
Merge branch 'geal/change-builder-api' into geal/authorizer-builder
Geal committed Nov 28, 2024
2 parents b1ee758 + aff9748 commit 6587f0b
Showing 14 changed files with 556 additions and 487 deletions.
373 changes: 199 additions & 174 deletions biscuit-auth/benches/token.rs


27 changes: 12 additions & 15 deletions biscuit-auth/examples/testcases.rs
Expand Up @@ -878,9 +878,9 @@ fn scoped_rules(target: &str, root: &KeyPair, test: bool) -> TestResult {
)
.unwrap();

let mut block3 = BlockBuilder::new();

block3.add_fact(r#"owner("alice", "file2")"#).unwrap();
let block3 = BlockBuilder::new()
.add_fact(r#"owner("alice", "file2")"#)
.unwrap();

let keypair3 = KeyPair::new_with_rng(Algorithm::Ed25519, &mut rng);
let biscuit3 = biscuit2.append_with_keypair(&keypair3, block3).unwrap();
Expand Down Expand Up @@ -973,14 +973,13 @@ fn expired_token(target: &str, root: &KeyPair, test: bool) -> TestResult {
.build_with_rng(&root, SymbolTable::default(), &mut rng)
.unwrap();

let mut block2 = block!(r#"check if resource("file1");"#);

// January 1 2019
block2.check_expiration_date(
UNIX_EPOCH
.checked_add(Duration::from_secs(49 * 365 * 24 * 3600))
.unwrap(),
);
let block2 = block!(r#"check if resource("file1");"#)
// January 1 2019
.check_expiration_date(
UNIX_EPOCH
.checked_add(Duration::from_secs(49 * 365 * 24 * 3600))
.unwrap(),
);

let keypair2 = KeyPair::new_with_rng(Algorithm::Ed25519, &mut rng);
let biscuit2 = biscuit1.append_with_keypair(&keypair2, block2).unwrap();
Expand Down Expand Up @@ -1410,10 +1409,8 @@ fn unbound_variables_in_rule(target: &str, root: &KeyPair, test: bool) -> TestRe
.build_with_rng(&root, SymbolTable::default(), &mut rng)
.unwrap();

let mut block2 = BlockBuilder::new();

// this one does not go through the parser because it checks for unused variables
block2
let block2 = BlockBuilder::new()
// this one does not go through the parser because it checks for unused variables
.add_rule(rule(
"operation",
&[var("unbound"), string("read")],
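Review bot: The `// January 1 2019` comment carried onto the new chained `check_expiration_date` call does not match the value it annotates: `49 * 365 * 24 * 3600` seconds after the epoch is 17 885 days, which falls on 2018-12-20, because the twelve leap days between 1970 and 2019 are not counted. The test only needs a date that is safely in the past, so the arithmetic itself is fine; the comment should say that instead of naming an exact day, e.g. `// roughly December 20 2018 (49 × 365 days, leap days ignored): far enough in the past that this check is always expired`. The enclosing `expired_token` function starts and ends outside this hunk, as do `scoped_rules` and `unbound_variables_in_rule` for the other two hunks.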
14 changes: 5 additions & 9 deletions biscuit-auth/examples/third_party.rs
let mut rng: StdRng = SeedableRng::seed_from_u64(0);
let root = KeyPair::new_with_rng(Algorithm::Ed25519, &mut rng);
let external = KeyPair::new_with_rng(Algorithm::Ed25519, &mut rng);

let mut builder = Biscuit::builder();

let external_pub = hex::encode(external.public().to_bytes());

builder
let biscuit1 = Biscuit::builder()
.add_check(
format!("check if external_fact(\"hello\") trusting ed25519/{external_pub}").as_str(),
)
.unwrap();

let biscuit1 = builder
.unwrap()
.build_with_rng(&root, SymbolTable::default(), &mut rng)
.unwrap();

Expand All @@ -30,8 +25,9 @@ fn main() {
let serialized_req = biscuit1.third_party_request().unwrap().serialize().unwrap();

let req = biscuit_auth::ThirdPartyRequest::deserialize(&serialized_req).unwrap();
let mut builder = BlockBuilder::new();
builder.add_fact("external_fact(\"hello\")").unwrap();
let builder = BlockBuilder::new()
.add_fact("external_fact(\"hello\")")
.unwrap();
let res = req.create_block(&external.private(), builder).unwrap();

let biscuit2 = biscuit1.append_third_party(external.public(), res).unwrap();
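Review bot: The new `Biscuit::builder().add_check(format!("check if external_fact(\"hello\") trusting ed25519/{external_pub}").as_str())` builds Datalog source by string interpolation, while the `authorizer.rs` test touched by this same commit uses the parameterised form, `add_code_with_params(..., scope_params)` with `{external_pub}` bound to `external.public()`. Interpolating a hex-encoded key the program generated itself is harmless, but an example is what users copy, and the parameter API is the one that stays safe when the interpolated value is not under the program's control. Consider `.add_code_with_params("check if external_fact(\"hello\") trusting {external_pub}", HashMap::new(), scope_params)` after `scope_params.insert("external_pub".to_string(), external.public())`, which also removes the `hex::encode` step (it needs `HashMap` in scope, which I cannot see from here). `main` continues past both hunks.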
48 changes: 26 additions & 22 deletions biscuit-auth/src/token/authorizer.rs
let mut authorizer = Self::new();

for fact in facts.into_iter() {
authorizer.authorizer_block_builder.add_fact(fact)?;
authorizer.authorizer_block_builder =
authorizer.authorizer_block_builder.add_fact(fact)?;
}

for rule in rules.into_iter() {
authorizer.authorizer_block_builder.add_rule(rule)?;
authorizer.authorizer_block_builder =
authorizer.authorizer_block_builder.add_rule(rule)?;
}

for check in checks.into_iter() {
authorizer.authorizer_block_builder.add_check(check)?;
authorizer.authorizer_block_builder =
authorizer.authorizer_block_builder.add_check(check)?;
}

for policy in policies {
Expand Down Expand Up @@ -1034,10 +1037,11 @@ mod tests {
use crate::Biscuit;
use crate::KeyPair;
let keypair = KeyPair::new(Algorithm::Ed25519);
let mut builder = Biscuit::builder();
builder.add_fact("user(\"John Doe\", 42)").unwrap();

let biscuit = builder.build(&keypair).unwrap();
let biscuit = Biscuit::builder()
.add_fact("user(\"John Doe\", 42)")
.unwrap()
.build(&keypair)
.unwrap();

let mut authorizer = biscuit.authorizer().unwrap();
let res: Vec<(String, i64)> = authorizer
Expand All @@ -1054,10 +1058,11 @@ mod tests {
use crate::Biscuit;
use crate::KeyPair;
let keypair = KeyPair::new(Algorithm::Ed25519);
let mut builder = Biscuit::builder();
builder.add_fact("user(\"John Doe\")").unwrap();

let biscuit = builder.build(&keypair).unwrap();
let biscuit = Biscuit::builder()
.add_fact("user(\"John Doe\")")
.unwrap()
.build(&keypair)
.unwrap();

let mut authorizer = biscuit.authorizer().unwrap();
let res: Vec<(String,)> = authorizer.query("data($name) <- user($name)").unwrap();
Expand All @@ -1071,25 +1076,24 @@ mod tests {
let root = KeyPair::new(Algorithm::Ed25519);
let external = KeyPair::new(Algorithm::Ed25519);

let mut builder = Biscuit::builder();
let mut scope_params = HashMap::new();
scope_params.insert("external_pub".to_string(), external.public());
builder

let biscuit1 = Biscuit::builder()
.add_code_with_params(
r#"right("read");
check if group("admin") trusting {external_pub};
"#,
check if group("admin") trusting {external_pub};
"#,
HashMap::new(),
scope_params,
)
.unwrap()
.build(&root)
.unwrap();

let biscuit1 = builder.build(&root).unwrap();

let req = biscuit1.third_party_request().unwrap();

let mut builder = BlockBuilder::new();
builder
let builder = BlockBuilder::new()
.add_code(
r#"group("admin");
check if right("read");
Expand Down Expand Up @@ -1254,17 +1258,17 @@ mod tests {
fn authorizer_display_before_and_after_authorization() {
let root = KeyPair::new(Algorithm::Ed25519);

let mut token_builder = BiscuitBuilder::new();
token_builder
let token = BiscuitBuilder::new()
.add_code(
r#"
authority_fact(true);
authority_rule($v) <- authority_fact($v);
check if authority_fact(true), authority_rule(true);
"#,
)
.unwrap()
.build(&root)
.unwrap();
let token = token_builder.build(&root).unwrap();

let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
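Review bot: The new `authorizer.authorizer_block_builder = authorizer.authorizer_block_builder.add_fact(fact)?;` lines in `TryFrom<AuthorizerPolicies> for Authorizer` move the builder out of the struct field and rely on the reassignment to make `authorizer` whole again; on the `?` early-return path the struct is left partially moved, which compiles only because `Authorizer` has no `Drop` impl (none is visible in this hunk), so adding one later would break all three loops at once. A `try_fold` performs the consume-and-rebuild step once per collection rather than once per element, e.g. `authorizer.authorizer_block_builder = facts.into_iter().try_fold(authorizer.authorizer_block_builder, |b, fact| b.add_fact(fact))?;` and the same for `rules` and `checks`; if `BlockBuilder` implements `Default`, `std::mem::take(&mut authorizer.authorizer_block_builder)` would avoid the partial move entirely. The impl body continues past the hunk at the `policies` loop.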
62 changes: 27 additions & 35 deletions biscuit-auth/src/token/builder.rs
Expand Up @@ -251,7 +251,7 @@ mod tests {
.unwrap();
let mut scope_params = HashMap::new();
scope_params.insert("pk".to_string(), pubkey);
builder
builder = builder
.add_code_with_params(
r#"fact({p1}, "value");
rule($head_var) <- f1($head_var), {p2} > 0 trusting {pk};
Expand All @@ -272,52 +272,46 @@ check if true trusting ed25519/6e9e6d5a75cf0c0e87ec1256b4dfed0ca3ba452912d213fcc

#[test]
fn forbid_unbound_parameters() {
let mut builder = BlockBuilder::new();
let builder = BlockBuilder::new();

let mut fact = Fact::try_from("fact({p1}, {p4})").unwrap();
fact.set("p1", "hello").unwrap();
let res = builder.add_fact(fact);
let res = builder.clone().add_fact(fact);
assert_eq!(
res,
Err(error::Token::Language(
biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p4".to_string()],
unused_parameters: vec![],
}
))
res.unwrap_err(),
error::Token::Language(biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p4".to_string()],
unused_parameters: vec![],
})
);
let mut rule = Rule::try_from(
"fact($var1, {p2}) <- f1($var1, $var3), f2({p2}, $var3, {p4}), $var3.starts_with({p2})",
)
.unwrap();
rule.set("p2", "hello").unwrap();
let res = builder.add_rule(rule);
let res = builder.clone().add_rule(rule);
assert_eq!(
res,
Err(error::Token::Language(
biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p4".to_string()],
unused_parameters: vec![],
}
))
res.unwrap_err(),
error::Token::Language(biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p4".to_string()],
unused_parameters: vec![],
})
);
let mut check = Check::try_from("check if {p4}, {p3}").unwrap();
check.set("p3", true).unwrap();
let res = builder.add_check(check);
let res = builder.clone().add_check(check);
assert_eq!(
res,
Err(error::Token::Language(
biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p4".to_string()],
unused_parameters: vec![],
}
))
res.unwrap_err(),
error::Token::Language(biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p4".to_string()],
unused_parameters: vec![],
})
);
}

#[test]
fn forbid_unbound_parameters_in_set_code() {
let mut builder = BlockBuilder::new();
let builder = BlockBuilder::new();
let mut params = HashMap::new();
params.insert("p1".to_string(), "hello".into());
params.insert("p2".to_string(), 1i64.into());
Expand All @@ -332,13 +326,11 @@ check if true trusting ed25519/6e9e6d5a75cf0c0e87ec1256b4dfed0ca3ba452912d213fcc
);

assert_eq!(
res,
Err(error::Token::Language(
biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p3".to_string()],
unused_parameters: vec![],
}
))
)
res.unwrap_err(),
error::Token::Language(biscuit_parser::error::LanguageError::Parameters {
missing_parameters: vec!["p3".to_string()],
unused_parameters: vec![],
})
);
}
}
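Review bot: In `forbid_unbound_parameters`, the three `builder.clone()` calls exist only because the chained API now consumes the builder; nothing is ever added to `builder`, so every call clones an empty value and a reader has to verify that to know the three cases are independent. Writing `BlockBuilder::new().add_fact(fact)`, `BlockBuilder::new().add_rule(rule)` and `BlockBuilder::new().add_check(check)` states the fresh-builder intent directly, drops the test's dependence on `Clone`, and lets the `let builder = BlockBuilder::new();` binding go. The first hunk (`builder = builder.add_code_with_params(...)`) belongs to a test whose start lies outside this view.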
