Dependency updates and misc cleanup

.github/workflows/ci.yaml

@@ -36,7 +36,7 @@ jobs:
             features: default
           # MSRV
           - os: ubuntu-22.04
-            toolchain: 1.67.0
+            toolchain: 1.70.0
             features: default
     steps:
       - uses: actions/checkout@v4

CHANGELOG.md

@@ -4,6 +4,8 @@
 
 - [[#284](https://github.com/IronCoreLabs/ironoxide/pull/284)] Remove `dev` as an option for `IRONCORE_ENV`.
 - [[#300](https://github.com/IronCoreLabs/ironoxide/pull/300)] Bump MSRV to 1.67.0.
+- [[#308](https://github.com/IronCoreLabs/ironoxide/pull/308)] Use policy caching in unmanaged encryption.
+- [[#309](https://github.com/IronCoreLabs/ironoxide/pull/309)] Bump MSRV to 1.70.0.
 
 ## 2.0.0
 

Cargo.toml

@@ -16,7 +16,7 @@ keywords = [
 ]
 description = "A pure-Rust SDK for accessing IronCore's privacy platform"
 edition = "2021"
-rust-version = "1.67.0"
+rust-version = "1.70.0"
 
 [dependencies]
 async-trait = "0.1.21"
@@ -32,34 +32,34 @@ jsonwebtoken = "8"
 lazy_static = "1.4"
 log = "0.4"
 percent-encoding = "2.1"
-protobuf = { version = "3.0", features = [ "with-bytes" ] }
+protobuf = { version = "3.0", features = ["with-bytes"] }
 quick-error = "2"
 rand = "0.8"
 rand_chacha = "0.3"
 recrypt = "0.13"
 regex = "1.4"
-reqwest = { version = "0.11", features = [ "json" ], default-features = false }
-ring = { version = "0.16", features = [ "std" ] }
-serde = { version = "1.0.126", features = [ "derive" ] }
+reqwest = { version = "0.11", features = ["json"], default-features = false }
+ring = { version = "0.17", features = ["std"] }
+serde = { version = "1.0.126", features = ["derive"] }
 serde_json = "1"
 time = { version = "0.3.6", features = [
     "std",
     "serde-human-readable",
     "serde-well-known",
     "parsing",
 ] }
-tokio = { version = "1", features = [ "time" ] }
+tokio = { version = "1", features = ["time"] }
 url = "2.2"
 vec1 = "1.6"
 
 [dev-dependencies]
 anyhow = "1"
-criterion = "0.4"
+criterion = "0.5"
 double = "0.2.4"
 galvanic-assert = "0.8"
 mut_static = "5"
-tokio = { version = "1", features = [ "macros", "rt-multi-thread" ] }
-uuid = { version = "1.0", features = [ "v4" ], default-features = false }
+tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
+uuid = { version = "1.0", features = ["v4"], default-features = false }
 
 [build-dependencies]
 itertools = "0.10"

flake.nix

@@ -18,9 +18,9 @@
         # nix develop
         devShell = pkgs.mkShell {
           buildInputs = with pkgs;
-            [ rusttoolchain openssl pkg-config ]
+            [ rusttoolchain pkg-config openssl  ]
             ++ lib.optionals stdenv.isDarwin
-            [ darwin.apple_sdk.frameworks.Security ];
+            [ darwin.apple_sdk.frameworks.SystemConfiguration ];
         };
 
       });

src/internal/document_api.rs

@@ -326,16 +326,17 @@ impl DocumentEncryptUnmanagedResult {
         access_errs: Vec<DocAccessEditErr>,
     ) -> Result<Self, IronOxideErr> {
         let edek_bytes = encryption_result.edek_bytes()?;
+        let encrypted_data = encryption_result.edoc_bytes().to_vec();
         Ok(DocumentEncryptUnmanagedResult {
-            id: encryption_result.header.document_id.clone(),
+            id: encryption_result.header.document_id,
             access_errs,
-            encrypted_data: encryption_result.edoc_bytes().to_vec(),
+            encrypted_data,
             encrypted_deks: edek_bytes,
             grants: encryption_result
                 .value
                 .edeks
-                .iter()
-                .map(|edek| edek.grant_to.id.clone())
+                .into_iter()
+                .map(|edek| edek.grant_to.id)
                 .collect(),
         })
     }
@@ -788,10 +789,13 @@ where
         grants,
     )?;
     let enc_result = EncryptedDoc {
-        header: DocumentHeader::new(doc_id.clone(), auth.segment_id),
+        header: DocumentHeader::new(doc_id, auth.segment_id),
         value: r,
     };
-    let access_errs = [&key_errs[..], &enc_result.value.encryption_errs[..]].concat();
+    let access_errs = key_errs
+        .into_iter()
+        .chain(enc_result.value.encryption_errs.clone())
+        .collect();
     DocumentEncryptUnmanagedResult::new(enc_result, access_errs)
 }
 /// Remove any duplicates in the grant list. Uses ids (not keys) for comparison.
@@ -842,9 +846,7 @@ fn recrypt_document<CR: rand::CryptoRng + rand::RngCore>(
                     })
                     .collect(),
                 encrypted_data: encrypted_doc,
-                encryption_errs: vec![encrypt_errs.into_iter().map(|e| e.into()).collect()]
-                    .into_iter()
-                    .concat(),
+                encryption_errs: encrypt_errs.into_iter().map(|e| e.into()).collect(),
             }
         })
     }
@@ -994,21 +996,21 @@ async fn document_create(
     doc_name: &Option<DocumentName>,
     accum_errs: Vec<DocAccessEditErr>,
 ) -> Result<DocumentEncryptResult, IronOxideErr> {
-    let api_resp = document_create::document_create_request(
-        auth,
-        doc_id.clone(),
-        doc_name.clone(),
-        edoc.edek_vec(),
-    )
-    .await?;
+    let api_resp =
+        document_create::document_create_request(auth, doc_id, doc_name.clone(), edoc.edek_vec())
+            .await?;
 
     Ok(DocumentEncryptResult {
         id: api_resp.id,
         name: api_resp.name,
         created: api_resp.created,
         updated: api_resp.updated,
-        encrypted_data: edoc.edoc_bytes().to_vec(),
-        grants: api_resp.shared_with.iter().map(|sw| sw.into()).collect(),
+        encrypted_data: edoc.edoc_bytes(),
+        grants: api_resp
+            .shared_with
+            .into_iter()
+            .map(|sw| sw.into())
+            .collect(),
         access_errs: [accum_errs, edoc.value.encryption_errs].concat(),
     })
 }
@@ -1029,7 +1031,7 @@ pub async fn document_update_bytes<
     let doc_meta = document_get_metadata(auth, document_id).await?;
     let sym_key = transform::decrypt_as_symmetric_key(
         recrypt,
-        doc_meta.0.encrypted_symmetric_key.clone().try_into()?,
+        doc_meta.0.encrypted_symmetric_key.try_into()?,
         device_private_key.recrypt_key(),
     )?;
     Ok(
@@ -1064,7 +1066,7 @@ pub async fn decrypt_document<CR: rand::CryptoRng + rand::RngCore + Send + Sync
     tokio::task::spawn_blocking(move || {
         let sym_key = transform::decrypt_as_symmetric_key(
             &recrypt,
-            doc_meta.0.encrypted_symmetric_key.clone().try_into()?,
+            doc_meta.0.encrypted_symmetric_key.try_into()?,
             device_private_key.recrypt_key(),
         )?;
 
@@ -1101,7 +1103,7 @@ pub async fn decrypt_document_unmanaged<CR: rand::CryptoRng + rand::RngCore>(
                 parse_document_parts(encrypted_doc)?,
             ))
         },
-        requests::edek_transform::edek_transform(auth, encrypted_deks,)
+        requests::edek_transform::edek_transform(auth, encrypted_deks)
     )?;
 
     edeks_and_header_match_or_err(&proto_edeks, &doc_meta)?;
@@ -1188,13 +1190,11 @@ pub async fn document_grant_access<CR: rand::CryptoRng + rand::RngCore>(
         );
 
         // squish all accumulated errors into one list
-        let other_errs = vec![
-            group_errs,
-            user_errs,
-            grant_errs.into_iter().map(|e| e.into()).collect(),
-        ]
-        .into_iter()
-        .concat();
+        let other_errs = group_errs
+            .into_iter()
+            .chain(user_errs)
+            .chain(grant_errs.into_iter().map(|e| e.into()))
+            .collect_vec();
         (grants, other_errs)
     };
 
@@ -1334,20 +1334,15 @@ fn process_policy(
             });
 
     (
-        [
-            pubkey_errs,
-            policy_result
-                .invalid_users_and_groups
-                .iter()
-                .map(|uog| {
-                    DocAccessEditErr::new(
-                        uog.clone(),
-                        format!("Policy refers to unknown user or group '{}'", &uog),
-                    )
-                })
-                .collect(),
-        ]
-        .concat(),
+        pubkey_errs
+            .into_iter()
+            .chain(policy_result.invalid_users_and_groups.iter().map(|uog| {
+                DocAccessEditErr::new(
+                    uog.clone(),
+                    format!("Policy refers to unknown user or group '{}'", &uog),
+                )
+            }))
+            .collect(),
         policy_eval_results,
     )
 }

src/internal/document_api/requests.rs

@@ -122,6 +122,25 @@ impl From<&AccessGrant> for UserOrGroup {
     }
 }
 
+impl From<AccessGrant> for UserOrGroup {
+    fn from(grant: AccessGrant) -> Self {
+        match grant {
+            AccessGrant {
+                user_or_group: UserOrGroupWithKey::User { id, .. },
+                ..
+            } => UserOrGroup::User {
+                id: UserId::unsafe_from_string(id),
+            },
+            AccessGrant {
+                user_or_group: UserOrGroupWithKey::Group { id, .. },
+                ..
+            } => UserOrGroup::Group {
+                id: GroupId::unsafe_from_string(id),
+            },
+        }
+    }
+}
+
 #[derive(Clone, Debug, Eq, Hash, PartialEq, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct DocumentMetaApiResponse {
@@ -419,7 +438,6 @@ pub mod document_access {
             access_resp: DocumentAccessResponse,
             other_errs: Vec<DocAccessEditErr>,
         ) -> DocumentAccessResult {
-            use itertools::Itertools;
             let succeeded = access_resp
                 .succeeded_ids
                 .into_iter()
@@ -429,10 +447,9 @@ pub mod document_access {
             let failed = access_resp
                 .failed_ids
                 .into_iter()
-                .map(DocAccessEditErr::from)
-                .collect();
+                .map(DocAccessEditErr::from);
 
-            DocumentAccessResult::new(succeeded, vec![failed, other_errs].into_iter().concat())
+            DocumentAccessResult::new(succeeded, failed.chain(other_errs).collect())
         }
     }