Merge branch 'master' into ec_p256

# Conflicts:
#	src/main/java/org/biscuitsec/biscuit/token/UnverifiedBiscuit.java

.github/workflows/deploy_to_central.yaml

@@ -6,11 +6,13 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout
+        uses: actions/checkout@v2
       - name: Install gpg secret key
         run: |
           cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
-      - name: Checkout
-        uses: actions/checkout@v2
+      - name: Build with Maven
+        run: mvn package
       - name: Set up Maven Central Repository
         uses: actions/setup-java@v2
         with:
@@ -19,8 +21,10 @@ jobs:
           server-id: ossrh
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD
+          gpg-passphrase: GPG_PASS
       - name: Publish package
-        run: mvn --batch-mode -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} deploy -Pdeploy
+        run: mvn deploy -Pdeploy
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          GPG_PASS: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}

pom.xml

@@ -4,7 +4,7 @@
     <groupId>org.biscuitsec</groupId>
     <artifactId>biscuit</artifactId>
     <packaging>jar</packaging>
-    <version>3.0.2</version>
+    <version>4.0.0</version>
     <name>biscuit-java</name>
     <url>https://github.com/biscuit-auth/biscuit-java</url>
 
@@ -25,7 +25,7 @@
         <maven-compiler-plugin.version>3.10.0</maven-compiler-plugin.version>
 
         <!-- dependencies -->
-        <protobuf.version>3.25.0</protobuf.version>
+        <protobuf.version>3.25.5</protobuf.version>
         <protobuf-maven-plugin.version>0.6.1</protobuf-maven-plugin.version>
         <os-maven-plugin.version>1.7.1</os-maven-plugin.version>
         <net.i2p.crypto.eddsa.version>0.3.0</net.i2p.crypto.eddsa.version>

src/main/java/org/biscuitsec/biscuit/datalog/MatchedVariables.java

@@ -70,9 +70,12 @@ public Option<Map<Long, Term>> check_expressions(List<Expression> expressions, S
          for(Expression e: expressions) {
             Term term = e.evaluate(variables, new TemporarySymbolTable(symbols));
 
-            if(!term.equals(new Term.Bool(true))) {
+            if(! (term instanceof Term.Bool)) {
                throw new Error.InvalidType();
             }
+            if(!term.equals(new Term.Bool(true))) {
+               return Option.none();
+            }
          }
 
          return Option.some(variables);

src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java

@@ -10,6 +10,7 @@
 import io.vavr.control.Either;
 import io.vavr.control.Option;
 
+import java.io.UnsupportedEncodingException;
 import java.util.*;
 
 import static io.vavr.API.Left;
@@ -136,7 +137,11 @@ public void evaluate(Deque<Term> stack, Map<Long, Term> variables, TemporarySymb
                         if(s.isEmpty()) {
                             throw new Error.Execution("string not found in symbols for id"+value);
                         } else {
-                            stack.push(new Term.Integer(s.get().length()));
+                            try {
+                                stack.push(new Term.Integer(s.get().getBytes("UTF-8").length));
+                            } catch (UnsupportedEncodingException e) {
+                                throw new Error.Execution("cannot calculate string length: "+e.toString());
+                            }
                         }
                     } else if (value instanceof Term.Bytes) {
                         stack.push(new Term.Integer(((Term.Bytes) value).value().length));

src/main/java/org/biscuitsec/biscuit/token/Authorizer.java

@@ -89,6 +89,29 @@ public Authorizer clone() {
 
     public void update_on_token() throws Error.FailedLogic {
         if (token != null) {
+            for(long i =0; i < token.blocks.size(); i++) {
+                Block block = token.blocks.get((int) i);
+
+                if (block.externalKey.isDefined()) {
+                    PublicKey pk = block.externalKey.get();
+                    long newKeyId = this.symbols.insert(pk);
+                    if (!this.publicKeyToBlockId.containsKey(newKeyId)) {
+                        List<Long> l = new ArrayList<>();
+                        l.add(i + 1);
+                        this.publicKeyToBlockId.put(newKeyId, l);
+                    } else {
+                        this.publicKeyToBlockId.get(newKeyId).add(i + 1);
+                    }
+                }
+            }
+
+            TrustedOrigins authorityTrustedOrigins = TrustedOrigins.fromScopes(
+                    token.authority.scopes,
+                    TrustedOrigins.defaultOrigins(),
+                    0,
+                    this.publicKeyToBlockId
+            );
+
             for (org.biscuitsec.biscuit.datalog.Fact fact : token.authority.facts) {
                 org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, token.symbols).convert(this.symbols);
                 world.add_fact(new Origin(0), converted_fact);
@@ -101,11 +124,51 @@ public void update_on_token() throws Error.FailedLogic {
                 if(res.isLeft()){
                     throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
                 }
+                TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
+                        converted_rule.scopes(),
+                        authorityTrustedOrigins,
+                        0,
+                        this.publicKeyToBlockId
+                );
+                world.add_rule((long) 0, ruleTrustedOrigins, converted_rule);
             }
-            this.publicKeyToBlockId.putAll(token.publicKeyToBlockId);
-            for(Long keyId: token.publicKeyToBlockId.keySet()) {
-                PublicKey pk = token.symbols.get_pk((int) keyId.longValue()).get();
-                this.symbols.insert(pk);
+
+            for(long i =0; i < token.blocks.size(); i++) {
+                Block block = token.blocks.get((int)i);
+                TrustedOrigins blockTrustedOrigins = TrustedOrigins.fromScopes(
+                        block.scopes,
+                        TrustedOrigins.defaultOrigins(),
+                        i + 1,
+                        this.publicKeyToBlockId
+                );
+
+                SymbolTable blockSymbols = token.symbols;
+
+                if(block.externalKey.isDefined()) {
+                    blockSymbols = new SymbolTable(block.symbols.symbols, block.publicKeys());
+                }
+
+                for (org.biscuitsec.biscuit.datalog.Fact fact : block.facts) {
+                    org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, blockSymbols).convert(this.symbols);
+                    world.add_fact(new Origin(i + 1), converted_fact);
+                }
+
+                for (org.biscuitsec.biscuit.datalog.Rule rule : block.rules) {
+                    org.biscuitsec.biscuit.token.builder.Rule _rule = org.biscuitsec.biscuit.token.builder.Rule.convert_from(rule, blockSymbols);
+                    org.biscuitsec.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);
+
+                    Either<String, org.biscuitsec.biscuit.token.builder.Rule> res = _rule.validate_variables();
+                    if (res.isLeft()) {
+                        throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, this.symbols.print_rule(converted_rule)));
+                    }
+                    TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
+                            converted_rule.scopes(),
+                            blockTrustedOrigins,
+                            i + 1,
+                            this.publicKeyToBlockId
+                    );
+                    world.add_rule((long) i + 1, ruleTrustedOrigins, converted_rule);
+                }
             }
         }
     }
@@ -329,77 +392,8 @@ public Long authorize(RunLimits limits) throws Error {
         List<FailedCheck> errors = new LinkedList<>();
         Option<Either<Integer, Integer>> policy_result = Option.none();
 
-        Origin authorizerOrigin = Origin.authorizer();
         TrustedOrigins authorizerTrustedOrigins = this.authorizerTrustedOrigins();
 
-        if (token != null) {
-            for (org.biscuitsec.biscuit.datalog.Fact fact : token.authority.facts) {
-                org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, token.symbols).convert(this.symbols);
-                world.add_fact(new Origin(0), converted_fact);
-            }
-
-            TrustedOrigins authorityTrustedOrigins = TrustedOrigins.fromScopes(
-                    token.authority.scopes,
-                    TrustedOrigins.defaultOrigins(),
-                    0,
-                    this.publicKeyToBlockId
-            );
-
-            for (org.biscuitsec.biscuit.datalog.Rule rule : token.authority.rules) {
-                org.biscuitsec.biscuit.token.builder.Rule _rule = org.biscuitsec.biscuit.token.builder.Rule.convert_from(rule, token.symbols);
-                org.biscuitsec.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);
-
-                Either<String,org.biscuitsec.biscuit.token.builder.Rule> res = _rule.validate_variables();
-                if(res.isLeft()){
-                    throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
-                }
-                TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
-                        converted_rule.scopes(),
-                        authorityTrustedOrigins,
-                        0,
-                        this.publicKeyToBlockId
-                );
-                world.add_rule((long) 0, ruleTrustedOrigins, converted_rule);
-            }
-
-            for (int i = 0; i < token.blocks.size(); i++) {
-                org.biscuitsec.biscuit.token.Block block = token.blocks.get(i);
-                TrustedOrigins blockTrustedOrigins = TrustedOrigins.fromScopes(
-                        block.scopes,
-                        TrustedOrigins.defaultOrigins(),
-                        i + 1,
-                        this.publicKeyToBlockId
-                );
-                SymbolTable blockSymbols = token.symbols;
-
-                if (block.externalKey.isDefined()) {
-                    blockSymbols = new SymbolTable(block.symbols.symbols, token.symbols.publicKeys());
-                }
-
-                for (org.biscuitsec.biscuit.datalog.Fact fact : block.facts) {
-                    org.biscuitsec.biscuit.datalog.Fact converted_fact = org.biscuitsec.biscuit.token.builder.Fact.convert_from(fact, blockSymbols).convert(this.symbols);
-                    world.add_fact(new Origin(i + 1), converted_fact);
-                }
-
-                for (org.biscuitsec.biscuit.datalog.Rule rule : block.rules) {
-                    org.biscuitsec.biscuit.token.builder.Rule _rule = org.biscuitsec.biscuit.token.builder.Rule.convert_from(rule, blockSymbols);
-                    org.biscuitsec.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);
-
-                    Either<String, org.biscuitsec.biscuit.token.builder.Rule> res = _rule.validate_variables();
-                    if (res.isLeft()) {
-                        throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, this.symbols.print_rule(converted_rule)));
-                    }
-                    TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
-                            converted_rule.scopes(),
-                            blockTrustedOrigins,
-                            i + 1,
-                            this.publicKeyToBlockId
-                    );
-                    world.add_rule((long) i + 1, ruleTrustedOrigins, converted_rule);
-                }
-            }
-        }
-
         world.run(limits, symbols);
 
         for (int i = 0; i < this.checks.size(); i++) {
@@ -527,7 +521,7 @@ public Long authorize(RunLimits limits) throws Error {
                 );
                 SymbolTable blockSymbols = token.symbols;
                 if(b.externalKey.isDefined()) {
-                    blockSymbols = new SymbolTable(b.symbols.symbols, token.symbols.publicKeys());
+                    blockSymbols = new SymbolTable(b.symbols.symbols, b.publicKeys());
                 }
 
                 for (int j = 0; j < b.checks.size(); j++) {
@@ -606,15 +600,15 @@ public String print_world() {
 
         if (this.token != null) {
             for (int j = 0; j < this.token.authority.checks.size(); j++) {
-                checks.add("Block[0][" + j + "]: " + this.symbols.print_check(this.token.authority.checks.get(j)));
+                checks.add("Block[0][" + j + "]: " + token.symbols.print_check(this.token.authority.checks.get(j)));
             }
 
             for (int i = 0; i < this.token.blocks.size(); i++) {
                 Block b = this.token.blocks.get(i);
 
                 SymbolTable blockSymbols = token.symbols;
                 if(b.externalKey.isDefined()) {
-                    blockSymbols = new SymbolTable(b.symbols.symbols, token.symbols.publicKeys());
+                    blockSymbols = new SymbolTable(b.symbols.symbols, b.publicKeys());
                 }
 
                 for (int j = 0; j < b.checks.size(); j++) {
@@ -660,7 +654,7 @@ public List<Tuple2<Long, List<Check>>> checks() {
             List<Check> blockChecks = new ArrayList<>();
 
             if(block.externalKey.isDefined()) {
-                SymbolTable blockSymbols = new SymbolTable(block.symbols.symbols, token.symbols.publicKeys());
+                SymbolTable blockSymbols = new SymbolTable(block.symbols.symbols, block.publicKeys());
                 for(org.biscuitsec.biscuit.datalog.Check check: block.checks) {
                     blockChecks.add(Check.convert_from(check, blockSymbols));
                 }

src/main/java/org/biscuitsec/biscuit/token/Biscuit.java

@@ -8,7 +8,7 @@
 import org.biscuitsec.biscuit.datalog.SymbolTable;
 import org.biscuitsec.biscuit.error.Error;
 import org.biscuitsec.biscuit.token.format.SerializedBiscuit;
-import io.vavr.Tuple3;
+import io.vavr.Tuple2;
 import io.vavr.control.Either;
 import io.vavr.control.Option;
 
@@ -102,21 +102,20 @@ static private Biscuit make(final SecureRandom rng, final KeyPair root, final Op
         } else {
             SerializedBiscuit s = container.get();
             List<byte[]> revocation_ids = s.revocation_identifiers();
-            HashMap<Long, List<Long>> publicKeyToBlockId = new HashMap<>();
 
             Option<SerializedBiscuit> c = Option.some(s);
-            return new Biscuit(authority, blocks, authority.symbols, s, publicKeyToBlockId, revocation_ids, root_key_id);
+            return new Biscuit(authority, blocks, authority.symbols, s, revocation_ids, root_key_id);
         }
     }
 
     Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit,
-            HashMap<Long, List<Long>> publicKeyToBlockId, List<byte[]> revocation_ids) {
-        super(authority, blocks, symbols, serializedBiscuit, publicKeyToBlockId, revocation_ids);
+            List<byte[]> revocation_ids) {
+        super(authority, blocks, symbols, serializedBiscuit,  revocation_ids);
     }
 
     Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit,
-            HashMap<Long, List<Long>> publicKeyToBlockId, List<byte[]> revocation_ids, Option<Integer> root_key_id) {
-        super(authority, blocks, symbols, serializedBiscuit, publicKeyToBlockId, revocation_ids, root_key_id);
+            List<byte[]> revocation_ids, Option<Integer> root_key_id) {
+        super(authority, blocks, symbols, serializedBiscuit, revocation_ids, root_key_id);
     }
 
     /**
@@ -249,14 +248,13 @@ static public Biscuit from_bytes_with_symbols(byte[] data, KeyDelegate delegate,
      * @return
      */
     static Biscuit from_serialized_biscuit(SerializedBiscuit ser, SymbolTable symbols) throws Error {
-        Tuple3<Block, ArrayList<Block>, HashMap<Long, List<Long>>> t = ser.extractBlocks(symbols);
+        Tuple2<Block, ArrayList<Block>> t = ser.extractBlocks(symbols);
         Block authority = t._1;
         ArrayList<Block> blocks = t._2;
-        HashMap<Long, List<Long>> publicKeyToBlockId = t._3;
 
         List<byte[]> revocation_ids = ser.revocation_identifiers();
 
-        return new Biscuit(authority, blocks, symbols, ser, publicKeyToBlockId, revocation_ids);
+        return new Biscuit(authority, blocks, symbols, ser, revocation_ids);
     }
 
     /**
@@ -313,7 +311,7 @@ public Biscuit attenuate(org.biscuitsec.biscuit.token.builder.Block block, Algor
         return attenuate(rng, keypair, block.build(builderSymbols));
     }
 
-    public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair,org.biscuitsec.biscuit.token.builder.Block block) throws Error {
+    public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair, org.biscuitsec.biscuit.token.builder.Block block) throws Error {
         SymbolTable builderSymbols = new SymbolTable(this.symbols);
         return attenuate(rng, keypair, block.build(builderSymbols));
     }
@@ -356,10 +354,7 @@ public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair, Block bl
 
         List<byte[]> revocation_ids = container.revocation_identifiers();
 
-        HashMap<Long, List<Long>> publicKeyToBlockId = new HashMap<>();
-        publicKeyToBlockId.putAll(this.publicKeyToBlockId);
-
-        return new Biscuit(copiedBiscuit.authority, blocks, symbols, container, publicKeyToBlockId, revocation_ids);
+        return new Biscuit(copiedBiscuit.authority, blocks, symbols, container, revocation_ids);
     }
 
     /**
@@ -387,7 +382,11 @@ public String print() {
         s.append("\n\tblocks: [\n");
         for (Block b : this.blocks) {
             s.append("\t\t");
-            s.append(b.print(this.symbols));
+            if(b.externalKey.isDefined()) {
+                s.append(b.print(b.symbols));
+            } else {
+                s.append(b.print(this.symbols));
+            }
             s.append("\n");
         }
         s.append("\t]\n}");