Migrate to biscuit-auth 6.0.0

- biscuit-datalog v3.3 support
- secp256r1 support
- authorizers are now immutable (except for fact generation): adding code to a parsed snapshot is not possible anymore

Author: divarvel

src/cli.rs

@@ -1,3 +1,4 @@
+use biscuit_auth::Algorithm;
 use clap::Parser;
 use std::path::PathBuf;
 
@@ -49,6 +50,9 @@ pub struct KeyPairCmd {
     /// Output the private key raw bytes directly, with no hex encoding
     #[clap(long, requires("only-private-key"))]
     pub raw_private_key_output: bool,
+    /// Key algorithm: ed25519 (default) or secp256r1
+    #[clap(long, default_value_t)]
+    pub key_algorithm: Algorithm,
 }
 
 /// Generate a biscuit from a private key and an authority block
@@ -79,6 +83,9 @@ pub struct Generate {
     /// Read the private key raw bytes directly (only available when reading the private key from a file)
     #[clap(long, conflicts_with = "private-key", requires = "private-key-file")]
     pub raw_private_key: bool,
+    /// Key algorithm: ed25519 (default) or secp256r1
+    #[clap(long, default_value_t)]
+    pub key_algorithm: Algorithm,
     /// The optional context string attached to the authority block
     #[clap(long)]
     pub context: Option<String>,
@@ -142,6 +149,11 @@ pub struct Inspect {
     /// Read the public key raw bytes directly
     #[clap(long, requires("public-key-file"), conflicts_with("public-key"))]
     pub raw_public_key: bool,
+    /// Key algorithm: ed25519 (default) or secp256r1
+    #[clap(long, default_value_t)]
+    pub key_algorithm: Algorithm,
+    #[clap(flatten)]
+    pub run_limits_args: common_args::RunLimitArgs,
     #[clap(flatten)]
     pub authorization_args: common_args::AuthorizeArgs,
     #[clap(flatten)]
@@ -169,7 +181,7 @@ pub struct InspectSnapshot {
     #[clap(long)]
     pub raw_input: bool,
     #[clap(flatten)]
-    pub authorization_args: common_args::AuthorizeArgs,
+    pub run_limits_args: common_args::RunLimitArgs,
     #[clap(flatten)]
     pub query_args: common_args::QueryArgs,
     #[clap(flatten)]
@@ -209,6 +221,9 @@ pub struct GenerateThirdPartyBlock {
     /// Read the private key raw bytes directly (only available when reading the private key from a file)
     #[clap(long, conflicts_with = "private-key", requires = "private-key-file")]
     pub raw_private_key: bool,
+    /// Key algorithm: ed25519 (default) or secp256r1
+    #[clap(long, default_value_t)]
+    pub key_algorithm: Algorithm,
     /// Output the block raw bytes directly, with no base64 encoding
     #[clap(long)]
     pub raw_output: bool,
@@ -254,7 +269,7 @@ mod common_args {
     pub struct ParamArg {
         /// Provide a value for a datalog parameter. `type` is optional and defaults to `string`. Possible types are pubkey, string, integer, date, bytes or bool.
         /// Bytes values must be hex-encoded and start with `hex:`
-        /// Public keys must be hex-encoded and start with `ed25519/`
+        /// Public keys must be hex-encoded and start with `ed25519/` or `secp256r1/`
         #[clap(
         long,
         value_parser = clap::builder::ValueParser::new(parse_param),
@@ -263,6 +278,25 @@ mod common_args {
         pub param: Vec<Param>,
     }
 
+    /// Arguments related to runtime limits
+    #[derive(Parser)]
+    pub struct RunLimitArgs {
+        /// Configure the maximum amount of facts that can be generated
+        /// before aborting evaluation
+        #[clap(long)]
+        pub max_facts: Option<u64>,
+        /// Configure the maximum amount of iterations before aborting
+        /// evaluation
+        #[clap(long)]
+        pub max_iterations: Option<u64>,
+        /// Configure the maximum evaluation duration before aborting
+        #[clap(
+            long,
+            parse(try_from_str = parse_duration)
+        )]
+        pub max_time: Option<Duration>,
+    }
+
     /// Arguments related to running authorization
     #[derive(Parser)]
     pub struct AuthorizeArgs {
@@ -291,33 +325,6 @@ mod common_args {
             conflicts_with("authorize-interactive")
         )]
         pub authorize_with: Option<String>,
-        /// Configure the maximum amount of facts that can be generated
-        /// before aborting evaluation
-        #[clap(
-            long,
-            requires("authorize-with"),
-            requires("authorize-interactive"),
-            requires("authorize-with-file")
-        )]
-        pub max_facts: Option<u64>,
-        /// Configure the maximum amount of iterations before aborting
-        /// evaluation
-        #[clap(
-            long,
-            requires("authorize-with"),
-            requires("authorize-interactive"),
-            requires("authorize-with-file")
-        )]
-        pub max_iterations: Option<u64>,
-        /// Configure the maximum evaluation duration before aborting
-        #[clap(
-            long,
-            requires("authorize-with"),
-            requires("authorize-interactive"),
-            requires("authorize-with-file"),
-            parse(try_from_str = parse_duration)
-        )]
-        pub max_time: Option<Duration>,
         /// Include the current time in the verifier facts
         #[clap(long)]
         pub include_time: bool,

src/errors.rs

@@ -27,6 +27,8 @@ pub enum CliError {
     MissingPublicKeyForQuerying,
     #[error("Signatures check failed")]
     SignaturesCheckFailed,
+    #[error("Datalog fact generation failed")]
+    EvaluationFailed,
     #[error("Authorization failed")]
     AuthorizationFailed,
     #[error("Querying failed")]

src/input.rs

@@ -2,7 +2,8 @@ use anyhow::Result;
 use atty::Stream;
 use biscuit_auth::{
     builder::{BiscuitBuilder, BlockBuilder, Rule, Term},
-    Authorizer, ThirdPartyRequest, UnverifiedBiscuit, {PrivateKey, PublicKey},
+    Algorithm, Authorizer, AuthorizerBuilder, PrivateKey, PublicKey, ThirdPartyRequest,
+    UnverifiedBiscuit,
 };
 use chrono::{DateTime, Duration, Utc};
 use parse_duration as duration_parser;
@@ -131,8 +132,8 @@ pub fn read_authority_from(
     from: &DatalogInput,
     all_params: &[Param],
     context: &Option<String>,
-    builder: &mut BiscuitBuilder,
-) -> Result<()> {
+    builder: BiscuitBuilder,
+) -> Result<BiscuitBuilder> {
     let string = match from {
         DatalogInput::FromEditor => read_editor_string()?,
         DatalogInput::FromStdin => read_stdin_string("datalog program")?,
@@ -153,22 +154,22 @@ pub fn read_authority_from(
         }
     }
 
-    builder
-        .add_code_with_params(&string, params, scope_params)
+    let mut builder = builder
+        .code_with_params(&string, params, scope_params)
         .map_err(|e| ParseError("datalog statements".to_string(), e.to_string()))?;
     if let Some(ctx) = context {
-        builder.set_context(ctx.to_owned());
+        builder = builder.context(ctx.to_owned());
     }
 
-    Ok(())
+    Ok(builder)
 }
 
 pub fn read_block_from(
     from: &DatalogInput,
     all_params: &[Param],
     context: &Option<String>,
-    builder: &mut BlockBuilder,
-) -> Result<()> {
+    builder: BlockBuilder,
+) -> Result<BlockBuilder> {
     let string = match from {
         DatalogInput::FromEditor => read_editor_string()?,
         DatalogInput::FromStdin => read_stdin_string("datalog program")?,
@@ -188,22 +189,22 @@ pub fn read_block_from(
             }
         }
     }
-    builder
-        .add_code_with_params(&string, params, scope_params)
+    let mut builder = builder
+        .code_with_params(&string, params, scope_params)
         .map_err(|e| ParseError("datalog statements".to_string(), e.to_string()))?;
 
     if let Some(ctx) = context {
-        builder.set_context(ctx.to_owned());
+        builder = builder.context(ctx.to_owned());
     }
 
-    Ok(())
+    Ok(builder)
 }
 
 pub fn read_authorizer_from(
     from: &DatalogInput,
     all_params: &[Param],
-    authorizer: &mut Authorizer,
-) -> Result<()> {
+    builder: AuthorizerBuilder,
+) -> Result<AuthorizerBuilder> {
     let string = match from {
         DatalogInput::FromEditor => read_editor_string()?,
         DatalogInput::FromStdin => read_stdin_string("datalog program")?,
@@ -223,14 +224,14 @@ pub fn read_authorizer_from(
             }
         }
     }
-    authorizer
-        .add_code_with_params(&string, params, scope_params)
+    let builder = builder
+        .code_with_params(&string, params, scope_params)
         .map_err(|e| ParseError("datalog statements".to_string(), e.to_string()))?;
 
-    Ok(())
+    Ok(builder)
 }
 
-pub fn read_private_key_from(from: &KeyBytes) -> Result<PrivateKey> {
+pub fn read_private_key_from(from: &KeyBytes, alg: Algorithm) -> Result<PrivateKey> {
     let bytes = match from {
         KeyBytes::FromStdin(KeyFormat::RawBytes) => read_stdin_bytes()?,
         KeyBytes::FromStdin(KeyFormat::HexKey) => {
@@ -246,11 +247,11 @@ pub fn read_private_key_from(from: &KeyBytes) -> Result<PrivateKey> {
         )?,
         KeyBytes::HexString(str) => hex::decode(str)?,
     };
-    PrivateKey::from_bytes(&bytes)
+    PrivateKey::from_bytes(&bytes, alg)
         .map_err(|e| ParseError("private key".to_string(), format!("{}", &e)).into())
 }
 
-pub fn read_public_key_from(from: &KeyBytes) -> Result<PublicKey> {
+pub fn read_public_key_from(from: &KeyBytes, alg: Algorithm) -> Result<PublicKey> {
     let bytes = match from {
         KeyBytes::FromStdin(KeyFormat::RawBytes) => read_stdin_bytes()?,
         KeyBytes::FromStdin(KeyFormat::HexKey) => {
@@ -266,7 +267,7 @@ pub fn read_public_key_from(from: &KeyBytes) -> Result<PublicKey> {
         )?,
         KeyBytes::HexString(str) => hex::decode(str)?,
     };
-    PublicKey::from_bytes(&bytes)
+    PublicKey::from_bytes(&bytes, alg)
         .map_err(|e| ParseError("public key".to_string(), format!("{}", &e)).into())
 }
 
@@ -424,7 +425,7 @@ pub fn parse_param(kv: &str) -> Result<Param, std::io::Error> {
         ))?;
         let bytes =
             hex::decode(hex_key).map_err(|e| Error::new(ErrorKind::Other, format!("{}", &e)));
-        let pubkey = PublicKey::from_bytes(&bytes?)
+        let pubkey = PublicKey::from_bytes(&bytes?, Algorithm::Ed25519)
             .map_err(|e| Error::new(ErrorKind::Other, format!("{}", &e)))?;
         Ok(Param::PublicKey(name.to_string(), pubkey))
       },