Merge branch 'main' into fipscuit

biscuit-auth · Mar 26, 2024 · b52b929 · b52b929
2 parents d0f335f + c94c085
commit b52b929
Show file tree

Hide file tree

Showing 10 changed files with 1,763 additions and 1,497 deletions.
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -33,7 +33,7 @@ jobs:
     - name: Check samples
       run: |
         cd biscuit-auth
-        cargo run --release --example testcases --features serde-error -- ./samples  > ./samples/README.md
+        cargo run --release --example testcases --features serde-error -- ./samples --json > ./samples/samples.json
         git diff --exit-code
       
 

diff --git a/biscuit-auth/CHANGELOG.md b/biscuit-auth/CHANGELOG.md
@@ -1,5 +1,17 @@
 # not released
 
+# `4.1.1`
+
+- remove PKCS8 file loading functions (#208)
+
+# `4.1.0` (yanked)
+
+**This release was yanked because PKCS8 file loading functions, activated by the `pem` feature, could not compile. Those functions are removed in #208. PKCS8 parsing from buffers is still available**
+
+- fix: typo in documentation (#190) (Rémi Duraffort)
+- fix: include all authorizer facts and rules when using `Display` (#195) (Clément Delafargue)
+- Add optional support for PEM/DER parsing (#204) (Baran Yildirim)
+
 # `4.0.0`
 
 - macros for individual statements: `fact!`, `check!`, `policy!` (#175, #176) (Clément Delafargue)

diff --git a/biscuit-auth/Cargo.toml b/biscuit-auth/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "biscuit-auth"
-version = "4.0.0"
+version = "4.1.1"
 description = "an authorization token with decentralized verification and offline attenuation"
 authors = ["Geoffroy Couprie <contact@geoffroycouprie.com>"]
 edition = "2018"
@@ -24,6 +24,8 @@ datalog-macro = ["biscuit-quote"]
 bwk = ["chrono", "serde"]
 docsrs = []
 uuid = ["dep:uuid"]
+# used to expose pem/der loaders for keypairs
+pem = ["ed25519-dalek/pem"]
 
 [dependencies]
 rand_core = "^0.6"

diff --git a/biscuit-auth/examples/testcases.rs b/biscuit-auth/examples/testcases.rs
@@ -250,10 +250,28 @@ impl TestResult {
 
 #[derive(Debug, Serialize)]
 struct AuthorizerWorld {
-    pub facts: BTreeSet<(String, BTreeSet<Option<usize>>)>,
-    pub rules: BTreeSet<(String, Option<usize>)>,
-    pub checks: BTreeSet<String>,
-    pub policies: BTreeSet<String>,
+    pub facts: Vec<AuthorizerFactSet>,
+    pub rules: Vec<AuthorizerRuleSet>,
+    pub checks: Vec<AuthorizerCheckSet>,
+    pub policies: Vec<String>,
+}
+
+#[derive(Debug, Serialize, PartialEq, Eq, PartialOrd, Ord)]
+struct AuthorizerFactSet {
+    origin: BTreeSet<Option<usize>>,
+    facts: Vec<String>,
+}
+
+#[derive(Debug, Serialize, PartialEq, Eq, PartialOrd, Ord)]
+struct AuthorizerRuleSet {
+    origin: Option<usize>,
+    rules: Vec<String>,
+}
+
+#[derive(Debug, Serialize, PartialEq, Eq, PartialOrd, Ord)]
+struct AuthorizerCheckSet {
+    origin: Option<usize>,
+    checks: Vec<String>,
 }
 
 #[derive(Debug, Serialize)]
@@ -299,7 +317,7 @@ fn validate_token(root: &KeyPair, data: &[u8], authorizer_code: &str) -> Validat
 
     let res = authorizer.authorize();
     //println!("authorizer world:\n{}", authorizer.print_world());
-    let (_, _, mut checks, mut policies) = authorizer.dump();
+    let (_, _, _, policies) = authorizer.dump();
     let snapshot = authorizer.snapshot().unwrap();
 
     let symbols = SymbolTable::from_symbols_and_public_keys(
@@ -313,23 +331,65 @@ fn validate_token(root: &KeyPair, data: &[u8], authorizer_code: &str) -> Validat
     )
     .unwrap();
 
-    let mut facts = BTreeSet::new();
-    let mut rules = BTreeSet::new();
+    let mut authorizer_facts = Vec::new();
+    let mut authorizer_rules = Vec::new();
+    let mut authorizer_checks = Vec::new();
     for (i, block) in snapshot.world.blocks.iter().enumerate() {
-        let mut origin = BTreeSet::new();
-        origin.insert(i);
+        let mut rules: Vec<String> = Vec::new();
         for rule in block.rules_v2.iter() {
             let r =
                 convert::proto_rule_to_token_rule(&rule, snapshot.world.version.unwrap()).unwrap();
-            rules.insert((symbols.print_rule(&r.0), Some(i)));
+            rules.push(symbols.print_rule(&r.0));
+        }
+        if !rules.is_empty() {
+            rules.sort();
+            authorizer_rules.push(AuthorizerRuleSet {
+                origin: Some(i),
+                rules,
+            });
+        }
+
+        let mut checks = Vec::new();
+        for check in block.checks_v2.iter() {
+            let c = convert::proto_check_to_token_check(&check, snapshot.world.version.unwrap())
+                .unwrap();
+            checks.push(symbols.print_check(&c));
+        }
+        if !checks.is_empty() {
+            checks.sort();
+            authorizer_checks.push(AuthorizerCheckSet {
+                origin: Some(i),
+                checks,
+            });
         }
     }
 
-    let mut authorizer_origin = BTreeSet::new();
-    authorizer_origin.insert(usize::MAX);
+    let mut rules: Vec<String> = Vec::new();
     for rule in snapshot.world.authorizer_block.rules_v2 {
         let r = convert::proto_rule_to_token_rule(&rule, snapshot.world.version.unwrap()).unwrap();
-        rules.insert((symbols.print_rule(&r.0), None));
+
+        rules.push(symbols.print_rule(&r.0));
+    }
+    if !rules.is_empty() {
+        rules.sort();
+        authorizer_rules.push(AuthorizerRuleSet {
+            origin: Some(usize::MAX),
+            rules,
+        });
+    }
+
+    let mut checks = Vec::new();
+    for check in snapshot.world.authorizer_block.checks_v2 {
+        let c =
+            convert::proto_check_to_token_check(&check, snapshot.world.version.unwrap()).unwrap();
+        checks.push(symbols.print_check(&c));
+    }
+    if !checks.is_empty() {
+        checks.sort();
+        authorizer_checks.push(AuthorizerCheckSet {
+            origin: Some(usize::MAX),
+            checks,
+        });
     }
 
     for factset in snapshot.world.generated_facts {
@@ -343,18 +403,25 @@ fn validate_token(root: &KeyPair, data: &[u8], authorizer_code: &str) -> Validat
             };
         }
 
+        let mut facts = Vec::new();
+
         for fact in factset.facts {
             let f = convert::proto_fact_to_token_fact(&fact).unwrap();
-            facts.insert((symbols.print_fact(&f), origin.clone()));
+            facts.push(symbols.print_fact(&f));
+        }
+        if !facts.is_empty() {
+            facts.sort();
+            authorizer_facts.push(AuthorizerFactSet { origin, facts });
         }
     }
+    authorizer_facts.sort();
 
     Validation {
         world: Some(AuthorizerWorld {
-            facts,
-            rules,
-            checks: checks.drain(..).map(|c| c.to_string()).collect(),
-            policies: policies.drain(..).map(|p| p.to_string()).collect(),
+            facts: authorizer_facts,
+            rules: authorizer_rules,
+            checks: authorizer_checks,
+            policies: policies.into_iter().map(|p| p.to_string()).collect(),
         }),
         result: match res {
             Ok(i) => AuthorizerResult::Ok(i),