Move gel-jwt from main geldata repo (#408)

Author: mmastrac

.github/workflows/publish-gel-jwt.yaml

@@ -0,0 +1,42 @@
+on:
+  push:
+    tags:
+    - releases/gel-jwt/v*
+
+name: Release gel-jwt
+
+jobs:
+  test_and_publish:
+    name: Test and publish
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: "write"
+      contents: "read"
+    steps:
+      - name: checkout and env setup
+        uses: actions/checkout@v3
+
+      - name: Extract project name and version
+        run: |
+          set -x
+          PROJECT_NAME=$(echo $GITHUB_REF | sed -E 's|refs/tags/releases/([^/]+)/v.*|\1|')
+          VERSION=$(echo $GITHUB_REF | sed -E 's|.*/v(.*)|\1|')
+          echo "PROJECT_NAME=$PROJECT_NAME" >> $GITHUB_ENV
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      # verify that git tag matches cargo version
+      - run: |
+          set -x
+          cargo_version="$(cargo metadata --format-version 1 \
+            | jq -r '.packages[] | select(.name=="${{ env.PROJECT_NAME }}") | .version')"
+          test "$cargo_version" = "${{ env.VERSION }}"
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          components: rustfmt, clippy
+
+      - working-directory: ./${{ env.PROJECT_NAME }}
+        run: |
+          cargo publish --token=${{ secrets.CARGO_REGISTRY_TOKEN }}

Cargo.toml

@@ -2,9 +2,10 @@
 resolver = "2"
 members = [
     "gel-auth",
+    "gel-derive",
     "gel-dsn",
     "gel-errors",
-    "gel-derive",
+    "gel-jwt",
     "gel-protocol",
     "gel-stream",
     "gel-tokio",
@@ -18,8 +19,9 @@ debug = true
 lto = true
 
 [workspace.dependencies]
-tokio = { version = "1.43" }
+tokio = { version = "1.44" }
 tracing = { version = "0.1" }
+pyo3 = { version = "0.23", features = ["extension-module", "serde", "macros"] }
 
 [workspace.package]
 rust-version = "1.81" # keep in sync with flake.nix

README.md

@@ -8,6 +8,8 @@ docs can currently be found on docs.rs:
 |-------|--------|-------------|
 | [gel-auth](https://docs.rs/gel-auth) | [Source](https://github.com/edgedb/edgedb-rust/tree/main/gel-auth) | Authentication and authorization utilities |
 | [gel-derive](https://docs.rs/gel-derive) | [Source](https://github.com/edgedb/edgedb-rust/tree/main/gel-derive) | Derive macro for data structures fetched from the database |
+| [gel-dsn](https://docs.rs/gel-dsn) | [Source](https://github.com/edgedb/edgedb-rust/tree/main/gel-dsn) | Data-source name (DSN) parser for Gel and PostgreSQL databases |
+| [gel-jwt](https://docs.rs/gel-jwt) | [Source](https://github.com/edgedb/edgedb-rust/tree/main/gel-jwt) | JSON Web Token (JWT) utilities |
 | [gel-errors](https://docs.rs/gel-errors) | [Source](https://github.com/edgedb/edgedb-rust/tree/main/gel-errors) | Error handling utilities |
 | [gel-protocol](https://docs.rs/gel-protocol) | [Source](https://github.com/edgedb/edgedb-rust/tree/main/gel-protocol) | Low-level definitions for data model of the Gel protocol |
 | [gel-stream](https://docs.rs/gel-stream) | [Source](https://github.com/edgedb/edgedb-rust/tree/main/gel-stream) | Library for streaming TLS/plaintext data between clients and servers |

gel-jwt/Cargo.toml

@@ -0,0 +1,64 @@
+[package]
+name = "gel-jwt"
+license = "MIT/Apache-2.0"
+version = "0.1.0"
+authors = ["MagicStack Inc. <[email protected]>"]
+edition = "2021"
+description = """
+    Low-level protocol implementation for Gel database client.
+    For applications, use gel-tokio.
+    Formerly published as edgedb-protocol.
+"""
+readme = "README.md"
+rust-version.workspace = true
+
+[features]
+python_extension = ["pyo3/extension-module"]
+
+[dependencies]
+pyo3 = { workspace = true, optional = true }
+tracing.workspace = true
+
+# This is required to be in sync w/jsonwebtoken
+rand = "0.8.5"
+
+md5 = "0.7.0"
+sha2 = "0.10.8"
+constant_time_eq = "0.3"
+base64 = "0.22"
+thiserror = "2"
+hmac = "0.12.1"
+derive_more = { version = "2", features = ["debug", "from", "display"] }
+
+rustls-pki-types = "1"
+serde = "1"
+serde_derive = "1"
+serde_json = "1"
+jsonwebtoken = { version = "9", default-features = false }
+ring = { version = "0.17", default-features = false }
+rsa = { version = "0.9.7", default-features = false, features = ["std"] }
+pkcs1 = "0.7.5"
+pkcs8 = "0.10.2"
+sec1 = { version = "0.7.3", features = ["der", "pkcs8", "alloc"] }
+pem = "3"
+const-oid = { version ="0.9.6", features = ["db"] }
+p256 = { version = "0.13.2", features = ["jwk"] }
+base64ct = { version = "1", features = ["alloc"] }
+der = "0.7.9"
+libc = "0.2"
+elliptic-curve = { version = "0.13.8", features = ["arithmetic"] }
+num-bigint-dig = "0.8.4"
+zeroize = { version = "1", features = ["derive", "serde"] }
+uuid = { version = "1", features = ["v4", "serde"] }
+
+[dev-dependencies]
+pretty_assertions = "1"
+rstest = "0.24.0"
+hex-literal = "0.4.1"
+divan = "0.1.17"
+
+[[bench]]
+name = "encode"
+harness = false
+
+[lib]

gel-jwt/benches/bench-jwcrypto.py

@@ -0,0 +1,121 @@
+from jwcrypto import jwt, jwk
+import time
+import statistics
+
+
+def generate_key(key_type):
+    if key_type == "ES256":
+        return jwk.JWK.generate(kty='EC', crv='P-256')
+    elif key_type == "RS256":
+        return jwk.JWK.generate(kty='RSA', size=2048)
+    elif key_type == "HS256":
+        return jwk.JWK.generate(kty='oct', size=256)
+    raise ValueError(f"Unsupported key type: {key_type}")
+
+
+def benchmark_encode(key_type, iterations=100):
+    # Generate key outside the loop
+    key = generate_key(key_type)
+
+    # Benchmark full encoding process including claims creation
+    times = []
+    for _ in range(iterations):
+        start = time.perf_counter_ns()
+
+        # Create claims and sign in the timed section
+        claims = {"sub": "test"}
+        token = jwt.JWT(
+            header={"alg": key_type},
+            claims=claims
+        )
+        token.make_signed_token(key)
+
+        end = time.perf_counter_ns()
+        times.append(end - start)
+
+    mean = statistics.mean(times) / 1000  # Convert to microseconds
+    median = statistics.median(times) / 1000
+    return mean, median
+
+
+def benchmark_signing(key_type, iterations=100):
+    # Generate key outside the loop
+    key = generate_key(key_type)
+    claims = {"sub": "test"}
+
+    # Benchmark signing
+    times = []
+    for _ in range(iterations):
+        start = time.perf_counter_ns()
+
+        # Signing
+        token = jwt.JWT(
+            header={"alg": key_type},
+            claims=claims
+        )
+        token.make_signed_token(key)
+
+        end = time.perf_counter_ns()
+        times.append(end - start)
+
+    mean = statistics.mean(times) / 1000
+    median = statistics.median(times) / 1000
+    return mean, median
+
+
+def benchmark_validation(key_type, iterations=100):
+    # Generate key and token outside the loop
+    key = generate_key(key_type)
+    token = jwt.JWT(
+        header={"alg": key_type},
+        claims={"sub": "test"}
+    )
+    token.make_signed_token(key)
+    token_string = token.serialize()
+
+    # Benchmark validation
+    times = []
+    for _ in range(iterations):
+        start = time.perf_counter_ns()
+
+        # Validation
+        jwt.JWT(jwt=token_string, key=key)
+
+        end = time.perf_counter_ns()
+        times.append(end - start)
+
+    mean = statistics.mean(times) / 1000
+    median = statistics.median(times) / 1000
+    return mean, median
+
+
+def main():
+    key_types = ["ES256", "RS256", "HS256"]
+    iterations = 100
+
+    print(f"Running {iterations} iterations for each algorithm")
+
+    print("\nFull encode benchmarks (including claims creation):")
+    print(f"{'Algorithm':<10} | {'Mean (µs)':<12} | {'Median (µs)':<12}")
+    print("-" * 38)
+    for key_type in key_types:
+        mean, median = benchmark_encode(key_type, iterations)
+        print(f"{key_type:<10} | {mean:12.2f} | {median:12.2f}")
+
+    print("\nSigning benchmarks (pre-created claims):")
+    print(f"{'Algorithm':<10} | {'Mean (µs)':<12} | {'Median (µs)':<12}")
+    print("-" * 38)
+    for key_type in key_types:
+        mean, median = benchmark_signing(key_type, iterations)
+        print(f"{key_type:<10} | {mean:12.2f} | {median:12.2f}")
+
+    print("\nValidation benchmarks:")
+    print(f"{'Algorithm':<10} | {'Mean (µs)':<12} | {'Median (µs)':<12}")
+    print("-" * 38)
+    for key_type in key_types:
+        mean, median = benchmark_validation(key_type, iterations)
+        print(f"{key_type:<10} | {mean:12.2f} | {median:12.2f}")
+
+
+if __name__ == "__main__":
+    main()

gel-jwt/benches/encode.rs

@@ -0,0 +1,41 @@
+use std::collections::HashMap;
+
+use gel_jwt::{KeyType, PrivateKey, SigningContext, ValidationContext};
+
+const KEY_TYPES: &[KeyType] = &[KeyType::ES256, KeyType::RS256, KeyType::HS256];
+
+#[divan::bench(args = KEY_TYPES)]
+fn bench_jwt_signing(b: divan::Bencher, key_type: KeyType) {
+    let key = PrivateKey::generate(None, key_type).unwrap();
+    let claims = HashMap::from([("sub".to_string(), "test".into())]);
+    let ctx = SigningContext::default();
+
+    b.bench_local(move || key.sign(claims.clone(), &ctx));
+}
+
+#[divan::bench(args = KEY_TYPES)]
+fn bench_jwt_validation(b: divan::Bencher, key_type: KeyType) {
+    let key = PrivateKey::generate(None, key_type).unwrap();
+    let claims = HashMap::from([("sub".to_string(), "test".into())]);
+    let ctx = SigningContext::default();
+    let token = key.sign(claims, &ctx).unwrap();
+    let ctx = ValidationContext::default();
+
+    b.bench_local(move || key.validate(&token, &ctx));
+}
+
+#[divan::bench(args = KEY_TYPES)]
+fn bench_jwt_encode(b: divan::Bencher, key_type: KeyType) {
+    let key = PrivateKey::generate(None, key_type).unwrap();
+
+    b.bench_local(move || {
+        let claims = HashMap::from([("sub".to_string(), "test".into())]);
+        let ctx = SigningContext::default();
+        key.sign(claims, &ctx).unwrap()
+    });
+}
+
+fn main() {
+    // Run registered benchmarks.
+    divan::main();
+}

gel-jwt/src/README.md

@@ -0,0 +1,18 @@
+# JWT support
+
+This crate provides support for JWT tokens. The JWT signing and verification is done
+using the `jsonwebtoken` crate, while the key loading is performed here via the
+`rsa`/`p256` crates.
+
+## Key types
+
+HS256: symmetric key
+RS256: asymmetric key (RSA 2048+ + SHA256)
+ES256: asymmetric key (P-256 + SHA256)
+
+## Supported key formats
+
+HS256: raw data
+RS256: PKCS1/PKCS8 PEM
+ES256: SEC1/PKCS8 PEM
+