
Commit

Merge commit from fork
* update samples

* move away from publicKeyToBlockId

* generate a full token in samples

* move the public key list from 3rd party block requests

* fix printing

* move fact and rule translation to Authorizer.update_on_token

* authorizer fixes

* test workarounds

* fix authorizer block translation

* cleanup

* v4.0.0
Geal authored Jul 31, 2024
1 parent 518d6ef commit f6b2f6f
Showing 15 changed files with 237 additions and 231 deletions.
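--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
 <groupId>org.biscuitsec</groupId>
 <artifactId>biscuit</artifactId>
 <packaging>jar</packaging>
-<version>3.0.2</version>
+<version>4.0.0</version>
 <name>biscuit-java</name>
 <url>https://github.com/biscuit-auth/biscuit-java</url>
 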
148 changes: 71 additions & 77 deletions src/main/java/org/biscuitsec/biscuit/token/Authorizer.java
Expand Up @@ -91,6 +91,29 @@ public Authorizer clone() {

public void update_on_token() throws Error.FailedLogic {
if (token != null) {
for(long i =0; i < token.blocks.size(); i++) {
Block block = token.blocks.get((int) i);

if (block.externalKey.isDefined()) {
PublicKey pk = block.externalKey.get();
long newKeyId = this.symbols.insert(pk);
if (!this.publicKeyToBlockId.containsKey(newKeyId)) {
List<Long> l = new ArrayList<>();
l.add(i + 1);
this.publicKeyToBlockId.put(newKeyId, l);
} else {
this.publicKeyToBlockId.get(newKeyId).add(i + 1);
}
}
}

TrustedOrigins authorityTrustedOrigins = TrustedOrigins.fromScopes(
token.authority.scopes,
TrustedOrigins.defaultOrigins(),
0,
this.publicKeyToBlockId
);

for (org.biscuitsec.biscuit.datalog.Fact fact : token.authority.facts) {
org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, token.symbols).convert(this.symbols);
world.add_fact(new Origin(0), converted_fact);
Expand All @@ -103,11 +126,51 @@ public void update_on_token() throws Error.FailedLogic {
if(res.isLeft()){
throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
}
TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
converted_rule.scopes(),
authorityTrustedOrigins,
0,
this.publicKeyToBlockId
);
world.add_rule((long) 0, ruleTrustedOrigins, converted_rule);
}
this.publicKeyToBlockId.putAll(token.publicKeyToBlockId);
for(Long keyId: token.publicKeyToBlockId.keySet()) {
PublicKey pk = token.symbols.get_pk((int) keyId.longValue()).get();
this.symbols.insert(pk);

for(long i =0; i < token.blocks.size(); i++) {
Block block = token.blocks.get((int)i);
TrustedOrigins blockTrustedOrigins = TrustedOrigins.fromScopes(
block.scopes,
TrustedOrigins.defaultOrigins(),
i + 1,
this.publicKeyToBlockId
);

SymbolTable blockSymbols = token.symbols;

if(block.externalKey.isDefined()) {
blockSymbols = new SymbolTable(block.symbols.symbols, block.publicKeys());
}

for (org.biscuitsec.biscuit.datalog.Fact fact : block.facts) {
org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, blockSymbols).convert(this.symbols);
world.add_fact(new Origin(i + 1), converted_fact);
}

for (org.biscuitsec.biscuit.datalog.Rule rule : block.rules) {
org.biscuitsec.biscuit.token.builder.Rule _rule = org.biscuitsec.biscuit.token.builder.Rule.convert_from(rule, blockSymbols);
org.biscuitsec.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);

Either<String, org.biscuitsec.biscuit.token.builder.Rule> res = _rule.validate_variables();
if (res.isLeft()) {
throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, this.symbols.print_rule(converted_rule)));
}
TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
converted_rule.scopes(),
blockTrustedOrigins,
i + 1,
this.publicKeyToBlockId
);
world.add_rule((long) i + 1, ruleTrustedOrigins, converted_rule);
}
}
}
}
Expand Down Expand Up @@ -331,77 +394,8 @@ public Long authorize(RunLimits limits) throws Error {
List<FailedCheck> errors = new LinkedList<>();
Option<Either<Integer, Integer>> policy_result = Option.none();

Origin authorizerOrigin = Origin.authorizer();
TrustedOrigins authorizerTrustedOrigins = this.authorizerTrustedOrigins();

if (token != null) {
for (org.biscuitsec.biscuit.datalog.Fact fact : token.authority.facts) {
org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, token.symbols).convert(this.symbols);
world.add_fact(new Origin(0), converted_fact);
}

TrustedOrigins authorityTrustedOrigins = TrustedOrigins.fromScopes(
token.authority.scopes,
TrustedOrigins.defaultOrigins(),
0,
this.publicKeyToBlockId
);

for (org.biscuitsec.biscuit.datalog.Rule rule : token.authority.rules) {
org.biscuitsec.biscuit.token.builder.Rule _rule = org.biscuitsec.biscuit.token.builder.Rule.convert_from(rule, token.symbols);
org.biscuitsec.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);

Either<String,org.biscuitsec.biscuit.token.builder.Rule> res = _rule.validate_variables();
if(res.isLeft()){
throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
}
TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
converted_rule.scopes(),
authorityTrustedOrigins,
0,
this.publicKeyToBlockId
);
world.add_rule((long) 0, ruleTrustedOrigins, converted_rule);
}

for (int i = 0; i < token.blocks.size(); i++) {
org.biscuitsec.biscuit.token.Block block = token.blocks.get(i);
TrustedOrigins blockTrustedOrigins = TrustedOrigins.fromScopes(
block.scopes,
TrustedOrigins.defaultOrigins(),
i + 1,
this.publicKeyToBlockId
);
SymbolTable blockSymbols = token.symbols;

if (block.externalKey.isDefined()) {
blockSymbols = new SymbolTable(block.symbols.symbols, token.symbols.publicKeys());
}

for (org.biscuitsec.biscuit.datalog.Fact fact : block.facts) {
org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, blockSymbols).convert(this.symbols);
world.add_fact(new Origin(i + 1), converted_fact);
}

for (org.biscuitsec.biscuit.datalog.Rule rule : block.rules) {
org.biscuitsec.biscuit.token.builder.Rule _rule = org.biscuitsec.biscuit.token.builder.Rule.convert_from(rule, blockSymbols);
org.biscuitsec.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);

Either<String, org.biscuitsec.biscuit.token.builder.Rule> res = _rule.validate_variables();
if (res.isLeft()) {
throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, this.symbols.print_rule(converted_rule)));
}
TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
converted_rule.scopes(),
blockTrustedOrigins,
i + 1,
this.publicKeyToBlockId
);
world.add_rule((long) i + 1, ruleTrustedOrigins, converted_rule);
}
}
}

world.run(limits, symbols);

for (int i = 0; i < this.checks.size(); i++) {
Expand Down Expand Up @@ -529,7 +523,7 @@ public Long authorize(RunLimits limits) throws Error {
);
SymbolTable blockSymbols = token.symbols;
if(b.externalKey.isDefined()) {
blockSymbols = new SymbolTable(b.symbols.symbols, token.symbols.publicKeys());
blockSymbols = new SymbolTable(b.symbols.symbols, b.publicKeys());
}

for (int j = 0; j < b.checks.size(); j++) {
Expand Down Expand Up @@ -608,15 +602,15 @@ public String print_world() {

if (this.token != null) {
for (int j = 0; j < this.token.authority.checks.size(); j++) {
checks.add("Block[0][" + j + "]: " + this.symbols.print_check(this.token.authority.checks.get(j)));
checks.add("Block[0][" + j + "]: " + token.symbols.print_check(this.token.authority.checks.get(j)));
}

for (int i = 0; i < this.token.blocks.size(); i++) {
Block b = this.token.blocks.get(i);

SymbolTable blockSymbols = token.symbols;
if(b.externalKey.isDefined()) {
blockSymbols = new SymbolTable(b.symbols.symbols, token.symbols.publicKeys());
blockSymbols = new SymbolTable(b.symbols.symbols, b.publicKeys());
}

for (int j = 0; j < b.checks.size(); j++) {
Expand Down Expand Up @@ -662,7 +656,7 @@ public List<Tuple2<Long, List<Check>>> checks() {
List<Check> blockChecks = new ArrayList<>();

if(block.externalKey.isDefined()) {
SymbolTable blockSymbols = new SymbolTable(block.symbols.symbols, token.symbols.publicKeys());
SymbolTable blockSymbols = new SymbolTable(block.symbols.symbols, block.publicKeys());
for(org.biscuitsec.biscuit.datalog.Check check: block.checks) {
blockChecks.add(Check.convert_from(check, blockSymbols));
}
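Review bot: In the per-block rule loop of update_on_token, the rejected rule is reported as `throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, this.symbols.print_rule(converted_rule)));` although the rule belongs to block `i + 1`, so a bad rule in an attenuation or third-party block is attributed to the authority block in the error; the first argument should be `i + 1` (cast as the constructor's parameter type requires), and the authority loop above it is the only place where `0` is correct. The authority loop prints its rejected rule with `token.symbols.print_rule(converted_rule)` while this loop uses `this.symbols`; since `converted_rule` comes from `.convert(this.symbols)`, the authorizer table looks like the right one in both places, which is worth confirming and making consistent. Because `authorize` no longer loads the token's facts and rules itself, the method now has to be called before every `authorize`, and since it only appends to `world` and `publicKeyToBlockId`, a second call on the same authorizer would presumably duplicate entries — a short Javadoc on update_on_token stating that it must run exactly once per token would make that contract visible. The method starts in the previous hunk.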
31 changes: 15 additions & 16 deletions src/main/java/org/biscuitsec/biscuit/token/Biscuit.java
Expand Up @@ -7,7 +7,7 @@
import org.biscuitsec.biscuit.datalog.SymbolTable;
import org.biscuitsec.biscuit.error.Error;
import org.biscuitsec.biscuit.token.format.SerializedBiscuit;
import io.vavr.Tuple3;
import io.vavr.Tuple2;
import io.vavr.control.Either;
import io.vavr.control.Option;

Expand Down Expand Up @@ -101,21 +101,20 @@ static private Biscuit make(final SecureRandom rng, final KeyPair root, final Op
} else {
SerializedBiscuit s = container.get();
List<byte[]> revocation_ids = s.revocation_identifiers();
HashMap<Long, List<Long>> publicKeyToBlockId = new HashMap<>();

Option<SerializedBiscuit> c = Option.some(s);
return new Biscuit(authority, blocks, authority.symbols, s, publicKeyToBlockId, revocation_ids, root_key_id);
return new Biscuit(authority, blocks, authority.symbols, s, revocation_ids, root_key_id);
}
}

Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit,
HashMap<Long, List<Long>> publicKeyToBlockId, List<byte[]> revocation_ids) {
super(authority, blocks, symbols, serializedBiscuit, publicKeyToBlockId, revocation_ids);
List<byte[]> revocation_ids) {
super(authority, blocks, symbols, serializedBiscuit, revocation_ids);
}

Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit,
HashMap<Long, List<Long>> publicKeyToBlockId, List<byte[]> revocation_ids, Option<Integer> root_key_id) {
super(authority, blocks, symbols, serializedBiscuit, publicKeyToBlockId, revocation_ids, root_key_id);
List<byte[]> revocation_ids, Option<Integer> root_key_id) {
super(authority, blocks, symbols, serializedBiscuit, revocation_ids, root_key_id);
}

/**
Expand Down Expand Up @@ -248,14 +247,13 @@ static public Biscuit from_bytes_with_symbols(byte[] data, KeyDelegate delegate,
* @return
*/
static Biscuit from_serialized_biscuit(SerializedBiscuit ser, SymbolTable symbols) throws Error {
Tuple3<Block, ArrayList<Block>, HashMap<Long, List<Long>>> t = ser.extractBlocks(symbols);
Tuple2<Block, ArrayList<Block>> t = ser.extractBlocks(symbols);
Block authority = t._1;
ArrayList<Block> blocks = t._2;
HashMap<Long, List<Long>> publicKeyToBlockId = t._3;

List<byte[]> revocation_ids = ser.revocation_identifiers();

return new Biscuit(authority, blocks, symbols, ser, publicKeyToBlockId, revocation_ids);
return new Biscuit(authority, blocks, symbols, ser, revocation_ids);
}

/**
Expand Down Expand Up @@ -311,7 +309,7 @@ public Biscuit attenuate(org.biscuitsec.biscuit.token.builder.Block block) throw
return attenuate(rng, keypair, block.build(builderSymbols));
}

public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair,org.biscuitsec.biscuit.token.builder.Block block) throws Error {
public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair, org.biscuitsec.biscuit.token.builder.Block block) throws Error {
SymbolTable builderSymbols = new SymbolTable(this.symbols);
return attenuate(rng, keypair, block.build(builderSymbols));
}
Expand Down Expand Up @@ -354,10 +352,7 @@ public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair, Block bl

List<byte[]> revocation_ids = container.revocation_identifiers();

HashMap<Long, List<Long>> publicKeyToBlockId = new HashMap<>();
publicKeyToBlockId.putAll(this.publicKeyToBlockId);

return new Biscuit(copiedBiscuit.authority, blocks, symbols, container, publicKeyToBlockId, revocation_ids);
return new Biscuit(copiedBiscuit.authority, blocks, symbols, container, revocation_ids);
}

/**
Expand Down Expand Up @@ -385,7 +380,11 @@ public String print() {
s.append("\n\tblocks: [\n");
for (Block b : this.blocks) {
s.append("\t\t");
s.append(b.print(this.symbols));
if(b.externalKey.isDefined()) {
s.append(b.print(b.symbols));
} else {
s.append(b.print(this.symbols));
}
s.append("\n");
}
s.append("\t]\n}");
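Review bot: `Option<SerializedBiscuit> c = Option.some(s);` in `make` is never read — the following `return new Biscuit(authority, blocks, authority.symbols, s, revocation_ids, root_key_id);` passes `s` directly — so the local can go along with the `publicKeyToBlockId` map this commit removes. In `print`, a third-party block is now rendered with `b.print(b.symbols)`, while Authorizer builds the table for the same block as `new SymbolTable(block.symbols.symbols, block.publicKeys())`; if the block's own table does not carry its public keys, the scopes and keys in the printed output would resolve against the wrong list, so routing both call sites through one shared helper on Block would keep display and authorization in agreement. `make`'s body begins before the hunk.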
54 changes: 50 additions & 4 deletions src/main/java/org/biscuitsec/biscuit/token/Block.java
Expand Up @@ -102,10 +102,10 @@ public String print(SymbolTable symbol_table) {
s.append("Block");
s.append(" {\n\t\tsymbols: ");
s.append(this.symbols.symbols);
s.append("\n\t\tpublic keys: ");
s.append(this.publicKeys);
s.append("\n\t\tsymbol public keys: ");
s.append(this.symbols.publicKeys());
s.append("\n\t\tblock public keys: ");
s.append(this.publicKeys);
s.append("\n\t\tcontext: ");
s.append(this.context);
if(this.externalKey.isDefined()) {
Expand Down Expand Up @@ -137,6 +137,47 @@ public String print(SymbolTable symbol_table) {
return s.toString();
}

public String printCode(SymbolTable symbol_table) {
StringBuilder s = new StringBuilder();

SymbolTable local_symbols;
if(this.externalKey.isDefined()) {
local_symbols = new SymbolTable(this.symbols);
for(PublicKey pk: symbol_table.publicKeys()) {
local_symbols.insert(pk);
}
} else {
local_symbols = symbol_table;
}
/*s.append("Block");
s.append(" {\n\t\tsymbols: ");
s.append(this.symbols.symbols);
s.append("\n\t\tsymbol public keys: ");
s.append(this.symbols.publicKeys());
s.append("\n\t\tblock public keys: ");
s.append(this.publicKeys);
s.append("\n\t\tcontext: ");
s.append(this.context);
if(this.externalKey.isDefined()) {
s.append("\n\t\texternal key: ");
s.append(this.externalKey.get().toString());
}*/
for (Scope scope : this.scopes) {
s.append("trusting "+local_symbols.print_scope(scope)+"\n");
}
for (Fact f : this.facts) {
s.append(local_symbols.print_fact(f)+";\n");
}
for (Rule r : this.rules) {
s.append(local_symbols.print_rule(r)+";\n");
}
for (Check c : this.checks) {
s.append(local_symbols.print_check(c)+";\n");
}

return s.toString();
}

/**
* Serializes a Block to its Protobuf representation
*
Expand Down Expand Up @@ -199,8 +240,11 @@ int getSchemaVersion() {
}
}

if(containsScopes || containsCheckAll || containsV4 || this.externalKey.isDefined()) {
if(this.externalKey.isDefined()) {
return SerializedBiscuit.MAX_SCHEMA_VERSION;

}else if(containsScopes || containsCheckAll || containsV4) {
return 4;
} else {
return SerializedBiscuit.MIN_SCHEMA_VERSION;
}
Expand Down Expand Up @@ -286,7 +330,9 @@ static public Either<Error.FormatError, Block> deserialize(Schema.Block b, Optio
ArrayList<PublicKey> publicKeys = new ArrayList<>();
for (Schema.PublicKey pk: b.getPublicKeysList()) {
try {
publicKeys.add(PublicKey.deserialize(pk));
PublicKey key =PublicKey.deserialize(pk);
publicKeys.add(key);
symbols.publicKeys().add(key);
} catch(Error.FormatError e) {
return Left(e);
}
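Review bot: In `deserialize`, the new `symbols.publicKeys().add(key);` appends to the symbol table's key list directly, whereas the rest of this commit inserts keys through the table (`this.symbols.insert(pk)` in Authorizer, `local_symbols.insert(pk)` in printCode); if `insert` de-duplicates or assigns indices, bypassing it can leave a duplicate or misnumbered key, and those indices are what `trusting` scopes are resolved against. Prefer `symbols.insert(key);` unless the raw append is intentional, in which case a comment saying why would help. The commented-out header block in printCode (from `/*s.append("Block");` to `}*/`) is dead code and should be removed. In getSchemaVersion, the blank line before `}else if(containsScopes || containsCheckAll || containsV4) {` looks accidental, and the literal `4` deserves a named constant alongside `MIN_SCHEMA_VERSION`/`MAX_SCHEMA_VERSION`. `deserialize` starts and ends outside the hunk.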

0 comments on commit f6b2f6f
