feat(examples): add complex authorization benchmarks

Add new benchmark commands that exercise subject mapping evaluation
with multiple attributes per resource and multiple resources per request:

- benchmark-decision-complex: v2 API with configurable resources/attrs
- benchmark-decision-v1-complex: v1 API with same capabilities

These benchmarks show where optimization improvements shine by testing
with 500 resources × 5 attributes = 2,500 attribute checks per request.

Also updates CI workflow to run and report these benchmarks.

Author: strantalis

.github/workflows/checks.yaml

@@ -273,6 +273,28 @@ jobs:
             echo "$OUTPUT";
             echo "EODECISIONV2"
           } >> "$GITHUB_ENV"
+      - name: run complex decision benchmark tests
+        run: |
+          OUTPUT=$(./examples/examples benchmark-decision-complex --resources 500 --attrs 5)
+          echo "--- Complex Decision Benchmark Output ---"
+          echo "$OUTPUT"
+          echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY"
+          {
+            echo "BENCHMARK_DECISION_COMPLEX_OUTPUT<<EODECISIONCOMPLEX";
+            echo "$OUTPUT";
+            echo "EODECISIONCOMPLEX"
+          } >> "$GITHUB_ENV"
+      - name: run complex decision v1 benchmark tests
+        run: |
+          OUTPUT=$(./examples/examples benchmark-decision-v1-complex --resources 500 --attrs 5)
+          echo "--- Complex Decision v1 Benchmark Output ---"
+          echo "$OUTPUT"
+          echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY"
+          {
+            echo "BENCHMARK_DECISION_V1_COMPLEX_OUTPUT<<EODECISIONV1COMPLEX";
+            echo "$OUTPUT";
+            echo "EODECISIONV1COMPLEX"
+          } >> "$GITHUB_ENV"
       - name: run tdf3 benchmark tests
         run: |
           OUTPUT=$(./examples/examples benchmark --count=5000 --concurrent=50)
@@ -322,6 +344,8 @@ jobs:
 
             h2 "${BENCHMARK_DECISION_OUTPUT}" "Decision Benchmark"
             h2 "${BENCHMARK_DECISION_V2_OUTPUT}" "Decision Benchmark v2"
+            h2 "${BENCHMARK_DECISION_COMPLEX_OUTPUT}" "Complex Decision Benchmark"
+            h2 "${BENCHMARK_DECISION_V1_COMPLEX_OUTPUT}" "Complex Decision v1 Benchmark"
             h2 "${BENCHMARK_METRICS_OUTPUT}" "Standard Benchmark Metrics"
             h2 "${BENCHMARK_BULK_OUTPUT}" "Bulk Benchmark"
             h2 "${BENCHMARK_TDF3_OUTPUT}" "TDF3 Benchmark"

examples/cmd/benchmark_decision_complex.go

@@ -0,0 +1,144 @@
+//nolint:forbidigo // We use Println here extensively because we are printing markdown.
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"time"
+
+	authzV2 "github.com/opentdf/platform/protocol/go/authorization/v2"
+	"github.com/opentdf/platform/protocol/go/entity"
+	"github.com/opentdf/platform/protocol/go/policy"
+	"github.com/spf13/cobra"
+)
+
+var (
+	complexAttrCount     int
+	complexResourceCount int
+)
+
+func init() {
+	benchmarkCmd := &cobra.Command{
+		Use:   "benchmark-decision-complex",
+		Short: "benchmark authorization with complex policy scenarios",
+		Long: `A benchmark tool to measure authorization performance with complex policies.
+This benchmark exercises subject mapping evaluation with multiple attributes per resource
+and multiple resources per request, showing where optimization improvements shine.`,
+		RunE: runDecisionBenchmarkComplex,
+	}
+	benchmarkCmd.Flags().IntVar(&complexAttrCount, "attrs", 5, "Number of attributes per resource")         //nolint:mnd // default shown in help
+	benchmarkCmd.Flags().IntVar(&complexResourceCount, "resources", 100, "Number of resources per request") //nolint:mnd // default shown in help
+	ExamplesCmd.AddCommand(benchmarkCmd)
+}
+
+func runDecisionBenchmarkComplex(_ *cobra.Command, _ []string) error {
+	client, err := newSDK()
+	if err != nil {
+		return err
+	}
+
+	// Available attribute values from fixtures that have subject mappings
+	// These exercise different subject mapping conditions
+	availableAttrs := []string{
+		"https://example.com/attr/attr1/value/value1", // 4 subject mappings with complex AND/OR conditions
+		"https://example.com/attr/attr1/value/value2", // 1 subject mapping
+		"https://example.net/attr/attr1/value/value1", // 1 subject mapping with NOT_IN condition
+		"https://example.com/attr/attr2/value/value1", // ALL_OF rule
+		"https://example.com/attr/attr2/value/value2", // ALL_OF rule
+	}
+
+	// Build resources with multiple attributes each
+	var resources []*authzV2.Resource
+	for i := 0; i < complexResourceCount; i++ {
+		// Select attributes for this resource (cycle through available ones)
+		var fqns []string
+		for j := 0; j < complexAttrCount; j++ {
+			fqns = append(fqns, availableAttrs[(i+j)%len(availableAttrs)])
+		}
+
+		r := &authzV2.Resource{
+			EphemeralId: "resource-" + strconv.Itoa(i),
+			Resource: &authzV2.Resource_AttributeValues_{
+				AttributeValues: &authzV2.Resource_AttributeValues{
+					Fqns: fqns,
+				},
+			},
+		}
+		resources = append(resources, r)
+	}
+
+	// Run the benchmark multiple times to get stable measurements
+	const iterations = 5
+	var totalTime time.Duration
+	var lastApproved, lastDenied int
+
+	for iter := 0; iter < iterations; iter++ {
+		start := time.Now()
+		res, err := client.AuthorizationV2.GetDecisionMultiResource(context.Background(), &authzV2.GetDecisionMultiResourceRequest{
+			Action: &policy.Action{
+				Name: "read",
+			},
+			EntityIdentifier: &authzV2.EntityIdentifier{
+				Identifier: &authzV2.EntityIdentifier_EntityChain{
+					EntityChain: &entity.EntityChain{
+						EphemeralId: "complex-benchmark-entity-chain",
+						Entities: []*entity.Entity{
+							{
+								EphemeralId: "env-cli-client",
+								EntityType:  &entity.Entity_ClientId{ClientId: "opentdf-sdk"},
+								Category:    entity.Entity_CATEGORY_ENVIRONMENT,
+							},
+							{
+								EphemeralId: "subject-sample-user",
+								EntityType:  &entity.Entity_UserName{UserName: "sample-user"},
+								Category:    entity.Entity_CATEGORY_SUBJECT,
+							},
+						},
+					},
+				},
+			},
+			Resources: resources,
+		})
+		elapsed := time.Since(start)
+		totalTime += elapsed
+
+		if err != nil {
+			return fmt.Errorf("iteration %d failed: %w", iter, err)
+		}
+
+		lastApproved = 0
+		lastDenied = 0
+		for _, decision := range res.GetResourceDecisions() {
+			if decision.GetDecision() == authzV2.Decision_DECISION_PERMIT {
+				lastApproved++
+			} else {
+				lastDenied++
+			}
+		}
+	}
+
+	avgTime := totalTime / iterations
+	decisionsPerSecond := float64(complexResourceCount) / avgTime.Seconds()
+
+	// Print results
+	fmt.Printf("# Complex Authorization Benchmark Results\n\n")
+	fmt.Printf("## Configuration\n")
+	fmt.Printf("| Parameter            | Value                  |\n")
+	fmt.Printf("|----------------------|------------------------|\n")
+	fmt.Printf("| Resources per request | %d                    |\n", complexResourceCount)
+	fmt.Printf("| Attributes per resource | %d                  |\n", complexAttrCount)
+	fmt.Printf("| Total attribute checks | %d                   |\n", complexResourceCount*complexAttrCount)
+	fmt.Printf("| Iterations           | %d                     |\n", iterations)
+	fmt.Printf("\n")
+	fmt.Printf("## Results\n")
+	fmt.Printf("| Metric                  | Value                  |\n")
+	fmt.Printf("|-------------------------|------------------------|\n")
+	fmt.Printf("| Approved Decisions      | %d                     |\n", lastApproved)
+	fmt.Printf("| Denied Decisions        | %d                     |\n", lastDenied)
+	fmt.Printf("| Average Request Time    | %s                     |\n", avgTime)
+	fmt.Printf("| Decisions/second        | %.2f                   |\n", decisionsPerSecond)
+	fmt.Printf("| Time per decision       | %s                     |\n", time.Duration(int64(avgTime)/int64(complexResourceCount)))
+
+	return nil
+}

examples/cmd/benchmark_decision_v1_complex.go

@@ -0,0 +1,127 @@
+//nolint:forbidigo // We use Println here extensively because we are printing markdown.
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/opentdf/platform/protocol/go/authorization"
+	"github.com/opentdf/platform/protocol/go/policy"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	benchmarkCmd := &cobra.Command{
+		Use:   "benchmark-decision-v1-complex",
+		Short: "benchmark authorization.GetDecisions with complex policy scenarios",
+		Long: `A benchmark tool to measure authorization v1 performance with complex policies.
+This benchmark exercises subject mapping evaluation with multiple attributes per resource.`,
+		RunE: runDecisionBenchmarkV1Complex,
+	}
+	benchmarkCmd.Flags().IntVar(&complexAttrCount, "attrs", 5, "Number of attributes per resource")         //nolint:mnd // default shown in help
+	benchmarkCmd.Flags().IntVar(&complexResourceCount, "resources", 100, "Number of resources per request") //nolint:mnd // default shown in help
+	ExamplesCmd.AddCommand(benchmarkCmd)
+}
+
+func runDecisionBenchmarkV1Complex(_ *cobra.Command, _ []string) error {
+	client, err := newSDK()
+	if err != nil {
+		return err
+	}
+
+	// Available attribute values from fixtures that have subject mappings
+	availableAttrs := []string{
+		"https://example.com/attr/attr1/value/value1",
+		"https://example.com/attr/attr1/value/value2",
+		"https://example.net/attr/attr1/value/value1",
+		"https://example.com/attr/attr2/value/value1",
+		"https://example.com/attr/attr2/value/value2",
+	}
+
+	// Build resource attributes with multiple attribute values each
+	var ras []*authorization.ResourceAttribute
+	for i := 0; i < complexResourceCount; i++ {
+		var fqns []string
+		for j := 0; j < complexAttrCount; j++ {
+			fqns = append(fqns, availableAttrs[(i+j)%len(availableAttrs)])
+		}
+		ras = append(ras, &authorization.ResourceAttribute{AttributeValueFqns: fqns})
+	}
+
+	// Run benchmark iterations
+	const iterations = 5
+	var totalTime time.Duration
+	var lastApproved, lastDenied int
+
+	for iter := 0; iter < iterations; iter++ {
+		start := time.Now()
+		res, err := client.Authorization.GetDecisions(context.Background(), &authorization.GetDecisionsRequest{
+			DecisionRequests: []*authorization.DecisionRequest{
+				{
+					Actions: []*policy.Action{{Value: &policy.Action_Standard{
+						Standard: policy.Action_STANDARD_ACTION_DECRYPT,
+					}}},
+					EntityChains: []*authorization.EntityChain{
+						{
+							Id: "complex-v1-entity-chain",
+							Entities: []*authorization.Entity{
+								{
+									Id:         "env-cli-client",
+									EntityType: &authorization.Entity_ClientId{ClientId: "opentdf-sdk"},
+									Category:   authorization.Entity_CATEGORY_ENVIRONMENT,
+								},
+								{
+									Id:         "subject-sample-user",
+									EntityType: &authorization.Entity_UserName{UserName: "sample-user"},
+									Category:   authorization.Entity_CATEGORY_SUBJECT,
+								},
+							},
+						},
+					},
+					ResourceAttributes: ras,
+				},
+			},
+		})
+		elapsed := time.Since(start)
+		totalTime += elapsed
+
+		if err != nil {
+			return fmt.Errorf("iteration %d failed: %w", iter, err)
+		}
+
+		lastApproved = 0
+		lastDenied = 0
+		for _, dr := range res.GetDecisionResponses() {
+			if dr.GetDecision() == authorization.DecisionResponse_DECISION_PERMIT {
+				lastApproved++
+			} else {
+				lastDenied++
+			}
+		}
+	}
+
+	avgTime := totalTime / iterations
+	decisionsPerSecond := float64(complexResourceCount) / avgTime.Seconds()
+
+	// Print results
+	fmt.Printf("# Complex Authorization v1 Benchmark Results\n\n")
+	fmt.Printf("## Configuration\n")
+	fmt.Printf("| Parameter              | Value                  |\n")
+	fmt.Printf("|------------------------|------------------------|\n")
+	fmt.Printf("| Resources per request  | %d                     |\n", complexResourceCount)
+	fmt.Printf("| Attributes per resource | %d                    |\n", complexAttrCount)
+	fmt.Printf("| Total attribute checks | %d                     |\n", complexResourceCount*complexAttrCount)
+	fmt.Printf("| Iterations             | %d                     |\n", iterations)
+	fmt.Printf("\n")
+	fmt.Printf("## Results\n")
+	fmt.Printf("| Metric                  | Value                  |\n")
+	fmt.Printf("|-------------------------|------------------------|\n")
+	fmt.Printf("| Approved Decisions      | %d                     |\n", lastApproved)
+	fmt.Printf("| Denied Decisions        | %d                     |\n", lastDenied)
+	fmt.Printf("| Average Request Time    | %s                     |\n", avgTime)
+	fmt.Printf("| Decisions/second        | %.2f                   |\n", decisionsPerSecond)
+	fmt.Printf("| Time per decision       | %s                     |\n", time.Duration(int64(avgTime)/int64(complexResourceCount)))
+
+	return nil
+}

lib/flattening/flatten_bench_large_test.go

@@ -71,5 +71,3 @@ func BenchmarkFlatten_NestedEntity(b *testing.B) {
 		}
 	}
 }
-
-