From 23bf232efc6f902a194f41866fd3cdfb85fcbd2e Mon Sep 17 00:00:00 2001
From: Geoffroy Couprie
Date: Wed, 27 Nov 2024 17:23:27 +0100
Subject: [PATCH] fix
---
 biscuit-auth/benches/token.rs | 110 +++++++++++-------
 biscuit-auth/examples/third_party.rs | 16 ++-
 biscuit-auth/examples/verifying_printer.rs | 8 +-
 biscuit-auth/src/token/authorizer.rs | 17 ++-
 biscuit-auth/src/token/authorizer/snapshot.rs | 11 +-
 biscuit-auth/src/token/builder/authorizer.rs | 2 +-
 6 files changed, 106 insertions(+), 58 deletions(-)
diff --git a/biscuit-auth/benches/token.rs b/biscuit-auth/benches/token.rs
index 6b5b0624..929a5a3b 100644
--- a/biscuit-auth/benches/token.rs
+++ b/biscuit-auth/benches/token.rs
@@ -243,10 +243,12 @@ fn verify_block_2(b: &mut Bencher) {
 };
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -256,10 +258,12 @@ fn verify_block_2(b: &mut Bencher) {
 b.bytes = data.len() as u64;
 b.iter(|| {
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
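Review bot: The same six-line builder sequence is pasted into both hunks of `verify_block_2` and again into the nine later hunks of this file (`verify_block_5`, `check_signature_2`, `check_signature_5`, `checks_block_2`, `checks_block_create_verifier2`, `checks_block_verify_only2`), so the next API change has to be repeated eleven times. A bench-local helper that takes the token and returns the built authorizer would keep the setup in one place; the sketch below assumes `build()` returns an owned `Authorizer`, which this patch does not show. The results of `builder.add_token(&token);` and `builder.add_fact(...)` are also discarded while only `build()` is unwrapped; if those methods return a `Result`, a rejected fact would silently change the measured workload. The enclosing bench functions start and end outside these hunks.

```rust
fn build_verifier(token: &Biscuit) -> Authorizer {
    let mut builder = AuthorizerBuilder::new();
    builder.add_token(token);
    builder.add_fact("resource(\"file1\")");
    builder.add_fact("operation(\"read\")");
    builder.add_allow_all();
    builder.build().unwrap()
}

// at each call site, replacing the six pasted lines:
let mut verifier = build_verifier(&token);
// … unchanged: verifier.authorize_with_limits(AuthorizerLimits { ... }) …
```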
@@ -321,10 +325,12 @@ fn verify_block_5(b: &mut Bencher) {
 };
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -335,10 +341,12 @@ fn verify_block_5(b: &mut Bencher) {
 b.bytes = data.len() as u64;
 b.iter(|| {
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -373,10 +381,12 @@ fn check_signature_2(b: &mut Bencher) {
 };
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -441,10 +451,12 @@ fn check_signature_5(b: &mut Bencher) {
 };
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -483,10 +495,12 @@ fn checks_block_2(b: &mut Bencher) {
 };
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -497,10 +511,12 @@ fn checks_block_2(b: &mut Bencher) {
 let token = Biscuit::from(&data, &root.public()).unwrap();
 b.bytes = data.len() as u64;
 b.iter(|| {
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -535,10 +551,12 @@ fn checks_block_create_verifier2(b: &mut Bencher) {
 };
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -578,10 +596,12 @@ fn checks_block_verify_only2(b: &mut Bencher) {
 };
 let token = Biscuit::from(&data, &root.public()).unwrap();
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
@@ -591,10 +611,12 @@ fn checks_block_verify_only2(b: &mut Bencher) {
 let token = Biscuit::from(&data, &root.public()).unwrap();
 b.iter(|| {
- let mut verifier = token.authorizer().unwrap();
- verifier.add_fact("resource(\"file1\")");
- verifier.add_fact("operation(\"read\")");
- verifier.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_fact("resource(\"file1\")");
+ builder.add_fact("operation(\"read\")");
+ builder.add_allow_all();
+ let mut verifier = builder.build().unwrap();
 verifier
 .authorize_with_limits(AuthorizerLimits {
 max_time: Duration::from_secs(10),
diff --git a/biscuit-auth/examples/third_party.rs b/biscuit-auth/examples/third_party.rs
index b22ab47e..eb3ab52f 100644
--- a/biscuit-auth/examples/third_party.rs
+++ b/biscuit-auth/examples/third_party.rs
@@ -1,5 +1,5 @@
 use biscuit_auth::{
- builder::{Algorithm, BlockBuilder},
+ builder::{Algorithm, AuthorizerBuilder, BlockBuilder},
 builder_ext::AuthorizerExt,
 datalog::SymbolTable,
 Biscuit, KeyPair,
@@ -38,13 +38,19 @@ fn main() {
 println!("biscuit2: {}", biscuit2);
- let mut authorizer = biscuit1.authorizer().unwrap();
- authorizer.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&biscuit1);
+ builder.add_allow_all();
+ let mut authorizer = builder.build().unwrap();
+
 println!("authorize biscuit1:\n{:?}", authorizer.authorize());
 println!("world:\n{}", authorizer.print_world());
- let mut authorizer = biscuit2.authorizer().unwrap();
- authorizer.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&biscuit2);
+ builder.add_allow_all();
+ let mut authorizer = builder.build().unwrap();
+
 println!("authorize biscuit2:\n{:?}", authorizer.authorize());
 println!("world:\n{}", authorizer.print_world());
 }
diff --git a/biscuit-auth/examples/verifying_printer.rs b/biscuit-auth/examples/verifying_printer.rs
index 580681d3..41febf25 100644
--- a/biscuit-auth/examples/verifying_printer.rs
+++ b/biscuit-auth/examples/verifying_printer.rs
@@ -1,4 +1,4 @@
-use biscuit_auth::{builder_ext::AuthorizerExt, PublicKey};
+use biscuit_auth::{builder::AuthorizerBuilder, builder_ext::AuthorizerExt, PublicKey};
 fn main() {
 let mut args = std::env::args();
@@ -25,8 +25,10 @@ fn main() {
 }
 println!("token:\n{}", token);
- let mut authorizer = token.authorizer().unwrap();
- authorizer.add_allow_all();
+ let mut builder = AuthorizerBuilder::new();
+ builder.add_token(&token);
+ builder.add_allow_all();
+ let mut authorizer = builder.build().unwrap();
 println!("authorizer result: {:?}", authorizer.authorize());
 println!("authorizer world:\n{}", authorizer.print_world());
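Review bot: In `main`, the `builder.add_token(&biscuit1);` and `builder.add_token(&biscuit2);` lines are now the only thing tying each authorizer to a token, where `biscuit1.authorizer()` used to make that structural; the same holds for `builder.add_token(&token);` in `examples/verifying_printer.rs`. Both examples end the setup with `add_allow_all()`, so a reader who copies the block and drops the `add_token` line would, if `build()` accepts a builder with no token (not visible in this patch), get an authorizer that accepts every request. Since examples are what users copy, add a comment above the call such as `// add_token is what makes the token's checks apply; allow-all is for demonstration only`. The rest of `main` lies outside these hunks.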
diff --git a/biscuit-auth/src/token/authorizer.rs b/biscuit-auth/src/token/authorizer.rs
index f14865db..0d0eb5e0 100644
--- a/biscuit-auth/src/token/authorizer.rs
+++ b/biscuit-auth/src/token/authorizer.rs
@@ -940,6 +940,8 @@ pub type AuthorizerLimits = RunLimits;
 mod tests {
 use std::time::Duration;
+ use builder::load_and_translate_block;
+ use datalog::World;
 use token::{public_keys::PublicKeys, DATALOG_3_1};
 use crate::{
@@ -1409,10 +1411,19 @@ allow if true;
 scopes: vec![],
 };
+ // FIXME
 assert_eq!(
- authorizer
- .load_and_translate_block(&mut block, 0, &syms)
- .unwrap_err(),
+ /*builder
+ .load_and_translate_block(&mut block, 0, &syms)*/
+ load_and_translate_block(
+ &mut block,
+ 0,
+ &syms,
+ &mut SymbolTable::new(),
+ &mut HashMap::new(),
+ &mut World::new(),
+ )
+ .unwrap_err(),
 error::Token::FailedLogic(error::Logic::InvalidBlockRule(
 0,
 "test($unbound) <- pred($any)".to_string()
diff --git a/biscuit-auth/src/token/authorizer/snapshot.rs b/biscuit-auth/src/token/authorizer/snapshot.rs
index 373aff9f..02274120 100644
--- a/biscuit-auth/src/token/authorizer/snapshot.rs
+++ b/biscuit-auth/src/token/authorizer/snapshot.rs
@@ -2,7 +2,7 @@ use prost::Message;
 use std::{collections::HashMap, time::Duration};
 use crate::{
- builder::{BlockBuilder, Convert, Policy},
+ builder::{load_and_translate_block, BlockBuilder, Convert, Policy},
 datalog::{Origin, RunLimits, TrustedOrigins},
 error,
 format::{
@@ -91,7 +91,14 @@ impl super::Authorizer {
 .push(i);
 }
- authorizer.load_and_translate_block(&mut block, i, &token_symbols)?;
+ load_and_translate_block(
+ &mut block,
+ i,
+ &token_symbols,
+ &mut authorizer.symbols,
+ &mut public_key_to_block_id,
+ &mut authorizer.world,
+ )?;
 blocks.push(block);
 }
diff --git a/biscuit-auth/src/token/builder/authorizer.rs b/biscuit-auth/src/token/builder/authorizer.rs
index 4f3298c6..6f564a8b 100644
--- a/biscuit-auth/src/token/builder/authorizer.rs
+++ b/biscuit-auth/src/token/builder/authorizer.rs
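Review bot: The rewritten assertion in the `authorizer.rs` test no longer goes through an authorizer or builder: it calls the free function `load_and_translate_block` with a fresh `SymbolTable::new()`, `HashMap::new()` and `World::new()`. It therefore shows only that the helper rejects `test($unbound) <- pred($any)`, not that the builder path still surfaces `InvalidBlockRule` when such a block is loaded from a token. The bare `// FIXME` and the commented-out `/*builder .load_and_translate_block(...)*/` do not say what is left to do; replace them with something like `// FIXME: go through AuthorizerBuilder again instead of calling the helper directly` and delete the dead call. `HashMap` is used here while the import hunk above adds only `load_and_translate_block` and `World`, so confirm it is already in scope in `mod tests`. The test function starts and ends outside the hunk.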
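Review bot: The call in the block loop of `snapshot.rs` now hands `load_and_translate_block` three separate `&mut` borrows (`authorizer.symbols`, `public_key_to_block_id`, `authorizer.world`) positionally, and nothing at the call site says which state the helper updates or that the key map must already hold block `i`'s entries. The `.push(i);` just above looks like it fills that map, but its receiver is outside the hunk; a comment before the call, e.g. `// public_key_to_block_id must already contain block i's keys before translation`, would pin that ordering. It is also not visible whether the local `public_key_to_block_id` is stored on the authorizer after the loop; this is worth confirming, since the old method presumably reached that state through `self`.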
@@ -380,7 +380,7 @@ impl<'a> AuthorizerBuilder<'a> {
 }
 /// we need to modify the block loaded from the token, because the authorizer's and the token's symbol table can differ
-fn load_and_translate_block(
+pub(crate) fn load_and_translate_block(
 block: &mut Block,
 i: usize,
 token_symbols: &SymbolTable,
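Review bot: Now that `load_and_translate_block` is `pub(crate)` and called from `snapshot.rs` and the authorizer tests, its one-line doc comment is the only contract those callers have, and it mentions neither the mutable state the function is handed nor the error it returns. Expand it into a short rustdoc: a summary line saying that the block is rewritten in place against the authorizer's symbol table, a sentence listing which of the `&mut` arguments are updated, and an `# Errors` section naming `error::Token::FailedLogic(error::Logic::InvalidBlockRule(..))`, which the test in `authorizer.rs` expects for a rule whose head variable is unbound. The signature continues past the end of the hunk, so the remaining parameters are inferred from the call sites in this patch.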