Attempted benchmark test with JWT evaluation with added complexity with data.

Pushpalanka · Pushpalanka · commit 02588ce09608 · 2024-12-08T23:05:25.000+01:00
Signed-off-by: Pushpalanka Jayawardhana &lt;pushpalanka.jayawardhana@zalando.de&gt;
diff --git a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
@@ -623,6 +623,7 @@ const (
 
 	certPath = "../../../skptesting/cert.pem"
 	keyPath  = "../../../skptesting/key.pem"
+	dataPath = "../../../skptesting/data.json"
 )
 
 func BenchmarkAuthorizeRequest(b *testing.B) {
@@ -806,6 +807,119 @@ func BenchmarkAuthorizeRequest(b *testing.B) {
 			assert.False(b, ctx.FServed)
 		}
 	})
+
+	b.Run("authorize-request-jwt-validation-with-pre-evaluation", func(b *testing.B) {
+
+		publicKey, err := os.ReadFile(certPath)
+		if err != nil {
+			log.Fatalf("Failed to read public key: %v", err)
+		}
+
+		dataFile, err := os.ReadFile(dataPath)
+		if err != nil {
+			log.Fatalf("Failed to read data.json: %v", err)
+		}
+
+		opaControlPlane := opasdktest.MustNewServer(
+			opasdktest.MockBundle("/bundles/somebundle.tar.gz", map[string]string{
+				"main.rego": fmt.Sprintf(`
+					package envoy.authz
+
+					import future.keywords.if
+
+					default allow = false
+
+					public_key_cert := %q
+
+					bearer_token := t if {
+						v := input.attributes.request.http.headers.authorization
+						startswith(v, "Bearer ")
+						t := substring(v, count("Bearer "), -1)
+					}
+
+					allow if {
+						[valid, _, payload] :=  io.jwt.decode_verify(bearer_token, {
+							"cert": public_key_cert,
+							"aud": "nqz3xhorr5"
+						})
+					
+						valid
+						sub := payload.sub
+						has_user_logged_in(sub)
+						is_admin(sub)
+						has_some_read_permission(sub)
+					}
+
+					has_user_logged_in(sub) {
+						data.users[sub].history[_].action == "login"
+					}
+
+					is_admin(sub) {
+						data.users[sub].role == "admin"
+					}
+
+					has_some_read_permission(sub) {
+                     	count(data.users[sub].permissions["read"]) > 0
+					}
+
+				`, publicKey),
+				"data.json": string(dataFile),
+			}),
+		)
+
+		f, err := createOpaFilterWithPreEvaluation(opaControlPlane)
+		assert.NoError(b, err)
+
+		url, err := url.Parse("http://opa-authorized.test/somepath")
+		assert.NoError(b, err)
+
+		claims := jwt.MapClaims{
+			"iss":   "https://some.identity.acme.com",
+			"sub":   "5974934733",
+			"aud":   "nqz3xhorr5",
+			"iat":   time.Now().Add(-time.Minute).UTC().Unix(),
+			"exp":   time.Now().Add(tokenExp).UTC().Unix(),
+			"email": "someone@example.org",
+		}
+
+		token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+
+		privKey, err := os.ReadFile(keyPath)
+		if err != nil {
+			log.Fatalf("Failed to read priv key: %v", err)
+		}
+
+		key, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(privKey))
+		if err != nil {
+			log.Fatalf("Failed to parse RSA PEM: %v", err)
+		}
+
+		// Sign and get the complete encoded token as a string using the secret
+		signedToken, err := token.SignedString(key)
+		if err != nil {
+			log.Fatalf("Failed to sign token: %v", err)
+		}
+
+		ctx := &filtertest.Context{
+			FStateBag: map[string]interface{}{},
+			FResponse: &http.Response{},
+			FRequest: &http.Request{
+				Header: map[string][]string{
+					"Authorization": {fmt.Sprintf("Bearer %s", signedToken)},
+				},
+				URL: url,
+			},
+			FMetrics: &metricstest.MockMetrics{},
+		}
+
+		b.ResetTimer()
+		b.ReportAllocs()
+
+		for i := 0; i < b.N; i++ {
+			f.Request(ctx)
+			assert.False(b, ctx.FServed)
+		}
+	})
 }
 
 func createOpaFilter(opaControlPlane *opasdktest.Server) (filters.Filter, error) {
@@ -815,6 +929,13 @@ func createOpaFilter(opaControlPlane *opasdktest.Server) (filters.Filter, error)
 	return spec.CreateFilter([]interface{}{"somebundle.tar.gz"})
 }
 
+func createOpaFilterWithPreEvaluation(opaControlPlane *opasdktest.Server) (filters.Filter, error) {
+	config := generateConfig(opaControlPlane, "envoy/authz/allow")
+	opaFactory := openpolicyagent.NewOpenPolicyAgentRegistry(openpolicyagent.WithPreevaluationOptimization(true))
+	spec := NewOpaAuthorizeRequestSpec(opaFactory, openpolicyagent.WithConfigTemplate(config))
+	return spec.CreateFilter([]interface{}{"somebundle.tar.gz"})
+}
+
 func createBodyBasedOpaFilter(opaControlPlane *opasdktest.Server) (filters.Filter, error) {
 	config := generateConfig(opaControlPlane, "envoy/authz/allow")
 	opaFactory := openpolicyagent.NewOpenPolicyAgentRegistry()
diff --git a/skptesting/data.json b/skptesting/data.json
@@ -0,0 +1,152 @@
+{
+  "users": {
+    "5974934733": {
+      "name": "John Amal",
+      "role": "admin",
+      "permissions": {
+        "read": [
+          "file1",
+          "file2"
+        ],
+        "write": [
+          "file3"
+        ]
+      },
+      "history": [
+        {
+          "action": "login",
+          "timestamp": "2024-12-08T10:00:00Z"
+        },
+        {
+          "action": "upload",
+          "timestamp": "2024-12-08T11:00:00Z"
+        },
+        {
+          "action": "logout",
+          "timestamp": "2024-12-08T12:00:00Z"
+        }
+      ]
+    },
+    "7836491938": {
+      "name": "Jane Nayana",
+      "role": "user",
+      "permissions": {
+        "read": [
+          "file1"
+        ],
+        "write": []
+      },
+      "history": [
+        {
+          "action": "login",
+          "timestamp": "2024-12-08T09:30:00Z"
+        },
+        {
+          "action": "download",
+          "timestamp": "2024-12-08T10:30:00Z"
+        }
+      ]
+    },
+    "8237491821": {
+      "name": "Nimal Johnson",
+      "role": "manager",
+      "permissions": {
+        "read": [
+          "file2",
+          "file3"
+        ],
+        "write": [
+          "file1"
+        ]
+      },
+      "history": [
+        {
+          "action": "login",
+          "timestamp": "2024-12-08T08:00:00Z"
+        },
+        {
+          "action": "upload",
+          "timestamp": "2024-12-08T08:15:00Z"
+        }
+      ]
+    },
+    "9823749823": {
+      "name": "Bob Sunil",
+      "role": "guest",
+      "permissions": {
+        "read": [
+          "file1"
+        ],
+        "write": []
+      },
+      "history": [
+        {
+          "action": "login",
+          "timestamp": "2024-12-08T08:30:00Z"
+        }
+      ]
+    },
+    "1928374650": {
+      "name": "Nihal Smith",
+      "role": "admin",
+      "permissions": {
+        "read": [
+          "file1",
+          "file2",
+          "file3"
+        ],
+        "write": [
+          "file1"
+        ]
+      },
+      "history": [
+        {
+          "action": "login",
+          "timestamp": "2024-12-08T08:35:00Z"
+        },
+        {
+          "action": "update",
+          "timestamp": "2024-12-08T09:00:00Z"
+        }
+      ]
+    },
+    "8472637450": {
+      "name": "Kamal Lee",
+      "role": "user",
+      "permissions": {
+        "read": [
+          "file2"
+        ],
+        "write": [
+          "file2"
+        ]
+      },
+      "history": [
+        {
+          "action": "login",
+          "timestamp": "2024-12-08T09:10:00Z"
+        },
+        {
+          "action": "edit",
+          "timestamp": "2024-12-08T09:15:00Z"
+        }
+      ]
+    },
+    "5748392048": {
+      "name": "Johnson Siril",
+      "role": "guest",
+      "permissions": {
+        "read": [
+          "file3"
+        ],
+        "write": []
+      },
+      "history": [
+        {
+          "action": "login",
+          "timestamp": "2024-12-08T09:25:00Z"
+        }
+      ]
+    }
+  }
+}
