package biscuit_test
import (
"crypto/ed25519"
"crypto/rand"
"fmt"
"github.com/biscuit-auth/biscuit-go"
"github.com/biscuit-auth/biscuit-go/parser"
)
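// ExampleBiscuit walks a token through its whole life cycle: a root key pair
// is generated, an authority block holding four right(...) facts is built
// with the private root key, a second block restricting the token to "read"
// operations is appended to the deserialized token, and the result is then
// authorized twice against the public root key — once for a read, which is
// allowed, and once for a write, which the appended check rejects.
func ExampleBiscuit() {
	// crypto/rand.Reader is passed both to the key generation and to Append.
	rng := rand.Reader
	publicRoot, privateRoot, err := ed25519.GenerateKey(rng)
	if err != nil {
		panic(fmt.Errorf("failed to generate root key pair: %w", err))
	}

	// The authority block is built with the private root key; every fact
	// below is parsed from its Datalog source and added in order.
	builder := biscuit.NewBuilder(privateRoot)
	authorityFacts := []string{
		`right("/a/file1.txt", "read")`,
		`right("/a/file1.txt", "write")`,
		`right("/a/file2.txt", "read")`,
		`right("/a/file3.txt", "write")`,
	}
	for _, src := range authorityFacts {
		fact, err := parser.FromStringFact(src)
		if err != nil {
			panic(fmt.Errorf("failed to parse authority facts: %w", err))
		}
		if err := builder.AddAuthorityFact(fact); err != nil {
			panic(fmt.Errorf("failed to add authority facts: %w", err))
		}
	}

	b, err := builder.Build()
	if err != nil {
		panic(fmt.Errorf("failed to build biscuit: %w", err))
	}
	token, err := b.Serialize()
	if err != nil {
		panic(fmt.Errorf("failed to serialize biscuit: %w", err))
	}
	fmt.Printf("Token1 length: %d\n", len(token))

	// Attenuation: the block is appended to the deserialized token using only
	// rng and the block itself — the private root key is not involved here.
	deser, err := biscuit.Unmarshal(token)
	if err != nil {
		panic(fmt.Errorf("failed to deserialize biscuit: %w", err))
	}
	blockBuilder := deser.CreateBlock()
	// The check only succeeds when the operation supplied by the authorizer
	// is "read"; any other operation makes authorization of this token fail.
	check, err := parser.FromStringCheck(`check if resource($file), operation($permission), ["read"].contains($permission)`)
	if err != nil {
		panic(fmt.Errorf("failed to parse check: %w", err))
	}
	if err := blockBuilder.AddCheck(check); err != nil {
		panic(fmt.Errorf("failed to add block check: %w", err))
	}
	b2, err := deser.Append(rng, blockBuilder.Build())
	if err != nil {
		panic(fmt.Errorf("failed to append: %w", err))
	}
	token2, err := b2.Serialize()
	if err != nil {
		panic(fmt.Errorf("failed to serialize biscuit: %w", err))
	}
	fmt.Printf("Token2 length: %d\n", len(token2))

	// Verification: the authorizer is created from the public root key only;
	// the verifying side never sees the private key.
	b2, err = biscuit.Unmarshal(token2)
	if err != nil {
		panic(fmt.Errorf("failed to deserialize token: %w", err))
	}

	// First pass: resource("/a/file1.txt") + operation("read") — allowed.
	v1, err := b2.Authorizer(publicRoot)
	if err != nil {
		panic(fmt.Errorf("failed to create verifier: %w", err))
	}
	vfact1, err := parser.FromStringFact(`resource("/a/file1.txt")`)
	if err != nil {
		panic(fmt.Errorf("failed to parse verifier fact: %w", err))
	}
	v1.AddFact(vfact1)
	vfact2, err := parser.FromStringFact(`operation("read")`)
	if err != nil {
		panic(fmt.Errorf("failed to parse verifier fact: %w", err))
	}
	v1.AddFact(vfact2)
	policy, err := parser.FromStringPolicy(`allow if resource("/a/file1.txt")`)
	if err != nil {
		panic(fmt.Errorf("failed to parse verifier policy: %w", err))
	}
	v1.AddPolicy(policy)
	if err := v1.Authorize(); err != nil {
		// The authorizer's world is only dumped on the failing path, so the
		// expected Output below stays fixed.
		fmt.Println(v1.PrintWorld())
		fmt.Println("forbidden to read /a/file1.txt")
	} else {
		fmt.Println("allowed to read /a/file1.txt")
	}

	// Second pass: a fresh authorizer with operation("write") — the check in
	// the appended block rejects it even though the authority block grants
	// right("/a/file1.txt", "write").
	v1, err = b2.Authorizer(publicRoot)
	if err != nil {
		panic(fmt.Errorf("failed to create verifier: %w", err))
	}
	vfact1, err = parser.FromStringFact(`resource("/a/file1.txt")`)
	if err != nil {
		panic(fmt.Errorf("failed to parse verifier fact: %w", err))
	}
	v1.AddFact(vfact1)
	vfact2, err = parser.FromStringFact(`operation("write")`)
	if err != nil {
		panic(fmt.Errorf("failed to parse verifier fact: %w", err))
	}
	v1.AddFact(vfact2)
	policy, err = parser.FromStringPolicy(`allow if resource("/a/file1.txt")`)
	if err != nil {
		panic(fmt.Errorf("failed to parse verifier policy: %w", err))
	}
	v1.AddPolicy(policy)
	if err := v1.Authorize(); err != nil {
		fmt.Println("forbidden to write /a/file1.txt")
	} else {
		fmt.Println("allowed to write /a/file1.txt")
	}
	// Output: Token1 length: 260
	// Token2 length: 446
	// allowed to read /a/file1.txt
	// forbidden to write /a/file1.txt
}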