Esl2

biscuit-auth/examples/testcases.rs

@@ -1378,6 +1378,9 @@ fn expressions(target: &str, root: &KeyPair, test: bool) -> TestResult {
         check if {1, 2, 3}.intersection({1, 2}).contains(1);
         // chained method calls with unary method
         check if {1, 2, 3}.intersection({1, 2}).length() === 2;
+
+        // empty set literal
+        check if {,}.length() === 0;
     "#)
         .build_with_rng(&root, SymbolTable::default(), &mut rng)
         .unwrap();

biscuit-auth/examples/third_party.rs

@@ -1,7 +1,9 @@
+use std::time::Duration;
+
 use biscuit_auth::{
     builder::{Algorithm, AuthorizerBuilder, BlockBuilder},
     builder_ext::AuthorizerExt,
-    datalog::SymbolTable,
+    datalog::{RunLimits, SymbolTable},
     Biscuit, KeyPair,
 };
 use rand::{prelude::StdRng, SeedableRng};
@@ -36,6 +38,10 @@ fn main() {
 
     let mut authorizer = AuthorizerBuilder::new()
         .allow_all()
+        .limits(RunLimits {
+            max_time: Duration::from_secs(10),
+            ..Default::default()
+        })
         .build(&biscuit1)
         .unwrap();
 
@@ -44,6 +50,10 @@ fn main() {
 
     let mut authorizer = AuthorizerBuilder::new()
         .allow_all()
+        .limits(RunLimits {
+            max_time: Duration::from_secs(10),
+            ..Default::default()
+        })
         .build(&biscuit2)
         .unwrap();
 

biscuit-auth/samples/README.md

@@ -1321,6 +1321,7 @@ check if {1, 2}.intersection({2, 3}) === {2};
 check if {1, 2}.union({2, 3}) === {1, 2, 3};
 check if {1, 2, 3}.intersection({1, 2}).contains(1);
 check if {1, 2, 3}.intersection({1, 2}).length() === 2;
+check if {,}.length() === 0;
 ```
 
 ### validation
@@ -1331,7 +1332,7 @@ allow if true;
 ```
 
 revocation ids:
-- `d0420227266e3583a42dfaa0e38550d99f681d150dd18856f3af9a697bc9c5c8bf06b4b0fe5b9df0377d1b963574e2fd210a0a76a8b0756a65f640c602bebd07`
+- `fa358e4e3bea896415b1859e6cd347e64e1918fb86e31ae3fe208628321576a47f7a269760357e291c827ec9cbe322074f6860a546207a64e133c83a214bb505`
 
 authorizer world:
 ```
@@ -1372,6 +1373,7 @@ World {
             "check if true",
             "check if true === true",
             "check if {\"abc\", \"def\"}.contains(\"abc\")",
+            "check if {,}.length() === 0",
             "check if {1, 2, 3}.intersection({1, 2}).contains(1)",
             "check if {1, 2, 3}.intersection({1, 2}).length() === 2",
             "check if {1, 2} === {1, 2}",

biscuit-auth/samples/samples.json

@@ -1276,7 +1276,7 @@
           ],
           "public_keys": [],
           "external_key": null,
-          "code": "check if true;\ncheck if !false;\ncheck if true === true;\ncheck if false === false;\ncheck if 1 < 2;\ncheck if 2 > 1;\ncheck if 1 <= 2;\ncheck if 1 <= 1;\ncheck if 2 >= 1;\ncheck if 2 >= 2;\ncheck if 3 === 3;\ncheck if 1 + 2 * 3 - 4 / 2 === 5;\ncheck if \"hello world\".starts_with(\"hello\"), \"hello world\".ends_with(\"world\");\ncheck if \"aaabde\".matches(\"a*c?.e\");\ncheck if \"aaabde\".contains(\"abd\");\ncheck if \"aaabde\" === \"aaa\" + \"b\" + \"de\";\ncheck if \"abcD12\" === \"abcD12\";\ncheck if \"abcD12\".length() === 6;\ncheck if \"é\".length() === 2;\ncheck if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z;\ncheck if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z === 2020-12-04T09:46:41Z;\ncheck if hex:12ab === hex:12ab;\ncheck if {1, 2}.contains(2);\ncheck if {2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z}.contains(2020-12-04T09:46:41Z);\ncheck if {false, true}.contains(true);\ncheck if {\"abc\", \"def\"}.contains(\"abc\");\ncheck if {hex:12ab, hex:34de}.contains(hex:34de);\ncheck if {1, 2}.contains({2});\ncheck if {1, 2} === {1, 2};\ncheck if {1, 2}.intersection({2, 3}) === {2};\ncheck if {1, 2}.union({2, 3}) === {1, 2, 3};\ncheck if {1, 2, 3}.intersection({1, 2}).contains(1);\ncheck if {1, 2, 3}.intersection({1, 2}).length() === 2;\n",
+          "code": "check if true;\ncheck if !false;\ncheck if true === true;\ncheck if false === false;\ncheck if 1 < 2;\ncheck if 2 > 1;\ncheck if 1 <= 2;\ncheck if 1 <= 1;\ncheck if 2 >= 1;\ncheck if 2 >= 2;\ncheck if 3 === 3;\ncheck if 1 + 2 * 3 - 4 / 2 === 5;\ncheck if \"hello world\".starts_with(\"hello\"), \"hello world\".ends_with(\"world\");\ncheck if \"aaabde\".matches(\"a*c?.e\");\ncheck if \"aaabde\".contains(\"abd\");\ncheck if \"aaabde\" === \"aaa\" + \"b\" + \"de\";\ncheck if \"abcD12\" === \"abcD12\";\ncheck if \"abcD12\".length() === 6;\ncheck if \"é\".length() === 2;\ncheck if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z;\ncheck if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z === 2020-12-04T09:46:41Z;\ncheck if hex:12ab === hex:12ab;\ncheck if {1, 2}.contains(2);\ncheck if {2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z}.contains(2020-12-04T09:46:41Z);\ncheck if {false, true}.contains(true);\ncheck if {\"abc\", \"def\"}.contains(\"abc\");\ncheck if {hex:12ab, hex:34de}.contains(hex:34de);\ncheck if {1, 2}.contains({2});\ncheck if {1, 2} === {1, 2};\ncheck if {1, 2}.intersection({2, 3}) === {2};\ncheck if {1, 2}.union({2, 3}) === {1, 2, 3};\ncheck if {1, 2, 3}.intersection({1, 2}).contains(1);\ncheck if {1, 2, 3}.intersection({1, 2}).length() === 2;\ncheck if {,}.length() === 0;\n",
           "version": 3
         }
       ],
@@ -1317,6 +1317,7 @@
                   "check if true",
                   "check if true === true",
                   "check if {\"abc\", \"def\"}.contains(\"abc\")",
+                  "check if {,}.length() === 0",
                   "check if {1, 2, 3}.intersection({1, 2}).contains(1)",
                   "check if {1, 2, 3}.intersection({1, 2}).length() === 2",
                   "check if {1, 2} === {1, 2}",
@@ -1339,7 +1340,7 @@
           },
           "authorizer_code": "allow if true;\n",
           "revocation_ids": [
-            "d0420227266e3583a42dfaa0e38550d99f681d150dd18856f3af9a697bc9c5c8bf06b4b0fe5b9df0377d1b963574e2fd210a0a76a8b0756a65f640c602bebd07"
+            "fa358e4e3bea896415b1859e6cd347e64e1918fb86e31ae3fe208628321576a47f7a269760357e291c827ec9cbe322074f6860a546207a64e133c83a214bb505"
           ]
         }
       }

biscuit-auth/src/datalog/symbol.rs

@@ -198,11 +198,15 @@ impl SymbolTable {
                 }
             }
             Term::Set(s) => {
-                let terms = s
-                    .iter()
-                    .map(|term| self.print_term(term))
-                    .collect::<Vec<_>>();
-                format!("{{{}}}", terms.join(", "))
+                if s.is_empty() {
+                    "{,}".to_string()
+                } else {
+                    let terms = s
+                        .iter()
+                        .map(|term| self.print_term(term))
+                        .collect::<Vec<_>>();
+                    format!("{{{}}}", terms.join(", "))
+                }
             }
             Term::Null => "null".to_string(),
             Term::Array(a) => {

biscuit-auth/src/token/authorizer.rs

@@ -1093,7 +1093,7 @@ mod tests {
             )
             .unwrap()
             .limits(AuthorizerLimits {
-                max_time: Duration::from_millis(10), //Set 10 milliseconds as the maximum time allowed for the authorization due to "cheap" worker on GitHub Actions
+                max_time: Duration::from_secs(10), //Set 10 seconds as the maximum time allowed for the authorization due to "cheap" worker on GitHub Actions
                 ..Default::default()
             })
             .build(&biscuit2)

biscuit-auth/src/token/builder.rs

@@ -333,4 +333,8 @@ check if true trusting ed25519/6e9e6d5a75cf0c0e87ec1256b4dfed0ca3ba452912d213fcc
             })
         );
     }
+    #[test]
+    fn empty_set_display() {
+        assert_eq!(Term::Set(BTreeSet::new()).to_string(), "{,}");
+    }
 }

biscuit-auth/src/token/builder/term.rs

@@ -359,8 +359,12 @@ impl fmt::Display for Term {
                 }
             }
             Term::Set(s) => {
-                let terms = s.iter().map(|term| term.to_string()).collect::<Vec<_>>();
-                write!(f, "{{{}}}", terms.join(", "))
+                if s.is_empty() {
+                    write!(f, "{{,}}")
+                } else {
+                    let terms = s.iter().map(|term| term.to_string()).collect::<Vec<_>>();
+                    write!(f, "{{{}}}", terms.join(", "))
+                }
             }
             Term::Parameter(s) => {
                 write!(f, "{{{}}}", s)

biscuit-auth/src/token/mod.rs

@@ -1384,6 +1384,10 @@ mod tests {
             .check("check if bytes($0), { hex:00000000, hex:0102AB }.contains($0)")
             .unwrap()
             .allow_all()
+            .limits(AuthorizerLimits {
+                max_time: Duration::from_secs(10),
+                ..Default::default()
+            })
             .build(&biscuit2)
             .unwrap();
 

biscuit-auth/tests/macros.rs

@@ -75,7 +75,13 @@ fn authorizer_macro() {
       "#
     );
 
-    let authorizer = b.build_unauthenticated().unwrap();
+    let authorizer = b
+        .limits(RunLimits {
+            max_time: Duration::from_secs(10),
+            ..Default::default()
+        })
+        .build_unauthenticated()
+        .unwrap();
     assert_eq!(
         authorizer.dump_code(),
         r#"appended(true);
@@ -95,6 +101,10 @@ allow if true;
 #[test]
 fn authorizer_macro_trailing_comma() {
     let a = authorizer!(r#"fact("test", {my_key});"#, my_key = "my_value",)
+        .limits(RunLimits {
+            max_time: Duration::from_secs(10),
+            ..Default::default()
+        })
         .build_unauthenticated()
         .unwrap();
     assert_eq!(
@@ -261,6 +271,10 @@ fn json() {
           $value.get("id") == $id,
           $value.get("roles").contains("admin");"#
     )
+    .limits(RunLimits {
+        max_time: Duration::from_secs(10),
+        ..Default::default()
+    })
     .build(&biscuit)
     .unwrap();
     assert_eq!(

biscuit-parser/src/builder.rs

@@ -622,30 +622,26 @@ pub fn pred<I: AsRef<Term>>(name: &str, terms: &[I]) -> Predicate {
 }
 
 /// creates a rule
-pub fn rule<T: AsRef<Term>, P: AsRef<Predicate>>(
-    head_name: &str,
-    head_terms: &[T],
-    predicates: &[P],
-) -> Rule {
+pub fn rule<T: AsRef<Term>>(head_name: &str, head_terms: &[T], predicates: &[Predicate]) -> Rule {
     Rule::new(
         pred(head_name, head_terms),
-        predicates.iter().map(|p| p.as_ref().clone()).collect(),
+        predicates.to_vec(),
         Vec::new(),
         vec![],
     )
 }
 
 /// creates a rule with constraints
-pub fn constrained_rule<T: AsRef<Term>, P: AsRef<Predicate>, E: AsRef<Expression>>(
+pub fn constrained_rule<T: AsRef<Term>>(
     head_name: &str,
     head_terms: &[T],
-    predicates: &[P],
-    expressions: &[E],
+    predicates: &[Predicate],
+    expressions: &[Expression],
 ) -> Rule {
     Rule::new(
         pred(head_name, head_terms),
-        predicates.iter().map(|p| p.as_ref().clone()).collect(),
-        expressions.iter().map(|c| c.as_ref().clone()).collect(),
+        predicates.to_vec(),
+        expressions.to_vec(),
         vec![],
     )
 }