authorize third party blocks

biscuit-auth · Jan 4, 2024 · a28355d · a28355d
1 parent 3354213
commit a28355d
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 36 deletions.
diff --git a/src/main/java/com/clevercloud/biscuit/datalog/SymbolTable.java b/src/main/java/com/clevercloud/biscuit/datalog/SymbolTable.java
@@ -278,6 +278,13 @@ public SymbolTable(SymbolTable s) {
         publicKeys.addAll(s.publicKeys);
     }
 
+    public SymbolTable(List<String> symbols, List<PublicKey> publicKeys) {
+        this.symbols = new ArrayList<>();
+        symbols.addAll(symbols);
+        this.publicKeys = new ArrayList<>();
+        publicKeys.addAll(publicKeys);
+    }
+
     public List<String> getAllSymbols() {
         ArrayList<String> allSymbols = new ArrayList<>();
         allSymbols.addAll(defaultSymbols);

diff --git a/src/main/java/com/clevercloud/biscuit/token/Authorizer.java b/src/main/java/com/clevercloud/biscuit/token/Authorizer.java
@@ -107,6 +107,7 @@ public void update_on_token() throws Error.FailedLogic {
                     throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
                 }
             }
+            this.publicKeyToBlockId.putAll(token.publicKeyToBlockId);
         }
     }
 
@@ -346,6 +347,42 @@ public Long authorize(RunLimits limits) throws Error {
                     throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
                 }
             }
+
+            for (int i = 0; i < token.blocks.size(); i++) {
+                Block b = token.blocks.get(i);
+                TrustedOrigins blockTrustedOrigins = TrustedOrigins.fromScopes(
+                        b.scopes,
+                        TrustedOrigins.defaultOrigins(),
+                        i + 1,
+                        this.publicKeyToBlockId
+                );
+                SymbolTable blockSymbols = token.symbols;
+                if (b.externalKey.isDefined()) {
+                    blockSymbols = new SymbolTable(b.symbols.symbols, symbols.publicKeys);
+                }
+
+                for (com.clevercloud.biscuit.datalog.Fact fact : b.facts) {
+                    com.clevercloud.biscuit.datalog.Fact converted_fact = Fact.convert_from(fact, blockSymbols).convert(this.symbols);
+                    world.add_fact(new Origin(i + 1), converted_fact);
+                }
+
+                for (com.clevercloud.biscuit.datalog.Rule rule : b.rules) {
+                    com.clevercloud.biscuit.token.builder.Rule _rule = Rule.convert_from(rule, blockSymbols);
+                    com.clevercloud.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);
+
+                    Either<String, Rule> res = _rule.validate_variables();
+                    if (res.isLeft()) {
+                        throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, this.symbols.print_rule(converted_rule)));
+                    }
+                    TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
+                            converted_rule.scopes(),
+                            blockTrustedOrigins,
+                            i + 1,
+                            this.publicKeyToBlockId
+                    );
+                    world.add_rule((long) i + 1, ruleTrustedOrigins, converted_rule);
+                }
+            }
         }
 
         world.run(limits, symbols);
@@ -398,7 +435,7 @@ public Long authorize(RunLimits limits) throws Error {
             for (int j = 0; j < token.authority.checks.size(); j++) {
                 boolean successful = false;
 
-                Check c = Check.convert_from(token.authority.checks.get(j), symbols);
+                Check c = Check.convert_from(token.authority.checks.get(j), token.symbols);
                 com.clevercloud.biscuit.datalog.Check check = c.convert(symbols);
 
                 for (int k = 0; k < check.queries().size(); k++) {
@@ -473,35 +510,15 @@ public Long authorize(RunLimits limits) throws Error {
                         i+1,
                         this.publicKeyToBlockId
                 );
-
-                for (com.clevercloud.biscuit.datalog.Fact fact : b.facts) {
-                    com.clevercloud.biscuit.datalog.Fact converted_fact = Fact.convert_from(fact, token.symbols).convert(this.symbols);
-                    world.add_fact(new Origin(i+1), converted_fact);
+                SymbolTable blockSymbols = token.symbols;
+                if(b.externalKey.isDefined()) {
+                    blockSymbols = new SymbolTable(b.symbols.symbols, symbols.publicKeys);
                 }
 
-                for (com.clevercloud.biscuit.datalog.Rule rule : b.rules) {
-                    com.clevercloud.biscuit.token.builder.Rule _rule = Rule.convert_from(rule, token.symbols);
-                    com.clevercloud.biscuit.datalog.Rule converted_rule = _rule.convert(this.symbols);
-
-                    Either<String,Rule> res = _rule.validate_variables();
-                    if(res.isLeft()){
-                        throw new Error.FailedLogic(new LogicError.InvalidBlockRule(0, token.symbols.print_rule(converted_rule)));
-                    }
-                    TrustedOrigins ruleTrustedOrigins = TrustedOrigins.fromScopes(
-                            converted_rule.scopes(),
-                            blockTrustedOrigins,
-                            i+1,
-                            this.publicKeyToBlockId
-                    );
-                    world.add_rule((long)i+1, ruleTrustedOrigins, converted_rule);
-                }
-
-                world.run(limits, symbols);
-
                 for (int j = 0; j < b.checks.size(); j++) {
                     boolean successful = false;
 
-                    Check c = Check.convert_from(b.checks.get(j),symbols);
+                    Check c = Check.convert_from(b.checks.get(j), blockSymbols);
                     com.clevercloud.biscuit.datalog.Check check = c.convert(symbols);
 
                     for (int k = 0; k < check.queries().size(); k++) {

diff --git a/src/main/java/com/clevercloud/biscuit/token/Block.java b/src/main/java/com/clevercloud/biscuit/token/Block.java
@@ -28,6 +28,7 @@ public class Block {
     final List<Check> checks;
     final List<Scope> scopes;
     final List<PublicKey> publicKeys;
+    final Option<PublicKey> externalKey;
     final long version;
 
     /**
@@ -43,6 +44,7 @@ public Block(SymbolTable base_symbols) {
         this.checks = new ArrayList<>();
         this.scopes = new ArrayList<>();
         this.publicKeys = new ArrayList<>();
+        this.externalKey = Option.none();
         this.version = SerializedBiscuit.MAX_SCHEMA_VERSION;
     }
 
@@ -54,7 +56,7 @@ public Block(SymbolTable base_symbols) {
      * @param checks
      */
     public Block(SymbolTable base_symbols, String context, List<Fact> facts, List<Rule> rules, List<Check> checks,
-                 List<Scope> scopes, List<PublicKey> publicKeys, int version) {
+                 List<Scope> scopes, List<PublicKey> publicKeys, Option<PublicKey> externalKey, int version) {
         this.symbols = base_symbols;
         this.context = context;
         this.facts = facts;
@@ -63,6 +65,7 @@ public Block(SymbolTable base_symbols, String context, List<Fact> facts, List<Ru
         this.scopes = scopes;
         this.version = version;
         this.publicKeys = publicKeys;
+        this.externalKey = externalKey;
     }
 
     public SymbolTable symbols() {
@@ -87,6 +90,10 @@ public String print(SymbolTable symbol_table) {
         s.append(this.symbols.symbols);
         s.append("\n\t\tcontext: ");
         s.append(this.context);
+        if(this.externalKey.isDefined()) {
+            s.append("\n\t\texternal key: ");
+            s.append(this.externalKey.get().toString());
+        }
         s.append("\n\t\tfacts: [");
         for (Fact f : this.facts) {
             s.append("\n\t\t\t");
@@ -153,7 +160,7 @@ public Schema.Block serialize() {
      * @param b
      * @return
      */
-    static public Either<Error.FormatError, Block> deserialize(Schema.Block b) {
+    static public Either<Error.FormatError, Block> deserialize(Schema.Block b, Option<PublicKey> externalKey) {
         int version = b.getVersion();
         if (version < SerializedBiscuit.MIN_SCHEMA_VERSION || version > SerializedBiscuit.MAX_SCHEMA_VERSION) {
             return Left(new Error.FormatError.Version(SerializedBiscuit.MIN_SCHEMA_VERSION, SerializedBiscuit.MAX_SCHEMA_VERSION, version));
@@ -227,7 +234,7 @@ static public Either<Error.FormatError, Block> deserialize(Schema.Block b) {
             return Left(e);
         }
 
-        return Right(new Block(symbols, b.getContext(), facts, rules, checks, scopes, publicKeys, version));
+        return Right(new Block(symbols, b.getContext(), facts, rules, checks, scopes, publicKeys, externalKey, version));
     }
 
     /**
@@ -236,10 +243,10 @@ static public Either<Error.FormatError, Block> deserialize(Schema.Block b) {
      * @param slice
      * @return
      */
-    static public Either<Error.FormatError, Block> from_bytes(byte[] slice) {
+    static public Either<Error.FormatError, Block> from_bytes(byte[] slice, Option<PublicKey> externalKey) {
         try {
             Schema.Block data = Schema.Block.parseFrom(slice);
-            return Block.deserialize(data);
+            return Block.deserialize(data, externalKey);
         } catch (InvalidProtocolBufferException e) {
             return Left(new Error.FormatError.DeserializationError(e.toString()));
         }

diff --git a/src/main/java/com/clevercloud/biscuit/token/builder/Biscuit.java b/src/main/java/com/clevercloud/biscuit/token/builder/Biscuit.java
@@ -152,7 +152,7 @@ public com.clevercloud.biscuit.token.Biscuit build() throws Error {
         SchemaVersion schemaVersion = new SchemaVersion(this.facts, this.rules, this.checks, this.scopes);
 
         Block authority_block = new com.clevercloud.biscuit.token.Block(symbols, context, this.facts, this.rules,
-                this.checks, scopes, publicKeys, schemaVersion.version());
+                this.checks, scopes, publicKeys, Option.none(), schemaVersion.version());
 
         if (this.root_key_id.isDefined()) {
             return make(this.rng, this.root, this.root_key_id.get(), base_symbols, authority_block);

diff --git a/src/main/java/com/clevercloud/biscuit/token/builder/Block.java b/src/main/java/com/clevercloud/biscuit/token/builder/Block.java
@@ -10,6 +10,7 @@
 import com.clevercloud.biscuit.error.Error;
 import io.vavr.Tuple2;
 import io.vavr.control.Either;
+import io.vavr.control.Option;
 
 import static com.clevercloud.biscuit.datalog.Check.Kind.One;
 import static com.clevercloud.biscuit.token.builder.Utils.*;
@@ -122,7 +123,7 @@ public com.clevercloud.biscuit.token.Block build() {
         SchemaVersion schemaVersion = new SchemaVersion(this.facts, this.rules, this.checks, this.scopes);
 
         return new com.clevercloud.biscuit.token.Block(symbols, this.context, this.facts, this.rules, this.checks,
-                this.scopes, publicKeys, schemaVersion.version());
+                this.scopes, publicKeys, Option.none(), schemaVersion.version());
     }
 
     public Block check_right(String right) {

diff --git a/src/main/java/com/clevercloud/biscuit/token/format/SerializedBiscuit.java b/src/main/java/com/clevercloud/biscuit/token/format/SerializedBiscuit.java
@@ -453,7 +453,7 @@ static Either<Error, PublicKey> verifyBlockSignature(SignedBlock signedBlock, Pu
 
     public Tuple3<Block, ArrayList<Block>, HashMap<Long, List<Long>>> extractBlocks(SymbolTable symbols) throws Error {
         ArrayList<Option<PublicKey>> blockExternalKeys = new ArrayList<>();
-        Either<Error.FormatError, Block> authRes = Block.from_bytes(this.authority.block);
+        Either<Error.FormatError, Block> authRes = Block.from_bytes(this.authority.block, Option.none());
         if (authRes.isLeft()) {
             Error e = authRes.getLeft();
             throw e;
@@ -464,15 +464,17 @@ public Tuple3<Block, ArrayList<Block>, HashMap<Long, List<Long>>> extractBlocks(
         }
         blockExternalKeys.add(Option.none());
 
-
         for (String s : authority.symbols().symbols) {
             symbols.add(s);
         }
 
-
         ArrayList<Block> blocks = new ArrayList<>();
         for (SignedBlock bdata : this.blocks) {
-            Either<Error.FormatError, Block> blockRes = Block.from_bytes(bdata.block);
+            Option<PublicKey> externalKey = Option.none();
+            if(bdata.externalSignature.isDefined()) {
+                externalKey = Option.some(bdata.externalSignature.get().key);
+            }
+            Either<Error.FormatError, Block> blockRes = Block.from_bytes(bdata.block, externalKey);
             if (blockRes.isLeft()) {
                 Error e = blockRes.getLeft();
                 throw e;