde::{Serialize, de::DeserializeOwned};
 use thiserror::Error;
 use url::Url;
 

crates/axum-utils/src/csrf.rs

@@ -5,11 +5,11 @@
 // Please see LICENSE in the repository root for full details.
 
 use chrono::{DateTime, Duration, Utc};
-use data_encoding::{DecodeError, BASE64URL_NOPAD};
+use data_encoding::{BASE64URL_NOPAD, DecodeError};
 use mas_storage::Clock;
-use rand::{Rng, RngCore};
+use rand::{Rng, RngCore, distributions::Standard, prelude::Distribution as _};
 use serde::{Deserialize, Serialize};
-use serde_with::{serde_as, TimestampSeconds};
+use serde_with::{TimestampSeconds, serde_as};
 use thiserror::Error;
 
 use crate::cookies::{CookieDecodeError, CookieJar};
@@ -56,7 +56,7 @@ impl CsrfToken {
 
     /// Generate a new random token valid for a specified duration
     fn generate(now: DateTime<Utc>, mut rng: impl Rng, ttl: Duration) -> Self {
-        let token = rng.gen();
+        let token = Standard.sample(&mut rng);
         Self::new(token, now, ttl)
     }
 

crates/axum-utils/src/fancy_error.rs

@@ -5,9 +5,9 @@
 // Please see LICENSE in the repository root for full details.
 
 use axum::{
+    Extension,
     http::StatusCode,
     response::{IntoResponse, Response},
-    Extension,
 };
 use axum_extra::typed_header::TypedHeader;
 use headers::ContentType;

crates/axum-utils/src/language_detection.rs

@@ -7,7 +7,7 @@
 use std::cmp::Reverse;
 
 use headers::{Error, Header};
-use http::{header::ACCEPT_LANGUAGE, HeaderName, HeaderValue};
+use http::{HeaderName, HeaderValue, header::ACCEPT_LANGUAGE};
 use icu_locid::Locale;
 
 #[derive(PartialEq, Eq, Debug)]
@@ -155,7 +155,7 @@ impl Header for AcceptLanguage {
 #[cfg(test)]
 mod tests {
     use headers::HeaderMapExt;
-    use http::{header::ACCEPT_LANGUAGE, HeaderMap, HeaderValue};
+    use http::{HeaderMap, HeaderValue, header::ACCEPT_LANGUAGE};
     use icu_locid::locale;
 
     use super::*;

crates/axum-utils/src/session.rs

@@ -5,7 +5,7 @@
 // Please see LICENSE in the repository root for full details.
 
 use mas_data_model::BrowserSession;
-use mas_storage::{user::BrowserSessionRepository, RepositoryAccess};
+use mas_storage::{RepositoryAccess, user::BrowserSessionRepository};
 use serde::{Deserialize, Serialize};
 use ulid::Ulid;
 

crates/axum-utils/src/user_authorization.rs

@@ -8,20 +8,20 @@ use std::{collections::HashMap, error::Error};
 
 use axum::{
     extract::{
-        rejection::{FailedToDeserializeForm, FormRejection},
         Form, FromRequest, FromRequestParts,
+        rejection::{FailedToDeserializeForm, FormRejection},
     },
     response::{IntoResponse, Response},
 };
 use axum_extra::typed_header::{TypedHeader, TypedHeaderRejectionReason};
-use headers::{authorization::Bearer, Authorization, Header, HeaderMapExt, HeaderName};
-use http::{header::WWW_AUTHENTICATE, HeaderMap, HeaderValue, Request, StatusCode};
+use headers::{Authorization, Header, HeaderMapExt, HeaderName, authorization::Bearer};
+use http::{HeaderMap, HeaderValue, Request, StatusCode, header::WWW_AUTHENTICATE};
 use mas_data_model::Session;
 use mas_storage::{
-    oauth2::{OAuth2AccessTokenRepository, OAuth2SessionRepository},
     Clock, RepositoryAccess,
+    oauth2::{OAuth2AccessTokenRepository, OAuth2SessionRepository},
 };
-use serde::{de::DeserializeOwned, Deserialize};
+use serde::{Deserialize, de::DeserializeOwned};
 use thiserror::Error;
 
 #[derive(Debug, Deserialize)]
@@ -319,7 +319,7 @@ where
                 Err(FormRejection::InvalidFormContentType(_err)) => (None, None),
                 // If the form could not be read, return a Bad Request error
                 Err(FormRejection::FailedToDeserializeForm(err)) => {
-                    return Err(UserAuthorizationError::BadForm(err))
+                    return Err(UserAuthorizationError::BadForm(err));
                 }
                 // Other errors (body read twice, byte stream broke) return an internal error
                 Err(e) => return Err(UserAuthorizationError::Internal(Box::new(e))),

crates/cli/build.rs

@@ -11,7 +11,11 @@ fn main() -> anyhow::Result<()> {
     // empty, so we unset it here.
     if let Ok(ver) = std::env::var("VERGEN_GIT_DESCRIBE") {
         if ver.is_empty() {
-            std::env::remove_var("VERGEN_GIT_DESCRIBE");
+            #[allow(unsafe_code)]
+            // SAFETY: This is safe because the build script is running a single thread
+            unsafe {
+                std::env::remove_var("VERGEN_GIT_DESCRIBE");
+            }
         }
     }