From 6ec7d12e5c7bdc13712a19c60d464bff6ce27bb1 Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Sun, 7 Jan 2024 15:50:03 +0100 Subject: [PATCH 1/8] WiP --- .../biscuitsec/biscuit/token/SamplesTest.java | 149 +- src/test/resources/samples/README | 2343 +++++++++++++++++ src/test/resources/samples/samples.json | 1024 +++++-- src/test/resources/samples/test001_basic.bc | Bin 358 -> 358 bytes .../samples/test002_different_root_key.bc | Bin 321 -> 321 bytes .../test003_invalid_signature_format.bc | Bin 309 -> 309 bytes .../resources/samples/test004_random_block.bc | Bin 347 -> 347 bytes .../samples/test005_invalid_signature.bc | Bin 358 -> 358 bytes .../samples/test006_reordered_blocks.bc | Bin 485 -> 485 bytes .../resources/samples/test007_scoped_rules.bc | Bin 535 -> 535 bytes .../samples/test008_scoped_checks.bc | Bin 454 -> 454 bytes .../samples/test009_expired_token.bc | Bin 338 -> 321 bytes .../samples/test010_authorizer_scope.bc | Bin 302 -> 302 bytes .../test011_authorizer_authority_caveats.bc | Bin 169 -> 169 bytes .../samples/test012_authority_caveats.bc | Bin 171 -> 171 bytes .../resources/samples/test013_block_rules.bc | Bin 490 -> 490 bytes .../samples/test014_regex_constraint.bc | Bin 205 -> 205 bytes .../samples/test015_multi_queries_caveats.bc | Bin 183 -> 183 bytes .../samples/test016_caveat_head_name.bc | Bin 298 -> 298 bytes .../resources/samples/test017_expressions.bc | Bin 1609 -> 1725 bytes .../test018_unbound_variables_in_rule.bc | Bin 323 -> 323 bytes ...st019_generating_ambient_from_variables.bc | Bin 297 -> 297 bytes src/test/resources/samples/test020_sealed.bc | Bin 390 -> 390 bytes src/test/resources/samples/test021_parsing.bc | Bin 188 -> 188 bytes .../samples/test022_default_symbols.bc | Bin 428 -> 428 bytes .../samples/test023_execution_scope.bc | Bin 461 -> 461 bytes .../resources/samples/test024_third_party.bc | Bin 458 -> 458 bytes .../resources/samples/test025_check_all.bc | Bin 258 -> 258 bytes .../samples/test026_public_keys_interning.bc | Bin 1316 -> 1316 bytes .../samples/test027_integer_wraparound.bc | Bin 329 -> 329 bytes 30 files changed, 3255 insertions(+), 261 deletions(-) create mode 100644 src/test/resources/samples/README diff --git a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java index 5e8af47c..a230345a 100644 --- a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java +++ b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java @@ -2,12 +2,17 @@ import biscuit.format.schema.Schema; import com.google.gson.*; +import com.google.protobuf.MapEntry; +import io.vavr.Tuple2; import org.biscuitsec.biscuit.crypto.KeyPair; import org.biscuitsec.biscuit.crypto.PublicKey; +import org.biscuitsec.biscuit.datalog.Rule; import org.biscuitsec.biscuit.datalog.RunLimits; +import org.biscuitsec.biscuit.datalog.TrustedOrigins; import org.biscuitsec.biscuit.error.Error; import io.vavr.control.Either; import io.vavr.control.Try; +import org.biscuitsec.biscuit.token.builder.Check; import org.junit.jupiter.api.DynamicTest; import org.junit.jupiter.api.TestFactory; @@ -15,9 +20,7 @@ import java.io.InputStream; import java.io.InputStreamReader; import java.time.Duration; -import java.util.Collections; -import java.util.List; -import java.util.Map; +import java.util.*; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -85,17 +88,14 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, if(validation.has("world") && !validation.get("world").isJsonNull()) { World world = new Gson().fromJson(validation.get("world").getAsJsonObject(), World.class); - World authorizerWorld = new World( - authorizer.facts().stream().map(f -> f.toString()).collect(Collectors.toList()), - authorizer.rules().stream().map(r -> r.toString()).collect(Collectors.toList()), - authorizer.checks().stream().map(c -> c.toString()).collect(Collectors.toList()), - authorizer.policies().stream().map(p -> p.toString()).collect(Collectors.toList()) - ); - Collections.sort(world.facts); + + World authorizerWorld = new World(authorizer); + + //Collections.sort(world.facts); /*Collections.sort(world.rules); Collections.sort(world.checks); Collections.sort(world.policies);*/ - Collections.sort(authorizerWorld.facts); + //Collections.sort(authorizerWorld.facts); /*Collections.sort(authorizerWorld.rules); Collections.sort(authorizerWorld.checks); Collections.sort(authorizerWorld.policies);*/ @@ -125,14 +125,10 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, if(validation.has("world") && !validation.get("world").isJsonNull()) { World world = new Gson().fromJson(validation.get("world").getAsJsonObject(), World.class); - World authorizerWorld = new World( - authorizer.facts().stream().map(f -> f.toString()).collect(Collectors.toList()), - authorizer.rules().stream().map(r -> r.toString()).collect(Collectors.toList()), - authorizer.checks().stream().map(c -> c.toString()).collect(Collectors.toList()), - authorizer.policies().stream().map(p -> p.toString()).collect(Collectors.toList()) - ); - Collections.sort(world.facts); - Collections.sort(authorizerWorld.facts); + World authorizerWorld = new World(authorizer); + + //Collections.sort(world.facts); + //Collections.sort(authorizerWorld.facts); /*Collections.sort(authorizerWorld.rules); Collections.sort(authorizerWorld.checks); Collections.sort(authorizerWorld.policies);*/ @@ -291,18 +287,63 @@ public void setTestcases(List testcases) { } class World { - List facts; - List rules; - List checks; + List facts; + List rules; + List checks; List policies; - public World(List facts, List rules, List checks, List policies) { + public World(List facts, List rules, List checks, List policies) { this.facts = facts; this.rules = rules; this.checks = checks; this.policies = policies; } + public World(Authorizer authorizer) { + this.facts = authorizer.facts().facts().entrySet().stream().map(entry -> { + ArrayList origin = new ArrayList<>(entry.getKey().inner); + Collections.sort(origin); + ArrayList facts = new ArrayList<>(entry.getValue().stream() + .map(r -> r.toString()).collect(Collectors.toList())); + Collections.sort(facts); + + return new FactSet(origin, facts); + }).collect(Collectors.toList()); + + HashMap> rules = new HashMap<>(); + for(List> l: authorizer.rules().rules.values()) { + for(Tuple2 t: l) { + if (!rules.containsKey(t._1)) { + rules.put(t._1, new ArrayList<>()); + } + rules.get(t._1).add(authorizer.symbols.print_rule(t._2)); + } + } + for(Map.Entry> entry: rules.entrySet()) { + Collections.sort(entry.getValue()); + } + List rulesets = rules.entrySet().stream() + .map(entry -> new RuleSet(entry.getKey(), entry.getValue())) + .collect(Collectors.toList()); + Collections.sort(rulesets); + + this.rules = rulesets; + + List checksets = authorizer.checks().stream() + .map((Tuple2> t) -> { + List checks = t._2.stream().map(c -> c.toString()).collect(Collectors.toList()); + Collections.sort(checks); + if(t._1 == null) { + return new CheckSet(checks); + } else { + return new CheckSet(t._1, checks); + } + }).collect(Collectors.toList()); + + this.checks = checksets; + this.policies = authorizer.policies().stream().map(p -> p.toString()).collect(Collectors.toList()); + } + @Override public String toString() { return "World{\n" + @@ -313,4 +354,66 @@ public String toString() { '}'; } } + + class FactSet { + List origin; + List facts; + + public FactSet(List origin, List facts) { + this.origin = origin; + this.facts = facts; + } + } + + class RuleSet implements Comparable { + Long origin; + List rules; + + public RuleSet(Long origin, List rules) { + this.origin = origin; + this.rules = rules; + } + + @Override + public int compareTo(RuleSet ruleSet) { + // we only compare origin to sort the list of rulesets + // there's only one of each origin so we don't need to compare the list of rules + if(this.origin == null) { + return -1; + } else if (ruleSet.origin == null) { + return 1; + } else { + return this.origin.compareTo(ruleSet.origin); + } + } + } + + class CheckSet implements Comparable { + Long origin; + List checks; + + public CheckSet(Long origin, List checks) { + this.origin = origin; + this.checks = checks; + } + + public CheckSet(List checks) { + this.origin = null; + this.checks = checks; + } + + @Override + public int compareTo(RuleSet ruleSet) { + // we only compare origin to sort the list of checksets + // there's only one of each origin so we don't need to compare the list of rules + if(this.origin == null) { + return -1; + } else if (ruleSet.origin == null) { + return 1; + } else { + return this.origin.compareTo(ruleSet.origin); + } + } + } + } diff --git a/src/test/resources/samples/README b/src/test/resources/samples/README new file mode 100644 index 00000000..0f915a7b --- /dev/null +++ b/src/test/resources/samples/README @@ -0,0 +1,2343 @@ +# Biscuit samples and expected results + +root secret key: 99e87b0e9158531eeeb503ff15266e2b23c2a2507b138c9d1b1f2ab458df2d61 +root public key: 1055c750b1a1505937af1537c626ba3263995c33a64758aaafb1275b0312e284 + +------------------------------ + +## basic token: test001_basic.bc +### token + +authority: +symbols: ["file1", "file2"] + +public keys: [] + +``` +right("file1", "read"); +right("file2", "read"); +right("file1", "write"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +### validation + +authorizer code: +``` +resource("file1"); + +allow if true; +``` + +revocation ids: +- `7595a112a1eb5b81a6e398852e6118b7f5b8cbbff452778e655100e5fb4faa8d3a2af52fe2c4f9524879605675fae26adbc4783e0cafc43522fa82385f396c03` +- `45f4c14f9d9e8fa044d68be7a2ec8cddb835f575c7b913ec59bd636c70acae9a90db9064ba0b3084290ed0c422bbb7170092a884f5e0202b31e9235bbcc1650d` + +authorizer world: +``` +World { + facts: { + ( + "resource(\"file1\")", + { + None, + }, + ), + ( + "right(\"file1\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file1\", \"write\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file2\", \"read\")", + { + Some( + 0, + ), + }, + ), +} + rules: {} + checks: { + "check if resource($0), operation(\"read\"), right($0, \"read\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if resource($0), operation(\"read\"), right($0, \"read\")" })] }))` + + +------------------------------ + +## different root key: test002_different_root_key.bc +### token + +authority: +symbols: ["file1"] + +public keys: [] + +``` +right("file1", "read"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +### validation + +result: `Err(Format(Signature(InvalidSignature("signature error: Verification equation was not satisfied"))))` + + +------------------------------ + +## invalid signature format: test003_invalid_signature_format.bc +### token + +authority: +symbols: ["file1", "file2"] + +public keys: [] + +``` +right("file1", "read"); +right("file2", "read"); +right("file1", "write"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +### validation + +result: `Err(Format(InvalidSignatureSize(16)))` + + +------------------------------ + +## random block: test004_random_block.bc +### token + +authority: +symbols: ["file1", "file2"] + +public keys: [] + +``` +right("file1", "read"); +right("file2", "read"); +right("file1", "write"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +### validation + +result: `Err(Format(Signature(InvalidSignature("signature error: Verification equation was not satisfied"))))` + + +------------------------------ + +## invalid signature: test005_invalid_signature.bc +### token + +authority: +symbols: ["file1", "file2"] + +public keys: [] + +``` +right("file1", "read"); +right("file2", "read"); +right("file1", "write"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +### validation + +result: `Err(Format(Signature(InvalidSignature("signature error: Verification equation was not satisfied"))))` + + +------------------------------ + +## reordered blocks: test006_reordered_blocks.bc +### token + +authority: +symbols: ["file1", "file2"] + +public keys: [] + +``` +right("file1", "read"); +right("file2", "read"); +right("file1", "write"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +2: +symbols: [] + +public keys: [] + +``` +check if resource("file1"); +``` + +### validation + +result: `Err(Format(Signature(InvalidSignature("signature error: Verification equation was not satisfied"))))` + + +------------------------------ + +## scoped rules: test007_scoped_rules.bc +### token + +authority: +symbols: ["user_id", "alice", "file1"] + +public keys: [] + +``` +user_id("alice"); +owner("alice", "file1"); +``` + +1: +symbols: ["0", "1"] + +public keys: [] + +``` +right($0, "read") <- resource($0), user_id($1), owner($1, $0); +check if resource($0), operation("read"), right($0, "read"); +``` + +2: +symbols: ["file2"] + +public keys: [] + +``` +owner("alice", "file2"); +``` + +### validation + +authorizer code: +``` +resource("file2"); +operation("read"); + +allow if true; +``` + +revocation ids: +- `4d86c9af808dc2e0583f47282e6f5df3e09dc264d5231ec360b4519e15ddaeec60b25a9bbcb22e8d192f4d36a0da3f9243711e30535b00ee55c53cb1395f230a` +- `63208c668c66f3ba6927140ba37533593b25e03459447805d4b2a8b75adeef45794c3d7249afe506ed77ccee276160bb4052a4009302bd34871a440f070b4509` +- `d8da982888eae8c038e4894a8c06fc57d8e5f06ad2e972b9cf4bde49ad60804558a0d1938192596c702d8e4f7f12ec19201d7c33d0cd77774a0d879a33880d02` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "owner(\"alice\", \"file1\")", + { + Some( + 0, + ), + }, + ), + ( + "owner(\"alice\", \"file2\")", + { + Some( + 2, + ), + }, + ), + ( + "resource(\"file2\")", + { + None, + }, + ), + ( + "user_id(\"alice\")", + { + Some( + 0, + ), + }, + ), +} + rules: { + ( + "right($0, \"read\") <- resource($0), user_id($1), owner($1, $0)", + Some( + 1, + ), + ), +} + checks: { + "check if resource($0), operation(\"read\"), right($0, \"read\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if resource($0), operation(\"read\"), right($0, \"read\")" })] }))` + + +------------------------------ + +## scoped checks: test008_scoped_checks.bc +### token + +authority: +symbols: ["file1"] + +public keys: [] + +``` +right("file1", "read"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +2: +symbols: ["file2"] + +public keys: [] + +``` +right("file2", "read"); +``` + +### validation + +authorizer code: +``` +resource("file2"); +operation("read"); + +allow if true; +``` + +revocation ids: +- `a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00` +- `77df45442be86a416aa02fd9d98d6d4703c634a9e3b1d293b41f5dc97849afbe7faeec8c22a210574888acc008fb64fe691ec9e8d2655586f970d9a6b6577000` +- `b31398aefe97d3db41ebc445760f216fb3aa7bf7439adcfc3a07489bfcc163970af3f4e20f5460aa24cf841101a5ab114d21acc0ee8d442bae7793b121284900` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "resource(\"file2\")", + { + None, + }, + ), + ( + "right(\"file1\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file2\", \"read\")", + { + Some( + 2, + ), + }, + ), +} + rules: {} + checks: { + "check if resource($0), operation(\"read\"), right($0, \"read\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if resource($0), operation(\"read\"), right($0, \"read\")" })] }))` + + +------------------------------ + +## expired token: test009_expired_token.bc +### token + +authority: +symbols: [] + +public keys: [] + +``` +``` + +1: +symbols: ["file1"] + +public keys: [] + +``` +check if resource("file1"); +check if time($time), $time <= 2018-12-20T00:00:00Z; +``` + +### validation + +authorizer code: +``` +resource("file1"); +operation("read"); +time(2020-12-21T09:23:12Z); + +allow if true; +``` + +revocation ids: +- `c248907bb6e5f433bbb5edf6367b399ebefca0d321d0b2ea9fc67f66dc1064ce926adb0c05d90c3e8a2833328b3578f79c4e1bca43583d9bcfb2ba6c37303d00` +- `a4edf7aaea8658bb9ae19b3ffe2adcc77cc9f16c249aeb0a85a584b5362f89f27f7c67ac0af16d7170673d6d1fb1563d1934b25ec5a461f6c01fa49805cd5e07` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "resource(\"file1\")", + { + None, + }, + ), + ( + "time(2020-12-21T09:23:12Z)", + { + None, + }, + ), +} + rules: {} + checks: { + "check if resource(\"file1\")", + "check if time($time), $time <= 2018-12-20T00:00:00Z", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 1, check_id: 1, rule: "check if time($time), $time <= 2018-12-20T00:00:00Z" })] }))` + + +------------------------------ + +## authorizer scope: test010_authorizer_scope.bc +### token + +authority: +symbols: ["file1"] + +public keys: [] + +``` +right("file1", "read"); +``` + +1: +symbols: ["file2"] + +public keys: [] + +``` +right("file2", "read"); +``` + +### validation + +authorizer code: +``` +resource("file2"); +operation("read"); + +check if right($0, $1), resource($0), operation($1); + +allow if true; +``` + +revocation ids: +- `a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00` +- `966eceb2aa937c41b25368808bab6e0698c02a4038de669d007c9c3d43602638a640083558d1576ac80cf3eb2ac6a7585527e0f6c1a65402f0935cf7f4df8005` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "resource(\"file2\")", + { + None, + }, + ), + ( + "right(\"file1\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file2\", \"read\")", + { + Some( + 1, + ), + }, + ), +} + rules: {} + checks: { + "check if right($0, $1), resource($0), operation($1)", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Authorizer(FailedAuthorizerCheck { check_id: 0, rule: "check if right($0, $1), resource($0), operation($1)" })] }))` + + +------------------------------ + +## authorizer authority checks: test011_authorizer_authority_caveats.bc +### token + +authority: +symbols: ["file1"] + +public keys: [] + +``` +right("file1", "read"); +``` + +### validation + +authorizer code: +``` +resource("file2"); +operation("read"); + +check if right($0, $1), resource($0), operation($1); + +allow if true; +``` + +revocation ids: +- `a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "resource(\"file2\")", + { + None, + }, + ), + ( + "right(\"file1\", \"read\")", + { + Some( + 0, + ), + }, + ), +} + rules: {} + checks: { + "check if right($0, $1), resource($0), operation($1)", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Authorizer(FailedAuthorizerCheck { check_id: 0, rule: "check if right($0, $1), resource($0), operation($1)" })] }))` + + +------------------------------ + +## authority checks: test012_authority_caveats.bc +### token + +authority: +symbols: ["file1"] + +public keys: [] + +``` +check if resource("file1"); +``` + +### validation for "file1" + +authorizer code: +``` +resource("file1"); +operation("read"); + +allow if true; +``` + +revocation ids: +- `6a8f90dad67ae2ac188460463914ae7326fda431c80785755f4edcc15f1a53911f7366e606ad80cbbeba94672e42713e88632a932128f1d796ce9ba7d7a0b80a` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "resource(\"file1\")", + { + None, + }, + ), +} + rules: {} + checks: { + "check if resource(\"file1\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` +### validation for "file2" + +authorizer code: +``` +resource("file2"); +operation("read"); + +allow if true; +``` + +revocation ids: +- `6a8f90dad67ae2ac188460463914ae7326fda431c80785755f4edcc15f1a53911f7366e606ad80cbbeba94672e42713e88632a932128f1d796ce9ba7d7a0b80a` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "resource(\"file2\")", + { + None, + }, + ), +} + rules: {} + checks: { + "check if resource(\"file1\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(\"file1\")" })] }))` + + +------------------------------ + +## block rules: test013_block_rules.bc +### token + +authority: +symbols: ["file1", "file2"] + +public keys: [] + +``` +right("file1", "read"); +right("file2", "read"); +``` + +1: +symbols: ["valid_date", "0", "1"] + +public keys: [] + +``` +valid_date("file1") <- time($0), resource("file1"), $0 <= 2030-12-31T12:59:59Z; +valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, !["file1"].contains($1); +check if valid_date($0), resource($0); +``` + +### validation for "file1" + +authorizer code: +``` +resource("file1"); +time(2020-12-21T09:23:12Z); + +allow if true; +``` + +revocation ids: +- `c46d071ff3f33434223c8305fdad529f62bf78bb5d9cbfc2a345d4bca6bf314014840e18ba353f86fdb9073d58b12b8c872ac1f8e593c2e9064b90f6c2ede006` +- `a0c4c163a0b3ca406df4ece3d1371356190df04208eccef72f77e875ed0531b5d37e243d6f388b1967776a5dfd16ef228f19c5bdd6d2820f145c5ed3c3dcdc00` + +authorizer world: +``` +World { + facts: { + ( + "resource(\"file1\")", + { + None, + }, + ), + ( + "right(\"file1\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file2\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "time(2020-12-21T09:23:12Z)", + { + None, + }, + ), + ( + "valid_date(\"file1\")", + { + None, + Some( + 1, + ), + }, + ), +} + rules: { + ( + "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", + Some( + 1, + ), + ), + ( + "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)", + Some( + 1, + ), + ), +} + checks: { + "check if valid_date($0), resource($0)", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` +### validation for "file2" + +authorizer code: +``` +resource("file2"); +time(2020-12-21T09:23:12Z); + +allow if true; +``` + +revocation ids: +- `c46d071ff3f33434223c8305fdad529f62bf78bb5d9cbfc2a345d4bca6bf314014840e18ba353f86fdb9073d58b12b8c872ac1f8e593c2e9064b90f6c2ede006` +- `a0c4c163a0b3ca406df4ece3d1371356190df04208eccef72f77e875ed0531b5d37e243d6f388b1967776a5dfd16ef228f19c5bdd6d2820f145c5ed3c3dcdc00` + +authorizer world: +``` +World { + facts: { + ( + "resource(\"file2\")", + { + None, + }, + ), + ( + "right(\"file1\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file2\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "time(2020-12-21T09:23:12Z)", + { + None, + }, + ), +} + rules: { + ( + "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", + Some( + 1, + ), + ), + ( + "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)", + Some( + 1, + ), + ), +} + checks: { + "check if valid_date($0), resource($0)", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if valid_date($0), resource($0)" })] }))` + + +------------------------------ + +## regex_constraint: test014_regex_constraint.bc +### token + +authority: +symbols: ["0", "file[0-9]+.txt"] + +public keys: [] + +``` +check if resource($0), $0.matches("file[0-9]+.txt"); +``` + +### validation for "file1" + +authorizer code: +``` +resource("file1"); + +allow if true; +``` + +revocation ids: +- `da42718ad2631c12d3a44b7710dcc76c6c7809c6bc3a2d7eb0378c4154eae10e0884a8d54a2cd25ca3dfe01091d816ebbb9d246227baf7a359a787cb2344ad07` + +authorizer world: +``` +World { + facts: { + ( + "resource(\"file1\")", + { + None, + }, + ), +} + rules: {} + checks: { + "check if resource($0), $0.matches(\"file[0-9]+.txt\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource($0), $0.matches(\"file[0-9]+.txt\")" })] }))` +### validation for "file123" + +authorizer code: +``` +resource("file123.txt"); + +allow if true; +``` + +revocation ids: +- `da42718ad2631c12d3a44b7710dcc76c6c7809c6bc3a2d7eb0378c4154eae10e0884a8d54a2cd25ca3dfe01091d816ebbb9d246227baf7a359a787cb2344ad07` + +authorizer world: +``` +World { + facts: { + ( + "resource(\"file123.txt\")", + { + None, + }, + ), +} + rules: {} + checks: { + "check if resource($0), $0.matches(\"file[0-9]+.txt\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + + +------------------------------ + +## multi queries checks: test015_multi_queries_caveats.bc +### token + +authority: +symbols: ["must_be_present", "hello"] + +public keys: [] + +``` +must_be_present("hello"); +``` + +### validation + +authorizer code: +``` +check if must_be_present($0) or must_be_present($0); + +allow if true; +``` + +revocation ids: +- `b0d466d31e015fa85a075fa875f7e1c9017edd503fee9f62a5f033e1fcfa811074b6e39dfe5af2f452043db97a3f98650592a370f5685b62c5d6abf9dd10b603` + +authorizer world: +``` +World { + facts: { + ( + "must_be_present(\"hello\")", + { + Some( + 0, + ), + }, + ), +} + rules: {} + checks: { + "check if must_be_present($0) or must_be_present($0)", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + + +------------------------------ + +## check head name should be independent from fact names: test016_caveat_head_name.bc +### token + +authority: +symbols: ["hello"] + +public keys: [] + +``` +check if resource("hello"); +``` + +1: +symbols: ["test"] + +public keys: [] + +``` +query("test"); +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `ce6f804f4390e693a8853d9a4a10bd4f3c94b86b7c6d671993a6e19346bc4d20bbb52cc945e5d0d02e4e75fa5da2caa99764050190353564a0a0b4b276809402` +- `916d566cc724e0773046fc5266e9d0d804311435b8d6955b332f823ab296be9a78dfea190447732ac9f6217234cf5726becf88f65169c6de56a766af55451b0f` + +authorizer world: +``` +World { + facts: { + ( + "query(\"test\")", + { + Some( + 1, + ), + }, + ), +} + rules: {} + checks: { + "check if resource(\"hello\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if resource(\"hello\")" })] }))` + + +------------------------------ + +## test expression syntax and all available operations: test017_expressions.bc +### token + +authority: +symbols: ["hello world", "hello", "world", "aaabde", "a*c?.e", "abd", "aaa", "b", "de", "abcD12", "abc", "def"] + +public keys: [] + +``` +check if true; +check if !false; +check if !false && true; +check if false || true; +check if (true || false) && true; +check if true == true; +check if false == false; +check if 1 < 2; +check if 2 > 1; +check if 1 <= 2; +check if 1 <= 1; +check if 2 >= 1; +check if 2 >= 2; +check if 3 == 3; +check if 1 + 2 * 3 - 4 / 2 == 5; +check if "hello world".starts_with("hello") && "hello world".ends_with("world"); +check if "aaabde".matches("a*c?.e"); +check if "aaabde".contains("abd"); +check if "aaabde" == "aaa" + "b" + "de"; +check if "abcD12" == "abcD12"; +check if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z; +check if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z; +check if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z; +check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z; +check if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z; +check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z; +check if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z; +check if hex:12ab == hex:12ab; +check if [1, 2].contains(2); +check if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z); +check if [false, true].contains(true); +check if ["abc", "def"].contains("abc"); +check if [hex:12ab, hex:34de].contains(hex:34de); +check if [1, 2].contains([2]); +check if [1, 2] == [1, 2]; +check if [1, 2].intersection([2, 3]) == [2]; +check if [1, 2].union([2, 3]) == [1, 2, 3]; +check if [1, 2, 3].intersection([1, 2]).contains(1); +check if [1, 2, 3].intersection([1, 2]).length() == 2; +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `f61b4cb4fc58777fec6c8d39fe62259dc3c78511868236c391e9f67ffd03a3a8b8e3042d4bacce0d5756d053f5afccd4c5e4df0597af44b36bdfab492e5fe50e` + +authorizer world: +``` +World { + facts: {} + rules: {} + checks: { + "check if !false", + "check if !false && true", + "check if \"aaabde\" == \"aaa\" + \"b\" + \"de\"", + "check if \"aaabde\".contains(\"abd\")", + "check if \"aaabde\".matches(\"a*c?.e\")", + "check if \"abcD12\" == \"abcD12\"", + "check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")", + "check if (true || false) && true", + "check if 1 + 2 * 3 - 4 / 2 == 5", + "check if 1 < 2", + "check if 1 <= 1", + "check if 1 <= 2", + "check if 2 > 1", + "check if 2 >= 1", + "check if 2 >= 2", + "check if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z", + "check if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z", + "check if 3 == 3", + "check if [\"abc\", \"def\"].contains(\"abc\")", + "check if [1, 2, 3].intersection([1, 2]).contains(1)", + "check if [1, 2, 3].intersection([1, 2]).length() == 2", + "check if [1, 2] == [1, 2]", + "check if [1, 2].contains(2)", + "check if [1, 2].contains([2])", + "check if [1, 2].intersection([2, 3]) == [2]", + "check if [1, 2].union([2, 3]) == [1, 2, 3]", + "check if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z)", + "check if [false, true].contains(true)", + "check if [hex:12ab, hex:34de].contains(hex:34de)", + "check if false == false", + "check if false || true", + "check if hex:12ab == hex:12ab", + "check if true", + "check if true == true", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + + +------------------------------ + +## invalid block rule with unbound_variables: test018_unbound_variables_in_rule.bc +### token + +authority: +symbols: [] + +public keys: [] + +``` +check if operation("read"); +``` + +1: +symbols: ["unbound", "any1", "any2"] + +public keys: [] + +``` +operation($unbound, "read") <- operation($any1, $any2); +``` + +### validation + +result: `Err(FailedLogic(InvalidBlockRule(0, "operation($unbound, \"read\") <- operation($any1, $any2)")))` + + +------------------------------ + +## invalid block rule generating an #authority or #ambient symbol with a variable: test019_generating_ambient_from_variables.bc +### token + +authority: +symbols: [] + +public keys: [] + +``` +check if operation("read"); +``` + +1: +symbols: ["any"] + +public keys: [] + +``` +operation("read") <- operation($any); +``` + +### validation + +authorizer code: +``` +operation("write"); + +allow if true; +``` + +revocation ids: +- `a44210c6a01e55eadefc7d8540c2e6eff80ab6eeedde4751de734f9d780435780680d3f42d826b7e0f0dcf4a5ba303fd4c116984bb30978813d46ed867924307` +- `d3f8822a9b9bc0ee3933283c493ca9e711be5dd8339b5fe2eba1de3805aad4e84d3e2fb4affb4a743f1289915c167582b9425343635e45b70573ea1ee7a1ea03` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + Some( + 1, + ), + }, + ), + ( + "operation(\"write\")", + { + None, + }, + ), +} + rules: { + ( + "operation(\"read\") <- operation($any)", + Some( + 1, + ), + ), +} + checks: { + "check if operation(\"read\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check if operation(\"read\")" })] }))` + + +------------------------------ + +## sealed token: test020_sealed.bc +### token + +authority: +symbols: ["file1", "file2"] + +public keys: [] + +``` +right("file1", "read"); +right("file2", "read"); +right("file1", "write"); +``` + +1: +symbols: ["0"] + +public keys: [] + +``` +check if resource($0), operation("read"), right($0, "read"); +``` + +### validation + +authorizer code: +``` +resource("file1"); +operation("read"); + +allow if true; +``` + +revocation ids: +- `7595a112a1eb5b81a6e398852e6118b7f5b8cbbff452778e655100e5fb4faa8d3a2af52fe2c4f9524879605675fae26adbc4783e0cafc43522fa82385f396c03` +- `45f4c14f9d9e8fa044d68be7a2ec8cddb835f575c7b913ec59bd636c70acae9a90db9064ba0b3084290ed0c422bbb7170092a884f5e0202b31e9235bbcc1650d` + +authorizer world: +``` +World { + facts: { + ( + "operation(\"read\")", + { + None, + }, + ), + ( + "resource(\"file1\")", + { + None, + }, + ), + ( + "right(\"file1\", \"read\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file1\", \"write\")", + { + Some( + 0, + ), + }, + ), + ( + "right(\"file2\", \"read\")", + { + Some( + 0, + ), + }, + ), +} + rules: {} + checks: { + "check if resource($0), operation(\"read\"), right($0, \"read\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + + +------------------------------ + +## parsing: test021_parsing.bc +### token + +authority: +symbols: ["ns::fact_123", "hello Ć©\tšŸ˜"] + +public keys: [] + +``` +ns::fact_123("hello Ć© šŸ˜"); +``` + +### validation + +authorizer code: +``` +check if ns::fact_123("hello Ć© šŸ˜"); + +allow if true; +``` + +revocation ids: +- `d4b2f417b6e906434fdf5058afcabfcb98d3628f814f1c9dd7e64250d9beec4465aff51bd0cb2e85d0e67dc9f613c2a42af6158c678bc6f8b4684cd3a2d0d302` + +authorizer world: +``` +World { + facts: { + ( + "ns::fact_123(\"hello Ć©\tšŸ˜\")", + { + Some( + 0, + ), + }, + ), +} + rules: {} + checks: { + "check if ns::fact_123(\"hello Ć©\tšŸ˜\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + + +------------------------------ + +## default_symbols: test022_default_symbols.bc +### token + +authority: +symbols: [] + +public keys: [] + +``` +read(0); +write(1); +resource(2); +operation(3); +right(4); +time(5); +role(6); +owner(7); +tenant(8); +namespace(9); +user(10); +team(11); +service(12); +admin(13); +email(14); +group(15); +member(16); +ip_address(17); +client(18); +client_ip(19); +domain(20); +path(21); +version(22); +cluster(23); +node(24); +hostname(25); +nonce(26); +query(27); +``` + +### validation + +authorizer code: +``` +check if read(0), write(1), resource(2), operation(3), right(4), time(5), role(6), owner(7), tenant(8), namespace(9), user(10), team(11), service(12), admin(13), email(14), group(15), member(16), ip_address(17), client(18), client_ip(19), domain(20), path(21), version(22), cluster(23), node(24), hostname(25), nonce(26), query(27); + +allow if true; +``` + +revocation ids: +- `75ce48d496fd28f99905901783a1ba46d7ff8d69f9d364d1546fd73006026eae51849ad1190a4ae521a0a1269f9c6951e226afba8fcd24fa50f679162439ae09` + +authorizer world: +``` +World { + facts: { + ( + "admin(13)", + { + Some( + 0, + ), + }, + ), + ( + "client(18)", + { + Some( + 0, + ), + }, + ), + ( + "client_ip(19)", + { + Some( + 0, + ), + }, + ), + ( + "cluster(23)", + { + Some( + 0, + ), + }, + ), + ( + "domain(20)", + { + Some( + 0, + ), + }, + ), + ( + "email(14)", + { + Some( + 0, + ), + }, + ), + ( + "group(15)", + { + Some( + 0, + ), + }, + ), + ( + "hostname(25)", + { + Some( + 0, + ), + }, + ), + ( + "ip_address(17)", + { + Some( + 0, + ), + }, + ), + ( + "member(16)", + { + Some( + 0, + ), + }, + ), + ( + "namespace(9)", + { + Some( + 0, + ), + }, + ), + ( + "node(24)", + { + Some( + 0, + ), + }, + ), + ( + "nonce(26)", + { + Some( + 0, + ), + }, + ), + ( + "operation(3)", + { + Some( + 0, + ), + }, + ), + ( + "owner(7)", + { + Some( + 0, + ), + }, + ), + ( + "path(21)", + { + Some( + 0, + ), + }, + ), + ( + "query(27)", + { + Some( + 0, + ), + }, + ), + ( + "read(0)", + { + Some( + 0, + ), + }, + ), + ( + "resource(2)", + { + Some( + 0, + ), + }, + ), + ( + "right(4)", + { + Some( + 0, + ), + }, + ), + ( + "role(6)", + { + Some( + 0, + ), + }, + ), + ( + "service(12)", + { + Some( + 0, + ), + }, + ), + ( + "team(11)", + { + Some( + 0, + ), + }, + ), + ( + "tenant(8)", + { + Some( + 0, + ), + }, + ), + ( + "time(5)", + { + Some( + 0, + ), + }, + ), + ( + "user(10)", + { + Some( + 0, + ), + }, + ), + ( + "version(22)", + { + Some( + 0, + ), + }, + ), + ( + "write(1)", + { + Some( + 0, + ), + }, + ), +} + rules: {} + checks: { + "check if read(0), write(1), resource(2), operation(3), right(4), time(5), role(6), owner(7), tenant(8), namespace(9), user(10), team(11), service(12), admin(13), email(14), group(15), member(16), ip_address(17), client(18), client_ip(19), domain(20), path(21), version(22), cluster(23), node(24), hostname(25), nonce(26), query(27)", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + + +------------------------------ + +## execution scope: test023_execution_scope.bc +### token + +authority: +symbols: ["authority_fact"] + +public keys: [] + +``` +authority_fact(1); +``` + +1: +symbols: ["block1_fact"] + +public keys: [] + +``` +block1_fact(1); +``` + +2: +symbols: ["var"] + +public keys: [] + +``` +check if authority_fact($var); +check if block1_fact($var); +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `f9b49866caef5ece7be14ec5a9b36d98ca81d06b306eb0b4c57cd7436af176f40ee972f40903f87ec4460ab8b1adfcbfa9b19b20a6955a1e8dae7d88b2076005` +- `889054b9119e4440e54da1b63266a98d0f6646cde195fef206efd8b133cfb2ee7be49b32a9a5925ece452e64f9e6f6d80dab422e916c599675dd68cdea053802` +- `0a85ffbf27e08aa23665ba0d96a985b274d747556c9f016fd7f590c641ed0e4133291521aa442b320ee9ce80f5ad701b914a0c87b3dfa0cc92629dce94201806` + +authorizer world: +``` +World { + facts: { + ( + "authority_fact(1)", + { + Some( + 0, + ), + }, + ), + ( + "block1_fact(1)", + { + Some( + 1, + ), + }, + ), +} + rules: {} + checks: { + "check if authority_fact($var)", + "check if block1_fact($var)", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 2, check_id: 1, rule: "check if block1_fact($var)" })] }))` + + +------------------------------ + +## third party: test024_third_party.bc +### token + +authority: +symbols: [] + +public keys: ["ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] + +``` +right("read"); +check if group("admin") trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; +``` + +1: +symbols: [] + +public keys: [] + +external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + +``` +group("admin"); +check if right("read"); +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03` +- `93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405` + +authorizer world: +``` +World { + facts: { + ( + "group(\"admin\")", + { + Some( + 1, + ), + }, + ), + ( + "right(\"read\")", + { + Some( + 0, + ), + }, + ), +} + rules: {} + checks: { + "check if group(\"admin\") trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if right(\"read\")", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + + +------------------------------ + +## block rules: test025_check_all.bc +### token + +authority: +symbols: ["allowed_operations", "A", "B", "op", "allowed"] + +public keys: [] + +``` +allowed_operations(["A", "B"]); +check all operation($op), allowed_operations($allowed), $allowed.contains($op); +``` + +### validation for "A, B" + +authorizer code: +``` +operation("A"); +operation("B"); + +allow if true; +``` + +revocation ids: +- `c456817012e1d523c6d145b6d6a3475d9f7dd4383c535454ff3f745ecf4234984ce09b9dec0551f3d783abe850f826ce43b12f1fd91999a4753a56ecf4c56d0d` + +authorizer world: +``` +World { + facts: { + ( + "allowed_operations([\"A\", \"B\"])", + { + Some( + 0, + ), + }, + ), + ( + "operation(\"A\")", + { + None, + }, + ), + ( + "operation(\"B\")", + { + None, + }, + ), +} + rules: {} + checks: { + "check all operation($op), allowed_operations($allowed), $allowed.contains($op)", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` +### validation for "A, invalid" + +authorizer code: +``` +operation("A"); +operation("invalid"); + +allow if true; +``` + +revocation ids: +- `c456817012e1d523c6d145b6d6a3475d9f7dd4383c535454ff3f745ecf4234984ce09b9dec0551f3d783abe850f826ce43b12f1fd91999a4753a56ecf4c56d0d` + +authorizer world: +``` +World { + facts: { + ( + "allowed_operations([\"A\", \"B\"])", + { + Some( + 0, + ), + }, + ), + ( + "operation(\"A\")", + { + None, + }, + ), + ( + "operation(\"invalid\")", + { + None, + }, + ), +} + rules: {} + checks: { + "check all operation($op), allowed_operations($allowed), $allowed.contains($op)", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedBlockCheck { block_id: 0, check_id: 0, rule: "check all operation($op), allowed_operations($allowed), $allowed.contains($op)" })] }))` + + +------------------------------ + +## public keys interning: test026_public_keys_interning.bc +### token + +authority: +symbols: [] + +public keys: ["ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] + +``` +query(0); +check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; +``` + +1: +symbols: [] + +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"] + +external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + +``` +query(1); +query(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; +``` + +2: +symbols: [] + +public keys: [] + +external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + +``` +query(2); +check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; +``` + +3: +symbols: [] + +public keys: [] + +external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + +``` +query(3); +check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; +``` + +4: +symbols: [] + +public keys: ["ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"] + +``` +query(4); +check if query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(4) trusting ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136; +``` + +### validation + +authorizer code: +``` +check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; + +deny if query(3); +deny if query(1, 2); +deny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; +allow if true; +``` + +revocation ids: +- `3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04` +- `45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400` +- `179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703` +- `edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d` +- `6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07` + +authorizer world: +``` +World { + facts: { + ( + "query(0)", + { + Some( + 0, + ), + }, + ), + ( + "query(1)", + { + Some( + 1, + ), + }, + ), + ( + "query(1, 2)", + { + Some( + 1, + ), + Some( + 2, + ), + }, + ), + ( + "query(2)", + { + Some( + 2, + ), + }, + ), + ( + "query(3)", + { + Some( + 3, + ), + }, + ), + ( + "query(4)", + { + Some( + 4, + ), + }, + ), +} + rules: { + ( + "query(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + Some( + 1, + ), + ), +} + checks: { + "check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "check if query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "check if query(4) trusting ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136", + "check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", +} + policies: { + "allow if true", + "deny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "deny if query(1, 2)", + "deny if query(3)", +} +} +``` + +result: `Ok(3)` + + +------------------------------ + +## integer wraparound: test027_integer_wraparound.bc +### token + +authority: +symbols: [] + +public keys: [] + +``` +check if true || 10000000000 * 10000000000 != 0; +check if true || 9223372036854775807 + 1 != 0; +check if true || -9223372036854775808 - 1 != 0; +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `3346a22aae0abfc1ffa526f02f7650e90af909e5e519989026441e78cdc245b7fd126503cfdc8831325fc04307edc65238db319724477915f7040a2f6a719a05` + +authorizer world: +``` +World { + facts: {} + rules: {} + checks: { + "check if true || -9223372036854775808 - 1 != 0", + "check if true || 10000000000 * 10000000000 != 0", + "check if true || 9223372036854775807 + 1 != 0", +} + policies: { + "allow if true", +} +} +``` + +result: `Err(Execution(Overflow))` + + +------------------------------ + +## test expression syntax and all available operations (v4 blocks): test028_expressions_v4.bc +### token + +authority: +symbols: ["abcD12x", "abcD12"] + +public keys: [] + +``` +check if 1 != 3; +check if 1 | 2 ^ 3 == 0; +check if "abcD12x" != "abcD12"; +check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z; +check if hex:12abcd != hex:12ab; +check if [1, 4] != [1, 2]; +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `117fa653744c859561555e6a6f5990e3a8e7817f91b87aa6991b6d64297158b4e884c92d10f49f74c96069df722aa676839b72751ca9d1fe83a7025b591de00b` + +authorizer world: +``` +World { + facts: {} + rules: {} + checks: { + "check if \"abcD12x\" != \"abcD12\"", + "check if 1 != 3", + "check if 1 | 2 ^ 3 == 0", + "check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z", + "check if [1, 4] != [1, 2]", + "check if hex:12abcd != hex:12ab", +} + policies: { + "allow if true", +} +} +``` + +result: `Ok(0)` + diff --git a/src/test/resources/samples/samples.json b/src/test/resources/samples/samples.json index 7f9ef481..2db940d7 100644 --- a/src/test/resources/samples/samples.json +++ b/src/test/resources/samples/samples.json @@ -1,6 +1,6 @@ { - "root_private_key": "12aca40167fbdd1a11037e9fd440e3d510d9d9dea70a6646aa4aaf84d718d75a", - "root_public_key": "acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "root_private_key": "99e87b0e9158531eeeb503ff15266e2b23c2a2507b138c9d1b1f2ab458df2d61", + "root_public_key": "1055c750b1a1505937af1537c626ba3263995c33a64758aaafb1275b0312e284", "testcases": [ { "title": "basic token", @@ -28,14 +28,33 @@ "": { "world": { "facts": [ - "resource(\"file1\")", - "right(\"file1\", \"read\")", - "right(\"file1\", \"write\")", - "right(\"file2\", \"read\")" + { + "origin": [ + null + ], + "facts": [ + "resource(\"file1\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "right(\"file1\", \"read\")", + "right(\"file1\", \"write\")", + "right(\"file2\", \"read\")" + ] + } ], "rules": [], "checks": [ - "check if resource($0), operation(\"read\"), right($0, \"read\")" + { + "origin": 1, + "checks": [ + "check if resource($0), operation(\"read\"), right($0, \"read\")" + ] + } ], "policies": [ "allow if true" @@ -63,8 +82,8 @@ }, "authorizer_code": "resource(\"file1\");\n\nallow if true;\n", "revocation_ids": [ - "3ee1c0f42ba69ec63b1f39a6b3c57d25a4ccec452233ca6d40530ecfe83af4918fa78d9346f8b7c498545b54663960342b9ed298b2c8bbe2085b80c237b56f09", - "e16ccf0820b02092adb531e36c2e82884c6c6c647b1c85184007f2ace601648afb71faa261b11f9ab352093c96187870f868588b664579c8018864b306bd5007" + "7595a112a1eb5b81a6e398852e6118b7f5b8cbbff452778e655100e5fb4faa8d3a2af52fe2c4f9524879605675fae26adbc4783e0cafc43522fa82385f396c03", + "45f4c14f9d9e8fa044d68be7a2ec8cddb835f575c7b913ec59bd636c70acae9a90db9064ba0b3084290ed0c422bbb7170092a884f5e0202b31e9235bbcc1650d" ] } } @@ -303,17 +322,48 @@ "": { "world": { "facts": [ - "operation(\"read\")", - "owner(\"alice\", \"file1\")", - "owner(\"alice\", \"file2\")", - "resource(\"file2\")", - "user_id(\"alice\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file2\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "owner(\"alice\", \"file1\")", + "user_id(\"alice\")" + ] + }, + { + "origin": [ + 2 + ], + "facts": [ + "owner(\"alice\", \"file2\")" + ] + } ], "rules": [ - "right($0, \"read\") <- resource($0), user_id($1), owner($1, $0)" + { + "origin": 1, + "rules": [ + "right($0, \"read\") <- resource($0), user_id($1), owner($1, $0)" + ] + } ], "checks": [ - "check if resource($0), operation(\"read\"), right($0, \"read\")" + { + "origin": 1, + "checks": [ + "check if resource($0), operation(\"read\"), right($0, \"read\")" + ] + } ], "policies": [ "allow if true" @@ -341,9 +391,9 @@ }, "authorizer_code": "resource(\"file2\");\noperation(\"read\");\n\nallow if true;\n", "revocation_ids": [ - "02d287b0e5b22780192f8351538583c17f7d0200e064b32a1fcf07899e64ffb10e4de324f5c5ebc72c89a63e424317226cf555eb42dae81b2fd4639cf7591108", - "22e75ea200cf7b2b62b389298fe0dec973b7f9c7e54e76c3c41811d72ea82c68227bc9079b7d05986de17ef9301cccdc08f5023455386987d1e6ee4391b19f06", - "140a3631fecae550b51e50b9b822b947fb485c80070b34482fa116cdea560140164a1d0a959b40fed8a727e2f62c0b57635760c488c8bf0eda80ee591558c409" + "4d86c9af808dc2e0583f47282e6f5df3e09dc264d5231ec360b4519e15ddaeec60b25a9bbcb22e8d192f4d36a0da3f9243711e30535b00ee55c53cb1395f230a", + "63208c668c66f3ba6927140ba37533593b25e03459447805d4b2a8b75adeef45794c3d7249afe506ed77ccee276160bb4052a4009302bd34871a440f070b4509", + "d8da982888eae8c038e4894a8c06fc57d8e5f06ad2e972b9cf4bde49ad60804558a0d1938192596c702d8e4f7f12ec19201d7c33d0cd77774a0d879a33880d02" ] } } @@ -381,14 +431,40 @@ "": { "world": { "facts": [ - "operation(\"read\")", - "resource(\"file2\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file2\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "right(\"file1\", \"read\")" + ] + }, + { + "origin": [ + 2 + ], + "facts": [ + "right(\"file2\", \"read\")" + ] + } ], "rules": [], "checks": [ - "check if resource($0), operation(\"read\"), right($0, \"read\")" + { + "origin": 1, + "checks": [ + "check if resource($0), operation(\"read\"), right($0, \"read\")" + ] + } ], "policies": [ "allow if true" @@ -416,9 +492,9 @@ }, "authorizer_code": "resource(\"file2\");\noperation(\"read\");\n\nallow if true;\n", "revocation_ids": [ - "567682495bf002eb84c46491e40fad8c55943d918c65e2c110b1b88511bf393072c0305a243e3d632ca5f1e9b0ace3e3582de84838c3a258480657087c267f02", - "71f0010b1034dbc62c53f67a23947b92ccba46495088567ac7ad5c4d7d65476964bee42053a6a35088110c5918f9c9606057689271fef89d84253cf98e6d4407", - "6d00d5f2a5d25dbfaa19152a81b44328b368e8fb8300b25e36754cfe8b2ce1eb2d1452ce9b1502e6f377a23aa87098fb05b5b073541624a8815ba0610f793005" + "a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00", + "77df45442be86a416aa02fd9d98d6d4703c634a9e3b1d293b41f5dc97849afbe7faeec8c22a210574888acc008fb64fe691ec9e8d2655586f970d9a6b6577000", + "b31398aefe97d3db41ebc445760f216fb3aa7bf7439adcfc3a07489bfcc163970af3f4e20f5460aa24cf841101a5ab114d21acc0ee8d442bae7793b121284900" ] } } @@ -435,8 +511,7 @@ }, { "symbols": [ - "file1", - "expiration" + "file1" ], "public_keys": [], "external_key": null, @@ -447,14 +522,26 @@ "": { "world": { "facts": [ - "operation(\"read\")", - "resource(\"file1\")", - "time(2020-12-21T09:23:12Z)" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file1\")", + "time(2020-12-21T09:23:12Z)" + ] + } ], "rules": [], "checks": [ - "check if resource(\"file1\")", - "check if time($time), $time <= 2018-12-20T00:00:00Z" + { + "origin": 1, + "checks": [ + "check if resource(\"file1\")", + "check if time($time), $time <= 2018-12-20T00:00:00Z" + ] + } ], "policies": [ "allow if true" @@ -482,8 +569,8 @@ }, "authorizer_code": "resource(\"file1\");\noperation(\"read\");\ntime(2020-12-21T09:23:12Z);\n\nallow if true;\n", "revocation_ids": [ - "b2474f3e0a5788cdeff811f2599497a04d1ad71ca48dbafb90f20a950d565dda0b86bd6c9072a727c19b6b20a1ae10d8cb88155186550b77016ffd1dca9a6203", - "0d12152670cbefe2fa504af9a92b513f1a48ae460ae5e66aaac4ed9f7dc3cc1c4c510693312b351465062169a2169fc520ce4e17e548d21982c81a74c66a3c0c" + "c248907bb6e5f433bbb5edf6367b399ebefca0d321d0b2ea9fc67f66dc1064ce926adb0c05d90c3e8a2833328b3578f79c4e1bca43583d9bcfb2ba6c37303d00", + "a4edf7aaea8658bb9ae19b3ffe2adcc77cc9f16c249aeb0a85a584b5362f89f27f7c67ac0af16d7170673d6d1fb1563d1934b25ec5a461f6c01fa49805cd5e07" ] } } @@ -513,14 +600,40 @@ "": { "world": { "facts": [ - "operation(\"read\")", - "resource(\"file2\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file2\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "right(\"file1\", \"read\")" + ] + }, + { + "origin": [ + 1 + ], + "facts": [ + "right(\"file2\", \"read\")" + ] + } ], "rules": [], "checks": [ - "check if right($0, $1), resource($0), operation($1)" + { + "origin": 18446744073709551615, + "checks": [ + "check if right($0, $1), resource($0), operation($1)" + ] + } ], "policies": [ "allow if true" @@ -547,8 +660,8 @@ }, "authorizer_code": "resource(\"file2\");\noperation(\"read\");\n\ncheck if right($0, $1), resource($0), operation($1);\n\nallow if true;\n", "revocation_ids": [ - "b9ecf192ecb1bbb10e45320c1c86661f0c6b6bd28e89fdd8fa838fe0ab3f754229f7fbbf92ad978d36f744c345c69bc156a2a91a2979a3c235a9d936d401b404", - "839728735701e589c2612e655afa2b53f573480e6a0477ae68ed71587987d1af398a31296bdec0b6eccee9348f4b4c23ca1031e809991626c579fef80b1d380d" + "a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00", + "966eceb2aa937c41b25368808bab6e0698c02a4038de669d007c9c3d43602638a640083558d1576ac80cf3eb2ac6a7585527e0f6c1a65402f0935cf7f4df8005" ] } } @@ -570,13 +683,32 @@ "": { "world": { "facts": [ - "operation(\"read\")", - "resource(\"file2\")", - "right(\"file1\", \"read\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file2\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "right(\"file1\", \"read\")" + ] + } ], "rules": [], "checks": [ - "check if right($0, $1), resource($0), operation($1)" + { + "origin": 18446744073709551615, + "checks": [ + "check if right($0, $1), resource($0), operation($1)" + ] + } ], "policies": [ "allow if true" @@ -603,7 +735,7 @@ }, "authorizer_code": "resource(\"file2\");\noperation(\"read\");\n\ncheck if right($0, $1), resource($0), operation($1);\n\nallow if true;\n", "revocation_ids": [ - "593d273d141bf23a3e89b55fffe1b3f96f683a022bb763e78f4e49f31a7cf47668c3fd5e0f580727ac9113ede302d34264597f6f1e6c6dd4167836d57aedf504" + "a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00" ] } } @@ -625,12 +757,24 @@ "file1": { "world": { "facts": [ - "operation(\"read\")", - "resource(\"file1\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file1\")" + ] + } ], "rules": [], "checks": [ - "check if resource(\"file1\")" + { + "origin": 0, + "checks": [ + "check if resource(\"file1\")" + ] + } ], "policies": [ "allow if true" @@ -641,18 +785,30 @@ }, "authorizer_code": "resource(\"file1\");\noperation(\"read\");\n\nallow if true;\n", "revocation_ids": [ - "0a1d14a145debbb0a2f4ce0631d3a0a48a2e0eddabefda7fabb0414879ec6be24b9ae7295c434609ada3f8cc47b8845bbd5a0d4fba3d96748ff1b824496e0405" + "6a8f90dad67ae2ac188460463914ae7326fda431c80785755f4edcc15f1a53911f7366e606ad80cbbeba94672e42713e88632a932128f1d796ce9ba7d7a0b80a" ] }, "file2": { "world": { "facts": [ - "operation(\"read\")", - "resource(\"file2\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file2\")" + ] + } ], "rules": [], "checks": [ - "check if resource(\"file1\")" + { + "origin": 0, + "checks": [ + "check if resource(\"file1\")" + ] + } ], "policies": [ "allow if true" @@ -680,7 +836,7 @@ }, "authorizer_code": "resource(\"file2\");\noperation(\"read\");\n\nallow if true;\n", "revocation_ids": [ - "0a1d14a145debbb0a2f4ce0631d3a0a48a2e0eddabefda7fabb0414879ec6be24b9ae7295c434609ada3f8cc47b8845bbd5a0d4fba3d96748ff1b824496e0405" + "6a8f90dad67ae2ac188460463914ae7326fda431c80785755f4edcc15f1a53911f7366e606ad80cbbeba94672e42713e88632a932128f1d796ce9ba7d7a0b80a" ] } } @@ -713,18 +869,50 @@ "file1": { "world": { "facts": [ - "resource(\"file1\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")", - "time(2020-12-21T09:23:12Z)", - "valid_date(\"file1\")" + { + "origin": [ + null + ], + "facts": [ + "resource(\"file1\")", + "time(2020-12-21T09:23:12Z)" + ] + }, + { + "origin": [ + null, + 1 + ], + "facts": [ + "valid_date(\"file1\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "right(\"file1\", \"read\")", + "right(\"file2\", \"read\")" + ] + } ], "rules": [ - "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", - "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)" + { + "origin": 1, + "rules": [ + "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", + "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)" + ] + } ], "checks": [ - "check if valid_date($0), resource($0)" + { + "origin": 1, + "checks": [ + "check if valid_date($0), resource($0)" + ] + } ], "policies": [ "allow if true" @@ -735,24 +923,48 @@ }, "authorizer_code": "resource(\"file1\");\ntime(2020-12-21T09:23:12Z);\n\nallow if true;\n", "revocation_ids": [ - "d251352efd4e4c72e8a1609fce002f558f1a0bb5e36cd3d8b3a6c6599e3960880f21bea6fe1857f4ecbc2c399dd77829b154e75f1323e9dec413aad70f97650d", - "9de4f51e6019540598a957515dad52f5403e5c6cd8d2adbca1bff42a4fbc0eb8c6adab499da2fe894a8a9c9c581276bfb0fdc3d35ab2ff9f920a2c4690739903" + "c46d071ff3f33434223c8305fdad529f62bf78bb5d9cbfc2a345d4bca6bf314014840e18ba353f86fdb9073d58b12b8c872ac1f8e593c2e9064b90f6c2ede006", + "a0c4c163a0b3ca406df4ece3d1371356190df04208eccef72f77e875ed0531b5d37e243d6f388b1967776a5dfd16ef228f19c5bdd6d2820f145c5ed3c3dcdc00" ] }, "file2": { "world": { "facts": [ - "resource(\"file2\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")", - "time(2020-12-21T09:23:12Z)" + { + "origin": [ + null + ], + "facts": [ + "resource(\"file2\")", + "time(2020-12-21T09:23:12Z)" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "right(\"file1\", \"read\")", + "right(\"file2\", \"read\")" + ] + } ], "rules": [ - "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", - "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)" + { + "origin": 1, + "rules": [ + "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", + "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)" + ] + } ], "checks": [ - "check if valid_date($0), resource($0)" + { + "origin": 1, + "checks": [ + "check if valid_date($0), resource($0)" + ] + } ], "policies": [ "allow if true" @@ -780,8 +992,8 @@ }, "authorizer_code": "resource(\"file2\");\ntime(2020-12-21T09:23:12Z);\n\nallow if true;\n", "revocation_ids": [ - "d251352efd4e4c72e8a1609fce002f558f1a0bb5e36cd3d8b3a6c6599e3960880f21bea6fe1857f4ecbc2c399dd77829b154e75f1323e9dec413aad70f97650d", - "9de4f51e6019540598a957515dad52f5403e5c6cd8d2adbca1bff42a4fbc0eb8c6adab499da2fe894a8a9c9c581276bfb0fdc3d35ab2ff9f920a2c4690739903" + "c46d071ff3f33434223c8305fdad529f62bf78bb5d9cbfc2a345d4bca6bf314014840e18ba353f86fdb9073d58b12b8c872ac1f8e593c2e9064b90f6c2ede006", + "a0c4c163a0b3ca406df4ece3d1371356190df04208eccef72f77e875ed0531b5d37e243d6f388b1967776a5dfd16ef228f19c5bdd6d2820f145c5ed3c3dcdc00" ] } } @@ -804,11 +1016,23 @@ "file1": { "world": { "facts": [ - "resource(\"file1\")" + { + "origin": [ + null + ], + "facts": [ + "resource(\"file1\")" + ] + } ], "rules": [], "checks": [ - "check if resource($0), $0.matches(\"file[0-9]+.txt\")" + { + "origin": 0, + "checks": [ + "check if resource($0), $0.matches(\"file[0-9]+.txt\")" + ] + } ], "policies": [ "allow if true" @@ -836,17 +1060,29 @@ }, "authorizer_code": "resource(\"file1\");\n\nallow if true;\n", "revocation_ids": [ - "1c158e1e12c8670d3f4411597276fe1caab17b7728adb7f7e9c44eeec3e3d85676e6ebe2d28c287e285a45912386cfa53e1752997630bd7a4ca6c2cd9f143500" + "da42718ad2631c12d3a44b7710dcc76c6c7809c6bc3a2d7eb0378c4154eae10e0884a8d54a2cd25ca3dfe01091d816ebbb9d246227baf7a359a787cb2344ad07" ] }, "file123": { "world": { "facts": [ - "resource(\"file123.txt\")" + { + "origin": [ + null + ], + "facts": [ + "resource(\"file123.txt\")" + ] + } ], "rules": [], "checks": [ - "check if resource($0), $0.matches(\"file[0-9]+.txt\")" + { + "origin": 0, + "checks": [ + "check if resource($0), $0.matches(\"file[0-9]+.txt\")" + ] + } ], "policies": [ "allow if true" @@ -857,7 +1093,7 @@ }, "authorizer_code": "resource(\"file123.txt\");\n\nallow if true;\n", "revocation_ids": [ - "1c158e1e12c8670d3f4411597276fe1caab17b7728adb7f7e9c44eeec3e3d85676e6ebe2d28c287e285a45912386cfa53e1752997630bd7a4ca6c2cd9f143500" + "da42718ad2631c12d3a44b7710dcc76c6c7809c6bc3a2d7eb0378c4154eae10e0884a8d54a2cd25ca3dfe01091d816ebbb9d246227baf7a359a787cb2344ad07" ] } } @@ -880,11 +1116,23 @@ "": { "world": { "facts": [ - "must_be_present(\"hello\")" + { + "origin": [ + 0 + ], + "facts": [ + "must_be_present(\"hello\")" + ] + } ], "rules": [], "checks": [ - "check if must_be_present($0) or must_be_present($0)" + { + "origin": 18446744073709551615, + "checks": [ + "check if must_be_present($0) or must_be_present($0)" + ] + } ], "policies": [ "allow if true" @@ -895,7 +1143,7 @@ }, "authorizer_code": "check if must_be_present($0) or must_be_present($0);\n\nallow if true;\n", "revocation_ids": [ - "d3eee8a74eacec9c51d4d1eb29b479727dfaafa9df7d4c651d07c493c56f3a5f037a51139ebd036f50d1159d12bccec3e377bbd32db90a39dd52c4776757ad0b" + "b0d466d31e015fa85a075fa875f7e1c9017edd503fee9f62a5f033e1fcfa811074b6e39dfe5af2f452043db97a3f98650592a370f5685b62c5d6abf9dd10b603" ] } } @@ -925,11 +1173,23 @@ "": { "world": { "facts": [ - "query(\"test\")" + { + "origin": [ + 1 + ], + "facts": [ + "query(\"test\")" + ] + } ], "rules": [], "checks": [ - "check if resource(\"hello\")" + { + "origin": 0, + "checks": [ + "check if resource(\"hello\")" + ] + } ], "policies": [ "allow if true" @@ -957,8 +1217,8 @@ }, "authorizer_code": "allow if true;\n", "revocation_ids": [ - "e79679e019f1d7d3a9f9a309673aceadc7b2b2d67c0df3e7a1dccec25218e9b5935b9c8f8249243446406e3cdd86c1b35601a21cf1b119df48ca5e897cc6cd0d", - "2042ea2dca41ba3eb31196f49b211e615dcba46067be126e6035b8549bb57cdfeb24d07f2b44241bc0f70cc8ddc31e30772116d785b82bc91be8440dfdab500f" + "ce6f804f4390e693a8853d9a4a10bd4f3c94b86b7c6d671993a6e19346bc4d20bbb52cc945e5d0d02e4e75fa5da2caa99764050190353564a0a0b4b276809402", + "916d566cc724e0773046fc5266e9d0d804311435b8d6955b332f823ab296be9a78dfea190447732ac9f6217234cf5726becf88f65169c6de56a766af55451b0f" ] } } @@ -979,13 +1239,12 @@ "b", "de", "abcD12", - "abcD12x", "abc", "def" ], "public_keys": [], "external_key": null, - "code": "check if true;\ncheck if !false;\ncheck if !false && true;\ncheck if false or true;\ncheck if (true || false) && true;\ncheck if 1 < 2;\ncheck if 2 > 1;\ncheck if 1 <= 2;\ncheck if 1 <= 1;\ncheck if 2 >= 1;\ncheck if 2 >= 2;\ncheck if 3 == 3;\ncheck if 1 != 3;\ncheck if 1 + 2 * 3 - 4 / 2 == 5;\ncheck if 1 | 2 ^ 3 == 0;\ncheck if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\");\ncheck if \"aaabde\".matches(\"a*c?.e\");\ncheck if \"aaabde\".contains(\"abd\");\ncheck if \"aaabde\" == \"aaa\" + \"b\" + \"de\";\ncheck if \"abcD12\" == \"abcD12\";\ncheck if \"abcD12x\" != \"abcD12\";\ncheck if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z;\ncheck if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z;\ncheck if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z;\ncheck if hex:12ab == hex:12ab;\ncheck if hex:12abcd != hex:12ab;\ncheck if [1, 2].contains(2);\ncheck if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z);\ncheck if [false, true].contains(true);\ncheck if [\"abc\", \"def\"].contains(\"abc\");\ncheck if [hex:12ab, hex:34de].contains(hex:34de);\ncheck if [1, 2] == [1, 2];\ncheck if [1, 4] != [1, 2];\n" + "code": "check if true;\ncheck if !false;\ncheck if !false && true;\ncheck if false || true;\ncheck if (true || false) && true;\ncheck if true == true;\ncheck if false == false;\ncheck if 1 < 2;\ncheck if 2 > 1;\ncheck if 1 <= 2;\ncheck if 1 <= 1;\ncheck if 2 >= 1;\ncheck if 2 >= 2;\ncheck if 3 == 3;\ncheck if 1 + 2 * 3 - 4 / 2 == 5;\ncheck if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\");\ncheck if \"aaabde\".matches(\"a*c?.e\");\ncheck if \"aaabde\".contains(\"abd\");\ncheck if \"aaabde\" == \"aaa\" + \"b\" + \"de\";\ncheck if \"abcD12\" == \"abcD12\";\ncheck if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z;\ncheck if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z;\ncheck if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z;\ncheck if hex:12ab == hex:12ab;\ncheck if [1, 2].contains(2);\ncheck if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z);\ncheck if [false, true].contains(true);\ncheck if [\"abc\", \"def\"].contains(\"abc\");\ncheck if [hex:12ab, hex:34de].contains(hex:34de);\ncheck if [1, 2].contains([2]);\ncheck if [1, 2] == [1, 2];\ncheck if [1, 2].intersection([2, 3]) == [2];\ncheck if [1, 2].union([2, 3]) == [1, 2, 3];\ncheck if [1, 2, 3].intersection([1, 2]).contains(1);\ncheck if [1, 2, 3].intersection([1, 2]).length() == 2;\n" } ], "validations": { @@ -994,43 +1253,50 @@ "facts": [], "rules": [], "checks": [ - "check if !false", - "check if !false && true", - "check if \"aaabde\" == \"aaa\" + \"b\" + \"de\"", - "check if \"aaabde\".contains(\"abd\")", - "check if \"aaabde\".matches(\"a*c?.e\")", - "check if \"abcD12\" == \"abcD12\"", - "check if \"abcD12x\" != \"abcD12\"", - "check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")", - "check if (true || false) && true", - "check if 1 != 3", - "check if 1 + 2 * 3 - 4 / 2 == 5", - "check if 1 < 2", - "check if 1 <= 1", - "check if 1 <= 2", - "check if 1 | 2 ^ 3 == 0", - "check if 2 > 1", - "check if 2 >= 1", - "check if 2 >= 2", - "check if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z", - "check if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z", - "check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z", - "check if 3 == 3", - "check if [\"abc\", \"def\"].contains(\"abc\")", - "check if [1, 2] == [1, 2]", - "check if [1, 2].contains(2)", - "check if [1, 4] != [1, 2]", - "check if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z)", - "check if [false, true].contains(true)", - "check if [hex:12ab, hex:34de].contains(hex:34de)", - "check if false or true", - "check if hex:12ab == hex:12ab", - "check if hex:12abcd != hex:12ab", - "check if true" + { + "origin": 0, + "checks": [ + "check if !false", + "check if !false && true", + "check if \"aaabde\" == \"aaa\" + \"b\" + \"de\"", + "check if \"aaabde\".contains(\"abd\")", + "check if \"aaabde\".matches(\"a*c?.e\")", + "check if \"abcD12\" == \"abcD12\"", + "check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")", + "check if (true || false) && true", + "check if 1 + 2 * 3 - 4 / 2 == 5", + "check if 1 < 2", + "check if 1 <= 1", + "check if 1 <= 2", + "check if 2 > 1", + "check if 2 >= 1", + "check if 2 >= 2", + "check if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z", + "check if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z", + "check if 3 == 3", + "check if [\"abc\", \"def\"].contains(\"abc\")", + "check if [1, 2, 3].intersection([1, 2]).contains(1)", + "check if [1, 2, 3].intersection([1, 2]).length() == 2", + "check if [1, 2] == [1, 2]", + "check if [1, 2].contains(2)", + "check if [1, 2].contains([2])", + "check if [1, 2].intersection([2, 3]) == [2]", + "check if [1, 2].union([2, 3]) == [1, 2, 3]", + "check if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z)", + "check if [false, true].contains(true)", + "check if [hex:12ab, hex:34de].contains(hex:34de)", + "check if false == false", + "check if false || true", + "check if hex:12ab == hex:12ab", + "check if true", + "check if true == true" + ] + } ], "policies": [ "allow if true" @@ -1041,7 +1307,7 @@ }, "authorizer_code": "allow if true;\n", "revocation_ids": [ - "3e51db5f0453929a596485b59e89bf628a301a33d476132c48a1c0a208805809f15bdf99593733c1b5f30e8c1f473ee2f78042f81fd0557081bafb5370e65d0c" + "f61b4cb4fc58777fec6c8d39fe62259dc3c78511868236c391e9f67ffd03a3a8b8e3042d4bacce0d5756d053f5afccd4c5e4df0597af44b36bdfab492e5fe50e" ] } } @@ -1082,8 +1348,8 @@ }, "authorizer_code": "", "revocation_ids": [ - "c536d07f08f6f73da69a2f49310045168e059b8c07e3ddf25afd524df358a0397744b31a139eced043cb5f7a29dacbe3a510ce449fc792e53623186767cefc0c", - "8588c74c3701e8d4be770769b4e1054dbb5ea5f231a89d205000802b8718859ea1d596af207a41b1b0f7d05959180c227ea8954e903f13ade3ce3384d1e6a70a" + "a44210c6a01e55eadefc7d8540c2e6eff80ab6eeedde4751de734f9d780435780680d3f42d826b7e0f0dcf4a5ba303fd4c116984bb30978813d46ed867924307", + "b0a33e3f4cd0994c0766c196c4d11c15e5a0f9bfba79a3a2b35ddd04ddb890282a7c63336ada5c680b9f9c940c1fa7127d2699754cbc77c21e1a2d85c5ef700c" ] } } @@ -1111,14 +1377,39 @@ "": { "world": { "facts": [ - "operation(\"read\")", - "operation(\"write\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"write\")" + ] + }, + { + "origin": [ + null, + 1 + ], + "facts": [ + "operation(\"read\")" + ] + } ], "rules": [ - "operation(\"read\") <- operation($any)" + { + "origin": 1, + "rules": [ + "operation(\"read\") <- operation($any)" + ] + } ], "checks": [ - "check if operation(\"read\")" + { + "origin": 0, + "checks": [ + "check if operation(\"read\")" + ] + } ], "policies": [ "allow if true" @@ -1146,8 +1437,8 @@ }, "authorizer_code": "operation(\"write\");\n\nallow if true;\n", "revocation_ids": [ - "4819e7360fdb840e54e94afcbc110e9b0652894dba2b8bf3b8b8f2254aaf00272bba7eb603c153c7e50cca0e5bb8e20449d70a1b24e7192e902c64f94848a703", - "4a4c59354354d2f91b3a2d1e7afa2c5eeaf8be9f7b163c6b9091817551cc8661f0f3e0523b525ef9a5e597c0dd1f32e09e97ace531c150dba335bb3e1d329d00" + "a44210c6a01e55eadefc7d8540c2e6eff80ab6eeedde4751de734f9d780435780680d3f42d826b7e0f0dcf4a5ba303fd4c116984bb30978813d46ed867924307", + "d3f8822a9b9bc0ee3933283c493ca9e711be5dd8339b5fe2eba1de3805aad4e84d3e2fb4affb4a743f1289915c167582b9425343635e45b70573ea1ee7a1ea03" ] } } @@ -1178,15 +1469,34 @@ "": { "world": { "facts": [ - "operation(\"read\")", - "resource(\"file1\")", - "right(\"file1\", \"read\")", - "right(\"file1\", \"write\")", - "right(\"file2\", \"read\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"read\")", + "resource(\"file1\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "right(\"file1\", \"read\")", + "right(\"file1\", \"write\")", + "right(\"file2\", \"read\")" + ] + } ], "rules": [], "checks": [ - "check if resource($0), operation(\"read\"), right($0, \"read\")" + { + "origin": 1, + "checks": [ + "check if resource($0), operation(\"read\"), right($0, \"read\")" + ] + } ], "policies": [ "allow if true" @@ -1197,8 +1507,8 @@ }, "authorizer_code": "resource(\"file1\");\noperation(\"read\");\n\nallow if true;\n", "revocation_ids": [ - "b279f8c6fee5ea3c3fcb5109d8c6b35ba3fecea64d83a4dc387102b9401633a1558ac6ac50ddd7fd9e9877f936f9f4064abd467faeca2bef3114b9695eb0580e", - "e1f0aca12704c1a3b9bb6292504ca6070462d9e043756dd209e625084e7d4053078bd4e55b6eebebbeb771d26d7794aa95f6b39ff949431548b32585a7379f0c" + "7595a112a1eb5b81a6e398852e6118b7f5b8cbbff452778e655100e5fb4faa8d3a2af52fe2c4f9524879605675fae26adbc4783e0cafc43522fa82385f396c03", + "45f4c14f9d9e8fa044d68be7a2ec8cddb835f575c7b913ec59bd636c70acae9a90db9064ba0b3084290ed0c422bbb7170092a884f5e0202b31e9235bbcc1650d" ] } } @@ -1221,11 +1531,23 @@ "": { "world": { "facts": [ - "ns::fact_123(\"hello Ć©\tšŸ˜\")" + { + "origin": [ + 0 + ], + "facts": [ + "ns::fact_123(\"hello Ć©\tšŸ˜\")" + ] + } ], "rules": [], "checks": [ - "check if ns::fact_123(\"hello Ć©\tšŸ˜\")" + { + "origin": 18446744073709551615, + "checks": [ + "check if ns::fact_123(\"hello Ć©\tšŸ˜\")" + ] + } ], "policies": [ "allow if true" @@ -1236,7 +1558,7 @@ }, "authorizer_code": "check if ns::fact_123(\"hello Ć©\tšŸ˜\");\n\nallow if true;\n", "revocation_ids": [ - "4797a528328c8b5fb7939cc8956d8cda2513f552466eee501e26ea13a6cf6b4a381fd74ae547a9b50b627825142287d899b9d7bd1b5cfb18664a1be78320ea06" + "d4b2f417b6e906434fdf5058afcabfcb98d3628f814f1c9dd7e64250d9beec4465aff51bd0cb2e85d0e67dc9f613c2a42af6158c678bc6f8b4684cd3a2d0d302" ] } } @@ -1256,38 +1578,50 @@ "": { "world": { "facts": [ - "admin(13)", - "client(18)", - "client_ip(19)", - "cluster(23)", - "domain(20)", - "email(14)", - "group(15)", - "hostname(25)", - "ip_address(17)", - "member(16)", - "namespace(9)", - "node(24)", - "nonce(26)", - "operation(3)", - "owner(7)", - "path(21)", - "query(27)", - "read(0)", - "resource(2)", - "right(4)", - "role(6)", - "service(12)", - "team(11)", - "tenant(8)", - "time(5)", - "user(10)", - "version(22)", - "write(1)" + { + "origin": [ + 0 + ], + "facts": [ + "admin(13)", + "client(18)", + "client_ip(19)", + "cluster(23)", + "domain(20)", + "email(14)", + "group(15)", + "hostname(25)", + "ip_address(17)", + "member(16)", + "namespace(9)", + "node(24)", + "nonce(26)", + "operation(3)", + "owner(7)", + "path(21)", + "query(27)", + "read(0)", + "resource(2)", + "right(4)", + "role(6)", + "service(12)", + "team(11)", + "tenant(8)", + "time(5)", + "user(10)", + "version(22)", + "write(1)" + ] + } ], "rules": [], "checks": [ - "check if read(0), write(1), resource(2), operation(3), right(4), time(5), role(6), owner(7), tenant(8), namespace(9), user(10), team(11), service(12), admin(13), email(14), group(15), member(16), ip_address(17), client(18), client_ip(19), domain(20), path(21), version(22), cluster(23), node(24), hostname(25), nonce(26), query(27)" + { + "origin": 18446744073709551615, + "checks": [ + "check if read(0), write(1), resource(2), operation(3), right(4), time(5), role(6), owner(7), tenant(8), namespace(9), user(10), team(11), service(12), admin(13), email(14), group(15), member(16), ip_address(17), client(18), client_ip(19), domain(20), path(21), version(22), cluster(23), node(24), hostname(25), nonce(26), query(27)" + ] + } ], "policies": [ "allow if true" @@ -1298,7 +1632,7 @@ }, "authorizer_code": "check if read(0), write(1), resource(2), operation(3), right(4), time(5), role(6), owner(7), tenant(8), namespace(9), user(10), team(11), service(12), admin(13), email(14), group(15), member(16), ip_address(17), client(18), client_ip(19), domain(20), path(21), version(22), cluster(23), node(24), hostname(25), nonce(26), query(27);\n\nallow if true;\n", "revocation_ids": [ - "38094260b324eff92db2ef79e715d88c18503c0dafa400bff900399f2ab0840cedc5ac25bdd3e97860b3f9e78ca5e0df67a113eb87be50265d49278efb13210f" + "75ce48d496fd28f99905901783a1ba46d7ff8d69f9d364d1546fd73006026eae51849ad1190a4ae521a0a1269f9c6951e226afba8fcd24fa50f679162439ae09" ] } } @@ -1336,13 +1670,32 @@ "": { "world": { "facts": [ - "authority_fact(1)", - "block1_fact(1)" + { + "origin": [ + 0 + ], + "facts": [ + "authority_fact(1)" + ] + }, + { + "origin": [ + 1 + ], + "facts": [ + "block1_fact(1)" + ] + } ], "rules": [], "checks": [ - "check if authority_fact($var)", - "check if block1_fact($var)" + { + "origin": 2, + "checks": [ + "check if authority_fact($var)", + "check if block1_fact($var)" + ] + } ], "policies": [ "allow if true" @@ -1370,9 +1723,9 @@ }, "authorizer_code": "allow if true;\n", "revocation_ids": [ - "6a3606836bc63b858f96ce5000c9bead8eda139ab54679a2a8d7a9984c2e5d864b93280acc1b728bed0be42b5b1c3be10f48a13a4dbd05fd5763de5be3855108", - "5f1468fc60999f22c4f87fa088a83961188b4e654686c5b04bdc977b9ff4666d51a3d8be5594f4cef08054d100f31d1637b50bb394de7cccafc643c9b650390b", - "3eda05ddb65ee90d715cefc046837c01de944d8c4a7ff67e3d9a9d8470b5e214a20a8b9866bfe5e0d385e530b75ec8fcfde46b7dd6d4d6647d1e955c9d2fb90d" + "f9b49866caef5ece7be14ec5a9b36d98ca81d06b306eb0b4c57cd7436af176f40ee972f40903f87ec4460ab8b1adfcbfa9b19b20a6955a1e8dae7d88b2076005", + "889054b9119e4440e54da1b63266a98d0f6646cde195fef206efd8b133cfb2ee7be49b32a9a5925ece452e64f9e6f6d80dab422e916c599675dd68cdea053802", + "0a85ffbf27e08aa23665ba0d96a985b274d747556c9f016fd7f590c641ed0e4133291521aa442b320ee9ce80f5ad701b914a0c87b3dfa0cc92629dce94201806" ] } } @@ -1384,15 +1737,15 @@ { "symbols": [], "public_keys": [ - "ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25" + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" ], "external_key": null, - "code": "right(\"read\");\ncheck if group(\"admin\") trusting ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25;\n" + "code": "right(\"read\");\ncheck if group(\"admin\") trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], "public_keys": [], - "external_key": "ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25", + "external_key": "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", "code": "group(\"admin\");\ncheck if right(\"read\");\n" } ], @@ -1400,13 +1753,37 @@ "": { "world": { "facts": [ - "group(\"admin\")", - "right(\"read\")" + { + "origin": [ + 0 + ], + "facts": [ + "right(\"read\")" + ] + }, + { + "origin": [ + 1 + ], + "facts": [ + "group(\"admin\")" + ] + } ], "rules": [], "checks": [ - "check if group(\"admin\") trusting ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25", - "check if right(\"read\")" + { + "origin": 0, + "checks": [ + "check if group(\"admin\") trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + ] + }, + { + "origin": 1, + "checks": [ + "check if right(\"read\")" + ] + } ], "policies": [ "allow if true" @@ -1417,8 +1794,8 @@ }, "authorizer_code": "allow if true;\n", "revocation_ids": [ - "4f61f2f2f9cefdcad03a82803638e459bef70d6fd72dbdf2bdcab78fbd23f33146e4ff9700e23acb547b820b871fa9b9fd3bb6d7a1a755afce47e9907c65600c", - "683b23943b73f53f57f473571ba266f79f1fca0633be249bc135054371a11ffb101c57150ab2f1b9a6a160b45d09567a314b7dbc84224edf6188afd5b86d9305" + "470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03", + "93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405" ] } } @@ -1444,13 +1821,32 @@ "A, B": { "world": { "facts": [ - "allowed_operations([\"A\", \"B\"])", - "operation(\"A\")", - "operation(\"B\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"A\")", + "operation(\"B\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "allowed_operations([\"A\", \"B\"])" + ] + } ], "rules": [], "checks": [ - "check all operation($op), allowed_operations($allowed), $allowed.contains($op)" + { + "origin": 0, + "checks": [ + "check all operation($op), allowed_operations($allowed), $allowed.contains($op)" + ] + } ], "policies": [ "allow if true" @@ -1461,19 +1857,38 @@ }, "authorizer_code": "operation(\"A\");\noperation(\"B\");\n\nallow if true;\n", "revocation_ids": [ - "b4ee591001e4068a7ee8efb7a0586c3ca3a785558f34d1fa8dbfa21b41ace70de0b670ac49222c7413066d0d83e6d9edee94fb0fda4b27ea11e837304dfb4b0b" + "c456817012e1d523c6d145b6d6a3475d9f7dd4383c535454ff3f745ecf4234984ce09b9dec0551f3d783abe850f826ce43b12f1fd91999a4753a56ecf4c56d0d" ] }, "A, invalid": { "world": { "facts": [ - "allowed_operations([\"A\", \"B\"])", - "operation(\"A\")", - "operation(\"invalid\")" + { + "origin": [ + null + ], + "facts": [ + "operation(\"A\")", + "operation(\"invalid\")" + ] + }, + { + "origin": [ + 0 + ], + "facts": [ + "allowed_operations([\"A\", \"B\"])" + ] + } ], "rules": [], "checks": [ - "check all operation($op), allowed_operations($allowed), $allowed.contains($op)" + { + "origin": 0, + "checks": [ + "check all operation($op), allowed_operations($allowed), $allowed.contains($op)" + ] + } ], "policies": [ "allow if true" @@ -1501,7 +1916,7 @@ }, "authorizer_code": "operation(\"A\");\noperation(\"invalid\");\n\nallow if true;\n", "revocation_ids": [ - "b4ee591001e4068a7ee8efb7a0586c3ca3a785558f34d1fa8dbfa21b41ace70de0b670ac49222c7413066d0d83e6d9edee94fb0fda4b27ea11e837304dfb4b0b" + "c456817012e1d523c6d145b6d6a3475d9f7dd4383c535454ff3f745ecf4234984ce09b9dec0551f3d783abe850f826ce43b12f1fd91999a4753a56ecf4c56d0d" ] } } @@ -1513,65 +1928,147 @@ { "symbols": [], "public_keys": [ - "ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59" + "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" ], "external_key": null, - "code": "query(0);\ncheck if true trusting previous, ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59;\n" + "code": "query(0);\ncheck if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], "public_keys": [ - "ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee" + "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" ], - "external_key": "ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59", - "code": "query(1);\nquery(1, 2) <- query(1), query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee;\ncheck if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee;\ncheck if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59;\n" + "external_key": "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "code": "query(1);\nquery(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], "public_keys": [], - "external_key": "ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "code": "query(2);\ncheck if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee;\ncheck if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59;\n" + "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "code": "query(2);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], "public_keys": [], - "external_key": "ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "code": "query(3);\ncheck if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee;\ncheck if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59;\n" + "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "code": "query(3);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n" }, { "symbols": [], "public_keys": [ - "ed25519/2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14" + "ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136" ], "external_key": null, - "code": "query(4);\ncheck if query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee;\ncheck if query(4) trusting ed25519/2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14;\n" + "code": "query(4);\ncheck if query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(4) trusting ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136;\n" } ], "validations": { "": { "world": { "facts": [ - "query(0)", - "query(1)", - "query(1, 2)", - "query(2)", - "query(3)", - "query(4)" + { + "origin": [ + 0 + ], + "facts": [ + "query(0)" + ] + }, + { + "origin": [ + 1 + ], + "facts": [ + "query(1)" + ] + }, + { + "origin": [ + 1, + 2 + ], + "facts": [ + "query(1, 2)" + ] + }, + { + "origin": [ + 2 + ], + "facts": [ + "query(2)" + ] + }, + { + "origin": [ + 3 + ], + "facts": [ + "query(3)" + ] + }, + { + "origin": [ + 4 + ], + "facts": [ + "query(4)" + ] + } ], "rules": [ - "query(1, 2) <- query(1), query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee" + { + "origin": 1, + "rules": [ + "query(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + ] + } ], "checks": [ - "check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59", - "check if query(1, 2) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59, ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "check if query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "check if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "check if query(4) trusting ed25519/2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14", - "check if true trusting previous, ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59" + { + "origin": 0, + "checks": [ + "check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" + ] + }, + { + "origin": 1, + "checks": [ + "check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + ] + }, + { + "origin": 2, + "checks": [ + "check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + ] + }, + { + "origin": 3, + "checks": [ + "check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + ] + }, + { + "origin": 4, + "checks": [ + "check if query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "check if query(4) trusting ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136" + ] + }, + { + "origin": 18446744073709551615, + "checks": [ + "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" + ] + } ], "policies": [ "allow if true", - "deny if query(0) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59", + "deny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", "deny if query(1, 2)", "deny if query(3)" ] @@ -1579,13 +2076,13 @@ "result": { "Ok": 3 }, - "authorizer_code": "check if query(1, 2) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59, ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee;\n\ndeny if query(3);\ndeny if query(1, 2);\ndeny if query(0) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59;\nallow if true;\n", + "authorizer_code": "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\n\ndeny if query(3);\ndeny if query(1, 2);\ndeny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\nallow if true;\n", "revocation_ids": [ - "bc144fef824b7ba4b266eac53e9b4f3f2d3cd443c6963833f2f8d4073bef9553f92034c2350fdd50966a9f0c09db35b142d61e0476b0133429885c787052060b", - "aba1631f8d0bea1c81447e73269f560973d03287c2b44325d1b42d10a496156dc8e78648b946bc7db7a3111d787a10c1a9da8d53fc066b1f207de7415a2e9b0b", - "539cff0f5c311dcac843a9e6c8bb445aff0d6510bfa9b17d5350747be92dc365217e89e1d733f3ead1ecc05f287f312c41831338708e788503b55517af3ad000", - "5b10f7a7b4487f4421cf7f7f6d00b24a7a71939037b65b2e44241909564082a3e1e70cf7d866eb96f0a5119b9ea395adb772faaa33252fa62a579eb15a108a0b", - "3905351588cdfc4433b510cc1ed9c11ca5c1a7bd7d9cef338bcd3f6d374c711f34edd83dd0d53c25b63bf05b49fc78addceb47905d5495580c2fd36c11bc1e0a" + "3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04", + "45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400", + "179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703", + "edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d", + "6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07" ] } } @@ -1607,9 +2104,14 @@ "facts": [], "rules": [], "checks": [ - "check if true || -9223372036854775808 - 1 != 0", - "check if true || 10000000000 * 10000000000 != 0", - "check if true || 9223372036854775807 + 1 != 0" + { + "origin": 0, + "checks": [ + "check if true || -9223372036854775808 - 1 != 0", + "check if true || 10000000000 * 10000000000 != 0", + "check if true || 9223372036854775807 + 1 != 0" + ] + } ], "policies": [ "allow if true" @@ -1622,7 +2124,53 @@ }, "authorizer_code": "allow if true;\n", "revocation_ids": [ - "70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07" + "3346a22aae0abfc1ffa526f02f7650e90af909e5e519989026441e78cdc245b7fd126503cfdc8831325fc04307edc65238db319724477915f7040a2f6a719a05" + ] + } + } + }, + { + "title": "test expression syntax and all available operations (v4 blocks)", + "filename": "test028_expressions_v4.bc", + "token": [ + { + "symbols": [ + "abcD12x", + "abcD12" + ], + "public_keys": [], + "external_key": null, + "code": "check if 1 != 3;\ncheck if 1 | 2 ^ 3 == 0;\ncheck if \"abcD12x\" != \"abcD12\";\ncheck if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z;\ncheck if hex:12abcd != hex:12ab;\ncheck if [1, 4] != [1, 2];\n" + } + ], + "validations": { + "": { + "world": { + "facts": [], + "rules": [], + "checks": [ + { + "origin": 0, + "checks": [ + "check if \"abcD12x\" != \"abcD12\"", + "check if 1 != 3", + "check if 1 | 2 ^ 3 == 0", + "check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z", + "check if [1, 4] != [1, 2]", + "check if hex:12abcd != hex:12ab" + ] + } + ], + "policies": [ + "allow if true" + ] + }, + "result": { + "Ok": 0 + }, + "authorizer_code": "allow if true;\n", + "revocation_ids": [ + "117fa653744c859561555e6a6f5990e3a8e7817f91b87aa6991b6d64297158b4e884c92d10f49f74c96069df722aa676839b72751ca9d1fe83a7025b591de00b" ] } } diff --git a/src/test/resources/samples/test001_basic.bc b/src/test/resources/samples/test001_basic.bc index c28905d73be700271d47af53b1acf08a1b00bfd9..f45e91bbc0960b93e915b19f4b232b2437318de4 100644 GIT binary patch delta 244 zcmV7ti|3;3jNQ03^>xR&6YN>NV{CA&u9}eBkYu_GFoY=%(8MCUw-*4CsD$<4AS*HH uBU`+|Wep-C3Lwfs+OUO??W966w*2(F5e$VZB=9i5nQDm#@GQ*5ezo!EiFvC4 delta 244 zcmV7QkmuM*1v#I`u!iu`+IBx4#tKHaDtv`5EoPGC*5}hko%k8bIM}&j=u} zAd;=MG2?75f{09PY-D>Jg&05w@~q|oWQzN7`l4a6ADXjL2|ShJ{1BVs&n_MV*|?Iw`EVhEW{)7or0tZ4a@v#;nQIB*QReh(TzunD^w zHZPk9Ovzvb}4EG@n$z^+Y2ewg?4Oc@X`Hnef(FXo=9{8bD4;m&XSz z7k+p7=BJnMeU*fDh#Ud#bCx@n@$d3ndOr)Dcwsm8XYL9#nWSxU@7p+_v8jF}5d1=V uUAQ)3qyZu#3LvTC&j5^+f(czU4RA)UL*dJ{1BVvpDs51znlMT6QLxdcwZUCP_`QfmtyI(cek7zeN+722(Hz$;X zetySIJk>`BbgnkY2oUkunaK(z{>hHa7}%@GZgIuyv!FVAG@aP3$S_q=E2?tda@bDuX(DG3XpP_`gH)cBZc4sz*!sb}SKW+r usVj*8Lkl7z3Ls-Spom5q6^&!9g_+U8eR)sW)BglgWo?WH(nJ13s>vp4(RSqk diff --git a/src/test/resources/samples/test003_invalid_signature_format.bc b/src/test/resources/samples/test003_invalid_signature_format.bc index d8aff84c7a65c64d9558a1eb2ac00b89a2f40c95..8c683a62429acb580534e63338beccf7a2b67fef 100644 GIT binary patch delta 196 zcmV;#06YJ+0<{8=M=}sq$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EIyb(NtK zq3c_LrsJ4}E@2qAk$Ei|3;3jNQ03^>xR&6YN>NV{CA&u9}eBkYu_GFoY=%(8MCUw-*4CsD$<4 yAS*HHBU`+|Wep-C3Lwfs+OUO??W966w*2(F5e$VZB=9i5nQDm#@GQ*5ezoyP1z(5& delta 196 zcmV;#06YJ+0<{8=M=~Rw-M%zK#Nw-#!R$9e9(nFH!wp{}l*X7p1VG$uu-6(8HW-ny zd;Y1xgAq^7h;@iCk$E!Z67tbuucQ(r2mlfw z)Iv=j5|J~ZN0;MF++V5Mr%WpwXR7{Bwb8Raz1mvQ8bC$#!B3r@kDx@>i|3;3jNQ03 z^>xR&6YN>NV{CA&u9}eBkYu_GFoY=%(8MCUw-*4CsD$<4AS*HHBU`+|Wep-C3Lwfs i+OUO??W966wiW#JyAce9DG(KnMXyihrHPPBsVSTy_#92mlfw zPRTFEo5tx_1AF3J-oVVkMt2igWj)1u#%~9lQMgiH8bHPr7iXakN*?FIeSY#^ii<*o z;NjOc$exBdk6YiS(-uiN*$h;DU;q|Q3kXXJC1#`50Ck{#dRN8atpRnt$=7h)-B3uOyMzX!AUuAZ8MIbx(t9BQ diff --git a/src/test/resources/samples/test005_invalid_signature.bc b/src/test/resources/samples/test005_invalid_signature.bc index d8133b51e59babbcb7822933b903686d07a805e5..b33c6abdd8148b71b0ffa9fffd6754a5dac01a0c 100644 GIT binary patch delta 244 zcmV7ti|3;3jNQ03^>xR&6YN>NV{CA&u9}eBkYu_GFoY=%(8MCUw-*4CsD$<4AS*HH uBU`+|Wep-C3Lwfs+OUO??W966w*2(F5e$VZB=9i5nQDm#@GQ*5ezo!FRC%lb delta 244 zcmVONd>9|9sG3Lq)|m3QFplt_;=(7>-cPMGR{IE_D_F diff --git a/src/test/resources/samples/test006_reordered_blocks.bc b/src/test/resources/samples/test006_reordered_blocks.bc index 20fc406b359463e67775cef9f4ec250a4ccff6f7..486981c5bb9165ecb8faa5a9ffcfe05caca85914 100644 GIT binary patch delta 347 zcmV-h0i^!r1LXsdNMaCG$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJNb(NtK zq3c_LrsJ4}E@2qA^|;Hw^ip?@Wl;d-`%kKkIx6)q;>7t?}iYCNoLgWLI;g_{p-gCr2?%hkn{Xx_rANA8bDnavJhLk zcyQbXKt=SyPo18R zphVV-=c4S4-MBUNb;r3A>{-2IY;dfunvmO&WV#D5geeZt#3H-57XXr|g!SMcD>3OK tTfD(#4I&~6AQNiD|?;hyqJM6E?RJp;Xd$ds0@JYG}jDHHUQ#LIv?TIlC#< zcw=CfLI8RKk*XbHhZS=ruH!qH+<}57Vc{Xb_MN)D31eXy_W=26um`ce8bFL!<3uop z-`xhMba-bQDH9h(e5-eD(<@s#UN%auVJeN7Zs%$w-xrS74SDqpys-PZitQy5`GCdr z15VW{F$I$;0XBb(hprb=TuxnmEh20U{y_Am64Lg`!`aqfci{Xl56Y|9T(Gk!k?MOJWC2aI?}iYCNoLgW zLI;g_{p-gCr2?%hkn{Xx_rANA8bH|Em?((q=)gGSiAszH{8!lJ@M_ZOa=Fh--bt-s zfJIoK(UXCaS!{4Ej!%CQ>=_^(d^6C^cXvt+hnh2p4FVz}3Lq0|#N>||1=g4N8Q)K$ Wq!I#tS)lLePq#1!T0rOiohw(nC8K}< delta 376 zcmV-;0f+vV1eXMmK!4Fkp3Y)XZklE#z|d+cUn=RmRqLwgkr)A4o%}E^~LMQEQzK*LPHlKZ1q*^LfYsX zFVth4_gN7L8pr_(UJ3y)3IQ<~11c^G3kU=f0|;NHn|xB18APIkk@7!lVl zs4QqAd&vizeFd0p;ePor9L(GZ^#U|iIBAE`=I%q0v7ZK$Z2=^I3_6FE>l6yg6a z6?m<~P%uya3FSR29Fsac?DzYM8bA~ZHZlInpaLC*t-j3s+-TV8n>XzYf}f?pYOB#0erI3LtJvImKWt4JLmTm^oRR WDzzGrQaD6Fz)NDS>56AL(?AXlzzzU_d6RPq^EP9Rl8TefA!i z`kG_^D0r;^k%cy5)Iv=j5|J~ZN0;MF++V5Mr%WpwXR7{Bwb8Raz1mvQ8bEj7MMNv; zYC&qCFWK3RZASyfG^yjU(v!3wUCDS!ufBh-?2IC!5LZZutiTBSWd3O$$>`E$RfhR+ z*`~HvZ~&7X0V97l!|h}5h7g5GX4LRP2aS0B>&FG90<9~M^ZaD@zPpziK(iB=uKt(P z+d=EZMRpG%Z?md<_d}Z8{5l6noBY9JmkRUr;ty0{swB^Z5do#E5ltbi!0wGiE3S8w tu^}i)03sp^AQNiDq$MoCbJR(i*+TupstM`>ifn#*g&YKki=JR)=I;e1%`vtYIb5s^2sDWFc tVGnsQ1tKB}Af4}^U}a*Z`fpG7R~KJtXW^r#lD>RaZxaUun8O`k>|ND5p<@65 diff --git a/src/test/resources/samples/test009_expired_token.bc b/src/test/resources/samples/test009_expired_token.bc index 599a4209e2f4ae526c48f9831253be29d9664662..1ae9e59fd87747d17b31dcd19c5c2f9057e320f3 100644 GIT binary patch delta 294 zcmV+>0onf20>J`*5^M?r7y}X{2mlfw5LL%ev7t~|H?I{p#wNNlW0_ntrbk$+udydv z0}|qd8bHEGkbAb}^fSA)?e;c%Ii9}!pwl7Hvg)74e`eeeWX_Um+YANS3_gk|Gct=c zc=w!68_GjiJ)6(6x@V{am zn&F#2{wmzZe97@_B%13Ag{6eGHZO_te|%@G3h`}maA!SjAF)Px# delta 311 zcmV-70m%Nr0@4D15^M?r7y}X{2mlfw8*>V2qPRvo)CVV*)GVADz?z)K=p88>3QN%h zel5&c8bGo~Pd*A)h|TZ#5%O7-m!M4=*Bqpcy8Dpw3Y863UD^wVy=;(jrzgRiYapSn z5ZKFz6;Xy&3wHr;{T<4hVgnkz0SZ$J1!ie%Wibj0Wq5EWX>wt7X>V>A12PW^4GIDX z8xjWy0ulolfCw@x3MmQ)2!RL^0tf|>l_r1F8J20#f@Yy;<5D332@XEYg{FD~V9-38 z{;%cQ1jWKN?7`MhfNTYO2KTpMAs3986ILlQAnb6lDe> zX`&XN#URd37v)IO8G^_fbjE5t3?d>5AOR&mk2_RK=t&mK4`|_JOEl7K0ZVw^`Sk~( JIX429&qR&lbg%#b diff --git a/src/test/resources/samples/test010_authorizer_scope.bc b/src/test/resources/samples/test010_authorizer_scope.bc index e6664f2da2bbab1b15d53de9cc2294dd914a4b6c..b0188a76c2857ad5f1a9303026c051cfb4fc5847 100644 GIT binary patch delta 244 zcmV)NDS>56AL(?AXlzzzU_d6RPq^EP9Rl8TefA!i z`kG_^D0r;^k%c3F)Iv=j5|J~ZN0;MF++V5Mr%WpwXR7{Bwb8Raz1mvQ8bFqA&a$eL zd_l5PXn>2WZU&gZDnK~iW}N_hoIOKeCOD=*2sK#IS8B)%^Xn?cr&v`d;P%0$R08mm uT=(?ffCVBV3Lwfs+OUO??W966w*2(F5e$VZB=9i5nQDm#@GQ*5ezozY;BwIb delta 244 zcmV;{soE>Q0%#Ef8?y75Uv%;3GCUr~z diff --git a/src/test/resources/samples/test011_authorizer_authority_caveats.bc b/src/test/resources/samples/test011_authorizer_authority_caveats.bc index 46e1f8a51b5e2fab3bcff1f0851337076bdc25f0..a368cf3c32158e280a827d2551b5e41bec33db4a 100644 GIT binary patch delta 142 zcmV;90CE4R0jU9yBYzN8$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJNs0^50 z-uRVKj3IAi#$C-&rP+M}DwIV%c@>)NDS>56AL(?AXlzzzU_d6RPq^EP9Rl8TefA!i w`kG_^D0r;^A|eVPndo~Ckyuk6?zIE|6((*gBf_FkdlQVE8wVdMv{>IQVd>307ytkO delta 142 zcmV;90CE4R0jU9yBY#7^xBFW^px98zY8EPe&;(k_!ENA?ZG72D*{-2*#o`)3Sv@B` z6dUq7K8dwo|KYRwZ)iFKE4O3kk4{PR8hrG2Xv6(p4_F5$tdSG#;{ww{WLbZ29&ByY w7I-$*dhPWDA|eVP5GITnu!dEpmbKte1V(qfo*bn=Gxbbewg>o2nq^^%$kt*)EdT%j diff --git a/src/test/resources/samples/test012_authority_caveats.bc b/src/test/resources/samples/test012_authority_caveats.bc index 3a7c850c6f3706a1a89c1e02bd2de53ebd760e61..6d852ec77d3333de65663a6e1bdf064a7597820b 100644 GIT binary patch delta 142 zcmV;90CE4T0jmL!C4UfA$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJNYLAfG z)_UTs7=&O(ITWsQCjF!_$OnaWUryY?Um8=9A9H5r2Cab0zPglWE<$lWh+`^~At>?J wmd=}}*PyrxA|eVPndo~Ckyuk6?zIE|6((*gBf_FkdlQVE8wVdMv{>IQVLGopTL1t6 delta 142 zcmV;90CE4T0jmL!C4bzc>wxBx;S|w$tFS>xdF*TAOPc2?Tth|)t)uwNN4SJry;==Vx;>V3 wkMX!9Np1uMA|eVP1L^~iIbsl1$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJN#BB#3 z^Yb(`B0Pfy{jE};V!wF1U7WwdqeaxbroS;j6od{Kx-~zB{kaD{Sg|XNhbqDN<&(nc z21}6k!tLM&k(1L^~iIbu87HaS>%9I|giKmO$4LZ);3Eh`VqGY}6@F>7vNauymu(or=o z{Z34B=%HYr&Hyh}j~WZL<80H|v!=#bo;hHM4Fo!59Nu~g?@6C>%~ z#1pF550_;Pk(t(?8@`jw^(L3JUv%#P diff --git a/src/test/resources/samples/test014_regex_constraint.bc b/src/test/resources/samples/test014_regex_constraint.bc index 92193c9c0759ca251e8e5f7d0de5761c1b4052ea..6c3c87e845fd3d16437699ad2b64b8a6897676bb 100644 GIT binary patch delta 142 zcmV;90CE4#0nGuBM}H7i$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJN+Cp)P z(qkMF)1*sx5ZuRXYIQVQp4DxBvhE delta 142 zcmV;90CE4#0nGuBM}N+_*%(KJ^uSiN@u^@cYunE$_}^c#$r3z-USv%tnL-*s92Jfp z63Ax_KSU8(a(4b4sBLU%!{gXicINBi(u^p6C|X64BZkkVJ{MA%b}+qq wOs2xkpAIQVM{eZ9smFU delta 142 zcmV;90CE4f0k;8=F@N~0l52ER65=K&<{-;jb&NzUT2`8pcr3y(SHfY^;r1Fp)9&b} zPOR*lQPk1vDYSWVefqDd-+fGF9S6jd#cw)a1A0*tp1lKaP|+2g61>jC<9EB$Ex8Ig w-BQGNXIHHYA|eVPfr9e0G)6Ax4;%1}0DM#n%9w^7-sy`@(Fgl?&5`e#{eC4zPyhe` diff --git a/src/test/resources/samples/test016_caveat_head_name.bc b/src/test/resources/samples/test016_caveat_head_name.bc index 5923f402ea74fc70eef655a595b3a447d93c3925..c506641558defdd366216441e87cba70ecd98e16 100644 GIT binary patch delta 244 zcmV3m&U82gVmt+M2kTo@A zprEv}c7T)uk%t|B)Iv=j5|J~ZN0;MF++V5Mr%WpwXR7{Bwb8Raz1mvQ8bFb4R&2*4 z;CC=a{8DD=(AWeq6g9Zkm0L3}f;zI6zM6R7>KOz_b1KR9A#ya&S0=vCi1txw#@<$^ uX0KI68xJBP3Lwfs+OUO??W966w*2(F5e$VZB=9i5nQDm#@GQ*5ezoz6opY4{ delta 244 zcmVN%tv>kq&+H5*x8bBaI>MhDa zx<0cJmh_t;9${U}q+n;h5^i8MxKx|9eBbLN(0?mLBpbl@49MNX9x!(y7T1NiE6E$^ uL=F9`P!A#^3Lqzj#f~7B$G9tm3aDpOYPu{Lh@2|H)`rLjWfL);HJd+{TyJUs diff --git a/src/test/resources/samples/test017_expressions.bc b/src/test/resources/samples/test017_expressions.bc index 8992f912386e9fa23cddcf18077217eb341c3ae3..10f50241d96621a4a6d9b28f9e7386e98f21d91a 100644 GIT binary patch delta 534 zcmX@fvzM1mXc{lqYMzN~uH4LtNy%KyDXD1^%oF21rKPwexR^MkrG&UxxR?wWz$7CV zixd+F-^8Of90ou(P@Hk{Mn(}1s5AqRBR$!Hk!>;`99&ESj6lr9#lgj91++wf zX>vTPF{c%m1z45Q&OKf0-Ar*zuS}*L%%5-te#s!C%*(xpMT$eb(vv>s>Zy-(T&i7ypz` pNr_8g=8I~+i4nna@3u1k7gfvCRz9>Spjxmh|2)1NeiS&fDueGf#rq3Y=~N6 zFq>hr7SlzbHBw+5B3!Io%o1H3V5*Y?YUVGdzsgEn3SbpdTpV0%3XL~6&S8VFx>x*T zg{u3;tf(N*B@0$3&c)8fs>Lj{`YadF?OIGitD%a-Sh{(;Ie@nGKy2xrypF|aG6$

A5ho+WtFtjLtst@AqfCv_P}8DA+A*6~<)U=c?{1n0--`!gfW zjSp`9%-3Tf?{4?#dxO&t`3s>1jk|sa7d(sQQ3CqAQCE5CAAy&_S}UKhZjo&kb?!bH S{JPc839AXev$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJNq(TtJ zpdMA~-u!)qK*Hwl_zJe}?cPUG-g8f#cmy?g27uG_ErM%)4-L;sTcZR0Oc7~>yD*oC z6Vz_lXOcq)k$yja)Iv=j5|J~ZN0;MF++V5Mr%WpwXR7{Bwb8Raz1mvQ8bGk4K0i#* znM?;}!Is3)92MoD`M4>nTxbiQoRkb7rxJZ8nRQIOcfuYT uErrGJa10_M3Lwfs+OUO??W966w*2(F5e$VZB=9i5nQDm#@GQ*5ezoyQ26M>( delta 244 zcmVc839Ab5nB3^RJIa5&x5GG!otH>m;eBg&xFvM^WCO$gopR5`{#Wv7? z2=@0qrkXEFF#tstjs=^H2jkuHTK!T@^H`uccSN%q6Q0h{L(5-!DcZ~9r4Y_UpU0Br zHX|5kXU_Z#k$yja9z5>gy&Q}fY{l^)K0ncYue;|X@hvb3*jTK|+UJ0B8bF1J$4oZ? z=+wS<2Whn71x>qNrSdVTogh#EfGdX>g`T0+maiasL9wv+&{3LsDyoA;;g1UZt*zI$}=5vv?k{B&@%eyZaKQu<_cxSJ{JLvv>U diff --git a/src/test/resources/samples/test019_generating_ambient_from_variables.bc b/src/test/resources/samples/test019_generating_ambient_from_variables.bc index b31ab8e5bbec35c278eafc1d90a900ca89097a6c..f486a3c75ef201bfcc57ae1db3003fdb20fff31e 100644 GIT binary patch delta 244 zcmVyD*oC z6Vz_lXOcq)k$xqA)Iv=j5|J~ZN0;MF++V5Mr%WpwXR7{Bwb8Raz1mvQ8bH(df-0Mv z!0tISC_G6#spk>CUDz|5U*hYb-Z%xS)aXqK^Bz>H{Jo3Lwfs+OUO??W966w*2(F5e$VZB=9i5nQDm#@GQ*5ezoyH_;hRl delta 244 zcmV7R0Hb7ti|3;3jNQ03^>xR&6YN>NV{CA&u9}eBkYu_GFoY=%(8MCUw-*4CsD$<4AS*HH zBU`+|Wep-i5kvU&K% z{^jaCKg&@G*v7M4qyEmOO@pM|IB^2GKo&EhRf@)}P~F%4o|t#}Hu>}hO1(yZuF5O# zF%-FJUa(jWk*YR-Cd32fNV;c%9GWxl!-O^9igAor2>(hpcLk4i^NyvV8bIOjtf40a z!K1mmVv+8O^anfyfl&Y2Xv!D4%LlsD~ zC55Lqp9~^G5Qr~sJRhl!5`WP5trW=5O+34 anYIWLeT5RjM2Nt6EAL+-l#FQnPC^JAql4T4 diff --git a/src/test/resources/samples/test021_parsing.bc b/src/test/resources/samples/test021_parsing.bc index 1d8de246ed4227a4d48646cf18068a336a496d77..3f926365e6a5f9acd8a4707f88f168cdd5607fe1 100644 GIT binary patch delta 142 zcmV;90CE4k0lWc_Hh&OR$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJN)Uxy! zw&?~#Pv1~jugbs6nA2j9flnNr*XBY{*}m*VWv}%c(914`(B^%~_7lRSD)tqOXN$)8 wv}jDzqR`UIQVd|x+gN0+52 zGK`B~x09U6m2HgLB@^{hMsDs<9wzD&rq63iI3L$ajuN61OCb}|XnOrlbM_8(_u_s#t65@m!Ky}VY z)Rz4y`I!Zf7lWa?M%Vw1Y5CJ+(Nu5OFa`o{u2F=V(HRO#9`3aR{}m=~DmCzxe<;pDM6~4DH3NCB4(>cwn>n=ZvM`-)Er{>xaHj xCS6G&FG90<9~M^ZaD@zPpziKnjKbzbD{| zqBdo^4VI~evUJx+RcxODZ`bvZ#zE~4K{F{8A*w_xG7jm^fc33#8<9#3hqK?H%#vcA t&Xgb+1|lK~AQNiD^@272T4_K?Z%s3!p$cIE)Fp8bDtZX#8NA zpCZKgf1rq{Ibj%!PGv@h#js1{rRM7zQ9TqpW3$v8oe9W)L zL&>&KISZ2!0XBc0opMo0CZT0*MWZmx5F8?9KK)tQC4`SCKVkn3-q&s#Kt9?9-L_uo z4RKuWz(#|70p65Nj7op@em$Ceb&_0WPKi$ tT%9ku4I&~6AfQQb-Lsb$%)1Z1)T_j;`=KltCgl6UtZ@fKl+{a7r6)3ds3HIW diff --git a/src/test/resources/samples/test024_third_party.bc b/src/test/resources/samples/test024_third_party.bc index 78f16029589ec4a735465707c22bc63e2676a710..7bca415c6f4aeff3f27628adbaa6211f6e263493 100644 GIT binary patch delta 389 zcmX@be2RI3cKw>WxzWM<-??{x>-_OR=wD^W{?a(xn!unbReMBcA7bnjQsH0_Qn=#e zDYxACi<|BC-io>?<>1ce{e6`d<7&&3jRAYvR*7y| z726gt!DU6mtTvOgJ)gEHWiFK}_fEaYy=HRe1z~n>28l{l$*exk3`P!jd%^Sl%o8`O z*P9)FoBX~_pw%<&$_FR*-ip7kkFzdiTB|+b^PiOO`*u&4a+ti_FlwW^?#g%X8RPTc z?3r~k|4ABO63hOSSBk8!A9KDudFl?A+R+4m;feg~>~$_Qu!pVRwrvx~{_?f2r8a$0 zVO7fDaxnD|pL&-6I`@s;HP4HWv*ecC3TE3|#3*&XQ2R@Yb<~aT+afaOUXV9V+B@eM zo7gdtmu{=yUfSLL{PQ3A)Gu?Qrg1>Rgiy#SDRC(XXB~OcFUfjs`VYzb{)?6fG1Wyb Rc>ltGyFrx0^M7--!vWo=w)Fr2 delta 389 zcmX@be2RI3cKs3+(dr(CLqQ_1EIYkFPfg|Ra7uJfpEdW2Rm!!fr+ZX|R5%!f6t+J) zer|!2v;4d|KHfJs0&F9~CL26^o3~0>qCT*ZX;F)mgMZ?uPe0H7J$1pVslm+RN#wro zy!qF4_kP-YYJ2})<ysLl9>V!8FYMGjxV&!u5L~VaM{+?L#yS+wR$|1vAd5U%MSNrfU#o^M6 z(!S4^KgDLePi6K&Q~h4Q}zWWq(cHhtW=Y+=HdSkAC2L+{!>ElPg(6Fb&l-H|() zRVjnZLAvF}FVk=d*TmUjfzEzfD%Y6bxq8+`blfj|S|hVZN9bn0%)xU#>ZaCjqIT_b zNMLcfcy!yg1G*&_GB3!+>{=SZ0tpjBA*ZCorI41G5#N$`=<$B;_J=~{g}KXL^3ASX PCKNE;GGS%jDy{7Rv`VmK diff --git a/src/test/resources/samples/test025_check_all.bc b/src/test/resources/samples/test025_check_all.bc index 6b76c3eb1a82181774ed15b9d67fdb4177cb0025..221df2ca1fa4bdba842ef44c6d758ef16b507b57 100644 GIT binary patch delta 142 zcmV;90CE3<0)hgNe18yC$564MP+2#x6*tBvx-w&#Tr;LeSgNnFCtCv&;)EJN#8!cD z65-V&#?eK#)}u#VpMBIgJX2Iu|37qI&q6eqOyHZH>;+Nt*MqC*Q1~X!L$NO(*%_In wbvjn;^u=urA|eVPndo~Ckyuk6?zIE|6((*gBf_FkdlQVE8wVdMv{>IQVa;woO8@`> delta 142 zcmV;90CE3<0)hgNe1GcKf4I-*&4%$@x#HAkqh{^WsNCNm$e*cDr*LG^MavpMwC-6D z0ptdXe(3MFpjd1?qo;*ck2KNxjlZHBL9FKu;I?qANg^zC69#P!gXY=o?v(ov+Dj+u w5$HECP5Vm=A|eVPEXG|_-q*UL;@GnIrrje28xgNneW1T1%LkGo;NE5#Etw-paR2}S diff --git a/src/test/resources/samples/test026_public_keys_interning.bc b/src/test/resources/samples/test026_public_keys_interning.bc index 0016c7ab70ed080292ea1b179ed10ce3339825d1..49e417b23324b9ef24fa82114610e0ab3c3a14fe 100644 GIT binary patch delta 1001 zcmZ3&wS;See*K!exzWM<-??{x>-_OR=wD^W{?a(xn!unbReMBcA7bnjQsH0_QfRLF zH^IhejoPAEMJB1~|NHIkX@q=;KN+v7b$wsl384ll2lK*n{|fhQl3Q!KbWWq#yQZY7 zaPb40@uoA_l2)JD82L}yyrpMjV_!&H*k1n|O&2)5bXRRNJf6*|UG#XtSWC|2@?CaFeqhkIpi#zAMg44!S8vF zpWFSl)e1U0n>?jHPL|4<_UXvN292M`Wb|&_c%CM$@P95h+lpvg**}jT_N)utw$nmS z<}zax3&gR6!dGen6PJwyixLMH8^>gMChPjPMavoWws@PJP)J#2z~?C%XwRm>A3HXjBl0u*qu7 z?)BYa^^FYCEQhv#YMqq2M_W5kes97BozBJImUiol{W@}6%Hi$mkczo!VUzREYAA5e zNlY;@Y0(Xq=lsO^>uTsj`LBj0x5a(e?-I((ed000D(ri&g43Sxrt4C!m2;T%pUvOQ z3-S@a&Y{Q8;{Wcs9lfYg?_x>9xss1Y+nudGc=?J&J}BP&^Q~K7SO2mH-X~|AR!bLL zb*OEI{{GWWYQMM52rgMr>siA_q>n6F?CXE_t~hvpLPeOf^dH+3rG^h)t=%=@r{vp1 zMh?-f?R6i`AV$6H?Ur?vc~s5p_w=Xr+*H;3W-{l`Fep5EuCbkG^2P_iOp}#lkYV`p z_6xgeTlYxWygjeDtmT_&h#dYx|NdbT}E%3+U)|NAEI>Lr`fULCcY?QgGZ zbH(}CGz;TTKd!J_zn>cXQ^DkrDgWJoX<74mIB%P7bh;+TQno>u(?qi)rlKH-jeFwu ztok><`!34ge6~;6X35=NrMZ^J?`*mjS>R*&LjU@j4;OXcK^(J=!H?;;+~mgXS1isZ zw`V8!R#!Q%_qutiQT_n?vP#D%QVy#ZCd>D7zmjQmsVi2SAI4dH!KnSv7H8FqTXY4M zOcTvL@x0Arr`w*|?TZCvE2;zzuDsP7{D&>OUS6U0xnq>xY;L6tE(dcD!J>Klw=Cn{ z=yc5M?4wu3o|kv}g&sP5_aoQcWO)dMeDxipYd3y83 z?QEsK-mj~c3ZHs7U)}BT%q?7kVU3Q3ok{n9oV^_oSQVYiC};NQ%4BstPKfUaMc8CD zX7_skR(<28E`jpVd|T(PweG2EnQmDc{ORV`J$$!zlo_8~Ddi9?@O}9fk9rry^Y!() z44b^F3MWr6-xjUsq9Vx|=FqhG;d7qvH_~2D`><4S_PoVY*KRNRwaQpkf0DSMSUJv-uwR%@Qd$>A3kv_6yv9H%-lz3+Sy4>*AR>4UPcQ=YF`|{jz+G;--4U@O5TlZ8Bb%)xY>v;&pYY~J>G^`ayK29_vww0>jCtu+i%S};QVy1^rlK8Z z|F{@$6*wbz^PtSqgUk2U&UtU#ebzqL+^109gTQ;!?1gcwa<&@#c3e5o;DiEIQVLSUfi~s-t delta 142 zcmV;90CE4x0?7i9!+(=K4nqpgZ`p#@>DAe!ks?O`=^&N5D6uoWZX(aUBXb%+aM+X) zn5$i?L|PFwd6d~Qc!zH3TV(+B#G+-bW{Lq3LRR^cXLKl(8m{xf}nE(I) From cbfa5a88fe01bc491a9a324c95830294a68839ec Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Mon, 8 Jan 2024 12:08:13 +0100 Subject: [PATCH 2/8] fix fact assertions --- .../biscuitsec/biscuit/token/Authorizer.java | 34 ++++--- .../biscuitsec/biscuit/token/SamplesTest.java | 92 ++++++++++++++----- 2 files changed, 92 insertions(+), 34 deletions(-) diff --git a/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java b/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java index 1da51334..0d2d3618 100644 --- a/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java +++ b/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java @@ -630,37 +630,47 @@ public String print_world() { "\n\t]\n}"; } - public List facts() { - return this.world.facts().stream() + public FactSet facts() { + return this.world.facts();/*.stream() .map((f) -> org.biscuitsec.biscuit.token.builder.Fact.convert_from(f, this.symbols)) - .collect(Collectors.toList()); + .collect(Collectors.toList());*/ } - public List rules() { - return this.world.rules().stream() + public RuleSet rules() { + return this.world.rules();/*.stream() .map((r) -> org.biscuitsec.biscuit.token.builder.Rule.convert_from(r, this.symbols)) - .collect(Collectors.toList()); + .collect(Collectors.toList());*/ } - public List checks() { - List checks = new ArrayList<>(this.checks); + public List>> checks() { + List>> allChecks = new ArrayList<>(); + allChecks.add(new Tuple2(null, this.checks)); + + List authorityChecks = new ArrayList<>(); for(org.biscuitsec.biscuit.datalog.Check check: this.token.authority.checks) { - checks.add(Check.convert_from(check, token.symbols)); + authorityChecks.add(Check.convert_from(check, this.token.symbols)); } + allChecks.add(new Tuple2((long)0, authorityChecks)); + + long count = 1; for(Block block: this.token.blocks) { + List blockChecks = new ArrayList<>(); + if(block.externalKey.isDefined()) { SymbolTable blockSymbols = new SymbolTable(block.symbols.symbols, token.symbols.publicKeys()); for(org.biscuitsec.biscuit.datalog.Check check: block.checks) { - checks.add(Check.convert_from(check, blockSymbols)); + blockChecks.add(Check.convert_from(check, blockSymbols)); } } else { for(org.biscuitsec.biscuit.datalog.Check check: block.checks) { - checks.add(Check.convert_from(check, token.symbols)); + blockChecks.add(Check.convert_from(check, token.symbols)); } } + allChecks.add(new Tuple2(count, blockChecks)); + count += 1; } - return checks; + return allChecks; } public List policies() { diff --git a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java index a230345a..8fb90775 100644 --- a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java +++ b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java @@ -88,24 +88,19 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, if(validation.has("world") && !validation.get("world").isJsonNull()) { World world = new Gson().fromJson(validation.get("world").getAsJsonObject(), World.class); + System.out.println("will fix origin"); + world.fixOrigin(); + System.out.println("fixed origin"); + World authorizerWorld = new World(authorizer); - //Collections.sort(world.facts); - /*Collections.sort(world.rules); - Collections.sort(world.checks); - Collections.sort(world.policies);*/ - //Collections.sort(authorizerWorld.facts); - /*Collections.sort(authorizerWorld.rules); - Collections.sort(authorizerWorld.checks); - Collections.sort(authorizerWorld.policies);*/ + System.out.println("validation world"+world); System.out.println("authorizer world"+authorizerWorld); - assertEquals(world.facts.size(), authorizerWorld.facts.size()); - for (int i = 0; i < world.facts.size(); i++) { - assertEquals(world.facts.get(i), authorizerWorld.facts.get(i)); - } + assertEquals(world.factMap(), authorizerWorld.factMap()); + /*assertEquals(world.rules.size(), authorizerWorld.rules.size()); for (int i = 0; i < world.rules.size(); i++) { assertEquals(world.rules.get(i), authorizerWorld.rules.get(i)); @@ -126,17 +121,15 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, if(validation.has("world") && !validation.get("world").isJsonNull()) { World world = new Gson().fromJson(validation.get("world").getAsJsonObject(), World.class); World authorizerWorld = new World(authorizer); + System.out.println("will fix origin"); + world.fixOrigin(); + System.out.println("fixed origin"); - //Collections.sort(world.facts); - //Collections.sort(authorizerWorld.facts); - /*Collections.sort(authorizerWorld.rules); - Collections.sort(authorizerWorld.checks); - Collections.sort(authorizerWorld.policies);*/ - assertEquals(world.facts.size(), authorizerWorld.facts.size()); - for (int i = 0; i < world.facts.size(); i++) { - assertEquals(world.facts.get(i), authorizerWorld.facts.get(i)); - } + System.out.println(world.facts); + System.out.println(authorizerWorld.facts); + assertEquals(world.factMap(), authorizerWorld.factMap()); + /*assertEquals(world.rules.size(), authorizerWorld.rules.size()); for (int i = 0; i < world.rules.size(); i++) { assertEquals(world.rules.get(i), authorizerWorld.rules.get(i)); @@ -304,7 +297,7 @@ public World(Authorizer authorizer) { ArrayList origin = new ArrayList<>(entry.getKey().inner); Collections.sort(origin); ArrayList facts = new ArrayList<>(entry.getValue().stream() - .map(r -> r.toString()).collect(Collectors.toList())); + .map(f -> authorizer.symbols.print_fact(f)).collect(Collectors.toList())); Collections.sort(facts); return new FactSet(origin, facts); @@ -344,6 +337,21 @@ public World(Authorizer authorizer) { this.policies = authorizer.policies().stream().map(p -> p.toString()).collect(Collectors.toList()); } + public void fixOrigin() { + for(FactSet f: this.facts) { + f.fixOrigin(); + } + } + + public HashMap, List> factMap() { + HashMap, List> worldFacts = new HashMap<>(); + for(FactSet f: this.facts) { + worldFacts.put(f.origin, f.facts); + } + + return worldFacts; + } + @Override public String toString() { return "World{\n" + @@ -360,9 +368,49 @@ class FactSet { List facts; public FactSet(List origin, List facts) { + System.out.println("creating new factset with origin "+origin); this.origin = origin; this.facts = facts; } + + // JSON cannot represent Long.MAX_VALUE so it is stored as null, fix the origin list + public void fixOrigin() { + System.out.println("fixing origins: "+this.origin); + for(int i = 0; i < this.origin.size(); i++) { + if (this.origin.get(i) == null) { + this.origin.set(i, Long.MAX_VALUE); + } + } + + System.out.println("->: "+this.origin); + + } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + FactSet factSet = (FactSet) o; + + if (!Objects.equals(origin, factSet.origin)) return false; + return Objects.equals(facts, factSet.facts); + } + + @Override + public int hashCode() { + int result = origin != null ? origin.hashCode() : 0; + result = 31 * result + (facts != null ? facts.hashCode() : 0); + return result; + } + + @Override + public String toString() { + return "FactSet{" + + "origin=" + origin + + ", facts=" + facts + + '}'; + } } class RuleSet implements Comparable { From 0870f9258ad879b15aa13120ca7382246670a1dd Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Mon, 8 Jan 2024 14:34:51 +0100 Subject: [PATCH 3/8] compare rules --- .../biscuit/datalog/SymbolTable.java | 2 +- .../biscuit/datalog/expressions/Op.java | 2 +- .../biscuitsec/biscuit/token/Authorizer.java | 8 +-- .../biscuitsec/biscuit/token/SamplesTest.java | 50 ++++++++++++++++--- 4 files changed, 47 insertions(+), 15 deletions(-) diff --git a/src/main/java/org/biscuitsec/biscuit/datalog/SymbolTable.java b/src/main/java/org/biscuitsec/biscuit/datalog/SymbolTable.java index 94e6a499..489dae2f 100644 --- a/src/main/java/org/biscuitsec/biscuit/datalog/SymbolTable.java +++ b/src/main/java/org/biscuitsec/biscuit/datalog/SymbolTable.java @@ -177,7 +177,7 @@ public String print_scope(final Scope scope) { case PublicKey: Option pk = this.get_pk((int) scope.publicKey); if(pk.isDefined()) { - return pk.toString(); + return pk.get().toString(); } } return "?"; diff --git a/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java b/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java index 62b2c99d..dfdcfe27 100644 --- a/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java +++ b/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java @@ -157,7 +157,7 @@ public String print(Deque stack, SymbolTable symbols) { String _s = ""; switch (this.op) { case Negate: - _s = "! " + prec; + _s = "!" + prec; stack.push(_s); break; case Parens: diff --git a/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java b/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java index 0d2d3618..9462c8d3 100644 --- a/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java +++ b/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java @@ -631,15 +631,11 @@ public String print_world() { } public FactSet facts() { - return this.world.facts();/*.stream() - .map((f) -> org.biscuitsec.biscuit.token.builder.Fact.convert_from(f, this.symbols)) - .collect(Collectors.toList());*/ + return this.world.facts(); } public RuleSet rules() { - return this.world.rules();/*.stream() - .map((r) -> org.biscuitsec.biscuit.token.builder.Rule.convert_from(r, this.symbols)) - .collect(Collectors.toList());*/ + return this.world.rules(); } public List>> checks() { diff --git a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java index 8fb90775..0ae50204 100644 --- a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java +++ b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java @@ -92,20 +92,18 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, world.fixOrigin(); System.out.println("fixed origin"); - World authorizerWorld = new World(authorizer); - System.out.println("validation world"+world); System.out.println("authorizer world"+authorizerWorld); assertEquals(world.factMap(), authorizerWorld.factMap()); - /*assertEquals(world.rules.size(), authorizerWorld.rules.size()); + assertEquals(world.rules.size(), authorizerWorld.rules.size()); for (int i = 0; i < world.rules.size(); i++) { assertEquals(world.rules.get(i), authorizerWorld.rules.get(i)); } - assertEquals(world.checks.size(), authorizerWorld.checks.size()); + /*assertEquals(world.checks.size(), authorizerWorld.checks.size()); for (int i = 0; i < world.checks.size(); i++) { assertEquals(world.checks.get(i), authorizerWorld.checks.get(i)); } @@ -129,12 +127,15 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, System.out.println(world.facts); System.out.println(authorizerWorld.facts); assertEquals(world.factMap(), authorizerWorld.factMap()); - - /*assertEquals(world.rules.size(), authorizerWorld.rules.size()); + + System.out.println(world.rules); + System.out.println(authorizerWorld.rules); + + assertEquals(world.rules.size(), authorizerWorld.rules.size()); for (int i = 0; i < world.rules.size(); i++) { assertEquals(world.rules.get(i), authorizerWorld.rules.get(i)); } - assertEquals(world.checks.size(), authorizerWorld.checks.size()); + /*assertEquals(world.checks.size(), authorizerWorld.checks.size()); for (int i = 0; i < world.checks.size(); i++) { assertEquals(world.checks.get(i), authorizerWorld.checks.get(i)); } @@ -381,6 +382,7 @@ public void fixOrigin() { this.origin.set(i, Long.MAX_VALUE); } } + Collections.sort(this.origin); System.out.println("->: "+this.origin); @@ -434,6 +436,32 @@ public int compareTo(RuleSet ruleSet) { return this.origin.compareTo(ruleSet.origin); } } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + RuleSet ruleSet = (RuleSet) o; + + if (!Objects.equals(origin, ruleSet.origin)) return false; + return Objects.equals(rules, ruleSet.rules); + } + + @Override + public int hashCode() { + int result = origin != null ? origin.hashCode() : 0; + result = 31 * result + (rules != null ? rules.hashCode() : 0); + return result; + } + + @Override + public String toString() { + return "RuleSet{" + + "origin=" + origin + + ", rules=" + rules + + '}'; + } } class CheckSet implements Comparable { @@ -462,6 +490,14 @@ public int compareTo(RuleSet ruleSet) { return this.origin.compareTo(ruleSet.origin); } } + + @Override + public String toString() { + return "CheckSet{" + + "origin=" + origin + + ", checks=" + checks + + '}'; + } } } From 9932d306cde71a7d4acb33dac668f00c2661263d Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Mon, 8 Jan 2024 14:49:52 +0100 Subject: [PATCH 4/8] test rules and checks --- .../biscuitsec/biscuit/token/Authorizer.java | 12 ++- .../biscuitsec/biscuit/token/SamplesTest.java | 101 +++++++++--------- 2 files changed, 61 insertions(+), 52 deletions(-) diff --git a/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java b/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java index 9462c8d3..639d7f74 100644 --- a/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java +++ b/src/main/java/org/biscuitsec/biscuit/token/Authorizer.java @@ -640,13 +640,17 @@ public RuleSet rules() { public List>> checks() { List>> allChecks = new ArrayList<>(); - allChecks.add(new Tuple2(null, this.checks)); + if(!this.checks.isEmpty()) { + allChecks.add(new Tuple2(Long.MAX_VALUE, this.checks)); + } List authorityChecks = new ArrayList<>(); for(org.biscuitsec.biscuit.datalog.Check check: this.token.authority.checks) { authorityChecks.add(Check.convert_from(check, this.token.symbols)); } - allChecks.add(new Tuple2((long)0, authorityChecks)); + if(!authorityChecks.isEmpty()) { + allChecks.add(new Tuple2((long) 0, authorityChecks)); + } long count = 1; for(Block block: this.token.blocks) { @@ -662,7 +666,9 @@ public List>> checks() { blockChecks.add(Check.convert_from(check, token.symbols)); } } - allChecks.add(new Tuple2(count, blockChecks)); + if(!blockChecks.isEmpty()) { + allChecks.add(new Tuple2(count, blockChecks)); + } count += 1; } diff --git a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java index 0ae50204..47bb68e1 100644 --- a/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java +++ b/src/test/java/org/biscuitsec/biscuit/token/SamplesTest.java @@ -88,29 +88,15 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, if(validation.has("world") && !validation.get("world").isJsonNull()) { World world = new Gson().fromJson(validation.get("world").getAsJsonObject(), World.class); - System.out.println("will fix origin"); world.fixOrigin(); - System.out.println("fixed origin"); World authorizerWorld = new World(authorizer); - - System.out.println("validation world"+world); - System.out.println("authorizer world"+authorizerWorld); - assertEquals(world.factMap(), authorizerWorld.factMap()); + assertEquals(world.rules, authorizerWorld.rules); + assertEquals(world.checks, authorizerWorld.checks); + assertEquals(world.policies, authorizerWorld.policies); + - assertEquals(world.rules.size(), authorizerWorld.rules.size()); - for (int i = 0; i < world.rules.size(); i++) { - assertEquals(world.rules.get(i), authorizerWorld.rules.get(i)); - } - /*assertEquals(world.checks.size(), authorizerWorld.checks.size()); - for (int i = 0; i < world.checks.size(); i++) { - assertEquals(world.checks.get(i), authorizerWorld.checks.get(i)); - } - assertEquals(world.policies.size(), authorizerWorld.policies.size()); - for (int i = 0; i < world.policies.size(); i++) { - assertEquals(world.policies.get(i), authorizerWorld.policies.get(i)); - }*/ } return authorizeResult; @@ -118,31 +104,13 @@ DynamicTest process_testcase(final TestCase testCase, final PublicKey publicKey, if(validation.has("world") && !validation.get("world").isJsonNull()) { World world = new Gson().fromJson(validation.get("world").getAsJsonObject(), World.class); - World authorizerWorld = new World(authorizer); - System.out.println("will fix origin"); world.fixOrigin(); - System.out.println("fixed origin"); - - System.out.println(world.facts); - System.out.println(authorizerWorld.facts); + World authorizerWorld = new World(authorizer); assertEquals(world.factMap(), authorizerWorld.factMap()); - - System.out.println(world.rules); - System.out.println(authorizerWorld.rules); - - assertEquals(world.rules.size(), authorizerWorld.rules.size()); - for (int i = 0; i < world.rules.size(); i++) { - assertEquals(world.rules.get(i), authorizerWorld.rules.get(i)); - } - /*assertEquals(world.checks.size(), authorizerWorld.checks.size()); - for (int i = 0; i < world.checks.size(); i++) { - assertEquals(world.checks.get(i), authorizerWorld.checks.get(i)); - } - assertEquals(world.policies.size(), authorizerWorld.policies.size()); - for (int i = 0; i < world.policies.size(); i++) { - assertEquals(world.policies.get(i), authorizerWorld.policies.get(i)); - }*/ + assertEquals(world.rules, authorizerWorld.rules); + assertEquals(world.checks, authorizerWorld.checks); + assertEquals(world.policies, authorizerWorld.policies); } throw e; @@ -336,12 +304,22 @@ public World(Authorizer authorizer) { this.checks = checksets; this.policies = authorizer.policies().stream().map(p -> p.toString()).collect(Collectors.toList()); + Collections.sort(this.rules); + Collections.sort(this.checks); } public void fixOrigin() { for(FactSet f: this.facts) { f.fixOrigin(); } + for(RuleSet r: this.rules) { + r.fixOrigin(); + } + Collections.sort(this.rules); + for(CheckSet c: this.checks) { + c.fixOrigin(); + } + Collections.sort(this.checks); } public HashMap, List> factMap() { @@ -369,23 +347,18 @@ class FactSet { List facts; public FactSet(List origin, List facts) { - System.out.println("creating new factset with origin "+origin); this.origin = origin; this.facts = facts; } // JSON cannot represent Long.MAX_VALUE so it is stored as null, fix the origin list public void fixOrigin() { - System.out.println("fixing origins: "+this.origin); for(int i = 0; i < this.origin.size(); i++) { if (this.origin.get(i) == null) { this.origin.set(i, Long.MAX_VALUE); } } Collections.sort(this.origin); - - System.out.println("->: "+this.origin); - } @Override @@ -424,6 +397,12 @@ public RuleSet(Long origin, List rules) { this.rules = rules; } + public void fixOrigin() { + if (this.origin == null || this.origin == -1) { + this.origin = Long.MAX_VALUE; + } + } + @Override public int compareTo(RuleSet ruleSet) { // we only compare origin to sort the list of rulesets @@ -464,7 +443,7 @@ public String toString() { } } - class CheckSet implements Comparable { + class CheckSet implements Comparable { Long origin; List checks; @@ -478,19 +457,43 @@ public CheckSet(List checks) { this.checks = checks; } + public void fixOrigin() { + if (this.origin == null || this.origin == -1) { + this.origin = Long.MAX_VALUE; + } + } + @Override - public int compareTo(RuleSet ruleSet) { + public int compareTo(CheckSet checkSet) { // we only compare origin to sort the list of checksets // there's only one of each origin so we don't need to compare the list of rules if(this.origin == null) { return -1; - } else if (ruleSet.origin == null) { + } else if (checkSet.origin == null) { return 1; } else { - return this.origin.compareTo(ruleSet.origin); + return this.origin.compareTo(checkSet.origin); } } + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + CheckSet checkSet = (CheckSet) o; + + if (!Objects.equals(origin, checkSet.origin)) return false; + return Objects.equals(checks, checkSet.checks); + } + + @Override + public int hashCode() { + int result = origin != null ? origin.hashCode() : 0; + result = 31 * result + (checks != null ? checks.hashCode() : 0); + return result; + } + @Override public String toString() { return "CheckSet{" + From 4ea0d59817f0b440502abe7a91ec429c4850e140 Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Mon, 8 Jan 2024 14:59:58 +0100 Subject: [PATCH 5/8] fix policies order --- src/test/resources/samples/samples.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/test/resources/samples/samples.json b/src/test/resources/samples/samples.json index 2db940d7..432c45d2 100644 --- a/src/test/resources/samples/samples.json +++ b/src/test/resources/samples/samples.json @@ -2067,10 +2067,10 @@ } ], "policies": [ - "allow if true", - "deny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "deny if query(3)", "deny if query(1, 2)", - "deny if query(3)" + "deny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "allow if true" ] }, "result": { From 9855cd0065a7f021bbeb1b53631f8ddc34b0ff11 Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Mon, 8 Jan 2024 15:11:37 +0100 Subject: [PATCH 6/8] missing implementations --- .../biscuitsec/biscuit/datalog/expressions/Op.java | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java b/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java index dfdcfe27..a5de31ff 100644 --- a/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java +++ b/src/main/java/org/biscuitsec/biscuit/datalog/expressions/Op.java @@ -164,6 +164,10 @@ public String print(Deque stack, SymbolTable symbols) { _s = "(" + prec + ")"; stack.push(_s); break; + case Length: + _s = prec+".length()"; + stack.push(_s); + break; } return _s; } @@ -307,6 +311,10 @@ public boolean evaluate(Deque stack, Map variables, TemporaryS } break; case Equal: + if (right instanceof Term.Bool && left instanceof Term.Bool) { + stack.push(new Term.Bool(((Term.Bool) left).value() == ((Term.Bool) right).value())); + return true; + } if (right instanceof Term.Integer && left instanceof Term.Integer) { stack.push(new Term.Bool(((Term.Integer) left).value() == ((Term.Integer) right).value())); return true; @@ -331,6 +339,10 @@ public boolean evaluate(Deque stack, Map variables, TemporaryS } break; case NotEqual: + if (right instanceof Term.Bool && left instanceof Term.Bool) { + stack.push(new Term.Bool(((Term.Bool) left).value() == ((Term.Bool) right).value())); + return true; + } if (right instanceof Term.Integer && left instanceof Term.Integer) { stack.push(new Term.Bool(((Term.Integer) left).value() != ((Term.Integer) right).value())); return true; From b0d65faa41bec610f6727476dfb8d5d1abb5c58f Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Mon, 8 Jan 2024 15:12:44 +0100 Subject: [PATCH 7/8] update samples readme --- src/test/resources/samples/README.md | 1549 +++++++++++++++++++------- 1 file changed, 1122 insertions(+), 427 deletions(-) diff --git a/src/test/resources/samples/README.md b/src/test/resources/samples/README.md index bc3284bc..e123c7c6 100644 --- a/src/test/resources/samples/README.md +++ b/src/test/resources/samples/README.md @@ -1,7 +1,7 @@ # Biscuit samples and expected results -root secret key: 12aca40167fbdd1a11037e9fd440e3d510d9d9dea70a6646aa4aaf84d718d75a -root public key: acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189 +root secret key: 99e87b0e9158531eeeb503ff15266e2b23c2a2507b138c9d1b1f2ab458df2d61 +root public key: 1055c750b1a1505937af1537c626ba3263995c33a64758aaafb1275b0312e284 ------------------------------ @@ -38,25 +38,48 @@ allow if true; ``` revocation ids: -- `3ee1c0f42ba69ec63b1f39a6b3c57d25a4ccec452233ca6d40530ecfe83af4918fa78d9346f8b7c498545b54663960342b9ed298b2c8bbe2085b80c237b56f09` -- `e16ccf0820b02092adb531e36c2e82884c6c6c647b1c85184007f2ace601648afb71faa261b11f9ab352093c96187870f868588b664579c8018864b306bd5007` +- `7595a112a1eb5b81a6e398852e6118b7f5b8cbbff452778e655100e5fb4faa8d3a2af52fe2c4f9524879605675fae26adbc4783e0cafc43522fa82385f396c03` +- `45f4c14f9d9e8fa044d68be7a2ec8cddb835f575c7b913ec59bd636c70acae9a90db9064ba0b3084290ed0c422bbb7170092a884f5e0202b31e9235bbcc1650d` authorizer world: ``` World { - facts: { - "resource(\"file1\")", - "right(\"file1\", \"read\")", - "right(\"file1\", \"write\")", - "right(\"file2\", \"read\")", -} - rules: {} - checks: { - "check if resource($0), operation(\"read\"), right($0, \"read\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "resource(\"file1\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"file1\", \"read\")", + "right(\"file1\", \"write\")", + "right(\"file2\", \"read\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if resource($0), operation(\"read\"), right($0, \"read\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -265,29 +288,68 @@ allow if true; ``` revocation ids: -- `02d287b0e5b22780192f8351538583c17f7d0200e064b32a1fcf07899e64ffb10e4de324f5c5ebc72c89a63e424317226cf555eb42dae81b2fd4639cf7591108` -- `22e75ea200cf7b2b62b389298fe0dec973b7f9c7e54e76c3c41811d72ea82c68227bc9079b7d05986de17ef9301cccdc08f5023455386987d1e6ee4391b19f06` -- `140a3631fecae550b51e50b9b822b947fb485c80070b34482fa116cdea560140164a1d0a959b40fed8a727e2f62c0b57635760c488c8bf0eda80ee591558c409` +- `4d86c9af808dc2e0583f47282e6f5df3e09dc264d5231ec360b4519e15ddaeec60b25a9bbcb22e8d192f4d36a0da3f9243711e30535b00ee55c53cb1395f230a` +- `63208c668c66f3ba6927140ba37533593b25e03459447805d4b2a8b75adeef45794c3d7249afe506ed77ccee276160bb4052a4009302bd34871a440f070b4509` +- `d8da982888eae8c038e4894a8c06fc57d8e5f06ad2e972b9cf4bde49ad60804558a0d1938192596c702d8e4f7f12ec19201d7c33d0cd77774a0d879a33880d02` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "owner(\"alice\", \"file1\")", - "owner(\"alice\", \"file2\")", - "resource(\"file2\")", - "user_id(\"alice\")", -} - rules: { - "right($0, \"read\") <- resource($0), user_id($1), owner($1, $0)", -} - checks: { - "check if resource($0), operation(\"read\"), right($0, \"read\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file2\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "owner(\"alice\", \"file1\")", + "user_id(\"alice\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 2, + ), + }, + facts: [ + "owner(\"alice\", \"file2\")", + ], + }, +] + rules: [ + AuthorizerRuleSet { + origin: Some( + 1, + ), + rules: [ + "right($0, \"read\") <- resource($0), user_id($1), owner($1, $0)", + ], + }, +] + checks: [ + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if resource($0), operation(\"read\"), right($0, \"read\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -337,26 +399,58 @@ allow if true; ``` revocation ids: -- `567682495bf002eb84c46491e40fad8c55943d918c65e2c110b1b88511bf393072c0305a243e3d632ca5f1e9b0ace3e3582de84838c3a258480657087c267f02` -- `71f0010b1034dbc62c53f67a23947b92ccba46495088567ac7ad5c4d7d65476964bee42053a6a35088110c5918f9c9606057689271fef89d84253cf98e6d4407` -- `6d00d5f2a5d25dbfaa19152a81b44328b368e8fb8300b25e36754cfe8b2ce1eb2d1452ce9b1502e6f377a23aa87098fb05b5b073541624a8815ba0610f793005` +- `a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00` +- `77df45442be86a416aa02fd9d98d6d4703c634a9e3b1d293b41f5dc97849afbe7faeec8c22a210574888acc008fb64fe691ec9e8d2655586f970d9a6b6577000` +- `b31398aefe97d3db41ebc445760f216fb3aa7bf7439adcfc3a07489bfcc163970af3f4e20f5460aa24cf841101a5ab114d21acc0ee8d442bae7793b121284900` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "resource(\"file2\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")", -} - rules: {} - checks: { - "check if resource($0), operation(\"read\"), right($0, \"read\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file2\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"file1\", \"read\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 2, + ), + }, + facts: [ + "right(\"file2\", \"read\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if resource($0), operation(\"read\"), right($0, \"read\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -377,7 +471,7 @@ public keys: [] ``` 1: -symbols: ["file1", "expiration"] +symbols: ["file1"] public keys: [] @@ -398,25 +492,39 @@ allow if true; ``` revocation ids: -- `b2474f3e0a5788cdeff811f2599497a04d1ad71ca48dbafb90f20a950d565dda0b86bd6c9072a727c19b6b20a1ae10d8cb88155186550b77016ffd1dca9a6203` -- `0d12152670cbefe2fa504af9a92b513f1a48ae460ae5e66aaac4ed9f7dc3cc1c4c510693312b351465062169a2169fc520ce4e17e548d21982c81a74c66a3c0c` +- `c248907bb6e5f433bbb5edf6367b399ebefca0d321d0b2ea9fc67f66dc1064ce926adb0c05d90c3e8a2833328b3578f79c4e1bca43583d9bcfb2ba6c37303d00` +- `a4edf7aaea8658bb9ae19b3ffe2adcc77cc9f16c249aeb0a85a584b5362f89f27f7c67ac0af16d7170673d6d1fb1563d1934b25ec5a461f6c01fa49805cd5e07` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "resource(\"file1\")", - "time(2020-12-21T09:23:12Z)", -} - rules: {} - checks: { - "check if resource(\"file1\")", - "check if time($time), $time <= 2018-12-20T00:00:00Z", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file1\")", + "time(2020-12-21T09:23:12Z)", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if resource(\"file1\")", + "check if time($time), $time <= 2018-12-20T00:00:00Z", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -459,25 +567,57 @@ allow if true; ``` revocation ids: -- `b9ecf192ecb1bbb10e45320c1c86661f0c6b6bd28e89fdd8fa838fe0ab3f754229f7fbbf92ad978d36f744c345c69bc156a2a91a2979a3c235a9d936d401b404` -- `839728735701e589c2612e655afa2b53f573480e6a0477ae68ed71587987d1af398a31296bdec0b6eccee9348f4b4c23ca1031e809991626c579fef80b1d380d` +- `a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00` +- `966eceb2aa937c41b25368808bab6e0698c02a4038de669d007c9c3d43602638a640083558d1576ac80cf3eb2ac6a7585527e0f6c1a65402f0935cf7f4df8005` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "resource(\"file2\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")", -} - rules: {} - checks: { - "check if right($0, $1), resource($0), operation($1)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file2\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"file1\", \"read\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 1, + ), + }, + facts: [ + "right(\"file2\", \"read\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 18446744073709551615, + ), + checks: [ + "check if right($0, $1), resource($0), operation($1)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -511,23 +651,46 @@ allow if true; ``` revocation ids: -- `593d273d141bf23a3e89b55fffe1b3f96f683a022bb763e78f4e49f31a7cf47668c3fd5e0f580727ac9113ede302d34264597f6f1e6c6dd4167836d57aedf504` +- `a80c985ddef895518c216f64c65dcd50a5d97d012a94453d79159aed2981654b1fe9748c686c5667604026a94fb8db8a1d02de747df61e99fa9a63ff2878ad00` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "resource(\"file2\")", - "right(\"file1\", \"read\")", -} - rules: {} - checks: { - "check if right($0, $1), resource($0), operation($1)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file2\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"file1\", \"read\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 18446744073709551615, + ), + checks: [ + "check if right($0, $1), resource($0), operation($1)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -559,22 +722,36 @@ allow if true; ``` revocation ids: -- `0a1d14a145debbb0a2f4ce0631d3a0a48a2e0eddabefda7fabb0414879ec6be24b9ae7295c434609ada3f8cc47b8845bbd5a0d4fba3d96748ff1b824496e0405` +- `6a8f90dad67ae2ac188460463914ae7326fda431c80785755f4edcc15f1a53911f7366e606ad80cbbeba94672e42713e88632a932128f1d796ce9ba7d7a0b80a` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "resource(\"file1\")", -} - rules: {} - checks: { - "check if resource(\"file1\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file1\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if resource(\"file1\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -590,22 +767,36 @@ allow if true; ``` revocation ids: -- `0a1d14a145debbb0a2f4ce0631d3a0a48a2e0eddabefda7fabb0414879ec6be24b9ae7295c434609ada3f8cc47b8845bbd5a0d4fba3d96748ff1b824496e0405` +- `6a8f90dad67ae2ac188460463914ae7326fda431c80785755f4edcc15f1a53911f7366e606ad80cbbeba94672e42713e88632a932128f1d796ce9ba7d7a0b80a` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "resource(\"file2\")", -} - rules: {} - checks: { - "check if resource(\"file1\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file2\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if resource(\"file1\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -649,29 +840,69 @@ allow if true; ``` revocation ids: -- `d251352efd4e4c72e8a1609fce002f558f1a0bb5e36cd3d8b3a6c6599e3960880f21bea6fe1857f4ecbc2c399dd77829b154e75f1323e9dec413aad70f97650d` -- `9de4f51e6019540598a957515dad52f5403e5c6cd8d2adbca1bff42a4fbc0eb8c6adab499da2fe894a8a9c9c581276bfb0fdc3d35ab2ff9f920a2c4690739903` +- `c46d071ff3f33434223c8305fdad529f62bf78bb5d9cbfc2a345d4bca6bf314014840e18ba353f86fdb9073d58b12b8c872ac1f8e593c2e9064b90f6c2ede006` +- `a0c4c163a0b3ca406df4ece3d1371356190df04208eccef72f77e875ed0531b5d37e243d6f388b1967776a5dfd16ef228f19c5bdd6d2820f145c5ed3c3dcdc00` authorizer world: ``` World { - facts: { - "resource(\"file1\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")", - "time(2020-12-21T09:23:12Z)", - "valid_date(\"file1\")", -} - rules: { - "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", - "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)", -} - checks: { - "check if valid_date($0), resource($0)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "resource(\"file1\")", + "time(2020-12-21T09:23:12Z)", + ], + }, + AuthorizerFactSet { + origin: { + None, + Some( + 1, + ), + }, + facts: [ + "valid_date(\"file1\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"file1\", \"read\")", + "right(\"file2\", \"read\")", + ], + }, +] + rules: [ + AuthorizerRuleSet { + origin: Some( + 1, + ), + rules: [ + "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", + "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)", + ], + }, +] + checks: [ + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if valid_date($0), resource($0)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -687,28 +918,58 @@ allow if true; ``` revocation ids: -- `d251352efd4e4c72e8a1609fce002f558f1a0bb5e36cd3d8b3a6c6599e3960880f21bea6fe1857f4ecbc2c399dd77829b154e75f1323e9dec413aad70f97650d` -- `9de4f51e6019540598a957515dad52f5403e5c6cd8d2adbca1bff42a4fbc0eb8c6adab499da2fe894a8a9c9c581276bfb0fdc3d35ab2ff9f920a2c4690739903` +- `c46d071ff3f33434223c8305fdad529f62bf78bb5d9cbfc2a345d4bca6bf314014840e18ba353f86fdb9073d58b12b8c872ac1f8e593c2e9064b90f6c2ede006` +- `a0c4c163a0b3ca406df4ece3d1371356190df04208eccef72f77e875ed0531b5d37e243d6f388b1967776a5dfd16ef228f19c5bdd6d2820f145c5ed3c3dcdc00` authorizer world: ``` World { - facts: { - "resource(\"file2\")", - "right(\"file1\", \"read\")", - "right(\"file2\", \"read\")", - "time(2020-12-21T09:23:12Z)", -} - rules: { - "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", - "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)", -} - checks: { - "check if valid_date($0), resource($0)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "resource(\"file2\")", + "time(2020-12-21T09:23:12Z)", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"file1\", \"read\")", + "right(\"file2\", \"read\")", + ], + }, +] + rules: [ + AuthorizerRuleSet { + origin: Some( + 1, + ), + rules: [ + "valid_date(\"file1\") <- time($0), resource(\"file1\"), $0 <= 2030-12-31T12:59:59Z", + "valid_date($1) <- time($0), resource($1), $0 <= 1999-12-31T12:59:59Z, ![\"file1\"].contains($1)", + ], + }, +] + checks: [ + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if valid_date($0), resource($0)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -739,21 +1000,35 @@ allow if true; ``` revocation ids: -- `1c158e1e12c8670d3f4411597276fe1caab17b7728adb7f7e9c44eeec3e3d85676e6ebe2d28c287e285a45912386cfa53e1752997630bd7a4ca6c2cd9f143500` +- `da42718ad2631c12d3a44b7710dcc76c6c7809c6bc3a2d7eb0378c4154eae10e0884a8d54a2cd25ca3dfe01091d816ebbb9d246227baf7a359a787cb2344ad07` authorizer world: ``` World { - facts: { - "resource(\"file1\")", -} - rules: {} - checks: { - "check if resource($0), $0.matches(\"file[0-9]+.txt\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "resource(\"file1\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if resource($0), $0.matches(\"file[0-9]+.txt\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -768,21 +1043,35 @@ allow if true; ``` revocation ids: -- `1c158e1e12c8670d3f4411597276fe1caab17b7728adb7f7e9c44eeec3e3d85676e6ebe2d28c287e285a45912386cfa53e1752997630bd7a4ca6c2cd9f143500` +- `da42718ad2631c12d3a44b7710dcc76c6c7809c6bc3a2d7eb0378c4154eae10e0884a8d54a2cd25ca3dfe01091d816ebbb9d246227baf7a359a787cb2344ad07` authorizer world: ``` World { - facts: { - "resource(\"file123.txt\")", -} - rules: {} - checks: { - "check if resource($0), $0.matches(\"file[0-9]+.txt\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "resource(\"file123.txt\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if resource($0), $0.matches(\"file[0-9]+.txt\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -813,21 +1102,37 @@ allow if true; ``` revocation ids: -- `d3eee8a74eacec9c51d4d1eb29b479727dfaafa9df7d4c651d07c493c56f3a5f037a51139ebd036f50d1159d12bccec3e377bbd32db90a39dd52c4776757ad0b` +- `b0d466d31e015fa85a075fa875f7e1c9017edd503fee9f62a5f033e1fcfa811074b6e39dfe5af2f452043db97a3f98650592a370f5685b62c5d6abf9dd10b603` authorizer world: ``` World { - facts: { - "must_be_present(\"hello\")", -} - rules: {} - checks: { - "check if must_be_present($0) or must_be_present($0)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "must_be_present(\"hello\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 18446744073709551615, + ), + checks: [ + "check if must_be_present($0) or must_be_present($0)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -865,22 +1170,38 @@ allow if true; ``` revocation ids: -- `e79679e019f1d7d3a9f9a309673aceadc7b2b2d67c0df3e7a1dccec25218e9b5935b9c8f8249243446406e3cdd86c1b35601a21cf1b119df48ca5e897cc6cd0d` -- `2042ea2dca41ba3eb31196f49b211e615dcba46067be126e6035b8549bb57cdfeb24d07f2b44241bc0f70cc8ddc31e30772116d785b82bc91be8440dfdab500f` +- `ce6f804f4390e693a8853d9a4a10bd4f3c94b86b7c6d671993a6e19346bc4d20bbb52cc945e5d0d02e4e75fa5da2caa99764050190353564a0a0b4b276809402` +- `916d566cc724e0773046fc5266e9d0d804311435b8d6955b332f823ab296be9a78dfea190447732ac9f6217234cf5726becf88f65169c6de56a766af55451b0f` authorizer world: ``` World { - facts: { - "query(\"test\")", -} - rules: {} - checks: { - "check if resource(\"hello\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + Some( + 1, + ), + }, + facts: [ + "query(\"test\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if resource(\"hello\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -893,7 +1214,7 @@ result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedB ### token authority: -symbols: ["hello world", "hello", "world", "aaabde", "a*c?.e", "abd", "aaa", "b", "de", "abcD12", "abcD12x", "abc", "def"] +symbols: ["hello world", "hello", "world", "aaabde", "a*c?.e", "abd", "aaa", "b", "de", "abcD12", "abc", "def"] public keys: [] @@ -901,8 +1222,10 @@ public keys: [] check if true; check if !false; check if !false && true; -check if false or true; +check if false || true; check if (true || false) && true; +check if true == true; +check if false == false; check if 1 < 2; check if 2 > 1; check if 1 <= 2; @@ -910,15 +1233,12 @@ check if 1 <= 1; check if 2 >= 1; check if 2 >= 2; check if 3 == 3; -check if 1 != 3; check if 1 + 2 * 3 - 4 / 2 == 5; -check if 1 | 2 ^ 3 == 0; check if "hello world".starts_with("hello") && "hello world".ends_with("world"); check if "aaabde".matches("a*c?.e"); check if "aaabde".contains("abd"); check if "aaabde" == "aaa" + "b" + "de"; check if "abcD12" == "abcD12"; -check if "abcD12x" != "abcD12"; check if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z; check if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z; check if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z; @@ -926,16 +1246,18 @@ check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z; check if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z; check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z; check if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z; -check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z; check if hex:12ab == hex:12ab; -check if hex:12abcd != hex:12ab; check if [1, 2].contains(2); check if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z); check if [false, true].contains(true); check if ["abc", "def"].contains("abc"); check if [hex:12ab, hex:34de].contains(hex:34de); +check if [1, 2].contains([2]); check if [1, 2] == [1, 2]; -check if [1, 4] != [1, 2]; +check if [1, 2].intersection([2, 3]) == [2]; +check if [1, 2].union([2, 3]) == [1, 2, 3]; +check if [1, 2, 3].intersection([1, 2]).contains(1); +check if [1, 2, 3].intersection([1, 2]).length() == 2; ``` ### validation @@ -946,55 +1268,64 @@ allow if true; ``` revocation ids: -- `3e51db5f0453929a596485b59e89bf628a301a33d476132c48a1c0a208805809f15bdf99593733c1b5f30e8c1f473ee2f78042f81fd0557081bafb5370e65d0c` +- `f61b4cb4fc58777fec6c8d39fe62259dc3c78511868236c391e9f67ffd03a3a8b8e3042d4bacce0d5756d053f5afccd4c5e4df0597af44b36bdfab492e5fe50e` authorizer world: ``` World { - facts: {} - rules: {} - checks: { - "check if !false", - "check if !false && true", - "check if \"aaabde\" == \"aaa\" + \"b\" + \"de\"", - "check if \"aaabde\".contains(\"abd\")", - "check if \"aaabde\".matches(\"a*c?.e\")", - "check if \"abcD12\" == \"abcD12\"", - "check if \"abcD12x\" != \"abcD12\"", - "check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")", - "check if (true || false) && true", - "check if 1 != 3", - "check if 1 + 2 * 3 - 4 / 2 == 5", - "check if 1 < 2", - "check if 1 <= 1", - "check if 1 <= 2", - "check if 1 | 2 ^ 3 == 0", - "check if 2 > 1", - "check if 2 >= 1", - "check if 2 >= 2", - "check if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z", - "check if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z", - "check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z", - "check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z", - "check if 3 == 3", - "check if [\"abc\", \"def\"].contains(\"abc\")", - "check if [1, 2] == [1, 2]", - "check if [1, 2].contains(2)", - "check if [1, 4] != [1, 2]", - "check if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z)", - "check if [false, true].contains(true)", - "check if [hex:12ab, hex:34de].contains(hex:34de)", - "check if false or true", - "check if hex:12ab == hex:12ab", - "check if hex:12abcd != hex:12ab", - "check if true", -} - policies: { + facts: [] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if !false", + "check if !false && true", + "check if \"aaabde\" == \"aaa\" + \"b\" + \"de\"", + "check if \"aaabde\".contains(\"abd\")", + "check if \"aaabde\".matches(\"a*c?.e\")", + "check if \"abcD12\" == \"abcD12\"", + "check if \"hello world\".starts_with(\"hello\") && \"hello world\".ends_with(\"world\")", + "check if (true || false) && true", + "check if 1 + 2 * 3 - 4 / 2 == 5", + "check if 1 < 2", + "check if 1 <= 1", + "check if 1 <= 2", + "check if 2 > 1", + "check if 2 >= 1", + "check if 2 >= 2", + "check if 2019-12-04T09:46:41Z < 2020-12-04T09:46:41Z", + "check if 2019-12-04T09:46:41Z <= 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z == 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z > 2019-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2019-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z", + "check if 2020-12-04T09:46:41Z >= 2020-12-04T09:46:41Z", + "check if 3 == 3", + "check if [\"abc\", \"def\"].contains(\"abc\")", + "check if [1, 2, 3].intersection([1, 2]).contains(1)", + "check if [1, 2, 3].intersection([1, 2]).length() == 2", + "check if [1, 2] == [1, 2]", + "check if [1, 2].contains(2)", + "check if [1, 2].contains([2])", + "check if [1, 2].intersection([2, 3]) == [2]", + "check if [1, 2].union([2, 3]) == [1, 2, 3]", + "check if [2019-12-04T09:46:41Z, 2020-12-04T09:46:41Z].contains(2020-12-04T09:46:41Z)", + "check if [false, true].contains(true)", + "check if [hex:12ab, hex:34de].contains(hex:34de)", + "check if false == false", + "check if false || true", + "check if hex:12ab == hex:12ab", + "check if true", + "check if true == true", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1062,25 +1393,56 @@ allow if true; ``` revocation ids: -- `4819e7360fdb840e54e94afcbc110e9b0652894dba2b8bf3b8b8f2254aaf00272bba7eb603c153c7e50cca0e5bb8e20449d70a1b24e7192e902c64f94848a703` -- `4a4c59354354d2f91b3a2d1e7afa2c5eeaf8be9f7b163c6b9091817551cc8661f0f3e0523b525ef9a5e597c0dd1f32e09e97ace531c150dba335bb3e1d329d00` +- `a44210c6a01e55eadefc7d8540c2e6eff80ab6eeedde4751de734f9d780435780680d3f42d826b7e0f0dcf4a5ba303fd4c116984bb30978813d46ed867924307` +- `d3f8822a9b9bc0ee3933283c493ca9e711be5dd8339b5fe2eba1de3805aad4e84d3e2fb4affb4a743f1289915c167582b9425343635e45b70573ea1ee7a1ea03` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "operation(\"write\")", -} - rules: { - "operation(\"read\") <- operation($any)", -} - checks: { - "check if operation(\"read\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"write\")", + ], + }, + AuthorizerFactSet { + origin: { + None, + Some( + 1, + ), + }, + facts: [ + "operation(\"read\")", + ], + }, +] + rules: [ + AuthorizerRuleSet { + origin: Some( + 1, + ), + rules: [ + "operation(\"read\") <- operation($any)", + ], + }, +] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if operation(\"read\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1123,26 +1485,49 @@ allow if true; ``` revocation ids: -- `b279f8c6fee5ea3c3fcb5109d8c6b35ba3fecea64d83a4dc387102b9401633a1558ac6ac50ddd7fd9e9877f936f9f4064abd467faeca2bef3114b9695eb0580e` -- `e1f0aca12704c1a3b9bb6292504ca6070462d9e043756dd209e625084e7d4053078bd4e55b6eebebbeb771d26d7794aa95f6b39ff949431548b32585a7379f0c` +- `7595a112a1eb5b81a6e398852e6118b7f5b8cbbff452778e655100e5fb4faa8d3a2af52fe2c4f9524879605675fae26adbc4783e0cafc43522fa82385f396c03` +- `45f4c14f9d9e8fa044d68be7a2ec8cddb835f575c7b913ec59bd636c70acae9a90db9064ba0b3084290ed0c422bbb7170092a884f5e0202b31e9235bbcc1650d` authorizer world: ``` World { - facts: { - "operation(\"read\")", - "resource(\"file1\")", - "right(\"file1\", \"read\")", - "right(\"file1\", \"write\")", - "right(\"file2\", \"read\")", -} - rules: {} - checks: { - "check if resource($0), operation(\"read\"), right($0, \"read\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"read\")", + "resource(\"file1\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"file1\", \"read\")", + "right(\"file1\", \"write\")", + "right(\"file2\", \"read\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if resource($0), operation(\"read\"), right($0, \"read\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1173,21 +1558,37 @@ allow if true; ``` revocation ids: -- `4797a528328c8b5fb7939cc8956d8cda2513f552466eee501e26ea13a6cf6b4a381fd74ae547a9b50b627825142287d899b9d7bd1b5cfb18664a1be78320ea06` +- `d4b2f417b6e906434fdf5058afcabfcb98d3628f814f1c9dd7e64250d9beec4465aff51bd0cb2e85d0e67dc9f613c2a42af6158c678bc6f8b4684cd3a2d0d302` authorizer world: ``` World { - facts: { - "ns::fact_123(\"hello Ć©\tšŸ˜\")", -} - rules: {} - checks: { - "check if ns::fact_123(\"hello Ć©\tšŸ˜\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "ns::fact_123(\"hello Ć©\tšŸ˜\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 18446744073709551615, + ), + checks: [ + "check if ns::fact_123(\"hello Ć©\tšŸ˜\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1245,48 +1646,64 @@ allow if true; ``` revocation ids: -- `38094260b324eff92db2ef79e715d88c18503c0dafa400bff900399f2ab0840cedc5ac25bdd3e97860b3f9e78ca5e0df67a113eb87be50265d49278efb13210f` +- `75ce48d496fd28f99905901783a1ba46d7ff8d69f9d364d1546fd73006026eae51849ad1190a4ae521a0a1269f9c6951e226afba8fcd24fa50f679162439ae09` authorizer world: ``` World { - facts: { - "admin(13)", - "client(18)", - "client_ip(19)", - "cluster(23)", - "domain(20)", - "email(14)", - "group(15)", - "hostname(25)", - "ip_address(17)", - "member(16)", - "namespace(9)", - "node(24)", - "nonce(26)", - "operation(3)", - "owner(7)", - "path(21)", - "query(27)", - "read(0)", - "resource(2)", - "right(4)", - "role(6)", - "service(12)", - "team(11)", - "tenant(8)", - "time(5)", - "user(10)", - "version(22)", - "write(1)", -} - rules: {} - checks: { - "check if read(0), write(1), resource(2), operation(3), right(4), time(5), role(6), owner(7), tenant(8), namespace(9), user(10), team(11), service(12), admin(13), email(14), group(15), member(16), ip_address(17), client(18), client_ip(19), domain(20), path(21), version(22), cluster(23), node(24), hostname(25), nonce(26), query(27)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "admin(13)", + "client(18)", + "client_ip(19)", + "cluster(23)", + "domain(20)", + "email(14)", + "group(15)", + "hostname(25)", + "ip_address(17)", + "member(16)", + "namespace(9)", + "node(24)", + "nonce(26)", + "operation(3)", + "owner(7)", + "path(21)", + "query(27)", + "read(0)", + "resource(2)", + "right(4)", + "role(6)", + "service(12)", + "team(11)", + "tenant(8)", + "time(5)", + "user(10)", + "version(22)", + "write(1)", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 18446744073709551615, + ), + checks: [ + "check if read(0), write(1), resource(2), operation(3), right(4), time(5), role(6), owner(7), tenant(8), namespace(9), user(10), team(11), service(12), admin(13), email(14), group(15), member(16), ip_address(17), client(18), client_ip(19), domain(20), path(21), version(22), cluster(23), node(24), hostname(25), nonce(26), query(27)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1334,25 +1751,50 @@ allow if true; ``` revocation ids: -- `6a3606836bc63b858f96ce5000c9bead8eda139ab54679a2a8d7a9984c2e5d864b93280acc1b728bed0be42b5b1c3be10f48a13a4dbd05fd5763de5be3855108` -- `5f1468fc60999f22c4f87fa088a83961188b4e654686c5b04bdc977b9ff4666d51a3d8be5594f4cef08054d100f31d1637b50bb394de7cccafc643c9b650390b` -- `3eda05ddb65ee90d715cefc046837c01de944d8c4a7ff67e3d9a9d8470b5e214a20a8b9866bfe5e0d385e530b75ec8fcfde46b7dd6d4d6647d1e955c9d2fb90d` +- `f9b49866caef5ece7be14ec5a9b36d98ca81d06b306eb0b4c57cd7436af176f40ee972f40903f87ec4460ab8b1adfcbfa9b19b20a6955a1e8dae7d88b2076005` +- `889054b9119e4440e54da1b63266a98d0f6646cde195fef206efd8b133cfb2ee7be49b32a9a5925ece452e64f9e6f6d80dab422e916c599675dd68cdea053802` +- `0a85ffbf27e08aa23665ba0d96a985b274d747556c9f016fd7f590c641ed0e4133291521aa442b320ee9ce80f5ad701b914a0c87b3dfa0cc92629dce94201806` authorizer world: ``` World { - facts: { - "authority_fact(1)", - "block1_fact(1)", -} - rules: {} - checks: { - "check if authority_fact($var)", - "check if block1_fact($var)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "authority_fact(1)", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 1, + ), + }, + facts: [ + "block1_fact(1)", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 2, + ), + checks: [ + "check if authority_fact($var)", + "check if block1_fact($var)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1367,11 +1809,11 @@ result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedB authority: symbols: [] -public keys: ["ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25"] +public keys: ["ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] ``` right("read"); -check if group("admin") trusting ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25; +check if group("admin") trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; ``` 1: @@ -1379,7 +1821,7 @@ symbols: [] public keys: [] -external signature by: "ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25" +external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" ``` group("admin"); @@ -1394,24 +1836,56 @@ allow if true; ``` revocation ids: -- `4f61f2f2f9cefdcad03a82803638e459bef70d6fd72dbdf2bdcab78fbd23f33146e4ff9700e23acb547b820b871fa9b9fd3bb6d7a1a755afce47e9907c65600c` -- `683b23943b73f53f57f473571ba266f79f1fca0633be249bc135054371a11ffb101c57150ab2f1b9a6a160b45d09567a314b7dbc84224edf6188afd5b86d9305` +- `470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03` +- `93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405` authorizer world: ``` World { - facts: { - "group(\"admin\")", - "right(\"read\")", -} - rules: {} - checks: { - "check if group(\"admin\") trusting ed25519/a424157b8c00c25214ea39894bf395650d88426147679a9dd43a64d65ae5bc25", - "check if right(\"read\")", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "right(\"read\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 1, + ), + }, + facts: [ + "group(\"admin\")", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if group(\"admin\") trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + ], + }, + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if right(\"read\")", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1444,23 +1918,46 @@ allow if true; ``` revocation ids: -- `b4ee591001e4068a7ee8efb7a0586c3ca3a785558f34d1fa8dbfa21b41ace70de0b670ac49222c7413066d0d83e6d9edee94fb0fda4b27ea11e837304dfb4b0b` +- `c456817012e1d523c6d145b6d6a3475d9f7dd4383c535454ff3f745ecf4234984ce09b9dec0551f3d783abe850f826ce43b12f1fd91999a4753a56ecf4c56d0d` authorizer world: ``` World { - facts: { - "allowed_operations([ \"A\", \"B\"])", - "operation(\"A\")", - "operation(\"B\")", -} - rules: {} - checks: { - "check all operation($op), allowed_operations($allowed), $allowed.contains($op)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"A\")", + "operation(\"B\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "allowed_operations([\"A\", \"B\"])", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check all operation($op), allowed_operations($allowed), $allowed.contains($op)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1476,23 +1973,46 @@ allow if true; ``` revocation ids: -- `b4ee591001e4068a7ee8efb7a0586c3ca3a785558f34d1fa8dbfa21b41ace70de0b670ac49222c7413066d0d83e6d9edee94fb0fda4b27ea11e837304dfb4b0b` +- `c456817012e1d523c6d145b6d6a3475d9f7dd4383c535454ff3f745ecf4234984ce09b9dec0551f3d783abe850f826ce43b12f1fd91999a4753a56ecf4c56d0d` authorizer world: ``` World { - facts: { - "allowed_operations([ \"A\", \"B\"])", - "operation(\"A\")", - "operation(\"invalid\")", -} - rules: {} - checks: { - "check all operation($op), allowed_operations($allowed), $allowed.contains($op)", -} - policies: { + facts: [ + AuthorizerFactSet { + origin: { + None, + }, + facts: [ + "operation(\"A\")", + "operation(\"invalid\")", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "allowed_operations([\"A\", \"B\"])", + ], + }, +] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check all operation($op), allowed_operations($allowed), $allowed.contains($op)", + ], + }, +] + policies: [ "allow if true", -} +] } ``` @@ -1507,25 +2027,25 @@ result: `Err(FailedLogic(Unauthorized { policy: Allow(0), checks: [Block(FailedB authority: symbols: [] -public keys: ["ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59"] +public keys: ["ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"] ``` query(0); -check if true trusting previous, ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59; +check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; ``` 1: symbols: [] -public keys: ["ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee"] +public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"] -external signature by: "ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59" +external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189" ``` query(1); -query(1, 2) <- query(1), query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee; -check if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee; -check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59; +query(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; ``` 2: @@ -1533,12 +2053,12 @@ symbols: [] public keys: [] -external signature by: "ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee" +external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" ``` query(2); -check if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee; -check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59; +check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; ``` 3: @@ -1546,72 +2066,182 @@ symbols: [] public keys: [] -external signature by: "ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee" +external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463" ``` query(3); -check if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee; -check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59; +check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; ``` 4: symbols: [] -public keys: ["ed25519/2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14"] +public keys: ["ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"] ``` query(4); -check if query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee; -check if query(4) trusting ed25519/2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14; +check if query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; +check if query(4) trusting ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136; ``` ### validation authorizer code: ``` -check if query(1, 2) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59, ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee; +check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463; deny if query(3); deny if query(1, 2); -deny if query(0) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59; +deny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189; allow if true; ``` revocation ids: -- `bc144fef824b7ba4b266eac53e9b4f3f2d3cd443c6963833f2f8d4073bef9553f92034c2350fdd50966a9f0c09db35b142d61e0476b0133429885c787052060b` -- `aba1631f8d0bea1c81447e73269f560973d03287c2b44325d1b42d10a496156dc8e78648b946bc7db7a3111d787a10c1a9da8d53fc066b1f207de7415a2e9b0b` -- `539cff0f5c311dcac843a9e6c8bb445aff0d6510bfa9b17d5350747be92dc365217e89e1d733f3ead1ecc05f287f312c41831338708e788503b55517af3ad000` -- `5b10f7a7b4487f4421cf7f7f6d00b24a7a71939037b65b2e44241909564082a3e1e70cf7d866eb96f0a5119b9ea395adb772faaa33252fa62a579eb15a108a0b` -- `3905351588cdfc4433b510cc1ed9c11ca5c1a7bd7d9cef338bcd3f6d374c711f34edd83dd0d53c25b63bf05b49fc78addceb47905d5495580c2fd36c11bc1e0a` +- `3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04` +- `45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400` +- `179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703` +- `edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d` +- `6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07` authorizer world: ``` World { - facts: { - "query(0)", - "query(1)", - "query(1, 2)", - "query(2)", - "query(3)", - "query(4)", -} - rules: { - "query(1, 2) <- query(1), query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", -} - checks: { - "check if query(1) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59", - "check if query(1, 2) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59, ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "check if query(2) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "check if query(2), query(3) trusting ed25519/ecfb8ed11fd9e6be133ca4dd8d229d39c7dcb2d659704c39e82fd7acf0d12dee", - "check if query(4) trusting ed25519/2e0118e63beb7731dab5119280ddb117234d0cdc41b7dd5dc4241bcbbb585d14", - "check if true trusting previous, ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59", -} - policies: { - "allow if true", - "deny if query(0) trusting ed25519/3c8aeced6363b8a862552fb2b0b4b8b0f8244e8cef3c11c3e55fd553f3a90f59", - "deny if query(1, 2)", + facts: [ + AuthorizerFactSet { + origin: { + Some( + 0, + ), + }, + facts: [ + "query(0)", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 1, + ), + }, + facts: [ + "query(1)", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 1, + ), + Some( + 2, + ), + }, + facts: [ + "query(1, 2)", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 2, + ), + }, + facts: [ + "query(2)", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 3, + ), + }, + facts: [ + "query(3)", + ], + }, + AuthorizerFactSet { + origin: { + Some( + 4, + ), + }, + facts: [ + "query(4)", + ], + }, +] + rules: [ + AuthorizerRuleSet { + origin: Some( + 1, + ), + rules: [ + "query(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + ], + }, +] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + ], + }, + AuthorizerCheckSet { + origin: Some( + 1, + ), + checks: [ + "check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + ], + }, + AuthorizerCheckSet { + origin: Some( + 2, + ), + checks: [ + "check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + ], + }, + AuthorizerCheckSet { + origin: Some( + 3, + ), + checks: [ + "check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "check if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + ], + }, + AuthorizerCheckSet { + origin: Some( + 4, + ), + checks: [ + "check if query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + "check if query(4) trusting ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136", + ], + }, + AuthorizerCheckSet { + origin: Some( + 18446744073709551615, + ), + checks: [ + "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", + ], + }, +] + policies: [ "deny if query(3)", -} + "deny if query(1, 2)", + "deny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189", + "allow if true", +] } ``` @@ -1642,23 +2272,88 @@ allow if true; ``` revocation ids: -- `70d8941198ab5daa445a11357994d93278876ee95b6500f4c4a265ad668a0111440942b762e02513e471d40265d586ea76209921068524f588dc46eb4260db07` +- `3346a22aae0abfc1ffa526f02f7650e90af909e5e519989026441e78cdc245b7fd126503cfdc8831325fc04307edc65238db319724477915f7040a2f6a719a05` authorizer world: ``` World { - facts: {} - rules: {} - checks: { - "check if true || -9223372036854775808 - 1 != 0", - "check if true || 10000000000 * 10000000000 != 0", - "check if true || 9223372036854775807 + 1 != 0", -} - policies: { + facts: [] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if true || -9223372036854775808 - 1 != 0", + "check if true || 10000000000 * 10000000000 != 0", + "check if true || 9223372036854775807 + 1 != 0", + ], + }, +] + policies: [ "allow if true", -} +] } ``` result: `Err(Execution(Overflow))` + +------------------------------ + +## test expression syntax and all available operations (v4 blocks): test028_expressions_v4.bc +### token + +authority: +symbols: ["abcD12x", "abcD12"] + +public keys: [] + +``` +check if 1 != 3; +check if 1 | 2 ^ 3 == 0; +check if "abcD12x" != "abcD12"; +check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z; +check if hex:12abcd != hex:12ab; +check if [1, 4] != [1, 2]; +``` + +### validation + +authorizer code: +``` +allow if true; +``` + +revocation ids: +- `117fa653744c859561555e6a6f5990e3a8e7817f91b87aa6991b6d64297158b4e884c92d10f49f74c96069df722aa676839b72751ca9d1fe83a7025b591de00b` + +authorizer world: +``` +World { + facts: [] + rules: [] + checks: [ + AuthorizerCheckSet { + origin: Some( + 0, + ), + checks: [ + "check if \"abcD12x\" != \"abcD12\"", + "check if 1 != 3", + "check if 1 | 2 ^ 3 == 0", + "check if 2022-12-04T09:46:41Z != 2020-12-04T09:46:41Z", + "check if [1, 4] != [1, 2]", + "check if hex:12abcd != hex:12ab", + ], + }, +] + policies: [ + "allow if true", +] +} +``` + +result: `Ok(0)` + From 9d1946a7f5624df394c582ddce58c1206f45e4f1 Mon Sep 17 00:00:00 2001 From: Geoffroy Couprie Date: Mon, 8 Jan 2024 16:06:09 +0100 Subject: [PATCH 8/8] fix printing --- .../java/org/biscuitsec/biscuit/datalog/ExpressionTest.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/test/java/org/biscuitsec/biscuit/datalog/ExpressionTest.java b/src/test/java/org/biscuitsec/biscuit/datalog/ExpressionTest.java index fa773b2e..06e8a681 100644 --- a/src/test/java/org/biscuitsec/biscuit/datalog/ExpressionTest.java +++ b/src/test/java/org/biscuitsec/biscuit/datalog/ExpressionTest.java @@ -27,7 +27,7 @@ public void testNegate() { ))); assertEquals( - "! 1 < $var", + "!1 < $var", e.print(symbols).get() ); @@ -104,7 +104,7 @@ public void testNegativeContainsStr() { ))); assertEquals( - "! \"ab\".contains(\"b\")", + "!\"ab\".contains(\"b\")", e.print(symbols).get() );