Use V8 instead of Otto for JavaScript

.github/workflows/ci.yml

@@ -15,10 +15,12 @@ on:
       - 'release/*'
       - 'CBG*'
       - 'ci-*'
+      - 'feature*'
   pull_request:
     branches:
       - 'master'
       - 'release/*'
+      - 'feature*'
 
 jobs:
   build:
@@ -40,7 +42,7 @@ jobs:
           go-version: 1.20.3
       - run: go install github.com/google/addlicense@latest
       - uses: actions/checkout@v3
-      - run: addlicense -check -f licenses/addlicense.tmpl .
+      - run: addlicense -check -f licenses/addlicense.tmpl -ignore 'js/underscore*.js' .
 
   golangci:
     name: lint
@@ -86,6 +88,39 @@ jobs:
         uses: guyarb/golang-test-annotations@v0.6.0
         with:
           test-results: test.json
+  test-v8:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-latest
+            name: macos
+          # v8 windows does not work yet CBG-2741
+          #- os: windows-latest
+          #name: windows
+          - os: ubuntu-latest
+            name: ubuntu
+    env:
+      GOPRIVATE: github.com/couchbaselabs
+      MallocNanoZone: 0
+    name: test v8 (${{ matrix.name }})
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.20.3
+      - uses: actions/checkout@v3
+      - name: Build
+        run: go build -tags cb_sg_v8 -v "./..."
+      - name: Run Tests
+        run: go test -tags cb_sg_v8 -timeout=30m -count=1 -json -v "./..." | tee test.json | jq -s -jr 'sort_by(.Package,.Time) | .[].Output | select (. != null )'
+        shell: bash
+      - name: Annotate Failures
+        if: always()
+        uses: guyarb/golang-test-annotations@v0.6.0
+        with:
+          test-results: test.json
+
 
   test-race:
     runs-on: ubuntu-latest

Jenkinsfile

@@ -9,6 +9,7 @@ pipeline {
         BRANCH = "${BRANCH_NAME}"
         COVERALLS_TOKEN = credentials('SG_COVERALLS_TOKEN')
         EE_BUILD_TAG = "cb_sg_enterprise"
+        V8_BUILD_TAG = "cb_sg_v8"
         SGW_REPO = "github.com/couchbase/sync_gateway"
         GH_ACCESS_TOKEN_CREDENTIAL = "github_cb-robot-sg_access_token"
         GO111MODULE = "on"
@@ -80,11 +81,21 @@ pipeline {
                         sh "GOOS=linux go build -o sync_gateway_ce-linux -v ${SGW_REPO}"
                     }
                 }
+                stage('CE Linux V8') {
+                    steps {
+                        sh "GOOS=linux go build -tags ${V8_BUILD_TAG} -o sync_gateway_ce-linux -v ${SGW_REPO}"
+                    }
+                }
                 stage('EE Linux') {
                     steps {
                         sh "GOOS=linux go build -o sync_gateway_ee-linux -tags ${EE_BUILD_TAG} -v ${SGW_REPO}"
                     }
                 }
+                stage('EE Linux V8') {
+                    steps {
+                        sh "GOOS=linux go build -o sync_gateway_ee-linux -tags ${EE_BUILD_TAG},${V8_BUILD_TAG} -v ${SGW_REPO}"
+                    }
+                }
                 stage('CE macOS') {
                     // TODO: Remove skip
                     when { expression { return false } }
@@ -291,6 +302,51 @@ pipeline {
                                 }
                             }
                         }
+                        stage('EE V8') {
+                            steps {
+                                withEnv(["PATH+GO=${env.GOTOOLS}/bin"]) {
+                                    githubNotify(credentialsId: "${GH_ACCESS_TOKEN_CREDENTIAL}", context: 'sgw-pipeline-ee-v8-unit-tests', description: 'EE V8 Unit Tests Running', status: 'PENDING')
+
+                                    // Build EE coverprofiles
+                                    sh "2>&1 go test -timeout=20m -tags ${EE_BUILD_TAG},${V8_BUILD_TAG} -coverpkg=./... -coverprofile=cover_ee_v8.out -race -count=1 -v ./... > verbose_ee_v8.out.raw || true"
+
+                                    sh 'go tool cover -func=cover_ee_v8.out | awk \'END{print "Total SG EE V8 Coverage: " $3}\''
+
+                                    sh 'mkdir -p reports'
+
+                                    // strip non-printable characters from the raw verbose test output
+                                    sh 'LC_CTYPE=C tr -dc [:print:][:space:] < verbose_ee_v8.out.raw > verbose_ee_v8.out'
+
+                                    // Generate Cobertura XML report that can be parsed by the Jenkins Cobertura Plugin
+                                    sh 'gocov convert cover_ee_v8.out | gocov-xml > reports/coverage-ee_v8.xml'
+
+                                    // Grab test fail/total counts so we can print them later
+                                    sh "grep '\\-\\-\\- PASS: ' verbose_ee_v8.out | wc -l | awk '{printf \$1}' > test-ee-v8-pass.count"
+                                    sh "grep '\\-\\-\\- FAIL: ' verbose_ee_v8.out | wc -l | awk '{printf \$1}' > test-ee-v8-fail.count"
+                                    sh "grep '\\-\\-\\- SKIP: ' verbose_ee_v8.out | wc -l | awk '{printf \$1}' > test-ee-v8-skip.count"
+                                    sh "grep '=== RUN' verbose_ee_v8.out | wc -l | awk '{printf \$1}' > test-ee-v8-total.count"
+                                    script {
+                                        env.TEST_EE_PASS = readFile 'test-ee-v8-pass.count'
+                                        env.TEST_EE_FAIL = readFile 'test-ee-v8-fail.count'
+                                        env.TEST_EE_SKIP = readFile 'test-ee-v8-skip.count'
+                                        env.TEST_EE_TOTAL = readFile 'test-ee-v8-total.count'
+                                    }
+
+                                    // Generate junit-formatted test report
+                                    script {
+                                        try {
+                                            sh 'go2xunit -fail -suite-name-prefix="EE-V8-" -input verbose_ee_v8.out -output reports/test-ee-v8.xml'
+                                            githubNotify(credentialsId: "${GH_ACCESS_TOKEN_CREDENTIAL}", context: 'sgw-pipeline-ee-v8-unit-tests', description: env.TEST_EE_V8_PASS+'/'+env.TEST_EE_V8_TOTAL+' passed ('+env.TEST_EE_V8_SKIP+' skipped)', status: 'SUCCESS')
+                                        } catch (Exception e) {
+                                            githubNotify(credentialsId: "${GH_ACCESS_TOKEN_CREDENTIAL}", context: 'sgw-pipeline-ee-unit-tests', description: env.TEST_EE_V8_FAIL+'/'+env.TEST_EE_V8_TOTAL+' failed ('+env.TEST_EE_V8_SKIP+' skipped)', status: 'FAILURE')
+                                            // archive verbose test logs in the event of a test failure
+                                            archiveArtifacts artifacts: 'verbose_ee_v8.out', fingerprint: false
+                                            unstable("At least one EE V8 unit test failed")
+                                        }
+                                    }
+                                }
+                            }
+                        }
                     }
                 }
 

auth/auth.go

@@ -32,11 +32,12 @@ type Authenticator struct {
 }
 
 type AuthenticatorOptions struct {
-	ClientPartitionWindow    time.Duration
-	ChannelsWarningThreshold *uint32
-	SessionCookieName        string
-	BcryptCost               int
-	LogCtx                   context.Context
+	ClientPartitionWindow      time.Duration
+	ChannelsWarningThreshold   *uint32
+	ServerlessChannelThreshold uint32
+	SessionCookieName          string
+	BcryptCost                 int
+	LogCtx                     context.Context
 
 	// Collections defines the set of collections used by the authenticator when rebuilding channels.
 	// Channels are only recomputed for collections included in this set.
@@ -196,6 +197,17 @@ func (auth *Authenticator) getPrincipal(docID string, factory func() Principal)
 				}
 				changed = true
 			}
+			// If the channel threshold has been set we need to check the inherited channels across all scopes and collections against the limit
+			if auth.ServerlessChannelThreshold != 0 {
+				channelsLength, err := auth.getInheritedChannelsLength(user)
+				if err != nil {
+					return nil, nil, false, err
+				}
+				err = auth.checkChannelLimits(channelsLength, user)
+				if err != nil {
+					return nil, nil, false, err
+				}
+			}
 		}
 
 		if changed {
@@ -223,13 +235,81 @@ func (auth *Authenticator) getPrincipal(docID string, factory func() Principal)
 	return princ, nil
 }
 
+// inheritedCollectionChannels returns channels for a given scope + collection
+func (auth *Authenticator) inheritedCollectionChannels(user User, scope, collection string) (ch.TimedSet, error) {
+	roles, err := auth.getUserRoles(user)
+	if err != nil {
+		return nil, err
+	}
+
+	channels := user.CollectionChannels(scope, collection)
+	for _, role := range roles {
+		roleSince := user.RoleNames()[role.Name()]
+		channels.AddAtSequence(role.CollectionChannels(scope, collection), roleSince.Sequence)
+	}
+	return channels, nil
+}
+
+// getInheritedChannelsLength returns number of channels a user has access to across all collections
+func (auth *Authenticator) getInheritedChannelsLength(user User) (int, error) {
+	var cumulativeChannels int
+	for scope, collections := range auth.Collections {
+		for collection := range collections {
+			channels, err := auth.inheritedCollectionChannels(user, scope, collection)
+			if err != nil {
+				return 0, err
+			}
+			cumulativeChannels += len(channels)
+		}
+	}
+	return cumulativeChannels, nil
+}
+
+// checkChannelLimits logs a warning when the warning threshold is met and will return an error when the channel limit is met
+func (auth *Authenticator) checkChannelLimits(channels int, user User) error {
+	// Error if ServerlessChannelThreshold is set and is >= than the threshold
+	if uint32(channels) >= auth.ServerlessChannelThreshold {
+		base.ErrorfCtx(auth.LogCtx, "User ID: %v channel count: %d exceeds %d for channels per user threshold. Auth will be rejected until rectified",
+			base.UD(user.Name()), channels, auth.ServerlessChannelThreshold)
+		return base.ErrMaximumChannelsForUserExceeded
+	}
+
+	// This function is likely to be called once per session when a channel limit is applied, the sync once
+	// applied here ensures we don't fill logs with warnings about being over warning threshold. We may want
+	// to revisit this implementation around the warning threshold in future
+	user.GetWarnChanSync().Do(func() {
+		if channelsPerUserThreshold := auth.ChannelsWarningThreshold; channelsPerUserThreshold != nil {
+			if uint32(channels) >= *channelsPerUserThreshold {
+				base.WarnfCtx(auth.LogCtx, "User ID: %v channel count: %d exceeds %d for channels per user warning threshold",
+					base.UD(user.Name()), channels, *channelsPerUserThreshold)
+			}
+		}
+	})
+	return nil
+}
+
+// getUserRoles gets all roles a user has been granted
+func (auth *Authenticator) getUserRoles(user User) ([]Role, error) {
+	roles := make([]Role, 0, len(user.RoleNames()))
+	for name := range user.RoleNames() {
+		role, err := auth.GetRole(name)
+		if err != nil {
+			return nil, err
+		} else if role != nil {
+			roles = append(roles, role)
+		}
+	}
+	return roles, nil
+}
+
 // Rebuild channels computes the full set of channels for all collections defined for the authenticator.
 // For each collection in Authenticator.collections:
 //   - if there is no CollectionAccess on the principal for the collection, rebuilds channels for that collection
 //   - If CollectionAccess on the principal has been invalidated, rebuilds channels for that collection
 func (auth *Authenticator) rebuildChannels(princ Principal) (changed bool, err error) {
 
 	changed = false
+
 	for scope, collections := range auth.Collections {
 		for collection, _ := range collections {
 			// If collection channels are nil, they have been invalidated and must be rebuilt
@@ -242,6 +322,7 @@ func (auth *Authenticator) rebuildChannels(princ Principal) (changed bool, err e
 			}
 		}
 	}
+
 	return changed, nil
 }
 

auth/auth_test.go

@@ -2752,6 +2752,117 @@ func TestObtainChannelsForDeletedRole(t *testing.T) {
 	}
 }
 
+func TestServerlessChannelLimitsRoles(t *testing.T) {
+	testCases := []struct {
+		Name       string
+		Collection bool
+	}{
+		{
+			Name: "Single role",
+		},
+		{
+			Name: "Muliple roles",
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.Name, func(t *testing.T) {
+			testBucket := base.GetTestBucket(t)
+			defer testBucket.Close()
+			dataStore := testBucket.GetSingleDataStore()
+			var role2 Role
+
+			opts := DefaultAuthenticatorOptions()
+			opts.ServerlessChannelThreshold = 5
+			opts.Collections = map[string]map[string]struct{}{
+				"scope1": {"collection1": struct{}{}, "collection2": struct{}{}},
+			}
+			auth := NewAuthenticator(dataStore, nil, opts)
+			user1, err := auth.NewUser("user1", "pass", ch.BaseSetOf(t, "ABC"))
+			require.NoError(t, err)
+			err = auth.Save(user1)
+			require.NoError(t, err)
+			_, err = auth.AuthenticateUser("user1", "pass")
+			require.NoError(t, err)
+
+			role1, err := auth.NewRole("role1", nil)
+			require.NoError(t, err)
+			if testCase.Name == "Single role" {
+				user1.SetExplicitRoles(ch.TimedSet{"role1": ch.NewVbSimpleSequence(1)}, 1)
+				require.NoError(t, auth.Save(user1))
+				_, err = auth.AuthenticateUser("user1", "pass")
+				require.NoError(t, err)
+
+				role1.SetCollectionExplicitChannels("scope1", "collection1", ch.AtSequence(ch.BaseSetOf(t, "ABC", "DEF", "GHI", "JKL"), 1), 1)
+				require.NoError(t, auth.Save(role1))
+			} else {
+				role2, err = auth.NewRole("role2", nil)
+				require.NoError(t, err)
+				user1.SetExplicitRoles(ch.TimedSet{"role1": ch.NewVbSimpleSequence(1), "role2": ch.NewVbSimpleSequence(1)}, 1)
+				require.NoError(t, auth.Save(user1))
+				role1.SetCollectionExplicitChannels("scope1", "collection1", ch.AtSequence(ch.BaseSetOf(t, "ABC", "DEF", "GHI", "JKL"), 1), 1)
+				role2.SetCollectionExplicitChannels("scope1", "collection2", ch.AtSequence(ch.BaseSetOf(t, "MNO", "PQR"), 1), 1)
+				require.NoError(t, auth.Save(role1))
+				require.NoError(t, auth.Save(role2))
+			}
+			_, err = auth.AuthenticateUser("user1", "pass")
+			require.Error(t, err)
+		})
+	}
+}
+
+func TestServerlessChannelLimits(t *testing.T) {
+
+	testCases := []struct {
+		Name       string
+		Collection bool
+	}{
+		{
+			Name:       "Collection not enabled",
+			Collection: false,
+		},
+		{
+			Name:       "Collection is enabled",
+			Collection: true,
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.Name, func(t *testing.T) {
+			testBucket := base.GetTestBucket(t)
+			defer testBucket.Close()
+			dataStore := testBucket.GetSingleDataStore()
+
+			opts := DefaultAuthenticatorOptions()
+			opts.ServerlessChannelThreshold = 5
+			if testCase.Collection {
+				opts.Collections = map[string]map[string]struct{}{
+					"scope1": {"collection1": struct{}{}, "collection2": struct{}{}},
+				}
+			}
+			auth := NewAuthenticator(dataStore, nil, opts)
+			user1, err := auth.NewUser("user1", "pass", ch.BaseSetOf(t, "ABC"))
+			require.NoError(t, err)
+			err = auth.Save(user1)
+			require.NoError(t, err)
+			_, err = auth.AuthenticateUser("user1", "pass")
+			require.NoError(t, err)
+
+			if !testCase.Collection {
+				user1.SetCollectionExplicitChannels("_default", "_default", ch.AtSequence(ch.BaseSetOf(t, "ABC", "DEF", "GHI", "JKL", "MNO", "PQR"), 1), 1)
+				err = auth.Save(user1)
+				require.NoError(t, err)
+			} else {
+				user1.SetCollectionExplicitChannels("scope1", "collection1", ch.AtSequence(ch.BaseSetOf(t, "ABC", "DEF", "GHI", "JKL"), 1), 1)
+				user1.SetCollectionExplicitChannels("scope1", "collection2", ch.AtSequence(ch.BaseSetOf(t, "MNO", "PQR"), 1), 1)
+				err = auth.Save(user1)
+				require.NoError(t, err)
+			}
+			_, err = auth.AuthenticateUser("user1", "pass")
+			require.Error(t, err)
+			assert.Contains(t, err.Error(), base.ErrMaximumChannelsForUserExceeded.Error())
+		})
+	}
+}
+
 func TestInvalidateRoles(t *testing.T) {
 	testBucket := base.GetTestBucket(t)
 	defer testBucket.Close()