Finalize check-all

biscuit-auth · Jun 2, 2024 · 53b5402 · 53b5402
1 parent 700c04b
commit 53b5402
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 10 deletions.
diff --git a/authorizer.go b/authorizer.go
@@ -235,11 +235,6 @@ func (v *authorizer) Authorize() error {
 func (v *authorizer) applyCheck(ch *Check, errs []error, world *datalog.World, block string, idx int) []error {
 	c := ch.convert(v.symbols)
 
-	if c.CheckKind != datalog.CheckKindOne {
-		errs = append(errs, errors.New("whazzat check kind?"))
-		return errs
-	}
-
 	successful := false
 	for _, query := range c.Queries {
 		res := world.QueryRuleExtended(query, v.symbols, c.CheckKind)

diff --git a/datalog/datalog.go b/datalog/datalog.go
@@ -207,7 +207,9 @@ func (r Rule) ApplyExtended(facts *FactSet, newFacts *FactSet, syms *SymbolTable
 	// extract all variables from the rule body
 	variables := r.collectVariables()
 
-	combinations := combine(variables, r.Body, r.Expressions, facts, syms)
+	matchAllExpr := kind == CheckKindAll
+
+	combinations := combine(variables, r.Body, r.Expressions, facts, syms, matchAllExpr)
 
 	for res := range combinations {
 		if res.error != nil {
@@ -466,7 +468,7 @@ func (w *World) QueryRule(rule Rule, syms *SymbolTable) *FactSet {
 func (w *World) QueryRuleExtended(rule Rule, syms *SymbolTable, kind CheckKind) *FactSet {
 	newFacts := &FactSet{}
 	err := rule.ApplyExtended(w.facts, newFacts, syms, kind)
-	if err != nil { // TODO: this check was missing from mainline code. Report as security vuln?
+	if err != nil { // TODO: this check was missing from mainline code.
 		return &FactSet{}
 	}
 	return newFacts
@@ -510,7 +512,7 @@ func (m MatchedVariables) Clone() MatchedVariables {
 	return res
 }
 
-func combine(variables MatchedVariables, predicates []Predicate, expressions []Expression, facts *FactSet, syms *SymbolTable) <-chan struct {
+func combine(variables MatchedVariables, predicates []Predicate, expressions []Expression, facts *FactSet, syms *SymbolTable, matchAllExpr bool) <-chan struct {
 	MatchedVariables
 	error
 } {
@@ -601,8 +603,17 @@ func combine(variables MatchedVariables, predicates []Predicate, expressions []E
 							return
 						}
 						if !res.Equal(Bool(true)) {
-							valid = false
-							break
+							if !matchAllExpr {
+								valid = false
+								break
+							} else {
+								c <- struct {
+									MatchedVariables
+									error
+								}{complete_vars, fmt.Errorf("one or more expressions failed to match")}
+
+								return
+							}
 						}
 					}