From 2c529f2583961dc456e9476c1f3503d12b70821c Mon Sep 17 00:00:00 2001
From: Geoffroy Couprie
Date: Thu, 4 Jan 2024 18:36:34 +0100
Subject: [PATCH] fix scopes execution
---
 .../clevercloud/biscuit/token/Authorizer.java | 41 ++++++++++++++-----
 .../biscuit/token/builder/Biscuit.java | 8 ++--
 .../biscuit/token/builder/Block.java | 8 ++--
 .../token/format/SerializedBiscuit.java | 6 +--
 4 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/src/main/java/com/clevercloud/biscuit/token/Authorizer.java b/src/main/java/com/clevercloud/biscuit/token/Authorizer.java
index 6a1afabd..162c82dc 100644
--- a/src/main/java/com/clevercloud/biscuit/token/Authorizer.java
+++ b/src/main/java/com/clevercloud/biscuit/token/Authorizer.java
@@ -1,5 +1,6 @@
 package com.clevercloud.biscuit.token;
+import com.clevercloud.biscuit.crypto.PublicKey;
 import com.clevercloud.biscuit.datalog.*;
 import com.clevercloud.biscuit.datalog.Scope;
 import com.clevercloud.biscuit.error.Error;
@@ -108,6 +109,10 @@ public void update_on_token() throws Error.FailedLogic {
 }
 }
 this.publicKeyToBlockId.putAll(token.publicKeyToBlockId);
+ for(Long keyId: token.publicKeyToBlockId.keySet()) { PublicKey pk = token.symbols.get_pk((int) keyId.longValue()).get(); this.symbols.insert(pk);
+ }
 }
 }
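Review bot: `token.symbols.get_pk((int) keyId.longValue()).get()` in the new loop of update_on_token unwraps the lookup without checking it, so a key id present in `token.publicKeyToBlockId` but absent from the token's symbol table surfaces as an unchecked NoSuchElementException (assuming `get_pk` returns a vavr Option, as the `isDefined()`/`Option.some` usage elsewhere in this patch suggests) rather than the `Error.FailedLogic` the method declares. Prefer `Option<PublicKey> pk = token.symbols.get_pk((int) keyId.longValue());` followed by `if (pk.isEmpty()) { throw new Error.FailedLogic(/* TODO: LogicError describing a key id missing from the token symbol table */); }` before `this.symbols.insert(pk.get());`. The loop also walks `keySet()` in map-iteration order, so if `publicKeyToBlockId` is a HashMap the index that `this.symbols.insert` assigns is not in general equal to `keyId`; a comment stating which table's numbering the copied map entries are expected to carry would let a reader confirm the later `TrustedOrigins.fromScopes` lookups against `this.publicKeyToBlockId` are consistent. update_on_token's body starts and ends outside the hunk.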
@@ -336,8 +341,16 @@ public Long authorize(RunLimits limits) throws Error {
 if (token != null) {
 for (com.clevercloud.biscuit.datalog.Fact fact : token.authority.facts) {
 com.clevercloud.biscuit.datalog.Fact converted_fact = Fact.convert_from(fact, token.symbols).convert(this.symbols);
- world.add_fact(authorizerOrigin, converted_fact);
+ world.add_fact(new Origin(0), converted_fact);
 }
+
+ TrustedOrigins authorityTrustedOrigins = TrustedOrigins.fromScopes( token.authority.scopes, TrustedOrigins.defaultOrigins(), 0, this.publicKeyToBlockId );
+ for (com.clevercloud.biscuit.datalog.Rule rule : token.authority.rules) {
 com.clevercloud.biscuit.token.builder.Rule _rule = Rule.convert_from(rule, token.symbols);
 com.clevercloud.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);
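Review bot: `token.authority.scopes` is handed to `TrustedOrigins.fromScopes` in the token's symbol-table numbering, whereas the rule scopes a few lines later (`converted_rule.scopes()` in the @@ -346 hunk) are first converted into `this.symbols`; both are then resolved against the same `this.publicKeyToBlockId` map. Unless the authorizer's and the token's public-key tables are guaranteed to assign identical indices to the same key, one of the two lookups resolves to the wrong set of trusted blocks, which for a trust decision is a silent authorization error rather than a crash. The same unconverted use is `block.scopes` in the @@ -346 hunk. Either convert block-level scopes through `this.symbols` the way rules are, or document the invariant at this call site, e.g. `// block scopes use token.symbols key ids; publicKeyToBlockId is keyed the same way (see update_on_token)`. The enclosing `authorize` method starts and ends outside the hunk.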
@@ -346,27 +359,35 @@ public Long authorize(RunLimits limits) throws Error {
 if(res.isLeft()){
 throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
 }
+ TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes( converted_rule.scopes(), authorityTrustedOrigins, 0, this.publicKeyToBlockId );
+ world.add_rule((long) 0, ruleTrustedOrigins, converted_rule);
 }
 for (int i = 0; i < token.blocks.size(); i++) {
- Block b = token.blocks.get(i);
+ Block block = token.blocks.get(i);
 TrustedOrigins blockTrustedOrigins = TrustedOrigins.fromScopes(
- b.scopes,
+ block.scopes,
 TrustedOrigins.defaultOrigins(), i + 1, this.publicKeyToBlockId );
 SymbolTable blockSymbols = token.symbols;
- if (b.externalKey.isDefined()) {
- blockSymbols = new SymbolTable(b.symbols.symbols, symbols.publicKeys);
+
+ if (block.externalKey.isDefined()) {
+ blockSymbols = new SymbolTable(block.symbols.symbols, token.symbols.publicKeys());
 }
- for (com.clevercloud.biscuit.datalog.Fact fact : b.facts) {
+ for (com.clevercloud.biscuit.datalog.Fact fact : block.facts) {
 com.clevercloud.biscuit.datalog.Fact converted_fact = Fact.convert_from(fact, blockSymbols).convert(this.symbols);
 world.add_fact(new Origin(i + 1), converted_fact);
 }
- for (com.clevercloud.biscuit.datalog.Rule rule : b.rules) {
+ for (com.clevercloud.biscuit.datalog.Rule rule : block.rules) {
 com.clevercloud.biscuit.token.builder.Rule _rule = Rule.convert_from(rule, blockSymbols);
 com.clevercloud.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);
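Review bot: The external-key special case `blockSymbols = new SymbolTable(block.symbols.symbols, token.symbols.publicKeys())` now appears here and again in the checks loop at @@ -512, where the loop variable is still `b` rather than the `block` this hunk renamed it to, so the two copies are already drifting in style and will drift in substance next. A small private helper, `private SymbolTable blockSymbols(Block b) { return b.externalKey.isDefined() ? new SymbolTable(b.symbols.symbols, token.symbols.publicKeys()) : token.symbols; }`, called from both loops would keep rule and check evaluation on the same table. The newly added `world.add_rule((long) 0, ruleTrustedOrigins, converted_rule);` also deserves a one-line comment such as `// authority rules run at origin 0 and trust only what the authority block's scopes allow`, since the per-block equivalent below is computed from `blockTrustedOrigins` outside this hunk and a reader has to pair the two. The enclosing `authorize` method continues outside the hunk on both sides.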
@@ -478,13 +499,13 @@ public Long authorize(RunLimits limits) throws Error {
 for (int j = 0; j < policy.queries.size(); j++) {
 com.clevercloud.biscuit.datalog.Rule query = policy.queries.get(j).convert(symbols);
- TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
+ TrustedOrigins policyTrustedOrigins = TrustedOrigins.fromScopes(
 query.scopes(), authorizerTrustedOrigins, Long.MAX_VALUE, this.publicKeyToBlockId );
- boolean res = world.query_match(query, Long.MAX_VALUE, ruleTrustedOrigins, symbols);
+ boolean res = world.query_match(query, Long.MAX_VALUE, policyTrustedOrigins, symbols);
 if (Instant.now().compareTo(timeLimit) >= 0) {
 throw new Error.Timeout();
@@ -512,7 +533,7 @@ public Long authorize(RunLimits limits) throws Error {
 );
 SymbolTable blockSymbols = token.symbols;
 if(b.externalKey.isDefined()) {
- blockSymbols = new SymbolTable(b.symbols.symbols, symbols.publicKeys);
+ blockSymbols = new SymbolTable(b.symbols.symbols, token.symbols.publicKeys());
 }
 for (int j = 0; j < b.checks.size(); j++) {
diff --git a/src/main/java/com/clevercloud/biscuit/token/builder/Biscuit.java b/src/main/java/com/clevercloud/biscuit/token/builder/Biscuit.java
index 4aabf2f9..ac6e3ad2 100644
--- a/src/main/java/com/clevercloud/biscuit/token/builder/Biscuit.java
+++ b/src/main/java/com/clevercloud/biscuit/token/builder/Biscuit.java
@@ -37,8 +37,8 @@ public class Biscuit {
 public Biscuit(final SecureRandom rng, final KeyPair root, SymbolTable base_symbols) {
 this.rng = rng;
 this.root = root;
- this.symbol_start = base_symbols.symbols.size();
- this.publicKeyStart = base_symbols.publicKeys.size();
+ this.symbol_start = base_symbols.currentOffset();
+ this.publicKeyStart = base_symbols.currentPublicKeyOffset();
 this.symbols = new SymbolTable(base_symbols);
 this.context = "";
 this.facts = new ArrayList<>();
@@ -145,8 +145,8 @@ public com.clevercloud.biscuit.token.Biscuit build() throws Error {
 }
 List publicKeys = new ArrayList<>();
- for (int i = this.publicKeyStart; i < this.symbols.publicKeys.size(); i++) {
- publicKeys.add(this.symbols.publicKeys.get(i));
+ for (int i = this.publicKeyStart; i < this.symbols.currentPublicKeyOffset(); i++) {
+ publicKeys.add(this.symbols.publicKeys().get(i));
 }
 SchemaVersion schemaVersion = new SchemaVersion(this.facts, this.rules, this.checks, this.scopes);
diff --git a/src/main/java/com/clevercloud/biscuit/token/builder/Block.java b/src/main/java/com/clevercloud/biscuit/token/builder/Block.java
index 1599932a..5d639efb 100644
--- a/src/main/java/com/clevercloud/biscuit/token/builder/Block.java
+++ b/src/main/java/com/clevercloud/biscuit/token/builder/Block.java
@@ -34,8 +34,8 @@ public class Block {
 public Block(long index, SymbolTable base_symbols) {
 this.index = index;
- this.symbol_start = base_symbols.symbols.size();
- this.publicKeyStart = base_symbols.publicKeys.size();
+ this.symbol_start = base_symbols.currentOffset();
+ this.publicKeyStart = base_symbols.currentPublicKeyOffset();
 this.symbols = new SymbolTable(base_symbols);
 this.context = "";
 this.facts = new ArrayList<>();
@@ -116,8 +116,8 @@ public com.clevercloud.biscuit.token.Block build() {
 }
 List publicKeys = new ArrayList<>();
- for (int i = this.publicKeyStart; i < this.symbols.publicKeys.size(); i++) {
- publicKeys.add(this.symbols.publicKeys.get(i));
+ for (int i = this.publicKeyStart; i < this.symbols.currentPublicKeyOffset(); i++) {
+ publicKeys.add(this.symbols.publicKeys().get(i));
 }
 SchemaVersion schemaVersion = new SchemaVersion(this.facts, this.rules, this.checks, this.scopes);
diff --git a/src/main/java/com/clevercloud/biscuit/token/format/SerializedBiscuit.java b/src/main/java/com/clevercloud/biscuit/token/format/SerializedBiscuit.java
index 7aa4ea2f..8f4d6094 100644
--- a/src/main/java/com/clevercloud/biscuit/token/format/SerializedBiscuit.java
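Review bot: The new loop bound mixes an offset with a list index: `for (int i = this.publicKeyStart; i < this.symbols.currentPublicKeyOffset(); i++)` stops at `currentPublicKeyOffset()` but reads `this.symbols.publicKeys().get(i)`, which is only correct if that offset always equals `publicKeys().size()`, i.e. the public-key table carries no base offset the way `currentOffset()` presumably does for symbols. If that invariant holds, `publicKeys.addAll(this.symbols.publicKeys().subList(this.publicKeyStart, this.symbols.currentPublicKeyOffset()));` states it explicitly and replaces the manual loop; if it does not, the bound should stay `publicKeys().size()` or the index arithmetic needs the offset subtracted. The identical pattern is introduced in Block.java at @@ -116, and the matching constructor changes that make `publicKeyStart` an offset are at Biscuit.java @@ -37 and Block.java @@ -34. The enclosing `build()` method starts and ends outside the hunk.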
+++ b/src/main/java/com/clevercloud/biscuit/token/format/SerializedBiscuit.java
@@ -460,7 +460,7 @@ public Tuple3, HashMap>> extractBlocks(
 }
 Block authority = authRes.get();
 for(PublicKey pk: authority.publicKeys()) {
- symbols.publicKeys.add(pk);
+ symbols.insert(pk);
 }
 blockExternalKeys.add(Option.none());
@@ -483,7 +483,7 @@ public Tuple3, HashMap>> extractBlocks(
 // blocks with external signatures keep their own symbol table
 if(bdata.externalSignature.isDefined()) {
- symbols.publicKeys.add(bdata.externalSignature.get().key);
+ symbols.insert(bdata.externalSignature.get().key);
 blockExternalKeys.add(Option.some(bdata.externalSignature.get().key));
 } else {
 blockExternalKeys.add(Option.none());
@@ -492,7 +492,7 @@ public Tuple3, HashMap>> extractBlocks(
 }
 }
 for(PublicKey pk: block.publicKeys()) {
- symbols.publicKeys.add(pk);
+ symbols.insert(pk);
 }
 blocks.add(block);
 }
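Review bot: `bdata.externalSignature.get()` is evaluated twice on consecutive lines in the @@ -483 hunk, once for the new `symbols.insert(...)` and once for `blockExternalKeys.add(Option.some(...))`; hoisting it as `PublicKey externalKey = bdata.externalSignature.get().key;` and then using `symbols.insert(externalKey);` and `blockExternalKeys.add(Option.some(externalKey));` removes the repeated unwrap. All three hunks in this file (@@ -460, @@ -483, @@ -492) replace a bare `symbols.publicKeys.add(pk)` with `symbols.insert(pk)` and discard whatever `insert` returns; if `insert` deduplicates or hands back the assigned index, a one-line comment at the first loop, e.g. `// insert() lets the symbol table own public-key numbering instead of appending blindly`, would record why the list is no longer appended to directly, since that numbering is what block scopes are later resolved against. The enclosing `extractBlocks` method starts and ends outside these hunks.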