Merge commit from fork

* Isolate third party blocks public key tables Public key tables are now isolated from the rest of the token, same as for symbols. refactor: remove `public_key_to_block_id` from `Biscuit` Since it no longer carries indices but public keys directly, it does not bring anything compared to keys already carried by the blocks. * biscuit-auth 5.0.0 --------- Co-authored-by: Geoffroy Couprie <[email protected]>
biscuit-auth · Jul 31, 2024 · 61a12b0 · 61a12b0
1 parent c2618db
commit 61a12b0
Show file tree

Hide file tree

Showing 11 changed files with 71 additions and 181 deletions.
diff --git a/biscuit-auth/Cargo.toml b/biscuit-auth/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "biscuit-auth"
-version = "4.1.1"
+version = "5.0.0"
 description = "an authorization token with decentralized verification and offline attenuation"
 authors = ["Geoffroy Couprie <[email protected]>"]
 edition = "2018"

diff --git a/biscuit-auth/samples/README.md b/biscuit-auth/samples/README.md
@@ -1841,7 +1841,7 @@ allow if true;
 
 revocation ids:
 - `470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03`
-- `93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405`
+- `342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03`
 
 authorizer world:
 ```
@@ -2041,7 +2041,7 @@ check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755
 1:
 symbols: []
 
-public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"]
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"]
 
 external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
 
@@ -2055,7 +2055,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5
 2:
 symbols: []
 
-public keys: []
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"]
 
 external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"
 
@@ -2068,7 +2068,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5
 3:
 symbols: []
 
-public keys: []
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"]
 
 external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"
 
@@ -2081,7 +2081,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5
 4:
 symbols: []
 
-public keys: ["ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"]
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"]
 
 ```
 query(4);
@@ -2103,10 +2103,10 @@ allow if true;
 
 revocation ids:
 - `3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04`
-- `45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400`
-- `179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703`
-- `edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d`
-- `6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07`
+- `6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d`
+- `5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04`
+- `c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09`
+- `3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900`
 
 authorizer world:
 ```

diff --git a/biscuit-auth/samples/samples.json b/biscuit-auth/samples/samples.json
@@ -1798,7 +1798,7 @@
  "authorizer_code": "allow if true;\n",
  "revocation_ids": [
  "470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03",
- "93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405"
+ "342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03"
  ]
  }
  }
@@ -1939,26 +1939,34 @@
  {
  "symbols": [],
  "public_keys": [
- "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"
+ "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
+ "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
  ],
  "external_key": "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189",
  "code": "query(1);\nquery(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n"
  },
  {
  "symbols": [],
- "public_keys": [],
+ "public_keys": [
+ "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
+ "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
+ ],
  "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
  "code": "query(2);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n"
  },
  {
  "symbols": [],
- "public_keys": [],
+ "public_keys": [
+ "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
+ "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
+ ],
  "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
  "code": "query(3);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n"
  },
  {
  "symbols": [],
  "public_keys": [
+ "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
  "ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"
  ],
  "external_key": null,
@@ -2082,10 +2090,10 @@
  "authorizer_code": "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\n\ndeny if query(3);\ndeny if query(1, 2);\ndeny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\nallow if true;\n",
  "revocation_ids": [
  "3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04",
- "45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400",
- "179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703",
- "edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d",
- "6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07"
+ "6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d",
+ "5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04",
+ "c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09",
+ "3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900"
  ]
  }
  }

diff --git a/biscuit-auth/samples/test024_third_party.bc b/biscuit-auth/samples/test024_third_party.bc
diff --git a/biscuit-auth/samples/test026_public_keys_interning.bc b/biscuit-auth/samples/test026_public_keys_interning.bc
diff --git a/biscuit-auth/src/format/convert.rs b/biscuit-auth/src/format/convert.rs
@@ -77,6 +77,12 @@ pub fn proto_block_to_token_block(
  ));
  }
 
+ if version != MAX_SCHEMA_VERSION && external_key.is_some() {
+ return Err(error::Format::DeserializationError(
+ "deserialization error: third-party blocks must be v5".to_string(),
+ ));
+ }
+
  for check in input.checks_v2.iter() {
  checks.push(v2::proto_check_to_token_check(check, version)?);
  }
@@ -86,12 +92,12 @@ pub fn proto_block_to_token_block(
 
  let context = input.context.clone();
 
- let symbols = SymbolTable::from(input.symbols.clone())?;
  let mut public_keys = PublicKeys::new();
-
  for pk in &input.public_keys {
  public_keys.insert_fallible(&PublicKey::from_proto(pk)?)?;
  }
+ let symbols =
+ SymbolTable::from_symbols_and_public_keys(input.symbols.clone(), public_keys.keys.clone())?;
 
  let detected_schema_version = get_schema_version(&facts, &rules, &checks, &scopes);
 

diff --git a/biscuit-auth/src/format/mod.rs b/biscuit-auth/src/format/mod.rs
@@ -14,7 +14,6 @@ use super::token::Block;
 use crate::crypto::ExternalSignature;
 use crate::datalog::SymbolTable;
 use crate::token::RootKeyProvider;
-use std::collections::HashMap;
 use std::convert::TryInto;
 
 /// Structures generated from the Protobuf schema
@@ -143,14 +142,7 @@ impl SerializedBiscuit {
  pub(crate) fn extract_blocks(
  &self,
  symbols: &mut SymbolTable,
- ) -> Result<
- (
- schema::Block,
- Vec<schema::Block>,
- HashMap<usize, Vec<usize>>,
- ),
- error::Token,
- > {
+ ) -> Result<(schema::Block, Vec<schema::Block>), error::Token> {
  let mut block_external_keys = Vec::new();
 
  let authority = schema::Block::decode(&self.authority.data[..]).map_err(|e| {
@@ -182,34 +174,21 @@ impl SerializedBiscuit {
  })?;
 
  if let Some(external_signature) = &block.external_signature {
- symbols.public_keys.insert(&external_signature.public_key);
  block_external_keys.push(Some(external_signature.public_key));
  } else {
  block_external_keys.push(None);
  symbols.extend(&SymbolTable::from(deser.symbols.clone())?)?;
- }
-
- for pk in &deser.public_keys {
- symbols
- .public_keys
- .insert_fallible(&PublicKey::from_proto(pk)?)?;
+ for pk in &deser.public_keys {
+ symbols
+ .public_keys
+ .insert_fallible(&PublicKey::from_proto(pk)?)?;
+ }
  }
 
  blocks.push(deser);
  }
 
- let mut public_key_to_block_id: HashMap<usize, Vec<usize>> = HashMap::new();
- for (index, opt_key) in block_external_keys.into_iter().enumerate() {
- if let Some(key) = opt_key {
- if let Some(key_index) = symbols.public_keys.get(&key) {
- public_key_to_block_id
- .entry(key_index as usize)
- .or_default()
- .push(index);
- }
- }
- }
- Ok((authority, blocks, public_key_to_block_id))
+ Ok((authority, blocks))
  }
 
  /// serializes the token

diff --git a/biscuit-auth/src/token/authorizer.rs b/biscuit-auth/src/token/authorizer.rs
@@ -5,7 +5,7 @@ use super::builder::{
 };
 use super::builder_ext::{AuthorizerExt, BuilderExt};
 use super::{Biscuit, Block};
-use crate::builder::{CheckKind, Convert};
+use crate::builder::{self, CheckKind, Convert};
 use crate::crypto::PublicKey;
 use crate::datalog::{self, Origin, RunLimits, SymbolTable, TrustedOrigins};
 use crate::error;
@@ -87,16 +87,15 @@ impl Authorizer {
  return Err(error::Logic::AuthorizerNotEmpty.into());
  }
 
- for (key_id, block_ids) in &token.public_key_to_block_id {
- let key = token
- .symbols
- .public_keys
- .get_key(*key_id as u64)
- .ok_or(error::Format::UnknownExternalKey)?;
- let new_key_id = self.symbols.public_keys.insert(key);
+ for (i, block) in token.container.blocks.iter().enumerate() {
+ if let Some(sig) = block.external_signature.as_ref() {
+ let new_key_id = self.symbols.public_keys.insert(&sig.public_key);
 
- self.public_key_to_block_id
- .insert(new_key_id as usize, block_ids.clone());
+ self.public_key_to_block_id
+ .entry(new_key_id as usize)
+ .or_default()
+ .push(i + 1);
+ }
  }
 
  let mut blocks = Vec::new();
@@ -120,7 +119,7 @@ impl Authorizer {
  Ok(())
  }
 
- /// we need to modify the block loaded from the token, because the authorizer's and th token's symbol table can differ
+ /// we need to modify the block loaded from the token, because the authorizer's and the token's symbol table can differ
  fn load_and_translate_block(
  &mut self,
  block: &mut Block,
@@ -131,14 +130,17 @@ impl Authorizer {
  let block_symbols = if i == 0 || block.external_key.is_none() {
  token_symbols.clone()
  } else {
- let mut symbols = block.symbols.clone();
- symbols.public_keys = token_symbols.public_keys.clone();
- symbols
+ block.symbols.clone()
  };
 
  let mut block_origin = Origin::default();
  block_origin.insert(i);
 
+ for scope in block.scopes.iter_mut() {
+ *scope = builder::Scope::convert_from(scope, &block_symbols)
+ .map(|s| s.convert(&mut self.symbols))?;
+ }
+
  let block_trusted_origins = TrustedOrigins::from_scopes(
  &block.scopes,
  &TrustedOrigins::default(),