diff --git a/biscuit-auth/Cargo.toml b/biscuit-auth/Cargo.toml index 4e100841..322cb555 100644 --- a/biscuit-auth/Cargo.toml +++ b/biscuit-auth/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "biscuit-auth" -version = "4.1.1" +version = "5.0.0" description = "an authorization token with decentralized verification and offline attenuation" authors = ["Geoffroy Couprie "] edition = "2018" diff --git a/biscuit-auth/samples/README.md b/biscuit-auth/samples/README.md index 0e61691a..e5fbafe3 100644 --- a/biscuit-auth/samples/README.md +++ b/biscuit-auth/samples/README.md @@ -1841,7 +1841,7 @@ allow if true; revocation ids: - `470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03` -- `93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405` +- `342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03` authorizer world: ``` @@ -2041,7 +2041,7 @@ check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755 1: symbols: [] -public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" @@ -2055,7 +2055,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5 2: symbols: [] -public keys: [] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" 
@@ -2068,7 +2068,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5 3: symbols: [] -public keys: [] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" @@ -2081,7 +2081,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5 4: symbols: [] -public keys: ["ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"] ``` query(4); 
@@ -2103,10 +2103,10 @@ allow if true; revocation ids: - `3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04` -- `45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400` -- `179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703` -- `edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d` -- `6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07` +- `6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d` +- `5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04` +- `c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09` +- `3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900` authorizer world: ``` diff --git a/biscuit-auth/samples/samples.json b/biscuit-auth/samples/samples.json index acae28a8..d97790a7 100644 --- a/biscuit-auth/samples/samples.json +++ b/biscuit-auth/samples/samples.json @@ -1798,7 +1798,7 @@ "authorizer_code": "allow if true;\n", "revocation_ids": [ "470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03", - "93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405" + "342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03" ] } } 
@@ -1939,26 +1939,34 @@ { "symbols": [], "public_keys": [ - "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" ], "external_key": "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", "code": "query(1);\nquery(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], - "public_keys": [], + "public_keys": [ + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + ], "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "code": "query(2);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], - "public_keys": [], + "public_keys": [ + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + ], "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "code": "query(3);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], "public_keys": [ + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", 
"ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136" ], "external_key": null, @@ -2082,10 +2090,10 @@ "authorizer_code": "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\n\ndeny if query(3);\ndeny if query(1, 2);\ndeny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\nallow if true;\n", "revocation_ids": [ "3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04", - "45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400", - "179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703", - "edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d", - "6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07" + "6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d", + "5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04", + "c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09", + "3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900" ] } } diff --git a/biscuit-auth/samples/test024_third_party.bc b/biscuit-auth/samples/test024_third_party.bc index 7bca415c..d2aef528 100644 Binary files a/biscuit-auth/samples/test024_third_party.bc and b/biscuit-auth/samples/test024_third_party.bc differ 
diff --git a/biscuit-auth/samples/test026_public_keys_interning.bc b/biscuit-auth/samples/test026_public_keys_interning.bc index 49e417b2..392d649c 100644 Binary files a/biscuit-auth/samples/test026_public_keys_interning.bc and b/biscuit-auth/samples/test026_public_keys_interning.bc differ diff --git a/biscuit-auth/src/format/convert.rs b/biscuit-auth/src/format/convert.rs index 427e5e68..d1e2cef2 100644 --- a/biscuit-auth/src/format/convert.rs +++ b/biscuit-auth/src/format/convert.rs @@ -77,6 +77,12 @@ pub fn proto_block_to_token_block( )); } + if version != MAX_SCHEMA_VERSION && external_key.is_some() { + return Err(error::Format::DeserializationError( + "deserialization error: third-party blocks must be v5".to_string(), + )); + } + for check in input.checks_v2.iter() { checks.push(v2::proto_check_to_token_check(check, version)?); } @@ -86,12 +92,12 @@ pub fn proto_block_to_token_block( let context = input.context.clone(); - let symbols = SymbolTable::from(input.symbols.clone())?; let mut public_keys = PublicKeys::new(); - for pk in &input.public_keys { public_keys.insert_fallible(&PublicKey::from_proto(pk)?)?; } + let symbols = + SymbolTable::from_symbols_and_public_keys(input.symbols.clone(), public_keys.keys.clone())?; let detected_schema_version = get_schema_version(&facts, &rules, &checks, &scopes); diff --git a/biscuit-auth/src/format/mod.rs b/biscuit-auth/src/format/mod.rs index 48643d71..90816111 100644 --- a/biscuit-auth/src/format/mod.rs +++ b/biscuit-auth/src/format/mod.rs @@ -14,7 +14,6 @@ use super::token::Block; use crate::crypto::ExternalSignature; use crate::datalog::SymbolTable; use crate::token::RootKeyProvider; -use std::collections::HashMap; use std::convert::TryInto; /// Structures generated from the Protobuf schema 
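Review bot: The new guard `if version != MAX_SCHEMA_VERSION && external_key.is_some()` ties third-party acceptance to whatever the current maximum is rather than to the version that introduced per-block key interning, so the next bump of `MAX_SCHEMA_VERSION` would start rejecting v5 third-party blocks while the message still says "must be v5". If the intent is "v5 or later", compare against the introducing version, e.g. `if external_key.is_some() && version < 5 {` (or a named constant declared next to `MAX_SCHEMA_VERSION`) and build the message from it. A one-line why-comment would also help, e.g. `// scope indices in a pre-v5 third-party block refer to the token-level key table, which this version no longer builds for them` — that is what the extract_blocks change in format/mod.rs appears to imply. The rest of proto_block_to_token_block lies outside the hunk.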
@@ -143,14 +142,7 @@ impl SerializedBiscuit { pub(crate) fn extract_blocks( &self, symbols: &mut SymbolTable, - ) -> Result< - ( - schema::Block, - Vec, - HashMap>, - ), - error::Token, - > { + ) -> Result<(schema::Block, Vec), error::Token> { let mut block_external_keys = Vec::new(); let authority = schema::Block::decode(&self.authority.data[..]).map_err(|e| { @@ -182,34 +174,21 @@ impl SerializedBiscuit { })?; if let Some(external_signature) = &block.external_signature { - symbols.public_keys.insert(&external_signature.public_key); block_external_keys.push(Some(external_signature.public_key)); } else { block_external_keys.push(None); symbols.extend(&SymbolTable::from(deser.symbols.clone())?)?; - } - - for pk in &deser.public_keys { - symbols - .public_keys - .insert_fallible(&PublicKey::from_proto(pk)?)?; + for pk in &deser.public_keys { + symbols + .public_keys + .insert_fallible(&PublicKey::from_proto(pk)?)?; + } } blocks.push(deser); } - let mut public_key_to_block_id: HashMap> = HashMap::new(); - for (index, opt_key) in block_external_keys.into_iter().enumerate() { - if let Some(key) = opt_key { - if let Some(key_index) = symbols.public_keys.get(&key) { - public_key_to_block_id - .entry(key_index as usize) - .or_default() - .push(index); - } - } - } - Ok((authority, blocks, public_key_to_block_id)) + Ok((authority, blocks)) } /// serializes the token diff --git a/biscuit-auth/src/token/authorizer.rs b/biscuit-auth/src/token/authorizer.rs index 027b6e9c..922beacd 100644 --- a/biscuit-auth/src/token/authorizer.rs +++ b/biscuit-auth/src/token/authorizer.rs @@ -5,7 +5,7 @@ use super::builder::{ }; use super::builder_ext::{AuthorizerExt, BuilderExt}; use super::{Biscuit, Block}; -use crate::builder::{CheckKind, Convert}; +use crate::builder::{self, CheckKind, Convert}; use crate::crypto::PublicKey; use crate::datalog::{self, Origin, RunLimits, SymbolTable, TrustedOrigins}; use crate::error; 
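Review bot: `block_external_keys` is still filled in the `if let Some(external_signature)` branch, but with the `public_key_to_block_id` map gone nothing in the visible part of extract_blocks reads it any more; unless the lines between the two hunks use it, drop the vector and reduce the branch to `if block.external_signature.is_none() { ... }`. The new `else` branch also changes which keys reach the token-level table — a third-party block's symbols and public keys are now kept out of it — and that deserves a why-comment, e.g. `// third-party blocks are interpreted against their own symbol table, so their symbols and keys must not shift indices in the token-level table`. extract_blocks' signature is in the previous hunk and the lines between the hunks are not shown.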
@@ -87,16 +87,15 @@ impl Authorizer { return Err(error::Logic::AuthorizerNotEmpty.into()); } - for (key_id, block_ids) in &token.public_key_to_block_id { - let key = token - .symbols - .public_keys - .get_key(*key_id as u64) - .ok_or(error::Format::UnknownExternalKey)?; - let new_key_id = self.symbols.public_keys.insert(key); + for (i, block) in token.container.blocks.iter().enumerate() { + if let Some(sig) = block.external_signature.as_ref() { + let new_key_id = self.symbols.public_keys.insert(&sig.public_key); - self.public_key_to_block_id - .insert(new_key_id as usize, block_ids.clone()); + self.public_key_to_block_id + .entry(new_key_id as usize) + .or_default() + .push(i + 1); + } } let mut blocks = Vec::new(); @@ -120,7 +119,7 @@ impl Authorizer { Ok(()) } - /// we need to modify the block loaded from the token, because the authorizer's and th token's symbol table can differ + /// we need to modify the block loaded from the token, because the authorizer's and the token's symbol table can differ fn load_and_translate_block( &mut self, block: &mut Block, @@ -131,14 +130,17 @@ impl Authorizer { let block_symbols = if i == 0 || block.external_key.is_none() { token_symbols.clone() } else { - let mut symbols = block.symbols.clone(); - symbols.public_keys = token_symbols.public_keys.clone(); - symbols + block.symbols.clone() }; let mut block_origin = Origin::default(); block_origin.insert(i); + for scope in block.scopes.iter_mut() { + *scope = builder::Scope::convert_from(scope, &block_symbols) + .map(|s| s.convert(&mut self.symbols))?; + } + let block_trusted_origins = TrustedOrigins::from_scopes( &block.scopes, &TrustedOrigins::default(), diff --git a/biscuit-auth/src/token/mod.rs b/biscuit-auth/src/token/mod.rs index 2fedac95..fe1b089e 100644 --- a/biscuit-auth/src/token/mod.rs +++ b/biscuit-auth/src/token/mod.rs @@ -1,5 +1,4 @@ //! main structures to interact with Biscuit tokens -use std::collections::HashMap; use std::convert::TryInto; use std::fmt::Display; 
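Review bot: The `i + 1` in `.push(i + 1)` encodes that `token.container.blocks` excludes the authority block, which the third_party.rs hunk shows is stored in `container.authority`, so block ids are offset by one; a comment saves the next reader from re-deriving it, e.g. `// container.blocks[0] is block 1: the authority block is kept in container.authority`.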
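Review bot: The added loop re-interns only the block-level `block.scopes` from `block_symbols` into the authorizer's table; rules and checks in the same block also carry `trusting` scopes (the samples in this commit show `check if query(1) trusting ed25519/...` inside third-party blocks), and if those are not converted the same way further down in load_and_translate_block — which continues outside the hunk — a `Scope::PublicKey` index from a third-party block's own table would be looked up in the authorizer's table and trust would be attributed to the wrong key. Worth pinning with a test on test024/test026 that a third-party rule's trusted origin resolves to the signer the block names. A comment on the loop would also help: `// scopes were built against block_symbols; re-intern them so Scope::PublicKey indices refer to self.symbols`.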
@@ -32,7 +31,7 @@ pub use third_party::*; /// minimum supported version of the serialization format pub const MIN_SCHEMA_VERSION: u32 = 3; /// maximum supported version of the serialization format -pub const MAX_SCHEMA_VERSION: u32 = 4; +pub const MAX_SCHEMA_VERSION: u32 = 5; /// some symbols are predefined and available in every implementation, to avoid /// transmitting them with every token @@ -78,7 +77,6 @@ pub struct Biscuit { pub(crate) blocks: Vec, pub(crate) symbols: SymbolTable, pub(crate) container: SerializedBiscuit, - pub(crate) public_key_to_block_id: HashMap>, } impl Biscuit { @@ -259,7 +257,6 @@ impl Biscuit { blocks, symbols, container, - public_key_to_block_id: HashMap::new(), }) } @@ -282,7 +279,7 @@ impl Biscuit { container: SerializedBiscuit, mut symbols: SymbolTable, ) -> Result { - let (authority, blocks, public_key_to_block_id) = container.extract_blocks(&mut symbols)?; + let (authority, blocks) = container.extract_blocks(&mut symbols)?; let root_key_id = container.root_key_id; @@ -292,7 +289,6 @@ impl Biscuit { blocks, symbols, container, - public_key_to_block_id, }) } @@ -333,23 +329,12 @@ impl Biscuit { let authority = self.authority.clone(); let mut blocks = self.blocks.clone(); let mut symbols = self.symbols.clone(); - let mut public_key_to_block_id = self.public_key_to_block_id.clone(); let container = self.container.append(keypair, &block, None)?; symbols.extend(&block.symbols)?; symbols.public_keys.extend(&block.public_keys)?; - if let Some(index) = block - .external_key - .as_ref() - .and_then(|pk| symbols.public_keys.get(pk)) - { - public_key_to_block_id - .entry(index as usize) - .or_default() - .push(self.block_count() + 1); - } let deser = schema::Block::decode( &container .blocks @@ -371,7 +356,6 @@ impl Biscuit { blocks, symbols, container, - public_key_to_block_id, }) } 
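Review bot: The doc comment on `MAX_SCHEMA_VERSION` still reads only "maximum supported version of the serialization format", while the bump to 5 changes how third-party blocks are interned and makes pre-v5 third-party blocks rejected (the convert.rs hunk); record that where the constant is declared, e.g. `/// maximum supported version of the serialization format (v5: third-party blocks carry and are interpreted against their own public key table; older third-party blocks are rejected, see proto_block_to_token_block)`, so the constant and the check stay in sync.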
@@ -443,30 +427,13 @@ impl Biscuit { signature, }; - let mut symbols = self.symbols.clone(); - let mut public_key_to_block_id = self.public_key_to_block_id.clone(); + let symbols = self.symbols.clone(); let mut blocks = self.blocks.clone(); let container = self.container .append_serialized(&next_keypair, payload, Some(external_signature))?; - let token_block = proto_block_to_token_block(&block, Some(external_key)).unwrap(); - for key in &token_block.public_keys.keys { - symbols.public_keys.insert_fallible(key)?; - } - - if let Some(index) = token_block - .external_key - .as_ref() - .and_then(|pk| symbols.public_keys.get(pk)) - { - public_key_to_block_id - .entry(index as usize) - .or_default() - .push(self.block_count()); - } - blocks.push(block); Ok(Biscuit { @@ -475,7 +442,6 @@ impl Biscuit { blocks, symbols, container, - public_key_to_block_id, }) } @@ -535,7 +501,7 @@ impl Biscuit { } pub(crate) fn block(&self, index: usize) -> Result { - let mut block = if index == 0 { + let block = if index == 0 { proto_block_to_token_block( &self.authority, self.container @@ -562,9 +528,6 @@ impl Biscuit { .map_err(error::Token::Format)? }; - // we have to add the entire list of public keys here because - // they are used to validate 3rd party tokens - block.symbols.public_keys = self.symbols.public_keys.clone(); Ok(block) } } @@ -645,7 +608,7 @@ fn print_block(symbols: &SymbolTable, block: &Block) -> String { pub enum Scope { Authority, Previous, - // index of the public key in the token's list + // index of the public key in the symbol table PublicKey(u64), } diff --git a/biscuit-auth/src/token/third_party.rs b/biscuit-auth/src/token/third_party.rs index e9aed202..c6e300bf 100644 --- a/biscuit-auth/src/token/third_party.rs +++ b/biscuit-auth/src/token/third_party.rs 
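Review bot: Removing `proto_block_to_token_block(&block, Some(external_key)).unwrap()` also removes the only conversion of the appended third-party block in the visible part of append_third_party, so a block that would fail the new v5 check in convert.rs (or any other deserialization error) is now appended and only rejected later, when `block()` or the authorizer converts it. Unless the block is validated earlier in the function (outside the hunk), keep the call but propagate instead of panicking, as `block()` already does: `proto_block_to_token_block(&block, Some(external_key)).map_err(error::Token::Format)?;`. Failing at append time surfaces the error to the party that supplied the block rather than to whoever later authorizes the token.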
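Review bot: The updated comment `// index of the public key in the symbol table` leaves open which table, and after this commit that depends on the block: the authorizer.rs hunk picks `block.symbols` for a third-party block and the token's table otherwise. Spell it out: `// index of the public key in the symbol table the block is interpreted with: the block's own table for third-party blocks, the token's table for the authority and first-party blocks`.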
@@ -10,13 +10,10 @@ use crate::{ KeyPair, PrivateKey, }; -use super::public_keys::PublicKeys; - /// Third party block request #[derive(Debug)] pub struct ThirdPartyRequest { pub(crate) previous_key: PublicKey, - pub(crate) public_keys: PublicKeys, } impl ThirdPartyRequest { @@ -27,52 +24,21 @@ impl ThirdPartyRequest { return Err(error::Token::AppendOnSealed); } - let mut public_keys = PublicKeys::new(); - - for pk in &schema::Block::decode(&container.authority.data[..]) - .map_err(|e| { - error::Format::DeserializationError(format!("deserialization error: {:?}", e)) - })? - .public_keys - { - public_keys.insert(&PublicKey::from_proto(pk)?); - } - for block in &container.blocks { - for pk in &schema::Block::decode(&block.data[..]) - .map_err(|e| { - error::Format::DeserializationError(format!("deserialization error: {:?}", e)) - })? - .public_keys - { - public_keys.insert(&PublicKey::from_proto(pk)?); - } - } - let previous_key = container .blocks .last() .unwrap_or(&container.authority) .next_key; - Ok(ThirdPartyRequest { - previous_key, - public_keys, - }) + Ok(ThirdPartyRequest { previous_key }) } pub fn serialize(&self) -> Result, error::Token> { - let public_keys = self - .public_keys - .keys - .iter() - .map(|key| key.to_proto()) - .collect(); - let previous_key = self.previous_key.to_proto(); let request = schema::ThirdPartyBlockRequest { previous_key, - public_keys, + public_keys: Vec::new(), }; let mut v = Vec::new(); 
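Review bot: `ThirdPartyRequest` loses its `public_keys` field but keeps the one-line doc `/// Third party block request`; since this commit the request carries only `previous_key`, and the wire field `public_keys` must be empty (`deserialize` in a later hunk rejects it), which is worth stating on the struct so readers do not look for the keys, e.g. `/// Third party block request (v5): carries only the key the new block must chain from; the key list of earlier formats is no longer sent, the third-party block lists the public keys it references itself`. The last clause is what the updated samples suggest; confirm against the block builder before wording it as a guarantee.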
@@ -95,16 +61,13 @@ impl ThirdPartyRequest { let previous_key = PublicKey::from_proto(&data.previous_key)?; - let mut public_keys = PublicKeys::new(); - - for key in data.public_keys { - public_keys.insert(&PublicKey::from_proto(&key)?); + if !data.public_keys.is_empty() { + return Err(error::Token::Format(error::Format::DeserializationError( + "public keys were provided in third-party block request".to_owned(), + ))); } - Ok(ThirdPartyRequest { - previous_key, - public_keys, - }) + Ok(ThirdPartyRequest { previous_key }) } pub fn deserialize_base64(slice: T) -> Result @@ -121,8 +84,7 @@ impl ThirdPartyRequest { private_key: &PrivateKey, block_builder: BlockBuilder, ) -> Result { - let mut symbols = SymbolTable::new(); - symbols.public_keys = self.public_keys.clone(); + let symbols = SymbolTable::new(); let mut block = block_builder.build(symbols); block.version = super::MAX_SCHEMA_VERSION; diff --git a/biscuit-auth/src/token/unverified.rs b/biscuit-auth/src/token/unverified.rs index 0cf8c501..28500b3f 100644 --- a/biscuit-auth/src/token/unverified.rs +++ b/biscuit-auth/src/token/unverified.rs @@ -1,4 +1,3 @@ -use std::collections::HashMap; use std::convert::TryInto; use super::{default_symbol_table, Biscuit, Block}; @@ -26,7 +25,6 @@ pub struct UnverifiedBiscuit { pub(crate) authority: schema::Block, pub(crate) blocks: Vec, pub(crate) symbols: SymbolTable, - pub(crate) public_key_to_block_id: HashMap>, container: SerializedBiscuit, } @@ -69,7 +67,6 @@ impl UnverifiedBiscuit { authority: self.authority, blocks: self.blocks, symbols: self.symbols, - public_key_to_block_id: self.public_key_to_block_id, container: self.container, }) } 
@@ -100,13 +97,12 @@ impl UnverifiedBiscuit { pub fn from_with_symbols(slice: &[u8], mut symbols: SymbolTable) -> Result { let container = SerializedBiscuit::deserialize(slice)?; - let (authority, blocks, public_key_to_block_id) = container.extract_blocks(&mut symbols)?; + let (authority, blocks) = container.extract_blocks(&mut symbols)?; Ok(UnverifiedBiscuit { authority, blocks, symbols, - public_key_to_block_id, container, }) } @@ -138,24 +134,12 @@ impl UnverifiedBiscuit { let authority = self.authority.clone(); let mut blocks = self.blocks.clone(); let mut symbols = self.symbols.clone(); - let mut public_key_to_block_id = self.public_key_to_block_id.clone(); let container = self.container.append(keypair, &block, None)?; symbols.extend(&block.symbols)?; symbols.public_keys.extend(&block.public_keys)?; - if let Some(index) = block - .external_key - .as_ref() - .and_then(|pk| symbols.public_keys.get(pk)) - { - public_key_to_block_id - .entry(index as usize) - .or_default() - .push(self.block_count() + 1); - } - let deser = schema::Block::decode( &container .blocks @@ -175,7 +159,6 @@ impl UnverifiedBiscuit { authority, blocks, symbols, - public_key_to_block_id, container, }) } @@ -340,7 +323,6 @@ impl UnverifiedBiscuit { }; let mut symbols = self.symbols.clone(); - let mut public_key_to_block_id = self.public_key_to_block_id.clone(); let mut blocks = self.blocks.clone(); let container = @@ -352,17 +334,6 @@ impl UnverifiedBiscuit { symbols.public_keys.insert_fallible(key)?; } - if let Some(index) = token_block - .external_key - .as_ref() - .and_then(|pk| symbols.public_keys.get(pk)) - { - public_key_to_block_id - .entry(index as usize) - .or_default() - .push(self.block_count()); - } - blocks.push(block); Ok(UnverifiedBiscuit { @@ -370,7 +341,6 @@ impl UnverifiedBiscuit { blocks, symbols, container, - public_key_to_block_id, }) }
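Review bot: `UnverifiedBiscuit::append_third_party` still runs `symbols.public_keys.insert_fallible(key)?` over the appended block's keys (the loop's context lines survive this hunk and `symbols` stays `mut` in the previous one), whereas the same commit drops that loop from `Biscuit::append_third_party` and `extract_blocks` no longer adds a third-party block's keys to the token-level table. The unverified path therefore ends up with a token table that differs from what deserializing the resulting bytes would produce, and any `Scope::PublicKey` index a later first-party block interns against that table would disagree with a fresh parse — which matters because those indices decide which signer a scope trusts. Unless a hunk outside this view removes it, delete the loop here too and make `symbols` non-`mut` to match `Biscuit`; a round-trip test (append a third-party block via `UnverifiedBiscuit`, serialize, deserialize again, compare `symbols.public_keys`) would pin it.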