fix
Geal committed Nov 27, 2024
1 parent 3550e8e commit 23bf232
Showing 6 changed files with 106 additions and 58 deletions.
110 changes: 66 additions & 44 deletions biscuit-auth/benches/token.rs
Expand Up @@ -243,10 +243,12 @@ fn verify_block_2(b: &mut Bencher) {
};

let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand All @@ -256,10 +258,12 @@ fn verify_block_2(b: &mut Bencher) {
b.bytes = data.len() as u64;
b.iter(|| {
let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand Down Expand Up @@ -321,10 +325,12 @@ fn verify_block_5(b: &mut Bencher) {
};

let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand All @@ -335,10 +341,12 @@ fn verify_block_5(b: &mut Bencher) {
b.bytes = data.len() as u64;
b.iter(|| {
let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand Down Expand Up @@ -373,10 +381,12 @@ fn check_signature_2(b: &mut Bencher) {
};

let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand Down Expand Up @@ -441,10 +451,12 @@ fn check_signature_5(b: &mut Bencher) {
};

let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand Down Expand Up @@ -483,10 +495,12 @@ fn checks_block_2(b: &mut Bencher) {
};

let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand All @@ -497,10 +511,12 @@ fn checks_block_2(b: &mut Bencher) {
let token = Biscuit::from(&data, &root.public()).unwrap();
b.bytes = data.len() as u64;
b.iter(|| {
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand Down Expand Up @@ -535,10 +551,12 @@ fn checks_block_create_verifier2(b: &mut Bencher) {
};

let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand Down Expand Up @@ -578,10 +596,12 @@ fn checks_block_verify_only2(b: &mut Bencher) {
};

let token = Biscuit::from(&data, &root.public()).unwrap();
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
Expand All @@ -591,10 +611,12 @@ fn checks_block_verify_only2(b: &mut Bencher) {

let token = Biscuit::from(&data, &root.public()).unwrap();
b.iter(|| {
let mut verifier = token.authorizer().unwrap();
verifier.add_fact("resource(\"file1\")");
verifier.add_fact("operation(\"read\")");
verifier.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_fact("resource(\"file1\")");
builder.add_fact("operation(\"read\")");
builder.add_allow_all();
let mut verifier = builder.build().unwrap();
verifier
.authorize_with_limits(AuthorizerLimits {
max_time: Duration::from_secs(10),
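Review bot: The same six-line `AuthorizerBuilder` setup is pasted into all eleven hunks of this file (verify_block_2, verify_block_5, check_signature_2, check_signature_5, checks_block_2, checks_block_create_verifier2, checks_block_verify_only2), so the next API change has to be repeated eleven times and one missed copy would leave the benches measuring different setups. A small private helper that takes the token and returns the built authorizer would reduce each site to one line such as `let mut verifier = bench_authorizer(&token);` (the helper name is only a suggestion). As far as the visible hunks show, none of the added lines is a `use` line, so `AuthorizerBuilder` has to be in scope already; worth confirming that the benches still compile. The bench functions start and end outside the hunks.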
16 changes: 11 additions & 5 deletions biscuit-auth/examples/third_party.rs
@@ -1,5 +1,5 @@
use biscuit_auth::{
builder::{Algorithm, BlockBuilder},
builder::{Algorithm, AuthorizerBuilder, BlockBuilder},
builder_ext::AuthorizerExt,
datalog::SymbolTable,
Biscuit, KeyPair,
Expand Down Expand Up @@ -38,13 +38,19 @@ fn main() {

println!("biscuit2: {}", biscuit2);

let mut authorizer = biscuit1.authorizer().unwrap();
authorizer.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&biscuit1);
builder.add_allow_all();
let mut authorizer = builder.build().unwrap();

println!("authorize biscuit1:\n{:?}", authorizer.authorize());
println!("world:\n{}", authorizer.print_world());

let mut authorizer = biscuit2.authorizer().unwrap();
authorizer.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&biscuit2);
builder.add_allow_all();
let mut authorizer = builder.build().unwrap();

println!("authorize biscuit2:\n{:?}", authorizer.authorize());
println!("world:\n{}", authorizer.print_world());
}
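Review bot: Both authorizers in this example are built with only `add_token` and `add_allow_all()`, with no authorizer-side facts or checks, so the printed result reflects just the checks carried inside each token; the same applies to the authorizer in examples/verifying_printer.rs. Because examples tend to be copied into services, I would add a comment above each `builder.add_allow_all();`, for instance `// allow-all is for inspection only: a real service adds its own facts, checks and policies here`. `main` starts outside the second hunk.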
8 changes: 5 additions & 3 deletions biscuit-auth/examples/verifying_printer.rs
@@ -1,4 +1,4 @@
use biscuit_auth::{builder_ext::AuthorizerExt, PublicKey};
use biscuit_auth::{builder::AuthorizerBuilder, builder_ext::AuthorizerExt, PublicKey};

fn main() {
let mut args = std::env::args();
Expand All @@ -25,8 +25,10 @@ fn main() {
}
println!("token:\n{}", token);

let mut authorizer = token.authorizer().unwrap();
authorizer.add_allow_all();
let mut builder = AuthorizerBuilder::new();
builder.add_token(&token);
builder.add_allow_all();
let mut authorizer = builder.build().unwrap();

println!("authorizer result: {:?}", authorizer.authorize());
println!("authorizer world:\n{}", authorizer.print_world());
17 changes: 14 additions & 3 deletions biscuit-auth/src/token/authorizer.rs
Expand Up @@ -940,6 +940,8 @@ pub type AuthorizerLimits = RunLimits;
mod tests {
use std::time::Duration;

use builder::load_and_translate_block;
use datalog::World;
use token::{public_keys::PublicKeys, DATALOG_3_1};

use crate::{
Expand Down Expand Up @@ -1409,10 +1411,19 @@ allow if true;
scopes: vec![],
};

// FIXME
assert_eq!(
authorizer
.load_and_translate_block(&mut block, 0, &syms)
.unwrap_err(),
/*builder
.load_and_translate_block(&mut block, 0, &syms)*/
load_and_translate_block(
&mut block,
0,
&syms,
&mut SymbolTable::new(),
&mut HashMap::new(),
&mut World::new(),
)
.unwrap_err(),
error::Token::FailedLogic(error::Logic::InvalidBlockRule(
0,
"test($unbound) <- pred($any)".to_string()
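Review bot: The `// FIXME` in the second hunk does not say what is left to fix, and the previous call survives as a commented-out `/*builder.load_and_translate_block(&mut block, 0, &syms)*/` fragment inside the `assert_eq!`. The test now calls the free function with a fresh `SymbolTable`, `HashMap` and `World`, so it still checks that the rule with an unbound variable is rejected as `InvalidBlockRule`, but no longer against the state a real authorizer holds. If the intent is to route this through the builder later, say so, e.g. `// FIXME: exercise this through AuthorizerBuilder instead of calling the free function`, and drop the commented-out lines. The test function starts and ends outside the hunk.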
11 changes: 9 additions & 2 deletions biscuit-auth/src/token/authorizer/snapshot.rs
Expand Up @@ -2,7 +2,7 @@ use prost::Message;
use std::{collections::HashMap, time::Duration};

use crate::{
builder::{BlockBuilder, Convert, Policy},
builder::{load_and_translate_block, BlockBuilder, Convert, Policy},
datalog::{Origin, RunLimits, TrustedOrigins},
error,
format::{
Expand Down Expand Up @@ -91,7 +91,14 @@ impl super::Authorizer {
.push(i);
}

authorizer.load_and_translate_block(&mut block, i, &token_symbols)?;
load_and_translate_block(
&mut block,
i,
&token_symbols,
&mut authorizer.symbols,
&mut public_key_to_block_id,
&mut authorizer.world,
)?;
blocks.push(block);
}

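Review bot: In the new call `public_key_to_block_id` is passed as a bare local, while the symbol table and the world are taken from `authorizer` (`&mut authorizer.symbols`, `&mut authorizer.world`). Its declaration and whatever happens to it after the loop are outside the hunk, so please confirm the filled map ends up in the restored authorizer; if it did not, the restored world and the key-to-block mapping could disagree. If it does, a short comment at the call would make that visible, e.g. `// public_key_to_block_id is stored on the authorizer after the loop`.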
2 changes: 1 addition & 1 deletion biscuit-auth/src/token/builder/authorizer.rs
Expand Up @@ -380,7 +380,7 @@ impl<'a> AuthorizerBuilder<'a> {
}

/// we need to modify the block loaded from the token, because the authorizer's and the token's symbol table can differ
fn load_and_translate_block(
pub(crate) fn load_and_translate_block(
block: &mut Block,
i: usize,
token_symbols: &SymbolTable,
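Review bot: The doc comment on `load_and_translate_block` still only explains why the block is modified, although `pub(crate)` now opens it to callers in snapshot.rs and in the authorizer tests. I would extend it to name the `&mut` arguments it writes to (judging by the call sites: the authorizer's symbol table, the public-key-to-block-id map and the world) and the error it returns for an invalid block rule. Callers would then know which state changes without reading the body. The parameter list and the body continue outside the hunk.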
