Early termination of reducing functions

The following reducing function is a variant on the function first and the transducer (take 1), created specially for people with nostalgia for the 80s.

(defn highlander-rf
  "There can be only one"
  [_ input] (reduced input))

Although this function is largely useless in practice, it provides the most minimalist example of early termination. It takes an intermediate result and an input value, and returns this input value wrapped with a special object. Functions that use this reducing function will recognize this special object and know that they shouldn't provide any more input to this function.

The function reduce is one of those functions that recognize the wrapper object:

(reduce highlander-rf nil [1 2 3 4]) ;; Evaluates to 1

The function reduce will call highlander-rf with nil and 1 as arguments, and then won't call it any more.

This mechanism makes it possible to efficiently reduce large or even infinite collections. Once all relevant input has been processed, all irrelevant input that follows can be ignored.

Using ensure-reduced inside transducers

The following transducer has the same behavior as the reducing function above:

(defn highlander-tr
  "There can be only one"
  [rf]
  (fn
    ([] (rf))
    ([result] (rf result))
    ([result input] (ensure-reduced (rf result input)))))

The two-arity variant of this transducer takes a value as input and returns this value wrapped in the same special object again. It uses ensure-reduced to do this, instead of reduced. When implementing highlander-tr, it's not known what reducing function rf it will be used with. It could be that some of these functions will return a result that is already wrapped. The function ensure-reduced will ensure that an already wrapped result is not wrapped again. If the return value of (rf result input) is already wrapped using reduced, the result will be returned as-is. If it is not wrapped, ensure-reduced will wrap it.

The following example demonstrates the behavior of highlander-tr:

(into []
      highlander-tr
      [1 2 3 4]) ;; Evaluates to [1]

Using reduced? inside transducers

The following reducer does a little more than the one we just saw:

(defn broken-stutter [rf]
  (fn
    ([] (rf))
    ([result] (rf result))
    ([result input]
     (rf (rf result input) input))))

This transducer will output each value it receives as input twice. As its name suggests, it is broken. Unfortunately, that is not that easy to notice.

Evaluating the following example leads to the result you'd expect:

(transduce
 broken-stutter
 conj
 []
 [1 2 3 4 5 6]) ;; Evaluates to [1 1 2 2 3 3 4 4 5 5 6 6]

When used together with the following reducing function that terminates early, however, the transducer will not always behave as expected:

(defn limited-conj [n]
  (fn 
    ([result] result)
    ([result input]
     (if (>= (count result) n)
       (reduced result)
       (conj result input)))))

The reducing function above behaves the same as conj, until the collection passed as intermediate result contains at least n values. Once that threshold has been reached, the intermediate result is returned as final result.

Combining the reducing function limited-conj with the transducer broken-stutter can bring the issue with broken-stutter to the surface. The following expression cannot be evaluated, for example:

(transduce
 broken-stutter
 (limited-conj 6)
 []
 [1 2 3 4 5 6])

The following expression can be evaluated, however, which highlights why dealing with early termination can be tricky:

(transduce
 broken-stutter
 (limited-conj 5)
 []
 [1 2 3 4 5 6]) ;; Evaluates to [1 1 2 2 3]

The problem with broken-stutter is that it may apply the reducing function rf to a result that is already wrapped using reduced. The following variant fixes that issue:

(defn stutter [rf]
  (fn
    ([] (rf))
    ([result] (rf result))
    ([result input]
     (let [intermediate (rf result input)]
       (if (reduced? intermediate)
         intermediate
         (rf intermediate input))))))

This variant checks whether the intermediate result is already reduced and does not apply rf if that is the case.

(transduce
 stutter
 (limited-conj 6)
 []
 [1 2 3 4 5 6]) ;; Evaluates to [1 1 2 2 3 3]

Using unreduced inside transducers

There's one more scenario regarding early termination that I'd like to describe. Because this scenario is also tricky, we need another reducing function that terminates early to demonstrate it. The following function is taken from ClojureDocs:

(defn conj-till-odd
  ([coll] coll)
  ([coll x] (cond-> (conj coll x)
              (odd? x) reduced)))

It behaves as conj until an odd value is received as input.

The following stateful transducer outputs each input value it receives and stores the last one. Once all input has been processed, the last input value is added to the output again.

(defn repeat-last [rf]
  (let [pv (volatile! nil)]
    (fn
      ([] (rf))
      ([result]
       (if-let [p @pv]
         (unreduced (rf result p))
         (rf result)))
      ([result input]
       (let [result (rf result input)]
         (vreset! pv input)
         result)))))

This transducer uses unreduced to ensure that the final result returned by the single-arity variant of this function is not wrapped with reduced. It could be that the result of (rf result p) is wrapped with reduced. If that is the case, this wrapper should be removed because it has no place in the output of the transducer.

If a reducing function or the two-arity variant of a transducer returns a value wrapped with reduced, this wrapper is only intended to signal that the reducing function or transducer will not process any more input values. Whoever is using the reducing function or transducer should stop feeding it more input values and remove the wrapper from the final result. The transducer stutter demonstrates the first action, and the transducer repeat-last demonstrates the second action.

The following example illustrates the use of repeat-last in combination with conj-till-odd:

(transduce
 repeat-last
 conj-till-odd
 []
 [2 4 3 2]) ;; Evaluates to [2 4 3 3]

Conclusion

See https://github.com/ljpengelen/transduce-shakespeare/tree/main/transduce-clj for a Clojure project containing some expressions that illustrate the concepts described in this post.

The heart of most Vert.x-based web applications is a router. The router routes requests to zero or more requests handlers, based on the path of the requests. If all goes well, the handler that is handling a given request will issue a response. Vert.x offers failure handlers and error handlers to handle the situation when things go wrong.

How to signal that something went wrong in a request handler?

Errors in request handlers come in two flavors: either an exception is thrown (intentionally or unintentionally) or an error is signalled explicitly by calling the fail method on the routing context. If you want to signal something went wrong by calling this method, you have three options:

• you can supply a status code,
• you can supply a status code and an exception, or
• you can supply an exception.

Throwing an exception has the same effect as calling the fail method with an exception as argument. If no status code is provided when calling fail, status code 500 is used. If an exception is provided when calling fail, this exception will be available to all failure and error handlers.

Without any error or failure handler, Vert.x will respond to a failed request with status code 500 and a body containing "Internal Server Error". If that response doesn't suit your needs, you'll need to register an error handler and/or one or more failure handlers.

Error handlers

You can register one error handler per status code with a router. If some failure happens while handling a request and there are no failure handlers (more about those below), then the error handler registered for the status code corresponding to the failure will handle the request:

@Test
void errorHandlerCanHandleException(VertxTestContext vertxTestContext) {
    var handlerExecuted = vertxTestContext.checkpoint();
    var errorHandlerExecuted = vertxTestContext.checkpoint();

    router.route("/")
            .handler(rc -> {
                handlerExecuted.flag();
                throw new RuntimeException(REQUEST_HANDLER_ERROR_MESSAGE);
            });
    router.errorHandler(500, rc -> {
        errorHandlerExecuted.flag();
        rc.response()
                .setStatusCode(500)
                .end(MESSAGE_FROM_ERROR_HANDLER + ": " + rc.failure().getMessage());
    });

    var response = performGetRequest("/");

    assertThat(response.statusCode()).isEqualTo(500);
    assertThat(response.body()).startsWith(MESSAGE_FROM_ERROR_HANDLER);
    assertThat(response.body()).endsWith(REQUEST_HANDLER_ERROR_MESSAGE);
}

As discussed above, the error handler has access to the exception that led to the invocation of the error handler. In this example, the error handler for status code 500 handles the error because this is the default status code when no other status code is provided.

Vert.x supports splitting up a single (large) router into multiple smaller ones using sub routers. Although error handlers can be registered for each sub router, they will simply be ignored:

@Test
void errorHandlerForSubRouterIsIgnored(Vertx vertx, VertxTestContext vertxTestContext) {
    var handlerExecuted = vertxTestContext.checkpoint();
    var rootErrorHandlerExecuted = vertxTestContext.checkpoint();

    var subRouter = Router.router(vertx);
    subRouter.errorHandler(500, rc ->
            vertxTestContext.failNow("Error handler for sub router should not be reached"));
    subRouter.route("/route")
            .handler(rc -> {
                handlerExecuted.flag();
                throw new RuntimeException(REQUEST_HANDLER_ERROR_MESSAGE);
            });

    router.route("/sub/*")
            .subRouter(subRouter);

    router.errorHandler(500, rc -> {
        rootErrorHandlerExecuted.flag();
        rc.response()
                .setStatusCode(500)
                .end(MESSAGE_FROM_ERROR_HANDLER + ": " + rc.failure().getMessage());
    });

    var response = performGetRequest("/sub/route");

    assertThat(response.statusCode()).isEqualTo(500);
    assertThat(response.body()).startsWith(MESSAGE_FROM_ERROR_HANDLER);
    assertThat(response.body()).endsWith(REQUEST_HANDLER_ERROR_MESSAGE);
}

Failure handlers

In some cases, you may want more fine-grained control over how errors are handled. This is where failure handlers come in. One or more failure handlers can be registered per route. They will handle errors in the order in which they are registered, until a handler successfully handles the error or an exception is thrown.

Like error handlers, failure handlers have access to the exception that led to their invocation. They also have access to the status code:

@Test
void failureHandlerCanHandleFailWithStatusCodeAndException(VertxTestContext vertxTestContext) {
    var handlerExecuted = vertxTestContext.checkpoint();
    var failureHandlerExecuted = vertxTestContext.checkpoint();

    router.route("/")
            .handler(rc -> {
                handlerExecuted.flag();
                rc.fail(418, new RuntimeException(REQUEST_HANDLER_ERROR_MESSAGE));
            })
            .failureHandler(rc -> {
                failureHandlerExecuted.flag();
                rc.response()
                        .setStatusCode(rc.statusCode())
                        .end(MESSAGE_FROM_FAILURE_HANDLER + ": " + rc.failure().getMessage());
            });

    var response = performGetRequest("/");

    assertThat(response.statusCode()).isEqualTo(418);
    assertThat(response.body()).startsWith(MESSAGE_FROM_FAILURE_HANDLER);
    assertThat(response.body()).endsWith(REQUEST_HANDLER_ERROR_MESSAGE);
}

Once an failure handler has handled a failure successfully, no error handler will be invoked:

@Test
void errorHandlerIsIgnoredWhenFailureHandlerHandledFailure(VertxTestContext vertxTestContext) {
    var handlerExecuted = vertxTestContext.checkpoint();
    var failureHandlerExecuted = vertxTestContext.checkpoint();

    router.route("/")
            .handler(rc -> {
                handlerExecuted.flag();
                throw new RuntimeException(REQUEST_HANDLER_ERROR_MESSAGE);
            })
            .failureHandler(rc -> {
                failureHandlerExecuted.flag();
                rc.response()
                        .setStatusCode(rc.statusCode())
                        .end(MESSAGE_FROM_FAILURE_HANDLER + ": " + rc.failure().getMessage());
            });
    router.errorHandler(500, rc -> vertxTestContext.failNow("Error should not reach error handler"));

    var response = performGetRequest("/");

    assertThat(response.statusCode()).isEqualTo(500);
    assertThat(response.body()).startsWith(MESSAGE_FROM_FAILURE_HANDLER);
    assertThat(response.body()).endsWith(REQUEST_HANDLER_ERROR_MESSAGE);
}

If a failure handler is unable to handle a certain failure, it can let it be handled by the next failure handler:

@Test
void failureHandlerCanDeferToNextFailureHandler(VertxTestContext vertxTestContext) {
    var handlerExecuted = vertxTestContext.checkpoint();
    var firstFailureHandlerExecuted = vertxTestContext.checkpoint();
    var secondFailureHandlerExecuted = vertxTestContext.checkpoint();

    router.route("/")
            .handler(rc -> {
                handlerExecuted.flag();
                throw new RuntimeException(REQUEST_HANDLER_ERROR_MESSAGE);
            })
            .failureHandler(rc -> {
                firstFailureHandlerExecuted.flag();
                rc.next();
            })
            .failureHandler(rc -> {
                secondFailureHandlerExecuted.flag();
                rc.response()
                        .setStatusCode(rc.statusCode())
                        .end(MESSAGE_FROM_FAILURE_HANDLER + ": " + rc.failure().getMessage());
            });

    var response = performGetRequest("/");

    assertThat(response.statusCode()).isEqualTo(500);
    assertThat(response.body()).startsWith(MESSAGE_FROM_FAILURE_HANDLER);
    assertThat(response.body()).endsWith(REQUEST_HANDLER_ERROR_MESSAGE);
}

If handling a failure leads to an exception, the handling of the original failure is taken over by the error handler:

@Test
void exceptionInFailureHandlerIsIgnoredByErrorHandler(VertxTestContext vertxTestContext) {
    var handlerExecuted = vertxTestContext.checkpoint();
    var failureHandlerExecuted = vertxTestContext.checkpoint();
    var errorHandlerExecuted = vertxTestContext.checkpoint();

    router.route("/")
            .handler(rc -> {
                handlerExecuted.flag();
                throw new RuntimeException(REQUEST_HANDLER_ERROR_MESSAGE);
            })
            .failureHandler(rc -> {
                failureHandlerExecuted.flag();
                throw new RuntimeException(FAILURE_HANDLER_ERROR_MESSAGE);
            });

    router.errorHandler(500, rc -> {
        errorHandlerExecuted.flag();
        rc.response()
                .setStatusCode(500)
                .end(MESSAGE_FROM_ERROR_HANDLER + ": " + rc.failure().getMessage());
    });

    var response = performGetRequest("/");

    assertThat(response.statusCode()).isEqualTo(500);
    assertThat(response.body()).startsWith(MESSAGE_FROM_ERROR_HANDLER);
    assertThat(response.body()).endsWith(REQUEST_HANDLER_ERROR_MESSAGE);
}

If there is no error handler registered for status code 500, an exception thrown in a failure handler will lead to an internal server error.

We saw above that error handlers registered on sub routers are ignored. Failure handlers registered for routes on a sub router function as expected, however. The failure handler registered for one of the routes of a sub router can either return a response itself or fall back to the failure handler of another matching route:

@Test
void failureHandlerForSubRouterCanFallBackToFailureHandlerForRoot(Vertx vertx, VertxTestContext vertxTestContext) {
    var handlerExecuted = vertxTestContext.checkpoint();
    var rootFailureHandlerExecuted = vertxTestContext.checkpoint();
    var subFailureHandlerExecuted = vertxTestContext.checkpoint();

    var subRouter = Router.router(vertx);
    subRouter.route("/route")
            .handler(rc -> {
                handlerExecuted.flag();
                throw new RuntimeException(REQUEST_HANDLER_ERROR_MESSAGE);
            })
            .failureHandler(rc -> {
                subFailureHandlerExecuted.flag();
                rc.next();
            });

    router.route("/sub/*")
            .subRouter(subRouter);

    router.route()
            .failureHandler(rc -> {
                rootFailureHandlerExecuted.flag();
                rc.response()
                        .setStatusCode(500)
                        .end(MESSAGE_FROM_FAILURE_HANDLER + ": " + rc.failure().getMessage());
            });

    var response = performGetRequest("/sub/route");

    assertThat(response.statusCode()).isEqualTo(500);
    assertThat(response.body()).startsWith(MESSAGE_FROM_FAILURE_HANDLER);
    assertThat(response.body()).endsWith(REQUEST_HANDLER_ERROR_MESSAGE);
}

Conclusion

As we've seen, error handlers are pretty straightforward. There can be only one error handler per status code, practically speaking, and this handler will handle each error for the given status code if that error has not been handled otherwise.

There's a little more to say about failure handlers. There can be multiple error handlers per route, which will handle errors in the order in which the handlers are registered. In case of overlapping routes (multiple routes that match the path of a given request), the failure handlers for each of these routes are invoked in the order in which the routes are registered. Each failure handler can decide to let the next failure handler handle an error.

I hope this post provides a useful addition to Vert.x's official documentation. If you want to experiment a little yourself, clone and browse https://github.com/ljpengelen/vertx-error-and-failure-handlers for some inspiration and a nice starting point.

Lazy seqs

Before we look into transducers, let's talk about lazy seqs first. Consider the following expression:

(->> (range)
     (filter even?)
     (drop 5)
     (take 5))

This expression can be read as follows:

• start with the (infinite) seq of all natural numbers,
• keep only the even numbers,
• drop the first five, and
• take the following five.

The end result of the expression is a lazy seq containing the numbers 10, 12, 14, 16, and 18. Lazy evaluation is part of the foundation of Clojure. Without lazy evaluation, evaluating expressions like the one above would be impossible. You cannot eagerly construct the set of all natural numbers, because that would take an infinite amount of time and storage space.

Although lazy evaluation is what makes expressions like the one above possible, it also has its downsides. One downside is that each step in the transformation pipeline above leads to an intermediate lazy seq. They are created when calculating the end result and then immediately discarded.

Once the value of a certain element of a lazy seq has been calculated, this value is cached. When working with large lazy seqs while keeping a reference to the final result (either deliberately or by accident), memory use can be significant.

Consider the following expression, for example:

(let [r (range 3e7)]
    [(last r) (first r)])

This expression takes the numbers 0 to 30 million minus one and returns a vector containing the last and first of those numbers. After evaluating (last r), all of these numbers are cached in memory, which takes a large amount of space. Since all but the first number are never used again, this space is wasted. We'll come back to this example below.

Because of these downsides (and more), some say that lazy evaluation should be avoided as much as possible. One way of avoiding lazy evaluation as much as possible would be to default to using transducers.

A first look at transducers

The following example shows an alternative expression for calculating the 6th to 10th even number:

(into []
      (comp
       (filter even?)
       (drop 5)
       (take 5))
      (range))

This example uses a transducer, constructed by composing three other transducers, and returns a vector containing the numbers 10, 12, 14, 16, and 18. This end result is computed eagerly, and no intermediate lazy seqs are created.

Although there are some syntactical similarities between this expression and the one at the start of this post, something completely different is going on. Both this example and the one at the start of this post contain the expressions (filter even?), (drop 5), and (take 5). However, after macro expansion, these syntactical similarities are gone:

(clojure.core/take 5
    (clojure.core/drop 5
        (clojure.core/filter clojure.core/even? (clojure.core/range))))

Once the threading macro ->> is out of the picture, it is clear that the functions filter, drop, and take operate on seqs in the first example. In the example demonstrating transducers, (filter even?), (drop 5), and (take 5) each return a transducer.

It is not hard to imagine what (filter even? [1 2 3]) returns. Imagining what (filter even?) could return and how that could be put to good use is a bit more difficult.

Transducers in terms of reducing functions

A reducing function is a function that takes an intermediate result and a new input, and returns a new result. For example, + is a reducing function that takes an intermediate sum and a new number and returns a new sum. The function conj is also a reducing function, which takes an intermediate collection and a new value and returns a new collection that includes the new value. Generally speaking, reducing functions are used to construct a single value from a number of values, one step at a time. They're used to reduce multiple values into a single value.

Depending on how they're supposed to be used, some reducing functions in Clojure also have to support taking no arguments. For example, because (+) evaluates to 0, (reduce + []) can be evaluated too, and will evaluate to 0.

Clojure's documentation describes transducers as a transformation from one reducing function into another. For that statement to be 100% correct, an additional requirement for reducing functions is needed. Apart from accepting no arguments or two arguments, they should also accept a single argument.

Consider the following function, which is a slimmed down variant of Clojure's filter function that takes a predicate and returns a transducer:

(defn filter [pred]
  (fn [rf]
    (fn
      ([] (rf))
      ([result] (rf result))
      ([result input]
        (if (pred input)
          (rf result input)
          result)))))

You'll notice that the transducer returned by filter is a function that takes a reducing function rf and returns a function that takes either 0, 1, or 2 arguments. You'll also notice that the reducing function rf itself is called with 0, 1, or 2 arguments. The most important thing to note, however, is that this transducer will work as expected, regardless of what function is provided as reducing function. The following examples illustrate this.

(reduce ((filter even?) +) 0 [1 2 3 4 5 6]) ;; evaluates to 12
(reduce ((filter even?) str) "" [1 2 3 4 5 6]) ;; evaluates to "246"
(reduce ((filter even?) *) 1 [1 2 3 4 5 6]) ;; evaluates to 48

These examples are only provided to illustrate that any reducing function can be used in combination with a transducer. This is not how you'd use transducers in practice.

Because transducers are simply functions that transform reducing functions into reducing functions, they can be composed with comp, as we've seen in one of the examples above.

The fact that transducers do not care at all which reducing function they're wrapping is exactly the reason why they were added to the language. Whereas the traditional implementations of functions like map and filter operate on collections and return collections, transducers are much more widely applicable. They can be used to implement a variety of processes that take input one value at a time, perform some operation on each of these values, and combine the result somehow.

Creating a stateful transducer

The transducer returned by the function filter we looked at earlier was stateless. It processes input value by value, without maintaining any state concerning previous values. To get a feel for stateful transducers, I created drop-nth, the twin brother of take-nth.

(defn drop-nth [n]
  (fn [rf]
    (let [nv (volatile! -1)]
      (fn
        ([] (rf))
        ([result] (rf result))
        ([result input]
         (let [i (vswap! nv inc)]
           (if (zero? (rem i n))
             result
             (rf result input))))))))

The function drop-nth takes a number n and returns a transducer that leaves out every nth value it receives as input from the output. If this transducer is called without arguments, there's nothing for it to do, so it calls the reducing function without arguments. If this transducer is called with a single argument, there's also nothing for it to do, so it calls the reducing function with the single argument. If the transducer is called with two arguments, it checks its local state to see whether or not the new input value should be included in the result. This is where it gets interesting.

The contract for transducers says that a transducer may be invoked by different threads, but not at the same time. A given transducer could be used to process some values on one thread for some time and then later to process some other values on another thread. Each of these threads should see the current value of nv, the local state of the transducer. This is where volatile and vswap! come into play.

Usually, atoms are used to share state between threads in Clojure. However, to keep transducers as performant as possible, volatiles where introduced for state kept by transducers. The JVM will ensure that the value of a volatile field is always read from main memory and not from the cache maintained by a thread. A volatile does not provide the atomicity guarantees that an atom provides, but that is acceptable given the contract for transducers mentioned above.

Volatile

The following Java application demonstrates the effect of the volatile keyword:

public class VolatileDemo {

    private static volatile boolean STOP_RUNNING_VOLATILE;
    private static boolean STOP_RUNNING_NON_VOLATILE;

    public static void main(String[] args) throws InterruptedException {
        try (var executorService = Executors.newCachedThreadPool()) {
            executorService.submit(() -> {
                var count = 0;
                while (!STOP_RUNNING_VOLATILE) {
                    count++;
                }

                System.out.println("Runnable checking volatile field terminated: " + count);
            });
            executorService.submit(() -> {
                var count = 0;
                while (!STOP_RUNNING_NON_VOLATILE) {
                    count++;
                }

                System.out.println("Runnable checking non-volatile field terminated: " + count);
            });
            Thread.sleep(10);
            STOP_RUNNING_VOLATILE = true;
            STOP_RUNNING_NON_VOLATILE = true;
        }
    }
}

The first runnable submitted to the executor service will stop increasing the counter as soon as the value of STOP_RUNNING_VOLATILE is changed to true. The second runnable will keep on increasing its counter because it's reading a cached value of STOP_RUNNING_NON_VOLATILE.

Another stateful transducer

The transducer drop-nth had nothing to do once the end of its input was reached, but the following transducer does:

(defn strings-to-the-back [rf]
  (let [stringsv (volatile! (java.util.ArrayList.))]
    (fn
      ([] (rf))
      ([result]
       (let [^java.util.ArrayList strings @stringsv
             result (if (.isEmpty strings)
                      result
                      (let [v (vec strings)]
                        (.clear strings)
                        (vreset! stringsv strings)
                        (reduce rf result v)))]
         (rf result)))
      ([result input]
       (let [^java.util.ArrayList strings @stringsv]
         (if (string? input)
           (do
             (.add strings input)
             (vreset! stringsv strings)
             result)
           (rf result input)))))))

This transducer inspects the values it receives as input and will not immediately add them to the output if they are strings. One the end of the input is reached, all strings are added to the output.

This transducer is inspired by partition-all, which looks like this at the time of writing:

(defn partition-all [^long n]
  (fn [rf]
    (let [a (java.util.ArrayList. n)]
      (fn
        ([] (rf))
        ([result]
         (let [result (if (.isEmpty a)
                        result
                        (let [v (vec (.toArray a))]
                          ;;clear first!
                          (.clear a)
                          (unreduced (rf result v))))]
           (rf result)))
        ([result input]
         (.add a input)
         (if (= n (.size a))
           (let [v (vec (.toArray a))]
             (.clear a)
             (rf result v))
           result))))))

The most notable difference between strings-to-the-back and partition-all is that the latter does not make use of a volatile. This is, however, a bug: https://clojure.atlassian.net/browse/CLJ-2146. Another difference is that the array list stored as state is converted to a vector as follows: (vec (.toArray a)). After some benchmarking, I found out that this is slightly faster than (vec a) for small lists. I don't see why this only holds for small lists, but I don't want to invest time in finding out right now.

After each update of the array list containing strings in strings-to-the-back, you'll see (vreset! stringsv strings). This may seem unnecessary, since strings is always the same object. This expression does have an effect, however. The Java memory model guarantees that when a thread reads a volatile variable, it sees not just the latest change to the volatile, but also the side effects of the code that led up to the change.

Volatile fields and visibility of related changes

There is a set of stress tests called the Java Concurrency Stress tests (jcstress) that can be used to find concurrency-related bugs in implementations of the JVM, among other things.

Running the following stress test shows that the JVM behaves exactly as documented. The observer will either see a null list or one that contains the number 42, because the assignment to the volatile field happens after the number 42 is added to the temporary list.

@JCStressTest
@State
@Outcome.Outcomes({
        @Outcome(id = "-1", expect = ACCEPTABLE, desc = "Null list"),
        @Outcome(id = "0", expect = FORBIDDEN, desc = "Empty list"),
        @Outcome(id = "42", expect = ACCEPTABLE, desc = "List containing 42"),
})
public class VolatileSaveAfterModification {

    volatile List<Integer> list;

    @Actor
    public void actor() {
        var tmpList = new ArrayList<Integer>();
        tmpList.add(42);
        list = tmpList;
    }

    @Actor
    public void observer(I_Result r) {
        var l = list;
        if (l != null) {
            if (l.isEmpty()) {
                r.r1 = 0;
            } else {
                r.r1 = l.get(0);
            }
        } else {
            r.r1 = -1;
        }
    }
}

The test report is as follows:

  RESULT     SAMPLES     FREQ      EXPECT  DESCRIPTION
      -1  24.230.598   78,97%  Acceptable  Null list
       0           0    0,00%   Forbidden  Empty list
      42   6.454.586   21,03%  Acceptable  List containing 42

The result of running the following test is very different:

@JCStressTest
@State
@Outcome.Outcomes({
        @Outcome(id = "-1", expect = ACCEPTABLE, desc = "Null list"),
        @Outcome(id = "-2", expect = ACCEPTABLE_INTERESTING, desc = "Non-empty list without item"),
        @Outcome(id = "0", expect = ACCEPTABLE_INTERESTING, desc = "Empty list"),
        @Outcome(id = "42", expect = ACCEPTABLE, desc = "List containing 42"),
})
public class VolatileSaveBeforeModification {

    volatile List<Integer> list;

    @Actor
    public void actor() {
        list = new ArrayList<>();
        list.add(42);
    }

    @Actor
    public void observer(I_Result r) {
        var l = list;
        if (l != null) {
            if (l.isEmpty()) {
                r.r1 = 0;
            } else {
                try {
                    var value = l.get(0);
                    r.r1 = value != null ? value : -1;
                } catch (Exception e) {
                    r.r1 = -2;
                }
            }
        } else {
            r.r1 = -1;
        }
    }
}

The test report is as follows:

  RESULT     SAMPLES     FREQ       EXPECT  DESCRIPTION
      -1  30.773.768   88,04%   Acceptable  Null list
      -2          49   <0,01%  Interesting  Non-empty list without item
       0      62.466    0,18%  Interesting  Empty list
      42   4.118.981   11,78%   Acceptable  List containing 42

The observer still sees a null list or one containing 42 most of the time, but it also happens that it sees an empty list or one that is not empty but does not have a first item.

Applying transducers in different contexts

As mentioned above, part of the beauty of transducers is that they can be reused in different, unrelated contexts. In the examples below, we use the same transducer to modify a vector of values as well as to transform all values communicated over a core/async channel.

(into [] strings-to-the-back [1 "2" 3]) ;; Evaluates to [1 3 "2"]

(let [c (chan 3 strings-to-the-back)]
  (>!! c 1)
  (>!! c "2")
  (>!! c 3)
  (close! c)
  (-> []
      (conj (<!! c))
      (conj (<!! c))
      (conj (<!! c)))) ;; Evaluates to [1 3 "2"]

Delayed evaluation

When discussing some of the downsides of lazy seqs, we encountered the following example:

(let [r (range 3e7)]
    [(last r) (first r)])

Due to the caching of already computed values, evaluating this expression takes a large amount of memory. In situations where you need delayed eager evaluation and no caching, eduction can come in handy. The eduction function takes zero or more transducers and a collection, and returns something that can be reduced or iterated over.

I see an eduction as something that is not yet a reduction. It can become a reduction after reducing it.

Values are computed eagerly, one at a time, and only when reducing or iterating over an eduction. Computed values are not cached and thus have to be recomputed each time an eduction is reduced or iterated over again.

The following example uses an eduction to prevent the memory issues of the previous example. In this example, the eduction function is used without any transducers.

(let [r (eduction (range 3e7))]
    [(last r) (first r)])

The image below, produced with jconsole, shows that the memory used while evaluating the second expression is much lower.

Conclusion

First of all, let's answer the question in the title of this post. Should we transduce or should we not? Of course, we should. Transducers are really interesting conceptually, they're performant, and they're reusable. Should they be used every time, everywhere? I'm not convinced about that. I don't think laziness should be avoided at all costs or that transducer-based solutions are always superior to solutions using lazy seqs.

Visit https://github.com/ljpengelen/transduce-shakespeare/ to try this at home.

Over time, however, people will start using your application, and your MongoDB collections will grow as a result. Creating an index for an empty collections takes very little time. Creating an index for a big collection can take a while. Because of this, configuring Spring to handle index creation on startup can lead to unpleasant surprises. The startup of your application will block until the new index is created, and this can take a while for existing, large collections.

Additionally, your application will not start at all if something goes wrong while creating an index. This could happen if you try to modify an existing index, for example.

All in all, it's worthwhile to take a closer look at various ways to programmatically create, find, and delete indexes.

Experimenting

I've created a small Spring Boot application accompanied by a set of tests to experiment with index creation: https://github.com/ljpengelen/mongo-index-experiments. The application itself is not much more than a single document RandomData and a repository for this document. The class RandomData looks like this:

@Builder
@CompoundIndex(def = "{ randomString: 1, randomLong: 1 }", name = "idx0")
@Data
@Document
public class RandomData {

    @Indexed
    private String randomString;

    @Indexed
    private long randomLong;

    private boolean randomBoolean;
}

The app is configured to create indexes on startup, so once you start it, four indexes are generated: one compound index corresponding to the @CompoundIndex annotation, two single-field indexes corresponding to the @Indexed annotations, and one for the implicit ID. On my machine, the app starts in about 2 seconds. Part of the startup time is spent creating indexes, but this is almost negligible.

Now, let's insert some random data by executing the following test a few times:

@Test
void savesEntities() {
    var batchSize = 100;
    var totalNumberOfEntities = 1_000_000;
    IntStream.range(0, totalNumberOfEntities / batchSize).forEach(batchNumber -> {
        var entities = Stream.generate(ExperimentApplicationTest::randomData)
                .limit(batchSize)
                .toList();
        repository.saveAll(entities);

        if (batchNumber % 500 == 0) {
            log.info("Inserting batch number {}", batchNumber);
        }
    });
}

After inserting 3 million documents and removing the previously created indexes, the app takes around 14 seconds to start on my machine. Clearly, the time it takes to create indexes is no longer negligible.

Now that I've told you the same thing twice, it's time for some new information.

One way of creating indexes programmatically uses Spring's Mongo template:

@Test
void createsIndexViaTemplate() {
    var indexOps = mongoTemplate.indexOps(COLLECTION_NAME);

    log.info("Creating index");

    var indexDefinition = new Index();
    indexDefinition.named(INDEX_NAME)
            .on("randomBoolean", Sort.Direction.ASC)
            .on("randomString", Sort.Direction.ASC)
            .on("randomLong", Sort.Direction.ASC);

    var stopWatch = new StopWatch();
    stopWatch.start();
    indexOps.ensureIndex(indexDefinition);
    stopWatch.stop();
    log.info("Time to create index: {}", stopWatch.getTotalTimeMillis());
}

On my machine, creating this index takes around 4 seconds.

With MongoDB versions before 4.2, indices could be created in the foreground or the background. Foreground builds would be faster and would lead to more efficient index data structures, but would block access to the database during the build. Background builds would not block access to the database, but would take longer to build and be less efficient.

Starting from version 4.2, access is no longer blocked while the index is built. However, access is blocked at the start and end of the build process.

Even though access to the database is not blocked during index creation, the statement indexOps.ensureIndex(indexDefinition) does block, just like the application startup blocks during index creation.

One way of ensuring that your application is not blocked during index creation is by explicitly starting a new thread for this:

@Test
void createsIndexViaTemplateInBackground() throws InterruptedException, ExecutionException {
    var indexOps = mongoTemplate.indexOps(COLLECTION_NAME);

    var completableFuture = new CompletableFuture<Void>();
    var thread = new Thread(() -> {
        log.info("Creating index");

        var indexDefinition = new Index();
        indexDefinition.named(INDEX_NAME)
                .on("randomBoolean", Sort.Direction.ASC)
                .on("randomString", Sort.Direction.ASC)
                .on("randomLong", Sort.Direction.ASC);

        var stopWatch = new StopWatch();
        stopWatch.start();
        indexOps.ensureIndex(indexDefinition);
        stopWatch.stop();
        log.info("Time to create index: {}", stopWatch.getTotalTimeMillis());

        completableFuture.complete(null);
    });

    thread.start();

    completableFuture.get();
}

Alternatively, you could use Spring's reactive Mongo template:

@Test
void createsIndexReactively() throws InterruptedException, ExecutionException {
    var indexOps = reactiveMongoTemplate.indexOps(COLLECTION_NAME);

    log.info("Creating index");

    var indexDefinition = new Index();
    indexDefinition.named(INDEX_NAME)
            .on("randomBoolean", Sort.Direction.ASC)
            .on("randomString", Sort.Direction.ASC)
            .on("randomLong", Sort.Direction.ASC);

    var completableFuture = new CompletableFuture<Void>();
    var stopWatch = new StopWatch();
    stopWatch.start();
    indexOps.ensureIndex(indexDefinition).subscribe(name -> {
        stopWatch.stop();
        log.info("Time to create index {}: {}", name, stopWatch.getTotalTimeMillis());

        completableFuture.complete(null);
    });

    completableFuture.get();
}

If you're looking for a way to create indexes that is not Spring-specific, you could also use the Mongo client for Java:

@Test
void createsIndexViaClient() {
    var keys = new BsonDocument();
    keys.put("randomLong", new BsonInt32(1));
    keys.put("randomString", new BsonInt32(1));
    keys.put("randomBoolean", new BsonInt32(1));

    var indexOptions = new IndexOptions();
    indexOptions.name(INDEX_NAME);

    var stopWatch = new StopWatch();
    stopWatch.start();
    log.info("Creating index");
    mongoClient.getDatabase(DATABASE_NAME).getCollection(COLLECTION_NAME).createIndex(keys, indexOptions);
    stopWatch.stop();
    log.info("Time to create index: {}", stopWatch.getTotalTimeMillis());
}

The statement mongoClient.getDatabase(...).getCollection(...).createIndex(keys, indexOptions) is again a blocking statement. As you might expect, all four ways take the same amount of time to create this particular index. The hard work is done by MongoDB, not our application or any library we're using.

What's in a name?

Some of the methods above are named ensureIndex, and some are named createIndex. In practice, they all behave as you would expect a method named ensureIndex to behave. They create an index if it doesn't exist yet, and they'll just do nothing if the index is already present. In other words, the following test passes and the last indexOps.ensureIndex(indexDefinition) only takes a few milliseconds:

@Test
void canEnsureExistingIndexViaTemplate() {
    var indexOps = mongoTemplate.indexOps(COLLECTION_NAME);

    var indexDefinition = new Index();
    indexDefinition.named(INDEX_NAME)
            .on("randomBoolean", Sort.Direction.ASC)
            .on("randomString", Sort.Direction.ASC)
            .on("randomLong", Sort.Direction.ASC);

    log.info("Ensuring index");
    indexOps.ensureIndex(indexDefinition);
    log.info("Ensured index");
    indexOps.ensureIndex(indexDefinition);
    log.info("Ensured index again");
}

No updates

MongoDB does not allow you to update existing indices. If you have a non-unique index with a given name and you want a unique index with that same name, for example, you have to delete the existing index and create a new one to replace it. After deleting the existing index, performance may suffer until the replacement index is built.

Alternatively, you can introduce the replacement index with a new name. It's perfectly fine to have two indexes for the same fields as long as they have different names and one is unique and the other isn't, or one is sparse and the other isn't, etc.

Automating index creation

A basic way of creating indexes at the start of your application, without blocking, is as follows:

@Component
@Slf4j
public class RandomDataIndexCreator {

    private static final String COLLECTION_NAME = "randomData";
    private static final String DATABASE_NAME = "test";
 
    private final MongoIndexOperations mongoIndexOperations;

    public RandomDataIndexCreator(MongoClient mongoClient) {
        mongoIndexOperations = new MongoIndexOperations(DATABASE_NAME, COLLECTION_NAME, mongoClient);
    }

    @PostConstruct
    public void startIndexCreation() {
        var indexSpecification = MongoIndexSpecification.builder()
            .definition("{ randomBoolean: 1, randomLong: 1 }")
            .build();
        new Thread(() -> mongoIndexOperations.createIndex(indexSpecification)).start();
    }
}

The class MongoIndexOperations is a wrapper around MongoClient, but you could use MongoTemplate or ReactiveMongoTemplate too. I used MongoClient because it's Spring independent, which would make it possible to use MongoIndexOperations in non-Spring applications too. See MongoIndexOperations.java for the complete implementation.

It could happen that some of the indexes you need are already present on some deployment environments, for example because someone created them manually. If you know the names of these indexes, you can just issue create statements like the one above. If the index already exists, nothing will happen, as discussed above. If it doesn't exist, it will be created.

If the naming is not consistent across deployment environments, things are a little trickier. In such cases, you first have to determine whether a given index exists, regardless of the name, and only create it when it doesn't exist.

@PostConstruct
public void startIndexCreation() {
    var indexSpecification = MongoIndexSpecification.builder()
        .definition("{ randomBoolean: 1, randomLong: 1 }")
        .build();
    new Thread(() -> {
        if (mongoIndexOperations.findIndex(indexSpecification) == null) {
            mongoIndexOperations.createIndex(indexSpecification.toBuilder()
                .name("name-that-does-not-exist-in-any-deployment-environment")
                .build());
        }
    }).start();
}

Ideally, you'd use some migration framework that ensures that each index is only created once, instead of creating it (or at least verifying its existence) each time your app starts. For SQL databases, Flyway provides such functionality. I have no experience with any open-source counterpart for MongoDB.

Conclusion

If you have a few minutes to spare, I advise you to clone https://github.com/ljpengelen/mongo-index-experiments and do some experiments yourself. The proof of the pudding is in the eating.

Conception

Tiny Utterances started out as Tiny Giscus, a clone of Giscus. Giscus is a comment system based on GitHub Discussions. Utterances, on the other hand, is based on GitHub Issues.

I started working on a minimalistic clone of Giscus that was based on GitHub Discussions too, simply because comments feel more closely related to discussions than issues. However, there's only a GraphQL API to interact with Github Discussions and this API requires a personal access token for all operations. As a result, you can't really use this API client side. Although it's technically possible, it requires you to expose one of your personal access tokens. That's also technically possible, because you could create a personal access token that can only be used to read public repositories and discussion, but GitHub immediately revokes any personal access token it finds in a repository.

Long story short, I had to switch to GitHub Issues as a basis for my minimalistic comment system. Although it's not a perfect fit conceptually, it works pretty well.

For additional details, such as installation instructions, visit the documentation. An example comment section is included at the bottom of this page and other pages of this blog. Feel free to leave a comment, that's why it's there.

The protocol Logger below consists of a single method info. The constructor function create-logger returns a concrete implementation of Logger, which delegates to clojure.tools.logging/info.

(ns logging
  (:require [clojure.tools.logging :as log]))

(defprotocol Logger
  (info [this message]))

(defn create-logger []
  (reify Logger
    (info [_ message] (log/info message))))

The function add-and-log below takes a logger as its first argument and uses it to log the result of some computation. Pay close attention to the namespace.

(ns domain
  (:require [logging :refer [create-logger info]]))

(defn add-and-log [logger & args]
  (info logger (apply + args)))

(add-and-log (create-logger) 1 2 3 4)
(add-and-log (create-logger) 1 2 3 4 5)

The result of evaluating the last two expressions is as follows:

13:47:30.130 [nREPL-session-fab93eaa-9ae3-40d4-a4f1-a0605747ba5c] INFO logging - 10
13:49:22.927 [nREPL-session-fab93eaa-9ae3-40d4-a4f1-a0605747ba5c] INFO logging - 15

These two log entries contain the log level ("INFO"), the namespace from which the logging function was called ("logging"), and the log messages ("10" and "15").

Usually, it's convenient to be able to trace an entry in the logs to its origin in the code. In this example, however, we're logging messages in the namespace domain, but the log entries contain the namespace logging. This is unfortunate, but it makes perfect sense. It may look like we're logging messages in the namespace domain, because that's where we call the info method of the logger, but the actual logging happens in the namespace logging, where log/info is called.

Macros to the rescue

After some head scratching and browsing through code bases and documentation, I learned that this is one of those occasions where macros come in handy. As you may know, macros can be used to transform code at compile time. The end result of this transformation is evaluated at runtime.

For example, the macro twice below takes a function and a value, and applies the function twice: once to the value and then to the result of the first application.

(defmacro twice [f x]
  `(~f (~f ~x)))

Without going into details too much, you could view the expression `(~f (~f ~x)) as a template, where ~ is used as an escape symbol.

At compile time, the expression (twice inc 0) expands to the following:

(inc (inc 0))

At runtime, this evaluates to 2.

For beginners, it can be difficult to determine whether a function or a macro should be used to solve a certain problem. In fact, the macro twice could have been a function. Most people would say that if something can be implemented as a function, then it should be implemented as function, not a macro. The problem with our logger, however, is a perfect fit for macros.

Here's a new version of the Logger protocol and the corresponding constructor function:

(ns logging
  (:require [clojure.tools.logging :as log]
            [clojure.tools.logging.impl :as impl]))

(defprotocol Logger
  (-log [this ns level message throwable]))

(defn create-logger []
  (reify Logger
    (-log [_ ns level message throwable]
      (let [logger (impl/get-logger log/*logger-factory* ns)]
        (log/log* logger level throwable message)))))

This version of the protocol consists of a single method named -log, where the minus-sign indicates that the method is not meant to be called directly. (It can be called directly, but it's not meant to be.) What's most noteworthy about this method is that it takes an argument ns. The constructor function creates a logger by passing the value of ns to the logger factory of clojure.tools.logging, and that logger is then used to do the actual logging via log/log*.

This change itself doesn't bring us any closer to solving our problem, however. We still need to figure out how to pass the namespace in which we're logging something to the method -log without doing so explicitly. Part of the answer lies in *ns*, an object representing the current namespace. Using a function in the logging namespace to pass along *ns* wouldn't work however, because we would be passing along that namespace again. The second part of the answer lies in using a macro.

(defmacro log [logger level message throwable]
  `(-log ~logger ~*ns* ~level ~message ~throwable))

As mentioned above, macros will be expanded at compile time and the resulting expression will be evaluated at runtime. Because the expansion happens where the macro is applied, the value of *ns* is the namespace in which the macro is applied, not the namespace in which the macro is defined.

To provide an API that is a little more pleasant to use, the macro above is combined with the following ones (and similar ones for other log levels).

(defmacro info [logger message]
  `(log ~logger :info ~message nil))

(defmacro error [logger message throwable]
  `(log ~logger :error ~message throwable))

Now that we've defined this collection of macros, we can evaluate the following expression.

(ns domain
  (:require [logging :refer [create-logger info]]))

(info (create-logger) "a message to log")

At compile time, the expression on the last line expands to the following:

(logging/-log (create-logger) #namespace[domain] :info "a message to log" nil)

At runtime, the message "a message to log" is logged at log level "INFO", with a reference to the namespace "domain", which is exactly what we set out to achieve.

Let's put these new macros to use:

(ns domain
  (:require [logging :refer [create-logger info]]))

(defn add-and-log [logger & args]
  (info logger (apply + args)))

(add-and-log (create-logger) 1 2 3 4)
(add-and-log (create-logger) 1 2 3 4 5)

The result of evaluating the last two expressions is now as follows:

13:58:17.378 [nREPL-session-fab93eaa-9ae3-40d4-a4f1-a0605747ba5c] INFO  domain - 10
13:58:18.589 [nREPL-session-fab93eaa-9ae3-40d4-a4f1-a0605747ba5c] INFO  domain - 15

Only one word changed, but this can make a world of difference when looking through logs to track down bugs.

• takes a map of dependencies and a ring request,
• updates a gift using data from the request, and
• returns a ring response:

(defn update-gift [{:keys [datasource]} request]
  (let [{:keys [external-list-id external-gift-id]} (:path-params request)
        {:keys [name ok price description]} (:params request)]
    (when ok
      (domain/update-gift! datasource external-gift-id name price description))
    (response/redirect (str "/list/" external-list-id "/edit") :see-other)))

The function domain/update-gift! persists the changes to the database. It has a side effect, which makes it an impure function. Because update-gift uses domain/update-gift!, it's impure too.

You could argue that this fact alone is a reason to refactor this code. Generally speaking, pure functions are easier to test and easier to reason about, which are both good reasons to prefer pure functions over impure ones.

For simple apps, however, you could also argue that there's not much to reason about anyway, and refactoring may not be worth the effort. What's more, using with-redefs to replace the impure function domain/update-gift! would make testing quite straightforward.

Because this blog post is about dependency injection, we better find another reason to refactor update-gift and apply some more dependency injection. Luckily, we can pretend that we want to replace the function domain/update-gift! with a function that uses a completely different method to persist gifts. That's not something you would do with with-redefs.

Let's look at the (spoiler alert) naive approach where we introduce a parameter to inject the function domain/update-gift! directly as a function.

(defn update-gift [{:keys [datasource update-gift!]} request]
  (let [{:keys [external-list-id external-gift-id]} (:path-params request)
        {:keys [name ok price description]} (:params request)]
    (when ok
      (update-gift! datasource external-gift-id name price description))
    (response/redirect (str "/list/" external-list-id "/edit") :see-other)))

As I mentioned above, the first argument to the function update-gift is a map of dependencies. In the example above, the key update-gift! of that map should map to a function for persisting updated gifts.

The downside of this approach is that there's no static analysis that your IDE can apply to provide you with useful information about this function. In fact, it can't even tell you that the key update-gift! maps to a function at all. You yourself have to remember that update-gift! is a function that takes a datasource, an external gift ID, a name, a price, and a description, in that order. If you forget, you have to navigate to the place where you call update-gift and see what it was again that you inject under the key update-gift!.

You could argue that this is what you get when you use a dynamically typed language instead of a statically typed one, and you would be right. However, there are good reasons to prefer dynamically typed languages over statically typed ones, and there are ways around this particular problem.

Protocols to the rescue

We can use protocols to help static analysis tools a little. A protocol is a named set of named methods and their signatures. They're similar to Java's interfaces.

The following snippet shows the definition of a simple protocol named GiftService. This protocol defines a single method update-gift!, which takes a concrete implementation of the protocol as first argument together with a number of additional arguments.

(defprotocol GiftService
  (update-gift!
    [this datasource external-id name price description]
    "Update the gift with ID `external-id` with the given name, price, and description"))

There are a number of ways to create concrete implementations of protocols. The following snippet shows one way, which uses reify.

(defn create-gift-service []
  (reify GiftService
    (update-gift!
     [_ datasource external-id name price description]
     (db/update-gift! datasource {:id external-id
                                  :name name
                                  :price price
                                  :description description}))))

The snippet shows the definition of a constructor function create-gift-service, which creates a concrete implementation of the protocol GiftService by providing an implementation of the method update-gift!. This implementation ignores the gift service itself (hence the underscore) and passes its arguments to another function db/update-gift!.

In practice, most services would have more than one method, and these methods would do more than directly call a single function. The service could perform some validation, for example, or combine a number of more low-level functions that interact with a database.

Here's the same update-gift function again. This time, a gift-service is injected as a dependency.

(defn update-gift [{:keys [datasource gift-service]} request]
  (let [{:keys [external-list-id external-gift-id]} (:path-params request)
        {:keys [name ok price description]} (:params request)]
    (when ok
      (domain/update-gift! gift-service datasource external-gift-id name price description))
    (response/redirect (str "/list/" external-list-id "/edit") :see-other)))

This function is pure, like the previous version, which makes it easier to reason about and test. Because we're injecting a service and applying a method from a protocol to it, there's more information to work with for static analysis tools. The image below shows how such a tool can show the argument list and documentation of the protocol method domain/update-gift!.

Whether or not this final version is better than the first version depends a lot on the size of the app it is part of, the plans for this app, the team working on the app, etc. The point of this post is not to convince you that you should apply dependency injection where you can or that you should always use protocols when you do apply it. The point of this post is to show you that you can have your cake and eat it when it comes to dynamically typed languages and static analysis.

In the last few years, I've been using Clojure and ClojureScript to create prototypes and utilities at work as well as hobby projects and apps for personal use. Because of the size and nature of these applications, I wasn't too worried about regressions. Because Clojure and ClojureScript have excellent support for REPL-driven development, the need for tests as a means for quick feedback also disappeared. As a result, I wrote a few tests for these applications, but not nearly as many as I used to.

Deep down inside, however, I knew I would have to invest some time into learning more about testing Clojure and ClojureScript applications at some point. I wouldn't want to work in a team that produced software without decent test coverage. I should hold myself to the same standard. This week, I decided to sit down and take some time to look into different ways to execute tests for ClojureScript apps powered by shadow-cljs. As you may know, shadow-cljs is one of the two de facto standard tools for creating ClojureScript apps. The other is Figwheel.

There are a number of different ways to execute tests for a shadow-cljs based ClojureScript application. This blog post covers three of them and a number of variations. There are more alternatives, but I'll probably stick with a combination of the following for now.

Running tests on the command line

shadow-cljs supports a number of build targets for building and running tests. One of them if the :node-test target, which will gather all tests from namespaces that match a given regex and produces a build that includes these tests and a test runner for executing them.

The following configuration is the absolute minimum you need to get started. Additional configuration options are described in the user guide for shadow-cljs.

...
:builds {...
         :test {:target :node-test
                :output-to "out/node-tests.js"}
         ...}
...

Given the configuration above, executing npx shadow-cljs compile test will result in the creation of a file named out/node-test.js, which can be executed with node.

npx shadow-cljs compile test
node out/node-test.js

Executing the file leads to output like this when there are no failures:

shadow-cljs - updating dependencies
shadow-cljs - dependencies updated
[:test] Compiling ...
[:test] Build completed. (60 files, 1 compiled, 0 warnings, 2,28s)

Testing rsi.multiplication-tables-test

Ran 1 tests containing 3 assertions.
0 failures, 0 errors.

When there are failures, the output will show which assertion failed and why:

[:test] Compiling ...
[:test] Build completed. (60 files, 2 compiled, 0 warnings, 2,34s)

Testing rsi.multiplication-tables-test

FAIL in (transforming-state) (rsi/multiplication_tables_test.cljs:8:11)
correct answer on time
expected: (= {:question [1 2], :score 2, :highscore 22, :mode :against-the-clock, :wrongly-answered #{}, :deadline-passed? false} (process-answer {:question [2 3], :score 1, :highscore 1, :wrongly-answered #{}} "6" [1 2]))
  actual: (not (= {:question [1 2], :score 2, :highscore 22, :mode :against-the-clock, :wrongly-answered #{}, :deadline-passed? false} {:question [1 2], :score 2, :highscore 2, :deadline-passed? false, :wrongly-answered #{}, :mode :against-the-clock}))

Ran 1 tests containing 3 assertions.
1 failures, 0 errors.

If all tests pass, the exit code is zero. If any test fails, the exit code is one. That makes running tests like this a good option for CI servers.

If you prefer running tests in a headless browser instead of node, there's also a build target for Karma. As long as your test don't touch any code that uses browser-only APIs, I'd say that running them in node is fine. Tests like the following will fail when run with node, however:

(deftest log
  (is (= 1 ((fn [] (js/alert "1") 1)))))

Especially when combining unit tests with end-to-end tests executed via something like Cypress or Etaoin, I think it's perfectly reasonable to restrict the unit tests to testing pure functions and testing browser-specific functionality with the end-to-end tests.

Functions that make use of browser-only APIs that can't be tested efficiently via end-to-end tests could be extracted into a separate library, which could then be tested via Karma. This could make sense for functions that use localStorage, sessionStorage, cookies, or a canvas, for example.

The :node-test target has an optional configuration option :autorun. When set to true, all tests will be executed automatically after creating a build. Using this option in combination with the watch build command makes it possible to automatically run all tests each time a file is changed. You can either include the :autorun option directly in your configuration, or add it later on the command line when starting the watch build:

npx shadow-cljs watch test --config-merge '{:autorun true}'

Running tests in the browser

There's another way to automatically run all tests each time a file is changed. The :browser-test build target can be used to generate a web page that shows the results of your tests. Starting a watch build for this build target will regenerate this page each time a file is changed. The configuration below is enough to get you started, but there are additional options.

...
:builds {...
         :browser-test {:target :browser-test
                        :test-dir "out/test"}
         ...}
:dev-http {...
           3001 "out/test"
           ...}
...

The configuration above will produce the web page containing test results in the folder out/test. It also sets up an HTTP server on port 3001 that will serve this page.

If all tests pass, the page will look like this:

If any of the tests fail, the page will look like this:

Essentially, you'll get the same feedback as you'd get on the command line.

Because the favicon changes from green to red when any of the tests fail, you don't need to keep a close eye on this page all the time during development. As long as you have it open in a browser tab, you'll notice the color change soon enough when something breaks.

Running tests from the REPL

For some reason, I had high hopes for this final way of running tests. It took me quite some time before I understood what I had to do to run tests from the REPL. In the end, I wonder if there will be situations where I prefer this method over the ones above.

The library cljs.test contains a macro run-all-tests, which runs all tests in all namespaces. When you start a watch build for your shadow-cljs app and execute this macro in the REPL, you'll most likely see a list of test results for all libraries used by your app. What it probably won't show are the test results for your own app.

Because the main entrypoint for your app won't refer to any of your test namespaces, these namespaces can't be found by run-all-tests. Since you don't want the main entrypoint of your app to refer to any test namespace, you'll need another way of including them in your development build.

One way of achieving this involves the cljs.user namespace. This namespace is automatically loaded in each ClojureScript REPL started by shadow-cljs. The example below shows the content of a file named cljs/user.cljs that loads the namespaces cljs.test and rsi.multiplication-tables-test. As a result, the namespace rsi.multiplication-tables-test will be found by run-all-tests.

(ns cljs.user
  (:require [cljs.test]
            [rsi.multiplication-tables-test]))

(comment
  (cljs.test/run-all-tests)
  (cljs.test/run-all-tests #"rsi.*-test"))

The last line of the snippet above shows how you can restrict run-all-tests to the namespaces containing the tests for your app. Most likely, you're not interested in seeing the test results for all your dependencies.

Many editors that support Clojure offer functionality to trigger the evaluation of custom snippets of Clojure when a certain combination of keys is pressed. You could use that functionality to evaluate something like (cljs.test/run-all-tests #"rsi.*-test") each time you want to run your tests. Make sure to evaluate test definitions after you've changed them, however, before running the tests. Otherwise, run-all-tests will execute the previous version of your tests.

Conclusion

As mentioned above, I'm not sure which combination of these methods I'll use in the future. I'll definitely run tests on the command line for CI builds. I'll probably won't be running tests in the REPL very often. Evaluating changed test definitions before running tests requires additional key presses, and there's some extra work needed to keep cljs/user.cljs up to date.

In the previous installment of browser beats, we used the Web Audio API to synthesize a kick drum. This time, we’ll look at snares and hi-hats. Once you know how to synthesize kicks, snares and hi-hats are not far away.

Snare

The snare sound we’ll synthesize consists of two components. One component represents the vibrating skins of the snare drum, the other represents the vibrating snares. For the first component, we’ll use two sine-like waves, one at 185Hz and the other at 349Hz. I took these values from a MusicTech tutorial. An article in Sound on Sound mentions 180Hz and 330Hz. Obviously, you should go with whatever frequencies sound best to you.

const playSnare = () => {
    const lowTriangle = audioContext.createOscillator();
    lowTriangle.type = 'triangle';
    lowTriangle.frequency.value = 185;

    const highTriangle = audioContext.createOscillator();
    highTriangle.type = 'triangle';
    highTriangle.frequency.value = 349;

    const lowWaveShaper = audioContext.createWaveShaper();
    lowWaveShaper.curve = distortionCurve(5);

    const highWaveShaper = audioContext.createWaveShaper();
    highWaveShaper.curve = distortionCurve(5);

    const lowTriangleGainNode = audioContext.createGain();
    lowTriangleGainNode.gain.value = 1;
    lowTriangleGainNode.gain.linearRampToValueAtTime(0, audioContext.currentTime + 0.1)

    const highTriangleGainNode = audioContext.createGain();
    highTriangleGainNode.gain.value = 1;
    highTriangleGainNode.gain.linearRampToValueAtTime(0, audioContext.currentTime + 0.1)

    const snareGainNode = audioContext.createGain();
    snareGainNode.gain.value = 1;

    lowTriangle.connect(lowWaveShaper);
    lowWaveShaper.connect(lowTriangleGainNode);
    lowTriangleGainNode.connect(snareGainNode);
    snareGainNode.connect(audioContext.destination);

    highTriangle.connect(highWaveShaper);
    highWaveShaper.connect(highTriangleGainNode);
    highTriangleGainNode.connect(snareGainNode);

    lowTriangle.start(audioContext.currentTime);
    lowTriangle.stop(audioContext.currentTime + 1);

    highTriangle.start(audioContext.currentTime);
    highTriangle.stop(audioContext.currentTime + 1);
};

Together, these two sound like this:

We could have used pure sines waves here. There’s no need for applying the trick we used for the kick drum. What you’re witnessing here is a sheer waste of processing power due to my unwillingness to refactor this code right now. Let’s just say that I like the slightly more metallic sound of the distorted traingle waves.

We’ll use white noise again to represent the second component. This time, we’ll use a filter to cut of all frequencies below 2kHz.

const playSnare = () => {

    ...

    const noise = whiteNoiseBufferSource();

    const noiseGainNode = audioContext.createGain();
    noiseGainNode.gain.value = 1;
    noiseGainNode.gain.linearRampToValueAtTime(0, audioContext.currentTime + 0.2);

    const noiseFilter = audioContext.createBiquadFilter();
    noiseFilter.type = 'highpass';
    noiseFilter.frequency.value = 2000;

    noise.connect(noiseGainNode);
    noiseGainNode.connect(noiseFilter);
    noiseFilter.connect(snareGainNode);

    noise.start(audioContext.currentTime);
    noise.stop(audioContext.currentTime + 1);
};

The filtered noise sounds like this:

Finally, the distorted sines and the noise together sound like this:

Hi-hat

Some filtered white noise is all you need for a hi-hat. We again cut all frequencies below 2kHz. This time, the volume should fade to zero in 100 milliseconds.

const playHiHat = () => {
    const noise = whiteNoiseBufferSource();

    const noiseGainNode = audioContext.createGain();
    noiseGainNode.gain.value = 1;
    noiseGainNode.gain.setValueAtTime(1, audioContext.currentTime + 0.001);
    noiseGainNode.gain.linearRampToValueAtTime(0, audioContext.currentTime + 0.1);

    const noiseFilter = audioContext.createBiquadFilter();
    noiseFilter.type = 'highpass';
    noiseFilter.frequency.value = 2000;

    const hiHatGainNode = audioContext.createGain();
    hiHatGainNode.gain.value = 0.3;

    noise.connect(noiseGainNode);
    noiseGainNode.connect(noiseFilter);
    noiseFilter.connect(hiHatGainNode);
    hiHatGainNode.connect(audioContext.destination);

    hiHatGainNode.connect(analyser)

    noise.start(audioContext.currentTime);
    noise.stop(audioContext.currentTime + 1);
};

The end result sounds like this:

Conclusion

The snare and hi-hat we’ve produced here are pretty basic. If you want to dig deeper to achieve prettier or more realistic results, the following articles would be good starting points:

• https://www.soundonsound.com/techniques/practical-snare-drum-synthesis
• https://www.soundonsound.com/techniques/practical-cymbal-synthesis

Don’t forget to put these sounds to the test by playing along with your favorite songs: https://ljpengelen.github.io/groovid19/kick-snare-hihat.html.

Because I wanted to gain some experience in working with Angular and NgRx, I started building a sample-based step sequencer that runs in the browser. To do that, I had to dive into the Web Audio API. I’ll write something about that step sequencer later. First, I want to take a look at the basics of the Web Audio API and try to synthesize a kick drum.

The basis

At the basis of most syntesized kick drums, there’s a sine wave, or something that’s close to a sine wave. The function below produces a sine wave with a frequency of 55Hz that plays for the duration of ten seconds.

const play = () => {
    const audioContextClass = window.AudioContext || window.webkitAudioContext;
    const audioContext = new audioContextClass();

    const sine = audioContext.createOscillator();
    sine.type = 'sine';
    sine.frequency.value = 55;

    sine.start(audioContext.currentTime);
    sine.stop(audioContext.currentTime + 10);
}

It sounds like this: (You might not hear it over your laptop’s speakers. You’ll need decent speakers or headphones that are able to reproduce low frequencies.)

When you visualize that sound, as shown below, you’ll see why it’s called a sine wave. The left-hand side of the figure shows the waveform, and the right-hand side shows the sound spectrum.

The sound spectrum is almost completely empty, except for a narrow spike at the rightmost end. This explains why you might not hear the sound over your laptop speakers, for example. Not all speakers are capable of reproducing sounds at low frequencies. You can emulate the frequency response of such speakers by applying a high-pass filter. If you filter out all frequencies below 120Hz, this is what’s left of our sine wave:

The graphs below further illustrate that not much is left of the original sound.

What does that mean for our synthesized kick drum? We’ll apply a trick to make your ears believe that there’s still some bass to be heard, even when listening to speakers that can’t reproduce low frequencies very well. Instead of a sine wave, we’ll start out with a triangle wave.

const play = () => {
    const audioContextClass = window.AudioContext || window.webkitAudioContext;
    const audioContext = new audioContextClass();

    const triangle = audioContext.createOscillator();
    triangle.type = 'triangle';
    triangle.frequency.value = 55;

    triangle.connect(audioContext.destination);

    triangle.start(audioContext.currentTime);
    triangle.stop(audioContext.currentTime + 10);
}

Without further processing, it will look like this:

It’s again clear where the name comes from. It’s also clear that there’s much more going on in the spectrum graph.

Unfortunately, it sounds a little abrasive, like this:

Ideally, we’d like to process this triangle wave in such a way that it sounds more like the sine wave, without cutting off too much of the high-frequency sounds. We can do that using a wave shaper.

const distortionCurve = (amount) => {
    const numberOfSamples = 44100;
    const curve = new Float32Array(numberOfSamples);
    const deg = Math.PI / 180;
    for (let i = 0; i < numberOfSamples; ++i) {
        const x = i * 2 / numberOfSamples - 1;
        curve[i] = (3 + amount) * x * 20 * deg / ( Math.PI + amount * Math.abs(x) );
    }
    return curve;
};

const play = () => {
    const audioContextClass = window.AudioContext || window.webkitAudioContext;
    const audioContext = new audioContextClass();

    const triangle = audioContext.createOscillator();
    triangle.type = 'triangle';
    triangle.frequency.value = 55;

    const waveShaper = audioContext.createWaveShaper();
    waveShaper.curve = distortionCurve(5);

    triangle.connect(waveShaper);
    waveShaper.connect(audioContext.destination);

    triangle.start(audioContext.currentTime);
    triangle.stop(audioContext.currentTime + 10);
}

The curve I’m using above comes from a Stack Overflow answer by Kevin Ennis. In theory, there are multiple Sigmoid functions that you could use. I only tried this one and stuck with it because I liked the result.

Speaking of results, here are the graphs for this sound:

The triangles look a lot more like sines, and there is still something going on at the higher end of the frequency spectrum. The resulting sound sounds like this:

The W3C spec gives a good explanation of what’s actually going on when you apply a wave shaper with a certain curve. I won’t go into the details here.

What did we achieve with this detour? If we filter out the low frequencies again to simulate cheaper speakers, we end up with the following sound:

The graphs for this filtered sound are shown below. When you compare these to the ones for the filtered sine wave shown above, you’ll notice that there’s still something to hear after removing the low end. This is enough for you ears to trick you into believing that there’s actually some low end left, even when there isn’t.

Make it boom

The sound we ended up with sounds a little like “WOOOOOOOOOOH”. Let’s turn that into a “WOOOOM”.

const play = () => {
    const audioContextClass = window.AudioContext || window.webkitAudioContext;
    const audioContext = new audioContextClass();

    const triangle = audioContext.createOscillator();
    triangle.type = 'triangle';
    triangle.frequency.value = 55;

    const waveShaper = audioContext.createWaveShaper();
    waveShaper.curve = distortionCurve(5);

    const triangleGainNode = audioContext.createGain();
    triangleGainNode.gain.value = 1;
    triangleGainNode.gain.linearRampToValueAtTime(0, audioContext.currentTime + 0.6)

    triangle.connect(waveShaper);
    waveShaper.connect(triangleGainNode);
    triangleGainNode.connect(audioContext.destination);

    triangle.start(audioContext.currentTime);
    triangle.stop(audioContext.currentTime + 1);
}

In the snippet above, you’ll see that we’re using a gain node to gradually fade out over the course of 600 milliseconds. The end result sounds like this.

Now that we have something that sounds like “WOOOOM”, let’s make it sound like “BOOOOM”.

const play = () => {
    const audioContextClass = window.AudioContext || window.webkitAudioContext;
    const audioContext = new audioContextClass();

    const triangle = audioContext.createOscillator();
    triangle.type = 'triangle';
    triangle.frequency.value = 220;
    triangle.frequency.exponentialRampToValueAtTime(55, audioContext.currentTime + 0.1);

    const waveShaper = audioContext.createWaveShaper();
    waveShaper.curve = distortionCurve(5);

    const triangleGainNode = audioContext.createGain();
    triangleGainNode.gain.value = 1;
    triangleGainNode.gain.linearRampToValueAtTime(0, audioContext.currentTime + 0.6)

    triangle.connect(waveShaper);
    waveShaper.connect(triangleGainNode);
    triangleGainNode.connect(audioContext.destination);

    triangle.start(audioContext.currentTime);
    triangle.stop(audioContext.currentTime + 1);
}

As shown above, we do that be quickly lowering the frequency of the triangle wave from 220Hz to 55Hz over the course of 100 milliseconds. The end result sounds like this:

If you want to achieve more of a 90s Euro house vibe, you can drop down from a higher frequency.

White noise

If you look at how classic synthesizers emulate kick drums, you’ll see that they’ll often use a little white noise to give the kicks a little more body. The Web Audio API doesn’t provide (white) noise out of the box, but you can use an audio buffer to create your own.

const generateWhiteNoiseBuffer = (numberOfSamples) => {
    const buffer = audioContext.createBuffer(1, numberOfSamples, audioContext.sampleRate);

    const data = buffer.getChannelData(0);
    for (let i = 0; i < numberOfSamples; ++i) {
        data[i] = Math.random() * 2 - 1;
    }

    return buffer;
}

const whiteNoiseBuffer = generateWhiteNoiseBuffer(audioContext.sampleRate);

const whiteNoiseBufferSource = () => {
    const bufferSource = audioContext.createBufferSource();
    bufferSource.buffer = whiteNoiseBuffer;
    bufferSource.loop = true;
    bufferSource.loopEnd = audioContext.sampleRate
    return bufferSource;
}

Each buffer source returned by the function whiteNoiseBufferSource can only be started once. The same holds for the oscillator nodes that we’ve been creating above. The buffer returned by generateWhiteNoiseBuffer, however, can be reused. The result sounds like this:

The next step is to apply a fade to this sound, just like we did before.

After that, we cut of most of the higher frequencies using a low pass filter.

const play = () => {

    ...

    const noise = whiteNoiseBufferSource();

    const noiseGainNode = audioContext.createGain();
    noiseGainNode.gain.value = 1;
    noiseGainNode.gain.linearRampToValueAtTime(0, audioContext.currentTime + 0.2);

    const noiseFilter = audioContext.createBiquadFilter();
    noiseFilter.type = 'lowpass';
    noiseFilter.frequency.value = 120;

    noise.connect(noiseGainNode);
    noiseGainNode.connect(noiseFilter);
    noiseFilter.connect(audioContext.destination);

    noise.start(audioContext.currentTime);
    noise.stop(audioContext.currentTime + 1);
};

The end result sounds like this:

End result

Combining the sine-like wave and the filtered white noise leads to the following result:

All you need is a handful of other instruments and you’re halfway making the next big dance hit, in your browser.

Conclusion

Let’s put the results of all this hard work into action. First, open Youtube, Spotify or whatever streaming service you like to play your favorite song. Then, visit https://ljpengelen.github.io/groovid19/kick-snare-hihat.html and press q, w, and e to drum along. Enjoy!

A few years ago, I gave a talk about JSON Web Tokens (JWTs) during a Meetup for Java enthusiasts in Eindhoven. Triggered by a talk about JWTs I attended recently, I decided to dust of my presentation and the demo applications I made back then to see whether they still hold up. It turns out that life is a little harder in 2019 than it was in 2016, at least as far as security and JWTs are concerned. Before we go into the details, we should first discuss the basics.

JSON Web Tokens

Essentially, a JSON Web Token is something that a server application would give to a client application, which the client would then use to authenticate itself with the server when doing requests. A JSON Web Token looks something like this:

eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE0NzYyOTAxNDksInN1YiI6IjEifQ.mvJEWu3kxm0WSUKu-qEVTBmuelM-2Te-VJHEFclVt_uR89ya0hNawkrgftQbAd-28lycLX2jXCgOGrA3XRg9Jg

If you look closely, you’ll see that it consists of three base64-encoded strings, joined by periods. If you decode the ones above, you end up with the following:

{
  "alg": "HS512"
}

{
  "exp": 1476290149,
  "sub":"1"
}

HMACSHA512(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

The first part is the header, the second is the payload, and the third is the signature. Anyone that gets their hands on this token can decode the strings. (Execute atob("eyJhbGciOiJIUzUxMiJ9") in the console of your browser if you want to see for yourself.) This means that anyone who gets their hands on the token can use the encoded information. Because only the server knows the secret that was used to compute the signature from the header and body, however, only the server can check the validity of a token by recomputing its expected signature and comparing it with the actual signature. Once the server has determined that a given JWT is valid, it knows that it issued the token itself, and that the data in the body can be trusted.

The header specifies which algorithm was used to compute the signature. In this case, that’s the HMAC-SHA512 algorithm.

The payload can contain any number of claims. In this example, the standard claims exp and sub are used. The claim exp (short for “expiration time”) specifies when the token expires. The claim sub (short for “subject”) specifies the subject of the token, usually something like a user of your app, denoted by an identifier. There are a number of other standard claims, and you’re free to add claims of your own.

A trip down memory lane

When I first read about JWTs, I was still used to working in an environment where deployments lead to downtime and were something that you’d do very early in the morning, so that they would impact as little end users as possible. Because they had to take place early in the morning, they didn’t occur very frequently. As a consequence, multiple features where collected and released together, and deployments automatically became stressful.

The back-end applications I worked on at that time maintained in-memory sessions for logged in users. If one of the servers went down, the users whose sessions were stored on that server would lose their session. In situations like that, you can’t just release a bug fix in the middle of the day, because you’d potentially log out part of your users.

First and foremost, I saw JWTs as a solution to this problem. (There are other, potentially better, solutions to this problem, but let’s ignore those for the time being.) Two or more instances of the same back-end application could sit behind a load balancer and issue JWTs to clients. All of these instances would be able to validate JWTs issued by any one of them. The body of each JWT could contain the information that would normally be stored in a session, such as the identifier of the currently logged-in user. If one of the instance would go down (during a deployment, for example), the load balancer would just route requests to the remaining instance(s) and clients wouldn’t notice anything.

I was convinced that JWTs could solve one of my problems, but I wasn’t sure how clients and servers should exchange them. Should they be sent along with requests in a header or should they be kept in a cookie? In the case of communication between back-end applications, the answer is clear. It’s much easier to follow conventions and put them in a header, and there’s no benefit to putting them in cookies instead. In the case of communication between client applications running in a browser and back-end applications, the answer is less clear. I remember frantically Googling for best practices while preparing for my presentation and being confronted with all sorts of contradictory claims and advice. Before we can discuss the conclusion I reached back then, we need to take a detour.

CSRF and XSS

The term cross-site request forgery (CSRF) is used for the situation where someone else’s web application secretly lets its visitors perform actions with your web application due to cookies still present from previous visits.

The following example (a modified version of one provided by OWASP) shows a form that tricks unsuspecting users into sending 10.000 euro (?) to my bank account at http://bank.com:

<form action="http://bank.com/transfer.do" method="POST">
  <input type="hidden" name="account" value="LUC"/>
  <input type="hidden" name="amount" value="100000"/>
  <input type="submit" value="View my pictures"/>
</form>

The term cross-site scripting (XSS) is used for the situation where someone is able to have their scripts executed as part of your web application.

The following example (directly stolen from OWASP) without any extra effort) shows part of a JSP template that allows anyone to execute code on the corresponding web page:

<% String eid = request.getParameter("eid"); %>
	...
	Employee ID: <%= eid %>

Imagine the nightmares you’ll have after clicking http://example.com/employee.jsp?eid=alert%28%22you%20have%20been%20p0wned%22%29...

Cookie or header?

If you put your JWTs in a cookie, you need to take precautions to combat CSRF. If you use secure, HTTP-only cookies, you don’t need to worry about XSS, however, because scripts don’t have access to the content of such cookies. There’s no way someone can abuse XSS and take your JWT to impersonate you.

Update 2023-01-06: Unfortunately, you do need to worry about XSS, even with secure, HTTP-only cookies. See the second addendum below to find out why. I'm leaving the rest of this post as it is because I don't want to rewrite history. However, I no longer agree with the conclusion at the end of this section and the final conclusion of this post.

If you put your JWTs in a header, you don’t need to worry about CSRF. You do need to worry about XSS, however. If someone can abuse XSS to steal your JWT, this person is able to impersonate you.

In my 2016 presentation, I stated that “defense against CSRF is straightforward and durable.” This statement was based on advice offered by the Open Web Application Security Project (OWASP) at that time. Years later, defense against CSRF is still durable, but a little less straightforward. We’ll come back to that in a minute.

XSS, on the other hand, is something you need to constantly keep in mind. Each template you add could open up possibilities for XSS. The same holds for all those NPM packages you add to your front-end project, either directly or indirectly.

My conclusion from this is that JWTs belong in a secure, HTTP-only cookie, and should be used in combination with preventive measures against CSRF.

Seeing is believing

Because the proof of the pudding is in the eating, I wrote a simple front-end app and two back-end apps that demonstrate a session-based and JWT-based approach to authentication: https://github.com/ljpengelen/java-meetup-jwt.

With a simple docker-compose command, you can start three instances of either of the two back ends, a database, and an instance of nginx that serves the front end and acts as load balancer. You can open the front end in your browser, create an account, log in, and then stop some of the back-end instances with docker stop.

In the case of the JWT-based back end, it doesn’t matter which two instances you stop. In the case of the session-based back end, stopping the instance your connected to will terminate your session.

Measures against CSRF

The OWASP has a cheat sheet about measures against CSRF. The applications mentioned above use two of those measures.

First, they combat CSRF by checking the Origin and Referer headers. If the value of none of these headers match the expected value for a given request, the request is denied.

Second, each response returned by the back end contains a secure random token in two locations. One is sent in a header, where it can be read by the front end. The other is stored in the session (in case of the session-based back end) or in yet another secure, HTTP-only cookie (in case of the JWT-based back end) and is only accessible for the back end. These tokens are generated by a cryptographically secure random-number generator. The front-end application reads the token in the header of each response and passes it on with the next request. For each request to a protected endpoint, the back end checks whether the two tokens match. If they match, the request is granted. Otherwise, it’s denied.

Keeping track of the CSRF tokens in the front end is not completely straightforward. It takes a little effort to keep track of the latest token value and forward it with each request, but that’s an acceptable price to pay if you ask me.

For the JWT-based back end, both measures above come from the section of the OWASP cheat sheet describing measures for defense in depth. The second measure is known as the double-submit cookie technique. To mitigate the known issues of this technique, the CSRF token is stored in a JWT. Additionally, the account identifier is included in this JWT as well for logged-in users. Storing the CSRF token in a JWT makes it possible for the back-end application to verify that it produced the token itself. Combining the CSRF token with an account identifier makes it impossible for attackers to reuse a token for another user, even if they were able to replace cookies.

Lifespan of a JWT

Think about the following for a second: What happens to already issued JWTs when you change your credentials? What happens to already issued JWTs when you delete your account? In both scenarios, existing JWTs will remain valid. Without additional measures, JWTs remain valid until they expire or until the secret on the server is changed. If someone gets their hands on a token, it can be abused until it expires. If you want to invalidate a single token by changing the secret on the server, you invalidate all tokens.

When should a JWT expire? On one hand, they should expire as soon as possible, to prevent misuse for long periods. On the other hand, they should expire as late as possible, so that users don’t have to re-authenticate all the time.

In practice, two types of tokens are used together, to achieve the best of both worlds. A short-lived access token is used for authentication per request. A long-lived refresh token is used to generate new access token when needed.

Each time the refresh token is used to obtain a new access token, some additional checks could be made to enhance security. The refresh token can be used in combination with a blacklist, for example, to invalidate tokens that were issued for a particular user before a given point in time.

What kind of abuse is this protecting you from?

Because the JWTs are stored in secure, HTTP-only cookies, it is implausible that someone would be able to access the JWTs themselves. An attacker would, for example, need access to a victim’s computer to read the values of these cookies. The blacklist mentioned above could be used to invalidate JWTs comprised like this. However, if someone is able to access cookies directly from your computer, you have bigger problems to worry about that lie beyond the responsibility of an app developer. Moreover, there’s no reasonable defense against someone willing to turn your life into a Quentin Tarantino movie to access your data or credentials.

Other scenarios in which an attacker would be able to read the values of the JWTs would be when the attacker is able to intercept traffic between client and server or when an attacker would have access to the server. In such scenarios, all that can be done is patch up the security holes and change the secret key used to sign JWTs. The latter is the easiest way of invalidating all JWTs that have been issued before. Protection against these types of attacks cannot be implemented on the application level.

In short, your JWTs are reasonably safe from harm in their cookies. More realistically, however, it could happen that you inadvertently introduce an XSS vulnerability in your app. This could enable an attacker to access the value of the CSRF token, and use it in a CSRF attack. Also in this scenario, all you can do is change the secret to invalidate all tokens after patching the vulnerability.

Conclusion

I am not a security expert, and I must stress that you shouldn’t mistake my advice for the absolute truth on this subject. Instead, I hope this post allows you to follow my reasoning and helps you make informed decisions when you have to choose between different forms of authentication.

I’m well aware that the contradictory advice I encountered years ago is still out there, and that most people put their JWTs in a header. I guess those people are more scared of CSRF and that I’m more afraid of XSS.

Update 2023-01-06: As mentioned above, my opinion about where to put JWTs has changed. The second addendum below explains why.

Addendum

Right after this blog post got published, my colleague Luk van den Borne shared a post about securing cookies with cookie prefixes. Coincidentally, that post describes a way to patch one of the security holes in the JWT-based back end. This back end is vulnerable for an attack called login CSRF, which is when an attacker is able to make users log in using the attacker’s account. This attack is possible when an attacker has access to an insecure subdomain of the domain that hosts your app. Attackers can use this insecure subdomain to set an arbitrary value for the cookie holding the CSRF token. This attack is only possible for the API call that is used to log in, because the CSRF token is tied to the user’s account identifier after logging in.

Simply adding the prefix __Host- to the name of the cookie that holds the CSRF token triggers browser behavior that mitigates this type of attack, at least for users of Chrome and Firefox.

Second addendum

While copying the original version of this blog post from Kabisa's Tech Blog on 2023-01-06, I noticed a comment by Dmytro Lapshyn that triggered me to reconsider the conclusion of this post. It turns out that the following statement made above is not completely true:

"If you use secure, HTTP-only cookies, you don’t need to worry about XSS, however, because scripts don’t have access to the content of such cookies. There’s no way someone can abuse XSS and take your JWT to impersonate you."

It's true that no one can use XSS to take your JWT from a secure, HTTP-only cookie and use it to impersonate you. Unfortunately, that doesn't mean that you don't have to worry about XSS.

Later on in the post above, the following statement is made:

"More realistically, however, it could happen that you inadvertently introduce an XSS vulnerability in your app. This could enable an attacker to access the value of the CSRF token, and use it in a CSRF attack."

At the time of writing, my reasoning was that someone else getting their hands on a JWT would be worse than someone getting their hands on an anti-CSRF token. A JWT can be used to impersonate the person for which it was issued. You can't do that with an anti-CSRF token by itself. However, if that anti-CSRF token is obtained via XSS or any other way of injecting and executing arbitrary JavaScript, then it's also possible to use JavaScript to perform HTTP requests that include both the anti-CRSF token and the cookie containing the JWT. Even without obtaining the JWT itself, the same kind of abuse is possible.

As the OWASP CSRF prevention cheat sheet says:

”... any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!"

In conclusion, it's not worth going through all the extra trouble to pass JWTs along in cookies.

It's good to know that the more complicated approach has no benefits over the simpler approach. It's less reassuring that XSS or some other way of injecting and executing arbitrary JavaScript opens up the possibility of this kind of abuse. Keeping an eye on your own code is one thing. Keeping a close eye on your dependencies and their dependencies is another story.

This morning, I was looking for a way to run multiple Docker containers in parallel with Jenkins. Even though this seemed like a common use case to me, it took me a while to find all information I needed and piece it together. As you know, the only design pattern you need is copy-paste. I wrote this post to allow you and my future self to copy-paste some useful snippets from a Jenkinsfile.

Suppose you have a Java app that requires a PostgreSQL database. If you want to run a few integration tests for that app, you’ll probably need this database to be accessible as well. To make it possible for Jenkins to run these integration tests for you, you could just install PostgreSQL on the machine running Jenkins, create the necessary databases and users, and call it a day. However, I’d rather keep each app in its own Docker container and only have apps running when they’re needed.

Consider the following Jenkinsfile:

def withDockerNetwork(Closure inner) {
  try {
    networkId = UUID.randomUUID().toString()
    sh "docker network create ${networkId}"
    inner.call(networkId)
  } finally {
    sh "docker network rm ${networkId}"
  }
}

pipeline {
  agent none

  stages {
    stage("test") {
      agent any

      steps {
        script {
          def database = docker.build("database", "database")
          def app = docker.build("app", "-f dockerfiles/ci/Dockerfile .")

          withDockerNetwork{ n ->
            database.withRun("--network ${n} --name database") { c ->
              app.inside("""
                --network ${n}
                -e 'SPRING_DATASOURCE_URL=jdbc:postgresql://database:5432/test'
              """) {
                sh "mvn verify"
              }
            }
          }
        }
      }
    }
  }
}

The function withDockerNetwork (copy-pasted from Ryan Desmon) creates and eventually deletes a Docker network with a random name. After creating the network, it calls a block of code of your choice and provides it with this random name. After the block of code has finished, the network is deleted.

The statement docker.build("database", "database") builds a Docker image named “database” with the context database. The statement docker.build("app", "-f dockerfiles/ci/Dockerfile .") builds a Docker image named “app” from the Dockerfile dockerfiles/ci/Dockerfile with context ..

Once both images are built, containers based on these images are started and connected to the same network, allowing them to communicate. The arguments --network ${n} are used to connect both containers to the network. The container for the database is given a name explicitly with the argument --name database, so that we can point the app to it. The latter is achieved by setting an environment variable with the argument -e 'SPRING_DATASOURCE_URL=jdbc:postgresql://database:5432/test'. This last step is specific to Spring. You’ll probably need to do something completely different for your own use case.

Once both containers are running, the tests for the app are executed by the step sh "mvn verify". This step is specific to Java and Maven and is again unrelated to running containers in parallel.

If you want to see this in action, take a look at https://github.com/ljpengelen/java-meetup-jwt. The example above is a simplified version of the Jenkinsfile used for this project.

Vert.x is a toolkit for developing reactive applications on the JVM. Although it’s possible to use Vert.x with many different languages (Java, JavaScript, Groovy, Ruby, Ceylon, Scala and Kotlin), this post will use plain old Java.

The Reactive Manifesto states that reactive systems are:

• responsive,
• resilient,
• elastic, and
• message driven.

Before we consider what that means in the context of Vert.x, let’s look at one of the simplest possible applications using Vert.x:

package nl.kabisa.vertx;

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerOptions;

public class Application {

    private static class HelloWorldVerticle extends AbstractVerticle {

        @Override
        public void start() {
            var options = new HttpServerOptions().setPort(8080);
            vertx.createHttpServer(options)
                    .requestHandler(request -> request.response().end("Hello world"))
                    .listen();
        }
    }

    public static void main(String[] args) {
        Vertx.vertx().deployVerticle(new HelloWorldVerticle());
    }
}

When running this application, a single verticle is deployed when the statement Vertx.vertx().deployVerticle(new HelloWorldVerticle()); is executed. This verticle is an instance of the class HelloWorldVerticle. Each verticle has a start and a stop method. The start method is called when the verticle is deployed, and the stop method is called when the verticle is undeployed. In this example, we only provide an implementation for the start method and reuse the (empty) stop method of the class AbstractVerticle. When an instance of HelloworldVerticle is deployed, an HTTP server is created, which listens for incoming requests on port 8080. Each request is answered with the plain-text response “Hello world”.

Responsive

By default, Vert.x creates two threads per CPU core to deploy verticles like the one above. Each verticle is assigned to a specific thread, and all handlers of that verticle are executed on that thread sequentially. For the example above, this means that the handler request -> request.response().end("Hello world") is always executed on the same thread.

Because the handlers for a given verticle are never executed concurrently, you don’t have to worry about locking or the atomicity of actions relevant for a single verticle. Multiple instances of the same verticle, however, can have their handlers executed at the same time. In fact, this holds for any two verticles. This means that if two verticles share a resource, you might still have to worry about concurrent access to that resource.

It’s your responsibility as a developer to ensure that a handler cannot occupy its assigned thread for too long. If you block a thread for too long, Vert.x will log a warning. The Vert.x developers took at it as their responsibility to ensure that no Vert.x API call will block a thread. As a result, a well-designed Vert.x application can handle a large amount of events using only a few threads, ultimately making such an application responsive.

Message driven and resilient

The example below shows an application consisting of two verticles. It illustrates Vert.x’s event bus. The event bus allows you to broadcast messages to any number of interested receivers as well as send messages to a single receiver. The broadcasted messages end up at each of the receivers registered for an address, whereas the messages sent directly end up at a single receiver.

In the example below, instances of the WorldVerticle are registered as consumers on the address WORLD. Instances of the HelloVerticle send messages to this address. If we would deploy multiple WordVerticles, each of them would receive messages in turn.

It’s possible to send messages in a number of different forms, including strings, booleans, JSON objects, and JSON arrays. Vert.x best-effort delivery, which means that message can get lost, but are never thrown away intentionally.

package nl.kabisa.vertx;

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerOptions;

public class Application {

    private static class HelloVerticle extends AbstractVerticle {

        @Override
        public void start() {
            var options = new HttpServerOptions().setPort(8080);
            vertx.createHttpServer(options)
                    .requestHandler(request ->
                            vertx.eventBus().send("WORLD", "Hello", ar -> {
                                if (ar.succeeded()) {
                                    request.response().end((String) ar.result().body());
                                } else {
                                    request.response().setStatusCode(500).end(ar.cause().getMessage());
                                }
                            }))
                    .listen();
        }
    }

    private static class WorldVerticle extends AbstractVerticle {

        @Override
        public void start() {
            vertx.eventBus().consumer("WORLD", event -> event.reply(event.body() + " world"));
        }
    }

    public static void main(String[] args) {
        var vertx = Vertx.vertx();
        vertx.deployVerticle(new WorldVerticle());
        vertx.deployVerticle(new HelloVerticle());
    }
}

The example shows that the sender of a message can specify an optional reply handler. The reply is provided to the handler in the form of an asynchronous result, which can either be succeeded or failed. If it succeeded, the actual reply message is available (ar.result(), as shown in the example). Otherwise, a throwable is available that indicates what went wrong (ar.cause(), also shown in the example).

I probably don’t need to tell you that this covers the message driven part of the Reactive Manifesto. Clearly, verticles can communicate via asynchronous message passing.

In a way, the example also illustrates resilience. If we would deploy multiple WorldVerticles and one of them would fail, the others would just keep on doing their jobs on their own thread. Additionally, the example shows how Vert.x reminds you to think about gracefully handling failure when implementing a handler. Many handlers receive their input in the form of an asynchronous result, which can always be succeeded or failed, as discussed above. Finally, and perhaps paradoxically, because of the best-effort delivery of messages via the event bus, you’re also forced to consciously deal with failure related to lost messages. If it’s paramount that a given type of message is always processed, you need to implement acknowledgements and retries.

Elasticity

As mentioned above, Vert.x creates two threads per available CPU core to deploy verticles like the ones shown above. If you need to handle more events (such as HTTP requests, for example), you can run your app on a machine with more CPU cores and reap the benefits of more concurrency, without any additional programming or configuration changes. Additionally, it’s possible to scale individual components of your application by simply deploying more or fewer verticles of a certain type. That sounds pretty elastic to me.

Let’s go overboard 🚢

If you have experience with callback-based asynchronous programming, you’ve probably also heard of callback hell. Callback hell is the term used to describe the type of programs that slowly but surely move to the right-hand side of your screen, where you’re dealing with callbacks inside callbacks, inside callbacks, inside callbacks, etc.

Take the following TCP client for example:

package nl.kabisa.vertx.tcp;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import com.google.common.primitives.Bytes;

import io.vertx.core.AbstractVerticle;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.eventbus.EventBus;
import io.vertx.core.eventbus.Message;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.NetClient;

public class TcpClientVerticle extends AbstractVerticle {

    public static final String REQUEST_ADDRESS = "tcp.client.request";

    private static final Logger LOGGER = LogManager.getLogger();

    private EventBus eventBus;
    private NetClient authClient;
    private NetClient echoClient;

    private void handleEvent(Message<JsonObject> event) {
        authClient.connect(3001, "localhost", asyncAuthSocket -> {
            if (asyncAuthSocket.succeeded()) {
                var authSocket = asyncAuthSocket.result();
                authSocket.handler(authBuffer -> {
                    if (authBuffer.getByte(0) == 0) {
                        event.fail(0, "Invalid credentials");
                    } else if (authBuffer.getByte(0) == 2) {
                        event.fail(0, "Unexpected error");
                    } else if (authBuffer.getByte(0) == 1) {
                        var id = authBuffer.getBytes(1, authBuffer.length());

                        echoClient.connect(3002, "localhost", asyncEchoSocket -> {
                            if (asyncEchoSocket.succeeded()) {
                                var echoSocket = asyncEchoSocket.result();
                                echoSocket.handler(echoBuffer -> {
                                    if (echoBuffer.getByte(0) == 0) {
                                        event.fail(500, "Unauthenticated");
                                    } else if (echoBuffer.getByte(0) == 1) {
                                        event.reply(echoBuffer.getBuffer(1, echoBuffer.length()));
                                    } else {
                                        event.fail(500, "Unexpected response from echo service");
                                    }
                                });
                                echoSocket.write(Buffer.buffer(Bytes.concat(id, event.body().getString("body").getBytes())));
                            } else {
                                String errorMessage = "Unable to obtain socket for echo service";
                                LOGGER.error(errorMessage, asyncEchoSocket.cause());
                                event.fail(500, errorMessage);
                            }
                        });
                    } else {
                        event.fail(500, "Unexpected response from authentication service");
                    }
                });
                authSocket.write(Buffer.buffer(new byte[] { 1, 2, 3, 4 }));
            } else {
                String errorMessage = "Unable to obtain socket for authentication service";
                LOGGER.error(errorMessage, asyncAuthSocket.cause());
                event.fail(500, errorMessage);
            }
        });
    }

    @Override
    public void start() {
        LOGGER.info("Starting");

        eventBus = vertx.eventBus();
        authClient = vertx.createNetClient();
        echoClient = vertx.createNetClient();

        eventBus.consumer(REQUEST_ADDRESS, this::handleEvent);
    }
}

This verticle listens for messages on the address tcp.client.request. Each time a message arrives, the verticle authenticates itself with some service listening on port 3001 by exchanging some bytes. It uses the token it receives to communicate with some other service listening on port 3002. In the end, it replies to the initial message with a buffer containing an array of bytes received from the service listening on port 3002. You could argue that this isn’t the most beautiful piece of code ever written, although beauty lies in the eyes of the beholder.

(If you want to see the callback-based implementation of the rest of this application, by my guest: https://github.com/ljpengelen/vertx-demo/tree/971e33e4475a18fb7239d716a8c6d05369442b8a.)

Futures

JavaScript’s answer to callback hell were promises. Vert.x’s answer to callback hell are futures. A future represents the result of some computation that is potentially available at some later stage. A future can either succeed or fail. When it succeed, its result will be available. When it fails, a throwable representing the cause of failure will be available. You can set a handler for a future, which will be called with the asynchronous result when the future has succeeded or failed. There are different ways to combine futures into a single future, which we’ll illustrate with an example.

Suppose you want to deploy a number of verticles, and some of these verticles should only be deployed once others have been deployed successfully. Vert.x offers a deploy method with a callback, which is called when the deployment has finished. Without the use of futures, you could end up with code like this:

package nl.kabisa.vertx;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import io.vertx.core.Vertx;
import nl.kabisa.vertx.http.HttpServerVerticle;
import nl.kabisa.vertx.tcp.*;

public class Application {

    private static final Logger LOGGER = LogManager.getLogger();

    private static Vertx vertx;

    public static void main(String[] args) {
        vertx = Vertx.vertx();

        vertx.deployVerticle(new AuthServiceVerticle(), authServiceDeployment -> {
            if (authServiceDeployment.succeeded()) {
                vertx.deployVerticle(new ScreamingEchoServiceVerticle(), screamingEchoServiceDeployment -> {
                    if (screamingEchoServiceDeployment.succeeded()) {
                        vertx.deployVerticle(new TcpClientVerticle(), tcpClientDeployment -> {
                            if (tcpClientDeployment.succeeded()) {
                                vertx.deployVerticle(new HttpServerVerticle(), httpServerDeployment ->
                                    LOGGER.info("All verticles started successfully"));
                            }
                        });
                    }
                });
            }
        });
    }
}

This isn’t pretty at all, even without the additional code you need to deal with possible failures. Also, we’re deploying the verticles one at a time, while we actually want to deploy the HttpServerVerticle once the others have been deployed successfully.

Rewriting this example using futures leads to the following:

package nl.kabisa.vertx;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import io.vertx.core.*;
import nl.kabisa.vertx.http.HttpServerVerticle;
import nl.kabisa.vertx.tcp.*;

public class Application {

    private static final Logger LOGGER = LogManager.getLogger();

    private static Vertx vertx;

    private static Future<String> deploy(Vertx vertx, Verticle verticle) {
        Future<String> future = Future.future();
        vertx.deployVerticle(verticle, future);
        return future;
    }

    public static void main(String[] args) {
        LOGGER.info("Starting");

        vertx = Vertx.vertx();

        CompositeFuture.all(
                deploy(vertx, new AuthServiceVerticle()),
                deploy(vertx, new ScreamingEchoServiceVerticle()),
                deploy(vertx, new TcpClientVerticle()))
                .compose(s -> deploy(vertx, new HttpServerVerticle()))
                .setHandler(s -> {
                            if (s.succeeded()) {
                                LOGGER.info("All verticles started successfully");
                            } else {
                                LOGGER.error("Failed to deploy all verticles", s.cause());
                            }
                        }
                );
    }
}

Here, we deploy three verticles at the same time, and deploy the last one when the deployment of all the others succeeded. Again, beauty lies in the eyes of the beholder, but this is good enough for me.

Do you still remember the TCP client you saw above? Here’s the same client implemented using futures:

package nl.kabisa.vertx.tcp;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import com.google.common.primitives.Bytes;

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Future;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.eventbus.EventBus;
import io.vertx.core.eventbus.Message;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.NetClient;
import io.vertx.core.net.NetSocket;

public class TcpClientVerticle extends AbstractVerticle {

    public static final String REQUEST_ADDRESS = "tcp.client.request";

    private static final Logger LOGGER = LogManager.getLogger();

    private EventBus eventBus;
    private NetClient authClient;
    private NetClient echoClient;

    private Future<NetSocket> connectToAuthService() {
        Future<NetSocket> future = Future.future();

        authClient.connect(3001, "localhost", future);

        return future;
    }

    private Future<Buffer> authenticate(NetSocket authSocket) {
        Future<Buffer> future = Future.future();

        authSocket.handler(authBuffer -> {
            if (authBuffer.getByte(0) == 0) {
                future.fail("Invalid credentials");
            } else if (authBuffer.getByte(0) == 2) {
                future.fail("Unexpected error");
            } else if (authBuffer.getByte(0) == 1) {
                future.complete(authBuffer.getBuffer(1, authBuffer.length()));
            } else {
                future.fail("Unexpected response from authentication service");
            }
        });

        authSocket.write(Buffer.buffer(new byte[] { 1, 2, 3, 4 }));

        return future;
    }

    private Future<NetSocket> connectToEchoClient() {
        Future<NetSocket> future = Future.future();

        echoClient.connect(3002, "localhost", future);

        return future;
    }

    private Future<Buffer> forwardToEchoClient(NetSocket echoSocket, Buffer token, String input) {
        Future<Buffer> future = Future.future();

        echoSocket.handler(echoBuffer -> {
            if (echoBuffer.getByte(0) == 0) {
                future.fail("Unauthenticated");
            } else if (echoBuffer.getByte(0) == 1) {
                future.complete(echoBuffer.getBuffer(1, echoBuffer.length()));
            } else {
                future.fail("Unexpected response from echo service");
            }
        });
        echoSocket.write(Buffer.buffer(Bytes.concat(token.getBytes(), input.getBytes())));

        return future;
    }

    private void handleEvent(Message<JsonObject> event) {
        connectToAuthService()
                .compose(this::authenticate)
                .compose(token -> connectToEchoClient()
                        .compose(socket -> forwardToEchoClient(socket, token, event.body().getString("body"))))
                .setHandler(asyncBuffer -> {
                    if (asyncBuffer.succeeded()) {
                        event.reply(asyncBuffer.result());
                    } else {
                        event.fail(500, asyncBuffer.cause().getMessage());
                    }
                });
    }

    @Override
    public void start() {
        LOGGER.info("Starting");

        eventBus = vertx.eventBus();
        authClient = vertx.createNetClient();
        echoClient = vertx.createNetClient();

        eventBus.consumer(REQUEST_ADDRESS, this::handleEvent);
    }
}

Although I still have to look closely to see what the handleEvent method is doing exactly, I hope we can agree that this is an improvement over the callback-based implementation. In my opinion, it’s clearer what each part of the implementation is responsible for and which parts are related.

Conclusion

By looking at these few examples, you’ve seen part of what Vert.x has to offer. However, it doesn’t end with what’s described here. Vert.x’s documentation page offers a comprehensive list of books, manuals, and API docs that covers the complete toolkit. There’s also a page listing learning materials that should help you get started.

If you’re interested in the toolkit, you should definitely play around with the example application available at https://github.com/ljpengelen/vertx-demo/. Besides a few other verticles apart from those described here, there are a number of tests that should give you an impression of what Vert.x has to offer.

Once you get the hang of it, developing applications with Vert.x is quite enjoyable. As with all forms of asynchronous programming, however, I sometimes find myself in slightly annoying situations where a synchronous approach would be much easier to implement and reason about. The question is whether you’re willing to put up with a little extra work to enjoy the potential benefits of reactive systems.

To keep programs easy to reason about, I try to avoid side effects and aim for a functional style of programming using immutable objects. I’m happy to trade a few CPU cycles for a reduced demand of brain power.

Because we’re talking about Python here, and we’re all responsible users, it’s impossible to create actual objects that are impossible to mutate. You can, however, create things that behave like objects that are impossible to mutate or actual objects that cannot be mutated by mistake.

Let’s look at three ways to do this and how they differ.

Named Tuples

The Python project I’m currently working on started before data classes were available. Additionally, this project is created for a client that prefers the use of as few dependencies as possible. In that context, the following class for points emerged:

from collections import namedtuple


class Point(namedtuple("_Point", ["x", "y"])):
    def scale(self, scale):
        return Point(self.x * scale, self.y * scale)

    def translate(self, dx, dy):
        return Point(self.x + dx, self.y + dy)

It’s a class for points in two-dimensional space. When you call the scale or translate method, a new point is returned. This variant of the class extends a named tuple _Point consisting of two fields named x and y.

When you try to mutate an instance of this class, you’ll be greeted with an AttributeError:

>>> from collections import namedtuple
>>> Point = namedtuple("_Point", ["x", "y"])
>>> p = Point(1, 2)
>>> p.x
1
>>> p.x = 2
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: can't set attribute

That looks pretty much like immutability to me. One of the downsides of this approach is that p isn’t an actual object. It’s a tuple.

>>> SomethingCompletelyDifferent = namedtuple("SomethingCompletelyDifferent", "a b")
>>> a = SomethingCompletelyDifferent(1, 2)
>>> p == a
True
>>> p == (1, 2)
True

Depending on how you’re using instances of this class, this could be a big deal. The documentation for the attrs package list a few more downsides.

Attrs

If you don’t mind dependencies, you could use the aforementioned attrs package and do this:

import attr


@attr.s(frozen=True)
class Point:
    x = attr.ib()
    y = attr.ib()

    def scale(self, scale):
        return Point(self.x * scale, self.y * scale)

    def translate(self, dx, dy):
        return Point(self.x + dx, self.y + dy)

In this case, the decorator @attr.s(frozen=True) dictates that values of x and y cannot be changed by simple assignments. This behaves like you expect it to:

>>> import attr
>>> @attr.s(frozen=True)
... class Point:
...     x = attr.ib()
...     y = attr.ib()
...
>>> p = Point(1, 2)
>>> p.x
1
>>> p.x = 2
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/lucengelen/.local/share/virtualenvs/python-immutable-1HIt_5XS/lib/python3.7/site-packages/attr/_make.py", line 428, in _frozen_setattrs
    raise FrozenInstanceError()
attr.exceptions.FrozenInstanceError
>>> p == (1, 2)
False
>>> p == Point(1, 2)
True
>>> p == Point(2, 1)
False

You can still mutate instances of this class, but not by accident:

>>> p = Point(1, 2)
>>> p.__dict__["x"] = 100
>>> p
Point(x=100, y=2)

Data Classes

Since Python 3.7, you can use data classes to achieve something similar to the variant using attrs:

from dataclasses import dataclass


@dataclass(frozen=True)
class Point:
    x: int
    y: int

    def scale(self, scale):
        return Point(self.x * scale, self.y * scale)

    def translate(self, dx, dy):
        return Point(self.x + dx, self.y + dy)

Here, the decorator @dataclass(frozen=True) dictates that the values of x and y cannot be changed by simple assignments. This also behaves like you would expect:

>>> from dataclasses import dataclass
>>> @dataclass(frozen=True)
... class Point:
...     x: int
...     y: int
...
>>> p = Point(1, 2)
>>> p.x = 100
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 3, in __setattr__
dataclasses.FrozenInstanceError: cannot assign to field 'x'
>>> p = Point(1, 2)
>>> p == Point(1, 2)
True
>>> p == Point(2, 1)
False
>>> p == (1, 2)
False

You can mutate instances in the same way as above, but I won’t believe you if say you did this by mistake.

Conclusion

If you want to play around with these variants, you could use the Python shell. You could also take a look at the following repo: https://github.com/ljpengelen/immutable-python-objects.

My personal conclusion after reviewing these variants is that I won’t replace all the named tuples in existing projects just yet. I don’t expect to get burned by the unfortunate behavior concerning equality. For future projects, however, I’ll probably go with data classes.

For a project I’m working on, I wanted to know which protocol and data representation would be best to transfer relatively large amounts of data between microservices. At first, I just wanted to see whether using protocol buffers to represent data would lead to smaller response sizes compared to compressed JSON. Once I was looking into protocol buffers, I wondered when it would be better to choose gRPC over REST.

Protocol Buffers

As Google puts it, protocol buffers are a language-neutral, platform-neutral extensible mechanism for serializing structured data. Given the definition below, code to efficiently serialize and deserialize compact representations of lists of vectors can be generated for a number of programming languages.

syntax = "proto3";

package vectors;

message Point {
    double x = 1;
    double y = 2;
    double z = 3;
}

message Vector {
    Point start = 1;
    Point end = 2;
}

message Vectors {
    repeated Vector vectors = 1;
}

As you can see in the definition above, the data is typed. That is an advantage over JSON if you ask me. Because of the large number of supported programming languages, you can exchange protocol buffers between apps written in many languages.

gRPC

gRPC is a high-performance, open-source universal framework for remote procedure calls. If you extend the definition above with declarations like the ones below, code can be generated that allows client applications to call methods of server applications in a way that compares to calling local methods.

service VectorService {
    rpc GetVectorStream(VectorsRequest) returns (stream Vector) {}
    rpc GetVectors(VectorsRequest) returns (Vectors) {}
}

message VectorsRequest {
    int64 seed = 1;
    int32 number_of_vectors = 2;
}

You implement the actual service by extending the base implementation generated from the definition. The following code shows an example implementation in Java.

@GRpcService
public class VectorsService extends VectorServiceGrpc.VectorServiceImplBase {

    private final VectorGenerator vectorGenerator;

    @Autowired
    public VectorsService(VectorGenerator vectorGenerator) {
        this.vectorGenerator = vectorGenerator;
    }

    @Override
    public void getVectors(VectorProto.VectorsRequest request, StreamObserver<VectorProto.Vectors> responseObserver) {
        responseObserver.onNext(toProto(vectorGenerator.generateRandomVectors(request.getSeed(), request.getNumberOfVectors())));
        responseObserver.onCompleted();
    }

    @Override
    public void getVectorStream(VectorProto.VectorsRequest request, StreamObserver<VectorProto.Vector> responseObserver) {
        vectorGenerator.generateRandomVectors(request.getSeed(), request.getNumberOfVectors()).forEach(vector -> responseObserver.onNext(toProto(vector)));
        responseObserver.onCompleted();
    }
}

The following implementation of a consumer gives an example of how such a remote procedure is called by a client.

@Component
public class VectorsServiceConsumer {

    public void getVectors(String hostname, int port, long seed, int numberOfVectors) {
        var managedChannel = ManagedChannelBuilder.forAddress(hostname, port).usePlaintext().build();
        var blockingStub = VectorServiceGrpc.newBlockingStub(managedChannel);
        var vectorsRequest = VectorProto.VectorsRequest.newBuilder()
                .setNumberOfVectors(numberOfVectors)
                .setSeed(seed)
                .build();

        var response = blockingStub.getVectors(vectorsRequest);

        response.getVectorsList();

        managedChannel.shutdown();
    }

    public void getVectorStream(String hostname, int port, long seed, int numberOfVectors) {
        var managedChannel = ManagedChannelBuilder.forAddress(hostname, port).usePlaintext().build();
        var blockingStub = VectorServiceGrpc.newBlockingStub(managedChannel);
        var vectorsRequest = VectorProto.VectorsRequest.newBuilder()
                .setNumberOfVectors(numberOfVectors)
                .setSeed(seed)
                .build();

        var response = blockingStub.getVectorStream(vectorsRequest);

        while (response.hasNext()) {
            response.next();
        }

        managedChannel.shutdown();
    }
}

Some Experiments

To see some practical results and learn about the implementation details, I created a Spring Boot application that sends and receives data via REST and gRPC. If you want to do your own experiments, you could use that app as a starting point:

https://github.com/ljpengelen/RPC

The data exchanged by this app is a list of vectors with random start and end points. Represented as JSON, a vector looks as follows.

{
  "start": {
    "x": 0.730967787376657,
    "y": 0.24053641567148587,
    "z": 0.6374174253501083
  },
  "end": {
    "x": 0.5504370051176339,
    "y": 0.5975452777972018,
    "z": 0.3332183994766498
  }
}

Response Size

The table below shows the response size in kilobytes when requesting a list of vectors of a given size via REST, using three different representations. As you can see from the table, if compression of responses is enabled on the server, it doesn’t matter much whether you choose for JSON or protocol buffers to represent your data. As far as response size is concerned, you might as well keep things simple and stick with JSON.

One reason to prefer protocol buffers over compressed JSON would be that protocol buffers are typed. Additionally, if you use a framework such as Spring Boot, you have to define data transfer objects to represent the requests and responses of your REST endpoints. With protocol buffers, these are generated for you.

Speed

To compare the amount of time it takes to exchange lists of vectors via REST and gRPC, I’ve set up two virtual machines on AWS. Both machines had type t2.small (https://aws.amazon.com/ec2/instance-types/) and ran Linux and Java 11. One was located in Frankfurt and the other in Sydney. I was communicating with these machines from my local machine in Eindhoven, a 2017 MacBook Pro with a 2.8 GHz Intel Core i7 processor and 16 GB of RAM.

The table below shows the amount of time in milliseconds it takes to retrieve a list (or stream) of 10.000 vectors 10 times in a row. The two columns labelled “REST” show how much time it takes to exchange data represented as JSON and protocol buffers. With gRPC, data is always represented as protocol buffers. The two columns labelled “gRPC” show how much time it takes to transfer multiple vectors as a list and as a stream.

The last three rows are included as a sort of sanity check. I would expect the numbers for Frankfurt -> Frankfurt to be comparable to those for Sydney -> Sydney (because we’re essentially doing the exact same thing) and a little worse than those for Eindhoven -> Eindhoven (because my laptop is faster than the ec2 instances). This seems to be the case. I would also expect Frankfurt -> Sydney to be comparable to Sydney -> Frankfurt, which is also the case.

The results might give the impression that there’s little reason to prefer gRPC over REST. This is caused by the fact that we’re not using gRPC to its fullest potential. For this experiment, we’re using blocking communication and don’t process the stream of vectors vector by vector. In real-world scenarios, however, it might be benificial to use asynchronous communication, and deal with input and output as streams.

Conclusion

To conclude, here are some bullet points with simplistic advice:

• If you only care about response size, use REST and JSON, enable compression, and call it a day.
• If you want your data to be typed and keep things simple, use REST and protocol buffers.
• If you want to handle your input and output as streams, use gRPC.

Because Jenkins is one of the biggest names in the field of tools for continuous integration and continuous delivery, it probably needs no introduction. Because you probably read every letter on theguild.nl, Pipelines and Jenkinsfiles also need no introduction. In case you forgot, Jenkinsfiles provide a way to declaratively specify continuous-delivery pipelines, which are automated expressions of your process for getting software from version control right through to your users and customers, as Jenkins puts it. You can keep Jenkinsfiles in the repositories of the apps they test and deploy. When Jenkins finds such a file in a repository, it will set up the pipeline defined in the file and run it. This allows developers to manage the pipelines for their apps without dealing with Jenkins itself.

If you have limited experience with Jenkins, I’d advise you to run it locally right away and take a look. If you’re running Docker, the simplest way to run Jenkins is by means of a script like the following.

#!/bin/sh
docker pull jenkinsci/blueocean
docker run -u root --rm -d \
  -p 8080:8080 \
  -p 50000:50000 \
  -v jenkins-data:/var/jenkins_home \
  -v jenkins-root:/root \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /Users/lucengelen/Repositories:/Users/lucengelen/Repositories \
  jenkinsci/blueocean

When you compare this script with the installation instructions provided by Jenkins, you’ll see some differences. First, I’ve added docker pull jenkinsci/blueocean to ensure that I always use the latest version of the Docker image for Jenkins. Additionally, I’ve added the command-line arguments -v jenkins-root:/root and -v /Users/lucengelen/Repositories:/Users/lucengelen/Repositories. The first ensures that SSH keys are preserved when a new Docker image for Jenkins is built. The second ensures that the folder where I keep my repositories is accessible from within the Docker container. You should modify this line to match your situation (or move your repositories to /Users/lucengelen/Repositories).

After you’ve executed the commands above, you’ll be able to visit http://localhost:8080 in the browser and see Jenkins’ post-installation setup wizard. Jenkins asks you to enter a key that you can find in its logs, which you can inspect by running docker logs <CONTAINER_ID>, where <CONTAINER_ID> is the long string displayed after the docker run command is finished.

Once you’re done with the setup, create a new job in Jenkins with the type “Multibranch Pipeline”. Give this job a source of type “Git” and point it to the repository https://github.com/ljpengelen/jenkinsfile. You’ll see that Jenkins discovers the Jenkinsfile in the root of the repository and tries to run a pipeline for the branches master and staging. This will fail for a number of reasons, but that’s okay.

Starting From Scratch

When experimenting with Jenkins, it’s often convenient to be able to test changes to a Jenkinsfile without pushing to a remote repository. If Jenkins is pulling a remote repository for changes, it will only see the that you’ve pushed. Using a file URL for a local repository enables you to iterate faster. Assuming that you’ve clone the repository mentioned above into the folder /Users/lucengelen/Repositories/jenkinsfile, you can create a second multibranch-pipeline job and point it to the repository file:///Users/lucengelen/Repositories/jenkinsfile, for example.

After you’ve done this for the folder were you’ve cloned the repository, replace the content of the Jenkinsfile in the root of the repository to the following and commit your changes.

pipeline {
  agent none

  stages {
    stage("Test back end") {
      agent {
        dockerfile {
          filename "back-end/dockerfiles/ci/Dockerfile"
        }
      }

      steps {
        sh "cd back-end && bin/ci"
      }
    }

    stage("Test front end") {
      agent {
        dockerfile {
          filename "front-end/dockerfiles/ci/Dockerfile"
        }
      }

      steps {
        sh "rm -f front-end/node_modules && ln -s /app/node_modules front-end/node_modules"
        sh "cd front-end && bin/ci"
      }
    }
  }
}

If you’ve committed these changes on a new branch, you need to ask Jenkins to scan your multibranch pipeline again. If you’ve committed them to an existing branch, you can just start a new build for that branch. You’ll see that this build succeeds.

The tests and linters for both apps are executed inside Docker containers. The dependencies for both apps are installed inside these containers. This way, Docker takes care of the caching.

By default, Yarn looks for dependencies in a folder named node_modules in the root of your project folder. The command cd front-end && bin/ci is executed in the folder where Jenkins has checked out your repository. As part of the build of the Docker image for the front end, however, the dependencies are installed in the folder /app/node_modules. This explains the presence of the command rm -f front-end/node_modules && ln -s /app/node_modules front-end/node_modules. There’s a Yarn-specific way of configuring an alternative location of the node_modules folder, but it didn’t work for me. Since this is also a post for masochists, feel free to experiment with it.

Shooting Yourself in the Foot

You can tell Jenkins to run (parts of) your pipelines on a specific node. You do this by specifying a label for an agent in your pipeline. The steps for this particular agent will then be executed on a node with the given label. Modify your Jenkinsfile as follows.

pipeline {
  agent none

  stages {
    stage("Test back end") {
      agent {
        dockerfile {
          filename "back-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "cd back-end && bin/ci"
      }
    }

    stage("Test front end") {
      agent {
        dockerfile {
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "rm -f front-end/node_modules && ln -s /app/node_modules front-end/node_modules"
        sh "cd front-end && bin/ci"
      }
    }
  }
}

If you trigger a new build, you’ll probably see it fail because there’s no agent with the label “webapps”. Introduce a new agent by visiting http://localhost:8080/computer/new, choosing a name, and selecting “permanent agent”. On the next page, specify a remote root directory, set the label to “webapps”, and the host to “localhost” or your computer’s hostname. If you’re on a Mac, you’ll have to allow remote access via SSH to your machine. Provide your credentials for logging in via SSH.

If you’ve followed all these steps, you should now be able to run the pipeline, right? In the end, you’re just executing the steps on your local machine, just like you were doing before. If you’re working on a Mac, you’ll quickly find that new builds still fail. For some reason, Docker is not available, and you’ll see a line ending with script.sh: line 1: docker: command not found in the console output of your pipeline.

If you go to the command line and execute the following command, you’ll understand what’s going on.

ssh localhost "echo \$PATH"

This will result in something like /usr/bin:/bin:/usr/sbin:/sbin. Be sure to escape the dollar sign because the result of the following command will only add to the confusion.

ssh localhost "echo $PATH"

If you run commands like we do above, you end up in a non-interactive, non-login shell. This is also what Jenkins is doing when it’s executing the steps of the agents in our Jenkinsfile. In such a shell, you have a different path than in the interactive login shell that you work in when you open a terminal. On a Mac, the Docker executable is located at /usr/local/bin/docker, which is not in the path of the non-interactive, non-login shell.

To fix this, go back to the configuration of the node you just added and add PATH=$PATH:/usr/local/bin && as the value for the input “Prefix Start Agent Command” that is part of the advanced settings.

Because we’re just experimenting with Jenkins, there’s no real reason to shoot yourself in the foot like this. You could leave out the label or configure your main node to run jobs with this label. I just wanted to warn you about this pitfall in case you ever encountered it in the real world.

Continuous Delivery

To keep experimenting along, you’ll need an instance of Dokku running somewhere. Coincidentally, there’s a blog post about setting up an instance of Dokku on Azure that is almost perfect for the Jenkinsfile below. You only have to open port 8000 instead of 8080. You may also have to pick another prefix for your hostnames if the ones below are taken.

dokkuHostname = "kabisa-dokku-demo-staging.westeurope.cloudapp.azure.com"
if (env.BRANCH_NAME == "production") {
  dokkuHostname = "kabisa-dokku-demo-production.westeurope.cloudapp.azure.com"
}

pipeline {
  agent none

  stages {
    stage("Test back end") {
      agent {
        dockerfile {
          filename "back-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "cd back-end && bin/ci"
      }
    }

    stage("Test front end") {
      agent {
        dockerfile {
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "rm -f front-end/node_modules && ln -s /app/node_modules front-end/node_modules"
        sh "cd front-end && bin/ci"
      }
    }

    stage("Deploy back end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "git push -f dokku@${dokkuHostname}:back-end HEAD:refs/heads/master"
      }
    }

    stage("Build front end") {
      agent {
        dockerfile {
          args "-e 'API_BASE_URL=http://${dokkuHostname}:8000/api'"
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "cd front-end && yarn build"
      }
    }

    stage("Deploy front end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "rm -rf deploy-front-end"
        sh "git clone dokku@${dokkuHostname}:front-end deploy-front-end"
        sh "rm -rf deploy-front-end/dist"
        sh "mkdir -p deploy-front-end/dist"
        sh "cp -R front-end/dist/* deploy-front-end/dist"
        sh "touch deploy-front-end/.static"
        sh "cd deploy-front-end && git add . && git commit -m \"Deploy\" --allow-empty && git push -f"
      }
    }
  }
}

If you want the pipeline above to be successful, you need to configure SSH in the Docker container running Jenkins so that it uses the right keys. Execute docker exec -it <CONTAINER_ID> /bin/sh to enter the container, store the keys somewhere, create the file /root/.ssh/config if it doesn’t exist yet, and add the following lines to point SSH to the right keys.

Host kabisa-dokku-demo-staging.westeurope.cloudapp.azure.com
  IdentityFile ~/.ssh/azure_dokku_git_staging

Host kabisa-dokku-demo-production.westeurope.cloudapp.azure.com
  IdentityFile ~/.ssh/azure_dokku_git_production

Modify the hostnames and key names in this example to match your situation.

Better Safe than Sorry

Unless you tell Docker otherwise, it will do as little work as possible when building an image. It caches the result of each build step of a Dockerfile that it has executed before and uses the result for each new build. If a new version of the base image you’re using becomes available that conflicts with your app, however, you won’t notice that when running the tests in a container using an image that is built upon the older, cached version of the base image.

You can instruct Docker to look for newer verions of your base image during a build with the command-line argument --pull. Because new base images are only available once in a while, it’s not really wasteful to use this argument all the time when building images. This is what we’re doing in the Jenkinsfile below.

additionalBuildArgs = "--pull"
if (env.BRANCH_NAME == "master") {
  additionalBuildArgs = "--pull --no-cache"
}

dokkuHostname = "kabisa-dokku-demo-staging.westeurope.cloudapp.azure.com"
if (env.BRANCH_NAME == "production") {
  dokkuHostname = "kabisa-dokku-demo-production.westeurope.cloudapp.azure.com"
}

pipeline {
  agent none

  triggers {
    cron(env.BRANCH_NAME == 'master' ? '@weekly' : '')
  }

  stages {
    stage("Test back end") {
      agent {
        dockerfile {
          additionalBuildArgs "${additionalBuildArgs}"
          filename "back-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "cd back-end && bin/ci"
      }
    }

    stage("Test front end") {
      agent {
        dockerfile {
          additionalBuildArgs "${additionalBuildArgs}"
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "rm -f front-end/node_modules && ln -s /app/node_modules front-end/node_modules"
        sh "cd front-end && bin/ci"
      }
    }

    stage("Deploy back end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }
    }

    stage("Build front end") {
      agent {
        dockerfile {
          args "-e 'API_BASE_URL=http://${dokkuHostname}:8000/api'"
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      when {
        beforeAgent true
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "cd front-end && yarn build"
      }
    }

    stage("Deploy front end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "rm -rf deploy-front-end"
        sh "git clone dokku@${dokkuHostname}:front-end deploy-front-end"
        sh "rm -rf deploy-front-end/dist"
        sh "mkdir -p deploy-front-end/dist"
        sh "cp -R front-end/dist/* deploy-front-end/dist"
        sh "touch deploy-front-end/.static"
        sh "cd deploy-front-end && git add . && git commit -m \"Deploy\" --allow-empty && git push -f"
      }
    }
  }
}

You may have noticed that there’s also a command-line argument --no-cache in this Jenkinsfile, which is only used on the master branch. This command-line argument instructs Docker to not use any caching at all when building an image. This means that Docker will download and install all dependencies when building an image. If there’s something wrong when any of your dependencies, you’ll find out right away. This is a good way of ensuring that your Docker containers can be built from scratch, but it would be a waste of resources and bandwith to build images like this for every commit. In the Jenkinsfile above, images are only built from scratch on the master branch. This ensures that you’ll find out that something is wrong with your Docker image when you merge features to master. To ensure that you’re also notified in case of issues when an app is no longer in active development, a trigger is added to build the master branch once every week.

The line beforeAgent true in the when clause of the stage “Build front end” ensures that the Docker image used to build the front end is only built when new changes are pushed to the branches staging and production. Without this line, the image would always be built, regardless of the branch. The when clause would only prevent the steps from being executed. This is mostly gold plating of the Jenkinsfile, since the same image is used to run the tests for the front end and build it, which means that the second Docker build would use cached data anyway.

Because the same container is used for testing and building the front end, the additional arguments for the Docker build command are left out for the build step.

Shooting Yourself in the Foot Again

So far, some potential issues were masked because we’ve been running Jenkins as root. In other real-life scenarios, Jenkins will not always be running as root, however. If you run the WAR-file version of Jenkins, for example, the Jenkins process would be running as the user that executed java -jar jenkins.war on the command line. When you execute a new build in that scenario, you’ll find that it fails again. The user that’s executing commands in the Docker container for the front end doesn’t have the right access rights. I advise all masochists to try this at home and watch it fail.

We can easily fix this by explicitly instructing Docker to use the root user again, as shown below.

additionalBuildArgs = "--pull"
if (env.BRANCH_NAME == "master") {
  additionalBuildArgs = "--pull --no-cache"
}

dokkuHostname = "kabisa-dokku-demo-staging.westeurope.cloudapp.azure.com"
if (env.BRANCH_NAME == "production") {
  dokkuHostname = "kabisa-dokku-demo-production.westeurope.cloudapp.azure.com"
}

pipeline {
  agent none

  triggers {
    cron(env.BRANCH_NAME == 'master' ? '@weekly' : '')
  }

  stages {
    stage("Test back end") {
      agent {
        dockerfile {
          additionalBuildArgs "${additionalBuildArgs}"
          filename "back-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "cd back-end && bin/ci"
      }
    }

    stage("Test front end") {
      agent {
        dockerfile {
          additionalBuildArgs "${additionalBuildArgs}"
          args "-u root"
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "rm -f front-end/node_modules && ln -s /app/node_modules front-end/node_modules"
        sh "cd front-end && bin/ci"
      }
    }

    stage("Deploy back end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "git push -f dokku@${dokkuHostname}:back-end HEAD:refs/heads/master"
      }
    }

    stage("Build front end") {
      agent {
        dockerfile {
          args "-u root -e 'API_BASE_URL=http://${dokkuHostname}:8000/api'"
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      when {
        beforeAgent true
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "cd front-end && yarn build"
      }
    }

    stage("Deploy front end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "rm -rf deploy-front-end"
        sh "git clone dokku@${dokkuHostname}:front-end deploy-front-end"
        sh "rm -rf deploy-front-end/dist"
        sh "mkdir -p deploy-front-end/dist"
        sh "cp -R front-end/dist/* deploy-front-end/dist"
        sh "touch deploy-front-end/.static"
        sh "cd deploy-front-end && git add . && git commit -m \"Deploy\" --allow-empty && git push -f"
      }
    }
  }

The test and build steps for the front end are now executed as root, which seems to work great at first sight. In fact, due to some peculiarities related to file permission of Docker for Mac, it works great on Mac, period.

If you feel that seeing is believing or have lots of time to kill, boot up a Linux (virtual) machine, install Docker and Jenkins, set up a multibranch project again, and start a new build. Afterwards, visit Jenkins’ workspace for the project and check the file permissions. You’ll notice that some files and folders have been created that are owned by root. Because Jenkins isn’t running as root, it is not allowed to delete these files when the time comes to clean up the workspace for your project. For your own amusement, it’s also worthwhile to check that you don’t have this issue on Macs.

To prevent Jenkins from running out of disk space in the future, we need to make sure that the files and folders created as root can be deleted by Jenkins. There are a number of ways to do this, but one way that doesn’t require any additional configuration of Jenkins is demonstrated in the final version of our Jenkinsfile.

additionalBuildArgs = "--pull"
if (env.BRANCH_NAME == "master") {
  additionalBuildArgs = "--pull --no-cache"
}

dokkuHostname = "kabisa-dokku-demo-staging.westeurope.cloudapp.azure.com"
if (env.BRANCH_NAME == "production") {
  dokkuHostname = "kabisa-dokku-demo-production.westeurope.cloudapp.azure.com"
}

pipeline {
  agent none

  triggers {
    cron(env.BRANCH_NAME == 'master' ? '@weekly' : '')
  }

  stages {
    stage("Test back end") {
      agent {
        dockerfile {
          additionalBuildArgs "${additionalBuildArgs}"
          filename "back-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "cd back-end && bin/ci"
      }
    }

    stage("Test front end") {
      agent {
        dockerfile {
          additionalBuildArgs "${additionalBuildArgs}"
          args "-u root"
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      steps {
        sh "rm -f front-end/node_modules && ln -s /app/node_modules front-end/node_modules"
        sh "cd front-end && bin/ci"
      }

      post {
        always {
          sh "chown -R \$(stat -c '%u:%g' .) \$WORKSPACE"
        }
      }
    }

    stage("Deploy back end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "git push -f dokku@${dokkuHostname}:back-end HEAD:refs/heads/master"
      }
    }

    stage("Build front end") {
      agent {
        dockerfile {
          args "-u root -e 'API_BASE_URL=http://${dokkuHostname}:8000/api'"
          filename "front-end/dockerfiles/ci/Dockerfile"
          label "webapps"
        }
      }

      when {
        beforeAgent true
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "cd front-end && yarn build"
      }

      post {
        always {
          sh "chown -R \$(stat -c '%u:%g' .) \$WORKSPACE"
        }
      }
    }

    stage("Deploy front end") {
      agent {
        label "webapps"
      }

      when {
        anyOf {
          branch 'staging';
          branch 'production'
        }
      }

      steps {
        sh "rm -rf deploy-front-end"
        sh "git clone dokku@${dokkuHostname}:front-end deploy-front-end"
        sh "rm -rf deploy-front-end/dist"
        sh "mkdir -p deploy-front-end/dist"
        sh "cp -R front-end/dist/* deploy-front-end/dist"
        sh "touch deploy-front-end/.static"
        sh "cd deploy-front-end && git add . && git commit -m \"Deploy\" --allow-empty && git push -f"
      }
    }
  }

After the test and build step, we change the owner of all files in the workspace to whoever owns the workspace, which is Jenkins.

Conclusion

If you ask me, there are two important conclusions to be drawn from this port. First, Jenkinsfiles are a powerful and convenient tool for continuous integration and continuous delivery. Second, one instance of Jenkins can be very different from another. You can’t take a Jenkinsfile from one project to another and expect it to work right away. I hope that some of the pitfalls described in this post point you in the right direction when you run into trouble in the future.

This post provides a guided tour of the Terraform configuration and Ansible playbooks in the following repository: https://github.com/ljpengelen/dokku-on-azure.

If you follow all the steps described in README.md, you’ll be able to deploy a static front end and a back end defined by any Dockerfile, simply by pushing code to some Git repositories. The end result is a virtual machine on Microsoft Azure running Dokku, an open-source platform as a service. efore we start the guided tour, let’s start with some why’s.

Why would you want to do a deployment by pushing to a repository? If you can deploy an application by pushing to a repository, then so can tools for continuous integration and deployment, such as Jenkins. Even in environments with strict firewall policies, tools like Jenkins should always be able to interact with repositories, without any additional plugins and with little effort. This makes setting up continuous deployment easy.

Why use Dokku as a platform as a service? Similar functionality can be achieved with Heroku and Azure web apps for containers. This type of managed solutions comes with the additional benefit of limited to no maintenance costs. However, they also come with a considerable price tag if you’re deploying resource-hungry applications. Running a VM with about 16GB of RAM will cost you around 100 dollars per month, whereas a similar amount of RAM will cost around 500 dollars if you use a managed service. Clearly, performing maintenance is not free and puts the burden of securing your infrastructure on you. That could be something you’re very willing to pay for.

Why use Terraform to manage infrastructure as code? Terraform is not the only tool that allows you to manage infrastructure as code. You could use vendor-specific tools, such as Azure Resource Manager templates and AWS CloudFormation instead, for example. The benefit of using Terraform is that it is one single tool you can use to manage infrastructure hosted by many different providers.

Terraform

You can use Terraform to manage infrastructure, such as virtual machines, by means of declarative descriptions of the desired end result. These descriptions are called configurations. Terraform keeps track of the current state of the infrastructure and is able to determine which (incremental) changes are required when a configuration changes. This state can be stored online and shared between developers.

The module azure_vm in the repository accompanying this post defines which infrastructure we want to set up on Azure to end up with a publicly accessible virtual machine running Ubuntu. Part of this module is shown below.

variable "admin_username" {}

...

variable "vm_size" {
  default = "Standard_B1S"
}

variable "http_whitelist_ip_ranges" {
  default = ["0.0.0.0/0"]
}

...

data "azurerm_resource_group" "main" {
  name = "${var.resource_group_name}"
}

...

resource "azurerm_public_ip" "main" {
  name = "${var.env}-public-ip"
  location = "${data.azurerm_resource_group.main.location}"
  resource_group_name = "${data.azurerm_resource_group.main.name}"
  public_ip_address_allocation = "static"
  domain_name_label = "${var.domain_name_label_prefix}-${var.env}"
}

This module uses a number of variables. These variables can be strings, lists, or maps, where string is the default type. The variables admin_username and vm_size have type strings. It’s possible to specify default values for variables, which are used when no value is declared for the variable at some other point in the configuration. The variable http_whitelist_ip_ranges has a list as default value, from which Terraform is able to imply that this variable has the type list.

For each environment, there’s a configuration file that provides the values for the variables of this module for the given environment. The file main.tf, for example, provides value for the development environment.

The module above also contains a data source, which is used to fetch data about an existing Azure resource group with a given name. This data source is used to define the location (location = "${data.azurerm_resource_group.main.location}") and resource group name (resource_group_name = "${data.azurerm_resource_group.main.name}") of resources that are defined elsewhere in the configuration.

The most important part of a Terraform configuration are its resources. In the partial example above, a resource defining a public ip is used. Terraform has documentation for each type of Azure resource you’d want to create. If you look at the complete module, you’ll see that it declares resources representing a virtual machine, a network security group, a virtual network, and so on.

Although there are multiple ways to hide secrects in Terraform, I’ve chosen to keep things simple and just keep the secrets out of version control entirely.

I’ve chosen to use three separate and independent configurations for the development, staging, and production environments, which all use the module described above. This is not necessarily the Terraform way of doing things, but it has the benefit of being able to manage all environments independently. If you upgrade the configuration, you’ll be able to test the effects of that change on one environment, while leaving the others intact.

Ansible

After you’ve set up your infrastructure with Terraform, you can use Ansible to automate the installation of software on the virtual machines that are part of that infrastructure. In essence, Ansible is a tool that connects to remote machines via SSH and performs various actions on these machines. In contrast to similar tools, Ansible doesn’t try to abstract from the operating system running on the remote machine. For example, this means that when you connect to a remote machine running Ubuntu, you have to upgrade packages using Ansible tasks specific to apt, but if you connect to a remote machine running CentOS, you have to upgrade packages using tasks specific to yum.

The installation and configuration process that Ansible is supposed to execute is described in the form of playbooks. A playbook consists of a number of roles and tasks, as shown below.

---
- hosts: dokku
  vars:
    dokku_version: v0.14.0
    ports:
      - 80
      - 8080
  remote_user: "{{ admin_username }}"
  roles:
    - print_affected_hosts
    - upgrade_apt_packages
    - secure_server
    - install_dokku
  tasks:
  - name: Install dokku-dockerfile plugin
    become: yes
    command: dokku plugin:install https://github.com/mimischi/dokku-dockerfile.git
    args:
      creates: /var/lib/dokku/plugins/available/dockerfile

Each role is a collection of tasks, and each task is an atomic action, often corresponding to the execution of a single command.

The playbook above is quite simple. It prints the hostname(s) of the machine(s) that Ansible is connecting to, upgrades packages, sets up a firewall, installs Dokku, and installs the dokku-dockerfile plugin. At the start of the playbook, a variable representing the Dokku version to install and one representing the list of ports to open are declared. The playbook also states that Ansible should use the value of the variable admin_username as username when connecting to the machine it is configuring via SSH. This variable is environment specific and defined elsewhere.

Although Ansible provides a vault to be able to keep encrypted secrets in version control, I’ve again chosen to keep things simple and keep secrets out of version control entirely.

Dokku

The Ansible playbook dokku_apps.yml configures two apps named “front-end” and “back-end”. Dokku provides a Git repository for each of these apps. Pushing to one of these repositories will trigger the deployment of the corresponding app.

The nginx buildpack is used to deploy the front end as a static website. It is triggered by the presence of a file called .static in the root of the repository. To be able to clone the repository for this app before the initial push, this repository is initialized as part of the configuration with Ansible. This makes the initial deployment the same as all the following ones, which in turn simplifies setting up continuous deployment.

- name: Initialize repositories for static apps
  command: dokku git:initialize {{ item.name }}
  args:
    creates: /home/dokku/{{ item.name }}/branches
  when: item.static
  with_items: "{{ apps }}"

By default, the nginx buildpack serves files from the root of the repository. The following command executed by Ansible ensures that nginx uses the dist folder as root instead.

- name: Configure nginx for static apps
  command: dokku config:set {{ item.name }} NGINX_ROOT=dist
  when: item.static
  with_items: "{{ apps }}"

By default, static apps are exposed on a random port after the first deployment. Specifying a fixed port is also part of the configuration with Ansible.

- name: Configure ports for static apps
  command: dokku proxy:ports-add {{ item.name }} http:{{ item.port }}:5000
  when: item.static
  with_items: "{{ apps }}"

The back end is deployed by creating a Docker container from a Dockerfile in the corresponding repository. By default, Dokku looks in the root of this repository for the Dockerfile. To support monorepos and keep the root of the repository clean, we use the dokku-dockerfile plugin. This instructs Dokku to look for the Dockerfile in dockerfiles/deploy.

tasks:
- name: Configure dokku-dockerfile plugin
  command: dokku dockerfile:set back-end dockerfiles/deploy/Dockerfile

Conclusion

I’ve written this post for anyone in the situation I was in about a year ago. If you’ve never worked with Azure, Terraform, or Ansible, I hope this post lowers the barrier to get started. I also hope that this post triggers some discussions about best practises. If you see any room for improvement or want to share your opinion about this topic, be my guest!

Before I started making money as a web developer, I was a web developer making money as a PhD student. Like many others in academia, I used LaTeX for most of the documents I produced. I wrote a number of research papers with LaTeX, a PhD thesis, and when it was time to leave academia behind, I wrote a CV with LaTeX. Suffice to say, I’m a big fan.

If you’ve never heard of LaTex, consider the following document:

\documentclass{article}
\usepackage[pdfborder={0 0 0}]{hyperref}
\title{Good-looking PDFs with CSS for Paged Media and Markdown}
\author{Luc Engelen}
\begin{document}
   \maketitle
   Transforming your Markdown documents into good-looking,
   printable PDFs isn't hard and can even be free.
   All you need is a Markdown-to-HTML converter, such as
   \href{https://python-markdown.github.io/}{Python-Markown},
   a CSS style sheet,
   and a rendering tool that supports the CSS module for paged media,
   such as \href{https://weasyprint.org/}{WeasyPrint}.
\end{document}

The end result of typesetting this annotated piece of text will look like this:

LaTeX is advertised as a high-quality typesetting system, a claim that I can only agree with. It’s really nice to be able to focus on the textual content and structure of documents and leave most of the appearance to a specialized tool. An added benefit of writing documents in (annotated) plain text is that you can easily track changes in documents using version-control system such as Git. Although you can collaborate on Word or Pages documents, for example, nothing beats tracking changes commit-by-commit with line-by-line diffs or working on the same document in parallel on different branches. Once you know what you’re doing, LaTeX is great.

LaTeX is also, however, a massive piece of software that takes quite some time to get to know. If you don’t really need professional-quality typesetting or don’t plan to include a lot of mathematical formulas in your documents, it’s hard to justify installing three gigabytes of software and spending many hours to get to know this particular tool.

At Kabisa, we use Google Docs is to create resumes, quotations, etc. Collaborating on these documents works reasonably well, and the end results are fine. Inspired by LaTeX and static site generators, I looked around a few times to see whether we could use Markdown as a basis for this sort of documents instead, hoping to improve both collaboration and the looks of the end results. Things didn’t look very promising for a long time, until I stumbled upon WeasyPrint by coincidence.

WeasyPrint

WeasyPrint is free and open-source software that you can use to generate PDF documents from HTML and CSS. Clearly, you could simply print a webpage to PDF in any browser, but you don’t have any control over the styling of page numbers in that case, and you can’t define headers and footers. WeasyPrint supports a CSS module for which browser support is limited: CSS for Paged Media. Although browsers do support the CSS properties page-break-after, page-break-before, and page-break-inside from this modules, they don’t support the CSS rules for page-margin boxes. It’s the latter set of rules that make it possible to define and style headers and footers, page numbers, covers, and so on. The end results you can achieve with this subset of CSS is quite impressive, as can be seen by looking at the samples provided by WeasyPrint.

There are a number of competitors, but most of them are far from free. Vivliostyle is a notable exception that’s also worth looking into.

CSS for Paged Media

Among other things, CSS for paged media allows you to target specific parts of the margin around each page. For example, the @top-right rule below specifies that the top-right part of the margin of each page should contain a logo.

@page {
  @top-right {
    background: url(kabisa-logo-two-color.svg) no-repeat bottom;
    background-size: 5cm;
    content: "";
    width: 5cm;
  }
}

The @bottom-right rule below specifies that the bottom-right part of the margin of each page should display the page number and the total number of pages. The counters page and pages are available by default, but it’s also possible to define custom counters.

@page {
  @bottom-right {
    content: counter(page) " of " counter(pages);
  }
}

The @bottom-center rule below specifies that the center of each bottom margin should contain the value of the string heading. The value of this string is updated each time an h2 element is encountered. The property page-break-before is an example of a CSS property that most browsers do support. It is used to ensure that each h2 element starts a new page.

@page {
  @bottom-center {
    content: string(heading);
  }
}

h2 {
  page-break-before: always;
  string-set: heading content();
}

These examples only show part of what you can achieve with CSS for paged media. Rachel Andrews provided an excellent overview of all the possibilities for Smashing Magazine.

Markdown

Being able to style HTML for print with CSS is only a part of the story if you’re looking for a convenient way to write good-looking documents. I suppose most people wouldn’t be to enthusiastic about writing documents in plain HTML. HTML is fine for web pages, but markup languages such as reStructuredText, AsciiDoc, and Markdown are better suited for documents like reports, CVs, quotations, notes, and books. Although there’s not a clear winner among these three for me personally, I decided to build some tooling around Python-Markdown because Markdown seems to be the most popular.

If you’ve never heard about Markdown, consider the following document:

# Good-looking PDFs with CSS for Paged Media and Markdown

Transforming your Markdown documents into good-looking,
printable PDFs isn't hard and can even be free.
All you need is

* a Markdown-to-HTML converter, such as
[Python-Markown](https://python-markdown.github.io/),
* a CSS style sheet, and
* a rendering tool that supports the CSS module for paged media,
such as [WeasyPrint](https://weasyprint.org/).

Markdown converts this annotated text into the following HTML:

<h1>Good-looking PDFs with CSS for Paged Media and Markdown</h1>
<p>
  Transforming your Markdown documents into good-looking,
  printable PDFs isn't hard and can even be free.
  All you need is
</p>
<ul>
  <li>
    a Markdown-to-HTML converter, such as
    <a href="https://python-markdown.github.io/">Python-Markown</a>,
  </li>
  <li>a CSS style sheet, and</li>
  <li>
    a rendering tool that supports the CSS module for paged media,
    such as <a href="https://weasyprint.org/">WeasyPrint</a>.
  </li>
</ul>

There’s an extension for Python-Markdown, Attribute Lists, that allows you to define attributes on the HTML elements in Markdown’s output. This extension comes in handy when you want to apply CSS to the resulting HTML.

A Script to Tie These Tools Together

I’ve created a Python script that ties Python-Markdown and WeasyPrint together, including two examples that demonstrate the possibilities of this tool chain. You can use this script to convert documents in one go or to watch a Markdown document and a CSS style sheet for changes and convert them on the fly. If you don’t feel like installing all the dependencies, you could build a Docker image and run the tool in a container instead.